SlideShare a Scribd company logo

Common hacking practices

Marian Marinov
Marian Marinov

Describing the most common practices used in web applications cracking

Technology
1 of 10
Download to read offline
What happens on our machines  and why? Common hacking practices Marian Marinov - mm@1h.com
      Physical  Hardware  Network  Software Attack vectors
  cross-site scripting cross-site request forgery information disclosure denial of service distributed denial of service remote code execution code injection SQL injection Typical web application attacks
    Vulnerability scanners Botnet scanners Google and Yahoo How attackers find vulnerable apps
    Full Disclosure Security Mailing Lists www.exploit-db.com www.securityfocus.com packetstormsecurity.org Where attackers find their exploits
    Try Gruyere         http://google-gruyere.appspot.com/  Life cycle of a web attack
  Joomla exploit -> http://www.joomlaexploit.com/  Joomla YJ Contact us Component Local File Inclusion Vulnerability -> http://www.exploit-db.com/exploits/18033/ Proof of Concept: http://localhost/[path]/ index.php?option=com_yjcontactus & view=../../../../../../../../../../../../../../etc/passwd%00 Google it, and crack them.... Using google as a “hacker” :)
  Nikto2 - http://www.cirt.net/nikto2 ParoProxy - http://www.parosproxy.org/ OWASP WebScrab - https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project Blurb - http://portswigger.net/burp/ Vulnerability scanners
  Nmap - port scanner  Hping2,3,4 - port scanner and packet generator Nessus - comprehensive security analysis tool I LOVE IT!  I HATE THEM!!! Snort -Traffic analyzer with a lot of plug-ins Wireshark - Traffic analyzer Other general security tools
It is pretty easy to crack  web apps these days :)   And most of the work is already done by someone else! :( Conclusion

Recommended

AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlassian
 
XSS filter on Server side
XSS filter on Server sideXSS filter on Server side
XSS filter on Server sidecuteboysmith
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackersKirill Ermakov
 
Vulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comVulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comKirill Ermakov
 
Security Protection for WordPress
Security Protection for WordPressSecurity Protection for WordPress
Security Protection for WordPressSamuel Soon
 
State of WordPress Security: Today and Beyond
State of WordPress Security: Today and BeyondState of WordPress Security: Today and Beyond
State of WordPress Security: Today and BeyondBlogVault Inc
 
DEFINING A SPYWARE
DEFINING A SPYWAREDEFINING A SPYWARE
DEFINING A SPYWAREunnecessary34
 
Why vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelWhy vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelKirill Ermakov
 

Recommended

AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlassian
 
XSS filter on Server side
XSS filter on Server sideXSS filter on Server side
XSS filter on Server sidecuteboysmith
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackersKirill Ermakov
 
Vulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comVulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comKirill Ermakov
 
Security Protection for WordPress
Security Protection for WordPressSecurity Protection for WordPress
Security Protection for WordPressSamuel Soon
 
State of WordPress Security: Today and Beyond
State of WordPress Security: Today and BeyondState of WordPress Security: Today and Beyond
State of WordPress Security: Today and BeyondBlogVault Inc
 
DEFINING A SPYWARE
DEFINING A SPYWAREDEFINING A SPYWARE
DEFINING A SPYWAREunnecessary34
 
Why vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelWhy vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelKirill Ermakov
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Adversary tactics config mgmt-&-logs-oh-my
Adversary tactics config mgmt-&-logs-oh-myAdversary tactics config mgmt-&-logs-oh-my
Adversary tactics config mgmt-&-logs-oh-myJesse Moore
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016IMMUNIO
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareAmmar WK
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System SecuritySamvel Gevorgyan
 
JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011
JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011
JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011Pierre-André Vullioud
 
Spyware And Anti Virus Software Presentation
Spyware And Anti Virus Software PresentationSpyware And Anti Virus Software Presentation
Spyware And Anti Virus Software Presentationamy.covington215944
 
Understanding CSRF
Understanding CSRFUnderstanding CSRF
Understanding CSRFPotato
 
Is it good to be paranoid ?
Is it good to be paranoid ?Is it good to be paranoid ?
Is it good to be paranoid ?Subramanyan Murali
 
Handout infosec defense-mechanism-y3dips
Handout infosec defense-mechanism-y3dipsHandout infosec defense-mechanism-y3dips
Handout infosec defense-mechanism-y3dipsAmmar WK
 
Bug Bounty Hunter's Confession
Bug Bounty Hunter's ConfessionBug Bounty Hunter's Confession
Bug Bounty Hunter's ConfessionAMol NAik
 
Open Source CMS : How secure are they?
Open Source CMS : How secure are they?Open Source CMS : How secure are they?
Open Source CMS : How secure are they?Yassine Aboukir
 
Spyware
SpywareSpyware
SpywareFarheen Naaz
 
Spyware
SpywareSpyware
Spywaresubharock
 
Maine Judicial Conference
Maine Judicial ConferenceMaine Judicial Conference
Maine Judicial Conferenceantivirusdownload
 
Battling Malware In The Enterprise
Battling Malware In The EnterpriseBattling Malware In The Enterprise
Battling Malware In The EnterpriseAyed Al Qartah
 
Top Ten Ways to Shockproof Your Use of Social Media
Top Ten Ways to Shockproof Your Use of Social MediaTop Ten Ways to Shockproof Your Use of Social Media
Top Ten Ways to Shockproof Your Use of Social MediaBen Woelk, CISSP, CPTC
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
Virus encryption
Virus encryptionVirus encryption
Virus encryptionssusere0e9b7
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 

More Related Content

What's hot

A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Adversary tactics config mgmt-&-logs-oh-my
Adversary tactics config mgmt-&-logs-oh-myAdversary tactics config mgmt-&-logs-oh-my
Adversary tactics config mgmt-&-logs-oh-myJesse Moore
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016IMMUNIO
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareAmmar WK
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System SecuritySamvel Gevorgyan
 
JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011
JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011
JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011Pierre-André Vullioud
 
Spyware And Anti Virus Software Presentation
Spyware And Anti Virus Software PresentationSpyware And Anti Virus Software Presentation
Spyware And Anti Virus Software Presentationamy.covington215944
 
Understanding CSRF
Understanding CSRFUnderstanding CSRF
Understanding CSRFPotato
 
Handout infosec defense-mechanism-y3dips
Handout infosec defense-mechanism-y3dipsHandout infosec defense-mechanism-y3dips
Handout infosec defense-mechanism-y3dipsAmmar WK
 
Bug Bounty Hunter's Confession
Bug Bounty Hunter's ConfessionBug Bounty Hunter's Confession
Bug Bounty Hunter's ConfessionAMol NAik
 
Open Source CMS : How secure are they?
Open Source CMS : How secure are they?Open Source CMS : How secure are they?
Open Source CMS : How secure are they?Yassine Aboukir
 
Battling Malware In The Enterprise
Battling Malware In The EnterpriseBattling Malware In The Enterprise
Battling Malware In The EnterpriseAyed Al Qartah
 
Top Ten Ways to Shockproof Your Use of Social Media
Top Ten Ways to Shockproof Your Use of Social MediaTop Ten Ways to Shockproof Your Use of Social Media
Top Ten Ways to Shockproof Your Use of Social MediaBen Woelk, CISSP, CPTC
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 

What's hot (20)

A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Control
 
Adversary tactics config mgmt-&-logs-oh-my
Adversary tactics config mgmt-&-logs-oh-myAdversary tactics config mgmt-&-logs-oh-my
Adversary tactics config mgmt-&-logs-oh-my
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System Security
 
JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011
JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011
JMonitoring : How to keep an eye on more than 50 websites ? Joomla Beyond 2011
 
Spyware And Anti Virus Software Presentation
Spyware And Anti Virus Software PresentationSpyware And Anti Virus Software Presentation
Spyware And Anti Virus Software Presentation
 
Understanding CSRF
Understanding CSRFUnderstanding CSRF
Understanding CSRF
 
Is it good to be paranoid ?
Is it good to be paranoid ?Is it good to be paranoid ?
Is it good to be paranoid ?
 
Handout infosec defense-mechanism-y3dips
Handout infosec defense-mechanism-y3dipsHandout infosec defense-mechanism-y3dips
Handout infosec defense-mechanism-y3dips
 
Bug Bounty Hunter's Confession
Bug Bounty Hunter's ConfessionBug Bounty Hunter's Confession
Bug Bounty Hunter's Confession
 
Open Source CMS : How secure are they?
Open Source CMS : How secure are they?Open Source CMS : How secure are they?
Open Source CMS : How secure are they?
 
Spyware
SpywareSpyware
Spyware
 
Spyware
SpywareSpyware
Spyware
 
Maine Judicial Conference
Maine Judicial ConferenceMaine Judicial Conference
Maine Judicial Conference
 
Battling Malware In The Enterprise
Battling Malware In The EnterpriseBattling Malware In The Enterprise
Battling Malware In The Enterprise
 
Top Ten Ways to Shockproof Your Use of Social Media
Top Ten Ways to Shockproof Your Use of Social MediaTop Ten Ways to Shockproof Your Use of Social Media
Top Ten Ways to Shockproof Your Use of Social Media
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
Virus encryption
Virus encryptionVirus encryption
Virus encryption
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 

Similar to Common hacking practices

Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in CybersecurityTeri Radichel
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpJoann Davis
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threatsMartin Holovský
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert TrendSC Leung
 
What is Remote Buffer Overflow Attack.pdf
What is Remote Buffer Overflow Attack.pdfWhat is Remote Buffer Overflow Attack.pdf
What is Remote Buffer Overflow Attack.pdfuzair
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Wail Hassan
 
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clientsRenaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clientsnooralmousa
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Computer security system Unit1.pptx
Computer security system Unit1.pptxComputer security system Unit1.pptx
Computer security system Unit1.pptxVIRAJDEY1
 
Web Application Security - Folio3
Web Application Security - Folio3Web Application Security - Folio3
Web Application Security - Folio3Folio3 Software
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII studentsAkiumi Hasegawa
 

Similar to Common hacking practices (20)

Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in Cybersecurity
 
cybersecurity-careers.pdf
cybersecurity-careers.pdfcybersecurity-careers.pdf
cybersecurity-careers.pdf
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threats
 
3 Hkcert Trend
3 Hkcert Trend3 Hkcert Trend
3 Hkcert Trend
 
What is Remote Buffer Overflow Attack.pdf
What is Remote Buffer Overflow Attack.pdfWhat is Remote Buffer Overflow Attack.pdf
What is Remote Buffer Overflow Attack.pdf
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clientsRenaud Bido & Mohammad Shams - Hijacking web servers & clients
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Computer security system Unit1.pptx
Computer security system Unit1.pptxComputer security system Unit1.pptx
Computer security system Unit1.pptx
 
Web Application Security - Folio3
Web Application Security - Folio3Web Application Security - Folio3
Web Application Security - Folio3
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 

More from Marian Marinov

Dev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingDev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingMarian Marinov
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsMarian Marinov
 
Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?Marian Marinov
 
Introduction and replication to DragonflyDB
Introduction and replication to DragonflyDBIntroduction and replication to DragonflyDB
Introduction and replication to DragonflyDBMarian Marinov
 
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQMessage Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQMarian Marinov
 
How to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdfHow to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdfMarian Marinov
 
How to survive in the work from home era
How to survive in the work from home eraHow to survive in the work from home era
How to survive in the work from home eraMarian Marinov
 
Improve your storage with bcachefs
Improve your storage with bcachefsImprove your storage with bcachefs
Improve your storage with bcachefsMarian Marinov
 
Control your service resources with systemd
Control your service resources with systemd Control your service resources with systemd
Control your service resources with systemd Marian Marinov
 
Comparison of-foss-distributed-storage
Comparison of-foss-distributed-storageComparison of-foss-distributed-storage
Comparison of-foss-distributed-storageMarian Marinov
 
Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?Marian Marinov
 
Securing your MySQL server
Securing your MySQL serverSecuring your MySQL server
Securing your MySQL serverMarian Marinov
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKMarian Marinov
 
Challenges with high density networks
Challenges with high density networksChallenges with high density networks
Challenges with high density networksMarian Marinov
 
SiteGround building automation
SiteGround building automationSiteGround building automation
SiteGround building automationMarian Marinov
 
Preventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingPreventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingMarian Marinov
 
Managing a lot of servers
Managing a lot of serversManaging a lot of servers
Managing a lot of serversMarian Marinov
 
Let's Encrypt failures
Let's Encrypt failuresLet's Encrypt failures
Let's Encrypt failuresMarian Marinov
 

More from Marian Marinov (20)

Dev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingDev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & Logging
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanisms
 
Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?
 
Introduction and replication to DragonflyDB
Introduction and replication to DragonflyDBIntroduction and replication to DragonflyDB
Introduction and replication to DragonflyDB
 
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQMessage Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
 
How to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdfHow to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdf
 
How to survive in the work from home era
How to survive in the work from home eraHow to survive in the work from home era
How to survive in the work from home era
 
Managing sysadmins
Managing sysadminsManaging sysadmins
Managing sysadmins
 
Improve your storage with bcachefs
Improve your storage with bcachefsImprove your storage with bcachefs
Improve your storage with bcachefs
 
Control your service resources with systemd
Control your service resources with systemd Control your service resources with systemd
Control your service resources with systemd
 
Comparison of-foss-distributed-storage
Comparison of-foss-distributed-storageComparison of-foss-distributed-storage
Comparison of-foss-distributed-storage
 
Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?
 
Securing your MySQL server
Securing your MySQL serverSecuring your MySQL server
Securing your MySQL server
 
Sysadmin vs. dev ops
Sysadmin vs. dev opsSysadmin vs. dev ops
Sysadmin vs. dev ops
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
 
Challenges with high density networks
Challenges with high density networksChallenges with high density networks
Challenges with high density networks
 
SiteGround building automation
SiteGround building automationSiteGround building automation
SiteGround building automation
 
Preventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingPreventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel tracking
 
Managing a lot of servers
Managing a lot of serversManaging a lot of servers
Managing a lot of servers
 
Let's Encrypt failures
Let's Encrypt failuresLet's Encrypt failures
Let's Encrypt failures
 

Recently uploaded

Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 

Recently uploaded (20)

Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 

Common hacking practices

  • 1. What happens on our machines  and why? Common hacking practices Marian Marinov - mm@1h.com
  • 2.       Physical  Hardware  Network  Software Attack vectors
  • 3.   cross-site scripting cross-site request forgery information disclosure denial of service distributed denial of service remote code execution code injection SQL injection Typical web application attacks
  • 4.     Vulnerability scanners Botnet scanners Google and Yahoo How attackers find vulnerable apps
  • 5.     Full Disclosure Security Mailing Lists www.exploit-db.com www.securityfocus.com packetstormsecurity.org Where attackers find their exploits
  • 6.     Try Gruyere         http://google-gruyere.appspot.com/  Life cycle of a web attack
  • 7.   Joomla exploit -> http://www.joomlaexploit.com/  Joomla YJ Contact us Component Local File Inclusion Vulnerability -> http://www.exploit-db.com/exploits/18033/ Proof of Concept: http://localhost/[path]/ index.php?option=com_yjcontactus & view=../../../../../../../../../../../../../../etc/passwd%00 Google it, and crack them.... Using google as a “hacker” :)
  • 8.   Nikto2 - http://www.cirt.net/nikto2 ParoProxy - http://www.parosproxy.org/ OWASP WebScrab - https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project Blurb - http://portswigger.net/burp/ Vulnerability scanners
  • 9.   Nmap - port scanner  Hping2,3,4 - port scanner and packet generator Nessus - comprehensive security analysis tool I LOVE IT!  I HATE THEM!!! Snort -Traffic analyzer with a lot of plug-ins Wireshark - Traffic analyzer Other general security tools
  • 10. It is pretty easy to crack  web apps these days :)   And most of the work is already done by someone else! :( Conclusion