I want to be a hacker... but I only look good in a white hat

Lightning Uncon talk at Dutch PHP Conference 2015

Jakub Gadkowski

June 27, 2015

Transcript

  1. I WANT TO BE A HACKER
    But I only look good in a white hat

  2. JAKUB GADKOWSKI
    Back-end developer at
    Helping to make awesome
    @jakubga
    WHOAMI

  3. WHAT IS PENTESTING?

  4. When you break (into) a website
    legally (and you get paid for it).

  5. COMMON ATTACK VECTORS

  6. PERSISTENT XSS

  7. REFLECTED XSS

  8. SQL (BLIND) INJECTION

  9. CSRF
    (CROSS-SITE REQUEST FORGERY)

  10. DATA MINING

  11. MANY MORE
    (DIRECTORY TRAVERSAL, REMOTE CODE EXECUTION, PRIVILEGE
    ESCALATION, SESSION STEALING, REMOTE FILE INCLUSION)
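The slides only name the attack vectors. As an added example (not part of the talk, and not code from any project it mentions), the block below shows the three most common ones from the list as the bug a developer writes next to the fix: XSS (persistent or reflected, both come down to unescaped output), SQL injection (a string-built query next to a bound parameter) and CSRF (a state-changing request that accepts anything with a session cookie next to one that demands a session-bound token). It uses only the Python standard library; the in-memory product table, the session ids and the form dictionaries are constructed sample inputs, and SERVER_KEY stands in for a key a real deployment would keep server-side.

```python
# Added example, not from the talk: vulnerable snippet next to its hardened form
# for XSS, SQL injection and CSRF. Standard library only; all inputs constructed.
import hashlib
import hmac
import html
import secrets
import sqlite3


# --- XSS (persistent or reflected): the defect is unescaped output -------------
def render_comment_vulnerable(comment: str) -> str:
    # User-controlled text is dropped straight into the HTML document.
    return f"<p>{comment}</p>"


def render_comment_hardened(comment: str) -> str:
    # Escape at output time so the browser treats the text as text, not markup.
    return f"<p>{html.escape(comment, quote=True)}</p>"


# --- SQL injection: the defect is a query assembled from strings -----------------
def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a product catalogue; rows with
    # secret = 1 must never be returned by the public search.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, secret INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 0), (2, "gadget", 0), (3, "internal", 1)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The search term is concatenated into the statement, so a quote in the
    # term ends the literal and the rest of the term is parsed as SQL.
    rows = conn.execute(
        f"SELECT name FROM products WHERE name = '{term}' AND secret = 0")
    return [r[0] for r in rows]


def search_hardened(conn: sqlite3.Connection, term: str) -> list:
    # Bound parameter: the driver sends the term as data, never as SQL text.
    rows = conn.execute(
        "SELECT name FROM products WHERE name = ? AND secret = 0", (term,))
    return [r[0] for r in rows]


# --- CSRF: a state-changing request must carry a secret other sites cannot read
SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment key, server-side only


def csrf_token(session_id: str) -> str:
    # Token derived from the session id, so a token issued to one session is
    # useless when replayed with another session's cookie.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def change_email_vulnerable(session_id: str, form: dict) -> bool:
    # Accepts any POST that arrives with the session cookie, wherever the form
    # that sent it was hosted.
    return bool(form.get("email"))


def change_email_hardened(session_id: str, form: dict) -> bool:
    # Refuse the change unless the form carries the token for this session;
    # constant-time comparison avoids leaking how much of the token matched.
    supplied = form.get("csrf_token", "")
    expected = csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    return bool(form.get("email"))
```

The hardened search never returns the hidden row for any term, because the term cannot change the shape of the query; the hardened email change refuses a request that lacks a token or carries one minted for a different session.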

  12. TOOLS

  14. GOOGLE

  15. GOOGLE
    • Data mining:
      site:target.com filetype:doc
    • SQL Injection/DB identification:
      site:target.com "supplied argument is not a valid MySQL"
    • For more check "Exploit Database":
      https://www.exploit-db.com/

  16. WPSCAN

  17. WPSCAN
    First of all, update the WPScan database:
      wpscan --update
    Quick scan (may require `sudo` on Ubuntu), enumerating only
    vulnerable plugins:
      wpscan -u domaintocheck.com -e vp

  18. WPSCAN
    Most popular plugins, with the plugin folder given (more accurate results):
      wpscan -u domaintocheck.com -e p --wp-plugins-dir content/plugins/
    WPScan can also brute-force passwords using a dictionary:
      wpscan -u domaintocheck.com --wordlist popularpass.txt --username admin

  19. OWASP ZAP PROXY

  20. ZAP PROXY QUICK SCAN
    • It might be a good idea to persist your session for future reference.
    • Be sure you have plenty of memory and disk space, as these sessions
      can grow quite large (200-500 MB is standard).

  21. ZAP PROXY QUICK SCAN
    • Fill in the "URL to attack" field with your target address.
    • Press "Attack".

  22. ZAP PROXY QUICK SCAN
    • Wait until it has finished.
    • Explore the "Alerts" tab.

  23. W3AF

  24. W3AF QUICK SCAN
    • The BackBox version does not work "out of the box";
    • you need to update it manually.

  25. W3AF QUICK SCAN
    • First select the scan type (e.g. OWASP Top 10).
    • Put the address in the "Target" field.
    • Press "Start".

  26. W3AF QUICK SCAN
    • After the scan finishes, investigate the "Results" tab.

  27. SQLMAP

  28. SQLMAP
    Once you have a suspect parameter for injection:
      sqlmap -u "http://domaintocheck.com/search?search=1" --threads=3 --risk=2 --level=2
    If you know your target platform (say MySQL) and want only the table
    names, you can speed up the process:
      sqlmap -u "http://domaintocheck.com/search?search=1" --threads=3 --risk=2 --level=2 --tables --dbms=MySQL
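The WPScan and sqlmap runs on the previous slides are noisy, and the site owner's side of the same story is spotting them in the access log. As an added example (not part of the talk, and not code from either tool), the block below triages constructed Combined Log Format lines and flags source IPs that look like those runs. Three heuristics are used, all of them assumptions about tool behaviour rather than something the slides state: the tools' default User-Agent strings contain "WPScan" and "sqlmap"; WPScan's plugin enumeration requests each candidate plugin's readme.txt under /wp-content/plugins/; and injection testing leaves quote-plus-operator fragments in the query string. The User-Agent check is the weakest of the three, since it is trivial to change, which is why the path-based checks are there as well.

```python
# Added example, not from the talk: access-log triage that flags scanner-like
# traffic. Log lines are constructed; the User-Agent fragments and the
# readme.txt enumeration pattern are assumptions about tool defaults.
import re
from collections import Counter, defaultdict

# Combined Log Format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Assumed default User-Agent fragments of the two tools (compared lower-cased).
SCANNER_UA = ("wpscan", "sqlmap")
# Assumed WPScan plugin-enumeration footprint: one readme.txt per candidate plugin.
PLUGIN_README = re.compile(r"^/wp-content/plugins/[^/]+/readme\.txt$", re.I)
# Quote (raw or URL-encoded) followed by a boolean operator, or other classic
# injection-test fragments, in the request path or query string.
SQLI_MARKERS = re.compile(
    r"(?:%27|')(?:%20|\s)*(?:or|and)\b|union(?:%20|\s)+select|sleep\(", re.I)


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not CLF."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> set:
    """Tags saying why a single request looks scanner-like (empty if it does not)."""
    tags = set()
    if any(s in entry["ua"].lower() for s in SCANNER_UA):
        tags.add("scanner-ua")
    if PLUGIN_README.match(entry["path"]):
        tags.add("plugin-readme-probe")
    if SQLI_MARKERS.search(entry["path"]):
        tags.add("sqli-probe")
    return tags


def triage(lines, readme_threshold: int = 5) -> dict:
    """Map each suspicious source IP to the human-readable reasons it was flagged.

    A single readme.txt request is normal (caches, crawlers); only a burst of
    them from one IP is reported, hence the threshold.
    """
    per_ip = defaultdict(Counter)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skipped, not treated as evidence
        for tag in classify(entry):
            per_ip[entry["ip"]][tag] += 1
    findings = {}
    for ip, counts in per_ip.items():
        reasons = []
        if counts["scanner-ua"]:
            reasons.append(f"scanner User-Agent ({counts['scanner-ua']} requests)")
        if counts["plugin-readme-probe"] >= readme_threshold:
            reasons.append(
                f"plugin readme enumeration ({counts['plugin-readme-probe']} requests)")
        if counts["sqli-probe"]:
            reasons.append(f"SQL injection probes ({counts['sqli-probe']} requests)")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample log: a WPScan-style plugin sweep, two sqlmap-style boolean
# tests, one ordinary visitor and one junk line.
SAMPLE_LOG = [
    f'203.0.113.5 - - [27/Jun/2015:10:00:{i:02d} +0200] '
    f'"GET /wp-content/plugins/plugin-{i}/readme.txt HTTP/1.1" 404 209 "-" '
    f'"WPScan v2.8 (http://wpscan.org)"'
    for i in range(1, 7)
] + [
    '198.51.100.7 - - [27/Jun/2015:10:05:00 +0200] '
    '"GET /search?search=1%27%20AND%201%3D1 HTTP/1.1" 200 4012 "-" '
    '"sqlmap/1.0 (http://sqlmap.org)"',
    '198.51.100.7 - - [27/Jun/2015:10:05:01 +0200] '
    '"GET /search?search=1%27%20AND%201%3D2 HTTP/1.1" 200 3950 "-" '
    '"sqlmap/1.0 (http://sqlmap.org)"',
    '192.0.2.10 - - [27/Jun/2015:10:06:00 +0200] '
    '"GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run as a script it prints one line per flagged IP; fed a real log (one line per element of `lines`) it works the same way, and the threshold and the regexes are the knobs to tune against your own traffic.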

  30. RESOURCES

  31. BACKBOX
    http://www.backbox.org/

  32. KALI (AKA BACKTRACK)
    https://www.kali.org/

  33. OWASP
    The Open Web Application Security Project
    https://www.owasp.org/

  34. WPSCAN VULNERABILITY DATABASE
    https://wpvulndb.com/

  35. ETHICAL HACKING
    http://www.ehacking.net/

  36. OFFENSIVE SECURITY EXPLOIT DATABASE ARCHIVE
    https://www.exploit-db.com/

  37. FOR CONFERENCES & TUTORIALS
    Do you really need the address?

  38. GOOGLE
    If you do not know the address, just google it.

  39. THANK YOU!