The Exploited & the Exploiters - Case Study of a Real Cyber Hack and Demos

OWASP New Zealand Chapter - Christchurch


This is a play-off between two presentations that take quite different viewpoints. Salinda will discuss the perspective of the organisations that get compromised by cyber criminals: how much these attacks cost them each year in terms of assets and, at a high level, how the attacks play out. Kim will take the perspective of the penetration tester hired by the target to find the defects in its security defences before the cyber criminals do.

First up we're hosting a talk by

Salinda Lekamge

The year 2014 is considered the year of security breaches, with 783 reported incidents and the average cost of a data breach estimated at US$3.5M. Target Corporation, USA, faced one of the worst cyber-attacks in history, in which more than 40 million credit card records were compromised along with the personal data of 70 million customers. The estimated cost of this breach was over US$200 million.

This presentation is a case study of how the adversaries were able to penetrate Target's IT systems, the aftermath of the incident, and the lessons we can learn from it.

About the Presenter

Salinda is the IT Security Manager at Tait Communications. He also coordinates the Security Incident Response Team (SIRT) and co-leads the ISO 27001 implementation project at Tait.

He is a Certified Information Systems Security Professional (CISSP) with more than 8 years in information security, including the implementation of ISO 27001 projects in Sri Lanka and New Zealand.

Kim will follow up with his presentation and demo from WDCNZ:


JavaScript is an incredibly powerful tool for good. With great power comes great responsibility. Are we taking our responsibility seriously? JavaScript is also an incredibly powerful tool for evil. As a developer it's time to empower your tech sense and see how easy it is for those hiding in the shadows to own not only you, but your friends, family, clients, customers... Anyone that uses a browser. New advances in technology look shiny... until we stop believing the hype, open our minds and start poking at them. Let me show you what happens when we start poking.

The Play:

The presentation is basically the process I take to carry out a small client penetration testing assignment, but with a focus on why and how web developers should be doing the same within their teams. It goes through:

• Why we even care about breaking our own or a client's code and/or system(s)

• Reconnaissance (information gathering), tools and tips.

• Vulnerability scanning, tools and tips

• Vulnerability searching, tools and tips

• Exploitation, where to start, how to start, tools (and why) and tips

• Demo 1: Exploiting an XSS-vulnerable web app and what you can get from it. The whole reason for being here is to be able to show your employer / boss / client why they need to do something about it. After seeing how easy it is and what you can do, few will deny that it just needs to be fixed.

• Discuss countermeasures

• Demo 2: Exploiting people with spear phishing: obtaining their credentials by cloning and spoofing a website they frequently log in to, using the Social-Engineer Toolkit's (SET) Credential Harvester.

• Discuss countermeasures

• Doppelganger domains (domains that look like the real thing but are fakes)

• Demo 3: Add ARP and DNS spoofing to the mix. Now when a victim browses to a website that they like to spend time at, they will be visiting our spoofed website. We add the Browser Exploitation Framework (BeEF) hook.js to the cloned website. This hook converts the victim's browser into a zombie that continually polls the BeEF comms server requesting commands to execute on the victim's machine. This is the window of time we use to install a rootkit and pwn the victim's machine.

• Discuss countermeasures

• Discuss what BeEF can do

• Demo 4: Again we clone and host a website we know the victim likes to visit with SET. We use a couple of Metasploit attack methods and exploit memory injection, then select a collection of payloads to deliver via shellcode injection. We encrypt the payloads and configure the reverse shells, launch Metasploit and watch the reverse shells connect. We attempt to escalate privileges to the system account; anti-virus (AV) stops us.

• Demo 5: We use Veil-Evasion to get around AV by creating our payload. We encrypt the payload with Hyperion using a weak 128-bit AES key, which decrypts itself by brute force at the time of execution on the victim's machine. We use Metasploit to deliver our psexec exploit that we created with Veil-Evasion and Hyperion. We watch the attacker's reverse shell connect straight to the system account.

• Discuss countermeasures