Wednesday, June 15, 2016

Earn Extra Money Home

How to Earn extra money from home

Work from Home
In the following thorough article I will explain the way I use to earn extra money online.
I will pour out all of the details, explaining exactly what I do - take it or leave it.

The "method" I use can be a way to earn extra money or a way to change your day job completely and live off this method by earning more than enough to live from.

I am no "guru" and am not selling anything. I am just a programmer who has searched for the best way to earn money online for about 7 years now! Only in the last year did I finally find the one good way to do it and earn thousands of dollars each month. Please note that for about 6 years I managed to scratch out just about 100$ per month, until I found this way, which I use to earn about 3000$ per month and counting.

This is the "Index" of my article with the main points I will write about:
  • Earning money as an affiliate
  • Doing it the wrong way
  • My Personal Story
  • Who earns online ?
  • Earning money the right way
  • Detailing the way I earn money exactly step by step
  • Summary and Final Thoughts

So let us begin:

Earning money as an affiliate

Become an Affiliate and Earn the big bucks

I won't say there is only one way to earn money online, but for me the simplest one I found was to work online as an affiliate.
Affiliate marketing is the term for a person selling a product he doesn't own and earning a percentage of the sale.

One of the most famous affiliate programs is Amazon's affiliate program. They offer about 7% of any sale you direct to their site. So let's say you have a big mailing list of about 10,000 people and you refer them to an Amazon product you recommend which costs 100$ (using a special link you get from Amazon, so they know you referred the customers and are thus entitled to your 7% of the sale). From your 10,000 faithful readers, 1000 go to that link to check the product, and from those 1000 only 40 people buy it. Still, 40 people buying the 100$ product is 100 * 40 = 4000$ earned by Amazon because of you.
As you are entitled to 7% of these sales, you will earn 7% * 4000$ = 280$.

The good thing about being an affiliate marketer is that if several people aren't satisfied with the product, then they can refund it or whatever they want and it doesn't bother you at all.
You don't need to hold stocks of that product in a warehouse, you don't need to refund and lose money over shipment, you don't need to take care of shipment at all nor think about taxes or payment gateways etc - the good life of an affiliate marketer!

But still, you probably don't have a 10,000 reader email, right ?
And 7% isn't high enough :-(

So what can you actually do to earn more ?

I suggest not looking too much at Amazon's affiliate program, as the percentage you can earn from each sale is low. Understandably so, because we are talking about PHYSICAL products: each one needs to be shipped and packaged, stored and accounted for, and above all else there is huge competition for each product, so the seller's margin must be low so he can compete with the other sellers.

So which affiliate program DO I suggest ?
I suggest staying in the affiliate marketing business, but selling a virtual product and not a real one. Each additional product sold doesn't cost the seller any money (except for creating the initial product), so the seller can offer a much higher percentage of revenue to you as an affiliate of his (yes, I am talking about 30%-70% of the earnings from each sale).

So if for example you have that 10,000 readers list, and you pitch this product (online course for example) which costs 50$, and your gain from each sale is 50% then from those 40 people buying the product you will earn 40 * 25$ = 1000$ ! (now that is better)

Which affiliate programs do I suggest ?
I like using Clickbank as my affiliate program as they have lots of products under their belt and I have used them for several years now and they paid me a lot of money till now :-)

So let's sum it up:
  • Sign up to an affiliate program
  • The above affiliate program should be selling virtual products
  • My recommendation is to use clickbank as your affiliate program

Now you only need to:
  • Build a website selling that virtual product
  • And people to get to your site

I won't delve into the grindy technical details of a domain name, hosting of the site, SEO details and a lot more, not because they aren't important, but just because they don't fit into this specific article (each one of the above details deserves its own article). Basically, you can build a site wherever you want with whichever hosting you pick and just stick your product details there (more on that later).

How will you get people to your site? Well, this is the million dollar question, which I will explain how to do in this article, so keep reading as I am spilling all of the beans here!
In a nutshell: in order to get people to your site you will post articles on your site, which people will read, and then they will click on your product in order to buy it.

What about SEO?
SEO - Search Engine Optimization is something I will teach you here to master (I will teach you only the first steps of it but you will read online and master) as your site should be google-friendly.

BUT this is the biggest hurdle, and people fall for bad SEO all of the time - I will explain what I mean in the next topic.

Doing SEO the wrong way

Nooo, don't go to the wrong way ...

As you understand by now, the biggest problem is getting people to your site for free.
You can build the most beautiful site on the web but if nobody visits your site then all is in vain.

This is where people fail, many people try to earn a living online or at least make some extra cash online, most fail because they do it the wrong way  :-(

What is the wrong way ?
The wrong way is trying to do "magic" to get people to your site, trying to get visitors without much work.

This is how it happens:
A guy finds his affiliate program
The guy builds a beautiful website
The guy is now tired of the work he did till now and so he searches for ways to get people to his site
The guy writes on google something like "how to get visitors to my site"

The guy finds lots of so-called "gurus" proclaiming they have the best and quickest way to get people to the guy's site and so he is tempted to pay only 47$ in the good scenario, 97$ per month in the worse scenario, and then lots of money goes to the guru, lots of work for the affiliate marketer with partial results which can give him just enough hope to continue paying the guru while earning nothing to some minor amount not justifying the work and money spent.

And then the guy's site gets penalized by google for using a forbidden tactic, and all of his hard work and hard earned money goes for nothing.

Usually those guys will try, after some time, another guru or another trick - all for nothing (or in my case for 100$ per month, which doesn't justify the thousands of hours I worked till earning that amount, not to mention all the money I threw out of the window)

Now you probably ask yourself - aha - what is the difference between my technique and all of the rest of the techniques which I proclaim not to work ?

Well, that is a good question, please read on as I am going to explain exactly how I do it (yes, I really earn about 3000$ per month now), with no bullshit attached.

To sum this chapter up:
The wrong way to get people to your site is to search online :-) as you will find many "tricks" and "gurus" bullshitting you, where you will spend lots of time and money while getting nowhere except being banned by the search engines for doing tricks and shticks.

My Personal Story

My Own Journey

About seven years ago I decided that the internet is a great place and that I could have a small bite of the internet revenues, it was a simple thought:
  • Billions of dollars are spent online monthly
  • I am a talented developer (Java and Web)
  • I am smarter than most of those people earning online
  • So I can earn a small bite (small bite from billions) which can enable me to work from home and stop being a dayjob worker for any other boss
  • Even if I fail to gain huge amounts of money and my bite in the world's revenues is really small - I can still earn some extra cash which can come in handy
Thus I began my search online:
  • How to build a site
  • Where should I build it
  • Different hosting plans at different companies
  • Domain names
  • Affiliate programs
  • SEO
  • How to trick the search engine
  • Rinse and repeat - if I build one site that earns only 5$ per month, I can then replicate it and build 200 sites like that one, earning 1000$ per month

The only thing I gained from the above is a huge amount of information about the whole site/dns/domain/hosting/seo scene. (which is great of course)
But I didn't earn nearly enough (100$/month at my peak).

What were my mistakes?
I was always on the search for quick gains
I tried to trick the system
I didn't focus long enough on any individual site, I replicated my sites too early
I wasted much too much time buying tools to do some bad job or even worse, I built several tools myself which as you know or not takes a lot of time!
I always looked for solutions which could get me a passive income, some magic trick where I could "fire and forget", build a cow and always take its milk (apparently it doesn't work that way)

Which tools did I build/buy (which you totally shouldn't if you want my advice)?
  • Tools to get links to my site (yeah, shady tools) like comment posters on many different platforms
  • Tools to spin and put garbled text in my site (very bad practice, one which got me finally banned from google)
  • Many others, but most of them were of the two categories above

This sad story has a good ending though, as I stumbled upon a site explaining the right way of doing things (yes, all will be explained in the next chapters of this article, I am not hiding anything) and my head exploded. I understood all of my mistakes at that moment and knew I must scratch out all of my previous sites and failings and start anew with the right model leading the way.

Thus I have looked around to see, who is actually making money online ?

Who earns online ?

Real People Earn Real Money

In order to find the right way to earn online I looked around to see who DOES really earn online? I was shocked to understand the very simple truth: most of the people earning online are dumb people! Yup, people who know nothing about SEO, know not a trick nor a guru, just plain straight people who started a site and did some hard work on it, writing hundreds of posts in their blog or capturing hundreds of hours of youtube videos, or many other hard working people.

So I asked myself, how come they earn so much and I with my 200 sites!!! (yup, I built over 200 sites over those 6 years) earned just 100$ per month !?  It just didn't make any sense.

That was when it dawned on me - my question was my answer!
The sophisticated people don't manage to earn much online, the simple people do

The REAL thing actually works. The single natural real site of that dumb person does better than my 200 sites (several times over). I am a very smart guy (especially in the internet ways), and I got trampled by people knowing close to nothing about the internet - WTF?

I felt like the rabbit which got beaten by the turtle.

What did I do wrong?
EVERYTHING!

I created nothing real, I created no real value for my visitors. I didn't look for the best interest of my visitors, I looked for the best way I could earn money from them.
It sounds like a small distinction but it encapsulates the whole deal for earning online.

And the smart search engines caught me every time and threw my sites down the search engine results grid over and over and over again.

The way to earn money is not to trick google
The way to really earn money is to create something with real value which google will find and will understand the real value of it, thus will put my site with its value on the top of its search results.

To sum up this paragraph:
The plain and simple sites which want to give their users real value earn the most online
The sites which try to trick google will never win (they might earn something small for a short amount of time but nothing will last)
The way to really earn extra cash online or even earn so much so you can change your dayjob is to put real value into your site, value which will benefit your users causing your site to be appreciated by users and search engines alike.

Earning money the right way

Yes, there IS a right way!

I want to finally specify the right way to earn lots of money online

I myself use it for a full year now and it works (3000$/month every month and counting).
As you probably figured if you read this far, I am talking about providing real content on your site, getting real people to read your good and quality content, getting them to trust you and buy your product.

The thing is google (and all of the major search engines follow google's lead) understood its mistake in giving precedence to sites with lots of links (although spammy) and with bad content, so google actually officially scratched out the infamous google-pagerank and created new algorithms to define a page's quality. Generally speaking, google's new algorithm searches for the page's authority more than other factors.

So you want to be an internet authority on a specific subject, thus google will point people your way when they search for an authority which can give them good data about the subject you are an authority about.

How do you become an online authority ?
Warning: In order to become an authority HARD WORK is required, you won't be able to get where I am now without putting at least two hours a day.

In the next paragraph I will specify the actual details of the work you should put in to get there, but I will write the steps you need to take now, in a nutshell:

  1. Focus on only one niche/subject
  2. It should be a passion of yours or you might find yourself not wanting to put the time into the site
  3. Build a site about the niche you chose
  4. Do some keyword research
  5. Write an article every day
That's it (details on the next chapter).
I guarantee the following:
In 2-3 months you will get your first sale
In half a year you will get to a sale per day
In a year you will get to the 1000$-3000$ per month salary!

No need for any SEO voodoo
No need for social networks (although those might help)
No need for a mailing list (although it is advised)

Just write your post per day and you will get to the 3/6/12 months goals I specified above - I promise

Even without understanding the google internals, you can still understand the logic, you put good quality content online, you become an authority on your niche, google understands that you are an authority/expert in that niche thus google will point visitors to your site.

Simple.

What is the exact recipe to doing the above? - read on!


Detailing the way I earn money exactly step by step

Step by Step Tutorial

  1. Find a niche which you feel comfortable in, you will write hundreds of articles about it so it really should be something you are passionate about.
    • The above "niche" is a subject you want to talk about, it should be broad enough so you will have enough content to write about, but it shouldn't be too broad or else you won't be specific enough for google to understand what sort of expert you are, for example instead of picking the animal niche which is way too broad, you should be more specific and pick something like rabbit training or even rabbit world where you will talk about rabbits, rabbit food, rabbit training or anything you think about.
  2. You must master keyword research - Keyword research means finding out which words people put into the search engines to search for information; you are looking for a search term which lots of people use but which doesn't have tough competition. In a nutshell:
    1. You will do keyword research for everything on your site; every post you want to write will be titled with a good keyword (many searches but meager competition)
    2. The idea is that if for a specific keyword there isn't lots of competition, but there are lots of people searching for it, then your post will get all of those people. For example, let's say that 15 people per day are searching for "inhouse rabbit training" and no one writes about it: your post will bring those people into your site, so now you get 15 visitors per day. If you have 100 posts like that (you will get to 100 posts in half a year max) then you get yourself 1500 visitors per day, which is a lot!
      1. Tools I recommend for keyword research (both free)
  3. Internal SEO - I know I said SEO is bullshit but you should take some aspects of SEO into mind when building your site, like the actual links (permalink), some meta data, h1 tags, internal linking and putting the keywords in the first paragraph of the post you are writing - most aspects of SEO can be handled by wordpress if you choose to implement your site using that CMS, then install all in one SEO plugin and fill all of its fields for each post.
    • Suggested Tools: 
    • Wordpress installed on your own hosting with your own domain
    • All in one SEO plugin for the wordpress site
    • Actually there are many other plugins, but for starters begin with the above
  4. A Post every single day
    • Each post should be titled with a good keyword title
    • Meta data and category/tag names should be used
    • Each post should contain at least 500 words
    • Each post should promote an affiliate link or link to a post/page which promotes an affiliate link
  5. The page on the site promoting your main affiliate offer should contain a big 2000 words article, containing great information, this page should be linked from many other posts, this post should contain high quality content.
  6. You should spend at least two hours per day on your site, looking at what you can optimize, make better, upgrade-the-look-of in your site, in that time you will make the site active so make sure to answer each and every comment or email reachout. You can spend that daily time to read about your niche (making you smarter about the content of your site) or you might surf the web making you smarter about techniques to make your site better (for example look at the next bullet)
  7. Bonus things to do: Add an emailing list, Create your own eBook on your site, Create social accounts and be always active on them etc.

If I need to point to the two big things you should do on the site which will make the change then I will point to Keyword Research and an article (almost) each day.

Summary and Final Thoughts

Go for it!

In the above article I wrote about all of the aspects of earning money online: the good, the bad, my personal journey and the way I use to really earn a nice sum of money each and every month.
Just follow all of this article's leads, and especially the final chapter details, and you should do really well, no need for any other guru/utility/magic tool and so on.

That being said, I understand that although I failed in earning money in my first six years, I still did gain lots of knowledge which helped my final step to be worthwhile.

So my suggestion is that if you have all of the previous knowledge to follow my path I depicted in this article then please do, and there is (almost) no need to spend a dime to get to where I am.
But if you have much less knowledge, and many things I talked about are not sitting well in your mind I will suggest one program which can really help you.

Yes, you know I am totally against all of these programs etc, but this one is different, it is really good and it follows the right path and shows the right direction, no tricks included!

I am talking about Wealthy Affiliates - this is a membership site, targeted at novice to moderate internet users, it offers lots and lots of guidance in the form of one on one chats with lots of other users and experts, as well as so much content - they do it the right way and they are the only ones I can truly recommend (and yes, it is an affiliate link, but believe me when I say that my respect for them is unbiased).

The cost for their plan is about 49$/month, but if you need the knowledge, the courses they offer, the place to chat (getting instant answers) with starters and experts alike one on one or in a group, with a very large pool of active users then that is the right place for you.


So please, leave me a comment, write about your experience or ask any question in the comment section below

Monday, April 25, 2016

The good and the bad about Sierra's online Quests

Originally Ken & Roberta Williams began their Sierra Quests while trying to invent a new Genre - Interactive books.

Roberta loved the idea of having kids play a fairy tale book thus King's Quest I was created.

Her inspirations were text games which were games without any graphical trace, so on the screen you would see a description of where you are now and you could try doing things using your imagination and the text parser.

Roberta thought to upgrade these games by adding graphics and having the player move the main character over the screen (yes, without a mouse) in order to move between screens or moving in the same screen getting to various objects, while still sending commands using her text parser (move rock, climb tree [Spoilers?] etc).

Sierra quests were a massive success and actually were the beginning of a genre, but as with many genre inventors (except Steve Jobs as he was perfect) she was trying her hand at inventing these types of games, and many game design decisions were made using trial and error. I just want to emphasize this point as I want to talk now about the things they did wrong  :-)

What went wrong with those games?
1. In King's Quest, for example, Sierra built an open world where you could go around and see all of it, but while you had your specific mission (for example: Find the Shield, Mirror and the Chest) you could wander around for hours over hours having no clue what to do next.

As a kid I wandered for days in beautiful CGA Daventry, but I can't imagine many kids these days having so much patience for it - Are you kidding me ?, After a minute or two they will ask where should they go and if you don't have an answer ready within one minute tops they will go out of the game and fire up any other shooter / flash game or whatever.

2. Dying frequently - This is not an action genre, but still there were many places where for no apparent reason one could die: a wolf, a witch or many others would appear randomly and kill you unless you fled fast enough from the screen.  Not only that, but there were many places where one could fall to his death easily, like staircases, cliffs, ponds, or even just touching some items could get you killed, like poisonous flowers and others. As Sierra had created quests and wanted to make them longer to play they put in those death places, but IMHO, to make a game longer you should put in more puzzles or other goodies, not random places where one could die and will need to load the game IF HE REMEMBERED TO SAVE!

3. Dead Ends - These are one of the most horrible aspects of Sierra games - dead ends!
What do I mean ?  Well, if you didn't do something (which sometimes looks optional) in an early stage of the game you will get stuck on a later stage without any way to retrace your steps and do that thing (unless you have a good save game you didn't delete already).  For example, on King's Quest I you take a carrot which you need in order to lure a goat to follow you (so it will kick the Troll), but there is nothing preventing you from eating the damn carrot, and then how will you move that goat?!
Another example: In Space Quest you need to take a crystal shard at the beginning so later on you will be able to use it in order to finish a puzzle, but if you fail to find it (which is easy) you might still take that one way elevator and get stuck on the other puzzle forever!

4. Treasure Hunting - Some of the items you need to finish your quest aren't given to you by any character in the game but randomly appear on random screens along the game, so as the game goes you just wander around trying to find an object which might appear on a random screen - frustrating, as you don't even know what you need, you just try to take anything which isn't nailed to the wall.

5. Pixel hunting - Some of the items you need to take along the game are so small that they literally are a single pixel big (in those days when the game resolution was so low), and it is frustrating to death to just miss one of those (the whistle on kq4 ?) because of that factor.

6. Damn hard puzzles - Most of the puzzles are good and reasonable, but there are some puzzles along the game which are totally unacceptable, like spelling Rumplestiltskin's name in cypher mode !?

7. Timed scenes - I personally hate this one, when a timer appears on the screen and you must accomplish a task in a timely manner. It happened a lot on King's Quest III, where you needed to accomplish tasks between Manannan's appearances; walking that cliff fast without falling, then searching for ingredients and coming back in time was just frustrating for me, not challenging.

8. Text Parser - The early games had no option for a mouse so I understand that a text parser is a must, but still more work should have gone into it (And I know that it is complicated) In the text-parser quests I had to just try any combination of things I could think about, for example, I see a rock so what should I do with it? "Pick rock", "Push rock", "kick rock", "Shove Rock"  you get the hang of it, I remember myself as a kid trying so many things on so many objects which was sooooo frustrating.

Lucasarts on the other hand took the idea of quests from Sierra, but they have built their engine and had an upgraded philosophy which was meant to fix these flaws, well, not on the spot but they fixed their gaming philosophy quite fast.

Although I said from the beginning that Sierra is not to be blamed for the above (IMHO) flaws, as they were the first to invent this genre, which means that they couldn't get those games perfect on the first releases, I still think that they could have learned better and changed their games' philosophy much faster than they did.

How to hack a wordpress site

Just as an example - how one would go about hacking a wordpress site.


  • You go to the site you want to hack and use a sniffer to find the framework the site was built with; I use a chrome plugin for this task (Wappalyzer).
  • Now that we know we stand before a wordpress site, we need to find the login page, for that we will begin with a google search to find the "default wordpress login url" (http://example.com/wp-admin or http://example.com/wp-login.php)
  • If the site owner was clever (be clever!) and changed the default url for the login, we will use a tool like DirBuster (unix only?) to crawl the site in order to find all urls (from them you will recognize the login url)
  • Now that we have the login page we will want to attempt to brute force our way in, but a bruteforce where we try to guess the username AND the password is hopeless as the number of tries is HUGE, so we will try to find the username. In wordpress there is a "feature" called author enumeration where each author has his numeric ID, so just go to the blog's url and add the following to the url "/?author=1" which will show you all of the posts of the first author (probably the administrator). You can keep going with the numbers in order to find all authors, so in our case we will run the following url: "http://example.com/?author=1", and now we have the author = main user name!
  • As we now have the main username, the bruteforce becomes much simpler, we need to guess only the password! So we need a list of passwords, go online and download a good list of passwords.
  • You can also create your own list by using a tool called Crunch to create a file containing a list of passwords. For example if you know that the password is four characters long, and doesn't contain capital letters then you can just create a file with all possible combinations of lower cased letters and numbers using crunch (apparently 71mb of combinations). I used the following command to check this one out: "crunch 1 4 -f /usr/share/rainbowcrack/charset.txt mixalpha-numeric -o wordlist.txt" (1 to 4 long passwords, containing character sets from a file, defining mixalpha numeric as all alpha characters and numbers, outputting the result to a file).
  • For the last stage we will use a tool which will use the username and the list of passwords in order to bruteforce its way into the login page, Hydra is a good candidate for that (xHydra for a gui in unix). The way it works is you give it the login url, the username and password html handlers (IDs), then you supply the username (admin?), and the list of passwords. The last component it needs is the response the page sends when the user fails to login, that way it will continue trying until it doesn't get that response. An example command will look like:
    • hydra -l admin -p passwords.txt -t 7 (threads) -m /wp-login.php:user_login=^USER^&user_pass=^PASS^:failed login (failure message) www.example.com http-post-form (POST method) -- All of the parentheses are my "comments"
  • That's it, with an admin username and password the wordpress site is yours for the taking
  • The downside of bruteforce attacking is that it is going over the network, so it is slow, which means that you can't try using lists which are too large (if you are cracking local passwords which are not over the network then you can use huge lists, but over the network it won't work, it will take months...), so if you don't manage to hack a site using the slim password lists then you must revert to another way of hacking the site
  • Another problem you might encounter is that if the site owner was smart (be smart!) he can eliminate all bruteforce attacks by using a simple plugin which identifies bruteforce attacks and locks your IP; in this case you also need to revert to another method of hacking
  • If you must try other methods, then I would go for exploiting site vulnerabilities
    • Scan the WP site with WPScan
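
The same steps leave clear traces in the web server's access log, which is what the brute-force-blocking plugin mentioned above relies on. The following is an added example, not part of the original post: it flags `?author=N` enumeration and bursts of failed `wp-login.php` POSTs per IP. The log lines, thresholds and function names are constructed assumptions, as is the reliance on stock WordPress answering a failed login with 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2016:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.47"
203.0.113.7 - - [25/Apr/2016:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.47"
198.51.100.20 - - [25/Apr/2016:10:00:03 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2016:10:00:04 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/7.47"
203.0.113.7 - - [25/Apr/2016:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.7 - - [25/Apr/2016:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
198.51.100.20 - - [25/Apr/2016:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2016:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.7 - - [25/Apr/2016:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.7 - - [25/Apr/2016:10:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
198.51.100.20 - - [25/Apr/2016:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2016:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.7 - - [25/Apr/2016:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(line):
    """Return (ip, time, method, path, query dict, status) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(m["target"])
    return m["ip"], ts, m["method"], url.path, parse_qs(url.query), int(m["status"])


def analyze(log_text, enum_threshold=3, login_threshold=5,
            window=timedelta(minutes=1)):
    """Return a list of (ip, finding) tuples in the order they were detected."""
    author_ids = defaultdict(set)   # ip -> distinct numeric author IDs requested
    failures = defaultdict(list)    # ip -> timestamps of recent failed logins
    flagged = set()                 # (ip, finding) pairs already reported
    findings = []

    def report(ip, finding):
        if (ip, finding) not in flagged:
            flagged.add((ip, finding))
            findings.append((ip, finding))

    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, query, status = rec

        # Author enumeration: one client walking through ?author=1,2,3,...
        for value in query.get("author", []):
            if value.isdigit():
                author_ids[ip].add(int(value))
        if len(author_ids[ip]) >= enum_threshold:
            report(ip, "author-enumeration")

        if method == "POST" and path.endswith("/wp-login.php"):
            if status == 200:
                # Assumption: 200 means the login form was re-rendered (failure).
                recent = [t for t in failures[ip] if ts - t <= window]
                recent.append(ts)
                failures[ip] = recent
                if len(recent) >= login_threshold:
                    report(ip, "login-brute-force")
            elif status == 302 and (ip, "login-brute-force") in flagged:
                # A redirect after a burst of failures deserves urgent review.
                report(ip, "login-success-after-brute-force")
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG):
        print(f"{ip}\t{finding}")
```

A single mistyped password followed by a successful login, as from 198.51.100.20 in the sample, is not reported; only the client that both enumerates authors and hammers the login form is.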

Thursday, January 7, 2016

The many hurdles of cracking a WEP network

Goal: To obtain the password of a wifi network encrypted using WEP.


I thought this to be an easy task as I read around the web, but it became a huge task consuming way too much of my time and money, for this task which was actually totally unneeded for me, just a curiosity, well, I may as well write about it.

While crawling around I naturally searched for a windows based solution, early on I found out that there is a consensus about the best wifi cracking suite of programs called aircrack-ng.

While going to their site I found that they say that cracking under windows is much less stable, robust and will never be as good as cracking from linux as windows adds layers of protection which prevent some of the cracking techniques.

Ok, so I will do it using a linux distribution.


I went back to my research and found out about the kali linux dist, it is a distribution based on Debian linux which already contains lots and lots of hacking/cracking utilities.
Which will save me lots of time, so I downloaded a Kali linux virtual machine so I can run it in parallel to my main OS (windows 8).

While working from that virtual machine I found out that my laptop's internal wifi card is no good for hacking other wifis, as a basic prerequisite is to have a wifi card which can go into "Monitoring" mode, which is a mode where it can passively capture wifi packets flying from routers to clients, so most of the wifi cards are no good for that task.

I searched around and ordered a usb-wifi card containing a chipset (ralink 3070) which supports this monitor mode.
After about a month and about 30$, I got my wifi card.

Hooked it up to my laptop and began a painful process of trying to get my virtual machine to control the usb wifi card as if it is physically connected to it, because it seems that my windows machine might recognize it, but doesn't transfer it as it is to the virtual machine.
After many hours I decided to install a kali linux distribution on a usb flash disk, and boot from that disk, that way it should be able to recognize the wifi usb dongle.

Installed Kali OS on a usb flash disk, hooked up the new usb wifi card and ... nothing, it didn't recognize the usb connection, I did everything I could think about, updated drivers, firmware, everything I could find online - to no avail!

I went back to the research and found that most people recommend another chipset (atheros based, exactly this model: AWUS036NHA) for wifi which also supports this "monitor" mode, so off I went to ebay, 50$ and about a month, and this new usb wifi card got hooked to my computer run by my Kali linux distribution from my usb drive.

My USB wifi got recognized out of the box! YAY.
Now to the software part.

I am no newbie to computers, and had many thoughts about moving from windows to linux, at least on my special projects laptop (not on the family computer of course), after the following experience, I finally decided against moving to a linux (ubuntu) distribution.


After doing some reading, I found out that in order to crack that WEP thingy, I need to run about 20 linux commands containing complicated arguments sent to the command line, so I thought to look for a shortcut.
I get the whole linux-geek thing, yeah, it is better to know the ins and outs of every utility I run, but I can't master them all, so I prefer to thoroughly understand the applications which I need for my day to day use, and leave the rest to nice gui based applications, which encapsulate the internal logic, and work with me as a user to satisfy my needs, and not to cover every aspect the command line application can handle.

So I found out that there are only several GUI wrappers for aircrack-ng and even those aren't working well, as they expose so much unneeded functionality.

Let me explain, let's say I am a user who wants to crack a WEP password, so I would expect to fire an application, which will show me all the networks around, I will click on the desired network, will see a progress bar, steadily filling up, and BAM will get the password - nothing more, nothing less.
Instead these linux frontends expose so much internal logic, which is really frustrating.

So, I did find one good frontend for the task called "fern" - this one looks amazing, if it worked on my machine.
For some reason, it didn't manage to turn my wifi card to that "monitor" mode.

So I went back to the command line and thought of doing it the good old command line way, but it seems that there is a problem and airmon-ng doesn't succeed in changing my card to monitoring mode.
After some reading I found another solution:
Shut down the wifi card: ifconfig wlan1 down
Change the mode: iwconfig wlan1 mode monitor
Start the wifi card: ifconfig wlan1 up

Now I started FERN, but still it doesn't work - bye bye fern.

Back to the command line.
So the aircrack-ng suite contains many applications, but for my lean needs I used the following:
airmon-ng: for managing the "monitor" mode (at the end I used the above method instead of this one as it didn't work!)
airodump-ng: view networks & view and dump to a file all packets
aireplay-ng: Injects packets of different kinds to the router so it will be faster to capture packets for this network (this one is optional)
aircrack-ng: Parses the packets from the dump file airodump created, and attempts to crack the password.

So the method goes as follows (crudely):
  • Change the network card to "monitor" mode (airmon-ng or ifconfig + iwconfig)
  • Scan the networks around (airodump-ng)
  • Find the network you want to hack and save the channel, bssid and name.
  • Scan the packets coming out of that wifi network (airodump-ng) and dump them to a file
  • If the capturing of the packets is too slow then you can make it faster by injecting packets to that network (aireplay-ng)
  • After capturing at least 5000 packets, crack the passwords using that dump (aircrack-ng)

Needless to say that I wasn't pleased by this complicated procedure, so I kept searching and found another frontend which is still very complicated for a frontend as in order to work with it, you need to understand way too much about the internals of hacking wep, but still, it is better than the command line, and there aren't any good alternatives, so I used aircrackGUI.
Download: wget https://aircrackgui-m4.googlecode.com/files/AircrackGUI-M4-Ultimate-1.0.0-Beta2-32bits.tgz
Extract: tar -zxvf AircrackGUI-M4-Ultimate-1.0.0-Beta2-32bits.tgz
Run: ./aircrack-GUI
 

Yes, the best tool is already four years old with no updates seen on the horizon.

This frontend works exactly like the command line, it just spares you the need to copy paste the bssid for example and is much more pleasant to the eyes.
It worked only after I got this strange exception that some library is missing:
Download library: wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl0.9.8_0.9.8o-4squeeze14_i386.deb
Install it: dpkg -i libssl0.9.8_0.9.8o-4squeeze14_i386.deb

At the end of this whole venture I found the WEP password as a HEX number, which apparently should be used as is in the password area of the wifi connection (just without the colons), so in order to use it, I removed the colons, then copied and pasted that string to the wifi password form.

That's it.

My conclusions?
  • I should really stick to windows
  • Linux users are very smart guys but IMHO they should learn to build GUI applications
  • Linux GUI applications should be targeted towards the user needs and encapsulate the advanced functionality, instead of exposing all of the command line options in a GUI manner.
  • I don't really need my neighbor's wifi password


EDIT (2016)
---------------
As of this year (2016) I am actively earning 3000$/month from blogging (not this blog, this is for my fun), I have blogged here a big article about my mistakes and my success in getting to that goal (I intend to leave my working job till the end of 2016, living off my blogging), if my success inspires you then please leave me a comment there:
My Personal Journey

Wednesday, January 6, 2016

Single Java App a Day

This idea popped into my head several days ago and doesn't leave me, so although I know I won't have time to implement it in the near future I am writing it down - feel free to steal this idea and implement it!

Basic idea - for an extensive amount of time (a month? two months?) build every day a new java application, as follows:
  • Think thoroughly about the design of the applications as they should have common components spanning over all of the applications, where each app will add its added benefit (the main business logic) on top of the common grounds
  • For example, I want to have all of my applications as javafx gui applications, so I should build a common component with a main content area, a log area below that one, a menu with all common menu items already there (file->save, file->exit, help->help, help->about, help->exit) etc
  • Each application will do an atomic action (KISS)
  • All applications should be open sourced and on github
  • All the common boiler plate should be created before building the first application
  • After creating several applications, I will have to upgrade the boilerplate as I understand better the needs of each application - thus I will need to have an additional maintenance day to upgrade all existing applications to the new boilerplate (a day every 10 days/apps ?)
  • Many applications might be redundant as similar applications might be at large already
  • Before I begin I should have a method to pack each application into an exe or bundle it to a nice bundle while having common maven code for the "Package" task
  • Each application should take a single day only
  • Business logic for each application could be wrapping a java library, wrapping a command line app etc
  • This should be done like a 30 day challenge
  • I might want to build an app which bundles several previous apps
  • Ideas for apps:
    • Parse sitemap
    • Generate Sitemap
    • Parse JSON
    • Parse & Edit CSV
    • Parse Robots.txt file
    • Prime numbers generator
    • Random numbers generator
    • Raffilator (creates a draw between several groups)
    • Synonymizer
    • Currency converter
    • Length converter
    • Temperature converter
    • Image to pdf
    • Simple PDF editor
    • ...
  • The goals of this practice are
    • Changing my mindset from large projects taking months to do anything to simple & quick apps
    • Lots of Java practice
    • Lots of JavaFX practice
    • All open sourced so maybe some of them might catch up and might be useful to the public

Sunday, November 8, 2015

Hacking Tips

You have an encrypted Password and you want to find what it is

A good practice is to encrypt a password using a one-way encryption (a hash), then when the user enters his password, you just encrypt it with the same algorithm and compare the stored encrypted value to the new value; if they are the same then the user entered the right password.

Having the password as encrypted strings is a good measure of security, if you want to find the original password then it is not simple as the encryption works one way only.

But still, in order to find the original password you can try the following:
  • Throw the hashed string to google - you will be amazed
  • Dumb brute-force, by hashing every keyboard sequence using a computer algorithm, the problem with this one is that it is very CPU intensive and it might take a verrrry long time
  • Dictionary attack, doesn't use random keys, but uses real words in order to try and guess the password - this is a much faster method, but if the password wasn't a word or word combination from a dictionary then you are out of luck
  • Rainbow tables - this method is still the regular brute force attack (or dictionary attack), but instead of generating and hashing the passwords as it goes (the actual hashing algorithm takes some time), it uses a huge pre-hashed list of passwords - it costs more in disk space (tables can reach several GBs), but is much faster as it doesn't do any hashing.
Which tool should you use for the above task?
  • Cain & Abel (by Oxid)
  • John the Ripper
  • Many others
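
The storage scheme described above, seen from the side of whoever stores the passwords, as an added example (not code from this blog): a fast unsalted hash next to a salted, deliberately slow PBKDF2 record, showing why a pre-hashed table only resolves the former. The function names, record format, iteration count and sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; raise it as hardware allows


def weak_store(password):
    """Unsalted fast hash: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = secrets.token_bytes(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Re-derive with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256" or not 1 <= rounds <= 10_000_000:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def build_lookup_table(words):
    """Stand-in for a pre-hashed list: unsalted digest -> original word."""
    return {weak_store(w): w for w in words}


def table_hits(stored_values, table):
    """Return the stored values that a pre-hashed table resolves directly."""
    return {value: table[value] for value in stored_values if value in table}


if __name__ == "__main__":
    common = ["123456", "password", "letmein"]  # constructed sample list
    table = build_lookup_table(common)

    weak = weak_store("letmein")
    strong = hash_password("letmein")
    strong_digest = strong.split("$")[3]

    print("unsalted digest found in table:", table_hits([weak], table))
    print("salted digest found in table:  ", table_hits([strong_digest], table))
    print("verify correct password:", verify_password("letmein", strong))
    print("verify wrong password:  ", verify_password("letmein1", strong))
```

Because the salt is random per record, two users with the same password get different stored values, and the iteration count makes each guess against a single record expensive.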


You are out in the wild and desperately need to connect to a wifi?

Try Hacking a wifi network and using it!


Wifi networks have several forms of security (generations of wifi protection)
(weakest to more secure)  WEP, WPA, WPA2 etc

How can you get the wifi password?

  • Use a good tool to detect wifi networks, find a network with a strong signal and weak protection (WEP ?)
  • Don't use NetStumbler as it is old and doesn't support passive detection (which is undetectable)
  • Use a tool like Kismet (best? - also cracks wep), Acrylic wifi, or a simple one like Nirsoft's Wireless NetView
  • Capture packets in order to reveal the wifi password: Aircrack (the best option, although it seems to support only some network cards), please note that this one works on specific network cards and is a suite of tools, so you will need to use several of them for this functionality
  • Or have an all in one solution: Infernal-Twin (python)

Find a username/password to a form online (login?), FTP? or other

  • You might not know the url to the login page so you will want a tool which can get as input a website, then do a crawl (+guess work) over it in order to find the login form (DirBuster, can be also found as an extension of OWASP ZAP)
  • You might need to manually fail one login in order to see the failed login message
  • The site might have some protection for brute force attack (maybe you will need a delay between your attacks?)
  • The actual form hacking tool: 
    • Hydra
    • Medusa (maybe not as good as Hydra)
    • Burp Suite (which is a huge thing, which also supports this attack)
    • wfuzz (worth checking)
    • WebSlayer
    • Brutus (Windows! although dev stopped 15 years ago, has lots of features)
    • Bruter (Another windows tool, with added support for proxies)
    • FireForce (Simpler to use but as it is only a firefox plugin I would doubt the proxy support and the functionality is very limited)
    • Many of the above have the ability to generate lists of passwords according to a regexp or you can just run Crunch to generate your own list of passwords
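
The protection that both this list and the earlier brute-force notes refer to (a plugin that identifies repeated failed logins and locks the IP), sketched from the site owner's side as an added example that is not from this blog or from any particular plugin. The log format, thresholds and class name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2016-01-07T10:00:01 203.0.113.7 admin FAIL
2016-01-07T10:00:02 203.0.113.7 admin FAIL
2016-01-07T10:00:03 198.51.100.20 alice FAIL
2016-01-07T10:00:03 203.0.113.7 admin FAIL
2016-01-07T10:00:04 203.0.113.7 admin FAIL
2016-01-07T10:00:05 203.0.113.7 admin FAIL
2016-01-07T10:00:06 203.0.113.7 admin OK
2016-01-07T10:00:40 198.51.100.20 alice OK
2016-01-07T10:16:00 203.0.113.7 admin FAIL
"""


class LoginGuard:
    """Per-IP sliding-window failure counter with a timed lockout."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, success, now):
        """Return 'blocked', 'ok', 'fail' or 'locked' for one login attempt."""
        if self.is_locked(ip, now):
            return "blocked"                 # rejected even if the password is right
        if success:
            return "ok"                      # counter is not reset; failures age out
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "fail"


def replay(log_text, guard=None):
    """Feed log lines through the guard; return [(ip, outcome), ...]."""
    guard = guard or LoginGuard()
    outcomes = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue                         # skip malformed lines
        stamp, ip, _user, result = parts
        outcomes.append((ip, guard.record(ip, result == "OK", datetime.fromisoformat(stamp))))
    return outcomes


if __name__ == "__main__":
    print(*replay(SAMPLE_LOG), sep="\n")
```

In the sample, the fifth failure from 203.0.113.7 triggers the lock, the next attempt is rejected although the password is correct, and the occasional mistyped login from 198.51.100.20 is never affected.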

Hack a site using a vulnerability (sql injection, xss ...)

  • Find the vulnerability: Nikto, Burp Suite, OWASP Zed Attack Proxy Project, Vega
  • Exploit it: Metasploit



Sunday, October 11, 2015

Run your Java app as an EXE

My current task is deploying my JavaFX app as an EXE application

Why?

Because, unfortunately, "jar" files aren't looked upon (by windows) as executables which one should only double click in order to run, as if jar files are less legitimate than exe applications.

This is not fair!
People don't like running java applications because they then need to install a Java Virtual Machine, but they forget that in order to run those precious C# applications they need to install the .NET virtual machine, because windows does that automatically with windows updates so it is transparent, but fundamentally they are the same, both need a virtual machine installed (JRE for java and .NET for .net apps), and a file association in order to run.

Well, as I won't change the world (although I would love to see microsoft having a JRE installed using microsoft [optional] updates), I searched for a solution which will enable me to "convert" my jar file to an EXE file.


Why Not !?

The whole idea behind the java programming language is that it is a cross platform language, so the same jar could run on windows, mac or linux, but when I convert it to an EXE, it will limit my jar severely, having it run only on windows.

But if this is a requirement then that is what I need to do (and maybe have several releases, one for each platform).


How?

The jar to exe conversion can be done in several ways:
  • An exe can run internally a "java -jar" command (like a batch file)
  • An exe can contain the jar in it internally and run it

Still, special care should be taken with the JRE, which can be taken care of as follows:
  • The exe can rely on the user pre installing a jre
  • The exe can ask for a path to the jre
  • It can parse the system's "JAVA_HOME" environment variable
  • It can be installed with a zipped or unzipped jre (maybe in a subdirectory)
  • It can incorporate the whole jre in the exe
  • It can check for an installed jre upon startup and if not found then can prompt the user to download one


Many options are available for the simple requirement of being able to run a java on windows natively


I am searching for a way to convert my jar to an exe without demanding anything from the user, so I want the whole JRE to be included in that exe as well as the jar, which means that if a user is using windows he will be able to run my app, with no concern that it was ever created using java.

The downside is that my EXE is expected to be very large (at least 50mb) - but I don't care as space is not an issue these days, and of course, it will only work on windows (so the best solution will compile it to all platforms)


Criteria for the application I am searching for:
  • Free (best if it is open source)
  • Maintained
  • Has all features I need
  • Easy enough to use


Solutions I found

The Good
JWrapper - good free option, ended up using this one
Launch4j - Should have worked, but didn't for some reason
Packr - Open source, newest kid in town, but it doesn't incorporate the jre inside the exe, only packs them together (jre in a subdirectory)
Oracle's Bundling Solution as a Maven Plugin - This one was added as an update as I found it only now at 2016 - it just bundles the jre as an external folder but might be worth a try as it looks quite simple to use


The Bad (No good way to use for free)
Excelsior JET - For the rich
Install4j / Exe4j - Looks like a good option if I wanted to spend money


The Ugly
JExeCreator (last version 2012, officially discontinued)
JNC (Old, and site is down)
JSmooth - Last version 2007, doesn't bundle the JRE, has bugs


Conclusion

A maintained project is an important factor in my requirements, a factor I almost always search for, and especially in this application I am searching for as I know that in the next java release (java9 ?), sun wants to incorporate the jigsaw project, which is a way not to use all of the JRE only parts of it, which means in our case, that in order to use this application with Java9, I will need an application which will be updated to support it.

Thus JSmooth (which actually looks very nice, but is really old), JNC and JExeCreator fell off my grid. (although they are free).

All of the paid apps were disqualified (but if I had to choose a paid one I would check Exe4j), although some of them have a trial edition for free, but in most cases it is time limited and without important features and with big notices to buy the full thing.

Which left me with JWrapper, Launch4j and Packr.
Packr is the newest project (github) and looks like a good candidate if it had more features, as currently it doesn't incorporate the JRE into the executable, just points the jar file to run from a predefined JRE which is in a subdirectory of the build - not good enough, but to be fair, its name is Packr, so I guess it does its purpose by packing all the parts together.

Launch4j & JWrapper look like good candidates, but for some strange reason I couldn't get launch4j to work as it should although I did dedicate several hours to try and run it as this is the only truly free candidate.
Which left me with JWrapper, which is a paid app but with a free option with all of the features, the only drawback is a splash screen which appears at the first run - I can live with it.

So I suggest using JWrapper, if you need something else I would suggest looking into Launch4j, and if money is not a problem then go for Exe4j.