Follow us on Twitter!
The measure of a mans life is not how well he dies, but how well he lives.
Sunday, April 20, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 33
Guests Online: 28
Members Online: 5

Registered Members: 82848
Newest Member: aIjundi
Latest Articles
View Thread

HellBound Hackers | Computer General | Web hacking

Page 1 of 2 1 2 >
Author

My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-07 05:05
Okay, so I'm beginning to get ideas of a possibly much better method of teaching/practicing hacking techniques.

Basically, in my opinion, missions like those found on common hacking sites don't really do justice for properly teaching technique. They just accept a single attack string, the user is like 'alright, mission beaten!' then they move on without learning much. Too much simulation.

I was just thinking, maybe something like this would be a better idea (im just going to talk about xss/sql inject but this could be applied to anything):

XSS

So there is a guestbook (input field, submit button, and all previous entries)

Above this, there is a drop down <options> menu, with different filter types. Lets just take some common PHP functions for example strip_tags() and htmlentities().

You choose one of the filter types you are going to try to penetrate, and enter your injection.

The page then outputs the HTML input and output, so the user can see exactly how the filter changed the input and output. Personally i believe this would promote learning.

SQL inject
Next, for teaching SQL injection technique, there would be a very similar setup (and a real, not simulated SQL engine). An input field, a dropdown menu of different sql injection filtering techniques, and fields showing the input, filtered input, and output.

This way the user could see the exact query that was being submitted, how the filter affected it, and what the resulting set of values was.

there would not be points involved, just goals with checkmarks and hints.

would anybody be interested in using this/ helping code it/ providing input? other opinions? (especially from Zephyr, flame_1221, lloh, skunkfoot)


Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-07 05:07
yes, I think it's a great idea and I'd love to help. My last exam is Thursday so I'll have about a month after that to help. Just hit me up on AIM or MSN. Smile


EDIT: oh, and by the way, pirates < ninjas in almost every way. (short of sailing ability)




Edited by on 12-12-07 05:13
Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-07 05:21
Awesome. Once we get a few more people on board we could really get this thing into action.

Then we have to ask ourselves:

What would the site be called (or maybe a new section of hbh or something?)

How would we host it (freehostia.com is pretty awesome. thats what im thinkin with free php,sql,database space)

Should there be a login, or just cookies to track progress.


[offtopic] ahh see, i disagree. Ninjas are great at killing and being sneaky and stuff, but they do this because they are told. pirates travel the seas with the free spirit and belong to no nation. they do what they want. the pirates are free people. bein a pirate is all about the spirit of it all.[/offtopic]


Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-07 05:24
I'm thinking it should be a new section on HBH. (A new series of challenges) Although I don't quite know how that would work.

[offtopic]
Historically, you are correct, ninjas do what they are told. However, that doesn't mean that a ninja is not free. Smile
[/offtopic]


Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-07 05:32
Okay, that sounds good.

Well have to talk to Cheese, or maybe a section on DMZ and talk to R0me0.

Maybe it would work by,

well let me say something else first. wouldnt it be more logical to group missions by attack type? i think it would be a lot more constructive if there was an 'xss' category rather than 'basic' and 'realistic' categories.

anyways, i think it would be the best if there was an xss category, and you had to sequentially penetrate different filters. if you penetrated them all, you get an 'xss master' badge on your profile, but no points or something.

or possibly there are no points and no awards at all, it is just for your own personal benefit. under the 'training ground' section of the site. i dont know i just think learning is so inhibited by the simulated challenges. like people learn so much by guessing and checking and getting feedback.


Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-07 05:36
yeah. Like a section for XSS with different levels of challenges. (Like the basic challenges, only with XSS for all the challenges with varying degrees of difficulty)

Also, I was just thinking, we can't just change everything about HBH. Maybe it would be better, but that's not our decision. Pfft

Oh, and DarkMindZ already has a web wars thing going on. They're not really focusing on challenges right now. (the web wars should prove more educational than challenges anyway)


Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-07 05:36
Sounds like a good idea to me, might be hard to work out with a real SQL engine though,but eh, i'll lend a hand where i can if u want.


Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-07 05:53
Skunkfoot wrote:
Also, I was just thinking, we can't just change everything about HBH. Maybe it would be better, but that's not our decision. :P

this is true, but frustrating.

Skunkfoot wrote:
Oh, and DarkMindZ already has a web wars thing going on. They're not really focusing on challenges right now. (the web wars should prove more educational than challenges anyway)


ah i see. not sure if i like the idea tho. on the one hand, the individuals involved will learn loads. but on the other hand, it makes it much more difficult for less devoted and less involved individuals to learn anything at all. maybe if teams wrote articles about how the attack was executed, and they left the servers up for others to try after the web war was over?

Yeah, an XSS section would be a really cool idea.

maybe something along the lines of.

level 1:

no filter. try to get <script>alert(1)</script> thru. just copy and paste.


level 2:

quote striping filter in place. try to get <script>alert('hello')</script> thru. solve by A) javascript CharCode ascii B)convert from hex C) convert from base 64



level 3:

maybe there is an example, where you enter a username, and it is presented in the title at
<title>Welcome, $username</title>

you solve by breaking out of the <title> tag, to inject an alert('xss') tag.

etc, etc im sure we could come up with tons of ideas that would really have users learn what they are doing.


[edit]
and heres a good example of an SQL engine http://www.w3schools.com/sql/trysql.asp
that is something along the lines of what i was thinking
[/edit]





Edited by on 12-12-07 05:58
Author

RE: My idea for a web hacking training ground

Uber0n
Member



Posts: 1963
Location: Sweden‭‮
Joined: 13.06.06
Rank:
Hacker Level 3
Posted on 12-12-07 14:02
A XSS testing area like this already exists.

http://h4k.in/xss. . .

An unfiltered SQL injection area like this would be damn fun but still dangerous, and if it had filters or restricted permissions etc it wouldn't be very useful Frown


img230.imageshack.us/img230/724/uber0nsig3hj6.gif
http://uber0n.web. . .
Nope http://uber0n.webs.com/
Author

RE: My idea for a web hacking training ground

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 12-12-07 15:57
Your process of thinking is flawed, you do are not the book of all, you do not contain every attack.

Anyway, your suggestions are already done, on every degree/level. There's loads of testing things out there.

Stop thinking challenges, stop thinking levels. It's one board. One game.



img507.imageshack.us/img507/3580/spynewsig3il1.png
"The chowner of property." - Zeph
[small]
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
[/s
http://bitsofspy.net
Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-07 17:31
Skunkfoot wrote:
EDIT: oh, and by the way, pirates < ninjas in almost every way. (short of sailing ability)


Well, pirates steal software.
Ninjas just kinda, sit there.

Wink

[ontopic]
I suppose I could help, although, based on that previous link, it does seem to be a concept that's been previously visited.

Also, do you plan to actually bypass the php functions such as strip_tags() and htmlentities(), or just demonstrate how they filter? Because, you're going to have one hell of a time trying to get around them.

The SQL injection one sounds a lot more promising, but can you really simulate EVERY type of filtering?

There will always be some left by the wayside.

Edited by on 12-12-07 17:33
Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-07 22:19
Ah thanks for the feedback.

@uber0n: ah thanks for the link i will enjoy that Grin and although it has been done, most users are not going to find that link, and will not learn very much. i think hbh should link to that. Anyways, I see where you are coming from.

What if i set up a site with a basic registration/login system, but SQL injections running rampant. Then every 24 hours or so, the database would revert to a default to restore all the damage that has been done. Any opinions on this?

@spyware: thanks for the confidence and support :happy:

@lloh: i meant a strip quote function, not strip tags my bad. And both, demonstrate strip_tags() and htmlentities(), but also have addslashes() and magic quotes and things that will have more possible vulnerabilities.


Author

RE: My idea for a web hacking training ground

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 12-12-07 22:22
@DigitalFire, thanks for the sarcastic comments without providing any information or serious reply to my post :happy:



img507.imageshack.us/img507/3580/spynewsig3il1.png
"The chowner of property." - Zeph
[small]
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
[/s
http://bitsofspy.net
Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-12-07 23:38
Alright, fine. let me redo that.

@spyware: okay, so im not the book of all nor do i contain every attack... :right: anyways, although it may have been done on every degree/level, it has not been done on every degree/level in our community. personally i have never encountered anything of the sort during my experience on hbh or hts. i was suggesting that it would be beneficial for our members. And please expand on "your process of thinking is flawed". Im not trying to fight, just get feedback.




Edited by on 12-12-07 23:39
Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 13-12-07 02:18
@DigitalFire
Its a good idea, I created something similar (but not the same) as this when I ran my own website (learn2hack.net).
I had a couple XSS "challenges" and I was working on an SQL area (unfortunately I had to stop as my grades plummeted as I stopped doing any work on anything but this).
Personally I had the XSS stored within text files (which was a major mistake to start off with) and had several different pages each one with a different level of security. But this idea of having a drop down menu with the possible levels of security is something I hadn't thought of nor have I seen anywhere that does this, so it would be interesting to see how well this would work.
My SQL area (which never got released unfortunately), used a collection of I think it was 50 databases, each with its own user (which could only access that database) and stored the details within a separate database. Then the if a user wanted to access the SQL area it would look for a free database then assign that database to the user (until they logged out or was idle for 10 minutes) then the user could perform basically all the SQL commands they wanted on the database. Once the database was finished with a script was run which deleted all the data/tables from the database and then created a default set of tables and inserted a default amount of data.
The idea with the SQL area was to have that as a basis and then use that system with a variety of different front ends, with varying levels of security on it.

I dont know whether that information would have been of any use, but either way I would be interested to see how this "training ground" works out

Satal Smile
Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 13-12-07 04:38
@satal: very cool, i wish the site was still up :happy:

interesting idea of multiple databases, where a user 'rents' one for a little while, then once they are done it is reset so the next user can access it. this would take more resources tho.


what about this: one database, which all users have access to. the only restriction is that users cannot access the basic user table which contains user/pass of everybody (so you dont have to re-register after somebody drops it).

to make things more fun, there should also be an admin table, news tables, and shit like that.

this way people can add their usernames to the admin table to gain access, remove other people (king of the hill style?), add/delete news, try to extract passwords from the admin table to login as the one and only super administrator. just lots of random things like that going on to practice SQL injection.

and users would have access to the source (of at least some pages, of the easier tasks) so that they can see the exact query and learn how to interpret/exploit code.


Author

RE: My idea for a web hacking training ground

richohealey
Member



Posts: 1022
Location: #!/usr/local/bin/python
Joined: 01.05.06
Rank:
Monster
Posted on 13-12-07 04:43
didn't have time to read this whole thread, if you want some help getting it up i can help.

Also i can knock up a csrf one if you want.


bitchohealey at hotmail dot com skype:richohealey www.psych0tik.net
Author

RE: My idea for a web hacking training ground


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 13-12-07 05:01
that could be a really awesome addition. our community seems also very csrf ignorant.

ill have to put some thought into this (and evaluate how much time i can put in) and ill get back to you and skunkfoot.


[edit] and Rank: Ninja? whaa? thats fucking awesome! [/edit]




Edited by on 13-12-07 05:02
Author

RE: My idea for a web hacking training ground

Uber0n
Member



Posts: 1963
Location: Sweden‭‮
Joined: 13.06.06
Rank:
Hacker Level 3
Posted on 13-12-07 06:27
Now this project is begining to sound really interesting :happy:


img230.imageshack.us/img230/724/uber0nsig3hj6.gif
http://uber0n.web. . .
Nope http://uber0n.webs.com/
Author

RE: My idea for a web hacking training ground

richohealey
Member



Posts: 1022
Location: #!/usr/local/bin/python
Joined: 01.05.06
Rank:
Monster
Posted on 13-12-07 06:46
I've been coding some other challenges, which are in some ways quite similar to this as well, but you'll have to wait and see Pfft


bitchohealey at hotmail dot com skype:richohealey www.psych0tik.net
Page 1 of 2 1 2 >