Ethical Hacking Week 3: Utilizing Search Engines

Search engines are an innocent and useful tool that emerged when the web took the world by storm. However, did you know that search engines such as Google, Bing, DuckDuckGo, and many more can be used to reveal sensitive information? First, let’s analyze how these search engines work. A SERP, or Search Engine Results Page, shows you the most organically relevant results for your search query, not including paid advertising. These result pages are determined by crawling, indexing, and ranking; however, we will only cover crawling.

Crawling – the discovery process in which the search engine sends out a team of robots, known as crawlers, to find new and updated content. Content can vary (a web page, an image, a video, a PDF, etc.) and is discovered through links. The bots start out by fetching web pages and then follow the links on those pages to find new URLs. By link hopping, the crawler is able to find new content and add it to the index, called Caffeine. Robots.txt files are located in the root directory of websites and suggest which parts of your site search engines should and shouldn’t crawl. However, Google allows us to modify this crawling process with advanced operators. The usage of these operators along with the Google search engine is referred to as Google Dorking.
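Because robots.txt only suggests what to crawl, every Disallow line is itself public and is honored only by well-behaved crawlers. The following added example (not from the original post) audits a robots.txt for paths that advertise sensitive areas; the sample file, the hint words, and the bot name are constructed assumptions.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site (not taken from the original page).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /wp-content/uploads/private/
Allow: /blog/

User-agent: Googlebot
Disallow: /staging/
"""

# Hypothetical hint words; adjust them to the naming used on your own site.
SENSITIVE_HINTS = ("admin", "backup", "private", "staging", "config", "internal")


def disallowed_paths(robots_text):
    """Return (user_agent, path) for every Disallow rule, i.e. what the file publishes."""
    agents, rules, in_rules = [], [], False
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:  # a rule line closed the previous group
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow"):
            in_rules = True
            if field == "disallow" and value:
                rules.extend((agent, value) for agent in agents)
    return rules


def sensitive_looking(rules):
    """Paths whose names tell a reader where the interesting parts of the site are."""
    return sorted({path for _, path in rules
                   if any(hint in path.lower() for hint in SENSITIVE_HINTS)})


def compliant_crawler_may_fetch(robots_text, agent, url):
    """What a well-behaved crawler decides; nothing enforces this on the server side."""
    parser = RobotFileParser()
    parser.parse(robots_text.splitlines())
    return parser.can_fetch(agent, url)
```

Anything this audit flags should be protected by authentication on the server, since the robots.txt entry does not restrict access.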

Google Dorking – a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. Google hacking involves using advanced operators in the Google search engine to locate specific errors of text within search results. Here are some examples of Google Dorking our professor had us do as an exercise.

Gives sites for admins to log in to
Gives WordPress uploads of the Website

Summary – as you can see, Google Dorking and utilizing search engines can be very rewarding for finding information on the target and even for finding points of interest that suggest which routes to attack. We can go a step further in utilizing search engines with Shodan.

Shodan – basically a search engine that crawls the Internet, while Google and Bing crawl the World Wide Web. In essence, Shodan gives you information about devices that are connected to the Internet. These devices can vary tremendously, such as small desktops, computer labs, etc. Shodan collects information from banners: it banner grabs the metadata about the software that’s running on a device. This can be server software information, service capabilities, etc. Using Shodan can reveal servers, ports, location, services, and even vulnerabilities.
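To see what a banner gives away, the added example below (not from the original post) takes banners as a banner-grabbing crawler would record them and lists the product and version pairs each one discloses. The banners, port numbers, and function names are constructed for illustration.

```python
import re

# Constructed banners of the kind a banner-grabbing crawler records (not real hosts).
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\nX-Powered-By: PHP/8.1.2\r\n\r\n",
    8080: "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
}

# Product/version tokens such as "Apache/2.4.52" or "OpenSSH_8.9p1".
VERSIONED = re.compile(r"([A-Za-z][\w.+-]*?)[/_](\d[\w.]*)")


def software_fields(banner):
    """Return the parts of a banner that name the software behind the port."""
    ssh = re.match(r"SSH-[\d.]+-(\S+)", banner)  # SSH identification string
    if ssh:
        return [ssh.group(1)]
    fields = []
    for line in banner.split("\r\n")[1:]:  # HTTP headers after the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("server", "x-powered-by"):
            fields.append(value.strip())
    return fields


def version_disclosures(banner):
    """List the (product, version) pairs a banner reveals."""
    found = []
    for field in software_fields(banner):
        found.extend(VERSIONED.findall(field))
    return found


def audit(banners):
    """Map each port to the versions it discloses, skipping ports that disclose none."""
    report = {}
    for port, banner in banners.items():
        disclosed = version_disclosures(banner)
        if disclosed:
            report[port] = disclosed
    return report
```

Port 8080 drops out of the report because its `Server: nginx` header names the product without a version, which is the effect of trimming version strings from server banners.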

Ethical Hacking Week 2: Target Scoping

Target Scoping – a process for gathering target assessment requirements and characterizing each of its parameters to generate a test plan, limitations, business objectives, and time schedule. To give an example of what the end result of target scoping would look like, here are the parameters:

-Company Name
-Address
-Website
-E-mails and Phone Numbers
-Penetration Testing Objectives and Penetration Testing Type
-Devices to be Tested: Servers, Workstations, Network Devices, etc.
-Operating Systems Supported

Target scoping can be done with enumeration tools that are pre-installed on our Kali Linux machines. Such tools are:

-whois command: provides when the website was created, the expiration date of the website, the status of the website, the names of the servers, the potential location of the company, and the phone number and email of the Sponsoring Registrar.

-nslookup command: provides the potential IP address and how many web servers are accepting requests.

-dig command: provides about the same thing as nslookup, but it doesn’t hurt to try.

-whatweb command: provides Country, HTTP Server, IP Address, Web Servers, Technologies Used, Potential Operating System.

-theHarvester command: this tool crawls a search engine with your target in mind and provides Emails and Subdomains.

All these tools and the strategy of target scoping can give us insight into how the network topology of the target is arranged. But what is network topology?


Network Topology
Network topology is the arrangement of the links, nodes, etc. of a communication network. The network topology is the structure of a network and may be depicted physically or logically. The physical topology is the placement of the various components of a network. The logical topology illustrates how data flows within a network. There is also something called the OSI Model, which divides part of a network’s communication functions into layers.

OSI Model – a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying structure and technology. The goal of the OSI model is interoperability. The model partitions the flow of data in a communication system into seven abstraction layers, from the physical implementation of transmitting bits across a communications medium to the highest-level representation of a distributed application. Each intermediate layer serves a class of functionality to the layer above it and is served by the layer below it.

Ethical Hacking Week 1: General Look on Hacking

Types of Hackers

-Ethical Hacker: these hackers are employed by companies to perform penetration tests

-Hackers: these are people who access computer systems or networks without permission. This is considered breaking the law and can result in prison time.

-Crackers: these people break into systems to steal or destroy data and make it very obvious that a system has been breached.

-Script Kiddies/Packet Monkeys: young, inexperienced hackers who copy code and techniques from knowledgeable hackers.

The Role of Security and Penetration Testing

Penetration Testing – This is a legal procedure that is intended to break into a company’s network to find its vulnerabilities.

Security Testing – This is more valuable than an attempt to break in; it also includes analyzing a company’s security policy and procedures. The tester also offers solutions to protect the network.

Value of Testing – testing is important because it lets companies see where their IT infrastructure is most vulnerable and exposes weaknesses in their security. Penetration testing should inspire companies to fix these issues in security before a bad actor tries to penetrate their system. 

Tigerbox

A tiger box is a collection of OSs and hacking tools that is usually used on a laptop. This helps penetration testers and security testers conduct vulnerability assessments and attacks.

Penetration Testing Methodologies

White Box Model – The tester is told everything about the network topology and technology. Additionally, the tester is given the network diagram and is authorized to interview IT personnel and company employees. This makes the tester’s job a little easier.

Black Box Model – The company doesn’t know about the test. The tester isn’t given details about the network; instead, the burden is on the tester to find these missing variables. Lastly, this model tests whether security personnel are able to detect an attack.

Gray Box Model – Hybrid of the white and black box model where the tester is given partial information from the company.

Penetration Testing Process

  • Define the Scope of the Test: this is where the tester determines the extent of testing, what will be tested, where the testing will occur, and who will perform it
  • Performing the Test: Detailing the hacking cycle
  • Reporting and Delivering Results

Penetration Testing Techniques

  • Passive Research – gathering information about the system configuration of the institution.
  • Open Source Monitoring – this is public software that is used to monitor aspects of an institution’s IT infrastructure to ensure confidentiality and integrity
  • Network Mapping – These are easy to understand graphics to show the devices on a network and how it is structured.
  • OS Fingerprinting – this is the detection of the operating system of an end host by analyzing packets. It is used by security professionals and hackers for mapping remote networks and determining the vulnerabilities to exploit.
  • Spoofing – this is the act of disguising a communication from an unknown and untrusted source as being from a known trusted source. Spoofing applies to emails, phone calls, websites, IP Address, Address Resolution Protocol, or Domain Name System.
  • Network Sniffing – this monitors network usage and can be used to track down someone using excessive bandwidth at a university or business. It can also be used to find security holes. Black hat hackers have been using network sniffing tools that allow hackers with little to no hacking skills to monitor traffic over unsecured Wi-Fi networks and steal private information.
  • Trojan Attacks – a trojan is a type of malicious code or software that looks legitimate but can take control of your computer. A trojan is designed to damage, disrupt, steal, or inflict harmful action on your data and network. There are various types of trojan attacks.
  • Brute Force Attack – this is a cyberattack that directly tries to figure out a password and gain authorization via a dictionary of possible passwords.
  • Vulnerability Scanning – A vulnerability scanner is an application that identifies and creates an inventory of all the systems (including servers, desktops, laptops, virtual machines, containers, firewalls, switches, and printers) connected to a network. For each device that it identifies it also attempts to identify the operating system it runs and the software installed on it, along with other attributes such as open ports and user accounts.

Port Scanning

Port scanning is a method of determining which ports on a network are open and could be receiving or sending data. It can also be a process of sending packets to specific ports on a host and analyzing the responses to identify vulnerabilities. To initiate port scanning, you have to identify a list of active hosts and map those hosts to their IP addresses. This is called host discovery and starts with a network scan. Ultimately, the goal of port scanning is to identify the organization’s IP addresses, hosts, and ports to properly determine open or vulnerable server locations. (https://www.avast.com/en-us/business/resources/what-is-port-scanning)
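From the defender’s side, both behaviors described above leave a recognizable pattern in firewall logs: one source touching many ports on a host, or one port across many hosts. This added example (not from the original post) detects both over a sliding time window; the log format, addresses, and thresholds are constructed assumptions to tune for a real network.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def sample_log():
    """Constructed firewall lines: time, source, destination, destination port, action."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    lines = []
    # One source walks ports 20-29 on a single host.
    lines += [f"{stamp(i)} 203.0.113.7 10.0.0.5 {20 + i} DROP" for i in range(10)]
    # One source tries port 22 across six hosts (host discovery).
    lines += [f"{stamp(2 * i)} 198.51.100.9 10.0.0.{i + 1} 22 DROP" for i in range(6)]
    # An ordinary client: same host and port, once a minute.
    lines += [f"{stamp(60 * i)} 192.0.2.44 10.0.0.5 443 ACCEPT" for i in range(10)]
    return lines


def detect_scans(lines, window=timedelta(seconds=60), port_limit=8, host_limit=5):
    """Return {source: findings} for sources that probe widely within `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _action = line.split()
        by_src[src].append((datetime.fromisoformat(ts), dst, int(port)))
    findings = defaultdict(set)
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for _, dst, port in events[start:end + 1]:
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            if any(len(p) >= port_limit for p in ports_per_host.values()):
                findings[src].add("port scan")   # many ports on one host
            if any(len(h) >= host_limit for h in hosts_per_port.values()):
                findings[src].add("host sweep")  # one port on many hosts
    return dict(findings)
```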

SliceCraver Guide

by Fabio Espinoza


Screenshot of Gameplay



How to Play

The way to play SliceCraver is very simple. First, decide if you want to play the game with music or not. Then press the play button. Once you’re in the play stage, press the “START” button. The game will prompt you with a fraction from the Pizza Sprite, and there will be a multiple choice selection of answers you can choose from. Once you click on your answer, the game will repeat and give you another Pizza Sprite animation with a different fraction. Additionally, the game will give you another selection of questions. The game has a 30 second limit, and after it ends it will go back to the main menu. That is how to play SliceCraver. There is also a help page, an about page, and a resources page. The help page tells you how to play the game, the about page tells you about the game creator, and the resources page contains a list of third party sources that helped create the SliceCraver game.


Player Control

The player controls the game only with their mouse. This means SliceCraver relies only on click events from the user.


Self Created Items

This was the help page I created all by myself in Photoshop. The background, the text, and the button were all made by me, with no external sources.

This is the pizza sprite that I didn’t create by myself BUT I made the red fraction outline on the pizza by using the pen tool in Photoshop.




This is the bar I created in Photoshop. Usually this is to hold a button or hold some text like the fraction selections. Every bar and button in SliceCraver was self created and not taken from the internet.

This is the About Page. All of it is self created using text and text styling in Photoshop. I also used the gradient tool and some shape tool objects in there.

This is the Main Menu Page. I didn’t make the background, food sprites, and electric orb sprites myself; however, I made everything else, which includes the track marks across the mountain, the buttons you see on the page, the color changing of the orbs, and the SliceCraver Title Text.


Items from Internet


  • SliceCraver Documentation

    Sprites

    The first thing I realized I had to work on was sprites, so in order to make good quality sprites I used Photoshop. From class I understood how GIFs work and that they are composed of multiple frames to make a moving picture. My first approach was to use Photoshop to make the GIF files and import them into Construct 2, but for some reason my Construct 2 version wasn’t accepting my GIF files. Instead I had to do it the tedious way and import picture by picture, but it paid off in the long run. These sprites include the moving and nonmoving objects in my pages.

    Backgrounds

    Backgrounds are done in Photoshop. When I made the Photoshop project, I made sure its resolution matched my Construct 2 project, which is 1708×960. I used some royalty free pictures from the internet and also edited them a little bit in Photoshop, such as the colors, and added some shapes of my own with the Photoshop pen tool. This project has taught me how to use this photo editing software more efficiently.

    Event Sheets and Pages

    My project was getting very clustered so I made sure to rename my Event Sheets and Pages. Additionally I had to make sure which event sheet and page was linked together so I named them accordingly.

    Design

    The design I was going for was a bitmap design and some animations on every page to make it feel like a dynamic game and not a static app. I used animations by importing every frame into my sprites. I made sure to also have a bright color scheme to make the player more alert and engaged.

    Timer

    To get a timer into my game I used a global variable in my event sheet and tied the integer value to a text box. I made the value go down every second through the system properties event.

    Navigating Through Pages

    Navigating through pages was going to be essential to everyone’s project since we have to include a contact page, a help page, reference page, and our actual game. The way I did this is by using a button or text object as my event handler to see if someone clicks on it. On click of the object, there is an action from the event sheet that lets the system go to another layout. This is also a reason why my design in my pages all have buttons to navigate through my game.

    Fractions

    The fractions were represented by outlines I added to the pizza sprite via Photoshop. The slices of the pizza are highlighted red and the user is prompted with options of what the possible answer can be. The game is all about the user answering and being exposed to new fractions. Once the user clicks an answer, a new fraction is displayed.

    Score

    I realized this game is not about trying to get the highest score but about learning fractions. So the scoring system is based on attempts. The more the user answers, the higher his score will be; this means more exposure to fractions is what rewards your score. This game is intended to be educational and for little children, so I didn’t want it to be competitive; instead I wanted it to be a very relaxed game.

    Construct 2 Proposal: SliceCraver

    Idea : Fractions and Food!


    Imagine a game that teaches your kids math and a variety of different kinds of food at the same time! This game, “SliceCraver 101”, is just the game for that! This game displays many levels to the user, with each level being a food that can be sliced up into pieces. To discover more foods you have to complete every level, and with every level you learn how to identify, simplify, and modify fractions! This is an assignment given to me in Multimedia Class and has to be done in the game maker software “Construct 2”. This game will be made with no programming, only with the GUI and tools given to me. The aim of this game is to help children learn fractions, a mathematical topic that is hard to understand at first. At the same time, the kids learn about all types of foods from every culture that can be sliced into pieces for people to enjoy. This game will hopefully make children more interested in mathematics and also able to identify foods that they will come across in their daily lives.


    This game will teach not only the kids but also teach me the ways of making a good UI, finding an audience, and understanding a new type of software. What I learned in multimedia class is that I have to use colors that are easy on the eyes and images that are compressed by their pixel dimensions, bit-depth, or file format for efficient run time in my game. (The smaller the file size the better for the images!) Additionally, I will have to use game sounds and maybe background music! Wish me luck guys, my progress will come soon in the following blog posts.

