
Database honeypot by design


Published in: Technology


  1. Vote
  2. Vote
  3. Database honeypot by design @GiftsUngiven @cyberpunkych
  4. Pre-history
  5.
  6.
  7. bla bla bla
  8. Data analysis Bro, don't forget to put on your glasses, hacker truth ahead
  9. Data analysis #1 client request LOAD DATA LOCAL INFILE "C:Windowssystem32driversetchosts" INTO TABLE mysql.test
  10. Data analysis #2 server response
  11. Data analysis #3 client answer
  12. Data analysis #? What if we skip the client request and just send the server response to get a file for any request?
  13. Data analysis #?
  14. Data analysis #! 1 – client sends a ‘select’ query request; 2 – server sends the response ‘I want a file’; 3 – client sends the file content
  15. Profit! - a little bit of scripting language to automate the process - a lot of fun
  16. Remember me? Now you know what to do!
  17. Honeypot? Want to hack my mysql? Okay… I will exchange your requests for your files. Please, run ‘msfconsole’ under root.
  18. Whhyyyyyy?
  19. Good guy Ares We: MiTM? Ares: No problems! http://intercepter.nerf.ru/
  20. Good guy Ares
  21. Is it vulnerable?
  22. Thanks. Questions?
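
The three-step exchange on slides 12 to 14, seen from the defender's side, as an added example that is not from the slides: a check a client wrapper or network sensor can apply to the first server reply, flagging a LOCAL INFILE request (first payload byte 0xFB) when the client's own query did not offer that file. The function names and sample packets are constructed for illustration, and filenames are compared literally, without SQL escape processing.

```python
import re

COM_QUERY = 0x03             # client command byte: text query
LOCAL_INFILE_REQUEST = 0xFB  # first payload byte of a server "send me this file" reply

# LOAD DATA [LOW_PRIORITY | CONCURRENT] LOCAL INFILE 'name' ...
LOAD_LOCAL = re.compile(
    rb"\s*LOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\s+(['\"])(.*?)\1",
    re.IGNORECASE | re.DOTALL)

def split_packet(raw):
    """Split one MySQL wire packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    if len(raw) < 4:
        raise ValueError("packet shorter than its 4-byte header")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("payload shorter than the declared length")
    return raw[3], payload

def file_offered_by_client(query_packet):
    """Filename named in the client's own LOAD DATA LOCAL query, or None for any other query."""
    _, payload = split_packet(query_packet)
    if not payload or payload[0] != COM_QUERY:
        return None
    match = LOAD_LOCAL.match(payload[1:])
    return match.group(2) if match else None

def check_first_response(query_packet, response_packet):
    """Classify the first server reply to a query: 'ok', 'unsolicited' or 'mismatch'."""
    _, payload = split_packet(response_packet)
    if not payload or payload[0] != LOCAL_INFILE_REQUEST:
        return "ok"                      # OK, ERR or a result set: no file requested
    offered = file_offered_by_client(query_packet)
    if offered is None:
        return "unsolicited"             # the pattern from slide 14
    # Assumption: literal comparison, no SQL escape processing of the quoted name.
    return "ok" if payload[1:] == offered else "mismatch"

def make_packet(seq, payload):
    """Build a constructed sample packet for the demo below."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

if __name__ == "__main__":
    select = make_packet(0, b"\x03SELECT 1")                  # constructed sample
    load = make_packet(0, b"\x03LOAD DATA LOCAL INFILE '/tmp/report.csv' INTO TABLE t")
    want = make_packet(1, b"\xfb/tmp/report.csv")
    print(check_first_response(select, want))   # unsolicited
    print(check_first_response(load, want))     # ok
```

The check only applies to the first reply packet after a query, where a leading 0xFB cannot be a column count.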
