
Real life hacking101


Introduction to security

Published in: Engineering


  1. Real Life Hacking 101
  2. Who am I?
     ● Batard Florent
     ● http://code-artisan.io
     ● @artisan_code
     ● Security Engineer
       – Ethical Hacker for 10 years
       – Security Contests (0daysober)
       – Globe Trotter (UK, USA, Switzerland, France, Japan)
       – Lately on the Defense side as a programmer
  3. Summary
     ● Introduction
     ● Information gathering
     ● Indirect requests
     ● Direct requests
     ● System security
     ● Configuration errors
     ● Password policy
     ● Patching
     ● Web Security
       – XSS
       – SQL Injection
       – CSRF
  4. What is Hacking?
     Use or abuse a resource in a way that was not predicted by its creator, in order to change its behavior.
  5. Attack chronology
     ● Information gathering
       – Getting information about the target
       – Indirect / Direct requests
       – Fingerprinting
     ● Analysis
       – Determining the security flaw
       – Discovering the tools to perform the attack
     ● Attack
       – Exploitation
     ● Expand in the network
       – Spread in the internal network
  6. Information gathering
     • Introduction
     • Indirect requests
     • Direct requests
     • Fingerprinting
  7. Introduction
     ● The first step of any attack is the information gathering process
     ● Identify the entry point of the target
     ● List all the public information we can use
     ● Other information can be gathered with technical tools
     ● The most effective way is « social engineering »
       – Contact the target and ask them for sensitive information (freshman, secretary...)
  8. Indirect requests
     ● « Whois » database listing
     ● All the information asked for at registration
       – Administrative information
         ● Name, address, phone number
       – Technical information
         ● DNS server
         ● Email addresses for social engineering
         ● IP range of the target
     ● All this information is public
  9. WHOIS
     ● Use of the tool « whois »
     ● whois domain.tld or whois IP-address
     Domain Information:
       a. [Domain Name]            WHIZZ-TECH.CO.JP
       g. [Organization]           Whizz Technology Co., Ltd.
       l. [Organization Type]      Company
       m. [Administrative Contact] HS9536JP
       n. [Technical Contact]      HS9536JP
       p. [Name Server]            ns1.whizz-tech.co.jp
       s. [Signing Key]
       [State]                     Connected (2015/03/31)
       [Registered Date]           2005/03/29
       [Connected Date]            2005/06/18
       [Last Update]               2014/04/01 01:41:01 (JST)
     Contact Information: [ 担当者情報 ]
       a. [JPNIC ハンドル ]        HS9536JP
       b. [ 氏名 ]                 杉本 展将
       c. [Last, First]            Sugimoto, Hiroyuki
       d. [ 電子メイル ]           hiroyuki@whitemap.net
       f. [ 組織名 ]               有限会社ウィズテクノロジー
       g. [Organization]           Whizz Technology Co., Ltd.
       k. [ 部署 ]
       l. [Division]
       m. [ 肩書 ]                 代表取締役
       n. [Title]                  President
       o. [ 電話番号 ]             06-6242-7288
       p. [FAX 番号 ]
       y. [ 通知アドレス ]         form@dom.jprs.jp
       [ 最終更新 ]                2005/03/29 12:02:01 (JST)
  10. Indirect requests
     ● SNS
       – Every bit of public information published can be used against you
       – Information is used to build a password bank tailored to hack you (https://github.com/Netflix/Scumblr)
     ● People Search
       – https://pipl.com/
       – http://www.peekyou.com/
  11. Direct requests
     ● Active discovery on the network
     ● Port scan
       – Identify open ports
       – Several methods can be used
     ● Fingerprinting
       – Getting the banner of services
       – Identify the service and its version
       – Identify the Operating System
  12. Nmap scanning
     ● Nmap for fingerprinting
     ● nmap -A x.x.x.x
  13. Nmap Example
  14. Other methods
     ● SNMP
       – Identify the SNMP community
       – Get information on the target
     ● Netbios
       – Communication protocol for Windows
       – Guest/Null account sometimes activated
       – Enumerate shared folders
       – Enumerate users/groups/administrators
  15. Social Engineering
     ● The art of manipulating people to make them reveal sensitive information
     ● Phone the target pretending to be someone else
     ● The victim often doesn't realize what she is doing
     ● We use everything we discovered through indirect requests
     ● Most of the time it's the most effective way to retrieve useful information
     ● Difficult to protect your company against
  16. System vulnerabilities
     • Configuration mistakes
     • Passwords
     • Patching
  17. System vulnerability
     ● What is a « system » vulnerability?
     ● Configuration mistake
       – Leaving the default configuration
       – High privilege for a low task
     ● Bad password policy
       – Default password
       – Weak password
     ● Bad patching policy
       – New vulnerabilities appear but the OS is not up to date
     ● Easy exploitation
  18. System vulnerability
  19. Configuration error
     ● Development configuration kept after production deployment
     ● Devices
       – Default SNMP community
       – Installation password
     ● Applications
       – Default password
       – Debugging activated
       – Example files
  20. Password policy
     ● The most secure system will always be weak if protected by a too simple password
     ● Usually people will choose the easiest password a system can accept
       – Hacking is even easier if passwords aren't strong enough
     ● Passwords should be encrypted in the application
       – If a hacker gets into the database, all passwords will be revealed
     ● Users usually re-use the same password everywhere
  21. Password types
     ● Not accessible (stored in database)
       – Hacker must interactively break the password and causes noisy logs
     ● Encrypted/Hashed passwords
       – Allow discreet offline attacks
     ● Clear-text passwords
       – = win!
  22. Password attacks
     ● Interactive
       – No encrypted version of the password
         ● Medusa
         ● Hydra
       – Slow and noisy
     ● Offline
       – Possess an encrypted version of the password
         ● John The Ripper
         ● Cain
         ● L0phtcrack
       – Quick and discreet but not always possible
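Slides 20 to 22 say passwords must not be stored in clear and that hashed passwords still allow offline attacks. The following is an added example, not code from the slides, showing how an application should store them: a random per-user salt and a slow key-derivation function (PBKDF2 from the Python standard library), so that a leaked table neither reveals passwords directly nor lets one cracked record expose every account that used the same password. The storage format and the sample passwords are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# Work factor: every offline guess must repeat this many iterations.
# Constructed value for the demo; raise it to what your servers can afford.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    # A fresh random salt per user means identical passwords give different
    # records, so precomputed tables and cross-account matching do not work.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iters, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def same_password_differs() -> bool:
    """Two users choosing the same password must not get the same record."""
    return hash_password("hunter2") != hash_password("hunter2")


if __name__ == "__main__":
    record = hash_password("hunter2")  # constructed sample password
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
```

A clear-text or plain SHA-1/MD5 column gives an attacker the "quick and discreet" offline attack of slide 22 for free; the salt and iteration count above are what make that attack expensive.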
  23. Patching
     ● Update management
     ● Needs a security policy in the company
     ● The latest patches should always be deployed on ALL machines
     ● One vulnerable computer can be the entry point for the whole network
     ● As an attacker it's always more convenient to attack the most vulnerable machine on the network
     ● Tools to know: Metasploit, Nessus
  24. Problems
     ● Vulnerabilities are often released publicly
       – Accessible to anybody
       – Automatic scripts to exploit them
     ● Typically
       – Discovery through a vulnerability scanner like Nessus
       – Exploit the vulnerability with Metasploit
       – At the end → total control of the target
  25. Web Application Vulnerabilities
     • Cross-Site Scripting
     • SQL Injection
     • CSRF Attack
  26. Application Vulnerabilities
     ● Target a specific application
     ● Out of scope for the system administrator
     ● Developers' responsibility
     ● The hacker can modify the behavior of the application
     ● Use of the application that wasn't planned by the developers
     ● Nowadays, most likely in web applications
  27. Parameters
     ● Users interact with a website through parameters:
     ● GET: parameters sent in the URL
       – search.php?query=toto
     ● POST: parameters sent in the message body
       – Usually for form submission
     ● These parameters can ALWAYS be tampered with by an attacker
     ● Tools to know: BurpSuite, OWASP ZAP, Postman
  28. Cross-Site Scripting
     ● Allows code execution in the browser, most likely in JavaScript
     ● The problem occurs when user input is interpreted as regular client-side source code
     ● The hacker can inject HTML tags and JavaScript inside the page
       – Control over the display of the page
         ● Images
         ● JavaScript (frameworks & components)
       – Use your page for evil purposes: http://beefproject.com
  29. XSS - Example
     ● Vulnerable source code
     ● Normal behavior / Hijacked
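The XSS example slide above is an image in the original deck. The following is an added example, not code from the slides, that rebuilds the search.php?query= page from slide 27 in Python: the vulnerable renderer pastes the parameter into the HTML source, the fixed one encodes it so the browser shows it as text. The page template, function names and inputs are constructed; the test string is the one slide 35 recommends as a unit-test case.

```python
import html

# Constructed page template: the user's query is echoed back inside the body.
PAGE = "<html><body><h1>Results for: {q}</h1></body></html>"


def render_vulnerable(query: str) -> str:
    """User input becomes part of the HTML source, so tags in it are executed."""
    return PAGE.format(q=query)


def render_fixed(query: str) -> str:
    """Entity-encode the input for an HTML body context before inserting it."""
    # html.escape converts & < > " ' to entities; the browser renders them as
    # literal characters instead of parsing them as markup or script.
    return PAGE.format(q=html.escape(query, quote=True))


def contains_script_tag(document: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in document.lower()


# Constructed inputs: a normal search and the hostile string from slide 35.
NORMAL_QUERY = "toto"
HOSTILE_QUERY = "<script>alert('hello')</script>"

if __name__ == "__main__":
    print(render_vulnerable(HOSTILE_QUERY))  # script tag survives
    print(render_fixed(HOSTILE_QUERY))       # &lt;script&gt;... shown as text
```

Encoding is context-specific: html.escape is right for an HTML body or attribute value, but input placed inside a script block, a URL or a CSS rule needs that context's own encoding, which is why templating engines that escape by default are preferable to hand-written calls.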
  30. SQL Injection
     ● SQL is the language used to query databases
     ● To select data:
       – SELECT column_name FROM table WHERE condition
     ● Example
       – SELECT contenu FROM news WHERE id=1
     ● Used by websites to retrieve persistent information
  31. SQL Injection examples
     ● Original request:
       http://site/news.php?id=1
       – SELECT * FROM news WHERE id = 1
       – Returns the news item with id 1
     ● Hijacked request:
       http://site/news.php?id=1 OR 1=1
       – SELECT * FROM news WHERE id = 1 OR 1=1 // TRUE
       – Returns all the news!
  32. SQL Injection example
     ● Vulnerable code
     ● Normal behavior / Hijacked
  33. Goal for the hacker
     ● Hijack the authentication process
     ● Explore the database
     ● Retrieve hidden information
       – Passwords of users and admin
     ● Interaction with the system through the database
       – Read files
       – Write files
       – Command execution
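The SQL injection code slide is an image in the original deck. The following is an added example, not code from the slides, that rebuilds the news.php?id= case of slide 31 in Python against an in-memory SQLite database: string concatenation lets "1 OR 1=1" return every row, while a bound parameter is only ever treated as a value. The table rows and function names are constructed; the last function is the kind of security test case slide 35 asks developers to add to their unit tests.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed news table matching the slide's SELECT contenu FROM news."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, contenu TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(1, "public story"), (2, "draft story"), (3, "hidden story")],
    )
    return conn


def fetch_news_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """The parameter is pasted into the SQL text, so it becomes part of the query."""
    sql = "SELECT contenu FROM news WHERE id = " + id_param
    return [row[0] for row in conn.execute(sql)]


def fetch_news_fixed(conn: sqlite3.Connection, id_param: str) -> list:
    """A bound parameter is sent separately from the SQL and never parsed as syntax."""
    sql = "SELECT contenu FROM news WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (id_param,))]


# Constructed inputs: the normal and hijacked values shown on slide 31.
NORMAL_ID = "1"
HIJACKED_ID = "1 OR 1=1"


def security_test_case() -> bool:
    """Unit test in the spirit of slide 35: the hijacked input must not widen the result."""
    conn = make_db()
    return len(fetch_news_fixed(conn, HIJACKED_ID)) <= len(fetch_news_fixed(conn, NORMAL_ID))


if __name__ == "__main__":
    conn = make_db()
    print(fetch_news_vulnerable(conn, NORMAL_ID))    # ['public story']
    print(fetch_news_vulnerable(conn, HIJACKED_ID))  # all three rows
    print(fetch_news_fixed(conn, HIJACKED_ID))       # []
```

Converting the parameter with int() before the query, and rejecting anything else, is a useful second layer: it documents that id can only ever be a number and turns the hijacked value into an error instead of an empty result.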
  34. Cross-Site Request Forgery
     ● Scenario:
       http://mybank.com/?transfer=100&from=123&to=321
     ● You have an active session => request accepted
     ● What if I send you that link in an iframe or a mail?
       – I can forge an address to compromise you
       – The session is still active so the request will be accepted
       – CSRF token = unpredictable token we cannot forge
     ● The same applies to setting an email address or resetting a password
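The following is an added example, not code from the slides, that implements the CSRF token the slide calls for around the mybank.com transfer request: the server derives a token from the session id with an HMAC under a server secret, and a request is only accepted when it carries the token of the session it runs under. The secret, session ids and handler shape are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed: in a real deployment this lives in server configuration, never in a page.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Deterministic per session, unpredictable without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(session_id: str, query_string: str) -> str:
    """Simulate mybank.com/?transfer=100&from=123&to=321 under a session cookie."""
    params = parse_qs(query_string)
    supplied = params.get("csrf", [""])[0]
    # Constant-time comparison; the attacker's link cannot know the victim's token.
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return "rejected: missing or invalid CSRF token"
    return "accepted: transfer %s from %s to %s" % (
        params["transfer"][0], params["from"][0], params["to"][0])


VICTIM_SESSION = "sess-victim-0001"      # constructed
ATTACKER_SESSION = "sess-attacker-0002"  # constructed
LINK = "transfer=100&from=123&to=321"    # the slide's request, without a token


def forged_link_result() -> str:
    """The link as delivered by iframe or mail: victim's session, no token."""
    return handle_transfer(VICTIM_SESSION, LINK)


def foreign_token_result() -> str:
    """A token from another session does not match the victim's session."""
    return handle_transfer(VICTIM_SESSION, LINK + "&csrf=" + csrf_token(ATTACKER_SESSION))


def legitimate_result() -> str:
    """The bank's own form embeds the victim's token, which the browser sends back."""
    return handle_transfer(VICTIM_SESSION, LINK + "&csrf=" + csrf_token(VICTIM_SESSION))
```

The slide's example also shows a second flaw worth fixing at the same time: a state-changing action reachable by GET, which is why such endpoints should accept POST only, with the token as a form field.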
  35. What to do as a developer?
     ● Learn the basics of security (www.owasp.org)
       – OWASP Top 10
     ● Check your application source code
       – OWASP ASVS http://code-artisan.io/owasp-asvs-3-0-cheatsheet/
     ● Add security test cases to your unit tests
       – « OR 1 = 1 »
       – « <script>alert('hello')</script> »
     ● Check the security updates of your tools
       – Web framework security releases
       – Change the default configuration!
     ● Check your security with professional services
       – www.detectify.com or https://vaddy.net/
       – Yours truly
  36. How to become a hacker?
     ● Train and learn
       – WebGoat
       – DVWA (Damn Vulnerable Web App)
       – Kali Linux (security distribution with all the tools)
     ● Check the tools:
       – Metasploit
       – SkipFish
       – Nikto
       – Wpscan
  37. Conclusion
     • Questions?
