1. Web Security Workshop
A Jumpstart!
Satria Ady Pradana
http://xathrya.id/ 1
Lightweight and Powerful Penetration Testing OS
Xathrya
2. # whoami?
• Satria Ady Pradana
– Junior Security Analyst at MII (Metrodata Group)
– Researcher at dracOS Dev Team
– Staff at Reversing.ID
– Interested in low-level stuff
3. • Now tell me yours
4. Dracos Linux is an open source operating system built for penetration testing. It is packed with a ton of pentest tools, covering information gathering, forensics, malware analysis, maintaining access, and reverse engineering.
We Live by Code and Rise by Ethic
5. Linux
• Unix-like operating system for various devices and hardware.
• Free and open source, under the GNU license.
• Made by Linus Torvalds in 1991.
#screetsec Xathrya
6. Making Linux Distro Great Again
7. Remastering
• Deriving a new distro from an existing distro.
• The author makes some modifications that distinguish it from the parent distro.
8. Linux From Scratch
• A way to build Linux from the very start.
• Not derived from an existing distro.
• Initiated by Gerard Beekmans.
• Develop and assemble every part of the system yourself.
9. Advantages
• Teach yourself the internals of an operating system.
• Flexible: do as you wish.
• You positively have full control of your system.
12. The name dracOs comes from Dragon Comodos (the Komodo dragon)
A rare species that can only be found in the Indonesian archipelago.
Inspired by the Comodo character:
• Strong enough to kill its prey with minimum force.
• Its mouth carries various bacteria and viruses that quickly kill the prey.
14. History
• Project initiated on 12 June 2012 by Zico Ekel.
• Remastering of Ubuntu 10.04.
• The dracOs v2.0 Beta update still used Ubuntu.
• Project reinitiated in December 2015 with a radical change: adopting LFS.
30. # In this Lab
• Install dracOs
• Configure network (use NAT or bridge)
• Ping my machine from dracOs
• Try the user interface (DWM)
• Install a package
32. Information Security is Like Football
Formation = Framework:
- ISO/IEC 27001
- NIST SP 800 (Computer Security)
- PCI DSS
- HIPAA
- ISMF
Positions:
- Goalkeeper / Defender: Sysadmin, Network, Firewall, SIEM, etc.
- Midfielder: InfoSec Officer, Internal Risk Management, Compliance, etc.
- Striker: InfoSec Consultant, Pentester, etc.
- Coach: Top Management, CISO
- Supporter: Stakeholder
(slide by rungga_reksya)
I am sure you are interested in offensive penetration testing.
33. Three Critical Components of Information Security (the CIA triad)
- Confidentiality
- Integrity
- Availability
34. Penetration Testing Methodologies and Standards
Penetration testing approaches: Black Box, White Box, Gray Box
35. Penetration Testing Frameworks
- WASC: Web Application Security Consortium Threat Classification
- OSSTMM: Open Source Security Testing Methodology Manual
- OWASP: Open Web Application Security Project Testing Guide
36. OWASP Top 10 – 2010 (old) vs. OWASP Top 10 – 2013 (new)
OWASP Top 10 – 2010 (old)                               | OWASP Top 10 – 2013 (new)
2010-A1 – Injection                                     | 2013-A1 – Injection
2010-A2 – Cross Site Scripting (XSS)                    | 2013-A2 – Broken Authentication and Session Management
2010-A3 – Broken Authentication and Session Management  | 2013-A3 – Cross Site Scripting (XSS)
2010-A4 – Insecure Direct Object References             | 2013-A4 – Insecure Direct Object References
2010-A5 – Cross Site Request Forgery (CSRF)             | 2013-A5 – Security Misconfiguration
2010-A6 – Security Misconfiguration                     | 2013-A6 – Sensitive Data Exposure
2010-A7 – Insecure Cryptographic Storage                | 2013-A7 – Missing Function Level Access Control
2010-A8 – Failure to Restrict URL Access                | 2013-A8 – Cross-Site Request Forgery (CSRF)
2010-A9 – Insufficient Transport Layer Protection       | 2013-A9 – Using Known Vulnerable Components (NEW)
2010-A10 – Unvalidated Redirects and Forwards (NEW)     | 2013-A10 – Unvalidated Redirects and Forwards
3 primary changes:
- Merged: 2010-A7 and 2010-A9 -> 2013-A6
- Added new 2013-A9: Using Known Vulnerable Components
- 2010-A8 broadened to 2013-A7
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
37. SQL Injection
• Injecting a snippet of SQL syntax to make the database give us information the developer did not intend.
• Cause: unsanitized input.
• Things you should know:
  • Basics of SQL
  • UNION
  • DBMS-specific behaviour
  • Unicode and character representation
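The vulnerable pattern this slide describes, next to its fix, as an added example that is not part of the workshop material. The `users` table, its rows, and both lookup functions are constructed here for illustration, using Python's standard-library sqlite3 module, so it runs offline.

```python
"""Unsanitized string concatenation vs. a bound parameter (added example)."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by concatenation: the user-controlled value
    becomes part of the SQL syntax, which is what 'unsanitized input' means."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Binds the value as a parameter: the driver keeps data and SQL syntax
    apart, so the value can never change the structure of the query."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups on a benign name, on the textbook tautology string,
    and on a legitimate name containing an apostrophe."""
    conn = build_db()
    benign = "bob"
    tautology = "' OR '1'='1"   # closes the literal and appends an always-true clause
    apostrophe = "o'brien"      # perfectly valid data that breaks the concatenated query

    try:
        lookup_vulnerable(conn, apostrophe)
        vulnerable_breaks_on_apostrophe = False
    except sqlite3.OperationalError:  # syntax error: the quote ended the literal early
        vulnerable_breaks_on_apostrophe = True

    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "vulnerable_breaks_on_apostrophe": vulnerable_breaks_on_apostrophe,
        "param_benign": lookup_parameterised(conn, benign),
        "param_tautology": lookup_parameterised(conn, tautology),
        "param_apostrophe": lookup_parameterised(conn, apostrophe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query returns every row for the tautology input and raises a syntax error for an ordinary name with an apostrophe; the parameterised query returns no rows for either, because both are just values compared against the column. This is why the defence is parameterisation at the query boundary rather than attempts to "sanitize" characters, and it is the same reason the UNION and DBMS-specific items on the slide stop mattering once the structure of the statement is fixed.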
38. Cross-Site Scripting (XSS)
• Injecting a client-side script into a web page viewed by (other) users.
• Cause: unsanitized input.
• Things you should know:
  • Reflected
  • Persistent
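Both XSS flavours from this slide with their output-encoding fix, as an added example that is not from the workshop. The "templates", the in-memory comment store and the probe string are constructed here; only Python's standard library (`html`, `urllib.parse`) is used.

```python
"""Reflected and persistent XSS: raw rendering vs. context-aware encoding (added example)."""
import html
from urllib.parse import urlparse

# Constructed in-memory store standing in for the comments table.
_comments = []


def render_search_vulnerable(term: str) -> str:
    """Reflected: the query parameter is echoed into the HTML unchanged."""
    return f"<p>Results for: {term}</p>"


def render_search(term: str) -> str:
    """Safe: HTML-encode the value before placing it in element content."""
    return f"<p>Results for: {html.escape(term)}</p>"


def post_comment(text: str) -> None:
    """Store the raw text. Storing raw is fine; encoding belongs at output time,
    chosen for the context the value lands in."""
    _comments.append(text)


def render_comments_vulnerable() -> str:
    """Persistent: stored text is rendered verbatim for every later visitor."""
    return "".join(f"<li>{c}</li>" for c in _comments)


def render_comments() -> str:
    """Safe: every stored value is encoded when the page is built."""
    return "".join(f"<li>{html.escape(c)}</li>" for c in _comments)


def safe_href(url: str) -> str:
    """URL attribute context: encoding alone is not enough, because a
    javascript: URL is ordinary attribute text. Allow only http(s) schemes,
    then encode for the attribute."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url)


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed probe string
    print(render_search_vulnerable(probe))
    print(render_search(probe))
    post_comment(probe)
    print(render_comments_vulnerable())
    print(render_comments())
    print(safe_href("javascript:alert(1)"), safe_href("https://example.test/?a=1&b=2"))
```

The point to take from `safe_href` is that the encoding has to match the output context: `html.escape` is right for element content and quoted attribute values, but a value used as a URL, inside a script block, or in CSS needs its own rule. A Content-Security-Policy header limits the damage when one of these rules is missed.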
39. Cross-Site Request Forgery (CSRF)
• Unauthorized commands transmitted from a user that the website trusts, so the site treats them as valid and authorized commands.
• Exploits the trust that a site has in the user's browser.
• Things you should know:
  • Reflected
  • Persistent
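The trust relationship this slide describes, and the synchronizer-token check that breaks it, as an added example that is not from the workshop. The session store, the form and the request dictionaries are constructed stand-ins for a web framework; the `/transfer` action and its field names are invented for the illustration.

```python
"""CSRF: a handler that trusts any authenticated POST vs. one that demands a
per-session token the cross-site form cannot know (added example)."""
import hmac
import secrets


def issue_token(session: dict) -> str:
    """Create one unguessable token per session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_form(session: dict) -> str:
    """The genuine form embeds the session's token in a hidden field."""
    token = issue_token(session)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer_vulnerable(session: dict, form: dict) -> int:
    """Acts on any POST from a logged-in session. A form hosted elsewhere and
    submitted by the victim's browser arrives with the victim's cookies, so it
    is indistinguishable from a genuine one. Returns an HTTP status code."""
    if not session.get("user"):
        return 401
    return 200


def handle_transfer(session: dict, form: dict) -> int:
    """Additionally requires the submitted token to match the session's token.
    Same-origin pages can read the token from the form; another origin cannot."""
    if not session.get("user"):
        return 401
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403  # token missing, stale or forged
    return 200


if __name__ == "__main__":
    session = {"user": "alice"}                       # constructed logged-in session
    render_form(session)                              # genuine page issues the token
    genuine = {"csrf_token": session["csrf_token"], "amount": "10"}
    forged = {"amount": "10"}                         # what a cross-site form can send
    print("vulnerable, forged:", handle_transfer_vulnerable(session, forged))
    print("protected, forged:", handle_transfer(session, forged))
    print("protected, genuine:", handle_transfer(session, genuine))
```

`hmac.compare_digest` keeps the comparison constant-time. In practice the token check is combined with `SameSite` cookie attributes and a rule that state-changing actions never ride on GET requests; each covers cases the others miss.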
40. # In this Lab
• Trying SQL Injection
• Trying XSS
• Trying CSRF
Your target is ...
42. Exploit Database
36845 exploits archived, 82454 CVE IDs, 3000 modules on Metasploit, etc.
1. Exploit DB – https://www.exploit-db.com
2. Packet Storm – https://packetstormsecurity.com
3. Common Vulnerabilities & Exposures – https://cve.mitre.org
4. Rapid 7 – https://www.rapid7.com/db/modules
43. Bug Bounty Programs
- Bug Crowd – https://bugcrowd.com
- Bug Sheet – http://bugsheet.com
- Hacker One – https://hackerone.com
- Fire Bounty – https://firebounty.com
- Bounty Factory – https://bountyfactory.io
- Open Bug Bounty – https://www.openbugbounty.org
44. Concept of Takeover System
[Flowchart; recoverable nodes only: SQL Injection, Login to MySQL, Make Form Upload, XSS, Phishing, Login to App, Upload File, Shell, Pwn Server]
45. Nmap Features: Port States
1. Open: an application is listening for connections on this port.
2. Closed: the probes were received, but there is no application listening on this port.
3. Filtered: the probes were not received and the state could not be established; the probes are being dropped by some kind of filtering.
4. Unfiltered: the probes were received, but a state could not be established.
5. Open/Filtered: the port was filtered or open, but Nmap couldn't establish the state.
6. Closed/Filtered: the port was filtered or closed, but Nmap couldn't establish the state.
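A small reader for the six states above, as an added example that is not from the workshop or from the Nmap project: it parses the port lines of Nmap's normal text output, counts ports per state, and separates the two ambiguous states, which need a follow-up scan before anything is reported. The scan output below is constructed for the illustration (hostname, address and services are invented), and the line format is the `PORT STATE SERVICE` layout Nmap prints.

```python
"""Classify ports from Nmap normal output into the six port states (added example)."""
import re
from collections import Counter

# Constructed sample of Nmap normal output; host and services are invented.
SAMPLE_OUTPUT = """\
Nmap scan report for host.example.test (10.0.0.5)
PORT      STATE           SERVICE
22/tcp    open            ssh
25/tcp    filtered        smtp
80/tcp    open            http
113/tcp   closed          ident
135/tcp   unfiltered      msrpc
443/tcp   open|filtered   https
8080/tcp  closed|filtered http-proxy
"""

# The six states from the slide; the combined ones mean Nmap could not decide.
STATES = ("open", "closed", "filtered", "unfiltered", "open|filtered", "closed|filtered")
AMBIGUOUS = {"open|filtered", "closed|filtered"}

# Longer alternatives first so "open|filtered" is not cut short at "open".
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)"
)


def parse_ports(text: str) -> list:
    """Return one dict per port line; header and banner lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4)})
    return ports


def summarise(ports: list) -> dict:
    """Count of ports per state, e.g. {"open": 2, "filtered": 1, ...}."""
    return dict(Counter(p["state"] for p in ports))


def exposed(ports: list) -> list:
    """Ports with a listening application: the ones to reconcile against the
    host's intended service inventory."""
    return [f'{p["port"]}/{p["proto"]} {p["service"]}' for p in ports if p["state"] == "open"]


def needs_follow_up(ports: list) -> list:
    """Ports in an ambiguous state; a different probe type is usually needed
    before they can be called open or closed in a report."""
    return [f'{p["port"]}/{p["proto"]}' for p in ports if p["state"] in AMBIGUOUS]


if __name__ == "__main__":
    found = parse_ports(SAMPLE_OUTPUT)
    print("per state:", summarise(found))
    print("exposed:", exposed(found))
    print("follow up:", needs_follow_up(found))
```

When reading the summary, remember what the slide says about the filtered states: "filtered" is a statement about the path (something dropped the probe), not about the host, so a filtered result is the firewall doing its job rather than a clean bill of health for the port.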
46. # In this Lab
• Good Luck!