The Dark Arts of Hacking
Wednesday, February 4, 2009
About Speaker
– Speaker @ JavaOne, NFJS, Devcon, Borcon
– Sun Certified Java 2 Architect
– Instructor for VisiBroker for Java, OOAD, Rational Rose, and Java Development
– JBoss Certified Developer
– Professor - Sipe
Agenda
Security Landscape
Hacking Philosophy
– The Sorting Hat
Information Gathering
– Information leak
– Finding the exploits
Security Threats
– Brute Force
– XSS
– SQL Injection
Dos and Don’ts
Summary
Security Statistics
Gartner
– 75% of all attacks are directed at the web application layer
– 2/3 of all web applications are vulnerable
– 80% of organizations will experience an application security incident by 2010
IBM
– 10% of IT dollars are spent on web application security
Mitre
– XSS and SQL Injection are #1 and #2 reported vulnerabilities
Alarming Truth
“Approximately 100 million Americans have been informed that they have suffered a security breach so this problem has reached epidemic proportions.”
– Jon Oltsik, Enterprise Strategy Group
“Up to 21,000 loan clients may have had data exposed”
– Marcella Bombardieri, Globe Staff, August 24, 2006
“Personal information stolen from 2.2 million active-duty members of the military, the government said…”
– New York Times, June 7, 2006
“Hacker may have stolen personal identifiable information for 26,000 employees…”
– ComputerWorld, June 22, 2006
High Level Application Architecture
Top 07 Security Issues
Hacking Philosophy
Sorting Hat
Black hat
– Has the advantage
Grey hat
White hat
– Threat Modeling
Black Hatters
Script Kiddies
Disgruntled Employees
Whackers
Software Crackers
Cyber Criminals
System Hackers
Black Hat Approach
Information Gathering
– Sometimes targeted on a “client”
– Sometimes targeting a vulnerability
Scanning
– Network mapping
– Ports
Gaining Access
Elevate Privileges
Cover Tracks
White Hat Approach
Assess
– Threat Modeling
Policies
Implement / Train
Audit
Security Consequences
[Chart: Security (low to high) versus Usability (low to high)]
Black Hat Principles
Inside Out Access
Most People
– Like free stuff!
– Are curious
– Are not security savvy
– Choose usability over security
– Choose performance over security
Expense
– Too costly to secure everything
Hacker
John Draper – “Captain Crunch”
– Toy whistle provides free long distance calling
Information Gathering
Determine Target
– Looking for an opportunity
• Sans.org
• or …
– Targeting a “customer”
Google Magic
Google Advanced Operators
Cache: Info: Intext: Intitle: Inurl: Link: Filetype: Site: …
Looking for a cgi opportunity
– allinurl:/index.cgi
Looking for 2000 IIS 5?
– "Microsoft-IIS/5.0 server at" intitle:index.of
Apache Tomcat
– "Apache Tomcat/" intitle:index.of
Specific Version of Apache
– "Apache/2.0.45 server at" intitle:index.of
Password anyone
– inurl:config.php dbuname dbpass
– "Welcome to phpMyAdmin" "Create new database"
Perhaps you’re only looking for the government
– Site:gov
– site:mil filetype:xls "attendance"
http://www.googleguide.com/advanced_operators.html
Trolling for Users
"@gmail.com" -www.gmail.com
filetype:reg intext:"internet account manager"
filetype:xls inurl:"email.xls"
inurl:admin inurl:userlist
"index of" lck + intext:webalizer + intext:Total Usernames + intext:"Usage Statistics for"
filetype:reg reg HKEY_CURRENT_USER username
Trolling for Passwords
filetype:htpasswd htpasswd
– HTTP htpasswd
"http://*:*@www" pmjones:
– HTTP htpasswd
filetype:config config intext:appSettings "User ID"
– .Net app credentials
intitle:"index of" intext:connect.inc
intitle:"index of" intext:globals.inc
– MySQL
filetype:ini inurl:ws_ftp
filetype:inc intext:mysql_connect
– Php / mysql
Network Mapping
site:google.com -www.google.com
– Dns lookup… or ping
Looking for admins
– Ip search
– Whois
Easy Way
– http://toolbar.netcraft.com/site_report
Targeting
http://secunia.com/product/4021/?task=advisories_2004
– Issue with CubeCart 2.0.1
– Issue reported 10-10-2004
Google search: "Powered by CubeCart 2.0.1"
– 16,400 hits 02-13-2008
Hacker
Captain Midnight – John MacDougall
– Knocked HBO off the air for 4 ½ hours
Parameter Tampering
Brute Force
Automated Trial and Error
Cross Site Scripting (XSS)
Malicious script echoed back in browser
Consequence:
– Internet Worm
• MySpace
• Meebo
– Session Tokens stolen
– Future surfing compromised
XSS Testing
Submit a simple <script>alert(document.cookie)</script> to a web page
If alert pops, life is good!
– Or bad
• Just depends on if you’re a white hat or black hat
XSS Details
Common
– Search
– Error Pages
– Returned Forms
Aiding Technologies
– AJAX
– Flash
– IFrame
XSS – The Exploit
1. Link to Account in email
2. Embedded script sent to target
3. Script executed on client browser
4. Script provides cookie and session data
5. Hacker uses credentials
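The two server-side controls that break the chain above, as an added example (not code from the original slides): HTML-encoding the echoed value so the probe from the "XSS Testing" slide renders as text, and marking the session cookie HttpOnly so step 4 has nothing to read. The cookie name and token are constructed placeholders.

```python
# Added example, not part of the original deck. Output encoding stops the echoed
# value from being parsed as markup; HttpOnly keeps document.cookie from
# exposing the session token even if some other injection succeeds.
from html import escape

# The probe string used on the "XSS Testing" slide.
XSS_PROBE = '<script>alert(document.cookie)</script>'


def render_search_page(query: str) -> str:
    """Echo the search term back, as a search page does, but HTML-encoded.

    escape(..., quote=True) also encodes ' and ", so the value is inert both
    inside element text and inside a quoted attribute.
    """
    safe = escape(query, quote=True)
    return f'<p>Results for: <b>{safe}</b></p>\n<input name="q" value="{safe}">'


def is_inert(html_fragment: str) -> bool:
    """Defender's check: the rendered page must not contain a raw <script> tag."""
    return '<script' not in html_fragment.lower()


def session_cookie_header(token: str, secure: bool = True) -> str:
    """Build a Set-Cookie header for a session token.

    HttpOnly hides the cookie from script, Secure keeps it off plaintext HTTP,
    SameSite limits cross-site sends. SESSIONID is a constructed placeholder name.
    """
    attrs = ['HttpOnly', 'SameSite=Lax', 'Path=/']
    if secure:
        attrs.append('Secure')
    return 'Set-Cookie: SESSIONID=' + token + '; ' + '; '.join(attrs)


if __name__ == '__main__':
    page = render_search_page(XSS_PROBE)
    print(page)
    print('script tag neutralised:', is_inert(page))
    print(session_cookie_header('constructed-token-123'))
```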
XSS Testing
Cookie Poison
SQL Injection Discovery
Username: '
Password: a
SQL Inject Errors
SQL Inject Yourself In…
Username: access' or 1=1 --
Password: a
SQL Inject Yourself In
SQL Inject Answers from Errors
' having 1=1 --
' group by login.primarykey having 1=1 --
' union select min(username),1,1,1,1 from login where username > 'a'--
SQL Injection: Want a Password?
'union select min(password),1,1,1,1 from login where username = 'ab***ilr'--
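The login-bypass and error probes from the SQL injection slides, run against a constructed in-memory SQLite table, as an added example (not code from the original deck): once through string-concatenated SQL, once through a parameterised query. Table and column names follow the slides (login, username, password, primarykey); the rows are constructed.

```python
# Added example, not part of the original deck. Shows why the slides' payloads
# work against concatenated SQL and stop working once placeholders carry the input.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed login table matching the names used on the slides."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE login (primarykey INTEGER PRIMARY KEY, '
                 'username TEXT, password TEXT)')
    conn.executemany('INSERT INTO login (username, password) VALUES (?, ?)',
                     [('access', 'constructed-pw-1'), ('ken', 'constructed-pw-2')])
    return conn


def login_concat(conn, username: str, password: str) -> list:
    """Vulnerable: client-supplied strings become part of the SQL text."""
    sql = ("SELECT username FROM login WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username: str, password: str) -> list:
    """Fixed: placeholders keep the input as data, whatever quotes it contains."""
    sql = 'SELECT username FROM login WHERE username = ? AND password = ?'
    return [row[0] for row in conn.execute(sql, (username, password))]


def probe_leaks_error(conn, username: str, password: str) -> bool:
    """True when the concatenated query raises a database error. The
    "SQL Inject Answers from Errors" slide relies on that error reaching the
    browser; the fix is placeholders plus a generic error page."""
    try:
        login_concat(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == '__main__':
    db = make_db()
    bypass = "access' or 1=1 --"   # payload from the "SQL Inject Yourself In" slide
    print('concatenated :', login_concat(db, bypass, 'a'))  # every user returned
    print('parameterised:', login_param(db, bypass, 'a'))   # [] - literal, no match
    print('error probe leaks:', probe_leaks_error(db, "' having 1=1 --", 'a'))
```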
Insecure Directory
Remote Machine Details
Failure to Restrict URL
This would be fine if it were an admin
Hacker
Nick Jacobsen – Paris Hilton Phone Pictures
• SQL Injection or
• Password Recovery
Trojans
Beast
Tutorial: http://www.youtube.com/watch?v=KjbjPVG0BPU&feature=related
Hiding your stuff
GooScan
– Not Google Approved
Dos & Don’ts
Don’t
– Use Magic URL and Hidden fields for private data
– Use Security by ignorance
– Rely on secrecy of the scheme
– Reveal Passwords to User
– Use Cookies for private data
– Trust the client for anything
• Cookie expiration
Do
– Tighten Security
– Use Security Appliances
• Watchfire
– Rely on secrecy of a set of keys
– Tighten Passwords
– Develop a policy
– Enforce time limits on authenticators
– Security Reviews
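A server-issued authenticator that applies three of the "Do" items at once, as an added example (not code from the original deck): the only secret is a key, the expiry is chosen and enforced by the server instead of trusted from the client's cookie, and any edit to the user or expiry fields invalidates the tag. The key, the user names and the clock values are constructed.

```python
# Added example, not part of the original deck. HMAC over "user|expiry" means the
# client can hold and present the token but cannot forge or extend it.
import hashlib
import hmac
import time
from typing import Optional

SECRET_KEY = b'constructed-demo-key-rotate-me'   # placeholder; load from a secret store
MAX_AGE_SECONDS = 900                             # 15-minute authenticator lifetime


def _tag(user: str, expiry: int) -> str:
    return hmac.new(SECRET_KEY, f'{user}|{expiry}'.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Return 'user|expiry|tag'; the expiry is set by the server, never the client."""
    expiry = int((now if now is not None else time.time()) + MAX_AGE_SECONDS)
    return f'{user}|{expiry}|{_tag(user, expiry)}'


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name when the tag is valid and unexpired, else None."""
    try:
        user, expiry_s, tag = token.split('|')
        expiry = int(expiry_s)
    except ValueError:
        return None                      # malformed or tampered structure
    if not hmac.compare_digest(tag, _tag(user, expiry)):
        return None                      # edited user or expiry, or wrong key
    if (now if now is not None else time.time()) >= expiry:
        return None                      # time limit enforced server-side
    return user


if __name__ == '__main__':
    t0 = time.time()
    tok = issue_token('alice', now=t0)
    print('fresh token   :', verify_token(tok, now=t0 + 10))
    print('after expiry  :', verify_token(tok, now=t0 + MAX_AGE_SECONDS + 1))
    user, expiry, tag = tok.split('|')
    print('edited expiry :', verify_token(f'{user}|{int(expiry) + 86400}|{tag}', now=t0))
```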
Hacker
Adrian Lamo – “Homeless Hacker”
– Hacked
• NY Times
• MSFT
• NBC
Resources
Must watch program
– http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar
Vulnerability and exploit info
– www.cert.org
– http://www.owasp.org/index.php/Top_10_2007
– http://seclists.org/
Tools
– http://www.elhacker.net/hacking-programas-hack.htm
– http://www.tahribat.com/doc.asp?docid=87
Security Policy
– http://www.sans.org/resources/policies/
Links
http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt
Summary
It’s a Scary World!
White Hats are always on the defense
Obtain skills in Defense against the Dark Arts
And Good Luck!
Questions
Please Fill Out Surveys
twitter: kensipe
blog: kensipe.blogspot.com