7 posts tagged 'attack'

  1. 2011.04.12 SQL injection PT tool - sqlmap 0.9 (update)
  2. 2010.03.31 EXEs in word docs
  3. 2010.01.15 PasswordsPro - hash cracking
2011. 4. 12. 18:56

SQL injection PT tool - sqlmap 0.9 (update)

“sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.”

This is the change log:

  • Rewritten SQL injection detection engine (Bernardo and Miroslav).
  • Support to directly connect to the database without passing via a SQL injection, -d switch (Bernardo and Miroslav).
  • Added full support for both time-based blind SQL injection and error-based SQL injection techniques (Bernardo and Miroslav).
  • Implemented support for SQLite 2 and 3 (Bernardo and Miroslav).
  • Implemented support for Firebird (Bernardo and Miroslav).
  • Implemented support for Microsoft Access, Sybase and SAP MaxDB (Miroslav).
  • Extended old '--dump -C' functionality to be able to search for specific database(s), table(s) and column(s), --search switch (Bernardo).
  • Added support to tamper injection data with --tamper switch (Bernardo and Miroslav).
  • Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack (Miroslav).
  • Added support to enumerate roles on Oracle, --roles switch (Bernardo).
  • Added support for SOAP based web services requests (Bernardo).
  • Added support to fetch unicode data (Bernardo and Miroslav).
  • Added support to use persistent HTTP(s) connection for speed improvement, --keep-alive switch (Miroslav).
  • Implemented several optimization switches to speed up the exploitation of SQL injections (Bernardo and Miroslav).
  • Support to test and inject against HTTP Referer header (Miroslav).
  • Implemented HTTP(s) proxy authentication support, --proxy-cred switch (Miroslav).
  • Implemented feature to speedup the enumeration of table names (Miroslav).
  • Support for customizable HTTP(s) redirections (Bernardo).
  • Support to replicate the back-end DBMS tables structure and entries in a local SQLite 3 database, --replicate switch (Miroslav).
  • Support to parse and test forms on target url, --forms switch (Bernardo and Miroslav).
  • Added switches to brute-force tables names and columns names with a dictionary attack, --common-tables and --common-columns. Useful for instance when system table 'information_schema' is not available on MySQL (Miroslav).
  • Basic support for REST-style URL parameters by using the asterisk (*) to mark where to test for and exploit SQL injection (Miroslav).
  • Added safe URL feature, --safe-url and --safe-freq (Miroslav).
  • Added --text-only switch to strip from the HTTP response body the HTML/JS code and compare pages based only on their textual content (Miroslav).
  • Implemented few other features and switches (Bernardo and Miroslav).
  • Over 100 bugs fixed (Bernardo and Miroslav).
  • Major code refactoring (Bernardo and Miroslav).
  • User’s manual updated (Bernardo).

Download sqlmap 0.9 (sqlmap-0.9.tar.gz/sqlmap-0.9.zip) here.

Source: www.pentestit.com

2010. 3. 31. 13:28

EXEs in word docs

Today, our friends at Trend Micro blogged about a new attack vector using Microsoft Word documents. We saw this as well last week, and have written a detection for the dropped trojan.

It’s not just a “lawsuit” that’s being spammed, we also picked up another form of this attack in our honeypots over the weekend:

When you open the Word document, you see a “PDF”, but it’s actually not. It’s a JPG, which links to an executable.

In Word 2007, it’s kind of like the Amish virus: The user has to really want to get infected.

Latest VirusTotal detection here.

Alex Eckelberry

Original: http://sunbeltblog.blogspot.com

2010. 1. 15. 19:40

PasswordsPro - hash cracking

Important! Using this software for purposes other than recovering your own lost passwords violates the License Agreement and may violate the law!

Program Description

This program is designed for the recovery of passwords from different types of hashes. The program currently supports about 30 types of hashes, and new ones can easily be added by creating a custom external hashing DLL module. The current list of available modules can be found on the software forum. The maximum number of hashes the application can work with simultaneously is 256.

List of supported hashes:

– MySQL5
– DES(Unix)
– MD2
– MD4
– MD4(Base64)
– MD5
– MD5(APR)
– MD5(Unix)
– MD5(Base64)
– MD5(phpBB3)
– MD5(Wordpress)
– MD5_HMAC($salt,MD5_HMAC($salt,$pass))
– SHA-1
– SHA-1(Base64)
– SHA-1(Django)
– SHA-256
– SHA-256(Unix)
– SHA-256(Django)
– SHA-256(md5($pass))
– SHA-256(PasswordSafe)
– SHA-384
– SHA-384(Django)
– SHA-512
– SHA-512(Unix)
– Haval-128
– Haval-160
– Haval-192
– Haval-224
– Haval-256
– Tiger-128
– Tiger-160
– Tiger-192
– RipeMD-128
– RipeMD-160
– Whirlpool
– RAdmin v2.x
– Lineage II C4
– Domain Cached Credentials
– md5(md5($pass))
– md5($pass.$salt)
– md5($salt.$pass)
– md5(sha1($pass))
– md5($hex_salt.$pass)
– md5(md5(md5($pass)))
– md5(md5($pass).$salt)
– md5(md5($salt).$pass)
– md5($salt.md5($pass))
– md5($salt.$pass.$salt)
– md5(md5($salt).md5($pass))
– md5(md5($pass).md5($salt))
– md5(md5($pass).$const_salt)
– md5($salt.md5($salt.$pass))
– md5($salt.md5($pass.$salt))
– md5($salt.md5($pass).$salt)
– md5(sha1(md5(sha1($pass))))
– md5($hex_salt.$pass.$hex_salt)
– md5($username.md5($pass).$salt)
– md5(md5($username.$pass).$salt)
– sha1(md5($pass))
– sha1($salt.$pass)
– sha1($pass.$salt)
– sha1($username.$pass)
– sha1($salt.sha1($pass))
– sha1($username.$pass.$salt)
– sha1($salt.sha1($salt.sha1($pass)))

Note: All hashing modules are located in the \Modules subfolder of the software installation archive and can be imported through the program settings menu ("Hashing modules" tab).

Program Features

– Password recovery using the following methods:
       • Preliminary attack
       • Brute force attack (including distributed attack)
       • Mask attack
       • Simple dictionary attack
       • Combined dictionary attack
       • Hybrid dictionary attack
       • Rainbow attack
– Recovery of passwords of up to 127-character length
– Recovery of passwords for incomplete hashes of any type
– User hash editor
– Searching data on the list of imported users
– Quick-add hash using a dialog box
– Quick-add hashes from Clipboard
– Quick-check current password for all imported users
– Support of character replacement tables for hybrid dictionary attack
– Unlimited number of dictionaries available for dictionary attack
– Unlimited number of tables available for Rainbow attack
– Unlimited number of users with hashes (in the licensed version)

Data Import

User hashes can be imported in the program using one of the following methods:

• Import from PasswordsPro format files (*.Hashes-files).

• Import from text files with hashes given in the following format:
        Login:Hash:Salt(or HMAC-key):Password:Comment
The software installation archive includes test files with all types of supported hashes given in this format.

• Using dialog box.

• From Clipboard.

Data Export

The application allows saving current user and hash list to the file of the application's internal format (*.Hashes-files), as well as exporting the data to a text or HTML file.

Password Recovery

- Preliminary Attack

This type of attack is a quick check of the user hashes against simple passwords like "123", "qwerty", "99999", etc., as well as against passwords found earlier and stored in the "PasswordsPro.dic" file.

- Brute Force Attack

This type of attack is an exhaustive check of all possible password values.

The brute force attack also includes the distributed attack, which allows using several computers for the recovery of passwords by spreading the computation load among them. Distributed mode is enabled automatically when the user specifies more than one computer for the attack; the range selection feature then becomes available for the current computer. To start a distributed attack:

1. Run this program on several computers.
2. Choose how many computers are to facilitate the attack.
3. Set the same attack options on all computers that are to facilitate the attack.
4. Choose an individual password range for each of the computers.
5. Launch brute force attack on all computers.

- Mask Attack

This type of attack is used when the user has partial information about the lost password. For example:
– the password begins with the character combination "12345";
– the first 4 characters of the password are digits, the others are Latin letters;
– and so on.

For that purpose, define the mask for every character of the password to be recovered in the mask attack settings. Symbolic notations of standard or custom character sets – ?u, ?d, ?2, etc. – are used as mask characters (see the Character sets tab in program options).

- Simple Dictionary Attack

This type of attack tries to find a password matching the hash in text files (dictionaries).

- Combined Dictionary Attack

This type of attack checks passwords built from several words taken from different dictionaries, which allows recovering compound passwords such as "superadmin", "admin*admin", etc.

- Hybrid Dictionary Attack

This type of attack modifies passwords taken from the dictionaries (for example, converting the password to upper case, appending '1' to the end of the password, etc.) and checks the results as user passwords. The operations applied to the source passwords are the so-called "rules"; the full list of rules can be found in the "Rules.txt" file in the software installation archive.

- Rainbow Attack

This type of attack uses the Rainbow technology (http://project-rainbowcrack.com/) for creating pre-calculated tables.

The software includes the following plugins:

Hash Generator – generates any hash of types supported by the program.

Password Generator – generates random passwords with specified parameters.

Dictionary Generator – generates dictionaries of passwords from specified ranges and performs other functions related to dealing with dictionaries – sorting, merging, etc.

Text Converter – converts text from Base64 to plain text format and vice-versa.

Hidden Passwords Recovery – recovers text hidden behind asterisks.

System Information – displays overall system information.

Password Sender – sends recovered passwords to websites.

The application can also be extended with new plugins that carry out the functions you need. To create one, read ReadMe.chm in the \Plugins\API folder of the application distribution; the same folder contains a ready plugin template written in Microsoft Visual C++.

Command Line Parameters

The application supports the following command line parameters:

/config:filename – loads an INI-file other than PasswordsPro.ini.

/auto – automatically launches current attack and exits when the attack is completed.

These parameters allow some automation of routine work using batch files (BAT). Do the following:

1. Create several INI-files with different names for different types of attack.
2. Create a BAT-file, for instance, containing (for Windows 2000/XP):
        PasswordsPro.exe /auto /config:Preliminary.ini
        start /w PasswordsPro.exe /auto /config:DictSimple.ini
        start /w PasswordsPro.exe /auto /config:DictHybrid.ini
        start /w PasswordsPro.exe /auto /config:BruteLatin.ini
        start /w PasswordsPro.exe /auto /config:BruteNumber.ini

3. Run the created BAT-file.

Note: This mode assumes no user intervention and therefore displays no messages (neither on completion of the attack nor on errors that occur). Termination of the current attack closes the program and launches the next attack.

Program Status

PasswordsPro is Shareware.
The personal license fee is €39.95.

To learn more about licensing options and purchasing license key, please visit this page.

Demo Version Restrictions

Maximum number of users that can be imported: 1.

License Agreement

1. All rights for PasswordsPro are reserved to InsidePro Software.

2. The software is distributed as Demo, without any restrictions on the length of the evaluation. You may also copy and redistribute the unchanged distribution of the Demo edition on any data mediums (hard disk, floppy disk, CD-ROM, etc.).

3. To remove all restrictions from the software, you must register your copy of the software by purchasing and then entering a license key (or several license keys) in the application.

4. The use of license keys by any person not registered as an authorized user of the software, and the distribution or publication of license keys, are illegal. The author of the software reserves the right to revoke the registered user status from such key owners and to block the revoked keys in future versions of the software.

5. You shall not modify, disassemble or decompile this software. The violation of this provision in any part shall lead to the immediate termination of this license agreement.

6. The software is provided "AS IS". You use this software at your own risk. Under no circumstances shall the author be held liable for any data loss or damage, lost profits or any other damages caused by using or not using this software.

7. The author guarantees that the software does not contain harmful code, spyware or any other code designed to perform functions other than those stated in the Program Description.

8. Using the software shall indicate your acceptance of this license agreement.

9. If you do not wish to be bound by these terms, delete all files of this software from your computer and stop using this software.


Q1: I have hash "XXXYYYZZZ". What is its type (i.e. hashing algorithm)?
A: Here are some types of hashes supported by PasswordsPro (or by other applications):
      • if the hash begins with the "$1$" signature, it is usually an MD5(Unix) hash.
      • if the hash begins with the "$apr1$" signature, it is usually an MD5(APR) hash.
      • if the hash is 8 bytes long, it may be a MySQL hash or a longer hash, for instance MD5, truncated to 8 bytes.
      • 16-byte hashes are usually:
          – MD4, MD5 and other hashes
          – some salted hashes like md5(md5($pass).$salt)
          – some composite hashes like md5(md5($pass)), etc.
      • if the hash is 20 bytes long, it may be a SHA-1 or a MySQL5 hash.

If the hash type is unknown, you can try to work out the algorithm used by the program that created the hash, for example by analysing the source code of the PHP script that uses it.

You can always check the look of any hash using the Hash Generator service that recognizes over 100 types of hashes.

Sometimes a hash may be Base64-encoded and will have to be decoded before it can be analysed precisely. The above-mentioned service or an appropriate utility can help you with that as well.
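As an added example (not part of the PasswordsPro documentation), here is a small Python parser for the Login:Hash:Salt:Password:Comment import format from "Data Import", with the configurable field delimiter of Q15/Q20, that labels each hash with the Q1 heuristics above. The sample lines, logins and digest values are constructed, and the "*" prefix test for MySQL5 is an addition the FAQ does not state.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the Login:Hash:Salt:Password:Comment format from
# "Data Import" above; logins, salts and digest values are made up.
SAMPLE_IMPORT = """\
alice:$1$Zx9kQ2Lm$3X8Jk5hs/VP1lH9MaIbpT/:::md5(unix) style
bob:$apr1$ab12cd34$9qlk.n4FqJ1D2kYwZbbB30:::htpasswd style
carol:5d41402abc4b2a76b9719d911017c592:::32 hex characters
dave:*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29:::mysql5 style
erin:XUFAKrxLKna5cZ2REBfFkg==:::carol's digest, Base64
frank:7c4a8d09ca3762af61e59520943dc26494f8941b:::40 hex characters
grace:43e9a4ab12cd34ef:::16 hex characters
"""
# Same format, TAB-delimited (Q15/Q20), so a salt may itself contain ':'.
SAMPLE_TAB = "heidi\t5d41402abc4b2a76b9719d911017c592\tab:cd\t\tsalt has a colon\n"

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

@dataclass
class HashRecord:
    login: str
    digest: str
    salt: str
    password: str
    comment: str
    guess: str

def hash_byte_length(h: str) -> Optional[int]:
    """Raw digest length for a hex or Base64 string, else None. Q1 notes a
    Base64 hash must be decoded before its length means anything."""
    if HEX_RE.match(h) and len(h) % 2 == 0:
        return len(h) // 2
    if B64_RE.match(h) and len(h) % 4 == 0:
        try:
            return len(base64.b64decode(h, validate=True))
        except ValueError:
            return None
    return None

def guess_hash_type(h: str) -> str:
    """The Q1 signature and length heuristics. The '*' + 40 hex test for
    MySQL5 is an addition; the FAQ only gives its 20-byte length."""
    if h.startswith("$1$"):
        return "MD5(Unix)"
    if h.startswith("$apr1$"):
        return "MD5(APR)"
    if h.startswith("*") and len(h) == 41 and HEX_RE.match(h[1:]):
        return "MySQL5"
    size = hash_byte_length(h)
    if size == 8:
        return "MySQL (old) or a longer hash truncated to 8 bytes"
    if size == 16:
        return "MD4/MD5 family (possibly salted or nested)"
    if size == 20:
        return "SHA-1 or MySQL5"
    return "unknown"

def parse_import(text: str, delimiter: str = ":") -> List[HashRecord]:
    """Split each non-empty line into the five fields (missing trailing
    fields become empty) and attach the hash type guess."""
    records: List[HashRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(delimiter, 4)
        parts += [""] * (5 - len(parts))
        login, h, salt, password, comment = parts
        records.append(HashRecord(login, h, salt, password, comment,
                                  guess_hash_type(h)))
    return records
```

Parsing SAMPLE_TAB with the default ':' delimiter shows the Q15 failure (the colon inside the salt splits the line in the wrong place); passing "\t" as the delimiter fixes it.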

Q2: If it's so easy to calculate the hash for my password, why can't I recover the password from the hash?
A: A hashing algorithm is essentially the calculation of a checksum over the source text, built from one-way operations on the source message, such as AND. For example, even if we know Y and Z in the equation "X AND Y = Z", we still cannot find the exact value of X (at most we can determine the range of possible X values that satisfy the equation). That is one reason why the inverse transformation "hash -> password" is impossible (in theory you could enumerate the range of possible source passwords, but in practice this is infeasible). The second reason the source password cannot be found precisely from a hash is the issue of collisions.

Q3: What are "collisions"?
A: Since the set of output values (all possible hashes) of any hashing algorithm is limited by the hash size (for example, the number of possible MD5 hashes is 2^128, about 3.4*10^38 values), while the number of input values (source messages) is unlimited, there must be different source messages with the same hash. Such source messages are called collisions.

Q4: What are "salt" and "salted hashes"?
A: A salt is used mainly to ensure that users with the same password have different hashes. A salt is usually a string of 4...8 random characters that is mixed into the hashing of the user password and is stored either together with the final hash (MD5(Unix) hashes, for example, do this) or separately.

Q5: Why are salted hashes recovered at such a low speed?
A: Here is how it works. When forcing regular (non-salted) hashes, the hash of the current candidate password is computed once and then compared with every target hash. For salted hashes, the current candidate must be hashed separately for every user, since each user has a different salt. Naturally, the attack speed drops as the number of users grows.

Q6: Why are MD5(Unix) and MD5(APR) hashes recovered so slowly?
A: Because both algorithms use a 1000-iteration hash generation cycle, where each iteration involves 2 to 4 regular MD5 operations. So the attack speed for such hashes is thousands of times lower than for regular MD5 hashes.
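An added Python illustration (not the vendor's code) of the points in Q4 to Q6: the same password gives equal unsalted hashes but distinct md5($salt.$pass) hashes, checking an unsalted list costs one hash per candidate while a salted list costs one per candidate per user, and an iteration count multiplies that cost again. Users, salts and candidates are constructed, and the `rounds` loop is a simplified stand-in for the MD5(Unix) cycle, not that algorithm.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data (made up for this example): two users share the
# password "qwerty", and every user has a different salt.
PASSWORDS = {"alice": "qwerty", "bob": "letmein", "carol": "qwerty"}
SALTS = {"alice": "Zx9k", "bob": "Qp7s", "carol": "M3ra"}
CANDIDATES = ["123456", "qwerty", "letmein", "admin"]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def salted_hash(salt: str, password: str, rounds: int = 1) -> str:
    """md5($salt.$pass) from the format list above, re-hashed `rounds`
    times. The loop is a simplified stand-in for the 1000-iteration cycle
    Q6 describes for MD5(Unix)/MD5(APR); it is not that algorithm."""
    digest = md5_hex((salt + password).encode())
    for _ in range(rounds - 1):
        digest = md5_hex(digest.encode())
    return digest

def unsalted_store(passwords: Dict[str, str]) -> Dict[str, str]:
    return {login: md5_hex(pw.encode()) for login, pw in passwords.items()}

def salted_store(passwords: Dict[str, str], salts: Dict[str, str],
                 rounds: int = 1) -> Dict[str, Tuple[str, str]]:
    return {login: (salts[login], salted_hash(salts[login], pw, rounds))
            for login, pw in passwords.items()}

def check_unsalted(candidates: List[str],
                   store: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Q5, unsalted case: hash each candidate once and look it up against
    every user at the same time. Returns (login -> password, md5 calls)."""
    by_hash: Dict[str, List[str]] = {}
    for login, digest in store.items():
        by_hash.setdefault(digest, []).append(login)
    found: Dict[str, str] = {}
    work = 0
    for cand in candidates:
        work += 1
        for login in by_hash.get(md5_hex(cand.encode()), []):
            found[login] = cand
    return found, work

def check_salted(candidates: List[str], store: Dict[str, Tuple[str, str]],
                 rounds: int = 1) -> Tuple[Dict[str, str], int]:
    """Q5, salted case: each candidate must be hashed again for every user
    because the salt differs; `rounds` multiplies that cost (Q6)."""
    found: Dict[str, str] = {}
    work = 0
    for login, (salt, digest) in store.items():
        for cand in candidates:
            work += rounds
            if salted_hash(salt, cand, rounds) == digest:
                found[login] = cand
                break
    return found, work
```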

Q7: I've been recovering a password for several days already, but still can't find it. Why?
A: Since the inverse transformation hash -> password is impossible, the only way to recover the password is to compare the given hash with hashes generated from every password being checked. So combinations of different attack types and settings have to be tried. For example, you may spend a long time brute-forcing a password with the "a...z" alphabet while the sought password is numeric. So if you cannot find your password, that does not mean it is very complex: it may be short but have a space at the end, or long but simple (like "administrator12345") and recoverable in a few minutes with the hybrid attack, and so on. However, your hash may really correspond to a complex password (like "tGEa+.]W\Z$C"). Unfortunately, such passwords are almost unrecoverable.

Q8: What's the application area of hashes suffixed with [PHP] in external modules?
A: You can find that out by using the "About module" function from the "Hashing modules" tab in the program options. Note: the [PHP] suffix means that the syntax of these algorithms matches PHP-code, where they are mostly used.

Q9: What is "dictionary" and where can it be obtained from?
A: A dictionary is a text file that contains possible user passwords (one password per line). Such files may contain frequently used passwords ("admin", "master", etc.) as well as passwords from a required character range ("1111" – "9999"), which can be generated by the "Dictionary Generator" plugin. You can always find dozens of megabytes of such dictionaries here.

Q10: What are the "symbol replacement tables" in the hybrid dictionary attack?
A: These tables (*.KBT files) are text files in which users specify which characters of the passwords being checked are to be replaced with other characters. This is useful for users in non-English-speaking countries with two keyboard layouts, English and national: native-language passwords may have been typed in the English layout or, vice versa, English words typed with national characters. The installation archive includes the "Russian.kbt" file, which contains tables for the Russian keyboard layout.

Q11: What order do you recommend for recovering user passwords from hashes?
A: It's recommended to recover passwords for hashes in the following order:
       – Preliminary attack
       – Simple dictionary attack (with a large number of dictionaries)
       – Hybrid dictionary attack (with a small number of dictionaries)
       – Brute force attack with the "0...9" alphabet for 8-9 character depth
       – Brute force attack with the "a...z" alphabet for 7-8 character depth
       – Brute force attack with all available alphabets for 4-6 character depth
       – Brute force attack with "0...9" and "a...z" alphabets for 7-8 character depth
       – Combined dictionary attack
Certainly, if you have Rainbow-tables, the Rainbow attack should also be used. Also, if you've got any information about the password, use the mask attack.

Q12: How to use custom character sets?
A: Custom character sets are used mainly in mask attacks. For instance, if you know that the first 5 characters of the password are digits or capital Latin letters, you can type "?d?u" in the "?4:" field (or simply enter the whole alphabet to use: "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"), then describe the first 5 characters in the mask as ?4?4?4?4?4.
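An added example, not from the page or the vendor: a Python keyspace calculator for the mask syntax used in Q12 and in the mask attack section (custom sets such as "?4" defined as "?d?u"), extended to the brute-force stages of the Q11 recommended order so that the reason for that order (smallest keyspace first) can be checked. The ?l and ?s built-in sets are assumed in the usual mask-attack style; the page itself only names ?u and ?d.

```python
from typing import Dict, List

# Built-in character sets. The page names ?u and ?d; ?l and ?s are assumed
# here in the usual mask-attack style and are not taken from the page.
BUILTIN: Dict[str, str] = {
    "?l": "abcdefghijklmnopqrstuvwxyz",
    "?u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "?d": "0123456789",
    "?s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}

def expand_charset(spec: str, custom: Dict[str, str]) -> str:
    """Expand a character-set definition such as "?d?u" (built-in and
    custom tokens) or a literal alphabet into its distinct characters."""
    chars: List[str] = []
    i = 0
    while i < len(spec):
        token = spec[i:i + 2]
        if token in BUILTIN:
            chars.extend(BUILTIN[token])
            i += 2
        elif token in custom:
            # drop the token being expanded so a self-reference cannot loop
            nested = {k: v for k, v in custom.items() if k != token}
            chars.extend(expand_charset(custom[token], nested))
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(chars))

def mask_keyspace(mask: str, custom: Dict[str, str]) -> int:
    """Number of candidates described by a mask such as "?4?4?4?4?4";
    any other character is a fixed literal and contributes one choice."""
    total = 1
    i = 0
    while i < len(mask):
        token = mask[i:i + 2]
        if token in BUILTIN or token in custom:
            total *= len(expand_charset(token, custom))
            i += 2
        else:
            i += 1
    return total

def brute_force_keyspace(alphabet: str, min_len: int, max_len: int) -> int:
    """Candidates an exhaustive search over lengths min_len..max_len tries."""
    n = len(set(alphabet))
    return sum(n ** k for k in range(min_len, max_len + 1))

def q11_stage_keyspaces() -> Dict[str, int]:
    """Keyspaces of the four brute-force stages, in the Q11 order."""
    digits, lower = BUILTIN["?d"], BUILTIN["?l"]
    everything = "".join(BUILTIN.values())
    return {
        "0...9, length 8-9": brute_force_keyspace(digits, 8, 9),
        "a...z, length 7-8": brute_force_keyspace(lower, 7, 8),
        "all alphabets, length 4-6": brute_force_keyspace(everything, 4, 6),
        "0...9 + a...z, length 7-8": brute_force_keyspace(digits + lower, 7, 8),
    }

def hours_at(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given hash rate."""
    return keyspace / hashes_per_second / 3600
```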

Q13: I would like to translate the program interface to my native language. How can I do that?
A: You can translate the program interface to your native language, but you will also have to support and promptly update your LNG-file on your own in the forum on the software website. So, to do that:
       – Visit the PasswordsPro forum – the program interface could be already translated to your language.
       – Create the "English.lng" file (or "Russian.lng" file) using program options menu and translate it to your language.
       – Host that file on your website, FTP-server or one of file hosting servers on the Internet.
       – Create a new topic in the program forum and post the link to the translated LNG-file there.
As new versions are released (you can track new releases by signing up to the InsidePro project news mailing list) you will need to timely update your LNG-file and update the link on the forum. Certainly, your translation may be rewarded by a free license key to the program.

Q14: What are Rainbow-tables and how can they be used for password recovery?
A: Find the detailed information on Rainbow-tables here. You can use the rtgen or Winrtgen programs to generate such tables. To recover passwords this way, import the list of *.RT-files in the program and select table attack. Certainly, the type of hashes in the tables must match the type of hashes selected for the attack.

Q15: I am importing a list of salted hashes containing the ':' character, and the program fails to split the source lines into fields properly. How should I import such hashes into the program?
A: Exactly for such situations there is a menu option to set the character used as the field delimiter in user hash lines (':' is the default character). You can also change the character used to split fields when exporting user hashes.

Q16: During a dictionary attack, the program reports attack completion while the dictionary hasn't been processed completely. Why?
A: That happens when a service character is found in the dictionary. The program interprets some of these characters as the end of the file (EOF) and stops working with the dictionary; an example is the 0x1F character, which can be left in the file when several files are concatenated with the DOS COPY command. So it is recommended to weed such characters, as well as tab characters, empty lines, etc., out of dictionaries before they are used. Note: to sort dictionaries and remove empty lines and duplicate passwords you can use the "Dictionary Generator" plugin.

Q17: During the Rainbow attack, the program reports "Can't open charset configuration file!" and halts the attack. What is this file, where can I get it, and what is it needed for?
A: This file contains the character sets (such as "alpha" (A...Z), "numeric" (0...9), etc.) used for generating Rainbow-tables and for recovering passwords with such tables. The installation archive contains the "Charset.txt" file with the 25 most frequently used character sets; you can always add your own sets to this file.

Q18: I would like to write my own hashing module to recover passwords for my hashes using your program. How can I do that?
A: If the program does not support the type of hashes you need, you can write your own hashing module in any programming language as a DLL library with several exported functions (see the ReadMe.chm file in the \Modules\API folder of the program installation archive), but you will have to update and support it on your own through the forum on the software website. You can base it on the sample module whose Microsoft Visual C++ .NET 2003 sources are included as an example in the program archive. Certainly, the creation of a new module for the program can be rewarded with a free license key.

Q19: I am importing an old-version *.Hashes-file (or copying an old-version PasswordsPro.ini into a new-version folder). Why does the program display hash types incorrectly, or why are the program options different from those set in the previous version?
A: The format of *.Hashes and *.ini files (as well as other work files created by the program) may differ from one version to another for many reasons; for example, after optimization of the parameters saved to an *.ini-file, or after changing the list of supported hashes, etc. So it is strongly recommended to use *.Hashes and *.ini files created by the version of PasswordsPro that you currently use. Hashes created with older versions of the software can be imported through text files.

Q20: Can the TAB character or any other character with the ASCII code below 32 be used as delimiter when importing hashes?
A: Yes, you can use any character, even one with an ASCII code below 32 (tab, line feed, etc.), and there are two ways to do that:
1. Copy the TAB character (for example) to the clipboard and paste it into the application settings. It will appear as a square, but it will do the job.
2. In the PasswordsPro.INI file, find the DlgOptionsMore section, and in the EditBox1 parameter set the ASCII code of the field delimiter character. For example, for the TAB character those lines would be:

Source: http://www.insidepro.com
