Monday, August 31, 2020

Learning Web Pentesting With DVWA Part 3: Blind SQL Injection

In this article we are going to do the SQL Injection (Blind) challenge of DVWA.
OWASP describes Blind SQL Injection as:
"Blind SQL (Structured Query Language) injection is a type of attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal , the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible."
To follow along click on the SQL Injection (Blind) navigation link. You will be presented with a page like this:
Lets first try to enter a valid User ID to see what the response looks like. Enter 1 in the User ID field and click submit. The result should look like this:
Lets call this response as valid response for the ease of reference in the rest of the article. Now lets try to enter an invalid ID to see what the response for that would be. Enter something like 1337 the response would be like this:

We will call this invalid response. Since we know both the valid and invalid response, lets try to attack the app now. We will again start with a single quote (') and see the response. The response we got back is the one which we saw when we entered the wrong User ID. This indicates that our query is either invalid or incomplete. Lets try to add an or statement to our query like this:
' or 1=1-- -
This returns a valid response. Which means our query is complete and executes without errors. Lets try to figure out the size of the query output columns like we did with the sql injection before in Learning Web Pentesting With DVWA Part 2: SQL Injection.
Enter the following in the User ID field:
' or 1=1 order by 1-- -
Again we get a valid response lets increase the number to 2.
' or 1=1 order by 2-- -
We get a valid response again lets go for 3.
' or 1=1 order by 3-- -
We get an invalid response so that confirms the size of query columns (number of columns queried by the server SQL statement) is 2.
Lets try to get some data using the blind sql injection, starting by trying to figure out the version of dbms used by the server like this:
1' and substring(version(), 1,1) = 1-- -
Since we don't see any output we have to extract data character by character. Here we are trying to guess the first character of the string returned by version() function which in my case is 1. You'll notice the output returns a valid response when we enter the query above in the input field.
Lets examine the query a bit to further understand what we are trying to accomplish. We know 1 is the valid user id and it returns a valid response, we append it to the query. Following 1, we use a single quote to end the check string. After the single quote we start to build our own query with the and conditional statement which states that the answer is true if and only if both conditions are true. Since the user id 1 exists we know the first condition of the statement is true. In the second condition, we extract first character from the version() function using the substring() function and compare it with the value of 1 and then comment out the rest of server query. Since first condition is true, if the second condition is true as well we will get a valid response back otherwise we will get an invalid response. Since my the version of mariadb installed by the docker container starts with a 1 we will get a valid response. Lets see if we will get an invalid response if we compare the first character of the string returned by the version() function to 2 like this:
1' and substring(version(),1,1) = 2-- -
And we get the invalid response. To determine the second character of the string returned by the version() function, we will write our query like this:
1' and substring(version(),2,2) = 1-- -
We get invalid response. Changing 1 to 2 then 3 and so on we get invalid response back, then we try 0 and we get a valid response back indicating the second character in the string returned by the version() function is 0. Thus we have got so for 10 as the first two characters of the database version. We can try to get the third and fourth characters of the string but as you can guess it will be time consuming. So its time to automate the boring stuff. We can automate this process in two ways. One is to use our awesome programming skills to write a program that will automate this whole thing. Another way is not to reinvent the wheel and try sqlmap. I am going to show you how to use sqlmap but you can try the first method as well, as an exercise.
Lets use sqlmap to get data from the database. Enter 1 in the User ID field and click submit.
Then copy the URL from the URL bar which should look something like this
http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Now open a terminal and type this command:
sqlmap --version
this will print the version of your sqlmap installation otherwise it will give an error indicating the package is not installed on your computer. If its not installed then go ahead and install it.
Now type the following command to get the names of the databases:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id
Here replace the PHPSESSID with your session id which you can get by right clicking on the page and then clicking inspect in your browser (Firefox here). Then click on storage tab and expand cookie to get your PHPSESSID. Also your port for dvwa web app can be different so replace the URL with yours.
The command above uses -u to specify the url to be attacked, --cookie flag specifies the user authentication cookies, and -p is used to specify the parameter of the URL that we are going to attack.
We will now dump the tables of dvwa database using sqlmap like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa --tables
After getting the list of tables its time to dump the columns of users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users --columns
And at last we will dump the passwords column of the users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users -C password --dump
Now you can see the password hashes.
As you can see automating this blind sqli using sqlmap made it simple. It would have taken us a lot of time to do this stuff manually. That's why in pentests both manual and automated testing is necessary. But its not a good idea to rely on just one of the two rather we should leverage power of both testing types to both understand and exploit the vulnerability.
By the way we could have used something like this to dump all databases and tables using this sqlmap command:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id --dump-all
But obviously it is time and resource consuming so we only extracted what was interested to us rather than dumping all the stuff.
Also we could have used sqlmap in the simple sql injection that we did in the previous article. As an exercise redo the SQL Injection challenge using sqlmap.

References:

1. Blind SQL Injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection
2. sqlmap: http://sqlmap.org/
3. MySQL SUBSTRING() Function: https://www.w3schools.com/sql/func_mysql_substring.asp

More articles


  1. Free Pentest Tools For Windows
  2. Hack App
  3. What Is Hacking Tools
  4. Hack Tools For Mac
  5. Hackers Toolbox
  6. Pentest Tools For Ubuntu
  7. Free Pentest Tools For Windows
  8. Hack Tools For Windows
  9. Pentest Tools For Mac
  10. Hack Tools Download
  11. Hacker Tool Kit
  12. Hacking Tools For Mac
  13. Pentest Tools Apk
  14. Free Pentest Tools For Windows
  15. Blackhat Hacker Tools
  16. Hack Tools For Windows
  17. Pentest Tools Windows
  18. New Hack Tools
  19. Hack Tools Download
  20. Bluetooth Hacking Tools Kali
  21. Hacker Tools Hardware
  22. Hacking Tools For Games
  23. Kik Hack Tools
  24. Hacker Tools Github
  25. Black Hat Hacker Tools
  26. Hacker Tools Online
  27. Hack Tools Download
  28. Hacking Tools For Windows Free Download
  29. Hack Tools For Windows
  30. What Are Hacking Tools
  31. Hacking Tools Software
  32. Pentest Tools Website Vulnerability
  33. Pentest Tools Open Source
  34. Hack Tools 2019
  35. Best Hacking Tools 2019
  36. Hack Tools Online
  37. Growth Hacker Tools
  38. Hacker Tools For Windows
  39. Pentest Tools Website Vulnerability
  40. Hacker
  41. New Hack Tools
  42. Hack Tool Apk
  43. Computer Hacker
  44. Game Hacking
  45. Hacking Tools For Windows Free Download
  46. Beginner Hacker Tools
  47. How To Install Pentest Tools In Ubuntu
  48. Hack Tools
  49. Computer Hacker
  50. Best Hacking Tools 2020
  51. Pentest Tools List
  52. Best Hacking Tools 2019
  53. How To Make Hacking Tools
  54. Easy Hack Tools
  55. Pentest Tools Download
  56. Tools For Hacker
  57. Hack Tool Apk
  58. Hack Tools 2019
  59. Hacker Tools
  60. Pentest Tools Bluekeep
  61. Pentest Tools Website
  62. Pentest Tools Subdomain
  63. Hack Website Online Tool
  64. Hacking Tools Kit
  65. Hack Tools Pc
  66. Hacking Tools Pc
  67. Hacking Tools 2020
  68. World No 1 Hacker Software
  69. Black Hat Hacker Tools
  70. Hacking Tools Windows 10
  71. Hacking Tools Name
  72. Pentest Reporting Tools
  73. Best Hacking Tools 2019
  74. Hacking Tools Windows
  75. Hacker
  76. Best Hacking Tools 2019
  77. Best Hacking Tools 2019
  78. Pentest Tools Android
  79. Pentest Tools Tcp Port Scanner
  80. Hacks And Tools
  81. Hack And Tools
  82. Hacking Tools Download
  83. What Is Hacking Tools
  84. Pentest Tools Framework
  85. Pentest Tools Kali Linux
  86. Computer Hacker
Posted by at No comments:

Sunday, August 30, 2020

Best Hacking Tools

      MOST USEFUL HACKING TOOL

1-Nmap-Network Mapper is popular and free open source hacker's tool.It is mainly used for discovery and security auditing.It is used for network inventory,inspect open ports manage service upgrade, as well as to inspect host or service uptime.Its advantages is that the admin user can monitor whether the network and associated nodes require patching.

2-Haschat-It is the self-proclaimed world's fastest password recovery tool. It is designed to break even the most complex password. It is now released as free software for Linux, OS X, and windows.


3-Metasploit-It is an extremely famous hacking framework or pentesting. It is the collection of hacking tools used to execute different tasks. It is a computer severity  framework which gives the necessary information about security vulnerabilities. It is widely used by cyber security experts and ethical hackers also.

4-Acutenix Web Vulnerability Scanner- It crawls your website and monitor your web application and detect dangerous SQL injections.This is used for protecting your business from hackers.


5-Aircrack-ng - This tool is categorized among WiFi hacking tool. It is recommended for beginners  who are new to Wireless Specefic Program. This tool is very effective when used rightly.


6-Wireshark-It is a network analyzer which permit the the tester to captyre packets transffering through the network and to monitor it. If you would like to become a penetration tester or cyber security expert it is necessary to learn how to use wireshark. It examine networks and teoubleshoot for obstacle and intrusion.


7-Putty-Is it very beneficial tool for a hacker but it is not a hacking tool. It serves as a client for Ssh and Telnet, which can help to connect computer remotely. It is also used to carry SSH tunneling to byepass firewalls. So, this is also one of the best hacking tools for hackers.


8-THC Hydra- It is one of the best password cracker tools and it consist of operative and highly experienced development team. It is the fast and stable Network Login Hacking Tools that will use dictonary or bruteforce attack to try various combination of passwords against in a login page.This Tool is also very useful for facebook hacking , instagram hacking and other social media platform as well as computer folder password hacking.


9-Nessus-It is a proprietary vulnerability scanner developed by tennable Network Security. Nessus is the world's most popular vulnerability scanner according to the surveys taking first place in 2000,2003,2006 in security tools survey.


10-Ettercap- It is a network sniffing tool. Network sniffing is a computer tool that monitors,analyse and defend malicious attacks with packet sniffing  enterprise can keep track of network flow. 


11-John the Ripper-It is a free famous password cracking pen testing tool that is used to execute dictionary attacks. It is initially developed for Unix OS. The Ripper has been awarded for having a good name.This tools can also be used to carry out different modifications to dictionary attacks.


12-Burp Suite- It is a network vulnerability scanner,with some advance features.It is important tool if you are working on cyber security.


13-Owasp Zed Attack Proxy Project-ZAP and is abbreviated as Zed  Attack Proxy is among popular OWASP project.It is use to find vulnerabilities in Web Applications.This hacking and penetesting tool is very easy to use  as well as very efficient.OWASP community is superb resource for those people that work with Cyber Security.


14-Cain & Abel-It is a password recovery tool for Microsoft Operating System. It allow easy recovery of various kinds of passwords by sniffing the networks using dictonary attacks.


15-Maltego- It is a platform that was designed to deliver an overall cyber threat pictures to the enterprise or local environment in which an organisation operates. It is used for open source intelligence and forensics developed by Paterva.It is an interactive data mining tool.

These are the Best Hacking Tools and Application Which are very useful for penetration testing to gain unauthorized access for steal crucial data, wi-fi hacking , Website hacking ,Vulnerability Scanning and finding loopholes,Computer hacking, Malware Scanning etc.

This post is only for educational purpose to know about top hacking tools which are very crucial for a hacker to gain unauthorized access. We are not responsible for any type of crime.





More articles


Posted by at No comments:

QakBot Banking Trojan Returned With New Sneaky Tricks To Steal Your Money

A notorious banking trojan aimed at stealing bank account credentials and other financial information has now come back with new tricks up its sleeve to target government, military, and manufacturing sectors in the US and Europe, according to new research. In an analysis released by Check Point Research today, the latest wave of Qbot activity appears to have dovetailed with the return of

via The Hacker News
This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com

Related articles


Posted by at No comments:

Why Receipt Notifications Increase Security In Signal

This blog post is aimed to express and explain my surprise about Signal being more secure than I thought (due to receipt acknowledgments). I hope you find it interesting, too.

Signal, and especially its state update protocol, the Double Ratchet algorithm, are widely known for significantly increasing security for instant messaging. While most users first see the end-to-end security induced by employing Signal in messaging apps, the properties achieved due to ratcheting go far beyond protecting communication against (active) attackers on the wire. Due to updating the local device secrets via the Double Ratchet algorithm, the protocol ensures that attackers, who temporarily obtain a device's local storage (on which Signal runs), only compromise confidentiality of parts of the communications with this device. Thus, the leakage of local secrets from a device only affects security of a short frame of communication. The exact duration of compromise depends on the messaging pattern among the communicating parties (i.e., who sends and receives when), as the state update is conducted during the sending and receiving of payload messages.


The Double Ratchet

The Double Ratchet algorithm consists of two different update mechanisms: the symmetric ratchet and the asymmetric ratchet. The former updates symmetric key material by hashing and then overwriting it with the hash output (i.e.,  k:=H(k)). Thus, an attacker, obtaining key material can only predict future versions of the state but, due to the one-wayness of the hash function, cannot recover past states. The asymmetric ratchet consists of Diffie-Hellman key exchanges (DHKE). If, during the communication, party A receives a new DH share gb as part of a message from the communication partner B, then A samples a new DH exponent a and responds with the respective DH share ga in the next sent message. On receipt of this DH share, B will again sample a new DH exponent b' and attach the DH share gb' to the next message to A. With every new DH share, a new DHKE gab is computed among A and B and mixed into the key material (i.e., k:=H(k,gab)). For clarity, I leave out a lot of details and accuracy. As new DH shares ga and gb are generated from randomly sampled DH exponents a and b, and the computation of gab is hard if neither a nor b are known, the key material recovers from an exposure of the local secrets to an attacker after a new value gab was freshly established and mixed into it. Summing up this mechanism, if an attacker obtains the local state of a Signal client, then this attacker cannot recover any previously received message (if the message itself was not contained in the local state), nor can it read messages that are sent after a new gab was established and mixed into the state. The latter case happens with every full round-trip among A and B (i.e., A receives from B, A sends to B, and A receives again from B).
Conceptual depiction of Double Ratchet in Signal two years ago (acknowledgments were only protected between client and server). The asymmetric ratchet fully updates the local secrets after one round-trip of payload messages.

Research on Ratcheting

During the last two years, the Signal protocol inspired the academic research community: First, a formal security proof of Signal was conducted [1] and then ratcheting was formalized as a generic primitive (independent of Signal) [2,3,4]. This formalization includes security definitions that are derived via 1. defining an attacker, 2. requiring security unless it is obvious that security cannot be reached. Protocols, meeting this optimal notion of security, were less performant than the Double Ratchet algorithm [3,4]. However, it became evident that the Double Ratchet algorithm is not as secure as it could be (e.g., recovery from exposure could be achieved quicker than after a full round-trip; see, e.g., Appendix G of our paper [3]). Afterwards, protocols (for slightly weakened security notions) were proposed that are similarly performant as Signal but also a bit more secure [5,6,7].

Protecting Acknowledgments ...

In our analysis of instant messaging group chats [8] two years ago (blog posts: [9,10]), we found out that none of the group chat protocols (Signal, WhatsApp, Threema) actually achieves real recovery from an exposure (thus the asymmetric ratchet is not really effective in groups; a good motivation for the MLS project) and that receipt acknowledgments were not integrity protected in Signal nor WhatsApp. The latter issue allowed an attacker to drop payload messages in transmission and forge receipt acknowledgments to the sender such that the sender falsely thinks the message was received. Signal quickly reacted on our report by treating acknowledgments as normal payload messages: they are now authenticated(-encrypted) using the Double Ratchet algorithm.

... Supports Asymmetric Ratchet

Two years after our analysis, I recently looked into the Signal code again. For a training on ratcheting I wanted to create an exercise for which the lines in the code should be found that execute the symmetric and the asymmetric ratchet respectively. Somehow I observed that the pure symmetric ratchet (only updates via hash functions) was nearly never executed (especially not when I expected it) when lively debugging the app but almost always new DH shares were sent or received. I realized that, due to encrypting the receipt acknowledgments now, the app always conducts full round-trips with every payload message. In order to observe the symmetric ratchet, I needed to temporarily turn on the flight mode on my phone such that acknowledgments are not immediately returned.
Conceptual depiction of Double Ratchet in Signal now (acknowledgments encrypted). The asymmetric ratchet fully updates the local secrets after an acknowledgment for a message is received.

Consequently, Signal conducts a full DHKE on every sent payload message (in case the receiving device is not offline) and mixes the result into the state. However, a new DH exponent is always already sampled on the previous receipt (see sketch of protocol above). Thus, the exponent for computing a DHKE maybe remained in the local device state for a while. In order to fully update the state's key material, two round-trips must be initiated by sending two payload messages and receiving the resulting two acknowledgments. Please note that not only the mandatory receipt acknowledgments are encrypted but also notifications on typing and reading a message.

If you didn't understand exactly what that means, here a tl;dr: If an attacker obtains your local device state, then with Signal all previous messages stay secure and (if the attacker does not immediately use these secrets to actively manipulate future conversations) all future messages are secure after you wrote two messages (and received receipt acknowledgments) in all of your conversations. Even though this is very (in practice certainly sufficiently) secure, recent protocols provide stronger security (as mentioned above) and it remains an interesting research goal to increase their performance.

[1] https://eprint.iacr.org/2016/1013.pdf
[2] https://eprint.iacr.org/2016/1028.pdf
[3] https://eprint.iacr.org/2018/296.pdf
[4] https://eprint.iacr.org/2018/553.pdf
[5] https://eprint.iacr.org/2018/889.pdf
[6] https://eprint.iacr.org/2018/954.pdf
[7] https://eprint.iacr.org/2018/1037.pdf
[8] https://eprint.iacr.org/2017/713.pdf
[9] https://web-in-security.blogspot.com/2017/07/insecurities-of-whatsapps-signals-and.html
[10] https://web-in-security.blogspot.com/2018/01/group-instant-messaging-why-baming.html

Read more


Posted by at No comments:

Saturday, August 29, 2020

Zirikatu Tool - Fud Payload Generator Script

Read more
Posted by at No comments:
Subscribe to: Comments (Atom)