Real Life Hacking 101

Upload: florent-batard

Post on 13-Feb-2017

TRANSCRIPT

Page 1: Real life hacking101

Real Life Hacking 101


Page 2: Real life hacking101

Who am I?

● Batard Florent

● http://code-artisan.io

● @artisan_code

● Security Engineer

– Ethical Hacker for 10 years

– Security Contests (0daysober)

– Globe Trotter (UK, USA, Switzerland, France, Japan)

– Lately on the Defense side as a programmer

Page 3: Real life hacking101


Summary

● Introduction

● Information gathering

– Indirect requests

– Direct requests

● System security

– Configuration errors

– Password policy

– Patching

● Web Security

– XSS

– SQL Injection

– CSRF

Page 4: Real life hacking101

What is Hacking?

Use or abuse a resource in a way that was not predicted by its creator, in order to change its behavior.

Page 5: Real life hacking101

Attack chronology

● Information gathering

– Getting information about the target

– Indirect / Direct requests

– Fingerprinting

● Analysis

– Determining the security flaw

– Discovering the tools to perform the attack

● Attack

– Exploitation

– Expand in the network

– Spread in the internal network

Page 6: Real life hacking101


Information gathering

• Introduction

• Indirect requests

• Direct requests

• Fingerprinting

Page 7: Real life hacking101

Introduction

● The first step of any attack is the information gathering process

● Identify the entry point of the target

● List all the public information we can use

● Other information can be gathered with technical tools

● The most effective way is « social engineering »

– Contact the target and ask them for sensitive information (freshman, secretary...)

Page 8: Real life hacking101

Indirect requests

● « Whois » database listing

● All the information asked for during the registration process

– Administrative information

● Name, address, phone number

– Technical information

● DNS server

● Email addresses for social engineering

● IP range of the target

● All this information is public

Page 9: Real life hacking101

WHOIS

● Use of the tool « whois »

● whois domain.tld or whois <IP address>

Domain Information:
a. [Domain Name]            WHIZZ-TECH.CO.JP
g. [Organization]           Whizz Technology Co., Ltd.
l. [Organization Type]      Company
m. [Administrative Contact] HS9536JP
n. [Technical Contact]      HS9536JP
p. [Name Server]            ns1.whizz-tech.co.jp
s. [Signing Key]
[State]                     Connected (2015/03/31)
[Registered Date]           2005/03/29
[Connected Date]            2005/06/18
[Last Update]               2014/04/01 01:41:01 (JST)

Contact Information: [担当者情報]
a. [JPNICハンドル]   HS9536JP
b. [氏名]            杉本 展将
c. [Last, First]     Sugimoto, Hiroyuki
d. [電子メイル]      [email protected]
   [組織名]          有限会社ウィズテクノロジー
g. [Organization]    Whizz Technology Co., Ltd.
k. [部署]
l. [Division]
m. [肩書]            代表取締役
n. [Title]           President
o. [電話番号]        06-6242-7288
p. [FAX番号]
y. [通知アドレス]    [email protected]
[最終更新]           2005/03/29 12:02:01 (JST)

Page 10: Real life hacking101

Indirect requests

● SNS

– Every bit of public information published can be used against you

– Information is used to build a password bank tailored to hack you (https://github.com/Netflix/Scumblr)

● People Search

– https://pipl.com/

– http://www.peekyou.com/

Page 11: Real life hacking101

Direct requests

● Active discoveries on the network

● Port scan

– Identify open ports

– Several methods can be used

● Fingerprinting

– Getting the banner of services

– Identify the service and its version

– Identify the Operating System

Page 12: Real life hacking101

Nmap scanning

● Nmap for fingerprinting

● nmap -A x.x.x.x

Page 13: Real life hacking101


Nmap Example

Page 14: Real life hacking101

Other methods

● SNMP

– Identify the SNMP community

– Get information on the target

● NetBIOS

– Communication protocol for Windows

– Guest/Null account sometimes activated

– Enumerate shared folders

– Enumerate users/groups/administrators

Page 15: Real life hacking101

Social Engineering

● The art of manipulating people to make them reveal sensitive information

● Phone the target pretending to be someone else

● The victim often doesn't realize what she is doing

● We will use everything we discovered through indirect requests

● Most of the time it's the most effective way to retrieve useful information

● Difficult to protect your company against

Page 16: Real life hacking101


System vulnerabilities

• Configuration mistakes

• Passwords

• Patching

Page 17: Real life hacking101

System vulnerability

● What is a « system » vulnerability?

● Configuration mistake

– Leaving the default configuration

– High privilege for a low task

● Bad password policy

– Default password

– Weak password

● Bad patching policy

– New vulnerabilities, but the OS is not up to date

● Easy exploitation

Page 18: Real life hacking101


System vulnerability

Page 19: Real life hacking101

Configuration error

● Development configuration kept after production deployment

● Devices

– Default SNMP community

– Installation password

● Applications

– Default password

– Debugging activated

– Example files

Page 20: Real life hacking101

Password policy

● The most secure system will always be weak if protected by a too simple password

● Usually people will choose the easiest password a system can accept

– Hacking is even easier if passwords aren't strong enough

● Passwords should be stored hashed (never in clear) by the application

– If a hacker gets into the database, all passwords will be revealed

● Users usually re-use the same password everywhere

Page 21: Real life hacking101

Password types

● Not accessible (stored in database)

– Hacker must interactively break the password and causes noisy logs

● Encrypted/Hashed passwords

– Allow discreet offline attacks

● ClearText passwords

– = win!

Page 22: Real life hacking101

Password attacks

● Interactive

– No encrypted version of the password

– Medusa

– Hydra

– Slow and noisy

● Offline

– Possess an encrypted version of the password

– John The Ripper

– Cain

– L0phtcrack

– Quick and discreet but not always possible

Page 23: Real life hacking101

Patching

● Update management

– Need a security policy in the company

– The latest patches should always be deployed on ALL machines

● One vulnerable computer can be the entry point for the whole network

● As an attacker it's always more convenient to attack the most vulnerable machine on the network

● Tools to know: Metasploit, Nessus

Page 24: Real life hacking101

Problems

● Vulnerabilities are often released publicly

– Accessible to anybody

– Automatic scripts to exploit them

● Typically

– Discovery through a vulnerability scanner like Nessus

– Exploit the vulnerability with Metasploit

– At the end → total control of the target

Page 25: Real life hacking101


Web Application Vulnerabilities

• Cross-Site Scripting

• SQL Injection

• CSRF Attack

Page 26: Real life hacking101

Application Vulnerabilities

● Target a specific application

– Out of scope for the system administrator

– Developers' responsibility

● The hacker can modify the behavior of the application

– Use of the application that wasn't planned by the developers

● Nowadays, most likely in web applications

Page 27: Real life hacking101

Parameters

● Users can interact with a website through parameters:

● GET: parameters sent in the URL

– search.php?query=toto

● POST: parameters sent in the message body

– Usually for form submission

● These parameters can ALWAYS be tampered with by an attacker

● Tools to know: BurpSuite, OWASP ZAP, Postman

Page 28: Real life hacking101

Cross-Site Scripting

● Allows code execution in the browser, most likely in JavaScript

● The problem occurs when user input is interpreted as regular client-side source code

● A hacker can inject HTML tags and JavaScript inside the page

– Control over the display of the page

– Images

– JavaScript (frameworks & components)

– Use your page for evil purposes

http://beefproject.com

Page 29: Real life hacking101


XSS - Example

● Vulnerable source code

● Normal Behavior Hijacked
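The vulnerable-versus-fixed pair this slide shows as screenshots, rewritten here as an added Python example (not the talk's own source code). It echoes the search parameter from page 27 into a page, once raw and once escaped, and includes the `<script>alert('hello')</script>` check that page 35 suggests adding to unit tests. The function names and the page markup are assumptions.

```python
import html

# Constructed inputs standing in for the "query" parameter of search.php?query=...
# This example is added here; it is not the talk's own source code.
BENIGN = "toto"
MALICIOUS = "<script>alert('hello')</script>"


def render_vulnerable(query: str) -> str:
    """Echoes the parameter straight into the HTML: user input becomes client-side code."""
    return f"<p>Results for: {query}</p>"


def render_escaped(query: str) -> str:
    """Escapes <, >, &, ' and " so the browser displays the text instead of running it."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attribute_escaped(query: str) -> str:
    """Same rule inside an attribute: escape the value and always quote the attribute."""
    return f'<input type="text" name="query" value="{html.escape(query, quote=True)}">'


def has_script_tag(page: str) -> bool:
    """Check usable as a unit-test assertion: did a <script> tag survive into the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(MALICIOUS))  # the tag is intact: the browser would run it
    print(render_escaped(MALICIOUS))     # &lt;script&gt;...: shown as text only
```

Escaping is context-dependent: `html.escape` is right for text nodes and quoted attribute values, but an input placed into a JavaScript block or a URL needs that context's own encoding, and an unquoted attribute is unsafe no matter how the value is escaped.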

Page 30: Real life hacking101

SQL Injection

● Language used to query databases

● To select data:

– SELECT column_name FROM table WHERE condition

● Example

– SELECT contenu FROM news WHERE id=1

● Used by websites to retrieve persistent information

Page 31: Real life hacking101

SQL Injection examples

● Original request:

– http://site/news.php?id=1

– SELECT * FROM news WHERE id = 1

– Returns the news with id 1

● Hijacked request:

– http://site/news.php?id=1 OR 1=1

– SELECT * FROM news WHERE id = 1 OR 1=1 // TRUE

– Returns all the news!

Page 32: Real life hacking101


SQL Injection example

● Vulnerable code

● Normal behavior Hijacked
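The `news.php?id=1 OR 1=1` case from the previous slide, as an added Python example (not the talk's own code) run against an in-memory SQLite table: the concatenated query returns every row, the parameterised one treats the whole string as a value and matches nothing. It also wraps the « OR 1 = 1 » unit test that page 35 recommends. The `news` table contents, function names and the `injection_test` helper are assumptions.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed stand-in for the talk's "news" table. This example is added here;
# it is not the talk's own source code.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, contenu TEXT)")
    conn.executemany(
        "INSERT INTO news (id, contenu) VALUES (?, ?)",
        [(1, "first article"), (2, "second article"), (3, "unpublished draft")],
    )
    return conn


def news_vulnerable(conn: sqlite3.Connection, id_param: str) -> List[Tuple[int, str]]:
    """news.php?id=... built by concatenation: the parameter becomes SQL syntax."""
    sql = "SELECT * FROM news WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def news_safe(conn: sqlite3.Connection, id_param: str) -> List[Tuple[int, str]]:
    """Parameterised query: the value travels separately and can never become syntax."""
    return conn.execute("SELECT * FROM news WHERE id = ?", (id_param,)).fetchall()


def injection_test(query_fn: Callable[[sqlite3.Connection, str], list]) -> bool:
    """The unit test the talk recommends: 'OR 1=1' must not return more than one row."""
    conn = make_db()
    try:
        rows = query_fn(conn, "1 OR 1=1")
    except sqlite3.Error:
        return True  # refusing the input is acceptable; leaking every row is not
    return len(rows) <= 1


if __name__ == "__main__":
    db = make_db()
    print(news_vulnerable(db, "1 OR 1=1"))  # all three rows, including the draft
    print(news_safe(db, "1 OR 1=1"))        # []
    print(news_safe(db, "1"))               # [(1, 'first article')]
```

Parameterisation is the fix; validating that `id` is an integer before the query is a useful second layer but not a replacement, since not every parameter is numeric.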

Page 33: Real life hacking101

Goal for the hacker

● Hijack the authentication process

● Explore the database

● Retrieve hidden information

– Passwords of users and admin

● Interaction with the system through the database

– Read files

– Write files

– Command execution

Page 34: Real life hacking101

Cross Site Request Forgery

● Scenario:

● http://mybank.com/?transfer=100&from=123&to=321

● You have an active session => request accepted

● What if I send you that link in an iframe or a mail?

– I can forge an address to compromise you

– The session is still active, so the request will be accepted

– CSRF token = unpredictable token an attacker cannot forge

● The same trick can set your email address or reset your password
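The CSRF-token defence from this slide, as an added Python example (not the talk's code): a per-session random token that the server embeds in its own forms and checks on every state-changing request, so a forged link or iframe that rides on the victim's cookie is rejected. The session store, function names and the transfer handler are assumptions standing in for the bank scenario.

```python
import hmac
import secrets
from typing import Dict

# Constructed server state for the talk's bank scenario; this example is added
# here and is not the talk's own code. A real application keeps this in its
# session store.
_sessions: Dict[str, str] = {}  # session id -> CSRF token bound to that session


def new_session() -> str:
    """Log a user in: create a session and attach an unpredictable CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    # 256 random bits: an attacker cannot guess it and has no page to read it from
    _sessions[session_id] = secrets.token_urlsafe(32)
    return session_id


def csrf_token_for(session_id: str) -> str:
    """What the server puts in its own forms as a hidden field (not readable cross-origin)."""
    return _sessions[session_id]


def handle_transfer(session_id: str, params: Dict[str, str]) -> str:
    """Stand-in for http://mybank.com/?transfer=100&from=123&to=321."""
    if session_id not in _sessions:
        return "rejected: no active session"
    expected = _sessions[session_id]
    supplied = params.get("csrf_token", "")
    # A forged link or iframe sends the victim's cookie, but cannot supply this token.
    if not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid CSRF token"
    return f"accepted: transfer {params['transfer']} from {params['from']} to {params['to']}"


if __name__ == "__main__":
    sid = new_session()
    forged = {"transfer": "100", "from": "123", "to": "321"}
    print(handle_transfer(sid, forged))  # rejected: missing or invalid CSRF token
    legit = dict(forged, csrf_token=csrf_token_for(sid))
    print(handle_transfer(sid, legit))   # accepted: transfer 100 from 123 to 321
```

The token only works if the server checks it on every request that changes state; those requests should also be accepted over POST rather than from a GET link like the one in the scenario, since a link in a mail or an iframe issues a GET for free.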

Page 35: Real life hacking101

What to do as a developer?

● Learn the basics of security (www.owasp.org)

– OWASP Top 10

● Check your application source code

– OWASP ASVS http://code-artisan.io/owasp-asvs-3-0-cheatsheet/

● Add security test cases to your unit tests

– « OR 1 = 1 »

– « <script>alert(‘hello’)</script> »

● Check the security updates of your tools

– Web Frameworks Security Releases

– Change default configuration !

● Check your security with professional services

– www.detectify.com or https://vaddy.net/

– Yours truly

Page 36: Real life hacking101

How to become a hacker?

● Train and learn:

– WebGoat

– DVWA (Damn Vulnerable Web App)

– Kali Linux (Security Distribution with all tools)

● Check the tools :

– Metasploit

– SkipFish

– Nikto

– Wpscan

Page 37: Real life hacking101

Conclusion

• Questions?