Emerging Tools & Trends in Hacking



Similar documents
A CISO s Guide to Ethical Hacking

Course Content: Session 1. Ethics & Hacking

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

WEB ATTACKS AND COUNTERMEASURES

The Top Web Application Attacks: Are you vulnerable?

Network Monitoring using MMT:

SANS Dshield Webhoneypot Project. OWASP November 13th, The OWASP Foundation Jason Lam

Web Vulnerability Scanner by Using HTTP Method

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Penetration Testing Service. By Comsec Information Security Consulting

State of Web Application Security. Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

Introduction: 1. Daily 360 Website Scanning for Malware

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Ethical Hacking as a Professional Penetration Testing Technique

Rational AppScan & Ounce Products

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Revisiting SQL Injection Will we ever get it right? Michael Sutton, Security Evangelist

Web Application Security

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Hackers: Detection and Prevention

Network Security Testing using MMT: A case study in IDOLE project

Topic 1 Lesson 1: Importance of network security

Introduction to Ethical Hacking and Network Defense. Objectives. Hackers

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

Web Application Worms & Browser Insecurity

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Using Free Tools To Test Web Application Security

Quarterly Report: Symantec Intelligence Quarterly

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

GlobalSign Malware Monitoring

Thomas Röthlisberger IT Security Analyst

June 2014 WMLUG Meeting Kali Linux

Adobe Systems Incorporated

Web Application Security

ReadySpace Limited Unit J, 16/F Reason Group Tower, Castle PeakRoad, Kwai Chung, N.T.

NETWORK PENETRATION TESTING

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

How Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant

RIA SECURITY TECHNOLOGY

McAfee Certified Assessment Specialist Network

The Key to Secure Online Financial Transactions

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training - Session One

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Bypassing Internet Explorer s XSS Filter

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

Ethical Phishing Case Study

white SECURITY TESTING WHITE PAPER

CYBERTRON NETWORK SOLUTIONS

Ethical Hacking Course Layout

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

UVic Department of Electrical and Computer Engineering

SOFTARE SECURTY OF WEB APPLICATION AND WEB ATTACKS

Cisco Advanced Services for Network Security

Cross-Site Scripting

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Loophole+ with Ethical Hacking and Penetration Testing

Metasploit The Elixir of Network Security

WEB APPLICATION SECURITY

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Information Security Threat Trends

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Current counter-measures and responses by CERTs

Phishing Scams Security Update Best Practices for General User

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security

Network Security and the Small Business

HTTPParameter Pollution. ChrysostomosDaniel

Computer Networks & Computer Security

Honeypot that can bite: Reverse penetration

About Botnet, and the influence that Botnet gives to broadband ISP

Web Maniac Hacking Trust. Aditya K Sood [adi_ks [at] secniche.org] SecNiche Security

HACKING RELOADED. Hacken IS simple! Christian H. Gresser

Magento Security and Vulnerabilities. Roman Stepanov

How-To Guide: Cyber Security. Content Provided by

Reducing Application Vulnerabilities by Security Engineering

Keyloggers ETHICAL HACKING EEL-4789 GROUP 2: WILLIAM LOPEZ HUMBERTO GUERRA ENIO PENA ERICK BARRERA JUAN SAYOL

A Small Business Approach to Big Business Cyber Security. Brent Bettis, CISSP 23 September, 2014

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

A Decision Maker s Guide to Securing an IT Infrastructure

Hands-On Ethical Hacking and Network Defense - Second Edition Chapter 1. After reading this chapter and completing the exercises, you will be able to:

THE WEB HACKING INCIDENTS DATABASE 2009

Transcription:

Version 2007-09 See http://resources.mavensecurity.com for the most recent version Emerging Tools & Trends in Hacking Maven Security Consulting Inc. +1-877-MAVEN-HQ (+1-877-628-3647) www.mavensecurity.com These slides were presented at the IT Security Showcase in Hong Kong in September 2007. It covers some recent developments in IT security, including tools, trends, and news. Agenda - Short and Sweet: We only have 35 min Objective Ask questions. You might win a monkey! Recent developments in hacking techniques and trends slide 2 XSS DNS Pinning, Anti-Pinning, Anti- Anti-Pinning SQL Injection tools

Warning Hazards to your Freedom Unauthorized access to systems & data is illegal in most places. slide 3 Get permission in writing before performing scans, audits, assessments, etc! For details see http://www.lightlink.com/ spacenka/fors/ WARNING: The Surgeon General has deemed hacking to be hazardous to your freedom. The ethically challenged, morally flexible, and honor deficient should beware. The difference between a cracker (or malicious hacker) and a security consultant is PERMISSION (and salary range :-) ). Before you blow off this whole permission thing and assume it s OK because you think it s part of your job description, please read about the Randal Schwartz case at http://www.lightlink.com/spacenka/fors/

About the Instructor/Author (I m the one on the right.) slide 4 David Rhoades PSU - B.S. Computer Engineering Info Sec since 1996 david.rhoades@ mavensecurity.com Maven Security Consulting, Inc. www.mavensecurity.com +1-877-MAVEN-HQ (1-877-628-3647) I am the one on the right. <PROPAGANDA> David Rhoades is a senior consultant with Maven Security Consulting Inc. (www.mavensecurity.com). David s expertise includes web application security, network security, and ethical hacking. David has been active in information security consulting since 1996, when he began his career with the computer security and telephony fraud group at Bell Communications Research (Bellcore). David teaches domestically and internationally at various security conferences, and teaches for USENIX (www.usenix.org), MIS Training Institute (www.misti.com), ISACA (www.isaca.org), and previously for the SANS Institute (www.sans.org). David has a Bachelor of Science degree in Computer Engineering from the Pennsylvania State University (psu.edu). Maven Security Consulting Inc. is a vendor-independent security consulting firm that helps companies secure their information assets and digital infrastructure by providing a variety of customized consulting and training services. Services include ethical hacking; web application security testing; network security architecture reviews; training; expert testimony (civil and criminal); and architecture analysis, design, and security testing for Next Generation Networks (NGN), including VoIP. Maven Security has a global client base across the US, Canada, Europe, and Asia; including government, banking, insurance, aerospace, software, and recreation.

Maven Security is a privately held company headquartered in northern Virginia near Washington DC. </PROPAGANDA> Two big trends: XSS & SQL Injections Not new, just growing WASC Web Application Security Statistics Project 2006 Results slide 5 http://www.webappsec.org /projects/statistics/ XSS Viruses - You Never Forget Your First slide 6 Theory: The Cross-site Scripting (XSS) Virus Whitepaper published 27-Sept-2005: tinyurl.com/3ykekk First case: Oct-2005 XSS virus hits MySpace.com tinyurl.com/8xw8e Automatically added Samy (and his script) to your hero list 1 million friends in 24 hours!

Section 2 - Current Trends XSS Viruses Cross-Domain XSS Virus/Worm Video slide 7 July 2007: Proof of concept called "Nduja Connection" demonstrates how XSS in webmail services allow a worm to spread to other webmail domains via emails. Victim only opens infected email message. No need to open attachments nor click a link in email message. It forwards itself to everyone in your contacts. PoC worked for: Libero.it Tiscali.it Lycos.it Excite.com http://rosario.v alotta.googlepa ges.com/home

XSS: No One is Immune slide 8 igoogle, Aug 2007 Facebook, Aug 2007 Digg, July 2007 PayPal, June 2007 GaiaOnline, January 2007 (XSS Worm) igoogle: http://www.xssed.com/news/39/xss_vulnerability_in_igooglegmodules_when_calling_external_ widgets/ Facebook: http://www.xssed.com/news/38/white_paper_on_facebook_xss/ PayPal: http://www.xssed.com/news/36/paypal_xss_adventure_has_finally_come_to_an_end/ GaiaOnline: http://blogs.securiteam.com/index.php/archives/786

XSS Resources: XSSed.com XSS Search Engine http://www.xssed.com/ Find known vulnerable sites Report vulnerable sites Latest XSS news slide 9 XSSed.com Samples slide 10

Famous XSS Victims by Page Rank Source: www.xssed.com /pagerank Demo slide 11 XSS: Latest Buzz - DNS Pinning; Anti- Pinning; Anti-Anti-Pinning, etc Threat: Attacker site sends malicious script to user's browser that forces browser to attack/connect to victim site. slide 12 Defense: same origin policy Client script cannot talk to 3 rd party sites; only can talk to origin site

DNS Pinning slide 13 Attack #1: Attacker changes their IP address Attacker = 1.2.3.4 Target = 6.7.8.9 Victim gets evil script from Attacker Script says to attack the Attacker site, but Attacker changes their IP to be same as Victim This does not work because browser locks (or pins) the host-to-ip mapping so no changes are allowed ("DNS Pinning"). Anti-DNS Pinning Attacker = 1.2.3.4 Target = 6.7.8.9 slide 14 But, if Attacker site goes offline briefly, then victim browser will lookup DNS again! Now browser sees Attacker = 6.7.8.9 Now Attacker script can talk to 3 rd party site (Target) because they have same IP But this can be defensed against since browser sends HTTP header to Target that says "I'm trying to talk to Attacker". Target can/should ignore such requests Host: Attacker

Anti-Anti DNS Pinning But it turns out that HTTP headers can be faked with XmlHttpRequest (included in the original script served by Attacker site. slide 15 Conclusion: Same origin policy is defeated; internal web apps are now susceptible to attach by internal victims that surf to malicious Internet sites References: http://ha.ckers.org/blog/20060815/circumventing-dns-pinning-for-xss/ And http://www.securityfocus.com/archive/1/445490/30/0/threaded XSS Resources Defense for users: NoScript http://noscript.net/ slide 16 "Audit" tool: XSS Assistant (Firefox extension) www.whiteacid.org/ greasemonkey/ XSS Cheat Sheets Rsnake: ha.ckers.org/xss.html Mario: mario.heideri.ch/xss.xml

SQL Injection Many SQL Hacking Tools Many free SQL hacking auditing tools are available Many are new or updated in the last 6 months slide 18

SQL Injection Tool List slide 19 Absinthe (formerly SQueaL); Updated Jan 2007? (still old and busted? But one of the fiirst of it's kind) www.0x90.org/releases/absinth SQLiX (Updated June 2007?) http://www.owasp.org/index.php/category:ow ASP_SQLiX_Project SQLBrute (Updated July 2007) http://www.justinclarke.com Priamos; Released March 2007 http://www.priamos-project.com FG-Injector; Updated April 2007 http://www.flowgate.net/?lang=en&seccion=he rramientas# SQL Power Injector; Updated July 2007 http://www.sqlpowerinjector.com Exploiter; Released??? 2007!axf.watchfire.com/extensions/exploiter.aspx Reference: Top 15 free SQL Injection Scanners May 2007 http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners SQL Power Injector Schema slide 20 Use of some of these tools is quite complex, and requires the user to essentially develop the exploit by hand The tool simply automates leveraging the user's exploit E.g. Automates pulling out all data

SQL Power Injector Schema slide 21 SQL Exploiter - Demo Exploiter Demo slide 22 SQL Exploiter axf.watchfire.com/extensio ns/exploiter.aspx But newer tools are making it easy for my grand mother to hack your database via SQL injection

Priamos - Demo Priamos Demo - see browser slide 23 Priamos - SQL scanner & exploiter http://www.priamosproject.com/ Priamos is even easier (if that is possible) It scans an entire web site But only works on GET requests, not POSTs Conclusion Class Survey: What are the latest tools you ve seen? Extra Time Filler

Questions? Fill out Evals! Download slides! See no exposure, hear no intrusion, speak no incident slide 25 Fill out the session eval These slides change often - Download them from http://mavensecurity.com/inject.asp=<scri pt+src=evil.fr> Just kidding, try www.mavensecurity.com (look under Resources section) Contact me at David Rhoades david.rhoades@mavensecurity.com Assessments, onsite training, etc www.mavensecurity.com Auditing web apps (and more) since 1996 Thank you www.mavensecurity.com Auditing web app security and more since 1996

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information