http://blog.gdssecurity.com/labs/2010/8/10/constricting-the-web-the-gds-burp-api.html

I wrote a simple script to use the API to parse the Burp proxy logs and send it to SQLMap to automate testing SQL injection for all GET and POST parameters and skip all urls without any parameters.

1. Clone the GDSSecurity burpee repository git clone https://github.com/GDSSecurity/burpee.git

2. Download burpSQL.py from https://github.com/milo2012/burpSQL into the burpee folder

3. Next, we will have to configure logging in Burpsuite

4. Change the proxy settings of your browser to 127.0.0.1:8080

5. Crawl the website with Owasp Ajax Crawling tool or spider with Burpsuite or the manual way.

Below are the command line options for burpSQL

6. The above is pretty self explanatory.  If your Burp proxy log is cluttered with urls from multiple domains, you can filtered the SQL injection testing to specific domains using the –domain switch.

Drop me a message if you have any suggestions or comments.  Thank you !

As mentioned in the post, this works on Windows Vista and 7.

I have written a BeEF module called “Get Wireless Keys” which automates the process of robbing the victim of the wireless keys using a signed Java applet.

Follow the steps listed on https://github.com/beefproject/beef/wiki/BeEF-and-Backtrack-5  in order to download BeEF.  My module is now available in the repo.

If you are new to BeEF, you can find some video tutorials here. https://github.com/beefproject/beef/wiki

This will act as a bridge to allow hacking beyond the browser as you will easily be able to compromise other systems in the network once you  connect to the victim’s wireless networks using the stolen wireless keys on your computer.

Upon launching the module against the victim, the victim will get a popup on his browser.  The victim would need to click “Run” in order for this to work.

You will see the below output in the console of BeEF. This means that the victim’s has executed the java applet and the applet has returned some results.

In the below screen shot, it shows that the wireless profiles on the victim’s computer has been saved to /pentest/web/beef/exported_wlan_profiles.xml

The next thing that we need to do is to import the wireless into your Windows Vista/7 computer.

You should be able to connect to the wireless networks that have been saved on the victim’s computer without any password prompts.

You might want to use this module together with “get physical location” module that I have written to identify the actual location of the wireless access point that the victim use in his home or office.

Thats if you are within close proximity to the victim. If not, this module is useless to you.

Alternatively, you could mass mail to all emails address that you can find that belong to a domain with the link to beef.

If you are using Preshared Keys instead WPA/WPA2 enterprise in your organisation, then all you need is one person in the organization to click Run to the Java Applet alert popup to get pwned.

Please feel free to leave me your comments or follow me on twitter at @keith55.

1.  Meanwhile, you can download the file attached  and copy and extract the files to /pentest/web/beef/modules/host/ .   After that, you should be able to access the module in BeEF as shown in the below screenshot.

2.  The user will receive the below popup in their web browser.   You can change the name of the Java applet to something more discrete as compared to what I have named.

Within seconds, you should be able to get the geolocation of the remote user.

You can download the BeEF module via one of the below links if you do not want to wait for it to be committed to the repository.

https://www2.dropbox.com/sh/cxpafqhpscszfoe/8bGfta5G5W/get_physical_location.zip

I will be doing a write up about the things I learn about writing BeEF module with Java applet integration in the next couple of days.

I hope it can help other people who are just getting started with BeEF development.

Let me know if you would have any suggestions.   Thanks !

Using Tamper This (Firefox Addon), I am able to find out the information that is passed to Google. Yes, I was too lazy to look up Google’s geolocation APIs

.

It seems that the browser is passing information about neighboring wireless access points to Google.

The information that are passed to Google include BSSID, SSID and RSSI (Received Signal Strength Index) of the access points.

Using these information, Google is able to pinpoint your location accurately.

Sometimes it is useful to find out the an accurate location of a remote target especially when geolocation identification using IP address is vague.

We can hide and run this inside in a Java applet.. No one clicks RUN on a Java applet right?

Currently, the applet outputs the below information to the Java console. It can be modified to send the information to a remote location instead.

What the applet does is that it runs the below system commands to gather information about the access points and pass it to Google so that we can determine your Geolocation accurately.

Below are the system commands that are called by the Java applet to gather the information required.

1. Windows

netsh wlan show networks mode=bssid

2. Mac

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s

The applet works on a Mac / Windows OS for now.

The below is the actual URL which retrieves the longitude and latitude based on the access point information

https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true&wifi=mac:[mac_address]|ssid:[ssid_name]|ss:[rssi]&wifi=mac:[mac_address]|ssid:[ssid_name]|ss:[rssi]

The below query string is passed to Google to retrieve the Street Address using the GPS longitude and latitude.

https://maps.google.com/maps?q=[longitude],[latitude]&iwloc=A&hl=en

This attack can be made more persistent in future by modifying the Applet to install an agent remotely on the target and then reporting back to the control centre with the updated gps location even after the user had closed the browser.

If you are starting to get paranoid over Wifi, please use the good old LAN cable and disable your wireless card.
You can install QuickJava and NoScript add-ons in Firefox to disable Java, Javascript, Flash, Silverlight and all other goodness from your browser.

But by doing so, you probably will realize that you aren’t able to access 2/3 of the internet after doing so.

I am looking into submitting this to #beefproject in the near future once I fixed some bugs in my #beef module. I suck at #beef.

You can download the files via this link http://flashmirrors.com/files/19vzwqlffpij9rf/getGPSLocation.zip

If you are just interested in the source file, you can get it from here http://pastebin.com/zKENyhXv

[Updated:  A windows executable version of the program has been uploaded to http://flashmirrors.com/files/0t0rjparbzcaxfc/getGPSLocationWin.zip]

It is easier to learn about SQL injection for Microsoft Access using Microsoft Access because it is easier to visualize for beginners.  I have included screenshots to help beginners like myself to learn about SQL Injections.

There are a few useful links about SQL Injection for Microsoft Access
1.  http:/www.insomniasec.com/publications/Access-Through-Access.pdf  <- You should never hack Microsoft Access without this document.
2. http://www.krazl.com/blog/index.php/ms-access-sql-injection-cheat-sheet/
3. http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html  <- Very useful list of column and tables names that you can use for brute-forcing
4. http://seclists.org/pen-test/2003/May/74  <- Some nifty tricks here.

Reference Table for Microsoft Access SQL Injection

Steps for SQL Injection for Microsoft Access

1. Terminate the input string with a single ‘ or double quote “
2. Find out the number of columns in the current table. Refer to (2) in table.
3. Extract the valid column names from the SQL injection.  Refer to (3) in table.
4. If Step (3) doesn’t work, extract the first column name of the current table.  Refer to (4) in table.
5. Brute force the table names.  Refer to (10) in table.
6. Brute force the column names.  Refer to (11) in table.
7. Retrieve The Length of the Data in X Column.  Refer to (6) in table.
8. For simple websites, you can use (e.g. UNION SELECT null, null, [column_name], null from users to extract the values).  Not all columns will return the value in a UNION SELECT.  It all depends on the data type of the original column.   You might want to shift the [column_name] around until you get a valid data output on the website.
9. In a blind SQL injection,  you can use one of the methods mentioned in (7) and (8) to extract the data from the database.

Login Bypass

Prerequisites:                     Username, Number of Columns in Table and Table Name

In some cases, the SQL injection login bypass command (‘ or 1=1)doesn’t work.

This is when the SQL statement below becomes useful.

Get the Number of Columns in an Access Table

Prerequisites:              None

The below SQL command can be used to derive the number of columns in a MSAccess table.

You will increase the number after ORDER BY until you receive an error.  The number before you receive the error is the total number of columns in the current table.

The group by command also can be used to retrieve the column names.  However, the group by command doesn’t work if the SQL statement contains SELECT *

You will be able to retrieve all the column names in the SQL statement if the SELECT statement doesn’t contain *

Retrieve the Data in the Column  / Row of the Access Table

Prerequisites:  Column and Table Name

The below command uses the “IIF” keyword and checks if the first character of the word in the first column and row matches the character “m”.

Retrieve the Data in the Column  / Row of the Access Table

Prerequisites:  Column and Table Name

The below command uses the “IIF” keyword and checks if the first character of the word in the first column and row matches the character “m”.

Since the query returns some results, it means that the first character of the word in the first column and row matches the character “m”.

The below command uses the “IIF” keyword and checks if the first character of the word in the first column and row matches the character “Y”.

Since the query doesn’t return any results, it means that the first character of the word in the first column and row matches the character “Y”.

Get The First Column Name from the Current Table

Prerequisites:                      None

We are able to reveal the first column of the table using the below SQL statement.  For the other columns, you will have to brute force them using a word list

Retrieving the Data Type of the Colum

Prerequisites:                      Column and Table Name

Using the below statement, you can reveal the type of the column.  However, you will need to know the table name and column name in order for this statement to work

The below command checks the date type of the column “username”.

The below command checks the date type of the column “username”.

The below command checks the date type of the column “username”.

The below command checks the date type of the column “id”.

Using the IF ELSE keyword in the below SQL statement, we can infer the answers to our questions by asking the access database ‘Yes’ or ‘No’ type of questions.

The below statement checks to see if the data type of username is “long”.  If the data type is long then results will be returned.   If not, the results would be blank.

How to Check if The Access Database is Sandboxed

Prerequisites:                     None

If the JET engine is sandboxed, you will not be able to use unsafe commands like curdir().  In order to test whether the Jet engine is sandboxed, you can type in the below statement

Microsoft JET 3.51 SP2/SP3 and Windows NT SP6a (MS JET 3.51.0623.4) does not provide sandboxing.

You can refer to http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B294698&Product=acc for a list of safe and unsafe functions that you can/cannot use.

Retrieve the List of Tables in the Access Database

You might be able to get a list of tables that are on the access database using the below command

However, you might not be able to access this outside MS Access.

Retrieve The Data In the X Column and X Row

Prerequisites:                     Column and Table Name

In order to find the username in the 3^rd row, the below SQL statement would be used.

Retrieve The Length of the Data in X Column

Prerequisites:                     Column and Table Name

To check if the length of the first string in the username column, we would use the below SQL statement

Retrieving the Columns in a Table

Prerequisites:                     If the SELECT statement doesn’t use * under the Column Selection portion of the SQL statement

If the column selection in the SELECT statement is not using * but using the column names instead, we will able to force MSAccess to reveal the column names by using Group By 1 Having 1=1 statement

As shown in the below screenshot, the first column in the SQL statement has been revealed

We append the previously found column ‘username’ to the SQL statement in order to reveal the name of the next column,  If you no longer receive any alerts, that means that you have uncovered all the column names in the SQL statement.

Check if A Table Exists

Prerequisites:                     None

 You can use the below command to brute force for valid table names

The M1 free sms website is available at http://msgctr.m1.com.sg/guest/index.jsp

The website is ‘protected’ from abuse by a very simple captcha.

The script is pretty much self explanatory and is now available on pastebin.com http://pastebin.com/31NXHGYn

You can also crack the captcha using Tesseract which is the de facto tool for cracking captchas.

However, I have used the font recognition services on http://new.myfonts.com/WhatTheFont for this purpose due to the below reasons
1. This is a very simple captcha
2. The success rates are higher than an untrained tesseract 3.0
3. I do not have to find the font that the captcha is using (required to train tesseract for recognizing the characters in the captcha)

As shown in the below screenshot, MyFonts is able to detect the characters in the captcha accurately which is perfect for cracking the captcha on M1′s sms website.

Please do not abuse the free sms service on M1′s website. It is illegal to do so.

This post is to demonstrate that weak captchas can be easily cracked using online services.

There is a very good article here on how to crack Captcha using Tesseract

http://www.clshack.com/en/how-to-bypass-captcha-with-python-tesseract.html

For more difficult captchas, you want want to by rendering the services of human captcha crackers.
http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html

Therefore, it might be more convenient to perform a lookup using the online free services before even trying to crack the hash with Hashcat.

findmyhash is a very useful tool for cracking the hashes using free online services.

Most of the password dumps have been appearing on websites like Pastebin.com and it makes it even more useful if findmyhash is able to find and crack md5/sha1 hashes located in a website link like pastebin. I have submitted a patch to https://code.google.com/p/findmyhash/issues/detail?id=7 for this new feature.

If you do not feel comfortable with another party knowing about the hashes, you should skip using findmyhash all together and dive straight to hashcat instead.

Cracking hashes from a url

To directly search and crack hashes from a url, you only need to key in the below commands

• python findmyhash_v1.1.2.py MD5 -u http://pastebin.com/ddWYY634
• python findmyhash_v1.1.2.py SHA1 -u http://pastebin.com/1YbcH2k5

Applying the patch

As the patch is not yet accepted and committed to the source, you can apply the patch listed at https://code.google.com/p/findmyhash/issues/detail?id=7 by performing the below actions

• python findmyhash_v1.1.2.py -i findmyhash.patch -o findmyhash_v1.1.3.py

Video on how to use findmyhash 1.1.2

Below is a video on how to use findmyhash.py

https://www.youtube.com/watch?feature=player_embedded&v=O2I8pd2uMIU#!

Download File

You can download the updated findmyhash at http://pastebin.com/9GRTrNj7

Results might varies on your machine.

For the below test, I ran metagoofil against microsoft.com for 100 pdfs.

Results show that you can get quite a significant speed improvement if you are downloading a lot of documents for analysis with metagoofil.

Download Links

If you adventurous enough to try the patch, you can download the patch or the updated metagoofil.py file from the below links

Patch: http://pastebin.com/J3d7yUkJ
Updated Metagoofil.py File: http://pastebin.com/AfpaUgQv

Let me know if you face any issues.

Metagoofil is available for download at http://code.google.com/p/metagoofil

It allows you to extract useful metadata from public documents belong to a target company from search engine.

You can learn about using Metagoofil at Irongeek’s site  http://www.irongeek.com/i.php?page=videos/using-metagoofil-to-extract-metadata-from-public-documents-found-via-google

I was trying to use metagoofil today.  The results show that there are 7 files found but they are actually invalid links.

How to apply the patch?
You can download the patch from http://pastebin.com/prHBxqfK

Save the file from pastebin as parser.patch in the metagoofil-read-only folder.

To apply the patch, type “patch -i parser.patch” as shown in the below screenshot.

You should see the below lines in your updated parser.py file in your metagoofil-read-only folder.

Thank you for reading this post and enjoy having fun with using Metagoofil as much as I do.

The official website for ACT is https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool

The current version of ACT 0.1a seems to have issues with crawling some Ajax websites due to some issues in the dependencies.

I have submitted the bugfixes to the website but it will take some time for the changes to be committed.

Below shows the screenshots of the results of the crawl before and after the patch.

Before the patch

After the patch
As shown in the below screenshot, extra 4 links were discovered after the patch.

I have also added the function of being able to specify the proxy server via command line mode.

Below is the temporary download link for the ACT if you can’t wait for the changes to be committed at the main site.

https://www.dropbox.com/s/gosq97z5vjlr09f/act-new.jar