hostmap 0.1 released

Posted on May 14, 2009 in Tools • Tagged with discovery, dns enumeration, dns name, virtual host • 1 min read

I am happy to announce hostmap:

hostmap is a free, automatic hostname and virtual host discovery tool written in Python by Alessandro `jekil` Tanasi and licensed under the GNU General Public License version 3 (GPLv3). Its goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.

Take a look at http://hostmap.lonerunners.net/


Binary data fetching through SQLi

Posted on February 23, 2009 in Research • Tagged with binary data, blob, data casting, SQL Injection • 5 min read

Table of contents

1. Introduction
2. How BLOB storage works
3. Casting binary data
3.1 MySQL
3.2 PostgreSQL
3.3 SQL Server
4. References

1. Introduction

Exploiting a SQL injection flaw in a web application can give the attacker full control of the remote DBMS. One of the major consequences of exploitation is the retrieval of all or part of the data stored in the database.

In several cases, such as a web application that stores images in the database, the attacker has to deal with binary data.

Some techniques to fetch binary data via a SQL injection flaw follow …


Virtual host and DNS names enumeration techniques

Posted on January 24, 2009 in Research • Tagged with discovery, dns alias, dns name, enumeration, hostmap, virtual host • 3 min read

Table of Contents

1. Why you need to enumerate
2. Techniques
2.1 DNS enumeration techniques
2.2 Banner grabbing
2.3 SSL/TLS Protocol enumeration techniques
2.4 HTTP Protocol enumeration techniques
2.5 Passive web enumeration techniques
2.6 Active web enumeration techniques

1. Why you need to enumerate

The host name discovery phase is an information-gathering step whose purpose is to obtain a complete and detailed view of the target's resources and attack points.

During an attack or a penetration test, the attacker needs to know as much as possible about the entry points to attack. An entry point …


Using Wikipedia as brute forcing dictionary

Posted on January 08, 2009 in Blog • Tagged with brute forcer, brute forcing, dictionary, wikipedia, words • 2 min read

The success of a brute forcing attack, and the time it takes, depend on the number of discovered brute forcing points, the quality of the tool used (such as THC-hydra, brutus or medusa) and the quality of the dictionary used.

Sometimes using an incremental dictionary is a waste of time; a good dictionary can be the key to a fast brute forcing attack. Getting a dictionary of common words and keeping it updated is hard work.

Wikipedia is a free multilingual encyclopedia; it currently contains 2,683,099 articles. This is a really good source from which to generate a dictionary …


SQLi: Writing files to disk under PostgreSQL

Posted on December 21, 2008 in Research • Tagged with exploiting, PostgreSQL, SQL Injection, SQLi, writing file • 6 min read

Table of Contents

1. Introduction
2. Default configuration
3. COPY Function
3.1 COPY function abusing
4. BLOB functions
4.1 BLOB functions abusing
5. User defined functions
5.1 User defined functions abusing
6. Conclusions
7. References

1. Introduction

The following examples assume that access to the database has been achieved through a SQL injection vulnerability in a web application.

Sometimes, against best practice, the application connects to the database using superuser credentials.

2. Default configuration

On some systems the PostgreSQL configuration files are owned by the user account that runs the PostgreSQL process.

For example, in my Ubuntu …

