Explaining the arts of hacking.

1. Hacking
The Dark Arts
1Wednesday, February 4, 2009

2. About Speaker
Speaker @ JavaOne, NFJS, Devcon, Borcon
Sun Certified Java 2 Architect.
Instructor for VisiBroker for Java, OOAD, Rational Rose,
and Java Development.
JBoss Certified Developer
Professor - Sipe
2Wednesday, February 4, 2009

3. Agenda
Security Landscape
Hacking Philosophy
– The Sorting Hat
Information Gathering
– Information leak
– Finding the exploits
Security Threats
– Brute Force
– XSS
– SQL Injection
Dos and Don’ts
Summary
3Wednesday, February 4, 2009

4. Security Statistics
Gartner
– 75% of all attacks are directed at the web application layer
– 2/3 of all web applications are vulnerable
– 80% of organizations will experience an application security
incident by 2010
IBM
– 10% of IT dollars are spent on web application security
Mitre
– XSS and SQL Injection are #1 and #2 reported
vulnerabilities
4Wednesday, February 4, 2009

5. Alarming Truth
“Approximately 100 million Americans have been
informed that they have suffered a security breach so
this problem has reached epidemic proportions.”
– Jon Oltsik – Enterprise Strategy Group
“Up to 21,000 loan clients may have had data exposed”
– Marcella Bombardieri, Globe Staff/August 24, 2006
“Personal information stolen from 2.2 million active-duty
members of the military, the government said…”
– New York Times/June 7, 2006
“Hacker may have stolen personal identifiable
information for 26,000 employees..”
– ComputerWorld, June 22, 2006
5Wednesday, February 4, 2009

6. High Level Application Architecture
6Wednesday, February 4, 2009

7. Top 07 Security Issues
7Wednesday, February 4, 2009

8. Hacking Philosophy
8Wednesday, February 4, 2009

9. Sorting Hat
Black hat
– Has the advantage
Grey hat
White hat
– Threat Modeling
9Wednesday, February 4, 2009

10. Black Hatters
Script Kiddies
Disgruntled Employees
Whackers
Software Crackers
Cyber Criminals
System Hackers
10Wednesday, February 4, 2009

11. Black Hat Approach
Information Gathering
– Sometimes targeted on a “client”
– Sometimes targeting a vulnerability
Scanning
– Network mapping
– Ports
Gaining Access
Elevate Privileges
Cover Tracks
11Wednesday, February 4, 2009

12. White Hat Approach
Assess
– Threat Modeling
Policies
Implement / Train
Audit
12Wednesday, February 4, 2009

13. Security Consequences
Security
Usability
low
high
low high
13Wednesday, February 4, 2009

14. Black Hat Principles
Inside Out Access
Most People
– Like free stuff!
– Are curious
– Are not security savvy
– Choose usability over security
– Choose performance over security
Expense
– Too costly to secure everything
14Wednesday, February 4, 2009

15. Hacker
John Draper – “Captain Crunch”
– Toy whistle provides free long distance calling
15Wednesday, February 4, 2009

16. Information Gathering
Determine Target
– Looking for a opportunity
• Sans.org
• or …
– Targeting a “customer”
Google Magic
16Wednesday, February 4, 2009

17. Google Advanced Operators
Cache:
Info:
Intext:
Intitle:
Inurl:
Link:
Filetype
:
Site:
…
Looking for a cgi opportunity
– allinurl:/index.cgi
Looking for 2000 IIS 5?
– “Microsoft-IIS/5.0 server at” intitle:index.of
Apache Tomcat
– "Apache Tomcat/" intitle:index.of
Specific Version of Apache
– “Apache/2.0.45 server at” intitle:index.of
Password anyone
– inurl:config.php dbuname dbpass
– “Welcome to phpMyAdmin” “Create new database”
Perhaps you’re only looking for the government
– Site:gov
– site:mil filetype:xls "attendance"
http://www.googleguide.com/advanced_operators.html
17Wednesday, February 4, 2009

18. Trolling for Users
"@gmail.com" -www.gmail.com
filetype:reg intext:"internet account manager“
filetype:xls inurl:”email.xls”
inurl:admin inurl:userlist
"index of" lck + intext:webalizer + intext:Total
Usernames + intext:"Usage Statistics for“
filetype:reg reg HKEY_CURRENT_USER username
18Wednesday, February 4, 2009

19. Trolling for Passwords
filetype:htpasswd htpasswd
– HTTP htpasswd
"http://*:*@www" pmjones:
– HTTP htpasswd
filetype:config config intext:appSettings "User ID“
– .Net app credentials
intitle:”index of” intext:connect.inc
intitle:”index of” intext:globals.inc
– MySQL
filetype:ini inurl:ws_ftp
filetype:inc intext:mysql_connect
– Php / mysql
19Wednesday, February 4, 2009

20. Network Mapping
site:google.com -www.google.com
– Dns lookup… or ping
Looking for admins
– Ip search
– Whois
Easy Way
– http://toolbar.netcraft.com/site_report
20Wednesday, February 4, 2009

21. Targeting
http://secunia.com/product/4021/?task=advisories_2004
– Issue with CubeCart 2.0.1
– Issue reported 10-10-2004
Google search: "Powered by CubeCart 2.0.1“
– 16,400 hits 02-13-2008
21Wednesday, February 4, 2009

22. Hacker
Captain Midnight – John MacDougall
– Knocked HBO off the air for 4 ½ hours
22Wednesday, February 4, 2009

23. Parameter Tampering
23Wednesday, February 4, 2009

24. Brute Force
Automated Trial and Error
24Wednesday, February 4, 2009

25. Cross Site Scripting (XSS)
Malicious script echoed back in browser
Consequence:
– Internet Worm
• MySpace
• Meebo
– Session Tokens stolen
– Future surfing compromised
25Wednesday, February 4, 2009

26. XSS Testing
Submit a simple <script>alert(document.cookie)</
script> to a web page
If alert pops, life is good!
– Or bad
• Just depends on if you’re a white hat or black hat 
26Wednesday, February 4, 2009

27. XSS Details
Common
– Search
– Error Pages
– Returned Forms
Aiding Technologies
– AJAX
– Flash
– IFrame
27Wednesday, February 4, 2009

28. XSS – The Exploit
1. Link to Account
in email
2. Embedded script
Sent to target
3. Script executed on client
browser
4. Script provides cookie
and session data
5. Hacker users credentials
28Wednesday, February 4, 2009

29. XSS Testing
29Wednesday, February 4, 2009

30. Cookie Poison
30Wednesday, February 4, 2009

31. SQL Injection Discovery
Username: ‘
Password: a
31Wednesday, February 4, 2009

32. SQL Inject Errors
32Wednesday, February 4, 2009

33. SQL Inject Yourself In…
Username: access' or 1=1 --
Password: a
33Wednesday, February 4, 2009

34. SQL Inject Yourself In
34Wednesday, February 4, 2009

35. SQL Inject Answers from Errors
' having 1=1 --
' group by login.primarykey having 1=1 --
' union select min(username),1,1,1,1 from login
where username > 'a'--
35Wednesday, February 4, 2009

36. SQL Injection: Want a Password?
'union select min(password),1,1,1,1 from login
where username = 'ab***ilr'--
36Wednesday, February 4, 2009

37. Insecure Directory
Remote Machine Details
37Wednesday, February 4, 2009

38. Failure to Restrict URL
This would be fine if it were
an admin 
38Wednesday, February 4, 2009

39. Hacker
Nick Jacobsen
– Paris Hilton Phone Pictures
• SQL Injection or
• Password Recovery
39Wednesday, February 4, 2009

40. Trojans
Beast
+
Tutorial:
http://www.youtube.com/watch?v=KjbjPVG0BPU&feature=related
40Wednesday, February 4, 2009

41. Hiding your stuff
GooScan
– Not Google Approved 
41Wednesday, February 4, 2009

42. Dos & Don’ts
Don’t
– Use Magic URL and Hidden fields for
private data
– Use Security by ignorance
– Rely on secrecy of the scheme
– Reveal Passwords to User
– Use Cookies for private data
– Trust the client for anything
• Cookie expiration
Do
– Tighten Security
– Use Security Appliances
• Watchfire
– Rely on secrecy of a set of keys
– Tighten Passwords
– Develop a policy
– Enforce time limits on authenticators
– Security Reviews
42Wednesday, February 4, 2009

43. Hacker
Adrian Lamo – “Homeless Hacker”
– Hacked
• NY Times
• MSFT
• NBC
43Wednesday, February 4, 2009

44. Resources
Must watch program
– http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar
Vulnerability and exploit info
– www.cert.org
– http://www.owasp.org/index.php/Top_10_2007
– http://seclists.org/
Tools
– http://www.elhacker.net/hacking-programas-hack.htm
– http://www.tahribat.com/doc.asp?docid=87
Security Policy
– http://www.sans.org/resources/policies/
44Wednesday, February 4, 2009

45. Links
http://xss-proxy.sourceforge.net/
Advanced_XSS_Control.txt
45Wednesday, February 4, 2009

46. Summary
 It’s a Scary World!
 White Hats are always on the defense
 Obtain skills in Defense against the
Dark Arts
 And Good Luck!
46Wednesday, February 4, 2009

47. Questions
 Please Fill Out Surveys
kensipe@gmail.com
twitter: kensipe
blog: kensipe.blogspot.com
47Wednesday, February 4, 2009