2. Who am I?
● Batard Florent
● http://code-artisan.io
● @artisan_code
● Security Engineer
– Ethical hacker for 10 years
– Security contests (0daysober)
– Globe trotter (UK, USA, Switzerland, France, Japan)
– Lately on the defense side, as a programmer
3. test
Summary
● Introduction
● Information gathering
● Indirect requests
● Direct requests
● System security
● Configuration errors
● Password policy
● Patching
● Web Security
– XSS
– SQL Injection
– CSRF
4. What is Hacking?
Using or abusing a resource in a way its creator did not anticipate, in order to change its behavior.
5. Attack chronology
● Information gathering
– Getting information about the target
– Indirect / direct requests
– Fingerprinting
● Analysis
– Determining the security flaw
– Discovering the tools to perform the attack
● Attack
– Exploitation
● Expand in the network
– Spread in the internal network
7. Introduction
● The first step of any attack is the information gathering process
● Identify the entry points of the target
● List all the public information we can use
● Other information can be gathered with technical tools
● The most effective way is « social engineering »
– Contact the target and ask them for sensitive information (a freshman, a secretary...)
8. Indirect requests
● « Whois » database listing
● All the information asked for during the registration process
– Administrative information
● Name, address, phone number
– Technical information
● DNS server
● Email addresses (useful for social engineering)
● IP range of the target
● All this information is public
9. WHOIS
● Use the « whois » tool
● whois domain.tld or whois <IP address>
Domain Information:
a. [Domain Name] WHIZZ-TECH.CO.JP
g. [Organization] Whizz Technology Co., Ltd.
l. [Organization Type] Company
m. [Administrative Contact] HS9536JP
n. [Technical Contact] HS9536JP
p. [Name Server] ns1.whizz-tech.co.jp
s. [Signing Key]
[State] Connected (2015/03/31)
[Registered Date] 2005/03/29
[Connected Date] 2005/06/18
[Last Update] 2014/04/01 01:41:01 (JST)
Contact Information: [ 担当者情報 ]
a. [JPNIC ハンドル ] HS9536JP
b. [ 氏名 ] 杉本 展将
c. [Last, First] Sugimoto, Hiroyuki
d. [ 電子メイル ] hiroyuki@whitemap.net
f. [ 組織名 ] 有限会社ウィズテクノロジー
g. [Organization] Whizz Technology Co., Ltd.
k. [ 部署 ]
l. [Division]
m. [ 肩書 ] 代表取締役
n. [Title] President
o. [ 電話番号 ] 06-6242-7288
p. [FAX 番号 ]
y. [ 通知アドレス ]
[ 最終更新 ] 2005/03/29 12:02:01 (JST)
form@dom.jprs.jp
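The record above is one line per field in the "x. [Key] value" layout used by JPRS. The following parser is an added example written for this page, not part of the original deck: it turns such a record into a dictionary and lists the fields slide 8 calls out as useful to an attacker (contacts, name servers, organization). The sample record is constructed with placeholder values (EXAMPLE.CO.JP, XX0000JP), not a real registration.

```python
import re

# Constructed sample in the JPRS-style layout shown on the slide.
# Values are placeholders, not a real registration record.
SAMPLE_WHOIS = """\
Domain Information:
a. [Domain Name] EXAMPLE.CO.JP
g. [Organization] Example Co., Ltd.
l. [Organization Type] Company
m. [Administrative Contact] XX0000JP
n. [Technical Contact] XX0000JP
p. [Name Server] ns1.example.co.jp
p. [Name Server] ns2.example.co.jp
[State] Connected (2015/03/31)
[Registered Date] 2005/03/29
"""

# Optional "a. " letter prefix, then "[Key]", then the rest of the line as value.
LINE_RE = re.compile(r"^(?:[a-z]\.\s*)?\[(?P<key>[^\]]+)\]\s*(?P<value>.*)$")


def parse_jprs_whois(text):
    """Parse 'x. [Key] value' lines into a dict; a repeated key becomes a list."""
    record = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers such as "Domain Information:" carry no field
        key = m.group("key").strip()
        value = m.group("value").strip()
        if key in record:
            existing = record[key]
            if isinstance(existing, list):
                existing.append(value)
            else:
                record[key] = [existing, value]
        else:
            record[key] = value
    return record


def exposed_fields(record):
    """Fields slide 8 lists as attacker-useful: contacts, name servers, organization."""
    wanted = ("Administrative Contact", "Technical Contact", "Name Server", "Organization")
    return {k: record[k] for k in wanted if k in record}


if __name__ == "__main__":
    parsed = parse_jprs_whois(SAMPLE_WHOIS)
    for key, value in exposed_fields(parsed).items():
        print(f"{key}: {value}")
```

A defender can run the same parser over their own domains' records to see exactly which contact handles and name servers are public, which is the list to review for social-engineering exposure.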
10. Indirect requests
● SNS (social networking services)
– Every bit of public information you publish can be used against you
– The information is used to build a password bank tailored to you (https://github.com/Netflix/Scumblr)
● People search
– https://pipl.com/
– http://www.peekyou.com/
11. Direct requests
● Active discovery on the network
● Port scan
– Identify open ports
– Several methods can be used
● Fingerprinting
– Get the banner of each service
– Identify the service and its version
– Identify the operating system
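Fingerprinting from a banner is mostly pattern matching on the first bytes a service sends. The code below is an added example for this page (not a tool from the deck): it matches constructed banners, of the kind a scanner would receive, against a small signature list and produces a per-port inventory of service, product and version. The banners and the signature list are assumptions made for the example; a real scanner ships a much larger database.

```python
import re

# Constructed banners as a scanner might receive them (not captured from a real host).
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_7.4",
    21: "220 (vsFTPd 3.0.3)",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
    25: "220 mail.example.test ESMTP Postfix",
}

# Ordered (service, regex) pairs; the first match wins.
SIGNATURES = [
    ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\d.p]+)?")),
    ("ftp", re.compile(r"^220.*?\((?P<product>vsFTPd) (?P<version>[\d.]+)\)")),
    ("http", re.compile(r"^Server:\s*(?P<product>[^/\s]+)/(?P<version>[\d.]+)", re.M)),
    ("smtp", re.compile(r"^220 .*ESMTP (?P<product>\w+)")),
]


def fingerprint(banner):
    """Return service/product/version guessed from one banner, or 'unknown'."""
    for service, rx in SIGNATURES:
        m = rx.search(banner)
        if m:
            groups = m.groupdict()
            return {
                "service": service,
                "product": groups.get("product"),
                "version": groups.get("version"),  # None when the banner hides it
            }
    return {"service": "unknown", "product": None, "version": None}


def inventory(banners):
    """Map port -> fingerprint for a whole host; this is what a patch review starts from."""
    return {port: fingerprint(b) for port, b in banners.items()}


if __name__ == "__main__":
    for port, info in sorted(inventory(SAMPLE_BANNERS).items()):
        print(port, info)
```

The same inventory is what the defender wants: every banner that gives away a product and version is a hint to check against the patching policy of slide 23, or to trim the banner where the software allows it.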
14. Other methods
● SNMP
– Identify the SNMP community
– Get information on the target
● NetBIOS
– Communication protocol for Windows
– Guest/null account sometimes enabled
– Enumerate shared folders
– Enumerate users/groups/administrators
15. Social Engineering
● The art of manipulating people to make them reveal sensitive information
● Phone the target pretending to be someone else
● The victim often doesn't realize what they are doing
● We will use everything we discovered with the indirect requests
● Most of the time it's the most effective way to retrieve useful information
● Difficult to protect a company against
17. System vulnerability
● What is a « system » vulnerability?
● Configuration mistakes
– Leaving the default configuration
– High privileges for a simple task
● Bad password policy
– Default passwords
– Weak passwords
● Bad patching policy
– New vulnerabilities appear but the OS is not kept up to date
● Easy exploitation
19. Configuration error
● Development configuration kept after production deployment
● Devices
– Default SNMP community
– Installation password
● Applications
– Default password
– Debugging enabled
– Example files
20. Password policy
● The most secure system will always be weak if protected by too simple a password
● Usually people choose the easiest password a system will accept
– Hacking is even easier if passwords aren't strong enough
● Passwords should be stored encrypted/hashed by the application
– If a hacker gets into the database, all passwords are revealed
● Users usually re-use the same password everywhere
21. Password types
● Not accessible (stored in the database)
– The hacker must break the password interactively, which causes noisy logs
● Encrypted/hashed passwords
– Allow discreet offline attacks
● Clear-text passwords
– = win!
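Slides 20 and 21 say passwords must not sit in the database in clear text. The following is an added example written for this page, not code from the deck: it stores passwords as salted PBKDF2-HMAC-SHA256 hashes, verifies them in constant time, and contrasts a constructed clear-text user table with its hashed version to show what a database dump reveals in each case. The iteration count and the sample users are assumptions made for the example.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 hash and return it as one storable string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), hash_hex)


# Constructed user table: two users who chose the same weak password.
CLEARTEXT_TABLE = {"alice": "Summer2015", "bob": "Summer2015"}
HASHED_TABLE = {user: hash_password(pw) for user, pw in CLEARTEXT_TABLE.items()}


def duplicate_passwords_visible(table):
    """True if a dump of this table shows which users share a password."""
    values = list(table.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    print("clear text leaks shared passwords:", duplicate_passwords_visible(CLEARTEXT_TABLE))
    print("salted hashes leak shared passwords:", duplicate_passwords_visible(HASHED_TABLE))
    print("login ok:", verify_password("Summer2015", HASHED_TABLE["alice"]))
```

The per-user random salt is what makes the two identical passwords look different in the dump, so an offline attacker (slide 22) has to attack each record separately instead of cracking one hash and reusing it.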
22. Password attacks
● Interactive
– No encrypted version of the password
● Medusa
● Hydra
– Slow and noisy
● Offline
– Possess an encrypted version of the password
● John the Ripper
● Cain
● L0phtCrack
– Quick and discreet, but not always possible
23. Patching
● Update management
– Needs a security policy in the company
– The latest patches should always be deployed on ALL machines
● One vulnerable computer can be the entry point for the whole network
– As an attacker it's always more convenient to attack the most vulnerable machine on the network
● Tools to know: Metasploit, Nessus
24. Problems
● Vulnerabilities are often released publicly
– Accessible to anybody
– Automated scripts to exploit them
● Typically
– Discovery through a vulnerability scanner like Nessus
– Exploitation of the vulnerability with Metasploit
– At the end → total control of the target
26. Application Vulnerabilities
● Target a specific application
– Out of scope for the system administrator
– The developers' responsibility
● The hacker can modify the behavior of the application
– Use of the application that wasn't planned by the developers
● Nowadays, most likely in web applications
27. Parameters
● Users interact with a website through parameters:
– GET: parameters sent in the URL
● search.php?query=toto
– POST: parameters sent in the message body
● Usually for form submission
● These parameters can ALWAYS be tampered with by an attacker
● Tools to know: BurpSuite, OWASP ZAP, Postman
28. Cross-Site Scripting
● Allows code execution in the browser, most likely in JavaScript
● The problem occurs when user input is interpreted as regular client-side source code
● The hacker can inject HTML tags and JavaScript into the page
– Control over the display of the page
● Images
● JavaScript (frameworks & components)
– Use your page for evil purposes: http://beefproject.com
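The slide's point is that the bug is input being treated as source code. The code below is an added example for this page (not from the deck): it renders a search term into two places in a page, once unescaped and once through html.escape, and checks whether the rendered output still contains an injected script tag or a broken-out attribute. The templates and payloads are constructed for the example; the script payload is the one slide 35 proposes as a test case.

```python
import html

# Two places where a search term ends up in the page: element content and an attribute value.
BODY_TEMPLATE = "<h1>Results for: {query}</h1>"
ATTR_TEMPLATE = '<input type="text" name="query" value="{query}">'

# Constructed test inputs (the first one is the payload slide 35 suggests as a unit test).
SCRIPT_PAYLOAD = "<script>alert('hello')</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_body_unsafe(query):
    """Vulnerable: the input becomes part of the client-side source code."""
    return BODY_TEMPLATE.format(query=query)


def render_body_safe(query):
    """Fixed: the input is escaped, so the browser shows it as text."""
    return BODY_TEMPLATE.format(query=html.escape(query, quote=True))


def render_attr_unsafe(query):
    """Vulnerable: a quote in the input closes the attribute early."""
    return ATTR_TEMPLATE.format(query=query)


def render_attr_safe(query):
    """Fixed: quote=True turns " into &quot;, so the attribute cannot be closed."""
    return ATTR_TEMPLATE.format(query=html.escape(query, quote=True))


def contains_script_tag(rendered):
    """Check used by a security unit test: did a raw <script> tag survive rendering?"""
    return "<script" in rendered.lower()


def attribute_broken_out(rendered):
    """The template holds six double quotes; any extra one closed the attribute early."""
    return rendered.count('"') > 6


if __name__ == "__main__":
    print(render_body_unsafe(SCRIPT_PAYLOAD))
    print(render_body_safe(SCRIPT_PAYLOAD))
    print(render_attr_unsafe(ATTR_PAYLOAD))
    print(render_attr_safe(ATTR_PAYLOAD))
```

html.escape is the right tool for element content and quoted attribute values; input placed inside a script block, a URL or a CSS rule needs the escaping rules of that context instead, which is why template engines with automatic, context-aware escaping are preferred over hand-built strings.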
30. SQL Injection
● SQL is the language used to query databases
● To select data:
– SELECT column_name FROM table WHERE condition
● Example
– SELECT contenu FROM news WHERE id=1
● Used by websites to retrieve persistent information
31. SQL Injection examples
● Original request:
– http://site/news.php?id=1
– SELECT * FROM news WHERE id = 1
– Returns the news item with id 1
● Hijacked request:
– http://site/news.php?id=1 OR 1=1
– SELECT * FROM news WHERE id = 1 OR 1=1 // always TRUE
– Returns all the news!
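The two requests on this slide can be reproduced against an in-memory SQLite table. This is an added example written for this page, not code from the deck: the vulnerable function builds the query text from the id parameter exactly as the slide describes, the fixed one validates the id and passes it as a bound parameter, and both are run with "1" and with "1 OR 1=1". The table and its three rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed news table with three rows, like the one behind news.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)", [(1, "first"), (2, "second"), (3, "third")]
    )
    return conn


def get_news_vulnerable(conn, news_id):
    """Vulnerable: the ?id= value is concatenated into the SQL text (slide 31)."""
    sql = "SELECT * FROM news WHERE id = " + news_id
    return conn.execute(sql).fetchall()


def get_news_safe(conn, news_id):
    """Fixed: validate the type, then bind the value; it can never become SQL code."""
    try:
        value = int(news_id)
    except ValueError:
        return []  # "1 OR 1=1" is not an id; refuse instead of guessing
    return conn.execute("SELECT * FROM news WHERE id = ?", (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for param in ("1", "1 OR 1=1"):
        print(repr(param), "vulnerable ->", len(get_news_vulnerable(db, param)), "rows")
        print(repr(param), "safe       ->", len(get_news_safe(db, param)), "rows")
```

Even without the int() check, a bound parameter is treated as a single value by the database driver, so the injected OR clause never reaches the parser; the validation just turns the attempt into a clean error instead of an empty result.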
33. Goal for the hacker
● Hijack the authentication process
● Explore the database
– Retrieve hidden information
– Passwords of users and admins
● Interaction with the system through the database
– Read files
– Write files
– Command execution
34. Cross Site Request Forgery
● Scenario:
– http://mybank.com/?transfer=100&from=123&to=321
– You have an active session => the request is accepted
● What if I send you that link in an iframe or an e-mail?
– I can forge an address to compromise you
– Your session is still active, so the request will be accepted
– The same trick can set the account e-mail or reset the password
● Defense: a CSRF token, an unpredictable value the attacker cannot forge
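The token mentioned on the slide works because the forged request (from a mail or an iframe) carries the victim's session cookie but not a value that only the legitimate page knows. The code below is an added example for this page, not from the deck: it models a server-side session holding a random token, the bank's own transfer form embedding it, and a transfer handler that accepts only requests presenting that session's token. The Session class, the form and the handler are assumptions made for the example.

```python
import hmac
import secrets


class Session:
    """Server-side session: the token is created once per session and never put in a URL."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session):
    """The legitimate page embeds the session's token as a hidden field."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session, form):
    """State-changing action: accept only POSTs that carry the session's own token."""
    submitted = str(form.get("csrf_token", "")).encode("utf-8")
    expected = session.csrf_token.encode("utf-8")
    if not hmac.compare_digest(submitted, expected):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} from {session.user} to {form['to']}"


if __name__ == "__main__":
    victim = Session("123")
    # A request forged from another site: right cookie (session), no token.
    print(handle_transfer(victim, {"amount": "100", "to": "321"}))
    # The same request submitted from the bank's own form.
    print(handle_transfer(victim, {"amount": "100", "to": "321", "csrf_token": victim.csrf_token}))
```

Two details matter in practice: the transfer is a POST rather than the GET shown on the slide, so a plain link or image tag cannot trigger it, and the comparison uses hmac.compare_digest so that a wrong token is rejected without leaking timing information about how many characters matched.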
35. What to do as a developer?
● Learn the basics of security (www.owasp.org)
– OWASP Top 10
● Check your application source code
– OWASP ASVS http://code-artisan.io/owasp-asvs-3-0-cheatsheet/
● Add security test cases to your unit tests
– « OR 1 = 1 »
– « <script>alert('hello')</script> »
● Check the security updates of your tools
– Web framework security releases
– Change the default configuration!
● Check your security with professional services
– www.detectify.com or https://vaddy.net/
– Yours truly
36. How to become a hacker?
● Train and learn
– WebGoat
– DVWA (Damn Vulnerable Web App)
– Kali Linux (security distribution with all the tools)
● Check out the tools:
– Metasploit
– SkipFish
– Nikto
– WPScan