0wn1ng The Web at www.wdcnz.com

Kim Carter

September 08, 2015

Tweet

More Decks by Kim Carter

See All by Kim Carter

Application Intrusion Detection

0

530

owaspnz-chch-meetup-2021-workshop-planning-and-covid

0

570

Security Regression Testing on OWASP Zap Node API

1

10k

Building purpleteam (a Security Regression Testing SaaS) - From PoC to Alpha

0

1.4k

OWASP Quiz Night

2

1.3k

The Art of Exploitation

2

1.2k

Developing a High Performance Security Focussed Agile Team (2 hr workshop)

1

820

OWASP NZ Day 2016

0

200

Infectious Media with Rubber Ducky

1

610

Other Decks in Technology

See All in Technology

SREじゃなかった僕らがenablingを通じて「SRE実践者」になるまでのリアル / SRE Kaigi 2026

6

2.5k

広告の効果検証を題材にした因果推論の精度検証について

PRO

0

210

Why Organizations Fail: ノーベル経済学賞「国家はなぜ衰退するのか」から考えるアジャイル組織論

PRO

1

140

量子クラウドサービスの裏側　〜Deep Dive into OQTOPUS〜

0

140

Bedrock PolicyでAmazon Bedrock Guardrails利用を強制してみた

0

250

コンテナセキュリティの最新事情 ~ 2026年版 ~

2

610

[CV勉強会@関東 World Model 読み会] Orbis: Overcoming Challenges of Long-Horizon Prediction in Driving World Models (Mousakhan+, NeurIPS 2025)

0

140

顧客の言葉を、そのまま信じない勇気

1

360

会社紹介資料 / Sansan Company Profile

PRO

15

400k

CDKで始めるTypeScript開発のススメ

1

510

30万人の同時アクセスに耐えたい！新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026

4

1.3k

Oracle Base Database Service 技術詳細

oracle4engineer

PRO

15

93k

Featured

See All Featured

Imperfection Machines: The Place of Print at Facebook

269

14k

Measuring & Analyzing Core Web Vitals

9

760

Balancing Empowerment & Direction

5

890

The B2B funnel & how to create a winning content strategy

PRO

1

280

The Web Performance Landscape in 2024 [PerfNow 2024]

12

1k

Code Reviewing Like a Champion

527

40k

Build The Right Thing And Hit Your Dates

39

3k

New Earth Scene 8

1

1.5k

It's Worth the Effort

188

29k

Designing Powerful Visuals for Engaging Learning

0

240

How to audit for AI Accessibility on your Front & Back End

0

180

B2B Lead Gen: Tactics, Traps & Triumph

0

56

Transcript

0wn1ng The Web
Why do We Care?
Reconnaissance
None
None
Vulnerability Scanning
Vulnerability Scanning NMAP
Vulnerability Scanning scanner/ssh/ssh_enumusers SSH Username Enumeration scanner/ssh/ssh_identify_pubkeys SSH Public Key
Acceptance Scanner scanner/ssh/ssh_login SSH Login Check Scanner scanner/ssh/ssh_login_pubkey SSH Public Key Login Scanner scanner/ssh/ssh_version SSH Version Scanner
Vulnerability Scanning
Vulnerability Scanning
Vulnerability Scanning
Vulnerability Searching https://github.com/offensive-security/exploit-database
Vulnerability Searching https://www.exploit-db.com/
None
Vulnerability Searching
Vulnerability Searching
Vulnerability Searching https://nodesecurity.io/advisories https://web.nvd.nist.gov/view/vuln/search
Exploitation
Exploitation
Exploitation
Exploitation
Veil - Framework Exploitation
Exploitation
Why These Tools?
Demo 1
Countermeasures
Countermeasures Fix XSS vulns
-
Demo 2
Countermeasures
Countermeasures Understanding of Social Engineering
None
None
Demo 3
Countermeasures
Countermeasures Spoofing
None
Exploitation Hooked Browsers... What now?
None
None
Demo 4
Demo 5
Countermeasures
Countermeasures • Long Complex Passwords • Disabling LM Hashing •
Using SysKey • Eval Physical Access
Documenting / Reporting
None
Following images are used under the Creative Commons: [1], [2]