SlideShare une entreprise Scribd logo

The Web Application Hackers Toolchain

jasonhaddix
jasonhaddix

A cursory look at new tools and techniques for 2012

Technologie
1  sur  53
Télécharger pour lire hors ligne
About Me: • Twitter @jhaddix • jhaddix@securityaegis.com • I blog like I know stuff: • http://www.securityaegis.com • http://www.ethicalhacker.net • Former VA/Netpen turned Webpen • Currently work for HP Application Security Center • Webpen, Netpen, Mobile, etc… • Random Projects • Open Penetration Testers Bookmark Collection • http://code.google.com/p/pentest-bookmarks/ • Nmap Http-enum fingerprints • ghetto Nessus parsers • Burp hacking presentation • No I can’t get you a touchpad • I love talking about hacking, and I like to drink Beer & Gin and Tonics • I don’t know if that’s a girly drink in Brussels =( • You’re welcome to educate me…
Words for the Wise: “Until a man is twenty-five, he still thinks, every so often, that under the right circumstances he could be the baddest motherfucker in the world. If (he) moved to a martial-arts monastery in China and studied real hard for ten years. If (his) family was wiped out by Colombian drug dealers and (he) swore (himself) to revenge. If (he) got a fatal disease, had one year to live, and devoted it to wiping out street crime. If (he) just dropped out and devoted (his) life to being bad. Hiro used to feel this way, too, but then he ran into Raven. In a way, this was liberating. He no longer has to worry about being the baddest motherfucker in the world. The position is taken.” ― Neal Stephenson, Snow Crash
Workshop: Done a few conference talks, never done a workshop: • I’m going to move fast, you will get the slides from the con. • Videos for demos available shortly after the conference • If there’s something you want to know just pull me aside sometime or catch me around the con, I’ll do my best to answer all questions. • You’re pretty much getting a whole class converted to a workshop =). • Excuses! • http://code.google.com/p/owaspbwa/ • OK… lets do it.
• Web Hacking Tool Classes: • OSINT (Passive or Semi-Passive) • Discovery (usually dir brute-forcing or platform identification) • Brute Force (password bruting tools) • Proxies (usually include spider’s) • Fuzzers/Scanners (error or vuln identification tools) • Exploitation (vuln exploitation tools) • Data Aggregation
• What am I, a script kiddie? •Yes and no, you’re a pentester; Which means you have approximately 40hrs to do what a blackhat has months to do. •We need to identify technologies faster, vulns faster, and speed up the attack process. •We need to identify the best process and tools to use, even for our manual web pentesting.
GOAL: Gather data to be useful in a web pentest without (or minimally) interacting with the target. Google Hacking: SearchDiggity Metadata: FOCA Email Gathering: TheHarvester Metasploit
SearchDiggity: The SearchDiggity tools are basically automation of google/bing hacking queries. Think of about a thousand vulnerability checks executed against your target except they are not actually touching your target, only the search engine cache.
GOAL: Free vulnerability checks aka Google hacking. SearchDiggity: • Requires Ajax Search Query API key • 100 queries per day unless you register a CC • Buy a pre-paid visa for $10 • Find vulns fast
GOAL: Extract domain usernames, internal pathing, software versions, etc FOCA: FOCA is a windows tool to spider a domain for documents using google/bing/exalead, download them, and then extract relevant metadata and server information. • http://www.informatica64.com/DownloadFOCA/ I always go see these guys at DC: • http://vimeo.com/10602662 • http://vimeo.com/16706893
GOAL: Extract domain usernames, internal pathing, etc
GOAL: Gather email addresses for forms based logins, etc. One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc. Where do we get this info? Well without doing a full-blown Open Source Recon (OSINT) style assessment, we can use two simple scripts: • Metasploit's search_email_collector.rb and • theHarvester
Metasploit, under modules/auxiliary/gather, has search_email_collector.rb and uses search techniques for Google, Bing, and Yahoo. http://www.metasploit.com/modules/auxiliary/gather/search_email_collector ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file E Running MSF search_email_collector... [*] Please wait while we load the module tree... [*] Harvesting emails ..... [*] Searching Google for email addresses from defcon.com [*] Extracting emails from Google search results... [*] Searching Bing email addresses from defcon.com [*] Extracting emails from Bing search results... [*] Searching Yahoo for email addresses from defcon.com [*] Extracting emails from Yahoo search results... [*] Located 7 email addresses for defcon.com [*] headsets@defcon.com [*] info@defcon.com [*] jobs@defcon.com [*] nick.s@defcon.com [*] nick@defcon.com [*] robert@defcon.com [*] spr@defcon.com
theHarvester (just updated to v2.1) has now fixed some of its previous bugs. It supports searching Google, Bing, PGP servers, shodan, dns- bruteforcing, and LinkedIn. https://code.google.com/p/theharvester/ zombie@haktop:/tools/email/theHarvester# ./theHarvester.py -d defcon.com -b google -l 500 Accounts found: =================== quietpro@defcon.com nick.s@defcon.com robert@defcon.com lynne@defcon.com joe@defcon.com info@defcon.com dtangent@defcon.com
theHarvester:
There’s also a ton of OSINT sites to help identify server information without ever touching your target yourself: • Netcraft (Uptime Survey, server info) • Domain Tools (Whois Lookup and Domain info) • Centralops.net (traceroute, nslookup, automatic whois lookup, ping, finger) • Hackerfantastic.com ( GeoIP, whois, host, dig, blacklists, ping, traceroute & nmap) • whois.webhosting.info (WHOIS and Reverse IP Service/virtual hosting info) • BING IP Search • SSL Labs – Projects / Public SSL Server Database – SSL Server Test • SHODAN – Computer Search Engine (indexed port scans and banner grabs) • Chris Gates presented on OSINT at Brucon 2009 • http://vimeo.com/6811411 • Other good OSINT resources: • http://www.slideshare.net/agent0x0/enterprise-open-source- intelligence-gathering • http://www.slideshare.net/Laramies/tactical-information-gathering
Now we need to map the site. Some issues that we need to deal with when mapping the site are poor ajax support for spidering (we go over this later) and finding non-linked resources. To find non linked resources we bruteforce common file/path names, framework paths, etc. Discovery Tools: • Dirbuster & Wfuzz • SVNDigger Lists • FuzzDB and RAFT Lists • (optionally) Nmap HTTP-Enum & CMS Explorer
Dirbuster is a cross platform directory bruteforcer written in java (GUI app). Tips: • Disable Recursion and Redirects for faster leaner bruting (our spiders will follow redirects later) • We can change threading on the fly • Dirbuster’s built-in lists are from a project that basically spidered the whole internet.
Wfuzz is a command line equivalent, with a bit more functionality for general web fuzzing (filter by resp code, wc, charc, etc): • http://www.edge-security.com/wfuzz.php Also has some lists!
301’s sometimes redirect to very interesting subdomains or promo pages.
Alright, so for non linked resources and discovery we can use Dirbuster’s lists or Wfuzz’s but they are very generic (that’s not necessarily a bad thing). Like I mentioned before, Dirbuster’s are based off of spidering the net and aggregating the most common directory data and common words (partially). But isn't that finding linked resources? Yes There are some more options for us as far as lists go: SVNDigger – a set of directory lists based of pathing of open source projects on Google Code and SourceForge. RAFT Lists: http://code.google.com/p/fuzzdb/ Within the Discovery/PredictableRes path
http://www.mavitunasecurity.com/blo g/svn-digger-better-lists-for-forced- browsing/ SourceForge and GoogleCode, 400k words (5000 projects), directories sorted by project: • Type • Extension contained • Context • DB Type Most coverage/success running the “all” lists, pick as you need.
RAFT is a recent proxy project released at BHUSA 2011, with a set of wordlists for content discovery based upon spidering 1.7 million “robots.txt” disallows and contextual framework paths. There’s some overlap with SVNDigger. The lists themselves are downloadable from the RAFT site but they are also contained in the FuzzDB Discovery/PredictableRes directory which we’ll be seeing in the tactical fuzzing section later. Broken down into directories, words, and files which takes us to smarter recursive content discovery…
1. Use raft-large-directories in Dirbuster or Burp 2. Take the successful output and add it to a Burp Intruder setup (clusterbomb) as payload set 1 3. Add raft-large-files.txt as 2nd payload set
Storytime
Hopefully at this point we have some logins or emails to try and bruteforce authentication from the OSINT section. I prefer Burp Suite’s Intruder Module for bruteforcing authentication. 1. Attempt Login 2. Go to Proxy History Tab 3. Find the POST request 4. Send to Intruder 5. Use Cluster Bomb payload 6. Clear all payload positions 7. Mark username and password fields as payload positions 8. Goto “payloads” tab 9. Set “payload set” 1 to your username list 10. Set “payload set” 2 to your password list 11. Click on the intruder Menu 12. Start Attack 13. Look for different lengths or grep possible successful auth messages under options
With some valid usernames we want to up our chances of bruting a valid password. Ron Bowes (@iagox86) has some fantastic password research and has archived many of the lists that have been leaked on the web. http://www.skullsecurity.org/blog/2010/the-ultimate-faceoff-between- password-lists Huge password repository. Actual user data from hacked sites: • RockYou (Rockyou 75 is a winner) • Phpbb • Myspace • Hotmail • Hak5 • Facebook • More…
Just a few…
GOAL: Spider the site, identify fuzz points, chain and feed scanner. For proxies and spidering I use Burp Suite. There exists some good Paros forks (ZAP) but Burp, even the free version, has much more power and extensibility.
Fiddler is a unique and powerful option as well due to some great plugins such as Watcher (for passively identifying user controllable )and x5s (for identifying possible xss insertion points). These can help us later when we want to start tacitly fuzzing.
Proxies sit between you and the browser but they can also enhance your testing by chaining them with your other tools. This is great if your scanner has a proxy mode, this way we get walk through the functionality of the site and hit it with two different spider engines and finally attack it with our scanner. Additionally, chaining proxies and scanners can help us deal with auth/session issues in hard to scan environments (NTLM/Kerberos). If you’re sticking with open source tools or non-proxy mode scanners you can export your spider results as links and import them into you scanner. Browser -> Burp -> Scanner (in proxy mode) -> Site 1. Walk app, executing all Ajax and rich functionality (snaplinks is handy) 2. Browse to anything from the discovery stage to populate proxy and scanner 3. Spider with Proxy of choice 4. (optional, this might pollute your site tree) Fuzz with fuzzer/proxy of choice 5. Run Scan This all gets fed to the scanner sitemap/tree. Now the scanner has the best chance of finding all fuzz points and vulns.
You said scanners! Which ones?! Shay Chen has some excellent research on the accuracy of open source and commercial scanners.  Only covers XSS and SQLi atm
Now that you have the blanket stuff out of the way, its time to interpret the proxy and scanner data for tactical fuzzing points.  Does this functionality display something back to the user?  Fuzz for XSS  Does it interact with a database?  Fuzz for SQLi or other injections  Does it call on the server file system?  Fuzz for LFI/PT  Does it call on a URL or external/internal site/domain?  Fuzz for RFI Tactical Fuzzing? Wtf?
Now we can fully utilize the project we mentioned a few times earlier, the Fuzz Database: “ The fuzzdb aggregates known attack patterns, predictable resource names, server response messages, and other resources like web shells into the most comprehensive Open Source database of malicious and malformed input test cases.”
1. Use Fuzzdb strings on all the afore mentioned forms and parameters 2. Re-fuzz all parameters that gave errors on the spidering/scanning results. 3. After concretely identifying the platform, re-fuzz/content discover with that platforms specific lists.
The fuzzdb also has an excellent error /vuln grep file for import into Burp:
When it comes to exploitation tools mostly we need some automagic tools to exploit different forms of SQL injection or file include vulnerabilities. For manual testing we also need a set of web shells. Our standards are SQLmap, Havij, SQLninja for sql injection fimap and metasploit for file include vulnerabilities. and a common set of web shells from the fuzzdb .
SQLmap is a comprehensive SQL injection tool with the ability to do many forms of injection. SQLmap Tips:  -l can import Burp logs to test your hosts (when saving in Burp use only your targets in scope) ./sqlmap -l /root/sqli.txt  Often we want to force POST parameters ,setting –data will force POST: -- data=userid=test&pass=test  We can specify parameters with -p : ./sqlmap –u TARGET-p userid,pass  --level=LEVEL Level of tests to perform (1-5, default 1) has to do with insertion points.  --risk=RISK Risk of tests to perform (0-3, default 1) has to do with test cases.  ./sqlmap -l /root/sqli.txt --level=5 --risk=3  You can max out speed at threads=10  --forms will parse and test all forms on target  --os-pwn for possible meterpreter shell
Other tools mentioned help us in edge cases:  Havij for very up to date WAF evasion (modsec) Use at your own risk.  http://itsecteam.com/en/projects/project1.htm  SQLNinja when SQLmap will not exploit  http://sqlninja.sourceforge.net/  Fimap for file include exploitation http://code.google.com/p/fimap/  Metasploit for remote file includes  exploit/unix/webapp/php_include
We also need some stand alone shells in several different languages for upload vulns. Luckily the FuzzDB has these as well.
What about taking XSS beyond alert(‘xss’)? BeEF is the best tool for javascript attacks. It’s more extensible now that it integrates with metasploit. We now can:  Hook the browser with invisible iframes  Inject/change content on the fly  Footprint the internal network  Sniff keystrokes  Deliver browser based exploits or metasploit meterpreter java payloads for full control of the target
Video
What about web services, SOAP, XML? With a wsdl and SOAPui proxied through Burp and tactically fuzzing with the Fuzzdb test cases we can do more than any script or tool I’ve seen released.
I don’t have a fancy portal to put my data =( The Dradis framework has been revamped to accept a ton for tool outputs allowing us to import data and keep working faster. Imports:  Nmap  Burp  Nessus  Metasploit  Netsparker  Openvas  w3af Mindmapping software works well too.
With all this out of the way semi-quickly we can now take more time to tactically fuzz and test for logic and more obscure manual checks!
Special thanks go out to:  Andre Gironda  Chris Gates, Armando Romeo, Joe McCray, James Fitts, Bernardo Damele, Daniel Miessler, Ferruh Mavituna, Shay Chen, Ron Bowes, Adam Muntner, and all tool authors.
The Web Application Hackers Toolchain

Recommandé

A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application SecurityChristian Martorella
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 

Recommandé

A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application SecurityChristian Martorella
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
Security hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceSecurity hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceTjylen Veselyj
 
Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1robin_bene
 
Wfuzz for Penetration Testers
Wfuzz for Penetration TestersWfuzz for Penetration Testers
Wfuzz for Penetration TestersChristian Martorella
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security ToolsLalit Kale
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Web attacks
Web attacksWeb attacks
Web attackshusnara mohammad
 
L27
L27L27
L27NathannyabvureMapisa
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of DreamsGreg Foss
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointAndrew McNicol
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsWeaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsHarsh Bothra
 

Contenu connexe

Tendances

WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
Security hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceSecurity hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceTjylen Veselyj
 
Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1robin_bene
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security ToolsLalit Kale
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of DreamsGreg Foss
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointAndrew McNicol
 

Tendances (20)

WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
Security hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceSecurity hole #5 application security science or quality assurance
Security hole #5 application security science or quality assurance
 
Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1
 
Wfuzz for Penetration Testers
Wfuzz for Penetration TestersWfuzz for Penetration Testers
Wfuzz for Penetration Testers
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security Tools
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Web attacks
Web attacksWeb attacks
Web attacks
 
L27
L27L27
L27
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of Dreams
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
 

Similaire à The Web Application Hackers Toolchain

OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsWeaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsHarsh Bothra
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxlior mazor
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permissionAbraham Aranguren
 
Abraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionAbraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionYury Chemerkin
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonKenneth Kwon
 
Kiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-finalKiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-finalRomania Testing
 
Keith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith Jones, PhD
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Andrei KUCHARAVY
 
Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Sudhanshu Chauhan
 
DEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpDEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpFelipe Prado
 

Similaire à The Web Application Hackers Toolchain (20)

OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsWeaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
Learning to code
Learning to codeLearning to code
Learning to code
 
Legal and efficient web app testing without permission
Legal and efficient web app testing without permissionLegal and efficient web app testing without permission
Legal and efficient web app testing without permission
 
Abraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionAbraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permission
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
 
From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentation
 
Kiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-finalKiran karnad rtc2014 ghdb-final
Kiran karnad rtc2014 ghdb-final
 
Keith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysisKeith J. Jones, Ph.D. - Crash Course malware analysis
Keith J. Jones, Ph.D. - Crash Course malware analysis
 
Google Hacking 101
Google Hacking 101Google Hacking 101
Google Hacking 101
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1
 
Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)
 
DEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpDEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wp
 
Wp 3hr-course
Wp 3hr-courseWp 3hr-course
Wp 3hr-course
 

Dernier

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Dernier (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

The Web Application Hackers Toolchain

  • 1.
  • 2. About Me: • Twitter @jhaddix • jhaddix@securityaegis.com • I blog like I know stuff: • http://www.securityaegis.com • http://www.ethicalhacker.net • Former VA/Netpen turned Webpen • Currently work for HP Application Security Center • Webpen, Netpen, Mobile, etc… • Random Projects • Open Penetration Testers Bookmark Collection • http://code.google.com/p/pentest-bookmarks/ • Nmap Http-enum fingerprints • ghetto Nessus parsers • Burp hacking presentation • No I can’t get you a touchpad • I love talking about hacking, and I like to drink Beer & Gin and Tonics • I don’t know if that’s a girly drink in Brussels =( • You’re welcome to educate me…
  • 3. Words for the Wise: “Until a man is twenty-five, he still thinks, every so often, that under the right circumstances he could be the baddest motherfucker in the world. If (he) moved to a martial-arts monastery in China and studied real hard for ten years. If (his) family was wiped out by Colombian drug dealers and (he) swore (himself) to revenge. If (he) got a fatal disease, had one year to live, and devoted it to wiping out street crime. If (he) just dropped out and devoted (his) life to being bad. Hiro used to feel this way, too, but then he ran into Raven. In a way, this was liberating. He no longer has to worry about being the baddest motherfucker in the world. The position is taken.” ― Neal Stephenson, Snow Crash
  • 4. Workshop: Done a few conference talks, never done a workshop: • I’m going to move fast, you will get the slides from the con. • Videos for demos available shortly after the conference • If there’s something you want to know just pull me aside sometime or catch me around the con, I’ll do my best to answer all questions. • You’re pretty much getting a whole class converted to a workshop =). • Excuses! • http://code.google.com/p/owaspbwa/ • OK… lets do it.
  • 5.
  • 6. • Web Hacking Tool Classes: • OSINT (Passive or Semi-Passive) • Discovery (usually dir brute-forcing or platform identification) • Brute Force (password bruting tools) • Proxies (usually include spider’s) • Fuzzers/Scanners (error or vuln identification tools) • Exploitation (vuln exploitation tools) • Data Aggregation
  • 7. • What am I, a script kiddie? •Yes and no, you’re a pentester; Which means you have approximately 40hrs to do what a blackhat has months to do. •We need to identify technologies faster, vulns faster, and speed up the attack process. •We need to identify the best process and tools to use, even for our manual web pentesting.
  • 8. GOAL: Gather data to be useful in a web pentest without (or minimally) interacting with the target. Google Hacking: SearchDiggity Metadata: FOCA Email Gathering: TheHarvester Metasploit
  • 9. SearchDiggity: The SearchDiggity tools are basically automation of google/bing hacking queries. Think of about a thousand vulnerability checks executed against your target except they are not actually touching your target, only the search engine cache.
  • 10. GOAL: Free vulnerability checks aka Google hacking. SearchDiggity: • Requires Ajax Search Query API key • 100 queries per day unless you register a CC • Buy a pre-paid visa for $10 • Find vulns fast
  • 11. GOAL: Extract domain usernames, internal pathing, software versions, etc FOCA: FOCA is a windows tool to spider a domain for documents using google/bing/exalead, download them, and then extract relevant metadata and server information. • http://www.informatica64.com/DownloadFOCA/ I always go see these guys at DC: • http://vimeo.com/10602662 • http://vimeo.com/16706893
  • 12.
  • 13. GOAL: Extract domain usernames, internal pathing, etc
  • 14. GOAL: Gather email addresses for forms based logins, etc. One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc. Where do we get this info? Well without doing a full-blown Open Source Recon (OSINT) style assessment, we can use two simple scripts: • Metasploit's search_email_collector.rb and • theHarvester
  • 15. Metasploit, under modules/auxiliary/gather, has search_email_collector.rb and uses search techniques for Google, Bing, and Yahoo. http://www.metasploit.com/modules/auxiliary/gather/search_email_collector ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file E Running MSF search_email_collector... [*] Please wait while we load the module tree... [*] Harvesting emails ..... [*] Searching Google for email addresses from defcon.com [*] Extracting emails from Google search results... [*] Searching Bing email addresses from defcon.com [*] Extracting emails from Bing search results... [*] Searching Yahoo for email addresses from defcon.com [*] Extracting emails from Yahoo search results... [*] Located 7 email addresses for defcon.com [*] headsets@defcon.com [*] info@defcon.com [*] jobs@defcon.com [*] nick.s@defcon.com [*] nick@defcon.com [*] robert@defcon.com [*] spr@defcon.com
  • 16. theHarvester (just updated to v2.1) has now fixed some of its previous bugs. It supports searching Google, Bing, PGP servers, shodan, dns- bruteforcing, and LinkedIn. https://code.google.com/p/theharvester/ zombie@haktop:/tools/email/theHarvester# ./theHarvester.py -d defcon.com -b google -l 500 Accounts found: =================== quietpro@defcon.com nick.s@defcon.com robert@defcon.com lynne@defcon.com joe@defcon.com info@defcon.com dtangent@defcon.com
  • 18. There’s also a ton of OSINT sites to help identify server information without ever touching your target yourself: • Netcraft (Uptime Survey, server info) • Domain Tools (Whois Lookup and Domain info) • Centralops.net (traceroute, nslookup, automatic whois lookup, ping, finger) • Hackerfantastic.com ( GeoIP, whois, host, dig, blacklists, ping, traceroute & nmap) • whois.webhosting.info (WHOIS and Reverse IP Service/virtual hosting info) • BING IP Search • SSL Labs – Projects / Public SSL Server Database – SSL Server Test • SHODAN – Computer Search Engine (indexed port scans and banner grabs) • Chris Gates presented on OSINT at Brucon 2009 • http://vimeo.com/6811411 • Other good OSINT resources: • http://www.slideshare.net/agent0x0/enterprise-open-source- intelligence-gathering • http://www.slideshare.net/Laramies/tactical-information-gathering
  • 19. Now we need to map the site. Some issues that we need to deal with when mapping the site are poor ajax support for spidering (we go over this later) and finding non-linked resources. To find non linked resources we bruteforce common file/path names, framework paths, etc. Discovery Tools: • Dirbuster & Wfuzz • SVNDigger Lists • FuzzDB and RAFT Lists • (optionally) Nmap HTTP-Enum & CMS Explorer
  • 20. Dirbuster is a cross platform directory bruteforcer written in java (GUI app). Tips: • Disable Recursion and Redirects for faster leaner bruting (our spiders will follow redirects later) • We can change threading on the fly • Dirbuster’s built-in lists are from a project that basically spidered the whole internet.
  • 21. Wfuzz is a command line equivalent, with a bit more functionality for general web fuzzing (filter by resp code, wc, charc, etc): • http://www.edge-security.com/wfuzz.php Also has some lists!
  • 22. 301’s sometimes redirect to very interesting subdomains or promo pages.
  • 23. Alright, so for non linked resources and discovery we can use Dirbuster’s lists or Wfuzz’s but they are very generic (that’s not necessarily a bad thing). Like I mentioned before, Dirbuster’s are based off of spidering the net and aggregating the most common directory data and common words (partially). But isn't that finding linked resources? Yes There are some more options for us as far as lists go: SVNDigger – a set of directory lists based of pathing of open source projects on Google Code and SourceForge. RAFT Lists: http://code.google.com/p/fuzzdb/ Within the Discovery/PredictableRes path
  • 24. http://www.mavitunasecurity.com/blo g/svn-digger-better-lists-for-forced- browsing/ SourceForge and GoogleCode, 400k words (5000 projects), directories sorted by project: • Type • Extension contained • Context • DB Type Most coverage/success running the “all” lists, pick as you need.
  • 25. RAFT is a recent proxy project released at BHUSA 2011, with a set of wordlists for content discovery based upon spidering 1.7 million “robots.txt” disallows and contextual framework paths. There’s some overlap with SVNDigger. The lists themselves are downloadable from the RAFT site but they are also contained in the FuzzDB Discovery/PredictableRes directory which we’ll be seeing in the tactical fuzzing section later. Broken down into directories, words, and files which takes us to smarter recursive content discovery…
  • 26. 1. Use raft-large-directories in Dirbuster or Burp 2. Take the successful output and add it to a Burp Intruder setup (clusterbomb) as payload set 1 3. Add raft-large-files.txt as 2nd payload set
  • 27.
  • 29. Hopefully at this point we have some logins or emails to try and bruteforce authentication from the OSINT section. I prefer Burp Suite’s Intruder Module for bruteforcing authentication. 1. Attempt Login 2. Go to Proxy History Tab 3. Find the POST request 4. Send to Intruder 5. Use Cluster Bomb payload 6. Clear all payload positions 7. Mark username and password fields as payload positions 8. Goto “payloads” tab 9. Set “payload set” 1 to your username list 10. Set “payload set” 2 to your password list 11. Click on the intruder Menu 12. Start Attack 13. Look for different lengths or grep possible successful auth messages under options
  • 30. With some valid usernames we want to up our chances of bruting a valid password. Ron Bowes (@iagox86) has some fantastic password research and has archived many of the lists that have been leaked on the web. http://www.skullsecurity.org/blog/2010/the-ultimate-faceoff-between- password-lists Huge password repository. Actual user data from hacked sites: • RockYou (Rockyou 75 is a winner) • Phpbb • Myspace • Hotmail • Hak5 • Facebook • More…
  • 32. GOAL: Spider the site, identify fuzz points, chain and feed scanner. For proxies and spidering I use Burp Suite. There exists some good Paros forks (ZAP) but Burp, even the free version, has much more power and extensibility.
  • 33. Fiddler is a unique and powerful option as well due to some great plugins such as Watcher (for passively identifying user controllable )and x5s (for identifying possible xss insertion points). These can help us later when we want to start tacitly fuzzing.
  • 34.
  • 35. Proxies sit between you and the browser but they can also enhance your testing by chaining them with your other tools. This is great if your scanner has a proxy mode, this way we get walk through the functionality of the site and hit it with two different spider engines and finally attack it with our scanner. Additionally, chaining proxies and scanners can help us deal with auth/session issues in hard to scan environments (NTLM/Kerberos). If you’re sticking with open source tools or non-proxy mode scanners you can export your spider results as links and import them into you scanner. Browser -> Burp -> Scanner (in proxy mode) -> Site 1. Walk app, executing all Ajax and rich functionality (snaplinks is handy) 2. Browse to anything from the discovery stage to populate proxy and scanner 3. Spider with Proxy of choice 4. (optional, this might pollute your site tree) Fuzz with fuzzer/proxy of choice 5. Run Scan This all gets fed to the scanner sitemap/tree. Now the scanner has the best chance of finding all fuzz points and vulns.
  • 36. You said scanners! Which ones?! Shay Chen has some excellent research on the accuracy of open source and commercial scanners.  Only covers XSS and SQLi atm
  • 37. Now that you have the blanket stuff out of the way, its time to interpret the proxy and scanner data for tactical fuzzing points.  Does this functionality display something back to the user?  Fuzz for XSS  Does it interact with a database?  Fuzz for SQLi or other injections  Does it call on the server file system?  Fuzz for LFI/PT  Does it call on a URL or external/internal site/domain?  Fuzz for RFI Tactical Fuzzing? Wtf?
  • 38. Now we can fully utilize the project we mentioned a few times earlier, the Fuzz Database: “ The fuzzdb aggregates known attack patterns, predictable resource names, server response messages, and other resources like web shells into the most comprehensive Open Source database of malicious and malformed input test cases.”
  • 39. 1. Use Fuzzdb strings on all the afore mentioned forms and parameters 2. Re-fuzz all parameters that gave errors on the spidering/scanning results. 3. After concretely identifying the platform, re-fuzz/content discover with that platforms specific lists.
  • 40. The fuzzdb also has an excellent error /vuln grep file for import into Burp:
  • 41. When it comes to exploitation tools mostly we need some automagic tools to exploit different forms of SQL injection or file include vulnerabilities. For manual testing we also need a set of web shells. Our standards are SQLmap, Havij, SQLninja for sql injection fimap and metasploit for file include vulnerabilities. and a common set of web shells from the fuzzdb .
  • 42. SQLmap is a comprehensive SQL injection tool with the ability to do many forms of injection. SQLmap Tips:  -l can import Burp logs to test your hosts (when saving in Burp use only your targets in scope) ./sqlmap -l /root/sqli.txt  Often we want to force POST parameters ,setting –data will force POST: -- data=userid=test&pass=test  We can specify parameters with -p : ./sqlmap –u TARGET-p userid,pass  --level=LEVEL Level of tests to perform (1-5, default 1) has to do with insertion points.  --risk=RISK Risk of tests to perform (0-3, default 1) has to do with test cases.  ./sqlmap -l /root/sqli.txt --level=5 --risk=3  You can max out speed at threads=10  --forms will parse and test all forms on target  --os-pwn for possible meterpreter shell
  • 43. Other tools mentioned help us in edge cases:  Havij for very up to date WAF evasion (modsec) Use at your own risk.  http://itsecteam.com/en/projects/project1.htm  SQLNinja when SQLmap will not exploit  http://sqlninja.sourceforge.net/  Fimap for file include exploitation http://code.google.com/p/fimap/  Metasploit for remote file includes  exploit/unix/webapp/php_include
  • 44.
  • 45. We also need some stand alone shells in several different languages for upload vulns. Luckily the FuzzDB has these as well.
  • 46. What about taking XSS beyond alert(‘xss’)? BeEF is the best tool for javascript attacks. It’s more extensible now that it integrates with metasploit. We now can:  Hook the browser with invisible iframes  Inject/change content on the fly  Footprint the internal network  Sniff keystrokes  Deliver browser based exploits or metasploit meterpreter java payloads for full control of the target
  • 47. Video
  • 48. What about web services, SOAP, XML? With a wsdl and SOAPui proxied through Burp and tactically fuzzing with the Fuzzdb test cases we can do more than any script or tool I’ve seen released.
  • 49. I don’t have a fancy portal to put my data =( The Dradis framework has been revamped to accept a ton for tool outputs allowing us to import data and keep working faster. Imports:  Nmap  Burp  Nessus  Metasploit  Netsparker  Openvas  w3af Mindmapping software works well too.
  • 50.
  • 51. With all this out of the way semi-quickly we can now take more time to tactically fuzz and test for logic and more obscure manual checks!
  • 52. Special thanks go out to:  Andre Gironda  Chris Gates, Armando Romeo, Joe McCray, James Fitts, Bernardo Damele, Daniel Miessler, Ferruh Mavituna, Shay Chen, Ron Bowes, Adam Muntner, and all tool authors.