Preface
In today's world, cyber crime is increasing rapidly, and such incidents are in the limelight in the
media, newspapers and television. The most common cyber crimes are email hacking, fake profiles, data
theft and banking frauds, and numerous websites are getting hacked. To prevent such attacks and
provide strong security, we came up with the solution through this book. This book will give you a
complete picture of all the ethical concepts of hacking.
This is specially written for people who have no understanding of cyber crime and internet-related
frauds. It will help them understand the offensive techniques so that they can prevent cyber attacks.
After going through this book, readers will come away with special skills such as vulnerability
assessment, penetration testing, email security, system and network security, mobile security, etc.
Disclaimer
All the contents in this book are for education purposes only. We don't take any responsibility for
any illegal activity in future. We give credit to the FLS team, and reference material was taken from
the Internet.
Course Content in Details
Hacking Methodology
1. Reconnaissance
Reconnaissance is the first, preparatory phase, where an attacker makes a systematic attempt to
locate, gather, identify, and record information about the target of evaluation prior to launching an
attack. It involves network scanning, either external or internal, without authorization. Here, hackers
try to find out as much information as possible about the victim. There are two categories of
reconnaissance techniques: active and passive reconnaissance.
Passive reconnaissance involves gathering information regarding a potential target without the
targeted individual's or company's knowledge. Passive reconnaissance can be as simple as watching
a building to identify what time employees enter the building and when they leave. However, it's
usually done using Internet searches or by Googling an individual or company to gain information.
This process is generally called information gathering. Sniffing the network is another
means of passive reconnaissance and can yield useful information such as IP address ranges,
naming conventions, hidden servers or networks, and other available services on the system or
network. Sniffing network traffic is similar to building monitoring: a hacker watches the flow of
data to see what time certain transactions take place and where the traffic is going.
Active reconnaissance involves probing the network to discover individual hosts, IP addresses,
and services on the network. This usually involves more risk of detection than passive
reconnaissance and is sometimes called rattling the doorknobs. Active reconnaissance can give a
hacker an indication of the security measures in place, but the process also increases the chance of
being caught or at least raising suspicion. Both passive and active reconnaissance can lead to the
discovery of useful information to use in an attack. For example, it's usually easy to find the type of
web server and the operating system (OS) version number that a company is using. This
information may enable a hacker to find a vulnerability in that OS version and exploit the
vulnerability to gain more access.
2. Scanning
Scanning involves taking the information discovered during reconnaissance and using it to examine
the network. Tools that a hacker may employ during the scanning phase include dialers, port
scanners, network mappers, sweepers, and vulnerability scanners. Hackers are seeking any
information that can help them perpetrate an attack, such as computer names, IP addresses and user
accounts.
3. Gaining Access
This is the phase where the real hacking takes place. Vulnerabilities discovered during the
reconnaissance and scanning phases are now exploited to gain access. The method of connection the
hacker uses for an exploit can be a local area network (LAN, either wired or wireless), local access to
a PC, the Internet, or offline. Examples include stack-based buffer overflows, denial of service
(DoS), and session hijacking. These topics will be discussed in later posts. Gaining access is known
in the hacker world as owning the system.
4. Maintaining Access
Once a hacker has gained access, they want to keep that access for future exploitation and attacks.
Sometimes, hackers harden the system against other hackers or security personnel by securing their
exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can
use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to
as a zombie system.
5. Covering Tracks
Once hackers have been able to gain and maintain access, they cover their tracks to avoid detection
by security personnel, to continue to use the owned system, to remove evidence of hacking, or to
avoid legal action. Hackers try to remove all traces of the attack, such as log files or intrusion
detection system (IDS) alarms. Examples of activities during this phase of the attack include
steganography, the use of tunneling protocols, and altering log files. Steganography and the use of
tunneling for purposes of hacking will be discussed in later posts.
Top 10 Hackers in the World
1. Gary McKinnon:
The USA declared him the biggest military computer hacker ever. He broke through the security systems of
NASA and the Pentagon. This made him one of the great black hat hacker celebrities and got his name
into the hacker community. The nerd is now facing 70 years of imprisonment and is barred from
accessing the internet. He illegally accessed 97 computers and caused around $700,000 in damage
to the economy.
He is the creator of the first internet worm, the "Morris worm". He was a student at Cornell, and that is
where he started writing code to create worms, as he wanted to know how large the internet
was. But the worm slowed the internet down and made systems no longer usable. There
was no way to know how many computers were affected, but experts estimated around 6,000
machines. He was sentenced to 3 years imprisonment, 400 hours of community service and was fined
$10,500. At present he is a professor at the Massachusetts Institute of Technology's Computer Science and
Artificial Intelligence Laboratory. He was the first person prosecuted under the 1986 Computer Fraud
and Abuse Act.
The computer security consultant, author and hacker was accused in many cases. He broke into
the computers of top technology and telecommunications companies like Nokia, Motorola, Fujitsu Siemens and
Sun Microsystems. He termed his activity "social engineering" to legitimize his acts. He hacked the
Los Angeles bus transfer system to get free rides. His biggest hack was breaking into the DEC
system to view the VMS (Open Virtual Memory System) source code, which led to a clean-up cost
of around $160,000. He also gained full administrator privileges to IBM minicomputers at the
Computer Learning Institute in Los Angeles for a bet.
4. Kevin Poulson:
He is best known for his takeover of the phone lines of KIIS-FM, a Los Angeles based radio station.
He was also known as Dark Dante. The former black hat hacker is currently a senior editor at Wired
News.
5. Jonathan James:
He is a maestro among hackers who broke into the servers of the Department of Defense in the year 1999,
which earned him the nickname c0mrade at the age of 16. He also got into hacking NASA.
Stealing software from NASA and the DoD later put him into big trouble. As he was a minor, the
punishment was 6 months imprisonment, and he had to pledge that he would not use computers
ever again.
6. Adrian Lamo:
The threat analyst and grey hat hacker broke into various high-profile computers, like those of the New York
Times, Yahoo and Microsoft, which led to his arrest in the year 2003. He used internet connections
at libraries and coffee shops. The black hat hacker was sentenced to six months of home confinement
and two years of probation, which expired on January 16, 2007. Now
he is a great public speaker and an award-winning journalist.
7. Vladimir Levin:
The Russian-born Jew became famous for being involved in an attempt to fraudulently transfer
$10.7 million through Citibank's computers. He and 4 other members of his group were involved
in this activity. He used a laptop computer in London, England, for the access. He stole the
customers' codes and passwords. He made transactions of $3.7 million via wire to accounts his
group controlled in the United States, Finland, the Netherlands, Germany and Israel. He was arrested at
London airport in March 1995 and was convicted, receiving up to 3 years in jail. He had to pay Citibank the amount of
$240,015.
8. Raphael Gray:
He hacked computer systems around the world over six weeks. He was 19 years old when he
performed the hacking. His mission was to make a multi-million pound credit card. He published
about 6,500 credit cards as an example of weak security on consumer websites.
9. The Deceptive Duo:
In the year 2002, two young boys, Benjamin Stark, 20, and Robert Lyttle, 18, broke into
government networks, including the U.S. Navy, NASA, the FAA and the Department of Defense (DoD).
They argued that they were merely trying to expose security failures and protect Americans after
the 9/11 incident. Stark was sentenced to 2 years imprisonment; Lyttle served 4 months in
prison with 3 years' probation, and each was fined an amount of ten thousand dollars.
Famously known as MafiaBoy in the hackers' world; as he was a minor, his name was not disclosed.
A high school student from West Island, Quebec, he launched denial-of-service attacks in the year 2000
against top commercial websites including Yahoo!, Amazon.com, Dell Inc., E*Trade, eBay and
CNN. On September 12, 2001, the Montreal Youth Court sentenced him to 8 months of open
custody, one year of probation and a small fine. He was restricted from accessing the internet.
Module 2
Careers In Cyber Security
Why is Cyber Security essential?
The security of computer systems is important to the world for two reasons. First, the increased role of
Information Technology (IT) and the growth of the e-commerce sector have made cybersecurity
essential to the economy. Second, cybersecurity is vital to the operation of safety-critical systems, such as
emergency response, and to the protection of infrastructure systems, such as the national power
grid.
2. http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/
3. http://www.sans.org/
4. http://www.ili.ac.in/e-learn10.htm
5. http://www.asianlaws.org/index.php
6. http://www.ifs.edu.in/course-details
Link:- http://www.unom.ac.in/index.php?route=academic/coursehighlights
Link:- http://ms.iiita.ac.in
Link:- http://www.amrita.edu/cyber/mtech.html
Link:- http://www.drmgrdu.ac.in/Engineering/CSECourses/mtechftISCF.htm
5. M.S In Cyber Law and Security
Link:- http://www.imtcdl.ac.in/mscs_about.htm
Link:- http://www.ignou.ac.in/ignou/aboutignou/school/sol/programmes/detail/37/2
Link:- http://study.taaza.com/study/list-colleges-in-india-providing-m-tech-cyber-security
14. Section 78
Power to investigate offences
A police officer not below the rank of Inspector shall investigate any offence under this Act.
Module 4
Kali Linux Terminology
Introduction
Kali Linux is an advanced Penetration Testing and Security Auditing Linux-based OS. It is a
complete rebuild of BackTrack, adhering completely to Debian development standards. All new
infrastructure has been developed, all tools were reviewed and packaged, and only the top 10 tools were taken
to develop it as an advanced penetration testing OS.
=> http://kali.org/downloads
VMware Tools: By default there is no hardware support, due to the lack of VMware Tools. Once we
install VMware Tools, we get full hardware support along with full screen and mouse integration.
Following are the steps to install VMware Tools for Kali Linux.
4. Extract the files.
5. Move to the extracted files directory.
6. Install VMware Tools and keep pressing Enter if asked for anything until you get the command prompt back.
After it has completed successfully, restart the system.
Module 5
Information Gathering
Introduction
Information gathering is the first step of Penetration Testing. It is the act of collecting the required
information about the target by using various resources.
Dnsdict6: It is used to gather and enumerate information that is publicly restricted. It is available
in Kali Linux and BackTrack.
Features:
Detects information about subdomains
Enumeration of IPv4 and IPv6
Enumeration of SRV records
Enumeration of name server and mail server records
Procedure:
To open dnsdict6 in a shell, just type dnsdict6. It will show the help guide.
To find subdomains: dnsdict6 -4 domainname
ex: dnsdict6 -4 yahoo.com
Conclusion:
dnsdict6 is used for enumerating DNS records. It reveals vast information related to DNS and
subdomains.
Dnsenum:
It is used to gather information regarding the domain. It is available in Kali Linux and BackTrack.
Features:
Gives the host address
Name server information
MX record information
Zone transfer information
Subdomain information via Google scraping
Brute force the subdomains from a file
Reverse lookups
To open dnsenum, type dnsenum at the shell prompt.
ex: dnsenum
-p -> pages
-s -> scrape
To brute force the subdomains, type dnsenum -f dnslist.txt domainname
-f -> file name
Dnsmap
It is a passive network mapper usually used to brute force subdomains. We can find the
subdomains associated with a domain. It is helpful to find remote access servers, misconfigured servers
and new domain names.
Features:
It supports Ipv6
Gives complete IP addresses of successfully bruteforced subdomains
Discovers connected embedded devices configured with DNS services
Bruteforcing by using a wordlist
Delay option added to save bandwidth
Results can be saved in CSV format
Fierce:
Features:
It is used to discover non-contiguous IP address space and for reconnaissance
It is used for DNS zone transfer, DNS brute force and reverse lookups
It is used for enumeration and gathers much information regarding the target system
It is available in Kali Linux and BackTrack
To find the name server, zone transfer, etc. information about the target, type fierce -dns
domain
ex: fierce -dns google.com
Maltego:
Features:
To open Maltego: Applications -> Kali Linux -> Information Gathering -> DNS Analysis
-> Maltego
At first we need to register, if there is no Maltego account, and we need to activate our
account.
While Maltego is running, at first we need to log in.
Right click on the domain icon and click -> Run Transform -> All Transforms -> To
Website (Quick lookup)
To find the IP address of our target website:
Right click on the icon which appeared -> Run Transform -> Resolve to IP -> To IP
Address (DNS)
To find IP addresses related to the domain:
-> Run Transform -> All Transforms -> Mirror: Email addresses found
To remove items completely, press Ctrl + A and press the Delete key
Google and its working
Google is a world famous search engine. It is famous for simplicity, its searching methodology, relevant
results, identifying ads and sponsored links, identifying cyber attacks and filtering spam.
How does it work?
Googlebot is used for web crawling. It uses the web crawling bot to find and retrieve pages relevant to the
search results from the web and gives them to the Google indexer.
Googlebot finds pages in two ways:
Through the add URL form, www.google.com/addurl.htm
Finding links by crawling the web.
Google indexer:
It indexes the full text of the pages it finds. All these pages are stored in Google's
index database.
The index is stored alphabetically by search term, with each index entry storing a list of documents.
Google query processor:
Types of Scanning
Port Scanning: To find open ports and services
Network Scanning: To find Ip address and their ranges
Vulnerability Scanning: To find the weaknesses
NMAP
Network Mapper (Nmap) is a network scanning and host detection tool that is very useful during
several steps of penetration testing. It scans the network by sending different types of packet
requests. It is also a powerful utility that can be used as a vulnerability detector or a security scanner.
Host discovery
Discovery or enumeration
Service discovery
Operating system, hardware address, and the software version
Nmap scripts
Resource: http://nmap.org
NMAP scanning techniques:
To start a scan using nmap, just type nmap along with the IP address.
It is also called half-open scanning because this technique allows Nmap to get information
from the remote host without the complete TCP handshake process.
Nmap sends SYN packets to the destination, but it does not create any sessions.
The target computer can't create any log of the interaction because no session was initiated.
It completes the normal TCP three way handshake process and requires the system to call
connect.
To find an open UDP port of the target machine. It does not require any SYN packet to be
sent because it is targeting the UDP ports.
A FIN scan sends the packet only set with a FIN flag, so it is not required to complete the
TCP handshaking.
Firewalls and IDS (intrusion detection systems) normally play an important role in defending
the remote target from a security point of view.
There are two types of firewall that might be installed on the target computer:
Host-based firewall (a firewall running on a single target computer, for example you are
running a firewall on your computer)
Network-based firewall (a firewall installed and running to protect the entire
network, deployed at a node of the network, which might be a LAN)
TCP Window Scan (-sW): the TCP window scan has been designed to differentiate between
open and closed ports instead of showing unfiltered.
nmap -sW 192.168.1.9
TCP ACK Scan (-sA): Sends ACK packets rather than SYN packets.
Four types of responses:
MAC address spoofing makes it very difficult for the victim to identify the
computer that originated the incoming request.
Nmap scripting
Nmap scripts can perform so many different functions from vulnerability scanning to
exploitation and from malware detection to brute forcing. In this section I will discuss some
of the best Nmap scripts and their usage:
Crafting TCP packets is the default behavior of Hping. By specifying the TCP flags, a destination
port and a target IP address, one can easily construct TCP packets.
-F --fin   set FIN flag
-S --syn   set SYN flag
-R --rst   set RST flag
-P --push  set PUSH flag
-A --ack   set ACK flag
-U --urg   set URG flag
-X --xmas  set X unused flag (0x40)
-Y --ymas  set Y unused flag (0x80)
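The scan types described above (half-open SYN, full connect, FIN) and the Hping flag bits are easiest to recognise from the defender's side by reading raw packet flags rather than session logs. The following Python is an added example, not part of the original text or of the Nmap/hping projects: it packs and decodes the TCP flags byte with the same bit values Hping lists, classifies single probes, and reconstructs the SYN -> SYN/ACK -> RST half-open pattern that a target's session logs never record. The packet records and addresses are constructed sample data.

```python
"""Recognise port-scan probe patterns from TCP flag bytes.

Added example for this section; it is not from the original text or from
the Nmap/hping projects. The packet records below are constructed sample
data, not a real capture.
"""
from collections import defaultdict

# TCP flag bits as they appear in the header's flags byte. The last two are
# the historically unused bits that hping labels X (0x40) and Y (0x80).
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "X": 0x40, "Y": 0x80,
}


def pack_flags(names):
    """Combine flag names into a flags byte, e.g. ["SYN", "ACK"] -> 0x12."""
    return sum(TCP_FLAGS[name] for name in names)


def unpack_flags(byte):
    """List the flag names set in a flags byte, in header bit order."""
    return [name for name, bit in TCP_FLAGS.items() if byte & bit]


def classify_probe(flags):
    """Name the probe type a single packet's flag byte suggests."""
    names = set(unpack_flags(flags))
    if flags == 0:
        return "null-scan"
    if names == {"FIN"}:
        return "fin-scan"
    if names == {"FIN", "PSH", "URG"}:
        return "xmas-scan"
    if names == {"SYN"}:
        return "syn"          # a bare SYN may still be a normal connection
    if names == {"ACK"}:
        return "ack"          # handshake completion or an ACK probe
    return "other"


# Constructed sample traffic: (src_ip, dst_ip, dst_port, flags_byte).
TARGET = "192.168.1.9"
SAMPLE_PACKETS = [
    # 10.0.0.5: half-open scan of three ports, never completes a handshake.
    ("10.0.0.5", TARGET, 22, pack_flags(["SYN"])),
    (TARGET, "10.0.0.5", 22, pack_flags(["SYN", "ACK"])),
    ("10.0.0.5", TARGET, 22, pack_flags(["RST"])),
    ("10.0.0.5", TARGET, 80, pack_flags(["SYN"])),
    (TARGET, "10.0.0.5", 80, pack_flags(["SYN", "ACK"])),
    ("10.0.0.5", TARGET, 80, pack_flags(["RST"])),
    ("10.0.0.5", TARGET, 443, pack_flags(["SYN"])),
    (TARGET, "10.0.0.5", 443, pack_flags(["RST", "ACK"])),   # closed port
    # 10.0.0.7: Xmas probes (FIN/PSH/URG) against two ports.
    ("10.0.0.7", TARGET, 25, pack_flags(["FIN", "PSH", "URG"])),
    ("10.0.0.7", TARGET, 110, pack_flags(["FIN", "PSH", "URG"])),
    # 10.0.0.8: a legitimate full handshake to SSH.
    ("10.0.0.8", TARGET, 22, pack_flags(["SYN"])),
    (TARGET, "10.0.0.8", 22, pack_flags(["SYN", "ACK"])),
    ("10.0.0.8", TARGET, 22, pack_flags(["ACK"])),
]


def detect_scanners(packets, target, half_open_threshold=2):
    """Map each suspicious source IP to a one-line finding.

    A SYN scan leaves SYN -> SYN/ACK -> RST with no final ACK, so the
    target never records a completed session; the pattern is only visible
    in packet data, which is why it is reconstructed here.
    """
    syn_sent = defaultdict(set)     # src -> ports that received a bare SYN
    completed = defaultdict(set)    # src -> ports where src sent a bare ACK
    odd_probes = defaultdict(list)  # src -> [(port, probe kind)]
    for src, dst, port, flags in packets:
        if dst != target:
            continue
        kind = classify_probe(flags)
        if kind == "syn":
            syn_sent[src].add(port)
        elif kind == "ack":
            completed[src].add(port)
        elif kind in ("fin-scan", "xmas-scan", "null-scan"):
            odd_probes[src].append((port, kind))

    findings = {}
    for src in sorted(set(syn_sent) | set(odd_probes)):
        half_open = syn_sent[src] - completed[src]
        if len(half_open) >= half_open_threshold:
            findings[src] = f"syn-scan on {len(half_open)} ports"
        elif odd_probes[src]:
            kinds = "/".join(sorted({kind for _, kind in odd_probes[src]}))
            findings[src] = f"{kinds} on {len(odd_probes[src])} ports"
    return findings


if __name__ == "__main__":
    for src, finding in detect_scanners(SAMPLE_PACKETS, TARGET).items():
        print(f"{src}: {finding}")
```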
Enumeration
Enumeration is the first attack on the target network; enumeration is the process of gathering
information about a target machine by actively connecting to it. It means identifying the user
accounts, system accounts and admin accounts, for example by enumerating Windows Active Directory to find out
these things.
MIB (Management Information Base) provides a standard representation of the SNMP agents
available information and where it is stored.
NMS (Network Management Station): a device designed to poll SNMP agents for information.
SNMP Agent: a device running some software that understands the language of SNMP. Almost
any network device could potentially run SNMP, but typically you will find SNMP agents running
on internetworking devices (e.g. routers, hubs, switches, bridges). Some operating systems (UNIX,
Windows NT) can also run SNMP agents.
Snmpcheck
Snmpcheck allows you to enumerate SNMP devices. It could be useful for penetration testing
or systems monitoring. Distributed under the GPL license and based on the "Athena-2k" script by jshaw.
Ex: snmpcheck -t ipaddress
Snmpenum
Ex: perl snmpenum.pl ipaddress public windows.txt
Module 7
Hiding Identity
Why do Hackers Use Proxies and VPNs?
Hackers use proxies and VPNs to hide their identity while performing attacks, so that instead of their
original IP the proxy's IP is stored in the logs.
UltraSurf
UltraSurf is a product of Ultrareach Internet Corporation. Originally created to help internet users in
China find security and freedom online, UltraSurf has now become one of the world's most popular
anti-censorship, pro-privacy software, with millions of people using it to bypass internet censorship
and protect their online privacy.
A VPN creates a secure tunnel between our machine and the VPN gateway, allowing you to surf the internet
securely. This VPN is available for both free and paid users.
All the social engineering tricks combined together into a toolkit for hackers, called SET
(Social Engineering Toolkit), in BackTrack and Kali Linux.
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking
unauthorized access to confidential data. Such attempts are not typically initiated by "random hackers" but
are more likely to be conducted by perpetrators out for financial gain, trade secrets or military
information. As with the e-mail messages used in regular phishing, the messages appear to come from a
trusted source. Phishing messages usually appear to come from a large and well-known company or
website.
It is a path or means by which a hacker or cracker can gain access to a computer or network
server in order to deliver a payload or something malicious which harms the PC/server. Attack vectors
enable hackers to exploit system vulnerabilities, including the human element. They include viruses,
e-mail attachments, web pages, pop-up windows, instant messages, chat rooms and ads. All of these
methods involve programming, and in a few cases use hardware too. To some extent, firewalls and
anti-virus can block attack vectors. But no protection method is totally attack-proof. A defense
method that is effective today may not remain so for long, because hackers are constantly updating attack
vectors and seeking new ones in their quest to gain unauthorized access to computers and servers.
The most common malicious payloads are viruses, trojans, worms, and spyware.
The vast majority of people have at least one USB drive to transfer files, and a common
characteristic of all humans is curiosity. These two things together can create a huge threat which
can affect any company. This type of attack allows a hacker to create a USB drive or DVD/CD with
malicious content; when a user opens the file in his company, the payload is executed and it
returns a shell into the user's PC. This type of attack doesn't require any knowledge and is very
fast and easy for anyone to implement. This means that anyone who can plant a malicious USB
stick inside a company can be a potential threat. It also points out how a simple USB or DVD can
bypass the network perimeter and become a threat for any company if the employees are not
following the security policies. For example, companies should have a policy that would protect
them against any mobile threats, and the employees should follow that policy.
Mass Mailer Attack
Sending emails in bulk to a large number of people: sending malicious or harmful mails to a number of
people at a time. For mass mailing we can create a file with one email address per line, so you can
create a template and use it when you need it. Finally, for sending the emails you have two options:
Gmail, or your own server and open relay.
This attack vector utilizes the Arduino-based device and programs the device. You can leverage the
Teensy, which has onboard storage and can allow for remote code execution on the physical
system. Since the devices are registered as USB keyboards, it will bypass any autorun disabling or
endpoint protection on the system. You will need to purchase the Teensy USB device; it's roughly
$22. This attack vector will auto-generate the code needed in order to exploit the payload on
the system for you. This attack vector will create the .pde files necessary to import into Arduino. The
attack vectors range from PowerShell-based downloaders to wscript attacks and other methods.
The SMS Spoofing Attack allows you to send crafted SMS messages to a person. You can spoof the
SMS source. You can use a predefined template or create your own template. The main method for
this would be to convince a user to click the link in their browser and steal credentials or perform
other attack vectors. You can send an SMS to a single number or import a file that will send the SMS
to all of them.
This will create a fake access point on your wireless card and redirect all DNS queries to you.
SET will create a wireless access point, a DHCP server, and spoof DNS to redirect traffic from the
network to the attacker's machine. You can run any attack vector you want; when a victim joined
to the attacker's access point tries going to a website, the DNS spoof will redirect the victim to the
attacker's machine.
It is a type of attack based on QR codes. In this attack vector a QR code is generated with a malicious
link. Now send it to the victim by mail using SET. When the victim scans the QR code, the attack payload will
be deployed onto the victim's machine, and we can get access to the victim's machine.
The PowerShell Attack Vector allows you to create PowerShell-specific attacks. These attacks will
allow you to use PowerShell, which is available by default in all Windows operating systems from Windows
Vista/7 onwards. PowerShell provides a fruitful landscape for deploying payloads
and performing functions that do not get triggered by preventative technologies.
How to Perform Social Engineering Attack
We have 7 different options. Use the 1st option, Social Engineering Attacks.
Now we can find 11 options in Social Engineering Attacks; choose the 2nd option for Website Attack
Vectors.
Under Website Attack Vectors we can find 9 options. Select the 6th option, Web Jacking Attack Method.
Select the 2nd option, Site Cloner.
When asked to enter the IP address for the reverse connection, enter the BT IP, then enter the site you want to clone,
for example www.gmail.com, and press Enter.
Now make the victim enter your IP in the URL bar to open Gmail, as shown below.
After clicking the URL which appears in the above window, a fake gmail.com will appear.
Commonly the victim enters his username and password. Once he has entered the username and password,
those credentials are automatically displayed on the attacker's machine, as shown in the image below.
Prevention Against Social Engineering
Social engineering describes primarily non-technical threats to company security. The broad
nature of these potential threats necessitates providing information about threats and potential
defenses to a range of management and technical staff within a company, including:
Best antivirus
Should not download any software or any stuff from untrusted sites
Download only from official pages
Always scan for viruses, worms and trojans
Scan for and download updates for the OS
Module 9
Advance Metasploit Exploitation
Metasploit
Metasploit was created by HD Moore in 2003 as a portable network tool using Perl. In the year 2007,
the Metasploit Framework was completely rewritten in Ruby. Metasploit is available in
BackTrack and Kali Linux.
Metasploit Terms
Exploit - a security flaw within a system, network, or application.
Payload - code executed in the victim system by Metasploit.
Module - code that can be added to the Metasploit framework to execute an attack.
Shellcode - code used as a payload.
Metasploit Framework
Steps for exploiting a system using the Framework:
Choosing and configuring an exploit
Checking whether the target system is exploitable or not
Choosing and configuring a payload
Choosing the encoding technique to bypass IDS/IPS
Executing the exploit
Metasploit Interfaces
Metasploit Framework Edition
Metasploit Community Edition
Metasploit Express
Metasploit Pro
Armitage
Cobalt Strike
Payloads
Metasploit contains many different types of payloads, each with a unique identity
Inline(Non staged)
Staged
Meterpreter
PassiveX
NoNX(No execute)
Ordinal Payloads
IPv6
Reflective DLL injection
Opcode Database
The Opcode Database is an important resource for writers of new exploits. Buffer overflow exploits
on Windows often require knowledge of the position of certain machine language opcodes in a
program. Positions differ in the various versions and patch levels of a given operating system. They
are all documented and conveniently searchable in the Opcode Database. This is useful to write
buffer overflow exploits that work across different versions of the target.
Shellcode Database
The Shellcode database contains the payloads used by the Metasploit Framework for the
exploitation.
After successful exploitation, it will show that particular system in red color, meaning it has been
attacked.
Fasttrack
Fast-Track is a tool for exploitation. It uses other pentest tools to make exploitation easy.
It is available in three different forms:
CLI
Web interface
Interactive
To start Fast-Track web: Menu -> Backtrack -> Exploitation Tools -> Network Exploitation
Tools -> Fast track -> Fasttrack -interactive
This is the main menu of Fast-Track.
Select option '8' to create payload
A program or a device that captures vital information from the network traffic specific to a
particular network. It is a data interception technology.
Wireshark
It is a network packet sniffer and analyzer. A network packet analyzer will try to capture network
packets and display that packet data in as much detail as possible. You could think of a network
packet analyzer as a measuring device used to examine what's going on inside a network cable, just
like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at
a higher level, of course). In the past, such tools were either very expensive, proprietary, or both.
However, with the advent of Wireshark, all that has changed. Wireshark is perhaps one of the best
open source packet analyzers available today.
How to install wireshark
Click next
Click I Agree
You can run the application by just checking the box; click Finish.
This is how the interface of Wireshark looks.
1 Interface list: where we can select a particular interface whose packets to sniff
2 Start: after selecting the interface, just click it to start sniffing
3 Capture options: selection of the types of packets
4 Open: we can open a dump file of saved packets
host 192.168.x.x
Capture only traffic to or from IP address 192.168.x.x
It is a Network Forensic Analysis Tool (NFAT) for Windows but also works on Linux and Mac OS.
It can be used as a passive network sniffer or packet capturing tool in order to detect operating
systems, sessions, hostnames, open ports etc. without putting any traffic on the network. It collects
data like forensic evidence about hosts on the network rather than collecting data regarding the
traffic on the network. It has, since the first release in 2007, become a popular tool among incident
response teams as well as law enforcement.
How to install
Extract NetworkMiner.
After starting sniffing we can see the list of hosts, and we can extract details.
We can see complete details of a host just by extracting the host.
A few more options we can check out are Frames, Files, Images, Messages, Credentials,
Sessions, DNS and Parameters.
5. Next is ARP poisoning, where we will route all network traffic to go through our PC and then
to the outside world, so that we can sniff all traffic. To do ARP poisoning, follow these steps.
Click on the ARP tab at the bottom of Cain & Abel, then select the host whose traffic we
want to sniff by clicking on the + sign. Before clicking on the + button, click on any white space
area to activate the + sign.
Now finally click on Start/Stop ARP to poison traffic.
6. Analyse traffic and get sensitive information like passwords, URLs visited, etc.
Click on the Passwords tab located just above the status bar. On the left hand side you can
choose which traffic you want to analyse.
It will show the username and password if anyone entered them.
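The ARP poisoning steps above work because the victim and the gateway accept unsolicited replies that rebind an IP address to the attacker's MAC. The following Python is an added example, not part of the original text or of Cain & Abel, showing how a monitor on the same LAN can spot that rebinding: it watches ARP replies for an IP whose MAC changes (or disagrees with a trusted static mapping) and for a single MAC claiming several IPs at once. The replies, IPs and MACs are constructed sample data.

```python
"""Spot ARP cache poisoning from the ARP replies seen on a LAN.

Added example for this section; it is not from the original text or from
Cain & Abel. All addresses below are constructed sample data.
"""
from collections import defaultdict

# Constructed ARP replies as a monitor on the LAN would see them:
# (seconds since start, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1", "aa:aa:aa:aa:aa:01"),    # the real gateway
    (2, "192.168.1.20", "aa:aa:aa:aa:aa:20"),   # a workstation
    (3, "192.168.1.50", "aa:aa:aa:aa:aa:50"),   # another host (later the poisoner)
    (10, "192.168.1.1", "aa:aa:aa:aa:aa:50"),   # .50 now claims the gateway's IP
    (11, "192.168.1.20", "aa:aa:aa:aa:aa:50"),  # ... and the workstation's IP
    (12, "192.168.1.1", "aa:aa:aa:aa:aa:50"),   # poisoning is re-sent periodically
]


def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alerts, one per suspicious reply.

    Two signals are used:
      * mac-change: an IP is claimed by a MAC other than the one first seen
        for it (or other than a trusted static mapping supplied by the caller).
      * multi-ip: one MAC has now claimed more than one IP, which is what a
        host sitting between a victim and its gateway looks like.
    The first-seen binding is kept on conflict, so a persistent poisoner keeps
    raising alerts instead of silently becoming the new "truth".
    """
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for seen_at, ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append({"time": seen_at, "type": "mac-change", "ip": ip,
                           "expected": known, "seen": mac})

        claimed_before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        # Alert once each time the MAC's set of claimed IPs grows past one.
        if len(mac_to_ips[mac]) > max(1, claimed_before):
            alerts.append({"time": seen_at, "type": "multi-ip", "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


def poisoned_ips(alerts):
    """Sorted list of IPs whose binding was seen to change."""
    return sorted({a["ip"] for a in alerts if a["type"] == "mac-change"})


if __name__ == "__main__":
    found = detect_arp_poisoning(SAMPLE_ARP_REPLIES)
    for alert in found:
        print(alert)
    print("poisoned:", poisoned_ips(found))
```

Feeding the detector a trusted static gateway mapping makes the very first forged reply an alert, which is the configuration to prefer on a small office LAN.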
Module 12
System Hacking
How to bypass Windows Security
For this we need the Kon-Boot tool, which is freely available. Just prepare a bootable pen drive with
the Kon-Boot image file. Preparing a bootable USB with Kon-Boot on it:
Then just follow the steps below.
1. Open the UNetbootin tool and follow the steps.
1. Now we have a USB drive which has been prepared for booting up.
2. Restart the computer for which you have forgotten your password, or the system which is
password protected.
3. Get into the boot menu when the computer restarts by pressing the F12 key
(this may differ on some computers).
5. Once you have booted from your USB pen drive, you will see the Kon-Boot page.
Then just press Enter. You will be taken to a screen like this.
6. After this screen your computer will resume its normal booting and you will be
logged into the admin account without the login screen. It temporarily removes the passwords of the
computer. This is how a hacker gets into a system by bypassing the Windows logon
security.
Upgraded versions of Kon-Boot can be used to bypass the Windows security of Windows Vista, 7 & 8.
Cracking passwords is difficult if we have only limited time on a machine, but a newer technique
which extracts the password in plain text is possible by exploiting a Windows flaw. This method
works in all Windows versions from Windows XP to the latest Windows 8.
The tool can be found online or in the tool kit. The tool and its other uses can be found
online at http://blog.gentilkiwi.com/mimikatz
Then right click on the mimikatz tool and run it as administrator. Once we run
the tool, we get a command prompt like interface.
To protect your computer from these attacks, the following steps are to be
followed.
1. Create a hard-disk boot password in the boot menu which comes during
startup.
2. Use the SAM Lock Tool to encrypt your passwords (type syskey in the Run command
box to get it). Note that syskey was removed from Windows 10 version 1709 onwards; full-disk
encryption such as BitLocker is the current protection for the SAM database on disk.
3. Create a complex password which has numbers, symbols and both upper and lower case
letters,
like this one: P@.s5w%0Rdfl$ and not like this: password123 !
4. Use drive encryption tools to protect your data from being modified or
damaged.
5. Do not keep your password written on the table of your computer or anywhere
nearby !
Setting up a Secure System
A system can be secured if the following methods are followed while setting up a
system.
1. Use original operating systems, not pirated ones.
2. Don't use pirated or cracked versions of antivirus software.
3. Set up a boot password for the BIOS and hard-disk to prevent intruders.
4. Update your OS, antivirus and firewall programs regularly.
5. Install add-ons which help you to be secure on the web (e.g., WOT, anti-phishing,
NoScript etc.).
6. Use updated browsers and use password-protected browsers.
7. Use drive encryption tools to protect your data.
8. Secure your important documents and files using encryption methods.
9. Be careful when installing software downloaded from free forums or websites.
Module 13
Virus, Trojans and Keyloggers
What is a Trojan
A Trojan or Trojan Horse is a malicious application that acts like a legitimate file or helpful
program but whose real purpose is, for example, to grant a hacker unauthorized access to a
computer. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan
horses may steal information, or harm their host computer systems.
A Trojan is mostly designed in such a way that it appears to be legitimate software and it can
infect your system silently. There are several methods that a Trojan can use to infect your PC.
DarkComet
DarkComet is a Remote Access Trojan which can perform several functions on the victim's PC once
it is infected. It has the following functionalities:
1. Keylogger
2. Webcam control
3. File manager
4. Initiate FTP connections
5. Monitor all processes
6. Open any web page remotely
Use a virtual machine to try and create a Trojan, because the Trojan creator can itself be a Trojan.
Once we have created the server part, the server is distributed by some
means, and when the victim executes the Trojan we get a reverse connection at the
IP address specified in the settings, i.e. your IP address.
Now click on the Listen button to start listening on a particular port number.
Once the connection is established, options are displayed to control the infected system from our
computer. This is how a simple Trojan is created. Since this is already available on the internet,
almost all antivirus products detect it as a Trojan. We will see how hackers bypass antivirus protection
and run their malicious code in the next part.
How Attackers Bypass Your Antivirus With Trojans
Antivirus software is bypassed by hackers by the use of programs called crypters. Crypters
are nothing but programs/tools which change the signature of your Trojan file and/or add some
random bits and encrypt your code in such a way that the antivirus program cannot detect it as a
virus. Most antivirus products are signature based, and if the signature is not in the database, they
cannot detect it.
We will see the functioning of the Ritalin crypter. It is a very simple crypter which can modify your
code and produce a new file which is undetectable by most antivirus products.
1. Install a good antivirus. Free or paid is fine, but don't use cracked or pirated versions.
2. Install real-time anti-spyware protection.
3. Update your antivirus programs daily.
4. Perform scans on your computer daily.
5. Disable autorun to prevent infection from pen drives.
6. Disable image previews if using Outlook.
7. Use a good antivirus which has browser plug-ins and scans all URLs for malicious content.
8. Use a hardware based firewall.
9. Don't click on any mail links or attachments from unknown sources or malicious users.
10. Never download software from third-party sites. Download from the original website.
11. Don't use cracks or keygens, which may be a virus/Trojan themselves.
Module 14
Website Hacking
Authentication/Authorization Bypass
An authentication bypass flaw can be found in websites which have an insecure authentication script.
Example:
<?php
$sql = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND
password='" . $_POST['password'] . "'";
$response = mysql_query($sql);
?>
User input is not filtered here properly.
How it works?
Instead of giving a proper user name and password, simply give the string 1'or'1'='1 in both fields. The query
then becomes SELECT * FROM users WHERE username='1'or'1'='1' AND
password='1'or'1'='1'. Here '1'='1' is always true, so the query matches rows regardless of the user name and password.
Method to Secure:
Use the PHP function mysql_real_escape_string. It escapes each of these characters: \x00, \n, \r,
\, ', " and \x1a by prefixing a backslash (\). (The mysql_* extension is deprecated since PHP 5.5 and
removed in PHP 7; in current PHP, use prepared statements with mysqli or PDO instead.)
Example:
<?php
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
$sql = "SELECT * FROM users WHERE username='" . $username . "' AND password='" .
$password . "'";
$response = mysql_query($sql);
?>
SQL Injection
SQL injection is one of the most popular vulnerabilities. We can inject a SQL query via input
data from a form. It may lead to gaining sensitive data from the database, modifying database data, or executing
administrative operations on the database.
Categorized SQL injection:
Put a quote ( ' ) at the end of the parameter; if you find some content is missing, the website is vulnerable to SQL
injection.
It looks like php?id=48'
We need to count the columns using the ORDER BY statement. We need to increase the number until
a blank page appears.
When we put order by 17--, it shows a blank page, so we guess this is the page to perform
our further attack.
Use UNION SELECT to find the vulnerable column numbers.
So we can get a table name by using the following query, but we get only one table name.
To get all the table names, use group_concat(table_name). It will display the complete
table information.
From the above information we can predict that admin credentials may be available in the
admin_user table, so we need to grab the column information from that table. Instead of giving the
table name directly we need to give it in hex format.
We got the columns of the admin table.
To get the column data, change the string as follows.
The obtained output is merged, so we put the separator : in hexadecimal (0x3a).
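Both the authentication bypass above and the id=48' probe in this section come from the same mistake: user input becomes part of the SQL text. The following added example (not code from the course) reproduces the PHP login query against an in-memory SQLite table with constructed sample users, shows that the 1'or'1'='1 string logs in and that a lone quote breaks the query (the "content goes missing" symptom), and then shows the fix: a parameterised query, where the driver sends the values separately from the SQL, so quotes in the input are data rather than syntax. That is what mysqli/PDO prepared statements do in PHP.

```python
import sqlite3


def make_db():
    """Constructed sample users table in memory (not data from the course).
    Passwords are kept in plain text only to mirror the page's query; a real
    application stores a password hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "correct-horse"), ("alice", "battery-staple")])
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Same construction as the PHP snippet: the input is glued into the SQL text.
    Returns True/False for a match, or None when the input broke the query."""
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        # A stray quote produces a syntax error: the page shows up broken or blank.
        return None


def safe_login(conn, username, password):
    """Parameterised query: '?' placeholders are filled by the driver, so the
    SQL structure is fixed before any user data is seen."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "1'or'1'='1"
    print("vulnerable, injected :", vulnerable_login(db, payload, payload))   # True
    print("vulnerable, quote    :", vulnerable_login(db, "admin'", "x"))      # None
    print("safe, injected       :", safe_login(db, payload, payload))         # False
    print("safe, real creds     :", safe_login(db, "admin", "correct-horse")) # True
```

The parameterised form also removes the ORDER BY / UNION SELECT column-counting steps as an option, because the injected text can never change the shape of the statement.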
sqlmap
sqlmap is an open source penetration testing tool. It automates the process of detecting and exploiting
SQL injection flaws. It has a rich detection engine, database fingerprinting,
fetching of data from the database, and access to and execution of commands on the underlying system.
Features:
It supports MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM
DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
It supports enumerating users, password hashes, privileges, roles, databases, tables and
columns.
It can execute arbitrary commands and retrieve their standard output on the database server.
Types of XSS
Non-persistent (or) Reflected:
Occurs when the data provided by the user, most commonly in HTTP query parameters or in HTML form
submissions, is used immediately by server-side scripts to build and display a page of results for
that user, without properly sanitizing the request.
A reflected attack is typically delivered via email or a neutral web site. The bait is an
innocent-looking URL, pointing to a trusted site but containing the XSS vector. If the trusted site is
vulnerable to the vector, clicking the link can cause the victim's browser to execute the injected
script.
Persistent (or) Stored:
Occurs when the data provided by the attacker is saved by the server, and then permanently displayed on
"normal" pages returned to other users in the course of regular browsing, without proper HTML
escaping. This is most common with online message boards where users are allowed to post
HTML formatted messages for other users to read.
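Both XSS types have the same fix: escape untrusted text at the point where it is written into HTML. The following added example (not code from the course) models the reflected case as a search page that echoes a q= parameter from a bait URL, and the stored case as a small message board, each in a vulnerable and an escaped form using Python's html.escape. The page template, URL and posts are constructed for the example; the classic <script>alert(1)</script> string stands in for an injected script.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed results page; {term} is where the user's search term is shown.
TEMPLATE = "<html><body><p>Results for: {term}</p></body></html>"


def term_from_url(url):
    """Pull the q= parameter out of a request URL (percent-decoding included)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_reflected_vulnerable(url):
    # The parameter is pasted straight into the HTML: any tags in it are live.
    return TEMPLATE.format(term=term_from_url(url))


def render_reflected_escaped(url):
    # html.escape turns < > & " ' into entities, so the browser shows them as text.
    return TEMPLATE.format(term=html.escape(term_from_url(url), quote=True))


class MessageBoard:
    """Stored XSS: storing the raw text is fine; the rendering must escape."""

    def __init__(self):
        self.posts = []

    def post(self, author, body):
        self.posts.append((author, body))

    def render_vulnerable(self):
        return "".join(f"<li><b>{a}</b>: {b}</li>" for a, b in self.posts)

    def render_escaped(self):
        return "".join(f"<li><b>{html.escape(a)}</b>: {html.escape(b)}</li>"
                       for a, b in self.posts)


def has_live_script(page):
    """Crude check: an unescaped <script tag means the injection survived."""
    return "<script" in page.lower()


if __name__ == "__main__":
    bait = "https://trusted.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print(render_reflected_vulnerable(bait))
    print(render_reflected_escaped(bait))
```

Escaping is context-specific: html.escape is right for text between tags and for quoted attribute values, but text placed inside a JavaScript block or a URL needs the escaping rules of that context instead.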
Module 15
Data Hiding
Steganography
Steganography is the art and science of writing hidden messages in such a way that no one apart
from the sender and intended recipient suspects the existence of the message. It uses various
methods to hide a secret message in other data, which may be a picture, an mp3, a pdf, a video etc.
In the olden days, secret messages were sent on normal paper or pictures using invisible ink,
writing in wax and similar methods. But now, sophisticated tools can hide your messages in any
files you want. It works on the principle that all files have some insignificant bits in them, so replacing
those with our secret data produces only minor changes to the picture and hence our data can be
embedded. Similar techniques are used to conceal data in various other formats. We will see some
of the methods used in steganography, and some tools which are used for that.
1. Open S-Tools.
2. First drag and drop the image, after that the text file, and supply a password to protect it from others.
4. Now, if you want to reveal the data, drag and drop the image into S-Tools, right click on it and choose
Reveal.
5. Supply the password and save the hidden file.
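The "insignificant bits" principle above is least-significant-bit (LSB) embedding, which is the technique S-Tools applies to image data. The following added example (not code from the course or from S-Tools) implements it on a constructed byte string standing in for raw 8-bit pixel samples: each secret bit replaces the lowest bit of one carrier byte, a 4-byte length prefix tells the extractor where to stop, and the last function confirms that no carrier byte moved by more than 1, which is why the change is invisible.

```python
def make_carrier(n_bytes=1024):
    """Constructed carrier: 8-bit sample values such as greyscale pixels would be."""
    return bytes(i % 256 for i in range(n_bytes))


def capacity(carrier: bytes) -> int:
    """Bytes of secret that fit: one bit per carrier byte, minus the length prefix."""
    return len(carrier) // 8 - 4


def embed(carrier: bytes, secret: bytes) -> bytes:
    """Hide `secret` in the least significant bit of successive carrier bytes."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(carrier):
        raise ValueError("carrier too small: need %d LSBs" % (len(payload) * 8))
    out = bytearray(carrier)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):                  # most significant bit first
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Reassemble the hidden bytes from the carrier's LSBs."""
    def read(start, n):
        res = bytearray()
        pos = start
        for _ in range(n):
            b = 0
            for _ in range(8):
                b = (b << 1) | (stego[pos] & 1)
                pos += 1
            res.append(b)
        return bytes(res)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def max_sample_change(a: bytes, b: bytes) -> int:
    """Largest change to any single carrier byte; LSB embedding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    carrier = make_carrier()
    stego = embed(carrier, b"meet at noon")
    print(extract(stego), max_sample_change(carrier, stego))
```

S-Tools additionally encrypts the payload with the supplied password before embedding; this example leaves the payload in clear so the bit manipulation itself is visible. Note also that LSB embedding only survives lossless formats (BMP, PNG): JPEG re-encoding rewrites the low bits and destroys the message.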
Module 16
Wireless Hacking
Introduction
Cracking of wireless networks is the defeating of security devices in wireless local-area networks.
Wireless local-area networks (WLANs), also called Wi-Fi networks, are more vulnerable to security
failures than wired networks. Cracking is a kind of information network attack that is similar to a
direct intrusion. There are two basic types of vulnerabilities associated with WLANs: those caused
by poor configuration and those caused by weak encryption or passwords.
WEP Cracking
Wired Equivalent Privacy (WEP) is an easily cracked security algorithm for 802.11 wireless
networks. WEP was introduced as part of the original 802.11 standard when it was ratified. WEP's main intention was
to provide data confidentiality comparable to that of a traditional wired network. It is recognizable
by its key of 10 or 26 hexadecimal digits, and it was at one time widely used and the first security
choice presented to users by router configuration tools.
Two methods of authentication are used with WEP: Open System authentication and Shared Key
authentication. For the sake of clarity, we discuss WEP authentication in Infrastructure mode
(that is, between a WLAN client and an Access Point). In Open System authentication, the WLAN
client need not provide its credentials to the Access Point during authentication. Any client can
authenticate with the Access Point and then attempt to associate. In effect, no authentication occurs.
Subsequently WEP keys can be used for encrypting data frames. At this point, the client must have
the correct keys.
In Shared Key authentication, the WEP key is used for authentication in a four step
challenge-response handshake:
The test of injection works like this and shows 100% completed.
Now click on WEP attacks to start attacking.
Click Autoload Victim Clients to load the victims' MAC addresses into the fields, and also click Client
Deauthentication to capture the handshake packets.
Now the 3-way handshake is going on. Once it is done, close the window.
Click the Cracking tab and select the type of attack you wish to do. Basically select bruteforce
cracking.
Now select the path of your word list on your disk, which contains many words that may break the
key.
Now click Aircrack-ng to crack the password.
Note: before cracking the password, the number of captured packets should cross 5000.
The key is found in encrypted form; just decrypt it, or you can use it as the password too.
WPA2 Password Cracking:
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols
and security certification programs developed by the Wi-Fi Alliance to secure wireless computers
and networks. The Wi-Fi Alliance defined these in response to serious weaknesses researchers had
found in the previous system, WEP (Wired Equivalent Privacy).
WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003. The
Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more
secure and complex WPA2. WPA2 became available in 2004 and is a common shorthand for the full
IEEE 802.11i (or IEEE 802.11i-2004) standard.
Every step is the same as we did in the previous one; just choose WPA instead of WEP.
Wireless Security Measures
Your home computer and office wireless network might be at risk, and if you don't take the
necessary precautions with your wireless network, there is a possibility of encountering a bigger
problem in future. Hackers do not discriminate and they can attack any Wi-Fi where the security
level is low. Once you are attacked, all your personal information and important data can be stolen by
hackers, and many more improper activities can be carried out from your network.
Below are some of the precautions to take to protect your wireless network access points.
o Change the default name and password. Routers come with a default username
which is normally the brand name. It is very important to change such information
once you have set up your wireless network. Having a password or a security key
also keeps unauthorized computers from accessing your wireless connection.
o Keep your MAC address filtering option enabled. This will prevent hackers from
getting access to your internet connection as it only allows known users or devices to
gain internet access. (Bear in mind that a MAC address can be changed in software, so
treat filtering as a minor hurdle rather than as a substitute for strong encryption.)
o Access points and routers all use a network name called the SSID. Manufacturers
normally ship their products with the same SSID set. For example, the SSID for
Linksys devices is normally "linksys." True, knowing the SSID does not by itself
allow your neighbors to break into your network, but it is a start. More importantly,
when someone finds a default SSID, they see it is a poorly configured network and
are much more likely to attack it. Change the default SSID immediately when
configuring wireless security on your network.
o The Pre-Shared Key (PSK) mode for WPA uses a single password for all devices
that connect to the wireless network. It is intended for home use where the set of
users and devices does not change often. It is not intended for business use, yet many
companies use WPA-PSK because it is easier to get up and running than WPA
Enterprise, which requires a RADIUS server.
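The advice to change the default SSID and to pick a strong WPA-PSK passphrase has a concrete cryptographic reason. In WPA/WPA2-Personal the pairwise master key is derived as PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), with the SSID acting as the salt. The following added example (not code from the course) computes that derivation with Python's standard library, checks it against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), and shows that the same passphrase yields a different PMK on a network with a different name, which is why a table precomputed for "linksys" is useless against a network with a unique SSID.

```python
import hashlib


def passphrase_acceptable(passphrase: str) -> bool:
    """WPA-Personal passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and passphrase.isascii() and passphrase.isprintable()


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK derivation from IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32-byte output."""
    if not passphrase_acceptable(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def same_pmk_on_other_network(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if a PMK computed for ssid_a would also work on ssid_b."""
    return wpa2_pmk(passphrase, ssid_a) == wpa2_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    print(wpa2_pmk("password", "IEEE").hex())
    print(same_pmk_on_other_network("password", "linksys", "IEEE"))
```

Because the 4096 iterations cost the same for the attacker and the access point, the only thing that makes guessing infeasible is passphrase length and randomness; WPA Enterprise avoids the shared secret altogether by giving each user their own credential.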
Module 17
Mobile Hacking
Installation Of VoIP Server
Requirement:-
Step:-
2. Start the virtual machine. You will see the green screen of the trixbox installation. Now
press ENTER to install trixbox.
3. It will ask you to select the language, so select the language you want to use.
4. It will now ask for the timezone. Please select the correct timezone.
5. Now it will ask for the root password. Enter the password you want and
confirm it. Press OK.
6. Installation will start within 1 minute; it will reformat your hard-disk and
install trixbox.
7. After installation the machine will restart and you will see the following screen.
8. At this point it is asking for the username and password.
Username:- root
Password:- the one you supplied during installation.
http://www.zoiper.com/
16. Enter the password you entered in the Secret field at the time of adding the
user on the server.
This is one of the easiest attacks on VoIP networks. Caller ID spoofing creates a scenario where an
unknown user may impersonate a legitimate user to call other legitimate users on the VoIP network. For
demonstration, let's use Metasploit's auxiliary module named sip_invite_spoof.
Scenario:-
Step 1:- Start Metasploit and load the voip/sip_invite_spoof auxiliary module.
Step 2:- Configure the options.
In my case:
set MSG 201            (caller ID)
set RHOSTS 192.168.0.104   (victim IP address)
set SRCADDR 192.168.0.122  (caller IP address)
Step 3:- The auxiliary module will send a spoofed INVITE request to the victim.
Step 4:- The victim considers it a legitimate call from another legitimate user.
Module 18
Honeypot
KFSensor
KFSensor is a Windows based honeypot which is designed to attract and trap hackers by opening
weak and exploitable services. It doesn't open actual services, it just simulates them.
Configuration
3. Now scan your system from any remote PC which has proper connectivity with
your system, using the software called Zenmap.
** Now no ports and services are open here.
4. Now double click on KFSensor to install.
5. The welcome screen will come. Just click Next to proceed.
7. Choose the destination folder, or keep the default, and then click Next to continue.
8. Click Next to continue.
11. After the reboot go to Start --> All Programs --> KFSensor. Right click on KFSensor and run
it as administrator.
12. The KFSensor home screen will come and the setup wizard will guide you to configure
KFSensor for your machine.
13. Click on Next.
14. Select only the Windows port classes because we installed it on the Windows platform.
15. Specify the domain name, or keep it at the default.
16. Give an e-mail address if you want to get alerts in your e-mail account.
23. Select the services and click on Delete to delete a particular service.
24. Here you can see we have opened only one service i.e. FTP which is running on port
25. Now if any hacker tries to scan your system he will find some open ports which we
opened in KFSensor. But these ports are only virtual ports, not actual ports.
26. In KFSensor you will get all the details of whoever scanned your system. In this way we trap
the hackers using KFSensor.
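To make the "simulated service" idea concrete, here is an added example (not code from the course or from KFSensor) of a minimal honeypot in Python: it listens on one TCP port, answers every connection with a fake FTP banner, records who connected and what they sent, and never implements the real protocol, so there is nothing behind the port to exploit. The banner text and the probe payload are constructed; the listener binds to 127.0.0.1 on a port chosen by the operating system so the demonstration runs entirely on one machine.

```python
import socket
import threading
import time

# Constructed banner: enough to look like a service to a scanner, nothing more.
FAKE_BANNER = b"220 ftp.example.internal FTP server ready\r\n"


class MiniHoneypot:
    """Listens on one TCP port, answers with a banner and logs every visitor."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS pick a free port
        self.sock.listen(8)
        self.sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self.port

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (peer_ip, peer_port) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.settimeout(1.0)
            data = b""
            try:
                conn.sendall(FAKE_BANNER)
                data = conn.recv(256)         # whatever the visitor tries, e.g. "USER ..."
            except (socket.timeout, OSError):
                pass
            finally:
                conn.close()
            with self._lock:
                self.events.append({"time": time.time(),
                                    "peer": f"{peer_ip}:{peer_port}",
                                    "data": data})

    def report(self):
        with self._lock:
            return list(self.events)

    def wait_for_events(self, count, timeout=3.0):
        """Block until `count` visitors are logged (or timeout); return the log."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            events = self.report()
            if len(events) >= count:
                return events
            time.sleep(0.05)
        return self.report()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe(port, payload=b"", host="127.0.0.1"):
    """Play the scanner: connect, read the banner, optionally send something."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        if payload:
            s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = MiniHoneypot()
    port = hp.start()
    print("banner seen by scanner:", probe(port, b"USER anonymous\r\n"))
    for event in hp.wait_for_events(1):
        print(event)
    hp.stop()
```

Because no legitimate user has any reason to connect to a honeypot port, every entry in the log is worth looking at; that low false-positive rate is what makes honeypots useful next to a noisier IDS.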
HoneyPot Tools
Following are common honeypots in demand in the market.
1. KFSensor
Site: - http://www.keyfocus.net/kfsensor/
2. Honeyd
Site: - http://www.honeyd.org/
3. HoneyMonkey
Site: - http://research.microsoft.com/en-us/um/redmond/projects/strider/honeymonkey/
4. Snort
Site: - http://www.snort.org
Module 19
Buffer Overflow, DOS and DDOS
Buffer Overflow
Buffer overflows have become one of the biggest security problems on the internet and in modern
computing. It is the anomaly where a program writing data to a buffer overruns the buffer boundary
and overwrites adjacent memory.
Buffer overflows are triggered by inputs that are designed to execute code and change the program's
execution. This results in erratic program behavior, including memory access errors, crashes, or a breach
of system security.
The common programming languages associated with buffer overflows are C and C++, which
provide no built-in protection against accessing or overwriting data outside a buffer's bounds.
Example :
#include <stdio.h>
int main()
{
    char buffer[30];                  /* fixed-size buffer on the stack */
    printf("Enter Data: ");
    gets(buffer);                     /* no length check: more than 29 characters overflow the buffer */
    printf("Data entered by you: %s\n", buffer);
    return 0;
}
It normally displays the content which you entered during execution.
If we give data beyond the buffer size, it leads to a buffer overflow.
This problem is due to the lack of proper bounds checking. The same problem can also be found
with the following C functions: strcpy(), strcat(), sprintf(), vsprintf(), scanf(), getchar() etc.
(gets() is so unsafe that it was removed from the C11 standard; the bounded replacement is
fgets(buffer, sizeof buffer, stdin), which stops reading at the buffer size.)
Memory structure:
    Higher memory [0xFFFFFFFF]
    +------------------+
    |      STACK       |  grows towards lower addresses
    |        |         |
    |        v         |
    |                  |
    |        ^         |
    |        |         |
    |      HEAP        |  grows towards higher addresses
    +------------------+
    |      DATA        |
    +------------------+
    |      TEXT        |
    +------------------+
    Lower memory [0x00000000]
TEXT: The area where the executable code or program code is stored. It includes read-only data.
In an executable file we usually have a text section. An attempt to write data in the text region will cause
a segmentation violation.
DATA: The region of memory where static variables are stored. Executable files have data and bss
sections; this region holds the program's global data.
HEAP: This region of memory holds dynamic-length data. This area of memory is allocated
dynamically at run time for the process.
STACK: This region is used to dynamically allocate the local variables used in functions and to pass
parameters to functions. The stack works on the LIFO (last in, first out) principle: the
last object placed on the stack will be the first object removed.
RET (saved return address): when a function or procedure is called, the system saves where
it was called from. When the function ends, it reads the return address and the program returns to
where it left off. This address is also known as the "saved return address".
======================================================================
BUFFER[ ] <----- 30 bytes
======================================================================
RETURN ADDRESS
======================================================================
Hping
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the
ping(8) Unix command. hping supports ICMP echo requests and the TCP, UDP, ICMP and raw-IP
protocols.
Features:
hping3 --icmp --spoof <target address> <broadcast address> --flood: flooding with ICMP
packets from a spoofed IP (--spoof)
Slowloris
It is a DOS attacking tool; the entire script is written in Perl, written by RSnake. It supports IPv4 and
IPv6.
Functionality:
Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent
headers at regular intervals to keep the sockets from closing. In this way web servers can be quickly
tied up.
Install Slowloris
Get a copy: http://ha.ckers.org/slowloris/slowloris.pl
sudo apt-get install libio-socket-ssl-perl
Now you should be ready to run slowloris.pl
cd /pathto/slowloris
perl slowloris.pl -dns example.target.com
./slowloris.pl -dns www.example.com -port 80
perl slowloris.pl -dns www.example.com -port 80 -num 500 : number of sockets you want
to open.
perl slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 -https
perl slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto 1 -shost
www.virtualhost.com
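The behaviour described under Functionality is also the signature a defender looks for: many connections from one client whose HTTP headers are still incomplete long after a normal browser would have finished sending them. The following added example (not code from the course or from Slowloris) runs that check over a constructed snapshot of a web server's open connections and, as the server-side fix, emits the Apache mod_reqtimeout directive that closes a connection whose headers do not finish within the same time limit. The addresses and timings are constructed for the example.

```python
from collections import defaultdict

# Constructed snapshot of open connections, as a server status page might list them.
# Fields: (client_ip, seconds_since_connect, request_headers_complete)
SNAPSHOT = [
    ("203.0.113.5", 61.0, False),
    ("203.0.113.5", 60.4, False),
    ("203.0.113.5", 59.9, False),
    ("203.0.113.5", 58.1, False),
    ("198.51.100.7", 2.0, True),      # normal client: headers done in seconds
    ("198.51.100.9", 25.0, False),    # one slow client on a bad link, not an attack
    ("192.0.2.44", 33.0, False),
    ("192.0.2.44", 31.5, False),
    ("192.0.2.44", 30.2, False),
]


def slow_header_clients(snapshot, max_header_secs=20.0, min_conns=3):
    """Return {ip: n} for clients holding at least min_conns connections whose
    request headers are still incomplete after max_header_secs."""
    stale = defaultdict(int)
    for ip, age, complete in snapshot:
        if not complete and age > max_header_secs:
            stale[ip] += 1
    return {ip: n for ip, n in stale.items() if n >= min_conns}


def header_read_timeout_directive(max_header_secs=20):
    """Apache httpd mod_reqtimeout: give a client max_header_secs to send the
    headers (extended up to 40 s while it keeps sending at least 500 bytes/s),
    and the same for the body. Slow, idle connections are dropped by the server."""
    t = int(max_header_secs)
    return f"RequestReadTimeout header={t}-40,MinRate=500 body={t},MinRate=500"


if __name__ == "__main__":
    print(slow_header_clients(SNAPSHOT))
    print(header_read_timeout_directive())
```

The min_conns threshold keeps a single genuinely slow client from being flagged; the timeout directive handles the attack even when the source addresses are spread out, because it does not depend on counting per client.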
LOIC
Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack
application, written in C#. LOIC was initially developed by Praetox Technologies. It performs DOS
on a target site by flooding the server with TCP or UDP packets with the intention of disrupting the
service.
Features:
To run LOIC -> install LOIC -> install .NET Framework 4.0 (dotnetfx; not needed if already installed) -> click on the
LOIC icon.
Steps to run:
step 4: Choose which method you are going to use for requests, like HTTP, TCP, UDP.
step 5: You can move the slider to change the request speed.
It is done to retrieve the source code of a program because the source code was lost, to study how
the program performs certain operations, to improve the performance of a program, to fix a bug
(correct an error in the program when the source code is not available), to identify malicious content
in a program such as a virus or to adapt a program written for use with one microprocessor for use
with another. Reverse engineering for the purpose of copying or duplicating programs may
constitute a copyright violation. In some cases, the licensed use of software specifically prohibits
reverse engineering.
Just as engineers construct a building from a design, in reverse engineering we take the finished structure apart to understand it and use it in our own way.
Introduction
It is the most basic programming language available for any processor. With assembly language, a
programmer works only with operations implemented directly on the physical processor. Assembly language
lacks high-level conveniences such as variables and functions, and it is not portable between
various families of processors. Nevertheless, assembly language is the most powerful computer
programming language available, and it gives programmers the insight required to write effective
code in high-level languages. Learning assembly language is well worth the time and effort of every
serious programmer.
The fields in the square brackets are optional. A basic instruction has two parts, the first one is the
name of the instruction, which is to be executed, and the second are the operands or the parameters
of the command.
Example program:
After installing an application on the computer, normally the application asks you to register it. We
need a key or serial number to register the application, activate the full version and get
more benefit from it. So we need to enter a serial key into the field to activate it.
Now, if we try to enter some user name and some registration code, we get an error like this saying
"The username and serial number is not valid".
This is the error message we got from the application. Now search for the error in the
application.
Debuggers
A debugger or debugging tool is a computer program that is used to test and debug other programs.
The code to be examined might alternatively be running on an instruction set simulator (ISS), a
technique that allows great power in its ability to halt when specific conditions are encountered, but
which will typically be somewhat slower than executing the code directly on the appropriate
processor.
List of debuggers:
Now go to
File and open the .exe file from where it got installed, to load its code into OllyDbg.
This is how the values are seen in OllyDbg. Now search here for the message we got in the pop-up when
we tried to register with a user name and serial key.
Now right click, go to Search for and choose All referenced text strings. A new window
appears.
Right click and select the option Search for text. Enter in the field the error which we got while
trying to register the application, check the Entire scope box and click OK. After clicking OK you will find the
error in the list.
After finding the message, double click on it and another window appears showing you the code around the error
message.
Now change JNP SHORT 00456236 value in to JNP SHORT 00456236 and click Assemble.
Right click, go to the Copy to executable option, click on All modifications and click Copy all.
Right click and Save file, then copy the cracked .exe file and paste it into the installed folder. Now run the
application and enter some junk into the user name field and serial number field.
After copying and replacing the exe file in Program Files, enter your registration details as
some junk as shown in the above image and press Enter. The application says "Thank you for your registration".
The different methods to protect a binary can be divided into passive and active measures. The
passive ones try to disturb or complicate the static analysis approach,
while the active measures aim at the dynamic analysis process.
The scope defines a process of collecting information on all assets operating in the target
environment.
Channel
A channel determines the type of communication and interaction with these assets, which can be
physical, spectrum, and communication. All of these channels depict a unique set of security
components that have to be tested and verified during the assessment period. These components
comprise physical security, human psychology, data networks, wireless communication media,
and telecommunications.
Index
The index is a method which is considerably useful for classifying these target assets
according to their particular identifications, such as MAC address and IP address.
Vector
The vector determines the direction by which an auditor can assess and analyze each functional asset. This
whole process initiates a technical road map towards evaluating the target environment thoroughly
and is known as the Audit Scope. The different forms of security testing have been
classified as follows:
Blind: The blind testing does not require any prior knowledge about the target system. But the
target is informed before the execution of an audit scope. Ethical hacking and war gaming are
examples of blind type testing. This kind of testing is also widely accepted because of its ethical
vision of informing a target in advance.
Double blind: In double blind testing, an auditor does not require any knowledge about the target
system nor is the target informed before the test execution. Black-box auditing and penetration
testing are examples of double blind testing. Most of the security assessments today are carried out
using this strategy, thus, putting a real challenge for auditors to select the best of
breed tools and techniques in order to achieve their required goal.
Gray box: In gray box testing, an auditor holds limited knowledge about the target system and the
target is also informed before the test is executed. Vulnerability assessment is one of the basic
examples of gray box testing.
Double gray box: The double gray box testing works in a similar way to gray box testing, except
the time frame for an audit is defined and there are no channels and vectors being tested. White-box
audit is an example of double gray box testing.
Tandem: In tandem testing, the auditor holds minimum knowledge to assess the target system and
the target is also notified in advance before the test is executed. It is fairly noted that the tandem
testing is conducted thoroughly.
Reversal: In reversal testing, an auditor holds full knowledge about the target system and the target
will never be informed of how and when the test will be conducted. Red-teaming is an example of
reversal type testing.
A1 - Injection: A malicious data input given by an attacker to execute arbitrary commands in the
context of a web server is known as injection attack. SQL, XML, and LDAP injections are some of
its well-known types. Escaping the special characters from user input can prevent the application
from malicious data injection.
A2 - Cross-Site Scripting (XSS): An application that does not properly validate the user input and
forwards those malicious strings to the web browser, which once executed may result in session
hijacking, cookie stealing, or website defacement is known as cross-site scripting (XSS). By
escaping all the untrusted meta characters based on HTML, JavaScript, or CSS output can prevent
the application from cross-site scripting attack.
A4 - Insecure Direct Object References: Providing a direct reference to the internal application
object can allow an attacker to manipulate such references and access the unauthorized data, unless
authenticated properly. This internal object can refer to a user account parameter value, filename, or
directory. Restricting each user-accessible object before validating its access control check should
ensure an authorized access to the requested object.
A5 - Cross-Site Request Forgery (CSRF): Forcing an authenticated user to execute forged HTTP requests against a vulnerable web application is called a cross-site request forgery attack. These malicious requests are executed within a legitimate user session, so the application cannot tell them apart from the user's own requests. Binding a unique, unpredictable token to every HTTP request per user session mitigates CSRF.
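The token binding described above, as an added example that is not part of this book: a per-session token issued by the server and checked by a state-changing handler before it acts. The in-memory session store, the handler name and the form fields are assumptions made for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the server's session
# backend; the session id is what the browser's cookie would carry.
SESSIONS = {}

def start_session():
    # One unpredictable token per session, generated server-side.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    # The application embeds this in every form it renders for the session.
    return SESSIONS[sid]["csrf_token"]

def handle_transfer(sid, form):
    # Assumed state-changing handler. A forged request from another site
    # arrives with the victim's cookie (sid) but cannot contain the token,
    # because the other site cannot read it out of the victim's session.
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check leaks nothing through timing.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"
```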
A6 - Security Misconfiguration: Leaving the default security configuration in place can expose the application to multiple attacks. Maintaining a known-good configuration for the deployed application, web server, database server, operating system, code libraries, and all other application-related components is vital. Such a transparent application security configuration can be achieved by introducing a repeatable process for software updates, patches, and hardened environment rules.
A8 - Failure to Restrict URL Access: Web applications that do not check access permissions based on the URL being accessed allow an attacker to reach unauthorized pages. To resolve this issue, restrict access to private URLs by implementing proper authentication and authorization controls, and define a policy that allows only specific users and roles to access the highly sensitive areas.
A10 - Unvalidated Redirects and Forwards: Many web applications use a dynamic parameter to redirect or forward a user to a specific URL. An attacker can use the same mechanism to craft a malicious URL that redirects users to phishing or malware websites. The same attack can be extended by forwarding a request to local web pages the user is not authorized to access. Validating the supplied parameter value and checking the access control rights of the user making the request prevents illegitimate redirects and forwards.
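The parameter validation for A10, as an added example that is not the book's own code: a redirect-target check that resolves the supplied value against the site's own origin and falls back to a safe page whenever the result lands on another host or scheme. The origin www.abc.com, the allowlist and the default landing page are assumptions.

```python
from urllib.parse import urljoin, urlparse

# Assumptions for this example: the application is served from SITE_ORIGIN
# and may only redirect within ALLOWED_HOSTS; anything else falls back to
# DEFAULT_TARGET instead of honouring the supplied parameter.
SITE_ORIGIN = "https://www.abc.com"
ALLOWED_HOSTS = {"www.abc.com"}
DEFAULT_TARGET = "/"

def safe_redirect_target(next_param):
    """Return an absolute URL on an allowed host, or DEFAULT_TARGET when the
    value taken from the request would send the user somewhere else."""
    if not next_param:
        return DEFAULT_TARGET
    # Backslashes, whitespace and control characters are normalised by
    # browsers in ways urlparse does not mirror (e.g. "/\\host" is read as
    # "//host"), so refuse them rather than try to interpret them.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in next_param):
        return DEFAULT_TARGET
    # Resolve relative values against our own origin: "/account" becomes
    # "https://www.abc.com/account", while a protocol-relative "//other.host"
    # resolves to that other host and is caught by the host check below.
    resolved = urljoin(SITE_ORIGIN + "/", next_param)
    try:
        parts = urlparse(resolved)
        hostname = parts.hostname
    except ValueError:          # malformed netloc, e.g. an unbalanced "["
        return DEFAULT_TARGET
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET   # javascript:, data: and similar schemes
    if parts.username or parts.password:
        return DEFAULT_TARGET   # "user@host" forms that hide the real host
    if hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET   # the open redirect the section describes
    return resolved
```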
1. Enumeration View: This view provides the basis for web application attacks and weaknesses. Each attack and weakness is discussed individually with a concise definition, its types, and examples for multiple programming platforms. Additionally, each carries a unique identifier that can be used for referencing. There are a total of 49 attacks and weaknesses, collated with a static WASC-ID number (1 to 49). It is important to note that this numeric representation does not reflect risk severity but serves only the purpose of referencing.
2. Development View: The development view takes the developer's perspective forward by combining the set of attacks and weaknesses into vulnerabilities that are likely to occur at any of three consecutive development phases: design, implementation, or deployment. Design vulnerabilities are introduced when the application requirements do not address security at the initial requirements-gathering stage. Implementation vulnerabilities occur due to insecure coding principles and practices. Deployment vulnerabilities are the result of misconfiguration of the application, web server, and other external systems. Thus, the view broadens the scope for its integration into a regular development lifecycle as part of best practices.
3. Taxonomy Cross Reference View: This view cross-references multiple web application security standards, which helps auditors and developers map the terminology presented in one standard to another. With a little more effort, the same facility can also assist in achieving compliance with multiple standards at the same time. However, in general, each application security standard defines its own criteria for assessing applications from different angles and measuring their associated risks. Thus, each standard requires different efforts to scale up the calculation of risks and their severity levels. The WASC-TC attacks and weaknesses presented in this category are mapped to the OWASP Top Ten, Mitre's Common Weakness Enumeration (CWE), Mitre's Common Attack Pattern Enumeration and Classification (CAPEC), and the SANS-CWE Top 25 list.
The illustration of the BackTrack testing process is also given below.
1. Target scoping
2. Information gathering
3. Target discovery
4. Enumerating target
5. Vulnerability mapping
6. Social engineering
7. Target exploitation
8. Privilege escalation
9. Maintaining access
6. Scope of Pen-testing
Scope defines what we can test:
1. A single system
2. Multiple systems
3. Whole network
4. Networking devices
5. Web application
6. System application
The scope of VA & PT is very wide: we can perform VA & PT on almost every device and every type of network.
Example:- http://www.abc.com/index.php?id=1
Example:- http://www.abc.com/index.php?id=1'
**Here we get an SQL syntax error, which means the id parameter is vulnerable to SQL injection.
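To show why the quote in the test above produces a syntax error, and how the input handling recommended under A1 removes it, here is an added example (not from the book) that rebuilds the id=1 lookup against a constructed SQLite table. It uses a bound parameter, which is the parameterised form of the escaping the book recommends; the table and column names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the site behind index.php?id=1:
    # the table and column names are assumptions for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "Welcome"), (2, "About us")])
    return conn

def lookup_vulnerable(conn, raw_id):
    # Builds the statement by string concatenation, so the value from the
    # URL becomes part of the SQL text and a stray quote breaks its syntax.
    sql = "SELECT title FROM articles WHERE id = " + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_parameterized(conn, raw_id):
    # Passes the value as a bound parameter: the database never parses it as
    # SQL, so the same input simply matches no row instead of raising an error.
    row = conn.execute("SELECT title FROM articles WHERE id = ?",
                       (raw_id,)).fetchone()
    return row[0] if row else None

def probe(lookup, raw_id):
    # Returns the page title, None for no match, or "SQL ERROR" when the
    # database rejects the statement, the symptom the manual test looks for.
    try:
        return lookup(make_db(), raw_id)
    except sqlite3.Error:
        return "SQL ERROR"
```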
To test XSS manually
Visit any site and find input boxes such as a search box, a comment field, or a URL that accepts arguments, and put this simple JavaScript string, "><script>alert("Test")</script>, into the input boxes of the website. If you get a pop-up, the site is vulnerable to XSS.
Here we have a sample site where we input this simple JavaScript string into the Find box, and when we click on Find, a pop-up appears, which means this site is vulnerable to XSS.
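To show how the output escaping recommended under A2 neutralises the string used in the manual test above, here is an added example (not from the book) that renders a search term three ways: reflected verbatim, HTML-escaped, and escaped for a JavaScript string inside an inline script. The template markup is an assumption.

```python
import html
import json

# The string the manual test above types into the input box (quoted from the page).
XSS_PROBE = '"><script>alert("Test")</script>'

def render_vulnerable(term):
    # Reflects the search term verbatim into an attribute and into the body:
    # the probe's leading "> closes the attribute and a <script> element follows.
    return f'<input name="q" value="{term}"><p>Results for {term}</p>'

def render_html_escaped(term):
    # Escapes &, <, >, " and ' so the same characters reach the browser as
    # text; nothing the user typed can close the attribute or open a tag.
    safe = html.escape(term, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'

def render_js_escaped(term):
    # Inside an inline script, HTML escaping is the wrong tool: the value has
    # to be a JavaScript string literal. json.dumps quotes it, and encoding
    # "<" and ">" keeps a "</script>" in the data from ending the script block.
    literal = json.dumps(term).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var term = {literal};</script>"

def script_tag_count(markup):
    # Used by the test: the number of "<script" starts in the markup. The
    # vulnerable rendering gains one from the probe; the escaped ones do not.
    return markup.lower().count("<script")
```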
Testing each and every vulnerability manually takes a lot of time, so the solution is testing with tools. There are many tools on the market; some of them are listed below.
Acunetix WVS
Acunetix WVS (Web Vulnerability Scanner) automatically checks web applications for vulnerabilities such as SQL injection, cross-site scripting, arbitrary file creation/deletion, and weak password strength on authentication pages. It offers a comfortable GUI, the ability to create professional security audit and compliance reports, and tools for advanced manual web application testing.
AppScan
AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. AppScan scans for many common vulnerabilities, such as cross-site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows, and more.
Nessus
Nessus is a remote security scanning tool which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network. It does this by running over 1200 checks on a given computer, testing whether any of these attacks could be used to break into the computer or otherwise harm it.
Requirements
1. A computer
2. Nessus
3. Human effort
4. Internet
Nessus is a good tool for VA-PT and is widely used in many scenarios. It is a multi-platform tool that can be used for testing different flavours of operating system, such as Windows, Linux, Solaris, and FreeBSD, as well as for network pentests such as router and switch testing.
12. After that, the web interface will appear and ask you to connect via SSL.
13. Click on "I Understand the Risks" and then click on "Add Exception" to start the secure connection.
14. Click on "Confirm Security Exception".
15. The welcome screen will appear; click on "Get started".
16. Create a user here.
17. Next it will ask for activation. You can purchase an activation key, or you can get an activation key free for 15 days.
**Open your email account; you will find the activation key either in the Inbox or the Spam folder. Put that key in the Nessus activation window.
20. Once activation is done, it will prompt you to download plugins. Click on it to start downloading the updated plugins.
21. It will start downloading the plugins.
22. After that, it will start installing them on your system.
23. Once done, the Nessus home screen will appear and ask you to log in with a username and password.
24. Log in with the username and password created above.
25. Click on Scan --> New Scan.
26. With Nessus you can test web applications as well as networks. Specify what to test in the scan policy. After that, enter the target IP address or URL and click on "Create Scan" to start scanning.
27. The scan will start. When it has completed, double-click on your scan to explore it.
28. Click on "Vulnerability" to explore it. It will list all of your target's vulnerabilities and loopholes.
3. Reporting a VA-PT
Reporting is nothing but a detailed report about the scan, presented in a proper way so that it can be easily understood by everyone.
1. Click on "Export".
4. Right-click on the saved file and choose "Open" to open it with the Firefox browser.
5. Now here is the detailed report of the target. Scroll down to see more.