About Me:
•   Twitter @jhaddix
•   jhaddix@securityaegis.com
•   I blog like I know stuff:
    •   http://www.securityaegis.com
    •   http://www.ethicalhacker.net
•   Former VA/Netpen turned Webpen
•   Currently work for HP Application Security Center
    •   Webpen, Netpen, Mobile, etc…
•   Random Projects
    •   Open Penetration Testers Bookmark Collection
        • http://code.google.com/p/pentest-bookmarks/
    •   Nmap Http-enum fingerprints
    •   ghetto Nessus parsers
    •   Burp hacking presentation

•   No I can’t get you a touchpad
•   I love talking about hacking, and I like to drink Beer & Gin and Tonics
    •   I don’t know if that’s a girly drink in Brussels =(
    •   You’re welcome to educate me…
Words for the Wise:
“Until a man is twenty-five, he still thinks, every so often, that
under the right circumstances he could be the baddest
motherfucker in the world. If (he) moved to a martial-arts
monastery in China and studied real hard for ten years. If (his)
family was wiped out by Colombian drug dealers and (he) swore
(himself) to revenge. If (he) got a fatal disease, had one year to
live, and devoted it to wiping out street crime. If (he) just dropped
out and devoted (his) life to being bad.

Hiro used to feel this way, too, but then he ran into Raven. In a
way, this was liberating. He no longer has to worry about being
the baddest motherfucker in the world. The position is taken.”

― Neal Stephenson, Snow Crash
Workshop:
Done a few conference talks, never done a workshop:

•   I’m going to move fast, you will get the slides from the con.
•   Videos for demos available shortly after the conference
•   If there’s something you want to know just pull me aside sometime or
    catch me around the con, I’ll do my best to answer all questions.
•   You’re pretty much getting a whole class converted to a workshop =).
•   Excuses!
•   http://code.google.com/p/owaspbwa/




•   OK… let’s do it.
• Web Hacking Tool Classes:
   • OSINT (Passive or Semi-Passive)
   • Discovery (usually dir brute-forcing or platform
   identification)
   • Brute Force (password bruting tools)
   • Proxies (usually include spiders)
   • Fuzzers/Scanners (error or vuln identification tools)
   • Exploitation (vuln exploitation tools)
   • Data Aggregation
• What am I, a script kiddie?

   • Yes and no. You’re a pentester, which means you have
   approximately 40 hours to do what a blackhat has months to do.

   • We need to identify technologies faster, find vulns faster, and
   speed up the attack process.

   • We need to identify the best process and tools to use,
   even for our manual web pentesting.
GOAL: Gather data to be useful in a web pentest without
(or minimally) interacting with the target.

   Google Hacking:
      SearchDiggity

   Metadata:
      FOCA

   Email Gathering:
     TheHarvester
     Metasploit
SearchDiggity:
The SearchDiggity tools are basically automation of Google/Bing hacking
queries. Think of about a thousand vulnerability checks executed against
your target, except they never touch the target itself, only the
search engine cache.
GOAL: Free vulnerability checks, aka Google hacking.

SearchDiggity:

• Requires an Ajax Search Query API key
• 100 queries per day unless you register a CC
• Buy a pre-paid Visa for $10
• Find vulns fast
GOAL: Extract domain usernames, internal pathing, software
versions, etc



FOCA:

FOCA is a Windows tool that spiders a domain for documents using Google/Bing/Exalead,
downloads them, and then extracts relevant metadata and server information.

    • http://www.informatica64.com/DownloadFOCA/

I always go see these guys at DC:

    • http://vimeo.com/10602662
    • http://vimeo.com/16706893
GOAL: Extract domain usernames, internal pathing, etc
GOAL: Gather email addresses for forms based logins, etc.

One of the first parts of recon in a pentest is gathering valid login names
and emails. We can use these to profile our target, bruteforce
authentication systems, send client-side attacks (through phishing), look
through social networks for juicy info on platforms and technologies, etc.
Where do we get this info? Well, without doing a full-blown Open Source
Recon (OSINT) style assessment, we can use two simple scripts:

• Metasploit's search_email_collector.rb and

• theHarvester
Metasploit has search_email_collector.rb under modules/auxiliary/gather; it
uses Google, Bing, and Yahoo searches to find addresses.
http://www.metasploit.com/modules/auxiliary/gather/search_email_collector

ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file E

     Running MSF search_email_collector...

      [*] Please wait while we load the module tree...
      [*] Harvesting emails .....
      [*] Searching Google for email addresses from defcon.com
      [*] Extracting emails from Google search results...
      [*] Searching Bing email addresses from defcon.com
      [*] Extracting emails from Bing search results...
      [*] Searching Yahoo for email addresses from defcon.com
      [*] Extracting emails from Yahoo search results...
      [*] Located 7 email addresses for defcon.com
      [*] headsets@defcon.com
      [*] info@defcon.com
      [*] jobs@defcon.com
      [*] nick.s@defcon.com
      [*] nick@defcon.com
      [*] robert@defcon.com
      [*] spr@defcon.com
theHarvester:

theHarvester (just updated to v2.1) has now fixed some of its previous
bugs. It supports searching Google, Bing, PGP servers, Shodan, DNS
bruteforcing, and LinkedIn.

https://code.google.com/p/theharvester/

    zombie@haktop:/tools/email/theHarvester# ./theHarvester.py -d defcon.com -b google -l 500

   Accounts found:
   ===================
   quietpro@defcon.com
   nick.s@defcon.com
   robert@defcon.com
   lynne@defcon.com
   joe@defcon.com
   info@defcon.com
   dtangent@defcon.com
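Both tools print one address per line, so merging their results is straightforward. As an added example (my code, not from the workshop), here is a small Python aggregator run over constructed sample output from both tools: it normalises case, keeps only addresses in the target domain, and records which tool reported each address so you know which hits have been seen by more than one source. The domain example.com and the sample output are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample output in the shape search_email_collector prints (not a real run).
MSF_OUTPUT = """\
[*] Searching Google for email addresses from example.com
[*] Extracting emails from Google search results...
[*] Located 3 email addresses for example.com
[*] info@example.com
[*] jobs@example.com
[*] nick.s@example.com
"""

# Constructed sample output in the shape theHarvester prints (not a real run).
HARVESTER_OUTPUT = """\
Accounts found:
===================
info@example.com
Nick.S@Example.com
lynne@example.com
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(text, domain):
    """Pull every address for `domain` out of one tool's output.

    Both tools list addresses one per line (MSF prefixes them with "[*] "), so a
    regex over the whole text works for either format. Everything is lower-cased
    because the domain part is case-insensitive and the tools disagree on case.
    """
    found = set()
    for match in EMAIL_RE.finditer(text):
        addr = match.group(0).lower()
        if addr.endswith("@" + domain.lower()):
            found.add(addr)
    return found


def merge_sources(domain, **sources):
    """Merge several tools' output into {address: sorted list of source names}."""
    seen = defaultdict(set)
    for name, text in sources.items():
        for addr in extract_emails(text, domain):
            seen[addr].add(name)
    return {addr: sorted(names) for addr, names in sorted(seen.items())}


def local_parts(addresses):
    """Sorted local parts (left of the @), i.e. the login-name candidates."""
    return sorted({addr.split("@", 1)[0] for addr in addresses})


if __name__ == "__main__":
    merged = merge_sources("example.com", msf=MSF_OUTPUT, harvester=HARVESTER_OUTPUT)
    for addr, names in merged.items():
        print(f"{addr:<24} reported by: {', '.join(names)}")
    print("login-name candidates:", local_parts(merged))
```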
There are also a ton of OSINT sites to help identify server information
without ever touching your target yourself:

•   Netcraft (Uptime Survey, server info)
•   Domain Tools (Whois Lookup and Domain info)
•   Centralops.net (traceroute, nslookup, automatic whois lookup, ping, finger)
•   Hackerfantastic.com ( GeoIP, whois, host, dig, blacklists, ping, traceroute & nmap)
•   whois.webhosting.info (WHOIS and Reverse IP Service/virtual hosting info)
•   BING IP Search
•   SSL Labs – Projects / Public SSL Server Database – SSL Server Test
•   SHODAN – Computer Search Engine (indexed port scans and banner grabs)

• Chris Gates presented on OSINT at Brucon 2009
   • http://vimeo.com/6811411

• Other good OSINT resources:
   • http://www.slideshare.net/agent0x0/enterprise-open-source-intelligence-gathering
   • http://www.slideshare.net/Laramies/tactical-information-gathering
Now we need to map the site. Some issues that we need to
deal with when mapping the site are poor Ajax support for
spidering (we go over this later) and finding non-linked
resources. To find non-linked resources we bruteforce
common file/path names, framework paths, etc.

Discovery Tools:

• Dirbuster & Wfuzz
   • SVNDigger Lists
   • FuzzDB and RAFT Lists
       •   (optionally) Nmap HTTP-Enum & CMS Explorer
Dirbuster is a cross-platform directory bruteforcer written in Java (GUI app).

Tips:
• Disable recursion and redirects for faster, leaner bruting (our spiders will
   follow redirects later)
• We can change threading on the fly
• Dirbuster’s built-in lists are from a project that basically spidered the
   whole internet.
Wfuzz is a command line equivalent, with a bit more functionality for
general web fuzzing (filter by response code, word count, character count, etc.):

• http://www.edge-security.com/wfuzz.php




Also has some lists!

301s sometimes redirect to very interesting subdomains or promo pages.
Alright, so for non-linked resources and discovery we can use Dirbuster’s
lists or Wfuzz’s, but they are very generic (that’s not necessarily a bad
thing). Like I mentioned before, Dirbuster’s are based on spidering the
net and aggregating the most common directory data and common
words (partially).

But isn't that finding linked resources? Yes

There are some more options for us as far as lists go:

SVNDigger – a set of directory lists based on the paths of open source
projects on Google Code and SourceForge.

http://www.mavitunasecurity.com/blog/svn-digger-better-lists-for-forced-browsing/

SourceForge and Google Code, 400k words (5000 projects), directories
sorted by project:
     • Type
     • Extension contained
     • Context
     • DB Type

Most coverage/success running the “all” lists, pick as you need.

RAFT Lists:
   http://code.google.com/p/fuzzdb/
        Within the Discovery/PredictableRes path
RAFT is a recent proxy project released at BHUSA 2011, with a set of wordlists for
content discovery based upon spidering 1.7 million “robots.txt” disallows and
contextual framework paths. There’s some overlap with SVNDigger. The lists themselves
are downloadable from the RAFT site but they are also contained in the FuzzDB
Discovery/PredictableRes directory which we’ll be seeing in the tactical fuzzing
section later.

Broken down into directories, words, and files, which takes us to smarter recursive
content discovery…

1. Use raft-large-directories in Dirbuster or Burp
2. Take the successful output and add it to a Burp Intruder setup (cluster bomb) as
   payload set 1
3. Add raft-large-files.txt as the 2nd payload set
Storytime
Hopefully at this point we have some logins or emails to try and bruteforce
authentication from the OSINT section. I prefer Burp Suite’s Intruder Module for
bruteforcing authentication.
1.    Attempt login
2.    Go to the Proxy History tab
3.    Find the POST request
4.    Send to Intruder
5.    Use the Cluster Bomb payload type
6.    Clear all payload positions
7.    Mark the username and password fields as payload positions
8.    Go to the “Payloads” tab
9.    Set “payload set” 1 to your username list
10.   Set “payload set” 2 to your password list
11.   Click on the Intruder menu
12.   Start Attack
13.   Look for different response lengths, or grep for possible successful-auth
      messages under Options
With some valid usernames we want to up our chances of bruting a valid
password. Ron Bowes (@iagox86) has some fantastic password research and has
archived many of the lists that have been leaked on the web.

http://www.skullsecurity.org/blog/2010/the-ultimate-faceoff-between-password-lists

 Huge password repository. Actual user data from hacked sites:
    •   RockYou (Rockyou 75 is a winner)
    •   Phpbb
    •   Myspace
    •   Hotmail
    •   Hak5
    •   Facebook
    •   More…
Just a few…
GOAL: Spider the site, identify fuzz points, chain and feed scanner.


For proxies and spidering I use Burp Suite. There are some good Paros forks (ZAP),
but Burp, even the free version, has much more power and extensibility.
Fiddler is a unique and powerful option as well, due to some great plugins such as
Watcher (for passively identifying user-controllable content) and x5s (for identifying
possible XSS insertion points). These can help us later when we want to start
tactically fuzzing.
Proxies sit between your browser and the site, but they can also enhance your testing
when you chain them with your other tools. This is great if your scanner has a proxy mode:
we walk through the functionality of the site, hit it with two different spider engines,
and finally attack it with our scanner. Additionally, chaining proxies and scanners can
help us deal with auth/session issues in hard-to-scan environments (NTLM/Kerberos). If
you’re sticking with open source tools or non-proxy-mode scanners, you can export your
spider results as links and import them into your scanner.

                      Browser -> Burp -> Scanner (in proxy mode) -> Site

1.   Walk app, executing all Ajax and rich functionality (snaplinks is handy)
2.   Browse to anything from the discovery stage to populate proxy and scanner
3.   Spider with Proxy of choice
4.   (optional, this might pollute your site tree) Fuzz with fuzzer/proxy of choice
5.   Run Scan

This all gets fed to the scanner sitemap/tree. Now the scanner has the best chance of
finding all fuzz points and vulns.
You said scanners! Which ones?!

Shay Chen has some excellent research on the accuracy of open source and commercial
scanners.
     Only covers XSS and SQLi at the moment.
Now that you have the blanket stuff out of the way, it’s time to interpret the proxy and
scanner data for tactical fuzzing points.


     Does this functionality display something back to the user?
       Fuzz for XSS
     Does it interact with a database?
       Fuzz for SQLi or other injections
     Does it call on the server file system?
       Fuzz for LFI/PT
     Does it call on a URL or external/internal site/domain?
       Fuzz for RFI
Tactical Fuzzing? Wtf?
Now we can fully utilize the project we mentioned a few times earlier, the Fuzz
Database:


“ The fuzzdb aggregates known attack patterns, predictable resource names,
server response messages, and other resources like web shells into the most
comprehensive Open Source database of malicious and malformed input test
cases.”
1. Use fuzzdb strings on all the aforementioned forms and parameters.
2. Re-fuzz all parameters that gave errors in the spidering/scanning results.
3. After concretely identifying the platform, re-fuzz/content-discover with that
   platform’s specific lists.
The fuzzdb also has an excellent error/vuln grep file for import into Burp.
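The error-grep idea in code, as an added example of my own (the signatures below are a handful of well-known error strings I constructed in the spirit of that file, not fuzzdb’s list): run it over saved responses and it reports which requests produced database, include or stack-trace errors, so you know which parameters deserve the re-fuzz in step 2, and, from the other side of the fence, which pages leak verbose errors and need a generic error page.

```python
import re

# Constructed signature set: a few common database, PHP and stack-trace error strings.
ERROR_SIGNATURES = {
    "mysql_error": re.compile(r"You have an error in your SQL syntax|mysql_fetch_\w+\(\)", re.I),
    "mssql_error": re.compile(
        r"Unclosed quotation mark after the character string|OLE DB Provider for SQL Server", re.I),
    "oracle_error": re.compile(r"\bORA-\d{5}\b"),
    "php_include": re.compile(
        r"\b(?:include|require)(?:_once)?\([^)]*\): failed to open stream", re.I),
    "php_warning": re.compile(r"<b>(?:Warning|Fatal error)</b>:", re.I),
    "java_trace": re.compile(r"java\.lang\.\w+Exception|\bat [\w.$]+\(\w+\.java:\d+\)"),
    "dotnet_trace": re.compile(r"System\.\w+Exception|\[\w+Exception: "),
}


def grep_response(body):
    """Names of every signature present in one response body, sorted."""
    return sorted(name for name, rx in ERROR_SIGNATURES.items() if rx.search(body))


def triage(responses):
    """Map each request label to the signatures its response tripped.

    `responses` is an iterable of (label, body) pairs, where the label is whatever
    identifies the request and parameter (here the path and query key). Labels
    whose body matched nothing are left out, so the result is the re-fuzz list.
    """
    hits = {}
    for label, body in responses:
        sigs = grep_response(body)
        if sigs:
            hits[label] = sigs
    return hits


# Constructed sample responses keyed by the request that produced them.
SAMPLE_RESPONSES = [
    ("GET /item.php?id=", "<html><body>You have an error in your SQL syntax; check the "
                          "manual that corresponds to your MySQL server version</body></html>"),
    ("GET /page.php?file=", "<b>Warning</b>:  include(missing.php): failed to open stream: "
                            "No such file or directory in /var/www/page.php on line 12"),
    ("GET /search?q=", "<html><body>No results for your query</body></html>"),
    ("POST /checkout", "java.lang.NullPointerException\n\tat com.shop.Cart.total(Cart.java:88)"),
]


if __name__ == "__main__":
    for label, sigs in triage(SAMPLE_RESPONSES).items():
        print(f"{label:<22} -> {', '.join(sigs)}")
```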
When it comes to exploitation tools, mostly we need some automagic tools to exploit
different forms of SQL injection or file include vulnerabilities. For manual testing we
also need a set of web shells.

Our standards are SQLmap, Havij, and SQLninja for SQL injection,

fimap and Metasploit for file include vulnerabilities,

and a common set of web shells from the fuzzdb.
SQLmap is a comprehensive SQL injection tool with the ability to perform many forms of
injection.

SQLmap Tips:

   -l imports a Burp proxy log to pick targets from (when saving in Burp, include only
    your in-scope targets): ./sqlmap -l /root/sqli.txt
   Often we want to force POST parameters; setting --data forces POST:
    --data="userid=test&pass=test"
   We can specify the parameters to test with -p: ./sqlmap -u TARGET -p userid,pass
   --level=LEVEL Level of tests to perform (1-5, default 1) controls the insertion points.
   --risk=RISK Risk of tests to perform (0-3, default 1) controls which test cases run.
    ./sqlmap -l /root/sqli.txt --level=5 --risk=3
   You can max out speed with --threads=10
   --forms will parse and test all forms on the target
   --os-pwn for a possible Meterpreter shell
Other tools mentioned help us in edge cases:

 Havij for very up-to-date WAF evasion (modsec). Use at your own risk.
     http://itsecteam.com/en/projects/project1.htm
 SQLninja when SQLmap will not exploit
     http://sqlninja.sourceforge.net/
 fimap for file include exploitation
     http://code.google.com/p/fimap/
 Metasploit for remote file includes
     exploit/unix/webapp/php_include
We also need some stand-alone shells in several different languages for upload vulns.
Luckily the FuzzDB has these as well.
What about taking XSS beyond alert(‘xss’)?

BeEF is the best tool for JavaScript attacks. It’s more extensible now that it
integrates with Metasploit. We now can:

 Hook the browser with invisible iframes
 Inject/change content on the fly
 Footprint the internal network
 Sniff keystrokes
 Deliver browser-based exploits or Metasploit Meterpreter Java payloads for
   full control of the target
Video
What about web services, SOAP, XML?

With a WSDL and SOAPui proxied through Burp, and tactically fuzzing with the fuzzdb
test cases, we can do more than any script or tool I’ve seen released.
I don’t have a fancy portal to put my data =(

The Dradis framework has been revamped to accept a ton of tool outputs, allowing us to
import data and keep working faster.

Imports:
 Nmap
 Burp
 Nessus
 Metasploit
 Netsparker
 OpenVAS
 w3af

Mindmapping software works well too.
With all this out of the way semi-quickly we can now take more
time to tactically fuzz and test for logic and more obscure
manual checks!
Special thanks go out to:

 Andre Gironda

 Chris Gates, Armando Romeo, Joe McCray, James Fitts, Bernardo Damele, Daniel Miessler,
   Ferruh Mavituna, Shay Chen, Ron Bowes, Adam Muntner, and all tool authors.
The Web Application Hackers Toolchain

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 

The Web Application Hackers Toolchain

  • 6. Web Hacking Tool Classes:
    • OSINT (passive or semi-passive)
    • Discovery (usually dir brute-forcing or platform identification)
    • Brute Force (password bruting tools)
    • Proxies (usually include spiders)
    • Fuzzers/Scanners (error or vuln identification tools)
    • Exploitation (vuln exploitation tools)
    • Data Aggregation
  • 7. What am I, a script kiddie?
    • Yes and no. You're a pentester, which means you have approximately 40 hours to do what a blackhat has months to do.
    • We need to identify technologies faster, find vulns faster, and speed up the attack process.
    • We need to identify the best process and tools to use, even for our manual web pentesting.
  • 8. GOAL: Gather data useful for a web pentest without (or while minimally) interacting with the target.
    • Google Hacking: SearchDiggity
    • Metadata: FOCA
    • Email Gathering: theHarvester, Metasploit
  • 9. SearchDiggity: The SearchDiggity tools are basically automation of Google/Bing hacking queries. Think of about a thousand vulnerability checks executed against your target, except they never actually touch your target, only the search engine cache.
  • 10. GOAL: Free vulnerability checks, aka Google hacking.
    SearchDiggity:
    • Requires an AJAX Search Query API key
    • 100 queries per day unless you register a credit card
    • Buy a pre-paid Visa for $10
    • Find vulns fast
  • 11. GOAL: Extract domain usernames, internal pathing, software versions, etc.
    FOCA: FOCA is a Windows tool that spiders a domain for documents using Google/Bing/Exalead, downloads them, and then extracts relevant metadata and server information.
    • http://www.informatica64.com/DownloadFOCA/
    I always go see these guys at DC:
    • http://vimeo.com/10602662
    • http://vimeo.com/16706893
  • 13. GOAL: Extract domain usernames, internal pathing, etc
  • 14. GOAL: Gather email addresses for forms-based logins, etc.
    One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc.
    Where do we get this info? Without doing a full-blown Open Source Recon (OSINT) style assessment, we can use two simple scripts:
    • Metasploit's search_email_collector.rb
    • theHarvester
  • 15. Metasploit, under modules/auxiliary/gather, has search_email_collector.rb, which uses search techniques for Google, Bing, and Yahoo.
    http://www.metasploit.com/modules/auxiliary/gather/search_email_collector

      ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file E

      Running MSF search_email_collector...
      [*] Please wait while we load the module tree...
      [*] Harvesting emails .....
      [*] Searching Google for email addresses from defcon.com
      [*] Extracting emails from Google search results...
      [*] Searching Bing email addresses from defcon.com
      [*] Extracting emails from Bing search results...
      [*] Searching Yahoo for email addresses from defcon.com
      [*] Extracting emails from Yahoo search results...
      [*] Located 7 email addresses for defcon.com
      [*] headsets@defcon.com
      [*] info@defcon.com
      [*] jobs@defcon.com
      [*] nick.s@defcon.com
      [*] nick@defcon.com
      [*] robert@defcon.com
      [*] spr@defcon.com
  • 16. theHarvester (just updated to v2.1) has now fixed some of its previous bugs. It supports searching Google, Bing, PGP servers, Shodan, DNS bruteforcing, and LinkedIn.
    https://code.google.com/p/theharvester/

      zombie@haktop:/tools/email/theHarvester# ./theHarvester.py -d defcon.com -b google -l 500
      Accounts found:
      ===================
      quietpro@defcon.com
      nick.s@defcon.com
      robert@defcon.com
      lynne@defcon.com
      joe@defcon.com
      info@defcon.com
      dtangent@defcon.com
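    The two tools overlap but neither list is complete, and the slides' output formats differ (the Metasploit module prefixes every address with "[*]", theHarvester prints a bare list). The script below is an added example, not part of this deck or of either tool: it merges both outputs into one deduplicated, domain-filtered address list and derives login-name guesses from the local parts for the authentication brute-force step later on. The embedded sample output is copied from the two defcon.com runs shown above; the username-derivation rules (nick.s → nicks, nick_s, nick) are my own assumption about common naming schemes.

```python
import re
from typing import Iterable, List, Set

# Sample tool output, copied from the two runs shown on the slides (defcon.com).
MSF_OUTPUT = """\
[*] Searching Google for email addresses from defcon.com
[*] Extracting emails from Google search results...
[*] Located 7 email addresses for defcon.com
[*] headsets@defcon.com
[*] info@defcon.com
[*] jobs@defcon.com
[*] nick.s@defcon.com
[*] nick@defcon.com
[*] robert@defcon.com
[*] spr@defcon.com
"""

HARVESTER_OUTPUT = """\
Accounts found:
===================
quietpro@defcon.com
nick.s@defcon.com
robert@defcon.com
lynne@defcon.com
joe@defcon.com
info@defcon.com
dtangent@defcon.com
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(text: str, domain: str) -> Set[str]:
    """Pull every address out of free-form tool output, lower-case it, and keep only the
    target domain (strict match: search engines return plenty of unrelated addresses)."""
    wanted = "@" + domain.lower()
    return {m.group(0).lower() for m in EMAIL_RE.finditer(text)
            if m.group(0).lower().endswith(wanted)}


def merge_sources(outputs: Iterable[str], domain: str) -> List[str]:
    """Union of all sources, sorted, so the list can be fed straight to Intruder later."""
    merged: Set[str] = set()
    for text in outputs:
        merged |= extract_emails(text, domain)
    return sorted(merged)


def username_candidates(emails: Iterable[str]) -> List[str]:
    """Turn local parts into login-name guesses for the auth brute-force stage (assumed
    naming schemes): 'nick.s' yields nick.s, nicks, nick_s and nick; plain parts pass through."""
    names: Set[str] = set()
    for addr in emails:
        local = addr.split("@", 1)[0]
        names.add(local)
        if "." in local:
            first, rest = local.split(".", 1)
            names.add(first + rest.replace(".", ""))
            names.add(local.replace(".", "_"))
            names.add(first)
    return sorted(names)


if __name__ == "__main__":
    emails = merge_sources([MSF_OUTPUT, HARVESTER_OUTPUT], "defcon.com")
    print("%d unique addresses" % len(emails))
    print("\n".join(username_candidates(emails)))
```

    Feed the real tool output in through stdin or a file instead of the embedded strings; the regex does not care which tool produced the text.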
  • 18. There's also a ton of OSINT sites that help identify server information without ever touching your target yourself:
    • Netcraft (uptime survey, server info)
    • Domain Tools (WHOIS lookup and domain info)
    • Centralops.net (traceroute, nslookup, automatic WHOIS lookup, ping, finger)
    • Hackerfantastic.com (GeoIP, whois, host, dig, blacklists, ping, traceroute & nmap)
    • whois.webhosting.info (WHOIS and reverse IP service / virtual hosting info)
    • Bing IP search
    • SSL Labs – Projects / Public SSL Server Database – SSL Server Test
    • SHODAN – computer search engine (indexed port scans and banner grabs)
    • Chris Gates presented on OSINT at Brucon 2009: http://vimeo.com/6811411
    • Other good OSINT resources:
      • http://www.slideshare.net/agent0x0/enterprise-open-source-intelligence-gathering
      • http://www.slideshare.net/Laramies/tactical-information-gathering
  • 19. Now we need to map the site. Some issues we need to deal with when mapping the site are poor Ajax support in spiders (we go over this later) and finding non-linked resources. To find non-linked resources we bruteforce common file/path names, framework paths, etc.
    Discovery Tools:
    • Dirbuster & Wfuzz
    • SVNDigger lists
    • FuzzDB and RAFT lists
    • (optionally) Nmap http-enum & CMS Explorer
  • 20. Dirbuster is a cross-platform directory bruteforcer written in Java (GUI app).
    Tips:
    • Disable recursion and redirects for faster, leaner bruting (our spiders will follow redirects later)
    • We can change threading on the fly
    • Dirbuster's built-in lists are from a project that basically spidered the whole internet.
  • 21. Wfuzz is a command-line equivalent, with a bit more functionality for general web fuzzing (filter by response code, word count, char count, etc.):
    • http://www.edge-security.com/wfuzz.php
    Also has some lists!
  • 22. 301s sometimes redirect to very interesting subdomains or promo pages.
  • 23. Alright, so for non-linked resources and discovery we can use Dirbuster's lists or Wfuzz's, but they are very generic (that's not necessarily a bad thing). Like I mentioned before, Dirbuster's are based off spidering the net and aggregating the most common directory data and common words (partially). But isn't that finding linked resources? Yes. There are some more options for us as far as lists go:
    • SVNDigger – a set of directory lists based on the pathing of open source projects on Google Code and SourceForge.
    • RAFT lists: http://code.google.com/p/fuzzdb/ within the Discovery/PredictableRes path
  • 24. http://www.mavitunasecurity.com/blog/svn-digger-better-lists-for-forced-browsing/
    SourceForge and Google Code, 400k words (5000 projects), directories sorted by project:
    • Type
    • Extension contained
    • Context
    • DB type
    Most coverage/success running the "all" lists; pick as you need.
  • 25. RAFT is a recent proxy project released at BHUSA 2011, with a set of wordlists for content discovery based upon spidering 1.7 million "robots.txt" disallows and contextual framework paths. There's some overlap with SVNDigger. The lists themselves are downloadable from the RAFT site, but they are also contained in the FuzzDB Discovery/PredictableRes directory, which we'll see in the tactical fuzzing section later. They are broken down into directories, words, and files, which takes us to smarter recursive content discovery…
  • 26. Smarter recursive content discovery:
    1. Use raft-large-directories in Dirbuster or Burp
    2. Take the successful output and add it to a Burp Intruder setup (cluster bomb) as payload set 1
    3. Add raft-large-files.txt as the 2nd payload set
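    The three steps above are what Dirbuster and Burp Intruder do for you; the point of doing it in two stages is that the file list is only crossed with directories that actually answered, instead of blind recursion over every word. The script below is an added worked example, not code from this deck or from any of the tools it names. It runs the two-stage scheme against a constructed in-memory target (FAKE_SITE, DIRS, FILES, the intranet hostname and the soft-404 behaviour are all invented) and applies the wfuzz-style filtering the Wfuzz slide mentions: hide by response code and by length relative to a baseline "not found" page, because a host that answers 200 for every unknown path would otherwise report every word in the list as a hit. It also keeps 301s and their Location header instead of following them, which is what the Dirbuster tip about disabling redirects buys you. http_fetch_factory is my own fetcher for a live host and is not exercised by the embedded run.

```python
import itertools
from typing import Callable, Dict, List, Tuple

# A response is (status code, body length in bytes, Location header or "").
Response = Tuple[int, int, str]

# Constructed in-memory target standing in for a live server. It behaves like a
# "soft 404" host: every unknown path answers 200 with the same 2310-byte page,
# so filtering on status code alone would report every word in the list as a hit.
FAKE_SITE: Dict[str, Response] = {
    "/admin/":             (301, 0, "http://intranet.example.com/admin/"),
    "/admin/login.php":    (200, 1842, ""),
    "/backup/":            (403, 169, ""),
    "/backup/db.sql":      (200, 52113, ""),
    "/include/":           (403, 169, ""),
    "/include/config.php": (200, 0, ""),
    "/robots.txt":         (200, 88, ""),
}
SOFT_404: Response = (200, 2310, "")

# Short constructed wordlists standing in for raft-large-directories / raft-large-files.
DIRS = ["admin", "backup", "include", "images", "test"]
FILES = ["login.php", "config.php", "db.sql", "index.html"]


def fake_fetch(path: str) -> Response:
    return FAKE_SITE.get(path, SOFT_404)


def baseline(fetch: Callable[[str], Response]) -> Response:
    """Request a path that cannot exist so we learn what 'not found' looks like on this host."""
    return fetch("/this-should-not-exist-9f3a1c/")


def is_hit(resp: Response, base: Response, tolerance: int = 0) -> bool:
    """wfuzz-style --hc/--hl filtering: drop 404s and anything that looks like the baseline
    'not found' page (same code and, within tolerance, same length). 403 and 3xx are kept:
    a forbidden directory still exists, and a 301 may point somewhere interesting."""
    status, length, _ = resp
    if status == 404:
        return False
    if status == base[0] and abs(length - base[1]) <= tolerance:
        return False
    return True


def two_stage(fetch: Callable[[str], Response], dirs: List[str], files: List[str],
              tolerance: int = 0) -> Dict[str, object]:
    """Stage 1 brute-forces directories; stage 2 cluster-bombs only the directories that
    answered against the file list, which is the Burp Intruder setup from the slide."""
    base = baseline(fetch)
    found_dirs: List[str] = []
    redirects: Dict[str, str] = {}
    for d in dirs:
        path = "/" + d + "/"
        resp = fetch(path)
        if is_hit(resp, base, tolerance):
            found_dirs.append(path)
            if 300 <= resp[0] < 400 and resp[2]:
                redirects[path] = resp[2]   # worth a look by hand (the 301 slide)
    found_files: List[str] = []
    for d, f in itertools.product(found_dirs, files):
        if is_hit(fetch(d + f), base, tolerance):
            found_files.append(d + f)
    return {"dirs": found_dirs, "files": found_files, "redirects": redirects}


def http_fetch_factory(base_url: str) -> Callable[[str], Response]:
    """Fetcher for a real target (not exercised here). Redirects are NOT followed, so a
    301 is reported with its Location rather than silently chased."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None   # makes urllib raise HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)

    def fetch(path: str) -> Response:
        try:
            with opener.open(base_url + path, timeout=10) as r:
                return r.status, len(r.read()), r.headers.get("Location", "")
        except urllib.error.HTTPError as e:
            return e.code, len(e.read()), e.headers.get("Location", "")

    return fetch


if __name__ == "__main__":
    # Swap fake_fetch for http_fetch_factory("http://target.example") against a live host.
    for key, value in two_stage(fake_fetch, DIRS, FILES).items():
        print(key, value)
```

    Exact-length matching works when the soft-404 page is static; if it echoes the requested path, raise tolerance (or compare word counts, as wfuzz can) so the baseline still filters it.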
  • 29. Hopefully at this point we have some logins or emails from the OSINT section to try and bruteforce authentication with. I prefer Burp Suite's Intruder module for bruteforcing authentication.
    1. Attempt login
    2. Go to the Proxy History tab
    3. Find the POST request
    4. Send to Intruder
    5. Use the Cluster Bomb attack type
    6. Clear all payload positions
    7. Mark the username and password fields as payload positions
    8. Go to the "Payloads" tab
    9. Set "payload set" 1 to your username list
    10. Set "payload set" 2 to your password list
    11. Click on the Intruder menu
    12. Start Attack
    13. Look for different response lengths, or grep for possible successful-auth messages under Options
  • 30. With some valid usernames we want to up our chances of bruting a valid password. Ron Bowes (@iagox86) has done some fantastic password research and has archived many of the lists that have been leaked on the web.
    http://www.skullsecurity.org/blog/2010/the-ultimate-faceoff-between-password-lists
    Huge password repository. Actual user data from hacked sites:
    • RockYou (RockYou 75 is a winner)
    • phpBB
    • MySpace
    • Hotmail
    • Hak5
    • Facebook
    • More…
  • 32. GOAL: Spider the site, identify fuzz points, chain and feed the scanner.
    For proxies and spidering I use Burp Suite. There are some good Paros forks (ZAP), but Burp, even the free version, has much more power and extensibility.
  • 33. Fiddler is a unique and powerful option as well, due to some great plugins such as Watcher (for passively identifying user-controllable output) and x5s (for identifying possible XSS insertion points). These can help us later when we want to start tactically fuzzing.
  • 35. Proxies sit between your browser and the site, but they can also enhance your testing when chained with your other tools. This is great if your scanner has a proxy mode: we walk through the functionality of the site, hit it with two different spider engines, and finally attack it with our scanner. Additionally, chaining proxies and scanners can help us deal with auth/session issues in hard-to-scan environments (NTLM/Kerberos). If you're sticking with open source tools or non-proxy-mode scanners, you can export your spider results as links and import them into your scanner.
    Browser -> Burp -> Scanner (in proxy mode) -> Site
    1. Walk the app, executing all Ajax and rich functionality (Snap Links is handy)
    2. Browse to anything from the discovery stage to populate the proxy and scanner
    3. Spider with the proxy of choice
    4. (optional, this might pollute your site tree) Fuzz with the fuzzer/proxy of choice
    5. Run the scan
    This all gets fed to the scanner's sitemap/tree. Now the scanner has the best chance of finding all fuzz points and vulns.
  • 36. You said scanners! Which ones?! Shay Chen has some excellent research on the accuracy of open source and commercial scanners.
    • Only covers XSS and SQLi at the moment
  • 37. Tactical fuzzing? Wtf?
    Now that you have the blanket stuff out of the way, it's time to interpret the proxy and scanner data for tactical fuzzing points.
    • Does this functionality display something back to the user? Fuzz for XSS
    • Does it interact with a database? Fuzz for SQLi or other injections
    • Does it call on the server file system? Fuzz for LFI/PT
    • Does it call on a URL or external/internal site/domain? Fuzz for RFI
  • 38. Now we can fully utilize the project we mentioned a few times earlier, the Fuzz Database: "The fuzzdb aggregates known attack patterns, predictable resource names, server response messages, and other resources like web shells into the most comprehensive Open Source database of malicious and malformed input test cases."
  • 39. Tactical fuzzing with the fuzzdb:
    1. Use fuzzdb strings on all the aforementioned forms and parameters
    2. Re-fuzz all parameters that gave errors in the spidering/scanning results
    3. After concretely identifying the platform, re-fuzz / content-discover with that platform's specific lists
  • 40. The fuzzdb also has an excellent error/vuln grep file for import into Burp:
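    Burp's Grep - Match runs that file over every Intruder response and flags the rows that matched, which is how step 2 on the previous slide (re-fuzz what errored) gets its list. The script below is an added example, not part of this deck and not the fuzzdb file itself: it does the same grep offline with a handful of constructed signatures written in the spirit of fuzzdb's error-message list (the real file is far larger; drop it in place of SIGNATURES), run over four constructed response bodies of the kind fuzzing turns up, and returns per-response categories so you can see which parameters deserve a second pass.

```python
import re
from typing import Dict, List

# Constructed signature set in the spirit of fuzzdb's error-message grep file. These few
# patterns are my own, not fuzzdb's; extend or replace them with the real file.
SIGNATURES: Dict[str, List[str]] = {
    "sql_error": [
        r"You have an error in your SQL syntax",
        r"supplied argument is not a valid MySQL",
        r"Unclosed quotation mark after the character string",
        r"ORA-\d{5}",
        r"PG::SyntaxError|pg_query\(\)",
    ],
    "file_include": [
        r"failed to open stream",
        r"No such file or directory",
        r"include_path=",
    ],
    "stack_trace": [
        r"\bat [\w.$]+\(\w+\.java:\d+\)",
        r"Traceback \(most recent call last\)",
        r"Microsoft \.NET Framework Version",
    ],
    "path_disclosure": [
        r"""(?:[A-Za-z]:\\|/var/www/|/home/\w+/|/usr/local/)[^\s<>"']+""",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in SIGNATURES.items()}

# Constructed response bodies (not captured from any real host); "clean" shows the empty result.
SAMPLES: Dict[str, str] = {
    "mysql": "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL "
             "result resource in /var/www/html/news.php on line 42",
    "lfi": "<b>Warning</b>: include(../../../../etc/passwd): failed to open stream: "
           "No such file or directory in /var/www/html/page.php on line 7",
    "java": "java.lang.NullPointerException\n\tat com.example.web.Login.doPost(Login.java:88)",
    "clean": "<html><body><h1>Welcome</h1><p>Search results for 'test'</p></body></html>",
}


def grep_response(body: str) -> Dict[str, List[str]]:
    """Return {category: [matched snippets]} for one response body; an empty dict means
    nothing fired. Only the first match per pattern is kept, which is enough to triage."""
    hits: Dict[str, List[str]] = {}
    for cat, patterns in COMPILED.items():
        for pat in patterns:
            m = pat.search(body)
            if m:
                hits.setdefault(cat, []).append(m.group(0))
    return hits


def triage(responses: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Run every response through the grep and keep only the ones that matched something:
    that is the list of fuzz points a tester re-fuzzes by hand."""
    flagged: Dict[str, Dict[str, List[str]]] = {}
    for name, body in responses.items():
        hits = grep_response(body)
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(name, hits)
```

    Path disclosure is reported separately on purpose: a full filesystem path in an error is what turns a blind LFI guess into a targeted one in the next round.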
  • 41. When it comes to exploitation tools, mostly we need some automagic tools to exploit different forms of SQL injection or file include vulnerabilities. For manual testing we also need a set of web shells. Our standards are SQLmap, Havij, and SQLninja for SQL injection; fimap and Metasploit for file include vulnerabilities; and a common set of web shells from the fuzzdb.
  • 42. SQLmap is a comprehensive SQL injection tool with the ability to do many forms of injection.
    SQLmap tips:
    • -l can import Burp logs to test your hosts (when saving in Burp, save only your in-scope targets):
        ./sqlmap -l /root/sqli.txt
    • Often we want to force POST parameters; setting --data will force POST:
        --data="userid=test&pass=test"
    • We can specify parameters with -p:
        ./sqlmap -u TARGET -p userid,pass
    • --level=LEVEL  Level of tests to perform (1-5, default 1); has to do with insertion points.
    • --risk=RISK    Risk of tests to perform (0-3, default 1); has to do with test cases.
        ./sqlmap -l /root/sqli.txt --level=5 --risk=3
    • You can max out speed with --threads=10
    • --forms will parse and test all forms on the target
    • --os-pwn for a possible Meterpreter shell
  • 43. The other tools mentioned help us in edge cases:
    • Havij for very up-to-date WAF evasion (ModSecurity). Use at your own risk.
      http://itsecteam.com/en/projects/project1.htm
    • SQLninja when SQLmap will not exploit
      http://sqlninja.sourceforge.net/
    • fimap for file include exploitation
      http://code.google.com/p/fimap/
    • Metasploit for remote file includes
      exploit/unix/webapp/php_include
  • 45. We also need some stand-alone shells in several different languages for upload vulns. Luckily the FuzzDB has these as well.
  • 46. What about taking XSS beyond alert('xss')? BeEF is the best tool for JavaScript attacks. It's more extensible now that it integrates with Metasploit. We can now:
    • Hook the browser with invisible iframes
    • Inject/change content on the fly
    • Footprint the internal network
    • Sniff keystrokes
    • Deliver browser-based exploits or Metasploit Meterpreter Java payloads for full control of the target
  • 47. Video
  • 48. What about web services, SOAP, XML? With a WSDL and SoapUI proxied through Burp, and tactical fuzzing with the fuzzdb test cases, we can do more than any script or tool I've seen released.
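    What SoapUI plus Burp gives you is a well-formed request for each operation with every parameter marked; the fuzzing itself is just payload substitution one element at a time. The generator below is an added example, not part of this deck, SoapUI or fuzzdb: it takes a constructed SOAP 1.1 request for a hypothetical GetOrder operation (the ex: namespace, element names, values and PAYLOADS are all invented for the example) and emits sniper-style cases, one leaf element under soapenv:Body per case with everything else left at its real value, so an error can be tied to a single parameter. Each payload goes out twice: XML-escaped, which reaches the application logic intact, and raw, which hits the XML parser itself, because malformed input is what makes parsers and SOAP stacks leak stack traces. well_formed is a local pre-check that separates the two kinds of case.

```python
import io
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
from typing import Iterator, List, Tuple

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed SOAP 1.1 request for a hypothetical GetOrder operation; the ex:
# namespace, element names and values are invented for this example.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ex="http://example.com/ws/orders">
  <soapenv:Body>
    <ex:GetOrder>
      <ex:customerId>1042</ex:customerId>
      <ex:orderRef>A-77</ex:orderRef>
    </ex:GetOrder>
  </soapenv:Body>
</soapenv:Envelope>"""

# A few strings in the spirit of the fuzzdb attack patterns (constructed here, not fuzzdb's
# files): SQLi, traversal, XSS, a bare ampersand that breaks XML, and an oversize value.
PAYLOADS = ["'", "1 OR 1=1", "../../../../etc/passwd", "<script>alert(1)</script>", "&", "A" * 1024]

Case = Tuple[str, str, bool, str]   # (parameter, payload, escaped?, request body)


def _register_prefixes(template: str) -> None:
    """Keep the template's own prefixes (soapenv, ex) instead of ElementTree's ns0/ns1,
    so the request on the wire looks like the one SoapUI generated."""
    for _, (prefix, uri) in ET.iterparse(io.BytesIO(template.encode()), events=("start-ns",)):
        if prefix:
            ET.register_namespace(prefix, uri)


def fuzz_cases(template: str, payloads: List[str]) -> Iterator[Case]:
    """Sniper-style: one leaf element under soapenv:Body carries the payload per case,
    all other parameters keep their real values. Every payload is emitted twice, escaped
    (application-level test) and raw (parser-level test)."""
    _register_prefixes(template)
    root = ET.fromstring(template)
    body = root.find("{%s}Body" % SOAPENV)
    leaves = [el for el in body.iter() if el is not body and len(el) == 0]
    marker = "__FUZZ__"
    for target in leaves:
        original, name = target.text, target.tag.split("}", 1)[-1]
        target.text = marker                      # ET escapes text, so substitute after serializing
        serialized = '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")
        target.text = original
        for payload in payloads:
            yield name, payload, True, serialized.replace(marker, escape(payload))
            yield name, payload, False, serialized.replace(marker, payload)


def well_formed(xml: str) -> bool:
    """Cheap pre-check: raw cases that fail here exercise the parser, not the operation."""
    try:
        ET.fromstring(xml)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for name, payload, escaped, body in fuzz_cases(TEMPLATE, PAYLOADS):
        kind = "escaped" if escaped else "raw"
        print("%-10s %-7s well-formed=%-5s %r" % (name, kind, well_formed(body), payload[:24]))
```

    Send each body as the POST payload with the operation's SOAPAction header (through Burp, so Intruder's grep and length columns do the triage); the raw cases that are not well-formed are the ones to watch for verbose parser errors.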
  • 49. I don't have a fancy portal to put my data in =(
    The Dradis framework has been revamped to accept a ton of tool outputs, allowing us to import data and keep working faster.
    Imports:
    • Nmap
    • Burp
    • Nessus
    • Metasploit
    • Netsparker
    • OpenVAS
    • w3af
    Mindmapping software works well too.
  • 51. With all this out of the way semi-quickly we can now take more time to tactically fuzz and test for logic and more obscure manual checks!
  • 52. Special thanks go out to:
    • Andre Gironda
    • Chris Gates, Armando Romeo, Joe McCray, James Fitts, Bernardo Damele, Daniel Miessler, Ferruh Mavituna, Shay Chen, Ron Bowes, Adam Muntner, and all tool authors.