Friday, August 29, 2014

Useful Google hacks


I’ve been searching the Internet and found lots of interesting info about how to use Google for hacks and different intuitive ways to use search strings to get useful information. Google Dorks already uses these to compile their lists. However, I was unable to find some information and explanations in there, so I’ve decided to compile a nice guide for Useful Google Hacks and Tricks for readers and myself. I’ve included as many credits as I can at the bottom of this post, including authors’ websites; however, if I’ve missed any, feel free to comment and I’ll ensure they are included. Also note that this information is publicly available on many websites, so it was quite hard for me to credit the original authors/finders.

Useful Google Hacks

Google is the #1 ranked search engine on the modern Internet. They are a giant who has access to your website, your mobile, your eCommerce site, your IRC site and god knows what else. That means they get a massive amount of information and data. Among all that there’s always the chance of leaked sensitive data such as server configs, password files, backup files, and proprietary materials such as eBooks, music, PDFs, Word documents, serial numbers etc. In this post I will try to show how to use Google hacks to gather information and look for exploitable information. If you find something important, please try to contact the owner and report the search string to Google rather than abusing it. I am not responsible for how readers might or might not use the information provided below.

Hacking Security Cameras

Now this is a known one; we’ve all tried it at some point. I am not even sure if this is allowed or not, but I definitely think IP cameras should be better secured so that people can’t look into your baby monitor or simple home security cameras. Different vendors have provided product-specific patches at different times; be sure to spread the word so that you’re not the victim of unsolicited prying.
There exist many security cameras used for monitoring places like parking lots, college campuses, road traffic etc. which can be hacked using Google so that you can view the images captured by those cameras in real time. All you have to do is use the following search query in Google. Type it in the Google search box exactly as follows and hit enter:
inurl:”viewerframe?mode=motion”
Click on any of the search results (top 5 recommended) and you will gain access to the live camera, which has full controls.
You now have access to the live cameras, which work in real time. You can also move the cameras in all four directions and perform actions such as zoom in and zoom out. This camera has a really low refresh rate, but there are other search queries through which you can gain access to other cameras with faster refresh rates. To access them, just use the following search query:
intitle:”Live View / – AXIS”
Click on any of the search results to access a different set of live cameras. Thus you have hacked Security Cameras using Google.

Hacking Personal and Confidential Documents

Using Google it is possible to gain access to an email repository containing the CVs of hundreds of people, created when they applied for jobs. The documents, containing their address, phone, DOB, education, work experience etc., can be found in just seconds:
intitle:”curriculum vitae” “phone * * *” “address *” “e-mail”
You can gain access to a list of .xls (Excel documents) which contain contact details, including email addresses, of a large group of people. To do so, type the following search query and hit enter:
filetype:xls inurl:”email.xls”
Also, it’s possible to gain access to documents potentially containing information on bank accounts, financial summaries and credit card numbers using the following search query:
intitle:index.of finances.xls

Hacking Google to gain access to Free Stuff

Ever wondered how to hack Google for free music or eBooks? Well, here is a way to do that. To download free music, just enter the following query in the Google search box and hit enter:
“?intitle:index.of?mp3 eminem“
Now you’ll gain access to the whole index of an Eminem album, wherein you can download the songs of your choice. Instead of Eminem you can substitute the name of your favorite album. To search for eBooks, all you have to do is replace “Eminem” with your favorite book name. Also replace “mp3” with “pdf” or “zip” or “rar”.
Read the rest of it here: Useful Google hacks

Find HorizSync VertRefresh rates to fix Linux display issue - Why my display is stuck at 640x480?


I had this problem a few days back and it took me some time to figure out what to do.
I have an NVIDIA GTX460 graphics card on my current machine and an Acer 22" monitor. After installing the NVIDIA driver, my display was stuck at 640x480 and no matter what I did, nothing fixed it. This is an unusual problem with the NVIDIA driver. I am assuming Intel and ATI drivers might have similar issues.


Fix Linux display issue

So if you are having problems with your display, or if your display is stuck at 640x480, then try the following:
Edit the /etc/X11/xorg.conf file:
root@kali:~# vi /etc/X11/xorg.conf

You will see something like this:
Section "Monitor"
    # HorizSync source: edid, VertRefresh source: edid
    Identifier     "Monitor0"
    VendorName     "Unknown"
    ModelName      "Acer X223W"
    HorizSync       28.0 - 33.0
    VertRefresh     43.0 - 72.0
    Option         "DPMS"
EndSection

The two lines that control which display modes the monitor is allowed to use are the following:
    HorizSync       28.0 - 33.0
    VertRefresh     43.0 - 72.0
Depending on your monitor, you have to find the correct HorizSync and VertRefresh rates.

Find supported HorizSync VertRefresh rates in Linux

It took me quite some time to determine exactly what I was looking for. I obviously tried the xrandr command, like anyone would:
root@kali:~# xrandr --query

This gave me an output like the following:
root@kali:~# xrandr --query
Screen 0: minimum 8 x 8, current 1680 x 1050, maximum 16384 x 16384
DVI-I-0 disconnected (normal left inverted right x axis y axis)
DVI-I-1 disconnected (normal left inverted right x axis y axis)
DVI-I-2 connected 1680x1050+0+0 (normal left inverted right x axis y axis) 474mm x 296mm
   1680x1050      60.0*+
   1600x1200      60.0  
   1440x900       75.0     59.9  
   1400x1050      60.0  
   1360x765       60.0  
   1280x1024      75.0  
   1280x960       60.0  
   1152x864       75.0  
   1024x768       75.0     70.1     60.0  
   800x600        75.0     72.2     60.3     56.2  
   640x480        75.0     72.8     59.9  
HDMI-0 disconnected (normal left inverted right x axis y axis)
DVI-I-3 disconnected (normal left inverted right x axis y axis)
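
As an added example (not from the post), the following Python parses the xrandr output above and works out the horizontal sync each listed mode needs, which shows why a HorizSync range of 28.0 - 33.0 kHz leaves X nothing but 640x480 to pick. The blanking allowance (1.04) is an assumed typical figure, not a value from the page.

```python
import re

# Constructed sample: the xrandr --query output from the post above, embedded
# here so the example runs offline.
XRANDR_OUTPUT = """\
Screen 0: minimum 8 x 8, current 1680 x 1050, maximum 16384 x 16384
DVI-I-0 disconnected (normal left inverted right x axis y axis)
DVI-I-1 disconnected (normal left inverted right x axis y axis)
DVI-I-2 connected 1680x1050+0+0 (normal left inverted right x axis y axis) 474mm x 296mm
   1680x1050      60.0*+
   1600x1200      60.0
   1440x900       75.0     59.9
   1400x1050      60.0
   1360x765       60.0
   1280x1024      75.0
   1280x960       60.0
   1152x864       75.0
   1024x768       75.0     70.1     60.0
   800x600        75.0     72.2     60.3     56.2
   640x480        75.0     72.8     59.9
HDMI-0 disconnected (normal left inverted right x axis y axis)
DVI-I-3 disconnected (normal left inverted right x axis y axis)
"""

# A mode line is indented and reads "<w>x<h>  <rate>[*][+] <rate> ...";
# '*' marks the mode in use, '+' the monitor's preferred mode.
MODE_RE = re.compile(r"^\s+(\d+)x(\d+)\s+(.*)$")
RATE_RE = re.compile(r"(\d+(?:\.\d+)?)([*+]*)")


def parse_xrandr(text):
    """Return one (width, height, vrefresh_hz, current, preferred) per mode/rate."""
    modes = []
    for line in text.splitlines():
        m = MODE_RE.match(line)
        if not m:
            continue
        width, height = int(m.group(1)), int(m.group(2))
        for rate, flags in RATE_RE.findall(m.group(3)):
            modes.append((width, height, float(rate), "*" in flags, "+" in flags))
    return modes


def required_hsync_khz(height, vrefresh_hz, blanking_factor=1.0):
    """Horizontal sync a mode needs: scan lines per frame times frames per second.

    With blanking_factor=1.0 only the visible lines are counted, which is a
    lower bound; real timings add a few percent of blanking lines, so pass
    e.g. 1.04 (an assumed typical figure) for a closer estimate."""
    return height * blanking_factor * vrefresh_hz / 1000.0


def vrefresh_range(modes):
    """The VertRefresh span (Hz) that covers every rate the monitor advertises."""
    rates = [m[2] for m in modes]
    return min(rates), max(rates)


def modes_within(modes, hs_min_khz, hs_max_khz, blanking_factor=1.0):
    """Modes whose required horizontal sync fits the configured HorizSync range."""
    return [m for m in modes
            if hs_min_khz <= required_hsync_khz(m[1], m[2], blanking_factor) <= hs_max_khz]


def current_mode(modes):
    """The mode xrandr flags with '*' (the one X is actually using)."""
    return next(m for m in modes if m[3])


if __name__ == "__main__":
    modes = parse_xrandr(XRANDR_OUTPUT)
    w, h, rate = current_mode(modes)[:3]
    print("current mode %dx%d@%.1f needs about %.1f kHz horizontal sync"
          % (w, h, rate, required_hsync_khz(h, rate, 1.04)))
    print("VertRefresh range advertised: %.1f - %.1f Hz" % vrefresh_range(modes))
    # The post's xorg.conf allows HorizSync 28.0 - 33.0 kHz; see what still fits.
    for m in modes_within(modes, 28.0, 33.0):
        print("fits 28-33 kHz: %dx%d@%.1f" % m[:3])
```

Run against the snippet from the post, only 640x480@59.9 survives the 28-33 kHz filter, which is exactly the fallback the author was stuck with.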

Read the rest of it here: Find HorizSync VertRefresh rates to fix Linux display issue - Why my display is stuck at 640x480?

Thursday, August 28, 2014

Use SQLMAP SQL Injection to hack a website and database in Kali Linux


SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. In this guide I will show you how to use SQLMAP SQL Injection on Kali Linux to hack a website (more specifically, its database) and extract usernames and passwords.


What is SQLMAP

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

  1. Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  2. Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
  3. Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  4. Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  5. Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  6. Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
  7. Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
  8. Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  9. Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  10. Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  11. Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.
[Source: www.sqlmap.org]
Be considerate to the user who spends time and effort to put up a website and possibly depends on it to make ends meet. Your actions might impact someone in a way you never wished for. I think I can’t make it any clearer.
So here goes:


Step 1: Find a Vulnerable Website

This is usually the toughest bit and takes longer than any other step. Those who know how to use Google Dorks know this already, but in case you don’t, I have put together a number of strings that you can search in Google. Just copy and paste any of the lines into Google and Google will show you a number of search results.

Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website

This list is really long. It took me a long time to collect them. If you know SQL, then you can add more; put them in the comment section and I will add them here.

Google Dork strings, three per line (column 1, column 2, column 3):
inurl:item_id= inurl:review.php?id= inurl:hosting_info.php?id=
inurl:newsid= inurl:iniziativa.php?in= inurl:gallery.php?id=
inurl:trainers.php?id= inurl:curriculum.php?id= inurl:rub.php?idr=
inurl:news-full.php?id= inurl:labels.php?id= inurl:view_faq.php?id=
inurl:news_display.php?getid= inurl:story.php?id= inurl:artikelinfo.php?id=
inurl:index2.php?option= inurl:look.php?ID= inurl:detail.php?ID=
inurl:readnews.php?id= inurl:newsone.php?id= inurl:index.php?=
inurl:top10.php?cat= inurl:aboutbook.php?id= inurl:profile_view.php?id=
inurl:newsone.php?id= inurl:material.php?id= inurl:category.php?id=
inurl:event.php?id= inurl:opinions.php?id= inurl:publications.php?id=
inurl:product-item.php?id= inurl:announce.php?id= inurl:fellows.php?id=
inurl:sql.php?id= inurl:rub.php?idr= inurl:downloads_info.php?id=
inurl:index.php?catid= inurl:galeri_info.php?l= inurl:prod_info.php?id=
inurl:news.php?catid= inurl:tekst.php?idt= inurl:shop.php?do=part&id=
inurl:index.php?id= inurl:newscat.php?id= inurl:productinfo.php?id=
inurl:news.php?id= inurl:newsticker_info.php?idn= inurl:collectionitem.php?id=
inurl:index.php?id= inurl:rubrika.php?idr= inurl:band_info.php?id=
inurl:trainers.php?id= inurl:rubp.php?idr= inurl:product.php?id=
inurl:buy.php?category= inurl:offer.php?idf= inurl:releases.php?id=
inurl:article.php?ID= inurl:art.php?idm= inurl:ray.php?id=
inurl:play_old.php?id= inurl:title.php?id= inurl:produit.php?id=
inurl:declaration_more.php?decl_id= inurl:news_view.php?id= inurl:pop.php?id=
inurl:pageid= inurl:select_biblio.php?id= inurl:shopping.php?id=
inurl:games.php?id= inurl:humor.php?id= inurl:productdetail.php?id=
inurl:page.php?file= inurl:aboutbook.php?id= inurl:post.php?id=
inurl:newsDetail.php?id= inurl:ogl_inet.php?ogl_id= inurl:viewshowdetail.php?id=
inurl:gallery.php?id= inurl:fiche_spectacle.php?id= inurl:clubpage.php?id=
inurl:article.php?id= inurl:communique_detail.php?id= inurl:memberInfo.php?id=
inurl:show.php?id= inurl:sem.php3?id= inurl:section.php?id=
inurl:staff_id= inurl:kategorie.php4?id= inurl:theme.php?id=
inurl:newsitem.php?num= inurl:news.php?id= inurl:page.php?id=
inurl:readnews.php?id= inurl:index.php?id= inurl:shredder-categories.php?id=
inurl:top10.php?cat= inurl:faq2.php?id= inurl:tradeCategory.php?id=
inurl:historialeer.php?num= inurl:show_an.php?id= inurl:product_ranges_view.php?ID=
inurl:reagir.php?num= inurl:preview.php?id= inurl:shop_category.php?id=
inurl:Stray-Questions-View.php?num= inurl:loadpsb.php?id= inurl:transcript.php?id=
inurl:forum_bds.php?num= inurl:opinions.php?id= inurl:channel_id=
inurl:game.php?id= inurl:spr.php?id= inurl:aboutbook.php?id=
inurl:view_product.php?id= inurl:pages.php?id= inurl:preview.php?id=
inurl:newsone.php?id= inurl:announce.php?id= inurl:loadpsb.php?id=
inurl:sw_comment.php?id= inurl:clanek.php4?id= inurl:pages.php?id=
inurl:news.php?id= inurl:participant.php?id=
inurl:avd_start.php?avd= inurl:download.php?id=
inurl:event.php?id= inurl:main.php?id=
inurl:product-item.php?id= inurl:review.php?id=
inurl:sql.php?id= inurl:chappies.php?id=
inurl:material.php?id= inurl:read.php?id=
inurl:clanek.php4?id= inurl:prod_detail.php?id=
inurl:announce.php?id= inurl:viewphoto.php?id=
inurl:chappies.php?id= inurl:article.php?id=
inurl:read.php?id= inurl:person.php?id=
inurl:viewapp.php?id= inurl:productinfo.php?id=
inurl:viewphoto.php?id= inurl:showimg.php?id=
inurl:rub.php?idr= inurl:view.php?id=
inurl:galeri_info.php?l= inurl:website.php?id=

Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection

For every string shown above, you will get hundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection? There are multiple ways, and I am sure people would argue about which one is best, but to me the following is the simplest and most conclusive.
Let’s say you searched using the string inurl:item_id= and one of the search results shows a website like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15
Just add a single quotation mark ' at the end of the URL. (To be clear, " is a double quotation mark and ' is a single quotation mark.)
So now your URL will become like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'
If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads normally or redirects you to a different page, move on to the next site in your Google search results.
See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.
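
To show what that single quote actually does on the server side, here is an added example that is not part of the original post: a lookup written the vulnerable way beside the same lookup done with a bound parameter, against a constructed in-memory SQLite table named items (an assumption; the real site's schema is unknown).

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's database; the post's URL looks items
    up by item_id, so that is the only table here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(15, "widget"), (16, "gadget")])
    return conn


def vulnerable_lookup(conn, item_id):
    """The flawed pattern: the raw query-string value is glued into the SQL.

    item_id=15' becomes ... WHERE item_id = 15' which is not valid SQL, so the
    database raises the error the post tells you to look for."""
    sql = "SELECT name FROM items WHERE item_id = " + item_id
    return conn.execute(sql).fetchone()


def safe_lookup(conn, item_id):
    """The fix: validate the type, then bind the value so it is never parsed as SQL.

    A stray quote is rejected before any query runs, so the page loads normally
    (or 404s) instead of leaking a database error."""
    if not item_id.isdigit():      # the id is numeric by design; refuse anything else
        return None
    sql = "SELECT name FROM items WHERE item_id = ?"
    return conn.execute(sql, (int(item_id),)).fetchone()


def probe_response(lookup, conn, item_id):
    """What the single-quote check from the post observes for a given handler:
    'error: ...' stands for the SQL error page, 'ok: ...' for a normal page."""
    try:
        row = lookup(conn, item_id)
    except sqlite3.Error as exc:
        return "error: %s" % exc.__class__.__name__
    return "ok: %s" % (row[0] if row else "no such item")


if __name__ == "__main__":
    conn = make_db()
    for value in ("15", "15'"):
        print("item_id=%-4s vulnerable -> %s"
              % (value, probe_response(vulnerable_lookup, conn, value)))
        print("item_id=%-4s safe       -> %s"
              % (value, probe_response(safe_lookup, conn, value)))
```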

Read the rest of it here: Use SQLMAP SQL Injection to hack a website and database in Kali Linux

Tuesday, August 26, 2014

Install AMD ATI proprietary fglrx driver in SolydXK Linux


SolydX is a Debian based distribution with the Xfce desktop. It intends to be as light-weight as possible without giving up any of the expected functionality.
  1. SolydX and SolydK are Debian based distributions with the Xfce and KDE desktop.
  2. SolydXK aims to be simple in use, providing an environment that is both stable and secure.
  3. SolydXK is an open source alternative for small businesses, non-profit organizations and home users.

My experience with SolydXK

I like the XFCE desktop. I think I made that pretty clear in many of my previous posts. XFCE (or XFCE4) is lightweight, fast and simple. It is light on system resources, and when I use my laptop, I prefer a lightweight distro. My primary OS is Kali Linux, but even with that, I always install XFCE (well, my guides are all written in GNOME just because it makes readers slightly less confused .. ermm.. ), but for personal use I prefer XFCE.
SolydX is a Debian-based lightweight distro that uses the XFCE desktop. It is very slim and runs on the lowest possible settings without compromising functionality. SolydXK also has a KDE version, namely SolydK.

After installing SolydX, the first thing I experienced was an overheating CPU. I’ve had it with pretty much every Linux distro on my crappy laptop running an AMD Radeon HD 7500 graphics card (I have an Intel/ATI hybrid card). So naturally, I went around looking for instructions on how to install the AMD ATI proprietary fglrx driver in SolydXK Linux. Unfortunately, I found lots of forum posts but not a good solution (that is, a step-by-step solution).
So here I am again, writing a guide on how to install the AMD ATI proprietary fglrx driver, except this time it is for SolydX Linux.
In this guide I will refer to SolydX as SolydXK, or vice versa, as this guide applies to both SolydX and SolydK.

Step by step guide to install proprietary fglrx driver in SolydXK Linux

The following instructions were tested on 64-bit SolydXK Linux running kernel 3.14-2-amd64. I did a fresh install and installed the AMD drivers first. Individual user experiences might be slightly different.
NOTE: I use Linux as the root user; if you don’t, you need to use sudo in front of every command.

Read the rest of it here: Install AMD ATI proprietary fglrx driver in SolydXK Linux

Monday, August 25, 2014

Identify PCI and USB Wired and Wireless Driver in Linux - Identify USB Driver. Ubuntu, Debian, Mint, CentOS, Fedora & all Linux distro


This guide shows how you can identify USB driver and chipset information (most commonly for wireless adapters) on Linux. Often users trawl different forums and blogs to find out how they can identify which driver their PCI or USB device is using. This guide applies to all possible scenarios. After reading and following this guide you will be able to identify the following:

Examples of USB devices

  1. Identify USB driver for USB Wireless Adapters
  2. Identify USB driver for Mice
  3. Identify USB driver for Keyboards
  4. Identify USB driver for External Hard drives
  5. Identify USB driver for DVD R/W devices
  6. Identify USB driver for Blu-ray devices
  7. Identify USB driver for High Definition Audio Controller
  8. Identify USB driver for VGA or graphics cards
  9. Identify USB driver for Ethernet devices
  10. Identify USB driver for Card readers
In short, the driver of any device plugged into a USB port can be identified.
This guide will work for any Linux distribution, namely -
  1. Linux Mint
  2. Ubuntu
  3. Debian GNU/Linux
  4. Mageia / Mandriva
  5. Fedora
  6. openSUSE / SUSE Linux Enterprise
  7. Arch Linux
  8. CentOS / Red Hat Enterprise Linux
  9. PCLinuxOS
  10. Slackware Linux
  11. Puppy Linux
  12. Kali Linux (my distro ;) )
As usual, I will start with the basics. The next few paragraphs are slightly boring, but if you really want to understand, you might as well read them; otherwise just skip to the technical bits (table of contents above).
So let’s start with the basics .. what is a USB device…

What is Universal Serial Bus or USB?

Universal Serial Bus (USB) is an industry standard developed in the mid-1990s that defines the cables, connectors and communications protocols used in a bus for connection, communication, and power supply between computers and electronic devices.
USB was designed to standardize the connection of computer peripherals (including keyboards, pointing devices, digital cameras, printers, portable media players, disk drives and network adapters) to personal computers, both to communicate and to supply electric power. It has become commonplace on other devices, such as smartphones, PDAs and video game consoles. USB has effectively replaced a variety of earlier interfaces, such as serial and parallel ports, as well as separate power chargers for portable devices. Source: Wikipedia


Question: How do I identify USB driver for anything in Linux?

This is a million dollar question; just how often do you see a similar post in forums and blogs with vague and unreliable answers? I will try my best to answer anything and everything about all devices and their drivers in this post. So stay tuned, as this is going to be a long a** post.

Identify USB Driver Chipset Information in Linux

lsusb, which is a standard command in all Linux distributions, will show you the USB devices on your system.
LS = List
USB = Universal Serial Bus devices

Step 1: List all USB devices – Identify USB driver

root@kali:~# lsusb
This will give you a sample output like the following:
root@kali:~# lsusb
Bus 002 Device 003: ID 148f:2870 Ralink Technology, Corp. RT2870 Wireless Adapter
Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 046d:c016 Logitech, Inc. Optical Wheel Mouse
Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
root@kali:~# 

Read the rest of it here: Identify PCI and USB Wired and Wireless Driver in Linux - Identify USB Driver. Ubuntu, Debian, Mint, CentOS, Fedora & all Linux distro

Thursday, August 21, 2014

Denial-of-service Attack - DOS using hping3 with spoofed IP in Kali Linux


In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.

Although the means to carry out, the motives for, and targets of a DoS attack vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

As clarification, distributed denial-of-service attacks are sent by two or more persons, or bots, and denial-of-service attacks are sent by one person or system. As of 2014, the frequency of recognized DDoS attacks had reached an average rate of 28 per hour.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.

Denial-of-service threats are also common in business, and are sometimes responsible for website attacks.

This technique has now seen extensive use in certain games, used by server owners, or disgruntled competitors on games, such as popular Minecraft servers. Increasingly, DoS attacks have also been used as a form of resistance. Richard Stallman has stated that DoS is a form of ‘Internet Street Protests’. The term is generally used relating to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Denial-of-service attacks are considered violations of the Internet Architecture Board’s Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.
I recently published another post that shows you a DOS attack map in real time. So if you’ve got a good connection and enough bandwidth, hey, you might even see your own attack on that map.

Our take on Denial-of-service Attack – DOS using hping3

Let’s face it, you installed Kali Linux to learn how to DOS, how to crack into your neighbor’s wireless router, how to hack into a remote Windows machine, be that a Windows 2008 R2 server or Windows 7, or to learn how to hack a website using SQL Injection. There are lots of guides that explain it all. In this guide, I am about to demonstrate how to DOS using hping3 with random source IPs on Kali Linux. That means:
  1. You are executing a Denial of Service attack or DOS using hping3.
  2. You are hiding your a$$ (I meant your source IP address).
  3. Your destination machine will see packets from random source IP addresses rather than yours (IP masquerading).
  4. Your destination machine will get overwhelmed within 5 minutes and stop responding.
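
From the defender's side, the traffic described in that list has a recognisable shape. The following Python is an added example, not part of the post: it runs simple SYN-flood detection over a constructed set of packet summaries (the addresses, thresholds and the one-second window are assumptions, not values from the page).

```python
from collections import defaultdict

SERVER = "192.0.2.10"   # constructed victim address (documentation range)


def build_sample():
    """Constructed packet summaries (time_s, src, dst, tcp_flags); not a real capture.

    Second 0 holds five ordinary clients completing the TCP handshake.
    Second 2 holds a burst of 300 SYNs, every one from a different source,
    which is the shape a flood with random spoofed source addresses leaves."""
    pkts = []
    for i in range(5):
        client = "10.0.0.%d" % (10 + i)
        pkts.append((0.1 + 0.2 * i, client, SERVER, "S"))
        pkts.append((0.12 + 0.2 * i, SERVER, client, "SA"))
        pkts.append((0.14 + 0.2 * i, client, SERVER, "A"))
    for i in range(300):
        src = "198.51.100.%d" % (i + 1) if i < 254 else "203.0.113.%d" % (i - 253)
        pkts.append((2.0 + i / 300.0, src, SERVER, "S"))
    return pkts


def syn_flood_windows(pkts, syn_threshold=100, spoof_ratio=0.9):
    """Flag (dst, second) windows that look like a random-source SYN flood.

    Two signals are combined per one-second window: the SYN count, and the share
    of those SYNs that came from distinct sources. A busy legitimate service sees
    many SYNs but repeats sources; spoofed random sources are almost never repeated.
    The thresholds are assumptions to tune for the link being watched."""
    syns = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst, flags in pkts:
        if flags == "S":
            key = (dst, int(ts))
            syns[key] += 1
            sources[key].add(src)
    alerts = []
    for key in sorted(syns):
        n, distinct = syns[key], len(sources[key])
        if n >= syn_threshold and distinct / n >= spoof_ratio:
            alerts.append({"dst": key[0], "second": key[1],
                           "syns": n, "distinct_sources": distinct})
    return alerts


def handshake_completion(pkts):
    """Fraction of SYNs to each destination that were followed by a client ACK.

    Spoofed sources never send the final ACK, so the ratio collapses during a
    flood; it is a cheap second signal when the source count alone is ambiguous."""
    syn = defaultdict(int)
    ack = defaultdict(int)
    for _, src, dst, flags in pkts:
        if flags == "S":
            syn[dst] += 1
        elif flags == "A":
            ack[dst] += 1
    return {dst: ack[dst] / syn[dst] for dst in syn}


if __name__ == "__main__":
    sample = build_sample()
    for alert in syn_flood_windows(sample):
        print("possible random-source SYN flood:", alert)
    for dst, ratio in handshake_completion(sample).items():
        print("%s handshake completion: %.1f%%" % (dst, 100 * ratio))
```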

Sounds good? I bet it does. But before we go and start using hping3, let’s just go over the basics..

What’s hping3?

hping3 is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de-facto tools for security auditing and testing of firewalls and networks, and was used to exploit the Idle Scan scanning technique now implemented in the Nmap port scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in a very short time.
Like most tools used in computer security, hping3 is useful to security experts, but there are a lot of applications related to network testing and system administration.

hping3 should be used to…

  • Traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities.
  • Perform the idle scan (now implemented in nmap with an easy user interface).
  • Test firewalling rules.
  • Test IDSes.
  • Exploit known vulnerabilities of TCP/IP stacks.
  • Networking research.
  • Learn TCP/IP (hping was used in networking courses AFAIK).
  • Write real applications related to TCP/IP testing and security.
  • Automated firewalling tests.
  • Proof of concept exploits.
  • Networking and security research when there is the need to emulate complex TCP/IP behaviour.
  • Prototype IDS systems.
  • Simple to use networking utilities with Tk interface.
hping3 is pre-installed on Kali Linux like many other tools. It is quite useful and I will demonstrate its usage soon.

DOS using hping3 with random source IP

That’s enough background; I am moving on to the attack. You only need to run a single-line command, as shown below:

Read the rest of it here: Denial-of-service Attack - DOS using hping3 with spoofed IP in Kali Linux

Wednesday, August 20, 2014

Identify PCI and USB Wired and Wireless Driver in Linux - Identify PCI Driver. Ubuntu, Debian, Mint, CentOS, Fedora & all Linux distro


This guide shows how you can identify PCI driver and chipset information on Linux. Often users trawl different forums and blogs to find out how they can identify which driver their PCI or USB device is using. This guide applies to all possible scenarios. After reading and following this guide you will be able to identify the following:

Examples of PCI devices

  1. Identify PCI driver for Processor – CPU
  2. Identify PCI driver for Motherboards
  3. Identify PCI driver for Communication controllers
  4. Identify PCI driver for Network devices
  5. Identify PCI driver for USB devices
  6. Identify PCI driver for USB controllers
  7. Identify PCI driver for High Definition Audio Controller
  8. Identify PCI driver for VGA or graphics cards
  9. Identify PCI driver for Memory (RAM)
  10. Identify PCI driver for Thermal Control Registers
  11. Identify PCI driver for Ethernet devices
  12. Identify PCI driver for DVD R/W devices
  13. Identify PCI driver for Blu-ray devices
  14. Identify PCI driver for CDROM devices
In short, the driver of any device plugged into a PCI slot can be identified.

This guide will work for any Linux distribution, namely -
  1. Linux Mint
  2. Ubuntu
  3. Debian GNU/Linux
  4. Mageia / Mandriva
  5. Fedora
  6. openSUSE / SUSE Linux Enterprise
  7. Arch Linux
  8. CentOS / Red Hat Enterprise Linux
  9. PCLinuxOS
  10. Slackware Linux
  11. Puppy Linux
  12. Kali Linux (my distro ;) )
As usual, I will start with the basics. The next few paragraphs are slightly boring, but if you really want to understand, you might as well read them; otherwise just skip to the technical bits (table of contents above).
So let’s start with the basics .. what is a PCI device…

What is Peripheral Component Interconnect or PCI?

Conventional PCI, often shortened to PCI, is a local computer bus for attaching hardware devices in a computer. PCI is an initialism of Peripheral Component Interconnect and is part of the PCI Local Bus standard. The PCI bus supports the functions found on a processor bus but in a standardized format that is independent of any particular processor’s native bus. Devices connected to the PCI bus appear to a bus master to be connected directly to its own bus and are assigned addresses in the processor’s address space. It is a parallel bus, synchronous to a single bus clock.

Attached devices can take either the form of an integrated circuit fitted onto the motherboard itself (called a planar device in the PCI specification) or an expansion card that fits into a slot. The PCI Local Bus was first implemented in IBM PC compatibles, where it displaced the combination of several slow ISA slots and one fast VESA Local Bus slot as the bus configuration. It has subsequently been adopted for other computer types. Typical PCI cards used in PCs include: network cards, sound cards, modems, extra ports such as USB or serial, TV tuner cards and disk controllers. PCI video cards replaced ISA and VESA cards until growing bandwidth requirements outgrew the capabilities of PCI. The preferred interface for video cards then became AGP, itself a superset of conventional PCI, before giving way to PCI Express.

The first version of conventional PCI found in consumer desktop computers was a 32-bit bus using a 33 MHz bus clock and 5 V signalling, although the PCI 1.0 standard provided for a 64-bit variant as well. These have one locating notch in the card. Version 2.0 of the PCI standard introduced 3.3 V slots, physically distinguished by a flipped physical connector to prevent accidental insertion of 5 V cards. Universal cards, which can operate on either voltage, have two notches. Version 2.1 of the PCI standard introduced optional 66 MHz operation. A server-oriented variant of conventional PCI, called PCI-X (PCI Extended), operated at frequencies up to 133 MHz for PCI-X 1.0 and up to 533 MHz for PCI-X 2.0. An internal connector for laptop cards, called Mini PCI, was introduced in version 2.2 of the PCI specification. The PCI bus was also adopted for an external laptop connector standard—the CardBus. The first PCI specification was developed by Intel, but subsequent development of the standard became the responsibility of the PCI Special Interest Group (PCI-SIG).

Conventional PCI and PCI-X are sometimes called Parallel PCI in order to distinguish them technologically from their more recent successor PCI Express, which adopted a serial, lane-based architecture. Conventional PCI’s heyday in the desktop computer market was approximately the decade 1995-2005. PCI and PCI-X have become obsolete for most purposes; however, they are still common on modern desktops for the purposes of backwards compatibility and the low relative cost to produce. Many kinds of devices previously available on PCI expansion cards are now commonly integrated onto motherboards or available in Universal Serial Bus and PCI Express versions. Source: Wikipedia

Question: How do I identify PCI driver for anything in Linux?

This is a million dollar question; how often do you see a similar post in forums and blogs with vague and unreliable answers? I will try my best to answer anything and everything about devices and their drivers in this post. So stay tuned, as this is going to be a long a** post.

Identify PCI Driver Chipset Information in Linux

lspci, a standard command in all Linux distributions, shows you the PCI devices on your system.

LS = List
PCI = Peripheral Component Interconnect devices

Step 1: List all PCI devices – Identify PCI driver

root@kali:~# lspci
 
This will give you a sample output like the following:

root@kali:~# lspci
(some output removed)
00:00.0 Host bridge: Intel Corporation Core Processor DMI (rev 11)
00:03.0 PCI bridge: Intel Corporation Core Processor PCI Express Root Port 1 (rev 11)
00:19.0 Ethernet controller: Intel Corporation 82578DM Gigabit Network Connection (rev 06)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev a6)
00:1f.0 ISA bridge: Intel Corporation 5 Series Chipset LPC Interface Controller (rev 06)
00:1f.3 SMBus: Intel Corporation 5 Series/3400 Series Chipset SMBus Controller (rev 06)
01:00.0 VGA compatible controller: NVIDIA Corporation GT218 [GeForce 210] (rev a2)
root@kali:~#
 
Now you can see the device names, their types and the bus addresses at the front of each line (for example 00:19.0).

Step 2: Get verbose output for selected device – Identify PCI driver

Let’s say we want to identify the driver the Linux kernel uses for the Ethernet controller (which is the wired port on my motherboard).
00:19.0 Ethernet controller: Intel Corporation 82578DM Gigabit Network Connection (rev 06)
Copy the numbers at the front, i.e. 00:19.0, and use them with the lspci command to find more info:

root@kali:~# lspci -vv -s 00:19.0
This will give you an output like below:
root@kali:~# lspci -vv -s 00:19.0
00:19.0 Ethernet controller: Intel Corporation 82578DM Gigabit Network Connection (rev 06)
    Subsystem: Acer Incorporated [ALI] Device 8000
    Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
    Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
    Latency: 0
    Interrupt: pin A routed to IRQ 46
    Region 0: Memory at faec0000 (32-bit, non-prefetchable) [size=128K]
    Region 1: Memory at faefa000 (32-bit, non-prefetchable) [size=4K]
    Region 2: I/O ports at d000 [size=32]
    Capabilities: [c8] Power Management version 2
        Flags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
        Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=1 PME-
    Capabilities: [d0] MSI: Enable+ Count=1/1 Maskable- 64bit+
        Address: 00000000fee0f00c  Data: 4192
    Capabilities: [e0] PCI Advanced Features
        AFCap: TP+ FLR+
        AFCtrl: FLR-
        AFStatus: TP-
    Kernel driver in use: e1000e

So the Kernel is using a driver named e1000e.
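The two steps above can be scripted so the bus address and the bound driver are picked out of the lspci text instead of read by eye. The following is an added example, not code from the original post or from the pciutils project; the two sample listings inside it are constructed in the format the post shows, and the sysfs lookup assumes a device in PCI domain 0000 (the one lspci abbreviates away).

```shell
#!/bin/sh
# Added example (not from the original post): find a device's bus address in
# `lspci` output, then read its "Kernel driver in use" from `lspci -vv`.

# Constructed `lspci` listing (sample data, not captured from a real host).
SAMPLE_LSPCI='00:00.0 Host bridge: Intel Corporation Core Processor DMI (rev 11)
00:19.0 Ethernet controller: Intel Corporation 82578DM Gigabit Network Connection (rev 06)
01:00.0 VGA compatible controller: NVIDIA Corporation GT218 [GeForce 210] (rev a2)'

# Constructed tail of `lspci -vv -s 00:19.0` (sample data).
SAMPLE_VV='00:19.0 Ethernet controller: Intel Corporation 82578DM Gigabit Network Connection (rev 06)
    Subsystem: Acer Incorporated [ALI] Device 8000
    Capabilities: [e0] PCI Advanced Features
    Kernel driver in use: e1000e'

# Step 1: bus address (first field) of the first line in listing $1 that
# contains the device class or name given in $2.
pci_addr_for() {
    printf '%s\n' "$1" | awk -v want="$2" 'index($0, want) { print $1; exit }'
}

# Step 2: the "Kernel driver in use" value from the verbose text in $1.
# Prints nothing when the kernel has no driver bound (lspci omits the line).
kernel_driver_in_use() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Kernel driver in use: //p'
}

# Cross-check via sysfs: the "driver" symlink in the device's directory.
# lspci drops the PCI domain, so the common "0000:" domain is assumed here.
kernel_driver_from_sysfs() {
    link="/sys/bus/pci/devices/0000:$1/driver"
    if [ -L "$link" ]; then
        basename "$(readlink "$link")"
    fi
}

# Run against the real tool when it is installed on this host.
if command -v lspci >/dev/null 2>&1; then
    addr=$(pci_addr_for "$(lspci)" "Ethernet controller")
    if [ -n "$addr" ]; then
        printf '%s -> %s\n' "$addr" "$(kernel_driver_in_use "$(lspci -vv -s "$addr")")"
    fi
fi
```

Once you have the driver name, `modinfo e1000e` reports its version and source, which is what you need when checking whether a machine carries a driver with a known bug; `lspci -k` prints the same "Kernel driver in use" line for every device at once if you want the whole picture.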



Read the rest of it here: Identify PCI and USB Wired and Wireless Driver in Linux - Identify PCI Driver. Ubuntu, Debian, Mint, CentOS, Fedora & all Linux distro

How to find files containing specific text in Linux? Ubuntu, Debian, Mint, CentOS, Fedora and any Linux distro

Read full details here: How to find files containing specific text in Linux? Ubuntu, Debian, Mint, CentOS, Fedora and any Linux distro


Very often new users dwell on Google trying to find the correct command to find files containing specific text. This is particularly important when you’re trying to follow a badly written guide or forum post that says something like "replace 0 with 1 in this line, which will fix PulseAudio configured for per-user sessions …" (warning)

PULSEAUDIO_SYSTEM_START=0
 
Now for an experienced user, no problem, you know exactly where to find a configuration file for PulseAudio. For a new Linux user, yeah, tell me about it. I’ve been there when I started with Slackware back in the late nineties.
This guide shows a bunch of commands that you can use to find files containing specific text in Linux, namely Ubuntu, Debian, Mint, CentOS, Fedora and any Linux distro.
This guide will work for any Linux distribution, namely:
  1. Linux Mint
  2. Ubuntu
  3. Debian GNU/Linux
  4. Mageia / Mandriva
  5. Fedora
  6. openSUSE / SUSE Linux Enterprise
  7. Arch Linux
  8. CentOS / Red Hat Enterprise Linux
  9. PCLinuxOS
  10. Slackware Linux
  11. Puppy Linux
  12. Kali Linux (my distro ;) )


Find files containing specific text using grep command

grep is a command-line utility for searching plain-text data sets for lines matching a regular expression. Grep was originally developed for the Unix operating system, but is available today for all Unix-like systems. Its name comes from the ed command g/re/p (globally search a regular expression and print), which has the same effect: doing a global search with the regular expression and printing all matching lines.
To find files containing specific text, you are possibly better off using the grep command. The grep command can find and search a specific text from all files quickly.

grep command syntax

Syntax for grep command is simple:
grep "text string to search" directory-path
OR
grep [option] "text string to search" directory-path
OR
grep -r "text string to search" directory-path
OR
grep -r -H "text string to search" directory-path
OR
egrep -R "word-1|word-2" directory-path
OR
egrep -w -R "word-1|word-2" directory-path

Find files containing specific text using grep command examples

In this example, we will search for 'PULSEAUDIO_SYSTEM_START' in all configuration files located in the /etc directory.
Now there’s a small problem: depending on your Linux, BSD or Unix distro, the command syntax can be slightly different. So I will outline all possible combinations; you can just try one at a time to determine which one best suits you.

Find files containing specific text when you know the location

If you know the exact location and directory you’re after, then use
root@kali:~# grep "PULSEAUDIO_SYSTEM_START" /etc/default/pulseaudio 
PULSEAUDIO_SYSTEM_START=1
root@kali:~#
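To see the difference between the grep forms listed above, here is an added example that is not part of the original post. It builds a small constructed directory tree (a stand-in for /etc, created under a temporary directory so nothing on the real system is touched) and then runs the substring, whole-word and file:line variants against it; the file names and their contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): recursive grep variants run
# over a constructed /etc-like tree.

# Build the sample tree and print its path. Contents are constructed so that
# one file has the real setting and another has a name that merely contains
# the same text as a substring.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/default" "$d/pulse"
    printf 'PULSEAUDIO_SYSTEM_START=0\n' > "$d/default/pulseaudio"
    printf '# unrelated knob\nPULSEAUDIO_SYSTEM_STARTUP_DELAY=5\n' > "$d/pulse/client.conf"
    printf 'autospawn = yes\n' > "$d/pulse/daemon.conf"
    printf '%s\n' "$d"
}

# Substring match, recursive, file names only: grep -r -l.
# -F treats the text as a fixed string, so dots or brackets in it are literal.
files_containing() {            # $1 = text, $2 = directory
    ( cd "$2" && grep -r -l -F -- "$1" . | sort )
}

# Whole-word match: -w keeps PULSEAUDIO_SYSTEM_STARTUP_DELAY from matching
# a search for PULSEAUDIO_SYSTEM_START.
files_containing_word() {
    ( cd "$2" && grep -r -l -w -F -- "$1" . | sort )
}

# file:line:content, so you know exactly which line a guide wants edited
# (the post's -H, plus -n for the line number).
lines_containing_word() {
    ( cd "$2" && grep -r -n -H -w -F -- "$1" . )
}

# Either of several words: the egrep -w -R "word-1|word-2" form.
files_containing_any_word() {   # $1 = alternation pattern, $2 = directory
    ( cd "$2" && grep -r -l -w -E -- "$1" . | sort )
}

tree=$(make_demo_tree)
echo "substring matches:"; files_containing PULSEAUDIO_SYSTEM_START "$tree"
echo "whole-word matches:"; files_containing_word PULSEAUDIO_SYSTEM_START "$tree"
echo "line to edit:"; lines_containing_word PULSEAUDIO_SYSTEM_START "$tree"
rm -rf "$tree"
```

The point of -w is visible in the output: the substring search returns both files, the whole-word search only the one that actually holds the setting, and the -n -H form gives the exact file and line to change.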


Read the rest of it here: How to find files containing specific text in Linux? Ubuntu, Debian, Mint, CentOS, Fedora and any Linux distro

Monday, August 18, 2014

Cracking WPA2 WPA with Hashcat in Kali Linux (BruteForce MASK based attack on Wifi passwords)

Read full details here: Cracking WPA2 WPA with Hashcat in Kali Linux (BruteForce MASK based attack on Wifi passwords)

cudaHashcat, oclHashcat and Hashcat on Kali Linux all have built-in capabilities to attack WPA2 and WPA handshake (.cap) files. The only constraint is that you need to convert the .cap file to the .hccap file format first. This is rather easy.

Hashcat

Hashcat is the self-proclaimed world’s fastest CPU-based password recovery tool. It is available free of charge, although it has a proprietary codebase. Versions are available for Linux, OSX, and Windows and can come in CPU-based or GPU-based variants. Hashcat currently supports a large range of hashing algorithms, including: Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX, and many others. Hashcat has made its way into the news many times for the optimizations and flaws discovered by its creator, which are exploited in subsequent hashcat releases. (For example, the flaw in 1Password's hashing scheme.)

Attack types

Hashcat offers multiple attack modes for obtaining effective and complex coverage over a hash's keyspace. These modes are:
  • Brute-Force attack
  • Combinator attack
  • Dictionary attack
  • Fingerprint attack
  • Hybrid attack
  • Mask attack
  • Permutation attack
  • Rule-based attack
  • Table-Lookup attack
  • Toggle-Case attack
The traditional bruteforce attack is considered outdated, and the Hashcat core team recommends the Mask-Attack as a full replacement.

Variants

Hashcat comes in two main variants:
  • Hashcat - A CPU-based password recovery tool
  • oclHashcat - A GPU-accelerated tool
Many of the algorithms supported by Hashcat can be cracked in a shorter time by using the well-documented GPU-acceleration leveraged in oclHashcat (such as MD5, SHA1, and others). However, not all algorithms can be accelerated by leveraging GPUs. Bcrypt is a good example of this. Due to factors such as data-dependent branching, serialization, and memory (to name just a few), oclHashcat is not a catchall replacement for Hashcat. Hashcat is available for Linux, OSX and Windows. oclHashcat is only available for Linux and Windows due to improper implementations of OpenCL on OSX.
Important Note: Many users try to capture with network cards that are not supported. You should purchase a card that supports Kali Linux, including injection and monitor mode etc. A list can be found in 802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card; otherwise you'll just be wasting time and effort on something that won't do the job.

My Setup

I have an NVIDIA GTX 210 graphics card in my machine running Kali Linux 1.0.6 and will use the rockyou dictionary for most of the exercise. In this post, I will show the steps for cracking WPA2 WPA handshake files (.cap files) with cudaHashcat, oclHashcat or Hashcat on Kali Linux. I will use the cudahashcat command because I am using an NVIDIA GPU. If you’re using an AMD GPU, then I guess you’ll be using oclHashcat. Let me know if this assumption is incorrect. To enable GPU cracking, you need to install either CUDA for NVIDIA or AMD APP SDK for AMD graphics cards. I've covered those in my previous posts.

NVIDIA Users:

  1. Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver
  2. Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda

AMD Users:

  1. Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6
  2. Install AMD APP SDK in Kali Linux
  3. Install Pyrit in Kali Linux
  4. Install CAL++ in Kali Linux
 

Why use Hashcat for cracking WPA WPA2 handshake file?

Pyrit is the fastest when it comes to cracking WPA2 WPA handshake files. So why are we using Hashcat to crack WPA2 WPA handshake files?
  1. Because we can?
  2. Because Hashcat allows us to use customized attacks with predefined rules and Masks.
Now this doesn't explain much, and reading the Hashcat wiki to learn how to do it will take forever. I'll just give some examples to clear it up. Hashcat allows you to use the following built-in charsets to attack a WPA2 WPA handshake file.

Built-in charsets

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s

Numbered passwords

So let's say your password is 12345678. You can use a custom MASK like ?d?d?d?d?d?d?d?d. What it means is that you're trying to break an 8-digit numeric password like 12345678 or 23456789 or 01567891... You get the idea.

Letter passwords - All uppercase

If your password is all letters in CAPS such as: ABCFEFGH or LKHJHIOP or ZBTGYHQS ..etc. then you can use the following MASK:

?u?u?u?u?u?u?u?u
 
It will crack all 8 Letter passwords in CAPS.

Letter passwords - All lowercase

If your password is all letters in lowercase such as: abcdefgh or dfghpoiu or bnmiopty..etc. then you can use the following MASK:

?l?l?l?l?l?l?l?l
 
It will crack all 8 Letter passwords in lowercase. I hope you now know where I am getting at.

Passwords - Lowercase letters and numbers

If you know your password is similar to this: a1b2c3d4 or p9o8i7u6 or n4j2k5l6 ...etc. then you can use the following MASK:

?l?d?l?d?l?d?l?d

Passwords - Uppercase letters and numbers

If you know your password is similar to this: A1B2C3D4 or P9O8I7U6 or N4J2K5L6 ...etc. then you can use the following MASK:

?u?d?u?d?u?d?u?d

Passwords - Mixed matched with uppercase, lowercase, number and special characters.

If your password is completely random, then you can just use a MASK like the following:

?a?a?a?a?a?a?a?a
 
Note: ?a represents anything .... I hope you're getting the idea.

Read the rest of it here: Cracking WPA2 WPA with Hashcat in Kali Linux (BruteForce MASK based attack on Wifi passwords)