
Working with BBQSQL

BBQSQL is an open source SQL injection framework written in Python by Ben Toews; it is designed to be very fast and database agnostic.

Its most notable feature is that it can exploit blind SQL injection vulnerabilities.

It is a very useful tool for checking a web application's security so that the exposed vulnerabilities it finds can be patched. Let's start working with BBQSQL with the following steps:

1. The first step is setting up the request parameters. There are many parameters that we can configure while setting up an attack:

- files: This provides files to be sent along with the request.

- headers: This can be a string or a dictionary sent with the request, for example {"User-Agent":"bbqsql"} or "User-Agent: bbqsql".

- cookies: A dictionary or string of cookies sent along with the request, for example {"PHPSESSIONID":"123123"} or PHPSESSIONID=123123;JSESSIONID=foobar.

- url: This specifies the URL that the requests should be sent to.

- allow_redirects: This is a Boolean value that determines whether HTTP redirects will be followed when making requests.

- proxies: This specifies the HTTP proxies to be used for the request as a dictionary, for example {"http": "10.10.1.10:3128", "https": "10.10.1.10:1080"}.

- data: This specifies the POST data to be sent along with the request. This can be a string or a dictionary.

- method: This specifies the method for the HTTP request (for example, get, options, head, post, put, patch, delete).

- auth: This specifies a tuple of a username and password to be used for HTTP basic authentication, for example ("myusername","mypassword").

2. Secondly, we will set up BBQSQL options. They are:

- query: The query input is where we construct the query used to exfiltrate data from the database. The assumption is that we have already identified SQL injection on a vulnerable parameter and have tested a query that is successful. In this example, the attacker is looking to select the database version:

  vulnerable_parameter'; if(ASCII(SUBSTRING((SELECT @@version LIMIT 1 OFFSET ${row_index}), ${char_index}, 1))${comparator:>}ASCII(${char_val})) WAITFOR DELAY '0\:0\:0${sleep}'; --

- csv_output_file: This is the name of a file to output the results to. Leave this blank if you don't want output to a file.

- technique: We can specify either binary_search or frequency_search as the value for this parameter.

- comparison_attr: This specifies the type of SQL injection you have discovered. Here, you set which attribute of the HTTP response BBQSQL should look at to determine true/false. You can specify status_code, url, time, size, text, content, encoding, cookies, headers, or history.

3. Then, move on to Export Config. After we have set up the attack, we can export the configuration file. We will see the option while running the tool. The exported configuration file uses the ConfigParser format, which is easy to read. An example configuration file is as follows:

  [Request Config]
  url = http://example.com/sqlivuln/index.php?username=user1&password=secret${injection}
  method = GET

  [HTTP Config]
  query = ' and ASCII(SUBSTR((SELECT data FROM data LIMIT 1 OFFSET ${row_index:1}),${char_index:1},1))${comparator:>}${char_val:0} #
  technique = binary_search
  comparison_attr = size
  concurrency = 30

4. Let us see how we can import a config. We can import a configuration file from the command line or from the user interface:

  bbqsql -c config_file

When we load a config file either via command line or the user interface, the same validation routines are applied on the parameters to ensure that they are valid.
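The following script is an added example, not BBQSQL's own validation code, of the kind of check that a loaded configuration file should pass before it is used. It reads a constructed file in the ConfigParser layout shown above and checks each option against the value sets listed in the text: the technique, the comparison_attr, the HTTP method, a positive concurrency, the presence of a ${...} injection placeholder in the request, and the presence in the query template of the four placeholders the per-character extraction substitutes (row_index, char_index, comparator, char_val). The sample URL and query are the ones from the configuration above; the requirement that exactly these placeholders appear is an assumption taken from that template.

```python
"""Validate a BBQSQL-style exported configuration before loading it.

Added example; this is not BBQSQL's own validation code. It reads the
ConfigParser layout shown in the text and checks each option against the
value sets the text lists. The placeholder names it requires in the query
template are an assumption taken from the template in the text.
"""
import configparser
import re

# Constructed sample laid out like the exported file in the text.
SAMPLE_CONFIG = """\
[Request Config]
url = http://example.com/sqlivuln/index.php?username=user1&password=secret${injection}
method = GET

[HTTP Config]
query = ' and ASCII(SUBSTR((SELECT data FROM data LIMIT 1 OFFSET ${row_index:1}),${char_index:1},1))${comparator:>}${char_val:0} #
technique = binary_search
comparison_attr = size
concurrency = 30
"""

TECHNIQUES = {"binary_search", "frequency_search"}
COMPARISON_ATTRS = {"status_code", "url", "time", "size", "text",
                    "content", "encoding", "cookies", "headers", "history"}
METHODS = {"get", "options", "head", "post", "put", "patch", "delete"}
# Placeholders the per-character extraction loop fills in on every request (assumption).
REQUIRED_PLACEHOLDERS = {"row_index", "char_index", "comparator", "char_val"}

# ${name} or ${name:default}
PLACEHOLDER_RE = re.compile(r"\$\{(\w+)(?::([^}]*))?\}")


def parse_placeholders(template):
    """Map every ${name} / ${name:default} in template to its default (None if absent)."""
    return {m.group(1): m.group(2) for m in PLACEHOLDER_RE.finditer(template)}


def validate_config(text):
    """Return a list of problems; an empty list means every checked option is valid."""
    cp = configparser.ConfigParser(interpolation=None)  # keep ${...} literal
    cp.read_string(text)
    errors = []

    def section(name):
        if cp.has_section(name):
            return cp[name]
        errors.append(f"missing section [{name}]")
        return {}

    req, http = section("Request Config"), section("HTTP Config")

    # The injection point: some request field must carry a ${...} placeholder
    # (the text shows it in the URL, the POST data, or a cookie value).
    carriers = [req.get(k, "") for k in ("url", "data", "cookies")]
    if not any(PLACEHOLDER_RE.search(c) for c in carriers):
        errors.append("no ${...} injection placeholder in url, data or cookies")
    if req.get("method", "get").lower() not in METHODS:
        errors.append(f"unknown method {req.get('method')!r}")

    if http.get("technique", "binary_search") not in TECHNIQUES:
        errors.append(f"unknown technique {http.get('technique')!r}")
    if http.get("comparison_attr", "").lower() not in COMPARISON_ATTRS:
        errors.append(f"unknown comparison_attr {http.get('comparison_attr')!r}")
    concurrency = http.get("concurrency", "1")
    if not concurrency.isdigit() or int(concurrency) < 1:
        errors.append("concurrency must be a positive integer")

    missing = REQUIRED_PLACEHOLDERS - set(parse_placeholders(http.get("query", "")))
    if missing:
        errors.append("query template lacks placeholders: " + ", ".join(sorted(missing)))
    return errors


if __name__ == "__main__":
    problems = validate_config(SAMPLE_CONFIG)
    print("config OK" if not problems else "\n".join(problems))
```

Interpolation is switched off so that ConfigParser does not try to expand anything inside the query; the trailing `#` in the query survives because ConfigParser only treats `#` as a comment at the start of a line.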

5. Finally, we run the exploit by selecting option 5. We can export the attack results as a CSV file.

The BBQSQL framework installer can be downloaded from https://pypi.python.org/pypi/BBQSQL. BBQSQL uses two techniques while executing an attack. They are as follows:

1. Binary search: This technique is used by default. We can specify the details of the characters in the row or the queue to be used, and information regarding the targeted character in a row.

2. Frequency search: This is based on an analysis of the English language to determine how frequently each letter occurs. This method is fast against low-entropy data, but can be slow against non-English or obfuscated data.
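Because every comparison in either search technique costs one HTTP request, an extraction like the one configured above leaves a burst of near-identical requests to one path in the web server's access log, differing only in the character index and the compared value. The following detection script is an added example, not part of BBQSQL or of the original text: it parses constructed access-log lines (the combined log format, the client addresses, and the alert threshold are assumptions), URL-decodes the query string, and counts per client and path the requests whose parameters carry the ASCII(SUBSTR(...)) comparison form from the configuration above or a time-delay clause.

```python
"""Detect blind SQL-injection extraction traffic in web access logs.

Added example (not BBQSQL's code). A binary-search extraction needs one
request per comparison, so it shows up as a burst of near-identical
requests to one path whose injected parameter carries ASCII(SUBSTR(...))
comparisons or a time-delay clause. Log format and threshold are assumptions.
"""
import re
import urllib.parse
from collections import Counter

# Combined-style line: ip ident user [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Per-character blind extraction: a numeric comparison on ASCII(SUBSTR(...))
# (the query template shown in the text) or a time-based delay.
BLIND_SQLI_RE = re.compile(
    r"ASCII\s*\(\s*SUBSTR(?:ING)?\s*\(.*?\)\s*\)\s*[<>=]+\s*\d+"
    r"|WAITFOR\s+DELAY\s+'[^']*'"
    r"|\bSLEEP\s*\(\s*\d+",
    re.IGNORECASE | re.DOTALL,
)


def payload_hits(lines):
    """Count matching requests per (client ip, path).

    Only the query string is inspected: POST bodies are not written to a
    standard access log, so data-parameter injections need a different source."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, qs = m.group("target").partition("?")
        if BLIND_SQLI_RE.search(urllib.parse.unquote_plus(qs)):
            hits[(m.group("ip"), path)] += 1
    return hits


def flag_clients(lines, threshold=5):
    """Return the (ip, path) pairs with at least `threshold` payload hits.

    A binary search over 7-bit ASCII costs about seven comparisons per
    character (assumption), so even a short extracted string crosses a small
    threshold quickly; a couple of isolated probes do not."""
    return {k: n for k, n in payload_hits(lines).items() if n >= threshold}


def _line(ip, injected, ts="10/Oct/2023:13:55:36 +0000"):
    """Constructed log line; the injected value is percent-encoded as a client would send it."""
    enc = urllib.parse.quote(injected, safe="")
    return (f'{ip} - - [{ts}] "GET /sqlivuln/index.php?username=user1&password=secret{enc} '
            f'HTTP/1.1" 200 512')


# Constructed sample: one client narrowing down a single character with a
# binary search (seven comparisons), one benign request from the same client,
# and a second client sending two delay probes.
_SEARCH = "' and ASCII(SUBSTR((SELECT data FROM data LIMIT 1 OFFSET 1),1,1))>{} #"
SAMPLE_LOG = (
    [_line("10.0.0.5", _SEARCH.format(v)) for v in (64, 96, 112, 104, 108, 110, 111)]
    + [_line("10.0.0.5", "")]
    + [_line("10.0.0.9", "'; WAITFOR DELAY '0:0:05'--") for _ in range(2)]
)

if __name__ == "__main__":
    for (ip, path), n in flag_clients(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {n} blind-injection comparisons")
```

The threshold is deliberately per client and per path: a web application firewall rule on a single request sees one comparison, whereas the volume pattern is what distinguishes an extraction from a one-off scanner probe.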

How to do it...

To work with BBQSQL, use the following instructions:

1. Install BBQSQL using the following command:

sudo pip install bbqsql

2. On a fresh BackTrack 5 R3 install, pip is not available. The user will need to run the following to install pip:

  sudo apt-get install python-pip

3. Type bbqsql and press Enter to start BBQSQL.

While working with BBQSQL, the screen will look like the following screenshot:

How it works...

The injection can work on any of the following:

- URL: "http://google.com?vuln=${query}"

- data: "user=foo&pass=${query}"

- cookies: {'PHPSESSID': '123123', 'foo': 'BAR${query}'}

The BBQSQL UI is built on source from the Social-Engineer Toolkit (SET). We do not have to type one huge request on the command-line interface, because input validation is performed on each configuration option as it is entered.

2 Information Gathering and Scanning

In this chapter, we will cover:

- Passive information gathering

- Port scanning – the Nmap way

- Port scanning – the DNmap way

- Using keimpx – an SMB credential scanner

- Detecting SSH versions with the SSH version scanner

- FTP scanning

- SNMP sweeping

- Vulnerability scanning with Nessus

- Scanning with NeXpose

- Working with OpenVAS – a vulnerability scanner

Introduction

Information gathering is the first basic step toward penetration testing. This step is carried out in order to find out as much information about the target machine as possible. The more information we have, the better our chances will be of exploiting the target. During the information gathering phase, our main focus is to collect facts about the target machine, such as the IP address, available services, and open ports. This information plays a vital role in the process of penetration testing. To achieve this goal, we will be learning certain scanning

The terms information gathering, footprinting, and enumeration are often used interchangeably, but they are different. According to the SANS standard, footprinting is the ability to obtain essential information about an organization. This information includes the technologies that are being used, such as Internet, intranet, remote access, and extranet. In addition to the technologies, the security policies and procedures must be explored. Scanning consists of the basic steps in mapping out a network, such as performing an automated ping sweep on a range of IP addresses and network blocks to determine whether individual systems are alive.

Enumeration involves active connections to a system and directed queries. The type of information enumerated by hackers can be loosely grouped into categories, such as network resources and shares, users and groups, applications and banners, and network blocks.

There are basically three types of techniques used in information gathering:

- Passive information gathering

- Active information gathering

- Social engineering

Let us take a quick look at these processes:

- Passive information gathering: This technique is used to gain information about the target without having any physical connectivity or access to it. This means that we use other sources to gain information about the target, such as a whois query, Nslookup, and so on. Suppose our target is an online web application; then a simple whois lookup can provide a lot of information about it, such as its IP address, its domains and subdomains, the location of the server, the hosting provider, and so on. This information can be very useful during penetration testing, as it widens our options for exploiting the target.

- Active information gathering: In this technique, a logical connection is set up with the target in order to gain information. This technique provides us with the next level of information, which directly supplements our understanding of the target's security. Port scanning is the most widely used active scanning technique; in it we focus on the open ports and the available services running on the target.

- Social engineering: This type of information gathering is similar to passive information gathering, but relies on human error and on information leaked in the form of printouts, telephone conversations, incorrect e-mail addresses, and so on. The techniques for using this method are numerous and the ethos of information gathering is very different, hence social engineering is a category in itself. For example, attackers register similar-sounding domain names containing spelling mistakes and set up a mail server to receive the e-mails sent to them by mistake. Such domains are known as Doppelganger Domains, that is, the evil twin.

The victims of social engineering are tricked into releasing desired information that they do not realize will be used to attack an enterprise network. For example, an employee in an enterprise may be tricked into revealing an employee identification number to someone who is pretending to be someone he or she trusts. While that employee number may not seem valuable to the employee, which makes it easier to reveal in the first place, the social engineer can use it in conjunction with other gathered information to get closer to finding a way into the enterprise network.

There are a few very common information gathering tools, such as GHDB, SHODAN search, netcraft.com, and so on.

Let's review them briefly:

- GHDB (Google Hacking Database): The GHDB is a compiled list of common mistakes that web/server admins make, which can be easily searched by using Google. As a result, you can find things such as administrator consoles, password files, credit card numbers, unprotected webcams, and so on.

The GHDB was started by Johnny Long, who also published books on the matter, but it is now maintained and updated at Exploit Database.

- SHODAN search: SHODAN is similar to Google for hackers. Typical search engines such as Google, Yahoo, and Bing crawl for data on web pages and then index it for searching, whereas SHODAN scans for ports and grabs the resulting banners, then indexes the banners for searching.

We can create a SHODAN account and log in with it, or use one of several other options (Google, Twitter, Yahoo, AOL, Facebook, and OpenID). Login is not required, but the country and net filters are not available unless we log in.

- Netcraft.com: Netcraft provides web server and web hosting market-share analysis, including web server and operating system detection. Depending on the queried server's OS, it can sometimes monitor uptimes, which helps in determining the reliability of a web hosting provider.

Netcraft also provides security testing and a free anti-phishing toolbar for the Firefox and Internet Explorer browsers. Starting with Version 9.5, the built-in anti-phishing filter in the Opera browser uses the same data as Netcraft's toolbar, eliminating the need for a separately installed toolbar. A study commissioned by Microsoft concluded that Netcraft's toolbar was among the most effective tools to combat

In this chapter, we will analyze the various passive and active techniques of information gathering in detail. From the beginning, we will analyze the most commonly used and most commonly neglected techniques of passive information gathering, and then in later recipes, we will focus on gaining information through port scanning. Metasploit has several built-in scanning capabilities, as well as some third-party tools integrated with it to further enhance the process of port scanning. We will analyze both the inbuilt scanners, as well as some of the popular third-party scanners which work over the Metasploit framework. Let us move on to the recipes and start our process of gaining information about our target.