Upgrade to Pro — share decks privately, control downloads, hide ads and more …

0wn1ng The Web at www.wdcnz.com

Avatar for Kim Carter Kim Carter
September 08, 2015
Technology
2
1.9k

0wn1ng The Web at www.wdcnz.com

Avatar for Kim Carter

Kim Carter

September 08, 2015
Tweet

More Decks by Kim Carter

See All by Kim Carter
Application Intrusion Detection
Avatar for Kim Carter binarymist
0
500
owaspnz-chch-meetup-2021-workshop-planning-and-covid
Avatar for Kim Carter binarymist
0
550
Security Regression Testing on OWASP Zap Node API
Avatar for Kim Carter binarymist
1
10k
Building purpleteam (a Security Regression Testing SaaS) - From PoC to Alpha
Avatar for Kim Carter binarymist
0
1.3k
OWASP Quiz Night
Avatar for Kim Carter binarymist
2
1.2k
The Art of Exploitation
Avatar for Kim Carter binarymist
2
1.2k
Developing a High Performance Security Focussed Agile Team (2 hr workshop)
Avatar for Kim Carter binarymist
1
790
OWASP NZ Day 2016
Avatar for Kim Carter binarymist
0
190
Infectious Media with Rubber Ducky
Avatar for Kim Carter binarymist
1
580

Other Decks in Technology

See All in Technology
可観測性は開発環境から、開発環境にもオブザーバビリティ導入のススメ
Avatar for LayerX layerx
PRO
2
1k
あなたの知らない Linuxカーネル脆弱性の世界
Avatar for Recruit recruitengineers
PRO
3
160
serverless team topology
Avatar for kensh _kensh
3
230
AI時代におけるデータの重要性 ~データマネジメントの第一歩~
Avatar for 太田 涼一 ryoichi_ota
0
720
AI駆動で進める依存ライブラリ更新 ─ Vue プロジェクトの品質向上と開発スピード改善の実践録
Avatar for sayn0 sayn0
1
320
QA業務を変える(!?)AIを併用した不具合分析の実践
Avatar for ma2ri__ ma2ri
0
150
CREが作る自己解決サイクルSlackワークフローに組み込んだAIによる社内ヘルプデスク改革 #cre_meetup
Avatar for 弁護士ドットコム bengo4com
0
350
ラスベガスの歩き方 2025年版(re:Invent 事前勉強会)
Avatar for JunjiKoide junjikoide
0
270
CNCFの視点で捉えるPlatform Engineering - 最新動向と展望 / Platform Engineering from the CNCF Perspective
Avatar for hhiroshell hhiroshell
0
140
AI時代、“平均値”ではいられない
Avatar for uhyo uhyo
8
2.6k
入院医療費算定業務をAIで支援する:包括医療費支払い制度とDPCコーディング (公開版)
Avatar for Takashi Nishibayashi hagino3000
0
110
What's new in OpenShift 4.20
Avatar for Red Hat Livestreaming redhatlivestreaming
0
290

Featured

See All Featured
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
190
55k
Done Done
Avatar for chrislema chrislema
185
16k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
25k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
84
9.2k
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
514
110k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
354
21k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
57
6.6k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
285
14k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
269
13k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
32
1.7k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
162
15k

Transcript

  1. 0wn1ng The Web

  2. Why do We Care?

  3. Reconnaissance

  4. None
  5. None

  6. Vulnerability Scanning

  7. Vulnerability Scanning NMAP

  8. Vulnerability Scanning scanner/ssh/ssh_enumusers SSH Username Enumeration scanner/ssh/ssh_identify_pubkeys SSH Public Key

    Acceptance Scanner scanner/ssh/ssh_login SSH Login Check Scanner scanner/ssh/ssh_login_pubkey SSH Public Key Login Scanner scanner/ssh/ssh_version SSH Version Scanner

  9. Vulnerability Scanning

  10. Vulnerability Scanning

  11. Vulnerability Scanning

  12. Vulnerability Searching https://github.com/offensive-security/exploit-database

  13. Vulnerability Searching https://www.exploit-db.com/

  14. None

  15. Vulnerability Searching

  16. Vulnerability Searching

  17. Vulnerability Searching https://nodesecurity.io/advisories https://web.nvd.nist.gov/view/vuln/search

  18. Exploitation

  19. Exploitation

  20. Exploitation

  21. Exploitation

  22. Veil - Framework Exploitation

  23. Exploitation

  24. Why These Tools?

  25. Demo 1

  26. Countermeasures

  27. Countermeasures Fix XSS vulns

  28. -

  29. Demo 2

  30. Countermeasures

  31. Countermeasures Understanding of Social Engineering

  32. None
  33. None

  34. Demo 3

  35. Countermeasures

  36. Countermeasures Spoofing

  37. None

  38. Exploitation Hooked Browsers... What now?

  39. None
  40. None

  41. Demo 4

  42. Demo 5

  43. Countermeasures

  44. Countermeasures • Long Complex Passwords • Disabling LM Hashing •

    Using SysKey • Eval Physical Access

  45. Documenting / Reporting

  46. None

  47. Following images are used under the Creative Commons: [1], [2]