English Pages [296] Year 2021
Table of Contents Introduction You Should Read This Book If… Isn't This Illegal? Why Learn PHP? Getting Started Getting Set Up Covering Your Tracks Our First Hack How to Code Creating Your First Program Variables and Data Types Changing Your Program's Behavior with 'If' Statements Writing Functions Function Parameters Return Values Using Inbuilt Functions Scopes String Concatenation Arrays Loops Looping Through an Array Foreach Loops
While Loops Generating HTML Code with PHP Mixing PHP and HTML Mixing PHP and CSS Writing JavaScript with PHP String Operations Dig Up All The Dirt on Your Visitors Introduction to Visitor Hacking What is an IP Address? Get Someone's IP Getting IP Email Alerts Getting Past Tracking Blockers Generating IP Info Links Including a Tracking Script on All Pages Getting Page Information Saving Hits to a Text File Troubleshooting Generating a Timestamp Blocking Our Own Visits Get Everything About an IP Address Getting Device Information Tracking Downloads Storing Tracking Data in a MySQL Database Storing Tracking Data Inside a Database Using MySQL Creating a Database
Saving Information to a Database Using PHP Adding Security Adding More Security Hacking with Tracking Tricking Someone into Giving You Their IP Address Geolocating Hits Identifying Fake IP Addresses Finding Out Who's Behind An IP Address or VPN Identifying Hackers Scaring Stalkers and Hackers Blocking Stalkers and Hackers Use Tracking Data to Prove Stalking and Hacking Weaponizing PHP Making a Fake Login Screen Other Ways to Weaponize PHP A Note from the Author
Introduction I've read many books about hacking over the years and I have been dissatisfied by all of them. A lot of them talk about things like port scanning and packet sniffing, and using tools like Metasploit, or finding shortcomings in a website's user input sanitization. All of the books went into detail about all the things I could do if I were a hacker, but none of them actually explained to me how to become a hacker. After reading at least a dozen books like this over the years, it was like I knew a lot about how to acquire a lockpick, all the things I could theoretically do with a lockpick, and how to use a lockpick, but I still knew nothing about how I could open a locked door. That's why I wrote this book. This book isn't like other hacking guides, where it's like "All you have to do to guess someone's password is port scan them, figure out what server they're using, hope it's running unpatched software with an exploit that you can download online, then deploy it to the open port, then do something with the data to achieve some vague thing." This book won't tell you how to create a password cracker, as if randomly guessing someone's password is even remotely plausible for the average hacker these days. This book won't talk about feverishly trying to find mistakes in a website's input sanitization, allowing you to execute your own code on the site or server, where your main weapon against a target is sheer luck. This book won't actually teach you how to unlock a locked door. The main premise of this book is that an increased focus on internet security has made penetration out of the realm of possibility
for most hackers nowadays. What this book will instead teach you is how to hack people who come to you. These people might be hackers or stalkers lurking on your websites, using tracking blockers and VPNs to keep their activities hidden. They might be people you've lured to your website for a specific purpose, who you can fool into giving you secret data. Or they may be just people already visiting your website that you want to find out more about. Either way, this book will show you how to weaponize your own web pages. To unmask your visitors. To track their location. To get them to reveal things that they might not want you to know. Or, to block them entirely. This book won't only teach you the basic principles behind hacking, it will go the full distance and tell you exactly how to hack people who come to your website and exactly how to get them there. To do this, I'm going to first teach you the basics of PHP – a language we can use to program servers to do our bidding. This sounds scary, but programming isn't that hard, and PHP is one of the easiest coding languages for a beginner to learn. The Getting Started section will give you instructions on how to get set up to start hacking. I'll get you set up with a code editor, an FTP client, and a test server. I'll also teach you how to cover your tracks while hacking, using things like VPNs, free web hosts, hacking browsers, fake email accounts, and anonymous currencies. This section will also introduce you to hacking by showing you how to perform a quick, easy, no-coding-required hack that will let you read the source code of a website.
The How to Code section will be a crash course on PHP programming, teaching you everything you need to know to start writing PHP scripts. I'm going to teach you how to code, and then I'm going to teach you how to hack. Coding isn't scary and I'm going to equip you with the basics that you can use for white hat endeavors too, like getting a programming job. I'll walk you through creating your first program, and then we'll move on to learning about variables, functions, arrays, and loops. You'll also learn how to program your server to generate and manipulate HTML, CSS, and JavaScript code on the fly. By the end of this section, you will know enough about programming servers to start writing your own programs. This section won't include a discussion on best practices, so the scripts you'll be writing in this book won't be works of art. But, they'll work. This book is not intended as a comprehensive book about PHP – we'll simply be using PHP to achieve our own hacking-related ends. The following section, Dig Up All The Dirt on Your Visitors, will teach you everything you need to know to start extracting information from your website's visitors. We'll learn about how IP addresses work and how we can program our servers to extract data from them – even if the visitors are using software to block online trackers. We'll also talk about getting visitor data from third-party services and APIs on the fly and making it available for use inside our scripts. The Storing Tracking Data in a MySQL Database chapter is about saving all of your visitors' information into a database for easy viewing and retrieval. You'll learn about how to use PHP to communicate with a MySQL database
and how to interact with that database using an open source software tool called phpMyAdmin. The next section, Hacking with Tracking, will then explain how to deploy tracking against visitors. It will walk you through how to trick someone into giving you their IP address, how to identify fake IPs, how to geolocate website hits and track people's location, how to trick someone into revealing their real location, how to see who's trying to hide by installing a JavaScript tracker on your website, how to correlate tracking data to infer conclusions about who people behind IP addresses really might be, how to prank people by showing them different content based on reported data like their IP, and much, much more. The final section, Weaponizing PHP, will be all about weaponizing PHP for offensive purposes. This section will show you a way to hijack a website using an iFrame, how to make a fake login screen to trick people into emailing you one of their passwords, how to hijack a contact form, and how to code a backdoor into a web application. I want to note that all the apps, services, and websites mentioned in this book may not be around by the time you read this. If that's the case, it should be easy to find alternatives online. I have made it so that all the guides in this book are written to work with any similar app, service, or website you'd like to use, so the knowledge should still be valid even if the actual tools I'm mentioning have long since been shut down.
I hope you enjoy reading this book as much as I did writing it. - ghost4815
You Should Read This Book If…
You have a cyberstalker and you want to get evidence that they're stalking your web pages and social media, or to find a way to just block them entirely. This entire book was inspired by years of having to deal with my own wild experiences with a cyberstalker, along with dismissive family members, friends, and law enforcement, as well as, later on, fully complicit coworkers who were actively communicating with the criminal. In this book, you will learn how to become your own private detective, allowing you to expose a cyberstalker, block them, and collect hard evidence against them. It’s not uncommon to hear victims report that an ex or ex-friend is still stalking them online 25 years after their last in-person contact. If that is your situation, first off, I'm really sorry. And second, the guides in this book will help you take a proactive approach to dealing with the threat, to get this person to leave you alone, or, failing that, to gather enough evidence to put them in prison if it goes on long enough to become a criminal matter.
You're a member of law enforcement and you want to learn how to deal with cyberstalkers, hackers, or pedophiles who are using tools such as Virtual Private Networks (VPNs), Virtual Private Servers (VPSs), or tracking blockers to stay anonymous online. You might also want to learn how cybercriminals can weaponize the internet against their victims, allowing you to spot cybercrimes in the future. You'll discover all sorts of interesting ways to expose cybercriminals even though their IP address is bogus, allowing you to bring them to justice no matter how hard the bastards try to stay hidden.
You're looking for a fun way to get started programming PHP – or programming in general. I will show you not just the basics of programming, but I'll also give you activities that will force you to put what you've learned together to produce results you actually care about.
You're looking to get a better idea of who is looking at your websites now that tracking blockers are going mainstream. You might suspect that there are way more people looking at your web pages than you know, and you'd like a way to find out if you're correct.
Your website is being hacked and you want to get a better idea of what intruders are doing and how to stop them.
You're interested in hacking generally. You want to find out exactly how hackers can fool you into revealing your personal data online or compromise your cybersecurity, allowing you to help secure yourself against it.
In this book, I will assume that you have at least a basic knowledge of web programming. You've built a simple website before. You know what an HTML file is. You know how it's structured. You'd know what I mean if I mentioned something like the 'root folder' or the 'head tags' or the 'script tags'. If you know the basics of HTML, you shouldn't have trouble following the guides in this book at all. If you know a bit of CSS, all the better, but you could easily get by without it.
Isn't This Illegal?
This book will teach you how to push the limits of everything you can do to achieve things that you really shouldn't be able to do. Nothing in this book is illegal, and you won't learn how to become a master hacker by reading it, but it will show you how to deploy simple things in creative ways to see and do things you really shouldn't be able to. This book is mostly focused on getting readily available information from servers and IP addresses. It will not primarily be about gaining access to unauthorized materials, even though some sections will get you 90% of the way to doing so. The key to this book is to perform hacks that are unseen. Usually, our victims will willingly give up their data. Other times, they'll give it up without realizing that they've been hacked and they will probably never figure it out. We don't need fancy anonymous servers to launch our attacks. Most of the time, our visitors won't know they've been hacked at all.
Why Learn PHP?
PHP is a server-side programming language. By writing PHP code, you're literally programming a remote server to do your bidding. The instructions that you write tell the server how to build the page that the user has requested from their browser. This is cool because it allows us to serve dynamic pages to users, rather than static HTML pages with content that doesn't change.
Here's a simple way to illustrate this concept. Way back when I was a scriptkiddie who didn't know how to code, if I wanted to make a website with a dark mode, I might have done something like this. I would design two versions of the site in HTML and CSS – one with black text on a white background, and one with white text on a black background. I would then have a hardcoded link at the bottom of each page that said something like 'Toggle Theme'. That link would point to the opposite version of the website currently being viewed. The light version of the website could be accessed at http://light.mywebsite.com, and the dark version of the website could be accessed at http://dark.mywebsite.com.
Now, I never actually did that, but, if I didn't know HTML, CSS, or JavaScript, that's the kind of stunt I'd have to pull to make a feature like that work. This is a nightmare for a number of reasons, the biggest being that if I wanted to make a change to the website, I would have to make the change to both versions, making maintenance hell.
If I knew a server-side programming language, however, a feature like this would be way easier to accomplish. All I'd have to do is write a simple script on all my web pages that would do the following:
1. Get the current time.
2. Check if that time is before or after 6pm.
3. If the time is before 6pm, give the page a white background and black text.
4. Or, if the time is after 6pm, give the page a black background and white text.
Now, there are more than a few issues with this idea (the biggest one being that you can't actually get the user's current time in PHP; you only have access to the server's) but it is sufficient to illustrate my point: you can use a server-side programming language to add dynamic content to your pages. Other examples of adding dynamic content to your pages could be:
Setting a cookie on a user's computer and, if the script detects its presence on page load, changing the greeting at the top of the page to acknowledge that the user has been there before.
Fetching the current weather conditions from a third-party service and, if it's raining, triggering a rain animation on the background of every page on a website.
Fetching the user's current location and showing them local traffic information on a map website.
Another advantage of learning a server-side programming language is that it allows you to interact with your server's file system. A basic example of how we might take advantage of this feature is to code a very crude visit counter on a web page. Here's how we'd implement it:
Every time the page loads, open a text file called 'visit_count.txt' that's saved in the root folder of our server (or, if it doesn't exist already, create it).
Read the contents of the file, which will be a number.
Save that number into a variable (we'll get to those later).
Increment that number by one.
Then overwrite the contents of visit_count.txt with the new number and close the file.
When the page loads, output the new number to the bottom of the web page, where it might read: '1001 people have viewed this web page'.
Being able to create, read, and write files on a server is an extremely powerful thing because it can make the state of a website persistent, either entirely or for individual users, and file operations are a flagship feature of a server-side language like PHP.
PHP also has an advantage over languages like JavaScript for hackers in that it doesn't leave its source code visible to the end user. When a user views a web page coded with PHP, the user won't be able to see any of the server code that was used to build the page. They'll only be able to see the result of the backend code in the form of HTML, CSS, JavaScript, and text. All of your PHP hacking scripts thus can't be analyzed by the user, allowing you to keep all your tricks up your sleeve. By learning PHP, you will be able to command the full power of a server to write dynamic programs that visitors will use, either to their delight or their chagrin.
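The visit counter steps listed above, written out as an added example that is not code from the book, with an exclusive file lock so simultaneous page loads do not lose counts and a check that the file really holds a number. It assumes visit_count.txt sits in the same folder as the script, and the function name bump_visit_count() is made up for this example.

```php
<?php
// Added example, not the book's code: the crude visit counter from the text.
// Assumptions: visit_count.txt lives beside this script, and the function
// name bump_visit_count() is hypothetical.

declare(strict_types=1);

/**
 * Increment the number stored in $path under an exclusive lock and
 * return the new value. Throws RuntimeException on open/lock failure.
 */
function bump_visit_count(string $path): int
{
    // 'c+' opens for reading and writing, creates the file if it does not
    // exist, and does not truncate it, so the old value can still be read.
    $fh = fopen($path, 'c+');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }

    try {
        // Without an exclusive lock, two page loads arriving together
        // would both read N and both write N+1, losing one visit.
        if (!flock($fh, LOCK_EX)) {
            throw new RuntimeException("cannot lock $path");
        }

        $raw = trim((string) stream_get_contents($fh));

        // Only accept a short run of digits. An empty (new) file, or a
        // file that was hand-edited or corrupted, restarts from zero
        // instead of being trusted or overflowing the integer.
        $count = (ctype_digit($raw) && strlen($raw) <= 15) ? (int) $raw : 0;
        $count++;

        // Overwrite the old number with the new one.
        rewind($fh);
        ftruncate($fh, 0);
        fwrite($fh, (string) $count);
        fflush($fh);
        flock($fh, LOCK_UN);

        return $count;
    } finally {
        // Closing the handle also releases the lock if an error occurred.
        fclose($fh);
    }
}

$count = bump_visit_count(__DIR__ . '/visit_count.txt');
?>
<p><?= $count ?> people have viewed this web page</p>
```

The web server's user needs write permission on the counter file, and because the file sits inside the web root, any visitor can also request visit_count.txt directly and read it.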
Getting Started
Getting Set Up There are three things you'll need to get started programming with PHP: a code editor, a server, and an FTP client. A code editor is a program that will help you write scripts and applications. A server will allow you to test, run, and deploy code. An FTP client will enable you to easily upload code to a server. The first thing you need to know about coding in PHP is that PHP code is just text. The text itself is not special. You don't need anything fancy to write that text. You could write code in Notepad or Microsoft Word and the interpreter wouldn't care. What you use to write your code is entirely up to you – the thing that makes the interpreter read your text as PHP code is the .php file extension, but more on that later. Even though you can write PHP code using any text editor, you will definitely want to install a code editor. A code editor is a text editor designed for programmers. A code editor makes the experience of writing code faster, easier, and just all around nicer. The first advantage of installing a code editor I'm going to tell you about is shallow, but it's probably the one that you'll be most likely to care about at first. One of the main advantages of using a code editor for me personally is that it's more atmospheric than a text editor. Eighty percent of the reason I love Visual Studio Code – my code editor of choice – is that it just looks
cool. The Abyss theme's light blue text on a dark blue background is not only extremely easy on the eyes, but it makes you feel like a real programmer. It really sets the mood for all your work. Another advantage of using a code editor is syntax highlighting. This feature is designed to recognize parts of your code and differentiate them visually, making your scripts way easier to read. For example, in Visual Studio Code with the Abyss theme turned on, it's easy to see all your functions because it automatically highlights function names in yellow. This means that, if I'm scrolling through a long document trying to debug something related to my functions, I can easily see where all the functions are at a glance. Perhaps the most useful feature of a code editor is something called linting. As we'll see in later sections, all computer code must follow a specific format so that the machine knows what to make of the instructions you're trying to feed it. Code editors are aware of these formatting requirements, and are designed to highlight mistakes when you accidentally break them. For example, if you forget to end one of your PHP statements with a semicolon, your code editor might tell you what your mistake was and what line it's on so you can go back and fix it. When you scroll to that line, it will be easy to spot your mistake, since your code editor may have underlined it for you. I'm not very observant so I tend to make stupid, little mistakes a lot when writing code. Linting is probably one of the main reasons I can get my programs working in a reasonable amount of time at all. Another useful feature code editors have is code autocomplete, something
that suggests the next piece of code you should write based on what you've already written. I find this extremely helpful when writing CSS, as I can never remember off the top of my head what value options I can use for element properties like position and display.
As you may expect, the code editor I'm going to recommend you download is Microsoft's Visual Studio Code. It is hands-down the best code editor I've ever used. It's fast. It's beautiful. You can run it on Windows, Mac, or Linux. And it's free. Just Google 'download visual studio code' to get it.
The next thing you'll need to get started is a server. As PHP is a server-side programming language, PHP will not run in a web browser offline without jumping through some hoops. HTML, CSS, and JavaScript code will be happily executed by a browser locally, but PHP code requires a server with the PHP interpreter installed to run. If you try to run your PHP scripts in a browser without a server, the browser won't have a clue how to execute your code. PHP needs to be served by a server, otherwise it won't work.
The easiest way to get a server is to buy some server space from a web hosting company. When you buy hosting space from a web hosting provider, what you're actually doing is buying space on a remote server somewhere in the world. The server that your website is hosted on is often shared with many different websites, each of which also has its files and data stored on it, and all of which share its resources like CPU time and RAM. That's unless you purchase dedicated hosting, which means that the server is all yours.
When you buy some hosting space, you can easily upload your scripts and test them there. I use Hostinger as my web host, but there are many other great options out there. Make sure that any server space you buy, anonymous or otherwise, has PHP 7+ installed. This book is written with this version of PHP in mind, and some code may not run if you're using an earlier version of the language. While buying some server space is the easiest way to get yourself up and running with a test server, there is a better way. That better way is installing a virtual server on your computer. This is a good idea because it allows you to test your code without going through the headache of uploading your files to a remote server via FTP to test every change you make. Even if you have the fastest internet connection in the universe, testing your code that way will quickly make you lose the will to live. By installing and launching a virtual server, you can run PHP in a browser. Virtual servers allow web developers to build and test their websites offline before deploying them live. Virtual servers are also called local servers, because they allow you to simulate a server locally. There are a number of programs that will simulate a server on your computer. I highly recommend AMPPS. I've been using it for years and it's always gotten the job done. It works on Windows and Mac and you can easily find a download link on Google. Once you've installed AMPPS, all you have to do to run your PHP scripts and websites offline is type 'localhost' in your browser's address bar. That address will point to a special folder on your computer that will act as the root of your virtual web hosting. To find that
folder, just fire up AMPPS and click the big folder icon in the row of icons at the top. Say you want to run your PHP script, which is called myphpscript.php. All you have to do is put your script in that folder, and you can now access it by typing localhost/myphpscript.php in any of your web browsers' address bars. Even though testing is easier on a local server, I would still recommend buying yourself some hosting space. By using a web host like Hostinger, you'll also have easy access to phpMyAdmin, something that will make working with databases in later sections of this book a breeze. The last thing you'll need to get set up and ready to start hacking is an FTP client. This is a piece of software that will establish a connection between your computer and a remote server, allowing you to transfer files to and from that server using the File Transfer Protocol. Your hosting provider will almost certainly have a dedicated place in its admin panel to upload files (in Hostinger it's called 'File Manager'), but an FTP program will make the process of uploading files to our server much nicer. There are many FTP clients out there available for download, both free and paid. I use an app called Transmit as my FTP client but FileZilla is an excellent free alternative (it also works on Windows). Once you install one of these programs on your computer, all you have to do to connect to your server is supply the host/address name, along with your FTP username and password, and a port number. You can find this information inside your web host's hosting admin panel, usually under a section called something like 'FTP Accounts'. Note: You don't need to use FTP for your local server.
Covering Your Tracks Now that you're up and running, I'm going to describe a few methods to minimize the ways someone can connect your real identity to your hacking activities online. Note I said 'minimize' rather than 'eliminate'. It's very difficult to remain anonymous online these days, since most services like email providers and web hosts require a valid phone number to sign up. Still, it is possible to remain pseudonymous, which means that, unless you give someone like the police a serious reason to track you down, you'll be able to fly under the radar. If you are reading this book to defend yourself against or track down cybercriminals, this section will give you invaluable insights into how cyberstalkers and hackers stay anonymous online and avoid law enforcement. The first tip I'll give you is to install a dedicated 'hacking' browser. This will be a browser that is entirely separate from your regular web browser. You should use this browser to do things like manage your attack servers or check your fake email accounts, and you should use it for nothing else. Keeping your hacking browser separate from your regular browser prevents things like cookies and your other account logins from linking you to your fake online accounts. Take Google for example: if you're logged into your fake Gmail account and your regular Gmail account in the same web browser, Google might be able to say 'both of these accounts are linked to the same cookie and the same IP address, therefore they must be the same user'. You can avoid these situations entirely by installing a different browser that you use only for
hacking. There are a number of alternative browsers you could install on your computer. The ones that are arguably the most useful for hacking are Opera and a new web browser called Brave.
Brave is definitely my pick for hacking. It's built on the same rendering engine as Google Chrome, meaning that it should be familiar right out of the box if you already use Chrome. You can also install any extensions that work on Chrome in Brave. The best reason to use Brave as your hacking browser, though, is that it blocks online trackers by default. As we will see throughout this book, blocking trackers entirely online is impossible, but using Brave will still block the vast majority of them, something which will come in handy when the stakes are high and you're trying to stay anonymous online. By using a browser that blocks trackers by default, the chances of you getting caught by a tracker while doing something you shouldn't go down by a good margin.
Brave's default New Tab page gives you a summary of how many trackers you have blocked online during your entire time using the application. I have been using Brave to surf the web for over a year now and, in that time, the browser has successfully blocked over 500,000 scripts from tracking me. Brave also includes built-in ad blocking, something that should also upgrade your ability to stay anonymous online, since online advertising is what tends to track you the most. If you really want to go nuclear, Brave also has a feature to block JavaScript entirely, either globally or on a per-site basis. Since the vast majority of tracking scripts are written in JavaScript, this will further help you stay anonymous if the stakes are really high.
Opera doesn't block tracking by default, but it can be configured to do so inside its settings panel. It also comes with a free, inbuilt VPN that you can use to disguise your IP address. I wouldn't recommend using this VPN for a number of reasons, mostly because it only works inside Opera and thus won't keep the other internet activity on your computer (e.g. your email client) from leaking your real IP like a dedicated VPN would. Once you've installed a hacking browser, the first thing you'll want to do is configure it to make it as secure as possible. You can do this in Brave by going into the settings screen and clicking into the 'Shields' section. The first thing you should do here is set tracker and ad blocking to 'Aggressive' so that Brave will block any scripts that could be potentially used to track you online. Then, disable cookies by default. Cookies can be used to track you as you move around the internet. We'll be employing tracking cookies in later sections to do just that, but we don't want it to happen to us, so cookies need to go. Disabling cookies may break the functionality of some websites, but we can enable them for individual sites using the shields menu located at the end of the address bar. After you've done this, go into the 'Get Started' section of the settings panel and make sure that the browser is configured to open the new tab page on startup, rather than continuing where you left off. If the browser is set to open the pages you were looking at when you closed it last on startup, one day you will accidentally launch Brave without your VPN on, and it will happily start loading what you were looking at the last time you used it, even if you were
right in the middle of a hack. Making sure that Brave doesn't open the last thing you were looking at when you last closed it will ensure this never happens. The last thing you'll want to do is configure Brave so that it automatically clears all your browsing data on exit. To do this, go to the 'Additional Settings' section of the settings panel, then hit 'Privacy and security'. Then, click 'Clear Browsing Data' and a popup should appear. Go to the 'On exit' tab and then tick everything you want Brave to wipe out when you quit the browser. At the very least, I would recommend clearing cookies and other site data on exit, but you'll probably want to clear your browsing and download history and everything else if you really want to be safe. The shield menu at the end of the address bar (the orange lion's head icon) mentioned before will allow you to change Brave's settings on a per-site basis. You can change the level of tracking for the website you're looking at, you can disable or enable scripts for that domain, allow or disallow cookies on that website, and more. The key to running a hacking browser is to never log into any of your regular accounts through it. Use your real accounts in your regular browser, and conduct your hacking activities through your hacking browser. The second method of reducing the ways someone can connect your real identity to your hacking activities online is to create a new user account on your computer, or change the name of your existing one. Occasionally, a
hack may expose your computer's local file system paths. For example, if you download an enemy website to examine its source code offline, and you accidentally run the HTML file inside your browser, if that website has a JavaScript tracker installed, it may report the full URL of the visited page to the website's owner. If you made the mistake of giving your computer's user account the same name as your real name, the owner of the website might see something like this:
Visited URL:
C:\Users\Jasmine%20Ball\My%20Secret%20Hacking%20Folder\index.html
If your real name is Jasmine Ball, this might be bad. The way to get around this is to name your computer's user account something obscure. If you renamed your account 'SecretUser', then the website owner would see this if you accidentally leaked your local filepath:
Visited URL:
C:\Users\SecretUser\My%20Secret%20Hacking%20Folder\index.html
You could go nuclear and just use an entirely different computer to carry out your hacking activities, but renaming your user account, or creating a
separate one from your regular account under a different name, is a more practical way to go. The third tip I'll give you for staying anonymous online is getting a VPN. We'll have a look at VPNs more closely in a later chapter, but, suffice to say, getting a VPN is the single best move you can make to stay anonymous online, and I'll illustrate why with an anecdote. I was a huge Stargate fan when I was a kid. I loved SG-1 and its spinoff, Stargate Atlantis. So, when the third spinoff of the franchise, Stargate Universe, was announced, I desperately wanted to watch it. Unfortunately, it wasn't available legally in Australia when I wanted to do this way back in 2009. So, I, like most people in that situation, started illegally downloading the show via a torrent client. A few weeks after I downloaded a horrifically low-quality bootleg of SGU's first season, I got an email from MGM titled "Notice of Unauthorized Use of Metro Goldwyn Mayer Property". It stated that they were monitoring the IP addresses of everyone illegally downloading that file online, and that they got my details from my ISP, who happily told them that I was the person behind one of those addresses. Here was the evidence they provided in the email:
Evidentiary Information:
Notice ID: 214-1542445
Initial Infringement Timestamp: 30 Nov 2009 16:22:36 GMT
Recent Infringement Timestamp: 30 Nov 2009 16:22:36 GMT
Infringers IP Address: 115.70.74.144
Protocol: BitTorrent
Infringed Work: Stargate Universe
Infringing File Name: Stargate.Universe.S01E07.HDTV.XviD-NoTV.avi
Infringing File Size: 366935682
Bay ID: 3035513946c25436cc33f293bfc72d9201257ac3|366935682
Port ID: 25455
Infringer's DNS Name: 144.74.70.115.static.telstra.com.au
URL (If Applicable): http://tracker.openbittorrent.com/announce
If I had used a VPN while downloading this file, though, MGM would've had a much harder time trying to track me down. I could've used it to hide my real IP address, and, rather than MGM seeing an IP address from an Australian ISP that they could get my details from, all they might've been able to connect my fake IP address to was a server sitting in a building somewhere in Norway. The company that owned that server may not keep logs, and may not be even remotely receptive to honoring a foreign company's request to access their server logs. Using a VPN can provide some serious protection online, by hiding the one thing that can link you to all your online activities: your IP. As we will see, obfuscating your IP address in this way won't protect you from a determined hacker, but it will still go a long way to separating your real identity from your activities online. Using a VPN also provides the benefit of encrypting your traffic from anyone trying to intercept and analyze it. If your ISP is trying to snoop on your internet traffic, for example, all they will see is a stream of seemingly random letters and numbers, rather than the raw, unencrypted data that's coming and going from your computer. NordVPN is probably the best VPN out there at the moment. It's fast, secure,
and it has thousands of servers to choose from all over the world. You could route your connection through servers in almost any continent or country, and anyone tracking you might think you're coming from Norway, Russia, the Netherlands, or even Antarctica! The downside to using Nord is that there's no free tier, so you'll have to pay to use it. If you don't want to give them your credit card number, you can pay with cryptocurrency, or you can purchase a subscription in a retail store. You can view all of Nord's payment options by visiting
their website here:
https://support.nordvpn.com/Billing/Payments/1047406772/What-paymentmethods-do-you-accept.htm. If you don't want to pay for a subscription, though, there are some excellent free alternatives out there. I highly recommend Windscribe and ProtonVPN. Whatever VPN you choose, make sure it has an inbuilt kill-switch. This will make it so that, if your VPN connection accidentally drops out while you're using it, it will kill your internet connection entirely until it's back up. This means that your computer won't fall back to using your real connection for the duration of the drop-out, leaking your real IP. Another way to help stay anonymous online is to sign up for a free email account, with a fake name. You'll definitely want multiple email accounts under multiple aliases to conduct your hacking activities online. Most free email services require you to provide a phone number in order to sign up, which makes them risky, so I'd avoid email entirely where possible. But, using an email that's not your primary one is still a good idea. ProtonMail is a decent choice as it encrypts all of your communications by default, making it
a great option for staying anonymous. You may decide at some point to sign up for a fake Google Account. Google will ask you for a mobile phone number, and they won't let you set up your account without one. Even if you sign up for a Google Account, you'd need to be doing something pretty serious for Google to release your data to the authorities. You have to decide whether or not putting your real phone number in there is worth the risk. Another tip for staying anonymous: get some pseudonymous web hosting. Behind every domain name online is an IP address that corresponds to the server that is hosting the website the domain points to. You can find out the IP address of any website by simply opening Terminal (if you're on a Mac) or Command Prompt (if you're on Windows) and typing ping, followed by the domain name. If I wanted to determine the IP address of one of the servers that is hosting Pornhub, I would type:
ping www.pornhub.com
... into my Mac's Terminal application. Here's what I got in response when I did this just now:
ping pornhub.com
PING pornhub.com (66.254.114.41): 56 data bytes
64 bytes from 66.254.114.41: icmp_seq=0 ttl=56 time=39.383 ms
64 bytes from 66.254.114.41: icmp_seq=1 ttl=56 time=44.465 ms
64 bytes from 66.254.114.41: icmp_seq=2 ttl=56 time=48.078 ms
64 bytes from 66.254.114.41: icmp_seq=3 ttl=56 time=45.041 ms
64 bytes from 66.254.114.41: icmp_seq=4 ttl=56 time=39.581 ms
64 bytes from 66.254.114.41: icmp_seq=5 ttl=56 time=46.837 ms
The real purpose of 'pinging' is to test whether or not a server is reachable by sending it small amounts of data and then measuring the amount of time it takes to respond. That's what most of this returned data is about. The main take-home from this for our purposes, though, is that IP address: 66.254.114.41. Our ping command has revealed that Pornhub is at least partially located on that server. It may share that server space with other websites, or it may run on a dedicated server. I would say it's running on a dedicated server since, if I type 66.254.114.41 into my browser's address bar, it goes straight to Pornhub. The reason all of this is important is that, if you, say, hosted your attack scripts on the same server as your personal website, all someone would have to do to link the attack server to you is to ping both your personal website and your attack server and see if the IP addresses match. This may not prove conclusively that you're behind the attacks, but it's a good starting place to prove who's responsible, especially if your target is already somewhat likely to suspect that you're behind it.
The way to get around this is to get another server that we can use to deploy our hacks. Ideally, we'd want the company hosting this server to know nothing about us or our identity. You can easily sign up for a free web host with a fake name and email address, but you'll probably need to give them a phone number and they may make it difficult to sign up through a VPN. I'd recommend 000webhost but there are many other options out there. Because 000webhost is designed to eventually upsell you, they have all the features of a regular web host, such as access to phpMyAdmin, something we'll be using throughout this book. 000webhost will make you choose a name for your website, which will be a subdomain of 000webhost unless you decide to connect a domain. You can choose any name you want (providing it hasn't been taken). If you're just making a general attack server, I'd recommend something like a random sequence
of letters and numbers as your subdomain, such as: hh142517.000webhost.com. This is much better than
myrealname.000webhost.com. By signing up for a free web host, you will get access to a partition on a server that is shared by many other websites. You can ping your new website to find out what its IP address is. You might be interested to know what other websites are sharing your server's IP address. You can find out which ones are by doing a reverse IP lookup online, using a tool such as the one at: https://hackertarget.com/reverse-ip-lookup/. If many other websites are sharing your server, they may muddy the waters if someone is trying to identify the source of your hacking via your server IP. The first thing you'll
want to do when signing up for hosting space is to disable directory listings in your .htaccess file, or whatever the equivalent is on your server. If you're being hosted on an Apache server (most servers run Apache), just add these lines to your .htaccess file to prevent directory listings:
Options -Indexes
We'll have a look at why this is important later on. Another great way to help keep your real identity separate from your hacking activities is to use anonymous currencies to pay for stuff online. You can use Bitcoin for this, but it's complicated and it isn't 100% anonymous, especially if you use an exchange like Coinbase. Prior to the internet, if you wanted to make an anonymous purchase, you'd use cash. That was before eCommerce took off and many things that you might want to purchase anonymously could only be paid for via PayPal or a credit card. There is still a way to more or less use cash online, though: you can use a VISA gift card, paid for with cash. Almost all payment processors will take a VISA gift card as if it were a real credit card. That way you don't have to give the payment processor your real credit card information, something which will require you to give them your real name and address. To make an online purchase with a VISA gift card, all you have to do is enter the card number, expiry date, and the 3 digit CVV code on the back. If the website wants to know the name on the card, just enter 'Gift Card' in the name field and it should work, something that still
surprises me to this day. There's a reason that scammers from India always want you to pay them with gift cards: they're a loophole in the payment system that may never get closed. They're too useful and lucrative to ban but they're also a great way to transfer money overseas anonymously or to make anonymous purchases online. The key to successfully purchasing a VISA gift card is to do it at a store far away from your house, and while trying to avoid being seen by cameras, and to only ever pay for it in cash. I would assume that companies who make gift cards keep track of what cards were sold at which store, and they can query that information using the card's unique number. They may even know the exact time the transaction took place. If so, they may be able to look at security footage to identify both you and your vehicle. Keep this in mind when purchasing the card. There are all kinds of gift cards you can buy that you can then use anonymously. It might be interesting to go to your local supermarket to check out what kinds of cards they sell; you might be able to pay for more stuff online with cash (or what is essentially cash) than you'd thought.

Another random tip I'll give you to stay anonymous is to change your writing style. You never know what personal writing quirks might give the writer away. I personally tend to use 'that' a lot, and I almost always use the Oxford comma. I try not to do this stuff when producing text in the process of hacking, to limit people's ability to connect it to me on that basis.

And another random tip is to not talk about your hacking activities offline. The worst mistake you can possibly make when trying to stay anonymous is to trust or confide in people in your real life about what you're doing. Never breathe a word of it to anyone, even if it's just in good fun. One day it might
not be just good fun, and then you'll seriously regret having said anything. Also, definitely encrypt your hard drive. If you're on a Mac, this can easily be done through FileVault with just a click. If you're on Windows it's a bit trickier, but Google should be able to help. Encrypting your hard drive means that if someone wants to extract the data from your computer, all they'll get is garbled information that is useless without the decryption key or a password. The last tip I will give you in this section is to accept the fact that sometimes you can't be entirely anonymous. The internet is so riddled with tracking that it's very hard to do anything without leaving a digital fingerprint. The key to evading the law is to not do anything illegal and, if you do, to do something that's not worth chasing up. Sometimes, when you're doing really high risk stuff, the key to a successful hack isn't to avoid getting caught, it's to fully accept the consequences of getting caught and to proceed regardless.
Our First Hack
Before we get into the weeds of learning how to code and describing different approaches to hacking, I want to show you something that will whet your appetite a bit. I'm going to show you something with which you may already be familiar. This trick will allow you to go to any website and force it to expose half its secrets. What I'm going to show you is how to easily view any website's frontend source code.

Here's how to do it. First, navigate to any website. Then, right click and hit the option to view the page's source. On Chrome and Firefox, the menu item is called 'View Page Source'. On Safari, it's called 'Show Page Source'. Either way, once you've hit that menu option, a new page or panel will open. That page or panel contains all the source code for the frontend of the website. This is the code that is used to generate the side of the website that you see.

This code is a mix of HTML, CSS, and JavaScript. At the most basic level, the code you can see here is used to lay out, update, theme, and add interactivity to a web page, as well as communicate with the server. This differs from backend code, which is used for generating the page to be served to users, communicating with databases, performing file operations, sending emails, and performing a whole bunch of other tasks that frontend languages like JavaScript either can't do or aren't suited for. Every website uses a combination of frontend and backend code to create the final experience that you see.

What can we learn about a website from looking at its HTML, CSS, and
JavaScript? As it turns out, we can learn a whole slew of things that the owners of the website and/or the people who built it might not necessarily want us to know. Here's some code that you can find on one of my websites, in a script called gallery.js that, surprise, surprise, controls the logic of my image galleries:
function request(id){
    $.ajax({
        url: "/tracking/tracking.php",
        data: {
            gallery_view: id
        },
        type: "POST"
    });
}
This is an AJAX call in jQuery (a framework that makes writing JavaScript easier). You might not understand much of what you're seeing, but you might still be able to look at the words you can read and discern a few interesting things about how the website operates. AJAX stands for Asynchronous JavaScript And XML. That sounds scary, but it's just a way to send and receive data from a server after a page has loaded. Normally, as soon as a web page is done loading, the server's job is done, and it's all up to HTML, CSS, and JavaScript to talk to the user from there. AJAX
is a way to, for example, run a server-side script when a user clicks a button or hits a keyboard key. Knowing that that's what AJAX is for, we can see that this piece of JavaScript is calling a script called 'tracking.php' on the server. By looking at the page source, we can already tell that this page is tracking us with a server-side script, and that the language the backend is written in is PHP. If we find references to this function in the code that runs when someone clicks the 'Next' and 'Previous' buttons in an image gallery, we can therefore say that this page is tracking what images we're looking at as we're browsing through albums, sending the id of those images to the server as POST data. You might not know the page is doing this as a regular user of the site, but now you do. By looking at this piece of code, we can also get an idea of the website's structure on the server. Here's the path to the tracking script that the AJAX function is calling again:
/tracking/tracking.php
The slash at the beginning of the path denotes that this is a root-relative filepath: the filepath that follows begins in the website's root directory. If the website in question is www.mywebsite.com, the browser will resolve that link to www.mywebsite.com/tracking/tracking.php. Visiting that link directly may invoke the tracker script, or it may produce an error that will reveal more
information about how it or the website works. Rookie coders don't often anticipate their scripts being accessed from outside their programs, and may forget to program in any behavior to handle this case, so sometimes you can see interesting things by doing this. Visiting the folder that contains tracking.php might be even more interesting. When you visit a folder on the internet, the server will automatically look for an index page inside that folder to serve to the browser. This page is most likely named index.htm, index.html, or index.php, but there are other index page names and file extensions that are considered valid by different servers. Here's the interesting part, though. If there is no index page inside a website's root directory or subdirectory, and if the website's .htaccess file hasn't been configured to throw a 403 forbidden error or to serve a default page, the website will simply display a list of files in that directory! Because a web browser is, at its core, just a remote file explorer with a built-in rendering engine, you might begin to traverse the directories of the website as if you were looking at files on your own computer! Depending on the nature of the website you're trying to hack, this might reveal all sorts of things. I have personally found things like business client lists with names and addresses, files containing database usernames and passwords, access logs, and many other things, just because someone forgot to include an index page inside one of their website's subdirectories. Granted, these things could still be accessed directly via their URL (e.g. www.mywebsite.com/authentication/password.txt),
but the chances of someone guessing that URL and navigating to it to steal sensitive data are minimal. Security through obscurity here would work in 99% of cases. But, it made it so much easier to just get a list of all the files within a subdirectory, and to be able to just click the files that contained sensitive data. It's remarkably common for websites to be vulnerable to this sort of attack, especially ones built by younger web designers who lack security knowledge or slipshod developers who just want to get paid.

There are many other things you can discover about a website by looking at its page source. You might not be able to read most of it, so concentrate on the things you can understand. Page source code is almost invariably littered with English words that reveal something about the website's functionality. You might be able to read the website's external CSS and JavaScript files. Some JavaScript is as straightforward to read as you can get. It's not hard to tell what the line alert("You have been logged out."); does, even to the non-coder, so you might get a lot of mileage out of going through a website's JavaScript code. You might also be able to tell what the site is built with by looking for references to popular content management systems like Joomla! or WordPress. Or you might be able to figure out what (if any) tracking solutions they're using by looking for references to things like Google Analytics or Statcounter. You can sometimes find URLs from where the website is pulling its data, and visit those to see things the owners may not want you to see.

You might also be able to read comments from the developers who built the site. Comments are phrases written in non-computer languages like English which are commonly used to help the developer understand the code they've written in the future, long after they're done with
it and have forgotten how it works. Some of the comments in the source of the main web application my workplace uses internally are somewhat amusing, with the app's developers occasionally leaving comments like:
//I'm not confident in how this function works anymore…
Occasionally, you might stumble across a website with source code that looks something like this:
(function(){window.google={kEI:'C9_OYKTuCMSUgTqgJyABw',kEXPI:'31',u:'9eb444e',kBL:'bWXf'};google.sn='webhp';google.kHL='en';})(); (function(){ var f=this||self;var h,k=[];function l(a){for(var b;a&&(!a.getAttribute||! (b=a.getAttribute("eid")));)a=a.parentNode;return b||h}function m(a){for(var b=null;a&& (!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b}
This is part of the source code of the Google Search homepage. Frontend code doesn't normally look like that. It's extremely hard – if not impossible – to read, and that may be the point. Google has obviously run their code through a JavaScript minification tool, which reduces the size of the final JavaScript file and makes it much harder to read. This can, among other things, obfuscate their source code to prevent hackers from easily reading it. Source code that looks like this is much harder to draw conclusions from and spot weaknesses in casually.
This is pretty simple stuff and this hack does not use PHP, but I just wanted to show you this first before we dive into learning how to code, because I want to show you that there are ways to expose secrets on the internet that you shouldn't necessarily be able to see. Looking at a website's source code isn't illegal. You can and should do it. It's not really a secret. It's built into all browsers and is easily accessible in the right click menu. But, it allows you to peek just a little behind the curtain.
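Seen from the site owner's side, the point about scripts being requested directly is something you can code for. The following is an added example, not the author's actual tracking script: a handler for an endpoint like /tracking/tracking.php that answers direct visits and malformed input with a bare status code instead of an error message. The function name handleTrackingRequest and the log location are assumptions.

```php
<?php
// Added example (not the author's tracking script): a handler for an endpoint
// like /tracking/tracking.php that answers direct visits and malformed input
// with a bare status code. Function name and log path are hypothetical.
declare(strict_types=1);

/**
 * Validate one request. Returns [HTTP status, validated image id or null].
 */
function handleTrackingRequest(string $method, array $post): array
{
    // The gallery's AJAX call sends POST; typing the URL into a browser sends GET.
    if ($method !== 'POST') {
        return [405, null];
    }
    // gallery_view must be a plain positive integer. Arrays (gallery_view[]=1),
    // empty strings, signs, decimals and very long values are all refused.
    $raw = $post['gallery_view'] ?? null;
    if (!is_string($raw) || preg_match('/^[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        return [400, null];
    }
    return [204, (int) $raw];
}

if (PHP_SAPI !== 'cli') {
    // Errors go to the server log, never into the response body.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');

    [$status, $id] = handleTrackingRequest($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
    http_response_code($status);
    if ($status === 405) {
        header('Allow: POST');
    }
    if ($id !== null) {
        // Assumed location: a logs folder one level above the web root, so
        // the file cannot be fetched by URL.
        $line = sprintf("%s\t%d\n", gmdate('c'), $id);
        file_put_contents(dirname(__DIR__, 2) . '/logs/gallery_views.log', $line, FILE_APPEND | LOCK_EX);
    }
    exit; // no response body in any case
}

// Run from the command line: constructed inputs showing each outcome.
$samples = [
    'direct visit in a browser'    => ['GET',  []],
    'POST without gallery_view'    => ['POST', []],
    'POST with an array value'     => ['POST', ['gallery_view' => ['1']]],
    'POST with a non-numeric value' => ['POST', ['gallery_view' => '12abc']],
    'POST from the gallery script' => ['POST', ['gallery_view' => '12']],
];
foreach ($samples as $label => [$method, $post]) {
    [$status, $id] = handleTrackingRequest($method, $post);
    $result = $id === null ? 'nothing stored' : "stores id $id";
    echo str_pad($label, 32), "-> $status ($result)\n";
}
```

Run from the command line, the script prints the status each constructed request would receive; served by a web server, the same function decides the real response.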
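The directory-listing exposure described in this chapter, and the Options -Indexes setting recommended earlier, can be checked on a site you run by walking its web root and flagging every folder that has no index page and no -Indexes in effect. This is an added example, not code from the book; the function names and the sample folder tree are constructed, and it reads only .htaccess files, not the main Apache configuration.

```php
<?php
// Added example (not from the book): audit a web root you control for folders
// Apache would serve as a file listing. Simplification: only .htaccess
// "Options" lines are read, not the main server configuration.
declare(strict_types=1);

const INDEX_NAMES = ['index.php', 'index.html', 'index.htm'];

/** 'off', 'on', or null when this folder's .htaccess does not mention Indexes. */
function indexesSetting(string $dir): ?string
{
    $file = $dir . '/.htaccess';
    $lines = (is_file($file) && is_readable($file)) ? file($file, FILE_IGNORE_NEW_LINES) : false;
    $setting = null;
    foreach ($lines ?: [] as $line) {
        if (!preg_match('/^\s*Options\s+(\S.*)$/i', $line, $m)) {
            continue; // comment or unrelated directive
        }
        $opts = preg_split('/\s+/', strtolower(trim($m[1])));
        // "Options -Indexes" adjusts the inherited set; "Options FollowSymLinks"
        // (no +/- prefix) replaces it, which also switches Indexes off.
        $absolute = (bool) preg_grep('/^[^+-]/', $opts);
        if ($absolute) {
            $setting = array_intersect($opts, ['indexes', 'all']) ? 'on' : 'off';
        } elseif (in_array('-indexes', $opts, true)) {
            $setting = 'off';
        } elseif (in_array('+indexes', $opts, true)) {
            $setting = 'on';
        }
    }
    return $setting;
}

/** Returns [relative path, state] for each folder with no index page and Indexes not off. */
function findListableDirs(string $dir, string $inherited = 'unset', string $rel = '/'): array
{
    $state = indexesSetting($dir) ?? $inherited; // settings apply to subfolders too
    $hasIndex = (bool) array_filter(INDEX_NAMES, fn ($n) => is_file("$dir/$n"));
    $found = (!$hasIndex && $state !== 'off') ? [[$rel, $state]] : [];
    foreach (array_diff(scandir($dir) ?: [], ['.', '..']) as $entry) {
        $path = "$dir/$entry";
        if (is_dir($path) && !is_link($path)) {
            $found = array_merge($found, findListableDirs($path, $state, "$rel$entry/"));
        }
    }
    return $found;
}

/** Constructed sample site, created in the system temp folder. */
function buildSampleTree(): string
{
    $root = sys_get_temp_dir() . '/webroot_audit_' . bin2hex(random_bytes(4));
    $files = [
        'index.php'                   => 'home page',
        'authentication/password.txt' => 'constructed placeholder',
        'tracking/.htaccess'          => "Options -Indexes\n",
        'tracking/tracking.php'       => 'tracker',
        'tracking/exports/hits.txt'   => 'covered by the -Indexes in /tracking/',
        'images/thumbs/a.jpg'         => 'image',
    ];
    foreach ($files as $rel => $content) {
        $path = "$root/$rel";
        if (!is_dir(dirname($path))) {
            mkdir(dirname($path), 0700, true);
        }
        file_put_contents($path, $content);
    }
    return $root;
}

/** Delete the sample tree again. */
function removeTree(string $dir): void
{
    foreach (array_diff(scandir($dir) ?: [], ['.', '..']) as $entry) {
        $path = "$dir/$entry";
        if (is_dir($path) && !is_link($path)) {
            removeTree($path);
        } else {
            unlink($path);
        }
    }
    rmdir($dir);
}

$given = $argv[1] ?? null; // optional: path to your own web root
$root = rtrim($given ?? buildSampleTree(), '/');
foreach (findListableDirs($root) as [$rel, $state]) {
    $why = $state === 'on'
        ? 'Indexes switched on in .htaccess'
        : 'Indexes not set in .htaccess, server default applies';
    echo str_pad($rel, 28), "no index page; $why\n";
}
if ($given === null) {
    removeTree($root);
}
```

Pass the path of a web root as the first argument to audit it instead of the constructed sample. A flagged folder is fixed by adding an index page or by putting Options -Indexes in an .htaccess file at or above it.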
How to Code
Creating Your First Program
In this chapter, I'm going to show you how to write your first PHP program. If you've watched or read any introduction to a programming language before, you'll be nauseatingly familiar with the program we're going to write. All it's going to do is output two words on the screen. Those words are going to be 'Hello World'. That seems extremely simple and cue eye-roll, but it's going to teach you more about coding in PHP than you'd think.

First, you're going to need to fire up your local server. Then, you'll need to open the local server's root directory (click the big folder icon if you're using AMPPS). If you're not using AMPPS, or you're using a different version of it than I am, and you can't locate the folder icon, you may need to use Google to find the folder. It should be called either www, htdocs, or public_html. Once you're in the folder, launch your code editor, then create a new text document. Save this document in your local server's root folder, with the name hello_world.php.

You might be familiar with saving web pages with the .htm or .html file extensions, but pages containing PHP code won't run unless the page's extension is .php. A page with the .php extension can contain HTML, CSS, and JavaScript code, exactly like .htm or .html pages can – the only difference is that a server with PHP installed will run .php pages through its interpreter, allowing you to run PHP scripts inside it.
In addition to giving the page the .php file extension, PHP requires us to put PHP code between a special set of tags. Here's what PHP tags look like:
The tag tells the server that that's the end of it. A server with PHP installed will interpret anything between these tags as PHP code that needs to be parsed and executed. You can include as many of these script tags on a page as you want. You can have a hundred PHP scripts running on your page if you'd like to, and you can even shove them between HTML, CSS, and JavaScript, something we'll have a look at in a later section. Write those tags into your script so that your server will interpret the code we're going to write between those tags as code. Then, I'm going to tell you about one of the most important keywords in PHP: the 'echo' keyword. This keyword tells the interpreter to output whatever we include after it until the end of the statement as text. Imagine you opened a blank .html document and just started writing text without any tags - that's the kind of text that echo is going to output for us, making it extremely powerful as, as we'll see later, we can use it to output HTML, CSS, and JavaScript code for us.
Write the echo keyword between your script's PHP tags, like this:
If you're using Visual Studio Code, you'll probably notice that the keyword changes color once you've typed it. If so, the syntax highlighting feature of your code editor has recognized what you just wrote as a PHP keyword, which is something that may come in handy as your scripts grow bigger and more complex.

After the keyword, we're going to write a string. 'String' is a term in computer science to denote a sequence of letters, numbers, symbols, and/or characters that the computer will see as text, not code. As in most other programming languages, a string in PHP is written between a set of opening and closing quote marks, either single or double (" or '). Let's put a string containing the characters that make up "Hello World" after the echo keyword inside a pair of double quotes to tell the server that we want to output this text. I say 'characters' and not just 'letters' because we're also going to include the 'space' character inside the string. Here's what our script should look like now:
The linting feature of your code editor might be telling you about a syntax error at this point, and, if you tried to run this script as it is right now, your local server would probably have an aneurysm. That's because we need to end all statements in PHP with a semicolon. This allows the interpreter to differentiate one statement from another. Let's type a semicolon at the end of our echo "Hello World" line so it looks like this:
I've actually gotten so used to ending statements with a semicolon over the years, as a result of programming in JavaScript, CSS, and PHP for so long, I often have to consciously stop myself ending statements written in English with a semicolon. And there it is. Our script is finished. It's not flashy, and it's not going to change the world, but it's going to be a complete program that does a thing. Let's now access our local server's root directory from our browser to see it in action. To do this, open your web browser and type 'localhost' into the address bar. You should see a directory listing with a single item: hello_world.php. If you don't, it means that you may need to access your local server through its IP address, something you can find in the local
server's admin panel (the thing that you see when you launch the app). In XAMPP, I need to explicitly start my local server before it becomes useable in my browser by hitting the Start button. Then, I need to go to the Volumes tab, hit Mount, and then I need to type the IP address that's now in the General tab into my browser's address bar. Your local server might need you to do something convoluted like that. If that still doesn't work, hello_world.php might be in the wrong folder, and the fix for that is obvious. If you do see hello_world.php, click it and you should see the Hello World text in your browser. If all went well, then congratulations! You just wrote and ran your first PHP script! I want to make a few notes before I close out this section. The first thing I want to mention is that PHP is very loose when it comes to formatting. These are some of the ways we could format the script:
Here's what that single-line example would look like if we had two echo statements inside the script:
PHP doesn't care about indents or line breaks. Your code could be all on a single line if you wanted it to be, and, as long as you end each statement with a semicolon, PHP will be able to read it just fine. You, on the other hand, probably wouldn't be able to read it just fine if you wrote your scripts all on a single line, so I'd recommend using line breaks and indents to make your code more readable/less of a hideous mess. I'll also mention this: you don't need to include the closing PHP tag ?> if there is no code following your script on the page. PHP will happily interpret the end of the page as the script's end if there's no HTML, JavaScript, or CSS code after the PHP code.
Variables and Data Types
In PHP, a variable looks like this:
$variable
It's just a word that starts with a dollar sign. Think of a variable as a container. In programming, these containers hold data. You can store data in these containers by assigning the data to it using the = operator. Here's an example of storing a number inside a variable:
$myVariable = 1;
I can then access the number stored inside that variable by simply writing the variable name.
Strings are case-sensitive, meaning that "Jake" and "jake" aren't the same. You can store almost any kind of data inside a variable. Here's a list of the data types a variable will accept for storage in PHP:

String (a sequence of characters inside quotes).
Integer (a whole number).
Float (a number with a decimal point, known in programming as a 'floating point' number).
Boolean (true or false).
NULL (no data).
Array (a container for multiple pieces of data of any type).
Object (a container that has properties and methods that we can use).

Variables are also case-sensitive, so $Number and $number aren't the same. In addition, you must obey some rules when naming them. They can only contain uppercase letters, lowercase letters, and numbers. You can't start a variable name with a number, though. Variables should be given names that allow you to tell at a glance what they do, making your code easier to read. Using single letters as variable names and then trying to read your code months later is the quickest path I know to madness. Variable names can't contain spaces, so you'll need to use camel case ($camelCase) or underscores ($camel_case) for multi-word names. Variables should all be given unique
names to avoid conflicts. And, finally, a variable will hold the last value it was assigned. Using variables might seem useless right now, but variables really unlock the power of programming. Imagine you have a program that's 200 lines of code long and it makes reference to the color red 50 times. Now imagine that you want to change red to yellow. If you'd stored the color as a variable named $color and you made references to the variable 50 times throughout your program, all you'd have to do is change the value of the $color variable to change it in all 50 places! That's only one very basic example of why variables can be extremely useful when programming, but, as you'll see throughout this book, the benefits won't stop there.
Changing Your Program's Behavior with 'If' Statements
If you want to make your PHP programs behave differently in certain situations, you can add branches to your code using if statements. You might want to make your code do different things based on the current value of a variable, the return value of a function, whether or not something is true or false, the current time of day, someone's IP address – almost anything can be used to change the behavior of your code.

To write an if statement, simply write the keyword 'if', followed by a set of parentheses which hold your test condition/s, after which you write the code you want to run if those conditions are true. Here's an example of a program using an if statement to behave differently if a variable is true or false:
Good morning, !