Posts

Knock Knock Who is There?

Intro: This article was posted to show you how ridiculously easy it is to backdoor any executable of your choice (well, almost any) without even knowing how to pronounce the word CoMpUtEr. I call this constructive hacking because you literally construct the Trojan Horse using Windows' built-in packers without knowing how to program in any programming language, and the best part is that it is not even detected by almost all, if any, of the anti-virus software that exists on the market. The magical wizard: When I say magical wizard I am referring to the IExpress wizard (obviously very well known to the hacking community for a long time now). The IExpress wizard exists in almost all Windows versions with a default installation. You can use the IExpress Wizard and its command-line options, which come with Windows XP, Windows Server 2003, and Windows Vista, to simplify the creation of a setup program. Using the IExpress Wizard, you can create self-extracting files that automatically run the setup progra...

PHP Malware C99 Shell

Intro: This post is about identifying web back doors. Recently I did some research on the PHP malware C99 Shell, and it seems to be very popular among lots of hacking groups and script kiddies. C99 PHP Shell: C99Shell is a very well designed shell that practically lets you do about anything with the server, if you have the proper access rights. Here is a list with more web back doors; the link given is actually a Google project and it is not going to be accessible through corporate web gateways (with malware filtering, URL filtering or content filtering). Google Dorks: Nowadays someone would not even have to hack a web server; the only thing they have to do is google already compromised servers by using Google Dorks and boom, they are already into the compromised machine. Usually the compromised machines found this way are not so interesting, because something that is valuable is better protected (well, not always!) and the Google crawlers will spot it after a relatively big amou...

Windows Credentials Editor

What is WCE? It is the Windows Credentials Editor. It manipulates Windows logon sessions and is considered to be an evolution of the Pass-the-Hash Toolkit by its author, Hernan Ochoa. WCE Internals was presented at RootedCon in Madrid in early 2011; this presentation explains the inner workings of WCE, including how Windows stores credentials in memory pre- and post-Windows Vista. Post-Exploitation with WCE was presented in July 2011: a simple and effective high-level presentation with test cases. What does WCE do? WCE lists in-memory logon sessions (it dumps in-memory usernames and LM and NT hashes), changes or deletes the NTLM credentials of logon sessions, and creates new logon sessions associated with arbitrary NTLM credentials. Why WCE is better than Pass the Hash:
Feature | WCE | Pass The Hash
Supports Windows Vista/7/2008 | True | False
Single executable | True | False
Delete NTLM credentials | True | False
Works with session isolation | True | False
Programmatic discovery of new LSASRV addr...

Quick Reference on Port Scanning

Intro: This article is about the basic types of port scanning. Port states (taken from the Nmap man page): open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. closed: A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. Closed ports can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning them later in case some open up. Administrators may want to consider blocking such ports with a firewall; then they would appear in the filtered state, discussed next. filtered: Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. Sometimes they respond with ICMP error messages such as type 3 c...

What About Http Header Injection?


Yet Another Error Based SQL Injection Tutorial

Intro: This article was created for completeness of this blog as far as web application security is concerned, and it is mainly focused on MS SQL injections. What is SQL? SQL was originally developed at IBM in the early 1970s but was not officially formalized until 1986 by the American National Standards Institute (ANSI). SQL was initially designed as a data query and manipulation language with limited functionality when compared to today's feature-rich SQL dialects. Microsoft SQL Server: Transact-SQL (T-SQL) is Microsoft's and Sybase's proprietary extension to SQL. SQL, often expanded to Structured Query Language, is a standardized computer language that was originally developed by IBM for querying, altering and defining relational databases using declarative statements. T-SQL expands on the SQL standard to include procedural programming, local variables, various support functions for string processing, date processing, mathematics, etc., and changes to the DELETE...

Infiltrating corporate networks using XXE injection

XML External Entity (XXE) Injection (Updated 2026). Intro: External entity injection is, generally speaking, a type of XML injection that allows an attacker to force a badly configured XML parser to "include" or "load" unwanted functionality that compromises the security of a web application. This type of attack is well documented and has been known since 2002, though it continues to appear in modern applications, particularly in SOAP services, file upload handlers, and legacy enterprise integrations. Taxonomy (2026): XXE was categorized as OWASP A4:2017 XXE (its own dedicated category). In the OWASP Top 10 2021 it was merged into A5:2021 Security Misconfiguration. The primary CWE is CWE-611 (Improper Restriction of XML External Entity Reference)....