I want to be a hacker... but I only look good in a white hat v2.0

Bigger, longer and uncut version of the Uncon talk with the same title. Presented at PHPAmersfoort meetup in July 2015.

Jakub Gadkowski

July 21, 2015

Transcript

  1. WHAT IS PENTESTING?
    When you break (into) a website legally (and you get paid for it).
  2. REFLECTED XSS
    A malicious JS script is loaded through a vulnerable form or headers. Requires a crafted link passed to the victim.
  3. GOOGLE
    • Data mining:
      site:target.com filetype:doc
    • SQL Injection/DB identification:
      site:target.com "supplied argument is not a valid MySQL"
    • For more check "Exploit Database":
      https://www.exploit-db.com/
  4. WPSCAN
    First of all, update the WPScan database:
      wpscan --update
    Quickscan (may require `sudo` on Ubuntu), only enumerate vulnerable plugins:
      wpscan -u domaintocheck.com -e vp
  5. WPSCAN
    Most popular plugins with plugin folder given (more accurate results):
      wpscan -u domaintocheck.com -e p --wp-plugins-dir content/plugins/
    WPScan can also "brute force" using dictionaries with passwords:
      wpscan -u domaintocheck.com --wordlist popularpass.txt --username admin
  6. ZAP PROXY QUICK SCAN
    • Might be a good idea to persist your session for future reference
    • Be sure you have plenty of memory and space as these sessions can grow quite large (200MB-500MB is standard)
  7. ZAP PROXY QUICK SCAN
    • Fill in the "URL to attack" field with your target address
    • Press "Attack"
  8. W3AF QUICK SCAN
    • The Backbox version does not work "out of the box"
    • You need to update it manually.
  9. W3AF QUICK SCAN
    • First select scan type (e.g. OWASP Top 10)
    • Put the address in the "Target" field
    • Press "Start"
  10. SQLMAP
    Once you have a suspect parameter for injection:
      sqlmap -u "http://domaintocheck.com/search?search=1" --threads=3 --risk=2 --level=2
    If you know your target platform (say MySQL) and want only table names, you can speed up the process:
      sqlmap -u "http://domaintocheck.com/search?search=1" --threads=3 --risk=2 --level=2 --tables --dbms=MySQL
  11. WRITE A REPORT
    Write down all vulnerabilities. Write down all vulnerable addresses. Describe how to replicate the vulnerabilities (give the strings used during pentests). Describe ways to mitigate the vulnerabilities.
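
For the "ways to mitigate" part of a report on the reflected XSS described in slide 2, the following added example (not from the deck) shows a page that reflects a form value and a request header unchanged, next to the same page with context-aware output encoding. The template, function names, sample inputs and header policy are all assumptions constructed for illustration.

```python
import html

# Constructed sample inputs: the kind of values a crafted link or header carries.
CRAFTED_QUERY = '"><script>alert(1)</script>'
CRAFTED_REFERER = "https://example.test/<img src=x onerror=alert(1)>"

# Hypothetical search page: the query lands in an attribute and in body text,
# the Referer header lands in body text.
PAGE = (
    "<form><input name='search' value=\"{query}\"></form>\n"
    "<p>Results for {query}</p>\n"
    "<p>You came from {referer}</p>\n"
)

def render_vulnerable(query: str, referer: str) -> str:
    """Reflects request data into HTML unchanged (the flaw on slide 2)."""
    return PAGE.format(query=query, referer=referer)

def render_hardened(query: str, referer: str) -> str:
    """Encodes every reflected value before it reaches the HTML."""
    # quote=True also encodes " and ', which matters inside value="...".
    return PAGE.format(
        query=html.escape(query, quote=True),
        referer=html.escape(referer, quote=True),
    )

def response_headers() -> dict:
    """Defence in depth: a policy that refuses inline script if encoding is missed."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }

def contains_live_markup(page: str) -> bool:
    """Demo check only: did tags from the request survive as real markup?"""
    return "<script>" in page or "<img src=x" in page

if __name__ == "__main__":
    print("vulnerable:", contains_live_markup(render_vulnerable(CRAFTED_QUERY, CRAFTED_REFERER)))
    print("hardened:  ", contains_live_markup(render_hardened(CRAFTED_QUERY, CRAFTED_REFERER)))
```

Headers need the same treatment as form fields because both arrive from the client; ordinary input renders identically through either function.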