Barcamp 2009-Ninjitsu Attack Hack For Fun and Profit
1. Ninjitsu Attack: Hack for Fun and Profit
Prathan Phongthiproek
ACIS Professional Center
Information Security Consultant
May 24th, 2009
2. What I’ve done?
Penetration Testing (BlackBox and WhiteBox)
Security Consultant
Active Security Researcher for Fun (and Profit)
Devoted Hacker
Exploits and Vulnerabilities Disclosure (CWH Underground)
Hacking and Security Papers (WebApp, Wireless, OS)
Comments, Feedback ? >> prathan.ptr@gmail.com
(Don’t spam mail !! lol)
#w
03:19:18 up 1 min, 1 user, load average: 1.73, 0.71, 0.26
USER TTY FROM LOGIN@ IDLE JCPU PCPU
prathan phongthiproek tty1 - 03:18 0.00s 0.08s 0.01s
3. Overview
Exploit CMS Vulnerabilities
Web Browser’s Passive Attack
Wifi-Ninjitsu Attack For Profit
Lock Picking: Owned The Key
Other Techniques (Something Evil)
4. Exploit CMS Vulnerabilities
A content management system (CMS) is a computer application used to
create, edit, manage, and publish content in a consistently organized
fashion.
12. How to protect against CMS hacking
Obey the installer, and remove the /installation directory after install.
Security issues are primarily caused by faulty third-party extensions.
Monitor HTTPD logs, bandwidth logs, and search terms for your
site, in addition to traditional Linux intrusion detection and defense
techniques, to catch emerging threats before they hit your site.
Always patch to the new version!!
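One way to act on the log-monitoring and /installation advice above, as an added example that is not part of the original slides. It assumes Apache-style combined access logs; the sample lines, the function name and the byte threshold are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format: host ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not from a real site.
SAMPLE_LOG = '''\
198.51.100.7 - - [24/May/2009:03:19:18 +0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/May/2009:03:20:01 +0700] "GET /installation/index.php HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
203.0.113.9 - - [24/May/2009:03:20:05 +0700] "POST /installation/index.php HTTP/1.1" 200 930 "-" "Mozilla/5.0"
198.51.100.7 - - [24/May/2009:03:21:40 +0700] "GET /installation/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.9 - - [24/May/2009:03:22:10 +0700] "GET /backup.zip HTTP/1.1" 200 7340032 "-" "Mozilla/5.0"
this line is malformed and must be skipped
'''

def review_access_log(text, installer_prefix="/installation", byte_limit=5_000_000):
    """Flag answered installer requests and clients exceeding byte_limit."""
    installer_hits = []          # requests the installer directory actually served
    bytes_by_host = Counter()    # rough per-client bandwidth from the same log
    skipped = 0                  # unparseable lines are counted, never ignored silently
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        bytes_by_host[m["host"]] += 0 if m["bytes"] == "-" else int(m["bytes"])
        path = m["path"].split("?", 1)[0].lower()
        under_installer = path == installer_prefix or path.startswith(installer_prefix + "/")
        # A 2xx/3xx answer under the installer path means the directory was never removed.
        if under_installer and m["status"][0] in "23":
            installer_hits.append((m["host"], m["method"], m["path"], int(m["status"])))
    heavy = {h: b for h, b in bytes_by_host.items() if b > byte_limit}
    return {"installer_hits": installer_hits, "heavy_clients": heavy, "skipped": skipped}

if __name__ == "__main__":
    report = review_access_log(SAMPLE_LOG)
    for hit in report["installer_hits"]:
        print("installer still reachable:", hit)
    print("heavy clients:", report["heavy_clients"], "| skipped lines:", report["skipped"])
```

A 404 on /installation/ is not flagged, since it shows the directory is already gone; only requests the server actually answered are reported.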
17. Wifi-Ninjitsu Attack For Profit
Rogue AP (Evil Twin): Steal usernames, passwords and information
from public wireless hotspots.
Why don’t we steal something evil like credit cards (Pay to Play)??
Can we exploit the victim machine through a web browser vuln or MS08-067
(Conficker worm)??
18. Wifi-Ninjitsu Attack For Profit
Rogue AP (Evil Twin): Steal usernames, passwords and
information from public wireless hotspots.
19. Wifi-Ninjitsu Attack For Profit
Can we exploit the victim machine through a web browser
vuln or MS08-067 (Conficker worm)??
20. Lock Picking: Owned The Key
Locks are not complicated mechanisms
Most locks are wildly easy to pick
Unpickable doesn’t mean invulnerable