I want to be a hacker... but I only look good in a white hat

Lightning Uncon talk at Dutch PHP Conference 2015

Jakub Gadkowski

June 27, 2015

Transcript

  1. I WANT TO BE A HACKER But I only look good in a white hat

  2. JAKUB GADKOWSKI Back-end developer at Helping to make awesome @jakubga WHOAMI

  3. WHAT IS PENTESTING?

  4. When you break (into) a website legally (and you get paid for it).
  5. COMMON ATTACK VECTORS

  6. PERSISTENT XSS

  7. REFLECTED XSS

  8. SQL (BLIND) INJECTION

  9. CSRF (CROSS-SITE REQUEST FORGERY)

  10. DATA MINING

  11. MANY MORE (DIRECTORY TRAVERSAL, REMOTE CODE EXECUTION, PRIVILEGE ESCALATION, SESSION STEALING, REMOTE FILE INCLUSION)
  12. TOOLS

  13. None

  14. GOOGLE

  15. GOOGLE • Data mining: site:target.com filetype:doc • SQL injection/DB identification: site:target.com "supplied argument is not a valid MySQL" • For more check "Exploit Database": https://www.exploit-db.com/

  16. WPSCAN

  17. WPSCAN First of all, update the WPscan database: wpscan --update (may require `sudo` on Ubuntu). Quick scan, only enumerate vulnerable plugins: wpscan -u domaintocheck.com -e vp

  18. WPSCAN Most popular plugins with the plugin folder given (more accurate results): wpscan -u domaintocheck.com -e p --wp-plugins-dir content/plugins/ WPscan can also 'brute force' using dictionaries with passwords: wpscan -u domaintocheck.com --wordlist popularpass.txt --username admin
  19. OWASP ZAP PROXY

  20. ZAP PROXY QUICK SCAN • Might be a good idea to persist your session for future reference • Be sure you have plenty of memory and space as these sessions can grow quite large (200 MB-500 MB is standard)

  21. ZAP PROXY QUICK SCAN • fill in the "URL to attack" field with your target address • press "Attack"

  22. ZAP PROXY QUICK SCAN • wait until finished • explore the "Alerts" tab

  23. W3AF

  24. W3AF QUICK SCAN • Backbox version does not work 'out of the box' • you need to update it manually.

  25. W3AF QUICK SCAN • First select scan type (e.g. OWASP Top 10) • Put the address in the "Target" field • Press "Start"

  26. W3AF QUICK SCAN • After the scan finishes, investigate the "Results" tab.

  27. SQLMAP

  28. SQLMAP Once you have a suspect parameter for injection: sqlmap -u "http://domaintocheck.com/search?search=1" --threads=3 --risk=2 --level=2 If you know your target platform (say MySQL) and want only table names, you can speed up the process: sqlmap -u "http://domaintocheck.com/search?search=1" --threads=3 --risk=2 --level=2 --tables --dbms=MySQL
  29. None
  30. RESOURCES

  31. BACKBOX http://www.backbox.org/

  32. KALI (AKA BACKTRACK) https://www.kali.org/

  33. OWASP The Open Web Application Security Project https://www.owasp.org/

  34. WPSCAN VULNERABILITY DATABASE https://wpvulndb.com/

  35. ETHICAL HACKING http://www.ehacking.net/

  36. OFFENSIVE SECURITY EXPLOIT DATABASE ARCHIVE https://www.exploit-db.com/

  37. FOR CONFERENCES & TUTORIALS Do you really need the address?

  38. GOOGLE if you do not know the address just google it.
  39. THANK YOU!
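As an added example for the PHP audience of this talk (not code from the slides, and not from any of the tools they list), here is the kind of search endpoint the sqlmap slide points at, written first in the injectable form a scanner would flag and then hardened against the vectors listed on the "common attack vectors" slides: SQL injection, reflected XSS and CSRF. The `articles` table, the in-memory SQLite rows and the `$_SESSION` stand-in are constructed for illustration; in a real application `session_start()` provides the session.

```php
<?php
// Added example for this transcript, not code from the talk. It shows the
// search endpoint used as the sqlmap target above, first as the injectable
// version a scanner would flag and then hardened. The 'articles' table and
// the SQLite demo data are constructed assumptions.
declare(strict_types=1);

// Vulnerable: the request parameter is concatenated into the SQL text and
// echoed back unescaped, so one parameter carries both SQL injection and
// reflected XSS. Any database error surfaces to the caller, which is what
// the "supplied argument is not a valid MySQL" Google dork looks for.
function searchVulnerable(PDO $db, string $term): string
{
    $sql  = "SELECT title FROM articles WHERE title LIKE '%" . $term . "%'";
    $rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    $html = '<p>Results for ' . $term . '</p><ul>';
    foreach ($rows as $title) {
        $html .= '<li>' . $title . '</li>';
    }
    return $html . '</ul>';
}

// Hardened: prepared statement with a bound value (the LIKE wildcards live in
// the bound value, not in the SQL text), HTML escaping on every reflected
// string, and database errors logged server-side instead of shown.
function searchHardened(PDO $db, string $term): string
{
    try {
        $stmt = $db->prepare('SELECT title FROM articles WHERE title LIKE :term');
        $stmt->execute([':term' => '%' . $term . '%']);
        $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        error_log('search query failed: ' . $e->getMessage());
        return '<p>Search is temporarily unavailable.</p>';
    }
    $esc  = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<p>Results for ' . $esc($term) . '</p><ul>';
    foreach ($rows as $title) {
        $html .= '<li>' . $esc($title) . '</li>';
    }
    return $html . '</ul>';
}

// CSRF guard for state-changing forms: a per-session random token placed in
// a hidden form field and compared in constant time on submission.
// Real code calls session_start() first; the demo below fakes the session.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE articles (title TEXT)');
$db->exec("INSERT INTO articles VALUES ('PHP security basics'), ('Unrelated post')");

$term = "O'Reilly";   // a perfectly legitimate search term that contains a quote
echo searchHardened($db, $term), PHP_EOL;    // no match; the term is reflected escaped
echo searchHardened($db, 'PHP'), PHP_EOL;    // matches the first constructed row
try {
    searchVulnerable($db, $term);             // the quote breaks the SQL string literal
} catch (PDOException $e) {
    echo 'vulnerable version leaked a DB error: ', $e->getMessage(), PHP_EOL;
}

$_SESSION = [];                               // stand-in for session_start() in this demo
$token = csrfToken();
var_dump(csrfValid($token));                  // the issued token validates
var_dump(csrfValid('not-the-token'));         // anything else is rejected
```

The same quote character that a scanner uses as a probe is also what a real user types in a name like O'Reilly, so the vulnerable version fails on ordinary traffic as well, and with `display_errors` on it hands the database error to the browser. The hardened version keeps the query shape fixed, escapes every reflected string for the HTML context it lands in, and answers with a generic message while the detail goes to the server log.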