Hacker's Practice Ground - CarolinaCon - 2015

Transcript of Hacker's Practice Ground - CarolinaCon - 2015

Page 1: Hacker's Practice Ground

CarolinaCon 11, March 2015, Raleigh, NC

Lokesh Pidawekar

Page 2

• Master's student in the Information Assurance program at Northeastern University (Boston)
• Interested in penetration testing, vulnerability assessment and responsible disclosure
• Occasionally blogs at Infosecforever.blogspot.com
• @MaverickRocky02, lokeshpidawekar[at]gmail.com

Lokesh Pidawekar 2

Page 3: Disclaimer

The tools and techniques covered in this presentation can be dangerous and are shown only for educational purposes. They can cause system corruption or denial of service, or can be used to conduct illegal activities.

It is a violation of federal and some states' laws to attempt to gain unauthorized access to information assets or systems belonging to others, or to exceed authorized access on systems for which access has not been granted.

Only use these tools with/on systems you own or with written permission from the owner. Use them with extreme caution, at your own risk.

The speaker does not assume any responsibility and shall not be held liable for any illegal use of these tools.

Page 4: Agenda

• Why do we need it
• Creating the practice ground
• Learn it by doing it
• The matches
• Real awards
• Conclusion

Page 5: Why do we need it

Page 6: What's in the name

Penetration testing or pen-testing

According to NIST SP 800-115, "Penetration testing is security testing in which assessors mimic real world attacks to identify methods for circumventing the security features of an application, system or network."

The main thing that separates a penetration tester from an attacker is permission.

Page 7: Why pen-test?

• It's always better to find holes before attackers exploit them
• It increases the security of the computing resources being tested
• It is a requirement of compliance standards such as PCI DSS
• Because vulnerability assessment is not enough

Page 8: How to get started?

There is a need for students to develop penetration testing skills in order to understand the attacker's mindset. But we cannot just start penetration testing on a random target.

It is illegal, I repeat ILLEGAL, to attack any website in the wild.

So how will a curious student like me learn the techniques?

That's the premise of this presentation. We will see how one can start learning pentesting in a controlled environment and LEGALLY.

Page 9

"Know thy self, know thy enemy. A thousand battles, a thousand victories."

- Sun Tzu

Page 10: Creating the practice ground


Page 12: Let the show begin

• Recipe for a pen-testing lab, aka practice ground
  – Some infrastructure: a virtualization environment (VMware/VirtualBox)
  – The attacker
  – The target
  – Some brains

Page 13: The Attacker

• The famous ones
  – Kali Linux (formerly known as BackTrack)
  – Samurai WTF
  – Santoku Linux
  – BackBox Linux
  – Pentoo
  – Android Tamer (because it's the age of mobile)

Page 14: The Target

• Scapegoats are numerous
  – Metasploitable 2 (yes, it got upgrades)
  – DVWA, DVIA etc. – it's Damn Vulnerable
  – WebGoat – learn web app security in tutorial format
  – VulnHub & PentesterLab – images based on a specific vulnerability
  – Android-InsecureBankv2 & GoatDroid
  – Hack.me – no need to install

Page 15: Some brains!!

Page 16: Learn it by doing it

Page 17: Involve me, I will learn

• As the famous quote goes, let's try to see if we can learn from the demo
• Watch tutorials at securitytube.net

Demo Time

1. Kali Linux and Metasploitable2
2. WebGoat
3. Accessing Kali Linux and Metasploitable2 from the local machine


Page 19: The Matches

Page 20: So now you have practiced hard!!

• Time to test the skills learned in the practice ground
• CCDC (Collegiate Cyber Defense Competition) and ISTS (Information Security Talent Search)

CTF time

• Capture the Flag (CTF) or war-games were traditionally outdoor games to uncover mysteries. Is there a digital substitute?

Page 21: CTF / wargames

• There are plenty of CTF games happening throughout the year (check any con)
• Some CTFs are live 365 days a year
  – http://captf.com/practice-ctf/
  – http://overthewire.org/wargames/ – challenges ranging from web apps to the Linux command line and overflows
  – http://io.smashthestack.org/
  – http://www.wechall.net/challs/

Page 22: Online Challenges

• Researchers and companies put online challenges for various attacks
  – https://xss-game.appspot.com/
  – https://github.com/yahoo/webseclab
  – https://google-gruyere.appspot.com/
  – https://github.com/cure53/xss-challenge-wiki/wiki/Older-Challenges-and-Write-Ups


Page 24: Responsible Disclosure

• Because we are white hats
• Learn cool techniques by participating in the bug bounty programs of big targets like Facebook and Google
• Name and fame
• It gives you a chance to make some money
• The security community needs trust from vendors

Page 25: Real Awards


Page 27: Bug Bounty Programs

Google has started a vulnerability research grant program to encourage researchers to look for vulnerabilities in its products (anybody heard about Pwn2Own!! $442,500 paid out to researchers).

Some portals provide you a list of programs and make reporting easy:

• HackerOne
• Bugcrowd
• Synack
• Crowdcurity


Page 29: Some rules to follow

• Write a concise report with proper steps to reproduce the vulnerability
• Only test the security of targets for which you explicitly have permission
• Respect the vendor; do not indulge in malpractice against them
• Do not copy-paste other researchers' reports (there are a hell of a lot of bugs yet to be found)

Page 30: Conclusion

Page 31: Conclusion

• Rapid skill development is key to success in security
• They can't teach everything in class
• It's not easy to gain experience of exploiting all vulnerabilities in the real world
• Defense can be designed well if we know the attacking techniques

Page 32: Questions?