"An introduction to Penetration Testing using Kali Linux" - Marcus Herstik (LCA 2020)

Captions
let me introduce Marcus acoustic okay [Applause] hi guys just a few things to kind of start the green Network which is a guest sort of you know color was probably different to what we would normally show in this kind of thing that's the network we're allowed to hack on you can connect to the Wi-Fi sorry typo with let's do this with a capital o not hacking in this section okay this is where your Wi-Fi is and stuff will connect to there is no internet connection there is one IP I'd prefer you not to break at the start you're allowed to break it at the end if you really want there might be a few minutes but just to kind of get get a little started I'm hoping you guys have all and girls and have already got a Kali Linux distribution if you don't have one look you can use a life of USB stick version those of you I've given it to please give them back I mean they're not worth that much I guess but you can use a VM look there's an OVA file I've got that I can give you guys if you don't know what it is you can follow along with a friend you can watch you can take notes or if you're on you can try and install the packages yourself so that's a little caveat there as I said no hacking on anything outside the 191 6:8 1.0 network don't be evil nice little we had a little discussion about whether that's actually still part of Google or not last night so I thought it would be a nice one to throw in and our dinner table but uh but try not to break stuff until the end if you if you can so these are the wires that you're allowed to join I'll bring that back in a sec so so does anyone need to either install setup go through try to get Carly going yeah so did you a can you boot off for us pasty perfect yeah yep just in import that in to your VM software sure who said that alright new um they're fresh from office works they've got a nice fresh USB smell and I just put summer and I just loaded the ISAs to make them bootable I haven't tested all of them I tested a few and then just kind 
of got sick and tired of rebooting those of you that don't know the default username and password for Carlie is root and tor I tried sort of explaining that to my wife yesterday when I ran her through the things she didn't quite understand what tor was excuse me so a little bit about Who am I look I'm a teacher I'm a lecturer and now in SCU although if you look at my LinkedIn profile I think it says I'm a shooter or academic tutor or something recently moved up to the Gold Coast I was NIT I'm about a year and a half ago two years ago became a sort of a full-time ish teacher after doing it part-time at nights and stuff like that for about six or seven years I got lots of certifications as you can kind of see some of them are interesting I didn't put my Microsoft ones on there cuz I gather you guys don't really care so look I started many years ago in tech support I've worked my way through as a contractor I've been a business owner being IT manager in some startups and stuff like that does anyone know who Paul Brown is one's ever heard of Paul Brown so most of you guys don't have any certification or looking to get books and stuff like that for it cuz if you have especially if you looking at the more network he sort of side you might have heard of Paul Brown anyway of help with what a few tip a few books but um so that's I guess a little about me what I'd like is so I'll just jump ahead for a sec it's the those of you that are actually going to be participating so hopefully you've joined the Wi-Fi how many people are hoping to kind of follow along Oh lots of people ok it should be fun excellent no pressure so you've got pen test 2 or pen test 3 password is let's do this if you're using a virtual machine look it shouldn't really matter whether you are using bridged or NAT most of your virtual machines will probably default in that the only thing to check is can you ping the 192 168 1 network so one on two one six eight one not one if you can ping that you can you 
should be able to see the stuff behind all it's in that Network now a few ideas as to what we're going to be doing so I kind of put in there a little bit about the a little bit about the idea of using the cyber kill chain but running through it and setting it all up and stuff like that I guess this is one of the vagaries of writing something about three months ago is we're not going to necessarily go through all of the steps but the cyber kill chain is one of the I guess the those frameworks that a lot of people use developed by Lockheed Martin as you could see kind of seven steps we're going to be sort of looking at number one a little bit sort of around number three four we're not going to be installing any malware or commander catch also know five or six but we will be looking at again sort of at option seven so the idea is we're gonna try and find some servers there are some virtual machines sitting inside our little network I'm gonna try and find some vulnerabilities maybe check some information I know a little bit of a fun one in there as well that doesn't really actually come out in the real world unless you're a spy or something crazy where we're gonna try and check an image for some information find some passwords maybe crack some passwords try a bit of an SQL it exploit it's not going to be actually an SQL injection although there is an another virtual machine that you can do that kind of stuff on there if you can find it it's not too hard to find now we're going to try and gain access to a user account then hopefully escalate ourselves to route all in 19 minutes maybe we'll see how far we go hopefully shortly after sort of BI around the point of finding and cracking some passwords and stuff I'm hoping that we'll be able to at that point if anyone sort of what has another talk they want to go to you can probably exit out at that kind of point I can make available there is actually a walkthrough which I will be going through as well step-by-step kind of 
guide this is all based on something I wrote for TAFE so I work for TAFE New South Wales and this is all based on a guided walk through that I did a capture the flag start a child style activity for them and so you can get a copy of this and I'm happy for you guys if you want look you can either hit me up or we can you know I can give you copies of the vulnerable machines etc that are in there so you just need to be able to import some ovios and stuff at home I'm happy to give you guys that stuff because I feel it's a good idea to do it now quick caveat I'm more of a teacher these days than a techie and I'm definitely not a hacker for you know for hire kind of stuff so if you've got an X that you want to get some information out of I'm not the person to ask cool that is at this point does anyone have any quick questions or any issues with getting stuff up and running people feeling pretty happy alright so as I said this is out the network we're going to be going there are some vm's there we don't you guys don't know how many there are depending on the type of scans and stuff that you do you may or may not find a number of different machines but of course one of the things we we're bound by is time.he and sometimes when we're trying to scan networks and stuff these things can take a while it's not like in the TV and movies and stuff like that where you know they're bash away and then all of a sudden hey look I mean but I have got some shortcuts and stuff for us to try and try and get through some things okay I guess are we really go now if there's any problems with stuff at the time by the way look I'm happy for you guys let me know but we can always you can always catch up at other points as well so there's it's just there's there's a number of steps and as such we can kind of you know you can jump back in at a later point now what's one of the first things we need to do when we're trying to get into a network we're trying to see what's going on what was the first 
step because anyone remember step one yeah some reconnaissance so look I've got my machine up and running I got Carly hopefully you guys can see that at the back is that big enough so the first thing we need to try and do is I guess have a look at what is out there how are we going to discover it now one of the problems with Carly I find that when I when we're starting to introduce people is first of all people go to Kali it's going to be amazing and it's going to be hacking him and then they look at it and go it just looks like another Linux distribution yes it is it's not my daily driver I don't recommend it as a daily driver although I know some people that do use it as a daily driver and I don't think there's any right or wrong with it I just find it sometimes the updates break Carly a bit so if you're going to be doing that as a daily driver make sure you've got lots of backups or store your data somewhere else but the other thing with Carly is they start looking at stuff and they go okay well she let's maybe go I start looking at it and go all right well what about God and there's too many wouldn't say it's like too many but as in there's a lot of different options available when you're trying to find out what we've got so you're like okay well how can i out of all these options what can I use work you know there's net discover there's nmap know people have probably heard of nmap but there's also net discover there so has anyone used net discover no so I mean there's there's two options the other good part about it is when you click on one of them in Carly look it has a tendency to give you a little bit of the help file which is very nice and it sort of runs it for you straight away so scanning takes a fairly long period of time and so I'm going to kind of shortcut up a little bit and we'll use nmap - SP so hopefully we can try and scan the network okay that's our network there as I said earlier can you ping it hmm and Noah cut just to make life interesting 
for me don't you see Lois it's it's probably cuz I've disconnected and reconnected oh no oil is that you yeah okay why can't I get there what is unreachable does anyone moon able to successfully stop their skin okay good all right I was here early and I tested it over four hand supposedly that's good yeah I can't see come on oh yeah yeah sure okay looks like I got a new way oh yeah there we go now I'm in Matt sorry about that and map is one of those tools that's really commonly used it's built into obviously Carly it's Carly's nothing special though right you could build effectively something like Carly into Debian on the fly if you want just to install the packages as you need them so it's not it's one of those things that I think is hyped up a lot more than it used to be or that it should be so many years ago when I first heard about Linux in sort of the late nineties early noughties I was like ah you know what's Linux and then I heard people talking about Linux boxes as they are can I have a Linux box I thought it was like something different but and then someone handed me a computer I'm like oh okay so um it's it's nothing special but it's I guess it's all the tools in one location which makes it unique but there are other ones out there so does anyone know some of the other ones or anyone tried any other sort of the hacking os's backtrack that is Carly right okay parent yeah that's a one that seems to be quite popular these days anyone heard of or tried black arch oh sorry so look there's a number of them out there that will actually allow you to do the same thing so it doesn't matter you could install nmap pretty easy to install now what are we hoping to find what if people found so far if they've done they're there in map has anyone's completed No so a bucket load of different stuff how many different machines have we found four or five not counting the one we're not supposed to cure you okay so what ip's have we found so far so 1.1 1.5 101 and 102 okay no 
one found got 50 so one pound got 50 so you would do it you did a deeper scanned in as well so look there are some there that might be harder to find as well and this is a common thing on a network as well so the deeper you do a your scan the more likely you are to find stuff so dot 50 is actually one of these that I've tried to disable some of the the settings on it to make it a little bit harder to find so it doesn't have the P and P and all that sort of stuff running on it nor the you know the DNA and the NLA server and all that sort of stuff okay so we found dot one obviously that's actually just the router itself we found dot five look that's my main box that's the one I don't want you to kill yet dot 40 m dot 50 if you found that 50 that's they are both our better wireless routers and then we've got 101 and 102 was it okay so with 101 how many different things are on there I don't actually know what the IP addresses are reset and all the Macs and stuff like that so they'll just come up wherever does that have lots of options available now 15 all right actually know what see if that is a little faster what's the difference between these two scans by the way does anyone know what the - f yeah so that yes so the SV will tell us a bit more information about what version of the software and stuff like that so that really can help us pinpoint which ones might be available for us to try and get in the - f is just listening for or looking for some common ports depending on which scans you run you may or may not find extra extra pieces okay so that's going to take a little bit so it's decreasing okay thank you all right so one of the first things we probably need to try and figure out is what ports are open so when this hopefully comes up if it does come up we've got two machines there one of them is going to have quite a lot of ports open and we've got one machine which doesn't have very many ports open and if I had to take a guess it's a 101 on 102 that's got the 
shortlist and so one or two is gonna be the one that I think we should probably have a bit of a no it's not there at all yeah that's got very slow isn't it this is a problem I guess it's trying to do it all live I'm directly plugged in so I should be good okay so I might have to get a few people to try and stop some of the scanning so how many people still scanning at the moment oh geez all right yeah yeah all right so it wasn't part of it okay I really should have thought that one through a little bit better let's see if we can page so if we can get a few of you and say if every second row wants to stop their scan so the front front row I guess can kind of do it if they want I guess in every second row and then maybe we'll swap through a few little pieces and to give you guys a bit of a bit of a chance to kind of have it have a crack there are some things that you guys will be able to for example if once we get onto this page the image that's there we could download that that image for example in them we could do a quick check to see what's on there we will need to find out with that scan a little bit later we're going to use some of the information from one of those scans so if someone wants to either take a bit of a screenshot or note what the ports are for 102 that would come in handy for us a little bit later hackings not normally a group thing either by the way I don't know if you've penny so it's lonely isn't it typically one person that's just paid a lot of money for access to some BOTS okay so look up this is one of our pages and a Metasploit see if we can run that one a little bit again so built into this now this is a bit of as I said of capture the flag kind of I don't think so what we can do is not very much no username no password and login details you know sometimes web pages have got like you know a little login buttons down the bottom and stuff has anyone come across those cool ones with you know people that got WordPress sites that don't want to 
remember WP - admin for example so if we save this image because this is a bit kind of weed for us I'm gonna save this image just because it might have some information in there what kind of things might people put into for example an image why would you it yeah there might be some metadata in there so yeah and then there's student so what's stenography yeah so for example you know if you wanted to find some really smart people you could put a crossword puzzle in there that like you know in a newspaper or something and then lo and behold you know the smart people figure it all out and then maybe they can you know contact someone has anyone seen that in a movie at all so look obviously there's exif data in there so we can have things like you know metadata which is obviously a good way for us to for example if i want to find where my sister is and she puts photos online like I know she's overseas somewhere at the moment but could be America could be Canada puts a photo up if I can get a copy of it or she is she you know it sends it to me by whatsapp or something I can find out where she was now there is a tool that's not actually built into Kali Linux which I find is kind of an interesting option called exif tool well you would have to install it if it's not already there and it can give you all kinds of extra little information in there now there's anyone see some information in there that could be interesting yeah yeah a little bit of a comment there why if you don't have XF tool you're using my bootable USB stick there is one that's built into Carly it's not very good and right up the very top just after the image file type we can actually see that comment string there so we could see the same thing so what is it about this that could be interesting what is it about this sort of stuff well first of all what do we think that is okay yeah it's type of smiley and then a winky smile so let's see if we can grab grab this and have a bit of a look at what what could we 
do with this maybe I reckon maybe I'll take you to a web page another hidden page now what could we've done to try and find all these kinds of directories yeah look there are tools in there called der Buster there's a number of tools we could use to try and find the names of directories if you use that would it have found this one y-yeah Sodor Buster uses a dictionary you can have some pretty cool dictionaries right but the chance of something like kaizad capital M lowercase B kind of stuff right being an addiction is pretty low I would say almost impossible look if you were doing a just an absolute brute force where you ticked through every combination of letters and stuff you'd probably get there that I don't know whether or not you'd be around to see it okay so we've got a page here now if you guys want I guess look we can bring it up you could have a look at the page there's nothing very special there what is it is it out of database back-end that's one of the first things normally hackers will start looking at though this database I can do some kind of SQL injection the SQL injection is a really common way of trying to get into stuff we won't do actual SQL injection will we use a SQL map tool to to take a dump over database but if you want on the Metasploit able on the other server if people want to have a bit of a play on you know utility and stuff there are SQL injections and stuff available there so if you want to go down your own kind of path well you know what you're doing feel free to have a bit of a crack on on number 101 so what is this though well it's obviously asking for a key so okay it's not giving me any letters it's not showing me what's in there which means those of you that have done some hates you know any kind of stuff what kind of a form field we probably looking at yeah look a password field so we can go in to look at the elements a little bit and go okay oh they've left me a comment there what's that comment say well this forum isn't 
connected to MySQL so that's very nice that they've done that for us but is there otherwise we could have checked to see what it is but you can use things like burp suite and stuff like that we're not going to use burp suite there's lots of tutorials out there on how to use this kind of stuff but we can see for example in this case that we've got a bit of a form field it's using a post' action and we can also see that we've got you know some PHP running in the background and we can even see that there's it's the password type field and there's a name near time the name type is key now if we wanted to see a little bit more this is not necessarily a hacking tool right but your browser's have some very interesting information that you can get gather so using something as simple as you know your browser you can start to see okay yep I've got a request one of them there's a fab icon that didn't actually come down as well so that's kind of interesting but we've got a form field here and I've got a bit of HTML and I can see they're just working on normal HTTP no age yes ok so to bring this up I right clicked and I chose inspect element so we don't actually have an SQL Server in there if we don't have a MySQL server what else could we do with this well we can try and actually crack the password a bit but getting like the comment fields a little bit you know it's kind of fun and interesting the only people as I said that kind of use it is maybe a spy might try and put some stuff in there you know like hidden in in an image just like that these days you don't need it anyway so we we could use burp suite but we're not going to use burp suite to check this out a little bit when I type the word test or anything else in there hello or something like that I can see that I'm getting some parameters here a key the key in this case my word test so that's what we're it dropped the word in there so what can I use to try and get in here hmm a timing attack yeah look I could try 
something like a timing attack yeah look we can just throw a dictionary at it so why don't we use something like that instead then we know I know that there's this word invalid key that comes up when I type something wrong so using this we can actually use another tool built into college to try and figure out okay what words can I place in there from a dictionary so getting the fact that I need to know a few things to get this working number one I need to know what is the field that it's using so in this case we've got a key field I've got a fear I've got a response invalid key and based on those two things I can try and put in a word list into that that field however we need a word list now so do we have a word list finally yeah we've got a word lists built in so this is not the one we're looking at not the one we're looking at this is the one that we're looking at has anyone done a deeper scan on this one on 102 do we do an SD lowercase s capital V do an SB on 102 some of you may be the the second rows like you know every second row or whatever that didn't do the other scans because we might need this a little bit later okay so let's locate a word list alright I got a folder called user share word lists already built in there what's a word list in there now when you take a look at that you won't have roll you number one and you won't have Rock you dot txt you should just have rock you dot GZ so it'll already be zipped for you it is a massive file with 14 million lines in it so what I've done is I've stripped out a few of them this is my you know here's one I prepared earlier with only about 1200 lines if you throw the Rakhi txt it will get it but to give you a bit of a hint it's around about 25,000 ish but it's not too far through the list but it's far enough that'll take a few minutes for it to pump it in but if you want to kind of get rid of the first 20 23,000 kind of things out of a list you could probably catch up if you know how to delete so they're divided 
into they're used for different tools as well so you can see for example there's dur Buster and the and Metasploit we're not going to touch Metasploit by the way because you know there's lots of stuff out there and everyone's kind of cool and interested in you know Metasploit Metasploit Metasploit but you can find that stuff out there and so I normally get my students to do a little project where they try and figure out how to do it but so there's different tools and word lists that work better for some things than others and then you can also download bigger ones from the internet and stuff like that as well some of them you've got to pay for these days they're kind of even behind paywalls and crazy stuff like that which is interesting and rainbow lists and some other stuff you can get to Sara answer the question sort of yes so but they're also put into categories for usage oh and in the very top yes so quite often they're put up in you know the higher ones if you take a look I left the first few in there so these are the first kind of ones that they've got in there of course the word lists change or like you know that can change so if you've looked at have I been poned or something like that you know and it tells you are you know your password in the top 10 all your passwords and so it just depends on what people are doing and stuff as well but that's for example you know the top list I don't think that Luis Antonio is probably a number 10 though so just that could also be me slicing that I think I sliced it at Rock you so I don't know if princess is really like you know number seven or something but they try and I guess put it into some semblance of order eventually it actually does there are chunks as well if you take a good look at it there are chunks of word lists that are basically in alphabetical order as well I guess to try and get am know sort of a continuous roll going all right so I've got a slightly smaller word list you guys have rocky dot X so you'll 
need to unzip it if you want to gain and if you want to use it as I said you can chop off about the first you know 29,000 now what can we use to do it look there's a number of different tools you can use to try and you know crack a password but and that's I guess one of the biggest issues I find with a lot of students and stuff is when we're teaching them is there's just too many different things so my suggestion is for people to start with a few simple tools use or use all of the capabilities of that tool and then when the tool doesn't have that capability then find something else right so really explore what it is that that tool can do before you start moving on to new ones like I said nmap and net discover but two different tools that can do the same thing so in this case we're going to look at Hydra well it's a Hydra is a password attack I don't understand why in some respects they've put it under an online attack because it's not going online to do anything it's I guess their labeling is saying look you can do against something online rather than a password file or something that you've downloaded for example but so well some people get a bit confused about you know I need to be able to attack something you know I need to be able to gain access to the Internet to use it you don't need the internet access but online attacks we could see there's Hydra and a few others in there so we're gonna I'm gonna choose Hydra and it pops me up a few options again you know how to use it etc etc probably one of my favorite things about Kali is is choosing those options from the list obviously if you don't if you just type you know if you just go grab your terminal and type Hydra or whatever you know you can use it but it's very nice that when you click it on click on it in the list it the first thing it does it it actually just gives you all your help so we're gonna try Hydra what are we going to do with Hydra well first of all do I have a username or a password so if you 
have a look at the foot of the examples there we don't have a username field Dewey so we want to ignore that so I'm gonna say - I'll ignore then I'm gonna say - P now it needs to be capital what's the difference between capital and lowercase the main difference is lowercase will do single pass capital will allow us to do multiple passes of passwords through it okay then I can put in my word list so use a share my lists I'm gonna use roll you so at this point I've said okay I want Hydra to ignore the username this is the list of passwords you're going to use I then need to point it to my location then HTTP POST forum so that's telling it what type of information it's using so it was using a post and we could see we can get this kind of information from in here when we were doing our tests the other thing I need to figure out whoops is if I've got a post form I need to tell it where it's going to go from so I'm just gonna copy the so we don't need the the IP address I need to know the location of the page that it's going against notice I put it in quotes as well common little issue that I've come across is I forget to put quotes etc then I'm saying okay the field is called a key right and at this point I'm saying when you're you're going to be putting in a key and we're going to be replacing the this past that's the carrot past carrot we're going to replace that with the items from our word list that's the point there and then we say oops and then we said this is the response you're looking for when you don't get him valid key you've got a password but so try your passwords until basically you don't get this second part and we can give it a little bit of a bit of a crack probably takes should take mine around about a minute or two if you're doing the big attack I think yesterday I was running on a slightly slower computer it probably took about three to four minutes with just rokkyo txt with this many people it might take a little longer so it's a brute-force attack 
it's not very nice but some sort of intrusion detection system intrusion prevention systems should find this out but however you're just learn attack inquiry s website or something like that you know it's hosted by I don't know some web hosting company they may or may not see that it's happening it's hosted on you know little home servers or something like that self-hosted etc most likely would actually happen so people won't necessarily know what's going on bigger organizations will have stuff to be able to try and do it there are mitigation techniques to try and get around IDS's and IPS and stuff but I just want us to kind of see a progression step by step if you are having to go around any stuff like that the testing things at your work obviously if it's at your workplace and stuff like that and assuming you you're allowed to kind of have a bit of a bash in it one of the things is you already kind of know what's there so it can help you sort of get around some of those pieces but you won't necessarily know about it if you're attacking someone else's sort of system obviously are we allowed to attack other people's systems yeah you are allowed to attack other people's systems as long as you've got permission was one of the first lines in the certified ethical handbook I'm pretty sure make sure you get it in writing too so this one can take look it would probably take similar up to maybe 10-15 minutes for it to try and try and get the password so we've indicated I'm doing roll you on oh yeah so it shouldn't take me too long it's probably everyone having an having a go at it now how likely is it that someone's going to have a field for example with a pass with just a password field in there unlikely isn't it built into WordPress one of the options is for you to have like you know your your pages and you can have pages that have a password field I mean you just kind of there's basically a list a tick box er you know hide this this page without a password so that's a 
really common one I've seen a few people try and do. Ah, look, we'll hide it; it's probably not super common, obviously. What are we seeing most of the time? Usernames and passwords, which we will have a little bit of a go at in a moment. So it should try and find our password and see how it goes: 30-ish tries per minute. Let's see, I guess, how much slower it gets. It dropped out and came back. Capital L, capital D, capital T: LetsDoThis, with 'this' spelled t-h-i-s. So, that should be it, that should be the password. Pentest two and three. Okay, I know what the password is already on that one. Has anyone found it? You know, has anyone gotten the password yet? How many people were trying? A few, okay, so no one's got it yet though. Hmm. That's the password sitting around about 25,000 to 24,000, okay. Yeah, that'll take one... yeah, that's seeming like it's gonna take quite a while to get through all of them, because it's only doing... I'm getting 30 to 40 a minute. Nothing at the moment. Yeah, no, these things just get slow, and I gave it a bit more RAM and cranked it up a little; I didn't know how many would do it. I can shortcut it because I know what it is. I just want to see roughly where it is. So I noticed, by the way, as I said, little chunks that are sort of in some kind of order, that should be a lot faster. Someone got it? Excellent. So, yet, the password is actually 'elite'. So the password is the word 'elite'. Someone got it. It ran through; were you using the actual list, or did you jump? You got rid of about the first... okay, excellent, and how long did it take? Yeah, okay. So the password was the word 'elite'. Now, by the way, what time is it? Right on change time, okay, fair enough. So if anyone's looking at going at the moment or going to another talk, I guess now is probably not a bad time to consider doing it; it's good to change over. However, our next thing we're going to be doing is, now we've gotten a password, we can try the word 'elite' in there. What does it
do now? It takes me to a page asking for your username. A little bit backwards here, all right. I'm just gonna... mmm, no, that didn't work. Let's try something that shouldn't actually help or give me any information: a blank field. Now obviously they should be doing some kind of sanitisation of their information in this, but it hasn't worked. So if someone's not sanitising information and we're getting things like this, what does it probably mean? Is it actually there this time? Yeah, now this time it looks like we've probably got a database. So the previous one, we had a little hint saying there's no database, and look, that was probably very handy, because I know some people that have spent, you know, an hour to three hours trying to hack away at that very first box, trying to see, you know, assuming it's SQL. So in this case I've got two: I've got Ramses and I've got Isis, and we had a bit of an eye beforehand, so I guess someone's got a little bit of an Egyptian mythology kind of piece going on here. So I've got two users, potentially; that's what it's telling me. I've got employee ID one, employee ID two, no password fields or anything like that, but, you know, thankfully it didn't spit that out, but I could see there's a name and a position. So what can we do with this? Well, we can try, look, we could try doing some SQL injection, for example, or we could just cheat a little bit. What's another tool? One of the issues with SQL injection is it's quite a manual sort of process to see what you can and can't get away with at the start; however, there are other ways to do it. What about database attacks? No, I can use sqlmap. Now, sqlmap is a really common one. What it allows us to do is to test against common techniques to find out: can I access a database? And then if you can access it, you might be able to do some things such as take a dump of a database, etc. But probably one of the biggest issues these days with modern data leaks and stuff like that is
people just take dumps of databases, or I find them randomly online, like has been found with, say, the ABC. I don't know if anyone saw: the ABC a few years ago had a completely unprotected AWS S3 bucket with all their backups of databases sitting there, nice and handy; people just downloaded them. Yes, there was like some automated script that was just, you know, dumping them straight in there, and there was potentially years' worth. You can look it up if you want to find out a bit more about it. So sqlmap is a really handy way of trying to do it. So I know I've got a username and a password field, lots of tabs going. I've successfully found my password now, thankfully. All right, so there we go, didn't take too long once I had a very, very short list. So that's how we were able to bring up the page, but I know there's a database there now, so I'm going to use sqlmap to try and see, to try and get into it. It's a very handy little hint here, and under the target there we can see at least one of these options has to be provided, so I've got to tell it a target. So `sqlmap -u`, and I can give it the location of the webpage. Now this is the webpage URL, and did anyone notice that when I actually typed something in, it puts it in the search string there? All right, so we could see up the top there the search string has my field, so it successfully worked, but if I put nothing there, when it's got a blank search it just gives me everything. So that's letting me know I could probably do something here. Another way for people to test and do stuff is, you know, they'll put closed quotes and then try and sort of see what they can do and see if it'll spit something out. However, this one, what it's done up there, is it's tried to change it, encoded it, so there's still ways around it, but it's not the sort of more basic common test that you sort of see. So I'm going to grab this search field, this whole URL, and I'm going to use sqlmap against this. sqlmap will allow us to
basically map, to try and find out what database types, etc., it has, and based on that, if it finds something that it thinks is a good database type, or if you already know what it is, all right, you could probably try and narrow it down a bit, and I'll try and see. Okay, what kind of target do we have here? And I've got some automated tests that I can use, and if so then it'll let me know; it should say something like, you know, 'I found MySQL' or something, possible database type. Why I asked: well, okay, testing for some sort of injection: do I want to test for other types of payloads for different databases? A common issue might be something like MySQL; you go, ah well, you know, I'll test just for MySQL, but there is obviously the drop-in replacement for MySQL these days, so yeah, we've got MariaDB, for example. Look, while they say that they're binary compatible, well, the inner workings are a bit different, so you might find that, for example, some stuff will work via MySQL that won't work with MariaDB and vice versa, different exploits that will or won't work. So, however, I'm going to say yes here. So do I want to skip the specific payloads for other databases? Yes, I want to try and streamline this a little bit. Do you want to include all tests for MySQL? And I'll choose yes there. Sometimes if you choose no at this point, I find what happens is it doesn't find anything, and sometimes it has. And we can see there it's doing some blind searching and the like. It's okay, doing some tests, found something is injectable, found this is injectable, okay, we've got some good. Now it's found a number of different options here as well. Quite often it might give you an option there to say something like, do you want to test all the vulnerabilities, or do you want to keep testing? And you can choose no and it'll kind of skip out at this point. So we can see there's actually a number of different tests that it can use, so do I want to keep testing? Probably
not, but I found a number of different ways to do it. That's it, guys, okay. We've got the backend, it's MySQL, yeah, and I've got a few databases there: so an information_schema and another schema; they're all pretty standard ones if you've played with databases before. phpMyAdmin, well, that's kind of an interesting thing to check; if you've done something like DirBuster you would have found that, by the way. If you did do DirBuster, I've got it in kind of the notes on how to use it. If you want to get a copy of these notes, let me know, and I know I can, you know, maybe put them online or something so people can download them. And it shows how to do DirBuster, but it takes just a really, really long time, because it's again one of those brute-force ones. But we found some stuff, and it says I've logged some information. So look, there's two there that I think are kind of interesting: phpMyAdmin and Seth. You could go through all of them if you want; you can take a look at them, but for my sake, I'm gonna look at it and go, you know what, what's Seth? Anyone know what Seth is? It's another Egyptian guy. So, I don't know, there's a comedian or something, I think, with that name as well. So what else can we do using the same base? All right, I'm gonna use this URL with sqlmap. We can actually just do a straight dump, `--dump`, and then what do we want to get? Look, let's get the columns, because I want to see what they're called; get all the tables from the database Seth. Is that big enough for people to read at the back? Now, my wife by this point is kind of, yesterday, sort of going, 'Sweetheart, why are they always so long? All the clients are getting really low,' blah blah blah. Keep in mind Kali is built primarily, actually, as a bit of a script collection, and like, you know, a lot of this stuff is script-based, so it's just accepting, you know, different variables into it. So I can try dumping this database; we'll see how long it takes to do if there's lots and lots of people.
It shouldn't take too long, because once we've done it, it'll come through. So I'm trying to fetch tables, and what have we got? Well, there were a few different things in there: position, user ID and a pass, okay, right. So before, when we looked at it, we saw their user and their position and stuff, but we didn't actually see the passwords, but now I can see there's a password field. It's Ramses, and his password; Isis doesn't actually have one, she's not allowed to log in even though she's an employee. So we've got a password of some kind here. I guess the question is, what is it? MD5 hash? It can't be, okay. What if I told you it is an MD5 hash? How? Yes, it's base64. So we're going to take it, turn it from base64 into UTF-8 format, and then we'll be able to see it as an MD5 hash, right? So there, look, they've tried to be a little bit nice and secure people's passwords, because MD5, hopefully most of us understand, is not a very good way of securing your passwords. I've mentioned the system already once or twice today: what's one of the major systems that uses something like MD5 to store their passwords in their database? WordPress. Ah, so look, like the number one kind of, you know, blogging engine; if anyone's done any web development, any kind of stuff, they were bound to have been asked to do WordPress or look at WordPress to start. Does it work? Look, I mean, it comes down to how much power and stuff do you want to throw at stuff as well. It's not impossible; the higher they get, like, you know, once you start getting to SHA-256, SHA-512 kind of stuff, you're starting to get, you know, very, very slow, sorry. So you guys should be able to run that dump if you want. The deal with the whole command: here's the command if you want to grab it. So, I mean, the big talk these days is how quantum is gonna cause problems and blah blah blah. Look, passwords, still these days, I guess one of the big things is, you know, people are always talking about encryption and this and
that, and yet we still see, for example, asymmetric encryption used in places, we see broken forms of encryption used as a default system. So I find, yes, or, you know, some ways you can get into some stuff; so there are some things almost impossible to break, or they just take so long, you need so much computing power, that really it's unrealistic to do it. Yeah, but so we've got a password; what are we gonna do with this password? Try it just like that? So I've got to decode it some way, okay. So, does that look a little bit more like an MD5? Yep, okay. So we can try and crack that down, and now we're getting into real password-y kind of territory, right? So I'm just going to pump that... So if you got something different: ah, notice I put an equals after the capital E; without that, funnily enough, without that it doesn't actually work. I haven't figured out exactly why, what it is that's doing it... okay, does that make sense? Did people hear that? So the reason why we needed to put that there is for padding, to get it out to an even length of bytes. So I'm gonna put that into a file; I've got hash2 in there. So I've got my password now, you know, in a file that I can look at. There's one small problem, and that's that it didn't have a line break at the end, so it's nice to put a bit of a line break there at the end. Please be aware, of course, of single versus double quotes. But so I've got my password back from a base64 to an MD5, so what could we use to try and break it? Google? Ah, but I didn't give you access to the Internet. Look, you're like, md5online.org or something like that, you know, just throw that straight into Google. That's crazy, okay, yeah, I haven't tried that. Yeah, look, so there's a number of different tools we've got built into Kali to do it. So, I mean, Google would be too easy, so why would we do something... so you might as well just say, 'Hey Google, break into this computer for
me.' I guess eventually it might actually happen. All right, so we've got a few options. Someone said John the Ripper, hashcat, sorry, yeah, yep. So if we've got a rainbow table, we could just use a rainbow table to match it up, and then it'll find, like, you know, what it is; it's an MD5 format, and, you know, tell us the corresponding things. Rainbow tables: the problem, there's a big, not a big problem, there's a problem with rainbow tables in that it's just literally, you know, a find, a search field. So depending on how big the rainbow tables are and stuff like that, like, it's not unheard of for people to be searching through, you know, for five days or something to find what it is, and there's a lot of computing power that's going in to try and make those rainbow tables as well. So some of them are a bit harder to get your hands on, especially some of the really big ones. So I don't know, I try not to download those kinds of things from some places on the internet, because you just don't know what else they've stuck in there with it and all that kind of stuff. Once it's computed it's done, no, but then you've got to sort through, or you've got a list, you know, basically you've got to do a search to find that exact match all the way through it. It's quite a fast search, it's way faster than trying to just brute force, figure out what it is, but it's still, like, it's effectively a find. Okay, so you're looking through it; it's a fast... there's faster searches, yeah. It is, it's sorted, so it'll find it relatively quickly, hopefully. Yeah, so someone's already done it. Okay, so what did you do? You used hashcat, okay. Anyone else done it? Yeah, what did you use? Let's see, John the Ripper then. So DuckDuckGo, hashcat, all right. So which is faster? What is the fastest way? Probably DuckDuckGo, the first page of results, yeah, it's too easy. So I'm gonna try and tell it to, hey, I want you to search for, using John the Ripper, against hash2, double hyphens, and there we go. It's one, I kind of cheated a little
bit and did it a little bit earlier to put it in the database. Common issues at this point as well: people try and use John and it doesn't have a word list or something there, so you might have to say `--wordlist=` and then point it to, say, for example, your rockyou or whatever it is that you're using as your word list, and that's a common issue right at the start. So people will try it; in that case you can get rid of the `--show` and you can put in the `--wordlist`. Okay, so I've got a password now, 'I Omega R'; we're happy with that. What can we do with it? What can I do with Omega? I've got a password; do I have a username? Yep, so we got a username there; there's only one of them that will work. We saw in our database Isis is not allowed to log in, so we're gonna have to use Ramses, and what are we going to try and log into? Right, there was no pass... like, yeah, we could try SSH. Well, this isn't gonna do very much, so that needs to do anything, so we need to SSH. All right, say `ssh ramses@`, and none... you don't want one? No, no, it's not me: tell them a different port. Yeah, okay, so they've obfuscated a little bit. Black hat, will be tricky, all right: instead of running it on port 22, like, you know, a common one, like, I'll run it on 2222 or something, no, so they've put it on port 777. That would have come up when we did our port scan, if we'd done a deeper scan; we would have found the ports, the 777. So now it's letting me in, okay. And as everyone tries to log in, once we're in, what kind of stuff can we do? We can... what changes, partner? Okay, yeah, well, a common thing we want to try and do, if we think back to that, you know, sort of chain, but one of the last things we want to try and do is we want to get the ability to install software, for example. Now Ramses may or may not be allowed to do that kind of stuff; we want to be able to try and get to root. But that's what most people want, right? So I've got to try and get to root, so what kind of stuff can I do? I can start, you know, a little
bit of black-boxing, try and figure out what I can do. We can work... oh yeah, yeah, it's just the tables are a little slow for some unknown reason. I'd have thought it'd be a good idea to have 50 people hacking the one box at the same time, so that is, yeah, no Christmas presents for you. So look, that didn't work. Looking through, hopefully that would be a really good way of doing it, and most people who have some sort of sudo access and stuff like that, if you're an administrator, it's probably one of the best reasons I know to have two usernames, two user accounts and stuff. So if any of your workplaces have it, this is one of the really good reasons why. Okay, so that's not gonna work, right? Yeah, let's take a look at the bash history before, like, a hundred people log out or something. Okay, so I've got a few things in here. Who's Eric? I don't know, and why is he in my computer? Why am I trying to get there? Look, we could have a bit of a crack at that, see what it is. Is Eric in the passwords file? If you have a look, yes he is. Anyone else got any other things that they think might be interesting to look at? Okay, so we got a backup folder for some sort of procwatch script, yeah. So we could take a look at what... you knew there's another machine there that he's pinged; we don't have it there, that I can guarantee, there is no .56 network. So look, there's a few different things, two different paths we can go down. For example, at this point I've got access to, say, the password file, right? I can take a look at that to see what accounts are in there and maybe try having a bit of a bash at that if we want; we could potentially try and see if we can see the shadow file or something. I mean, we shouldn't be able to see it, but maybe they've configured something wrongly. But someone's kind of pointed out the backup file, and how are we doing for time? What time do we finish? 12-ish, 20 minutes, okay. Here, nothing easy; we should be finished this, depending on how long it goes, in maybe 10 to 15 minutes.
So, all right, so you could have a look at Eric, try and see what it is. So let's try `su eric`; it doesn't work, I don't know its password. Yeah, there's other users like Bob, but then, so we can see Bob there, we can see Eric, yeah. So we could take a look at the home folders; okay, so we can see Bob, Eric, Ramses. So we could maybe have a bit of a crack around that kind of stuff, but for time, yes, so I've got a folder here, I've got a folder there called backup, and it's a really big issue when you see stuff on the internet where people say, 'Oh, I'm having a problem with permissions,' and they go, 'I just chmod 777.' But lo and behold, what have we got? We've got a backup folder, but then, what I'm often... I'm often introducing a lot of students to Linux; typically my class to do with Linux is normally the first time they've ever come across it, and it's one of these things that I find I've got to make sure that I don't keep teaching people, or allow them to see stuff on the internet that, you know, they shouldn't really be looking at, besides all the other naughty sort of stuff on the internet that they shouldn't be looking at. So for example, something like saying, 'Hey, chmod 777,' I'm like, guys, this is a really big issue, and normally through one of the last kind of classes, like, I try to run them through this kind of a scenario, a capture-the-flag kind of afternoon, and show them what kind of stuff it can do. So what's in our backup folder? Well, there's a file there called procwatch and a file called readme. And who is it, and what if they're done? Yeah, so when I run procwatch I'm running it as root, setting the user ID; so in other words, when I run it, the first part there where it says root, that's who it'll actually run as, and the issue with it is gonna be it's potentially going to call something else. So we can take a look at it and go `cat procwatch`, oops, okay, not a very handy file to look at, so it's an executable file. Not particularly smart the way they've done
this, so they've given me a fully readable folder, right, read/write/executable, and then they've given me something that's going to run as the root user. So how can we use this to try and get around it? What can I do? Sorry? Okay, so procwatch, yes, will run `ps`. So that's my path at the moment. Now there's a few options available at this point, right? One of the easiest things to do is basically copy `/bin/sh`, well, copy it as `ps`, put it in your path at the beginning, and it'll get you through to a shell; it'll load the shell rather than the `ps` command actually running. So what we could see is this is a bit of path manipulation as well, because they've left something that they shouldn't actually have. Okay, now at this point, depending on how many people are logged in, not too many, so at this point we can... there's a few different ways. Someone's actually gotten there already, yeah, three from the two different ones. Now notice, by the way, see this: so some people are coming from .150, some are coming from .140, so that was one of the ones that didn't sort of show up, as I said, but we can see it there. So those of you that have got in, what did you do? Okay, copy `/bin/sh`, okay, so copy `/bin/bash`. So you sending someone else bash won't work. Who? Emily, what did it say? Okay, okay, yeah, ah, yeah, yeah, it's `whoami`. So you're not, you're kind of in, like, a weird quasi-shell at the moment, but can you access root's home directory, for example? Yeah, you could still access everything, but it's the sort of halfway there. So in fact that one, I think, is a little bit like when you sudo with su without the dash: you're kind of, like, halfway between, like you sort of haven't loaded their full profile yet, yeah, so you're not... you've still, you know, still got access, yeah. But how clean do we really want it? We don't really care how clean or not; I just want access, right? So I mean, probably yes, that's a nice way to do it, you know, and it gives you a better idea, format, but it's not
necessarily going to, you know, change his abilities. Okay, let's see where... if people started putting stuff, there we go. Not at... I'm not root, yeah, to try and stop it. So whose was I using? Okay, after he's done it, okay, so let's go. Yeah, yeah, see how many people are still in there. Someone else has done it, a different person; can't tell for now. All right, now that should work. Oh my, let's just take a look and see what people won't go... so I still have information. Let's take, I'll take a quick look at my cheat notes. Ah, yeah, people have made an executable; they look right. I've got that, no, yeah, yeah, the cat root again, that's... see if that works there, and now I've got it. So I'm not exactly sure, with that many people, what they were copying and stuff like that, but you can see what I've done is I've copied the shell and I've copied the `ps` command, so when it tried to run it, it's ended up running my shell for me, loading me into, letting me into the ability to move into root. But I'm not actually kind of root in the sort of, in that halfway format, but I'm still kind of Ramses there, but I'm root. So at this point, have we got access to the box? Yeah, well, really, can we do anything we want? Yeah, look, we can create our own user accounts, I guess, you know, install some sort of rootkits, put it in, you know, or anything, whatever we want. Now `proof.txt`, by the way, will give you some information and you can email the person this came from; I think it was from no bites. It was downloaded from VulnHub a while ago. Has anyone heard of VulnHub? A few people. VulnHub, so one of these, it's a website that you can go to, and people put on, like, you know, their vulnerable systems and little capture-the-flag challenges and all kinds of stuff like that. So it's fun, it's kind of a fun place to go to be able to download some virtual machines and the like that you can kind of have a bit of a crack at, rather than
something like Metasploitable. So Metasploitable is a good tool and it's good for people to learn what to do; version 2 is easier to get, version 3 you kind of got to build yourself a bit, so, but they're both very good. The problem is, although they're not necessarily real-world examples, like, they're deliberately kind of vulnerable, there's lots of cool stuff in it, so they're really good to learn. But unlike, say, this kind of a thing, this doesn't have 300 different ways you can try and get into the system, whereas something like Metasploitable will give you many, many, many different ways to try and do stuff, lots of different tools. And if you go to Mutillidae, yeah, you can see that there's... is anyone sort of having a bit of a go at 101? So that's Metasploitable, version 2, which was on the network, if anyone was having a bit of fun with it or something, so you could have seen that, as it says. But the one that we were playing with, 101, was a custom-built one; someone built it, I think, as I said, from Mel bytes, and I got it, I don't know, a year, a year and a half ago or so, and then it allowed me to, like, you know, sort of have a bit of fun with it and see what it is. And there weren't really a lot of write-ups; you'll find sometimes there are some write-ups, but some of the stuff you see from VulnHub, if you see them, they're thinking, and then so you can download them, run them. Be a bit careful where you run them, of course, because if you're downloading any virtual machines and stuff like that, A, don't put them on trusted networks, B, don't trust them yourself. So I normally put them on, I've got, like, a crappy little machine, so that way I don't really sort of infect my network. But this was a bit of, I guess, an introduction into some of the stuff that we could do. So did we find the servers? Yeah, look, we found some; we didn't find all of them. There was one kind of device that, you know, only one or two people found, but obviously it was a bit of
an issue, I think, with scanning for that much stuff. Did we find some vulnerabilities? Definitely. Look, checking the image for information is just a little bit of fun, and why not, not really real-world kind of stuff, but we found a few different ways to try and grab some passwords and the like. We did a little bit of an SQL exploit; using that we were able to dump a database. Look, at that point some hackers are like, sweet, I've got a database, yeah, I've got usernames, passwords, things like that, or, like, you know, I've got credit card details, especially if they're not following proper PCI DSS kind of formats and the like. So, you know, there's a lot of issues with people just grabbing a database; they don't necessarily need to keep going. But then we sort of went a little bit further and kind of owned the box, so to speak. So yeah, I guess, I don't know, any quick questions? We've got a minute or two. The MySQL exploit worked because they were taking input and not sanitising and then sending it to the MySQL? Yes, and it gives you a lot of information there, showing you which kind of exploits and stuff like that we were successful with. Is there anything decent that still allows that? I mean, unfortunately, yes. So if you take a look at OWASP top-10 kind of stuff, right, you'll still see those kinds of things still sitting there in the top, easy top 10, yeah. It's unfortunate, but yes, it is. Okay, thanks. Yeah, any more questions? Any other questions, quick questions? All right, if you've got... sorry, sure, promo for... sad wonder powder? Yep, meetup.com, SecTalks. I had actually come, I only just moved up here a few months ago, okay, and AWS had some guys that do some AWS sort of security talks, stuff like that; there's a few other ones. If you've got my USB sticks, please do me a favour: you can shut down your machines, whatever, and then give me the USB sticks back, preferably. I don't know, actually, should I really want them back? You know, you can keep them; I'm
probably just going to throw them out anyway. What else? Look, thank you very much. Look, thanks for trying it out, having a bit of fun with it. I hope you sort of started to see that, look, some of these tools that are built in, they're relatively easy to use; they're a bit arcane with some of the voodoo that goes with it, but once you know the commands and stuff, it's relatively easy. And yeah, thank you very much for coming in.
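The password column the talk pulls out of the database is an MD5 hex digest wrapped in base64, and the speaker has to add the trailing `=` by hand before it decodes. As an added example (not code from the talk or from the VM it uses), the block below does that unwrapping with the padding fixed automatically, checks the recovered digest against a short wordlist to show why an unsalted fast hash is weak, and beside it shows the salted, iterated PBKDF2 record a defender should store instead. The column value, the wordlist, the `elite` plaintext and the round count are all constructed for the demo; the function names are my own.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Iterable, Optional

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware; more rounds cost attackers more too


def decode_base64_lenient(value: str) -> bytes:
    """Decode base64 text whose trailing '=' padding may have been dropped.

    Base64 emits 4 characters per 3 input bytes, so a well-formed value has a
    length that is a multiple of 4; a value stored without padding needs '='
    appended before decoding (the step the talk did by hand).
    """
    stripped = value.strip()
    missing = (-len(stripped)) % 4
    if missing == 3:
        # a length of 1 mod 4 can never come out of base64 encoding
        raise ValueError("not base64: length mod 4 == 1")
    return base64.b64decode(stripped + "=" * missing, validate=True)


def unwrap_md5(stored: str) -> str:
    """Return the 32-hex-character MD5 digest wrapped inside a base64 column value."""
    text = decode_base64_lenient(stored).decode("utf-8").strip().lower()
    if not MD5_HEX.fullmatch(text):
        raise ValueError(f"decoded value is not an MD5 hex digest: {text!r}")
    return text


def dictionary_check(md5_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first word whose unsalted MD5 equals md5_hex, or None.

    This is the whole weakness: no salt and a fast hash means one hash
    computation per candidate is enough to test a leaked column.
    """
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == md5_hex:
            return word
    return None


def store_password(password: str) -> str:
    """Salted, iterated hash in a self-describing record: what to store instead of MD5."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format {algo!r}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed sample data (not taken from the talk's VM): an MD5 digest wrapped in
# base64 with its single '=' dropped, the shape the column in the talk had.
SAMPLE_PLAINTEXT = "elite"
SAMPLE_MD5 = hashlib.md5(SAMPLE_PLAINTEXT.encode()).hexdigest()
SAMPLE_COLUMN = base64.b64encode(SAMPLE_MD5.encode()).decode().rstrip("=")
SAMPLE_WORDLIST = ["password", "letmein", "ramses", "elite", "isis"]

if __name__ == "__main__":
    digest = unwrap_md5(SAMPLE_COLUMN)
    print("stored column :", SAMPLE_COLUMN)
    print("unwrapped MD5 :", digest)
    print("wordlist hit  :", dictionary_check(digest, SAMPLE_WORDLIST))
    record = store_password(SAMPLE_PLAINTEXT)
    print("pbkdf2 record :", record)
    print("verify ok     :", verify_password(SAMPLE_PLAINTEXT, record))
```

The 32-character digest is 32 bytes, which base64 encodes to 44 characters ending in exactly one `=`; that is why the speaker's value only worked once the equals sign was appended. The PBKDF2 record carries its own salt and round count so the verifier never has to guess them, and the comparison uses `hmac.compare_digest` so timing does not leak how many bytes matched.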
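The root-owned setuid `procwatch` in the talk falls because it runs `ps` by bare name from a `chmod 777` directory, so whatever file called `ps` appears first on PATH is what root executes. As an added example (not code from the talk or from the VM), the block below shows the defender's side of that: how an unqualified command name resolves along PATH, an audit that flags PATH entries searched ahead of the trusted copy that are relative or writable by other users, and the absolute-path plus minimal-environment invocation a privileged program should use instead. The trusted directory list, the function names and the throwaway demo directories are assumptions of mine; the demo only creates harmless placeholder scripts in a temporary directory and never touches real system paths.

```python
import os
import stat
import tempfile
from typing import Dict, List, Optional, Sequence, Tuple

# Assumption: where a privileged program should expect its helper binaries to live.
TRUSTED_DIRS: Sequence[str] = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve_command(name: str, path_env: str) -> Optional[str]:
    """First executable called `name` along PATH, as a shell or execvp() would pick it."""
    for entry in path_env.split(os.pathsep):
        directory = entry or "."  # an empty PATH element means the current directory
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def audit_helper_lookup(name: str, path_env: str,
                        trusted_dirs: Sequence[str] = TRUSTED_DIRS) -> List[str]:
    """Findings about PATH entries consulted before the trusted copy of `name`.

    A relative entry, or a group/world-writable directory without the sticky
    bit, that comes first lets any local user supply the file a privileged
    caller ends up running.
    """
    findings: List[str] = []
    for entry in path_env.split(os.pathsep):
        directory = entry or "."
        if os.path.abspath(directory) in trusted_dirs:
            break  # entries after the trusted copy are never consulted
        if not os.path.isabs(directory):
            findings.append(f"relative PATH entry {entry!r} is searched before the trusted copy of {name}")
            continue
        try:
            mode = os.stat(directory).st_mode
        except FileNotFoundError:
            continue
        writable_by_others = mode & (stat.S_IWGRP | stat.S_IWOTH)
        if writable_by_others and not mode & stat.S_ISVTX:
            findings.append(f"{directory} is group- or world-writable and is searched before the trusted copy of {name}")
    return findings


def hardened_invocation(name: str, trusted_dirs: Sequence[str] = TRUSTED_DIRS) -> Tuple[str, Dict[str, str]]:
    """Absolute path plus a minimal environment: what a setuid program should hand to execve()."""
    for directory in trusted_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate, {"PATH": os.pathsep.join(trusted_dirs)}
    raise FileNotFoundError(f"{name} not found in trusted directories {list(trusted_dirs)}")


def run_demo() -> Dict[str, object]:
    """Constructed scenario in a throwaway directory: a chmod-777 directory sits
    ahead of the trusted directory on PATH, each holding a placeholder script
    named `ps` that this demo never executes."""
    root = tempfile.mkdtemp(prefix="path-audit-demo-")
    shadow = os.path.join(root, "shadow")
    trusted = os.path.join(root, "trusted")
    os.mkdir(shadow)
    os.mkdir(trusted)
    os.chmod(shadow, 0o777)  # the "just chmod 777 it" fix the talk warns about
    for directory in (shadow, trusted):
        helper = os.path.join(directory, "ps")
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder ps\n")
        os.chmod(helper, 0o755)
    path_env = os.pathsep.join([shadow, trusted])
    hardened_path, hardened_env = hardened_invocation("ps", trusted_dirs=(trusted,))
    return {
        "resolved": resolve_command("ps", path_env),
        "findings": audit_helper_lookup("ps", path_env, trusted_dirs=(trusted,)),
        "hardened_path": hardened_path,
        "hardened_env": hardened_env,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:>14}: {value}")
```

The audit stops at the first trusted directory because nothing after it matters: lookup ends at the first hit. The same logic applies to any helper a privileged program spawns, not just `ps`, which is why `hardened_invocation` returns both an absolute path and a clean `PATH` to pass to the child rather than inheriting the caller's environment.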
Info
Channel: linux.conf.au
Views: 14,008
Keywords: lca, lca2020, #linux.conf.au#linux#foss#opensource, MarcusHerstik
Id: ng1bvXsp9ZA
Length: 100min 49sec (6049 seconds)
Published: Thu Jan 16 2020