Kim Carter - Meetup #7

Details

For this meetup Kim Carter has kindly agreed to give a talk that he is presenting at WDCNZ in Wellington. Kim has an interest in functional programming, but for this talk he will be talking about the techniques he uses for owning the web.

From Kim:

"There's no code in the talk. It's basically the process I take to exploit a client in a penetration testing assignment, but with a focus on why and how web developers should be doing the same."

We will be covering:

  1. Why we even care about breaking our own or a client's code and/or system(s)

  2. Reconnaissance (information gathering), tools and tips

  3. Vulnerability scanning, tools and tips

  4. Vulnerability searching, tools and tips

  5. Exploitation, where to start, how to start, tools (and why) and tips

  6. Demo 1: Exploiting an XSS-vulnerable web app and what you can get from it. The whole reason for being here is to be able to show your employer, boss or client why they need to do something about it. After seeing how easy it is and what you can do, few will deny that it simply needs to be fixed.

  7. Discuss countermeasures

  8. Demo 2: Exploiting people with spear phishing, obtaining their credentials by cloning and spoofing a website they frequently log in to, using the Social-Engineer Toolkit's (SET) Credential Harvester.

  9. Discuss countermeasures

  10. Doppelganger domains (domains that look like the real thing but are fakes)

  11. Demo 3: Add ARP and DNS spoofing to the mix. Now when a victim browses to a website they like to spend time at, they will be visiting our spoofed website instead. In this demo, we add a Browser Exploitation Framework (BeEF) hook.js to the cloned website. This hook turns the victim's browser into a zombie that continually polls the BeEF comms server for commands to execute on the victim's machine. This is the window of time we use to install a root-kit and pwn the victim's machine.

  12. Discuss countermeasures

  13. Discuss what BeEF can do

  14. Demo 4: Again we clone and host a website we know the victim likes to visit, using SET. We use a couple of Metasploit attack methods and exploit memory injection, then select a collection of payloads to deliver via shellcode injection. We encrypt the payloads and configure the reverse shells, launch Metasploit and watch the reverse shells connect. We attempt to escalate privileges to the SYSTEM account; anti-virus (AV) stops us.

  15. Demo 5: We use Veil-Evasion to create a payload that gets around AV. We encrypt the payload with Hyperion using a weak 128-bit AES key, which the payload recovers by brute force at execution time on the victim's machine. We use Metasploit to deliver the psexec exploit we created with Veil-Evasion and Hyperion, and watch the attacker's reverse shell connect straight to the SYSTEM account.

  16. Discuss countermeasures

Each of the demos shows what is going on on the victim's machine at the same time as the attacker is attempting to exploit the victim.
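Item 10 above introduces doppelganger domains without saying how a defender can spot them. The following is an added example, not material from the talk or from any tool it names: a small Python checker that flags candidate domains (for instance from proxy or mail logs) as look-alikes of an allowlisted domain. The allowlist, the homoglyph table and the sample domains are constructed for illustration, and the suffix handling assumes a single-label public suffix rather than a full Public Suffix List lookup.

```python
from typing import Dict, List, Optional

# Visually similar substitutions often seen in look-alike domains.
# Constructed for illustration; not an exhaustive list.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def normalize(label: str) -> str:
    """Collapse visually similar characters so 'examp1e' and 'example' compare equal."""
    s = label.lower()
    # Replace multi-character sequences first so 'rn' -> 'm' runs before single chars.
    for src in sorted(HOMOGLYPHS, key=len, reverse=True):
        s = s.replace(src, HOMOGLYPHS[src])
    return s


def registrable(domain: str) -> str:
    """Return the second-level label: 'login.example.com' -> 'example'.
    Assumption: a single-label public suffix (no Public Suffix List lookup)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used to catch typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, allowlist: List[str], max_distance: int = 1) -> Optional[Dict]:
    """Return None for a legitimate or unrelated domain, otherwise a dict saying
    which allowlisted domain it mimics and why it was flagged."""
    label = registrable(domain)
    for good in allowlist:
        # A genuine subdomain of an allowlisted domain is fine.
        if label == registrable(good) and domain.lower().endswith(good.lower()):
            return None
    for good in allowlist:
        good_label = registrable(good)
        if label == good_label:
            # Same name under a different suffix, e.g. example.co vs example.com.
            return {"domain": domain, "mimics": good, "reason": "suffix-swap"}
        if normalize(label) == normalize(good_label):
            return {"domain": domain, "mimics": good, "reason": "homoglyph"}
        if levenshtein(label, good_label) <= max_distance:
            return {"domain": domain, "mimics": good, "reason": "typo"}
    return None


def scan(candidates: List[str], allowlist: List[str]) -> List[Dict]:
    """Run classify() over a batch of observed domains and keep only the hits."""
    hits = []
    for d in candidates:
        result = classify(d, allowlist)
        if result is not None:
            hits.append(result)
    return hits


# Constructed sample input: one allowlisted domain and a few observed domains.
ALLOWLIST = ["example.com"]
OBSERVED = ["login.example.com", "example.co", "examp1e.com", "exmple.com", "unrelated.net"]

if __name__ == "__main__":
    for hit in scan(OBSERVED, ALLOWLIST):
        print(f"{hit['domain']:20} looks like {hit['mimics']} ({hit['reason']})")
```

The distance threshold of 1 is deliberately tight: short labels produce many false positives at distance 2, so in practice this kind of check is paired with allowlists of known partner domains and reviewed by a person rather than used to block traffic automatically.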

Functional Christchurch
Christchurch Office, Catalyst IT Limited
Level 1, 284 Kilmore St · Christchurch