Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security Fundamentals

Published byCorey Chambers Modified over 6 years ago

Similar presentations

Presentation on theme: "Computer Security Fundamentals"— Presentation transcript:

1 Computer Security Fundamentals
by Chuck Easttom Chapter 6 Techniques Used by Hackers-2

2 Cain and Abel © 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

3 SQL Injection One of the most common attacks
Depends on knowledge of SQL Basics are easy Versatile and can do a lot more than many realize © 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

4 What Is SQL? A relational database contains one or more tables identified each by a name. Tables contain records (rows) with data. For example, the following table is called "users" and contains data distributed in rows and columns: SQL (Structured Query Language) uses commands like such as SELECT, UPDATE, DELETE, INSERT, WHERE, and others. Example: SELECT * FROM tblUsers WHERE USERNAME = ‘admin’ © 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

5 More on SQL Web sites are written in some programming language such as PHP, ASP, JSP, ASP.net. Those programming languages have their own syntax (NOT SQL). So programmers put the SQL into their code in strings. So lets say you type your username into a text field called txtUsername and your password into a text field called txtPassword. The code in their program has to put SQL statements into a string and append whatever you entered in those two text fields. It will look something like this: string sSQLstatement; sSQLstatement = “SELECT * FROM tblUSERS WHERE UserName = ‘ “ + txtUsername.Text +’” + “ AND Password = ‘” + txtPassword.Text +”’”; so the string will contain ‘SELECT * FROM tblUSERS WHERE UserName =‘admin’ AND Password = ‘password’’; However whatever you type in, gets put into the text field. © 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

6 SQL Script Injection ' or ‘1' =‘1 OR ' or 'a' ='a
Single quote added to password: Add the following to the username box and the password: ' or ‘1' =‘1 OR ' or 'a' ='a Also try password’ or (1=1) Or people try anything' OR 'x'='x or people try password:’1=1- - Try using double quote (") if single quote (') is not working © 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

7 What Does This Cause? Well you would have had
‘SELECT * FROM tblUSERS WHERE UserName =‘admin’ AND Password = ‘password’’; Instead you have ‘SELECT * FROM tblUSERS WHERE UserName =‘' or ‘1' =‘1 ’ AND Password = ‘' or ‘1' =‘1 ’’; So now it says to get all entries from table = tblUsers if the username is ‘’ (blank) OR IF 1 =1. And if password = ‘’ (blank) OR IF 1=1! © 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

8 Cross Site Scripting An attacker injects client-side script into web pages viewed by other users. The term cross-site scripting originally referred to the act of loading the attacked, third-party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain Essentially you enter scripts into an area that other users interact with. So that when they go to that part of the site, you have your own script run, rather than the intended Web site functionality. This can include redirecting them. © 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

9 OphCrack- How It Works Download OphCrack and burn the image to a CD.
Put the CD in the target computer and boot through CD. It boots as Linux, grabs the Windows password file, and then uses cracking tools to crack that file and produces a text file with username and passwords. You cannot even consider yourself a hacker without this tool in your toolkit. © 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

10 Malware Creation GUI tools Batch Files Writing your own
© 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

11 Malware Creation © 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

12 Other Attacks Pass the hash Scripts
© 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

13 Pen Testing NIST National Security Agency Information Assessment Methodology PCI Penetration Testing Standard © 2016 Pearson, Inc Chapter 6 Techniques Used by Hackers

Download ppt "Computer Security Fundamentals"

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Computer Security Fundamentals

Computer Security Fundamentals
Understand Database Security Concepts

Understand Database Security Concepts
The Collections Keeper A collections management system Brian J. Mullen.

The Collections Keeper A collections management system Brian J. Mullen.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
1 Chapter 12 Working With Access 2000 on the Internet.

1 Chapter 12 Working With Access 2000 on the Internet.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.

Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
Chapter Extension 6 Using Microsoft Access © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 6 Using Microsoft Access © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
MIS2502: Data Analytics MySQL and SQL Workbench David Schuff

MIS2502: Data Analytics MySQL and SQL Workbench David Schuff
E-Commerce The technical side. LAMP Linux Linux Apache Apache MySQL MySQL PHP PHP All Open Source and free packages. Can be installed and run on most.

E-Commerce The technical side. LAMP Linux Linux Apache Apache MySQL MySQL PHP PHP All Open Source and free packages. Can be installed and run on most.
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.
{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.

{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.
SJSU CS157B Dr. Lee1  2004 Jenny Mitchell Two Useful Tools You Can’t Live Without by Jenny Mitchell SJSU CS157B Section 1 09-21-04 PHP and MySQL.

SJSU CS157B Dr. Lee1  2004 Jenny Mitchell Two Useful Tools You Can’t Live Without by Jenny Mitchell SJSU CS157B Section PHP and MySQL.
A Guide to SQL, Eighth Edition Chapter Three Creating Tables.

A Guide to SQL, Eighth Edition Chapter Three Creating Tables.
Demystifying Backdoor Shells and IRC Bots: The Risk … By : Jonathan.

Demystifying Backdoor Shells and IRC Bots: The Risk … By : Jonathan.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Server Side Programming ASP1 Server Side Programming Database Integration (cont.) Internet Systems Design.

Server Side Programming ASP1 Server Side Programming Database Integration (cont.) Internet Systems Design.
Concepts of Database Management Seventh Edition

Concepts of Database Management Seventh Edition

Similar presentations

Ads by Google