Hack Online Stalkers, Hackers, & Visitors - Get & Trace IPs FOR REAL.

Citation preview

---

Table of Contents Table of Contents Introduction You Should Read This Book If… Isn't This Illegal? Why Learn PHP? Getting Started Getting Set Up Covering Your Tracks Our First Hack How to Code Creating Your First Program Variables and Data Types Changing Your Program's Behavior with 'If' Statements Writing Functions Function Parameters Return Values Using Inbuilt Functions Scopes String Concatenation Arrays Loops Looping Through an Array Foreach Loops

While Loops Generating HTML Code with PHP Mixing PHP and HTML Mixing PHP and CSS Writing JavaScript with PHP String Operations Dig Up All The Dirt on Your Visitors Introduction to Visitor Hacking What is an IP Address? Get Someone's IP Getting IP Email Alerts Getting Past Tracking Blockers Generating IP Info Links Including a Tracking Script on All Pages Getting Page Information Saving Hits to a Text File Troubleshooting Generating a Timestamp Blocking Our Own Visits Get Everything About an IP Address Getting Device Information Tracking Downloads Storing Tracking Data in a MySQL Database Storing Tracking Data Inside a Database Using MySQL Creating a Database

Saving Information to a Database Using PHP Adding Security Adding More Security Hacking with Tracking Tricking Someone into Giving You Their IP Address Geolocating Hits Identifying Fake IP Addresses Finding Out Who's Behind An IP Address or VPN Identifying Hackers Scaring Stalkers and Hackers Blocking Stalkers and Hackers Use Tracking Data to Prove Stalking and Hacking Weaponizing PHP Making a Fake Login Screen Other Ways to Weaponize PHP A Note from the Author

Introduction I've read many books about hacking over the years and I have been dissatisfied by all of them. A lot of them talk about things like port scanning and packet sniffing, and using tools like Metasploit, or finding shortcomings in a website's user input sanitization. All of the books went into detail about all the things I could do if I were a hacker, but none of them actually explained to me how to become a hacker. After reading at least a dozen books like this over the years, it was like I knew a lot about how to acquire a lockpick, all the things I could theoretically do with a lockpick, and how to use a lockpick, but I still knew nothing about how I could open a locked door. That's why I wrote this book. This book isn't like other hacking guides, where it's like "All you have to do to guess someone's password is port scan them, figure out what server they're using, hope it's running unpatched software with an exploit that you can download online, then deploy it to the open port, then do something with the data to achieve some vague thing." This book won't tell you how to create a password cracker, as if randomly guessing someone's password is even remotely plausible for the average hacker these days. This book won't talk about feverishly trying to find mistakes in a website's input sanitization, allowing you to execute your own code on the site or server, where your main weapon against a target is sheer luck. This book won't actually teach you how to unlock a locked door. The main premise of this book is that an increased focus on internet security has made penetration out of the realm of possibility

for most hackers nowadays. What this book will instead teach you is how to hack people who come to you. These people might be hackers or stalkers lurking on your websites, using tracking blockers and VPNs to keep their activities hidden. They might be people you've lured to your website for a specific purpose, who you can fool into giving you secret data. Or they may be just people already visiting your website that you want to find out more about. Either way, this book will show you how to weaponize your own web pages. To unmask your visitors. To track their location. To get them to reveal things that they might not want you to know. Or, to block them entirely. This book won't only teach you the basic principles behind hacking, it will go the full distance and tell you exactly how to hack people who come to your website and exactly how to get them there. To do this, I'm going to first teach you the basics of PHP – a language we can use to program servers to do our bidding. This sounds scary, but programming isn't that hard, and PHP is one of the easiest coding languages for a beginner to learn. The Getting Started section will give you instructions on how to get set up to start hacking. I'll get you set up with a code editor, an FTP client, and a test server. I'll also teach you how to cover your tracks while hacking, using things like VPNs, free web hosts, hacking browsers, fake email accounts, and anonymous currencies. This section will also introduce you to hacking by showing you how to perform a quick, easy, no-coding-required hack that will let you read the source code of a website.

The How to Code section will be a crash course on PHP programming, teaching you everything you need to know to start writing PHP scripts. I'm going to teach you how to code, and then I'm going to teach you how to hack. Coding isn't scary and I'm going to equip you with the basics that you can use for white hat endeavors too, like getting a programming job. I'll walk you through creating your first program, and then we'll move on to learning about variables, functions, arrays, and loops. You'll also learn how to program your server to generate and manipulate HTML, CSS, and JavaScript code on the fly. By the end of this section, you will know enough about programming servers to start writing your own programs. This section won't include a discussion on best practices, so the scripts you'll be writing in this book won't be works of art. But, they'll work. This book is not intended as a comprehensive book about PHP – we'll simply be using PHP to achieve our own hacking-related ends. The following section, Dig Up All The Dirt on Your Visitors, will teach you everything you need to know to start extracting information from your website's visitors. We'll learn about how IP addresses work and how we can program our servers to extract data from them – even if the visitors are using software to block online trackers. We'll also talk about getting visitor data from third-party services and APIs on the fly and making it available for use inside our scripts. The Storing Tracking Data in a MySQL Database chapter is about saving all of your visitors' information into a database for easy viewing and retrieval. You'll learn about how to use PHP to communicate with a MySQL database

and how to interact with that database using an open source software tool called phpMyAdmin. The next section, Hacking with Tracking, will then explain how to deploy tracking against visitors. It will walk you through how to trick someone into giving you their IP address, how to identify fake IPs, how to geolocate website hits and track people's location, how to trick someone into revealing their real location, how to see who's trying to hide by installing a JavaScript tracker on your website, how to correlate tracking data to infer conclusions about who people behind IP addresses really might be, how to prank people by showing them different content based on reported data like their IP, and much, much more. The final section, Weaponizing PHP, will be all about weaponizing PHP for offensive purposes. This section will show you a way to hijack a website using an iFrame, how to make a fake login screen to trick people into emailing you one of their passwords, how to hijack a contact form, and how to code a backdoor into a web application. I want to note that all the apps, services, and websites mentioned in this book may not be around by the time you read this. If that's the case, it should be easy to find alternatives online. I have made it so that all the guides in this book are written to work with any similar app, service, or website you'd like to use, so the knowledge should still be valid even if the actual tools I'm mentioning have long since been shut down.

I hope you enjoy reading this book as much as I did writing it. - ghost4815

You Should Read This Book If… You have a cyberstalker and you want to get evidence that they're stalking your web pages and social media, or to find a way to just block them entirely. This entire book was inspired by years of having to deal with my own wild experiences with a cyberstalker, along with dismissive members of family, friends, and law-enforcement, as well as, later on, fully complicit coworkers who were actively communicating with the criminal. In this book, you will learn how to become your own private detective, allowing you to expose a cyberstalker, block them, and collect hard evidence against them. It’s not uncommon to hear victims report that an ex or ex-friend is still stalking them online 25 years after their last in-person contact. If that is your situation, first off, I'm really sorry. And second, the guides in this book will help you take a proactive approach to dealing with the threat, to get this person to leave you alone, or, failing that, to gather enough evidence to put them in prison if it goes on long enough to become a criminal matter. You're a member of law enforcement and you want to learn how to deal with cyberstalkers, hackers, or pedophiles who are using tools such as Virtual Private Networks (VPNs), VPS servers (Virtual Private Servers), or tracking blockers to stay anonymous online. You might also want to learn how cybercriminals can weaponize the internet against their victims, allowing you to spot cybercrimes in the future. You'll discover all sorts of interesting ways to expose cybercriminals even though their IP address is bogus, allowing you to bring them to justice no matter how hard the

bastards try to stay hidden. You're looking for a fun way to get started programming PHP – or programming in general. I will show you not just the basics of programming, but I'll also give you activities that will force you to put what you've learned together to produce results you actually care about. You're looking to get a better idea of who is looking at your websites now that tracking blockers are going mainstream. You might suspect that there are way more people looking at your web pages than you know, and you'd like a way to find out if you're correct. Your website is being hacked, so that you can get a better idea on what intruders are doing and how to stop them. You're interested in hacking generally. You want to find out exactly how hackers can fool you into revealing your personal data online or compromise your cybersecurity, allowing you to help secure yourself against it. In this book, I will assume that you have at least a basic knowledge of web programming. You've built a simple website before. You know what an HTML file is. You know how it's structured. You'd know what I mean if I mentioned something like the 'root folder' or the 'head tags' or the 'script tags'. If you know the basics of HTML, you shouldn't have trouble following the guides in this book at all. If you know a bit of CSS, all the better, but you could easily get by without it.

Isn't This Illegal? This book will teach you how to push the limits of everything you can do to achieve things that you really shouldn't be able to do. Nothing in this book is illegal, and you won't learn how to become a master hacker by reading it, but it will show you how to deploy simple things in creative ways to see and do things you really shouldn't be able to. This book is mostly focused on getting readily available information from servers and IP addresses. It will not primarily be about gaining access to unauthorized materials, even though some sections will get you 90% of the way there to doing so. The key to this book is to perform hacks that are unseen. Usually, our victims will willingly give up their data. Other times, they'll give it up without realizing that they've been hacked and they will probably never figure it out. We don't need fancy anonymous servers to launch our attacks. Most of the time, our visitors won't know they've been hacked at all.

Why Learn PHP? PHP is a server-side programming language. By writing PHP code, you're literally programming a remote server to do your bidding. The instructions that you write tell the server how to build the page that the user has requested from their browser. This is cool because it allows us to serve dynamic pages to users, rather than static HTML pages with content that doesn't change. Here's a simple way to illustrate this concept. Way back when I was a scriptkiddie who didn't know how to code, if I wanted to make a website with a dark mode, I might have done something like this. I would design a version of the site in HTML and CSS – one with black text on a white background, and one with white text on a black background. I would then have a hardcoded link at the bottom of each page that said something like 'Toggle Theme'. That button would link to the opposite version of the website currently being viewed. The light version of the website could be accessed at http://light.mywebsite.com, and the dark version of the website could be accessed at http://dark.mywebsite.com. Now, I never actually did that, but, if I didn't know HTML, CSS, or JavaScript, that's the kind of stunt I'd have to pull to make a feature like that work. This is a nightmare for a number of reasons, the biggest being that if I wanted to make a change to the website, I would have to make the change to both versions, making maintenance hell. If I knew a server-side programming language, however, a feature like this

would be way easier to accomplish. All I'd have to do is write a simple script on all my web pages that would do the following: 1. Get the current time. 2. Check if that time is before or after 6pm. 3. If the time is before 6pm, give the page a white background and black text. 4. Or, if the time is after 6pm, give the page a black background and white text. Now, there are more than a few issues with this idea (the biggest one being that you can't actually get the user's current time in PHP; you only have access to the server's) but it is sufficient to illustrate my point: you can use a server-side programming language to add dynamic content to your pages. Other examples of adding dynamic content to your pages could be: Setting a cookie on a user's computer and changing the greeting at the top of the page that acknowledges that the user has been there before, if the script detects its presence on page load. Fetching the current weather conditions from a third-party service and, if it's raining, trigger a rain animation on the background of every page on a website. Fetching the user's current location and showing them local traffic information on a map website.

Another advantage of learning a server-side programming language is that it allows you to interact with your server's file system. A basic example of how we might take advantage of this feature is to code a very crude visit counter on a web page. Here's how we'd implement it: Every time the page loads, open a text file called 'visit_count.txt' that's saved in the root folder of our server (or, if it doesn't exist already, create it). Read the contents of the file, which will be a number. Save that number into a variable (we'll get to those later). Increment that number by one. Then overwrite the contents of visit_count.txt with the new number and close the file. When the page loads, output the new number to the bottom of the web page, where it might read: '1001 people have viewed this web page'. Being able to create, read, and write files on a server is an extremely powerful thing because it can make the state of a website persistent, either entirely or for individual users, and file operations are a flagship feature of a server-side language like PHP. PHP also has an advantage over languages like JavaScript for hackers in that it doesn't leave its source code visible to the end user. When a user views a web page coded with PHP, the user won't be able to see any of the server code that was used to build the page. They'll only be able to see the result of the backend code in the form of HTML, CSS, JavaScript, and text. All of

your PHP hacking scripts thus can't be analyzed by the user, allowing you to keep all your tricks up your sleeve. By learning PHP, you will be able to command the full power of a server to write dynamic programs that visitors will use, either to their delight or their chagrin.

Getting Started

Getting Set Up There are three things you'll need to get started programming with PHP: a code editor, a server, and an FTP client. A code editor is a program that will help you write scripts and applications. A server will allow you to test, run, and deploy code. An FTP client will enable you to easily upload code to a server. The first thing you need to know about coding in PHP is that PHP code is just text. The text itself is not special. You don't need anything fancy to write that text. You could write code in Notepad or Microsoft Word and the interpreter wouldn't care. What you use to write your code is entirely up to you – the thing that makes the interpreter read your text as PHP code is the .php file extension, but more on that later. Even though you can write PHP code using any text editor, you will definitely want to install a code editor. A code editor is a text editor designed for programmers. A code editor makes the experience of writing code faster, easier, and just all around nicer. The first advantage of installing a code editor I'm going to tell you about is shallow, but it's probably the one that you'll be most likely to care about at first. One of the main advantages of using a code editor for me personally is that it's more atmospheric than a text editor. Eighty percent of the reason I love Visual Studio Code – my code editor of choice – is that it just looks

cool. The Abyss theme's light blue text on a dark blue background is not only extremely easy on the eyes, but it makes you feel like a real programmer. It really sets the mood for all your work. Another advantage of using a code editor is syntax highlighting. This feature is designed to recognize parts of your code and differentiate them visually, making your scripts way easier to read. For example, in Visual Studio Code with the Abyss theme turned on, it's easy to see all your functions because it automatically highlights function names in yellow. This means that, if I'm scrolling through a long document trying to debug something related to my functions, I can easily see where all the functions are at a glance. Perhaps the most useful feature of a code editor is something called linting. As we'll see in later sections, all computer code must follow a specific format so that the machine knows what to make of the instructions you're trying to feed it. Code editors are aware of these formatting requirements, and are designed to highlight mistakes when you accidentally break them. For example, if you forget to end one of your PHP statements with a semicolon, your code editor might tell you what your mistake was and what line it's on so you can go back and fix it. When you scroll to that line, it will be easy to spot your mistake, since your code editor may have underlined it for you. I'm not very observant so I tend to make stupid, little mistakes a lot when writing code. Linting is probably one of the main reasons I can get my programs working in a reasonable amount of time at all. Another useful feature code editors have is code autocomplete, something

that suggests the next piece of code you should write based on what you've already written. I find this extremely helpful when writing CSS, as I can never remember off the top of my head what value options I can use for element properties like position and display. As you may expect, the code editor I'm going to recommend you download is Microsoft's Visual Studio Code. It is hands-down the best code editor I've ever used. It's fast. It's beautiful. You can run it on Windows, Mac, or Linux. And it's free. Just Google 'download visual studio code' to get it. The next thing you'll need to get started is a server. As PHP is a server-side programming language, PHP will not run in a web browser offline without jumping through some hoops. HTML, CSS, JavaScript code will be happily executed by a browser locally, but, as PHP code requires a server with an installation of the PHP interpreter installed to run, if you try to run your PHP scripts in a browser without a server, the browser won't have a clue how to execute your code. PHP needs to be served by a server, otherwise it won't work. The easiest way to get a server is to buy some server space from a web hosting company. When you buy hosting space from a web hosting provider, what you're actually doing is buying space on a remote server somewhere in the world. The server that your website is hosted on is often shared with many different websites, each of whom also have their files and data stored on it, and who all share its resources like CPU time and RAM. That's unless you purchase dedicated hosting, which means that the server is all yours.

When you buy some hosting space, you can easily upload your scripts and test them there. I use Hostinger as my web host, but there are many other great options out there. Make sure that any server space you buy, anonymous or otherwise, has PHP 7+ installed. This book is written with this version of PHP in mind, and some code may not run if you're using an earlier version of the language. While buying some server space is the easiest way to get yourself up and running with a test server, there is a better way. That better way is installing a virtual server on your computer. This is a good idea because it allows you to test your code without going through the headache of uploading your files to a remote server via FTP to test every change you make. Even if you have the fastest internet connection in the universe, testing your code that way will quickly make you lose the will to live. By installing and launching a virtual server, you can run PHP in a browser. Virtual servers allow web developers to build and test their websites offline before deploying them live. Virtual servers are also called local servers, because they allow you to simulate a server locally. There are a number of programs that will simulate a server on your computer. I highly recommend AMPPS. I've been using it for years and it's always gotten the job done. It works on Windows and Mac and you can easily find a download link on Google. Once you've installed AMPPS, all you have to do to run your PHP scripts and websites offline is type 'localhost' in your browser's address bar. That address will point to a special folder on your computer that will act as the root of your virtual web hosting. To find that

folder, just fire up AMPPS and click the big folder icon in the row of icons at the top. Say you want to run your PHP script, which is called myphpscript.php. All you have to do is put your script in that folder, and you can now access it by typing localhost/myphpscript.php in any of your web browsers' address bars. Even though testing is easier on a local server, I would still recommend buying yourself some hosting space. By using a web host like Hostinger, you'll also have easy access to phpMyAdmin, something that will make working with databases in later sections of this book a breeze. The last thing you'll need to get set up and ready to start hacking is an FTP client. This is a piece of software that will establish a connection between your computer and a remote server, allowing you to transfer files to and from that server using the File Transfer Protocol. Your hosting provider will almost certainly have a dedicated place in its admin panel to upload files (in Hostinger it's called 'File Manager'), but an FTP program will make the process of uploading files to our server much nicer. There are many FTP clients out there available for download, both free and paid. I use an app called Transmit as my FTP client but FileZilla is an excellent free alternative (it also works on Windows). Once you install one of these programs on your computer, all you have to do to connect to your server is supply the host/address name, along with your FTP username and password, and a port number. You can find this information inside your web host's hosting admin panel, usually under a section called something like 'FTP Accounts'. Note: You don't need to use FTP for your local server.

Covering Your Tracks Now that you're up and running, I'm going to describe a few methods to minimize the ways someone can connect your real identity to your hacking activities online. Note I said 'minimize' rather than 'eliminate'. It's very difficult to remain anonymous online these days, since most services like email providers and web hosts require a valid phone number to sign up. Still, it is possible to remain pseudonymous, which means that, unless you give someone like the police a serious reason to track you down, you'll be able to fly under the radar. If you are reading this book to defend yourself against or track down cybercriminals, this section will give you invaluable insights into how cyberstalkers and hackers stay anonymous online and avoid law enforcement. The first tip I'll give you is to install a dedicated 'hacking' browser. This will be a browser that is entirely separate from your regular web browser. You should use this browser to do things like manage your attack servers or check your fake email accounts, and you should use it for nothing else. Keeping your hacking browser separate from your regular browser prevents things like cookies and your other account logins from linking you to your fake online accounts. Take Google for example: if you're logged into your fake Gmail account and your regular Gmail account in the same web browser, Google might be able to say 'both of these accounts are linked to the same cookie and the same IP address, therefore they must be the same user'. You can avoid these situations entirely by installing a different browser that you use only for

hacking. There are a number of alternative browsers you could install on your computer. The ones that are arguably the most useful for hacking are Opera and a new web browser called Brave. Brave is definitely my pick for hacking. It's built on the same rendering engine as Google Chrome, meaning that it should be familiar right out of the box if you already use Chrome. You can also install any extensions that work on Chrome in Brave. The best reason to use Brave as your hacking browser, though, is because it blocks online trackers by default. As we will see throughout this book, blocking trackers entirely online is impossible, but using Brave will still block the vast majority of them, something which will come in handy when the stakes are high and you're trying to stay anonymous online. By using a browser that blocks trackers by default, the chances of you getting caught by a tracker while doing something you shouldn't goes down by a good margin. Brave's default New Tab page gives you a summary of how many trackers you have blocked online during your entire time using the application. I have been using Brave to surf the web for over a year now and, in that time, the browser has successfully blocked over 500,000 scripts from tracking me. Brave also includes built-in ad blocking, something that should also upgrade your ability to stay anonymous online, since online advertising is what tends to track you the most. If you really want to go nuclear, Brave also has a feature to block JavaScript entirely, either globally or on a per-site basis. Since the vast majority of tracking scripts are written in JavaScript, this will further help you stay anonymous if the stakes are really high.

Opera doesn't block tracking by default, but it can be configured to do so inside its settings panel. It also comes with a free, inbuilt VPN that you can use to disguise your IP address. I wouldn't recommend using this VPN for a number of reasons, mostly because it only works inside Opera and thus won't keep the other internet activity on your computer (e.g. your email client) from leaking your real IP like a dedicated VPN would. Once you've installed a hacking browser, the first thing you'll want to do is configure it to make it as secure as possible. You can do this in Brave by going into the settings screen and clicking into the 'Shields' section. The first thing you should do here is set tracker and ad blocking to 'Aggressive' so that Brave will block any scripts that could be potentially used to track you online. Then, disable cookies by default. Cookies can be used to track you as you move around the internet. We'll be employing tracking cookies in later sections to do just that, but we don't want it to happen to us, so cookies need to go. Disabling cookies may break the functionality of some websites, but we can enable them for individual sites using the shields menu located at the end of the address bar. After you've done this, go into the 'Get Started' section of the settings panel and make sure that the browser is configured to open the new tab page on startup, rather than continuing where you left off. If the browser is set to open the pages you were looking at when you closed it last on startup, one day you will accidentally launch Brave without your VPN on, and it will happily start loading what you were looking at the last time you used it, even if you were

right in the middle of a hack. Making sure that Brave doesn't open the last thing you were looking at when you last closed it will ensure this never happens. The last thing you'll want to do is configure Brave so that it automatically clears all your browsing data on exit. To do this, go to the 'Additional Settings' section of the settings panel, then hit 'Privacy and security'. Then, click 'Clear Browsing Data' and a popup should appear. Go to the 'On exit' tab and then tick everything you want Brave to wipe out when you quit the browser. At the very least, I would recommend clearing cookies and other site data on exit, but you'll probably want to clear your browsing and download history and everything else if you really want to be safe. The shield menu at the end of the address bar (the orange lion's head icon) mentioned before will allow you to change Brave's settings on a per-site basis. You can change the level of tracking for the website you're looking at, you can disable or enable scripts for that domain, allow or disallow cookies on that website, and more. The key to running a hacking browser is to never log into any of your regular accounts through it. Use your real accounts in your regular browser, and conduct your hacking activities through your hacking browser. The second method of reducing the ways someone can connect your real identity to your hacking activities online is to create a new user account on your computer, or change the name of your existing one. Occasionally, a

hack may expose your computer's local file system paths. For example, if you download an enemy website to examine its source code offline, and you accidentally run the HTML file inside your browser, if that website has a JavaScript tracker installed, it may report the full URL of the visited page to the website's owner. If you made the mistake of giving your computer's user account the same name as your real name, the owner of the website might see something like this:

Visited URL:

C:\Users\Jasmine%20Ball\My%20Secret%20Hacking%20Folder\index.html

If your real name is Jasmine Ball, this might be bad. The way to get around this is to name your computer's user account something obscure. If renamed your account 'SecretUser', then the website owner would see this if you accidentally leaked your local filepath:

Visited URL:

C:\Users\SecretUser\My%20Secret%20Hacking%20Folder\index.html

You could go nuclear and just use an entirely different computer to carry out your hacking activities, but renaming your user account, or creating a

separate one from your regular account under a different name, is a more practical way to go. The third tip I'll give you for staying anonymous online is getting a VPN. We'll have a look at VPNs more closely in a later chapter, but, suffice to say, getting a VPN is the single best move you can make to stay anonymous online, and I'll illustrate why with an anecdote. I was a huge Stargate fan when I was a kid. I loved SG-1 and its spinoff, Stargate Atlantis. So, when the third spinoff of the franchise, Stargate Universe, was announced, I desperately wanted to watch it. Unfortunately, it wasn't available legally in Australia when I wanted to do this way back in 2009. So, I, like most people in that situation, started illegally downloading the show via a torrent client. A few weeks after I downloaded a horrifically low-quality bootleg of SGU's first season, I got an email from MGM titled "Notice of Unauthorized Use of Metro Goldwyn Mayer Property". It stated that they were monitoring the IP addresses of everyone illegally downloading that file online, and that they got my details from my ISP, who happily told them that I was the person behind one of those addresses. Here was the evidence they provided in the email:

Evidentiary Information: Notice ID: 214-1542445 Initial Infringement Timestamp: 30 Nov 2009 16:22:36 GMT Recent Infringement Timestamp: 30 Nov 2009 16:22:36 GMT Infringers IP Address: 115.70.74.144 Protocol: BitTorrent Infringed Work: Stargate Universe Infringing File Name: Stargate.Universe.S01E07.HDTV.XviD-NoTV.avi

Infringing File Size: 366935682 Bay ID: 3035513946c25436cc33f293bfc72d9201257ac3|366935682 Port ID: 25455 Infringer's DNS Name: 144.74.70.115.static.telstra.com.au URL (If Applicable): http://tracker.openbittorrent.com/announce

If I had used a VPN while downloading this file, though, MGM would've had a much harder time trying to track me down. I could've used it to hide my real IP address, and, rather than MGM seeing an IP address from an Australian ISP that they could get my details from, all they might've been able to connect my fake IP address to was a server sitting in a building somewhere in Norway. The company that owned that server may not keep logs, and may not be even remotely receptive to honoring a foreign company's request to access their server logs. Using a VPN can provide some serious protection online, by hiding the one thing that can link you to all your online activities: your IP. As we will see, obfuscating your IP address in this way won't protect you from a determined hacker, but it will still go a long way to separating your real identity from your activities online. Using a VPN also provides the benefit of encrypting your traffic from anyone trying to intercept and analyze it. If your ISP is trying to snoop on your internet traffic, for example, all they will see is a stream of seemingly random letters and numbers, rather than the raw, unencrypted data that's coming and going from your computer. NordVPN is probably the best VPN out there at the moment. It's fast, secure,

and it has thousands of servers to choose from all over the world. You could route your connection through servers in almost any continent or country, and anyone tracking you might think you're coming from Norway, Russia, the Netherlands, or even Antarctica! The downside to using Nord is that there's no free tier, so you'll have to pay to use it. If you don't want to give them your credit card number, you can pay with cryptocurrency, or you can purchase a subscription in a retail store. You can view all of Nord's payment options by visiting

their

website

here:

https://support.nordvpn.com/Billing/Payments/1047406772/What-paymentmethods-do-you-accept.htm. If you don't want to pay for a subscription, though, there are some excellent free alternatives out there. I highly recommend Windscribe and ProtonVPN. Whatever VPN you choose, make sure it has an inbuilt kill-switch. This will make it so that, if your VPN connection accidentally drops out while you're using it, it will kill your internet connection entirely until it's back up. This means that your computer won't fall back to using your real connection for the duration of the drop-out, leaking your real IP. Another way to help stay anonymous online is to sign up for a free email account, with a fake name. You'll definitely want multiple email accounts under multiple aliases to conduct your hacking activities online. Most free email services require you to provide a phone number in order to sign up, which makes them risky, so I'd avoid email entirely where possible. But, using an email that's not your primary one is still a good idea. ProtonMail is a decent choice as it encrypts all of your communications by default, making it

a great option for staying anonymous. You may decide at some point to sign up for a fake Google Account. Google will ask you for a mobile phone number, and they won't let you set up your account without one. Even if you sign up for a Google Account, you'd need to be doing something pretty serious for Google to release your data to the authorities. You have to decide whether or not putting your real phone number in there is worth the risk. Another tip for staying anonymous: get some pseudonymous web hosting. Behind every domain name online is an IP address that corresponds to the server that is hosting the website the domain points to. You can find out the IP address of any website by simply opening Terminal (if you're on a Mac) or Command Prompt (if you're on Windows) and typing ping, followed by the domain name. If I wanted to determine the IP address of one of the servers that is hosting Pornhub, I would type:

ping www.pornhub.com

... into my Mac's Terminal application. Here's what I got in response when I did this just now:

ping pornhub.com PING pornhub.com (66.254.114.41): 56 data bytes 64 bytes from 66.254.114.41: icmp_seq=0 ttl=56 time=39.383 ms 64 bytes from 66.254.114.41: icmp_seq=1 ttl=56 time=44.465 ms 64 bytes from 66.254.114.41: icmp_seq=2 ttl=56 time=48.078 ms 64 bytes from 66.254.114.41: icmp_seq=3 ttl=56 time=45.041 ms 64 bytes from 66.254.114.41: icmp_seq=4 ttl=56 time=39.581 ms 64 bytes from 66.254.114.41: icmp_seq=5 ttl=56 time=46.837 ms

The real purpose of 'pinging' is to test whether or not a server is reachable by sending it small amounts of data and then measuring the amount of time it takes to respond. That's what most of this returned data is about. The main take-home from this for our purposes, though, is that IP address: 66.254.114.41. Our ping command has revealed that Pornhub is at least partially located on that server. It may share that server space with other websites, or it may run on a dedicated server. I would say it's running on a dedicated server since, if I type 66.254.114.41 into my browser's address bar, it goes straight to Pornhub. The reason all of this is important is that, if you, say, hosted your attack scripts on the same server as your personal website, all someone would have to do to link the attack server to you is to ping both your personal website and your attack server and see if the IP addresses match. This may not prove conclusively that you're behind the attacks, but it's a good starting place to prove who's responsible, especially if your target is already somewhat likely to suspect that you're behind it.

The way to get around this is to get another server that we can use to deploy our hacks. Ideally, we'd want the company hosting this server to know nothing about us or our identity. You can easily sign up for a free web host with a fake name and email address, but you'll probably need to give them a phone number and they may make it difficult to sign up through a VPN. I'd recommend 000webhost but there are many other options out there. Because 000webhost is designed to eventually upsell you, they have all the features of a regular web host, such as access to phpMyAdmin, something we'll be using throughout this book. 000webhost will make you choose a name for your website, which will be a subdomain of 000webhost unless you decide to connect a domain. You can choose any name you want (providing it hasn't been taken). If you're just making a general attack server, I'd recommend something like a random sequence

of

letters

and

hh142517.000webhost.com.

numbers This

as is

your

subdomain,

much

better

such

as: than

myrealname.000webhost.com. By signing up for a free web host, you will get access to a partition on a server that is shared by many other websites. You can ping your new website to find out what its IP address is. You might be interested to know what other websites are sharing your server's IP address. You can find out which ones are by doing a reverse IP lookup online, using a tool such as the one at: https://hackertarget.com/reverse-ip-lookup/. If many other websites are sharing your server, they may muddy the waters if someone is trying to identify the source of your hacking via your server IP. The first thing you'll

want to do when signing up for hosting space is to disable directory listings in your .htaccess file, or whatever the equivalent is on your server. If you're being hosted on an Apache server (most servers run Apache), just add these lines to your .htaccess file to prevent directory listings:

Options -Indexes

We'll have a look at why this is important later on. Another great way to help keep your real identity separate from your hacking activities is to use anonymous currencies to pay for stuff online. You can use Bitcoin for this, but it's complicated and it isn't 100% anonymous, especially if you use an exchange like Coinbase. Prior to the internet, if you wanted to make an anonymous purchase, you'd use cash. That was before eCommerce took off and many things that you might want to purchase anonymously could only be paid for via PayPal or a credit card. There is still a way to more or less use cash online, though: you can use a VISA gift card, paid for with cash. Almost all payment processors will take a VISA gift card as if it were a real credit card. That way you don't have to give the payment processor your real credit card information, something which will require you to give them your real name and address. To make an online purchase with a VISA gift card, all you have to do is enter the card number, expiry date, and the 3 digit CVV code on the back. If the website wants to know the name on the card, just enter 'Gift Card' in the name field and it should work, something that still

surprises me to this day. There's a reason that scammers from India always want you to pay them with gift cards: they're a loophole in the payment system that may never get closed. They're too useful and lucrative to ban but they're also a great way to transfer money overseas anonymously or to make anonymous purchases online. The key to successfully purchasing a VISA gift card is to do it at a store far away from your house, and while trying to avoid being seen by cameras, and to only ever pay for it in cash. I would assume that companies who make gift cards keep track of what cards were sold at which store, and they can query that information using the card's unique number. They may even know the exact time the transaction took place. If so, they may be able to look at security footage to identify both you and your vehicle. Keep this in mind when purchasing the card. There are all kinds of gift cards you can buy that you can then use anonymously. It might be interesting to go to your local supermarket to check out what kinds of cards they sell; you might be able to pay for more stuff online with cash (or what it is essentially cash) than you'd thought. Another random tip I'll give you to stay anonymous is to change your writing style. You never know what personal writing quirks might give the writer away. I personally tend to use 'that' a lot, and I almost always use the oxford comma. I try not to do this stuff when producing text in the process of hacking, to limit people's ability to connect it to me on that basis. And another random tip is to not talk about your hacking activities offline. The worst mistake you can possibly make when trying to stay anonymous is to trust or confide in people in your real life about what you're doing. Never breathe a word of it to anyone, even if it's just in good fun. One day it might

not be just good fun, and then you'll seriously regret having said anything. Also, definitely encrypt your hard drive. If you're on a Mac, this can easily be done through FileVault with just a click. If you're on Windows it's a bit trickier, but Google should be able to help. Encrypting your hard drive means that if someone wants to extract the data from your computer, all they'll get is garbled information that is useless without the decryption key or a password. The last tip I will give you in this section is to accept the fact that sometimes you can't be entirely anonymous. The internet is so riddled with tracking that it's very hard to do anything without leaving a digital fingerprint. The key to evading the law is to not do anything illegal and, if you do, to do something that's not worth chasing up. Sometimes, when you're doing really high risk stuff, the key to a successful hack isn't to avoid getting caught, it's to fully accept the consequences of getting caught and to proceed regardless.

Our First Hack Before we get into the weeds of learning how to code and describing different approaches to hacking, I want to show you something that will whet your appetite a bit. I'm going to show you something with which you may already be familiar. This trick will allow you to go to any website and force it to expose half its secrets. What I'm going to show you is how to easily view any website's frontend source code. Here's how to do it. First, navigate to any website. Then, right click and hit the option to view the page's source. On Chrome and Firefox, the menu item is called 'View Page Source'. On Safari, it's called 'Show Page Source'. Either way, once you've hit that menu option, a new page or panel will open. That page or panel contains all the source code for the frontend of the website. This is the code that is used to generate the side of the website that you see. This code is a mix of HTML, CSS, and JavaScript. At the most basic level, the code you can see here is used to lay out, update, theme, and add interactivity to a web page, as well as communicate with the server. This differs from backend code, which is used for generating the page to be served to users, communicating with databases, performing file operations, sending emails, and performing a whole bunch of other tasks that frontend languages like JavaScript either can't do or aren't suited for. Every website uses a combination of frontend and backend code to create the final experience that you see. What can we learn about a website from looking at its HTML, CSS, and

JavaScript? As it turns out, we can learn a whole slew of things that the owners of the website and/or the people who built it might not necessarily want us to know. Here's some code that you can find on one of my websites, in a script called gallery.js that, surprise, surprise, controls the logic of my image galleries:

function request(id){ $.ajax({ url: "/tracking/tracking.php", data:{ gallery_view: id }, type: "POST" }); }

This is an AJAX call in jQuery (a framework that makes writing JavaScript easier). You might not understand much of what you're seeing, but you might still be able to look at the words you can read and discern a few interesting things about how the website operates. AJAX stands for Asynchronous JavaScript And XML. That sounds scary, but it's just a way to send and receive data from a server after a page has loaded. Normally, as soon as a web page is done loading, the server's job is done, and it's all up to HTML, CSS, and JavaScript to talk to the user from there. AJAX

is a way to, for example, run a server-side script when a user clicks a button or hits a keyboard key. Knowing that that's what AJAX is for, we can see that this piece of JavaScript is calling a script called 'tracking.php' on the server. By looking at the page source, we can already tell that this page is tracking us with a server-side script, and that the language the backend is written in is PHP. If we find references to this function in the code that runs when someone clicks the 'Next' and 'Previous' buttons in an image gallery, we can therefore say that this page is tracking what images we're looking at as we're browsing through albums, sending the id of those images to the server as POST data. You might not know the page is doing this as a regular user of the site, but now you do. By looking at this piece of code, we can also get an idea of the website's structure on the server. Here's the path to the tracking script that the AJAX function is calling again:

/tracking/tracking.php

The slash at the beginning of the path denotes that this is a relative filepath, and that the filepath that follows begins in the website's root directory. If the website in question is www.mywebsite.com, JavaScript will convert that link into www.mywebsite.com/tracking/tracking.php. Visiting that link directly may invoke the tracker script, or it may produce an error that will reveal more

information about how it or the website works. Rookie coders don't often anticipate their scripts being accessed from outside their programs, and may forget to program in any behavior to handle this case, so sometimes you can see interesting things by doing this. Visiting the folder that contains tracking.php might be even more interesting. When you visit a folder on the internet, the server will automatically look for an index page inside that folder to serve to the browser. This page is most likely named index.htm, index.html, or index.php, but there are other index page names and file extensions that are considered valid by different servers. Here's the interesting part, though. If there is no index page inside a website's root directory or subdirectory, and if the website's .htaccess file hasn't been configured to throw a 403 forbidden error or to serve a default page, the website will simply display a list of files in that directory! Because a web browser is, at its core, just a remote file explorer with a built-in rendering engine, you might begin to traverse the directories of the website as if you were looking at files on your own computer! Depending on the nature of the website you're trying to hack, this might reveal all sorts of things. I have personally found things like business client lists with names and addresses, files containing database usernames and passwords, access logs, and many other things, just because someone forgot to include an index page inside one of their website's subdirectories. Granted, these things could still be accessed directly via their URL (e.g. www.mywebsite.com/authentication/password.txt),

but

the

chances

of

someone guessing that URL and navigating to it to steal sensitive data is minimal. Security through obscurity here would work in 99% of cases. But, it made it so much easier to just get a list of all the files within a subdirectory, and to be able to just click the files that contained sensitive data. It's remarkably common for websites to be vulnerable to this sort of attack, especially ones built by younger web designers who lack security knowledge or slipshod developers who just want to get paid. There are many other things you can discover about a website by looking at its page source. You might not be able to read most of it, so concentrate on the things you can understand. Page source code is almost invariably littered with English words that reveal something about the website's functionality. You might be able to read the website's external CSS and JavaScript files. Some JavaScript is as straightforward to read as you can get. It's not hard to tell what the line alert("You have been logged out."); does, even to the noncoder, so you might get a lot of mileage out of going through a website's JavaScript code. You might also be able to tell what the site is built with by looking for references to popular content management systems like Joomla! or Wordpress. Or you might be able to figure out what (if any) tracking solutions they're using by looking for references to things like Google Analytics or Statcounter. You can sometimes find URLs from where the website is pulling its data, and visit those to see things the owners may not want you to see. You might also be able to read comments from the developers who built the site. Comments are phrases written in non-computer languages like English which are commonly used to help the developer understand the code they've written in the future, long after they're done with

it and have forgotten how it works. Some of the comments in the source of the main web application my workplace uses internally are somewhat amusing, with the app's developers occasionally leaving comments like:

//I'm not confident in how this function works anymore…

Occasionally, you might stumble across a website with source code that looks something like this:

(function(){window.google={kEI:'C9_OYKTuCMSUgTqgJyABw',kEXPI:'31',u:'9eb444e',kBL:'bWXf'};google.sn='webhp';google.kHL='en';})(); (function(){ var f=this||self;var h,k=[];function l(a){for(var b;a&&(!a.getAttribute||! (b=a.getAttribute("eid")));)a=a.parentNode;return b||h}function m(a){for(var b=null;a&& (!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b}

This is part of the source code of the Google Search homepage. Frontend code doesn't normally look like that. It's extremely hard – if not impossible – to read, and that may be the point. Google has obviously ran their code through a JavaScript minification tool, which reduces the size of the final JavaScript file and makes it much harder to read. This can, among other things, obfuscate their source code to prevent hackers from easily reading it. Source code that looks like this is much harder to draw conclusions from and spot weaknesses in casually.

This is pretty simple stuff and this hack does not use PHP, but I just wanted to show you this first before we dive into learning how to code, because I want to show you that there are ways to expose secrets on the internet that you shouldn't necessarily be able to see. Looking at a website's source code isn't illegal. You can and should do it. It's not really a secret. It's built into all browsers and is easily accessible in the right click menu. But, it allows you to peek just a little behind the curtain.

How to Code

Creating Your First Program In this chapter, I'm going to show you how to write your first PHP program. If you've watched or read any introduction to a programming language before, you'll be nauseatingly familiar with the program we're going to write. All it's going to do is output two words on the screen. Those words are going to be 'Hello World'. That seems extremely simple and cue eye-roll, but it's going to teach you more about coding in PHP than you'd think. First, you're going to need to fire up your local server. Then, you'll need to open the local server's root directory (click the big folder icon if you're using AMPPS). If you're not using AMPPS, or you're using a different version of it than I am, and you can't locate the folder icon, you may need to use Google to find the folder. It should be called either www, htdocs, or public_html. Once you're in the folder, launch your code editor, then create a new text document. Save this document in your local server's root folder, with the name hello_world.php. You might be familiar with saving web pages with the .htm or .html file extensions, but pages containing PHP code won't run unless the page's extension is .php. A page with the .php extension can contain HTML, CSS, and JavaScript code, exactly like .htm or .html pages can – the only difference is that a server with PHP installed will run .php pages through its interpreter, allowing you to run PHP scripts inside it.

In addition to giving the page the .php file extension, PHP requires us to put PHP code between a special set of tags. Here's what PHP tags look like:

The tag tells the server that that's the end of it. A server with PHP installed will interpret anything between these tags as PHP code that needs to be parsed and executed. You can include as many of these script tags on a page as you want. You can have a hundred PHP scripts running on your page if you'd like to, and you can even shove them between HTML, CSS, and JavaScript, something we'll have a look at in a later section. Write those tags into your script so that your server will interpret the code we're going to write between those tags as code. Then, I'm going to tell you about one of the most important keywords in PHP: the 'echo' keyword. This keyword tells the interpreter to output whatever we include after it until the end of the statement as text. Imagine you opened a blank .html document and just started writing text without any tags - that's the kind of text that echo is going to output for us, making it extremely powerful as, as we'll see later, we can use it to output HTML, CSS, and JavaScript code for us.

Write the echo keyword between your script's PHP tags, like this:

If you're using Visual Studio code, you'll probably notice that the keyword changes color once you've typed it. If so, the syntax highlighting feature of your code editor has recognized what you just wrote as a PHP keyword, which is something that may come in handy as your scripts grow bigger and more complex. After the keyword, we're going to write a string. 'String' is a term in computer science to denote a sequence of letters, numbers, symbols, and/or characters that the computer will see as text, not code. As in most other programming languages, a string in PHP is written between a set of opening and closing quote marks, either single or double (" or '). Let's put a string containing the characters that make up "Hello World" after the echo keyword inside a pair of double quotes to tell the server that we want to output this text. I say 'characters' and not just 'letters' because we're also going to include the 'space' character inside the string. Here's what our script should look like now:

The linting feature of your code editor might be telling you about a syntax error at this point, and, if you tried to run this script as it is right now, your local server would probably have an aneurysm. That's because we need to end all statements in PHP with a semicolon. This allows the interpreter to differentiate one statement from another. Let's type a semicolon at the end of our echo "Hello World" line so it looks like this:

I've actually gotten so used to ending statements with a semicolon over the years, as a result of programming in JavaScript, CSS, and PHP for so long, I often have to consciously stop myself ending statements written in English with a semicolon. And there it is. Our script is finished. It's not flashy, and it's not going to change the world, but it's going to be a complete program that does a thing. Let's now access our local server's root directory from our browser to see it in action. To do this, open your web browser and type 'localhost' into the address bar. You should see a directory listing with a single item: hello_world.php. If you don't, it means that you may need to access your local server through its IP address, something you can find in the local

server's admin panel (the thing that you see when you launch the app). In XAMPP, I need to explicitly start my local server before it becomes useable in my browser by hitting the Start button. Then, I need to go to the Volumes tab, hit Mount, and then I need to type the IP address that's now in the General tab into my browser's address bar. Your local server might need you to do something convoluted like that. If that still doesn't work, hello_world.php might be in the wrong folder, and the fix for that is obvious. If you do see hello_world.php, click it and you should see the Hello World text in your browser. If all went well, then congratulations! You just wrote and ran your first PHP script! I want to make a few notes before I close out this section. The first thing I want to mention is that PHP is very loose when it comes to formatting. These are some of the ways we could format the script:





Here's what that single-line example would look like if we had two echo statements inside the script:

PHP doesn't care about indents or line breaks. Your code could be all on a single line if you wanted it to be, and, as long as you end each statement with a semicolon, PHP will be able to read it just fine. You, on the other hand, probably wouldn't be able to read it just fine if you wrote your scripts all on a single line, so I'd recommend using line breaks and indents to make your code more readable/less of a hideous mess. I'll also mention this: you don't need to include the closing PHP tag ?> if there is no code following your script on the page. PHP will happily interpret the end of the page as the script's end if there's no HTML, JavaScript, or CSS code after the PHP code.

Variables and Data Types In PHP, a variable looks like this:

$variable

It's just a word that starts with a dollar sign. Think of a variable as a container. In programming, these containers hold data. You can store data in these containers by assigning the data to it using the = operator. Here's an example of storing a number inside a variable:

$myVariable = 1;

I can then access the number stored inside that variable by simply writing the variable name.

Strings are case-sensitive, meaning that "Jake" and "jake" aren't the same. You can store almost any kind of data inside a variable. Here's a list of the data types a variable will accept for storage in PHP: String (a sequence of characters inside quotes). Integer (a whole number). Float (a number with a decimal point, known in programming as a 'floating point' number). Boolean (true or false). NULL (no data). Array (a container for multiple pieces of data of any type). Object (a container that has properties and methods that we can use). Variables are also case-sensitive, so $Number and $number aren't the same. In addition, you must obey some rules when naming them. They can only contain uppercase letters, lowercase letters, and numbers. You can't start a variable name with a number, though. Variables should be given names that allow you to tell at a glance what they do, making your code easier to read. Using single letters as variable names and then trying to read your code months later is the quickest path I know to madness. Variable names can't contain spaces, so you'll need to use camel case ($camelCase) or underscores ($camel_case) for multi-word names. Variables should all be given unique

names to avoid conflicts. And, finally, a variable will hold the last value it was assigned. Using variables might seem useless right now, but variables really unlock the power of programming. Imagine you have a program that's 200 lines of code long and it makes reference to the color red 50 times. Now imagine that you want to change red to yellow. If you'd stored the color as a variable named $color and you made references to the variable 50 times throughout your program, all you'd have to do is change the value of the $color variable to change it in all 50 places! That's only one very basic example of why variables can be extremely useful when programming, but, as you'll see throughout this book, the benefits won't stop there.

Changing Your Program's Behavior with 'If' Statements If you want to make your PHP programs behave differently in certain situations, you can add branches to your code using if statements. You might want to make your code do different things based on the current value of a variable, the return value of a function, whether or not something is true or false, the current time of day, someone's IP address – almost anything can be used to change the behavior of your code. To write an if statement, simply write the keyword 'if', followed by a set of parentheses which hold your test condition/s, after which you write the code you want to run if those conditions are true. Here's an example of a program using an if statement to behave differently if a variable is true or false:

Good morning, !

When the user loads the page, the contents of the $name variable defined above the HTML will be echoed inline, right into the "Good morning !" greeting. If a user accessed this page, they would see a paragraph saying: 'Good morning, Jeff!' This technique can easily be used to add another level of dynamicism to your pages.

Mixing PHP and CSS You can also make your styles dynamic by mixing PHP into your CSS code. Check this out:



body { background-image: url("/assets/bg/"); }

This code will randomize the background image of this web page. It has the filename of three potential background images stored in an array in a PHP script at the top. This array is then shuffled using the shuffle() function, which will randomize the order of the items in the array. A PHP script has been placed inside the CSS background-image attribute, which will echo out the first item in the $bgImages array. Because the contents of the array have been shuffled, the $bgImages[0] could be either forest.jpg, flowers.jpg, or beach.jpg, depending on which item is now in the first position inside the

array. Because the background images are stored in "/assets/bg/", the result of our echo will appear at the end of this filepath, resulting in something like "/assets/bg/forest.jpg". CSS will then make this the background image of our page, as it will happily interpret the filename we've echoed in PHP as if we'd written it in by hand!

Writing JavaScript with PHP PHP will happily write your JavaScript code for you as well. Here's an example of PHP outputting the code to trigger a JavaScript alert on a web page:







String Operations I enjoy writing PHP code mostly because it comes with a whole range of built-in functions that make common tasks easier. We'll canvas PHP's most interesting functions over the course of this book, but for now I want to show you a couple of them that can make dealing with strings easier. Let's work with this string:

$name = "morgan"; echo $name;

//morgan

This name is all in lowercase lettering. Say we want it in all caps. Here's all we'd have to do:

$name = "morgan"; echo strtoupper($name);

//MORGAN

Now let's say we want to have only the first letter of the string capitalized and the rest lowercase:

$name = "morgan"; echo ucfirst($name);

//Morgan

Pretty easy stuff, huh? When I first saw functions like these, I wasn't particularly impressed, but there are so many uses for them. For example, just say you've got a whole list of first names – all lowercase strings. You want to send an email to all of them, with a capitalized version of their name in the greeting. All you'd have to do is echo each name in your list with the ucfirst() function and your work is done! Here's a few more handy string functions: Here's a two-word string:

$name = "morgan acacia"; echo $name;

//morgan acacia

Now say we wanted to transform this string so that the first letter of both words are capitalized. PHP has an inbuilt function that allows you to easily accomplish this. Here's how it works:

$name = "morgan acacia"; echo ucwords($name);

//Morgan Acacia

You might run into a situation where you only want part of a string and you'd like a way to split the string up. You can do this with a function called explode(). This function will return the parts of your string as an array, which you can then access. All you have to do is type explode() and pass it first the character that you want to split the string at, and then, as the second parameter, the string itself. Here's an example:

$name = "morgan acacia"; $nameArray = explode(" ", $name);

echo $nameArray[0]; //morgan

echo $nameArray[1]; //acacia

As you can see, PHP split the string at the space (I typed a space between those two double quotes), and returned an array with the two halves of the string at position 0 and position 1. The space character that was used to determine the place where the split should occur is gone – PHP just gets rid

of it, leaving you only with the parts of the string on either side of where it was. Explode can also work if your string has multiple places where the separating character is present. I could explode each word of an entire book into a separate array item if I passed explode() space as a separator and the book as a string. PHP has loads of built-in functions that you can use to do all kinds of interesting things. W3Schools has an excellent reference manual for all of PHP's

inbuilt

functions.

It

can

be

viewed

here:

https://www.w3schools.com/php/php_ref_overview.asp. Don't worry if you don't want to look at it just yet, though: you will be introduced to many more of PHP's inbuilt functions over the course of this book.

Dig Up All The Dirt on Your Visitors

Introduction to Visitor Hacking Now that we've learned the basics of how to code, we can move on to the core topic of this book: hacking visitors to our pages on the web. The first thing we're going to do is dig up as much dirt on our visitors as we possibly can by harvesting every bit of information we can get from their requests to our servers. We're going to program our servers using PHP to grab people's IP address and user agent string, and then I'll show you how to use a thirdparty API to parse them to get a slew of useful information. Because our tracking scripts are going to be executing on the server rather than the browser, people are going to have to give us their tracking data whether they're blocking trackers or not. We won't be relying on the easily-blocked JavaScript programming language like other trackers do. We're going to be using our server-side language to ensure that anyone who accesses our pages is going to be seen while they're doing it. As mentioned earlier, these people do not necessarily have to come to us by choice: we can use social engineering to lure people to our web pages, tricking them into making requests and exposing their data. In this section, we're going to be talking about how to extract information from our visitors. We'll talk about how to weaponize this information against visitors, stalkers, and hackers in a later section. Here's a list of all the information we can get about people by analyzing hits to our web pages. We'll be able to get the: Time and date of their visit to the millisecond. Reported IP address.

Continent. Country. City. Zip code. Latitude and longitude (roughly). ISP. Pages they've visited. Files they've downloaded. The request URI (what they meant to access even if they couldn't). Device type (e.g. browser, automated software tool, crawler, etc). Device name and brand. Browser name and version number. Where they came from (the referring link). What query string they used to access the page. And much, much more! As we're going to see, some of the information that we get from our visitors may be fake, but we'll also have a look at identifying fake information from visitors in later sections.

What is an IP Address? Before we get started, let's talk about IP addresses. An Internet Protocol (IP) address is a string that identifies devices on the internet. All devices that are connected to the internet must have a unique IP address – both computers and servers – so that devices know where to request or send data being exchanged. There are two types of IP addresses: IPv4 and IPv6. An IPv4 address looks like this:

192.168.17.43

Whereas an IPv6 address might look something like this:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Let's have a closer look at IPv4, which is the most common type of IP you'll come across. Each IPv4 address is a 32-bit number, which means that it's a number that can be expressed using 32 binary digits, though we'll only ever see the number in its more human-readable, base-10 form.

If you make a request to a server, you must send that server your IP address, so it knows where to send the data you requested. In order to do this, it needs to know exactly on what part of the internet you can be found. The information about your location on the global internet network is encoded in your IP address. Each IPv4 address consists of four different parts, which are separated by periods, which themselves are expressed as a number between 0 and 255. The divisions in the number are meaningful, but we aren't going to go into too much detail about those numbers here. IP addresses are their own little rabbit hole, but all I want to provide here is a basic understanding of how IP addresses work and how to recognize them when they pop up in your tracking data. Determining your own IP address is easy: just Google something like 'what is my IP address' and click on one of the links. My favorite website for seeing what my IP address is www.whatismyipaddress.com, but you might find another website that's more to your taste. You should easily be able to find a website that will show you both what your IPv4 and IPv6 address is (your ISP will almost certainly have assigned you both). It's a good idea to note what your real IP address looks like, and to Google your IP address while hacking to verify that it's different and that your VPN is working. IPv6 addresses differ from IPv4 in that they can be expressed using 128 bits instead of IPv4's 32 bits. IPv6's higher size limit allows many trillions more possible combinations of IP addresses than IPv4, something that is desperately needed as the number of devices and networks all sharing the internet increases exponentially each year. I find IPv6 addresses far less

readable and recognizable at a glance than IPv4 addresses, but you'll encounter IPv4 addresses far more regularly as you begin to track web page hits so it shouldn't be that much of a problem. IP addresses can be either static or dynamic. Sometimes a visitor may always have the same IP address, while others may have a different address each time you see them pop up in your tracking data. Dynamic IP addresses change automatically and regularly. ISPs buy a large pool of IP addresses and assign them automatically to their customers. Periodically, they re-assign them and put the older IP addresses back into the pool to be used by other customers. The rationale for this approach is to generate cost savings for the ISP. Automating the regular movement of IP addresses means they don't have to carry out specific actions to re-establish a customer's IP address if they move home, for example. There are security benefits, too, because a changing IP address makes it harder for criminals to hack into your network interface. In contrast to dynamic IP addresses, static addresses remain consistent. Once an ISP assigns a static IP address, it remains the same. Most mobile connections are dynamic: your 3G, 4G, or 5G enabled internet device might report a new IP address constantly when you look it up, especially if you're traveling with it. As you begin to analyze the IP addresses of your visitors, you'll begin to notice the patterns in them. You might notice that the Googlebot – the software the traverses the internet looking for new and changed content to keep Google Search current – reports an IP address that always starts with 66. Your mobile device might always start with a specific integer, and

connections from local ISPs might always have the same numbers at the beginning of the address. VPNs might follow numerical patterns that are completely unlike those from local IP addresses. You'll get more adept at recognizing the differences in IP addresses at a glance as time goes on. There are other types of IP addresses. As discussed in the section 'Covering Your Tracks', a server also has its own IP address, which we can use to request data from it. When browsing the internet, we usually don't have any awareness of the IP addresses of the servers from which we request data, because those IP addresses are accessed using their more recognizable aliases: domain names and URLs, which are human-readable pointers to servers on the internet and locations within them. Also, every device that connects to your internet network has an address called a MAC address. This includes computers, smartphones, and tablets but also any Bluetooth-enabled devices like speakers, printers, or smart TVs. Your router needs a way to identify these items separately so it can send and receive data from them specifically, and many items need a way to recognize each other. Therefore, your router generates addresses that are unique identifiers for each device that differentiate them on the network.

Get Someone's IP Now that we know what an IP address is and how to recognize one, let's write a quick script to output a visitor's IP address in PHP. We're going to first open our code editor and create a new file for our script. Let's call it ip_getter.php and save it to our local server's root folder. As usual, we'll create some PHP tags for our script:

And then between those tags we're going to echo a single variable:

And that's it! You're going to want to upload your script to a real server via your FTP client for testing. If you don't yet have a real server to test on, the section 'Getting

Set Up' will give you a brief guide on how to get one. Upload the script to your web hosting's root folder and then access it via its URL, which will be something like:

www.yourdomain.com/ip_getter.php

Once the page loads, you should see your own IP address at the top of the page. It's literally that simple. Note: if you're accessing this script through localhost, it may show you something weird, so make sure you deploy it to a live server before concluding that this technique doesn't work, that this book sucks, and that I, the author, should die. So how does this work? $_SERVER is something called a 'superglobal' variable. These variables are automatically generated by the server when a request is made, and they hold useful information that we can access. The $_SERVER superglobal is a variable that contains an array that is automatically populated with information that we can access from our scripts while they're running, from any scope. Since $_SERVER holds something called an 'associative array', we can access the data within it using strings as keys rather than numerical keys as is the case with the indexed arrays we've looked at already. One of these array keys is REMOTE_ADDR. If we access the value of this key in the $_SERVER array with array notation (e.g.

$_SERVER["REMOTE_ADDR"]), we can access the data the server got from the computer requesting data from it. That's all a complicated way of saying, if you type $_SERVER["REMOTE_ADDR"], you can get someone's IP address, and you can type other $_SERVER things inside those brackets to get other information from the server like HTTP headers and file paths. A list of all PHP superglobals can be found online in the PHP manual here: https://www.php.net/manual/en/language.variables.superglobals.php All we've done so far is echo this information onto the page. We've done this for illustrative purposes. We could easily do other stuff with it: we can save it to a variable, email it to ourselves, save it to a text file, or save it to a database. We'll be doing all this and more in the following sections. For now, however, I want to address something. $_SERVER["REMOTE_ADDR"] is not always reliable. DDoS protection service Cloudflare can interfere with us getting someone's real IP address. The reported IP address also might be spoofed by using a proxy or VPN. If your website has Cloudflare enabled, $_SERVER["REMOTE_ADDR"] might return the IP address of Cloudflare as opposed to the visitor's. Fortunately, Cloudflare will send us the visitor's IP address in the form of an HTTP header which we can check the existence of in our scripts. Here's a quick script you can use to get someone's IP if your website is protected by Cloudflare:

if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])){ $_SERVER["REMOTE_ADDR"] = $_SERVER["HTTP_CF_CONNECTING_IP"]; }

Getting IP Email Alerts Now that you know how to capture someone's IP address, let's have a look at one way of saving this information so that you can collect and review it. The most basic way to do this is to use PHP's inbuilt mail() function to send an email to us whenever someone visits our pages, with the IP address inside. Like all inbuilt functions, PHP's mail() function takes a set number of parameters. If we write 'mail' with a set of parentheses, we can then describe the email we want the server to send by passing the function data, either as strings or variables, in the format it expects. Here's the mail function's basic syntax:

mail(to, subject, message, headers);

Thus, to instruct our server to send an email with PHP, all we have to do is follow this format. We'll first write mail, open a set of parentheses, then write our 'to' email address as the first parameter, the subject of the email as our second parameter, the message we want to send as our third, and the headers we'll want to send along with our email in the fourth position, all separated by a simple comma. The mail function also takes a fifth parameter, but we won't be using it for our purposes here so I have omitted it from our discussion to keep things simple/our brains from exploding.

Here's what the code to send our IP address to ourselves will look like:

The mail() function doesn't always work on localhost, so, if you upload this using your FTP client to a real server and then access the page, the script should run immediately. The email should come through right away to the email address passed to the mail function in the $to variable. If you can't find it, it'll probably be in your spam folder. The subject of the email will be "Website hit!", it will be from the email address passed in as the 'From' mail header, and opening it should reveal your own IP address. If you install this script on all of your web pages, you will get an email every time someone loads one of your pages, and the email will contain the visitor's IP! Before moving on, I want to make a note about the 'header' parameter of

PHP's mail function. You can pass anything you want to the header parameter as a string in the following format: header:value. So, to specify the email address you want the recipient (in this case, you) to see when they receive the email, you pass a string containing the header name (From), then write a colon (From:) and then the address (From: [email protected]). You can write any email address you want there and PHP will happily send the email as if it came from that address.

Getting Past Tracking Blockers The email tracking script we just built seems primitive, but here's the most interesting thing about it: it can't be blocked. You would assume that, if you installed a popular piece of software that claims to block online tracking like a web browser or extension, then it should be largely impossible to track you as you surf the internet. This could not be further from the truth, as the tracking script we just coded demonstrates. You can test this out right now by firing up a browser like Brave and accessing your tracking script. Even if you set Brave's tracking blocker to the highest setting (Aggressive), if you access your tracking script or a page it has been included on inside the browser, you will still get an email with your IP address inside. Furthermore, if you access Brave's 'shields' panel by clicking the orange lion head icon next to the address bar, Brave will report that it has blocked zero items. Usually, Brave will tally the tracking scripts it has blocked on a page, and it will allow you to view the total in the shields pane. If you go to a site such as www.youtube.com and have a look at Brave's shields panel, you will see that it will block many items. If you click the downward arrow button next to the 'Trackers & ads blocked' section, you can even see a list of scripts that have been blocked. This will be a list of all the JavaScript trackers Brave has detected and has prevented from loading. If you view the same screen when you access your tracking script, though, or access a website you have

included your email tracking script on, you won't see anything like this (assuming you don't have other trackers installed). How can this be? This is because our tracking script is executing on the server rather than inside the browser. Brave and other browsers that block tracking scripts can only do so by analyzing the page's source code after it has been sent by the server. If it finds known tracking code in the data the server has sent, or a link/call to known tracking code, or even scripts with the words "track" or "tracking" in their name, it will prevent that code from running. Tracking scripts we build in PHP, however, will execute on the server first, before the page is even sent to the browser for analysis. The mail() function we have invoked to build this tracking script will run before the browser has any say in the matter. By the time a browser like Brave gets the page for analysis, your tracking email will have already been long-since sent. Scripts that are called via JavaScript from the server after page load via AJAX can be blocked by Brave, but scripts that execute on the server are untouchable. This principle will form the basis of all of our visitor hacking going forward. There is a huge movement toward online anonymity, and browsers like Brave have been developed to enable this trend. But, as we have demonstrated, it's all a lie. You can block trackers on the client (the browser), but you can't block ones that run on the server. Blocking online tracking is thus a fantasy. By weaponizing server-side tracking against your visitors, you can ensure that no-one can hide. They can use VPNs and other methods to try to remain anonymous, but, as you will see, these ways aren't 100% effective at

protecting a user's identity, either. You might be wondering how this is allowed, but it does make sense. If you have blocked trackers and you Google your own IP address, Google will tell you what your IP address is. How could it do that if tracking blockers actually worked? Also, if a service (e.g. a gaming service) tried to ban someone by blocking their IP address, how could they do that if avoiding the ban was as easy as installing a tracking blocker? There always needs to be a way to detect and log someone's IP inside the server, and, lo and behold, there is. We can use this to our advantage. While everyone else is using their JavaScript trackers like Statcounter to log their visitors, we'll be using the server to capture IPs and track users, whether they want to be tracked or not. This gives us an advantage over stalkers, hackers, or even regular people who don't want their personal data exposed when they view our websites, and it gives us an advantage over people using web-builder services like Squarespace, who can't install any server-side code on their pages.

Generating IP Info Links Once you have someone's IP address, you can immediately extract a whole bunch of interesting information from it. By using a service such as the one at www.whatismyipaddress.com, all you have to do is copy and paste the IPs you're capturing in your notification emails and look them up. Using an online IP lookup service, you can get information like the internet service provider the visitor is on, as well as geolocation information such as the visitor's continent, country, state, suburb, post code, and even their longitude and latitude. The accuracy of IP geolocation information can vary. In the past, I have been able to pinpoint someone's location down to their suburb, but usually the geolocation you can get from an IP address will be accurate within 150 kilometers. If you look up your own IP address using something like www.whatismyaddress.com, you will get an idea of how accurate the location data you can extract from an IP is (a greater discussion of IP geolocation can be found in a following section). Information about the time and date of the visit can be determined easily from the time and date the email was sent. Copying and pasting every IP you get from your tracking emails to get information about it, however, will get old pretty fast, so let me show you a better way to do it. You can use PHP to automatically generate and include links to an online IP lookup service inside your tracking emails. To make this work, the first thing you'll need to do is choose an IP lookup

service. My pick would be www.whatismyipaddress.com. The reason that I recommend this website is because it has a URL scheme that we can easily mimic inside PHP to generate links to tracking data about that IP. For example, if I wanted to get data about 180.163.220.62, I wouldn't need to type anything into the search field, I could just type the following URL into my address bar:

www.whatismyipaddress.com/ip/180.163.220.62

This service, therefore, has a clear URL scheme: the website address, followed by a forward slash, then the letters "ip", another forward slash, and then the IP address you want to look up. It is very easy to generate such a link inside PHP using string concatenation. Here's our original tracking script that mails IPs to the email address of your choosing:

We can easily add more things inside that $message variable to include a convenient link we can click inside the emails to get more information about the address. Let me show you what the finished script would look like and then I'll explain it:

You'll immediately notice a new variable: $lookup_url. This variable will build and hold the full URL that you can use to look up a visitor's IP address. It

will

join

the

first

part

of

the

URL

–

in

this

case,

http://www.whatismyipaddress.com/ip/ – with the value held in the $ip variable. If the IP address of the visitor is 180.163.220.62, and we echoed the

link out, the output would be:

http://www.whatismyipaddress.com/ip/180.163.220.62

All hail string concatenation. The other way this script has been updated lies inside the $message variable. In order to make tracking emails a bit nicer, I've included descriptions of the IP address and lookup links as text, and then concatenated them with the variable they describe. For example, the output of:

"Hit from IP address: " . $ip . "\n" . "IP lookup: " . $lookup_url;

… will be: 1. The text "Hit from IP address: " (note the space at the end). 2. Then the IP address. 3. Then a new line, created by the special, escaped new line character "\n" which will put everything that follows it on a new line. 4. After this will follow a string of text saying "IP lookup: " with another trailing space after the colon. 5. Then the URL contained inside the $ip_lookup variable will be inserted into the resulting string.

If you're sending your emails to a service such as Gmail, which automatically detects links and makes them clickable, you should be able to click those links to view detailed information about your visitors' IP addresses right away. If your email service does not automatically make links clickable, you'll have to generate the HTML required to make it a clickable link. Here's what that would look like:

dark on off www.google.com

That's all an XML file is. You don't need any special software to write it. It's just a .txt file with .xml as the file extension, with at the top, a pair of main opening and closing tags (here: ) and information between HTML-like opening and closing tags with names that you choose. The file is easily readable both to humans and computers, making it a breeze to work with. PHP has an inbuilt function called simplexml_load_file() that can grab an XML either locally or from the internet, and save its contents as an object with properties we can access with the -> notation. Now that you know what XML looks like, you'll be able to understand how ipstack works. When you make a request to the ipstack API, you send along with it your unique access key (so it knows the account making the request) and the IP address you want information on. Here's an example of all the data an ipstack API call will return, in XML format:

134.201.250.155 134.201.250.155 ipv4 NA North America US United States CA

California Los Angeles 90013 34.0453 -118.2413

5368361 Washington D.C.

en English English

https://assets.ipstack.com/images/assets/flags_svg/us.svg U+1F1FA U+1F1F8 1

America/Los_Angeles 2018-03-29T07:53:46-07:00 -25200 PDT 1

USD US Dollar US dollars $ $

25876 Los Angeles Department of Water & Power





low



That's all the data you can get from someone's IP address using ipstack. It still amazes me to see the complete XML to this day. I will make two notes about this data, however. The first is that, if the IP address is a VPN, most of the data will be wrong. That's fine, though, because we can still use fake data in a variety of ways, which we'll look into later. The second note I will make is that you can only get some of the data if you're using a free account. I've only had a paid account once, which I used to get ISP information from addresses. But, I quickly switched to the free account when I found that it served my purposes, and the rest of this section will be written with the limitations of the free tier in mind. The free tier of ipstack will let you perform 5,000 API requests per month, so you'll be able to look up 5,000 IP addresses. You can get around this further by making two ipstack accounts

with different email addresses and just rotating out your access keys when you've almost hit the request limit on one, but 5,000 is pretty damned generous. If it's too generous and ipstack goes out of business, the instructions contained in this chapter should be applicable to other, similar services as well. With a free ipstack account, you'll be able to get everything the API returns up to the location module. Your returned XML files will thus look like this:

134.201.250.155 134.201.250.155 ipv4 NA North America US United States CA California Los Angeles 90013 34.0453 -118.2413

5368361 Washington D.C.

en English

English

https://assets.ipstack.com/images/assets/flags_svg/us.svg U+1F1FA U+1F1F8 1



I want to note that I'm not affiliated with ipstack in any way. I like the service and it has helped me protect myself against my cyberstalker countless times. It's an amazing API and so I've decided to base this section on it. If you have an issue with this then fight me. To get started using ipstack, go to www.ipstack.com and sign up for a free account. You'll get an access key that will look something like this:

7318754c35ff823463a03a301f5470efa

Once you have this key, you can then start calling the API to get XML data. You do so via a URL that looks something like this:

http://api.ipstack.com/134.201.250.155?access_key=YOUR_ACCESS_KEY&output=xml

So all you have to do to get data about an IP address in XML format from ipstack is to write a URL with four parts: 1. http://api.ipstack.com/ 2. The IP address you want to look up 3. ?access_key= 4. Your access key 5. &output=xml A fully formed request URL might look like this:

http://api.ipstack.com/134.201.250.155?access_key= 7318754c35ff823463a03a301f5470efa&output=xml

You can look up an IP right now by visiting a URL like that. Just put the IP address you want to look up where the IP is in the example above, make sure your access key is after the equals sign, and then hit Enter. You should see the XML file right there in your browser! It should be immediately obvious if you've been following along how we could build a URL like that in PHP dynamically: we could just create a string that has $_SERVER["REMOTE_ADDR"] in there. What's not immediately obvious, however, is how we can get this XML data and use it inside our scripts. As it turns out, it's fairly simple (even though figuring out how to do

it initially as a beginner probably took several years off my life). We'll just load the XML in using PHP's simplexml_load_file() function, which will then allow us to access its data as if it were an object. Here's an example: