Wednesday, 4 May 2022

Cloud Computing (part 1)

What is cloud computing, in simple terms

Cloud computing is the delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—over the Internet ("the cloud") to offer faster innovation, flexible resources, and economies of scale.

How does cloud computing work

Rather than owning their own computing infrastructure or data centers, companies can rent access to anything from applications to storage from a cloud service provider. One benefit of using cloud-computing services is that firms can avoid the upfront cost and complexity of owning and maintaining their own IT infrastructure, and instead simply pay for what they use when they use it. In turn, providers of cloud-computing services can benefit from significant economies of scale by delivering the same services to a wide range of customers.

Cloud-computing services cover a vast range of options now, from the basics of storage, networking, and processing power, to natural language processing and artificial intelligence as well as standard office applications. Pretty much any service that doesn't require you to be physically close to the computer hardware that you are using can now be delivered via the cloud – even quantum computing.

What are examples of cloud computing

Cloud computing underpins a vast number of services. That includes consumer services like Gmail or the cloud backup of the photos on your smartphone, through to the services that allow large enterprises to host all their data and run all of their applications in the cloud. For example, Netflix relies on cloud-computing services to run its video-streaming service and its other business systems, too.

Cloud computing is becoming the default option for many apps: software vendors are increasingly offering their applications as services over the internet rather than standalone products as they try to switch to a subscription model. However, there are potential downsides to cloud computing, in that it can also introduce new costs and new risks for companies using it.

Why is it called cloud computing

A fundamental concept behind cloud computing is that the location of the service, and many of the details such as the hardware or operating system on which it is running, are largely irrelevant to the user. It's with this in mind that the metaphor of the cloud was borrowed from old telecoms network schematics, in which the public telephone network (and later the internet) was often represented as a cloud to denote that the location didn't matter – it was just a cloud of stuff. This is an over-simplification of course; for many customers, the location of their services and data remains a key issue.

What is the history of cloud computing

Cloud computing as a term has been around since the early 2000s, but the concept of computing as a service has been around for much, much longer – as far back as the 1960s, when computer bureaus would allow companies to rent time on a mainframe, rather than have to buy one themselves.

These 'time-sharing' services were largely overtaken by the rise of the PC, which made owning a computer much more affordable, and then in turn by the rise of corporate data centers where companies would store vast amounts of data.

But the concept of renting access to computing power has resurfaced again and again – in the application service providers, utility computing, and grid computing of the late 1990s and early 2000s. This was followed by cloud computing, which really took hold with the emergence of software as a service and hyper-scale cloud-computing providers such as Amazon Web Services.


How important is the cloud

Building the infrastructure to support cloud computing now accounts for a significant chunk of all IT spending, while spending on traditional, in-house IT slides as computing workloads continue to move to the cloud, whether that is public cloud services offered by vendors or private clouds built by enterprises themselves.

Tech analyst Gartner predicts that as much as half of spending across application software, infrastructure software, business process services, and system infrastructure markets will have shifted to the cloud by 2025, up from 41% in 2022. It estimates that almost two-thirds of spending on application software will be via cloud computing, up from 57.7% in 2022.

That's a shift that only gained momentum in 2020 and 2021 as businesses accelerated their digital transformation plans during the pandemic. The lockdowns throughout the pandemic showed companies how important it was to be able to access their computing infrastructure, applications, and data from wherever their staff was working – and not just from an office.

Gartner said that demand for integration capabilities, agile work processes, and composable architecture will drive the continued shift to the cloud.

The scale of cloud spending continues to rise. For the full year 2021, tech analyst IDC expects cloud infrastructure spending to have grown 8.3% compared to 2020 to $71.8 billion, while non-cloud infrastructure is expected to grow just 1.9% to $58.4 billion. Long term, the analyst expects spending on compute and storage cloud infrastructure to see a compound annual growth rate of 12.4% over the 2020-2025 period, reaching $118.8 billion in 2025, and it will account for 67.0% of total compute and storage infrastructure spend. Spending on non-cloud infrastructure will be relatively flat in comparison and reach $58.6 billion in 2025.

All predictions around cloud-computing spending are pointing in the same direction, even if the details are slightly different. The momentum they are describing is the same: tech analyst Canalys reports that worldwide cloud infrastructure services expenditure topped $50 billion in a quarter for the first time in Q4 2021. For the full year, it has cloud infrastructure services spending growing 35% to $191.7 billion.

Canalys argues that there is already a new growth opportunity for the cloud on the horizon, in the form of augmented and virtual reality and the metaverse. "This will be a significant driver for both cloud services spend and infrastructure deployment over the next decade

What are the core elements of cloud computing

Cloud computing can be broken down into a number of different constituent elements, focusing on different parts of the technology stack and different use cases. Let's take a look at some of the best known in a bit more detail.

What is Infrastructure as a Service

Platform as a Service (PaaS) is the next layer up – as well as the underlying storage, networking, and virtual servers, this layer also includes the tools and software that developers need to build applications on top, which could include middleware, database management, operating systems, and development tools.

What is Software as a Service

Software as a Service (SaaS) is the delivery of applications as a service, probably the version of cloud computing that most people are used to on a day-to-day basis. The underlying hardware and operating system is irrelevant to the end-user, who will access the service via a web browser or app; it is often bought on a per-seat or per-user basis.

SaaS is the largest chunk of cloud spending simply because the variety of applications delivered via SaaS is huge, from CRM such as Salesforce to Microsoft's Office 365. And while the whole market is growing at a furious rate, it's the IaaS and PaaS segments that have consistently grown at much faster rates, according to analyst IDC: "This highlights the increasing reliance of enterprises on a cloud foundation built on cloud infrastructure, software-defined data, compute and governance solutions as a Service, and cloud-native platforms for application deployment for enterprise IT internal applications." IDC predicts that IaaS and PaaS will continue growing at a higher rate than the overall cloud market "as resilience, flexibility, and agility guide IT platform decisions".


to be continued........

Tuesday, 3 May 2022

Website Traffic Secrets

One of the easiest ways to attract new business is by getting more visitors to your website. Increasing traffic to your website can be the most cost-effective way to increase your sales, which means you need a solid strategy for growing your online audience.
In that spirit, I wanted to explain some of the best ways to drive traffic to your website. For those of you who’ve been in business for a while, you may know several of these options, but even experienced online entrepreneurs can learn how to optimize these promotional techniques.


Evergreen Content

Creating and posting evergreen content helps you establish your authority in a particular subject, which is critical for attracting new customers.
Blogging not only keeps your website fresh for visitors, but every page you add to your site helps increase your visibility on Google. To further help your SEO, you should be embedding links and keywords specific to your industry in all of your content.  
A word of warning: Many businesses go too far with keywords, serving up content that’s nothing more than marketing jargon. That’s an easy way to turn off visitors.

Social Media

It’s pretty obvious that many small businesses now use social media to help drive traffic to their websites, with many businesses using Facebook as their channel of choice. While organic social growth doesn’t necessarily require money, it does take time and patience.
When using social media to drive traffic, make sure you keep a consistent posting schedule and share content from other pages as well as your own. Too many small businesses refuse to share any info that doesn’t directly relate to their business.

Guest Posting

In addition to creating evergreen content for your own site, take the time to write for someone else’s. This can give you a large sudden boost in traffic (since you’re tapping into an entirely new audience) but can require lots of work to set up. You’ll need to network with and earn the trust of the outlet you’re trying to write for.  
If you’re just looking for another place to post content, many businesses choose Medium.com, which is easy to write for but can leave your content buried. Creating a relationship with someone in your field and guest writing for his or her audience is much more fruitful.

Paid Ads

If you’re looking to generate traffic as quickly as possible, paid ads can be a great option. Generating organic traffic can take weeks or months, whereas paid ads, if done correctly, can create an immediate influx of visitors.
That said, there are a few pieces of advice to keep in mind. For example, you should never pay for banner ads. Banner ads have a notoriously low rate of return, and most people only click on them by accident at this point.
For small businesses, Facebook advertising is the best place to get an easy return on investment. Or try an email newsletter directed to an audience that closely matches your customer base. Both of these options will allow you to easily measure results and adjust your ads on the fly.
If you want to dip your toe into social media ads, see if you can get some free ad coupons to start and avoid paying money for your early mistakes.  

Press Releases

Distributing press releases can help you build brand awareness and generate traffic to your site since they are still widely used by news outlets looking for stories to cover.
If done correctly, your press release can be picked up by multiple outlets, which means more eyes on your business and your content. In addition to attracting visitors, your release may also lead to contact with a reporter or two, which can certainly help with marketing down the line.
Depending on the distribution service you use, your press release can be sent to vastly different outlets. While the distributed press release may not have much SEO value, it does generate great exposure for your story.

Affiliate Programs

An affiliate program is a deal between a marketer and a content publisher and is sometimes referred to as “performance marketing.” Why? Because you can set the terms of engagement, paying the publisher who is promoting your content based on the number of clicks or sales he or she sends your way.
Usually, these partnerships are set up through a network, such as CJ Affiliate or the Google Affiliate network. The network will help ensure your promotions get in front of an interested audience, but you should vet the options thoroughly to see if they’re a good match for your business.

Digital Marketing Tools

  1. MailChimp
  2. Google Analytics
  3. Google Ads
  4. Canva
  5. Trello
  6. Slack
  7. Yoast SEO
  8. Survey Anyplace
  9. Ahrefs
  10. SEMRUSH

1. MailChimp

MailChimp is a social advertising and email marketing tool designed to orchestrate and automate digital marketing campaigns. It is one of the best digital marketing tools you can get to improve your campaigns and track the traffic generated. Moreover, the platform allows multiple integrations with different SaaS companies. The tool is quite efficient for email campaigns, which you can use to engage with your audience. MailChimp is a well-renowned name in the world of email marketing.

The features of MailChimp:

  • Creates better content with easy-to-use design tools.
  • Uses an AI-powered assistant for generating custom designs.
  • Creates personalized emails and gets up to 6 times more orders using marketing automation.
  • Provides tools for getting insights and analytics in one place.
  • Also provides a free plan for small marketers.

MailChimp incorporates pre-built, customizable email automation that makes it easy for you to reach the right audience at the right moment. The best part is that you can keep your brand top of mind and delight your customers with happy birthday messages, welcome automation, and order notifications. 

Online retail and e-commerce businesses can significantly benefit from MailChimp, as it can help you drive traffic, increase conversions, and grow sales.

2. Google Analytics

Google Analytics is a powerful digital marketing tool that can help you with numerous marketing decisions. You can easily track your e-commerce business as well as goals that can help keep your company on track. Using the many data insights that Google Analytics provides, it is easy for marketers to understand which direction to take with website modifications and changes. All you have to do is install Google Analytics on your site, and you are ready to go.

The features of Google Analytics: 

  • Provides you with information about traffic on your website that is divided by devices, products, pages, and more. 
  • Lets you create your metrics, dimensions, and dashboard for easy access to data and information.
  • Helps you understand your target audience in a better way. You will get real-time updates about your website’s customers, including the pages they are currently exploring. This can help you make your landing page more engaging by providing the customers with a more intuitive experience.
  • Lets you uncover insights into how the business is performing.
  • Lets you share the insights with the help of various reporting tools.
  • Lets you organize and visualize the data to suit business requirements.

Last but not least, Google Analytics comes with tons of features and functionalities, including the ability to create customized reports and dashboards.

3. Google Ads

Google Ads can work for almost any business; it doesn’t matter whether it is small, medium, or large. While many marketers think that Google Ads is too expensive, it is one of the most powerful digital marketing tools that can help your business reach new heights. 

The features of Google Ads:

  • Drives website visits
  • Increases calls from customers through a click-to-call button
  • Increases footfall in your shops

People need to learn Google Ads first in order to use it effectively; otherwise you will be wasting your money. The best part about Google Ads is that return on investment (ROI) is relatively easy to measure. Moreover, new artificial intelligence features make the platform a lot faster and easier to use. The AI features can help you get results faster in Display advertising.

The multiple targeting options allow you to target your customer base based on different factors like age, gender, location, profession, etc. This is something that you will not find in other digital marketing tools. 

Most importantly, you can access Google Agency Account Strategist, where you can learn about the latest features that Google provides. Moreover, access to this means access to some beta testing as well. 

4. Canva Business

If you are in digital marketing, you will understand the need for a quality design tool that can help you create impressive social media posts and other things in marketing. Canva is a prominent design tool that allows you to develop effective marketing campaigns through visual content that can be shared on your blogs, websites, social networks, and other platforms. Visual content is the backbone of any digital marketing campaign. In order to entice the targeted customer base, you need to design compelling posts. 

The features of Canva:

  • Canva allows you to edit posts and create graphs of any type and kind.
  • The tool incorporates numerous templates. It boasts a massive library of stock images, photos, designs, icons, and vectors that you can use to create any type of visual content for your marketing campaign. 
  • It allows you to choose from a massive collection of designs, such as postcard, brochure, CD cover, wallpaper, book cover, resume, certificate, magazine cover, letterhead, presentation graphic, blog banner, card, poster, flyer, presentation, logo, and social media. 

Its simple drag-and-drop design allows you to create visual pieces according to your campaign. The best part is that you don’t need an experienced designer to create visual content for your digital marketing campaign. It is so simple that anyone with no design background can use it. 

5. Trello

If you are looking for a content management tool that will help you brainstorm and strategize content for your digital marketing campaign, you can opt for Trello. It is one of the most popular content management tools used by hundreds and thousands of digital marketers worldwide to create, schedule, and organize content online. 

The platform keeps the whole team together, making communication a lot easier and more manageable. You can assign multiple members from your team to a single card so that they can work on a project together. This way, you will know who’s in charge of designing, writing, editing, posting, and adding call-to-action offers to a post. 

The features of Trello:

  • Allows you to create cards and incorporate notes on the card topic while creating deadlines and assigning topics to specific teams. 
  • Facilitates remote working where your teams can access their tasks and projects from anywhere.

6. Slack

Digital marketers use Slack every single day. With Slack, you can discuss client work, new articles, new projects, new support tickets, share useful content and send messages. 

If you have a distinct team of digital marketers, you will need a powerful medium to communicate effectively with them. This is where Slack comes into play.

The features of Slack: 

  • Makes it easier to communicate with team members over the web in real-time. 
  • Lets you follow everything related to the projects, teams, and channels.
  • Lets you do messaging and video conferencing too.
  • Assists teams in collaborating from anywhere.

While it seems like a messaging app, it does a lot more than that. Slack can potentially tighten up your organizational efficiency. It is not a collaboration or a project management tool. It serves as a messaging platform with a rich collection of options and settings. It lets you have group conversations that are searchable and public, including private conversations. You can change the color scheme of the interface and create different groups. 

7. Yoast SEO

You probably have heard of Yoast SEO. It is one of the most talked-about and used WordPress plugins that help digital marketers to optimize their websites to perform better in search results. 

Yoast SEO helps with the details where WordPress cannot do much: submitting sitemaps, managing keywords, creating content, and using webmaster tools, among other aspects.

The features of Yoast SEO:

The tool comes with a plethora of features that help in optimizing your website.

  • Incorporates built-in content analysis, description management, meta keywords, rich snippets, social features, XML sitemaps, as well as features to manage duplicate content. 
  • Allows you to write better content for your digital marketing campaigns. The plugin provides you access to the Yoast SEO meta box to add meta description and meta title for your content. Moreover, you don’t have to install a third-party plugin for XML sitemaps. 
  • It automatically produces XML sitemaps for websites and submits them to search engines.   

The best part is that you can protect your RSS feed from plagiarism and content scrapers. This protects you from other websites copying your content and publishing it as theirs.

8. Survey Anyplace

SurveyAnyplace is the best tool for marketing professionals to create fun and interactive quizzes, assessments, and surveys for their targeted customer base. It is a great digital marketing tool that will enable you to engage with your target audience and help build brand identity and personality. 

If you are bored of traditional surveys to know the current demand for a product or business, you can use this tool to implement some quality surveys for your digital marketing campaigns that will help you in the long run. 

The features of SurveyAnyplace:

  • Allows you to create questionnaires that return valuable insights
  • Provides personalized advice in return to the respondents
  • Helps in understanding the market demands, what customers want, what features they are looking for, and more.

With SurveyAnyplace, you can reflect your branding on questionnaires and surveys and build your own brand. In simple terms, based on the user experience, you can create your own brand that stands up to your customers’ expectations. The best part is that the platform allows you to formulate your own questions, and you can include images as well in your surveys.  

The surveys you provide are well-designed, simple, and compatible with mobile devices. 

9. Ahrefs

Ahrefs offers a suite of search engine optimization tools, making it easier for you to optimize your website based on your marketing requirements. It is primarily used for checking backlinks, and with its massive data index, the tool is definitely one of the most sought-after digital marketing tools in the market.

The features of Ahrefs:

  • Lets you optimize your website.
  • Lets you find the right websites for your content and strategically choose content topics.
  • Helps in analyzing the competitors.
  • It is a comprehensive SaaS tool that offers snippets of testimonials, a data index, and a free trial as well.
  • Lets you manage your projects.
  • Lets you track your ranking progress.

10. SEMRUSH

SEMRUSH is an all-in-one marketing toolkit that helps grow the online visibility of the business with SEO, content marketing, market research, advertising, social media management, and search engine reputation management. 

The features of SEMRUSH:

  • Helps in boosting organic traffic with the SEO tools and workflow
  • Assists in creating content that ranks
  • Unveils competitors’ strategies and tactics
  • Helps you discover the ways of reaching more prospects with less spending
  • Supports building social media strategies

As per their official website, 7 million marketing professionals like to use SEMRUSH as their digital marketing tool. The tool has won many awards as the best SEO software. The tool is very easy to use: you just have to search out your keyword strategies, apply them, and start tracking them. The tool is free for trial, but the user has to opt for paid plans after seven days.

Monday, 2 May 2022

SQL injection detection tools

Netsparker

Netsparker is a web vulnerability management solution that includes SQLi detection as one of its many features. It also focuses on scalability, automation, and integration. The suite is built around a web vulnerability scanner and can be integrated with third-party tools. Operators don’t need to be knowledgeable in source code. The company also offers an SQL injection cheat sheet to help in mitigation efforts.

The Netsparker platform uses Proof-based Scanning technology to identify and confirm vulnerabilities, indicating results that are definitely not false positives. In addition to SQL injection, it can identify cross-site scripting (XSS) and other vulnerabilities in web applications, web services, and web APIs.

The platform also has security testing tools and a reports generator and can be integrated into DevOps environments. It checks web servers such as Apache, Nginx, and IIS and supports AJAX and JavaScript-based applications.

SQLMap

SQLMap is an automatic SQLi and database takeover tool available on GitHub. This open-source penetration testing tool automates the process of detecting and exploiting SQLi flaws or other attacks that take over database servers.

It includes a detection engine, several ways to conduct penetration testing, and tools for database fingerprinting, data fetching, accessing underlying file systems, and executing commands on the operating system (OS) via out-of-band connections.

jSQL Injection

jSQL Injection is a Java-based tool that helps IT teams find database information from distant servers. It is another of the many free, open-source ways to address SQLi. It supports Windows, Linux, and Mac operating systems and Java versions 11–17.

It is such an effective SQLi deterrent that it is included inside many other vulnerability scanning and penetration testing products and distributions. This includes Kali Linux, Pentest Box, Parrot Security OS, ArchStrike, and BlackArch Linux.

It also offers automatic injection of 33 database engines including Access, DB2, Hana, Ingres, MySQL, Oracle, PostgreSQL, SQL Server, Sybase, and Teradata. It provides the user with ways to address multiple injection strategies and processes and offers script sandboxes for SQL and tampering.

Havij

Havij was developed by an Iranian security company. It provides a graphical user interface (GUI) and is an automated SQLi tool, supporting several SQLi techniques. It has particular value in supporting penetration testers in finding vulnerabilities on web pages. While it is primarily for Windows, there are workarounds to get it functioning on Linux, too.

Burp

The web vulnerability scanner within Burp Suite uses research from PortSwigger to help users find a wide range of vulnerabilities in web applications automatically. For example, Burp Collaborator identifies interactions between its target and an external server to check for bugs invisible to conventional scanners, such as asynchronous SQL injection and blind server-side request forgery (SSRF).

Sitting at the core of large suites such as Burp Suite Enterprise Edition and Burp Suite Professional, the crawl engine in the Burp Scanner cuts through obstacles like cross-site request forgery (CSRF) tokens, stateful functionality, and overloaded or volatile URLs. Its embedded Chromium browser renders and crawls JavaScript. A crawling algorithm builds up a profile of its target in a similar way to a tester.

Burp is also designed to handle dynamic content, unstable internet connections, API definitions, and web applications. Additionally, scan checks can be selected individually or by group, and custom configurations can be saved, such as a scan configuration to report only vulnerabilities appearing in the OWASP Top 10.

BBQSQL

BBQSQL is a Python-based injection exploitation tool that takes a lot of the tedium out of writing custom code and scripting to address SQLi issues. It is mostly used when dealing with more sophisticated SQL injection vulnerabilities. As it is semi-automatic and database agnostic, it simplifies customization and is relatively easy to use.

It also makes use of Python-based tools to boost performance. Users provide data such as the URL impacted, the HTTP method, and other inputs as part of the setup. They must also specify where the injection is going, as well as the syntax being injected.

Blisqy

Blisqy deals with time-based blind SQL injection on HTTP headers. This kind of exploit enables data to be siphoned slowly from a database using bitwise operations on printable ASCII characters, via a blind SQL injection. It supports the MySQL and MariaDB databases.

As it is written in Python, it can be imported into other Python-based scripts. Blisqy is a fast and efficient way to compensate for network lags and other delays, as its time comparison is dynamic and calculated at runtime for each test.
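From the defender's side, time-based blind injection through HTTP headers leaves a recognizable trail: repeated requests from one client whose header values carry a database delay call. The sketch below is an added example, not code from Blisqy or from the original post; the record layout, the delay-function pattern (MySQL/MariaDB `SLEEP` and `BENCHMARK`), the thresholds and the sample requests are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# MySQL/MariaDB functions that introduce a deliberate delay (the databases the
# paragraph names). This pattern is an assumption of the example, not a full rule set.
DELAY_CALL = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.IGNORECASE)
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Constructed sample records: (client, response time in seconds, request headers).
SAMPLE_REQUESTS = [
    ("198.51.100.4", 0.04, {"User-Agent": "Mozilla/5.0", "X-Forwarded-For": "10.0.0.8"}),
    ("203.0.113.7", 2.05, {"User-Agent": "Mozilla/5.0", "X-Forwarded-For": "x' AND SLEEP(2)#"}),
    ("203.0.113.7", 0.05, {"User-Agent": "Mozilla/5.0",
                           "X-Forwarded-For": "x%27%20AND%20sleep%282%29%23"}),
    ("203.0.113.7", 2.04, {"User-Agent": "x' AND SLEEP/**/(2)#", "X-Forwarded-For": "10.0.0.9"}),
    ("198.51.100.9", 0.03, {"User-Agent": "SleepTracker/1.2 (Android)",
                            "Referer": "https://example.com/"}),
]


def normalize(value):
    """Undo URL encoding (twice, for double encoding) and strip inline SQL
    comments so the pattern sees roughly what the database would parse."""
    decoded = unquote_plus(unquote_plus(value))
    return INLINE_COMMENT.sub("", decoded)


def suspicious_headers(headers):
    """Return the sorted names of headers whose value contains a delay call."""
    return sorted(name for name, value in headers.items()
                  if DELAY_CALL.search(normalize(value)))


def flag_clients(requests, min_hits=3, slow_seconds=1.0):
    """Group suspicious requests per client and report clients that repeat them.

    'slow' counts how many of those requests also took at least slow_seconds,
    which suggests the delay actually executed in the database.
    """
    hits = defaultdict(lambda: {"requests": 0, "slow": 0, "headers": set()})
    for client, seconds, headers in requests:
        names = suspicious_headers(headers)
        if not names:
            continue
        entry = hits[client]
        entry["requests"] += 1
        entry["slow"] += int(seconds >= slow_seconds)
        entry["headers"].update(names)
    return {
        client: {"requests": e["requests"], "slow": e["slow"],
                 "headers": sorted(e["headers"])}
        for client, e in hits.items() if e["requests"] >= min_hits
    }


if __name__ == "__main__":
    for client, summary in flag_clients(SAMPLE_REQUESTS).items():
        print(client, summary)
```

A non-zero `slow` count is the part worth escalating: it means at least one injected delay appears to have run, so the header value is reaching a query unparameterized.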

Acunetix Web Vulnerability Scanner

Acunetix by Invicti does SQL injection testing as part of its overall function, which is to scan web-based applications. Its multi-threaded scanner can crawl across hundreds of thousands of pages rapidly for both Windows and Linux. It identifies common web server configuration issues and is particularly adept at scanning WordPress.

It automatically creates a list of all websites, applications, and APIs, and keeps it up to date. This tool also scans SPAs, script-heavy sites, and applications built with HTML5 and JavaScript, as well as offers macros to automate scanning in password-protected and hard-to-reach areas.

Blind SQL Injection via Bit Shifting

Blind SQL Injection via Bit Shifting performs blind SQL injection by using the bit shifting method to calculate characters instead of guessing them. Bit shifting moves the position of the bits to the left or right. For example, 00010111 can be shifted to 00101110. The blind SQL module requires seven or eight requests per character, depending on the configuration.

Damn Small SQLi Scanner

Damn Small SQLi Scanner (DSSS), composed by one of the creators of SQLMap, is a compact SQLi vulnerability scanner composed of less than 100 lines of code. In addition to its use as a vulnerability scanner, this tool emphasizes its ability to perform some of the same tasks as tools that take up larger amounts of code.

However, as expected from its size, it has definite limitations. For instance, it only supports GET parameters and not POST parameters.

Leviathan

Leviathan is characterized as a mass audit collection of tools. As such, it contains a range of capabilities for service discovery, brute force, SQL injection detection, and running custom exploit capabilities. It includes several open source tools inside, including masscan, ncrack, and DSSS, which can be used individually or in combination.

In addition, it can discover FTP, SSH, Telnet, RDP, and MySQL services running in a specific country or in an IP range. The discovered services can then be subjected to brute force via ncrack. Commands can be run remotely on compromised devices. Specific to SQLi vulnerabilities, it can detect them on websites with country extensions.

NoSQLMap

NoSQLMap is a Python tool that can be used in audits. It is often used in the automation of SQL injection attacks and in finding and exploiting default configuration weaknesses in NoSQL databases and web applications that use NoSQL to disclose or clone data from a database.

This open-source tool is well maintained and could be looked upon as a cousin of SQLMap. As the name suggests, NoSQL addresses data models that are different from the tabular approach used in relational databases. But NoSQL databases do support SQL-like query languages and so are subject to SQLi. NoSQLMap focuses mainly on MongoDB and CouchDB. Future releases will expand its repertoire.

Tyrant SQL

Tyrant SQL is a Python-based GUI SQL injection tool similar to SQLMap. Its GUI allows for greater simplicity, which makes it easier for beginners to analyze vulnerable links and determine where weaknesses lie.

Whitewidow

Whitewidow is another open-source SQL vulnerability scanner. As it is automated, it can run through a long file list rapidly or scrape Google for potentially vulnerable websites.

Whitewidow also offers other features such as automatic file formatting, random user agents, IP addresses, server information, and multiple SQL injection syntaxes. This tool also offers the ability to launch SQLMap from within it.

However, Whitewidow isn’t so much a remediation tool as an educational one. It helps teach users what vulnerabilities look like, but it relies on SQLMap for greater SQLi detection capabilities.

explo

explo is a basic tool that was designed to describe web security issues in a human- and machine-readable format. It defines a request/condition workflow, which allows it to exploit security issues without the need for writing a script.

Thus, it can address complex vulnerabilities, yet share them in a simple, readable, and executable format.




Saturday, 30 April 2022

Intrusion Detection Evasive Techniques

Most attackers are aware of IDSs and use evasive techniques to dodge them. These evasive techniques include flooding, fragmentation, encryption, and obfuscation.

Flooding

IDSs depend on resources such as memory and processor power to effectively capture packets, analyze traffic, and report malicious attacks. By flooding a network with noise traffic, an attacker can cause the IDS to exhaust its resources examining harmless traffic. In the meantime, while the IDS is distracted and occupied by the volume of noise traffic, the attacker can attack the target system with little or no intervention from the IDS.

Fragmentation

Because different network media allow variable maximum transmission units (MTUs), you must allow for the fragmentation of these transmission units into differently sized packets or cells. Hackers can take advantage of this fragmentation by dividing attacking packets into smaller and smaller portions that evade the IDS but cause an attack when reassembled by a target host.
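Why a sensor has to reassemble before it matches signatures, shown as an added example that is not part of the original post. The signature, addresses, and fragment layout are constructed, and offsets are counted in bytes as a simplifying assumption.

```python
from collections import defaultdict

SIGNATURE = b"/etc/passwd"  # constructed IDS signature


class Reassembler:
    """Buffers fragments per (src, dst, id) and rebuilds the datagram that
    the target host will see. Offsets are in bytes (an assumption made for
    this example; real IPv4 counts them in 8-byte units)."""

    def __init__(self):
        self.parts = defaultdict(dict)  # key -> {offset: payload}
        self.total = {}                 # key -> full length, set by last fragment

    def add(self, src, dst, ident, offset, more, payload):
        key = (src, dst, ident)
        self.parts[key][offset] = payload
        if not more:                    # the last fragment fixes the total length
            self.total[key] = offset + len(payload)
        if key not in self.total:
            return None
        data = bytearray()
        for off in sorted(self.parts[key]):
            if off != len(data):        # hole or overlap: keep waiting
                return None
            data += self.parts[key][off]
        if len(data) != self.total[key]:
            return None
        del self.parts[key], self.total[key]
        return bytes(data)


def scan(fragments):
    """Return (signature hits per fragment, hits after reassembly)."""
    r, per_fragment, reassembled = Reassembler(), 0, 0
    for frag in fragments:
        per_fragment += SIGNATURE in frag[-1]
        whole = r.add(*frag)
        if whole is not None:
            reassembled += SIGNATURE in whole
    return per_fragment, reassembled


# Constructed capture: one request in three fragments, arriving out of order.
FRAGMENTS = [
    ("10.0.0.5", "10.0.0.9", 77, 0, True, b"GET /../../et"),
    ("10.0.0.5", "10.0.0.9", 77, 18, False, b"swd HTTP/1.0"),
    ("10.0.0.5", "10.0.0.9", 77, 13, True, b"c/pas"),
]
```

No single fragment contains the signature, so per-fragment matching stays silent while the reassembled datagram produces the alert.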

Encryption

Network-based intrusion detection (covered later in this chapter) relies on the analysis of the traffic that is captured as it traverses the network from a source to its destination. If a hacker can establish an encrypted session with its target host using Secure Shell (SSH), Secure Socket Layer (SSL), or a virtual private network (VPN) tunnel, the IDS cannot analyze the packets and the malicious traffic will be allowed to pass. Obviously, this technique requires that the attacker establish a secure encrypted session with its target host.

Obfuscation

Obfuscation, an increasingly popular evasive technique, involves concealing an attack with special characters. It can use control characters such as the space, tab, backspace, and Delete. Also, the technique might represent characters in hex format to elude the IDS. Using Unicode representation, where each character has a unique value regardless of the platform, program, or language, is also an effective way to evade IDSs. For example, an attacker might evade an IDS by using the Unicode character c1 to represent a slash for a Web page request.
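The defensive counterpart is to canonicalize a request before matching signatures against it. The following added example is not part of the original post: it undoes hex encoding, folds overlong two-byte UTF-8 forms (lead byte C0 or C1) back to the ASCII they hide, strips control characters, and only then applies a constructed traversal signature to constructed request paths.

```python
import re
from urllib.parse import unquote_to_bytes

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")  # constructed signature
CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # tab, backspace, Delete, ...


def fold_overlong(raw: bytes):
    """Decode bytes as a permissive server might: a two-byte UTF-8 sequence
    with lead byte 0xC0 or 0xC1 is an overlong form of an ASCII character."""
    chars, found, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and (raw[i + 1] & 0xC0) == 0x80:
            chars.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            found, i = True, i + 2
        else:
            chars.append(chr(b))  # other bytes kept one-to-one (Latin-1)
            i += 1
    return "".join(chars), found


def inspect(path: str):
    """Return (canonical_path, findings) for one request path."""
    findings = []
    text, overlong = fold_overlong(unquote_to_bytes(path))  # undo %xx hex
    if overlong:
        findings.append("overlong-utf8")
    if CONTROL.search(text):
        findings.append("control-chars")
        text = CONTROL.sub("", text)
    canonical = text.replace("\\", "/")
    if TRAVERSAL.search(canonical):
        findings.append("traversal")
    return canonical, findings


# Constructed request paths: plain, hex, control character, overlong UTF-8.
SAMPLES = [
    "/docs/report.pdf",
    "/docs/%2e%2e/conf/app.ini",
    "/docs/.%09./conf/app.ini",
    "/docs/..%c0%af..%c1%9cconf/app.ini",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", inspect(s), "| raw match:", bool(TRAVERSAL.search(s)))
```

The signature matches none of the raw sample strings; after canonicalization it matches the three obfuscated ones, and the findings record which encoding was used.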

Friday, 29 April 2022

Web Server Attack Tools

By now, the methodology that an attacker uses to hack an internet server should be familiar. This section introduces web server hacking tools that an attacker may use within the web server hacking methodology described in the previous section. These tools extract critical information during the hacking process.

Web Server Attack Tool: Metasploit

The Metasploit Framework is a penetration-testing toolkit, exploit development platform, and research tool that has hundreds of working remote exploits for a variety of platforms. It supports fully automated exploitation of web servers by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP.

The features of Metasploit that an attacker may use to perform a web server attack:

1) Closed-loop Vulnerability Validation
2) Phishing Simulations
3) Social Engineering
4) Manual Brute Forcing
5) Manual Exploitation
6) Evade leading defensive solutions


Metasploit Architecture

The Metasploit framework is an open-source exploitation framework that gives security researchers and pen testers a consistent model for the rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework reuses large chunks of code that a user would otherwise need to copy or re-implement on a per-exploit basis. The framework is modular in architecture and encourages the reuse of code across various projects. The framework itself is broken down into a couple of different pieces, the most low-level being the framework core. The framework core is responsible for implementing all of the specified interfaces that allow interaction with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.

Metasploit modules

1. Metasploit Exploit Module

It is the basic module in Metasploit, used to encapsulate an exploit so that users can target many platforms with a single exploit. This module comes with simplified meta-information fields. Using the Mixins feature, users can also dynamically modify exploit behavior, perform brute-force attacks, and attempt passive exploits.

Steps to exploit a system using the Metasploit Framework:

– Configuring active exploit

– Verifying the exploit options

– Selecting a target

– Selecting the payload

– Launching the exploit

2. Metasploit Payload Module

An exploit carries the payload in its backpack when it breaks into the system and then leaves the backpack there.

There are three types of payload modules provided by the Metasploit:
  • Singles: It is self-contained and completely standalone
  • Stagers: It sets up a network connection between the attacker and the victim
  • Stages: It is downloaded by stager modules

The Metasploit Payload Module can upload and download files from the system, take screenshots, and collect password hashes. It can even take over the screen, mouse, and keyboard to control a remote computer. The payload module establishes a communication channel between the Metasploit framework and the victim host. It combines the arbitrary code that is executed as the result of an exploit succeeding. To generate payloads, first select a payload using the command shown in the screenshot below.

3. Metasploit Auxiliary Module

The Auxiliary Module of Metasploit is often used to perform arbitrary, one-off actions like port scanning, DoS, and even fuzzing. It includes tools and modules that assess the security of the target: auxiliary modules like scanners, DoS modules, fuzzers, and so on. To list all the available auxiliary modules in Metasploit, use the show auxiliary command. All modules in Metasploit other than those used to exploit are auxiliary modules. The tool uses the auxiliary modules as an extension for a variety of purposes other than exploitation. Auxiliary modules reside within the modules/auxiliary/ directory of the framework's main directory. To run an auxiliary module, use either the run command or the exploit command.

The basic definition of an auxiliary module is:

Metasploit NOPS Module

NOP modules generate no-operation instructions used for blocking out buffers. Use the generate command to generate a NOP sled of arbitrary size and display it in a given format.

OPTIONS:

-b <opt>: The list of characters to avoid: '\x00\xff'

-h: Help banner

-s <opt>: The comma-separated list of registers to save

-t <opt>: The output type: ruby, Perl, c, or raw

MSF nop(opty2)>








