web security workshop : a jumpstart


Upload: satria-ady-pradana

Post on 11-Apr-2017

Category: Technology


Page 1: Web Security Workshop : A Jumpstart

Web Security Workshop: A Jumpstart!

Satria Ady Pradana
http://xathrya.id/

Lightweight and Powerful Penetration Testing OS

Xathrya

Page 2

# whoami?

• Satria Ady Pradana
  – Junior Security Analyst at MII (Metrodata Group)
  – Researcher at dracOs Dev Team
  – Staff at Reversing.ID
  – Interested in low-level stuff

Page 3

• Now tell me yours

Page 4

Dracos Linux is an open source operating system built for penetration testing. It is packed with a ton of pentest tools, including information gathering, forensics, malware analysis, maintaining access, and reverse engineering.

We Live by Code and Rise by Ethic

Page 5

LINUX :*

• Unix-like operating system for various devices and hardware.
• Free and open source, under the GNU license.
• Made by Linus Torvalds in 1991.

#screetsec Xathrya

Page 6

Making Linux Distro Great Again

Page 7

Derivative

• Deriving, or making a new distro based on another existing distro.
• It has undergone some modification by the author that makes it different from the parent distro.
• Example: Remastering

Page 8

Linux From Scratch

• A way to build Linux from the very start.
• Not derived from an existing distro.
• Initiated by Gerard Beekmans.
• Develop & assemble all parts of the system yourself.

Page 9

Advantages

• Teach yourself the internals of the operating system.
• Flexible: do as you wish.
• Positively have full control of your system.

Page 10

INTRODUCING

• Open source
• Built from scratch
• Specially crafted for Cyber Security

Page 11

THE PHILOSOPHY

Page 12

The name dracOs comes from Dragon Comodos, a rare species that can only be found in the Indonesian archipelago. Inspired by the Comodo character:

• Strong enough to kill its prey with minimum force.
• Its mouth has various bacteria and viruses that immediately kill the prey.


Page 14

HISTORY

• Project initiated on 12 June 2012 by Zico Ekel
• Remastering of Ubuntu 10.04
• The dracOs v2.0 Beta update still used Ubuntu
• Project reinitiated in December 2015 with radical changes, adopting LFS

Page 15

OLD SCHOOL STYLE

Page 16

WHY?

Page 17

"I am a l33t h@cker" LMAO

Doing something, but not knowing what they are doing.

Page 18

SOMEWHERE


Page 23

IT HAPPENS

Page 24

So... DRACOS LINUX


Page 26

FEATURES IN DRACOS

GTK MENU


Page 29

FIRE UP THE VM

Page 30

# In this Lab

• Install dracOs
• Configure network (use NAT or bridge)
• Ping my machine from dracOs
• Try the user interface (DWM)
• Install a package

Page 31

ARE YOU A HACKER?

You might be, but I am not

Page 32

Information Security is Like Football

• Formation = Framework: ISO/IEC 27001, NIST SP 800 (Computer Security), PCI DSS, HIPAA, ISMF
• GK / Defender: Sysadmin, Network, Firewall, SIEM, etc.
• Midfielder: InfoSec Officer, Risk Management Internal, Compliance, etc.
• Striker: InfoSec Consultant, Pentester, etc.
• Coach: Top Management, CISO
• Supporter: Stakeholder

I am sure you are interested in offensive penetration testing.

rungga_reksya

Page 33

Three Critical Components of Information Security (CIA)

• Confidentiality
• Integrity
• Availability

Page 34

Penetration Testing Methodologies and Standards

Penetration testing approaches: Black Box, White Box, Gray Box

Page 35

Penetration Testing Frameworks

• WASC – Web Application Security Consortium Threat Classification
• OSSTMM – Open Source Security Testing Methodology Manual
• OWASP – Open Web Application Security Project Testing Guide

Page 36

OWASP Top 10 – 2010 (old) vs OWASP Top 10 – 2013 (new)

      2010 (old)                                       2013 (new)
A1    Injection                                        Injection
A2    Cross Site Scripting (XSS)                       Broken Authentication and Session Management
A3    Broken Authentication and Session Management     Cross Site Scripting (XSS)
A4    Insecure Direct Object References                Insecure Direct Object References
A5    Cross Site Request Forgery (CSRF)                Security Misconfiguration
A6    Security Misconfiguration                        Sensitive Data Exposure
A7    Insecure Cryptographic Storage                   Missing Function Level Access Control
A8    Failure to Restrict URL Access                   Cross-Site Request Forgery (CSRF)
A9    Insufficient Transport Layer Protection          Using Known Vulnerable Components (NEW)
A10   Unvalidated Redirects and Forwards (NEW)         Unvalidated Redirects and Forwards

3 primary changes:
• Merged: 2010-A7 and 2010-A9 -> 2013-A6
• Added new 2013-A9: Using Known Vulnerable Components
• 2010-A8 broadened to 2013-A7

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Page 37

SQL Injection

• Injecting a snippet of SQL syntax to make the database give us information the developer never intended.
• Root cause: unsanitized input.
• Things you should know:
  • Basics of SQL
  • UNION
  • DBMS-specific things
  • Unicode and character representation

Page 38

Cross-Site Scripting (XSS)

• Injecting a client-side script into a web page viewed by (other) users.
• Root cause: unsanitized input.
• Things you should know:
  • Reflected
  • Persistent
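Reflected and persistent XSS differ only in where the unsanitized input comes from (the current request versus earlier stored data); both are stopped at the same place, the HTML output. This added example (not the workshop's code) models a stored comment list and a reflected search echo with constructed inputs, rendering each with raw concatenation and then with output encoding via the standard library's `html.escape`.

```python
import html

# Constructed in-memory comment store standing in for a persistent (stored) sink.
COMMENTS = []


def store_comment(text):
    COMMENTS.append(text)


def render_comments_unsafe():
    # Raw concatenation: any markup inside a stored comment is emitted as HTML
    # to every later visitor (persistent XSS).
    return "".join("<li>" + c + "</li>" for c in COMMENTS)


def render_comments_safe():
    # Output encoding at the HTML sink: <, >, &, and quotes become entities,
    # so the browser shows the text instead of executing it.
    return "".join("<li>" + html.escape(c, quote=True) + "</li>" for c in COMMENTS)


def render_search_unsafe(q):
    # The request parameter is echoed straight back into the page (reflected XSS).
    return "<p>Results for: " + q + "</p>"


def render_search_safe(q):
    return "<p>Results for: " + html.escape(q, quote=True) + "</p>"


def contains_script_tag(rendered):
    # Crude marker check, enough for the demonstration below.
    return "<script>" in rendered.lower()


def demo():
    # Constructed hostile input.
    payload = "<script>alert(1)</script>"
    COMMENTS.clear()
    store_comment("nice post")
    store_comment(payload)
    return {
        "stored_unsafe": contains_script_tag(render_comments_unsafe()),
        "stored_safe": contains_script_tag(render_comments_safe()),
        "reflected_unsafe": contains_script_tag(render_search_unsafe(payload)),
        "reflected_safe": contains_script_tag(render_search_safe(payload)),
        "escaped_form": html.escape(payload, quote=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Encoding must match the context the data lands in: `html.escape` is right for element content and quoted attribute values, but a value placed inside a `<script>` block or a URL needs that context's own encoding.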

Page 39

Cross-Site Request Forgery (CSRF)

• Unauthorized commands transmitted from a user that the website trusts, thus tricking it into accepting them as valid and authorized commands.
• Exploits the trust that a site has in the user's browser.
• Things you should know:
  • Reflected
  • Persistent
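The slide's point is that the site trusts the browser, and the browser attaches the session cookie to any request regardless of which page created it. The standard defence is a synchronizer token: a secret the site places in its own forms that a third-party page cannot read. This added example (not the workshop's code) models that with a constructed session store and a `handle_transfer` handler; the session ids, tokens and form fields are all made up for the demonstration.

```python
import hmac
import secrets

# Constructed session store: session id -> user and per-session CSRF token.
SESSIONS = {}


def create_session(user):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    # Embedded as a hidden field in forms the site itself renders for this
    # session (synchronizer token pattern).
    return SESSIONS[sid]["csrf"]


def handle_transfer(sid, form):
    """Return (accepted, reason). `sid` is the cookie the browser attached;
    `form` is a dict of POST fields."""
    session = SESSIONS.get(sid)
    if session is None:
        return False, "no session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token by timing.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return False, "missing or wrong CSRF token"
    return True, "transfer by " + session["user"]


def demo():
    sid = create_session("alice")
    # Legitimate form: rendered by the site, so it carries the session's token.
    legit = {"amount": "10", "csrf_token": csrf_token_for(sid)}
    # Constructed cross-site request: the cookie (sid) still arrives because the
    # browser sends it automatically, but the other origin cannot read the token.
    forged = {"amount": "1000"}
    # A token the other origin guesses is no better than none at all.
    guessed = {"amount": "1000", "csrf_token": secrets.token_urlsafe(32)}
    return {
        "legit": handle_transfer(sid, legit),
        "forged": handle_transfer(sid, forged),
        "guessed": handle_transfer(sid, guessed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check only helps for state-changing requests that are themselves protected from XSS: a script injected into the site's own origin can read the token, which is why the XSS and CSRF slides belong together.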

Page 40

# In this Lab

• Trying SQL Injection
• Trying XSS
• Trying CSRF

Your target is ...

Page 41

When you are aiming for a Professional Career

Page 42

Exploit Databases

36845 exploits archived, 82454 CVE IDs, 3000 modules on Metasploit, etc.

1. Exploit DB – https://www.exploit-db.com
2. Packet Storm – https://packetstormsecurity.com
3. Common Vulnerabilities & Exposures – https://cve.mitre.org
4. Rapid 7 – https://www.rapid7.com/db/modules

Page 43

Bug Bounty Programs

• Bug Crowd – https://bugcrowd.com
• Bug Sheet – http://bugsheet.com
• Hacker One – https://hackerone.com
• Fire Bounty – https://firebounty.com
• Bounty Factory – https://bountyfactory.io
• Open Bug Bounty – https://www.openbugbounty.org

Page 44

Concept of System Takeover

(Diagram; only the node labels survive.) SQL Injection, Login to MySQL, XSS, Phishing, Login to App, Make Form Upload, Upload File, SHELL, PWN SVR

Page 45

NMAP Features

Port states

1. Open: an application is listening for connections on this port.
2. Closed: the probes were received but there is no application listening on this port.
3. Filtered: the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.
4. Unfiltered: the probes were received but a state could not be established.
5. Open/Filtered: the port was filtered or open but Nmap couldn't establish the state.
6. Closed/Filtered: the port was filtered or closed but Nmap couldn't establish the state.

Page 46

# In this Lab

• Good Luck!