Interesting video. However…. 1. The IP address used in the video, is PRIVATE. Which means the server is on the same private network and probably NOT behind a firewall… therefore unrealistically easy to access. 2. Only completely incompetent people open up all ports to all IP addresses of a server facing the Internet. This is the kind of thing that would get someone fired immediately. 3. Most user names and passwords ( actually hashed passwords ) are stored in databases. Storing plaintext or encrypted passwords, goes against best practices. 4. Most password inputs check for the length ( is it too short or too long ) and content ( does it have numbers, lowercase, uppercase ) of the password BEFORE attempting to validate the password. Nice video, but too many red flags for me.
The target was setup for the sake of the video but yeah on a modern server install most of what was running is off by default at install or firewalled. I haven't seen FTP enabled in a long long time, virtually everyone uses SFTP now. FTP and web apps like forum software had tons of security flaws in the past, they were the easy way in.
THE REAL LESSON : Find the login access port , look for vulnerabilities (of overall system) , exploit the vulnerability, when shell runs move on dir to find the login access system, look for config file of the login system, get credentials, HACK COMPLETE. 😄 NB : the system doesn't need to be running services you saw on the video only to be hackable, its a process learn and understand it, then apply steps on any machine. The lesson here is to understand the concept ((technical steps)) not to learn about a new vulnerability. Many systems have different services therefore the ((technical steps)) will remain the same but dealing with different machines, services and vulnerabilities.
@@ufc786 all website are hackable but you have to find the right vulnerability for it, but you wanna hack web applications without any basic knowledge of programming language, Linux, windows, type of vulnerability, I guess go watch other channel this channel clearly don't explain what he's doing exactly.. Bottom line I came here to laugh at his stupidity and leave and found your comment thanks
How many servers are inside your own firewall, has passwords stored in plain text and all ports open and would accept an the hash rather than the password? This is like "opening a door without a key" when the door is a shower curtain.
I wish you uploaded this two weeks ago. lol you taught me everything me prof did not in under 7 mins and he had a whole semester lol This is exactly what we did on the final even down to the elastics. makes me want to fire up Linux rn lol very informative thank you.
I mean, you got yourself a meterpreter shell on the server. Why tf you would after that need to login to a random whatever service that the server is hosting ?
I don’t get it. How is removing the “password” type from the password input field make the server accept the verbatim password hash instead? AFAIK, the only thing the “password” property does is display ‘*’s and deny copying its contents. Whatever the user enters *must* be converted to a hash (with salt added) before comparing it to the stored hash.
My guess is that is the vulnerability that’s being exploited here. Probably Glassfish is looking at the POST body and hashing anything with type password. Because the type was removed, the value of password wasn’t hashed server side and just compared against the stored hashed password.
@@CodrTV1 Yes, that is a plausible explanation. This would be *very* lazy programming, though. The server must *never* assume that the data provided by the client is benign.
There is no need to remove "password" type - it's just for presentation. Actual trick is to prevent JS from hashing your ALREADY HASHED password and send this hash directly to the server (like it's done by JS). Nothing hard and done logical.
Yeah, all those services should be running in dockerized containers without publicly exposed ports. Poor systems architecture seems to be 70% of getting hacked.
Oh God. I'm about to deploy a website all by my big boy self for the first time (meaning not a squares pace website but a website I hard coded **ahem with lots of open source help**). I'm worried it's gonna be vulnerable and now i'm really worried lol. But I'm gonna be much more careful now.
Hello mr hackerloi i didn't understand why did u search the exploit elastic or how did you know that it was the exploit to use please do answer (love ur vids btw) Lauwer
Elastic is a common package used to enable search on many websites. He knew to use that exploit specifically because the nmap command returned it as one of the services running on an open port. Don't get too excited, though. There's almost no chance you'd find an open port to a service like that which wasn't password/IP address protected. This only works because the victim machine was intentionally very poorly designed.
@@2Sor2Fig Thanks for your answer, although i wasn't getting excited, i was just wondering why he did use this exploit other than a other (Thanks again for your answer)
hello how are you i want to learn syp security i want to become syp security but i didn't get good website can your help me pleace am from uganda am waiting your answer and teel me the fees if i manech i learn it
Sir big fan please reply how to start with your "how to hack series".what shall I know or learn before starting before starting or algorithm of starting it
hello, how are you. just want to ask how to recover social media got hack and they changed password, name and make it private. i still have my social media link that been hack.
Hello Loi I’m 17 years old starting out in the e-commerce, reselling business buying and selling items from thrift stores to Walmart and target. And throughout this since I can’t have my own debit card yet I have to buy visa gift cards and someone has stolen some of my info I’ve used to register those cards I’m pretty sure. They keep buying something from google play and stole about $150+ if I’m correct and even though that may not seem like a lot to you it’s a lot for me due to the current situation I’m in. what’s a way I can prevent this from happening again and if able to can you or your subs help me out? I wanna find out who the person behind this scam is so they can get justice but the visa website never has customer service available
Just hit 'ENTER' ????? lolol Yes, i've done it before.... But I DO behave these days, just staying out of trouble.... However, i find your videos so very delightful, you are very, very, VERY good. I cannot believe that they even let you publicise all this information - unbelievable
Hi Sir how i can change content of someone other website that i am not the owner because some website sharing my property personal information like cars pictures etc?
Is there any way I can see my gmail password whilst I am logged in on my pc? I don't remember the password and it is not saved in password manager. Please help 🙏🥺🥺
Hi I've been having a lot of issues with cellphone data and home Internet. In the first part of the video you said u know u would know if someone would hack you. Can you explain the process or tools you use for that??
![Seungmin "그렇게, 천천히, 우리(As we are)" | [Stray Kids : SKZ-PLAYER]](http://i.ytimg.com/vi/kAzmhLHePqU/mqdefault.jpg)
It's a good day when hacker loi uploads.
Agreed
and bad day for someone who he hacked
Facts
Exactly bro
Just found it and am already happy
try website I provide
Interesting video. However….
1. The IP address used in the video, is PRIVATE. Which means the server is on the same private network and probably NOT behind a firewall… therefore unrealistically easy to access.
2. Only completely incompetent people open up all ports to all IP addresses of a server facing the Internet. This is the kind of thing that would get someone fired immediately.
3. Most user names and passwords ( actually hashed passwords ) are stored in databases. Storing plaintext or encrypted passwords, goes against best practices.
4. Most password inputs check for the length ( is it too short or too long ) and content ( does it have numbers, lowercase, uppercase ) of the password BEFORE attempting to validate the password.
Nice video, but too many red flags for me.
5. more and more websites forces user to use 2FA
6. The exploit is very old. Its very less probably that this service didn't update in many time.
The target was setup for the sake of the video but yeah on a modern server install most of what was running is off by default at install or firewalled. I haven't seen FTP enabled in a long long time, virtually everyone uses SFTP now. FTP and web apps like forum software had tons of security flaws in the past, they were the easy way in.
Red flags ? It's a pure bullshit...
Yeah basically all usernames and passwords are stored in a database and you’d need a lot of CPU power to crack anything
No trash talk, right into the topic nice vid man
It's more complex than what he teach. Especially when you meet firewalls , other protection system timing.
THE REAL LESSON : Find the login access port , look for vulnerabilities (of overall system) , exploit the vulnerability, when shell runs move on dir to find the login access system, look for config file of the login system, get credentials, HACK COMPLETE. 😄
NB : the system doesn't need to be running services you saw on the video only to be hackable, its a process learn and understand it, then apply steps on any machine. The lesson here is to understand the concept ((technical steps)) not to learn about a new vulnerability. Many systems have different services therefore the ((technical steps)) will remain the same but dealing with different machines, services and vulnerabilities.
Are most websites all hackable ? Like loi showed. Can all websites be hacked as admin ?
@@ufc786 all website are hackable but you have to find the right vulnerability for it, but you wanna hack web applications without any basic knowledge of programming language, Linux, windows, type of vulnerability, I guess go watch other channel this channel clearly don't explain what he's doing exactly.. Bottom line I came here to laugh at his stupidity and leave and found your comment thanks
Really enjoyed the shorter video format here. Keeps things simple
How many servers are inside your own firewall, has passwords stored in plain text and all ports open and would accept an the hash rather than the password?
This is like "opening a door without a key" when the door is a shower curtain.
But, imagine you never knew how to open the shower curtain - that's where this video helps!
I think this video is meant for inexperienced web app developers who need to learn about these vulnerabilities.
But dude he hacked it dude, dude
You can never take a chance to skip loi's Video..!!!!!
yes i like it, every second is important.
Loi, thanks for another brilliant tutorial sir!
I wish you uploaded this two weeks ago. lol you taught me everything me prof did not in under 7 mins and he had a whole semester lol This is exactly what we did on the final even down to the elastics. makes me want to fire up Linux rn lol very informative thank you.
I need to find a login URL, can you find that please?
Just install linux and follow this guide man!
Small tip: if you suspect a hacked page, enter a wrong password, if you get access then walk away
Love from India 🇮🇳🇮🇳❤️
Informative and brief...
Well Done...
hacker loi why have you not been uploading 😭😭😭 my kali linux is running i have nothing to do
andrew tate?
😂😂😂😂😂
Larry Tate 😂
LMAOOOO
@@AdamShalom-r8s 🤣
@@Lazumor 🤣
help me( i stucked at Started reverse TCP handler in metasploit)help me
Same☹️
@@onlyfuns7410 how to get rid out of it
i watched many of your videos ,live demostrations,etc, i knew that you are an expert... Interesting...
Wow so lovely vedio... Really amazing.. Well done thanks for sharing this vedio
. 🙂🙂🙂
Bro! loved your content from India!
Dear FBI, I’m watching this for educational purposes only
Some Info here helped me! Thank you friend!
I mean, you got yourself a meterpreter shell on the server. Why tf you would after that need to login to a random whatever service that the server is hosting ?
I don’t get it. How is removing the “password” type from the password input field make the server accept the verbatim password hash instead? AFAIK, the only thing the “password” property does is display ‘*’s and deny copying its contents. Whatever the user enters *must* be converted to a hash (with salt added) before comparing it to the stored hash.
Haha indeed.
My guess is that is the vulnerability that’s being exploited here. Probably Glassfish is looking at the POST body and hashing anything with type password. Because the type was removed, the value of password wasn’t hashed server side and just compared against the stored hashed password.
@@CodrTV1 Yes, that is a plausible explanation. This would be *very* lazy programming, though. The server must *never* assume that the data provided by the client is benign.
@@KeroZimerman oh absolutely. But this is why vulnerabilities exist. Inexperienced developers making silly mistakes.
There is no need to remove "password" type - it's just for presentation. Actual trick is to prevent JS from hashing your ALREADY HASHED password and send this hash directly to the server (like it's done by JS). Nothing hard and done logical.
really nice camera and energy, love it
Your awesome!! Love the videos you make
thn u very much , even i tried it , it works 👍👍👍👍👍
Can u send me one insta ac password
What about just leaving port 80 open and proxy whatever you need to be open to the world?
Yeah, all those services should be running in dockerized containers without publicly exposed ports. Poor systems architecture seems to be 70% of getting hacked.
Oh God. I'm about to deploy a website all by my big boy self for the first time (meaning not a squares pace website but a website I hard coded **ahem with lots of open source help**). I'm worried it's gonna be vulnerable and now i'm really worried lol. But I'm gonna be much more careful now.
You called for me? lol jk have a nice day, son.
JESUS!!!!!!!!!
This was great very useful!!! 😃🤘
Thank you. Very good example 👍
Brother, how can I be a member of your youtube channel?
Wow! I've been waiting for you😂
Sudo msfconsole need a passwd and where we can find this passwd ?.if we target a machine is it posible that we know the msfconsole passwd ?
You need to be hiden once you do this, i think you forgot to specify this, any scan you do you're ip gets send to host, so you need to use proxychain
Anyone willing to do this should know that already
Please does this work and have you tried it
just awesome nice bro just keep moving forward
Hello mr hackerloi
i didn't understand why did u search the exploit elastic or how did you know that it was the exploit to use
please do answer (love ur vids btw)
Lauwer
Elastic is a common package used to enable search on many websites. He knew to use that exploit specifically because the nmap command returned it as one of the services running on an open port. Don't get too excited, though. There's almost no chance you'd find an open port to a service like that which wasn't password/IP address protected. This only works because the victim machine was intentionally very poorly designed.
@@2Sor2Fig Thanks for your answer,
although i wasn't getting excited, i was just wondering why he did use this exploit other than a other (Thanks again for your answer)
@@lauwer_v6504 No probs
Hii ,sir your video is great ! I LEARN ALOT OF haking from your channel
hello how are you i want to learn syp security i want to become syp security but i didn't get good website can your help me pleace am from uganda am waiting your answer and teel me the fees if i manech i learn it
Is there any way to track the live location of a mobile phone.
Your a best ethical Hacker sir
Thank you, really good example 💪
Sir, is the target from the AWS cloud?
Sir big fan please reply how to start with your "how to hack series".what shall I know or learn before starting before starting or algorithm of starting it
Hi. Is it save for me try to huck something for practice? 🤔
Hi , sir can you give us a road map in hacking field like what we learn first and how we become a successful hacker
Amazing, but could you please speak a little bit slower please🙏
I Use Email verification before entring to database! I use passwordless login! Tell what else can I DO?
You know how to hack?
@@PraiseThaDon i know some testing not a hacker!
Only a mad lad would show how to hack their system. I've been telling you guys he's savage
hello, how are you. just want to ask how to recover social media got hack and they changed password, name and make it private. i still have my social media link that been hack.
Hello Loi I’m 17 years old starting out in the e-commerce, reselling business buying and selling items from thrift stores to Walmart and target. And throughout this since I can’t have my own debit card yet I have to buy visa gift cards and someone has stolen some of my info I’ve used to register those cards I’m pretty sure. They keep buying something from google play and stole about $150+ if I’m correct and even though that may not seem like a lot to you it’s a lot for me due to the current situation I’m in. what’s a way I can prevent this from happening again and if able to can you or your subs help me out? I wanna find out who the person behind this scam is so they can get justice but the visa website never has customer service available
whre can find this program?
hi, i am from brasil, i learn to much from you
Hi Loi Liang Yang i have been hacked and can you pls help me if my pc is still hacked.
Just hit 'ENTER' ????? lolol Yes, i've done it before.... But I DO behave these days, just staying out of trouble.... However, i find your videos so very delightful, you are very, very, VERY good. I cannot believe that they even let you publicise all this information - unbelievable
so, if a hacker hacks my outlook. changes its name. (wich i know) how can i hack it?
how to install metasploit? i tried sudo apt install metasploit but it didnt work
How secure are banking apps on an android phone, with fingerprint biometrics?
If you guys want to log in on any websites then you guys should watch these videos about how hackers log in any websites.
can u help me about the website that scammed my money?
Hello sir. I have a friend scammed on intime tax refund website. He invested ₱50,000 and got scammed. Can you help my friend sir
Thanks!
so if we dont know about elastic search engine then game over right?
Can you realy use the hash in the glassfish config file as the password ?
why you are so fast😄 please make one video about how to find admin login page
How to hark awebform through user interface and make changes
Hi Sir how i can change content of someone other website that i am not the owner because some website sharing my property personal information like cars pictures etc?
Is it possible to track a mobile if it's stolen and younonly have IMEI num
What if 2FA is enabled? 🤔
Is there any way I can see my gmail password whilst I am logged in on my pc? I don't remember the password and it is not saved in password manager. Please help 🙏🥺🥺
0:38 i love his threats ahhh like an anime villan!
hey can you help get some credible details on how i can access the student portal of our school
Hi I've been having a lot of issues with cellphone data and home Internet. In the first part of the video you said u know u would know if someone would hack you. Can you explain the process or tools you use for that??
Okay, how do I protect my WordPress site from this kind of attack?
Updates! Automatic updates!!! Get a plugin for it or put a wp-cli command on a cronjob. Always keep ya shit up to date!
what program are you using?
Failed to resolve/decode supposed IPv4 source address "V": Temporary failure in name resolution
how long does it take time for the result nmap -sV -p1-65535 ipadd ?
Loooooved this video! Thank you Hacker Loi!!!
Sir can be hack betting I'd like casino
I have a I'd and password now how can be increased point
is it possible to get back Facebook acct that has been hacked.username and password delete
What software do you work with? I would love to try weaknesses on my site
kali linux and metasploit LIU
Let’s face it some of us are here to get revenge on someone
And let's be realistic for those who want that: You will not be able to hack that person. *cries*
@@3dsbros64 sadly 😢
@@ep11-o7s ye i know
3dsbros64 0001
gotta love how hackers talk just as fast as they type none stop
Whatever you do, don't tell them you know who is Hacker Loi 👀
Hacker loi, how do i use a video from a website without them noticing i am using their video on my own website? Thank you.
Good day sir please how can I become a member of this channel sir …
Bro please reply I need your help , when I type run then i got error and Java has not executed aborting
, please help
Some sites ask for id number instead of username. Does this method work?
i tried the Metrix on a wix site and that doesn't work, any different attacks that works on wix servers ?
Can you show a video if some sites use vpn how to hack them;
can we get a link in description for that vulnerable machine
Hi sir, I need your help. Please
Hi,
very interesting, i love this, how to connect you to learning.... pls help me out...
Sir how we can know that any upcoming pdf or image is containig payload
what is the programming language you are using
0:45
*That crap scares me man, pls no evil laugh* XD
Hello i am new to your channel what you using? Windows terminal?
I think I met you in real life bro😁
Sorry in advance for my noob question, but why were you able to get into the full file system just from one compromised port?
with his help🔝🔝 all account can be access and all password can be hacked. His the best
He used a remote code execution vulnerability that created a shell on the server
@@ayylmao1558 thank you for answer. Can you clarify a bit further what code was used and how did that help creating the shell?
Dude 😂 That greeting was off the charts hallarious!🤣🤣
Love from Nepal 🇳🇵🇳🇵