The internet is a huge sea of knowledge and other weird stuff. When we connect to the Internet, we enter a new world where limits disappear. But the internet is also full of predators who are continuously trying to steal and attack your data. So today we are going to discuss some of the weapons and techniques used by these predators, as well as how to avoid those attacks.
DOS & DDOS
Denial of service is an effective hacking technique used by hacking groups on a large scale. Typically, hackers use this technique to send a lot of traffic to a server. The server cannot handle the load, and people cannot open the website. In other words, the server is down.
A denial of service attack can slow down a website or even shut it down for some time. The denial of service, or distributed denial of service, technique was discovered in 1998.
1. Why are DDoS attacks used?
i. To use up server bandwidth, disk space and processor time.
ii. To corrupt the configuration information.
iii. To keep users away from the site.
Attack Types
Ping of Death: In a Ping of Death attack, an illegal ping packet is sent to the server, which may cause the system to crash.
SYN Flood: In a SYN flood, TCP/IP packets are sent to the server with a large number of incorrect sender addresses.
Teardrop Attacks: In a Teardrop attack, bugs in the operating system are exploited.
Peer-to-Peer: In a peer-to-peer attack the attacker does not take part directly; instead he acts as a master and directs the clients to connect to the victim's website.
In today's Ethical Hacking Beginner tutorial, we will talk about what a hacker's man in the middle attack is and how dangerous it is.
In this post we will also tell you how to avoid a man in the middle attack, so that you can keep your data safe from hackers.
What is a man in the middle attack? How does a hacker carry one out? And how can we avoid it? This post discusses these three questions. So let's start.
First of all, let's understand what a man in the middle attack is.
2. What is a Man in the Middle Attack? How does it happen?
Friends, this attack is called a man in the middle attack; a middle man means a person who is in the middle, and the attack works the same way.
In this hacking technique, a black hat hacker sits between two people. He first gets access to the data of both, reads the message, changes it, and then passes it on to the other person.
EXAMPLES
For example, suppose I send you an email in which I write that I love your nature and want to be your friend.
After writing the email I send it to you and it leaves my computer, but before it reaches you the message reaches someone else, who changes it as he likes and then sends it on to you.
Say my message was that I liked your nature and wanted to be your friend.
If the hacker wants, he can change it to say that I do not like you!
The email you receive will appear to be from me, but its changed text was written by the hacker.
Similarly, when you reply to my email, the reply will again go to the hacker, who will change it and then forward it to me.
In such a situation, both of us will think that we are talking to each other, but in reality everything we say passes through the black hat hacker sitting in the middle, and the messages we both receive are sent by the hacker.
This is the man in the middle attack, and it is very dangerous. It can easily be used to start a fight between people, and any hacker can misuse it.
Example - If you have sent a message to someone and it goes to the hacker, the hacker can ask you for money in his reply. He can say that you will have to pay fifty thousand rupees to join the company.
In such a situation, we will believe that the email came from the person we had emailed about a job, when in reality it was sent by the hacker.
Put briefly, in a man in the middle attack there is no direct communication between us and the other person. The hacker sits between the two, looks at the messages from both sides, modifies them as he likes, and then forwards them.
So far this was about two people talking, where a hacker can read and change their words. But the man in the middle attack is more dangerous than you might think.
Even if the hacker changes our message, we can tell the other person by phone or face to face that whatever happened was due to a man in the middle attack. But what if the same thing happens with a big, well-known company?
Suppose a hacker wants your bank's confidential information; he can easily get it using a man in the middle attack.
You will not even notice that you have handed over your bank account information to a hacker with your own hands.
Example - if a hacker wants sensitive bank information such as your user name and password, he will send an email, or a message directly to your registered mobile number, saying that you have to change your bank password.
The message or email will contain a link and ask you to click on it. When you open the link, you will be shown a fake website that looks exactly like your bank's website.
The URL in your browser will also look like that of your bank's website. HTTPS security will also be shown, but the website will be fake; this is what we call masking or phishing. You will be misled into believing that you are on your bank's website when in reality you are on a different website.
When you reset your password, your username and old password will be stored directly in the database of the hacker's site, so that he can do anything with your bank account.
When the UPI system was new, 4 boys in Maharashtra hacked the UPI app and removed more than 9 crore from the bank's accounts.
I have just given you an example of how much harm a hacker can do to us with a man in the middle attack. Using this technique, many more things can be done that we cannot even think of.
By now you know how dangerous the man in the middle attack is and how a hacker carries it out. So let's look at how to avoid it.
How to Prevent a Man in the Middle Attack?
To keep yourself safe from this attack, here are some effective methods that you can use to prevent a man in the middle attack.
1. Mutual Authentication - If you do not want the hacker to read or change your message, you can use mutual authentication. With this you will be able to see any data you share with others.
2. Encryption - The second way is encryption. This protects our data to a great extent, because when we encrypt a document, file, picture or any other type of data, it is translated into a binary language. This means that if anyone opens it without decrypting it, he will see only the digits 0 and 1, which can be understood only by the computer, not by a person.
And only a computer that has the decryption key you have defined can translate that document back into human language.
3. Password - If your data is not so secret, you can keep it safe just by putting a password on it, because in most cases a man in the middle attack is carried out when the data is quite secret or useful.
4. Digital Signature - Just like encryption, a digital signature is a great way to keep your data safe!
You can create your digital signature on any trusted third-party site. For this you have to scan your retina and fingerprint, which will act as a digital signature.
5. Be Sure Before Clicking - If you receive an email or text message from a company or site, first make sure that something like this has really happened and that the message has come from the real company; open the link only after getting the full information.
If you suspect that the email is spam, do not open the link, and do not share your confidential passwords with anyone.
3. MySQL INJECTION
When we accept user data through a form on an HTML page, a user will sometimes enter, instead of normal data, data that the server-side script then uses directly without checking it. As a result the entire database can be corrupted, a table can be deleted, the blog/site can be hacked, or security-related sensitive data stored in the blog/site database can leak.
When a user enters an SQL query in place of normal data on an HTML form in order to harm a site/blog or to get into the sensitive section of its database, this method is called an SQL injection attack. As web developers we must take all possible precautions to protect our site/blog from SQL injection attacks.
Let us first try to understand the SQL injection attack properly.
Let's say that our website has a login page where any valid user can access the secure area of the website by specifying a username and password.
When a user fills in the username and password and submits the login form, the username and password are extracted from the form on the web server, and the following query against the MySQL database is used to check whether the specified username and password belong to a valid authenticated user:
SELECT * FROM usertable WHERE username = '$input_user' AND password = '$input_pass';
If the above query returns a record when it is fired, it means that the specified username and password exist in the database, so the user with that username/password can be redirected to the website's secure area.
If the username and password coming from the user form are sanitized before the above query is fired, everything is fine. But if they are not sanitized, the user can submit the form with the username "anything' OR 1 = 1; -- " and the password "anything". If the user does this, the SQL query that is actually fired will have the following form:
SELECT * FROM usertable WHERE username = 'anything' OR 1 = 1; -- ' AND password = 'anything';
When the above query is executed, it lets the user into the secure area of the website even though the user has not specified any valid username and password.
This is because "--" is used for commenting in MySQL and many other databases. That is, MySQL ignores everything written after "--".
Meanwhile, the "anything' OR 1 = 1;" part of the above query tells the MySQL database that either username = 'anything' or 1 = 1 must be true.
Now if the current database has a user named 'anything', the condition will be true; and if there is no user named 'anything' in the current database, the OR 1 = 1 condition is evaluated, which always returns true because 1 is equal to 1. Not only that, by specifying "--" just after 1 = 1, the user has converted the rest of the SQL query into a comment.
As a result, the MySQL database does not go on to check the password; the final result is true, so the site assumes that the current user is a valid user and redirects him to the website's secure area.
Getting into the sensitive and secure area of a site/blog in this way, by writing an SQL statement instead of a valid username/password, is called an SQL injection attack. To avoid such attacks, WordPress provides the prepare() method, which we have used in previous sections.
This method follows the syntax of the printf() function of the C language. In addition, while using this method we can number the %s placeholders to set their order, like this:
<?php
global $wpdb;
$name = "Kuldeep";
$email = "admin@bccfalna.com";
// \$ stops PHP from expanding $s as a variable inside the double-quoted string.
// prepare() does not add quotes around numbered placeholders, so they are quoted here.
$wpdb->query($wpdb->prepare(
"INSERT INTO registration(name, email) VALUES ( '%1\$s', '%2\$s' )", $name, $email
));
?>
As we can see in the above code, we write the %s control string with n$ (%1$s, %2$s), and when we specify control strings in this way we can place the values at any position. That is, we do not need to take care of the sequence of the arguments. For example, if we modify the SQL statement of the previous code as follows:
"INSERT INTO registration(name, email) VALUES ( '%2\$s', '%1\$s' )", $email, $name
Then %2$s will be replaced by the value of the $name variable, because $name is the second argument in the argument list. Similarly, %1$s will be replaced by the value of the $email variable, because $email is the first argument in the list.
As a result, the above statement stores the values of the $name and $email variables in the name and email fields of the registration table, exactly as the SQL statement in the previous code does.
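The login bypass walked through above, next to the parameterized form of the same query, as an added example that is not code from the original post. It assumes Python's built-in sqlite3 as a stand-in for MySQL, with constructed sample rows and hypothetical function names; the username value omits the semicolon, since the comment marker alone is enough.

```python
import sqlite3


def make_db():
    """In-memory table shaped like the article's `usertable`.

    The rows are constructed sample data. Passwords are plaintext only to
    mirror the article's query; a real site stores password hashes.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usertable (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO usertable VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2")],
    )
    return db


def login_concatenated(db, input_user, input_pass):
    """Vulnerable form: the form values are pasted into the SQL text."""
    sql = (
        "SELECT * FROM usertable WHERE username = '" + input_user
        + "' AND password = '" + input_pass + "'"
    )
    return db.execute(sql).fetchall(), sql


def login_parameterized(db, input_user, input_pass):
    """Hardened form: the SQL text is fixed and the values are bound separately,
    so a quote or `--` in the input is compared as data and never parsed as SQL."""
    sql = "SELECT * FROM usertable WHERE username = ? AND password = ?"
    return db.execute(sql, (input_user, input_pass)).fetchall()


def demo():
    """Run the article's input through both forms and report the row counts."""
    db = make_db()
    payload = "anything' OR 1 = 1 -- "  # username value from the article
    rows, sql = login_concatenated(db, payload, "anything")
    return {
        "concatenated_sql": sql,
        # Every row matches: the password test sits behind the comment marker.
        "concatenated_rows": len(rows),
        # No user is literally named "anything' OR 1 = 1 -- ".
        "parameterized_rows": len(login_parameterized(db, payload, "anything")),
        "valid_login_rows": len(login_parameterized(db, "alice", "correct-horse")),
        "wrong_password_rows": len(login_parameterized(db, "alice", "anything")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query returns every row in the table, while the bound version returns a row only for a real username and password pair.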