I want to be a hacker... but I only look good in a white hat

Transcript

1. I WANT TO BE A HACKER But I only look

   good in a white hat

2. JAKUB GADKOWSKI Back-end developer at Helping to make awesome @jakubga

   WHOAMI

3. WHAT IS PENTESTING?

4. When you break (into) a website legally (and you get

   paid for it).

5. COMMON ATTACK VECTORS

6. PERSISTENT XSS

7. REFLECTED XSS

8. SQL (BLIND) INJECTION

9. CSRF (CROSS SERVER REQUEST FORGERY)

10. DATA MINING

11. MANY MORE (DIRECTORY TRAVERSAL, REMOTE CODE EXECUTION, PRIVILEGE ESCALATION, SESSION

    STEALING, REMOTE FILES INCLUSION)

12. TOOLS

13. None

14. GOOGLE

15. GOOGLE • Data mining:
 site:target.com filetype:doc • SQL Injection/DB identification:


    site:target.com "supplied argument is not a valid MySQL” • For more check “Exploit Database”:
 https://www.exploit-db.com/

16. WPSCAN

17. WPSCAN First of all, update WPscan database:
 wpscan --update Quickscan

    (may require `sudo` on Ubuntu) only enumerate vulnerable plugins:
 wpscan -u domaintocheck.com -e vp

18. WPSCAN Most popular plugins with plugin folder given (more accurate

    results):
 wpscan -u domaintocheck.com -e p --wp-plugins-dir content/plugins/ WPscan can also ‘brute force’ using dictionaries with passwords :
 wpscan -u domaintocheck.com --wordlist popularpass.txt --username admin

19. OWASP ZAP PROXY

20. ZAP PROXY QUICK SCAN • Might be a good idea

    to persist your session for future reference • Be sure you have plenty of memory and space as these sessions can grow quite large (200mb-500mb is standard)

21. ZAP PROXY QUICK SCAN • fill in “URL to attack”

    field with your target address • press “Attack”

22. ZAP PROXY QUICK SCAN • wait until finished • explore

    “Alerts” tab

23. W3AF

24. W3AF QUICK SCAN • Backbox version does not work ‘out

    of the box’ • you need to update it manually.

25. W3AF QUICK SCAN • First select scan type (e.g. OWASP

    Top 10) • Put the address in the “Target” field • Press “Start”

26. W3AF QUICK SCAN • After scan finishes investigate “Results” tab.

27. SQLMAP

28. SQLMAP Once you have a suspect parameter for injection:
 sqlmap

    -u “http://domaintocheck.com/search?search=1” --threads=3 --risk=2 --level=2 If you know your target platform (say MySQL) and want only table names, you can speedup the process:
 sqlmap -u "http://domaintocheck.com/search?search=1" --threads=3 --risk=2 --level=2 --tables --dbms=MySQL
29. None

30. RESOURCES

31. BACKBOX http://www.backbox.org/

32. KALI (AKA BACKTRACK) https://www.kali.org/

33. OWASP The Open Web Application Security Project https://www.owasp.org/

34. WPSCAN VULNERABILITY DATABASE https://wpvulndb.com/

35. ETHICAL HACKING http://www.ehacking.net/

36. OFFENSIVE SECURITY EXPLOIT DATABASE ARCHIVE https://www.exploit-db.com/

37. FOR CONFERENCES & TUTORIALS Do you really need the address?

38. GOOGLE if you do not know the address just google

    it.

39. THANK YOU!