I want to be a hacker... but I only look good in a white hat v2.0

Transcript

1. I WANT TO BE A HACKER But I only look

   good in a white hat

2. JAKUB GADKOWSKI Back-end developer at Helping to make awesome @jakubga

   WHOAMI

3. WHAT IS PENTESTING?

4. When you break (into) a website legally (and you get

   paid for it). WHAT IS PENTESTING?

5. COMMON ATTACK VECTORS

6. PERSISTENT XSS Malicious JS script persists (e.g. in the database)

   and web app loads it on user visit.

7. REFLECTED XSS Malicious JS script is loaded through vulnerable form

   or headers. Requires crafted link passed to victim.

8. SQL (BLIND) INJECTION Leverages unescaped access to the database allows

   retrieving database information or more.

9. CSRF (CROSS SERVER REQUEST FORGERY) Through unsecured endpoints allows executing

   actions on the target website.

10. DATA MINING Using search engines or special scripts to retrieve

    sensitive data from the website.

11. MANY MORE (DIRECTORY TRAVERSAL, REMOTE CODE EXECUTION, PRIVILEGE ESCALATION, SESSION

    STEALING, REMOTE FILES INCLUSION)

12. TOOLS

13. None

14. GOOGLE

15. GOOGLE • Data mining:
 site:target.com filetype:doc • SQL Injection/DB identification:


    site:target.com "supplied argument is not a valid MySQL” • For more check “Exploit Database”:
 https://www.exploit-db.com/

16. WPSCAN

17. WPSCAN First of all, update WPscan database:
 wpscan --update Quickscan

    (may require `sudo` on Ubuntu) only enumerate vulnerable plugins:
 wpscan -u domaintocheck.com -e vp

18. WPSCAN Most popular plugins with plugin folder given (more accurate

    results):
 wpscan -u domaintocheck.com -e p --wp-plugins-dir content/plugins/ WPscan can also ‘brute force’ using dictionaries with passwords :
 wpscan -u domaintocheck.com --wordlist popularpass.txt --username admin

19. OWASP ZAP PROXY

20. ZAP PROXY QUICK SCAN • Might be a good idea

    to persist your session for future reference • Be sure you have plenty of memory and space as these sessions can grow quite large (200mb-500mb is standard)

21. ZAP PROXY QUICK SCAN • fill in “URL to attack”

    field with your target address • press “Attack”

22. ZAP PROXY QUICK SCAN • wait until finished • explore

    “Alerts” tab

23. W3AF

24. W3AF QUICK SCAN • Backbox version does not work ‘out

    of the box’ • you need to update it manually.

25. W3AF QUICK SCAN • First select scan type (e.g. OWASP

    Top 10) • Put the address in the “Target” field • Press “Start”

26. W3AF QUICK SCAN • After scan finishes investigate “Results” tab.

27. SQLMAP

28. SQLMAP Once you have a suspect parameter for injection:
 sqlmap

    -u “http://domaintocheck.com/search?search=1” --threads=3 -- risk=2 --level=2 If you know your target platform (say MySQL) and want only table names, you can speedup the process:
 sqlmap -u "http://domaintocheck.com/search?search=1" --threads=3 -- risk=2 --level=2 --tables --dbms=MySQL

29. AFTER TESTS

30. WRITE A REPORT

31. WRITE A REPORT Write down all vulnerabilities. Write down all

    vulnerable address. Describe how to replicate vulnerabilities. (give strings used during pentests). Describe ways to mitigate the vulnerabilities.

32. RESOURCES

33. BACKBOX http://www.backbox.org/

34. KALI (AKA BACKTRACK) https://www.kali.org/

35. OWASP The Open Web Application Security Project https://www.owasp.org/

36. WPSCAN VULNERABILITY DATABASE https://wpvulndb.com/

37. DAMN VULNERABLE WEB APP https://github.com/RandomStorm/DVWA

38. THE HACKER NEWS (THN) http://thehackernews.com/

39. ETHICAL HACKING http://www.ehacking.net/

40. OFFENSIVE SECURITY EXPLOIT DATABASE ARCHIVE https://www.exploit-db.com/

41. FOR CONFERENCES & TUTORIALS Do you really need the address?

42. GOOGLE if you do not know the address just google

    it.

43. THANK YOU!