0wn1ng The Web at www.wdcnz.com

September 08, 2015

1.9k

0wn1ng The Web at www.wdcnz.com

Kim Carter

September 08, 2015

Tweet

More Decks by Kim Carter

See All by Kim Carter

Application Intrusion Detection

0

500

owaspnz-chch-meetup-2021-workshop-planning-and-covid

0

550

Security Regression Testing on OWASP Zap Node API

1

10k

Building purpleteam (a Security Regression Testing SaaS) - From PoC to Alpha

0

1.3k

OWASP Quiz Night

2

1.2k

The Art of Exploitation

2

1.2k

Developing a High Performance Security Focussed Agile Team (2 hr workshop)

1

790

OWASP NZ Day 2016

0

190

Infectious Media with Rubber Ducky

1

580

Other Decks in Technology

See All in Technology

Oracle Base Database Service 技術詳細

oracle4engineer

PRO

13

82k

Observability — Extending Into Incident Response

1

260

入院医療費算定業務をAIで支援する：包括医療費支払い制度とDPCコーディング (公開版)

0

110

OCIjp_Oracle AI World_Recap

1

180

serverless team topology

3

230

CNCFの視点で捉えるPlatform Engineering - 最新動向と展望 / Platform Engineering from the CNCF Perspective

0

140

AI時代におけるデータの重要性 ~データマネジメントの第一歩~

0

710

ViteとTypeScriptのProject Referencesで大規模モノレポのUIカタログのリリースサイクルを高速化する

3

200

Linux カーネルが支えるコンテナの仕組み / LF Japan Community Days 2025 Osaka

1

120

SCONE - 動画配信の帯域を最適化する新プロトコル

1

370

個人でデジタル庁のデザインシステムをVue.jsで作っている話

nishiharatsubasa

3

5.1k

ソースを読む時の思考プロセスの例-MkDocs

PRO

1

170

Featured

See All Featured

Stop Working from a Prison Cell

272

21k

RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub

140

34k

Building a Modern Day  E-commerce SEO Strategy

44

7.8k

Java REST API Framework Comparison - PWX 2021

34

8.9k

Sharpening the Axe: The Primacy of Toolmaking

46

2.5k

Designing Dashboards & Data Visualisations in Web Apps

231

53k

The Pragmatic Product Professional

36

7k

Into the Great Unknown - MozCon

40

2.1k

How GitHub (no longer) Works

315

140k

Rails Girls Zürich Keynote

95

14k

41

3.7k

Distributed Sagas: A Protocol for Coordinating Microservices

333

22k

Transcript

0wn1ng The Web
Why do We Care?
Reconnaissance
None
None
Vulnerability Scanning
Vulnerability Scanning NMAP
Vulnerability Scanning scanner/ssh/ssh_enumusers SSH Username Enumeration scanner/ssh/ssh_identify_pubkeys SSH Public Key
Acceptance Scanner scanner/ssh/ssh_login SSH Login Check Scanner scanner/ssh/ssh_login_pubkey SSH Public Key Login Scanner scanner/ssh/ssh_version SSH Version Scanner
Vulnerability Scanning
Vulnerability Scanning
Vulnerability Scanning
Vulnerability Searching https://github.com/offensive-security/exploit-database
Vulnerability Searching https://www.exploit-db.com/
None
Vulnerability Searching
Vulnerability Searching
Vulnerability Searching https://nodesecurity.io/advisories https://web.nvd.nist.gov/view/vuln/search
Exploitation
Exploitation
Exploitation
Exploitation
Veil - Framework Exploitation
Exploitation
Why These Tools?
Demo 1
Countermeasures
Countermeasures Fix XSS vulns
-
Demo 2
Countermeasures
Countermeasures Understanding of Social Engineering
None
None
Demo 3
Countermeasures
Countermeasures Spoofing
None
Exploitation Hooked Browsers... What now?
None
None
Demo 4
Demo 5
Countermeasures
Countermeasures • Long Complex Passwords • Disabling LM Hashing •
Using SysKey • Eval Physical Access
Documenting / Reporting
None
Following images are used under the Creative Commons: [1], [2]