Ethical Hacking Course For Beginners

  • Writer: Pro Cracker
  • Feb 20, 2022
  • 29 min read

Ethical Hacking Tutorial

Ethical hacking is the practice of probing a system or network, with the owner's permission, to find the weaknesses an attacker could use before the attacker does. Let's first define hacking itself: hacking is gaining access to a system without the owner's permission, usually for a harmful purpose such as stealing data, causing financial loss or damaging the system.

Ethical hacking follows the same technical process, but the hacker enters the system with the owner's consent in order to find and report its weaknesses.

Types of Hackers

The term "hacker" is commonly used for someone who takes sensitive information without the consent of its owner. There are also "ethical hackers", whose job is to protect that data. People assume hacking is always illegal, but when it is done with the consent of the system owner it improves security and privacy, and there are many jobs available for people with these skills.

Categories of Hackers

Black Hat Hacker: Their motive is financial gain, or simply the thrill. They write malware to reach crucial information, steal it and blackmail their victims. Everything they do is illegal; they work outside the reach of the law and against it, and their intent is to violate policy and compromise personal and sensitive data.

White Hat Hacker: Also called ethical hackers. Their intent is to protect data and help make systems safer. They find the weaknesses that unethical hackers could use, working as security researchers and penetration testers, and they access data only with the owner's consent, so that the owner can fix the problems before the next attack.

Grey Hat Hacker: A mix of the two. They may find and report a weakness, but often without permission, and then ask for a payment for the details, which makes their activity illegal even when the amount demanded is small.

Green Hat Hacker: Newcomers who want to become fully fledged hackers but are at the very beginning. In other words, they are the wannabe hackers; they are usually very keen to learn the coding that hacking requires.

Script Kiddies: Also amateurs, but unlike green hats they do not want to learn to code. They simply download tools and scripts written by others and run them, often to impress their friends.

Ethical Hacking Terminologies

Vulnerability − A bug or weakness in a system that can lead to the system being compromised.
Exploit − Code that takes advantage of a vulnerability in software or a system.
Phishing − A technique that tricks a user into handing over sensitive information such as passwords or credit card details, usually through a fake email or website.
Encryption − The process of encoding data so that it cannot be read without the key. Attackers also use it against their victims: ransomware encrypts the victim's files and demands a ransom for the key.
Brute force attack − A trial-and-error attack in which software tries candidate passwords one after another until one works.
Bot − A program that runs scripted actions automatically. In attacks, "bot" usually means a compromised computer that takes commands from an attacker; a group of them (a botnet) can be used to harvest users' sensitive data or to attack other systems.
DDoS attack − A distributed denial-of-service attack: many computers (typically bots) send requests to a website or server at the same time, overloading it so that it slows down, crashes or goes offline.
SQL injection − An attack in which attacker-supplied input is inserted into a SQL query unchanged, so that it is executed as part of the query and can be used to read or modify data in the database.
Spam − Unsolicited junk email. Spam is also a delivery channel for malware and phishing.
Attack − An action taken against a system to gain access to it or extract sensitive data from it.
Back door − A back door, or trap door, is a hidden entry to a computing device or program that bypasses security measures such as logins and password protection.
Rootkit − Stealthy, typically malicious software designed to hide the existence of certain processes or programs from normal methods of detection while keeping privileged access to the computer.
Social engineering − Deceiving a person in order to obtain sensitive information such as credit card details, user names or passwords.
Worm − Self-replicating malware that spreads on its own across a network, without needing to attach itself to a host file or wait for a user to run it.
Cross-site scripting − Cross-site scripting (XSS) is a vulnerability typically found in web applications. It lets an attacker inject client-side script into web pages viewed by other users.
Zombie drone − A hijacked computer that is used anonymously as a "soldier" or drone for malicious activity, for example sending spam e-mail.
Threat − A possible danger that can exploit an existing bug or vulnerability to compromise the security of a computer or network.
Trojan − A Trojan, or Trojan horse, is a malicious program disguised as a legitimate one, so that it is hard to tell from the programs that belong on the system, designed to destroy files, alter data, or steal passwords and other information.
Virus − A malicious program or piece of code that can copy itself, usually with a harmful effect such as corrupting the system or destroying data.

Ethical Hacking Tools

John the Ripper: A password cracker used to break passwords or to test how strong they are.
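The SQL injection and brute-force entries in the glossary above are easier to see in code than in a one-line definition. The following is an added example, not code from the original post: a tiny login check backed by an in-memory SQLite database (the table, the account and the payloads are all constructed here) that shows why pasting user input into query text is the vulnerability, and why parameterised queries close it.

```python
import sqlite3


def make_db():
    """Constructed demo database: one users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled strings are pasted into the SQL text, so a quote character
    in the input changes the structure of the query instead of being treated as data."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Placeholders hand the values to the driver separately; they are never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run the same credentials through both versions and report who gets in."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1', always true
    comment_out = "alice'--"    # closes the quote and comments out the password check
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_tautology": login_vulnerable(conn, "alice", tautology),
        "vulnerable_comment": login_vulnerable(conn, comment_out, "wrong"),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
        "safe_tautology": login_safe(conn, "alice", tautology),
        "safe_comment": login_safe(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'logged in' if result else 'rejected'}")
```

Both injected inputs log in through the vulnerable function and are rejected by the safe one; note that the fix is not "escape the quotes" but "never build the query from the input at all".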
Passwords are normally stored as one-way hashes, so the tool does not "decrypt" anything: John the Ripper detects which hash format it has been given, then hashes candidate passwords (from wordlists, mangling rules or exhaustive search) and compares each result with the stored hash until one matches.

Metasploit: Metasploit is one of the most powerful exploitation tools. It is a product of Rapid7 and most of its resources can be found at www.metasploit.com. It comes in two editions, commercial and free. It can be driven from the command line (msfconsole) or, in the commercial edition, from a web UI. With Metasploit you can:
Conduct basic penetration tests on small networks
Run spot checks on the exploitability of vulnerabilities
Discover the network or import scan data
Browse exploit modules and run individual exploits against hosts

Nmap: Nmap stands for Network Mapper. It is an open-source tool widely used for network discovery and security auditing. Nmap was originally designed to scan large networks, but it works equally well against single hosts. Network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets to determine which hosts are available on the network, what services those hosts offer, what operating systems they run, what type of firewalls are in use, and other such characteristics. Nmap runs on all major operating systems, including Windows, macOS and Linux.

Burp Suite: Burp Suite is a popular platform for security testing of web applications. Its tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities. Burp is easy to use and gives the tester full control to combine advanced manual techniques with automation for efficient testing. It can be configured easily and contains features that assist even the most experienced testers.

Angry IP Scanner: Angry IP Scanner is a lightweight, cross-platform IP address and port scanner. It can scan IP addresses in any range and can be freely copied and used anywhere. To increase scanning speed it is multithreaded: a separate scanning thread is created for each IP address scanned. It pings each IP address to check whether it is alive, then resolves its hostname, determines the MAC address, scans ports, and so on. The data gathered about each host can be saved to TXT, XML, CSV or IP-Port list files, and with plugins Angry IP Scanner can gather further information about the scanned IPs.

Cain & Abel: Cain & Abel is a password recovery tool for Microsoft operating systems. It recovers various kinds of passwords by sniffing the network, cracking hashed passwords with dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analysing routing protocols. It is a useful tool for security consultants, professional penetration testers and anyone else who plans to use it for ethical reasons.

Ettercap: Ettercap stands for Ethernet Capture. It is a network security tool for man-in-the-middle attacks. It features sniffing of live connections, content filtering on the fly and many other tricks, has built-in features for network and host analysis, and supports active and passive dissection of many protocols. It runs on Windows, Linux and macOS.

Aircrack-ng: A suite of tools for 802.11 wireless auditing: monitoring and packet capture (airodump-ng), attacks on access points and clients such as deauthentication and packet replay (aireplay-ng), and cracking WEP and WPA-PSK keys from captured traffic (aircrack-ng).
Acunetix: A web vulnerability scanner that handles JavaScript-heavy sites, HTML5 and single-page applications. It generates compliance reports too.

Wireshark: A packet analyser used to capture and inspect network traffic. It is used to troubleshoot problems across the network; packet-level issues and suspicious activity can be investigated with it. It is an analysis tool rather than an intrusion detection system, but it is what you reach for to see exactly what a suspected intrusion looks like on the wire.

Nikto: A web server scanner that checks for vulnerabilities, dangerous files and programs, outdated server software and server configuration problems.

Ethical Hacking – Skills

As an ethical hacker you need to build or upgrade your skills in Internet technologies, programming and analytical problem solving. In particular, an expert hacker needs:
Strong programming knowledge
Networking knowledge
Database knowledge
Familiarity with the standard prebuilt hacking tools

Ethical Hacking – Process

The ethical hacking process is usually divided into five phases. It is not mandatory to follow them in sequence, but it is good practice.

Reconnaissance: the phase where the attacker gathers information about a target using active or passive means. Tools widely used here are Nmap, hping, Maltego and Google dorks.

Scanning: the attacker begins to actively probe the target machine or network for vulnerabilities that can be exploited. Tools used here are Nessus, Nexpose and Nmap.

Gaining Access: a vulnerability is located and you attempt to exploit it to get into the system. The primary tool here is Metasploit.

Maintaining Access: the hacker has already gained access. To get back in later without repeating the exploit, the hacker installs a backdoor on the owned system. Metasploit is the preferred tool in this phase too.

Clearing Tracks: deleting the logs of everything done during the attack. This is a criminal's step, not an ethical hacker's: on an authorised test you do not wipe the client's logs, because the record of what you did is part of what they are paying for.

Reporting: the last step. The ethical hacker compiles a report of the findings and the work done: the tools used, the success rate, the vulnerabilities found and the exploitation steps.

Quick Tip: These phases are not a fixed standard. You can adopt a different set of processes and tools according to the techniques you are comfortable with; the process matters less than whether you get the desired results.

Ethical Hacking – Reconnaissance

Information gathering, getting to know the target systems, is the first phase of ethical hacking. Reconnaissance is the set of processes and techniques (footprinting, scanning and enumeration) used to discover and collect information about a target system as covertly as possible. During reconnaissance an ethical hacker gathers as much information about the target as possible, following the seven steps below:
Gather initial information
Determine the network range
Identify active machines
Discover open ports and access points
Fingerprint the operating system
Uncover services on ports
Map the network
Each of these steps is discussed in detail in the later chapters of this tutorial.

Reconnaissance has two parts, active and passive.

Active Reconnaissance: you interact directly with the target system to gain information. The information is usually accurate and relevant, but there is a risk of being detected if you do it without permission; if you are detected, the system administrator can take severe action against you and track your subsequent activities.

Passive Reconnaissance: you are not directly connected to the target system at all.
Instead, you gather the essential information from public sources (DNS records, websites, search engines) without ever interacting with the target systems.

Ethical Hacking – Sniffing

Sniffing is capturing or monitoring the data packets passing over a network. A sniffer can capture anything sent in the clear: account names, passwords and so on. It comes in two types.

Passive sniffing: works on a hub-based LAN. A hub repeats every frame to every port, so the sniffer simply listens.

Active sniffing: needed on a switched LAN. A switch delivers each frame only to the port of its destination MAC address, so the attacker has to inject traffic (ARP poisoning or MAC flooding, covered below) to make the hosts or the switch send the traffic past the sniffer.

Ethical Hacking – Footprinting

Footprinting is the part of reconnaissance used to gather all possible information about a target system or network. It can be passive or active: reviewing a company's website is passive footprinting, while trying to get sensitive information through social engineering is active information gathering. Footprinting is the first step, where the hacker gathers as much as possible to find ways into the target system, or at least to decide which kinds of attack are most suitable. During this phase a hacker can collect:
Domain names
IP addresses
Namespaces
Employee information
Phone numbers
E-mail addresses
Job information (job postings often reveal the technologies in use)

Ethical Hacking – Sniffing Tools

There are many tools for sniffing a network, each with its own features to help analyse traffic and dissect the information. Sniffing tools are extremely common; some of the interesting ones:

BetterCAP − A powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in real time, sniff for credentials, and much more.
Ettercap − A comprehensive suite for man-in-the-middle attacks. It features sniffing of live connections, content filtering on the fly and many other tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
Wireshark − One of the most widely known and used packet sniffers. It offers a tremendous number of features for dissecting and analysing traffic.
Tcpdump − A well-known command-line packet analyser. It can intercept and display TCP/IP and other packets as they cross the network. Available at www.tcpdump.org.
WinDump − A Windows port of tcpdump: a command-line tool that is perfect for displaying header information.
OmniPeek − Made by WildPackets, OmniPeek is a commercial product that is the evolution of EtherPeek.
Dsniff − A suite of tools designed to sniff different protocols with the intent of intercepting and revealing passwords. Dsniff is designed for Unix and Linux and has no full equivalent on Windows.
EtherApe − A Linux/Unix tool that displays a system's incoming and outgoing connections graphically.
MSN Sniffer − A sniffing utility designed specifically for traffic generated by the MSN Messenger application.
NetWitness NextGen − Includes a hardware-based sniffer, along with other features, designed to monitor and analyse all traffic on a network. This tool is used by the FBI and other law enforcement agencies.

Ethical Hacking – ARP Poisoning

Address Resolution Protocol (ARP) is a stateless protocol that resolves IPv4 addresses to MAC addresses. A host that needs to talk to another host on the same network broadcasts an ARP query asking which MAC address holds the target IP. ARP poisoning is also known as ARP spoofing.

Here is how ARP works:
When one machine needs to communicate with another, it looks up its ARP table.
If the MAC address is not in the table, it broadcasts an ARP request over the network.
Every machine on the segment compares the requested IP address with its own.
The machine that owns the address responds to the request with an ARP reply containing its IP and MAC address.
The requesting computer stores the pair in its ARP table and communication takes place.

What is ARP Spoofing?

ARP has no authentication: a host accepts any ARP reply it receives, whether or not it asked for one, and overwrites its table with it. An attacker therefore sends forged ARP replies telling the victim that the gateway's IP address belongs to the attacker's MAC address (and telling the gateway the same about the victim), so both sides send their traffic through the attacker's machine, which forwards it on while sniffing it. Filling a target's ARP cache with forged entries like this is what "poisoning" means. A related but different attack, MAC flooding, sends huge numbers of frames with random source MAC addresses to overflow the switch's address table; many switches then fail open and forward every frame to every port like a hub, so the attacker can sniff all packets.

What is MITM?

A man-in-the-middle attack (abbreviated MITM, MitM, MIM, MiM or MITMA) is an active attack in which the adversary inserts itself between two parties, keeping a connection to each and relaying messages between them. The victims believe they are talking to each other directly, but the attacker controls the communication and can read or alter it. Protocols such as TLS (the successor of SSL), when certificates are properly validated, are designed to prevent this type of attack.

Exploitation in Ethical Hacking

An exploit is a program or script that lets a hacker take control of a system by taking advantage of one of its vulnerabilities. Hackers normally find the vulnerabilities with scanners such as Nessus, Nexpose or OpenVAS. Metasploit also has scanner modules, but its main job is running exploits once the vulnerabilities are known. Based on the vulnerabilities found, we look for exploits. Here are some of the best vulnerability search engines you can use.

Exploit Database − www.exploit-db.com is the place to find public exploits for a vulnerability.
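The ARP poisoning section above describes the attack in prose; the following added example (not code from the original post) builds and parses real 28-byte ARP payloads with the standard library and models a victim's ARP cache. The cache accepts every reply it sees, which is the unprotected behaviour poisoning relies on, and at the same time records the two signals a detector such as arpwatch looks for: a reply nobody asked for, and an existing IP suddenly moving to a different MAC. The IPs and MACs are constructed for the demo.

```python
import struct

ARP_REQUEST = 1
ARP_REPLY = 2
# htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise an Ethernet/IPv4 ARP payload (what follows the Ethernet header)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(payload):
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": mac(smac), "sender_ip": ip(sip),
            "target_mac": mac(tmac), "target_ip": ip(tip)}


class ArpCache:
    """A host's ARP table. Like an unprotected stack it trusts every reply (the vulnerable
    behaviour); the alerts list is the detector's view of the same events."""

    def __init__(self):
        self.table = {}        # ip -> mac
        self.pending = set()   # IPs we have asked about and still expect a reply for
        self.alerts = []

    def request(self, ip):
        self.pending.add(ip)

    def receive(self, payload):
        arp = parse_arp(payload)
        if arp["op"] != ARP_REPLY:
            return arp
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip not in self.pending:
            # Gratuitous/unsolicited reply: legitimate hosts rarely send these, attackers always do.
            self.alerts.append(f"unsolicited reply: {ip} claims to be at {mac}")
        self.pending.discard(ip)
        old = self.table.get(ip)
        if old is not None and old != mac:
            # The same IP moved to another MAC: the classic poisoning signature.
            self.alerts.append(f"mapping changed: {ip} was {old}, now {mac}")
        self.table[ip] = mac   # overwrite without question, which is the whole problem
        return arp


def demo():
    """Constructed scenario: victim 192.168.0.50 resolves its gateway 192.168.0.1 legitimately,
    then an attacker at de:ad:be:ef:00:01 sends a forged reply for the gateway's IP."""
    victim = ArpCache()
    victim.request("192.168.0.1")
    victim.receive(build_arp(ARP_REPLY, "00:11:22:33:44:01", "192.168.0.1",
                             "00:11:22:33:44:50", "192.168.0.50"))
    victim.receive(build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.0.1",
                             "00:11:22:33:44:50", "192.168.0.50"))
    return victim


if __name__ == "__main__":
    v = demo()
    print("ARP table:", v.table)
    for alert in v.alerts:
        print("ALERT:", alert)
```

After the second reply the victim's table sends all gateway-bound traffic to the attacker's MAC, while the detector has logged both an unsolicited reply and a mapping change; static ARP entries for the gateway, or dynamic ARP inspection on the switch, are the usual defences.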
Common Vulnerabilities and Exposures (CVE) − The standard for naming information security vulnerabilities: a dictionary of publicly known vulnerabilities and exposures, free for public use. https://cve.mitre.org

National Vulnerability Database (NVD) − The U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement and compliance. You can find it at https://nvd.nist.gov. NVD includes security checklists, security-related software flaws, misconfigurations, product names and impact metrics.

In general there are two types of exploit:
Remote exploits − Used when you have no access to the target system; they are run over the network to gain access to systems in remote places.
Local exploits − Used by someone who already has access to the system as a low-privileged user and wants to raise their privileges, for example to root or SYSTEM.

Ethical Hacking – Enumeration

Enumeration belongs to the first phase of ethical hacking, information gathering. The attacker establishes an active connection with the target and tries to discover as many attack vectors as possible that can be used to exploit the system further. Enumeration can reveal:
Network shares
SNMP data, if it is not secured properly
IP tables
Usernames on different systems
Password policies
What can be enumerated depends on the services the systems offer:
DNS enumeration
NTP enumeration
SNMP enumeration
Linux/Windows enumeration
SMB enumeration

Metasploit

Metasploit is one of the most powerful exploitation tools. Most of its resources can be found at https://www.metasploit.com. It comes in two editions, commercial and free.

For the purposes of this tutorial the free edition has everything needed, so we will mostly use the Community (free) version. As an ethical hacker you will usually work from the Kali distribution, which has the Metasploit Framework installed along with other ethical hacking tools. If you want to install Metasploit separately, you can do so on Linux, Windows or macOS. The hardware requirements are a 2 GHz+ processor, 1 GB of available RAM and 1 GB+ of free disk space. Metasploit can be used either from the command line or, in the commercial edition, from a web UI.

Metasploit Payloads

A payload is the code that runs on the target after an exploit succeeds; the attacker uses it to interact with the compromised system and to move data to and from it. Metasploit payloads are of three types:
Singles − Self-contained payloads that do one job, such as adding a user or running a command, and need nothing else downloaded.
Stagers − Very small payloads whose only job is to set up a network connection between attacker and victim and then download the next stage; they are used where the exploit leaves little room for code.
Stages − The larger payload components downloaded by a stager. Because the stager fetches them, they have no size limit and can provide advanced features such as Meterpreter or VNC injection.

Trojan Attacks

Trojans are non-replicating programs; they do not copy themselves into other executables. They run without the permission or knowledge of the computer's user, hiding inside what look like healthy programs or processes. Note that a Trojan gets onto a machine only with the help of the user: clicking a file attached to an email from an unknown sender, plugging in a USB stick without scanning it, opening an unsafe URL. Trojans have several malicious functions:
They create backdoors to a system, which hackers use to access the victim's system and files.
A hacker can use a Trojan to edit and delete the files on a victim's system, or to watch what the victim does.
Trojans can steal financial data such as bank account details, transaction details and PayPal information. These are Trojan-Bankers.
Trojans can use the victim's computer to attack other systems with denial-of-service traffic.
Trojans can encrypt all your files so that the hacker can demand money to decrypt them. These are ransomware Trojans.
They can use your phone to send SMS messages to third parties. These are SMS Trojans.

How Trojans Get In:
Clicking on a file found on the Internet.
Downloading malicious files from the Internet.
Opening an e-mail attachment.
Plugging in a USB drive without scanning it first.

How to be Protected from Trojan Attacks:
Use antivirus properly and keep it updated.
Do not open files from the Internet that could harm your computer.
Check e-mail attachments before opening them.
Scan USB drives with antivirus before using them.
Use a firewall and a filtering DNS service properly.

TCP/IP Hijacking

TCP/IP hijacking is when an unauthorised user takes over a genuine, already-established network connection of another user. It is done to bypass the password authentication that normally happens at the start of a session. A TCP connection is established with the three-way handshake shown in the diagram (SYN, SYN-ACK, ACK), after which each side tracks the other's sequence number.

To hijack the connection there are two possibilities. The first is to guess the sequence number. It is not a counter that simply increases by 1 per packet: it advances by the number of bytes sent, starting from an initial sequence number (ISN) chosen when the connection opens. Old TCP stacks chose ISNs predictably, which made blind guessing practical; modern stacks randomise them, so an attacker who cannot see the traffic has almost no chance. The second possibility is a man-in-the-middle attack, which in simple words is network sniffing: if you can see the packets, you read the current sequence and acknowledgement numbers directly. For sniffing we use tools like Wireshark or Ettercap.

Example: Two devices take part in a connection. The attacker monitors the data passing between them over the network and learns the IP addresses of both.

Once the attacker knows the addresses, he knocks one of the two users off the network with a DoS attack and continues the session in that user's place by spoofing the disconnected user's IP address and supplying the sequence numbers the other side expects.

Shijack

In practice, one of the best-known TCP/IP hijacking tools is Shijack. You can download it from https://packetstormsecurity.com/sniffers/shijack.tgz. Here is an example of a Shijack command:

root:/home/root/hijack# ./shijack eth0 192.168.0.100 53517 192.168.0.200 23

Here we are trying to hijack a Telnet connection between the two hosts (source 192.168.0.100 port 53517, destination 192.168.0.200 port 23).

Hunt

Hunt is another popular tool for hijacking a TCP/IP connection. It can be downloaded from https://packetstormsecurity.com/sniffers/hunt/

Email Hijacking

Email hijacking, or email hacking, is a widespread menace nowadays. It works through three techniques: email spoofing, social engineering, and planting viruses on the user's computer.

Email Spoofing

In email spoofing, the spammer forges the From address so that the mail appears to come from a known domain or person; the receiver thinks they know the sender and opens it. Such mails normally contain suspicious links, doubtful content, requests to transfer money, and so on.

Social Engineering

Spammers send promotional mails to many users, offering huge discounts and tricking them into filling in their personal data. Kali includes tools, such as the Social-Engineer Toolkit (SEToolkit), that automate this kind of attack. Email hacking is also done by phishing (the original post shows a screenshot of a phishing mail at this point). The links in the mail may install malware on the user's system, or redirect the user to a malicious website that tricks them into divulging personal and financial information such as passwords, account IDs or credit card details. Phishing is widely used by cybercriminals because it is far easier to trick someone into clicking a malicious link than to break through a computer's defences.
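Returning to the TCP/IP hijacking section above: the difference between "the attacker can sniff the connection" and "the attacker is blind" comes down to whether a forged segment lands inside the victim's receive window. The following added example (not from the original post or from the Shijack/Hunt tools) implements the RFC 793 window check with 32-bit wraparound and then simulates three attackers injecting one byte right after the handshake. The fixed ISN step used for the "legacy stack" case is a hypothetical value chosen for the demo, standing in for the predictable ISN generators of old TCP implementations.

```python
import random

MOD = 2 ** 32        # TCP sequence numbers are 32-bit and wrap around
ISN_STEP = 64_000    # hypothetical fixed increment of a legacy, predictable ISN generator


def acceptable(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 receive-side test: does any byte of this segment fall inside the receive
    window? Arithmetic is modulo 2**32 so the check survives sequence-number wraparound."""
    def inside(x):
        return (x - rcv_nxt) % MOD < rcv_wnd
    if seg_len == 0:
        return seg_seq == rcv_nxt if rcv_wnd == 0 else inside(seg_seq)
    if rcv_wnd == 0:
        return False
    return inside(seg_seq) or inside((seg_seq + seg_len - 1) % MOD)


def blind_guess_probability(rcv_wnd):
    """Chance that one uniformly random guess lands in a window of rcv_wnd bytes."""
    return rcv_wnd / MOD


def hijack_success_rate(mode, trials=2000, rcv_wnd=65_535, seed=7):
    """Simulate injecting one forged byte right after the handshake on many connections.
    mode: 'on_path'           attacker sniffed the live sequence number (e.g. ARP-poisoning MITM)
          'blind_predictable' attacker cannot sniff, but the victim's ISNs grow by a fixed step
          'blind_random'      attacker cannot sniff and ISNs are random (modern stacks)
    Returns the fraction of forged segments the victim would accept."""
    rng = random.Random(seed)
    hits = 0
    prev_isn = rng.randrange(MOD)   # ISN of an earlier connection the attacker observed
    for _ in range(trials):
        if mode == "blind_random":
            isn = rng.randrange(MOD)
        else:
            isn = (prev_isn + ISN_STEP) % MOD
        rcv_nxt = (isn + 1) % MOD   # the SYN consumed one sequence number
        if mode == "on_path":
            guess = rcv_nxt                             # read straight off the wire
        elif mode == "blind_predictable":
            guess = (prev_isn + ISN_STEP + 1) % MOD     # extrapolate from the last ISN seen
        else:
            guess = rng.randrange(MOD)                  # nothing better than a random guess
        if acceptable(guess, 1, rcv_nxt, rcv_wnd):
            hits += 1
        prev_isn = isn
    return hits / trials


if __name__ == "__main__":
    print("P(one random guess is in window):", blind_guess_probability(65_535))
    for mode in ("on_path", "blind_predictable", "blind_random"):
        print(f"{mode:18s} success rate: {hijack_success_rate(mode):.4f}")
```

The on-path and predictable-ISN attackers succeed every time; the blind attacker against random ISNs essentially never does, which is why the page's two "possibilities" collapse in practice to getting on the path (sniffing) against any modern stack.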
Inserting Viruses in a User System

The third technique by which a hacker can hijack your email account is infecting your system with a virus or other malware. With a keylogger or information stealer in place, the hacker can collect all your passwords.

How to detect if your email has been hijacked?
The recipients of spam emails include a lot of people you know.
You try to access your account and the password no longer works.
You use the "Forgot password" link and the reset does not go to the expected email address.
Your Sent Items folder contains spam you do not remember sending.

Password Hacking

We have passwords for e-mail, databases, computer systems, servers, bank accounts and virtually everything we want to protect. Passwords are in general the keys to a system or an account. People tend to choose passwords that are easy to remember, such as their date of birth, family members' names or mobile numbers, which makes them weak and easy to guess. Guessing a strong password by trying every possible combination is impractical: how long it takes depends on the length and character set of the password and on how fast the hash can be computed. In practice passwords are more often stolen than cracked, with keyloggers or spoofed websites. The most common ways passwords get compromised:
Using common or guessable passwords (names, phone numbers, etc.)
Sharing passwords with others (for example with friends)
Writing passwords down (the PIN on the ATM card, passwords in a notebook)
Saving passwords in browsers

Password Hacking Attacks

Dictionary Attack: The hacker uses a predefined list of words (a wordlist) and tries each one as the password. If the password is weak, a dictionary attack finds it quickly. Hydra is a popular tool for running dictionary attacks against network login services; the original post shows a screenshot of Hydra being used to find the password of an FTP service.

Hybrid dictionary attack: Dictionary words combined with extensions. For example, the word "admin" is combined with number suffixes to give "admin123", "admin147" and so on. Crunch is a wordlist generator where you specify a character set or pattern and it generates every possible combination and permutation; it comes bundled with the Kali distribution of Linux.

Brute-Force Attack: The hacker tries every possible combination of lower-case and upper-case letters, numbers and special characters. Given enough time it always succeeds, but the number of combinations grows exponentially with password length, so it is slow and needs a system with high processing power to be practical against anything but short passwords. John the Ripper, or its GUI front end Johnny, is one of the powerful tools for brute-force attacks and comes bundled with Kali.

Rainbow Tables: A rainbow table is a precomputed table of the hashes of a large set of candidate passwords, used to recover plaintext passwords from their hashes. Instead of hashing candidates during the attack, the cracker looks the captured hash up in the table. Tables can be downloaded from http://project-rainbowcrack.com/table.htm, and RainbowCrack, also available in Kali, is the tool that uses them. Rainbow tables only work against unsalted hashes: with a per-user salt the same password hashes to a different value for every user, so no table can be precomputed for it.

Wireless Hacking

A wireless network is a set of two or more devices connected to each other by radio within a limited range. The devices are free to move while remaining connected and sharing data with the other devices on the network. One of the main reasons wireless networks are so widespread is that they are much cheaper and faster to install than wired networks, and they are easy to set up.
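The dictionary, hybrid, brute-force and rainbow-table attacks described above all come down to generating candidates and comparing hashes; the only difference is when the hashing happens. The following added example (not code from the original post, and not Hydra, Crunch or RainbowCrack themselves) implements each in a few lines against SHA-256 hashes of a constructed password, and shows the one thing the tools' descriptions leave out: a per-user salt makes the precomputed lookup useless while the online attacks still work. The wordlist, the password "admin147" and the salt are all made up for the demo.

```python
import hashlib
import itertools
import string


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def hybrid_candidates(words, max_digits=3):
    """Hybrid dictionary attack: each word alone, then with every digit suffix up to max_digits."""
    for word in words:
        yield word
        for n in range(1, max_digits + 1):
            for digits in itertools.product(string.digits, repeat=n):
                yield word + "".join(digits)


def brute_force_candidates(charset, max_len):
    """Exhaustive search over every string of length 1..max_len (what crunch generates)."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=n):
            yield "".join(chars)


def keyspace(charset_size, max_len):
    """Number of candidates a brute-force run must try in the worst case."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def crack(target_hash, candidates):
    """Online cracking: hash each candidate and compare. Returns (plaintext or None, attempts)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if sha256_hex(cand) == target_hash:
            return cand, attempts
    return None, attempts


def precomputed_table(candidates):
    """hash -> plaintext lookup: the idea behind rainbow tables, minus their chain compression."""
    return {sha256_hex(c): c for c in candidates}


def demo():
    """Constructed scenario: the victim's password is 'admin147', stored once as a bare
    SHA-256 and once as SHA-256 over an assumed per-user salt plus the password."""
    words = ["password", "admin", "welcome"]
    unsalted = sha256_hex("admin147")
    salt = "x9Qp"
    salted = sha256_hex(salt + "admin147")

    found, attempts = crack(unsalted, hybrid_candidates(words))
    table = precomputed_table(hybrid_candidates(words))
    brute, _ = crack(sha256_hex("ab1"),
                     brute_force_candidates(string.ascii_lowercase + string.digits, 3))
    return {
        "hybrid_found": found,                    # 'admin147'
        "hybrid_attempts": attempts,              # 1370 candidates hashed online
        "table_hit": table.get(unsalted),         # instant lookup: 'admin147'
        "table_hit_salted": table.get(salted),    # None: the salt defeats precomputation
        "brute_found": brute,                     # 'ab1'
        "brute_keyspace_len8": keyspace(36, 8),   # why exhaustive search stops being practical
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salted hash could still be cracked online by hashing salt+candidate for each candidate, which is why slow, memory-hard password hashes (bcrypt, scrypt, Argon2) matter as much as the salt: they make every one of those online attempts expensive.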
They use IEEE 802.11 standards. A wireless router is the most important device in a wireless network that connects the users with the Internet. In a wireless network, we have Access Points which are extensions of wireless ranges that behave as logical switches. access_point Although wireless networks offer great flexibility, they have their security problems. A hacker can sniff the network packets without having to be in the same building where the network is located. As wireless networks communicate through radio waves, a hacker can easily sniff the network from a nearby location. Most attackers use network sniffing to find the SSID and hack a wireless network. When our wireless cards are converted in sniffing modes, they are called monitor mode. Tools For Wireless Hacking Kismet is a powerful tool for wireless sniffing that is found in Kali distribution. It can also be downloaded from its official webpage − https://www.kismetwireless.net NetStumbler is another tool for wireless hacking that is primarily meant for Windows systems. It can be downloaded from http://www.stumbler.net/ Wired Equivalent Privacy (WEP) is a security protocol that was invented to secure wireless networks and keep them private. It utilizes encryption at the data link layer which forbids unauthorized access to the network. The key is used to encrypt the packets before transmission begins. An integrity check mechanism checks that the packets are not altered after transmission. Note that WEP is not entirely immune to security problems. It suffers from the following issues − CRC32 is not sufficient to ensure complete cryptographic integrity of a packet. It is vulnerable to dictionary attacks. WEP is vulnerable to Denial of Services attacks too. WEPcrack is a popular tool to crack WEP passwords. It can be downloaded from − https://sourceforge.net/projects/wepcrack/ Aircrak-ng is another popular tool for cracking WEP passwords. It can be found in the Kali distribution of Linux. 
Wireless DoS Attacks

In a wireless environment, an attacker can attack a network from a distance, and therefore it is sometimes difficult to collect evidence against the attacker. The first type of DoS is a Physical Attack. This type of attack is very basic: it is based on radio interference, which can be created even by cordless phones operating in the 2.4 GHz range. Another type is the Network DoS Attack. As the Wireless Access Point creates a shared medium, it offers the possibility of flooding the traffic of this medium toward the AP, which slows down its processing for the clients that attempt to connect. Such attacks can be created simply with a ping flood DoS attack. Pyloris is a popular DoS tool that you can download from − https://sourceforge.net/projects/pyloris/

Social Engineering

Social engineering is a technique with many variants. The ultimate aim of the hacker is to get the user's sensitive information. Using that data, the hacker will pretend to be the original user and gain more, or sometimes unlimited, access to the organization or system. For example, human social engineering includes getting sensitive information such as account number, phone number, name and address from old documents or carbon-copy paper. Computer social engineering is mostly done by the phishing technique. I will give a practical example of a phishing attack, which will help you to understand it completely.

Phishing is a technique in which the hacker creates a copy of an application that is very similar to the original application. The hacker sends an invite to the targeted user in some way. If the user is not aware of the attack, the user will visit the application created by the hacker and enter any sensitive data asked for in the hacker's application, because as far as the user is concerned it is the original application, which he/she trusts. Once the required data is obtained, the application redirects the user to the original application page, so the user is mostly not aware of the attack.
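An added example of the defensive check the tutorial recommends under "Techniques to avoid it", namely looking at where a link actually goes before entering any data; it is not code from the tutorial. It scans a message for URLs and flags shortened links, raw IP hosts, plain http, userinfo tricks, and hostnames that mention a brand without belonging to that brand's domain. The shortener list, the brand table and the sample message are constructed for the demonstration, and the domain splitting is simplified (real code would use the Public Suffix List).

```python
"""Added example (not from the tutorial): a defensive check of the links in
a message before anyone enters credentials. The shortener list, the brand
table and the sample message are constructed for the demonstration."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed: services that hide the real destination behind a short link.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Constructed: brand keyword -> registered domains allowed to carry it.
BRAND_DOMAINS = {"gmail": {"google.com", "gmail.com"}, "paypal": {"paypal.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplified; real code should use the
    Public Suffix List so that e.g. co.uk domains are handled correctly)."""
    return ".".join(host.split(".")[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(url: str) -> list:
    """Return a list of reasons to distrust the link (empty = nothing found)."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if "@" in parts.netloc:
        findings.append("userinfo before @ (real host is after it)")
    if is_ip_literal(host):
        findings.append("raw IP address as host")
    if registered_domain(host) in KNOWN_SHORTENERS:
        findings.append("URL shortener hides the destination")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in host and registered_domain(host) not in domains:
            findings.append(f"mentions {brand} but is not a {brand} domain")
    return findings


def scan_message(text: str) -> dict:
    """Map every URL found in a message to its findings."""
    return {url: check_link(url) for url in URL_RE.findall(text)}


if __name__ == "__main__":
    # Constructed lure, modelled on the "your account is at risk" message.
    sample = ("Your gmail account is at risk, sign in now: "
              "https://bit.ly/PLACEHOLDER-SHORT-LINK or "
              "http://gmail-secure-login.example/")
    for url, reasons in scan_message(sample).items():
        print(url, "->", reasons or "no findings")
```

A shortened link is not malicious by itself, but it removes the one thing a user can check before clicking, which is why the checker reports it alongside the more direct warning signs.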
I use the Gmail application to demonstrate a phishing attack. I have created a webpage which is very similar to the Gmail sign-in webpage. Please click here to try. The hacker sends a mobile message saying that the user's Gmail account is at risk and needs his attention, and provides this link https://bit.ly/2F8FDMs in the message. The user is unaware of this attack and visits the link. He/she provides the information asked for on the webpage; after obtaining the data, the webpage redirects the user to the original Gmail page. So the user will not be aware of the attack.

Techniques to avoid it

To avoid human social engineering, users should have knowledge of social engineering and should not disclose their sensitive data to anyone. Properly dispose of any old documents or carbon-copy paper from the company. To avoid computer social engineering, check whether the application invite is from the correct source, and check the site information before entering any data into it.

DDoS Attacks

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service or a website unavailable by overloading it with huge floods of traffic generated from multiple sources. Unlike a Denial of Service (DoS) attack, in which one computer and one Internet connection are used to flood a targeted resource with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally in what is referred to as a botnet. A large-scale volumetric DDoS attack can generate traffic measured in tens of Gigabits (and even hundreds of Gigabits) per second. We are sure your normal network will not be able to handle such traffic.

What are Botnets?

Attackers build a network of hacked machines, known as a botnet, by spreading malicious code through emails, websites, and social media. Once these computers are infected, they can be controlled remotely, without their owners' knowledge, and used like an army to launch an attack against any target.
[figure: DDoS system]

A DDoS flood can be generated in multiple ways. For example −

• Botnets can be used for sending more connection requests than a server can handle at a time.
• Attackers can have computers send a victim resource huge amounts of random data to use up the target's bandwidth.

Due to the distributed nature of these machines, they can be used to generate distributed high traffic which may be difficult to handle. It finally results in a complete blockage of a service.

Types of DDoS Attacks

DDoS attacks can be broadly categorized into three categories −

• Volume-based Attacks
• Protocol Attacks
• Application Layer Attacks

Volume-based attacks include TCP floods, UDP floods, ICMP floods, and other spoofed-packet floods. These are also called Layer 3 & 4 Attacks. Here, an attacker tries to saturate the bandwidth of the target site. The attack magnitude is measured in Bits per Second (bps).

UDP Flood − A UDP flood is used to flood random ports on a remote host with numerous UDP packets, more specifically port number 53. Specialized firewalls can be used to filter out or block malicious UDP packets.

ICMP Flood − This is similar to a UDP flood and is used to flood a remote host with numerous ICMP Echo Requests. This type of attack can consume both outgoing and incoming bandwidth, and a high volume of ping requests will result in overall system slowdown.

HTTP Flood − The attacker sends HTTP GET and POST requests to a targeted web server in a volume that cannot be handled by the server, which leads to denial of additional connections from legitimate clients.

Amplification Attack − The attacker makes a request that generates a large response; this includes DNS requests for large TXT records and HTTP GET requests for large files like images, PDFs, or any other data files.

Protocol attacks include SYN floods, Ping of Death, fragmented packet attacks, Smurf DDoS, etc. This type of attack consumes actual server resources and other resources like firewalls and load balancers.
The attack magnitude is measured in Packets per Second.

DNS Flood − DNS floods are used for attacking both the infrastructure and a DNS application, to overwhelm a target system and consume all its available network bandwidth.

SYN Flood − The attacker sends TCP connection requests faster than the targeted machine can process them, causing network saturation. Administrators can tweak TCP stacks to mitigate the effect of SYN floods: reduce the timeout until the stack frees the memory allocated to a connection, or selectively drop incoming connections using a firewall or iptables.

Ping of Death − The attacker sends malformed or oversized packets using a simple ping command. IP allows sending packets of 65,535 bytes, but sending a ping packet larger than 65,535 bytes violates the Internet Protocol and could cause a memory overflow on the target system and finally crash the system. To avoid Ping of Death attacks and their variants, many sites block ICMP ping messages altogether at their firewalls.

Application Layer Attacks include Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities, and more. Here the goal is to crash the web server. The attack magnitude is measured in Requests per Second.

Application Attack − This is also called a Layer 7 Attack, where the attacker makes excessive log-in, database-lookup, or search requests to overload the application. It is really difficult to detect Layer 7 attacks because they resemble legitimate website traffic.

Slowloris − The attacker sends a huge number of HTTP headers to a targeted web server, but never completes a request. The targeted server keeps each of these false connections open and eventually overflows the maximum concurrent connection pool, which leads to denial of additional connections from legitimate clients.
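An added example (not from the tutorial) of what detection of the SYN flood and the Layer 7 application attack described above can look like on the defender's side. It runs one sliding-window counter over constructed packet records (client SYNs that are never followed by a completing ACK) and over constructed request records (requests per client), which is the same rate logic applied at two layers. The record format, the addresses (documentation ranges) and the thresholds are assumptions made for the demonstration.

```python
"""Added example (not from the tutorial): sliding-window detection of a
SYN flood (half-open connections per source) and of a Layer 7 request
flood (requests per client). Record formats, addresses and thresholds are
constructed for the demonstration."""
from collections import defaultdict


def parse_ts(hhmmss: str) -> float:
    """'12:00:01.250' -> seconds since midnight."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def max_in_window(times, window: float) -> int:
    """Peak number of events inside any sliding window of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_syn_flood(records, server_ip, window=1.0, threshold=10):
    """records: lines 'HH:MM:SS.mmm src_ip dst_ip flags' with flags S (client
    SYN), SA (server SYN-ACK) or A (client ACK completing the handshake).
    A source with many SYNs in a short window and few completing ACKs is
    flagged: that is the half-open pattern of a SYN flood."""
    syn_times = defaultdict(list)
    acks = defaultdict(int)
    for line in records:
        ts, src, dst, flags = line.split()
        if dst != server_ip:          # only look at traffic toward our server
            continue
        if flags == "S":
            syn_times[src].append(parse_ts(ts))
        elif flags == "A":
            acks[src] += 1
    offenders = {}
    for src, times in syn_times.items():
        half_open = len(times) - acks[src]
        burst = max_in_window(times, window)
        if half_open >= threshold and burst >= threshold:
            offenders[src] = {"half_open": half_open, "peak_syn_per_window": burst}
    return offenders


def detect_request_flood(requests, window=10.0, threshold=50):
    """requests: (HH:MM:SS.mmm, client_ip) pairs from an access log. The same
    sliding window catches a Layer 7 flood: each request is valid on its own,
    but there are far more per client than a person could produce."""
    per_client = defaultdict(list)
    for ts, client in requests:
        per_client[client].append(parse_ts(ts))
    flagged = {}
    for client, times in per_client.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


def constructed_packets():
    """One legitimate handshake plus 25 SYNs in half a second with no ACK."""
    lines = ["12:00:00.000 198.51.100.9 203.0.113.7 S",
             "12:00:00.001 203.0.113.7 198.51.100.9 SA",
             "12:00:00.002 198.51.100.9 203.0.113.7 A"]
    for i in range(25):
        lines.append(f"12:00:00.{100 + i * 20:03d} 192.0.2.50 203.0.113.7 S")
    return lines


def constructed_requests():
    """One browsing client plus one client issuing 60 requests in six seconds."""
    reqs = [("12:00:01.000", "198.51.100.9"), ("12:00:05.000", "198.51.100.9")]
    reqs += [(f"12:00:{i // 10:02d}.{(i % 10) * 100:03d}", "192.0.2.77")
             for i in range(60)]
    return reqs


if __name__ == "__main__":
    print("SYN flood sources:", detect_syn_flood(constructed_packets(), "203.0.113.7"))
    print("request flood clients:", detect_request_flood(constructed_requests()))
```

The two thresholds are deliberately the tunable part: a SYN-backlog threshold is set from the server's accept queue size, while a request-rate threshold has to be set from the site's own baseline, which is why Layer 7 floods are harder to tell apart from legitimate traffic.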
NTP Amplification − The attacker exploits publicly accessible Network Time Protocol (NTP) servers to overwhelm the targeted server with User Datagram Protocol (UDP) traffic.

Zero-day DDoS Attacks − A zero-day vulnerability is a system or application flaw previously unknown to the vendor, which has not been fixed or patched. New types of such attacks come into existence day by day, for example by exploiting vulnerabilities for which no patch has yet been released.

Cross Site Scripting

Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX or Flash, but the most common XSS payload is malicious JavaScript. These attacks can also be used for account hijacking, changing user settings, cookie theft/poisoning, false advertising, and creating DoS attacks.

Example

Let's take an example to understand how it works. We have a vulnerable webpage that we got from the Metasploitable machine. Now we will test the field that is highlighted with the red arrow for XSS.

[figure: Metasploitable webpage]

First of all, we make a simple alert script:

<script> alert('I am Vulnerable') </script>

It will produce the following output −

[figure: simple alert]

Types of XSS Attacks

XSS attacks are often divided into three types −

• Persistent XSS, where the malicious string originates from the website's database.
• Reflected XSS, where the malicious string originates from the victim's request.
• DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code.

Generally, cross-site scripting is found by vulnerability scanners, so that you don't have to do all the manual work of putting JavaScript into every field, such as

<script> alert('XSS') </script>

Burp Suite and Acunetix are considered among the best vulnerability scanners.

SQL Injection

SQL injection is a set of SQL commands that are placed in a URL string or in data structures in order to retrieve a response that we want from the databases that are connected with the web applications. This type of attack generally takes place on webpages developed using PHP or ASP.NET. An SQL injection attack can be done with the following intentions −

• To dump the whole database of a system,
• To modify the content of the databases, or
• To perform different queries that are not allowed by the application.

This type of attack works when the application doesn't validate inputs properly before passing them to an SQL statement. Injections are normally placed in address bars, search fields, or data fields. The easiest way to detect whether a web application is vulnerable to an SQL injection attack is to use the " ' " character in a string and see if you get any error.

Example 1

Let's try to understand this concept using a few examples. As shown in the following screenshot, we have used a " ' " character in the Name field.

[figure: name field]

Now, click the Login button. It should produce the following response −

[figure: login response]

It means that the “Name” field is vulnerable to SQL injection.

Example 2

We have this URL − http://10.10.10.101/mutillidae/index.php?page=site-footer-xssdiscussion.php

We want to test the variable “page”; observe how we have injected a " ' " character into the URL string.

[figure: variable page]

When we press Enter, it will produce the following result, which contains errors.
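An added example (not from the tutorial, Mutillidae or Metasploitable) tying the XSS and SQL injection sections together from the application's side. It runs the tutorial's quote probe against a query built by string concatenation and against a parameterised query, and renders the tutorial's alert payload with and without HTML escaping, so the error the screenshots show and its fix appear side by side. The in-memory SQLite database and its rows are constructed for the demonstration.

```python
"""Added example (not from the tutorial, Mutillidae or Metasploitable): the
quote probe from the SQL injection examples against a concatenated and a
parameterised query, plus the XSS alert payload rendered without and with
HTML escaping. Database and rows are constructed for the demonstration."""
import html
import sqlite3

XSS_PROBE = "<script> alert('I am Vulnerable') </script>"   # the tutorial's test payload
SQLI_PROBE = "'"                                              # the tutorial's quote probe


def make_db():
    """Constructed users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn


def lookup_vulnerable(conn, name):
    """Builds SQL by string concatenation: user input becomes SQL syntax."""
    query = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the driver sends the value separately from the
    statement, so a quote in the input is just a character in the value."""
    return conn.execute("SELECT id, name, email FROM users WHERE name = ?",
                        (name,)).fetchall()


def quote_probe_errors(lookup, conn) -> bool:
    """The detection step from the tutorial: does a lone quote produce a
    database error? True means the input reached the SQL parser."""
    try:
        lookup(conn, SQLI_PROBE)
        return False
    except sqlite3.Error:
        return True


def render_vulnerable(comment: str) -> str:
    """Reflects user content straight into HTML (the XSS sink)."""
    return "<p>" + comment + "</p>"


def render_safe(comment: str) -> str:
    """Escapes <, >, &, and quotes so the content is shown as text, never run."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup errors on quote:", quote_probe_errors(lookup_vulnerable, db))
    print("safe lookup errors on quote:", quote_probe_errors(lookup_safe, db))
    print("safe lookup for alice:", lookup_safe(db, "alice"))
    print("vulnerable render:", render_vulnerable(XSS_PROBE))
    print("safe render:", render_safe(XSS_PROBE))
```

The error the vulnerable lookup raises on a single quote is the same signal the screenshots above rely on; the parameterised version returns an empty result for the same input, which is why a scanner finds nothing to report against it.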
Tools For SQL Testing

SQLMAP is one of the best tools available to detect SQL injections. It can be downloaded from http://sqlmap.org/ and it comes bundled with the Kali distribution. You can locate it at − Applications → Database Assessment → Sqlmap.

SQLNinja is another SQL injection tool that is available in the Kali distribution.

JSQL Injection is written in Java and performs automated SQL injections.

Pen Testing

Pen Testing, or Penetration Testing, is a testing procedure followed by many organizations to reduce the security flaws in their systems. Since it is a theory topic, there is no demonstration. Usually, pen testing is done by certified persons. They perform various tests in various scenarios as per the procedures. Since pen testing is done on a production system or development system, the environment will be unavailable for general use during this process, so there should be proper planning. Also, the pen tester will attack the system in every aspect, so there should be a proper signed agreement before the process starts. Professional ethical hackers or pen testers use open source tools or automated tools to perform the testing on a given field at a particular time. If the tester finds any security breach, he/she will report the security hole to the organization.

Types of Penetration Testing

A pen tester will perform testing based on various scenarios. For example, in one scenario the tester will have no data access to the system; in another case the tester will get partial access to the system. They are differentiated into the following types.

Black Box − In this method, the pen tester has no data about the organization. Thus the tester acts like a public user.

Gray Box − In this method, the pen tester has partial data about the organization, such as the domain name server.

White Box − In this method, the pen tester has all data about the organization, such as domain name, network, etc.
External Penetration Testing − In this method, the pen tester is outside the organization and tries to attack the server, webpage, public DNS server, etc.

Internal Penetration Testing − In this method, the pen tester is inside the organization and tries to attack the system.

Penetration testing is costly, so organizations usually perform it annually, or when a new application or new infrastructure is added, or when a major update or security patch is applied to the system.