The document provides an overview of real life hacking 101, beginning with information gathering techniques like WHOIS lookups and port scanning to identify entry points and vulnerabilities. It discusses indirect requests like searching public records and direct requests like fingerprinting systems. It covers common system vulnerabilities from configuration errors to weak password policies and out-of-date patching. The document also explains common web application vulnerabilities like cross-site scripting, SQL injection, and CSRF attacks that abuse user inputs. It emphasizes the importance of secure development practices and security testing to prevent exploits.

1. Real Life Hacking 101
1

2. Who am I ?
● Batard Florent
● http://code-artisan.io
● @artisan_code
● Security Engineer
– Ethical Hacker for 10 years
– Security Contests (0daysober)
– Globe Trotter (UK, USA, Swiss, France, Japan)
– Lately on the Defense side as a programmer

3. test
Summary
● Introduction
● Information gathering
● Indirect requests
● Direct requests
● System security
● Configuration errors
● Password policy
● Patching
● Web Security
– XSS
– SQL Injection
– CSRF

4. test
What is Hacking ?
Use or abuse a resources in way that was not predicted by the
creator in order to change the behavior

5. test
Attack chronology
● Information gathering
● Getting information about the target
● Indirect / Direct requests
● Fingerprinting
● Analysis
● Determing the security flaw
● Discover the tools to perform the attack
● Attack
● Exploitation
● Expand in the network
● Spread in the internal network

6. test
Information gathering
• Introduction
• Indirect requests
• Direct requests
• Fingerprinting

7. test
Introduction
● The first step of any attack is the information gathering
process
● Identify the entry point of the target
● List all the public information we can use
● Other information can be gathered with technical
tools
● The most effective way is the « social
engineering »
– Contact the target and ask him sensitive
information (Freshman, secretary...)

8. test
Indirect requests
● « Whois » database listing
● All the information asked at registration process
– Administrative informations
● Name, address, phone number
– Technical information
● DNS server
● Email addresses for social engineering
● IP range of the target
● All these information are public

9. test
WHOIS
● Use of the tool « whois »
● whois domain.tld ou whois IP address
Domain Information:
a. [Domain Name] WHIZZ-TECH.CO.JP
g. [Organization] Whizz Technology Co., Ltd.
l. [Organization Type] Company
m. [Administrative Contact] HS9536JP
n. [Technical Contact] HS9536JP
p. [Name Server] ns1.whizz-tech.co.jp
s. [Signing Key]
[State] Connected (2015/03/31)
[Registered Date] 2005/03/29
[Connected Date] 2005/06/18
[Last Update] 2014/04/01 01:41:01 (JST)
Contact Information: [ 担当者情報 ]
a. [JPNIC ハンドル ] HS9536JP
b. [ 氏名 ] 杉本 展将
c. [Last, First] Sugimoto, Hi-
royuki
d. [ 電子メイル ] hiroyuki@whi-
temap.net
f. [ 組織名 ] 有限会社ウィズテ
クノロジー
g. [Organization] Whizz Techno-
logy Co., Ltd.
k. [ 部署 ]
l. [Division]
m. [ 肩書 ] 代表取締役
n. [Title] President
o. [ 電話番号 ] 06-6242-7288
p. [FAX 番号 ]
y. [ 通知アドレス ]
[ 最終更新 ] 2005/03/29
12:02:01 (JST)
form@dom.jprs.jp

10. test
Indirect requests
● SNS
– Every bit of public information published can be
used against you
– Information are used to build password bank tailo-
red to hack you(https://github.com/Netflix/Scumblr)
● People Search
– https://pipl.com/
– http://www.peekyou.com/

11. test
Direct requests
● Active discoveries on the network
● Port scan
– Identify open ports
– Several methods can be used
● Fingerprinting
– Getting the banner of services
– Identify service and its version
– Identify the Operating System

12. test
Nmap scanning
● Nmap for fingerprinting
● Nmap -A x.x.x.x

13. test
Nmap Example

14. test
Other methods
● SNMP
● Identify SNMP community
– Get information on the target
● Netbios
● Communication protocol for windows
– Guest/Null account sometimes activated
● Enumerate shared_folder
● Enumerate users/groups/administrators

15. test
Social Engineering
● The art of manipulating people to make them reveal
sensitive information
● Phone the target pretending to be someone else
● The victim often doesn't realize what she is
doing
● We will use everything we discovered on indirect
requests
● Most of the time it's the most effective way to retrieve
useful information
● Difficult to protect your company

16. test
System vulnerabilities
• Configuration mistakes
• Passwords
• Patching

17. test
System vulnerability
● What is a « system » vulnerability ?
● Configuration mistake
– Leave the default configuration
– High privilege for low task
● Bad password policy
– Default password
– Weak password
● Bad patching policy
– New vulnerabilities but OS are not up to date
● Easy exploitation

18. test
System vulnerability

19. test
Configuration error
● Development configuration kept after production de-
ployment
● Devices
– Default SNMP community
– Installation password
● Applications
– Default password
– Debugging activated
– Example files

20. test
Password policy
● The most secure system will always be weak if protec-
ted by a too simple password
● Usually people will choose the easiest password
a system can accept
– Hacking is even easier if passwords aren't
strong enough
● Passwords should be encrypted in the
application
– If a hacker get into database, all passwords
will be revealed
● Users usually re-use the same password
everywhere

21. test
Password types
● Not accessible (stored in database)
● Hacker must interactively break the password
and cause noisy logs
● Encrypted/Hashed passwords
● Allow discrete offline attacks
● ClearText passwords
● = win!

22. test
Password attacks
● Interactive
● No encrypted version of the password
– Medusa
– Hydra
● Slow and noisy
● Offline
● Possess an encrypted version of password
– John The Ripper
– Cain
– L0phtcrack
● Quick and discrete but not always possible

23. test
Patching
● Update management
● Need a security policy in the company
● Last patches should always be deployed on ALL
machines
● One vulnerable computer can be the entry point
for the whole network
● As an attacker it's always more convenient to
attack the most vulnerable machine on the
network
● Tools to know : Metasploit, Nessus

24. test
Problems
● Vulnerabilities are often released publicly
● Accessible for anybody
● Automatic script to exploit them
● Typically
● Discovery through a vulnerability scanner like
Nessus
● Exploit the vulnerability with Metasploit
– At the end → total control of the target

25. test
Web Application Vulnerabilities
• Cross-Site Scripting
• SQL Injection
• CSRF Attack

26. test
Application Vulnerabilities
● Target a specific application
● Out of scope for system administrator
● Developers responsability
● The hacker can modify the behavior of the application
● Use of the application that wasn't planned by the
developers
● Nowadays, most likely in web applications

27. test
Parameters
● User can interact with website through parameters :
● GET : parameters sent in the URL
– search.php?query=toto
● POST : parameters sent in the message body
– Usually for forms submission
● These parameters can ALWAYS be tampered by
an attacker
● Tools to know : BurpSuite, Owasp ZAP,
Postman

28. test
Cross-Site Scripting
● Allow code execution in the browser , most likely in
Javascript
● Problem occurs when user inputs are interpreted
as regular client-side source code.
● Hacker can inject HTML tags and Javascript
inside the page
– Control over the display of the page
● Images
● Javascript (Framework & Components)
● Use your page for evil purpose
http://beefproject.com

29. test
XSS - Example
● Vulnerable source code
● Normal Behavior Hijacked

30. test
SQL Injection
● Langage used to query databases
● To select data :
– SELECT column_name FROM table WHERE
condition
● Exemple
– SELECT contenu FROM news WHERE id=1
● Used by website to retrieve persistent information

31. test
SQL Injection examples
● Original request :
● http://site/news.php?id=1
– SELECT * FROM news WHERE id = 1
– Return the news with the id : 1
● Hijacked request :
● http://site/news.php?id=1 OR 1=1
– SELECT * FROM news WHERE id = 1 OR
1=1 // TRUE
– Return all the news !

32. test
SQL Injection example
● Vulnerable code
● Normal behavior Hijacked

33. test
Goal for the hacker
● Hijack authentication process
● Explore the database
● Retrieve hidden information
– Passwords of users and admin
● Interaction with the system through database
● Read file
● Write files
● Command execution

34. test
Cross Site Request Forgery
● Scenario :
● http://mybank.com/?transfer=100&from=123&to=321
● You have a session active => request accepted
● What if I send you that link in a iframe or a mail ?
– I can forge an address to compromise you
– Session is still active so it will be accepted
– CSRF-token = unpredictable token we cannot forge
● We set email or reset password

35. test
What to do as a developer ?
● Learn the basics of security (www.owasp.org)
– OWASP Top 10
● Check your application source code
– OWASP ASVS http://code-artisan.io/owasp-asvs-3-0-cheatsheet/
● Add security tests case to your unit tests
– « OR 1 = 1 »
– « <script>alert(‘hello’)</script> »
● Check the security updates of your tools
– Web Frameworks Security Releases
– Change default configuration !
● Check your security with professional services
– Www.detectify.com OR https://vaddy.net/
– Yours truly

36. test
How to become a hacker ?
Train and learn
– WebGoat
– DVWA (Damn Vulnerable Web App)
– Kali Linux (Security Distribution with all tools)
● Check the tools :
– Metasploit
– SkipFish
– Nikto
– Wpscan

37. test
Conclusion
• Questions ?