Network Forensics : Introduction

What is network forensics? Hearing the phrase ‘network forensics’ tends to make us think of something really cool and, at the same time, difficult. So what exactly is ‘network forensics’?

Basically, network forensics is the part of digital forensics that focuses on monitoring and analyzing network traffic. It is usually used for intrusion detection/prevention, information gathering, and collecting legal evidence.

Although they sound similar, network security and network forensics are two different things. Network security works against attacks as they happen, in real time and around the clock; think of the security guard in front of a bank. Network forensics offers no protection against an attack on the system: it takes place after the incident, after the crime has been committed. Think of a detective who starts work after an incident happens or a case is opened.

So why is network forensics so important? It can be used as part of incident response, meaning it helps answer many questions about a case: when the incident occurred, how long it lasted, how many systems were affected, what data was taken, and whether the incident is still ongoing. Network forensics can also play a very important role in finding evidence that could be used in court.

Speaking of evidence in network forensics, what actually is evidence? According to the Oxford English Dictionary, evidence is information or signs indicating whether a belief or proposition is true or valid. Digital evidence, according to the US National Institute of Justice, is information stored or transmitted in binary form that may be relied on in court.

So where can evidence be found in network forensics? Sources include network devices’ logs, mirrored network traffic, ISP logs, IP usage history, WiFi usage history, and CCTV/IP-based cameras.

Network forensics is the part of digital forensics specific to networks. It has its own challenges, such as questions about the admissibility of evidence and technical issues during evidence acquisition. Investigators must therefore develop a realistic strategy that matches the investigation goals and the available resources. A network forensics investigation methodology helps investigators carry out the work and achieve those goals.

Posted in Uncategorized | Leave a comment

Ethical Hacking : SQL Injection

SQL Injection is a type of attack in which the attacker injects a SQL query to obtain important data available in the web application. Here we will learn how to perform SQL injection and how to prevent it.

First, open DVWA and set the security level to low.

Now let’s try what a normal user would do: fill in a user ID.

Now we will try to inject our SQL query. First, we will get the users available in the database by injecting 1' OR 1=1# into the textbox.

As you can see above, we are able to obtain the data of the available users. We can also obtain any other data we want. Here are some example queries:

  • To get the database version: %' or 1=1 union select null, version() #
  • To get the database user: %' or 1=1 union select null, user() #
  • To get the database name: %' or 1=1 union select null, database() #
  • To get all tables in the database: 1' OR 1=1 UNION SELECT null, table_name FROM INFORMATION_SCHEMA.tables#
  • To get all columns of the users table: 1' OR 1=1 UNION SELECT null, column_name FROM INFORMATION_SCHEMA.columns WHERE table_name='users'#
  • To display all users with their passwords: 1' OR 1=1 UNION SELECT null, concat(user,0x0a,password) FROM users#

Now that we have done the attack on the low level, let’s do it on the medium security level, filling in the form as usual. This time you will see a small difference in how the data is input: on the low level it was a textbox, now it is a dropdown. The reason is so that the attacker cannot type a SQL query straight into the application.

This time we will use Burp Suite for the SQLi attack. As in the XSS attack post, we should not turn on intercept until we want to capture the request. Now we search for user id = 2, but this time we intercept it.

On the last line of the intercepted request we can see how the query is sent to the server. Now we only need to change the value and forward it: we change the ID into 1 OR 1=1 and forward the request to the web application.

On the medium level there is just a small difference in the syntax we use: we change 1' OR 1=1# into 1 OR 1=1.

With this we can get the database version of the web app.

We are also able to get the users’ passwords from the web application.

Now we are ready to use SQL injection on the high security level. After you change to high, you will see another difference in how the query is input: this time it opens another page when you want to search the database.

Here there is not much difference from the two levels below.

Now that we have learned how to perform SQL injection, we will also learn how to prevent it. There are many ways to stop SQL injection. First, escape the ' (tick) character: as you saw in the SQLi payloads, the tick character is essential, so escaping it stops these attacks from working. Another way is to test your web applications and spot-check the work done by your developers. One simple check is to place single quotation marks within the data sent to your server; if you receive an error response of any kind, chances are you are vulnerable to SQL injection.
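As an added example (my code, not the post’s or DVWA’s), the following Python script stands in for DVWA’s low-level user lookup with an in-memory SQLite table of constructed data: one function pastes the input into the query the way the vulnerable page does, the other uses a parameterized query, which removes the problem entirely and is the fix to reach for alongside the escaping mentioned above. It also automates the single-quote spot-check described above. SQLite uses -- rather than MySQL’s # as the comment marker, so the post’s payload is written that way here.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (example data, not DVWA's real rows).
SAMPLE_USERS = [
    (1, "admin", "hash-of-password-1"),
    (2, "gordonb", "hash-of-password-2"),
    (3, "1337", "hash-of-password-3"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    # Same shape as the low-level DVWA page: user input is pasted into the SQL text,
    # so a quote in the input ends the string and everything after it becomes SQL.
    query = f"SELECT first_name FROM users WHERE user_id = '{user_id}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, user_id):
    # The fix: a bound parameter. The driver passes the value as data, so it can
    # never change the structure of the statement, quotes and comments included.
    query = "SELECT first_name FROM users WHERE user_id = ?"
    return [row[0] for row in conn.execute(query, (user_id,))]


def quote_probe(lookup, conn):
    """The spot-check from the post: send a lone single quote and watch for an error.
    An error response is the tell-tale sign that input reaches the SQL parser."""
    try:
        lookup(conn, "'")
        return "no error"
    except sqlite3.DatabaseError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR 1=1 --"   # the post's 1' OR 1=1# with SQLite's comment marker
    print("vulnerable:   ", lookup_vulnerable(db, payload))     # every user leaks
    print("parameterized:", lookup_parameterized(db, payload))  # nothing matches
    print("probe (vuln): ", quote_probe(lookup_vulnerable, db))
    print("probe (fixed):", quote_probe(lookup_parameterized, db))
```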

Sources:

https://searchsecurity.techtarget.com/tip/Preventing-SQL-Injections


Ethical Hacking : Brute-Force Attack

A brute-force attack happens when the attacker uses trial and error to find the username and password for the web application’s authentication. Here we will demonstrate a brute-force attack against a system, and we will also learn how to prevent our system from being brute-forced.

First, open the web browser’s preferences and set the proxy to 127.0.0.1, port 8080.

Now open Burp Suite; this is the tool we will use for brute forcing. Open the Proxy tab and make sure intercept is turned off first; we will turn it on later.

Open the browser again and set the DVWA security level to low.

Now we start by going to the Brute Force page and turning on intercept.

We then enter any data in the username and password fields. After submitting, we go to Burp Suite to see how the request works.

After we intercept the request and find out how it works, we send the request to Intruder (Ctrl+I).

In Intruder we make a few tweaks so the brute-force attack works properly. First, we set the payload positions to only the username and password fields.

Then we set the payload data to the possible usernames and passwords. There are many ways to do this: some fill it in manually, some use a text file available on their system. In this case I will fill it in manually.

Lastly, we fill in Grep - Match on the Options tab. We clear all the text there and add “welcome”. This checks whether the word “welcome” appears in the response.

We are then ready to start the attack. When the attack runs, we are shown the list of usernames and passwords we filled in on the Payloads tab, and it checks whether each one is correct or not.

As we can see above, we have already found our username and password. We know because the welcome column is ticked, meaning the word welcome appears in that response. Another sign is that it has a different length from the others. All that is left is to enter the username and password into the system. (Note: make sure to turn off intercept in Burp Suite.)

There is no difference in doing this on the low, medium or high level, because we only need the request syntax and then change the username and password payloads in it. We use the low level to make it look simpler.

A brute-force attack could be one of the simplest ways to get into a system if we do not prevent it. The way to prevent it is actually really simple: just do not use easy passwords or passwords related to you, because the attacker must guess which passwords are possible.
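The post’s prevention advice is about password choice; as an added example from the defender’s side (my code, not DVWA’s or Burp’s), here is a small Python detector run over constructed web-server access-log lines. It flags any client that hits the login page more than a threshold number of times within a short window, which is the footprint an Intruder run leaves, and then applies the same observation the post makes about Burp’s results, that the one successful guess returns a page of a different length, to tell whether the attack got in. The login page path, the parameter names, the client addresses and the guesses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common-log-format line: client, timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)
LOGIN_PATH = "/vulnerabilities/brute/"   # assumed path of the DVWA brute-force page
THRESHOLD = 5                            # this many login requests from one client ...
WINDOW = timedelta(seconds=60)           # ... inside this window is suspicious

# Constructed sample log (not real DVWA output): one client fires six guesses in a few
# seconds, another logs in once. DVWA answers every guess with 200, so the status
# column says nothing; only the response size of the successful guess differs.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2019:10:00:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=guess1&Login=Login HTTP/1.1" 200 4012',
    '10.0.0.5 - - [12/Mar/2019:10:00:02 +0000] "GET /vulnerabilities/brute/?username=admin&password=guess2&Login=Login HTTP/1.1" 200 4012',
    '10.0.0.9 - - [12/Mar/2019:10:00:02 +0000] "GET /vulnerabilities/brute/?username=gordonb&password=real-one&Login=Login HTTP/1.1" 200 4310',
    '10.0.0.5 - - [12/Mar/2019:10:00:03 +0000] "GET /vulnerabilities/brute/?username=admin&password=guess3&Login=Login HTTP/1.1" 200 4012',
    '10.0.0.5 - - [12/Mar/2019:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1533',
    '10.0.0.5 - - [12/Mar/2019:10:00:04 +0000] "GET /vulnerabilities/brute/?username=admin&password=guess4&Login=Login HTTP/1.1" 200 4012',
    '10.0.0.5 - - [12/Mar/2019:10:00:05 +0000] "GET /vulnerabilities/brute/?username=admin&password=guess5&Login=Login HTTP/1.1" 200 4310',
    '10.0.0.5 - - [12/Mar/2019:10:00:06 +0000] "GET /vulnerabilities/brute/?username=admin&password=guess6&Login=Login HTTP/1.1" 200 4012',
]


def parse(line):
    """Parse one log line into a record, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],   # drop the query string before comparing
        "size": int(m["size"]),
    }


def login_attempts(lines):
    """Group login-page requests by client, each list in timestamp order."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["path"] == LOGIN_PATH:
            by_ip[rec["ip"]].append(rec)
    for recs in by_ip.values():
        recs.sort(key=lambda r: r["ts"])
    return by_ip


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: attempts} for clients whose busiest window reaches the threshold."""
    flagged = {}
    for ip, recs in login_attempts(lines).items():
        start, busiest = 0, 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:   # slide the window forward
                start += 1
            busiest = max(busiest, end - start + 1)
        if busiest >= threshold:
            flagged[ip] = busiest
    return flagged


def likely_successes(recs):
    """The successful guess gets a different page back (the post spots it in Burp by
    length), so return the attempts whose response size differs from the usual one."""
    sizes = [r["size"] for r in recs]
    usual = max(set(sizes), key=sizes.count)
    return [r for r in recs if r["size"] != usual]


if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG).items():
        odd = likely_successes(login_attempts(SAMPLE_LOG)[ip])
        print(f"{ip}: {n} login attempts within {WINDOW.seconds}s; "
              f"{len(odd)} response(s) of unusual size, so the attack probably got in")
```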


Ethical Hacking : XSS Stored Attack

XSS (Cross-Site Scripting) is a type of attack in which a malicious script is injected into a web server. An XSS attack usually happens when an attacker sends a malicious script to an unsuspecting user. XSS is used to steal cookies, sessions, or any other sensitive information from users of the web application.

There are two types of XSS attack: stored and reflected. In a stored attack, the script is permanently stored on the web server, for example in a database, forum, or comment. The victim then retrieves the script from the server when requesting the information.

The difference between stored and reflected attacks is not how they are done but where. If the input is sent to and stored on the server or database, it is a stored attack: the script is sent back every time the page loads, so it becomes “permanent”. A reflected attack happens on an input that only reads from the database, such as a search box, which makes it non-permanent but still dangerous if not prevented carefully.

So in this blog we will learn how to perform a stored XSS attack and how to prevent it.

First, open DVWA, set the security to low, and open XSS (Stored).

Now let’s just fill in the data as it should be.

Here the data is saved to the database; as we can see, our input is retrieved back. Now let’s do our “hacking” by sending a simple malicious script to the page.

We can see that we have successfully obtained the page’s cookie. Now let’s look at the source code to find out what is really happening at the back.

We can see from the source code that the message box only strips backslashes and escapes special characters, which means we can insert the script as usual.

Now set the security to medium and do the attack again as above. (Note: reset the database first; since this is a stored attack, the previous attack is still stored.)

We can see here that the attack failed: no popup appears, and the data is stored as usual. Let’s look at the source code to see what is happening.

Here we can see that for the message input, the code removes any tags and adds backslashes, so the data is sent to the database as usual. For the name field, it only replaces <script> with an empty string.

The way to do this is to attack the name box, using an uppercase or mixed-case SCRIPT tag. But we must also change the DOM if we want to do this, because the page limits the field to a maximum of 10 characters. We delete that limit so there is no restriction on how many characters we can input, and then we do the attack.

Now let’s take it up a notch and set the security to high. This time we check the code first and then decide how to attack the page.

Here we can see that the name box uses a regular expression to find <script in the input, so the way to attack this is not to use the script tag at all. We will demonstrate two ways: the <body onload> tag and the <img> tag. (Note: we attack the name box, so we change the max characters limit every time we do the attack.)

First we use the <body onload> tag, meaning that when the page loads, it runs what is in the attribute.

Another way is to use the <img> tag. It is normally used for an image, but we deliberately point it at no image and add code saying that if the image fails to load, do this (in this case, a popup).


Ethical Hacking : XSS Reflected Attack

XSS (Cross-Site Scripting) is a type of attack in which a malicious script is injected into a web server. An XSS attack usually happens when an attacker sends a malicious script to an unsuspecting user. XSS is used to steal cookies, sessions, or any other sensitive information from users of the web application.

There are two types of XSS attack: stored and reflected. In reflected XSS the injected script is reflected off the web server, for example in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as an e-mail message or another web site. When a user is tricked into clicking a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server.

In a stored attack, the script is permanently stored on the web server, for example in a database, forum, or comment. The victim then retrieves the script from the server when requesting the information.

So our goal here is to learn how to perform a reflected XSS attack and how to prevent it, in case we want to create a web application. (The stored XSS attack will be covered in the next blog.)

  1. Reflected XSS

First, open the DVWA we installed before and set the security to low.

Then go to the XSS (Reflected) tab and fill in our name.

We can see our name displayed below. Let’s start doing some “hacking”: inject a simple script to alert the page’s cookie.

We can see the website’s cookie. Now let’s look at the source code to see how this can happen.

We can see that the input box takes the input exactly as it is, meaning nothing that is entered is changed, so a simple malicious script can be sent. Now that we understand the source code, we can fool around a little and change the HTML interface: let’s make the output a header, blue in color.

There: because nothing in the input is changed, we can even change the interface of the web application. Now let’s take it up a notch, set the security to medium, and do another XSS attack.

Insert a script as usual, just as we did on the low level.

We can see here that the result is not the same as before: there is no alert; instead the output is what you can see above. Now let’s see the reason by looking at the source code.

We can see from the source code that if we input the usual script, it replaces the <script> tag with an empty string. We can pick one of the two easiest ways to get past it. One is to make the script tag uppercase or mixed upper and lower case; remember that HTML tags are not case-sensitive, so we can just change the script tag into SCRIPT.

The second is to use <body onload=alert('XSS');>. This works the same as the usual script, but instead of a script tag, it runs when the page loads and alerts XSS.

Next, let’s take it up a notch again and set the security level to high, and look at the source code of XSS (Reflected) on the high level.

We can see from the source code that it uses a regular expression to remove any <script from the input, so we cannot use the script tag from before. But we can still use the body onload tag to do the XSS attack; let’s try it.

Another way is to use an <img> tag. It is normally used for images, but if we put an onerror handler that does the popup, it works the same as above. The reason is that no picture is loaded: if the picture cannot be loaded or errors, whatever is inside onerror is triggered.

Obviously, an XSS attack can be dangerous: it can disturb the user experience, take the session of a logged-in user, or even take sensitive data from users. There are ways to prevent XSS attacks: escaping and sanitizing user input, and validating user input. Escaping and sanitizing means taking the data and making sure it is safe before rendering. Validating means checking the user input for anything that could be used in an attack.
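As an added example covering both the stored and the reflected XSS posts (my code, not DVWA’s source), this Python script reconstructs the two name-field filters the posts describe from their description alone: the medium level’s removal of a literal <script> and the high level’s case-insensitive regular expression for <script. It runs the input shapes the posts mention through each filter and through output escaping, the prevention recommended above, and checks whether the result still reaches the browser as markup. The filters are my approximation of the behaviour described, not DVWA’s own code.

```python
import html
import re


# Reconstructions of the filters the posts describe (my approximation, not DVWA's code):
# medium blanks one exact spelling of the tag, high removes "<script" in any case.
# Both leave every other tag and every event-handler attribute untouched.
def medium_filter(value: str) -> str:
    return value.replace("<script>", "")


def high_filter(value: str) -> str:
    return re.sub(r"<script", "", value, flags=re.IGNORECASE)


def render_escaped(value: str) -> str:
    # The prevention the reflected-XSS post recommends, applied at output time:
    # encode the characters HTML treats as markup so the input is shown, not run.
    return html.escape(value, quote=True)


TAG_START = re.compile(r"<\s*[a-z]", re.IGNORECASE)


def reaches_browser_as_markup(rendered: str) -> bool:
    """True if the rendered output still opens an HTML tag the browser will parse."""
    return TAG_START.search(rendered) is not None


# Constructed inputs in the shapes the two posts discuss.
SAMPLES = {
    "script": "<script>alert(document.cookie)</script>",
    "upper":  "<SCRIPT>alert(document.cookie)</SCRIPT>",
    "body":   "<body onload=alert('XSS')>",
    "img":    "<img src=x onerror=alert('XSS')>",
}


def evaluate(handler):
    """Map each sample to whether it still reaches the browser as markup after handler."""
    return {name: reaches_browser_as_markup(handler(s)) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for label, fn in (("medium filter", medium_filter),
                      ("high filter", high_filter),
                      ("escaped", render_escaped)):
        print(f"{label:14}", evaluate(fn))
```

A True entry means the input survived as markup; only escaping turns every sample False, because it removes the `<` that starts a tag rather than hunting for one tag name.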

References:

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


Ethical Hacking : The Law of The Land

Learning the law of the land about technology and information is REALLY IMPORTANT before doing any penetration testing, in any country in the world. The reason is that you do not want to end up in prison just for doing your job as an ethical hacker, and you do not want to break the law of any country you work in.

Each country has different laws about technology and information. In this blog I will talk specifically about the laws that apply in Indonesia.

In Indonesia, the applicable law for technology and information is UNDANG-UNDANG REPUBLIK INDONESIA NOMOR 19 TAHUN 2016 TENTANG PERUBAHAN ATAS UNDANG-UNDANG NOMOR 11 TAHUN 2008 TENTANG INFORMASI DAN TRANSAKSI ELEKTRONIK (Law of the Republic of Indonesia No. 19 of 2016 on the Amendment of Law No. 11 of 2008 on Electronic Information and Transactions). Here is the link to the law:

https://web.kominfo.go.id/sites/default/files/users/4761/UU%2019%20Tahun%202016.pdf

You can read it yourself through the link above if you want to learn more about the law in Indonesia. Here I will only summarize what is in it.

  1. Do not share, create or distribute any content that violates morality (Pasal 27–28).
  2. Do not carelessly threaten, blackmail or defame other people (Pasal 29).
  3. Do not tap other people’s information or access other computers without authorization (Pasal 30–31).
  4. Do not create hoax content, that is, change or create false information (Pasal 32).

The above is a brief summary of UU No. 19 Tahun 2016 Tentang Informasi dan Transaksi Elektronik. We should really understand this law if we want to have a job in ethical hacking and cyber security, because we do not want to go beyond what the law of the country says.

The law above applies only in Indonesia; it will probably be different in other countries.


Ethical Hacking : Learning Linux Command

Since we do most of our hacking on Kali Linux, we should learn how to use Linux itself. Although Linux nowadays has a better user experience than before, we should also learn how to use it from the terminal. The terminal is a CLI (Command-Line Interface) that lets the user operate the computer with commands alone. The goal here is to learn some basic Linux commands to help you use the system.

We start with the three simplest and probably most used commands on Linux: pwd, ls, and cd. pwd shows which directory you are in; it prints the path of your current location on the system. ls lists the files and folders inside the current directory. cd is used to move between directories: cd foldername goes into the folder, while cd .. goes back out of it.

Next are mkdir and rmdir: mkdir creates a folder/directory, while rmdir removes/deletes an (empty) folder/directory.

To remove a file, use rm filename. To delete a folder and its contents, use rm -r foldername.

Another command available on the Linux CLI is cp. cp copies a file into another directory; the syntax is cp filename another/folder/to/be

mv moves a file to another directory; the syntax is mv file another/folder

nano is a text editor for the terminal; the way to use it is nano textfile

cat is used just to see what is inside a file.

hostname shows the name of the computer. ping is used to ping another IP address.

So in this blog we learned some basic Linux commands for operating the system from the CLI: cd, ls, pwd, mkdir, rmdir, mv, cp, rm, nano, cat, hostname, and ping.


Ethical Hacking : Social Engineering

Social engineering is really important in penetration testing, especially when using the black-box model. The reason is simple: people keep making mistakes, and a person can make mistakes without realizing it.

The goal of social engineering is to obtain important and/or confidential information through human communication. There are two common tactics: interview and interrogation. Both rely on “trust”, meaning the person we want data from must “believe” in us before we can get any important data from them.

The process of social engineering is:

  1. Intelligence gathering
  2. Identifying any vulnerable points
  3. Planning how to attack the vulnerable points
  4. Execution

There are also many methods for gaining information. The best known are:

  • Impersonating a person (usually not face-to-face)
  • Reciprocation (exchanging favors for mutual advantage)
  • Influential authority (becoming a “figure of authority”)
  • Scarcity (leaving the person no option but to give you the information, by scaring them)
  • Social relationship (building a relationship with the target)

But there are more ways than the above to find important data about the target: peeking at their phone, looking at their web history, or just looking through their files can all turn up important data about the target.

There are some known tools for social engineering. Here I will explain using SET (Social Engineering Toolkit) to gain information from users of a website. Basically, it clones another website onto our IP address to gain information about the target.

We start by typing ‘setoolkit’ in the terminal.

Type ‘1’ for Social Engineering Attacks

Type ‘2’ for website attack vectors

Type ‘3’ for Credential Harvester Attack

Type ‘2’ for Site Cloner

Enter the IP address where the website will be cloned (in this case we use the Kali IP, but it is also possible to use an external IP).

Enter the website to clone (in this case facebook.com, but any other website with a login can be used).

Now open the IP where we just cloned the website, and we will see a copy of it. Let’s see how the information is captured: we enter our ‘data’ and watch what happens in the terminal.

In the terminal we can see the user data we just entered. Imagine how much data could be taken if the website were shared with others. This is called phishing: obtaining credentials from a user without their permission.

We can avoid becoming a victim of phishing simply by taking time to look carefully at the website. First, the domain name is wrong; it will be different from the real website. Second, after we enter our details, it shows the login page of the real website once again (which means they probably have our data).


Ethical Hacking : Port Scanning

Port scanning is a way to find out which services a host offers. It can identify vulnerabilities and is really useful because it finds the open services available and any vulnerable port from which an exploit could be launched.

There are 7 known types of port scan:

  1. SYN Scan -> stealthy scan
  2. Connect Scan -> completes the 3-way handshake
  3. NULL Scan -> all packet flags are turned off
  4. XMAS Scan -> the FIN, PSH and URG flags are set (feels like Christmas presents!)
  5. ACK Scan -> sends the ACK flag; used to get past a firewall
  6. FIN Scan -> sends the FIN flag; a closed port responds with RST
  7. UDP Scan -> a closed port responds with an ICMP “Port Unreachable” message

One of the most famous port-scanning tools is nmap. Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network.

The simplest commands usually used with nmap are:

nmap *IP address/domain name* -> scans a single website/IP address

nmap *IP-Add IP-Add* -> scans more than one IP address

Both of these are SYN scans by default. We can specify the type of scan we would like to use.

We can also check the service versions running on the host and gather all the data available about it.


Ethical Hacking – Installing DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers/students to teach/learn web application security in a classroom environment.

In this blog I will explain how to install DVWA on Kali Linux.

  1. Change directory to /var/www/html
  2. Download the DVWA archive from https://github.com/ethicalhack3r/DVWA/archive/master.zip
  3. After downloading the DVWA archive, move the extracted DVWA directory into the web root directory.
  4. Start the web server (apache2) and database (mysql) services.
  5. Now secure the mysql installation.

Now try to open the DVWA page: go to your web browser and visit http://*ip-address*/setup.php

Sometimes it succeeds. But if it gives an error message, copy config/config.inc.php.dist to config/config.inc.php

If it succeeds, it shows a DVWA page that looks like this

Now we want to get a reCAPTCHA key from Google.

Before going to the next step, it is better to have no problems on the DVWA setup page. Make sure you fulfil all requirements by fixing every red notice. The next step is to create the DVWA database.

Edit the file config.inc.php and provide the database access details and the reCAPTCHA key you got from Google.

After that, go back to your DVWA installation in the browser and click “Create/Reset Database”. It will show the DVWA login page. Fill it in with:

Username: admin

Password: password

It will show the DVWA main page. There you can learn how to get past the system in many ways: SQL injection, command injection and many more!
