BASIC HACK

Saturday 15 September 2012

FULL PATH DISCLOSURE TUTORIAL


In this little write-up today, I am going to try and explain what 'FPD' is, how to detect it, analyze it, and some pretty good methods of finding it in the wild.

/* Note that my write-up is intended for PHP-based websites, but some of the methods work for ASP/ASPX too. */

What is FPD

'FPD' (stands for Full Path Disclosure) is one of the most common methods of attack (while I doubt this kind of action is categorized as a form of attack, it is still a highly related method of website security testing) that pen-testers / hackers / whatever use in order to trigger an error which will expose the full installation path of the targeted site.

Why is this happening?

By default (don't quote me here: some web services and packages disable this function, but it is enabled in most cases), the PHP error reporting function -

Code:
error_reporting(0);

Different hash types


Different websites use different types of hashing techniques to store their passwords in the database. So, one must identify the hash type in order to crack it.
Here are the different types of hash:

DES(Unix)
Example: IvS7aeT4NzQPM
Used in Linux and other similar OS.
Length: 13 characters.
Description: The first two characters are the salt (random characters; in our example the salt is the string "Iv"), then there follows the actual hash.
Notes: [1] [2]

Friday 14 September 2012

How to find the admin page of a website

Today I'm gonna show how to find admin panels when you have info to log in.

There are a few options to find them.

1) Adding to URL

http://www.site.com/admin
http://www.site.com/administrator
http://www.site.com/admin.php
http://www.site.com/login

Oracle SQL injection

Hello guys, this is a tutorial about Oracle-based SQL injection.
Here is the site to learn with:

PHP Code:
http://www.comune.taranto.it/citta/dettaglio_news.php?id_news=491&id_categoria=122 

Let's try ORDER BY.

Sunday 9 September 2012

Basic SQL injection with Login Queries


Bypassing Login pages on websites using SQL injectable queries


Level: Beginners and Intermediate
Requirements: Patience and strategy
Alright, in this tutorial we'll be learning how to bypass login pages with the help of MySQL injection using login queries.
 
What is SQL injection?
Answer: Basically, it's a process where you execute a certain query on a website in order to extract information such as log-in information, users, etc. from the website's database, for either personal gain or random use.

Postgre error-based SQLi

Postgre:


Traditional relational database management systems (DBMSs) support a data model consisting of a collection of named relations, containing attributes of a specific type. In current commercial systems, possible types include floating point numbers, integers, character strings, money, and dates.

Let's start to play with Postgre:

1st step: find the vulnerability:

Code:
http://www.creatop.com.cn/index.cfm?MenuID=80'

MSSQL [ASP] SQL injection

SQL injection on ASP is the same as on PHP... but a few changes are made...

So first of all we will find some site that is vulnerable and is on .asp.

So assume that you got a site with the name of


Code:
http://www.target.com/

Sybase SQL injection tutorial

I will make a small tutorial on error-based Sybase SQL injection.

The site link is:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630

Put a ' at the end and you will see this:
Sybase: Server message: Unclosed quote before the character string ' '

Now to get the version:

PHP Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert%28integer,@@version%29-- 

MS-Access Injection

The site link for this tutorial:

http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151

How do we know it's vulnerable? Like a regular injection, by typing ' at the end of the value.

Code:
www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151'

error 80040e14

How to know DB and method of injection

MySQL server

From the error:


PHP Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax

Using the query after the link

Friday 7 September 2012

Cookie SQL injection, injecting via cookie [session based]

This tut will teach you how to SQL inject via cookie [also known as 'session based' or 'cookie parameter'].
First install Chrome and download the cookie editor add-on from Philip.

Then go to the vulnerable link:
www.vulnerable.com/x.php
Open the cookie editor.

OS Fingerprinting



OS Fingerprinting :- OS fingerprinting refers to the detection of the target computer's operating system.
Since different operating systems respond differently to the same kind of ICMP message, it is very important for an attacker to determine the exact operating system running on the target system.
An attacker can also carry out attacks by taking advantage of the vulnerabilities/bugs found in that particular operating system.
There are four areas that we will look at to determine the operating system (however, there are other signatures that can be used). These signatures are:

1) TTL - What the operating system sets the Time To Live on the outbound packet.
2) Window Size - What the operating system sets the Window Size at.
3) DF - Does the operating system set the Don't Fragment bit.
4) TOS - Does the operating system set the Type of Service, and if so, at what.

There are two different types of OS fingerprinting techniques -

ICMP Scanning

The ICMP scanning procedure is used to know whether a host is alive or not. During most scans using ICMP, an ICMP_ECHO datagram is sent to the remote computer to determine whether it has an active IP or not. If all is well, the computer that sent the ICMP_ECHO packet will receive an ICMP_ECHO_REPLY packet, which means that the host computer is up and alive. If no response is received, it usually means that the host computer is down or an administrator is filtering the reply from the host.

This scanning can be done using a ping request. Ping is great to use if you aren't planning on scanning a large number of hosts.

Just open the command prompt and type the following command:

ping <target address> 

Daemon Banner Grabbing


All open ports have a service or a daemon running on them. As soon as you telnet or connect to such open ports, you are greeted with a welcome message which is known as DAEMON BANNER. A daemon banner contains certain information about the daemon running on that particular port, operating system information, or other crucial system information. Many open ports also allow an attacker to probe further for information which can sometimes be very important in an attacker’s bid to break into the target system.

The traditional technique of daemon-banner grabbing is to use the TELNET application to manually connect to the open ports on the target system. However, this technique is very slow and inefficient. Most attackers use a port scanning or enumeration tool that automatically grabs the daemon banner information from a remote host machine. One such tool is the netcat port scanning tool.

The procedure is given below:

Go to the netcat directory in the command prompt and type the following command

Thursday 6 September 2012

WAF Bypassing

What is a WAF?

WAF stands for Web Application Firewall. A WAF is put in place by the web application's administrator in an attempt to prevent attacks such as SQLi and XSS. They detect malicious attempts with the use of signature-based filters and escapes defined within a list of rules. As a result of this design, they are vulnerable to being easily bypassed by obfuscating your exploit code.

Methods of Bypass

There are many more ways of bypassing these than I can list here, but this is a basic overview of three common and easy methods to try first.

HOW TO Crack WPA & WPA2

This is a tutorial on how to crack WPA/WPA2 keys of a wireless network.

WPA is a security technology for Wi-Fi wireless computer networks. WPA improves on the authentication and encryption features of WEP (Wired Equivalent Privacy). In fact, WPA was developed by the networking industry in response to the weaknesses of WEP. WPA provides stronger encryption than WEP.

The process is as follows:


First you need to determine your device names and modes. This is easily done by opening Konsole and using the following command:

Code:
airmon-ng

Wednesday 5 September 2012

How to crack WEP keys of a Wi-Fi network

WEP stands for Wired Equivalent Privacy, a standard for Wi-Fi wireless network security. A WEP key is a security code used on some Wi-Fi networks. WEP keys allow a group of devices on a local network (such as a home network) to exchange encoded messages with each other while hiding the contents of the messages from easy viewing by outsiders.
A WEP key is a sequence of hexadecimal digits. These digits include the numbers 0-9 and the letters A-F. Some examples of WEP keys are:
  • 1A648C9FE2
  • 99D767BAC38EA23B0C0176D15

How to text bomb a mobile phone

This is a simple tutorial on how to send as many messages as you want to any phone number at a time.

Just go to the following sites:

Tuesday 4 September 2012

SIMPLE QUERY BASED SQL INJECTION TUTORIAL

The sole purpose of this tutorial is to show you how to perform the query-based SQL injection technique to retrieve the admin username and password. This is very easy once you understand everything. This tutorial is only for MySQL version > 5.

The 1st step is to find a SQL-vulnerable link. This type of link can be found with the following type of Google dork:

"inurl:index.php?catid="
"inurl:news.php?catid="
"inurl:index.php?id="
"inurl:news.php?id="

(all without the quotes)
We are here taking the following site:

http://www.dynamicinst.net/news.php?id=25

HOW TO HACK ASPX SITES


THIS TUTORIAL IS ONLY FOR EDUCATIONAL PURPOSES AND I AM NOT RESPONSIBLE FOR ANYTHING ILLEGAL YOU DO
I am going to give a tutorial on how to hack an ASPX site.
The procedure is given below.

The URL on which the attack will be done is:
or
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=1


1st step:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6 ' having 1=1--

It will give the following error:

WHOIS

This is a very small tutorial about the Whois search tool.

It is a tool which is useful for finding all information about a particular website, such as its admin information, registration date, IP address and how many other sites are hosted on the same server.

A very good website for testing this is

http://www.domaintools.com/

It is widely used by security researchers.

Traceroute

Traceroute is a computer network diagnostic tool for displaying the route (path) of packets across an Internet Protocol (IP) network to reach their destination address. It shows you the route over the network between two systems, listing all the intermediate routers a connection must pass through to get to its destination.

The traceroute program is available on most computers which support networking, including most Unix systems, Mac OS X, and Windows 95 and later.
On a Unix system, including Mac OS X, run a traceroute at the command line like this:
traceroute server.name

Monday 3 September 2012

BASIC ADMIN BYPASS


Injecting SQL queries into a database, or using queries to get an auth bypass as an admin.

Basic SQL injection

Gaining auth bypass on an admin account.
Most sites vulnerable to this are .asp.
First we need to find a site; start by opening Google.
Now we type our dork (definition of dork: a search entry for a certain type of site/exploit, etc.).
There is a large number of Google dorks for basic SQL injection.
Here is the best:
"inurl:admin.asp"

How to know passwords stored in web browsers


It is quite dangerous to save your password in Internet Explorer, Mozilla Firefox, Google Chrome, or even in messengers.
Whenever you select the “Remember my Password” option, your passwords are automatically saved on your computer for further use.
The saved passwords can be retrieved quite easily.
It is more dangerous when you are using public computers. In that case anyone can easily extract your password and misuse it.
Here is the tip on how to extract saved passwords:-

External VS Internal IP Addresses

In simpler terms:-
An external address is like a telephone number that anyone can phone.
It has to be unique (and should be allocated to you).
(Imagine if two people had the same phone number for completely different houses - who would get the call - similar problem would occur with computers with the same external number).
Using that IP address (telephone number) any other computer connected to the web can talk to you (any phone on the phone exchange can phone you), unless you limit them in some way (firewalls etc - a bit like call barring).

An internal address is more like an extension number within an office.

Hiding IP address

IP address is short for Internet Protocol (IP) address.
An IP address is an identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination.

The Format of an IP Address

The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address.

There are two types of IP address:
(for IPv4)   172.16.254.1
(for IPv6)   2001:db8:0:1234:0:567:8:1

Reasons for hiding IP address:

Enumerating Remote Systems


Getting started with hacking: Enumerating remote systems
Many beginners in the field of hacking start to hack or crack without having pre-hacking tips, which often leads them in the wrong direction. It's better to work on a specific target before attacking. Let's start with the session, and then continue till expertise.

Firstly, keep in mind the following points if you want to hack a remote computer system:
Vulnerability + Exploit = Hacking

MAC ADDRESS AND MAC SPOOFING

MAC Address
A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment.
MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are stored in its hardware, the card's read-only memory, or some other firmware mechanism. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number and may be referred to as the burned-in address. It may also be known as an Ethernet hardware address (EHA), hardware address or physical address.
MAC addresses are 12-digit hexadecimal numbers (48 bits in length). By convention, MAC addresses are usually written in one of the following two formats:
MM:MM:MM:SS:SS:SS
MM-MM-MM-SS-SS-SS
The first half of a MAC address contains the ID number of the adapter manufacturer. These IDs are regulated by an Internet standards body. The second half of a MAC address represents the serial number assigned to the adapter by the manufacturer. In the example,

How to find the Remote Computer's MAC Address


Every device on a TCP/IP network has a unique number assigned to it called the MAC (Media Access Control) address. The MAC address is used by the network hardware such as routers, switches, etc. to send traffic from one device to another device on your network.

Your computer uses a service called ARP (Address Resolution Protocol) to resolve and track the TCP/IP and MAC address of the remote devices that you're communicating with. This information is handy for doing semi-low level network troubleshooting. It can also be used for granting or denying permissions to a network segment or device on that network.

To determine the MAC address of a remote device: