2021 CEH Documentation


Steps to give admin permission to Kali 2020 and above

whoami
sudo su
passwd root
(it will ask you to type the password for the root account)
(type the password and log out from the current user account)
(then sign in with the root credentials)

Bug Bounty Websites

Hackerone.com

bugcrowd.com

What is hacking?

❖ It involves 3 steps
❏ 1st, find the vulnerability. A vulnerability means a weakness of a
system, like open ports, bugs in software, or poor code flow.
❏ 2nd, write a script to penetrate the vulnerable area. The script may be
written in the same programming language used to write the software or any other
understandable language. Those scripts are called payloads.
❏ 3rd, enter through the vulnerable area, successfully manage
to get the data from the target and come out. Exploit means the method used to
penetrate.

WHO IS A HACKER?

● A person who has the skills to do hacking is known as a hacker


ZERO DAY

● A zero day vulnerability refers to a loophole in software that is unknown to the
vendor or software owner. This vulnerability is then exploited by hackers before
the vendor becomes aware. This exploit is called a zero day attack.

HACKER CLASSES.

● BLACK HAT
● WHITE HAT
● GRAY HAT
● SUICIDAL HACKERS
● SCRIPT KIDDIES
● CYBER TERRORIST
● STATE SPONSORED HACKERS
● HACKTIVIST

ELEMENTS OF INFORMATION SECURITY.

CIA TRIAD

● CONFIDENTIALITY
● INTEGRITY
● AVAILABILITY

Types of WEBSITES

● Surface web
● Deep web
● Dark web

Google dork

inurl:”img/main.cgi?next file”→ we can find lots of exploits

inurl:”img/main.cgi?next file”→ we can find google dorks

Classification of IP addresses:
1. Public IP address - This IP address is assigned by the ISP. It is common to all devices
present in the same network.

2. Private IP address - This IP address is assigned by our router. The most common IP
addresses assigned are 192.168.0.* or 192.168.1.*

TYPES

ipv4→ 192.168.10.25

ipv6→ 2001:0db8:85a3:0000:0000:8a2e:0370:73

CLASS RANGE

class-A 1-126
class-B 128-191
class-C 192-223
class-D 224-239
class-E 240-254

SUBNET MASK→ it is used to identify the network and host parts

SUBNET MASK CLASS C→ 255.255.255.0
SUBNET MASK CLASS B→ 255.255.0.0
SUBNET MASK CLASS A→ 255.0.0.0
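As an added example (not part of the original notes), here is a Python helper that applies the class ranges and default subnet masks listed above: it classifies an IPv4 address, flags private addresses, and ANDs the address with the mask to split it into its network and host parts. The CLASS_RANGES and DEFAULT_MASKS tables reproduce the notes' values; the sample addresses are constructed.

```python
# Added example: classful lookup for IPv4 addresses using the ranges and
# default masks from the notes above. Uses only the standard library.
import ipaddress

# Class ranges from the notes, keyed by the value of the first octet.
# (The notes end class E at 254, so 255.x.x.x falls outside every range.)
CLASS_RANGES = {
    "A": (1, 126),
    "B": (128, 191),
    "C": (192, 223),
    "D": (224, 239),
    "E": (240, 254),
}

# Default (classful) subnet masks from the notes. Classes D and E have none.
DEFAULT_MASKS = {
    "A": "255.0.0.0",
    "B": "255.255.0.0",
    "C": "255.255.255.0",
}


def ip_class(addr: str) -> str:
    """Return the class letter for an IPv4 address, or 'loopback'/'unknown'."""
    first = int(ipaddress.IPv4Address(addr)) >> 24   # first octet
    if first == 127:
        return "loopback"          # 127.x.x.x sits between class A and B
    for letter, (low, high) in CLASS_RANGES.items():
        if low <= first <= high:
            return letter
    return "unknown"


def split_network_host(addr: str, mask: str) -> tuple:
    """AND the address with the mask to get the network part; the remaining
    bits are the host part. Returns both in dotted-quad form."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(a & m)
    host = ipaddress.IPv4Address(a & ~m & 0xFFFFFFFF)
    return str(network), str(host)


def describe(addr: str) -> dict:
    """Bundle class, default mask, private/public flag and network/host split."""
    ip = ipaddress.IPv4Address(addr)
    letter = ip_class(addr)
    mask = DEFAULT_MASKS.get(letter)
    info = {"address": addr, "class": letter, "default_mask": mask,
            "private": ip.is_private, "network": None, "host": None}
    if mask:
        info["network"], info["host"] = split_network_host(addr, mask)
    return info


if __name__ == "__main__":
    # Constructed sample addresses: the notes' example plus a few others.
    for sample in ("192.168.10.25", "10.5.6.7", "172.16.0.9", "8.8.8.8", "224.0.0.1"):
        print(describe(sample))
```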


HIDING IDENTITY

● Using proxy website www.kproxy.com
● Using VPN
● Using TOR browser

RECONNAISSANCE.

● Active
● Passive

ACTIVE→ Wappalyzer

PASSIVE→ footprinting is a preparatory phase for an attack.


Methods of Footprinting

● Footprinting via the Internet
Examples:
1. Facebook
2. LinkedIn
3. Twitter
4. Naukri

● Email Footprinting
http://www.readnotify.com/

● Network Footprinting
● WHOIS Footprinting
who.is

Enumeration: Gathering more information

Four Methods:

● DNS Enumeration
● SMTP Enumeration (Simple Mail Transfer Protocol)
● SNMP Enumeration
● NETBIOS Enumeration

DNS Enumeration
● Process of locating all the DNS servers and their corresponding records for an
organisation.

www.example.com --------> DNS (Domain Name System) --------> 125.35.25.45

1. dnsdumpster.com
2. DNS Zone Transfer Attack
3. host -t ns timepass.pk
4. host -l timepass.pk ns1.timepass.pk

https://hackertarget.com/zone-transfer/

SMTP ENUMERATION (Simple Mail Transfer Protocol)

SMTP --------> protocol used to send mail to the mail servers. It uses port
POP and IMAP --------> protocols used to retrieve mail from the mail server

SNMP: [Simple Network Management Protocol]
● Simple Network Management Protocol is an Internet Standard protocol for
collecting and organising information about managed devices on IP networks and
for modifying that information to change device behaviour.

NETBIOS ENUMERATION.

● NETBIOS (Network Basic Input Output System) is a program that allows
applications on different computers to communicate over a Local Area Network.

nbtstat /?

nbtstat -n

nbtstat -A <IP address>

METASPLOIT:

● It is a framework which has scanners, enumeration modules, exploits,
etc.
msfconsole ----> command to open Metasploit
armitage ----> GUI version of Metasploit

SCANNING:
● Network Scanning→ Angry IP Scanner
● Port Scanning→ Nmap, example→ nmap scanme.nmap.org
● Vulnerability Scanning→ Nessus scanner

REVERSE ENGINEERING: (JAVA DECOMPILERS.COM )

Types of password attacks:

● Guessing attack
● Brute Force attack
● Dictionary attack
● Hybrid attack
● Keylogger attack

Brute Force:
A brute force attack tries every possible combination until it cracks the code.

Hybrid attack:
A combination of a brute force attack and a dictionary attack.

Keylogger attack:
A keylogger is a hardware device or a software program that records the real-time
activity of a computer user, including the keyboard keys they press.

GUESSING ATTACK:
● DOB
● Pet name
● Mobile number

DICTIONARY ATTACK:
● Since most passwords are chosen by users, it stands to reason that most
passwords contain common words.
● There are a little over a million words in the English language, while there are
308,915,776 possible combinations of 6 letters. Most attackers will take this into
account when attempting to intrude on your system, and make use of word lists
in combination with common password lists when trying to guess the password.
MALWARE THREATS:

Malicious + Software

1. User mode
2. Kernel mode

Ring 0 (Kernel mode) - highest privilege
Ring 1 - not used
Ring 2 - not used
Ring 3 (User mode for applications) - lowest privilege

x86 provides 4 privilege levels

A higher privilege level can control lower levels and access more hardware resources

KERNEL MALWARE VS USER MALWARE:

Kernel malware is more destructive
● Can control the whole system
● Including both hardware and software

Kernel malware is more difficult to detect or remove
● Many antivirus programs run in user mode
● Lower privilege than kernel-mode software
● Cannot scan or modify malware in kernel mode

Kernel malware is more difficult to develop
● The kernel is complex
● Kernel mode malware is more likely to have bugs
● Even a minor bug in kernel mode can cause a kernel crash
That’s why kernel mode malware is rare

MALWARE CATEGORIES:

● Virus
● Worm
● Trojan
● Backdoor

VIRUS MAKER:

● Terabit Virus Maker
● Poison Virus Maker
● Acid Virus Maker
● Delme’s Batch Virus Maker


TYPES OF VIRUS:

Stealth Virus: Hides its identity

Macro viruses:
● They are written in a macro programming language and are attached to document
files such as Word or Excel

Browser Hijacker virus:
● Hijacks certain browser functions, such as redirecting the user automatically
to particular sites

METAMORPHIC VIRUS:
● Changes the appearance of its code to an equivalent form.

POLYMORPHIC VIRUS:
● Automatically rewrites itself each time it propagates or is distributed; encrypts its
original code to avoid pattern recognition.

WORM
● Write once read many

TROJAN:
● Piece of malicious code acting as a benign application.

Types of Trojan
● Keylogger
● Backdoor - Piece of malicious code which gives permanent access to the target
system
❖ Legal
❖ Illegal

Ransomware→ is a type of malicious software, or malware, designed to deny access
to a computer system or data until a ransom is paid. Ransomware typically spreads
through phishing emails or by unknowingly visiting an infected website. Ransomware
can be devastating to an individual or an organization.

SOCIAL ENGINEERING:

Human based Social Engineering

● Eavesdropping
● Shoulder Surfing
● Dumpster Diving: Looking for treasure in someone else's trash

Computer based Social Engineering

● Phishing
● Spear Phishing: Targeted phishing aimed at specific individuals within an organization.

Mobile Based Social Engineering:

● Repackaging Legitimate Apps
● Publishing Malicious Apps
● Using SMS

EVADING IDS/IPS, F/W AND HONEYPOTS.

IDS PLACEMENT

HOW IT WORKS

GENERAL INDICATION OF INTRUSIONS

GENERAL INDICATION OF SYSTEM INTRUSIONS

IDS TOOL

IDS TOOL-2

IDS Attacks
● DOS ATTACK
● FALSE POSITIVE
● SESSION SPLICING
● UNICODE EVASION
● POLYMORPHIC SHELLCODE

FIREWALL
A Firewall is a network security device that monitors and filters incoming and outgoing network
traffic based on an organization's previously established security policies. At its most basic, a
firewall is essentially the barrier that sits between a private internal network and the public
Internet.

FIREWALL ARCH
DMZ

TYPES OF FIREWALL

PACKET FILTERING FIREWALL→ works at the layer of the OSI model
CIRCUIT-LEVEL GATEWAY FIREWALL→ works on the session layer of the OSI model
APPLICATION-LEVEL FIREWALL→ works on the application layer of the OSI model
STATEFUL MULTILAYER INSPECTION FIREWALL→ combines the aspects of the
other three types of firewalls.

Different FIREWALLS

FIREWALL EVASION TECHNIQUES:

● IP ADDRESS IN PLACE OF URL
● ANONYMOUS WEBSITE SURFING SITES

HONEYPOT
Honeypot Tools:

● KFSensor
● SPECTER

TYPES OF HONEYPOT
HACKING WEB SERVER:
● A web server is a program that hosts websites.
● Attackers usually target software vulnerabilities and configuration errors to
compromise web servers.

Why web servers are compromised

Impact of web server attacks

Web server attacks

● DoS/DDoS attacks
● DNS server hijacking
● Directory traversal attacks
● Man in the middle
● Phishing attack
● Website defacement
● Web server misconfiguration
● Web server password cracking

HACKING WEB APPLICATION:

HOW WEB APPLICATION WORKS

Open Web Application Security Project Top 10 (OWASP Top 10)

The Open Web Application Security Project (OWASP) is a non-profit foundation dedicated to
improving the security of software. OWASP operates under an ‘open community’ model,
where anyone can participate in and contribute to projects, events, online chats, and more.
A guiding principle of OWASP is that all materials and information are free and easily
accessed on their website, for everyone. OWASP offers everything from tools, videos,
forums, projects, to events. In short, OWASP is a repository of all things
web-application-security, backed by the extensive knowledge and experience of its open
community contributors[i].

What is the OWASP Top 10?

OWASP Top 10 is an online document on OWASP’s website that provides ranking of and
remediation guidance for the top 10 most critical web application security risks. The report
is based on a consensus among security experts from around the world. The risks are
ranked and based on the frequency of discovered security defects, the severity of the
vulnerabilities, and the magnitude of their potential impacts. The purpose of the report is to
offer developers and web application security professionals insight into the most prevalent
security risks so that they may incorporate the report’s findings and recommendations into
their security practices, thereby minimizing the presence of these known risks in their
applications [i].

How does OWASP Top 10 work and why is it important?

OWASP maintains the Top 10 list and has done so since 2003. Every 2-3 years the list is
updated in accordance with advancements and changes in the AppSec market. OWASP’s
importance lies in the actionable information it provides; it serves as a key checklist and
internal Web application development standard for many of the world’s largest
organizations.

Auditors often view an organization’s failure to address the OWASP Top 10 as an indication
that it may be falling short with regards to compliance standards. Integrating the Top 10
into its software development life cycle (SDLC) demonstrates an overall commitment to
industry best practices for secure development [i].
Figure: a comparison between the 2013 and 2017 versions.

The most recent version was released in 2017 and it included significant changes to the 2013
version, as shown in the figure. Injection remains one of the most critical
security issues in applications, and sensitive data exposure rose in importance. Some new
issues were added, such as insecure deserialization, and some other issues were merged.

What are the latest OWASP Top 10 categories?


The OWASP Top 10 2017 includes the following:

1. Injection. A code injection occurs when invalid data is sent by an attacker into a web
application. The attacker’s intent in doing so is to make the application do something it was
not designed to do.

● Example: SQL injection is one of the most common injection flaws found in
applications. SQL injection flaws can be caused by use of untrusted data by an
application when constructing a vulnerable SQL call.
● Solution: Source code review is the best way to prevent injection attacks. Including
SAST and DAST tools in your CI/CD pipeline helps to identify injection flaws that have
just been introduced. This allows you to identify and mitigate them before production
deployment [i].

2. Broken Authentication. Certain applications are often improperly implemented.
Specifically, functions related to authentication and session management, when
implemented incorrectly, allow attackers to compromise passwords, keywords, and
sessions. This can lead to stolen user identity and more [ii].

● Example: A web application allows the use of weak or well-known passwords (i.e.
“password1”).
● Solution: Multi-factor authentication can help reduce the risk of compromised
accounts. Automated static analysis is highly useful in finding such flaws while
manual static analysis can add strength in evaluating custom authentication
schemes. Synopsys’ Coverity SAST solution includes a checker that specifically
identifies broken authentication vulnerabilities.

3. Sensitive Data Exposure. Sensitive data exposure is when important stored or
transmitted data (such as social security numbers) is compromised.

● Example: Financial institutions that fail to adequately protect their sensitive data can
be easy targets for credit card fraud and identity theft.
● Solution: SAST tools such as Coverity and SCA tools such as Black Duck Binary
Analysis include features and checkers that identify security vulnerabilities that can
result in sensitive data exposure.

4. XML External Entities (XXE). Attackers are able to take advantage of web applications
that use vulnerable components to process XML. Attackers are able to upload XML or
include hostile commands or content within an XML document.

● Example: An application allows untrusted sources to perform XML uploads.
● Solution: Static application security testing (SAST) is very helpful at detecting XXE in
source code. SAST helps inspect both application configuration and dependencies.

5. Broken Access Control. Broken access control is when an attacker is able to get access
to user accounts. The attacker is able to operate as the user or as an administrator in the
system.

● Example: An application allows a primary key to be changed. When the key is changed
to another user’s record, that user’s account can be viewed or modified.
● Solution: It is critical to use penetration testing in order to detect unintended access
controls. Changes in architecture and design may be warranted to create trust boundaries for
data access [iii].

6. Security Misconfiguration. Security misconfigurations are when design or configuration
weaknesses result from a configuration error or shortcoming.

● Example: A default account and its original password are still enabled, making the
system vulnerable to exploit.
● Solution: Solutions like Synopsys’ Coverity SAST include a checker that identifies
information exposure available through an error message [ii].

7. Cross-Site Scripting (XSS). XSS attacks occur when an application includes untrusted
data on a webpage. Attackers inject client-side scripts into this webpage.

● Example: Untrusted data in an application allows an attacker to ‘steal a user
session’ and gain access to the system.
● Solution: SAST solutions well versed in data flow analysis can be a great tool to help
find these critical defects and suggest remedies. The OWASP website also provides a
cheat sheet of best practices to eliminate such defects from your code. For OWASP
Top 10 categories like XSS, that also have a Common Weakness Enumeration (CWE),
Black Duck will alert teams that this is the weakness that led to the vulnerability,
enabling them to better understand the vulnerability and prioritize their remediation
efforts [ii].

8. Insecure Deserialization. Insecure Deserialization is a vulnerability where deserialization
flaws allow an attacker to remotely execute code in the system.

● Example: An application is vulnerable because it deserializes hostile objects that
were supplied by an attacker.
● Solution: Application security tools help detect deserialization flaws and penetration
testing can be used to validate the problem [ii].

9. Using Components With Known Vulnerabilities. This vulnerability’s title states its
nature; it describes when applications are built and run using components that contain
known vulnerabilities.

● Example: Due to the volume of components used in development, a development
team may not even know or understand the components used in their application.
This can result in them being out-of-date and therefore vulnerable to attack.
● Solution: Software composition analysis (SCA) tools like Black Duck can be used alongside static
analysis to identify and detect outdated and insecure components in your application
[ii].

10. Insufficient Logging And Monitoring. Logging and monitoring are activities that should
be performed on a website frequently, to guarantee it is secure. Failure to adequately log and
monitor a site leaves it vulnerable to more severe compromising activities.
● Example: Events that can be audited, like logins, failed logins, and other important
activities, are not logged, leading to a vulnerable application.
● Solution: After performing penetration testing, developers can study the test logs to
identify possible shortcomings and vulnerabilities. SAST solutions can also help
identify unlogged security exceptions.
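The Injection item (1.) above describes SQL injection as untrusted data used while constructing a SQL call. As an added example (not from the original notes or the OWASP document), here is a SQLite lookup written the vulnerable way, by splicing the input into the query text, beside the hardened version that binds the value as a parameter; the users table and its rows are constructed for the demonstration.

```python
# Added example: vulnerable string-built SQL beside the parameterized fix.
# Uses Python's built-in sqlite3 with an in-memory database, so it runs offline.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("carol", "admin")])
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: untrusted input is spliced into the SQL text, so quote
    characters in the input change the structure of the statement, not just
    the data it compares against."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the statement text is fixed and the driver binds the value,
    so the input can only ever match (or fail to match) a name."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    try:
        return {"unsafe": len(find_user_unsafe(conn, name)),
                "safe": len(find_user_safe(conn, name))}
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice"))           # both lookups return exactly one row
    print(compare("x' OR '1'='1"))    # unsafe returns every row; safe returns none
```

The second call is the classic textbook input: the unsafe query's WHERE clause becomes always true, while the bound parameter is simply a name that no row has.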

CODE SANITATION:
(It will sanitize the malicious content in the input field)

example: Malicious script→ <script>alert(‘1’)</script>

AFTER SANITATION→ @ !script!@alert(‘1’)@!/script!@
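The sanitation idea above, implemented as output encoding with Python's standard html module, as an added example that is not from the original notes: the untrusted value is HTML-escaped at the point where it is inserted into the page, so the notes' script tag is shown as text instead of being parsed as markup. The template strings and sample inputs are constructed for the demonstration.

```python
# Added example: HTML output encoding (escaping) for untrusted input, shown
# beside the vulnerable version that pastes the input straight into the page.
import html


def render_unsafe(comment: str) -> str:
    """Vulnerable: untrusted input is concatenated into the HTML body unchanged."""
    return "<p class=\"comment\">" + comment + "</p>"


def render_safe(comment: str) -> str:
    """Hardened: every HTML-significant character (<, >, &, quotes) is encoded,
    so the browser displays the characters and never treats them as a tag."""
    return "<p class=\"comment\">" + html.escape(comment, quote=True) + "</p>"


def render_attribute_safe(title: str) -> str:
    """Attribute context: quotes must be encoded too, otherwise a value containing
    a double quote would end the attribute early."""
    return "<a title=\"" + html.escape(title, quote=True) + "\">link</a>"


def still_contains_script_tag(rendered: str) -> bool:
    """Simple check used below: does a raw <script tag survive in the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    payload = "<script>alert('1')</script>"   # the example from the notes
    print(render_unsafe(payload))              # tag survives: would run in a browser
    print(render_safe(payload))                # &lt;script&gt;alert(&#x27;1&#x27;)&lt;/script&gt;
    print(render_attribute_safe('Tom "Tiny" Brown'))
```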

CROSS SITE SCRIPTING (XSS):

● Cross-site scripting (XSS) is a type of computer security vulnerability typically
found in web applications. XSS enables attackers to inject client-side script into
web pages viewed by other users. A cross-site scripting vulnerability may be
used by attackers to bypass access controls such as the same-origin policy.

Types:

● Persistent XSS
● Non persistent XSS
● DOM based XSS

Persistent XSS:
● In persistent XSS the script will be executed and the resultant activity will be displayed
to everyone who visits that link.

Non Persistent XSS or Reflected XSS:
● In this type of XSS the resultant activity will only be shown to the attacker.

DOM Based XSS:
● Document Object Model in web development
● The Document Object Model (DOM) is a cross-platform and language-independent
interface that treats an XML or HTML document as a tree structure
wherein each node is an object representing a part of the document. The DOM
represents a document with a logical tree.
1. Persistent DOM based XSS
2. Non persistent DOM based XSS
STRUCTURED QUERY LANGUAGE:
Types of SQL

DOS:
● A denial of service (DoS) attack is an attack meant to shut down a machine or
network, making it inaccessible to its intended users by flooding it with traffic.
● In a distributed denial of service attack (DDoS), the incoming traffic flooding the
victim originates from many different sources. This effectively makes it impossible
to stop the attack simply by blocking a single source.

SNIFFING:
● Active sniffing
● Passive sniffing

IT HAS THREE SECTIONS:
1. Capture the packets
2. Details about each packet
3. Show the raw data of the packets

Types of filter:
1. Display filter: We can see the content of a specific protocol.
2. Capture filter

TYPES OF MODES:
1. Promiscuous mode
2. Non-promiscuous mode

SNIFFING THREATS:
● Email traffic
● Web traffic
● Chat session
● FTP passwords
● Router configurations
● DNS traffic
● Syslog traffic
● Telnet password

COUNTERMEASURES:
● Restriction of physical access to network media.
● Use the encryption method.
● Proper configuration of IDS.
● Enable port security features.

SESSION HIJACKING:
● Application level
● Network level → Hijacking of sessions by intercepting the communication
between hosts. The attacker usually intercepts the communication to obtain the
role of the authenticated user or to carry out a man in the middle attack.

Cache→ It is a temporary virtual memory of the sites which we have browsed earlier.
Cookie→ a piece of information which holds the user's secret or confidential information such
as session timing, user IP address, browser name, browser version, display size (i.e.
resolution). A cookie is also temporary, but it will not have the username and password.
Session → it is embedded in the cookie, i.e. the session is in the cookie. Log out timing will be in
inactive sessions, like banking sessions.

Session hijacking becomes successful because of weak session IDs or no blocking
upon receiving an invalid session ID.
They are of three types
● Stealing
● Guessing
● Brute-forcing
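The two causes of successful hijacking named above (weak session IDs and no blocking after invalid IDs), plus the idle log-out timing mentioned for banking sessions, addressed in a minimal server-side session store, as an added example that is not from the original notes. The store, the injectable clock and the client labels are constructed for the demonstration; the timeout and block thresholds are illustrative values.

```python
# Added example: session store with unguessable IDs, idle expiry, and blocking of
# clients that keep presenting invalid session IDs. Standard library only.
import secrets
import time

IDLE_TIMEOUT = 600   # seconds of inactivity before a session is dropped (illustrative)
MAX_INVALID = 5      # invalid IDs from one client before it is blocked (illustrative)


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so the behaviour can be tested
        self.sessions = {}        # session_id -> {"user": str, "last_seen": float}
        self.invalid_hits = {}    # client label -> number of invalid IDs presented
        self.blocked = set()      # client labels that exceeded MAX_INVALID

    def create(self, user: str) -> str:
        """Issue a 256-bit random ID from the OS CSPRNG; unlike a counter or a
        timestamp it cannot be guessed or brute-forced in any practical time."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "last_seen": self.now()}
        return sid

    def lookup(self, sid: str, client: str):
        """Return the user for a valid, unexpired session, else None.
        Every invalid ID counts against the presenting client."""
        if client in self.blocked:
            return None
        entry = self.sessions.get(sid)
        if entry is None:
            self.invalid_hits[client] = self.invalid_hits.get(client, 0) + 1
            if self.invalid_hits[client] >= MAX_INVALID:
                self.blocked.add(client)
            return None
        if self.now() - entry["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]    # idle too long: force a fresh login
            return None
        entry["last_seen"] = self.now()
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Explicit logout removes the server-side session immediately."""
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(sid, store.lookup(sid, "client-a"))      # random ID, then "alice"
    for _ in range(MAX_INVALID):
        store.lookup("guessed-id", "client-b")     # invalid guesses from another client
    print("client-b blocked:", "client-b" in store.blocked)
```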
CRYPTOGRAPHY:
CLOUD COMPUTING:
