Web hacking 1.0
- 1. Web Hacking 1.0
root@localhost# whoami
Q Fadlan
Information Security Engineer
root@localhost# whereis q.fadlan
/PT GLOBAL DIGITAL NIAGA/IT/INFRASTRUCTURE/q.fadlan
- 4. 2. INTRODUCTION WEB HACKING
Who is a hacker?
A hacker is someone who seeks and exploits weaknesses in a computer
system or computer network.
Hackers may be motivated by a multitude of reasons, such as profit,
protest, challenge, enjoyment, or to evaluate those weaknesses to
assist in removing them.
- 5. 2. INTRODUCTION WEB HACKING
Hacker Classification
White Hat Hackers: These are the good guys, computer security experts who
specialize in penetration testing and other methodologies to ensure that a
company’s information systems are secure. These IT security professionals
rely on a constantly evolving arsenal of technology to battle hackers.
Black Hat Hackers: These are the bad guys, who are typically referred to
as just plain hackers. The term is often used specifically for hackers who
break into networks or computers, or create computer viruses. Black hat
hackers continue to technologically outpace white hats. They often manage
to find the path of least resistance, whether due to human error or
laziness, or with a new type of attack. Hacking purists often use the term
“crackers” to refer to black hat hackers. Black hats’ motivation is
generally to get paid.
- 6. Script Kiddies: This is a derogatory term for black hat hackers who use borrowed
programs to attack networks and deface websites in an attempt to make names for
themselves.
Hacktivists: Some hacker activists are motivated by politics or religion, while
others may wish to expose wrongdoing, or exact revenge, or simply harass their
target for their own entertainment.
State Sponsored Hackers: Governments around the globe realize that it serves their
military objectives to be well positioned online. The saying used to be, “He who
controls the seas controls the world,” and then it was, “He who controls the air
controls the world.” Now it’s all about controlling cyberspace. State sponsored
hackers have limitless time and funding to target civilians, corporations, and
governments.
Spy Hackers: Corporations hire hackers to infiltrate the competition and steal
trade secrets. They may hack in from the outside or gain employment in order to
act as a mole. Spy hackers may use similar tactics as hacktivists, but their only
agenda is to serve their client’s goals and get paid.
- 7. Cyber Terrorists: These hackers, generally motivated by religious or
political beliefs, attempt to create fear and chaos by disrupting critical
infrastructures. Cyber terrorists are by far the most dangerous, with a wide
range of skills and goals. Cyber terrorists' ultimate motivation is to spread
fear and terror and to commit murder.
- 8. 3. Step by Step Web Hacking
Reconnaissance → Scanning → Exploitation → Maintaining Access
Information Gathering (about the system, environment, etc.)
• Scan the system
• Threat Analysis
• Use static analyzers (Nessus, nmap, Appscan, etc.)
• Vulnerability Analysis
• Fuzz Testing
• Penetration Testing
• Use/Develop the right set of tools to attack
Raise Defect
- 9. Reconnaissance
Reconnaissance is the act of gathering preliminary data or intelligence on
your target. The data is gathered in order to better plan for your attack.
Reconnaissance can be performed actively (meaning that you are directly
touching the target) or passively (meaning that your recon is being
performed through an intermediary).
- 10. Reconnaissance
There are two main goals in this phase:
• First, we need to gather as much information as possible about the
target.
• Second, we need to sort through all the information gathered and create
a list of attackable IP addresses.
- 11. Reconnaissance
Reconnaissance Output :
• Identifying IP Addresses and Sub-domains — usually one of the first steps in passive
reconnaissance, it’s important to identify the net ranges and sub-domains associated with your
target(s) as this will help scope the remainder of your activities.
• Identifying External/3rd Party sites — although they may not be in scope for any active penetration
testing activities, it is important to understand the relationships between your target and other
3rd party content providers.
• Identifying People — Identifying names, email addresses, phone numbers, and other personal
information can be valuable for pretexting, phishing or other social engineering activities.
• Identifying Technologies — Identifying the types and versions of the systems and software
applications in use by an organization is an important precursor to identifying potential
vulnerabilities.
• Identifying Content of Interest — Identifying web and email portals, log files, backup or archived
files, or sensitive information contained within HTML comments or client-side scripts is important
for vulnerability discovery and future penetration testing activities.
• Identifying Vulnerabilities — it’s possible to identify critical vulnerabilities that can be
exploited with further active penetration testing activities solely by examining publicly available
information.
- 12. Reconnaissance
Reconnaissance Tools :
• Whois - looks up the registration record for the domain name or IP
address that you specify
• Shodan - a search engine that lets the user find specific types of
computers (routers, servers, etc.) connected to the internet using a
variety of filters.
• Google – Search engine
• Netcraft - tool for identifying subdomains
• HTTrack – Website Copier
• Social Engineering - process of exploiting the “human” weakness that is
inherent in every organization
• etc
- 13. Scanning
The phase of scanning requires the application of technical tools to
gather further intelligence on your target, but in this case, the intel
being sought is more commonly about the systems that they have in place.
A good example would be the use of a vulnerability scanner on a target
network.
- 14. Scanning
1. Checking whether the target is alive: Use the Internet Control Message
Protocol (ICMP) to ping the target system and check whether the target is
alive.
2. Scanning the ports: Check for open ports that can be attacked. Perform the
scan in stealth mode for a particular period of time. Test the ports by
sending them harmful information.
3. Identifying the potential vulnerabilities and generating a report: Use a
network vulnerability scanner to identify the potential vulnerabilities and
to obtain a report about these vulnerabilities.
4. Classifying vulnerabilities and building responses: Classify
vulnerabilities and build responses accordingly. Many times, the response
chosen for a vulnerability is nonactionable because of complexities and
risks. The assessment process gives complete information about these issues,
and this information is helpful during the risk management process.
- 15. Scanning
5. Classifying key assets and performing risk management: The vulnerability
assessment process classifies the key assets and makes a hierarchy of the
key assets, which helps to drive the risk management process.
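Steps 1 and 2 above are also the point where the target can notice the scanner: every probe leaves a connection attempt in the target's firewall log. As an added example that is not part of the original slides, the Python below flags a source that touches many distinct ports within a short window, run over constructed iptables-style log lines (sample data, not real logs). A scan spread slowly over time, as step 2's stealth mode describes, stays under such a threshold, which is why the window and port count are parameters the defender tunes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in an iptables-like format; not real logs.
SAMPLE_LOG = """\
2015-03-01T10:00:00 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21
2015-03-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
2015-03-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
2015-03-01T10:00:03 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=110
2015-03-01T10:00:04 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3306
2015-03-01T10:00:05 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2015-03-01T10:00:09 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
2015-03-01T10:05:00 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
2015-03-01T10:10:00 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21
2015-03-01T10:15:00 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23
"""

LINE_RE = re.compile(r"^(\S+) \S+ SRC=(\S+) DST=\S+ PROTO=TCP DPT=(\d+)")

def parse(log_text):
    """Return a list of (timestamp, source_ip, destination_port) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return events

def detect_port_scans(events, window_seconds=60, min_ports=5):
    """Map each source hitting >= min_ports distinct ports inside a sliding window to those ports."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                      # shrink window from the left
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged.setdefault(src, set()).update(ports)
    return flagged

if __name__ == "__main__":
    for src, ports in detect_port_scans(parse(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: ports {sorted(ports)}")
```

With the defaults only 203.0.113.5 is flagged; 198.51.100.7 probes the same number of ports but spread over fifteen minutes, and only a wider window catches it.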
- 16. Scanning
Determining if a system is alive
• Ping - ping uses the ICMP protocol's mandatory ECHO_REQUEST
datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway
• Fping - fping differs from ping in that you can specify any number
of targets on the command line, or specify a file containing the
lists of targets to ping.
- 17. Scanning
Port scanning the system
Nmap - security scanner originally written by Gordon Lyon (also known by
his pseudonym Fyodor Vaskovich) used to discover hosts and services on a
computer network, thus creating a "map" of the network. To accomplish its
goal, Nmap sends specially crafted packets to the target host and then
analyzes the responses.
- 18. Scanning
Scanning the system for vulnerabilities
Nessus – popular vulnerability scanning tool. It detects and identifies
software bugs in computers. It is an open-source tool that determines
security threats. Nessus contains some specific measures to minimize the
chance of a system crash. The two parts of this tool are a server
(nessusd) and a client (nessus).
• Nikto - open-source web server scanner that checks for dangerous files,
outdated server software and common misconfigurations
• ZAP - OWASP Zed Attack Proxy, an open-source intercepting proxy and web
application vulnerability scanner
• Acunetix - commercial web application vulnerability scanner
- 19. Scanning
The following are some of the classifications of vulnerabilities:
• Misconfigurations: Disabling security settings and features, due to
lack of adequate knowledge about their functions, leads to
vulnerabilities in network devices. Incorrect device configuration can
also cause vulnerabilities.
• Default installations: Not changing the default settings when deploying
software or hardware allows an attacker to easily guess the settings in
order to break into the systems.
• Buffer overflows: Buffer overflows occur when a system’s applications
write content that is beyond the allocated buffer size.
• Unpatched servers: Hackers identify vulnerabilities in servers that are
not patched and exploit them. Servers should be updated by applying
patches.
- 20. Scanning
• Default passwords: Default passwords are common to various operating
systems and applications. During configuration, the passwords need to be
changed. Passwords should be kept secret; failing to protect the
confidentiality of a password allows an attacker to easily compromise a
system.
• Open services: Open services are insecure and are open to attacks such as
DoS.
• Application flaws: Applications should be secured using user validation
and authorization. Applications pose security threats such as data
tampering and unauthorized access to configuration stores. If applications
are not secured, sensitive information may be lost or corrupted.
• Operating systems flaws: Due to vulnerabilities in operating systems,
Trojans, worms, and viruses pose serious threats. Flaws lead to system
crashes and instabilities.
• Design flaws: Design flaws can leave a piece of hardware or software open
to attack if these flaws are discovered.
- 21. Exploit
An exploit is an attack on a computer system, especially one that takes
advantage of a particular vulnerability that the system offers to
intruders.
- 22. Exploit
1. Compare the vulnerability finding with a risk rating framework.
- National Vulnerability Database (NVD)
- Common Vulnerability Scoring System (CVSS)
- Common Vulnerabilities and Exposures (CVE)
- Common Weakness Enumeration (CWE)
- Bugtraq ID (BID)
- Open Source Vulnerability Database (OSVDB)
2. Compare the vulnerability finding with an exploit database.
- https://www.exploit-db.com/
- http://www.hackersforcharity.org/ghdb/
- etc
3. Intercept requests to the web server.
4. Exploit the vulnerability in your own style.
- 23. Exploit
Common Vulnerabilities (source: OWASP Top 10 2013):
1. Injection
examples: SQL Injection, LDAP Injection, XPath Injection
2. Broken Authentication and Session Management
3. Cross Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
- 24. Maintaining Access
Maintaining access requires taking the steps involved in being able to
be persistently within the target environment in order to gather as much
data as possible. The attacker must remain stealthy in this phase, so as
to not get caught while using the host environment.
- 25. Maintaining Access
1. Netcat - an incredibly simple and unbelievably flexible tool that allows
communication and network traffic to flow from one machine to another
2. Rootkit – Rootkits are computer programs that are designed by attackers
to gain root or administrative access to your computer. Once an attacker
gains admin privilege, it becomes a cakewalk for him to exploit your
system
3. ssh tunnel
4. Create user on system
5. Put backdoor script
6. Install malicious software on server
7. etc
- 26. Covering Tracks
The final phase of covering tracks simply means that the attacker must
take the steps necessary to remove all semblance of detection. Any
changes that were made, authorizations that were escalated etc. all
must return to a state of non-recognition by the host network’s
administrators.
Editor's Notes
- Active reconnaissance includes interacting directly with the target. It is important to note that during this process, the target may record our IP address and log our activity.
Passive reconnaissance makes use of the vast amount of information available on the web. When we are conducting passive reconnaissance, we are not interacting directly with the target and as such, the target has no way of knowing, recording, or logging our activity.
- IP : ping, whois
3rd party :
Identify People :
Identify Technology :
Identify Vulnerability :
- Passive reconnaissance : http://www.securitysift.com/passive-reconnaissance/
Shodan : http://colesec.inventedtheinternet.com/passive-reconnaissance-with-shodan/
Google hacking db : http://www.hackersforcharity.org/ghdb/
- Determining system alive : ping
Port scanning : nmap
Vulnerability scan : nessus, ZAP Proxy, Acunetix
- Source : https://www.exploit-db.com
- https://www.owasp.org/index.php/Top_10_2013-Top_10