Thoughts of a coder

It’s how I think! It’s how I code!

Archive for February, 2006

SQL Injection

Feb 22

Posted by Sandaruwan Gunathilake in Hacking and Cracking | 8 Comments

LAMP, a commonly used web development combination. Linux, Apache, MySql and PHP. Since, the language, PHP is designed for web developing, the language is very simple and anyone can learn it easily. And combining it with MySQL allows you to build very powerfull web sites.

There is one dangerous mistake that some people may do. Directly passing the values from the user to the database. How it could be so dangerous? I’ll show you an example.

Let’s say you have a login form and line like this in the action page.

$result=mysql_query(“SELECT * FROM users WHERE username=’”.$_POST['username'].”‘ AND pwd=’”.$_POST['password'].”‘”) ;

Normally, The script will add the values from the user into the sql query. So, It will be something like :

SELECT * FROM users WHERE username=’sandaruwan’ AND pwd=’secret’

There is nothing wrong with it. But let’s say, Instead of typing my username, if i type something like :

sandaruwan’#
What would happen? The script will insert this statement into the query. So, It will be something like :

SELECT * FROM users WHERE username=’sandaruwan’#’ AND pwd=’secret’

The symbol # means, comment out the rest of the query. In that case, the final query is like :

SELECT * FROM users WHERE username=’sandaruwan’

So, no matter what is the password, The script will allow you to login. Very simple!!! but effective.

Tags: , ,

Social Engineering

Feb 13

Posted by Sandaruwan Gunathilake in Hacking and Cracking | 3 Comments

One day, in an afternoon, when you are relaxing in your home, you get a call from HSBC and they tell you they are rechecking credit cards. “Could you please tell me, your credit card number?”. Just without thinking much, most probably what you’ll do is tell it. And your personal details, etc. So, next month when the bill comes, you know someone has illegally used your credit card.

Basically, that’s social engineering; Gathering information by talking to the people. This is easier than hacking, and probably more effective. Because in a computer system, system admin can patch the vulnerable products but there is no patch for human stupidity.

Just wanted to tell you, “Beware of Social Engineers”.

Tags: ,

FreeCell – Allow any move

Feb 12

Posted by Sandaruwan Gunathilake in Hacking and Cracking | No Comments

“That move is not allowed” – most probally you have got this message several times when you are playing freecell. This message is bit of a headache. I wanted get rid of it. With the great help of W32Dasm, it was pretty easy.

The first step was disassembling the game. Then, I searched through the code for “That move….”. It only appeared only once which makes our job much easier. backtrack, backtrack, backtrack, it was really easy. Then I was able to find out a jump : “jbe 01003C2B” at offset 2F7C. Changing those into ‘nop’s will allow you to make any move except the moves on top bars. So, I was going around here and there in the code and managed to change the top bar. Since it is 3:23 AM, I’m not going to explain how to do it. If you want to change the top bars, you can apply the same theory. It is also changing few jumps. Hint : Try to use debugging feature of W32DASM.

Tags: ,

Arp Poisoning

Feb 8

Posted by Sandaruwan Gunathilake in Hacking and Cracking | 4 Comments

When you guys wants to do packet sniffing what do you do? Just running a packet sniffer? That’ll work if your network is connected using a hub. Not in a switched enviroment. So, the solution is arp poisoning.

Arp Poisoning, one great method of hacking. The basic idea behind arp poisoning is changing the packet destination by fooling the computer. In a local area network the computers are uniqly identifical by the MAC address and IP address. The top level software communicate using the IP addresses. So, when a software wants to connect to another machine, it creates a data packet and put the destination IP address. Then, the kernel takes the packet. The kernel have a table called ARP table which have information about ip address againts the mac addresses. So, the kernel looks at the ARP table and then takes the relevent MAC address. If MAC address is not available in the table, it sends an arp request saying “Hey, xxx.xxx.xxx.xxx, send me your MAC address”. So, the other computer sends an arp reply. At that point first computer update it’s arp table. Then the kernel inject that MAC into the packet and give it to the network card. The network card only look at the MAC address. So, the packet’s final destination is the computer pointed by the MAC address; no matter what the ip address is.

Now think like this. Let’s say there are three computers. A,B and C. You are in the computer A and your MAC address is 00:00:00:FF:FF:FF. So, we want to track messages between computer B and C. What we have to do is create two fake arp replies. One is saying “I’m computer B, my MAC address is 00:00:00:FF:FF:FF” and other saying “I’m computer C, my MAC address is 00:00:00:FF:FF:FF”. So, you keep broadcasting both messages, the first message to the computer C and other to the computer B. Then you have to put an ip forwarding program and configure it to redirect the packets to it’s original destination. Now all packets go through your computer. It’s time to sniff.

You can also do some other interesting stuffs. If you want to ban someone from the network, what you have to do is send an arp reply to the gateway saying “Hey, I’m computer X, my MAC address is 00:00:00:00:00:00″. Since there is no MAC address like that, messages from the gateway won’t reach the computer. Ya, finally, you banned them.

Tags: ,

Cracking the passwords

Feb 6

Posted by Sandaruwan Gunathilake in Hacking and Cracking | 2 Comments

Admin password, the dream of everyone. Specially, when you are in an environment where you are not the system administrator. Today, what I’m going to show you is how to take Windows Administrator passwords. You might have even noticed, if we can find out where windows stores the password, we can just look at it. But unfortunately, it is not that easy.

Windows stores the passwords in the Windows\System32\Config\SAM file. But windows prevent you from accessing that file. So, the answer is LINUX. Take a Knoppix CD, put it into your CDROM and restart the machine. Make sure your first boot device is CD-Rom. Then, it’ll boot into the Linux. Then the best option would be a USB pen. Just mount it and copy the SAM file into it. And make sure you also copy the Windows\System3\Config\System file. Then, restart again, you need Windows now.

Now you have to take a key called syskey from the system file. There are some windows utilities to do that, but I can’t remember the names. Anyway, once after you get it, you can use that key to decrypt the SAM file. Now the password!!! NO!! It’s not.

Again you have some hashes. What do we do now? Now, you have the time consuming part. You have to download and run John the ripper on these hashes. Please note this may take few hours, depending on the length of the password.

After that ***you*** are the system admin!!!

Tags: ,

Get Adobe Flash playerPlugin by wpburn.com wordpress themes