Saturday, September 3, 2016

SQLMap with Tor for Anonymity

In a previous tutorial, I had demonstrated how to use SqlMap to carry out Sql Injection on a website. In this tutorial, I will show you how to use Tor to add a layer of obscurity between you and the target website.

Installing Tor

Getting tor for Kali Linux is as simple as typing a single line in the terminal-
apt-get instal tor
If you have any problems installing, then do an apt-get update first.



Start Tor

This is also quite simple
tor
You'll see something like this-

Root@kali:
    Sep 04 02:41:25.806 [notice] Tor v0.2.8.7 (git-cc2f02ef17899f86) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2h and Zlib 1.2.8.
    Sep 04 02:41:25.806 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
    Sep 04 02:41:25.806 [notice] Read configuration file "/etc/tor/torrc".
    Sep 04 02:41:25.811 [notice] Opening Socks listener on 127.0.0.1:9050
    Sep 04 02:41:25.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
    Sep 04 02:41:25.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
    Sep 04 02:41:26.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
    Sep 04 02:41:26.000 [notice] Bootstrapped 0%: Starting
    Sep 04 02:41:27.000 [notice] Bootstrapped 5%: Connecting to directory server
    Sep 04 02:41:27.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
    Sep 04 02:41:27.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
    Sep 04 02:41:27.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
    Sep 04 02:41:28.000 [notice] Bootstrapped 25%: Loading networkstatus consensus
    Sep 04 02:41:29.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
    Sep 04 02:41:30.000 [notice] Bootstrapped 40%: Loading authority key certs
    Sep 04 02:41:30.000 [notice] Bootstrapped 45%: Asking for relay descriptors
    Sep 04 02:41:30.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/7117, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
    Sep 04 02:41:31.000 [notice] Bootstrapped 50%: Loading relay descriptors
    Sep 04 02:41:34.000 [notice] Bootstrapped 55%: Loading relay descriptors
    Sep 04 02:41:34.000 [notice] Bootstrapped 61%: Loading relay descriptors
    Sep 04 02:41:34.000 [notice] Bootstrapped 66%: Loading relay descriptors
    Sep 04 02:41:34.000 [notice] Bootstrapped 73%: Loading relay descriptors
    Sep 04 02:41:34.000 [notice] Bootstrapped 78%: Loading relay descriptors
    Sep 04 02:41:35.000 [notice] Bootstrapped 80%: Connecting to the Tor network
    Sep 04 02:41:36.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
    Sep 04 02:41:38.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
    Sep 04 02:41:38.000 [notice] Bootstrapped 100%: Done
Important: Don't close this terminal. Open a new terminal for further steps.

Testing with Sqlmap

Use this command
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5

If you want a text version:-

Root@kali:
    _
    ___ ___| |_____ ___ ___ {1.0.8.2#dev}
    |_ -| . | | | .'| . |
    |___|_ |_|_|_|_|__,| _|
    |_| |_| http://sqlmap.org

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 02:47:02

    [02:47:02] [WARNING] increasing default value for option '--time-sec' to 10 because switch '--tor' was provided
    [02:47:02] [INFO] setting Tor SOCKS proxy settings
    [02:47:02] [INFO] testing connection to the target URL
    [02:47:03] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
    [02:47:04] [INFO] testing if the target URL is stable
    [02:47:06] [INFO] target URL is stable
    [02:47:06] [INFO] testing if GET parameter 'cat' is dynamic
    [02:47:07] [INFO] confirming that GET parameter 'cat' is dynamic

Additional obscurity

Google's crawlers often visit websites, and are one of the least suspicious entities in the website's logs. We can use that to our advantage. Use this command to pretend to be googleBot.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
 This is what you would see.


At this point, you are going to look like a google bot, and your IP would be that of some Tor exit node. This should be enough for most purposes.

This is all I had in mind for this tutorial. I urge you not to assume that using Tor means you can do illegal stuff and get away with it. This tutorial is written only for educational purposes.

30 comments:

  1. AdBlock disabled for this site, it is the least I can do.

    ReplyDelete
    Replies
    1. Thank you. Comments like these is what pushes me to write tutorials in the best way I can.

      Delete
  2. Replies
    1. Blogger (blogspot) is rather secure since it's a service offered by Google, which automatically handles all the backend, while the authors can only modify the front-end.

      Delete
  3. i have some issues while using sqlmap and tor, i mean.. it says 'connection refused' and i already downloaded tor, it works fine, but for some reason i cannot use it with sqlmap.

    ReplyDelete
    Replies
    1. pd: it says 'connection refused' when i have to put the url of the site

      Delete
    2. 1) Did TOR bootstrap to 100%?
      2) Does SQLMap give the same error when you inject the website without using TOR?

      Delete
    3. this is what i get when i put the url with tor

      setting tor socks proxy settings
      testing conection to the target url
      unable to connect to the target url ('connection refused')or proxy sqlmap is going to retry the request
      and then again
      unable to connect to the target url ('connection refused')or proxy

      about 2, it doesn't give me that error when i inject the website without tor

      Can i add u somewhere to talk with u easily? i'd aprecciate so much.

      Delete
    4. I can provide help in comments but can't really chat person to person. Can you try some other site (for example the one I used) and see if the error is still there. Maybe that website has blocked requests from TOR exit nodes.

      Delete
    5. ahmmm.. okay.
      Just wanted to chat cuz im learning about all of this, im noob. And sometimes i have nobody to ask. Started like a month ago.
      Well, thanks for your help. Ill keep trying

      Delete
  4. Im beginner but I wont learn.
    how to deface wordpress and cPanel. with shell backdoor
    thnk b4

    ReplyDelete
  5. im must question for you master ,what if enter to tor browser calm make action hacking ?
    and what doyou can me for gather your forums ?

    ReplyDelete
  6. Thanks for the good and short tutorial! It's way easier to use Tor in Sqlmap than I thought.

    ReplyDelete

  7. BEST WAY TO HAVE GOOD AMOUNT TO START A GOOD BUSINESS or TO START LIVING A GOOD LIFE..... Hack and take money directly from any ATM Machine Vault with the use of ATM Programmed Card which runs in automatic mode. email (williamshackers@hotmail.com) for how to get it and its cost . .......... EXPLANATION OF HOW THESE CARD WORKS.......... You just slot in these card into any ATM Machine and it will automatically bring up a MENU of 1st VAULT $5,000, 2nd VAULT $10,000, RE-PROGRAMMED, EXIT, CANCEL. Just click on either of the VAULTS, and it will take you to another SUB-MENU of ALL, OTHERS, EXIT, CANCEL. Just click on others and type in the amount you wish to withdraw from the ATM and you have it cashed instantly... Done. ***NOTE: DON'T EVER MAKE THE MISTAKE OF CLICKING THE "ALL" OPTION. BECAUSE IT WILL TAKE OUT ALL THE AMOUNT OF THE SELECTED VAULT. email (williamshackers@hotmail.com). We are located in USA.

    ReplyDelete
  8. Tekhnik Menyembuhkan Ayam Aduan Yang Terkena Lumpuh Klik Di Sini

    Agen Sabung Ayam Online Terbaik Dan Juga Terpercaya http://www.bakarayam.co

    Informasi Terlengkap Mengenai Sabung Ayam

    https://ayambakar33033.wordpress.com/2018/06/21/lebih-dari-satu-ciri-memaparkan-ayam-bangkok-aduan-super-yg-menakutkan/

    https://bakarayam33033.wordpress.com/2018/07/19/teknik-dalam-menjaga-ayam-toraja-lumpuh-serta-keram-serta-dikit-info-permainan-paramisi/

    ReplyDelete
  9. BEST WAY TO HAVE GOOD AMOUNT TO START A GOOD BUSINESS or TO START LIVING A GOOD LIFE..... Hack and take money directly from any ATM Machine Vault with the use of ATM Programmed Card which runs in automatic mode. email (williamshackers@hotmail.com) for how to get it and its cost . .......... EXPLANATION OF HOW THESE CARD WORKS.......... You just slot in these card into any ATM Machine and it will automatically bring up a MENU of 1st VAULT $1,000, 2nd VAULT $5,000, RE-PROGRAMMED, EXIT, CANCEL. Just click on either of the VAULTS, and it will take you to another SUB-MENU of ALL, OTHERS, EXIT, CANCEL. Just click on others and type in the amount you wish to withdraw from the ATM and you have it cashed instantly... Done. ***NOTE: DON'T EVER MAKE THE MISTAKE OF CLICKING THE "ALL" OPTION. BECAUSE IT WILL TAKE OUT ALL THE AMOUNT OF THE SELECTED VAULT. email (williamshackers@hotmail.com) We are located in USA.

    ReplyDelete
  10. I know a professional hacker named james who has worked for me this week. He offers very legitimate services such as clearing of bad records online without being traced back to you, He clone/hack mobile phones, hack Facebook account, instagram, WhatsApp, emails, Twitter, bank accounts, Skype, FIXES CREDIT REPORTs, track calls. He also help retrieve accounts that have been taking by hackers. His charges are affordable, reliable and 100% safe. For his job well done this is my own way to show appreciation, Contact him via address below...
    Email...hackintechnology@gmail. com
    Text no..+1(669) 225-2253 WhatsApp..+1 (845) 643-6145

    ReplyDelete
  11. SERVICES WE RENDERED

    WU.TRANSFERBUG@GMAIL.COM specializes on services like; Western Union and Money Gram Transfer, Bank Transfer And Bank Logins, PayPal Transfer And PayPal Logins.

    WESTERN UNION/MONEYGRAM

    We have big Western Union Hack for everywhere and any time for you. We transfer money to all countries/territories in the world that have Western Union and Money Gram Agents. We can transfer big amounts and you can receive this money in your country. We don’t deduct any % of your transfer because we are hackers of cash, we give your cash in full and with big transfers we do give discounts .We make it very safe and the service is very fast. We do fair and reliable work.

    INFO WE JUST NEED FROM YOU TO MAKE YOUR TRANSFER :-

    First and Last Name
    City, State
    Country

    ABOUT RISK
    To reduce risk we cannot do transfer to same name all the time, The transaction is done by our exchanger who send the money to the receiver. This is done to increase the margin of safety both for us and the receiver no complains.

    Western Union Price List

    1500$-150$
    2500$-300$
    3500$-400$
    4500$-550$
    5500$-600$
    6500$-700$
    7500$-800$

    CONTACT
    Contact us Email : wu.transferbug@gmail.com
    ICQ : 728 446 133

    ReplyDelete
  12. WESTERN UNION / MONEY GRAM SERVICES
    Best hackers for Western Union, Money Gram and Bank Transfers! Western Union Hack available for you everywhere and at any time. We transfer money to all countries/territories in world that have Western Union/ Money Gram or through Bank Transfer if you prefer. You can receive this money in your Country/Territory. Our minimum transfer is $1500 for $200 and our maximum $7,500 for $750 with other prices on the table below.

    HOW WESTERN UNION HACKS WORKS
    We use a software bug in the system that enables us to spread malware (malicious software) and gain access to funds. Once you make your request/order, the funds are accessed. We then send you the cash out details and MTCN (reference number) for verification purposes.

    PERCENTAGE DEALS/BEGGING?
    We do not do percentage deals with people we do not know so please do not bother asking. The same goes for begging e.t.c.
    INFORMATION REQUIRED
    Recipients First Name and Last Name
    Recipients Address (Country, City)
    Recipients Zip Code

    Amount Price
    $1500 $150
    $2500 $300
    $3500 $400
    $4500 $550
    $5500 $600
    $6500 $700
    $7500 $800

    We have a 24 hours of the day, 7 days a week, and 365 days a year support service to assist you with inquiries, questions and orders. Contact our customer support service via Email: wuofficial@yahoo.com

    ReplyDelete
  13. WESTERN UNION MONEY TRANSFERS

    Prices in USD (for people in US, Canada):
    $1000 for $100
    $2000 for $200
    $3000 for $300
    $4000 for $400
    $5000 for $500
    $6000 for $600

    Prices in Euro (for people in Europe):
    €1000 for €100
    €2000 for €200
    €3000 for €300
    €4000 for €400
    €5000 for €500
    €6000 for €600

    Prices in GBP (for people in UK):
    £1000 for £100
    £2000 for £200
    £3000 for £300
    £4000 for £400
    £5000 for £500
    £6000 for £600

    and many more service available
    like credit card , Paypal , bank log ins etc

    contact on

    alastairsidi@gmail.com

    +1561506

    ReplyDelete
  14. James IS AN hacker who offer best quality professional hacking services that can’t be matched with other hackers. I am a professional hacker with the most advanced hacking technique to hack Social media, Email accounts, SmartPhone, Website, Database and many more. Also you can request for customized hack. These days hiring a professional hacker is difficult. You might get scammed for wrong hacking services or by fake hackers on the Internet. Don’t get fooled by scammers that advertising false professional hacking services. Some noteable services above that I'm providing 100% gurantee of success. Hit me up through; HACKINTECHNOLOGY@GMAIL.COM or text+16692252253

    ReplyDelete
  15. Hello all
    am looking few years that some guys comes into the market
    they called themselves hacker, carder or spammer they rip the
    peoples with different ways and it’s a badly impact to real hacker
    now situation is that peoples doesn’t believe that real hackers and carder scammer exists.
    Anyone want to make deal with me any type am available but first
    I‘ll show the proof that am real then make a deal like

    Available Services

    ..Wire Bank Transfer all over the world

    ..Western Union Transfer all over the world

    ..Credit Cards (USA, UK, AUS, CAN, NZ)

    ..School Grade upgrade / remove Records

    ..Spamming Tool

    ..keyloggers / rats

    ..Social Media recovery

    .. Teaching Hacking / spamming / carding (1/2 hours course)

    discount for re-seller

    Contact: 24/7

    fixitrogers@gmail.com


    ReplyDelete
  16. Hello, welcome to hackinempire where problems are been solved,
    We deal with the Western Union / Money Gram / Paypal Transfers and functioning of sites like Facebook, twitter, Instagram, Snapchat, Bank Account, icloud, Credit cards, spouses phones etc.
    Thus Beware of scammers because most persons are been scammed and they end up getting all solutions to their cyber bullies and attacks by US. I am hackinempire one of the leading hack agents. PURPOSE IS TO GET YOUR JOBS DONE AT EXACTLY NEEDED TIME REQUESTED!! And our WORK SUCCESS IS 100%!!! I'm always available for you when you need help. Contact or write us on: hackinempire@gmail.com. Thanks for your time.

    ReplyDelete
  17. Hello all
    am looking few years that some guys comes into the market
    they called themselves hacker, carder or spammer they rip the
    peoples with different ways and it’s a badly impact to real hacker
    now situation is that peoples doesn’t believe that real hackers and carder scammer exists.
    Anyone want to make deal with me any type am available but first
    I‘ll show the proof that am real then make a deal like

    Available Services

    ..Wire Bank Transfer all over the world

    ..Western Union Transfer all over the world

    ..Credit Cards (USA, UK, AUS, CAN, NZ)

    ..School Grade upgrade / remove Records

    ..Spamming Tool

    ..keyloggers / rats

    ..Social Media recovery

    .. Teaching Hacking / spamming / carding (1/2 hours course)

    discount for re-seller

    Contact: 24/7

    fixitrogers@gmail.com

    ReplyDelete

© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC