hacker's practice ground - wall of sheep workshops - defcon 2015

Hacker’s Practice Ground, by Lokesh Pidawekar

Upload: lokeshpidawekar

Post on 19-Aug-2015


Page 1: Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015

Hacker’s Practice Ground

Lokesh Pidawekar

Page 2

The road ahead

● Why learn this?
● Creating the lab environment
● How to learn
● Caveats
● What next, opportunity?
● Conclusion

Page 3

● Information Security Engineer
● Master of Science in Information Assurance from Northeastern University, Boston (MA)
● Occasionally blog at infosecforever.blogspot.com
● @MaverickRocky02
● lokesh [dot] pidawekar [at] gmail [dot] com

Page 4

Disclaimer

The tools and techniques covered in the presentation can be dangerous and are being shown only for educational purposes.

It is a violation of Federal and some states’ laws to attempt to gain unauthorized access to information assets or systems belonging to others, or to exceed authorized access on systems for which access has not been granted.

Only use these tools with/on systems you own or with written permission from the owner. The speaker does not assume any responsibility and shall not be held liable for any illegal use of these tools.

These are my views, not associated with my employer.

Page 5

Why learn this?

http://www.wordstream.com/images/attention-economy-zoidberg-why.png

Page 6

Penetration Testing

“Penetration testing is security testing in which assessors mimic real world attacks to identify methods for circumventing the security features of an application, system or network” [1]

http://kcdigitalarts.net/wp-content/uploads/2013/01/simulation-network-security-consultation.jpg

Page 7

Why Pentest?

● It’s always better (in cost and effort) to find holes before attackers exploit them
● Vulnerability assessment is not enough
● Required by compliance standards such as PCI DSS [2]
● Increases the security of the computing resources being tested

Page 8

Why build a practice ground

● One cannot attack a target in the wild
● Schools don’t teach how to break systems, but employers expect us to defend against all attacks as if we knew how to do it
● Students need to develop penetration testing skills to understand the attacker’s mindset, but we cannot just start penetration testing against a random target

Page 9

Know thy self, know thy enemy. A thousand battles, a thousand victories

- Sun Tzu

Page 10

Let the show begin

Recipe for making a hacking lab

● Some virtualization platform
● Installing the required attack software
● Installing vulnerable software
● Learning key concepts

Page 11

The infrastructure

● Raspberry Pi, old laptop
● Virtualization software:

o VMware Fusion/Workstation (if the school provides a free license), otherwise VMware Player, Oracle VirtualBox, QEMU

http://catstechnology.com/wp-content/uploads/2014/03/0FVNM9EASJX.jpg
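The slides stress that the lab, not a random internet host, is the only acceptable target. As an added example (not from the deck), here is a small POSIX shell guard for a VirtualBox lab that puts the attacking VM and the vulnerable VMs on an isolated host-only network and refuses to run any tool against an address outside it. It assumes the host-only network is vboxnet0 on 192.168.56.0/24 and that the VM names passed to lab_network_setup already exist.

```shell
#!/bin/sh
# Added example, not from the slides. Assumed lab layout: VirtualBox host-only
# network vboxnet0 = 192.168.56.0/24, Kali as the attacking VM, Metasploitable 2 /
# DVWA / WebGoat as target VMs. Nothing outside that subnet may be touched.
LAB_PREFIX="192.168.56."

# in_lab IP: succeed only for a well-formed IPv4 address inside the lab subnet.
in_lab() {
    case "$1" in
        "$LAB_PREFIX"*) ;;          # right subnet, check the last octet below
        *) return 1 ;;              # wrong subnet, or not an IPv4 address at all
    esac
    host="${1#"$LAB_PREFIX"}"       # last octet: must be a plain number 1..254
    case "$host" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$host" -ge 1 ] && [ "$host" -le 254 ]
}

# lab_run TARGET CMD [ARGS...]: run a tool only when TARGET is a lab VM, e.g.
#   lab_run 192.168.56.101 nmap -sV 192.168.56.101   (scan of Metasploitable 2)
# Anything else is refused before the tool starts, so a typo cannot reach a real
# host on the internet or on the conference Wi-Fi.
lab_run() {
    target="$1"; shift
    if ! in_lab "$target"; then
        echo "refused: $target is outside the lab subnet ${LAB_PREFIX}0/24" >&2
        return 2
    fi
    "$@"
}

# lab_network_setup VMNAME...: create the host-only network (first run only;
# a second 'create' would add vboxnet1) and attach each VM's first NIC to it,
# so the VMs can only see the host and each other. VM names are assumed.
lab_network_setup() {
    VBoxManage hostonlyif create
    VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
    for vm in "$@"; do
        VBoxManage modifyvm "$vm" --nic1 hostonly --hostonlyadapter1 vboxnet0
    done
}
```

Source the file into the Kali shell and prefix every scan or exploit command with lab_run; the VBoxManage commands in lab_network_setup run on the host, not inside a VM.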

Page 12

Attacking OS

Dedicated OS

● Kali Linux (formerly known as BackTrack)
● Samurai WTF
● Santoku Linux
● BackBox Linux
● Pentoo
● Android Tamer (because it’s the age of mobile)

Recent developments in building frameworks for pentesting are exciting, e.g. PentestBox, Appie, Pentester’s Framework, etc.

Page 13

Vulnerable Platforms for practice

● Operating System: Metasploitable 2
● Vulnerability-specific images: PentesterLab, VulnHub, CTF images
● Web Applications: WebGoat, bWAPP, DVWA, OWASP Bricks
● Mobile Applications: GoatDroid, InsecureBankv2, DVIA
● Custom, cloud based: Hack.me

Page 14

Learning: how to

● Hacking is not point and shoot
● Fundamentals from OWASP
● Security researchers’ blogs, e.g. Project Zero [3], etc.
● Conference talks, videos (anyone heard of @irongeek or @securitytube?)
● Online courses on Coursera, Udemy, etc.

Page 15

Practice and Dedication

SQLi, XSS, Password Cracking etc.

Page 16

Demo

1. Port scanning - Metasploitable
2. SQL Injection - WebGoat
3. Cross-site Scripting - DVWA
4. FTP exploitation - Metasploitable
5. PostgreSQL exploitation - Metasploitable

Page 17

Wargames and Capture the Flag

● There are plenty of CTF games happening throughout the year (check any con)

● Some CTFs are live all year round

o http://overthewire.org/wargames/ - challenges ranging from web apps to the Linux command line and overflows

o http://io.smashthestack.org/

Page 18

Online challenges

Researchers and companies put online challenges for various attacks:

● https://xss-game.appspot.com/
● https://github.com/yahoo/webseclab
● https://google-gruyere.appspot.com/
● https://github.com/cure53/xss-challenge-wiki/wiki/Older-Challenges-and-Write-Ups

Page 19

Responsible Disclosure

● Because we are white hats :)
● Builds trust between vendors and the security community
● Name and fame, or even some money

http://web.securityinnovation.com/Portals/49125/images/Disclosure.jpg

Page 20

Opportunities

Page 21

Huge Opportunity

http://money.cnn.com/pf/best-jobs/2015/list/

Page 23

Bug Bounty

Most companies have started to reward researchers as part of a bug bounty program, e.g. Google, Facebook, LinkedIn, etc.

Responsibly disclosed vulnerabilities to Sony, Prezi.com, Eventbrite, etc.

There are platforms such as Bugcrowd, HackerOne, Synack, CrowdCurity, etc. that mediate crowdsourced bug bounties.

Page 24

Some guidelines to follow

● Write a concise report with proper steps to reproduce the vulnerability
● Only test targets for which you explicitly have permission
● Respect the vendor; do not indulge in malpractice against them
● Do not copy-paste other researchers’ reports (there are a hell of a lot of bugs yet to be found)

Page 25

Conclusion

● Rapid skill development is key to success in security
● They can’t teach everything in class
● It’s not easy to gain experience of exploiting all vulnerabilities in the real world
● Defense can be designed well only if we know the attacking techniques

Page 27

Questions

Email - lokesh[dot]pidawekar[at]gmail[dot]com

Page 28

Thanks

Big thanks to Wall of Sheep!