Real life hacking101
Uploaded by florent-batard - Category: Engineering
Transcript of Real life hacking101
Real Life Hacking 101
Who am I?
● Batard Florent
● http://code-artisan.io
● @artisan_code
● Security Engineer
– Ethical Hacker for 10 years
– Security Contests (0daysober)
– Globe Trotter (UK, USA, Switzerland, France, Japan)
– Lately on the Defense side as a programmer
Summary
● Introduction
● Information gathering
– Indirect requests
– Direct requests
● System security
– Configuration errors
– Password policy
– Patching
● Web Security
– XSS
– SQL Injection
– CSRF
What is Hacking?
Use or abuse a resource in a way that was not predicted by its creator in order to change its behavior
Attack chronology
● Information gathering
– Getting information about the target
– Indirect / Direct requests
– Fingerprinting
● Analysis
– Determining the security flaw
– Discover the tools to perform the attack
● Attack
– Exploitation
– Expand in the network
– Spread in the internal network
Information gathering
• Introduction
• Indirect requests
• Direct requests
• Fingerprinting
Introduction
● The first step of any attack is the information gathering process
● Identify the entry point of the target
● List all the public information we can use
● Other information can be gathered with technical tools
● The most effective way is « social engineering »
– Contact the target and ask them for sensitive information (Freshman, secretary...)
Indirect requests
● « Whois » database listing
● All the information asked for at the registration process
– Administrative information
● Name, address, phone number
– Technical information
● DNS server
● Email addresses for social engineering
● IP range of the target
● All this information is public
WHOIS
● Use of the tool « whois »
● whois domain.tld or whois IP address
Domain Information:
a. [Domain Name] WHIZZ-TECH.CO.JP
g. [Organization] Whizz Technology Co., Ltd.
l. [Organization Type] Company
m. [Administrative Contact] HS9536JP
n. [Technical Contact] HS9536JP
p. [Name Server] ns1.whizz-tech.co.jp
s. [Signing Key]
[State] Connected (2015/03/31)
[Registered Date] 2005/03/29
[Connected Date] 2005/06/18
[Last Update] 2014/04/01 01:41:01 (JST)
Contact Information: [担当者情報 ]
a. [JPNICハンドル ] HS9536JP
b. [氏名 ] 杉本 展将
c. [Last, First] Sugimoto, Hiroyuki
d. [電子メイル ] [email protected]
f. [組織名 ] 有限会社ウィズテクノロジー
g. [Organization] Whizz Technology Co., Ltd.
k. [部署 ]
l. [Division]
m. [肩書 ] 代表取締役
n. [Title] President
o. [電話番号 ] 06-6242-7288
p. [FAX番号 ]
y. [通知アドレス ] [email protected]
[最終更新 ] 2005/03/29 12:02:01 (JST)
Indirect requests
● SNS
– Every bit of public information published can be used against you
– Information is used to build a password bank tailored to hack you (https://github.com/Netflix/Scumblr)
● People Search
– https://pipl.com/
– http://www.peekyou.com/
Direct requests
● Active discoveries on the network
● Port scan
– Identify open ports
– Several methods can be used
● Fingerprinting
– Getting the banner of services
– Identify service and its version
– Identify the Operating System
Nmap scanning
● Nmap for fingerprinting
● nmap -A x.x.x.x
Nmap Example
Other methods
● SNMP
– Identify SNMP community
– Get information on the target
● Netbios
– Communication protocol for Windows
– Guest/Null account sometimes activated
– Enumerate shared folders
– Enumerate users/groups/administrators
Social Engineering
● The art of manipulating people to make them reveal sensitive information
● Phone the target pretending to be someone else
● The victim often doesn't realize what she is doing
● We will use everything we discovered in the indirect requests
● Most of the time it's the most effective way to retrieve useful information
● Difficult to protect your company
System vulnerabilities
• Configuration mistakes
• Passwords
• Patching
System vulnerability
● What is a « system » vulnerability?
● Configuration mistake
– Leave the default configuration
– High privilege for a low task
● Bad password policy
– Default password
– Weak password
● Bad patching policy
– New vulnerabilities but the OS is not up to date
● Easy exploitation
Configuration error
● Development configuration kept after production deployment
● Devices
– Default SNMP community
– Installation password
● Applications
– Default password
– Debugging activated
– Example files
Password policy
● The most secure system will always be weak if protected by a too simple password
● Usually people will choose the easiest password a system can accept
– Hacking is even easier if passwords aren't strong enough
● Passwords should be encrypted in the application
– If a hacker gets into the database, all passwords will be revealed
● Users usually re-use the same password everywhere
Password types
● Not accessible (stored in database)
– Hacker must interactively break the password and cause noisy logs
● Encrypted/Hashed passwords
– Allow discreet offline attacks
● ClearText passwords
– = win!
Password attacks
● Interactive
– No encrypted version of the password
● Medusa
● Hydra
– Slow and noisy
● Offline
– Possess an encrypted version of the password
● John The Ripper
● Cain
● L0phtcrack
– Quick and discreet but not always possible
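The "slow and noisy" property of interactive attacks is what the defender gets to work with: each guess is a failed login in the logs. The following added example (not from the deck) turns that into a detector: it parses sshd-style authentication lines and flags any source that exceeds a threshold of failures inside a sliding time window. The log lines are constructed for the demo, and the threshold, window and log year are assumptions.

```python
"""Detecting an interactive password attack from failed-login bursts (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): one source hammering several accounts,
# plus a legitimate user who mistypes a password once.
SAMPLE_LOG = """\
Mar 10 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 50001 ssh2
Mar 10 10:00:02 host sshd[1002]: Failed password for root from 203.0.113.7 port 50002 ssh2
Mar 10 10:00:02 host sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 50003 ssh2
Mar 10 10:00:03 host sshd[1004]: Failed password for invalid user guest from 203.0.113.7 port 50004 ssh2
Mar 10 10:00:04 host sshd[1005]: Failed password for root from 203.0.113.7 port 50005 ssh2
Mar 10 10:00:05 host sshd[1006]: Failed password for invalid user oracle from 203.0.113.7 port 50006 ssh2
Mar 10 10:00:09 host sshd[1007]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 10:01:30 host sshd[1008]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Mar 10 10:01:35 host sshd[1009]: Accepted password for alice from 198.51.100.4 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2015):
    """Yield (timestamp, result, user, ip) for each parsable line.
    Syslog lines carry no year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: (max_failures_in_window, distinct_users)} for every source
    that reaches `threshold` failed logins within any `window_seconds` span."""
    failures = defaultdict(list)
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in events[start:end + 1]}
                prev = alerts.get(ip)
                if prev is None or count > prev[0]:
                    alerts[ip] = (count, users)
    return alerts


if __name__ == "__main__":
    for ip, (n, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} failures within 60s against {sorted(users)}")
```

The distinct-user set is worth reporting alongside the count: many accounts from one source is the signature of a wordlist run, while many failures against one account from one source looks more like a user with a forgotten password.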
Patching
● Update management
● Need a security policy in the company
● The latest patches should always be deployed on ALL machines
● One vulnerable computer can be the entry point for the whole network
● As an attacker it's always more convenient to attack the most vulnerable machine on the network
● Tools to know: Metasploit, Nessus
Problems
● Vulnerabilities are often released publicly
– Accessible to anybody
– Automatic scripts to exploit them
● Typically
– Discovery through a vulnerability scanner like Nessus
– Exploit the vulnerability with Metasploit
● At the end → total control of the target
Web Application Vulnerabilities
• Cross-Site Scripting
• SQL Injection
• CSRF Attack
Application Vulnerabilities
● Target a specific application
– Out of scope for the system administrator
– Developers' responsibility
● The hacker can modify the behavior of the application
– Use of the application that wasn't planned by the developers
● Nowadays, most likely in web applications
Parameters
● Users can interact with a website through parameters:
– GET: parameters sent in the URL
● search.php?query=toto
– POST: parameters sent in the message body
● Usually for form submission
● These parameters can ALWAYS be tampered with by an attacker
● Tools to know: BurpSuite, OWASP ZAP, Postman
Cross-Site Scripting
● Allows code execution in the browser, most likely in Javascript
● The problem occurs when user inputs are interpreted as regular client-side source code.
● The hacker can inject HTML tags and Javascript inside the page
– Control over the display of the page
● Images
● Javascript (Framework & Components)
● Use your page for evil purposes
http://beefproject.com
XSS - Example
● Vulnerable source code
● Normal Behavior Hijacked
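The "Vulnerable source code" slide is a screenshot that did not survive the transcript. The following is an added example, not the deck's own code: a search page in the style of the earlier search.php?query=toto parameter, rendered once by reflecting the raw parameter (the XSS condition described above) and once with HTML encoding applied before the value enters an HTML text context. The page template and the probe payload are assumptions of the demo; the payload is the one the "What to do as a developer" slide suggests adding to unit tests, and the check function shows how that test would be written.

```python
"""Reflected XSS: vulnerable rendering beside the encoded version (added example)."""
import html
from urllib.parse import parse_qs

# Constructed page template; the query lands inside an HTML text node.
PAGE = "<html><body><h1>Results for: {query}</h1></body></html>"


def render_vulnerable(query_string: str) -> str:
    """Reflects the raw `query` parameter: attacker-controlled markup becomes
    part of the page, so the browser executes it as the site's own code."""
    params = parse_qs(query_string)
    query = params.get("query", [""])[0]
    return PAGE.format(query=query)


def render_fixed(query_string: str) -> str:
    """HTML-encodes the parameter for the text context it is placed in, so the
    browser displays the characters instead of interpreting them as markup."""
    params = parse_qs(query_string)
    query = params.get("query", [""])[0]
    return PAGE.format(query=html.escape(query, quote=True))


def contains_script_tag(page: str) -> bool:
    """Unit-test style check: does the rendered page carry a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    benign = "query=toto"
    payload = "query=<script>alert('hello')</script>"  # probe from the developer slide
    print(render_vulnerable(benign))
    print(render_vulnerable(payload))  # script tag lands in the page as markup
    print(render_fixed(payload))       # &lt;script&gt;... is shown as text
```

Encoding must match the context the value is written into: `html.escape` is right for element text and quoted attributes, but a value placed inside a `<script>` block or a URL needs that context's own encoding instead.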
SQL Injection
● Language used to query databases
● To select data:
– SELECT column_name FROM table WHERE condition
● Example
– SELECT contenu FROM news WHERE id=1
● Used by websites to retrieve persistent information
SQL Injection examples
● Original request:
– http://site/news.php?id=1
– SELECT * FROM news WHERE id = 1
– Returns the news with the id: 1
● Hijacked request:
– http://site/news.php?id=1 OR 1=1
– SELECT * FROM news WHERE id = 1 OR 1=1 // TRUE
– Returns all the news!
SQL Injection example
● Vulnerable code
● Normal behavior Hijacked
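As with the XSS slide, the "Vulnerable code" screenshot is missing from the transcript. The following added example (not the deck's own code) reproduces the news.php lookup two ways against an in-memory SQLite database: one builds the statement by string concatenation, the other validates the parameter and binds it. The table, its rows and the extra `published` column are constructed for the demo to show how the injected `OR 1=1` from the previous slide also bypasses a filter the developer added.

```python
"""news.php-style lookup: concatenated SQL beside a parameterized query (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table: two published stories and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, contenu TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "Public story", 1), (2, "Second public story", 1), (3, "Unpublished draft", 0)],
    )
    return conn


def get_news_vulnerable(conn: sqlite3.Connection, news_id: str):
    """Builds the query by concatenation, the pattern the slide hijacks with
    id=1 OR 1=1: the parameter becomes part of the SQL grammar, and because
    AND binds tighter than OR, the injected clause overrides the published filter."""
    sql = "SELECT id, contenu FROM news WHERE published = 1 AND id = " + news_id
    return conn.execute(sql).fetchall()


def get_news_fixed(conn: sqlite3.Connection, news_id: str):
    """Validates the type, then passes the value as a bound parameter: the driver
    sends it as data, so it can never change the statement's structure."""
    if not news_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, contenu FROM news WHERE published = 1 AND id = ?"
    return conn.execute(sql, (int(news_id),)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(get_news_vulnerable(conn, "1"))          # [(1, 'Public story')]
    print(get_news_vulnerable(conn, "1 OR 1=1"))   # every row, draft included
    print(get_news_fixed(conn, "1"))               # [(1, 'Public story')]
    try:
        get_news_fixed(conn, "1 OR 1=1")
    except ValueError as e:
        print("rejected:", e)
```

The bound parameter is the actual fix; the `isdigit` check is defence in depth and gives a clean error instead of a database exception for malformed input.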
Goal for the hacker
● Hijack the authentication process
● Explore the database
● Retrieve hidden information
– Passwords of users and admin
● Interaction with the system through the database
– Read files
– Write files
– Command execution
Cross Site Request Forgery
● Scenario:
– http://mybank.com/?transfer=100&from=123&to=321
– You have an active session => request accepted
● What if I send you that link in an iframe or a mail?
– I can forge an address to compromise you
– The session is still active so it will be accepted
– CSRF-token = unpredictable token we cannot forge
● We set the email or reset the password
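The CSRF-token line above is the defence; the following added example (not from the deck) shows the minimum server-side logic behind it for the bank-transfer scenario. The in-memory session store, the login and transfer handlers and the token sizes are assumptions of the demo; no web framework is involved. The point it demonstrates is that a forged request arrives with the victim's cookie, but only the bank's own page can include the token bound to that session.

```python
"""CSRF token bound to the session, checked on a state-changing request (added example)."""
import hmac
import secrets

# Constructed in-memory session store: session_id -> session data.
SESSIONS = {}


def login(user: str) -> str:
    """Creates a session and binds a fresh unpredictable CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """The value the bank's own transfer form embeds as a hidden field."""
    return SESSIONS[session_id]["csrf"]


def handle_transfer(cookie_session_id: str, form: dict) -> str:
    """Accepts the transfer only if the token sent with the request matches the
    one bound to the session. A forged link or iframe carries the victim's
    cookie automatically, but the attacker cannot know the token to include it."""
    session = SESSIONS.get(cookie_session_id)
    if session is None:
        return "rejected: no session"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf"]):
        return "rejected: bad CSRF token"
    return f"ok: {session['user']} moved {form['amount']} from {form['from']} to {form['to']}"


if __name__ == "__main__":
    sid = login("alice")
    # The slide's forged request: the browser attaches the cookie, the
    # attacker's form has no token (or a guessed one).
    print(handle_transfer(sid, {"amount": "100", "from": "123", "to": "321"}))
    # The legitimate submission from the bank's own page includes it.
    print(handle_transfer(sid, {"amount": "100", "from": "123", "to": "321",
                                "csrf_token": csrf_token_for(sid)}))
```

Two details matter in practice: the transfer should be a POST rather than the GET in the slide's URL, so it cannot be triggered by a plain link or image tag, and the token must never be readable cross-origin, otherwise the attacker's page could fetch it first.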
What to do as a developer?
● Learn the basics of security (www.owasp.org)
– OWASP Top 10
● Check your application source code
– OWASP ASVS http://code-artisan.io/owasp-asvs-3-0-cheatsheet/
● Add security test cases to your unit tests
– « OR 1 = 1 »
– « <script>alert('hello')</script> »
● Check the security updates of your tools
– Web Frameworks Security Releases
– Change the default configuration!
● Check your security with professional services
– www.detectify.com or https://vaddy.net/
– Yours truly
How to become a hacker?
● Train and learn
– WebGoat
– DVWA (Damn Vulnerable Web App)
– Kali Linux (Security Distribution with all tools)
● Check the tools:
– Metasploit
– SkipFish
– Nikto
– Wpscan
Conclusion
• Questions?