web security workshop : a jumpstart
TRANSCRIPT
http://xathrya.id/
Web Security Workshop: A Jumpstart!
Satria Ady Pradana
Lightweight and Powerful Penetration Testing OS
Xathrya
# whoami?
• Satria Ady Pradana
  – Junior Security Analyst at MII (Metrodata Group)
  – Researcher at dracOS Dev Team
  – Staff at Reversing.ID
  – Interested in low-level stuff
• Now tell me yours
Dracos Linux is an open source operating system built for penetration testing. It is packed with pentest tools covering information gathering, forensics, malware analysis, maintaining access, and reverse engineering.
We Live by Code and Rise by Ethic
LINUX
• Unix-like operating system for various devices and hardware.
• Free and open source, under the GNU license.
• Made by Linus Torvalds in 1991.
Making Linux Distro Great Again
• Derivative: making a new distro based on an existing distro.
• It has undergone modifications by the author that make it different from the parent distro.
• Example: remastering.
Linux From Scratch
• A way to build Linux from the very start.
• Not derived from an existing distro.
• Initiated by Gerard Beekmans.
• Develop and assemble every part of the system yourself.
Advantages
• Teach yourself the internals of the operating system.
• Flexible: do as you wish.
• Full control of your system.
INTRODUCING
Lightweight and Powerful Penetration Testing OS
• Open source
• Built from scratch
• Specially crafted for Cyber Security
THE PHILOSOPHY
The name dracOs comes from Dragon Comodos, a rare species found only in the Indonesian archipelago. Inspired by the Komodo dragon's character:
• Strong enough to kill its prey with minimum force.
• Its mouth carries various bacteria and viruses that quickly kill the prey.
HISTORY
• Project initiated on 12 June 2012 by Zico Ekel
• Remastering of Ubuntu 10.04
• The dracOs v2.0 Beta update still used Ubuntu
• Project reinitiated in December 2015 with a radical change: adopting LFS
OLD SCHOOL STYLE
WHY?
"I am a l33t h@cker" LMAO
Doing something, but not knowing what they are doing.
SOMEWHERE
IT HAPPENS
So... DRACOS LINUX
FEATURES IN DRACOS
GTK MENU
FIRE UP THE VM
# In this Lab
• Install dracOs
• Configure network (use NAT or bridge)
• Ping my machine from dracOs
• Try the user interface (DWM)
• Install a package
ARE YOU A HACKER?
You might be, but I am not
Information Security is Like Football
Formation = Framework:
• ISO/IEC 27001
• NIST SP 800 (Computer Security)
• PCI DSS
• HIPAA
• ISMF
Positions = Roles:
• GK-Defender: Sysadmin, Network, Firewall, SIEM, etc.
• Midfielder: InfoSec Officer, Risk Management, Internal Compliance, etc.
• Striker: InfoSec Consultant, Pentester, etc.
• Coach: Top Management, CISO
• Supporter (soccer): Stakeholder
rungga_reksya
I am sure you are interested in offensive penetration testing.
Three Critical Components of Information Security (CIA)
• Confidentiality
• Integrity
• Availability
Penetration Testing Methodologies and Standards
Penetration testing approaches:
• Black Box
• White Box
• Gray Box
Penetration Testing Frameworks
• WASC: Web Application Security Consortium Threat Classification
• OSSTMM: Open Source Security Testing Methodology Manual
• OWASP: Open Web Application Security Project Testing Guide
OWASP Top 10 – 2010 (old)
2010-A1 – Injection
2010-A2 – Cross Site Scripting (XSS)
2010-A3 – Broken Authentication and Session Management
2010-A4 – Insecure Direct Object References
2010-A5 – Cross Site Request Forgery (CSRF)
2010-A6 – Security Misconfiguration
2010-A7 – Insecure Cryptographic Storage
2010-A8 – Failure to Restrict URL Access
2010-A9 – Insufficient Transport Layer Protection
2010-A10 – Unvalidated Redirects and Forwards (NEW)

OWASP Top 10 – 2013 (New)
2013-A1 – Injection
2013-A2 – Broken Authentication and Session Management
2013-A3 – Cross Site Scripting (XSS)
2013-A4 – Insecure Direct Object References
2013-A5 – Security Misconfiguration
2013-A6 – Sensitive Data Exposure
2013-A7 – Missing Function Level Access Control
2013-A8 – Cross-Site Request Forgery (CSRF)
2013-A9 – Using Known Vulnerable Components (NEW)
2013-A10 – Unvalidated Redirects and Forwards

3 Primary Changes:
• Merged: 2010-A7 and 2010-A9 -> 2013-A6
• Added New 2013-A9: Using Known Vulnerable Components
• 2010-A8 broadened to 2013-A7
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
SQL Injection
• Injecting snippets of SQL syntax so the database gives us information the developer never intended to expose.
• Root cause: unsanitized input.
• Things you should know:
  • Basics of SQL
  • UNION
  • DBMS-specific behaviour
  • Unicode and character representation
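As an added illustration of the unsanitized-input point (not code from the slides), the same lookup written two ways against a constructed SQLite table: string concatenation, where the input becomes part of the SQL, and a parameterised query, where the driver keeps it as data. The table, its rows and the input strings are constructed for the demo.

```python
import sqlite3


def setup_db():
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")])
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by concatenation: the input is parsed as SQL syntax."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo():
    """Runs both lookups with a normal name and with a constructed hostile string."""
    conn = setup_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # closes the quote and appends a tautology
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),         # no user has that literal name
    }
```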
Cross-Site Scripting (XSS)
• Injecting client-side script into a web page viewed by (other) users.
• Root cause: unsanitized input.
• Things you should know:
  • Reflected
  • Persistent
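An added example (not from the slides) showing both XSS variants the slide names: a reflected sink (a search term echoed into the page) and a persistent sink (a guestbook stored server-side), with output escaping as the fix and a small reflection check of the kind a scanner performs. The guestbook, page fragments and probe string are constructed for the demo.

```python
from html import escape

# Constructed in-memory guestbook: the persistent sink, shown to every later visitor.
GUESTBOOK = []


def add_comment(text):
    GUESTBOOK.append(text)  # stored raw; escaping belongs at output time, per HTML context


def render_search_vulnerable(term):
    """Reflected sink: the query parameter is pasted straight into the HTML (unsafe)."""
    return f"<h1>Results for: {term}</h1>"


def render_search_safe(term):
    """Escapes & < > \" ' so the browser renders the input as text, not markup."""
    return f"<h1>Results for: {escape(term, quote=True)}</h1>"


def render_guestbook_safe():
    """Persistent sink escaped on output: a stored payload never reaches others as markup."""
    return "<ul>" + "".join(f"<li>{escape(c, quote=True)}</li>" for c in GUESTBOOK) + "</ul>"


def reflected_unescaped(page, probe):
    """Detection check: is the probe present in the response with its tags intact?"""
    return probe in page


def demo():
    probe = "<script>alert(1)</script>"  # constructed probe, the textbook XSS marker
    add_comment("hello")
    add_comment(probe)
    return {
        "vuln_reflects": reflected_unescaped(render_search_vulnerable(probe), probe),
        "safe_reflects": reflected_unescaped(render_search_safe(probe), probe),
        "guestbook": render_guestbook_safe(),
    }
```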
Cross-Site Request Forgery (CSRF)
• Unauthorized commands transmitted from a user that the website trusts, so the site accepts them as valid, authorized commands.
• Exploits the trust that a site has in the user's browser.
• Things you should know:
  • Reflected
  • Persistent
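An added example (not from the slides) of why the browser's automatic cookie is not enough and how a session-bound token restores the check. The request structure, session id and server key are constructed for the demo; the token scheme is an HMAC over the session id, one common implementation.

```python
import hashlib
import hmac
import secrets

# Constructed per-process server key; a real deployment persists this secret.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to the session: another site cannot compute it without SERVER_KEY."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(request):
    """request: {'cookies': sent automatically by the browser, 'form': set by the submitting page}."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "no session"
    expected = csrf_token(session_id)
    supplied = request["form"].get("csrf_token", "")
    # constant-time comparison; a missing or foreign token fails here
    if not hmac.compare_digest(expected, supplied):
        return 403, "csrf token missing or invalid"
    return 200, "transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])


def demo():
    sid = "sess-" + secrets.token_hex(8)
    # Legitimate request: the site's own form carried the token it rendered for this session.
    legit = {"cookies": {"session": sid},
             "form": {"to": "bob", "amount": "10", "csrf_token": csrf_token(sid)}}
    # Forged request: the victim's browser attaches the cookie, but a third-party page
    # cannot read the session's token, so the form arrives without it.
    forged = {"cookies": {"session": sid}, "form": {"to": "mallory", "amount": "1000"}}
    return handle_transfer(legit)[0], handle_transfer(forged)[0]
```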
# In this Lab
• Trying SQL Injection
• Trying XSS
• Trying CSRF
Your target is ...
When you are aiming for a Professional Career
Exploit Database
36845 exploits archived, 82454 CVE IDs, 3000 modules on Metasploit, etc.
• Exploit DB: https://www.exploit-db.com
• Packet Storm: https://packetstormsecurity.com
• Common Vulnerabilities & Exposures: https://cve.mitre.org
• Rapid 7: https://www.rapid7.com/db/modules
Bug Bounty Programs
• Bug Crowd: https://bugcrowd.com
• Bug Sheet: http://bugsheet.com
• Hacker One: https://hackerone.com
• Fire Bounty: https://firebounty.com
• Bounty Factory: https://bountyfactory.io
• Open Bug Bounty: https://www.openbugbounty.org
Concept of Takeover System (diagram)
Nodes shown: SQL Injection, Login to MySQL, Phishing, XSS, Login to APP, Make Form Upload, Upload File, SHELL, PWN SVR.
NMAP Features
PORT STATES
1. Open: an application is listening for connections on this port.
2. Closed: the probes were received but there is no application listening on this port.
3. Filtered: the probes were not received and the state could not be established; the probes are being dropped by some kind of filtering.
4. Unfiltered: the probes were received but a state could not be established.
5. Open/Filtered: the port is filtered or open, but Nmap couldn't establish which.
6. Closed/Filtered: the port is filtered or closed, but Nmap couldn't establish which.
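An added example (not from the slides) that reads the six states above out of Nmap's XML output and separates what is confirmed listening from what the scan could not resolve. The XML fragment is constructed in the element layout nmap -oX writes and uses a documentation-range address; Nmap spells the combined states as open|filtered and closed|filtered in XML.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the layout nmap -oX writes (host/address/ports/port/state).
SAMPLE_XML = """<nmaprun>
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="filtered" reason="no-response"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
    </ports>
  </host>
</nmaprun>"""

# States from the slide where Nmap could not establish the answer (4, 5 and 6).
UNRESOLVED = {"unfiltered", "open|filtered", "closed|filtered"}


def port_states(xml_text):
    """Return {host: {state: ["proto/port", ...]}} parsed from Nmap XML output."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        by_state = defaultdict(list)
        for port in host.iter("port"):
            state = port.find("state").get("state")
            by_state[state].append(f"{port.get('protocol')}/{port.get('portid')}")
        result[addr] = dict(by_state)
    return result


def exposed_services(states):
    """Ports an application is definitely listening on (state 1, open)."""
    return {h: s.get("open", []) for h, s in states.items()}


def needs_followup(states):
    """Ports whose state Nmap could not establish; a different scan type may resolve them."""
    return {h: [p for st, ports in s.items() if st in UNRESOLVED for p in ports]
            for h, s in states.items()}
```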
# In this Lab
• Good Luck!