Wednesday, 21 October 2015

Hacking with Kali Linux

I was curious about hacking things and the so-called "dark side of the internet", so I installed Kali Linux in my VirtualBox and checked out a few things.

Finding a website admin panel with a dictionary scan

So the first thing I wanted to check is how you can find admin panels. Every content management system (CMS) has an admin panel for logging in and maintaining it. I found a Perl script that scans the target site for a list of common admin panel names. Unfortunately this is a so-called dictionary attack: if the panel's name doesn't happen to be in the list, the script won't find anything.

Open up your Kali linux and download this file: http://www.2shared.com/complete/R1eEFhs3/def_adminfinder.html

cd into your download folder and just run:

perl def_adminfinder.pl 

and it will launch. The script will then ask for the target site; type your site and press Enter.

Then we can see the script checking possible admin panel locations.

You have to wait for the script to finish to see the results, unless you can spot "status: found" in the output stream. This is a very simple tool for finding admin panels, but it is a weak dictionary tool. This is not even hacking or cracking, whatsoever. I would say it is just a tool.

How to generate a password list

When a hacker is brute-forcing their way into a system, it basically means trying every possible combination of the numbers, letters and special characters that have been defined. For that we need to create a list of those candidate words. Linux can generate these files with a tool called crunch.

Type in: crunch 4 4 123456 > passwords.lst

The first number is the minimum password length. The second number is the maximum length. Then I have defined the character set as the digits 123456 and written the output to a file called passwords.lst. This command will create every possible combination of the digits 123456 of length four.

As you can see, we have the different combinations in a list. Next try crunch 2 2 abcd > passwords2.lst to explore how this works.

Then we have all the combinations of abcd with minimum and maximum length 2.

Crunch is a tool for creating password lists for brute-force attacks, which can take a very long time. You can also download lists of the most used passwords by googling a little bit.
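To make the arithmetic behind crunch concrete, here is an added Python example (not part of the original post, and not crunch's own code). It generates the same combinations that `crunch 4 4 123456` writes, computes how large the list gets as the character set and the length grow, and shows why a list that covers a realistic character set at a realistic length is simply too large to try. The guess rate passed to it is an assumed, made-up number.

```python
import itertools


def generate_wordlist(charset, min_len, max_len):
    """Yield every string over `charset` whose length lies in [min_len, max_len],
    shortest length first and, within a length, in the order of the characters
    as given (for the examples on the page this is the order crunch prints)."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def keyspace_size(charset_len, min_len, max_len):
    """Number of candidates such a list contains: the sum of charset_len**n
    over every allowed length n."""
    return sum(charset_len ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(charset_len, min_len, max_len, guesses_per_second):
    """Worst-case time to try the whole list at an assumed guess rate."""
    return keyspace_size(charset_len, min_len, max_len) / guesses_per_second / 3600


def write_wordlist(path, charset, min_len, max_len):
    """Write the list to `path`, one word per line, like `crunch ... > passwords.lst`.
    Returns the number of lines written."""
    count = 0
    with open(path, "w") as f:
        for word in generate_wordlist(charset, min_len, max_len):
            f.write(word + "\n")
            count += 1
    return count


if __name__ == "__main__":
    # The two examples from the page.
    print("crunch 4 4 123456 ->", keyspace_size(6, 4, 4), "lines")
    print("crunch 2 2 abcd   ->", list(generate_wordlist("abcd", 2, 2)))
    # Why length and character set matter: 95 printable ASCII characters,
    # length 8, at an assumed (constructed) rate of one million guesses per second.
    print("95 chars, length 8:", keyspace_size(95, 8, 8), "candidates,",
          round(hours_to_exhaust(95, 8, 8, 1_000_000)), "hours to exhaust")
```

The 4-digit list over six characters is only 1296 lines, which is why the page's demo finishes instantly; the same calculation for eight characters drawn from the full printable set runs into the millions of hours, which is the whole argument for password length and lockout policies on the defending side.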

Password attack with Hydra against basic authentication

Now, if you have a website that uses basic authentication, you could create a massive list of words and then "brute-force" yourself into that site. The other way is to download a ready-made password list to speed things up a little; you can find some here: https://github.com/danielmiessler/SecLists/tree/master/Passwords

The basic authentication box will look like this:

Give the command:

hydra -L accounts.txt -P passwords.txt http://www.yoursite.com

-L gives the account list as a parameter and -P gives the password list. Hydra will then try every combination of the words in the two lists.

And an account + password combination in my list matched. I have successfully logged in.


SQLmap injection tool

If a PHP page URL looks like this: page.php?id=1, you can test whether the page is vulnerable to SQL injection by adding ' to the end of the URL, like www.yourpage.com/page.php?id=1'

If the answer you get is "You have an error in your SQL syntax", the page is vulnerable to attacks.

A simple command to find out the databases is: sqlmap -u www.yoursite.com --dbs
This will try different SQL injections and list all the databases available.
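The reason the stray ' in the URL produces a database error is that the page pastes the id parameter straight into its SQL text. Here is an added Python example, not from the original post and not related to sqlmap, that reproduces the probe against an in-memory SQLite table and shows the hardened version beside it. The table, its rows and the `lookup_*` function names are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the backend behind page.php?id=1."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "Home"), (2, "About")])
    return db


def lookup_vulnerable(db, page_id):
    """The SQL text is built by concatenating the raw request parameter, so a
    single quote in the parameter changes the statement itself and the
    database answers with a parse error, exactly the symptom the post describes."""
    sql = "SELECT title FROM pages WHERE id = " + page_id
    return db.execute(sql).fetchone()


def lookup_hardened(db, page_id):
    """The value is passed as a bound parameter; the SQL text never changes,
    so a quote in the parameter is just data that matches no row."""
    return db.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchone()


def leaks_sql_error(lookup, page_id="1'"):
    """Run the page's probe (append ' to the id) against a lookup function.
    True means the endpoint surfaces a database error for the malformed id,
    which is the signal that it builds SQL from the raw parameter."""
    db = make_db()
    try:
        lookup(db, page_id)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(f"{name:10s} id=1  -> {fn(make_db(), '1')}")
        print(f"{name:10s} id=1' -> error={leaks_sql_error(fn)}")
```

On the defending side the fix is the bound parameter, not hiding the error message: suppressing the error only removes the symptom, while sqlmap's other techniques still work against the concatenated query.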

And as you can see, I found a vulnerable website. Now I know their technology and what databases they have. This is just a short demonstration of what you can do with this tool.

To continue checking what is inside this table, use the command:

sqlmap -u www.yoursite.com/ -D information_schema --tables

This will list the tables inside information_schema.

Scanning for email addresses with theharvester

If you want to do an email scan using search engines, there is a tool called "theharvester". Fire up your Kali Linux and type theharvester to get information about the app.

You can scan for emails with the command theharvester -d www.nikiahlskog.com -l 50 -b all

From the information we can see that -d is the URL we are searching, -l is the number of results we look at, and -b is the search engine, if I understood this correctly. After scanning my own site I found 3 email addresses, but none of them is real.

Using Hydra to hack a login form

To attack a login form you need a password list and a username list. Use the command:

hydra -L usernames.txt -P passwords.txt testsite.com http-get-form "/index.php:admin_username=^USER^&passwordfield=^PASS^:Denied"

-L is the username list, -P is the password list. http-get-form tells Hydra to submit the form with GET on the given page; then comes the username field we try to hack, then the password field, and after the last : we put a word that Hydra will look for in the response to recognise that the login was denied.
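Both Hydra runs on this page, the one against basic authentication and the one against the login form, look the same from the server's side: a burst of login attempts from one address in a short time. Here is an added Python example, not from the original post and not part of Hydra, that parses access-log lines in the common combined format and flags sources that exceed a threshold of attempts inside a sliding window. The log lines, IP addresses, timestamps, threshold and the `/index.php?admin_username=` path are all constructed for the demonstration (with http-get-form the form fields travel in the query string, which is why the path is inspected).

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_login_attempt(rec):
    """Basic auth: every rejected username/password pair is answered with 401.
    Form login: the request targets the login page with the username field
    in the query string (assumed field name admin_username, as on the page)."""
    if rec["status"] == 401:
        return True
    return rec["path"].startswith("/index.php?") and "admin_username=" in rec["path"]


def find_bruteforce_sources(lines, threshold=10, window_seconds=60):
    """Return {ip: total_attempts} for every source that made at least
    `threshold` login attempts within any window of `window_seconds`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_login_attempt(rec):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def constructed_sample():
    """Constructed log lines: one basic-auth burst, one form-login burst, one normal visitor."""
    base = ('{ip} - - [21/Oct/2015:10:00:{sec:02d} +0300] "GET {path} HTTP/1.1" '
            '{status} 512 "-" "Mozilla/5.0"')
    lines = [base.format(ip="10.0.0.5", sec=2 * i, path="/", status=401) for i in range(12)]
    lines += [base.format(ip="10.0.0.7", sec=30 + i,
                          path="/index.php?admin_username=admin&passwordfield=pw%d" % i,
                          status=200) for i in range(11)]
    lines.append(base.format(ip="10.0.0.9", sec=5, path="/about", status=200))
    lines.append(base.format(ip="10.0.0.9", sec=9, path="/", status=401))  # one typo, not an attack
    return lines


if __name__ == "__main__":
    for ip, count in find_bruteforce_sources(constructed_sample()).items():
        print(f"{ip}: {count} login attempts inside the window")
```

The threshold and window are the tuning knobs: a human mistyping a password a few times never reaches ten attempts in a minute, while a list-driven tool hits it within seconds. The same counter is what drives a lockout or rate limit on the server side.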

Cracking WLAN passwords with reaver

Will continue this later probably...

airmon-ng start/check/stop
airodump-ng wlan0mon
wash -i wlan0mon -C
reaver -i wlan0mon -b BSSID --fail-wait=360

airodump-ng --bssid BSSID -c 6 --write /root/Desktop/crack-wpa wlan0mon
