Basic introduction about DDoS/phishing/SQL injection in computer networks (CNS)

C.N.S C.U.Shah Polytechnic Surendranagar (Computer Department) 5th evening Viral Parmar

Upload: viral-parmar

Post on 23-Jan-2018


TRANSCRIPT

C.N.S

C.U.Shah Polytechnic Surendranagar (Computer Department)

5th evening

Viral Parmar

Phishing

• Phishing is the use of fraudulent e-mails or instant messages that appear to be genuine but are designed to trick users.

• Goal: obtain user information that can then be used in an attack.

• Phishing is a type of social-engineering attack that involves using e-mail or other types of messages in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords.

• Roles of a phisher: mailer, collector and casher.

• Types of phishing: clone, spear and phone phishing.

• Spear phishing: Phishing attacks directed at specific individuals, roles, or organizations are referred to as "spear phishing". Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.

• Whaling: The term "whaling" is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.

• Some steps to avoid phishing scams: well, the first step to avoid phishing is to avoid opening spam mail.

• Don't click on cheap e-mail links (like cheap shopping offers etc.).

• Don't open any social media site via a link in an e-mail.

• Always go with HTTPS (use an extension like HTTPS Everywhere).

• For shopping, use the app instead of the browser (for newbies).

• Don't use the social media login option on unknown websites.

• And lastly, common sense (my favourite).

Live example of phishing

DDOS

• A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic.

• The sudden increase in traffic can cause the site to load very slowly for legitimate users. Sometimes the traffic is enough to shut the site down completely. We call this kind of attack a Distributed Denial of Service (DDoS) attack. Some particularly tricky botnets use uncorrupted computers as part of the attack.

• Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#. LOIC was initially developed by Praetox Technologies, but was later released into the public domain, and is now hosted on several open source platforms (you can modify it).

• Is DDoS illegal? Infecting and harvesting a botnet is illegal in the US. Moreover, controlling the botnet to target victims with Distributed Denial of Service attacks is illegal, too. Be sure to report the attack to your service provider (if they aren't already aware) and to your local authorities.

• Nowadays a commonly used attack (e.g. in a conflict between countries).

• Who can do this attack? Obviously a hacker or a system tester.

How to avoid DDoS

• DDoS attacks are growing. Designed to take down a website or network infrastructure, they can be volume based, where a service is swarmed with requests, or protocol based, which use TCP/IP requests from false IP addresses to wear down resources.
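As an added example (not part of the slides), the following Python sketch shows why the "distributed" part matters for detection: a per-source request counter catches one noisy host, but a botnet where each bot sends only a few requests shows up only in the aggregate rate. The log format, addresses and thresholds are constructed for this example.

```python
from collections import defaultdict, deque

def parse_line(line):
    # Constructed log format for this example: "<epoch_seconds> <source_ip> <request>".
    ts, ip, _request = line.split(" ", 2)
    return int(ts), ip

def flag_floods(lines, window=10, per_source_limit=20, total_limit=100):
    """Sliding-window rate check over time-ordered log lines.

    Returns (sources whose own rate exceeded per_source_limit requests per window,
             timestamps at which the aggregate rate exceeded total_limit)."""
    per_source = defaultdict(deque)
    everything = deque()
    flagged_sources, overloaded_at = set(), set()
    for line in lines:
        ts, ip = parse_line(line)
        for q in (per_source[ip], everything):
            q.append(ts)
            while q[0] <= ts - window:      # drop entries that fell out of the window
                q.popleft()
        if len(per_source[ip]) > per_source_limit:
            flagged_sources.add(ip)
        if len(everything) > total_limit:
            overloaded_at.add(ts)
    return flagged_sources, overloaded_at

def build_sample_traffic():
    # Constructed traffic: two legitimate visitors, one noisy host, and a small botnet.
    lines = []
    for t in range(0, 60, 5):                   # legitimate: a request every few seconds
        lines.append(f"{t} 198.51.100.4 GET /index.html")
        lines.append(f"{t + 2} 198.51.100.9 GET /about.html")
    for i in range(60):                         # single-source flood: 60 requests in 6 s
        lines.append(f"{30 + i // 10} 203.0.113.7 GET /index.html")
    for bot in range(40):                       # distributed flood: 40 bots, 5 requests each
        for i in range(5):
            lines.append(f"{50 + i} 192.0.2.{bot + 1} GET /index.html")
    return sorted(lines, key=lambda l: int(l.split(" ", 1)[0]))

if __name__ == "__main__":
    sources, overloaded = flag_floods(build_sample_traffic())
    print("noisy sources:", sources)
    print("aggregate limit exceeded at seconds:", sorted(overloaded))
```

The per-source rule only ever names 203.0.113.7; the forty 192.0.2.x bots stay under it individually and are visible only because the total rate crosses the limit, which is the situation the scrubbing services listed below are built to absorb.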

• There are some tools which help a server to prevent DDoS.

1. Cloudflare: Cloudflare's layer 3 and 4 protection absorbs an attack before it reaches a server, which load balancers, firewalls, and routers do not.

2. F5 Networks: F5 Networks Silverline has a huge traffic scrubbing capacity, and offers protection either onsite, in the cloud, or a combination of the two.

3. Black Lotus: The firm’s Protection for Networks service was designed with a focus on the hosting industry, and can be white labelled for their use.

4. Arbor Networks: From the security division of Netscout, Arbor Cloud offers both on-site and cloud protection for state-exhausting attacks against security infrastructure.

5. Incapsula: The Top Ten Reviews listing site gave Incapsula a gold award for its DDoS protection service this year. It has a global network of data centres, so can provide more scrubbing centres than many other providers.

Live DDOS

SQL injection

• SQL injection is a code injection technique that might destroy your database.

• SQL injection is one of the most common web hacking techniques.

• SQL injection is the placement of malicious code in SQL statements, via web page input.

• SQL injection usually occurs when you ask a user for input, like their username/user ID, and instead of a name/ID, the user gives you an SQL statement that you will unknowingly run on your database.

• So how is that possible? Let's see.

• How Attackers Exploit SQLi Vulnerabilities

• Attackers provide specially crafted input to trick an application into modifying the SQL queries that the application asks the database to execute. This allows the attacker to:

• Control application behaviour that's based on data in the database, for example by tricking an application into allowing a login without a valid password.

• Alter data in the database without authorization, for example by creating fraudulent records, adding users or "promoting" users to higher access levels, or deleting data.

• Access data without authorization, for example by tricking the database into providing too many results for a query.
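The login case above, as an added example that is not part of the slides: the same check written once by string concatenation and once with a parameterised query, run against a constructed in-memory SQLite table. The textbook input `' OR '1'='1` rewrites the WHERE clause in the concatenated version, while the parameterised version treats it as an ordinary (wrong) password.

```python
import sqlite3

def make_db():
    # Constructed in-memory users table with one sample account (not data from the slides).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    con.commit()
    return con

def build_vulnerable_query(username, password):
    # String concatenation: whatever the user typed becomes part of the SQL text itself,
    # so a quote character in the input changes the structure of the statement.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(con, username, password):
    return con.execute(build_vulnerable_query(username, password)).fetchone()[0] > 0

def login_safe(con, username, password):
    # Parameterised query: the driver sends the values separately from the SQL text,
    # so the input is always treated as data and can never alter the statement.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0

def demo():
    con = make_db()
    bypass = "' OR '1'='1"   # the textbook input that rewrites the WHERE clause
    return {
        "vuln_valid": login_vulnerable(con, "admin", "correct-horse"),
        "vuln_bypass": login_vulnerable(con, "admin", bypass),
        "safe_valid": login_safe(con, "admin", "correct-horse"),
        "safe_bypass": login_safe(con, "admin", bypass),
    }

if __name__ == "__main__":
    print(build_vulnerable_query("admin", "' OR '1'='1"))
    print(demo())
```

Printing the concatenated query shows the clause `password = '' OR '1'='1'`, which is true for every row; the fix is not to filter quotes but to stop building SQL from strings at all.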

How can we find this vulnerability?

• Find an injection point (like this).

• Find the admin database and collect the user_id and password (it is encrypted with MD5/SHA-3 or another algorithm; you can crack it via Kali tools).

• Then find the admin panel using a Google dork, bypass it, upload a shell on it and deface the site.

• So that's all about SQL injection.

Different Type of SQL injection

• Error based SQL Injection

• Boolean Based SQL Injection

• Time based SQL Injection

• Out-of-Band SQL Injection Vulnerability

• Impacts of the SQL Injection Vulnerability

• The best tool to penetrate SQLi is Havij (in my point of view).

Thank You…

For more detail open: viralhezard.wordpress.com