Penetration Testing

Penetration testing (also called pen testing) is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its employees’ security awareness and the organization’s ability to identify and respond to security incidents.

Targeted testing

Targeted testing is performed by the organization’s IT team and the penetration testing team working together. It’s sometimes referred to as a “lights-turned-on” approach because everyone can see the test being carried out.

External testing

This type of pen test targets a company’s externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they’ve gained access.

Internal testing

This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

Blind testing

A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that’s performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

THEMOLE – Penetration Testing Tool

Introduction to TheMole

TheMole is a Python-based command-line automatic SQL injection exploitation tool developed by Nasel. It is able to exploit both union-based and blind Boolean-based injections. Every action The Mole can execute is triggered by a specific command.

All this application requires in order to exploit a SQL injection is the URL (including the parameters) and a needle: a string that appears in the server’s response whenever the injection parameter generates a valid query, and does not appear otherwise. So far, The Mole supports MySQL, MS-SQL and PostgreSQL, but its developers expect to add other DBMSs.

In order to run The Mole you need only python3 and python3-lxml. Once it is started, a shell prompt is printed and waits for commands.

Features of TheMole:

Support for injections using MySQL, SQL Server, PostgreSQL and Oracle databases.

Command line interface. Different commands trigger different actions.

Auto-completion for commands, command arguments and database, table and column names.

Support for filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.

Exploits SQL Injections through GET/POST/Cookie parameters.

Developed in Python 3.

Exploits SQL Injections that return binary data.

Powerful command interpreter to simplify its usage.

Requirements

Kali Linux (also supported on Ubuntu)

Kali Linux is a Debian-based Linux distribution aimed at advanced penetration testing and security auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as penetration testing, security research, computer forensics and reverse engineering.

Python

Python is an object-oriented, high-level, interpreted, dynamic and multipurpose programming language.

TheMole (Kali Tool) – SQL Injection

TheMole is a Python-based command-line automatic SQL injection exploitation tool. It is able to exploit both union-based and blind Boolean-based injections.

HashID (Kali Tool) – Hash type identification

Software to identify the different types of hashes used to protect data, and especially passwords.

PyBozoCrack (Kali Tool) – Hash cracking (MD5)

PyBozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load written in Python.

Psiphon3 – Anonymous proxy browsing

Psiphon3 is an open-source Internet censorship circumvention tool that uses a combination of secure communication and obfuscation technologies (VPN, SSH and HTTP proxy).
Finding Vulnerable Website

Not every website can be attacked with SQLi: the site must have an SQL injection vulnerability for this technique to work, and the URL needs a parameter such as php?id=4 (any number) to inject into.

http://www.example.com/login.php?id=3

Once you find such a website, you can check it for an SQLi vulnerability: put an ' (apostrophe) at the end of the URL parameter.

http://www.example.com/login.php?id=3'
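To show why the apostrophe check works, here is an added example (not from the original post and not TheMole’s code): a constructed SQLite table behind a lookup written the way a vulnerable login.php?id=... would be, next to its parameterized form. It also makes the needle idea visible: the word Contacts is in the valid response and absent from the error page.

```python
import sqlite3

NEEDLE = "Contacts"  # string present only in a successful page, as in the needle concept above


def make_db():
    """Constructed in-memory stand-in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, contact TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(3, "alice", "Contacts: alice@example.com"),
         (4, "bob", "Contacts: bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The flaw: the raw parameter is pasted into the SQL text.

    Returns (status, body), where body is what the page would render."""
    sql = "SELECT name, contact FROM users WHERE id = " + user_id
    try:
        rows = conn.execute(sql).fetchall()
        return "ok", "; ".join(contact for _, contact in rows)
    except sqlite3.Error as exc:  # id=3' leaves an unterminated string: the statement cannot parse
        return "error", "Database error: " + str(exc)


def lookup_parameterized(conn, user_id):
    """Hardened form: validate the type, then bind the value as a parameter.

    The value is never interpreted as SQL, so an apostrophe cannot alter the query."""
    try:
        uid = int(user_id)
    except ValueError:
        return "rejected", "id must be an integer"
    rows = conn.execute(
        "SELECT name, contact FROM users WHERE id = ?", (uid,)
    ).fetchall()
    return "ok", "; ".join(contact for _, contact in rows)


def needle_present(body):
    """What a tester (or a defender replaying the probe) looks for in the response."""
    return NEEDLE in body


if __name__ == "__main__":
    db = make_db()
    for probe in ("3", "3'"):
        print(probe, lookup_vulnerable(db, probe), lookup_parameterized(db, probe))
```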
Commands Used in TheMole
themole
To start TheMole.
url < Vulnerable url >
Provides the vulnerable website URL.
method (GET|POST <param_post>) [vulnerable_param]
Sets the method of the request to GET or POST.
needle < String displayed only when true return >
Provides the needle: a keyword that appears in the page only when the query runs correctly. It must not be visible in the error page.
auth [<basic> <USERNAME: PASSWORD>]
Sets/gets the authentication information used by The Mole in each request.
dbinfo
Fetch current user name, database name and DBMS version.
schemas
To retrieve all database schemas
tables <schema>
Lists the tables of the given schema.
columns <schema> <table>
List out columns
query <schema> <table> <columns>
Shows all data stored in the given columns of the table.
recursive (schemas|tables <SCHEMA>)
Recursively fetches the structure of all schemas or just of the SCHEMA if used with tables.
headers <set|del> <HEADER> [VALUE]
Sets/removes the given HTTP header. Use this to set the User-Agent, cookie, or whatever additional header you want to send.
encoding [ENCODING]
Gets/sets the encoding used to decode the response received.
Complete Execution of TheMole
Primary Steps:
  1. Install.

Here we need to install three tools.

TheMole

TheMole is a Python-based command-line automatic SQL injection exploitation tool.

apt-get install themole

PyBozoCrack

PyBozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load written in Python.

git clone https://github.com/ikkebr/PyBozoCrack.git

HashID

Software to identify the different types of hashes used to protect data, and especially passwords.

git clone https://github.com/psypanda/hashID.git/

  2. Find a vulnerable website.

As described under Finding Vulnerable Website above, the site must have an injectable parameter such as php?id=3 (for example http://www.example.com/login.php?id=3); appending an apostrophe to the parameter is the first check.

  3. Start TheMole.

Use the themole command.

  4. Provide the URL and needle.

url < Your URL >

url http://www.example.com/login.php?id=3

needle < String >

needle Contacts

  5. Retrieve all schemas.

Use the schemas command.

  6. Select a schema and retrieve all its tables.

Use the tables <Schema_Name> command.

  7. Select a table and retrieve all its columns.

Use the columns <Schema_Name> <Table_Name> command.

  8. Select columns and retrieve their data.

Use the query <Schema_Name> <Table_Name> <Column_Names> command.

Column_Names can be separated with commas.

  9. Find the username and password combination.

Steps to crack a hashed password:

  1. Start HashID.

Move to the HashID directory using the cd command.

Use the python Hash_ID_vX.X.py command (X.X is the version, e.g. 1.1).

  2. Provide your hashed password.

Enter the hashed password after the HASH: prompt in the terminal.

  3. Crack the hash using PyBozoCrack (MD5).

Move to the PyBozoCrack directory using the cd command.

Use the python Pybozocrack.py -s < hashed code > command.
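From the defender’s side, the walk-through above leaves a trace in the web server’s access log: the apostrophe probe and non-numeric id values. The following added example (not from the original post and not TheMole’s code) parses a few constructed Apache combined-format log lines, flags requests whose query parameters carry a decoded apostrophe or a non-integer id, and counts hits per client address so a single O’Brien is not mistaken for a probe.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Apache combined format) for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /login.php?id=3%27 HTTP/1.1" 500 122 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /login.php?id=3' HTTP/1.1" 500 122 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] "GET /contact.php?name=O%27Brien HTTP/1.1" 200 801 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def suspicious_params(target):
    """Return (name, value) pairs worth a look: a decoded apostrophe anywhere,
    or an id parameter that is not a plain integer (the tutorial's parameter is php?id=<number>)."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if "'" in value or (name == "id" and not value.isdigit()):
            hits.append((name, value))
    return hits

def scan_log(text):
    """Parse each line and collect one finding per request with suspicious parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "params": hits})
    return findings

def hits_per_client(findings):
    """Repeated hits from one address (here, paired with 500 errors) matter more than one O'Brien."""
    return Counter(f["ip"] for f in findings)

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print(found, hits_per_client(found))
```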

CONCLUSION

TheMole is a Python-based command-line automatic SQL injection exploitation tool. It is able to exploit both union-based and blind Boolean-based injections, and every action it can execute is triggered by a specific command. All the application requires in order to exploit a SQL injection is the URL (including the parameters) and a needle: a string that appears in the server’s response whenever the injection parameter generates a valid query, and does not appear otherwise. So far, The Mole supports MySQL, MS-SQL and PostgreSQL, but its developers expect to add other DBMSs.