Friday, May 22, 2020

BurpSuite Introduction & Installation



What is BurpSuite?
Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.

In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed.











Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself looking BurpSuite . It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.

BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.

Requirements and assumptions:

Mozilla Firefox 3.1 or Later Knowledge of Firefox Add-ons and installation The Java Runtime Environment installed

Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.

on for Firefox from   https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/


If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.


Video for setup and installation.




You need to install compatible version of java , So that you can run BurpSuite.
Related links

How To Build A "Burner Device" For DEF CON In One Easy Step

TL;DR: Don't build a burner device. Probably this is not the risk you are looking for.

Introduction

Every year before DEF CON people starts to give advice to attendees to bring "burner devices" to DEF CON. Some people also start to create long lists on how to build burner devices, especially laptops. But the deeper we look into the topic, the more confusing it gets. Why are we doing this? Why are we recommending this? Are we focusing on the right things?

What is a "burner device" used for?

For starters, the whole "burner device" concept is totally misunderstood, even within the ITSEC community. A "burner device" is used for non-attribution. You know, for example, you are a spy and you don't want the country where you live to know that you are communicating with someone else. I believe this is not the situation for most attendees at DEF CON. More info about the meaning of "burner" https://twitter.com/Viss/status/877400669669306369

Burner phone means it has a throwaway SIM card with a throwaway phone, used for one specific operation only. You don't use the "burner device" to log in to your e-mail account or to VPN to your work or home.
But let's forget this word misuse issue for a moment, and focus on the real problem.

The bad advice

The Internet is full of articles focusing on the wrong things, especially when it comes to "burner devices". Like how to build a burner laptop, without explaining why you need it or how to use it.
The problem with this approach is that people end up "burning" (lame wordplay, sorry) significant resources for building a secure "burner device". But people are not educated about how they should use these devices.

The threats

I believe the followings are some real threats which are higher when you travel:
1. The laptop getting lost or stolen.
2. The laptop getting inspected/copied at the border.

These two risks have nothing to do with DEF CON, this is true for every travel.

Some other risks which are usually mentioned when it comes to "burner devices" and DEF CON:
3. Device getting owned via physical access while in a hotel room.
4. Network traffic Man-in-the-middle attacked. Your password displayed on a Wall of Sheep. Or having fun with Shellshock with DHCP. Information leak of NTLM hashes or similar.
5. Pwning the device via some nasty things like WiFi/TCP/Bluetooth/LTE/3G/GSM stack. These are unicorn attacks.

6. Pwning your device by pwning a service on your device. Like leaving your upload.php file in the root folder you use at CTFs and Nginx is set to autostart. The author of this article cannot comment on this incident whether it happened in real life or is just an imaginary example. 

How to mitigate these risks? 

Laptop getting stolen/lost/inspected at the border?
1. Bring a cheap, empty device with you. Or set up a fake OS/fake account to log in if you really need your day-to-day laptop. This dummy account should not decrypt the real files in the real account.

Device getting owned while in a hotel room with physical access

1. Don't bring any device with you.
2. If you bring any, make it tamper-resistant. How to do that depends on your enemy, but you can start by using nail glitter and Full Disk Encryption. Tools like Do Not Disturb help. It also helps if your OS supports suspending DMA devices before the user logs in.
3. If you can't make the device tamper-resistant, use a device that has a good defense against physical attackers, like iOS.
4. Probably you are not that important anyway that anyone will spend time and resources on you. If they do, probably you will only make your life miserable with all the hardening, but still, get pwned.

Network traffic Man-in-the-middle attacked

1. Don't bring any device with you.
2. Use services that are protected against MiTM. Like TLS.
3. Update your OS to the latest and greatest versions. Not everyone at DEF CON has a 0dayz worth of 100K USD, and even the ones who have won't waste it on you. 
4. Use fail-safe VPN. Unfortunately, not many people talk about this or have proper solutions for the most popular operating systems.
5. For specific attacks like Responder, disable LLMNR, NBT-NS, WPAD, and IPv6 and use a non-work account on the machine. If you don't have the privileges to do so on your machine, you probably should not bring this device with you. Or ask your local IT to disable these services and set up a new account for you.

Pwning the device via some nasty thing like WiFi/TCP/Bluetooth/LTE/3G/GSM stack

1. Don't bring any device with you.
2. If you bring any, do not use this device to log in to work, personal email, social media, etc.
3. Don't worry, these things don't happen very often. 

Pwning your device by pwning a service on your device

Just set up a firewall profile where all services are hidden from the outside. You rarely need any service accessible on your device at a hacker conference.

Conclusion

If you are still so afraid to go there, just don't go there. Watch the talks at home. But how is the hotel WiFi at a random place different from a hacker conference? Turns out, it is not much different, so you better spend time and resources on hardening your daily work devices for 365 days, instead of building a "burner device".

You probably need a "burner device" if you are a spy for a foreign government. Or you are the head of a criminal organization. Otherwise, you don't need a burner device. Maybe you need to bring a cheap replacement device.

Related posts


  1. Ethical Hacking Certification
  2. Certificacion Ethical Hacking
  3. Curso De Hacking Gratis
  4. Nfc Hacking
  5. Programa De Hacking
  6. Ethical Hacking Course
  7. Raspberry Pi Hacking
  8. Curso Hacking Gratis
  9. Hacking Simulator
  10. Como Convertirse En Hacker
  11. Hacking Wifi
  12. Sdr Hacking
  13. Hacking 2019
  14. Hacking Ético
  15. Hacking Libro
  16. Hacking Language

Thursday, May 21, 2020

What Is A Vpn And How Is It Works ?

What Is A VPN?

VPN stands for Virtual Private Network, and maybe you have heard or read that term in association with privacy and geolocation. In this article we will learn and look into what exactly is it how does it work and what can it do for you.

How Does A VPN Work?

Let me explain it now but before we dive into VPNs, let me tell you a little bit about how the internet works now. At home, you have probably got some router or modem from your telephone company or your internet service provider. Then that is connected to your desktop, maybe by an Ethernet cable, to your smartphone over Wi-Fi, perhaps to your laptop over Wi-Fi and so on.

Inside your house when you do a laptop talk or your PC talk or your phone talk that is part of your private network, and that does not go out onto the internet. It stays inside your house, but the moment you open a web page somewhere out on the internet that data flows through your modem down into your local phone company or ISP and then out across the internet.

It will travel across the internet until it gets to the server the server will then reply with some information that will come back through the internet into your local telecommunications provider or ISP down through to your modem and then back onto your PC or your Android smartphone.

Now, while all that data is rushing around the internet, it needs to know where it is going and the things to know where they are going. They need an address it is the same with the postal service is the same when you want to go and visit somebody. It is the same with data on the internet.

There are different layers of addressing or different types of addressing that go on, but at the highest level, each of these packets of information has what is called an IP address. The IP address is you have probably seen them there those four digits from 0 to 255 with dots in between them so maybe like 178.304.67.

The modem or your router has probably been assigned an IP address from your ISP and what happens in is that when your data goes through the internet every piece of equipment, it touches every router every server it touches knows that your IP address. It is done that is not because they are trying to spy on you but because trying to connect collect data about the number of people that clicked into their website.

What a VPN does is it allows you to create a tunnel a connection from your home computer to a server somewhere else in the world. The connection is encrypted, and then when I access something on the Internet, it goes through that tunnel and then it arrived at that other server and then it goes on to the Internet, and it will finally arrive at the web server or the service. Your IP address will no longer be your IP address. The IP address of the VPN server protects your IP.

If you use a VPN, first of all, your local telecommunications provider and your local government have no idea about the sites that you are accessing. When you go through the VPN, it is all encrypted. VPN allows you to connect to another server in another country.


@£√£RYTHING NT

Related word


APPLE IPHONE X FACE ID CAN BE HACKED WITH SILICON MASK

Just a week after Apple released its brand new iPhone X on November 3, a team of researchers has claimed to successfully hack Apple's Face ID facial recognition technology with a mask that costs less than $150. They said Apple iPhone x face id can be hacked with silicon mask easily.

apple iPhone x face id hacked
Yes, Apple's "ultra-secure" Face ID security for the iPhone X is not as secure as the company claimed during its launch event in September this year.

"Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID," Apple's senior VP of worldwide marketing Phil Schiller said about Face ID system during the event.

"These are actual masks used by the engineering team to train the neural network to protect against them in Face ID."

However, the bad news is that researchers from Vietnamese cybersecurity firm Bkav were able to unlock the iPhone X using a mask.

Yes, Bkav researchers have a better option than holding it up to your face while you sleep. Bkav researchers re-created the owner's face through a combination of 3D printed mask, makeup, and 2D images with some "special processing done on the cheeks and around the face, where there are large skin areas" and the nose is created from silicone.

The researchers have also published a proof-of-concept video, showing the brand-new iPhone X first being unlocked using the specially constructed mask, and then using the Bkav researcher's face, in just one go.

"Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it," an FAQ on the Bkav website said.

"You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought."

Researchers explain that their "proof-of-concept" demo took about five days after they got iPhone X on November 5th. They also said the demo was performed against one of their team member's face without training iPhone X to recognize any components of the mask.

"We used a popular 3D printer. The nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition 9 years ago). The skin was also hand-made to trick Apple's AI," the firm said.

The security firm said it cost the company around $150 for parts (which did not include a 3D printer), though it did not specify how many attempts its researchers took them to bypass the security of Apple's Face ID.

It should be noted that creating such a mask to unlock someone's iPhone is a time-consuming process and it is not possible to hack into a random person's iPhone.

However, if you prefer privacy and security over convenience, we highly recommend you to use a passcode instead of fingerprint or Face ID to unlock your phone.

Related news


Attacking Financial Malware Botnet Panels - SpyEye

This is the second blog post in the "Attacking financial malware botnet panels" series. After playing with Zeus, my attention turned to another old (and dead) botnet, SpyEye. From an ITSEC perspective, SpyEye shares a lot of vulnerabilities with Zeus. 

The following report is based on SpyEye 1.3.45, which is old, and if we are lucky, the whole SpyEye branch will be dead soon. 

Google dorks to find SpyEye C&C server panel related stuff:

  • if the img directory gets indexed, it is rather easy, search for e.g. inurl:b-ftpbackconnect.png
  • if the install directory gets indexed, again, easy, search for e.g. inurl:spylogo.png
  • also, if you find a login screen, check the css file (style.css), and you see #frm_viewlogs, #frm_stat, #frm_botsmon_country, #frm_botstat, #frm_gtaskloader and stuff like that, you can be sure you found it
  • otherwise, it is the best not to Google for it, but get a SpyEye sample and analyze it
And this is how the control panel login looks like, nothing sophisticated:


The best part is that you don't have to guess the admin's username ;)

This is how an average control panel looks like:


Hack the Planet! :)

Boring vulns found (warning, an almost exact copy from the Zeus blog post)


  • Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
  • No password policy - admins can set up really weak passwords
  • No anti brute-force - you can try to guess the admin's password. There is no default username, as there is no username handling!
  • Password autocomplete enabled - boring
  • Missing HttpOnly flag on session cookie - interesting when combining with XSS
  • No CSRF protection - e.g. you can upload new exe, bin files, turn plugins on/off :-( boring. Also the file extension check can be bypassed, but the files are stored in the database, so no PHP shell this time. If you check the following code, you can see that even the file extension and type is checked, and an error is shown, but the upload process continues. And even if the error would stop the upload process, the check can be fooled by setting an invalid $uptype. Well done ...
        if ($_FILES['file']['tmp_name'] && ($_FILES['file']['size'] > 0))
        {
                $outstr = "<br>";
                set_time_limit(0);
                $filename = str_replace(" ","_",$_FILES['file']['name']);
                $ext = substr($filename, strrpos($filename, '.')+1);
                if( $ext==='bin' && $uptype!=='config' ) $outstr .= "<font class='error'>Bad CONFIG extension!</font><br>";
                if( $ext==='exe' && $uptype!=='body' && $uptype!=='exe' ) $outstr .= "<font class='error'>Bad extension!</font><br>";

                switch( $uptype )
                {
                case 'body': $ext = 'b'; break;
                case 'config': $ext = 'c'; break;
                case 'exe': $ext = 'e'; break;
                default: $ext = 'e';
                }
                $_SESSION['file_ext'] = $ext;
                if( isset($_POST['bots']) && trim($_POST['bots']) !== '')
              {
                        $bots = explode(' ', trim($_POST['bots']));
                        //writelog("debug.log", trim($_POST['bots']));
                      $filename .= "_".(LastFileId()+1);
                }
                if( FileExist($filename) ) $filename .= LastFileId();
                $tmpName  = $_FILES['file']['tmp_name'];
                $fileSize = $_FILES['file']['size'];
                $fileType = $_FILES['file']['type'];
                ## reading all file for calculating hash
                $fp = fopen($tmpName, 'r');
  • Clear text password storage - the MySQL passwords are stored in php files, in clear text. Also, the login password to the form panel is stored in clear text.
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5. Just look at the pure simplicity of the login check, great work!
$query = "SELECT * FROM users_t WHERE uPswd='".md5($pswd)."'";
  • ClickJacking - really boring stuff

    SQL injection


    SpyEye has a fancy history of SQL injections. See details here, here, here, video here and video here.

    It is important to highlight the fact that most of the vulnerable functions are reachable without any authentication, because these PHP files lack user authentication at the beginning of the files.

    But if a C&C server owner gets pwned through this vuln, it is not a good idea to complain to the developer, because after careful reading of the install guide, one can see:

    "For searching info in the collector database there is a PHP interface as formgrabber admin panel. The admin panel is not intended to be found on the server. This is a client application."

    And there are plenty of reasons not to install the formgrabber admin panel on any internet reachable server. But this fact leads to another possible vulnerability. The user for this control panel is allowed to remotely login to the MySQL database, and the install guide has pretty good passwords to be reused. I mean it looks pretty secure, there is no reason not to use that.

    CREATE USER 'frmcpviewer' IDENTIFIED BY 'SgFGSADGFJSDGKFy2763272qffffHDSJ';

    Next time you find a SpyEye panel, and you can connect to the MySQL database, it is worth a shot to try this password.

    Unfortunately the default permissions for this user is not enough to write files (select into outfile):

    Access denied for user 'frmcpviewer' (using password: YES)

    I also made a little experiment with this SQL injection vulnerability. I did set up a live SpyEye botnet panel, created the malware install binaries (droppers), and sent the droppers to the AV companies. And after more and more sandboxes connected to my box, someone started to exploit the SQL injection vulnerability on my server!

    63.217.168.90 - - [16/Jun/2014:04:43:00 -0500] "GET /form/frm_boa-grabber_sub.php?bot_guid=&lm=3&dt=%20where%201=2%20union%20select%20@a:=1%20from%20rep1%20where%20@a%20is%20null%20union%20select%20@a:=%20@a%20%2b1%20union%20select%20concat(id,char(1,3,3,7),bot_guid,char(1,3,3,7),process_name,char(1,3,3,7),hooked_func,char(1,3,3,7),url,char(1,3,3,7),func_data)%20from%20rep2_20140610%20where%20@a=3%23 HTTP/1.1" 200 508 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

    Although the query did not return any meaningful data to the attacker (only data collected from sandboxes), it raises some legal questions.

    Which company/organization has the right to attack my server? 
    • police (having a warrant)
    • military (if we are at war)
    • spy agencies (always/never, choose your favorite answer)
    • CERT organisations?

    But, does an AV company or security research company has the legal right to attack my server? I don't think so... The most problematic part is when they hack a server (without authorization), and sell the stolen information in the name of "intelligence service". What is it, the wild wild west?

    The SQLi clearly targets the content of the stolen login credentials. If this is not an AV company, but an attacker, how did they got the SpyEye dropper? If this is an AV company, why are they stealing the stolen credentials? Will they notify the internet banking owners about the stolen credentials for free? Or will they do this for money?

    And don't get me wrong, I don't want to protect the criminals, but this is clearly a grey area in the law. From an ethical point of view, I agree with hacking the criminal's servers. As you can see, the whole post is about disclosing vulns in these botnet panels. But from a legal point of view, this is something tricky ... I'm really interested in the opinion of others, so comments are warmly welcome.

    On a side note, I was interested how did the "attackers" found the SpyEye form directory? Easy, they brute-forced it, with a wordlist having ~43.000 entries.

    (Useless) Cross site scripting


    Although parts of the SpyEye panel are vulnerable to XSS, it is unlikely that you will to find these components on the server, as these codes are part of the install process, and the installer fails to run if a valid install is found. And in this case, you also need the DB password to trigger the vuln...



    Session handling


    This is a fun part. The logout button invalidates the session only on the server side, but not on the client side. But if you take into consideration that the login process never regenerates the session cookies (a.k.a session fixation), you can see that no matter how many times the admin logs into the application, the session cookie remains the same (until the admin does not close the browser). So if you find a session cookie which was valid in the past, but is not working at the moment, it is possible that this cookie will be valid in the future ...

    Binary server


    Some parts of the SpyEye server involve running a binary server component on the server, to collect the form data. It would be interesting to fuzz this component (called sec) for vulns.

    Log files revealed


    If the form panel mentioned in the SQLi part is installed on the server, it is worth visiting the <form_dir>/logs/error.log file, you might see the path of the webroot folder, IP addresses of the admins, etc.

    Reading the code


    Sometimes reading the code you can find code snippets, which is hard to understand with a clear mind:

    $content = fread($fp, filesize($tmpName));
    if ( $uptype === 'config' )
        $md5 = GetCRC32($content);
    else $md5 = md5($content);
    ....
    <script>
    if (navigator.userAgent.indexOf("Mozilla/4.0") != -1) {
    alert("Your browser is not support yet. Please, use another (FireFox, Opera, Safari)");
    document.getElementById("div_main").innerHTML = "<font class=\'error\'>ChAnGE YOuR BRoWsEr! Dont use BUGGED Microsoft products!</font>";
    }
    </script>

    Decrypting SpyEye communication

    It turned out that the communication between the malware and C&C server is not very sophisticated (Zeus does a better job at it, because the RC4 key stream is generated from the botnet password).

    function DeCode($content)
    {
    $res = '';
    for($i = 0; $i < strlen($content); $i++)
    {
    $num = ord($content[$i]);
    if( $num != 219) $res .= chr($num^219);
    }
    return $res;
    }
    Fixed XOR key, again, well done ...
    This means that it is easy to create a script, which can communicate with the SpyEye server. For example this can be used to fill in the SpyEye database with crap data.


    import binascii
    import requests
    import httplib, urllib

    def xor_str(a, b):
    i = 0
    xorred = ''
    for i in range(len(a)):
    xorred += chr(ord(a[i])^b)
    return xorred

    b64_data= "vK6yv+bt9er17O3r6vqPnoiPjZb2i5j6muvo6+rjmJ/9rb6p5urr6O/j/bK+5uP16/Xs7evq9ers7urv/bSo5u316vXs7evq/a6v5pq/trK1/bi4qbjm453j6uPv7Or9tr/u5um+uuvpve3p7eq/4+vsveLi7Lnqvrjr6ujs7rjt7rns/au3vOa5sre3srW8s7q2tr6p4Lm3tLiw4LmuvKm+q7Spr+C4uPu8qbq5ub6p4Li4vKm6ubm+qeC4qb6/sq+8qbq54LiuqK+0tri0tbW+uK+0qeC/v7So4L+1qLqrsuC+trqyt7ypurm5vqngvb24vqmvvKm6ubm+qeC9/aivuq/mtLW3srW+"
    payload =xor_str (binascii.a2b_base64(b64_data), 219)
    print ("the decrypted payload is: " + payload)
    params = (binascii.b2a_base64(xor_str(payload,219)))
    payload = {'data': params}
    r = requests.post("http://spyeye.localhost/spyeye/_cg/gate.php", data=payload)

    Morale of the story?


    Criminals produce the same shitty code as the rest of the world, and thanks to this, some of the malware operators get caught and are behind bars now. And the law is behind the reality, as always.

    Related articles

    An Overview Of Java



    CHAPTER
    2 An Overview of Java
    As in all other computer languages, the elements of Java do not exist in isolation. Rather, they work together to form the language as a whole. However, this interrelatedness can make it difficult to describe one aspect of Java without involving several others. Often a discussion of one feature implies prior knowledge of another. For this reason, this chapter presents a quick overview of several key features of Java. The material described here will give you a foothold that will allow you to write and understand simple programs. Most of the topics discussed will be examined in greater detail in the remaining chapters of Part I.

    Object-Oriented Programming
    Object-oriented programming (OOP) is at the core of Java. In fact, all Java programs are to at least some extent object-oriented. OOP is so integral to Java that it is best to understand its basic principles before you begin writing even simple Java programs. Therefore, this chapter begins with a discussion of the theoretical aspects of OOP.
    Two Paradigms
    All computer programs consist of two elements: code and data. Furthermore, a program can be conceptually organized around its code or around its data. That is, some programs are written around "what is happening" and others are written around "who is being affected." These are the two paradigms that govern how a program is constructed. The first way is called the process-oriented model. This approach characterizes a program as a series of linear steps (that is, code). The process-oriented model can be thought of as code acting on data. Procedural languages such as C employ this model to considerable success. However, as mentioned in Chapter 1, problems with this approach appear as programs grow larger and more complex.
    To manage increasing complexity, the second approach, called object-oriented programming, was conceived. Object-oriented programming organizes a program around its data (that is, objects) and a set of well-defined interfaces to that data. An object-oriented program can
    be characterized as data controlling access to code. As you will see, by switching the controlling entity to data, you can achieve several organizational benefits.

     
    Abstraction
    An essential element of object-oriented programming is abstraction. Humans manage complexity through abstraction. For example, people do not think of a car as a set of tens of thousands of individual parts. They think of it as a well-defined object with its own unique behavior. This abstraction allows people to use a car to drive to the grocery store without being overwhelmed by the complexity of the parts that form the car. They can ignore the details of how the engine, transmission, and braking systems work. Instead, they are free to utilize the object as a whole.
    A powerful way to manage abstraction is through the use of hierarchical classifications.
    This allows you to layer the semantics of complex systems, breaking them into more manageable pieces. From the outside, the car is a single object. Once inside, you see that the car consists of several subsystems: steering, brakes, sound system, seat belts, heating, cellular phone, and so on. In turn, each of these subsystems is made up of more specialized units. For instance, the sound system consists of a radio, a CD player, and/or a tape player. The point is that you manage the complexity of the car (or any other complex system) through the use of hierarchical abstractions.
    Hierarchical abstractions of complex systems can also be applied to computer programs.
    The data from a traditional process-oriented program can be transformed by abstraction into its component objects. A sequence of process steps can become a collection of messages between these objects. Thus, each of these objects describes its own unique behavior. You can treat these objects as concrete entities that respond to messages telling them to do something. This is the essence of object-oriented programming.
    Object-oriented concepts form the heart of Java just as they form the basis for human understanding. It is important that you understand how these concepts translate into programs. As you will see, object-oriented programming is a powerful and natural paradigm for creating programs that survive the inevitable changes accompanying the life cycle of any major software project, including conception, growth, and aging. For example, once you have well-defined objects and clean, reliable interfaces to those objects, you can gracefully decommission or replace parts of an older system without fear.
    The Three OOP Principles
    All object-oriented programming languages provide mechanisms that help you implement the object-oriented model. They are encapsulation, inheritance, and polymorphism. Let's take a look at these concepts now.
    Encapsulation
    Encapsulation is the mechanism that binds together code and the data it manipulates, and keeps both safe from outside interference and misuse. One way to think about encapsulation is as a protective wrapper that prevents the code and data from being arbitrarily accessed by other code defined outside the wrapper. Access to the code and data inside the wrapper is tightly controlled through a well-defined interface. To relate this to the real world, consider the automatic transmission on an automobile. It encapsulates hundreds of bits of information about your engine, such as how much you are accelerating, the pitch of the surface you are on, and the position of the shift lever. You, as the user, have only one method of affecting this complex encapsulation: by moving the gear-shift lever. You can't affect the transmission by using the turn signal or windshield wipers, for example. Thus, the gear-shift lever is a well-defined (indeed, unique) interface to the transmission. Further, what occurs inside the
     
    transmission does not affect objects outside the transmission. For example, shifting gears does not turn on the headlights! Because an automatic transmission is encapsulated, dozens of car manufacturers can implement one in any way they please. However, from the driver's point of view, they all work the same. This same idea can be applied to programming. The power of encapsulated code is that everyone knows how to access it and thus can use it regardless of the implementation details—and without fear of unexpected side effects.
    In Java, the basis of encapsulation is the class. Although the class will be examined in great detail later in this book, the following brief discussion will be helpful now. A class defines the structure and behavior (data and code) that will be shared by a set of objects. Each object of a given class contains the structure and behavior defined by the class, as if it were stamped out by a mold in the shape of the class. For this reason, objects are sometimes referred to as instances of a class. Thus, a class is a logical construct; an object has physical reality.
    When you create a class, you will specify the code and data that constitute that class.
    Collectively, these elements are called members of the class. Specifically, the data defined by the class are referred to as member variables or instance variables. The code that operates on that data is referred to as member methods or just methods. (If you are familiar with C/C++, it may help to know that what a Java programmer calls a method, a C/C++ programmer calls a function.) In properly written Java programs, the methods define how the member variables can be used. This means that the behavior and interface of a class are defined by the methods that operate on its instance data.
    Since the purpose of a class is to encapsulate complexity, there are mechanisms for hiding the complexity of the implementation inside the class. Each method or variable in a class may be marked private or public. The public interface of a class represents everything that external users of the class need to know, or may know. The private methods and data can only be accessed by code that is a member of the class. Therefore, any other code that is not a member of the class cannot access a private method or variable. Since the private members of a class may only be accessed by other parts of your program through the class' public methods, you can ensure that no improper actions take place. Of course, this means that the public interface should be carefully designed not to expose too much of the inner workings of a class (see Figure 2-1).
    Inheritance
    Inheritance is the process by which one object acquires the properties of another object. This is important because it supports the concept of hierarchical classification. As mentioned earlier, most knowledge is made manageable by hierarchical (that is, top-down) classifications. For example, a Golden Retriever is part of the classification dog, which in turn is part of the mammal class, which is under the larger class animal. Without the use of hierarchies, each object would need to define all of its characteristics explicitly. However, by use of inheritance, an object need only define those qualities that make it unique within its class. It can inherit its general attributes from its parent. Thus, it is the inheritance mechanism that makes it possible for one object to be a specific instance of a more general case. Let's take a closer look at this process.
    Most people naturally view the world as made up of objects that are related to each other in a hierarchical way, such as animals, mammals, and dogs. If you wanted to describe animals in an abstract way, you would say they have some attributes, such as size, intelligence, and type of skeletal system. Animals also have certain behavioral aspects; they eat, breathe, and sleep. This description of attributes and behavior is the class definition for animals.
     
     
    Figure 2-1 Encapsulation: public methods can be used to protect private data.

    If you wanted to describe a more specific class of animals, such as mammals, they would have more specific attributes, such as type of teeth and mammary glands. This is known as a subclass of animals, where animals are referred to as mammals' superclass.
    Since mammals are simply more precisely specified animals, they inherit all of the attributes from animals. A deeply inherited subclass inherits all of the attributes from each of its ancestors in the class hierarchy.
    Inheritance interacts with encapsulation as well. If a given class encapsulates some attributes, then any subclass will have the same attributes plus any that it adds as part of its specialization (see Figure 2-2). This is a key concept that lets object-oriented programs grow in complexity linearly rather than geometrically. A new subclass inherits all of the attributes of all of its ancestors. It does not have unpredictable interactions with the majority of the rest of the code in the system.

     

     
    Figure 2-2 Labrador inherits the encapsulation of all its superclasses.

    Polymorphism
    Polymorphism (from Greek, meaning "many forms") is a feature that allows one interface to be used for a general class of actions. The specific action is determined by the exact nature of the situation. Consider a stack (which is a last-in, first-out list). You might have a program that requires three types of stacks. One stack is used for integer values, one for floating- point values, and one for characters. The algorithm that implements each stack is the same, even though the data being stored differs. In a non–object-oriented language, you would be required to create three different sets of stack routines, with each set using different names. However, because of polymorphism, in Java you can specify a general set of stack routines that all share the same names.
     
    More generally, the concept of polymorphism is often expressed by the phrase "one interface, multiple methods." This means that it is possible to design a generic interface to a group of related activities. This helps reduce complexity by allowing the same interface to be used to specify a general class of action. It is the compiler's job to select the specific action (that is, method) as it applies to each situation. You, the programmer, do not need to make this selection manually. You need only remember and utilize the general interface.
    Extending the dog analogy, a dog's sense of smell is polymorphic. If the dog smells a cat, it will bark and run after it. If the dog smells its food, it will salivate and run to its bowl. The same sense of smell is at work in both situations. The difference is what is being smelled, that is, the type of data being operated upon by the dog's nose! This same general concept can be implemented in Java as it applies to methods within a Java program.
    Polymorphism, Encapsulation, and Inheritance Work Together
    When properly applied, polymorphism, encapsulation, and inheritance combine to produce a programming environment that supports the development of far more robust and scaleable programs than does the process-oriented model. A well-designed hierarchy of classes is the basis for reusing the code in which you have invested time and effort developing and testing. Encapsulation allows you to migrate your implementations over time without breaking the code that depends on the public interface of your classes. Polymorphism allows you to create clean, sensible, readable, and resilient code.
    Of the two real-world examples, the automobile more completely illustrates the power of object-oriented design. Dogs are fun to think about from an inheritance standpoint, but cars are more like programs. All drivers rely on inheritance to drive different types (subclasses) of vehicles. Whether the vehicle is a school bus, a Mercedes sedan, a Porsche, or the family minivan, drivers can all more or less find and operate the steering wheel, the brakes, and the accelerator. After a bit of gear grinding, most people can even manage the difference between a stick shift and an automatic, because they fundamentally understand their common superclass, the transmission.
    People interface with encapsulated features on cars all the time. The brake and gas pedals hide an incredible array of complexity with an interface so simple you can operate them with your feet! The implementation of the engine, the style of brakes, and the size of the tires have no effect on how you interface with the class definition of the pedals.
    The final attribute, polymorphism, is clearly reflected in the ability of car manufacturers to offer a wide array of options on basically the same vehicle. For example, you can get an antilock braking system or traditional brakes, power or rack-and-pinion steering, and 4-, 6-, or 8-cylinder engines. Either way, you will still press the brake pedal to stop, turn the steering wheel to change direction, and press the accelerator when you want to move. The same interface can be used to control a number of different implementations.
    As you can see, it is through the application of encapsulation, inheritance, and polymorphism that the individual parts are transformed into the object known as a car. The same is also true of computer programs. By the application of object-oriented principles, the various parts of a complex program can be brought together to form a cohesive, robust, maintainable whole.
    As mentioned at the start of this section, every Java program is object-oriented. Or, put more precisely, every Java program involves encapsulation, inheritance, and polymorphism. Although the short example programs shown in the rest of this chapter and in the next few chapters may not seem to exhibit all of these features, they are nevertheless present. As you
     
    will see, many of the features supplied by Java are part of its built-in class libraries, which do make extensive use of encapsulation, inheritance, and polymorphism.
    A First Simple Program
    Now that the basic object-oriented underpinning of Java has been discussed, let's look at some actual Java programs. Let's start by compiling and running the short sample program shown here. As you will see, this involves a little more work than you might imagine.
    /*
    This is a simple Java program. Call this file "Example.java".
    */
    class Example {
    // Your program begins with a call to main(). public static void main(String args[]) {
    System.out.println("This is a simple Java program.");
    }
    }

    NOTE The descriptions that follow use the standard Java SE 7 Development Kit (JDK 7), which is available from Oracle. If you are using a different Java development environment, then you may need to follow a different procedure for compiling and executing Java programs. In this case, consult your compiler's documentation for details.
    Entering the Program
    For most computer languages, the name of the file that holds the source code to a program is immaterial. However, this is not the case with Java. The first thing that you must learn about Java is that the name you give to a source file is very important. For this example,
    the name of the source file should be Example.java. Let's see why.
    In Java, a source file is officially called a compilation unit. It is a text file that contains (among other things) one or more class definitions. (For now, we will be using source files that contain only one class.) The Java compiler requires that a source file use the .java filename extension.
    As you can see by looking at the program, the name of the class defined by the program is also Example. This is not a coincidence. In Java, all code must reside inside a class. By convention, the name of the main class should match the name of the file that holds the program. You should also make sure that the capitalization of the filename matches the class name. The reason for this is that Java is case-sensitive. At this point, the convention that filenames correspond to class names may seem arbitrary. However, this convention makes it easier to maintain and organize your programs.
    Compiling the Program
    To compile the Example program, execute the compiler, javac, specifying the name of the source file on the command line, as shown here:
    C:\>javac Example.java
    The javac compiler creates a file called Example.class that contains the bytecode version of the program. As discussed earlier, the Java bytecode is the intermediate representation of
     
    your program that contains instructions the Java Virtual Machine will execute. Thus, the output of javac is not code that can be directly executed.
    To actually run the program, you must use the Java application launcher called java. To do so, pass the class name Example as a command-line argument, as shown here:
    C:\>java Example

    When the program is run, the following output is displayed:

    This is a simple Java program.

    When Java source code is compiled, each individual class is put into its own output file named after the class and using the .class extension. This is why it is a good idea to give your Java source files the same name as the class they contain—the name of the source file will match the name of the .class file. When you execute java as just shown, you are actually specifying the name of the class that you want to execute. It will automatically search for a file by that name that has the .class extension. If it finds the file, it will execute the code contained in the specified class.
    A Closer Look at the First Sample Program
    Although Example.java is quite short, it includes several key features that are common to all Java programs. Let's closely examine each part of the program.
    The program begins with the following lines:

    /*
    This is a simple Java program. Call this file "Example.java".
    */
    This is a comment. Like most other programming languages, Java lets you enter a remark into a program's source file. The contents of a comment are ignored by the compiler. Instead, a comment describes or explains the operation of the program to anyone who is reading its source code. In this case, the comment describes the program and reminds you that the source file should be called Example.java. Of course, in real applications, comments generally explain how some part of the program works or what a specific feature does.
    Java supports three styles of comments. The one shown at the top of the program is called a multiline comment. This type of comment must begin with /* and end with */. Anything between these two comment symbols is ignored by the compiler. As the name suggests, a multiline comment may be several lines long.
    The next line of code in the program is shown here:

    class Example {

    This line uses the keyword class to declare that a new class is being defined. Example is an identifier that is the name of the class. The entire class definition, including all of its members, will be between the opening curly brace ({) and the closing curly brace (}). For the moment, don't worry too much about the details of a class except to note that in Java,
    all program activity occurs within one. This is one reason why all Java programs are (at least a little bit) object-oriented.
     
    The next line in the program is the single-line comment, shown here:

    // Your program begins with a call to main().

    This is the second type of comment supported by Java. A single-line comment begins with a // and ends at the end of the line. As a general rule, programmers use multiline comments for longer remarks and single-line comments for brief, line-by-line descriptions. The third type of comment, a documentation comment, will be discussed in the "Comments" section later in this chapter.
    The next line of code is shown here:

    public static void main(String args[ ]) {

    This line begins the main( ) method. As the comment preceding it suggests, this is the line at which the program will begin executing. All Java applications begin execution by calling main( ). The full meaning of each part of this line cannot be given now, since it involves a detailed understanding of Java's approach to encapsulation. However, since most of the examples in the first part of this book will use this line of code, let's take a brief look at each part now.
    The public keyword is an access modifier, which allows the programmer to control the visibility of class members. When a class member is preceded by public, then that member may be accessed by code outside the class in which it is declared. (The opposite of public is private, which prevents a member from being used by code defined outside of its class.) In this case, main( ) must be declared as public, since it must be called by code outside of its class when the program is started. The keyword static allows main( ) to be called without having to instantiate a particular instance of the class. This is necessary since main( ) is called by the Java Virtual Machine before any objects are made. The keyword void simply tells the compiler that main( ) does not return a value. As you will see, methods may also return values. If all this seems a bit confusing, don't worry. All of these concepts will be discussed in detail in subsequent chapters.
    As stated, main( ) is the method called when a Java application begins. Keep in mind that Java is case-sensitive. Thus, Main is different from main. It is important to understand that the Java compiler will compile classes that do not contain a main( ) method. But java has no way to run these classes. So, if you had typed Main instead of main, the compiler would still compile your program. However, java would report an error because it would be unable to find the main( ) method.
    Any information that you need to pass to a method is received by variables specified within the set of parentheses that follow the name of the method. These variables are called parameters. If there are no parameters required for a given method, you still need to include the empty parentheses. In main( ), there is only one parameter, albeit a complicated one.
    String args[ ] declares a parameter named args, which is an array of instances of the class String. (Arrays are collections of similar objects.) Objects of type String store character strings. In this case, args receives any command-line arguments present when the program is executed. This program does not make use of this information, but other programs shown later in this book will.
    The last character on the line is the {. This signals the start of main( )'s body. All of the code that comprises a method will occur between the method's opening curly brace and its closing curly brace.
     
    One other point: main( ) is simply a starting place for your program. A complex program will have dozens of classes, only one of which will need to have a main( ) method to get things started. Furthermore, in some cases, you won't need main( ) at all. For example, when creating applets—Java programs that are embedded in web browsers—you won't use main( ) since the web browser uses a different means of starting the execution of applets.
    The next line of code is shown here. Notice that it occurs inside main( ).

    System.out.println("This is a simple Java program.");

    This line outputs the string "This is a simple Java program." followed by a new line on the screen. Output is actually accomplished by the built-in println( ) method. In this case, println( ) displays the string which is passed to it. As you will see, println( ) can be used to display other types of information, too. The line begins with System.out. While too complicated to explain in detail at this time, briefly, System is a predefined class that provides access to the system, and out is the output stream that is connected to the console.
    As you have probably guessed, console output (and input) is not used frequently in most real-world Java applications. Since most modern computing environments are windowed and graphical in nature, console I/O is used mostly for simple utility programs, demonstration programs, and server-side code. Later in this book, you will learn other ways to generate output using Java. But for now, we will continue to use the console I/O methods.
    Notice that the println( ) statement ends with a semicolon. All statements in Java end with a semicolon. The reason that the other lines in the program do not end in a semicolon is that they are not, technically, statements.
    The first } in the program ends main( ), and the last } ends the Example class definition.

    A Second Short Program
    Perhaps no other concept is more fundamental to a programming language than that of a variable. As you probably know, a variable is a named memory location that may be assigned a value by your program. The value of a variable may be changed during the execution of the program. The next program shows how a variable is declared and how it is assigned a value. The program also illustrates some new aspects of console output. As the comments
    at the top of the program state, you should call this file Example2.java.

    /*
    Here is another short example. Call this file "Example2.java".
    */

    class Example2 {
    public static void main(String args []) {
    int num; // this declares a variable called num num = 100; // this assigns num the value 100 System.out.println("This is num: " + num);
    num = num * 2;

    System.out.print("The value of num * 2 is ");
     
    System.out.println(num);
    }
    }
    When you run this program, you will see the following output:
    This is num: 100
    The value of num * 2 is 200

    Let's take a close look at why this output is generated. The first new line in the program is shown here:
    int num; // this declares a variable called num

    This line declares an integer variable called num. Java (like most other languages) requires that variables be declared before they are used.
    Following is the general form of a variable declaration:
    type var-name;
    Here, type specifies the type of variable being declared, and var-name is the name of the variable. If you want to declare more than one variable of the specified type, you may use a comma-separated list of variable names. Java defines several data types, including integer, character, and floating-point. The keyword int specifies an integer type.
    In the program, the line
    num = 100; // this assigns num the value 100

    assigns to num the value 100. In Java, the assignment operator is a single equal sign.
    The next line of code outputs the value of num preceded by the string "This is num:".
    System.out.println("This is num: " + num);

    In this statement, the plus sign causes the value of num to be appended to the string that precedes it, and then the resulting string is output. (Actually, num is first converted from an integer into its string equivalent and then concatenated with the string that precedes it. This process is described in detail later in this book.) This approach can be generalized. Using the + operator, you can join together as many items as you want within a single println( ) statement.
    The next line of code assigns num the value of num times 2. Like most other languages, Java uses the * operator to indicate multiplication. After this line executes, num will contain the value 200.
    Here are the next two lines in the program:
    System.out.print ("The value of num * 2 is "); System.out.println (num);
    Several new things are occurring here. First, the built-in method print( ) is used to display the string "The value of num * 2 is ". This string is not followed by a newline. This means that when the next output is generated, it will start on the same line. The print( ) method is just like println( ), except that it does not output a newline character after each call. Now look at the call to println( ). Notice that num is used by itself. Both print( ) and println( ) can be used to output values of any of Java's built-in types.
     
    Two Control Statements
    Although Chapter 5 will look closely at control statements, two are briefly introduced here so that they can be used in example programs in Chapters 3 and 4. They will also help illustrate an important aspect of Java: blocks of code.
    The if Statement
    The Java if statement works much like the IF statement in any other language. Further, it is syntactically identical to the if statements in C, C++, and C#. Its simplest form is shown here:
    if(condition) statement;
    Here, condition is a Boolean expression. If condition is true, then the statement is executed. If condition is false, then the statement is bypassed. Here is an example:

    if(num < 100) System.out.println("num is less than 100");

    In this case, if num contains a value that is less than 100, the conditional expression is true, and println( ) will execute. If num contains a value greater than or equal to 100, then the println( ) method is bypassed.
    As you will see in Chapter 4, Java defines a full complement of relational operators which may be used in a conditional expression. Here are a few:

    Operator Meaning
    < Less than
    > Greater than
    == Equal to

    Notice that the test for equality is the double equal sign. Here is a program that illustrates the if statement:
    /*
    Demonstrate the if.

    Call this file "IfSample.java".
    */
    class IfSample {
    public static void main(String args[]) { int x, y;

    x = 10;
    y = 20;
    if(x < y) System.out.println("x is less than y"); x = x * 2;
    if(x == y) System.out.println("x now equal to y");
     
    x = x * 2;
    if(x > y) System.out.println("x now greater than y");

    // this won't display anything
    if(x == y) System.out.println("you won't see this");
    }
    }
    The output generated by this program is shown here:
    x is less than y x now equal to y
    x now greater than y
    Notice one other thing in this program. The line
    int x, y;

    declares two variables, x and y, by use of a comma-separated list.
    The for Loop
    As you may know from your previous programming experience, loop statements are an important part of nearly any programming language. Java is no exception. In fact, as you will see in Chapter 5, Java supplies a powerful assortment of loop constructs. Perhaps the most versatile is the for loop. The simplest form of the for loop is shown here:
    for(initialization; condition; iteration) statement;
    In its most common form, the initialization portion of the loop sets a loop control variable to an initial value. The condition is a Boolean expression that tests the loop control variable. If the outcome of that test is true, the for loop continues to iterate. If it is false, the loop terminates. The iteration expression determines how the loop control variable is changed each time the loop iterates. Here is a short program that illustrates the for loop:
    /*
    Demonstrate the for loop.

    Call this file "ForTest.java".
    */
    class ForTest {
    public static void main(String args[]) { int x;

    for(x = 0; x<10; x = x+1) System.out.println("This is x: " + x);
    }
    }
    This program generates the following output:
    This is x: 0 This is x: 1 This is x: 2 This is x: 3
     
    This is x: 4 This is x: 5 This is x: 6 This is x: 7 This is x: 8 This is x: 9
    In this example, x is the loop control variable. It is initialized to zero in the initialization portion of the for. At the start of each iteration (including the first one), the conditional test x < 10 is performed. If the outcome of this test is true, the println( ) statement is executed, and then the iteration portion of the loop is executed. This process continues until the conditional test is false.
    As a point of interest, in professionally written Java programs you will almost never see the iteration portion of the loop written as shown in the preceding program. That is, you will seldom see statements like this:
    x = x + 1;

    The reason is that Java includes a special increment operator which performs this operation more efficiently. The increment operator is ++. (That is, two plus signs back to back.) The increment operator increases its operand by one. By use of the increment operator, the preceding statement can be written like this:
    x++;

    Thus, the for in the preceding program will usually be written like this:
    for(x = 0; x<10; x++)

    You might want to try this. As you will see, the loop still runs exactly the same as it did before.
    Java also provides a decrement operator, which is specified as – –. This operator decreases its operand by one.

    Using Blocks of Code
    Java allows two or more statements to be grouped into blocks of code, also called code blocks. This is done by enclosing the statements between opening and closing curly braces. Once a block of code has been created, it becomes a logical unit that can be used any place that a single statement can. For example, a block can be a target for Java's if and for statements. Consider this if statement:
    if(x < y) { // begin a block x = y;
    y = 0;
    } // end of block

    Here, if x is less than y, then both statements inside the block will be executed. Thus, the two statements inside the block form a logical unit, and one statement cannot execute without the other also executing. The key point here is that whenever you need to logically link two or more statements, you do so by creating a block.
     
    Let's look at another example. The following program uses a block of code as the target of a for loop.

    /*
    Demonstrate a block of code.

    Call this file "BlockTest.java"
    */
    class BlockTest {
    public static void main(String args[]) { int x, y;

    y = 20;

    // the target of this loop is a block for(x = 0; x<10; x++) {
    System.out.println("This is x: " + x); System.out.println("This is y: " + y); y = y - 2;
    }
    }
    }

    The output generated by this program is shown here:

    This is x: 0
    This is y: 20
    This is x: 1
    This is y: 18
    This is x: 2
    This is y: 16
    This is x: 3
    This is y: 14
    This is x: 4
    This is y: 12
    This is x: 5
    This is y: 10
    This is x: 6
    This is y: 8
    This is x: 7
    This is y: 6
    This is x: 8
    This is y: 4
    This is x: 9
    This is y: 2
    In this case, the target of the for loop is a block of code and not just a single statement. Thus, each time the loop iterates, the three statements inside the block will be executed. This fact is, of course, evidenced by the output generated by the program.
    As you will see later in this book, blocks of code have additional properties and uses.
    However, the main reason for their existence is to create logically inseparable units of code.
     
    Lexical Issues
    Now that you have seen several short Java programs, it is time to more formally describe the atomic elements of Java. Java programs are a collection of whitespace, identifiers, literals, comments, operators, separators, and keywords. The operators are described in the next chapter. The others are described next.
    Whitespace
    Java is a free-form language. This means that you do not need to follow any special indentation rules. For instance, the Example program could have been written all on one line or in any other strange way you felt like typing it, as long as there was at least one whitespace character between each token that was not already delineated by an operator or separator. In Java, whitespace is a space, tab, or newline.
    Identifiers
    Identifiers are used to name things, such as classes, variables, and methods. An identifier may be any descriptive sequence of uppercase and lowercase letters, numbers, or the underscore and dollar-sign characters. (The dollar-sign character is not intended for general use.) They must not begin with a number, lest they be confused with a numeric literal. Again, Java is case-sensitive, so VALUE is a different identifier than Value. Some examples of valid identifiers are

    AvgTemp count a4 $test this_is_ok

    Invalid identifier names include these:

    2count high-temp Not/ok

    Literals
    A constant value in Java is created by using a literal representation of it. For example, here are some literals:

    100 98.6 'X' "This is a test"

    Left to right, the first literal specifies an integer, the next is a floating-point value, the third is a character constant, and the last is a string. A literal can be used anywhere a value of its type is allowed.
    Comments
    As mentioned, there are three types of comments defined by Java. You have already seen two: single-line and multiline. The third type is called a documentation comment. This type of comment is used to produce an HTML file that documents your program. The documentation comment begins with a /** and ends with a */. Documentation comments are explained in the Appendix.
     
    Separators
    In Java, there are a few characters that are used as separators. The most commonly used separator in Java is the semicolon. As you have seen, it is used to terminate statements. The separators are shown in the following table:

    Symbol Name Purpose
    ( ) Parentheses Used to contain lists of parameters in method definition and invocation. Also used for defining precedence in expressions, containing expressions in control statements, and surrounding cast types.
    { } Braces Used to contain the values of automatically initialized arrays. Also used to define a block of code, for classes, methods, and local scopes.
    [ ] Brackets Used to declare array types. Also used when dereferencing array values.
    ; Semicolon Terminates statements.
    , Comma Separates consecutive identifiers in a variable declaration. Also used to chain statements together inside a for statement.
    . Period Used to separate package names from subpackages and classes. Also used to separate a variable or method from a reference variable.
    The Java Keywords
    There are 50 keywords currently defined in the Java language (see Table 2-1). These keywords, combined with the syntax of the operators and separators, form the foundation of the Java language. These keywords cannot be used as identifiers. Thus, they cannot be used as names for a variable, class, or method.
    The keywords const and goto are reserved but not used. In the early days of Java, several other keywords were reserved for possible future use. However, the current specification for Java defines only the keywords shown in Table 2-1.


    abstract continue for new switch
    assert default goto package synchronized
    boolean do if private this
    break double implements protected throw
    byte else import public throws
    case enum instanceof return transient
    catch extends int short try
    char final interface static void
    class finally long strictfp volatile
    const float native super while
    Table 2-1 Java Keywords
     
    In addition to the keywords, Java reserves the following: true, false, and null. These are values defined by Java. You may not use these words for the names of variables, classes, and so on.

    The Java Class Libraries
    The sample programs shown in this chapter make use of two of Java's built-in methods: println( ) and print( ). As mentioned, these methods are members of the System class, which is a class predefined by Java that is automatically included in your programs. In the larger view, the Java environment relies on several built-in class libraries that contain many built-in methods that provide support for such things as I/O, string handling, networking, and graphics. The standard classes also provide support for windowed output. Thus, Java as a totality is a combination of the Java language itself, plus its standard classes. As you will see, the class libraries provide much of the functionality that comes with Java. Indeed, part of becoming a Java programmer is learning to use the standard Java classes. Throughout Part I of this book, various elements of the standard library classes and methods are described as needed. In Part II, the class libraries are described in detail.

    @£V£RYTHING NT

    More information


    1. Blackhat Hacking
    2. Cómo Se Escribe Hacker
    3. Definicion De Hacker
    4. Life Hacking

    Kali Linux VM Installation And Setup

    Preface

    From time to time I realize that certain tasks that are trivial for me are not necessarily easy for others, especially if they are just getting started with IT security stuff.

    As I am going to be a Facilitator at SANS Munich 2015 on SEC 401, plus we have a few people at work who are just dipping their toe into the wonderful world of Kali Linux, it seemed like a good opportunity to make a short getting started / installation guide on the Kali VMWare VMs that you can download and quickly get started.

    On top of that, when I check the statistics of the blog, I always see that the most popular posts are the detailed howtos and tutorials and I assume that it is because there is a need for this kind of posts too, so here it goes! :)


    Step -1: Check in your BIOS/UEFI if virtualization is enabled

    We are going to use virtualization, so it would be nice to enable it, right?

    In BIOS/UEFI menus this is somewhere around "Security" and/or "Virtualization" and it is something like "Intel (R) Virtualization Technology" and "Intel (R) VT-d Feature" that needs to be set to "Enabled".


    Step 0: Install VMWare Player or VMWare Workstation

    The Kali Linux VMs are VMWare-based, so you need to install VMWare Player (free), VMWare Workstation (paid) or VMWare Fusion (paid, for OS-X).

    The more desirable choice is to use VMWare Workstation or VMWare Fusion, as they have a Snapshot feature, while with VMWare Player, you are forced to take a full copy in order to have a sort of rollback feature.


    Step 1: Download Kali VM

    We need to download the Kali VMs from the "Custom Kali Images" download site, where you can find a 64 bit (amd64) and a 32 bit PAE (i686) too.

    There are also Torrent files for the images and based on experience, using Torrent is much more faster and reliable than the HTTP download, so if you can, use that!

    Once you have downloaded the VMs, do not forget to check their SHA1 hash!!! On Linux, you can simply use the sha1sum command at a terminal. For Windows, you can use something like the MD5 & SHA Checksum Utility.


    Step 2: Change Kali VM default root password

    The Kali VM comes with a preset root password, which is "toor" (without the quotes), therefore, it has to be changed.

    Here is how you do it:
    root@kali:~# passwd
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully


    Step 3: Change Kali VM default SSH keys

    The Kali VM also comes with SSH preinstalled, so we need to change the SSH keys to avoid SSH MiTM attacks.
    Here is how you do it:
    root@kali:~# cd /etc/ssh/
    root@kali:/etc/ssh# mkdir default_kali_keys
    root@kali:/etc/ssh# mv ssh_host_* default_kali_keys/
    root@kali:/etc/ssh# dpkg-reconfigure openssh-server
    Creating SSH2 RSA key; this may take some time ...
    Creating SSH2 DSA key; this may take some time ...
    Creating SSH2 ECDSA key; this may take some time ...
    insserv: warning: current start runlevel(s) (empty) of script `ssh' overrides LSB defaults (2 3 4 5).
    insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overrides LSB defaults (empty).

    Now we can check if the keys are really changed:

    root@kali:/etc/ssh# md5sum /etc/ssh/*key*
    md5sum: /etc/ssh/default_kali_keys: Is a directory
    6abe210732068fa7ca95854c3078dba5 /etc/ssh/ssh_host_dsa_key
    1b5f3c1a1b5c48cc3cce31b116e8b6f8 /etc/ssh/ssh_host_dsa_key.pub
    8f0f60855e5ab8cac8103d64faab090f /etc/ssh/ssh_host_ecdsa_key
    aace49ae9236815c9a1672f8ecb2b1e2 /etc/ssh/ssh_host_ecdsa_key.pub
    cf861a9f743fb4584ab246024465ddf1 /etc/ssh/ssh_host_rsa_key
    d5d65d8ad023a6cb1418ae05007bc6d3 /etc/ssh/ssh_host_rsa_key.pub
    root@kali:/etc/ssh# md5sum /etc/ssh/default_kali_keys/*key*
    c8d5b82320a4ddde59d0e2b6d9aad42a /etc/ssh/default_kali_keys/ssh_host_dsa_key
    6b12ddecd463677cde8097e23d0f219a /etc/ssh/default_kali_keys/ssh_host_dsa_key.pub
    fecf056571a3dfbf3635fc2c50bf23c5 /etc/ssh/default_kali_keys/ssh_host_ecdsa_key
    e44b7c50635de42e89b3297414f5047d /etc/ssh/default_kali_keys/ssh_host_ecdsa_key.pub
    e9e0267484e020878e00a9360b77d845 /etc/ssh/default_kali_keys/ssh_host_rsa_key
    ceee93d7bbc9f9b9706e18f23d4e81f1 /etc/ssh/default_kali_keys/ssh_host_rsa_key.pub

    Step 4: Update Kali VM

    Next you need to update your Kali VM so that everything is patched.

    Here is how you do it:

    root@kali:~# apt-get update
    Get 1 http://http.kali.org kali Release.gpg [836 B]
    Get:2 http://security.kali.org kali/updates Release.gpg [836 B]
    ********************************* SNIP *********************************
    Fetched 16.7 MB in 14s (1,190 kB/s)
    Reading package lists... Done
    root@kali:~# apt-get upgrade
    eading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages have been kept back:
    ********************************* SNIP *********************************
    The following packages will be upgraded:
    ********************************* SNIP *********************************
    241 upgraded, 0 newly installed, 0 to remove and 16 not upgraded.
    Need to get 740 MB of archives.
    After this operation, 130 MB disk space will be freed.
    Do you want to continue [Y/n]? Y
    Get:1 http://security.kali.org/kali-security/ kali/updates/main libc6-i386 amd64 2.13-38+deb7u7 [4,044 kB]
    Get:2 http://http.kali.org/kali/ kali/main base-files amd64 1:1.1.0 [77.5 kB]
    ********************************* SNIP *********************************
    root@kali:~#


    Step 5: Create a Snapshot/Copy the VM

    Once you are done with all the above, you can make a Snapshot in case of VMWare Workstation or copy the files of the VM in case of VMWare Player, so that you can roll back to this clean stat in case you misconfigure something.

    Hope this was helpful. Happy hacking!


    Related articles