The Dark Arts of Hacking.

Date post: 08-May-2015
Description:
Explaining the arts of hacking.
Transcript
Page 1: The Dark Arts of Hacking.

Hacking

The Dark Arts

Slide 1 – Wednesday, February 4, 2009

Page 2: The Dark Arts of Hacking.

About Speaker

Speaker @ JavaOne, NFJS, Devcon, Borcon

Sun Certified Java 2 Architect

Instructor for VisiBroker for Java, OOAD, Rational Rose, and Java Development

JBoss Certified Developer

Professor - Sipe


Page 3: The Dark Arts of Hacking.

Agenda

Security Landscape

Hacking Philosophy
– The Sorting Hat

Information Gathering
– Information leak
– Finding the exploits

Security Threats
– Brute Force
– XSS
– SQL Injection

Dos and Don’ts

Summary


Page 4: The Dark Arts of Hacking.

Security Statistics

Gartner
– 75% of all attacks are directed at the web application layer
– 2/3 of all web applications are vulnerable
– 80% of organizations will experience an application security incident by 2010

IBM
– 10% of IT dollars are spent on web application security

Mitre
– XSS and SQL Injection are #1 and #2 reported vulnerabilities


Page 5: The Dark Arts of Hacking.

Alarming Truth

“Approximately 100 million Americans have been informed that they have suffered a security breach so this problem has reached epidemic proportions.”

– Jon Oltsik – Enterprise Strategy Group

“Up to 21,000 loan clients may have had data exposed”

– Marcella Bombardieri, Globe Staff/August 24, 2006

“Personal information stolen from 2.2 million active-duty members of the military, the government said…”

– New York Times/June 7, 2006

“Hacker may have stolen personal identifiable information for 26,000 employees…”

– ComputerWorld, June 22, 2006


Page 6: The Dark Arts of Hacking.

High Level Application Architecture


Page 7: The Dark Arts of Hacking.

Top 07 Security Issues


Page 8: The Dark Arts of Hacking.

Hacking Philosophy


Page 9: The Dark Arts of Hacking.

Sorting Hat

Black hat
– Has the advantage

Grey hat

White hat
– Threat Modeling


Page 10: The Dark Arts of Hacking.

Black Hatters

Script Kiddies
Disgruntled Employees
Whackers
Software Crackers
Cyber Criminals
System Hackers


Page 11: The Dark Arts of Hacking.

Black Hat Approach

Information Gathering
– Sometimes targeted on a “client”
– Sometimes targeting a vulnerability

Scanning
– Network mapping
– Ports

Gaining Access

Elevate Privileges

Cover Tracks


Page 12: The Dark Arts of Hacking.

White Hat Approach

Assess
– Threat Modeling

Policies

Implement / Train

Audit


Page 13: The Dark Arts of Hacking.

Security Consequences

[Chart: Security (low to high) plotted against Usability (low to high)]


Page 14: The Dark Arts of Hacking.

Black Hat Principles

Inside Out Access

Most People
– Like free stuff!
– Are curious
– Are not security savvy
– Choose usability over security
– Choose performance over security

Expense
– Too costly to secure everything


Page 15: The Dark Arts of Hacking.

Hacker

John Draper – “Captain Crunch”
– Toy whistle provides free long distance calling


Page 16: The Dark Arts of Hacking.

Information Gathering

Determine Target
– Looking for an opportunity
• Sans.org
• or …
– Targeting a “customer”

Google Magic


Page 17: The Dark Arts of Hacking.

Google Advanced Operators

Cache:
Info:
Intext:
Intitle:
Inurl:
Link:
Filetype:
Site:
…

Looking for a cgi opportunity
– allinurl:/index.cgi

Looking for 2000 IIS 5?
– "Microsoft-IIS/5.0 server at" intitle:index.of

Apache Tomcat
– "Apache Tomcat/" intitle:index.of

Specific Version of Apache
– "Apache/2.0.45 server at" intitle:index.of

Password anyone
– inurl:config.php dbuname dbpass
– "Welcome to phpMyAdmin" "Create new database"

Perhaps you’re only looking for the government
– site:gov
– site:mil filetype:xls "attendance"

http://www.googleguide.com/advanced_operators.html


Page 18: The Dark Arts of Hacking.

Trolling for Users

"@gmail.com" -www.gmail.com

filetype:reg intext:"internet account manager"

filetype:xls inurl:"email.xls"

inurl:admin inurl:userlist

"index of" lck + intext:webalizer + intext:Total Usernames + intext:"Usage Statistics for"

filetype:reg reg HKEY_CURRENT_USER username


Page 19: The Dark Arts of Hacking.

Trolling for Passwords

filetype:htpasswd htpasswd
– HTTP htpasswd

"http://*:*@www" pmjones:
– HTTP htpasswd

filetype:config config intext:appSettings "User ID"
– .Net app credentials

intitle:"index of" intext:connect.inc
intitle:"index of" intext:globals.inc
– MySQL

filetype:ini inurl:ws_ftp
filetype:inc intext:mysql_connect
– Php / mysql


Page 20: The Dark Arts of Hacking.

Network Mapping

site:google.com -www.google.com
– Dns lookup… or ping

Looking for admins
– Ip search
– Whois

Easy Way
– http://toolbar.netcraft.com/site_report


Page 21: The Dark Arts of Hacking.

Targeting

http://secunia.com/product/4021/?task=advisories_2004
– Issue with CubeCart 2.0.1
– Issue reported 10-10-2004

Google search: "Powered by CubeCart 2.0.1"
– 16,400 hits 02-13-2008


Page 22: The Dark Arts of Hacking.

Hacker

Captain Midnight – John MacDougall
– Knocked HBO off the air for 4 ½ hours


Page 23: The Dark Arts of Hacking.

Parameter Tampering


Page 24: The Dark Arts of Hacking.

Brute Force

Automated Trial and Error


Page 25: The Dark Arts of Hacking.

Cross Site Scripting (XSS)

Malicious script echoed back in browser

Consequence:
– Internet Worm
• MySpace
• Meebo
– Session Tokens stolen
– Future surfing compromised


Page 26: The Dark Arts of Hacking.

XSS Testing

Submit a simple <script>alert(document.cookie)</script> to a web page

If alert pops, life is good!
– Or bad
• Just depends on if you’re a white hat or black hat


Page 27: The Dark Arts of Hacking.

XSS Details

Common
– Search
– Error Pages
– Returned Forms

Aiding Technologies
– AJAX
– Flash
– IFrame


Page 28: The Dark Arts of Hacking.

XSS – The Exploit

1. Link to Account in email

2. Embedded script sent to target

3. Script executed on client browser

4. Script provides cookie and session data

5. Hacker uses credentials
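The two defensive controls that break the exploit chain above, as an added example that is not part of the slides: output-encoding what the "Search" and "Returned Forms" pages echo back (so the alert(document.cookie) probe is displayed, not run), and marking the session cookie HttpOnly so script cannot read it in step 4. The page templates and the cookie name are assumed.

```python
import html

# Constructed sample input: the probe from the "XSS Testing" slide.
PROBE = "<script>alert(document.cookie)</script>"

def render_search_vulnerable(query):
    """Search page that echoes the term raw: the probe comes back as live
    markup and the browser executes it (step 3 of the exploit)."""
    return f"<p>Results for: {query}</p>"

def render_search_safe(query):
    """Same page with output encoding: <, >, &, and quotes become entities,
    so the browser renders the probe as text instead of running it."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

def render_form_safe(value):
    """'Returned forms' case: the value lands inside an attribute, so
    quote=True matters; otherwise a quote in the input could close it."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

def session_cookie_header(token):
    """HttpOnly keeps the session token out of document.cookie (what step 4
    relies on); Secure keeps it off plain HTTP. Token value is constructed."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; Path=/"

def is_script_live(rendered):
    """Test oracle: a raw <script tag surviving means the probe would run."""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    print(render_search_vulnerable(PROBE))  # probe returned unchanged
    print(render_search_safe(PROBE))        # &lt;script&gt;...&lt;/script&gt;
    print(session_cookie_header("constructed-token"))
```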


Page 29: The Dark Arts of Hacking.

XSS Testing


Page 30: The Dark Arts of Hacking.

Cookie Poison


Page 31: The Dark Arts of Hacking.

SQL Injection Discovery

Username: '
Password: a


Page 32: The Dark Arts of Hacking.

SQL Inject Errors


Page 33: The Dark Arts of Hacking.

SQL Inject Yourself In…

Username: access' or 1=1 --
Password: a


Page 34: The Dark Arts of Hacking.

SQL Inject Yourself In


Page 35: The Dark Arts of Hacking.

SQL Inject Answers from Errors

' having 1=1 --

' group by login.primarykey having 1=1 --

' union select min(username),1,1,1,1 from login where username > 'a'--


Page 36: The Dark Arts of Hacking.

SQL Injection: Want a Password?

'union select min(password),1,1,1,1 from login where username = 'ab***ilr'--
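Why the login bypass and the union query on these slides work, and why a parameterized query stops both, as an added example that is not from the slides: a string-built login query beside a bound-parameter one, run against a constructed in-memory SQLite table. The table name login and the username/password columns follow the slides' queries; the rows, the user alice, and the single-column adaptation of the union payload are assumptions made here.

```python
import sqlite3

# Constructed in-memory table. 'login' and its columns echo the slides'
# queries; the rows are made up for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (primarykey INTEGER PRIMARY KEY, "
               "username TEXT, password TEXT)")
    db.executemany("INSERT INTO login (username, password) VALUES (?, ?)",
                   [("access", "s3cret"), ("alice", "hunter2")])
    db.commit()
    return db

def login_vulnerable(db, username, password):
    """String-built query: a quote plus '--' lets the input rewrite the SQL,
    so the password check is commented out and extra SELECTs can be appended."""
    sql = ("SELECT username FROM login WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    """Parameterized query: the driver binds the input as data, never as SQL,
    so quotes and comment markers in the input have no syntactic effect."""
    row = db.execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

# The login bypass from the "SQL Inject Yourself In" slide.
BYPASS = "access' or 1=1 --"
# The "Want a Password?" union query, adapted to this one-column SELECT
# and to the constructed user 'alice'.
UNION = "' union select min(password) from login where username = 'alice'--"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS, "a"))  # access  (logged in, no password)
    print(login_vulnerable(db, UNION, "a"))   # hunter2 (another user's password)
    print(login_safe(db, BYPASS, "a"))        # None
    print(login_safe(db, UNION, "a"))         # None
```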


Page 37: The Dark Arts of Hacking.

Insecure Directory

Remote Machine Details


Page 38: The Dark Arts of Hacking.

Failure to Restrict URL

This would be fine if it were an admin


Page 39: The Dark Arts of Hacking.

Hacker

Nick Jacobsen – Paris Hilton Phone Pictures
• SQL Injection or
• Password Recovery


Page 40: The Dark Arts of Hacking.

Trojans

Beast

Tutorial: http://www.youtube.com/watch?v=KjbjPVG0BPU&feature=related


Page 41: The Dark Arts of Hacking.

Hiding your stuff

GooScan
– Not Google Approved


Page 42: The Dark Arts of Hacking.

Dos & Don’ts

Don’t
– Use Magic URL and Hidden fields for private data
– Use Security by ignorance
– Rely on secrecy of the scheme
– Reveal Passwords to User
– Use Cookies for private data
– Trust the client for anything
• Cookie expiration

Do
– Tighten Security
– Use Security Appliances
• Watchfire
– Rely on secrecy of a set of keys
– Tighten Passwords
– Develop a policy
– Enforce time limits on authenticators
– Security Reviews
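Several of the Do/Don't items above (don't trust the client or its cookie expiry, rely on the secrecy of a set of keys rather than of the scheme, enforce time limits on authenticators) come together in one construct: a session authenticator whose expiry is signed with a server-held key and checked server-side. This is an added example, not code from the slides; the key value, token layout and the hypothetical helpers are assumptions made here.

```python
import base64
import hashlib
import hmac
import time

# Hypothetical server-side key: the one secret the scheme depends on. Load it
# from a secret store in practice; it never leaves the server.
SERVER_KEY = b"constructed-example-key"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

def _sign(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_token(user, ttl_seconds, key=SERVER_KEY, now=None):
    """Mint 'user|expiry' plus a MAC. The expiry sits inside the signed data,
    so the client cannot extend it; only a key holder can mint a valid token."""
    if "|" in user:
        raise ValueError("user must not contain '|'")
    now = time.time() if now is None else now
    payload = f"{user}|{int(now) + ttl_seconds}".encode()
    return base64.urlsafe_b64encode(payload + _sign(payload, key)).decode()

def verify_token(token, key=SERVER_KEY, now=None):
    """Return the user for a token that is well-formed, MAC-valid and not yet
    expired, else None. Nothing in the token is trusted before the MAC check."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, _sign(payload, key)):
        return None  # altered by the client, or minted with a different key
    user, _, exp = payload.decode("utf-8", "replace").rpartition("|")
    if not exp.isdigit():
        return None
    now = time.time() if now is None else now
    if now >= int(exp):
        return None  # time limit on the authenticator, enforced server-side
    return user

if __name__ == "__main__":
    t = issue_token("alice", ttl_seconds=600)
    print(verify_token(t))                         # alice
    print(verify_token(t, now=time.time() + 601))  # None (expired)
```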


Page 43: The Dark Arts of Hacking.

Hacker

Adrian Lamo – “Homeless Hacker”
– Hacked
• NY Times
• MSFT
• NBC


Page 44: The Dark Arts of Hacking.

Resources

Must watch program
– http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar

Vulnerability and exploit info
– www.cert.org
– http://www.owasp.org/index.php/Top_10_2007
– http://seclists.org/

Tools
– http://www.elhacker.net/hacking-programas-hack.htm
– http://www.tahribat.com/doc.asp?docid=87

Security Policy
– http://www.sans.org/resources/policies/


Page 45: The Dark Arts of Hacking.

Links

http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt


Page 46: The Dark Arts of Hacking.

Summary

It’s a Scary World!

White Hats are always on the defense

Obtain skills in Defense against the Dark Arts

And Good Luck!


Page 47: The Dark Arts of Hacking.

Questions

Please Fill Out Surveys

[email protected]

twitter: kensipe

blog: kensipe.blogspot.com

