Category: Hacking

Posted on by 2 Comments

SQL Injection with Sqlmap : Step by step guide

Hi Friends. Today we will see how to perform SQL injection with Sqlmap. Sqlmap is an “open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers “. It is pre-installed in Kali Linux. For this tutorial I am using Vulnerawa as target and it is necessary to setup a webapp pentest lab with it. See how to set up a webapp pentest lab.

If the webapp pentest lab is all ready. Open the browser in Kali linux and type the address as shown below.( the ip address may differ for you ). You should see the Vulnerawa web page as shown below. Click on “About”.

The below webpage will open. It shows about the founders of Vulnerawa.

Click on “founder 1”. It will show brief details about him as shown below.

Similarly go back and click on “Founder 2” and “Founder 3”. The result will be as below. Now if you have observed, the “id” parameter in the URL changes as we click on different users. For founder 1, it is 1 and sequentially.

Now introduce a single quote( ‘ ) character in the URL. after the number as shown below.

Click on “Enter” and the page will show an error as shown below. “You have an error as shown below……..”. This is a clear sign that the webpage is vulnerable to SQL injection.

Now open SQLmap from the path as shown below.

Now copy the vulnerable url and type the following command the terminal. Here -u stands for url.

The result will be as shown below. It will reveal the website technology and the scripting language used.

SQL injection with sqlmap

Now let’s grab the banner of the website. Type the following command and hit “Enter”.

You can see the banner as shown below.

To see the current user of the website, type the following command.

The current user can be seen as below.

Now let us see the current database used by the website. Type the following command.

We can see that the current database is “Vulneraw”.

Now let us see all the tables present in the database “Vulneraw” by using following command.

We see that we have only one table in the current database. The table is “users”.

Now lets see the number of columns in the table “users”. Type the following command.

We see there are four columns in table “users”.

Now let’s dump the values of two columns username and password by typing the following command.

The result is as below. we got the username and passwords.

\

If we want to dump all the entries of the table, type the following command.

Here are the entries.

Now let’s see if we are lucky enough to get the shell of the target. Shell is the target machine’s command line or terminal. Type the following command.

It will prompt us to enter the application language being used by the website. We already know it is PHP. Enter its value. Next it will prompt you to enter the writable directory. You cam choose your option wisely. I chose the default root directory for Wamp server. Hit on “Enter”.

I successfully got the os-shell. Now let’s try some commands. Type “dir” to see the contents of the root directory. It works as shown below.

Let’s see how many users are there on the system. Type the command “net user” . We can see the users listed as below. Happy hacking practice.

To find sites vulnerable to this sql injection use google dork “site:.com inurl:id=1” or similar dorks. That’s all in this tutorial.

Posted on by

Banner grabbing for beginners

Hello, aspiring ethical hackers. In this blogpost, you will learn about banner grabbing. Banner grabbing plays a very important role in ethical hacking for penetration testers and hackers alike. To understand what is banner grabbing, you need to understand what is a banner first.

What is a Banner?

A banner is the information displayed by software or service running on a specific port. This information involves the type of software running, version of the software running etc. This information is displayed by default by every software running for marketing purposes.

What is Banner grabbing?

Banner grabbing as its name implies, is grabbing this banner. A banner when displayed to a common user may provide information to the user. In the same way, by grabbing this banner, hackers and penetration testers can get information about the software running on it and the version of the software running. This allows them to search or research for any vulnerabilities in the software.

Types of Banner grabbing

Banner grabbing can be performed in two ways: Active & passive.

  1. Active banner grabbing: In active banner grabbing, a hacker or penetration tester interacts with the software & target services to grab the banner.
  2. Passive banner grabbing: In passive banner grabbing, a hacker or penetration tester doesn’t interact with the target service while grabbing the banner. This can be done by packet sniffing on the network traffic of the network.

Although banner grabbing can be performed on almost all services running on all ports, the most common services that are used for banner grabbing are,

FTP-Port 21
SSH-Port 23
SMTP-Port 22
HTTP-Port 80

Tools used for Banner grabbing:

  1. Telnet, wget, curl etc

Apache:

Imagine I have set up a website named www.shunya.com on an Apache server. A hacker can easily find Information about the web server in different ways. For example, a hacker can visit the website and and try to open a webpage which is not existent on my server, like below.

banner grabbing

In the above example, hacker tried to open page named “admin.php” which was not available on my server and in turn the server responded with a type of web server, the target OS and the scripting language. This is giving out too much information.

The traditional and popular way of fingerprinting is through telnet. A hacker opens command line or terminal. and types the command “telnetwww.shunya.com 80″. When the screen goes black, type “HEAD / HTTP/1.0″and this will give the server information.

There are also many fingerprinting tools available. I am gonna show you only one, Id serve. Let’s see how to banner grab using Id serve.

Now what are the preventive measures we can take in Apache server to disable or atleast prevent fingerprinting to some extent. Apache web server has a configuration file called “httpd.conf” where we can make changes to fight fingerprinting. Go to httpd.conf and change the value of the option “Server Signaturetooff”.This will not display any information about server when an nonexistent page has been accessed.

In the httpd.conf file, changing the value of “Server Tokens”from “Full” to “Prod” will only show the minimum server information as shown below.

This still discloses that our web server is Apache but it doesn’t show the version. In Kautilya’s words this is delaying the march of enemy. Here are the options we set.

IIS 8:

Now imagine we changed our www.shunya.com website from Apache server to the latest version of Microsoft web server, IIS 8. To prevent error pages form revealing any information in IIS server, we can set custom error pages. Now let’s use IDserve tool to fingerprint the IIS 8 server.

It shows the server version. Now how can we prevent this. Microsoft provides a tool named UrlScan freely available for download which can be used easily to process HTTP requests. Download this tool and install it. ( See how to configure Urlscan for IIS 7.5 and IIS 8 ). Then go to the configuration file of UrlScan, “UrlScan.ini” located at “C:WindowsSystem32inetservUrlscan”by default and change the value of “RemoveServerHeader’ from “0″ to “1″.

This will not reveal the server version information as shown below.

We can further mislead the attacker by setting our server name to some other value different than our original one. This can be done by setting the value of “RemoveServerHeader” to “0 “and changing the value of “AlternateServerName” to the value we want to specify ( in our example Nginx ).

So when the attacker tries to fingerprint our website, he will be misleaded.

Note: Taking this preventive measures will not stop a determined hacker to find out our server information.

That’s all in webserver banner grabbing and countermeasures.

Posted on by 26 Comments

Virtual hacking lab for beginners

Hello aspiring hackers. In this blogpost, you will learn how to create a virtual hacking lab in VirtualBox. Sometime back, I wrote an article on how to set up a virtual penetration testing lab using Vmware Workstation. But Vmware Workstation is a commercial product.

Today I am going to show you how to create a pen test lab in VirtualBox absolutely free of cost. I hope this tutorial will be helpful for many beginners into cyber security domain.

What do we need?

1. Oracle VirtualBox. (Download)

2. Kali Linux. (Download)

3. Metasploitable 2. (Download)

Oracle VirtualBox is the virtualization software we will be using to create our lab. We will be using Kali Linux as the attacker machine and Metasploitable 2 as the victim machine. Install Kali Linux and Metasploitable 2 in VirtualBox.

See how to install Kali Linux in VirtualBox.

See how to install Metasploitable in VirtualBox.

Select Kali Linux, Go to settings > network. Enable “network adapter 1″.Set the “Attached to” option to “internal network”. Set the name of the network adapter to “intnet”. Click on “OK”to save the settings.

Do the same for Metasploitable virtual machine.

virtual pentesting lab

Power on the metasploitable VM. Log into the system. Default username and password are “msfadmin”.

Type the command “ifconfig”to see the IP addresses of interfaces.

The ‘lo’ interface is the loopback. Now we are going to set the IP address on the interface “eth0”. Type the command “sudo ifconfig eth0 10.10.10.2 netmask 255.0.0.0 up”. The sudo password is “msfadmin. Verify that the IP address is set by typing command “ifconfig”.

Power on Kali Linux. In the terminal, type command “ifconfig eth0 10.10.10.1 netmask 255.0.0.0 up”. Verify if the IP address is set by typing command “ifconfig”.

Test whether this system can communicate with victim system by pinging the victim machine as shown below.

The connection is successful. Our virtual pentesting lab is ready. Happy practicing.

Posted on by 7 Comments

Install Metasploitable in VirtualBox

Hello aspiring Ethical Hackers. In this article, you will learn how to install Metasploitable in VirtualBox. What is Metasploitable? Learning penetration testing or ethical hacking requires practical knowledge and good practice needs a vulnerable target. That is where Metasploitable comes into picture. It is an intentionally vulnerable operating system made by the makers of Metasploit themselves so that aspiring ethical hackers can practice and hone their hacking skills. As its name conveys Metasploitable is loaded with vulnerabilities that can be exploited with Metasploit modules.

This virtual machine can be used to conduct security training, test security tools, and practice common penetration testing techniques. For this i am going to use Metasploitable 2 which can be downloaded from here. After downloading the zip archive, extract the files into a folder. The file contents look like below.

Installing Metasploitable

Open VirtualBox and click on “New Virtual machine wizard”. Type the name of your choice. I am using ‘Metasploitable-2‘. Choose ‘Type’ as Linux and ‘version’ as Ubuntu. Click on “Next”.

Choose the memory size appropriate to the availability of RAM on your host machine although 512MB is more than enough. Click on “Next”.

In the hard drive creation window, select option “Use an existing virtual hard drive”, browse to the folder where we have extracted our zip files and select the ‘vmdk’ file available. Click on “Create”.

Then you are automatically booted into the metasploitable OS. The default username and password are “msfadmin”.

This is how you install Metasploitable in VirtualBox. See how to create a penetration testing lab.

Posted on by 20 Comments

SQL injection with Havij : Step by step guide

NOTE : This is strictly for educative purposes.

Havij is an automated SQL injection tool. To say in the own words of its creators,

” Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software, user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands. “

It is available both in free and commercial versions. Today we are going to see how to dump the contents of a database using Havij. For this I am going to use the free version. First download Havij from here and install it. Then open it and enter the vulnerable page url in the target column ( for this tut I am using my own vulnerable webpage ).

Set the database option to ‘auto detect‘ and hit analyze. This should show you the current database name as shown below.

Click on the “info” tab. This will show you information about the victim’s system. We can see information like Host IP address, web server version etc.

Click on the “Tables” tab.

Click on “Get DBs” option. This will list all the databases as shown below.

sql injection with havij

To get tables in a specific database, select the database and click on Get Tables”. This will list all the tables present in the selected database. I selected database “shunya”here.

We can see that there is on table ‘users’ in our database ‘shunya’ .To get columns , select the table ‘ users’ and click on “Get Columns”.

This will list all the columns in the table. We can see that we have five columns in the table ‘users’.all the columns. It’s time to dump the values of columns. Select the columns whose data we want to dump and click on Get data”. Here I selected all the columns.

We got all the data including usernames and passwords. But passwords seem to be encrypted. No problem. Click on the password hashes and copy them. Then click on MD5″ tab and paste the password. Click on “Start”. Havij automatically decrypts the password for us. Decrypt all passwords in the similar manner.

Click on “Find admin”. This option finds the admin page of the website automatically. When it finds the admin page, you can try the username and passwords to get access to the website. Hope this was helpful.