Kim Carter is a Software Engineer, Architect, Entrepreneur and founder of BinaryMist, with a strong focus on security. Kim loves designing and creating robust software and networks, breaking software and networks, then fixing them and helping organisations increase productivity.
The presentation is basically the process I take to carry out a small client penetration testing assignment, but with a focus on why and how web developers should be doing the same within their teams. It goes through:
Why we even care about breaking our own or a client's code and/or system(s)
Reconnaissance (information gathering), tools and tips. What can the public actually get their hands on?
Vulnerability scanning, tools and tips
Vulnerability searching, tools and tips
Exploitation, where to start, how to start, tools (and why) and tips
Demo 1: Exploiting an XSS-vulnerable web app and what you can get from it. The whole point here is to be able to show your employer, boss or client why they need to do something about it. After seeing how easy it is and what you can do, few will deny that it just needs to be fixed.
Demo 2: Exploiting people with spear phishing, obtaining their credentials by cloning and spoofing a website they frequently log in to, using the Social Engineer Toolkit's (SET) Credential Harvester.
Doppelganger domains (domains that look like the real thing but are fakes)
Demo 3: Add ARP and DNS spoofing to the mix. Now when a victim browses to a website they like to spend time at, they will be visiting our spoofed website. In this demo, we add a Browser Exploitation Framework (BeEF) hook.js to the cloned website. This hook converts the victim's browser into a zombie that continually polls the BeEF comms server requesting commands to execute on the victim's machine. This is the window of time we use to install a rootkit and pwn the victim's machine.
Discuss what BeEF can do
Demo 4: Again we clone and host a website we know the victim likes to visit, using SET. We use a couple of Metasploit attack methods and exploit memory injection, then select a collection of payloads to deliver via shellcode injection. We encrypt the payloads and configure the reverse shells, launch Metasploit and watch the reverse shells connect. We attempt to escalate privileges to the SYSTEM account; anti-virus (AV) stops us.
Demo 5: We use Veil-Evasion to get around AV when creating our payload. We encrypt the payload with Hyperion using a weak 128-bit AES key, so that it decrypts itself by brute force at execution time on the victim's machine. We use Metasploit to deliver the psexec exploit that we created with Veil-Evasion and Hyperion, and watch the attacker's reverse shell connect straight to the SYSTEM account.
Each of the demos shows what's going on on the victim's machine at the same time as the attacker is attempting to exploit it.
No machines will be harmed in the session. Usual $5 fee applies for covering drinks/nibbles.