Tuesday, 31 December 2013

Nmap Port Scanner Basic Tutorial


Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

The purpose of this post is to introduce a user to the nmap command line tool for scanning a host and/or network in order to find potentially vulnerable points on the hosts. You will also learn how to use Nmap for offensive and defensive purposes.

Nmap has some basic options:

#1: Scan a single host or an IP address (IPv4)

### Scan a single IP address ###
nmap 192.168.1.1

### Scan a host name ###
nmap server1.cyberciti.biz

### Scan a host name with more info (verbose) ###
nmap -v server1.cyberciti.biz

Some more basic options:

  1. -sT : TCP Connect scan. Uses the connect() system call, so we can determine whether the port is open or not, but it is easy to detect by firewall/intrusion detection software.
  2. -sS : SYN stealth scan. Sends a SYN to begin the connection and then a RST to abort it, so no full connection is ever made. This is harder to detect.
  3. -sF, -sN, -sX : FIN, NULL and Xmas Tree scans. FIN sends only the FIN flag, NULL sets no flags at all, and Xmas Tree sets the FIN, URG and PUSH flags. These are used to evade detection by the target system.
  4. -sP : Ping scan. Uses ping to determine whether the target is online or not.
  5. -sU : UDP scan. Scans ports with UDP packets.
  6. -sO : IP protocol scan. Scans using raw IP packets.
  7. -sI : Idle scan, a more advanced scanning mode.
  8. -sV : Version detection.
  9. -sA : ACK scan.
  10. -sW, -sR, -sL : Window scan, RPC scan, List scan.
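The FIN, NULL and Xmas probes in item 3 are easy to recognise on the defending side because no normal TCP segment carries those flag combinations. The following added example (not part of the original post) classifies each TCP line of a constructed iptables-style firewall log by its flag set and counts stealth probes per source address; the log lines, addresses and the `stealth_probes` helper are all assumptions made for the demonstration.

```python
# Constructed iptables/netfilter-style log lines (not real captures); the kernel
# writes each set TCP flag as a bare token such as SYN, FIN, PSH or URG.
SAMPLE_LOG = """\
Dec 31 10:00:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40123 DPT=22 SYN URGP=0
Dec 31 10:00:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40124 DPT=23 URGP=0
Dec 31 10:00:03 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40125 DPT=80 FIN URGP=0
Dec 31 10:00:04 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40126 DPT=443 FIN PSH URG URGP=0
Dec 31 10:00:05 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def classify_flags(flags):
    """Map a segment's flag set to the nmap probe it matches, or None for normal traffic."""
    f = set(flags)
    if not f:
        return "null"          # -sN: no flags at all
    if f == {"FIN"}:
        return "fin"           # -sF: FIN alone (a genuine close also carries ACK)
    if f == {"FIN", "PSH", "URG"}:
        return "xmas"          # -sX: FIN, URG and PUSH lit up together
    return None


def parse_line(line):
    """Return (src, dport, flags) for a TCP log line, else None."""
    if "PROTO=TCP" not in line:
        return None
    tokens = line.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    flags = [t for t in tokens if t in TCP_FLAGS]   # "URGP=0" is a field, not a flag
    return fields.get("SRC"), fields.get("DPT"), flags


def stealth_probes(log_text, threshold=2):
    """Count null/fin/xmas probes per source; report sources at or above threshold."""
    counts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dport, flags = parsed
        kind = classify_flags(flags)
        if kind is None:
            continue
        per_src = counts.setdefault(src, {})
        per_src[kind] = per_src.get(kind, 0) + 1
    return {src: k for src, k in counts.items() if sum(k.values()) >= threshold}
```

A SYN-only segment is deliberately left unclassified: it is also what every ordinary connection attempt looks like, so a SYN scan has to be spotted by rate and port spread rather than by flags alone.
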

Not a fan of command line tools?

Try Zenmap, the official Nmap front end:

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly.

A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

Wednesday, 25 December 2013

SQL Injection Tutorial for Beginners

Although there are thousands of potential exploits designed to take advantage of improperly designed websites, SQL injection is by far one of the most effective, easiest, and far-reaching attacks. SQL injection attacks are reported on a daily basis as more and more websites rely on data-driven designs to create dynamic content for readers. These dynamic designs use MySQL or another database system which probably relies on SQL; thus making them vulnerable to attack.


Since a SQL Injection attack works directly with databases, you should have a basic understanding of SQL before getting started. SQL Database for Beginners is an excellent resource for those unfamiliar with Structured Query Language.

In this article, you will learn how to perform a SQL injection attack on a website. Please note that this article is for instructional purposes only. If you successfully breach a website that does not belong to you, you are in violation of federal law and could face incarceration and hefty fines. That said, it is useful to understand how SQL injection works so that you can prevent it from occurring on your own website.

What is a SQL Injection?

SQL injection is a code injection technique that exploits a security vulnerability within the database layer of an application. This vulnerability can be found when user input is incorrectly filtered for string literal escape characters embedded in SQL statements.

Although SQL injection is most commonly used to attack websites, it can also be used to attack any SQL database. Last year, a security company reported that the average web application is attacked at least four times per month by SQL injection techniques. Online retailers receive more attacks than any other industry with an online presence.

Picking a Target

The first step to performing a SQL injection attack is to find a vulnerable website. This will probably be the most time-consuming process in the entire attack. More and more websites are protecting themselves from SQL injection meaning that finding a vulnerable target could take quite some time.

One of the easiest ways to find vulnerable sites is known as Google Dorking. In this context, a dork is a specific search query that finds websites meeting the parameters of the advanced query you input. Some examples of dorks you can use to find sites vulnerable to a SQL injection attack include:

  • inurl:index.php?id=
  • inurl:trainers.php?id=
  • inurl:buy.php?category=
  • inurl:article.php?ID=
  • inurl:play_old.php?id=
  • inurl:declaration_more.php?decl_id=
  • inurl:pageid=
  • inurl:games.php?id=
  • inurl:page.php?file=
  • inurl:newsDetail.php?id=
  • inurl:gallery.php?id=
  • inurl:article.php?id=
  • inurl:show.php?id=
  • inurl:staff_id=
  • inurl:newsitem.php?num=

Of course, there are many others as well. The key component of these specialized search queries is that they all focus on websites that rely on PHP scripts to generate dynamic content from a SQL database somewhere on the backend of the server. You can learn more about advanced Google search techniques in Unleash Google Search.

Remember that a SQL injection attack can work on any SQL database, but PHP-based websites are usually your best targets because they can be set up by just about anyone (e.g. WordPress) and often contain lots of valuable information about customers within the database you are attempting to hack.

However, just because Google pops up with a result using these dorks does not mean it is vulnerable to attack. The next step is to test each site until you find one that is vulnerable.

Navigate to one of the websites you found. For this example, assume that one of the search results is http://www.udemy.com/index.php?catid=1. To find out if this site is vulnerable to SQL injection, simply add an apostrophe at the end of the URL like this:

http://www.udemy.com/index.php?catid=1'

Press enter and see what the website does. If the page returns a SQL error, the website is vulnerable to SQL injection. If the page loads normally, it is not a candidate for SQL injection and you should move on to the next URL in your list. Which specific errors you receive does not matter. As a general rule, if the website returns any SQL errors, it should be vulnerable to SQL injection techniques.

At this point, understanding SQL is even more important as you will begin manipulating the database directly from the vulnerable page. Practical SQL Skills is a solid resource for beginner and intermediate users.

Starting the Attack

After locating a vulnerable site, you need to figure out how many columns are in the SQL database and how many of those columns are able to accept queries from you. Append an “order by” statement to the URL like this:

http://www.udemy.com/index.php?catid=1 order by 1

Continue to increase the number after “order by” until you get an error. The number of columns in the SQL database is the highest number before you receive an error. You also need to find out which columns are accepting queries. You can do this by appending a “Union Select” statement to the URL. A union select statement in this URL would look like this:

http://www.udemy.com/index.php?catid=-1 union select 1,2,3,4,5,6

There are a couple of things to note in this example. Before the number one (after catid), you need to add a hyphen (-). Also, the number of columns you discovered in the previous step is the number of digits you put after the union select statement. For instance, if you discovered that the database had 12 columns, you would append:

catid=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12
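Every step above works only because the page pastes the `catid` parameter straight into its SQL text. The following added example (not code from the tutorial) reproduces that pattern against a constructed in-memory SQLite table and sets the hardened version beside it; the `articles` table, its rows and the helper names are assumptions made for the demonstration.

```python
import sqlite3

# The three URL payloads the tutorial walks through, as constructed inputs.
PROBES = ["1'", "1 order by 4", "-1 union select 1,2,3"]


def make_db():
    """Constructed in-memory stand-in for a site's backend table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, catid INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, 1, "Welcome"), (2, 1, "News"), (3, 2, "Archive")])
    return conn


def vulnerable_lookup(conn, catid):
    """The pattern the walkthrough depends on: the raw URL parameter becomes part of the SQL."""
    sql = "SELECT id, catid, title FROM articles WHERE catid=" + catid
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, catid):
    """Fix: reject anything but an integer, then bind it as a parameter so it is data, never SQL."""
    if not catid.isdigit():
        return []
    return conn.execute("SELECT id, catid, title FROM articles WHERE catid=?",
                        (int(catid),)).fetchall()


def leaks_sql_error(lookup, conn, catid):
    """True if a database error escapes for this input: the signal the apostrophe test looks for."""
    try:
        lookup(conn, catid)
        return False
    except sqlite3.Error:
        return True


def probe_report(lookup):
    """For each probe, 'error' if a DB error escapes, otherwise the number of rows returned."""
    conn = make_db()
    return {p: ("error" if leaks_sql_error(lookup, conn, p) else len(lookup(conn, p)))
            for p in PROBES}
```

Against `vulnerable_lookup` the apostrophe and the out-of-range `order by` both surface a database error and the `union select` returns the attacker-chosen row, which is exactly the behaviour the tutorial keys on; against `hardened_lookup` all three inputs simply return no rows, so the site gives the tester nothing to work with.
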

Exploiting the Database

At this point, you know what columns to direct your SQL queries at and you can begin exploiting the database. You will be relying on union select statements to perform most of the functions from this point forward.

The tutorial ends here. You have learned how to select a vulnerable website and detect which columns are responsive to your queries. The only thing left to do is append SQL commands to the URL. Some of the common functions you can perform at this point include getting a list of the databases available, getting the current user, getting the tables, and ultimately, the columns within these tables. The columns are where all of the personal information is stored.

If you are unfamiliar with using SQL commands to finish the exploit, you should study various commands before attempting a SQL injection attack. You can also check out Website Hacking in Practice for additional tips and tricks.

Using this information, you can search for vulnerabilities within your own websites and perform penetration testing for others. Remember that what you do with this information is solely your responsibility. Hacking is a lot of fun – but it doesn’t mean you have to break the law to have a good time.

Sunday, 22 December 2013

Ireland's new supercomputer

Ireland's new €3.7m supercomputer, which will quadruple the high powered computing resources previously available to scientists in the country, has been launched at an event in Dublin.

The machine, named Fionn, will be capable of running many different applications, and will enable researchers in Ireland to solve their scientific problems more quickly.

Fionn will be used for a whole range of scientific applications, including nano material discovery, medical device development, weather forecasting and renewable energy.

The 8,400 computer cores and 24 terabytes of RAM that make up the device are located in the Telecommunications Software and Systems Group data centre at Waterford Institute of Technology.

It will be managed and operated by the Irish Centre for High End Computing (ICHEC), which grants access to it through a process where applications for its use are peer reviewed and chosen by ICHEC's Science Council.

It will run non-stop for the next four years, providing around 295,000,000 hours of computation. €450,000 of the funding for the new computer has come from private industry, with the balance coming from Government through Science Foundation Ireland (SFI).