Archive for the ‘IT’ Category

List of Free Proxy Servers

Posted: March 25, 2012 in IT

Here is the list of free proxy servers. It is better to use with proxy chain || foxyproxy. Enjoy!

I put some time in and compiled a list in a course type layout to help people in process of learning exploit development. I hope my research will help others spend more time learning and less time searching.

First off I want to thank the corelan guys for the help they have provided me so far in the process.

layout: I will be posting in a hierarchical structure, each hierarchy structure should be fully understood before moving on to the next section. I will also post sets of Parallel learning topics that you can use to study in line with other topics to help prevent monotony. These Parallel areas will have a start and end mark which shows when they should be complete in perspective to the overall learning

desktop background Link to Backgrounds

Other Posts like this one:
Because of quality of these posts I wanted to put them at the top. I could not figure out where to put them in the list because they cover so much.
past-present-future of windows exploitation
smashing the stack in 2010
Part 1: Programming

Parallel learning #1:(complete this section before getting to the book “Hacking Art of exploitation”)

While going through the programming area I concentrate on core topics to help us later on with exploit writing. One area that is very good to pick up is some kind of scripting language. Listed below are some of the most popular scripting languages and ones I feel will prove to be the most useful.
Python: One of my favorite languages and growing in popularity python is a powerful language that is easy to use and well documented.
Learn Python the hard way

Wikibooks Python

Grey hat python

Ruby: If you plan on later on working inside of metasploit this may be the language you want to start with. I highly suggest this for exploit developers to learn.
Wikibooks Ruby


Ruby Programmers Guide
Perl: An older language that still has a lot of use perl is one of the highest used scripting languages and you will see it used in many exploits. (I would suggest python over perl)


O’Reilly Learning Perl


C and C++ programming:

It is very important to understand what you are exploiting so to get started let us figure out what we are exploiting. You do not need to go through all of these but when finished with this section you should have a good understanding of C and C++ programming.

X86 Assembly:

Ok now to understand what the computer reads when we compile C and C++. I am going to mostly stick to the IA-32(X86) assembly language. Read the first link to understand why. It explains it very well.
Skullsecurity: Assembly

Windows Assembly Programming Tutorial


The Art of Assembly

Assembly primer for hackers

PC Assembly Language

Windows Programming:

This is to help understand what we are programming in and the structure of libraries in the OS. This area is very important far down the line


Windows Internals 5


Windows Internals 4


Dissassembly is not as much programming as it is what the computer understands and the way it is interpreted from CPU and memory. This is where we start getting into the good stuff.

The Art of Disassembly

Part 2: Getting started

Now that we have a very good understanding of programming languages and what the machine is doing we can start working on task at hand, exploitation.

Here I will start a lot of the learning in very much a list format and adding in comments or Parallel learning areas when needed.
Smash the stack for fun and profit (Phrack 49)

C function call conventions and the stack

Anatomy of a program in memory

Function Calls, Part 1 (the Basics)

IA-32 Architecture


Code Audit from

(Parallel learning #1 finished:

You should now have finished on Parallel learning 1 and have a good understanding of one of the 3 languages)

Hacking art of exploitation [Chapter 1&2]

Corelan T1

Corelan T2

Parallel learning #2:(complete this section before end of part 2)

(Read the first few posts on this blog has some good info)
Kspice blog

(Read some of the post from this blog they are very helpful with starting out with fuzzers.)
Nullthreat’s blog

(I am linked directly to a demo exploit for this area but this is a useful blog to keep track of for many things)

A demo exploit Buffer overflow intro

The Tao of Windows Buffer Overflow

nsfsecurity on BOF

Hacker center: BOF

Buffer overflow Primer


Shellcoder’s Handbook Ch1&2


Hacking art of exploitation [Chapter 3]

Corelan T3A

Corelan T3B

SEH Based Exploits and the development process

SEH overwrite simplified

((Parallel learning #2 finished:)
Part 3:Tools of the trade

This is a list of tools I have started using and find very useful.
Immunity Debugger




explorer suite


And here are some corelan posts on how to use them. I will supply more in future but this is a very good start.

Corelan T5

Corelan: Immunity debugger cheatsheet

Part 4: Network and Metasploit

(Networking) network programming


Hacking art of exploitation [Chapter 4]

Socket Programming in ruby



Security Tube: Metasploit Megaprimer

Metasploit Unleashed

Metasploit Louisville Class

Metasploitable (a target)

Corelan T4

intern0t: developing my first exploit

DHAtEnclaveForensics: Exploit Creation in Metasploit

Wikibooks Metasploit/Writing Windows Exploit

Part 5: Shellcode
Corelan T9

projectShellcode: Shellcode Tutorial


Shellcoder’s Handbook Ch3


Hacking art of exploitation [Chapter 5]

Writing small shellcode

Shell-storm Shellcode database

Advanced shellcode

Part 6: Engineering in Reverse

Parallel Learning #3:(constant place to reference and use for reversing)
Understanding Code

Reverse Engineering the World

Reversing for Newbies reversing blog post intro to reverse engineering Intro to Reverse Engineering software


Reversing: secrets of reverse engineering

Reverse Engineering from

CrackZ’s Reverse Engineering Page

Reverse engineering techniques



Windows PE Header

OpenRCE Articles


Part 7: Getting a little deeper into BOF

Parallel Learning #4:(To the end of the course and beyond)

Find old exploits on


download them, test them, rewrite them, understand them.

(Part A: preventions)
Buffer overflow protection

The evolution of Microsoft’s Mitigations Canary Bit

Preventing the exploitation of SEH Overwrites with SEHOP

Bypassing SEHOP

Wikipedia Executable space protextion

Wikipedia DEP

Bypassing Hardware based DEP

Wikipedia ASLR

Symantec ASLR in Vista

Defeating the Stack Based Buffer Overflow Prevention

Corelan T6

Return to libc

microsoft protections video 

(Part B: Advanced BOF)

Exploitation from

Corelan T7

Corelan T8

Corelan T10

Virtual Worlds – Real Exploits


Gera’s Insecure Programming


Smash the stack wargaming network


Part 8: Heap overflow

Heap Overflows for Humans-101

rm -rf / on heap overflow

w00w00 on heap overflow


Shellcoder’s Handbook Ch4&5

h-online A heap of Risk

Defcon 15 remedial Heap Overflows

heap overflow: ancient art of unlink seduction

Memory corruptions part II — heap


Read the rest of Shellcoder’s Handbook

Part 9: Exploit listing sites


CVE Details




National Vulnerability Database

(bonus: site that lists types of vulnerabilties and info)
Common Weakness Enumberation

Part 10: To come

1. Fuzzing

2. File Format

3. and more
If anyone has any good links to add post a comment and I will try to add them or send me the link and I will review and add it.

If anyone finds any bad or false information in any of these tutorials please let me know. I do not want people reading this getting bad information.


I really love that post and I want to put into my collection. So, I copied from the link provided above.

Search Engine Poisoning

Posted: June 9, 2011 in IT
Search Engine Poisoning

Search Engine Poisoning

Geek’s Words of Wisdom

Posted: June 3, 2011 in IT

>There are 10 types of people in the world: those who understand binary, and those who don’t.

>If at first you don’t succeed; call it version 1.0

>Microsoft: “You’ve got questions. We’ve got dancing paperclips.”

>My pokemon bring all the nerds to the yard, and they’re like you wanna trade cards? Darn right, I wanna trade cards, I’ll trade this but not my charizard.

>1f u c4n r34d th1s u r34lly n33d t0 g37 l41d.

>I’m not anti-social; I’m just not user friendly.

>I would love to change the world, but they won’t give me the source code

>Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

>A computer lets you make more mistakes faster than any invention in human history – with the possible exceptions of handguns and tequila.

>My software never has bugs. It just develops random features.

>The box said ‘Requires Windows 95 or better’. So I installed LINUX.

>Roses are #FF0000
Violets are #0000FF
All my base
Are belong to you

>People say that if you play Microsoft CD’s backwards, you hear satanic things, but that’s nothing, because if you play them forwards, they install Windows.

>The speed of sound is defined by the distance from door to computer divided by the time interval needed to close the media player and pull up your pants when your mom shouts “OH MY GOD WHAT ARE YOU DOING!!!”

>The glass is neither half-full nor half-empty: it’s twice as big as it needs to be.

>In a world without fences and walls, who needs Gates and Windows?

>You have just received the Amish Computer Virus. Since the Amish don’t have computers, it is based on the honor system. So please delete all the files from your computer. Thank you for you cooperation.

>Passwords are like underwear. You shouldn’t leave them out where people can see them. You should change them regularly. And you shouldn’t loan them out to strangers.

>Failure is not an option — it comes bundled with Windows.

>Enter any 11-digit prime number to continue…

>Ethernet (n): something used to catch the etherbunny

>You know it’s love when you memorize her IP number to skip DNS overhead.


>Windows had detected you do not have a keyboard. Press ‘F9″ to continue.

>Use The Best…
Linux for Servers
Mac for Graphics
Palm for Mobility
Windows for Solitaire

>Artificial Intelligence is no match for Natural Stupidity.

>UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity.


>Hand over the calculator, friends don’t let friends derive drunk.

>MICROSOFT = Most Intelligent Customers Realize Our Software Only Fools Teenagers

>The code that is the hardest to debug is the code that you know cannot possibly be wrong.

>A thousand words are worth a picture, and they load a heck of a lot faster.

>Girls are like internet domain names, the ones I like are already taken.

>A Life? Cool! Where can I download one of those?

>Unix, DOS and Windows…the good, the bad and the ugly.

>How do I set a laser printer to stun?

>I spent a minute looking at my own code by accident. I was thinking “What the hell is this guy doing?”

>Software is like sex: It’s better when it’s free.

>Better to be a geek than an idiot.

>Alcohol & calculus don’t mix. Never drink & derive.

>The difference between e-mail and regular mail is that computers handle e-mail, and computers never decide to come to work one day and shoot all the other computers.

>Windows XP -now comes with free anger management courses.

>I see fragged people

>Who needs friends? My PC is user friendly.

>Windows does not detect a keyboard…Please press ‘ENTER’ to continue…

>Never make fun of the geeks, one day they will be your boss.

>Video games are bad for you? That’s what they said about Rock-n-Roll.

>ACs are like computers- Both work fine until you open Windows!

>I don’t care if the software I run is unstable crap, as long as it is the LATEST unstable crap.

>Who is General Failure and why is he reading my disk?

>”Concept: On the keyboard of life, always keep one finger on the escape button.”

>Computer Science is no more about computers than astronomy is about telescopes.

>Beware of computer programmers that carry screwdrivers.

>Whoa! I can submit my prayers via html based forms!

>Cool people are just idiots wearing pricy clothes

>Who wants to be cool when you can be a nerd

>Who needs the library? I’ve got google!

>You laugh at me because I’m differnt. I pity you because you all use the same damn quotes for your internet profiles.

A-Z bash commands

Posted: April 24, 2011 in IT

I’d like to point out to everyone before reading that this list is very far from completion and does not include all of the extendable possibilities. When I say this, nmap isn’t a built-in command until you install nmap. These commands just stand for those that come with a Linux/UNIX BASH installation.


adduser Add a user to the system
addgroup Add a group to the system
alias Create an alias •
apropos Search Help manual pages (man -k)
apt-get Search for and install software packages (Debian)
aspell Spell Checker
awk Find and Replace text, database sort/validate/index


basename Strip directory and suffix from filenames
bash GNU Bourne-Again SHell
bc Arbitrary precision calculator language
bg Send to background
break Exit from a loop •
builtin Run a shell builtin
bzip2 Compress or decompress named file(s)


cal Display a calendar
case Conditionally perform a command
cat Display the contents of a file
cd Change Directory
cfdisk Partition table manipulator for Linux
chgrp Change group ownership
chmod Change access permissions
chown Change file owner and group
chroot Run a command with a different root directory
chkconfig System services (runlevel)
cksum Print CRC checksum and byte counts
clear Clear terminal screen
cmp Compare two files
comm Compare two sorted files line by line
command Run a command – ignoring shell functions •
continue Resume the next iteration of a loop •
cp Copy one or more files to another location
cron Daemon to execute scheduled commands
crontab Schedule a command to run at a later time
csplit Split a file into context-determined pieces
cut Divide a file into several parts
date Display or change the date & time
dc Desk Calculator
dd Convert and copy a file, write disk headers, boot records
ddrescue Data recovery tool
declare Declare variables and give them attributes •
df Display free disk space
diff Display the differences between two files
diff3 Show differences among three files
dig DNS lookup
dir Briefly list directory contents
dircolors Colour setup for `ls’
dirname Convert a full pathname to just a path
dirs Display list of remembered directories
dmesg Print kernel & driver messages
du Estimate file space usage


echo Display message on screen •
egrep Search file(s) for lines that match an extended expression
eject Eject removable media
enable Enable and disable builtin shell commands •
env Environment variables
ethtool Ethernet card settings
eval Evaluate several commands/arguments
exec Execute a command
exit Exit the shell
expect Automate arbitrary applications accessed over a terminal
expand Convert tabs to spaces
export Set an environment variable
expr Evaluate expressions


false Do nothing, unsuccessfully
fdformat Low-level format a floppy disk
fdisk Partition table manipulator for Linux
fg Send job to foreground
fgrep Search file(s) for lines that match a fixed string
file Determine file type
find Search for files that meet a desired criteria
fmt Reformat paragraph text
fold Wrap text to fit a specified width.
for Expand words, and execute commands
format Format disks or tapes
free Display memory usage
fsck File system consistency check and repair
ftp File Transfer Protocol
function Define Function Macros
fuser Identify/kill the process that is accessing a file


gawk Find and Replace text within file(s)
getopts Parse positional parameters
grep Search file(s) for lines that match a given pattern
groups Print group names a user is in
gzip Compress or decompress named file(s)


hash Remember the full pathname of a name argument
head Output the first part of file(s)
help Display help for a built-in command •
history Command History
hostname Print or set system name


id Print user and group id’s
if Conditionally perform a command
ifconfig Configure a network interface
ifdown Stop a network interface
ifup Start a network interface up
import Capture an X server screen and save the image to file
install Copy files and set attributes


join Join lines on a common field


kill Stop a process from running
killall Kill processes by name


less Display output one screen at a time
let Perform arithmetic on shell variables •
ln Make links between files
local Create variables •
locate Find files
logname Print current login name
logout Exit a login shell •
look Display lines beginning with a given string
lpc Line printer control program
lpr Off line print
lprint Print a file
lprintd Abort a print job
lprintq List the print queue
lprm Remove jobs from the print queue
ls List information about file(s)
lsof List open files


make Recompile a group of programs
man Help manual
mkdir Create new folder(s)
mkfifo Make FIFOs (named pipes)
mkisofs Create an hybrid ISO9660/JOLIET/HFS filesystem
mknod Make block or character special files
more Display output one screen at a time
mount Mount a file system
mtools Manipulate MS-DOS files
mv Move or rename files or directories
mmv Mass Move and rename (files)


netstat Networking information
nice Set the priority of a command or job
nl Number lines and write files
nohup Run a command immune to hangups
nslookup Query Internet name servers interactively


open Open a file in its default application
op Operator access


passwd Modify a user password
paste Merge lines of files
pathchk Check file name portability
ping Test a network connection
pkill Stop processes from running
popd Restore the previous value of the current directory
pr Prepare files for printing
printcap Printer capability database
printenv Print environment variables
printf Format and print data •
ps Process status
pushd Save and then change the current directory
pwd Print Working Directory


quota Display disk usage and limits
quotacheck Scan a file system for disk usage
quotactl Set disk quotas


ram ram disk device
rcp Copy files between two machines
read Read a line from standard input •
readarray Read from stdin into an array variable •
readonly Mark variables/functions as readonly
reboot Reboot the system
rename Rename files
renice Alter priority of running processes
remsync Synchronize remote files via email
return Exit a shell function
rev Reverse lines of a file
rm Remove files
rmdir Remove folder(s)
rsync Remote file copy (Synchronize file trees)


screen Multiplex terminal, run remote shells via ssh
scp Secure copy (remote file copy)
sdiff Merge two files interactively
sed Stream Editor
select Accept keyboard input
seq Print numeric sequences
set Manipulate shell variables and functions
sftp Secure File Transfer Program
shift Shift positional parameters
shopt Shell Options
shutdown Shutdown or restart linux
sleep Delay for a specified time
slocate Find files
sort Sort text files
source Run commands from a file `.’
split Split a file into fixed-size pieces
ssh Secure Shell client (remote login program)
strace Trace system calls and signals
su Substitute user identity
sudo Execute a command as another user
sum Print a checksum for a file
symlink Make a new name for a file
sync Synchronize data on disk with memory


tail Output the last part of files
tar Tape ARchiver
tee Redirect output to multiple files
test Evaluate a conditional expression
time Measure Program running time
times User and system times
touch Change file timestamps
top List processes running on the system
traceroute Trace Route to Host
trap Run a command when a signal is set(bourne)
tr Translate, squeeze, and/or delete characters
true Do nothing, successfully
tsort Topological sort
tty Print filename of terminal on stdin
type Describe a command •


ulimit Limit user resources •
umask Users file creation mask
umount Unmount a device
unalias Remove an alias •
uname Print system information
unexpand Convert spaces to tabs
uniq Uniquify files
units Convert units from one scale to another
unset Remove variable or function names
unshar Unpack shell archive scripts
until Execute commands (until error)
useradd Create new user account
usermod Modify user account
users List users currently logged in
uuencode Encode a binary file
uudecode Decode a file created by uuencode


v Verbosely list directory contents (`ls -l -b’)
vdir Verbosely list directory contents (`ls -l -b’)
vi Text Editor
vmstat Report virtual memory statistics


watch Execute/display a program periodically
wc Print byte, word, and line counts
whereis Search the user’s $path, man pages and source files for a program
which Search the user’s $path for a program file
while Execute commands
who Print all usernames currently logged in
whoami Print the current user id and name (`id -un’)
Wget Retrieve web pages or files via HTTP, HTTPS or FTP
write Send a message to another user


xargs Execute utility, passing constructed argument list(s)
yes Print a string until interrupted
. Run a command script in the current shell
### Comment / Remark

Furthermore, if you would like to learn more of these commands simply type the command prepended with the “man” command. So if you would like to learn more of the “echo” command you would type “man echo”. This will then display any documentation and/or manuals for the command. Whilst it is not necessarily to replace the –help parameter, it can be useful for learning more of how the command works.

I’d also like to ad that “false : Do nothing, unsuccessfully” is my favourite command.

credit: NoX

DNS Poisoning

Posted: April 23, 2011 in IT

This is an introduction to DNS poisoning which also includes an example of quite a nifty application of it using the IP Experiment. It’s purely educational, so I’m not responsible for how you use the information in it. You’re free do redistribute this tutorial wherever you like, but please keep it in its original form and credit me.

To start, you’ll need

  • A computer running Linux (Ubuntu in my case)
  • A basic understanding of how the Domain Name System (DNS) works

Note that this is a more advanced topic; don’t try this if you don’t know what you’re doing.

Part 1 – Why DNS?

The DNS provides a way for computers to translate the domain names we see to the physical IPs they represent. When you load a webpage, your browser will ask its DNS server for the IP of the host you requested, and the server will respond. Your browser will then request the webpage from the server with the IP address that the DNS server supplied.

Here’s a pretty diagram to help explain it

DNS server

If we can find a way to tell the client the wrong IP address, and give them the IP of a malicious server instead, we can do some damage

Part 2 – Malicious DNS Server
So if we want to send clients to a malicious web server, first we need to tell them its IP, and so we need to set up a malicious DNS server.
The server I’ve selected is dnsmasq – its lightweight and the only one that works for this purpose (that I’ve found)
To install dnsmasq on Ubuntu, run sudo apt-get install dnsmasq, or on other distributions of Linux, use the appropriate package manager.

Once you’ve installed it you can go and edit the configuration file (/etc/dnsmasq.conf)

sudo gedit /etc/dnsmasq.conf

The values in there should be sufficient for most purposes. What we want to do is hard-code some IPs for certain servers we want to spoof

The format for this is address=/HOST/IP

So for example;


..where is the IP of your malicious web server

Save the file and restart dnsmasq by running

sudo /etc/init.d/dnsmasq restart

You now have a DNS server running which will redirect requests for to

Part 3 – Malicious Web Server
You probably already have a web server installed. If not, install apache. This is pretty basic, so I won’t cover it here.

There are a couple of things you can do with the web server. It will be getting all the traffic intended for the orignal website, so the most likely cause of action would be to set up some sort of phishing site

I’ll presume you know how to do that though ^_^

Another alternative is to set up some sort of transparent proxy which logs all activity. I might come back to this in the future.

Part 4 – I Can Be Ur DNS Server Plz?
Okay, so now you’ve got a DNS server pointing clients to your malicious server. But no one’s going to listen to it, because it’s not anyone’s DNS server.

You need to set your victim to use your malicious server as its DNS server. If you can access their router settings, this can normally be set. Normally there are two DNS servers specified; change one of them to the IP of your malicious DNS server, hit enter and voila!

Now just wait for your victim to browse to the spoofed website and you’ll have fun playing with their data!

An alternative is to, instead of a spoof webserver, set up a Metasploit browser_autopwn module as detailed here. You can have lots of fun with that ;)

But how do you get a victim? Well this is where my project, the IP Experiment could come in handy. (Link)
If you don’t know, the IP Experiment basically harvests people’s IPs through websites such as forums and scans them for open ports. A surprising number of these IPs have port 80 open and more often that not, that leads straight to a router configuration mini-site. ‘Admin’ and ‘password’ will get you far in life; its fairly easy to login and change the DNS settings, and BOOM. You have a victim!



Posted: April 23, 2011 in IT

NOTE: Some statements in here apply to beginners. If you read this and are an advanced user, you might say: “That is not true, I know a way….”. Correct. But it is impossible to include every exception and technique without creating confusion. Read this essay as if you are a beginner….

NOTE 2: Some basic rules all good crackers and exploiters adhere to: Do not change, alter, or delete any info you may find on a site. This is just not done, and can actually
result in prosecution if you get caught.

On your exploiting journey, you may also come across confidential information from members, such as home addresses, credit card info etc. I know I have, many times over. I even found a hole where I could have the checks of site referrals sent to my account! Never use this information to your personal gain! This will be considered theft and misuse of personal information, and can get you into serious trouble…

OK, now with that out of the way, let’s start the series on Exploiting…!


OK, so you are tired of bruteforcing, have spoofed a couple of sites, and have seen posts with custom passes or complete member lists…and you wanna know how… If so, this essay is for you.

This basic exploiting essay assumes you understand or master the following techniques and skills with respect to website security:

* – Basic HTML
* – Brute forcing
* – Proxy use
* – Basic URL handling
* – Basic website structures
* – Basic Spoofing
* – Good AD skills or similar

But most importantly, you need a good brain and have a sincere interest in website security. Exploiting takes a lot of time and requires research on a regular basis. On the other hand, the rewards are well worth the effort in my opinion!

When trying to test the security of websites, you can gain access in the following manners, listed in order of technical difficulty:

1. 1. Guess passwords
2. 2. Brute force attacks
3. 3. Spoof the site
4. 4. Get and decrypt passfiles or logs
5. 5. Using scripts to add passes
6. 6. Get admin access (via telnet or browser)
7. 7. Hack the server via telnet

As you can see in the list above, exploiting is really nothing more than increasing your chances of getting access. Guessing passwords…to bruteforcing…to decrypting passfiles or logs…you increase your chances of getting a working pass with less effort!


Since there are excellent tuts on this already, I am not going to spend a lot of time on this. One question I see a lot from newbies is that they “can not locate the htpasswd”….

A few notes on htaccess and htpasswd:

* – htaccess only sometimes shows the dir to the htpasswd (or passwd or different name)
* – the chances of getting this file are slim, as this vulnerability is well-known out there and most webmasters have denied you access, hidden the file, or placed the file on their home dir.

For the fans, here is some more detailed info on the subject I found:
In order to find the .htpasswd (or interpret the .htaccess) you need to understand the difference between the web root and the system root.

The AuthUserFile is specified in terms of the system root. That is, the directory structure you would see if you were actually logged into the computer through a terminal.

When a web browser accesses a machine, it is through a web server. The web server is configured so that the browser will start at some specific directory in the machine. I refer to that as the web root. It is specified in the web server configuration file, off in some directory you can’t browse to.

So, lets say that the web root is set to /home/users/ When you surf to http:/ you find yourself in the machine directory /home/users/ (but nothing really tells you that), and if there is an index.html there, you will display it.

So lets say that the web root is set as above, and that the .htaccess contains the line:


AuthUserFile /home/users/

(or something similar)

Applying what I said above, you would find the .htpasswd at:



Since the web root is /home/users/ You still may not be able to read it because it might be forbidden through some other method, say only accessible from certain IP addresses, or . files are not accessible through their web server.

Now, lets say the .htaccess said:


AuthUserFile /home/users/


Now, there is no way we can get to it since the web root puts us in home/users/ and we are well past the days when you could back up above a web root in an Apache web server.

If ../ worked, we would be in luck, since we could specify…dden/.htpasswd. This used to work, or the unicoded version worked, or the double unicoded version worked, or quotes worked, or unicoded quotes, etc., etc. Not so anymore….

Our only hope, when the .htpasswd is not on the web root, is to find another exploit that will allow us to access files. Such things exist but are hard to find, so read on….


Well, as you tried to get the passfile looking for it in the obvious locations, and failed…maybe there are other ways of obtaining it….

Using AD or another security scanner, you can start looking for so-called vulnerabilities. This means testing the website for security, and trying to find ways into the site. How does this work, you ask? We need a tool to test the security…

For these essays, I will be talking about a tool called WebSiteFinder, or WSF in short. Written by Wolfman, this is a great tool, in my opinion. AD or Passcraft can do the same, so use whatever you feel comfortable with. If you start out, use AD.

To make these tools really effective, you need an exploit list. This is a list of basic paths that will be tested for possible vulnerabilities or access against the website. AD offers a basic exploit list, at least the older versions did. Exploit lists can be found all over the web, but please realise these are very basic, and some of the holes (=vulnerabilities) they have in it, are old and will not work anymore on most sites.


Really good exploiters or crackers will not share their lists with you. The reason: Once some exploits are made public, chances are the holes will be discovered quickly and thus closed! And that is a bummer.

So you have to build your own list. How, you ask? Here are a few tips.

First place to start, is to analyze your current exploit list. What makes sense, and what does not. What paths do you understand? Why do you think that particular path is a vulnerability, and if you came accross it, how would you use it? If you don’t know, ask on a forum via PM, there are many people around that can and will help you. Moreover, read up on security sites (better get used to it), such as packetstorm, securiteam, etc.

NOTE: It is no use to just try exploits on sites if you don’t understand what you are doing. The results can be very bad. You could, unwillingly, do damage to the site!

Look at directory trees of sites you visit. Try to go up and down in levels in the dir to possibly find more holes…copy these to your exploit list.

These are KING in my book. Why? Stats show the requests made to a website, and some stats list all the requests….including those of someone trying to exploit the site. The paths that this person tried may not have worked on the site, but heh, copy them to your exploit list, they may come in handy for other sites! Access logs show the same thing…moreover, they might tell you alot about the server, home server (FTP logs), usernames, and the basic website structure.

INTERMEZZO: “What to do with the usernames?”
This is a question I get a lot. Someone has seen the stats, and now has a list of usernames. Now what? Well, half the battle is won! Remember the statement I made about increasing your chances in getting access? This is it! Proceed in two ways:
1. Use the usernames and one of your wordlists to do a BF attack
2. Match the usernames to working combos you have. There are tools for this, and try to see if the combos work. Many users use the same password for different sites…see where I am getting at?


I love google. I embrace googling. You should too. Make googling your hobby! Type in a path or exploit, and see what you get, you will be surprised! It will lead you to access logs, vulnerability reports, cool sites, etc. Whatever you find and think is useful, copy to your exploit list…

Credits: Adnan Anjum