The risk of simple answers to security questions



When we create a new account at some network application, we usually find a field for a security question.
The security question is used to reset the password if we have forgotten the password of that account, but with a simple answer to the security question anyone can use it as a way to take over our account.

For example:
Vince has a problem with Andre, and Andre doesn't like Vince because she hasn't apologized for that problem. So Andre makes a plan to take over all of Vince's accounts.
Andre knows that Vince has an account on a social network, so he makes a fake account on that social network under the name Anton and tries to get close to Vince without Vince knowing that Anton is Andre (a social engineering technique).
After Vince believes that Anton is real,
Andre tries to take over Vince's mail, because Andre thinks there is more private information and some private mail in Vince's inbox. The simple way Andre knows is to reset the password with the security question of Vince's account.

Now Andre goes to the mail server where Vince has an account. He opens the forgot-password feature on that site, chooses the security-question mode and tries to answer the question.
An example question is: Where was your father born?
If Andre doesn't know the answer, he can ask Vince directly through Anton's account. One other way:
Anton : Where are you from, Vince?
Vince : Tokyo
Anton : Is your father from there too?
Vince : No, my father was born in Yokohama.

Create a backdoor using SQL injection

The first step is to search for SQL injection vulnerabilities at the site, and I've found an SQL injection vulnerability at that site in the URL: http://192.168.56.103/joomla/index.php?option=com_aardvertiser&cat_name=user&task=view

Now, try to inject it with sqlmap using the syntax:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.103/joomla/index.php?" --data "option=com_aardvertiser&cat_name=user&task=view" -p cat_name --dbs

Then the result is:
[03:18:19] [WARNING] POST parameter 'cat_name' is not injectable
[03:18:19] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
[*] shutting down at: 03:18:19

What is SOCKS?

SOCKS is a generic proxy protocol for TCP/IP-based networking applications. The SOCKS protocol provides a flexible framework for developing secure communications by easily integrating other security technologies. When an application client needs to connect to an application server, the client machine connects to a SOCKS proxy server. The proxy server connects to the application server on behalf of the client, and relays data between the client and the application server. From the application server's point of view, the proxy server is the client.
Meanwhile, in HTTP, a web browser initiates a request to a server, typically by opening a TCP/IP connection. The request itself comprises a request line, a set of request headers, and an entity. The server then sends a response that comprises a status line, a set of response headers, and an entity. The entity in the request or response can be thought of simply as the payload, which may be binary data; the other items are readable ASCII characters. When the response has been completed, either the browser or the server may terminate the TCP/IP connection, or the browser can send another request.
References:
http://www.infosecwriters.com/text_resources/pdf/what_is_socks.pdf
http://www.silicon-press.com/briefs/brief.http/brief.pdf
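The client / proxy / application-server exchange described above, written out as SOCKS5 (RFC 1928) messages. This is an added example, not code from the original post or from the referenced papers; the post names no SOCKS version, so version 5, the no-authentication method, a domain-name destination and the sample host example.com:443 are all assumptions.

```python
# Added example: the SOCKS exchange (client -> proxy -> application server) as SOCKS5
# messages per RFC 1928. Version 5 and the sample values are assumptions; runs offline.
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00          # "no authentication required"
METHOD_NONE_ACCEPTABLE = 0xFF  # proxy supports none of the offered methods
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00

def client_greeting(methods=(METHOD_NO_AUTH,)):
    """Client -> proxy: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])

def proxy_select_method(greeting, supported=(METHOD_NO_AUTH,)):
    """Proxy -> client: VER | METHOD. Rejects anything that is not a SOCKS5 greeting."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    offered = greeting[2:2 + greeting[1]]
    chosen = next((m for m in offered if m in supported), METHOD_NONE_ACCEPTABLE)
    return bytes([SOCKS_VERSION, chosen])

def client_connect_request(host, port):
    """Client -> proxy: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (domain-name form)."""
    name = host.encode("ascii")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)

def proxy_parse_request(request):
    """Proxy side: recover the destination it must connect to on the client's behalf."""
    ver, cmd, _rsv, atyp = request[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:
        raise ValueError("unsupported SOCKS request")
    n = request[4]
    host = request[5:5 + n].decode("ascii")
    (port,) = struct.unpack("!H", request[5 + n:7 + n])
    return host, port

def proxy_reply(rep=REP_SUCCEEDED, bound_ip="0.0.0.0", bound_port=0):
    """Proxy -> client: VER | REP | RSV | ATYP(IPv4) | BND.ADDR | BND.PORT."""
    return bytes([SOCKS_VERSION, rep, 0x00, 0x01]) + socket.inet_aton(bound_ip) + struct.pack("!H", bound_port)

def handshake(host="example.com", port=443):
    """Walk the whole exchange with constructed values; returns (destination, REP)."""
    if proxy_select_method(client_greeting())[1] == METHOD_NONE_ACCEPTABLE:
        raise RuntimeError("no common authentication method")
    dest = proxy_parse_request(client_connect_request(host, port))
    return dest, proxy_reply()[1]  # a real proxy would now open a TCP connection to dest
```

The relay step itself (copying bytes between the two TCP connections) is left out; the functions show only the messages each side sends and parses.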

Test a system

Information Gathering
Take the target IP.

Service Enumeration
Scanning with nmap, the result is:
Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-14 10:25 WIT
Nmap scan report for 192.168.56.101
Host is up (0.0011s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
443/tcp   open  https
3306/tcp  open  mysql
MAC Address: 08:00:27:A5:0B:F5 (Cadmus Computer Systems)
Port 80 is open, and trying to open the page of that system, there is a Joomla template as the main page. I scanned for folder names which probably exist on that system with DirBuster and I found a folder XAMPP.

What is .htaccess?

.htaccess (hypertext access) is the default name of a directory-level configuration file that allows decentralized management of web server configuration; with .htaccess we are able to override a subset of the server's global configuration. The original purpose of .htaccess was to allow per-directory access control (e.g. requiring a password to access the content), hence the name.

How to configure .htaccess?
If you want to call your .htaccess file something else, you can change the name of the file using the AccessFileName directive. For example, if you would rather call the file .config then you can put the following in your server configuration file: