The Dark Arts of Hacking.

Explaining the arts of hacking.


  1. Hacking: The Dark Arts (Wednesday, February 4, 2009)
  2. About Speaker
     – Speaker @ JavaOne, NFJS, Devcon, Borcon
     – Sun Certified Java 2 Architect
     – Instructor for VisiBroker for Java, OOAD, Rational Rose, and Java Development
     – JBoss Certified Developer
     – Professor – Sipe
  3. Agenda
     – Security Landscape
     – Hacking Philosophy – The Sorting Hat
     – Information Gathering
       • Information leak
       • Finding the exploits
     – Security Threats
       • Brute Force
       • XSS
       • SQL Injection
     – Dos and Don’ts
     – Summary
  4. Security Statistics
     – Gartner
       • 75% of all attacks are directed at the web application layer
       • 2/3 of all web applications are vulnerable
       • 80% of organizations will experience an application security incident by 2010
     – IBM
       • 10% of IT dollars are spent on web application security
     – Mitre
       • XSS and SQL Injection are #1 and #2 reported vulnerabilities
  5. Alarming Truth
     – “Approximately 100 million Americans have been informed that they have suffered a security breach so this problem has reached epidemic proportions.” – Jon Oltsik, Enterprise Strategy Group
     – “Up to 21,000 loan clients may have had data exposed” – Marcella Bombardieri, Globe Staff, August 24, 2006
     – “Personal information stolen from 2.2 million active-duty members of the military, the government said…” – New York Times, June 7, 2006
     – “Hacker may have stolen personal identifiable information for 26,000 employees..” – ComputerWorld, June 22, 2006
  6. High Level Application Architecture
  7. Top 07 Security Issues
  8. Hacking Philosophy
  9. Sorting Hat
     – Black hat – Has the advantage
     – Grey hat
     – White hat – Threat Modeling
  10. Black Hatters
     – Script Kiddies
     – Disgruntled Employees
     – Whackers
     – Software Crackers
     – Cyber Criminals
     – System Hackers
  11. Black Hat Approach
     – Information Gathering
       • Sometimes targeted on a “client”
       • Sometimes targeting a vulnerability
     – Scanning
       • Network mapping
       • Ports
     – Gaining Access
     – Elevate Privileges
     – Cover Tracks
  12. White Hat Approach
     – Assess – Threat Modeling
     – Policies
     – Implement / Train
     – Audit
  13. Security Consequences (chart axes: Security and Usability, each from low to high)
  14. Black Hat Principles
     – Inside Out Access
     – Most People
       • Like free stuff!
       • Are curious
       • Are not security savvy
       • Choose usability over security
       • Choose performance over security
     – Expense
       • Too costly to secure everything
  15. Hacker: John Draper – “Captain Crunch”
     – Toy whistle provides free long distance calling
  16. Information Gathering
     – Determine Target
       • Looking for an opportunity: Sans.org, or …
       • Targeting a “customer”
     – Google Magic
  17. Google Advanced Operators
     – Cache: Info: Intext: Intitle: Inurl: Link: Filetype: Site: …
     – Looking for a cgi opportunity: allinurl:/index.cgi
     – Looking for 2000 IIS 5? "Microsoft-IIS/5.0 server at" intitle:index.of
     – Apache Tomcat: "Apache Tomcat/" intitle:index.of
     – Specific Version of Apache: "Apache/2.0.45 server at" intitle:index.of
     – Password anyone: inurl:config.php dbuname dbpass; "Welcome to phpMyAdmin" "Create new database"
     – Perhaps you’re only looking for the government: site:gov; site:mil filetype:xls "attendance"
     – http://www.googleguide.com/advanced_operators.html
  18. Trolling for Users
     – "@gmail.com" -www.gmail.com
     – filetype:reg intext:"internet account manager"
     – filetype:xls inurl:"email.xls"
     – inurl:admin inurl:userlist
     – "index of" lck + intext:webalizer + intext:Total Usernames + intext:"Usage Statistics for"
     – filetype:reg reg HKEY_CURRENT_USER username
  19. Trolling for Passwords
     – filetype:htpasswd htpasswd – HTTP htpasswd
     – "http://*:*@www" pmjones: – HTTP htpasswd
     – filetype:config config intext:appSettings "User ID" – .Net app credentials
     – intitle:"index of" intext:connect.inc
     – intitle:"index of" intext:globals.inc – MySQL
     – filetype:ini inurl:ws_ftp
     – filetype:inc intext:mysql_connect – Php / mysql
  20. Network Mapping
     – site:google.com -www.google.com
     – Dns lookup… or ping
     – Looking for admins: Ip search, Whois
     – Easy Way: http://toolbar.netcraft.com/site_report
  21. Targeting
     – http://secunia.com/product/4021/?task=advisories_2004
       • Issue with CubeCart 2.0.1
       • Issue reported 10-10-2004
     – Google search: "Powered by CubeCart 2.0.1" – 16,400 hits 02-13-2008
  22. Hacker: Captain Midnight – John MacDougall
     – Knocked HBO off the air for 4 ½ hours
  23. Parameter Tampering
  24. Brute Force
     – Automated Trial and Error
  25. Cross Site Scripting (XSS)
     – Malicious script echoed back in browser
     – Consequence:
       • Internet Worm (MySpace, Meebo)
       • Session Tokens stolen
       • Future surfing compromised
  26. XSS Testing
     – Submit a simple <script>alert(document.cookie)</script> to a web page
     – If alert pops, life is good! Or bad
       • Just depends on if you’re a white hat or black hat
  27. XSS Details
     – Common: Search, Error Pages, Returned Forms
     – Aiding Technologies: AJAX, Flash, IFrame
  28. XSS – The Exploit
     1. Link to Account in email
     2. Embedded script sent to target
     3. Script executed on client browser
     4. Script provides cookie and session data
     5. Hacker uses credentials
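Slides 25–28 describe reflected XSS as script "echoed back" by the page and the cookie theft that follows. The example below is added here and is not from the deck: it renders a search page two ways, once echoing the term raw and once HTML-encoding it, runs the deck's own probe string through both, and shows the cookie attribute that keeps a session token out of `document.cookie`. The page template, the `reflects_probe` check and the `session` cookie name are assumptions made for the illustration.

```python
import html

# The deck's probe string (slide 26). It is harmless by itself; it only reveals
# whether a page echoes input back to the browser without encoding it.
XSS_PROBE = "<script>alert(document.cookie)</script>"


def render_search_vulnerable(query: str) -> str:
    """Reflects the search term into the page as-is: the 'echoed back' flaw."""
    return "<p>Results for: " + query + "</p>"


def render_search_safe(query: str) -> str:
    """Same page, but the term is HTML-encoded before it reaches the browser,
    so '<' becomes '&lt;' and the browser never sees a script tag."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def reflects_probe(render, probe: str = XSS_PROBE) -> bool:
    """White-hat check: does the rendered page still contain the raw probe?

    A real test watches for the alert in a browser; here we test whether the
    <script> tag survives rendering, which is exactly what makes the alert fire.
    """
    return probe in render(probe)


def session_cookie_header(token: str) -> str:
    """Set-Cookie value that keeps the session token out of document.cookie.

    HttpOnly stops script, injected or not, from reading the cookie, which
    blunts step 4 of the exploit chain on slide 28. Secure and SameSite are the
    usual companions. The cookie name 'session' is assumed for the example.
    """
    return "session=" + token + "; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    print("raw page reflects probe:    ", reflects_probe(render_search_vulnerable))
    print("encoded page reflects probe:", reflects_probe(render_search_safe))
    print(render_search_safe(XSS_PROBE))
    print(session_cookie_header("EXAMPLE_TOKEN"))
```

Output encoding is applied at the point where data meets HTML, not on input, because the same search term may later be written into a URL, a JavaScript string or a SQL query, each of which needs its own encoding. HttpOnly does not stop the script from running; it only removes the cookie from what a successful injection can read.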
  29. XSS Testing
  30. Cookie Poison
  31. SQL Injection Discovery
     – Username: '
     – Password: a
  32. SQL Inject Errors
  33. SQL Inject Yourself In…
     – Username: access' or 1=1 --
     – Password: a
  34. SQL Inject Yourself In
  35. SQL Inject Answers from Errors
     – ' having 1=1 --
     – ' group by login.primarykey having 1=1 --
     – ' union select min(username),1,1,1,1 from login where username > 'a'--
  36. SQL Injection: Want a Password?
     – 'union select min(password),1,1,1,1 from login where username = 'ab***ilr'--
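Slides 31–36 show a lone quote producing a database error (the discovery step) and `access' or 1=1 --` logging the attacker in. The example below is added here and is not from the deck: it builds a tiny in-memory `login` table (constructed rows; the table name follows the deck's queries), implements the login check once by string concatenation and once with bound parameters, and shows that the deck's inputs only work against the concatenated form and that only the concatenated form leaks an error message. SQLite is used so the example runs stand-alone; the column names and sample users are assumptions.

```python
import sqlite3


def make_login_db() -> sqlite3.Connection:
    """Constructed sample data: a 'login' table with two made-up accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (primarykey INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO login (username, password) VALUES (?, ?)",
        [("access", "s3cret"), ("alice", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by concatenation, so user input becomes SQL text.

    With username "access' or 1=1 --" the WHERE clause becomes
    username = 'access' or 1=1 and the rest is commented out, so the
    password check never runs and the first row is returned.
    """
    sql = (
        "SELECT username FROM login WHERE username = '" + username + "'"
        " AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the input is compared as data and is
    never parsed as SQL, whatever quotes or comment markers it contains."""
    sql = "SELECT username FROM login WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def leaked_error(login, conn: sqlite3.Connection, username: str, password: str):
    """Returns the database error text a careless handler would show the user,
    or None when the input is handled cleanly. A lone quote (slide 31) is the
    discovery step precisely because the error message confirms injection."""
    try:
        login(conn, username, password)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_login_db()
    bypass = "access' or 1=1 --"
    print("concatenated query, bypass input ->", login_vulnerable(db, bypass, "a"))
    print("parameterized query, bypass input ->", login_parameterized(db, bypass, "a"))
    print("concatenated query, lone quote ->", leaked_error(login_vulnerable, db, "'", "a"))
    print("parameterized query, lone quote ->", leaked_error(login_parameterized, db, "'", "a"))
```

The fix is the parameter binding, not input filtering: stripping quotes or `--` from the username would break legitimate values and is easy to get wrong, whereas a bound parameter can never change the query's structure. Returning a generic "login failed" instead of the driver's error text removes the signal that slide 32 relies on.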
  37. Insecure Directory
     – Remote Machine Details
  38. Failure to Restrict URL
     – This would be fine if it were an admin
  39. Hacker: Nick Jacobsen
     – Paris Hilton Phone Pictures
       • SQL Injection or
       • Password Recovery
  40. Trojans
     – Beast + Tutorial: http://www.youtube.com/watch?v=KjbjPVG0BPU&feature=related
  41. Hiding your stuff
     – GooScan – Not Google Approved
  42. Dos & Don’ts
     – Don’t
       • Use Magic URL and Hidden fields for private data
       • Use Security by ignorance
       • Rely on secrecy of the scheme
       • Reveal Passwords to User
       • Use Cookies for private data
       • Trust the client for anything
         – Cookie expiration
     – Do
       • Tighten Security
       • Use Security Appliances
         – Watchfire
       • Rely on secrecy of a set of keys
       • Tighten Passwords
       • Develop a policy
       • Enforce time limits on authenticators
       • Security Reviews
  43. Hacker: Adrian Lamo – “Homeless Hacker”
     – Hacked: NY Times, MSFT, NBC
  44. Resources
     – Must watch program: http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar
     – Vulnerability and exploit info: www.cert.org, http://www.owasp.org/index.php/Top_10_2007, http://seclists.org/
     – Tools: http://www.elhacker.net/hacking-programas-hack.htm, http://www.tahribat.com/doc.asp?docid=87
     – Security Policy: http://www.sans.org/resources/policies/
  45. Links
     – http://xss-proxy.sourceforge.net/ Advanced_XSS_Control.txt
  46. Summary
     – It’s a Scary World!
     – White Hats are always on the defense
     – Obtain skills in Defense against the Dark Arts
     – And Good Luck!
  47. Questions
     – Please Fill Out Surveys
     – kensipe@gmail.com, twitter: kensipe, blog: kensipe.blogspot.com
