Upgrade to Pro — share decks privately, control downloads, hide ads and more …

0wn1ng The Web at www.wdcnz.com

Kim Carter
September 08, 2015
Technology
2
1.7k

0wn1ng The Web at www.wdcnz.com

Kim Carter

September 08, 2015
Tweet

More Decks by Kim Carter

See All by Kim Carter
Application Intrusion Detection
binarymist
0
430
owaspnz-chch-meetup-2021-workshop-planning-and-covid
binarymist
0
480
Security Regression Testing on OWASP Zap Node API
binarymist
1
9.5k
Building purpleteam (a Security Regression Testing SaaS) - From PoC to Alpha
binarymist
0
1.2k
OWASP Quiz Night
binarymist
2
1.2k
The Art of Exploitation
binarymist
2
1.1k
Developing a High Performance Security Focussed Agile Team (2 hr workshop)
binarymist
1
750
OWASP NZ Day 2016
binarymist
0
150
Infectious Media with Rubber Ducky
binarymist
1
510

Other Decks in Technology

See All in Technology
コンテナセキュリティのためのLandlock入門
nullpo_head
2
320
レンジャーシステムズ | 会社紹介(採用ピッチ)
rssytems
0
150
AWS re:Invent 2024で発表された コードを書く開発者向け機能について
maruto
0
180
サービスでLLMを採用したばっかりに振り回され続けたこの一年のあれやこれや
segavvy
2
360
TSKaigi 2024 の登壇から広がったコミュニティ活動について
tsukuha
0
160
組織に自動テストを書く文化を根付かせる戦略(2024冬版) / Building Automated Test Culture 2024 Winter Edition
twada
PRO
8
3.2k
Storage Browser for Amazon S3
miu_crescent
1
120
スタートアップで取り組んでいるAzureとMicrosoft 365のセキュリティ対策/How to Improve Azure and Microsoft 365 Security at Startup
yuj1osm
0
210
KubeCon NA 2024 Recap: How to Move from Ingress to Gateway API with Minimal Hassle
ysakotch
0
200
成果を出しながら成長する、アウトプット駆動のキャッチアップ術 / Output-driven catch-up techniques to grow while producing results
aiandrox
0
180
LINEスキマニにおけるフロントエンド開発
lycorptech_jp
PRO
0
330
生成AIをより賢く エンジニアのための RAG入門 - Oracle AI Jam Session #20
kutsushitaneko
4
210

Featured

See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
2
290
Documentation Writing (for coders)
carmenintech
66
4.5k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Keith and Marios Guide to Fast Websites
keithpitt
410
22k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.3k
GitHub's CSS Performance
jonrohan
1030
460k
Designing for Performance
lara
604
68k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.6k
Practical Orchestrator
shlominoach
186
10k
Why Our Code Smells
bkeepers
PRO
335
57k
Thoughts on Productivity
jonyablonski
67
4.4k
Writing Fast Ruby
sferik
628
61k

Transcript

  1. 0wn1ng The Web

  2. Why do We Care?

  3. Reconnaissance

  4. None
  5. None

  6. Vulnerability Scanning

  7. Vulnerability Scanning NMAP

  8. Vulnerability Scanning scanner/ssh/ssh_enumusers SSH Username Enumeration scanner/ssh/ssh_identify_pubkeys SSH Public Key

    Acceptance Scanner scanner/ssh/ssh_login SSH Login Check Scanner scanner/ssh/ssh_login_pubkey SSH Public Key Login Scanner scanner/ssh/ssh_version SSH Version Scanner

  9. Vulnerability Scanning

  10. Vulnerability Scanning

  11. Vulnerability Scanning

  12. Vulnerability Searching https://github.com/offensive-security/exploit-database

  13. Vulnerability Searching https://www.exploit-db.com/

  14. None

  15. Vulnerability Searching

  16. Vulnerability Searching

  17. Vulnerability Searching https://nodesecurity.io/advisories https://web.nvd.nist.gov/view/vuln/search

  18. Exploitation

  19. Exploitation

  20. Exploitation

  21. Exploitation

  22. Veil - Framework Exploitation

  23. Exploitation

  24. Why These Tools?

  25. Demo 1

  26. Countermeasures

  27. Countermeasures Fix XSS vulns

  28. -

  29. Demo 2

  30. Countermeasures

  31. Countermeasures Understanding of Social Engineering

  32. None
  33. None

  34. Demo 3

  35. Countermeasures

  36. Countermeasures Spoofing

  37. None

  38. Exploitation Hooked Browsers... What now?

  39. None
  40. None

  41. Demo 4

  42. Demo 5

  43. Countermeasures

  44. Countermeasures • Long Complex Passwords • Disabling LM Hashing •

    Using SysKey • Eval Physical Access

  45. Documenting / Reporting

  46. None

  47. Following images are used under the Creative Commons: [1], [2]