Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
Web Penetration
and Hacking Tools
David Epler
Security Architect
depler@aboutweb.com
About Me
• Application Developer originally
• Contributor to Learn CF In a Week
• OWASP Individual Member
• OWASP Zed Atta...
About the Session
• What will NOT be covered
• How to fix your code
• How to secure your OS, Web Server,
Database Server, ...
About the Session
• What will be covered
• Recent events in security and hacking
• Demonstration of various penetration
te...
About the Demos
• Virtual Machines, not live servers
• BackTrack/Kali Linux
• OWASP Broken Web Apps
• Windows 7 & Server 2...
205Average number of days a network is
compromised by a hacker before discovery

Down from 229 days in 2014 as reported by...
Broken SSL/TLS
goto$fail;$
goto$fail;
Heartbleed
• At disclosure 615,268 of the Internet's
secure web servers were vulnerable
• May 8, 2014 - 318,239
• June 21,...
Qualys SSL Server Test
https://www.ssllabs.com/ssltest/
OWASP Top Ten (2013)
A1: Injection
A6: Sensitive Data
Exposure
A3: Cross-Site
Scripting (XSS)
A2: Broken
Authentication
an...
Vulnerability Prevalence
from VeraCode SoSS
Cross Site Scripting!
(XSS)
SQL Injection
Information Leakage
Directory Traver...
Things you’ll never
see in logs
• Internet search engines used for passive
reconnaissance
• Google Hacks
• Internet Archiv...
OWASP Top Ten (2013)
A1: Injection
A6: Sensitive Data
Exposure
A3: Cross-Site
Scripting (XSS)
A2: Broken
Authentication
an...
OWASP Top Ten (2013)
A1: Injection
A6: Sensitive Data
Exposure
A3: Cross-Site
Scripting (XSS)
A2: Broken
Authentication
an...
• Stacked Queries
• http://www.victim.com/products.asp?id=1;exec
+master..xp_cmdshell+'dir'
• Tautology
• http://www.victi...
Demo
• Tool
• sqlmap
• Target
• OWASP Broken Web Apps
• Apache 2.2.14 + PHP 5.3.2
• MySQL 5.1.41
sqlmap Demo
• http://www.youtube.com/watch?
v=8Id6XUOcw3E
Adobe Password
Analysis
From http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-
disaster-adobes-giant-sized...
Adobe Password
Analysis
From http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-
disaster-adobes-giant-sized...
Adobe Password
Analysis
From http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-
disaster-adobes-giant-sized...
Password Cracking
• Techniques
• Rainbow Tables
• Brute Force
• Dictionary/Word Lists
• Hybrid
!
• RockYou.com (Dec 2009)
...
25 GPU HPC Cluster
• Presented by Jeremi Gosney at
Passwords^12 Conference
• 5 - 4U Servers
• 25 Radeon GPUs
• Hashcat
Reported Benchmarks of
25 GPU HPC cluster
MD5
SHA1
BCrypt (05)
Attempts per Second
0 100,000,000,000 200,000,000,000
71,00...
Gosney vs
LinkedIn Password Hashes
PercentCracked
0%
20%
40%
60%
80%
100%
30 seconds 2 hours 1 day 6 days
90%
64%
53%
21%
OWASP Top Ten (2013)
A3: Cross-Site
Scripting (XSS)
A1: Injection
A6: Sensitive Data
Exposure
A2: Broken
Authentication
an...
OWASP Top Ten (2013)
A3: Cross-Site
Scripting (XSS)
A1: Injection
A6: Sensitive Data
Exposure
A2: Broken
Authentication
an...
• Stored
• Attacker’s script is stored on the server
(e.g. blog comments, forums) and later
displayed in HTML pages, witho...
Cross-Site Scripting (XSS)
Demo
• Tools
• BeEF (Browser Exploitation Framework)
• Metasploit
• Target
• OWASP Broken Web Apps
• Apache 2.2.14 + PHP 5...
BeEF Demo
• http://www.youtube.com/watch?
v=U27bEwZixN4
OWASP Top Ten (2013)
A5: Security
Misconfiguration
A4: Insecure
Direct Object
References
A2: Broken
Authentication
and Ses...
OWASP Top Ten (2013)
A5: Security
Misconfiguration
A4: Insecure
Direct Object
References
A2: Broken
Authentication
and Ses...
• Stolen Data Headers from the Federal Reserve Hack
(Feb 2013)
• Downed US vuln catalog infected for at least TWO
MONTHS (...
Demo
• Tool
• Published Exploit Script
• Target
• Windows Server 2008 R2
• IIS 7.5 + ColdFusion 10 w/ Update 9
• Secure Pr...
Exploit Script Demo
• http://www.youtube.com/watch?
v=XsQWK_UaASk
If you don’t secure your stuff, you are just making it easy for hackers 

and they DON’T mostly come at night.
So should you just turn
everything off and unplug it?
• Web application firewall (WAF) are used to
protect web applications without the need to
modify them
• Can be an applianc...
• Open source, free web application firewall
• Apache, IIS 7, Nginx, reverse proxy
• Security Models
• Negative Security M...
• Provide automated way to test web
application for vulnerabilities
• Static vs Dynamic Analysis
• Can be challenging to s...
Book
The Web Application Hacker's
Handbook: Finding and Exploiting
Security Flaws, Second Edition
by  Dafydd Stuttard and ...
• Blog: http://www.dcepler.net
• Email: depler@aboutweb.com
• Twitter: @dcepler
Q&A - Thanks
• Tools
• sqlmap
• BeEF
• Metasploit
!
• Virtual Machines/Live CDs
• Kali Linux
• Samurai Web Testing Framework
• OWASP Br...
• Security Benchmarks/Guides
• CIS Benchmarks
• DISA STIG
• Microsoft Security Compliance Manager
!
• Securing/Patching Co...
• OWASP Top Ten 2013
• Shodan: The scariest search engine on
the Internet
• Report: Crematoriums To Caterpillars
Shodan Re...
• Web Application Firewalls
• Commercial
• Trustwave - WebDefend Web Application Firewall
• Cisco - ACE Web Application Fi...
• Web Vulnerability Scanners
• Dynamic Scanner
• Cenzic Hailstorm
• HP WebInspect
• IBM Security AppScan
• Static Scanner
...
Books
SQL Injection Attacks and Defense,
Second Edition
by  Justin Clarke"
Syngress Publishing © 2012 (576 pages) "
ISBN: ...
• Free Commercial Reports
• Mandiant
• M-Trends 2015 (April 2015)
• APT1: Exposing One of China’s Cyber
Espionage Units (F...
• Heartbleed
• More than 300k systems 'still
vulnerable' to Heartbleed attacks
• Heartbleed Hack Still a Threat Six
Months...
• Target
• Sources: Target Investigating Data
Breach
• Email Attack on Vendor Set Up Breach
at Target
• Data breach hits T...
• Home Depot
• Home Depot Hit By Same Malware as
Target
• Home Depot: 56M Cards Impacted,
Malware Contained
References
• Adobe Password Hack
• Adobe Breach Impacted At Least 38
Million Users
• How an epic blunder by Adobe could
strengthen ha...
• Password Cracking
• Jeremi Gosney - Password Cracking HPC - Passwords^12 Presentation
(pdf)
• Jens Steube - Exploiting a...
• Recent Hacks
• SQL Injection Flaw Haunts All Ruby on Rails Versions (Jan 2013)
• Critics: Substandard crypto needlessly ...
• Recent Hacks
• New York Times Hacked Again, This Time Allegedly by Chinese (Jan
2013)
• AP Twitter feed hacked; no attac...
• XSS Attacks
• Persistent XSS Vulnerability Plagues WordPress Plugin (April
2015)
• Researcher Gets $5,000 for XSS Flaw i...
Shellshock
• Series of vulnerabilities in how Bash
processes environment variables
• CVE-2014-6271, CVE-2014-6277,
CVE-201...
• Shellshock
• What is #shellshock?
• RedHat: Mitigating the shellshock
vulnerability (CVE-2014-6271 and
CVE-2014-7169)
• ...
Web hackingtools 2015
Web hackingtools 2015
Web hackingtools 2015
Web hackingtools 2015
Web hackingtools 2015
Web hackingtools 2015
Web hackingtools 2015
Web hackingtools 2015
Prochain SlideShare
Chargement dans…5
×

Web hackingtools 2015

584 vues

Publié le

Web Hacking

Publié dans : Technologie
  • Soyez le premier à commenter

Web hackingtools 2015

  1. 1. Web Penetration and Hacking Tools David Epler Security Architect depler@aboutweb.com
  2. 2. About Me • Application Developer originally • Contributor to Learn CF In a Week • OWASP Individual Member • OWASP Zed Attack Proxy (ZAP) Evangelist • Security Certifications - CEH, GWAPT
  3. 3. About the Session • What will NOT be covered • How to fix your code • How to secure your OS, Web Server, Database Server, or Application Server
  4. 4. About the Session • What will be covered • Recent events in security and hacking • Demonstration of various penetration testing tools used against web applications • Quick overview of Web Application Firewalls and Web Vulnerability Scanners
  5. 5. About the Demos • Virtual Machines, not live servers • BackTrack/Kali Linux • OWASP Broken Web Apps • Windows 7 & Server 2008 R2
 DO NOT perform any activities shown on any network/system or network connected device without proper permission!
  6. 6. 205Average number of days a network is compromised by a hacker before discovery
 Down from 229 days in 2014 as reported by Mandiant M-Trends Report
  7. 7. Broken SSL/TLS goto$fail;$ goto$fail;
  8. 8. Heartbleed • At disclosure 615,268 of the Internet's secure web servers were vulnerable • May 8, 2014 - 318,239 • June 21, 2014 - 309,197 • Contributed to Community Health Systems theft of 4.5 million patient records
  9. 9. Qualys SSL Server Test https://www.ssllabs.com/ssltest/
  10. 10. OWASP Top Ten (2013) A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  11. 11. Vulnerability Prevalence from VeraCode SoSS Cross Site Scripting! (XSS) SQL Injection Information Leakage Directory Traversal 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 47% 29% 27% 60% 56% 60% 30% 61% 49% 58% 31% 57% 22% 62% 72% 95% ColdFusion Java .NET PHP
  12. 12. Things you’ll never see in logs • Internet search engines used for passive reconnaissance • Google Hacks • Internet Archive • Netcraft • Alexa • Shodan • Not quite passive but can be hard to spot • Web Crawler/Spider/Mirroring
  13. 13. OWASP Top Ten (2013) A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  14. 14. OWASP Top Ten (2013) A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  15. 15. • Stacked Queries • http://www.victim.com/products.asp?id=1;exec +master..xp_cmdshell+'dir' • Tautology • http://www.victim.com/logon.aspx?username=admin' or 1=1;-- • UNION Statements • http://www.victim.com/products.asp?id=12+UNION +SELECT +userid,first_name,second_name,password+FROM +customers • Blind SQL Injection (SQLi)
  16. 16. Demo • Tool • sqlmap • Target • OWASP Broken Web Apps • Apache 2.2.14 + PHP 5.3.2 • MySQL 5.1.41
  17. 17. sqlmap Demo • http://www.youtube.com/watch? v=8Id6XUOcw3E
  18. 18. Adobe Password Analysis From http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password- disaster-adobes-giant-sized-cryptographic-blunder/
  19. 19. Adobe Password Analysis From http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password- disaster-adobes-giant-sized-cryptographic-blunder/
  20. 20. Adobe Password Analysis From http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password- disaster-adobes-giant-sized-cryptographic-blunder/
  21. 21. Password Cracking • Techniques • Rainbow Tables • Brute Force • Dictionary/Word Lists • Hybrid ! • RockYou.com (Dec 2009) • 14.3 million unique clear text passwords
  22. 22. 25 GPU HPC Cluster • Presented by Jeremi Gosney at Passwords^12 Conference • 5 - 4U Servers • 25 Radeon GPUs • Hashcat
  23. 23. Reported Benchmarks of 25 GPU HPC cluster MD5 SHA1 BCrypt (05) Attempts per Second 0 100,000,000,000 200,000,000,000 71,000 63,000,000,000 180,000,000,000
  24. 24. Gosney vs LinkedIn Password Hashes PercentCracked 0% 20% 40% 60% 80% 100% 30 seconds 2 hours 1 day 6 days 90% 64% 53% 21%
  25. 25. OWASP Top Ten (2013) A3: Cross-Site Scripting (XSS) A1: Injection A6: Sensitive Data Exposure A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  26. 26. OWASP Top Ten (2013) A3: Cross-Site Scripting (XSS) A1: Injection A6: Sensitive Data Exposure A2: Broken Authentication and Session Management A4: Insecure Direct Object References A8: Cross Site Request Forgery (CSRF) A5: Security Misconfiguration A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  27. 27. • Stored • Attacker’s script is stored on the server (e.g. blog comments, forums) and later displayed in HTML pages, without proper filtering • Reflected • HTML page reflects user input data back to the browser, without sanitizing the response • DOM Based Cross-Site Scripting (XSS)
  28. 28. Cross-Site Scripting (XSS)
  29. 29. Demo • Tools • BeEF (Browser Exploitation Framework) • Metasploit • Target • OWASP Broken Web Apps • Apache 2.2.14 + PHP 5.3.2 • Victim • Windows 7 • IE 9 + Java 7 Plugin
  30. 30. BeEF Demo • http://www.youtube.com/watch? v=U27bEwZixN4
  31. 31. OWASP Top Ten (2013) A5: Security Misconfiguration A4: Insecure Direct Object References A2: Broken Authentication and Session Management A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A8: Cross Site Request Forgery (CSRF) A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  32. 32. OWASP Top Ten (2013) A5: Security Misconfiguration A4: Insecure Direct Object References A2: Broken Authentication and Session Management A1: Injection A6: Sensitive Data Exposure A3: Cross-Site Scripting (XSS) A8: Cross Site Request Forgery (CSRF) A7: Missing Function Level Access Controls A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards
  33. 33. • Stolen Data Headers from the Federal Reserve Hack (Feb 2013) • Downed US vuln catalog infected for at least TWO MONTHS (March 2013) • Web host Linode, hackers clash over credit-card raid claim (April 2013) • Washington Court Data Breach Exposes 160K SSNs (May 2013) • Alleged Hacker Indicted In New Jersey For Data Breach Conspiracy Targeting Government Agency Networks (Oct 2013) Notable ColdFusion Hacks in 2013
  34. 34. Demo • Tool • Published Exploit Script • Target • Windows Server 2008 R2 • IIS 7.5 + ColdFusion 10 w/ Update 9 • Secure Profile Enabled
  35. 35. Exploit Script Demo • http://www.youtube.com/watch? v=XsQWK_UaASk
  36. 36. If you don’t secure your stuff, you are just making it easy for hackers 
 and they DON’T mostly come at night.
  37. 37. So should you just turn everything off and unplug it?
  38. 38. • Web application firewall (WAF) are used to protect web applications without the need to modify them • Can be an appliance, server plugin, or filter • Provide an additional layer of security • Can react faster than changing application code • More common in front of legacy applications Web Application Firewall
  39. 39. • Open source, free web application firewall • Apache, IIS 7, Nginx, reverse proxy • Security Models • Negative Security Model • Positive Security Model • Virtual Patching • Extrusion Detection Model • OWASP ModSecurity Core Rule Set Project ModSecurity
  40. 40. • Provide automated way to test web application for vulnerabilities • Static vs Dynamic Analysis • Can be challenging to setup authentication and session management • Can’t improvise, every web application is unique • Usually integrated as part of Secure Software Development Life Cycle (SSDLC) Web Vulnerability Scanners
  41. 41. Book The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, Second Edition by  Dafydd Stuttard and Marcus Pinto" John Wiley & Sons © 2012 (912 pages)" ISBN: 9781118026472"
  42. 42. • Blog: http://www.dcepler.net • Email: depler@aboutweb.com • Twitter: @dcepler Q&A - Thanks
  43. 43. • Tools • sqlmap • BeEF • Metasploit ! • Virtual Machines/Live CDs • Kali Linux • Samurai Web Testing Framework • OWASP Broken Web Apps Resources
  44. 44. • Security Benchmarks/Guides • CIS Benchmarks • DISA STIG • Microsoft Security Compliance Manager ! • Securing/Patching ColdFusion • ColdFusion 9 Server Lockdown Guide (pdf) • ColdFusion 10 Server Lockdown Guide (pdf) • ColdFusion 11 Server Lockdown Guide (pdf) • Unofficial Updater 2 Resources
  45. 45. • OWASP Top Ten 2013 • Shodan: The scariest search engine on the Internet • Report: Crematoriums To Caterpillars Shodan Reveals Internet Of Things • Google Hacking Database (GHDB) Resources
  46. 46. • Web Application Firewalls • Commercial • Trustwave - WebDefend Web Application Firewall • Cisco - ACE Web Application Firewall • Citrix - NetScaler App Firewall • F5 - BIG-IP Application Security Manager • Privacyware - ThreatSentry IIS Web Application Firewall • Fuseguard - Foundeo • Free • Trustwave - ModSecurity • Microsoft - URLScan 3.1 Resources
  47. 47. • Web Vulnerability Scanners • Dynamic Scanner • Cenzic Hailstorm • HP WebInspect • IBM Security AppScan • Static Scanner • HP Fortify Static Code Analyzer • VeraCode Static • Intercepting Proxies • Burp Suite • OWASP Zed Attack Proxy (ZAP) Resources
  48. 48. Books SQL Injection Attacks and Defense, Second Edition by  Justin Clarke" Syngress Publishing © 2012 (576 pages) " ISBN: 9781597499637 Web Application Obfuscation: '-/ WAFs..dEvasion..dFilters//alert (/ Obfuscation/)-' by  Mario Heiderich, Eduardo AlbertoVela Nava, Gareth Heyes and David Lindsay" Syngress Publishing © 2011 (290 pages)" ISBN: 9781597496049 XSS Attacks: Cross Site Scripting Exploits and Defense by  Jeremiah Grossman, Robert “RSnake” Hansen, Petko “pdp” D. Petkov and Anton Rager" Syngress Publishing © 2007 (479 pages)" ISBN: 9781597491549" Penetration Tester's Open Source Toolkit, Third Edition by  Jeremy Faircloth" Syngress Publishing © 2011 (465 pages) ISBN: 9781597496278
  49. 49. • Free Commercial Reports • Mandiant • M-Trends 2015 (April 2015) • APT1: Exposing One of China’s Cyber Espionage Units (Feb 2013) ! • VeraCode • State of Software Security Report Volume 5 (April 2013) References
  50. 50. • Heartbleed • More than 300k systems 'still vulnerable' to Heartbleed attacks • Heartbleed Hack Still a Threat Six Months After Discovery References
  51. 51. • Target • Sources: Target Investigating Data Breach • Email Attack on Vendor Set Up Breach at Target • Data breach hits Target’s profits, but that’s only the tip of the iceberg References
  52. 52. • Home Depot • Home Depot Hit By Same Malware as Target • Home Depot: 56M Cards Impacted, Malware Contained References
  53. 53. • Adobe Password Hack • Adobe Breach Impacted At Least 38 Million Users • How an epic blunder by Adobe could strengthen hand of password crackers • Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder • Top 100 Adobe Passwords • XKCD Crossword Puzzle References
  54. 54. • Password Cracking • Jeremi Gosney - Password Cracking HPC - Passwords^12 Presentation (pdf) • Jens Steube - Exploiting a SHA1 Weakness in Password Cracking - Passwords^12 Presentation (pdf) • New 25 GPU Monster Devours Passwords In Seconds • Oh great: New attack makes some password cracking faster, easier than ever • Why passwords have never been weaker—and crackers have never been stronger • The Final Word on the LinkedIn Leak • How I became a password cracker • Project Erebus v2.5 • SHA-1 crypto protocol cracked using Amazon cloud computing resources References
  55. 55. • Recent Hacks • SQL Injection Flaw Haunts All Ruby on Rails Versions (Jan 2013) • Critics: Substandard crypto needlessly puts Evernote accounts at risk (March 2013) • Huge attack on WordPress sites could spawn never-before-seen super botnet (April 2013) • Why LivingSocial’s 50-million password breach is graver than you may think (April 2013) • Yahoo! Blind SQL Injection could lead to data leakage (April 2013) • Common Web Vulnerabilities Plague Top WordPress Plug-Ins (June 2013) • WordPress Fixes Remote Code Execution Flaw With 3.6.1 Release (Sept 2013) References
  56. 56. • Recent Hacks • New York Times Hacked Again, This Time Allegedly by Chinese (Jan 2013) • AP Twitter feed hacked; no attack at White House (April 2013) • Dev site behind Apple, Facebook hacks didn’t know it was booby- trapped (Feb 2013) • IE 8 Zero Day Found as DoL Watering Hole Attack Spreads to Nine Other Sites (May 2013) • Hackers exploit critical IE bug; Microsoft promises patch (Sept 2013) • Many Flash, Java Users Running Older, Vulnerable Versions (Sept 2013) • Adobe To Announce Source Code, Customer Data Breach (Oct 2013) • Thousands of Sites Hacked Via vBulletin Hole (Oct 2013) References
  57. 57. • XSS Attacks • Persistent XSS Vulnerability Plagues WordPress Plugin (April 2015) • Researcher Gets $5,000 for XSS Flaw in Google Apps Admin Console (Jan 2015) • Drupal Patches XSS Vulnerability in Spam Module (Sept 2014) • Details on Patched Microsoft Office 365 XSS Vulnerability Disclosed (Jan 2014) • Security company says Nasdaq waited two weeks to fix XSS flaw (Sept 2013) • Apple Store Vulnerable to XSS (June 2013) • PayPal Site Vulnerable to XSS Attack (May 2013) References
  58. 58. Shellshock • Series of vulnerabilities in how Bash processes environment variables • CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 • Allows for remote code execution
  59. 59. • Shellshock • What is #shellshock? • RedHat: Mitigating the shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) • How do I secure Apache against the Bash Shellshock vulnerability? • Shellshock Exploits Spreading Mayhem Botnet Malware References

×