Hacker's Practice Ground - CarolinaCon - 2015
HACKER’S PRACTICE GROUND
CAROLINACON 11, MARCH 2015, RALEIGH, NC
LOKESH PIDAWEKAR
• Masters student in Information Assurance program at Northeastern University (Boston)
• Interested in penetration testing, vulnerability assessment and responsible disclosure
• Occasionally blog at Infosecforever.blogspot.com
• @MaverickRocky02, lokeshpidawekar[at]gmail.com
Lokesh Pidawekar 2
Disclaimer
The tools and techniques covered in the presentation can be dangerous and are being shown only for educational purposes. They can cause system corruption or denial of service, or can be used to conduct illegal activities.
It is a violation of Federal and some states’ laws to attempt to gain unauthorized access to information assets or systems belonging to others, or to exceed authorized access on systems for which access has not been granted.
Only use these tools with/on systems you own or with written permission from the owner. Use them with extreme caution at your own risk.
The speaker does not assume any responsibility and shall not be held liable for any illegal use of these tools.
Agenda
• Why do we need it
• Creating the practice ground
• Learn it by doing it
• The matches
• Real awards
• Conclusion
Why do we need it
What’s in the name
Penetration Testing or pen-testing
According to NIST SP800-115, “Penetration testing is security testing in which assessors mimic real world attacks to identify methods for circumventing the security features of an application, system or network.”
The main thing that separates a penetration tester from an attacker is permission.
Why pen-test?
• It’s always better to find holes before attackers exploit them
• It increases the security of the computing resources being tested
• It is a requirement of compliance standards such as PCI DSS
• Because vulnerability assessment is not enough
How to get started?
There is a need for students to develop penetration testing skills in order to understand the attacker’s mindset. But we cannot just start penetration testing on a random target.
It is illegal, I repeat ILLEGAL, to attack any website in the wild.
So how will a curious student like me learn the techniques?
That’s the premise of this presentation. We will see how one can start learning pentesting in a controlled environment and LEGALLY.
Know thy self, know thy enemy. A thousand battles, a thousand victories
- Sun Tzu
Creating the practice ground
Let the show begin
• Recipe of a pen-testing lab, aka the practice ground
• Some infrastructure: a virtualization environment (VMware/VirtualBox)
• The attacker
• The target
• Some brains
The Attacker
• The famous ones:
– Kali Linux (formerly known as BackTrack)
– Samurai WTF
– Santoku Linux
– BackBox Linux
– Pentoo
– Android Tamer (because it’s the age of mobile)
The Target
• Scapegoats are numerous:
– Metasploitable 2 (yes, it got upgrades)
– DVWA, DVIA etc. – it’s Damn Vulnerable
– WebGoat – learn web app sec in tutorial format
– VulnHub & PentesterLab – images based on a specific vulnerability
– Android-InsecureBankv2 & GoatDroid
– Hack.me – no need to install
Some brains!!
Learn it by doing it
Demo Time
• As the famous quote goes, let’s try to see if we can learn from the demo
• Watch tutorials at securitytube.net
1. Kali Linux and Metasploitable2
2. WebGoat
3. Accessing Kali Linux and Metasploitable2 from the local machine
Involve me, I will learn
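Before the demo of reaching Metasploitable2 from Kali, the practice ground is only safe if the deliberately vulnerable target sits on a host-only or internal network and the attacker VM shares it. The following check is an added example written for this deck, not the speaker's code. It parses the key="value" output of `VBoxManage showvminfo <vm> --machinereadable` (the VirtualBox CLI, for labs built on VirtualBox) and flags a target left on a bridged or NAT adapter; the VM names "kali" and "metasploitable2" and the sample output are constructed for the example.

```python
"""Lab isolation check for a pen-testing practice ground.

Added example for this deck, not the speaker's code. It reads the
key="value" output of `VBoxManage showvminfo <vm> --machinereadable`
and verifies that the vulnerable target VM is attached only to
host-only or internal networks, and that the attacker VM shares one
of those networks so the two can talk. VM names and the sample
output below are constructed for the example.
"""
import re

# Attachment types that keep a VM off the host's real networks.
ISOLATED = {"hostonly", "intnet"}
# Attachment types that would expose a vulnerable target to, or let it
# reach, networks outside the lab.
EXPOSED = {"bridged", "nat", "natnetwork"}

# Constructed samples of `VBoxManage showvminfo --machinereadable` output.
SAMPLE_KALI = '''name="kali"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
'''
SAMPLE_TARGET_OK = '''name="metasploitable2"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
'''
# A common mistake: the target left on a bridged adapter after import.
SAMPLE_TARGET_BAD = '''name="metasploitable2"
nic1="bridged"
bridgeadapter1="eth0"
nic2="none"
'''


def parse_vminfo(text):
    """Turn key="value" lines into a dict (quotes stripped)."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^([^=]+)="?(.*?)"?$', line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def enabled_nics(info):
    """Sorted (index, attachment type, network name) for NICs not set to none."""
    result = []
    for key, attach in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or attach == "none":
            continue
        idx = m.group(1)
        # The network name lives under a type-specific key.
        net = (info.get(f"hostonlyadapter{idx}")
               or info.get(f"intnet{idx}")
               or info.get(f"bridgeadapter{idx}")
               or "")
        result.append((int(idx), attach, net))
    return sorted(result)


def isolation_problems(info):
    """List reasons the VM is not safely isolated; empty list means fine."""
    problems = []
    nics = enabled_nics(info)
    if not nics:
        problems.append("no enabled NIC; the attacker VM cannot reach it")
    for idx, attach, net in nics:
        if attach in EXPOSED:
            where = f" on {net}" if net else ""
            problems.append(f"nic{idx} is '{attach}'{where}")
        elif attach not in ISOLATED:
            problems.append(f"nic{idx} has unknown attachment '{attach}'")
    return problems


def shared_lab_networks(a, b):
    """Isolated networks both VMs are attached to, as (type, name) pairs."""
    nets_a = {(t, n) for _, t, n in enabled_nics(a) if t in ISOLATED}
    nets_b = {(t, n) for _, t, n in enabled_nics(b) if t in ISOLATED}
    return nets_a & nets_b


def check_lab(attacker_text, target_text):
    """Summarise whether the attacker/target pair is ready for the demo."""
    attacker = parse_vminfo(attacker_text)
    target = parse_vminfo(target_text)
    report = {
        "target_problems": isolation_problems(target),
        "shared": sorted(shared_lab_networks(attacker, target)),
    }
    report["ok"] = not report["target_problems"] and bool(report["shared"])
    return report


if __name__ == "__main__":
    for label, target in (("ok", SAMPLE_TARGET_OK), ("bad", SAMPLE_TARGET_BAD)):
        print(label, check_lab(SAMPLE_KALI, target))
```

Against a real lab, feed `check_lab` the stdout of `VBoxManage showvminfo kali --machinereadable` and the same for the target; a non-empty `target_problems` list means the vulnerable image is reachable from beyond the host-only network and should be re-attached before any demo starts.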
The Matches
So now you have practiced hard!!
• Time to test the skills learned in the practice ground
• CCDC (Collegiate Cyber Defense Competition) and ISTS (Information Security Talent Search)
• CTF time
• Capture the Flag (CTF) or war-games were traditionally outdoor games to uncover mysteries. Is there a digital substitute?
CTF / wargames
• There are plenty of CTF games happening throughout the year (check any con)
• Some CTFs are live 365 days:
http://captf.com/practice-ctf/
http://overthewire.org/wargames/ – challenges ranging from web app to Linux command line and overflows
http://io.smashthestack.org/
http://www.wechall.net/challs/
Online Challenges
• Researchers and companies put online challenges for various attacks:
• https://xss-game.appspot.com/
• https://github.com/yahoo/webseclab
• https://google-gruyere.appspot.com/
• https://github.com/cure53/xss-challenge-wiki/wiki/Older-Challenges-and-Write-Ups
Responsible Disclosure
• Because we are white hats
• Learn cool techniques by participating in bug bounty programs of big targets like Facebook and Google
• Name and fame
• It gives you a chance to make some money
• The security community needs trust from vendors
Real Awards
Bug Bounty Programs
Google has started a vulnerability research grant program to encourage researchers to look for vulnerabilities in its products (anybody heard about Pwn2Own!! $442,500 paid out to researchers)
Some portals give you a list of programs and make reporting easy:
• HackerOne
• Bugcrowd
• Synack
• Crowdcurity
Some rules to follow
• Write a concise report with proper steps to reproduce the vulnerability
• Test security only on targets where you explicitly have permission
• Respect the vendor; do not indulge in malpractice against them
• Do not copy-paste other researchers’ reports (there are a hell of a lot of bugs yet to be found)
Conclusion
Conclusion
• Rapid skill development is key to success in security
• They can’t teach everything in class
• It’s not easy to gain experience of exploiting all vulnerabilities in the real world
• Defense can be designed well only if we know the attacking techniques
Questions?