HACKING 101 – CREATING A HACKING LAB

Introduction & Agenda

• Disclaimer
• About the instructor
• What you should do
• Setting up a Hacking Environment (Live Demos and Explanations)
• Setting up a Virtualized Environment
• Setting up Kali Linux
• Setting up Damn Vulnerable Web Application (DVWA)
• Setting up Webgoat
• Other external hacking targets
• Conclusion
DISCLAIMER
Disclaimer

THIS IS FOR EDUCATIONAL PURPOSES ONLY

ABOUT THE INSTRUCTOR
About the Instructor
• Name: Arif Gani
• Formal Education:
• Associate’s Degree in Accounting
• Bachelor’s Degree in MIS and Finance
• Master’s Degree in Marketing
• Master’s Degree in Cybersecurity
• Certifications:
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• Certified Ethical Hacker (CEH)
• Cloud Computing Security Professional (CCSP)
• Six Sigma (Green Belt)
About the Instructor
• Name: Arif Gani
• Professional Experience:
• Working professional with 15 Years of IT Security experience
• Work Experience: GE, Ernst & Young, Ethical Hacker
• Other Teaching Experience:
• Internet Safety
• Data Backup & Recovery
• “Cutting the Cord”
• Contact: [email protected]
• Facebook: IS Training Camp
WHAT YOU SHOULD DO
What You SHOULD Do
• Set up your own lab environment
• Turn off any services you turn on in your lab
• Segregate your network from the outside world
• Take your time trying to exploit
• Research what you don’t understand
• Think about remediation
• Do not hack external websites (without a contract)
• Learn to hack – but understand how to remediate
 INTRODUCTION

VIRTUALIZED ENVIRONMENT (VMWARE)

VIRTUALIZED ENVIRONMENTS - INTRODUCTION
• Virtualization is the process of creating a software-based, or
virtual, representation of something, such as virtual applications,
servers, storage and networks
• A virtual computer system is known as a “virtual machine” (VM)
• VMWare
• VirtualBox
• Parallels Desktop
• MobaLiveCD
• VMLite XP Mode
• VirtualBox
• Parallels Workstation
VMWARE – INSTALLATION DEMO
INTRODUCTION

KALI LINUX
KALI LINUX - INTRODUCTION
• Kali Linux is a Debian-derived Linux distribution designed for
digital forensics and penetration testing
• has over 600 preinstalled penetration-testing programs

• Requirements:
• requires a minimum of 20GB hard disk space for installation
• a minimum of 1GB RAM for i386 and AMD64 architectures
KALI LINUX – INSTALLATION DEMO
 INTRODUCTION

DAMN VULNERABLE WEB APPLICATION (DVWA)

Damn Vulnerable Web Application (DVWA) - Introduction

• Damn Vulnerable Web App (DVWA) is a PHP/MySQL web

application that is damn vulnerable.
• Its main goals are to be an aid for security professionals to test
their skills and tools in a legal environment, help web developers
better understand the processes of securing web applications and
aid teachers/students to teach/learn web application security in a
class room environment.
Damn Vulnerable Web Application (DVWA) -– INSTALLATION DEMO
 EXPLANATION

DAMN VULNERABLE WEB APPLICATION (DVWA)

Damn Vulnerable Web Application (DVWA) - Explanation
• Brute Force
• We are going to brute force a password of a web application
• We are going to do some reconnassaince work using BurpSuite to understand how
the authentication on this site works
• We are then going to do a dictionary brute force attack using THC Hydra
• Command Execution
• What is Command Execution? - Command Execution is where a website application
provides the ability to execute system commands.
• This section of DVWA has a web application that allows you to ping IP addresses.
• We are not going to be using any Kali Linux tools - just fooling the system into giving
us information
Damn Vulnerable Web Application (DVWA) - Explanation
• CSRF
• CSRF stands for Cross Site Request Forgery. Essentially, with this type of attack you
ride a users session and force them to take unwanted actions on a web
application?—?providing they are currently authenticated with the application.
• We are going to replay the session ID to make it look like an authenticated user is
performing an action
• Here we are going to change the password based just on the session ID
• File Inclusion
• File Inclusion attack is similar to file upload attack. The difference is that file
uploading attack uses “uploading function” on a target’s website but file inclusion
attack uses user-supplied input maliciously.
• We are going to trick the server into using this same function to actually read the
files on the server
• Wouldn't it be nice to read a password file?
Damn Vulnerable Web Application (DVWA) - Explanation
• SQL Injection
• SQL injection is the placement of malicious code in SQL statements, via web page
input.
• In this, at least on the low security level, we are going to fool a web application in
giving us database information just by simply changing what we put in the search
bar
• You can figure out the table, the column names, and then go at it to get whatever
information you want

• SQL Injection Blind

• Blind SQL injection is nearly identical to normal SQL Injection, the only difference
being the way the data is retrieved from the database.
• In this we will be using SQLMap to exploit the database
Damn Vulnerable Web Application (DVWA) - Explanation
• Upload
• This is where the server allows you to upload files
• We are going to find a vulnerable target and upload malicious files right to the
server
• XSS Reflected
• XSS = Cross Site Scripting. XSS occurs when one of two things happen
• Data enters a Web application through an untrusted source, most frequently a
web request.
• The data is included in dynamic content that is sent to a web user without being
validated for malicious content.
• A Reflected attacks are those where the injected script is reflected off the web server,
such as in an error message
• A little harder to use as this requires you to have the user click a link with the XSS code
in it
• We are simply going to take an input box and put javascript code in there. If that holds
in the URL, you can send that to another user to click and be exploited
Damn Vulnerable Web Application (DVWA) - Explanation
• XSS Stored
• A stored attack is where you actually upload your code to sit on the server
• Now this is where it gets interesting because it's not just your one target that you
can hit, but everyone that comes to this website
• Here I'm going to show you how to gain shell access to the server and upload your
script
INTRODUCTION

WEBGOAT
WebGoat - Introduction

• WebGoat is a deliberately insecure web application maintained by

OWASP
• Designed to teach web application security lessons
• This program is a demonstration of common server-side
application flaws.
• The exercises are intended to be used by people to learn about
application security and penetration testing techniques
WebGoat-– INSTALLATION DEMO
EXPLANATION

WEBGOAT
WebGoat - Explanation
WebGoat - Explanation
HTTP Basics
HTTP Splitting and Cache Poisoning
How to Exploit Thread Safety Problems
How to Discover Clues in the HTML
How to Exploit Hidden Fields
How to Exploit Unchecked Email
How to Bypass Client Side JavaScript Validation
How to Force Browser Web Resources
How to Bypass a Role Based Access Control Scheme
How to Bypass a Path Based Access Control Scheme
LAB: Role based Access Control
Using an Access Control Matrix
How to Exploit the Forgot Password Page
How to Spoof an Authentication Cookie
How to Hijack a Session
Basic Authentication
LAB: Cross Site Scripting
How to Perform Stored Cross Site Scripting (XSS)
How to Perform Reflected Cross Site Scripting (XSS)
How to Perform Cross Site Trace Attacks (XSS)
Buffer Overflow (TBD)
HTTPOnly Test
How to Perform Command Injection
How to Perform Parameter Injection
How to Perform Blind SQL Injection
How to Perform Numeric SQL Injection
How to Perform String SQL Injection
How to Perform Log Spoofing
How to Perform XPATH Injection Attacks
LAB: SQL Injection
How to Bypass a Fail Open Authentication
Scheme
How to Perform Basic Encoding
Denial of Service from Multiple Logins
How to Create a SOAP Request
How to Perform WSDL Scanning
How to Perform Web Service SAX Injection
How to Perform Web Service SQL Injection
How to Perform DOM Injection Attack
How to Perform XML Injection Attacks
How to Perform JSON Injection Attack
 INTRODUCTION

EXTERNAL VULNERABLE WEBSITES

HACKTHISSITE.ORG
HACKTHISSITE.ORG- Explanation
Hackthissite.org

• HackThisSite.org, commonly referred to as HTS, is an online hacking and security

website founded by Jeremy Hammond
• Jerry has moved on and the site is now maintained by a members of the community
• This site provides users with a way to learn and practice basic and advanced
"hacking" skills through a series of challenges in a safe and legal environment
• The organization has a user base of over 1,800,000
• HackThisSite is hostS to a series of "missions" aimed at simulating real world hacks.
These range from ten basic missions where one attempts to exploit relatively simple
server-side scripting errors, to difficult programming and application cracking
missions
• The missions works on a system of points where users are awarded scores based on
their completion of missions. In general, the missions become steadily more difficult
as the user advances through a particular mission category
HACKTHISSITE.ORG- Explanation
• Basic and realistic challenges
• The Web hacking challenges includes eleven Basic Web Challenges. Each
challenge consists of an authentication page with a password entry box, plus
other files which are to be exploited or attacked in order to gain the correct
password
• Programming missions
• A Programming Challenges section also exists. This section currently consists of
twelve challenges charging the user to write a program which will perform a
specified function within a certain number of seconds after activation.
• Application missions
• The goal of application challenges is generally to extract a key from an application,
usually involving some form of reverse-engineering.
• Code Review missions
• Also of recent creation are the "extended basic" missions. These are designed to
be code review missions where you learn how to read code and look for flaws.
HACKTHISSITE.ORG- Explanation
• Easter Eggs
• A set of 10 easter eggs hidden around HTS were known as the "HTS missions".
One of these "missions" was the fake Admin Panel, for example. Developers later
decided to remove HTS easter eggs: some allowed XSS and SQL exploits and many
members submitted false bug reports because of them.
• Steganography missions
• Steganography missions are also available on the website. The goal in these
missions is to extract the hidden message from the media file provided. There are
17 steganography missions available.
HACKTHISSITE.ORG- Controversies
phpBB/HowDark incident
In November 2004 the (now defunct) HackThisSite-based HowDark Security Group
notified the phpBB Group, makers of the phpBB bulletin software, of a serious
vulnerability in the product. The vulnerability was kept under wraps while it was
brought to the attention of the phpBB admins, who after reviewing, proceeded to
downplay its risks. Unhappy with the Groups' failure to take action, HowDark then
published the bug on the bugtraq mailing-list. Malicious users found and exploited the
vulnerability which led to the takedown of several phpBB-based bulletin boards and
websites. Only then did the admins take notice and release a fix. Slowness to patch the
vulnerability by end-users led to an implementation of the exploit in the Perl/Santy
worm (read full article) which defaced upwards of 40,000 websites and bulletin boards
within a few hours of its release.
HACKTHISSITE.ORG- Controversies
Protest Warrior incident
On March 17, 2005 Jeremy Hammond, the founder of HackThisSite, was arrested
following an FBI investigation into an alleged hacking of conservative political activist
group Protest Warrior. His apartment was raided by the Chicago FBI, and all electronic
equipment was seized. The federal government claimed that a select group of
HackThisSite hackers gained access to the Protest Warrior user database, procured user
credit-card information and conspired to run scripts that would automatically wire
money to a slew of non-profit organizations. The plot was uncovered when a hacker
said to have been disgruntled with the progress of the activities turned informant.
HACKTHISSITE.ORG- Controversies
Internal problems
Administrators, developers, and moderators on HackThisSite are arranged in a
democratic but highly anarchical fashion. While this structure appears to work at most
times, when disputes arise, loyalties tend to become very confusing. Subsequently,
HackThisSite has a long history of administrators, developers, and moderators turning
darkside and severely impairing or completely taking down the site. In one incident, and
the last major attack to occur, several blackhat dissidents gained root-level access to the
website and proceeded to "rm -rf" the entire site. This led to HTS being down for
months.
 INTRODUCTION

EXTERNAL VULNERABLE WEBSITES

TESTFIRE.NET
TESTFIRE.NET- Explanation
TESTFIRE.NET- Explanation
• Mock banking website
• I have NOT used this site before nor was I able to find much documentation on it
• Exploits you can expect here:
• XSS
• Brute Force
• SQL Injection
• Session Hijacking
• Application Authentication
CONCLUSION
Conclusion
• Set up your own lab environment
• Turn off any services you turn on in your lab
• Segregate your network from the outside world
• Take your time trying to exploit
• Research what you don’t understand
• Think about remediation
• Do not hack external websites (without a contract)
• Work your way up

IS Training Camp
https://www.facebook.com/groups/180281662729813/

4/4