Dec 18, 2019, 02:46 AM

Session 17 :

Introduction to BurpSuite
Post Parameter Injection
File Upload Vulnerability - Shell File

----------------

---------------------------------------------
Union Based Injection :                     |
                                            |
GET Method --> ?something=something         |
---------------------------------------------

Post Parameter Injection

First we attack the website ---> find it vulnerable ---> get access to the server

Server --> The computer on which the website is placed/hosted

--------

Legal Testing Website --> DVWA (Damn Vulnerable Web Application)

This deliberately vulnerable PHP/MySQL application was released by a UK company for security professionals, so that we can practise our skills in a legal environment.


Download Link : https://github.com/ethicalhack3r/DVWA/archive/v1.0.8.zip

This downloads a zip containing a folder --> Extract it and copy-paste the folder into htdocs

C:\xampp\htdocs\ <-- Paste here (same as for WAVE)

Browser :

privateip/dvwa

(privateip = cmd --> ipconfig)

(First open privateip/dvwa/setup.php and click "Create / Reset Database", otherwise the login page has no database to check against.)

username : admin
password : password

3 Levels of Security

1. Low Level : Website with zero security <--- Break this

2. Medium Level : Some security, but still vulnerable <--- Break this

3. High Level : Hardened <-- Learn what a securely coded website looks like (apply this when developing websites)

---

Vulnerability : File Upload


If a website has an upload option, how can an attacker take advantage of it?

Upload Profile Picture

Upload Resume

Upload Video

etc

-----

Many times the upload function does not check which kind of file is being uploaded.

Here the option is to upload an image (.jpg), but we will try to upload a Notepad file (.txt) instead.


If the file is accepted ---> the site is vulnerable to a File Upload attack.

Also called Arbitrary File Upload or Shell File Upload.


Shell File (web shell) --> A file written by the attacker (for a PHP site, a .php script) in such a way that once it is uploaded to the server and then opened in the browser, it runs on the server and gives us command execution there without any password. It runs with the privileges of the web server process (the user Apache/XAMPP runs as).

Download Link : b374k.php (others: c99.php, r57.php etc.)

https://raw.githubusercontent.com/tennc/webshell/master/php/b374k/b374k-2.2.min.php


With the shell, and depending on the privileges the web server runs with, we can:

Shut down the server

Delete every website on the server

Edit any data on the server

-------------------------------------


We are going to upload this file to the website and check whether we can reach (open) it afterwards.


------

Upload succeeded & we got server access.

Go to htdocs ---> WAVE ---> index.php

We change the code of index.php.

This file is responsible for the look of the website.

---> Write our own code --> This process is called Defacing the website.

---------------------------------------------------

Let's try the same on Medium Security :

Medium --> Only images are accepted: the check looks at the Content-Type the browser sent (image/jpeg) and the file size, not at the file's actual contents.

Tomorrow ---> We will bypass this.

----------------------------------------------------

Tool Name : BurpSuite (Legitimate software, used by security teams in companies everywhere)

This tool sits between the browser and the website as an HTTP proxy and captures every request the browser sends out.

Once a request is captured in BurpSuite --> We can Edit it, Drop it, or Forward it unchanged.

[ Request : the data the browser sends to the current website (traffic); Burp also shows the response coming back ]

This tool is made by the company PortSwigger.

Free : Community Edition (some features limited)

Paid : Professional Edition <-- what companies buy

How to connect BurpSuite with the browser :

Step 1: Start BurpSuite

Step 2: Start the browser

Step 3: Browser ---> Settings ---> Network Settings | Proxy Settings

Step 4: Choose Configure ---> Manual Proxy

IP : 127.0.0.1

Port : 8080

Check mark - Use this proxy server for all protocols


Step 5: Click --> Apply & OK.

Step 6: Now go to BurpSuite --> Proxy --> Intercept --> Intercept is ON

Now all traffic going out from the browser is captured by BurpSuite.

(For HTTPS sites the browser must also trust Burp's CA certificate, downloadable from http://burp while proxied; otherwise every HTTPS page shows a certificate error.)

---------------------------

DVWA <-- Security

Only -> Images are allowed <-- Only Extension = .jpg

No other files can be uploaded

This security is in the website itself (server-side code).

--

My task is to upload : b374k.php

Trying to upload --> gives me an error
---

I rename : b374k.php to b374k.jpg

Genuine file : b374k.php <--

Not allowed to upload : b374k.php

Allowed to upload : b374k.jpg , but the problem is that it does not open (run): the server treats a .jpg as a picture, not as PHP, so the shell never executes.

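A worked comparison of the upload checks discussed above: the low level (no check), the medium level (trusts the browser's Content-Type header), an extension whitelist (the b374k.jpg rename passes it), and a hardened check that requires the extension and the file's own signature to agree. This is an added example written in Python for the notes, not DVWA's PHP code; the filenames, magic bytes and sample uploads are constructed. One caveat a practitioner should keep in mind: signature checks alone are not sufficient (image bytes can be prepended to a script), so the stored file should also get a server-generated name and live in a directory where nothing is executed.

```python
import os

# File signatures ("magic bytes") for the image types we accept.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED = {".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC, ".png": PNG_MAGIC}


def check_low(filename, content_type, data):
    """Low level: nothing is checked, every upload is accepted."""
    return True


def check_medium(filename, content_type, data):
    """Medium level: trusts the Content-Type header. That header is set by the
    client, so it proves nothing about what the bytes actually are."""
    return content_type in ("image/jpeg", "image/png")


def check_extension(filename, content_type, data):
    """Extension whitelist only. A shell renamed to .jpg passes (the notes'
    b374k.jpg case), but a correctly configured server will not run a .jpg
    as PHP, so the attacker gains nothing from it."""
    return os.path.splitext(filename)[1].lower() in ALLOWED


def check_hardened(filename, content_type, data):
    """Hardened: exactly one extension, from the whitelist, and the file's own
    signature must match that extension. Content-Type is ignored entirely."""
    base = os.path.basename(filename)          # drop any path component
    if base.count(".") != 1:                   # rejects shell.php.jpg style names
        return False
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED.get(ext)
    return magic is not None and data.startswith(magic)


# Constructed sample uploads: (filename, Content-Type sent by browser, first bytes)
SAMPLES = {
    "real photo":    ("photo.jpg", "image/jpeg", JPEG_MAGIC + b"\xe0\x00\x10JFIF"),
    "shell as php":  ("b374k.php", "application/x-php", b"<?php /* shell body */ ?>"),
    "shell renamed": ("b374k.jpg", "image/jpeg", b"<?php /* shell body */ ?>"),
    "double ext":    ("shell.php.jpg", "image/jpeg", JPEG_MAGIC + b"<?php ?>"),
}

CHECKS = {"low": check_low, "medium": check_medium,
          "extension": check_extension, "hardened": check_hardened}


def evaluate(samples=SAMPLES, checks=CHECKS):
    """Run every check over every sample; returns {sample: {check: accepted}}."""
    return {name: {cname: fn(*upload) for cname, fn in checks.items()}
            for name, upload in samples.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:14s}", {k: ("accept" if v else "reject") for k, v in results.items()})
```

Running it shows the renamed shell accepted by the low, medium and extension checks and rejected only by the hardened one, while the real photo passes all four.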
186
187--> BurpSuite is used only for checking website security
188
189Website is Secured <-- Perfect
190
191Website is not Secured <-- Developing Team again work on it.
192
193----
194100% <--- Correct,
195
196Payment
197
198Ecommerce --> 1000$ --> Pay Now --> Intercept ---> using BurpSuite --> Change the amount --> 1$ ---> Foward ---> Payment Gateway (PayPal, Paytm, Bank etc) ---> deduction will happen of 1$
199
200May b audit --> they think --> Coupon is applied
201
202Indian --> Student --> Already DID -->
203
204
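The price-tampering case above, as an added Python example (not code from any real shop): a checkout that charges the posted amount next to one that recomputes the total from a server-side catalogue, plus the audit check that tells tampering apart from a coupon. The catalogue, the two checkout requests and the field names are constructed for the example.

```python
# Server-side price list (constructed for the example).
CATALOGUE = {"laptop": 1000, "mouse": 20}


def total_vulnerable(request):
    """Charges whatever 'amount' the browser posted. Editing that one field in
    the intercepted request (1000 -> 1) is all it takes."""
    return int(request["amount"])


def total_hardened(request):
    """Recomputes the total from the server-side catalogue. The client-supplied
    'amount' is never used for charging; items and quantities are validated."""
    total = 0
    for item, qty in request.get("items", {}).items():
        if item not in CATALOGUE:
            raise ValueError(f"unknown item {item!r}")
        qty = int(qty)
        if qty < 1:
            raise ValueError(f"bad quantity {qty} for {item!r}")
        total += CATALOGUE[item] * qty
    if total <= 0:
        raise ValueError("empty order")
    return total


def audit_mismatch(request):
    """Audit check: a posted amount that differs from the recomputed total is
    tampering (or a bug), not a coupon. Returns (expected, posted) or None."""
    expected = total_hardened(request)
    posted = int(request.get("amount", expected))
    return None if posted == expected else (expected, posted)


# The checkout request as the browser sent it, the same request after editing
# in the proxy, and a negative-quantity variant (all constructed).
ORIGINAL = {"items": {"laptop": 1}, "amount": "1000"}
TAMPERED = {"items": {"laptop": 1}, "amount": "1"}
NEGATIVE = {"items": {"laptop": -3}, "amount": "-3000"}

if __name__ == "__main__":
    print("vulnerable charges", total_vulnerable(TAMPERED))   # 1
    print("hardened charges  ", total_hardened(TAMPERED))     # 1000
    print("audit             ", audit_mismatch(TAMPERED))     # (1000, 1)
```

The hardened handler ignores the amount field completely for charging; the audit function still reads it, because a mismatch is worth logging as a tampering attempt.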
205
206----
207
208Day 19:
209
210
211Introduction to Javascript
212Cross Site Scripting (XSS)
213Reflected & Stored XSS
214
215----------------------
216
217XSS : Cross Site Scripting Attack
218-----------------------------------
219
220This attack gives option to the hacker to make chnages in the code of the wesbsite via the Front End.
221
222
223Front End ; This is the part, with which user can be connected. This is called as Look of the website.
224
225
226Back End : This is the part of coding, with this only website owner/developer/administrator can be connected.
227
228Any change if we have to make in the website, we have to make in the back end of the website.
229
230
231
232Now, if any website gives us an option to put a code from the front end of the website & its got updated in the back end of the website.
233
234Such website called as : Vulnerable to XSS
235
236
237How to Testing:
238================
239
240In actual we can test by using any website coding language : HTML, PHP, ASP, Javascript etc
241
242
243Legal Testing language : JavaScript (This will not make any bad effect on website while testing)
244
245HTML : <html>***********</html>
246
247PHP : <?php*******?>
248
249Javascript : <script>********</script>
250
251
252Legal Testing script :
253
254We always test any website, by having a script of Pop-Up (ALert Box)
255
256If alert box is coming --> XSS Vulnerability
257
258No Pop-Up --> No XSS
259
260-----------------------------------------------
261
262
263<script>window.alert("Ade Hi Yemi Bye");</script>
264
265
266
267Demo :
268
269Genuine Function : We are adding in the BackEnd of the website
270
271w3schools.com (To Learn Backend COding Language - HTML PHP etc)
272
273
274How to Find XSS in Front End
275============================
276
277We have to look for some input parameters in the website
278
279Input Parameter : Where we can enter/type/write some thing.
280Eg : Search BOX
281URL
282Sign In
283Registration Form
284Contact US
285Message
286Comment
287etc
288
289
290
291Legal XSS testing website : testphp.vulnweb.com
292
293search box :
294
295<script>window.alert("Ade Hi Yemi Bye");</script>
296
297
298This show us a pop-up --> Its vulnerable
299
Two Types of XSS :

1. Temporary XSS (Reflected XSS)

We enter the code and it executes, but only once, at the moment we submit the script: the server echoes our input straight back in its response.

In this case our code is not written into the website's stored data.

Eg: Search box, website URL etc.


2. Permanent XSS (Stored XSS)

We enter the code, it executes, and it is saved on the server (e.g. in the database) permanently.

Every time someone opens this page, they will see the alert box.

It can only be removed by the website owner/developer/administrator.

This can create real problems for a website.


If everyone gets this pop-up on Amazon,

no one will go shopping there.

Who is in loss?? Amazon

So these companies say: if you are able to find XSS on our website, please don't play with it, instead please inform us,

and we will reward you <-- This program (process of reward) is called a Bug Bounty Program.

Every big company already runs such a program. (Apple - up to 1 Million USD)

Eg: Message box, Comments, or Registration form etc.

------

They give us the right to test their website --> If we find any bug --> Just inform them.

Facebook, Microsoft, Twitter, Google etc.



Find XSS in : testasp.vulnweb.com

Which XSS did you find?

------------------------



Security :

In all input parameters of the website:

1. They block : <script>

window.alert("Ade Hi Yemi Bye");

This is no longer a script & it will not work.

(Blocking the literal tag is weak on its own: a different spelling such as <SCRIPT>, or script placed in another tag, is not caught. Output encoding, point 2, is the reliable fix.)


2. They encode or reject all HTML special characters

Not allowing us to enter, or encoding on output, special characters: (), /, !, "", <>, & etc.

Encoded as &lt; &gt; &quot; the characters are displayed as text and do not execute.


3. Websites have a firewall (WAF) that watches for anyone trying any of the above.

It simply blocks that IP address from accessing the website.

Configuration (patterns that trigger the block) :

i. <script>

ii. alert("***")

iii. <html>

iv. <?php

v. <>?!@#$%^&*

Just block that public IP address.

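An added Python example (not code from testphp.vulnweb.com or any other site mentioned in the notes) covering the test above and the defences: a reflected search page rendered with and without output encoding, a stored comment list that serves the payload to every visitor, and the <script> blocklist from point 1 beside the case variant it misses. The page templates, the comment store and the helper that checks for a live script tag are constructed for the example.

```python
import html
import re

# The notes' test payload.
PAYLOAD = '<script>window.alert("Ade Hi Yemi Bye");</script>'


def render_search_vulnerable(query):
    """Reflected XSS: the query goes straight into the page as markup."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query):
    """Same page with output encoding: < > & \" ' become entities, so the
    browser shows the payload as text instead of running it."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def blocklist_filter(text):
    """Defence 1 from the notes: strip the literal <script> tag. A blocklist
    only catches the exact spelling it knows about."""
    return text.replace("<script>", "").replace("</script>", "")


# Stored XSS: comments are saved once and rendered for every visitor.
COMMENTS = []


def post_comment(text):
    COMMENTS.append(text)


def render_comments(escape):
    items = (html.escape(c, quote=True) if escape else c for c in COMMENTS)
    return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


def executes_script(page):
    """Test helper: a live <script ...> element is still present in the markup
    (case-insensitive, since browsers treat tag names that way)."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
    post_comment(PAYLOAD)
    print(render_comments(escape=False))   # every visitor gets the script
    print(render_comments(escape=True))
```

html.escape is applied where the value is written into the page, not where it is received; that way the same stored comment is harmless however it was submitted.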
-------------------------------------------------------------------

Day 20 : Doubt Queries

XSS <--


Day 21 : Linux Operating System

Installation + Commands

---

Microsoft --> Products (MS Office, """""Windows""""", Phone, Tablet etc)

Windows OS : Paid <--

Windows Operating System :

My Computer ---> C:\ D:\ F:\ ....

We cannot see its source code, so there is always the doubt that Microsoft may be monitoring people worldwide (working with the FBI).

Windows --> XP, 7, 8, 8.1, 10 etc




Linux : Free to use

It is open source (we can read its complete source code too)

My Computer ---> etc var usr bin root

Linux distributions -->


Ubuntu, Mint, Kali Linux, and Android (Linux kernel) etc.

(macOS and iOS are Unix-like but built on Apple's BSD-derived Darwin, not on Linux.)


Apple --> Modified BSD/Darwin code --> Product -> macOS

Google --> Modified Linux kernel --> Product --> Android (Open Source)

Offensive Security --> Modified Debian Linux --> Kali Linux


https://haveibeenpwned.com/ <-- Check whether an Email ID appears in known breaches


---


Operating System to be used:

Kali Linux <-- Hacker Operating System
==============

because many tools required for Penetration Testing come pre-installed in Kali Linux.

Kali Linux is provided by the company --> Offensive Security


Training Online + Exam <--- 800 $

Online labs to practise our skills <-- 40$ / month (SQLi, XSS, Metasploit etc)


Kali Linux --> Free to use

Download Link : www.kali.org/downloads/ ( Download on your main system & install in VMware )

https://cdimage.kali.org/kali-2019.4/kali-linux-2019.4-amd64.iso <----

This downloads an .iso file.

We install it in VMware <--

----->

For Installation :

i. ISO file

ii. VMware

------

-----

Basic Commands for the Terminal :


1. For checking IP

#ifconfig

(on newer systems: ip addr)


2. For checking the WiFi router IP (if we are connected)

#route -n

This is also called the default gateway (the row whose destination is 0.0.0.0; newer systems: ip route)


3. For calendar

#cal

or

#cal jan 2020

or

#cal 2060


4. For current date & time

#date


5. Looking at the location of the terminal (it keeps changing from folder to folder, like moving between C:\ D:\ E:\ on Windows)

#pwd

Print Working Directory



6. For network scanning

To find how many machines are using our WiFi

Step 1: Check your IP address

#ifconfig

192.168.100.77 <-- Example of our IP

Interface name <--- wlp2s0


Step 2: Let's scan for the other machines connected to our network

#sudo netdiscover -i wlp2s0 -r 192.168.100.0/24

-i = Interface

-r = Range

/24 --> Means scan the complete network (all 254 host addresses, 192.168.100.1-254). Writing our own IP with /24 (192.168.100.77/24) works too; netdiscover scans the same range.

sudo --> means run as root (administrator)

To stop it - Control + C
-----------------------------------------------------------



7. For scanning a website for bugs (OWASP Top 10)

#owasp-zap

--------

Day 22 :

Network Attack :

ARP Poisoning (Address Resolution Protocol)

--

This attack happens when we are working on a shared network (WiFi, LAN cables etc.)

e.g. when we use public WiFi - free internet - McD, coffee shops etc.

You are using the internet --> Windows 7 ---> 172.16.19.218

default Gateway : 172.16.19.2

The hacker is also connected to the same WiFi ---> Kali Linux ---> 172.16.19.209

default Gateway : #route -n --> 172.16.19.2

Note : the default gateway is the same, because both use the same WiFi.

ARP maps an IP address to a MAC address, and ARP replies are not authenticated. The attacker keeps telling the victim "172.16.19.2 is at <attacker's MAC>", so the victim sends all its gateway traffic through the attacker's machine.

----
ARP Poison Attack : Demo


Kali Linux :
Terminal

Step 1:

#ettercap -G

This opens the graphical tool --> Ettercap


Step 2: Go to Sniff --> Unified Sniffing ---> select the interface ---> OK

Step 3: Scan the network

Hosts --> Scan for Hosts

Step 4: Hosts --> Host List


Step 5 :

Select the default gateway ---> Add to Target 1


Step 6 :

Select the victim IP (multiple IPs possible) --> Add to Target 2


Step 7 :

Go to MITM (Man in the Middle Attack) ---> ARP Poisoning


Tick --> Sniff Remote Connections -> OK


Step 8 :

Start --> Start Sniffing

Leave this running
---------------------------------------

Open a new terminal

3 commands

#echo "1" > /proc/sys/net/ipv4/ip_forward    (forward the victim's packets on, so its connection keeps working and nothing looks broken)

#iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080    (hand intercepted HTTP to sslstrip)

#sslstrip -l 8080

Keep it running

(sslstrip can only downgrade a site that is still reachable over plain HTTP; a site with HSTS, especially a preloaded one, does not downgrade, so today this step often shows nothing.)
---

Open new terminal - 3

#urlsnarf -i eth0

This shows us all the URLs being opened on the victim system (use your real interface name, e.g. wlp2s0, in place of eth0)


Keep it running

--

Open new terminal - 4

#driftnet -i eth0

To see the images the victim is opening in the browser

-----------------

This attack is called ARP Poisoning.



Precautions :

1. Avoid using public WiFi

2. If we are connected, never log in to any website (account)

3. Use public WiFi only for surfing (YouTube, Google etc.)

4. Always check for HTTPS when logging in to a sensitive website (bank website)

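From the victim's side the attack above has a signature: the gateway's IP suddenly resolves to a different MAC, and one MAC (the Kali box) answers for two IPs. The following is an added Python example for the notes, not part of Ettercap or any monitoring tool; it runs that detection over a constructed trace of ARP replies using the IPs from the demo (the MAC addresses are made up). On a real host the same idea is applied by reading the ARP table or sniffing ARP frames, and pinning the gateway with a static ARP entry makes the first poisoned reply stand out immediately.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # seconds
    sender_ip: str    # "this IP ..."
    sender_mac: str   # "... is at this MAC"


# IPs from the notes; the MACs are constructed for the example.
GATEWAY_IP = "172.16.19.2"
VICTIM_IP = "172.16.19.218"
ATTACKER_IP = "172.16.19.209"
GATEWAY_MAC = "00:50:56:aa:bb:01"
ATTACKER_MAC = "08:00:27:11:22:33"

# Constructed trace as the Windows victim would see it: two honest replies,
# then the poisoned replies in which the Kali box claims the gateway's IP
# (Ettercap keeps re-sending them).
REPLIES = [
    ArpReply(1.0, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(1.5, ATTACKER_IP, ATTACKER_MAC),
    ArpReply(2.0, GATEWAY_IP, ATTACKER_MAC),
    ArpReply(2.5, GATEWAY_IP, ATTACKER_MAC),
]


def detect_arp_spoof(replies, trusted=None):
    """Two signals: (1) an IP whose MAC changes from what we saw (or were
    configured with, via `trusted`) before; (2) one MAC answering for more
    than one IP. Returns one alert string per offending reply."""
    ip_to_mac = dict(trusted or {})
    mac_to_ips = {}
    alerts = []
    for r in replies:
        previous = ip_to_mac.get(r.sender_ip)
        if previous is not None and previous != r.sender_mac:
            alerts.append(f"t={r.ts}: {r.sender_ip} moved from {previous} to {r.sender_mac}")
        ip_to_mac[r.sender_ip] = r.sender_mac
        ips = mac_to_ips.setdefault(r.sender_mac, set())
        ips.add(r.sender_ip)
        if len(ips) > 1:
            alerts.append(f"t={r.ts}: {r.sender_mac} claims {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(REPLIES, trusted={GATEWAY_IP: GATEWAY_MAC}):
        print(alert)
```

Signal (2) is the one that does not depend on having seen the honest gateway first, which matters on a network you have just joined.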
---

Session 23 <-- WiFi Hacking
Session 24 <-- WiFi Hacking


---
Session 25 :

Cryptography
Steganography

---

Session 26 :

Hashes - MD5 | SHA1 | PHP(MD5) | WordPress(MD5) | Salt
These are used when data (passwords) has to be stored in the website's database

Plain-text passwords are never stored; only the hash is.

Cracking the hashes

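An added Python example for the Session 26 topics (not code from PHP or WordPress): the unsalted MD5/SHA1 storage the notes mention, the dictionary attack that cracks it because equal passwords give equal hashes, and the salted, slow alternative (PBKDF2-HMAC-SHA256 from the standard library) where every user gets a different digest even for the same password. The wordlist is a constructed stand-in for a real one.

```python
import hashlib
import hmac
import os

# Small constructed wordlist standing in for a real password list.
WORDLIST = ["123456", "qwerty", "letmein", "password", "iloveyou"]


def unsalted(password, algo="md5"):
    """What old PHP/WordPress installs stored: hash(password) and nothing else."""
    return hashlib.new(algo, password.encode()).hexdigest()


def crack_unsalted(target_hex, algo, wordlist=WORDLIST):
    """Dictionary attack: hash each candidate with the same algorithm and
    compare. Same password -> same hash, so one table cracks every user."""
    for candidate in wordlist:
        if unsalted(candidate, algo) == target_hex:
            return candidate
    return None


def salted(password, salt=None, iterations=200_000):
    """Salted, slow hash. A fresh random salt per user defeats precomputed
    tables, and the iteration count makes each guess cost ~200k hash
    operations instead of one. Returns (salt, hex digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify_salted(password, salt, stored_hex, iterations=200_000):
    """Recompute with the stored salt; compare in constant time."""
    _, digest = salted(password, salt, iterations)
    return hmac.compare_digest(digest, stored_hex)


if __name__ == "__main__":
    h = unsalted("password", "md5")
    print(h, "->", crack_unsalted(h, "md5"))
    s1, d1 = salted("password")
    s2, d2 = salted("password")
    print("same digest for same password?", d1 == d2)
    print("verify:", verify_salted("password", s1, d1))
```

The salt is stored next to the digest; it is not secret, it only makes each stored hash unique so a cracker has to start over for every user.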
---------------------------------------------------------------

Session 25 :

Cryptography:

This is the method of securing digital communication

WhatsApp | Email | VoIP call (WhatsApp/Skype/etc)

Every message that we send --> does not travel as plain text

Hi Yemi, good to see You. -----> Hi Yemi, good to see You.



Source ---> Router --> ISP --> India ---> USA --> ISP --> Router --> Phone

Assume the communication is being monitored along the way <-- NSA | FBI | Indian agencies etc

---

First Phase :

Encoding : We follow an algorithm (set of rules) that converts our plain text into a non-readable form. There is no key; the rules alone do the conversion.

Plain : Hi Yemi <--

Cipher text : %^&iUHB() <--



Plain text ---> Encoding (algorithm) ----> CIPHER text


Algorithm :

A --> B
B --> C
C --> D
D --> E
--
--
Every character is replaced by the next character (a shift of one)


Palvinder --> QBMWJOEFS

is --> jt

is bad person. He is not intelligent. He is nothing
jt                 jt                 jt
(the same word always gives the same output, so patterns in the text stay visible)
----------------

WhatsApp will have a different algorithm

Skype will have a different one

Yahoo etc......


Encoding is popular & widely used.

Problems :

i. The same algorithm is used every time, so it is easy for someone to decode it back & get the plain text.

ii. For decoding no authentication (no key) is required, so anyone from anywhere can decode.

Demo : Base64 Encoding

Hi Yemi -->

SGkgWWVtaQ== https://www.base64encode.net/

SGkgWWVtaQ== https://www.base64encode.org/

SGkgWWVtaQ== http://www.utilities-online.info/base64/



790
791Second Phase :
792
793Encryption : All companies are only using this
794
795Whatsapp --> End to End Encryption
796
797
798Everytime, differnt algorithm will get follow.
799
800Hi Yemi --> abc123
801
802Hi Yemi --> qwer12333
803
804Hi Yemi --> auytr543
805
806
807For Decryption --> Passwod is required, which we have given during encryption
808
809Even single charcter "t" --> will get change into 90-100 Characters
810
811
812Demo :
813
814https://encipher.it/
815
816
817Hi Yemi
818
819EnCt2f3f80720e9706a1e53e41fdedbf814754f9a5bc6f3f80720e9706a1e53e41fdefsjAjzy+BgM
820Xpb2P+V2hV51/9v14Iw==IwEmS
821
822EnCt2ad193973c80a0d9cdff3e73eab34a56a1c3f3987ad193973c80a0d9cdff3e73e96dJvxoItwD
823VYOmP+V3Uzbjdz1Z4Gw==IwEmS
824
825a
826
827EnCt2b97f27a0c4d255f8115850a9634d6324a8922d1bb97f27a0c4d255f8115850a9GjN3gSBWxgL
828D7RGQ+V1FIwEmS
829
830
831123 <--
832
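The two phases above side by side, as an added Python example (not code from encipher.it or any messenger): the notes' shift-by-one rule and Base64 as encoding, both reversible with nothing but the rule, and a one-time pad as the smallest correct encryption, where a fresh random key makes "Hi Yemi" come out different every time and decryption fails without that key. The one-time pad is chosen because the standard library has no AES; real messengers use AES or ChaCha20 with a key exchange so the key need not be as long as the message.

```python
import base64
import os
import string


def shift_encode(text, shift=1):
    """The notes' 'algorithm': every letter becomes the next one (a Caesar
    shift). Case is kept; anything that is not a letter passes through."""
    up, low = string.ascii_uppercase, string.ascii_lowercase
    table = str.maketrans(up + low,
                          up[shift:] + up[:shift] + low[shift:] + low[:shift])
    return text.translate(table)


def shift_decode(text, shift=1):
    """Reversal needs only the rule, no secret: shift the other way."""
    return shift_encode(text, -shift % 26)


def b64_encode(text):
    """Base64 is an encoding too: a public table, no key."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def b64_decode(encoded):
    return base64.b64decode(encoded).decode("utf-8")


def otp_encrypt(plaintext: bytes):
    """One-time pad: XOR with a fresh random key as long as the message.
    Returns (key, ciphertext). The algorithm is public and fixed; only the
    key is secret, and a new key makes the same message look different."""
    key = os.urandom(len(plaintext))
    return key, bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(key: bytes, ciphertext: bytes):
    """Without the exact key the XOR gives random bytes, not the message."""
    if len(key) != len(ciphertext):
        raise ValueError("key must be as long as the ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, key))


if __name__ == "__main__":
    msg = "Hi Yemi"
    print(shift_encode("Palvinder").upper(), shift_encode("is"))   # QBMWJOEFS jt
    print(b64_encode(msg))                                          # SGkgWWVtaQ==
    k1, c1 = otp_encrypt(msg.encode())
    k2, c2 = otp_encrypt(msg.encode())
    print(c1.hex(), c2.hex())            # two different ciphertexts
    print(otp_decrypt(k1, c1))           # b'Hi Yemi'
```

The encoding functions have no secret input at all; the encryption functions take one, and that single difference is what the notes' "first phase / second phase" distinction comes down to.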
-----------------------------------------------------------

More Advanced

Steganography <---
837Stegnagraphy <---