Password

All posts tagged Password

We have seen how to set passwords on cisco switches or routers here. Of course setting passwords does add to the security of the device but there is small problem. The password is stored in plain text.  Anyone who gets access to the switch can easily see all the passwords by typing command “show running-config or show startup-config”. Today we will see how to encrypt passwords on Cisco routers and switches.

encisco1

Encrypting passwords can further enhance the security of the device. Privileged password can be encrypted by using the command “enable secret” instead of “enable password”. This command should be set from privileged global configuration mode.

encisco2

Lets see what can we see  when we use the command “show running-config”.

encisco3

We can see that the password we set has been encrypted. but what about other passwords. The  console, auxiliary and vty lines passwords cannot be encrypted even if we use “enable secret” command. To encrypt those passwords, we have to use another command “service password-encryption” as shown below.

encisco4

This command will encrypt all the passwords stored in plain text on the device.

NOTE : This is strictly for educative purposes.

 

Havij is an automated SQL injection tool. To say in the own words of its creators,

” Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software, user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands. ”

It is available both in free and commercial versions. Today we are going to see how to dump the contents of a database using Havij. For this I am going to use the free version. First download Havij from here and install it. Then open it and enter the vulnerable page url in the target column ( for this tut I am using my own vulnerable webpage ).

havij1

 

Set the database option to ‘auto detect‘ and hit analyse. This should show you the current database name as shown below.

havij2

 

Click on the “info” tab. This will show you information about the victim’s system. We can see information like Host IP address, web server version etc.

havij3

 

Click on the “Tables” tab.

havij4

 

Click on “Get DBs” option. This will list all the databases as shown below.

havij5

 

To get tables in a specific database, select the database and click on Get Tables”. This will list all the tables present in the selected database. I selected database “shunya” here.

havij6

 

We can see that there is on table ‘users’ in our database ‘shunya’ .To get columns , select the table ‘ users’ and click on “Get Columns”.

havij7

 

Thia will list all the columns in the table. We can see that we have five columns in the table ‘users’.all the columns. It’s time to dump the values of columns. Select the columns whose data we want to dump and click on Get data”. Here I selected all the columns.

havij8

 

We got all the data including usernames and passwords. But passwords seem to be encrypted. No problem. Click on the password hashes and copy them. Then click on MD5″ tab and paste the password. Click on “Start”. Havij automatically decrypts the password for us. Decrypt all passwords in the similar manner.

havij9

 

Click on “Find admin”. This option finds the admin  page of the website automatically. When it finds the admin page, you can try the username and passwords to get access to the website. Hope this was helpful.

havij10

 

Here’s a video version of this howto.

 

Good evening friends, Today we will see how to configure passwords on Cisco routers and switches. Cisco devices have four types of passwords.

  • Console password : Used to set password for the console access.
  • Auxiliary password : It is used to set password to auxiliary port ( if the switch has one.)
  • VTY lines password : Used to set password for  for telnet and ssh access.
  • Privileged password : Used to set password for privileged access to the switch.

I am not going to show you how to set up auxiliary password here. To see how to set up console password and VTY lines password, go here.

Privileged mode of a Cisco device has some advanced IOS commands that can have disastrous consequences if used by wrong hands. So it is very important to set up a password to access privileged commands. Use the following commands

ciscopass1

 

The “enable” command takes us into privileged mode. The “conf t” mode takes us into global configuration mode which pertains to the configuration settings of the whole switch. The “enable password”  sets a password for the privileged mode. ‘123456’ is the password. The “exit”  command takes us out of the privileged mode. To see if a password has been set for the privileged mode, try entering into privileged mode by typing “en” command. We can see that it prompts us for the password.