0wn1ng The Web at www.wdcnz.com

Kim Carter

September 08, 2015

Tweet

More Decks by Kim Carter

See All by Kim Carter

Application Intrusion Detection

0

530

owaspnz-chch-meetup-2021-workshop-planning-and-covid

0

570

Security Regression Testing on OWASP Zap Node API

1

10k

Building purpleteam (a Security Regression Testing SaaS) - From PoC to Alpha

0

1.4k

OWASP Quiz Night

2

1.3k

The Art of Exploitation

2

1.2k

Developing a High Performance Security Focussed Agile Team (2 hr workshop)

1

820

OWASP NZ Day 2016

0

200

Infectious Media with Rubber Ducky

1

610

Other Decks in Technology

See All in Technology

20260208_第66回コンピュータビジョン勉強会

0

190

クレジットカード決済基盤を支えるSRE - 厳格な監査とSRE運用の両立 (SRE Kaigi 2026)

6

2.8k

SREのプラクティスを用いた3領域同時マネジメントへの挑戦〜SRE・情シス・セキュリティを統合したチーム運営術〜

coconala_engineer

2

730

CDKで始めるTypeScript開発のススメ

1

510

FinTech SREのAWSサービス活用/Leveraging AWS Services in FinTech SRE

0

130

PRO

0

120

10Xにおける品質保証活動の全体像と改善 #no_more_wait_for_test

PRO

2

330

AWS Network Firewall Proxyを触ってみた

1

240

What happened to RubyGems and what can we learn?

0

310

GitHub Issue Templates + Coding Agentで簡単みんなでIaC/Easy IaC for Everyone with GitHub Issue Templates + Coding Agent

1

260

生成AIを活用した音声文字起こしシステムの2つの構築パターンについて

PRO

3

210

配列に見る bash と zsh の違い

3

160

Featured

See All Featured

WENDY [Excerpt]

9

36k

Kristin Tynski - Automating Marketing Tasks With AI

PRO

0

150

How to Grow Your eCommerce with AI & Automation

PRO

1

110

Money Talks: Using Revenue to Get Sh*t Done

0

150

Crafting Experiences

1

50

SEO Brein meetup: CTRL+C is not how to scale international SEO

0

2.3k

Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth

0

54

Between Models and Reality

1

190

B2B Lead Gen: Tactics, Traps & Triumph

0

57

Stewardship and Sustainability of Urban and Community Forests

0

110

Testing 201, or: Great Expectations

46

8.1k

Rails Girls Zürich Keynote

96

14k

Transcript

0wn1ng The Web
Why do We Care?
Reconnaissance
None
None
Vulnerability Scanning
Vulnerability Scanning NMAP
Vulnerability Scanning scanner/ssh/ssh_enumusers SSH Username Enumeration scanner/ssh/ssh_identify_pubkeys SSH Public Key
Acceptance Scanner scanner/ssh/ssh_login SSH Login Check Scanner scanner/ssh/ssh_login_pubkey SSH Public Key Login Scanner scanner/ssh/ssh_version SSH Version Scanner
Vulnerability Scanning
Vulnerability Scanning
Vulnerability Scanning
Vulnerability Searching https://github.com/offensive-security/exploit-database
Vulnerability Searching https://www.exploit-db.com/
None
Vulnerability Searching
Vulnerability Searching
Vulnerability Searching https://nodesecurity.io/advisories https://web.nvd.nist.gov/view/vuln/search
Exploitation
Exploitation
Exploitation
Exploitation
Veil - Framework Exploitation
Exploitation
Why These Tools?
Demo 1
Countermeasures
Countermeasures Fix XSS vulns
-
Demo 2
Countermeasures
Countermeasures Understanding of Social Engineering
None
None
Demo 3
Countermeasures
Countermeasures Spoofing
None
Exploitation Hooked Browsers... What now?
None
None
Demo 4
Demo 5
Countermeasures
Countermeasures • Long Complex Passwords • Disabling LM Hashing •
Using SysKey • Eval Physical Access
Documenting / Reporting
None
Following images are used under the Creative Commons: [1], [2]