Friday, August 26, 2016

SQL injection

SQL Injection:

SQL stands for Structured Query Language. It is the language used to define and query databases. SQL injection is a vulnerability in the database layer of an application which allows an attacker to read the contents stored in the database. This vulnerability occurs when the user's input is not filtered, or is improperly filtered, before it becomes part of a query.

The main goal of the attacker is to access the information stored in the website's database. This can be done both manually and by using tools.

Now we will go through the attack using a tool. We need an SQL injector for that. You can download it here.

Steps of attack:

Vulnerable website > Database > Tables > Columns > Data
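The condition described above (user input concatenated into a query unfiltered) next to the parameterized form that fixes it. This is an added example, not code from the original post; the in-memory table and its rows are constructed here for illustration.

```python
import sqlite3

def make_db():
    # Constructed stand-in for a website's user table (example data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn

def lookup_vulnerable(conn, username):
    # Unfiltered input is pasted straight into the query text, so the
    # database cannot tell where the data ends and the SQL begins.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    # The placeholder sends the value separately from the query text,
    # so whatever the user typed is only ever treated as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def demo():
    conn = make_db()
    tautology = "x' OR '1'='1"          # closes the quote and adds an always-true clause
    return {
        "normal": lookup_parameterized(conn, "alice"),
        "vulnerable": lookup_vulnerable(conn, tautology),        # every row comes back
        "parameterized": lookup_parameterized(conn, tautology),  # no such user: nothing
    }
```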

Monday, August 1, 2016

Key loggers

Keyloggers:

One of the main uses of keyloggers is that we can easily spy on any computer. Keyloggers are of different types. They are:
  • Remote keyloggers and
  • Stealth keyloggers
Remote keyloggers are those which can be operated remotely from our own system, whereas stealth keyloggers are those which are operated directly on the target system. Remote keyloggers are more useful than stealth keyloggers.

Remote keyloggers:

As we know, remote keyloggers are very easy to use compared with trojans, where IP addresses and port numbers are involved.

A keylogger records the keystrokes of the victim. It records every piece of data communicated through the victim's system, takes screenshots, and saves them into the attacker's personal storage space. It is commonly used by parents to monitor their children and for some other legitimate purposes, but nowadays it is also used for malicious activity: to find passwords and to compromise the confidentiality of the victim. Many antivirus products detect keyloggers and prevent the loss of data, but many keyloggers are still in use.

Methodology of the attacker in using a remote keylogger:

  • First the attacker needs to create an executable file of a few KB in size.
  • The attacker may hide this exe file behind some genuine-looking file, like an ISO file or a song. The victim is now supposed to double click on this file and hence run it. Here the attacker follows the trojan process.
  • As the victim clicks it, the keylogger gets installed on the victim's system and secretly records the information the victim types, i.e. the keystrokes. As long as the victim is connected to the internet, the collected information is transferred through the FTP protocol to the attacker's storage.

Step by step process to operate a remote keylogger:

  • Download the free remote keylogger Ardamax with its serial key. Password: explorehacking.com. Antivirus software detects it as a virus, but don't worry.
  • Sign up at an FTP-supporting web host to upload your files.
  • Now you need to click on remote installation for the victim's computer.
  • After successful installation the keylogger runs in hidden mode on the victim's computer and the data is transferred to the attacker through the file transfer protocol.

Saturday, July 23, 2016

Windows logon password

Windows Logon password:

Getting a Windows logon password is not so difficult. It is a very easy and self-explanatory process. There are many offline password crackers which can change or clear existing passwords. You can download one here.

Just download their ISO images, burn them, insert the CD into the CD-ROM drive, and the rest is simply self-explanatory. But first we need to know how the authentication system works in Windows.

When you set a Windows login password, it obviously has to be stored in a file somewhere.
The password is stored in the SAM file, located in %systemroot%\system32\config.

Why don't we try to open the SAM file and look at the passwords? Let's try that: open c:\windows\system32\config and open SAM. You will get the error shown in the image below.

We can't open the SAM file while Windows is running. Even if we somehow manage to access the contents of the SAM file, they won't be in clear text; we would see them in an encrypted form.

SAM file:

SAM stands for Security Accounts Manager. It is a database stored as a registry hive in Windows, and it holds Windows user names and passwords in hashed form.

Hashing is a one-way function: once plain text is converted to a hash, it cannot be converted back to plain text.

Windows authentication procedure:

Whenever a user creates a new account in Windows, the password is converted to a hash value and stored in the SAM database. Every time the user logs on to the system, the password entered is converted to a hash and compared with the hash stored in the SAM database.
If both hashes match, the user is successfully authenticated.
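The account-creation and logon steps just described, carried out with the actual hash the SAM stores (MD4 over the UTF-16LE password, with no salt). This is an added example, not code from the original post; the SAM is modelled as a plain dictionary, and MD4 is written out because Python's hashlib often lacks it.

```python
import hmac
import struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(msg: bytes) -> bytes:
    # RFC 1320 MD4, written out here because hashlib's md4 is missing on many builds.
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, shifts, message word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), lambda i: i),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         lambda i: 4 * (i % 4) + i // 4),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         lambda i: int(f"{i:04b}"[::-1], 2)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in rounds:
            for i in range(16):
                a = _rotl((a + f(b, c, d) + X[order(i)] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate the working registers
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    # The SAM stores the MD4 of the UTF-16LE encoded password, with no salt.
    return md4(password.encode("utf-16-le")).hex()

def create_account(sam: dict, user: str, password: str) -> None:
    sam[user] = nt_hash(password)            # only the hash reaches the SAM

def logon(sam: dict, user: str, password: str) -> bool:
    # The entered password is hashed and the two hashes are compared.
    return user in sam and hmac.compare_digest(sam[user], nt_hash(password))

def demo() -> dict:
    sam = {}
    create_account(sam, "alice", "password")
    create_account(sam, "bob", "password")
    return {
        "alice_ok": logon(sam, "alice", "password"),
        "alice_wrong": logon(sam, "alice", "Password"),
        "same_hash": sam["alice"] == sam["bob"],   # no salt: equal passwords, equal hashes
    }
```

The missing salt is why two users with the same password get the same stored hash, and why a stolen SAM can be attacked with precomputed tables.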

How to access the SAM file?

The SAM file cannot be moved or copied elsewhere while Windows is running. It can be accessed only when Windows is not running. Confused? Here we go: let's talk about the concept of live operating systems. A live CD containing a bootable OS is inserted into the CD-ROM drive and can be used without installation.

How to open a hash file?

It is impossible to convert a one-way hash back to plain text. But automated tools can do two things:

1) clear or change the password
2) crack the password

Friday, July 22, 2016

Back door for Windows using cmd

Can we get access to Windows without knowing the victim's password? If faced with such a question, my answer is YES.

This is possible through a Windows back door entry.

Setting backdoor for windows using command prompt:

Maintaining access to the victim's system without the victim's knowledge is called a backdoor. Let us assume that the victim has left their Windows system unlocked. We want to take control of the victim's admin account. We can make that possible by following a few simple steps.

  • Open the command prompt.
  • Type: net user user_name *
                      example: net user administrator *
  • Hit enter and set any password for the account.
Hurray! A new password has been set. Observe one thing: Windows doesn't ask you to confirm the old password through the command prompt.

But what if the system has not been unlocked? If the system is locked and you want to open it without the password, is that possible?

The answer is again YES. How? Let's see.

Do you have any idea about Sticky Keys? If your answer is no, then just press the Shift key five times on your Windows system. You will see a pop-up asking "Do you want to turn on Sticky Keys?".

Sticky Keys is generally meant for people with physical disabilities. But how can we make use of it? By setting a back door for Windows using Sticky Keys and the command prompt.

When we press the Shift key five times, Windows actually opens an executable file placed in system32, i.e. sethc.exe. So if we replace that file with cmd.exe (renaming the copy of cmd.exe to sethc.exe), we can easily open a command prompt at the logon screen and change the password.

Tutorial:

  • Go to c:\windows\system32
  • Copy cmd.exe to your desktop and rename it to sethc.exe
  • Now copy that file and paste it back into the system32 directory
So now you have created a backdoor for Windows successfully.

You can open local disk C at the logon screen through the boot menu. This will be discussed in the next tutorial.
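A check an administrator can run for the sethc.exe swap described above: because the backdoor makes sethc.exe a byte-for-byte copy of cmd.exe, identical hashes of the two files are a direct sign of tampering. This is an added example, not code from the original post; the demo builds a constructed stand-in for the System32 directory in a temporary folder.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    # Stream the file so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def sticky_keys_replaced(system32: Path) -> bool:
    # sethc.exe and cmd.exe are different programs; on a clean system their
    # hashes never match. A match means sethc.exe has been overwritten with cmd.exe.
    return sha256_of(system32 / "sethc.exe") == sha256_of(system32 / "cmd.exe")

def demo(tampered: bool) -> bool:
    # Constructed stand-in for C:\Windows\System32 (fake file contents, example only).
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp)
        fake_cmd = b"MZ fake command prompt"
        fake_sethc = b"MZ fake sticky keys"
        (sys32 / "cmd.exe").write_bytes(fake_cmd)
        (sys32 / "sethc.exe").write_bytes(fake_cmd if tampered else fake_sethc)
        return sticky_keys_replaced(sys32)
```

On a real machine call sticky_keys_replaced(Path(r"C:\Windows\System32")) from an elevated prompt; a true result warrants restoring sethc.exe from installation media.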


Email Attacks

Nowadays the use of email has increased. On the other hand, these emails can be spoofed and spammed. Some of the major threats are discussed here.

Email spoofing, identity attacks, email bombing and email spamming:

First of all let us discuss the basic working of email. You can skip this topic if you are familiar with email. Email stands for electronic mail. It helps us send and receive digital mail. Sending and receiving emails is controlled by servers.

  • Let us say abc is registered with the Gmail server as abc@gmail.com and xyz is registered with the Yahoo server.
  • If abc sends a mail to xyz, the process is as follows:
  • The mail sent by abc is received by the Gmail server; the Gmail server then looks up xyz's Yahoo account and forwards the mail to xyz@yahoo.com.

Spoofed mail:

A spoofed email is also called a fake email. Such a fake email appears to come from a sender using someone else's identity. The fake sender's mail ID may or may not exist; it doesn't matter.

Different methods can be used to spoof an email. Some of them are discussed below:

  • Using open relay servers: this is a method which may not work. Here we use an open server which allows people to send emails by connecting to it; a user can connect to it via telnet. This is an outdated technique that was used once, so it is not necessary to discuss open relay servers further.
  • Using websites: many websites let us send fake emails. Many of them provide a free service, but the problem is that they attach advertisements to the mails. The best one that provides a free service without any advertisements is given below:
              www.emkei.cz

  • Using mail sending scripts: PHP contains a mail sending function which allows us to send fake mails with custom headers. For that we need to upload the PHP script to a hosting site. Many hosting sites don't allow you to upload such malicious content; some hosting sites that work are x10hosting.com and 000webhost.com.
            You can download the PHP script here.

Email Spamming and Email Bombing:

Email spamming and bombing are techniques used to collect information. Bombing means sending a large number of emails in a single click. These activities are performed by spammers and advertisers. Many spammers send mails asking you to fill in your details to claim a prize. These spammers steal the information and sell it to businesses that want it.

How to identify whether the email is real or spoofed:

We can easily identify such emails by viewing the email headers. Email headers show us the path the email travelled from sender to receiver, and they contain a lot of other information too. The name of the header view varies from provider to provider: in Gmail it can be seen by clicking "Show original", whereas in Yahoo it can be seen by clicking "Full headers".

If an email claims to come from the Gmail server but originated from some other server, it is a spoofed mail. So first we need to check the origin of a received mail. If it came from an unknown hosting site, we should simply ignore the mail.
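The header check described above, done programmatically: walk the Received: headers from the origin hop to our mailbox and compare the origin with relays the claimed sender domain is known to use. This is an added example, not code from the original post; the raw messages, hostnames, addresses and the EXPECTED_RELAYS table are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message (example data, not a real email). The From: header
# claims gmail.com, but the earliest Received: hop shows the message entered
# the mail system from an unrelated hosting server.
RAW_SPOOFED = """\
Received: from mx.yahoo.example (mx.yahoo.example [198.51.100.7])
\tby inbox.yahoo.example with ESMTP; Fri, 22 Jul 2016 10:02:01 +0000
Received: from web-host.example (web-host.example [203.0.113.9])
\tby mx.yahoo.example with SMTP; Fri, 22 Jul 2016 10:01:58 +0000
From: "abc" <abc@gmail.com>
To: xyz@yahoo.com
Subject: claim your prize

hello
"""
# The same message as it would look arriving from a Google relay (constructed).
RAW_GENUINE = RAW_SPOOFED.replace("web-host.example", "mail-out.google.com")

# Assumed relay hostname suffixes per sender domain (example values only).
EXPECTED_RELAYS = {"gmail.com": ("google.com", "gmail.com")}

def received_path(raw: str) -> list:
    # Each server prepends its own Received: line, so reading them bottom-up
    # gives the path from the origin to our mailbox.
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+(\S+)", value)
        hops.append(m.group(1).lower() if m else "?")
    return hops[::-1]

def looks_spoofed(raw: str, expected=EXPECTED_RELAYS) -> bool:
    # A mismatch between the origin hop and the claimed sender's relays is the
    # sign the post describes; unknown domains are expected to relay from themselves.
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    origin = received_path(raw)[0]
    allowed = expected.get(claimed, (claimed,))
    return not any(origin == d or origin.endswith("." + d) for d in allowed)
```

Received: lines can themselves be forged by the origin, so only the hops added by your own provider are fully trustworthy; this check is a first filter, not proof.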

Saturday, July 16, 2016

Dark side web

Though phishing and desktop phishing sound similar, there is a lot of difference between the two terms. Desktop phishing is an advanced form of phishing. In this tutorial we will have a close look at both terms.

Normal phishing:

Phishing is nothing but convincing the victim to log in to a fake page. It follows a sequence of steps. They are as follows:

Step 1: The attacker convinces the victim to log in to a fake page which resembles the genuine web page.

Step 2: The victim enters his/her credentials in the fake page sent by the attacker.

Step 3: All the credentials entered in the fake page are received by the attacker.

Step 4: The victim is then redirected to an error page or to the genuine website, depending on the attacker.

The main drawback of phishing is that the victim can easily tell the difference between the fake page and the original page by looking at the domain name. So in order to overcome this problem, desktop phishing was introduced.



Desktop phishing:

This process is as simple as phishing, but instead of sending a fake link to the victim, the attacker sends an executable file, i.e. a .exe file.

The victim needs to double click on the received executable file. The attacker's job is then done.

The major advantage of this type of phishing is that the victim enters the original web address but is redirected to the attacker's fake page. The domain name remains the same as the original address.

The rest of the process is the same as normal phishing.


What is a hosts file?

The hosts file is a text file containing domain names and the IP addresses associated with them.
Location of the hosts file in Windows:   C:\Windows\System32\drivers\etc\

Whenever we visit a website, say www.sample.com, a query is sent to the domain name server (DNS) to look up the IP address associated with that website/domain. But before doing this, the hosts file on our local computer is checked for an IP address associated with the domain name.

Suppose we make an entry in the hosts file mapping www.sample.com to 115.124.124.50. The browser would then be taken to 115.124.124.50, and no query for the IP address of www.sample.com would be sent to the domain name server.

So now the attack can be divided into two parts:

First, we need to create and host a phishing page on our computer.

Second, we need to modify the victim's hosts file.

Step 1) We need to host the phishing page on our own computer using web server software like XAMPP or WAMP. This is because a hosting site we would upload the phishing code to points at the hosting web server's IP address, not at the target website.

Step 2) Modifying the hosts file can be done in two different ways:

Method 1) Send the victim a zip file containing a modified hosts file. When the zip file is opened, it automatically replaces the victim's original file with the modified hosts file.

Copy your hosts file and paste it anywhere. Modify it as you need: edit it with any text editor and associate your public IP address with the domain you wish, as shown.

When the victim visits gmail.com, he will be taken to the website hosted at xxx.xxx.xxx.xxx (replace it with your public IP). Compress the hosts file such that when the victim opens it, it automatically gets copied to the default location C:\Windows\system32\drivers\etc and the victim's hosts file is replaced by our modified one.

Then we can bind this file to an exe using any binder software. The victim is supposed to click it, and our job is done.

Method 2) Create a batch file which modifies the hosts file as we need.

Open Notepad and enter the following:

echo xxx.xxx.xxx.xxx www.watever.com >> C:\windows\system32\drivers\etc\hosts
echo xxx.xxx.xxx.xxx watever.com >> C:\windows\system32\drivers\etc\hosts

Save the file with a .bat extension (mandatory).

When the victim runs this file, a new entry is appended to the hosts file.

Limitations of the attack:

1) We need to purchase a static IP from the ISP, since our public IP address is dynamic; the redirection would break every time the address changes.
2) The browser may flag the digital certificate.

Countermeasures:

Never blindly enter your credentials in a login page, even if you typed the domain name into the web browser yourself. Check whether the protocol is http or https; https is more secure.
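A further countermeasure: audit the hosts file for entries of the kind the batch file above appends, i.e. names mapped to a routable public address so that DNS is bypassed. This is an added example, not code from the original post; the hosts file content is constructed for illustration and reuses the 115.124.124.50 address from the text.

```python
import ipaddress

# Constructed hosts file content (example data). The last two lines are the
# kind of entry the batch file in this post appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan   # local printer, harmless
115.124.124.50  www.gmail.com
115.124.124.50  gmail.com
"""

def parse_hosts(text: str) -> list:
    # Return (ip, hostname) pairs, skipping comments and blank lines.
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name) for name in names)
    return pairs

def suspicious_entries(text: str) -> list:
    # Loopback, link-local and private addresses are normal in a hosts file.
    # An entry pointing a name at a public address silently overrides DNS,
    # exactly as the tutorial describes, and deserves a closer look.
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))      # malformed line: also worth reviewing
            continue
        if addr.is_global:
            flagged.append((ip, name))
    return flagged
```

On Windows read the real file with Path(r"C:\Windows\System32\drivers\etc\hosts").read_text() and pass it to suspicious_entries.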