
Real life hacking101


Introduction to security

Published in: Engineering

1. Real Life Hacking 101

2. Who am I?
   ● Batard Florent
   ● http://code-artisan.io
   ● @artisan_code
   ● Security Engineer
     – Ethical hacker for 10 years
     – Security contests (0daysober)
     – Globe trotter (UK, USA, Switzerland, France, Japan)
     – Lately on the defense side, as a programmer

3. Summary
   ● Introduction
   ● Information gathering
     – Indirect requests
     – Direct requests
   ● System security
     – Configuration errors
     – Password policy
     – Patching
   ● Web security
     – XSS
     – SQL injection
     – CSRF

4. What is hacking?
   Using or abusing a resource in a way its creator did not anticipate, in order to change its behavior.

5. Attack chronology
   ● Information gathering
     – Getting information about the target
     – Indirect / direct requests
     – Fingerprinting
   ● Analysis
     – Determining the security flaw
     – Finding the tools to perform the attack
   ● Attack
     – Exploitation
     – Expanding in the network
     – Spreading through the internal network

6. Information gathering
   ● Introduction
   ● Indirect requests
   ● Direct requests
   ● Fingerprinting

7. Introduction
   ● The first step of any attack is the information gathering process
   ● Identify the entry points of the target
   ● List all the public information we can use
   ● Other information can be gathered with technical tools
   ● The most effective way is « social engineering »
     – Contact the target and ask them for sensitive information (a newcomer, a secretary...)

8. Indirect requests
   ● « Whois » database listing
   ● All the information given during the registration process
     – Administrative information
       ● Name, address, phone number
     – Technical information
       ● DNS servers
       ● E-mail addresses, usable for social engineering
       ● IP range of the target
   ● All this information is public
9. WHOIS
   ● Use the tool « whois »
   ● whois domain.tld or whois <IP address>
   Domain Information:
     a. [Domain Name]            WHIZZ-TECH.CO.JP
     g. [Organization]           Whizz Technology Co., Ltd.
     l. [Organization Type]      Company
     m. [Administrative Contact] HS9536JP
     n. [Technical Contact]      HS9536JP
     p. [Name Server]            ns1.whizz-tech.co.jp
     s. [Signing Key]
     [State]                     Connected (2015/03/31)
     [Registered Date]           2005/03/29
     [Connected Date]            2005/06/18
     [Last Update]               2014/04/01 01:41:01 (JST)
   Contact Information:
     a. [JPNIC Handle]           HS9536JP
     b. [Name]                   杉本 展将
     c. [Last, First]            Sugimoto, Hiroyuki
     d. [E-mail]                 hiroyuki@whitemap.net
     f. [Organization (JA)]      有限会社ウィズテクノロジー
     g. [Organization]           Whizz Technology Co., Ltd.
     k. [Division (JA)]
     l. [Division]
     m. [Title (JA)]             代表取締役
     n. [Title]                  President
     o. [Phone]                  06-6242-7288
     p. [FAX]
     y. [Notification Address]
     [Last Update]               2005/03/29 12:02:01 (JST) form@dom.jprs.jp
10. Indirect requests
   ● SNS (social networks)
     – Every bit of public information you publish can be used against you
     – Such information is used to build a password bank tailored to you (https://github.com/Netflix/Scumblr)
   ● People search
     – https://pipl.com/
     – http://www.peekyou.com/

11. Direct requests
   ● Active discovery on the network
   ● Port scan
     – Identify open ports
     – Several methods can be used (TCP connect, SYN, UDP scans...)
   ● Fingerprinting
     – Get the banner of each service
     – Identify the service and its version
     – Identify the operating system

12. Nmap scanning
   ● Nmap for fingerprinting
   ● nmap -A x.x.x.x (-A enables OS detection, version detection, script scanning and traceroute)

13. Nmap example (screenshot of nmap output; not reproduced in this transcript)
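What nmap's version detection does at slide 11's "fingerprinting" step, reduced to its core, as an added example (this is not code from the deck or from nmap): match each service banner against a small signature database to extract product and version, then vote on an OS hint from the distribution strings vendors embed in banners. The banners, the signature list and the OS token list are constructed for the example; a real banner grab would read them from the open ports found by the port scan. Python is used here and for the other added examples on this page.

```python
import re
from collections import Counter

# Constructed sample banners for a fictional host (not captured from any real
# system), shaped like what a TCP banner grab of these ports would return.
SAMPLE_BANNERS = {
    21:   b"220 (vsFTPd 3.0.3)\r\n",
    22:   b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    25:   b"220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n",
    80:   b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.25 (Debian)\r\nContent-Type: text/html\r\n\r\n",
    3306: b"J\x00\x00\x00\n5.7.29-0ubuntu0.18.04.1\x00",
}

# Tiny probe database: (service, regex), first match wins. nmap's
# nmap-service-probes file is the same idea with thousands of entries.
SIGNATURES = [
    ("ssh",   re.compile(rb"^SSH-[\d.]+-(?P<product>OpenSSH)_(?P<version>[\w.]+)")),
    ("ftp",   re.compile(rb"^220 \((?P<product>vsFTPd) (?P<version>[\d.]+)\)")),
    ("smtp",  re.compile(rb"^220 \S+ ESMTP (?P<product>Postfix)")),
    ("http",  re.compile(rb"^HTTP/[\d.]+ \d{3}.*?\r\nServer: (?P<product>[\w-]+)/(?P<version>[\w.]+)", re.S)),
    ("mysql", re.compile(rb"^.\x00\x00\x00\n(?P<version>[\d.]+)", re.S)),  # MySQL handshake packet
]

# Distribution names that commonly leak through banners (assumed list).
OS_TOKENS = ("Debian", "Ubuntu", "CentOS", "FreeBSD", "Windows")


def fingerprint(banner: bytes) -> dict:
    """Identify service, product and version from one banner."""
    for service, rx in SIGNATURES:
        m = rx.search(banner)
        if m:
            g = m.groupdict()
            return {
                "service": service,
                "product": (g.get("product") or service.encode()).decode(errors="replace"),
                "version": (g.get("version") or b"").decode(errors="replace"),
            }
    return {"service": "unknown", "product": "", "version": ""}


def fingerprint_host(banners: dict) -> dict:
    """Fingerprint every port and derive a rough OS hint: each banner that
    mentions a distribution casts one vote (nmap -A is far more rigorous)."""
    ports = {port: fingerprint(b) for port, b in banners.items()}
    votes = Counter()
    for b in banners.values():
        text = b.decode(errors="replace").lower()
        for token in OS_TOKENS:
            if token.lower() in text:
                votes[token] += 1
    os_hint = votes.most_common(1)[0][0] if votes else "unknown"
    return {"ports": ports, "os_hint": os_hint}


if __name__ == "__main__":
    result = fingerprint_host(SAMPLE_BANNERS)
    for port, info in sorted(result["ports"].items()):
        print(f"{port:5d}/tcp {info['service']:7s} {info['product']} {info['version']}")
    print("OS hint:", result["os_hint"])
```

The version strings are exactly what the patching step later in the deck feeds on: once "OpenSSH 7.4p1" or "Apache 2.4.25" is known, public advisories can be searched for that precise version.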
14. Other methods
   ● SNMP
     – Identify the SNMP community string
     – Get information on the target
   ● NetBIOS
     – Communication protocol for Windows
     – Guest / null sessions are sometimes enabled
     – Enumerate shared folders
     – Enumerate users, groups and administrators

15. Social engineering
   ● The art of manipulating people into revealing sensitive information
   ● Phone the target pretending to be someone else
   ● The victim often doesn't realize what she is doing
   ● We use everything discovered through the indirect requests
   ● Most of the time it is the most effective way to retrieve useful information
   ● Difficult to protect your company against

16. System vulnerabilities
   ● Configuration mistakes
   ● Passwords
   ● Patching

17. System vulnerability
   ● What is a « system » vulnerability?
   ● Configuration mistake
     – Default configuration left in place
     – High privileges for low-privilege tasks
   ● Bad password policy
     – Default password
     – Weak password
   ● Bad patching policy
     – New vulnerabilities are published, but the OS is not kept up to date
   ● Easy to exploit

18. System vulnerability (diagram; not reproduced in this transcript)

19. Configuration errors
   ● Development configuration kept after production deployment
   ● Devices
     – Default SNMP community
     – Installation password
   ● Applications
     – Default password
     – Debugging enabled
     – Example files left in place
20. Password policy
   ● The most secure system will always be weak if it is protected by a password that is too simple
   ● Usually people choose the easiest password the system will accept
     – Hacking is even easier when passwords aren't strong enough
   ● Passwords must be stored hashed in the application (salted, with a slow password hash such as bcrypt or PBKDF2), never in clear text or with reversible encryption
     – If a hacker gets into the database, clear-text passwords are all revealed at once
   ● Users usually re-use the same password everywhere, so one leak compromises their other accounts too

21. Password types
   ● Not accessible (stored server-side, the attacker has no copy)
     – The hacker must break the password interactively against the live service, which produces noisy logs
   ● Encrypted/hashed passwords (the attacker has a copy of the stored form)
     – Allow discreet offline attacks
   ● Clear-text passwords
     – = win!

22. Password attacks
   ● Interactive (online)
     – No copy of the stored password: guesses are sent to the live service
     – Medusa, Hydra
     – Slow and noisy
   ● Offline
     – Requires a copy of the hashed/encrypted password
     – John the Ripper, Cain, L0phtCrack
     – Quick and discreet, but not always possible
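Slides 20 to 22 say that a leaked hash enables a quiet offline attack and that passwords must be hashed; the added example below (not code from the deck, and only a toy next to John the Ripper) shows both sides with a constructed wordlist and a constructed user table. Against unsalted MD5 a dictionary attack hashes each word once and cracks every user at the same time; against salted PBKDF2 every (user, word) pair costs a fresh slow hash and no precomputed table helps. The usernames, passwords and wordlist are made up; the iteration count is kept low so the demo runs quickly.

```python
import hashlib
import hmac
import os

# Constructed wordlist, like a tiny slice of a public password list (not real leaked data).
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2015", "hunter2"]

# Constructed "dumped" user table where passwords were stored as unsalted MD5.
# In a real leak these would be the hex strings from the dump; they are
# computed here only so the example is self-contained.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"Summer2015").hexdigest(),
    "bob":   hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),   # not in the wordlist
}


def crack_unsalted_md5(hashes: dict, wordlist) -> dict:
    """Offline dictionary attack. With no salt, one hash per candidate word
    builds a lookup table that serves every user at once."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def hash_password(password: str, iterations: int = 50_000, salt=None) -> str:
    """Store a password properly: random per-user salt + slow iterated hash.
    50k rounds keeps the demo fast; use far more (or bcrypt/scrypt/Argon2) in production."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: dict, wordlist) -> tuple:
    """The same dictionary attack against salted PBKDF2 records. No shared lookup
    table is possible: every (user, word) pair is a fresh, deliberately slow hash.
    Returns (found, number_of_hash_computations)."""
    found, work = {}, 0
    for user, record in stored.items():
        for word in wordlist:
            work += 1
            if verify_password(word, record):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    salted = {u: hash_password(p) for u, p in
              [("alice", "Summer2015"), ("bob", "letmein"), ("carol", "Tr0ub4dor&3")]}
    found, work = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: {found} after {work} slow hashes "
          f"(unsalted needed {len(WORDLIST)} fast ones for all users)")
```

Weak passwords still fall ("alice" and "bob" are found either way); what the salt and the slow hash buy is that each guess costs the attacker as much as it costs the server, per user, which is why the password policy on slide 20 and the storage choice go together.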
23. Patching
   ● Update management
   ● Needs a security policy in the company
   ● The latest patches should always be deployed on ALL machines
   ● One vulnerable computer can be the entry point for the whole network
   ● As an attacker it is always more convenient to attack the most vulnerable machine on the network
   ● Tools to know: Metasploit, Nessus

24. Problems
   ● Vulnerabilities are often released publicly
     – Accessible to anybody
     – Automatic scripts to exploit them
   ● Typically:
     – Discovery through a vulnerability scanner like Nessus
     – Exploitation of the vulnerability with Metasploit
     – At the end → total control of the target

25. Web application vulnerabilities
   ● Cross-Site Scripting
   ● SQL Injection
   ● CSRF attack

26. Application vulnerabilities
   ● Target a specific application
   ● Out of scope for the system administrator
   ● The developers' responsibility
   ● The hacker can modify the behavior of the application
   ● A use of the application that the developers did not plan for
   ● Nowadays, most likely in web applications

27. Parameters
   ● Users interact with a website through parameters:
   ● GET: parameters sent in the URL
     – search.php?query=toto
   ● POST: parameters sent in the message body
     – Usually for form submission
   ● These parameters can ALWAYS be tampered with by an attacker, since the client is under the attacker's control
   ● Tools to know: Burp Suite, OWASP ZAP, Postman

28. Cross-Site Scripting
   ● Allows code execution in the victim's browser, most often JavaScript
   ● The problem occurs when user input is interpreted as regular client-side source code (HTML/JavaScript) instead of as data
   ● The hacker can inject HTML tags and JavaScript into the page
     – Control over the display of the page
       ● Images
       ● JavaScript (frameworks & components)
     – Use your page for evil purposes, e.g. hooking the victim's browser: http://beefproject.com

29. XSS - Example (screenshots: vulnerable source code, normal behavior, hijacked behavior; not reproduced in this transcript)
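Slide 29's screenshots are not in the transcript, so here is an added example (not the deck's code) of the same bug in a search page and its fix. The vulnerable renderer pastes the query into the page body and into an attribute; the fixed one applies output encoding with html.escape. To make the difference measurable without a browser, an HTMLParser subclass counts what a browser would execute: `<script>` tags and `on*` event-handler attributes. The two payloads are constructed for the example; the first is the one slide 35 suggests for unit tests.

```python
import html
from html.parser import HTMLParser

# Constructed attacker payloads: the slide-35 body payload and an attribute
# break-out for the input field.
BODY_PAYLOAD = "<script>alert('hello')</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'


def render_search_vulnerable(query: str) -> str:
    """search.php-style page that reflects the query raw into two HTML contexts."""
    return (
        "<p>Results for: " + query + "</p>\n"
        '<input name="query" value="' + query + '">'
    )


def render_search_fixed(query: str) -> str:
    """Same page with output encoding. quote=True also encodes ' and \" so the
    value cannot close the attribute it is placed in."""
    q = html.escape(query, quote=True)
    return (
        "<p>Results for: " + q + "</p>\n"
        '<input name="query" value="' + q + '">'
    )


class ActiveContentCounter(HTMLParser):
    """Counts what a browser would execute: <script> tags and on* handlers."""
    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def active_content(page: str) -> tuple:
    """(script tags, event-handler attributes) found when parsing the page."""
    p = ActiveContentCounter()
    p.feed(page)
    p.close()
    return p.script_tags, p.event_handlers


if __name__ == "__main__":
    for payload in (BODY_PAYLOAD, ATTR_PAYLOAD):
        print(repr(payload))
        print("  vulnerable:", active_content(render_search_vulnerable(payload)))
        print("  fixed:     ", active_content(render_search_fixed(payload)))
```

The point of the second payload is that a filter for `<script` alone would miss it: the attribute context is escaped by the quote character, not by an angle bracket, which is why encoding for the context (body, attribute, JavaScript string, URL) beats blacklisting.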
30. SQL Injection
   ● SQL: the language used to query databases
   ● To select data:
     – SELECT column_name FROM table WHERE condition
   ● Example:
     – SELECT contenu FROM news WHERE id=1
   ● Used by websites to retrieve persistent information

31. SQL Injection examples
   ● Original request:
     – http://site/news.php?id=1
     – SELECT * FROM news WHERE id = 1
     – Returns the news item with id 1
   ● Hijacked request:
     – http://site/news.php?id=1 OR 1=1
     – SELECT * FROM news WHERE id = 1 OR 1=1 // always TRUE
     – Returns all the news!

32. SQL Injection example (screenshots: vulnerable code, normal behavior, hijacked behavior; not reproduced in this transcript)
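Slide 32's screenshots are not in the transcript; the added example below (not the deck's code) runs slide 31's `1 OR 1=1` against an in-memory SQLite database and adds the UNION trick that reaches slide 33's goal of reading other tables. The news and users tables, their rows and the clear-text admin password are all constructed. The vulnerable handler concatenates the parameter into the query; the fixed one validates the type and binds the value, so the database never parses it as SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for news.php's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", [
        (1, "Public announcement", 1),
        (2, "Second public post", 1),
        (3, "Unpublished draft", 0),       # hidden by the published = 1 filter
    ])
    # Stored in clear, the "= win!" case from slide 21 (made-up value).
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "P@ssw0rd-in-clear"))
    return conn


def get_news_vulnerable(conn, id_param: str) -> list:
    """news.php?id=... built by string concatenation: the parameter is parsed as SQL.
    AND binds tighter than OR, so '1 OR 1=1' also bypasses the published filter."""
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = " + id_param
    return conn.execute(sql).fetchall()


def get_news_fixed(conn, id_param: str) -> list:
    """Validate the type, then bind the value; the driver sends it separately
    from the statement, so it can only ever be compared, never executed."""
    try:
        news_id = int(id_param)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title FROM news WHERE published = 1 AND id = ?", (news_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed attacker inputs: slide 31's payload, then a UNION to read the users table.
    for param in ("1", "1 OR 1=1", "0 UNION SELECT username, password FROM users"):
        print(repr(param))
        print("  vulnerable:", get_news_vulnerable(conn, param))
        print("  fixed:     ", get_news_fixed(conn, param))
```

The UNION payload works because the attacker matches the column count of the original SELECT (two columns) and the first half returns nothing for id 0, leaving only the users rows in the result; this is the "explore the database" step of slide 33.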
33. Goals for the hacker
   ● Hijack the authentication process
   ● Explore the database
   ● Retrieve hidden information
     – Passwords of users and admins
   ● Interact with the system through the database
     – Read files
     – Write files
     – Command execution

34. Cross-Site Request Forgery
   ● Scenario:
     – http://mybank.com/?transfer=100&from=123&to=321
     – You have an active session => the request is accepted
   ● What if I send you that link in an iframe or a mail?
     – I can forge the address to compromise you
     – Your session is still active, so the bank accepts the request
     – Typical targets: changing the account's e-mail address or resetting the password
   ● Defense: a CSRF token, an unpredictable value the attacker cannot forge, that must accompany every state-changing request
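The bank scenario of slide 34 and its CSRF-token defense, simulated as an added example (not code from the deck; the session table, account balances and request shapes are constructed). The browser attaches the session cookie to a request no matter which page triggered it, so the handler cannot tell a forged request from a genuine one by the cookie alone. The token is a random nonce plus an HMAC binding it to the session under a server-side secret: the bank's own form can include it, an attacker's page cannot produce it, and the server needs no storage to check it.

```python
import hashlib
import hmac
import secrets

# Constructed server state: one logged-in user whose browser holds this cookie.
SESSIONS = {"sess-abc123": "victim"}


def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Token embedded in the bank's own form: random nonce + HMAC binding it to
    the session. Unpredictable without `secret`, verifiable without server storage."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(secret: bytes, session_id: str, token) -> bool:
    """Recompute the HMAC for this session and nonce; constant-time compare."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(secret: bytes, request: dict, balances: dict) -> str:
    """Simulated POST /transfer. `request` = {"cookie_session": str, "form": dict}.
    Only the token distinguishes the bank's form from a page the attacker controls."""
    session_id = request.get("cookie_session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    form = request.get("form", {})
    if not csrf_token_valid(secret, session_id, form.get("csrf_token")):
        return "403 CSRF check failed"
    amount, to = int(form["amount"]), form["to"]
    if amount <= 0 or balances.get(user, 0) < amount:
        return "400 invalid transfer"
    balances[user] -= amount
    balances[to] = balances.get(to, 0) + amount
    return "200 transferred"


if __name__ == "__main__":
    secret = secrets.token_bytes(32)          # server-side key, from config in practice
    balances = {"victim": 500, "attacker": 0}
    # What the victim's browser sends when the attacker's iframe/mail link fires:
    forged = {"cookie_session": "sess-abc123", "form": {"amount": "100", "to": "attacker"}}
    print("forged:", handle_transfer(secret, forged, balances), balances)
    # The bank's own form carries a token issued for this session:
    token = issue_csrf_token(secret, "sess-abc123")
    legit = {"cookie_session": "sess-abc123",
             "form": {"amount": "100", "to": "attacker", "csrf_token": token}}
    print("legit: ", handle_transfer(secret, legit, balances), balances)
```

Two details matter in practice: the transfer must be a POST (the slide's GET link is exactly what an `<img>` or iframe can trigger), and the token is bound to the session, so a token the attacker obtains for their own account does not validate for the victim's.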
35. What to do as a developer?
   ● Learn the basics of security (www.owasp.org)
     – OWASP Top 10
   ● Check your application's source code
     – OWASP ASVS: http://code-artisan.io/owasp-asvs-3-0-cheatsheet/
   ● Add security test cases to your unit tests
     – « OR 1 = 1 »
     – « <script>alert('hello')</script> »
   ● Follow the security updates of your tools
     – Web framework security releases
     – Change the default configuration!
   ● Check your security with professional services
     – www.detectify.com or https://vaddy.net/
     – Yours truly

36. How to become a hacker?
   ● Train and learn
     – WebGoat
     – DVWA (Damn Vulnerable Web App)
     – Kali Linux (security distribution with all the tools)
   ● Check the tools:
     – Metasploit
     – SkipFish
     – Nikto
     – WPScan

37. Conclusion
   ● Questions?
