0wn1ng The Web at www.wdcnz.com

Kim Carter

September 08, 2015

More Decks by Kim Carter

See All by Kim Carter

Application Intrusion Detection

0

560

owaspnz-chch-meetup-2021-workshop-planning-and-covid

0

590

Security Regression Testing on OWASP Zap Node API

1

10k

Building purpleteam (a Security Regression Testing SaaS) - From PoC to Alpha

0

1.4k

OWASP Quiz Night

2

1.3k

The Art of Exploitation

2

1.2k

Developing a High Performance Security Focussed Agile Team (2 hr workshop)

1

850

OWASP NZ Day 2016

0

210

Infectious Media with Rubber Ducky

1

630

Other Decks in Technology

See All in Technology

管理アカウント単一運用からAWS Organizationsに移行するの大変で滅

0

230

なぜハノーバーメッセに行くべきなのか〜初参加だから語れること〜

0

110

Anthropic AIネイティブ・スタートアップ構築のプレイブックを理解する

0

180

情シスがMCP環境導入時に打ちのめされる認可の崖

0

450

[みん強]AIの価値を最大化するデータ基盤戦略：Self-Service型Data Meshへの転換とAgentic AI Meshに向けた取り組み with Snowflake他

1

180

Geek Woman の育ち方〜コミュニティとAIと〜

0

410

脅威をエンジニアリングの糧にして：恐怖を乗り越えた先にあったもの / Turn threats into fuel for engineering: what lay beyond overcoming fear

1

270

類似画像検索モデルの開発ノウハウ

PRO

3

840

layerx-fde-practices

6

2.7k

ルール・ロール・ツールを創る / Creating Rules, Roles and Tools

PRO

0

160

イベントストーミングとKiroの仕様駆動開発で実現する要件の認識合わせプロセス

5

400

ビジュアルプログラミングIoTLT vol.23

PRO

0

120

Featured

See All Featured

Have SEOs Ruined the Internet? - User Awareness of SEO in 2025

0

350

89

10k

New Earth Scene 8

3

2.3k

How to audit for AI Accessibility on your Front & Back End

0

380

My Coaching Mixtape

0

130

Code Reviewing Like a Champion

528

40k

Fashionably flexible responsive web design (full day workshop)

408

66k

Measuring & Analyzing Core Web Vitals

9

830

GraphQLとの向き合い方2022年版

50

15k

Dealing with People You Can't Stand - Big Design 2015

367

27k

[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails

38

2.9k

How to Ace a Technical Interview

281

24k

Transcript

0wn1ng The Web
Why do We Care?
Reconnaissance
None
None
Vulnerability Scanning
Vulnerability Scanning NMAP
Vulnerability Scanning scanner/ssh/ssh_enumusers SSH Username Enumeration scanner/ssh/ssh_identify_pubkeys SSH Public Key
Acceptance Scanner scanner/ssh/ssh_login SSH Login Check Scanner scanner/ssh/ssh_login_pubkey SSH Public Key Login Scanner scanner/ssh/ssh_version SSH Version Scanner
Vulnerability Scanning
Vulnerability Scanning
Vulnerability Scanning
Vulnerability Searching https://github.com/offensive-security/exploit-database
Vulnerability Searching https://www.exploit-db.com/
None
Vulnerability Searching
Vulnerability Searching
Vulnerability Searching https://nodesecurity.io/advisories https://web.nvd.nist.gov/view/vuln/search
Exploitation
Exploitation
Exploitation
Exploitation
Veil - Framework Exploitation
Exploitation
Why These Tools?
Demo 1
Countermeasures
Countermeasures Fix XSS vulns
-
Demo 2
Countermeasures
Countermeasures Understanding of Social Engineering
None
None
Demo 3
Countermeasures
Countermeasures Spoofing
None
Exploitation Hooked Browsers... What now?
None
None
Demo 4
Demo 5
Countermeasures
Countermeasures • Long Complex Passwords • Disabling LM Hashing •
Using SysKey • Eval Physical Access
Documenting / Reporting
None
Following images are used under the Creative Commons: [1], [2]