---
name: Title
class: middle, center

# Introduction

***

Who we are!

- OWASP Kerala lead
- OWASP Testing Guide Maintainer
- OWASP SecureTea Project Lead Developer
- AppSec Browser Bundle

### Join Chat: https://cutt.ly/sec-suyati

---
name: restting-vs-reverting
class: middle, center, changebg

# Day 1

---

# Why web application security is of high importance

***

--

- The World Wide Web has become a powerful platform for application delivery

--

- Sensitive data is increasingly made available through web applications

--

- breachlevelindex

--

- 98% of web applications are vulnerable.

--

- 78% of easily exploitable weaknesses occur in web applications.

---

# Famous last words...

***

--

- “Nobody would bother to hack us.”

--

- “Our network firewall will keep us safe.”

--

- “We will add security to the system later.”

--

- “What's the worst that could actually happen?”

---

# Basic Methodology of Security testing

***

--

1. Information Gathering

--

2. Scanning

--

3. Gaining Access

--

4. Post Exploitation

--

5. Reporting

---

# Information Gathering

***

- The reconnaissance phase is the most important phase of the hacking methodology.
- The purpose of reconnaissance is to accumulate important information and facts about the selected target.

Two types of reconnaissance:

1. Active reconnaissance
2. Passive reconnaissance

---

# Passive reconnaissance

***

Passive reconnaissance is what happens when you don’t communicate with the target. This is accomplished by inspecting the web page, exploring Google, studying social media accounts for information and much more. In short, you’re looking for any data that can be used against the target.

Search for common user names for the website. If it's an Indian website there will be some:

- Rahul
- Manu :)

---

# Robots.txt

***
www.google.com/robots.txt

- Shows files that the administrator does not want search engines to crawl
- Don’t put confidential information in this file

---

# Search engine discovery

***

## Google Dorks

- site:
- inurl:
- intext:
- cache:
- filetype:
- link:
---

# To Do

***

- https://bit.ly/2s4Gieh
- https://bit.ly/35l2D5r
- HackSearch
---

# Public and Restricted Websites

***

- www.netcraft.com
- www.archive.org
- www.shodan.io
- https://osint.link
- https://osintframework.com
- https://web.archive.org/web/19981202230410/http://www.google.com/
---

# shodan

***

## TO_DO

### Basic Search Filters

- **port**: Search by specific port
- **net**: Search based on an IP/CIDR
- **hostname**: Locate devices by hostname
- **os**: Search by operating system
- **city**: Locate devices by city

---

# shodan

***

### Basic Search Filters

- **country**: Locate devices by country
- **geo**: Locate devices by coordinates
- **org**: Search by organization
- **before/after**: Timeframe delimiter
- **hash**: Search based on banner hash
- **has_screenshot**: `true` restricts the search to results that have a screenshot
- **title**: Search based on text within the title

---

# To Do

- www.builtwith.com
- www.netcraft.com
- wappalyzer

---

# Active reconnaissance

***

- Active reconnaissance is the phase in which you investigate the target directly.
- It involves communicating directly with the target. Be aware that during this process the target may log your IP address and your activity.

---

# Scanning

***

- After footprinting and reconnaissance, scanning is the next stage of information gathering. Scanning is where the tester probes a particular range of IP addresses for relevant data and settings.

---

# Nmap

***

Nmap, short for Network Mapper, is a free, open-source tool for vulnerability scanning and network discovery. Network administrators use Nmap to identify which devices are running on their networks, discover the hosts that are available and the services they offer, find open ports and detect security risks.

---

# Hands_on

***

## nmap

- TCP scan
- UDP scan
- Packet fragmentation for evading IDS/IPS
- MAC spoofing
- Full port scan

---

# CVE

***

- https://cve.mitre.org/
- https://www.cvedetails.com/vulnerability-list/vendor_id-10938/Unrealircd.html

---

# Gaining Access/exploitation

***

In the simplest terms, exploitation is the process of gaining control over a system. However, it is important to know that not every exploit leads to a complete system compromise. More precisely, an exploit is a method of taking advantage of a security flaw or bypassing security checks, and it can take many different forms.

---

# Hands_on

***

## Metasploit

Hacking a Linux server running UnrealIRCd: exploiting the server using Metasploit and getting familiar with the tool.

---

# Post Exploitation

***

Post exploitation refers to the stages of an ethical hacking engagement after a victim's system has been compromised. The value of the compromised system is determined by the usefulness of the data stored on it and by how an attacker could take advantage of it for malicious purposes.
---

# Reporting

***

- Like every other phase we have mentioned, drafting a sound ethical hacking report is crucial.
- Learning to write a well-structured report is important for winning clients and for landing a prospective job.

- https://www.owasp-risk-rating.com/
- https://www.first.org/cvss/calculator/3.1
---

# Password Attacks

***

## Password Cracking

Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. Example tool: Hashcat.

## Brute-Force

A brute-force attack is a trial-and-error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys through exhaustive effort (using brute force) rather than by employing intellectual strategies. Example tool: John the Ripper.

---

# Password Attack

***

## Cracking Hash

Cracking an MD5 hash using John the Ripper.

---

# Password Attack

***

## Brute Forcing

Brute-forcing a WordPress admin panel using the wpscan tool.

---

# Packet Sniffing

***

When data has to be transmitted over a computer network, it is broken down at the sender’s node into smaller units called data packets, which are reassembled at the receiver’s node into the original format. A packet is the smallest unit of communication over a computer network; it is also called a block, a segment, a datagram or a cell. The act of capturing data packets across a computer network is called packet sniffing.

---

# Wireshark

***

Wireshark is a network or protocol analyzer. Wireshark intercepts traffic and converts that binary traffic into a human-readable format. This makes it easy to identify what traffic is crossing your network.

---

# Packet Sniffing

***

## Wireshark

- Capturing Telnet packets, analysing them and retrieving the password in plain text.
- Capturing HTTPS packets and analysing them.

---

# Malware

***

The term malware is a contraction of malicious software. Put simply, malware is any piece of software that was written with the intent of damaging devices, stealing data, and generally causing a mess.

Types of malware:

- Viruses
- Worms
- Ransomware

---

# Virus

***

A computer virus is a malicious program that self-replicates by copying itself to another program. In other words, the computer virus spreads by itself into other executable code or documents.

The purpose of creating a computer virus is to infect vulnerable systems, gain admin control and steal sensitive user data.

---

# Worms

***

Unlike a virus, a computer worm does not need a host program: it is a standalone malicious program that self-replicates across a network on its own, without attaching itself to other executable code and without requiring a user to run it. Worms typically spread by exploiting vulnerabilities in network services, which is why unpatched, network-exposed systems are the first to be infected.

---

# Ransomware

***

- Ransomware is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access.
- There are a number of vectors ransomware can take to access a computer. One of the most common delivery systems is phishing spam: attachments that come to the victim in an email, masquerading as a file they should trust.

---

# Cryptography

***

Cryptography refers to secure information and communication techniques derived from mathematical concepts and a set of rule-based calculations called algorithms, which transform messages in ways that are hard to decipher.

- Symmetric-key Cryptography
- Public-Key Cryptography
- Hash Functions

---

# Encryption

***

Encryption is the method by which information is converted into secret code that hides the information's true meaning. The science of encrypting and decrypting information is called cryptography.

Encryption algorithms:

- AES
- Diffie-Hellman key exchange
- RSA

---
name: restting-vs-reverting
class: middle, center, changebg

# THANK YOU

---
name: restting-vs-reverting
class: middle, center, changebg

# Day 2

---

# SSL Testing

***

A Secure Sockets Layer test (SSL test) is a test of an SSL server, certificate or site. SSL tests help to verify that an SSL certificate is valid and that an SSL deployment is configured correctly.
---

# How HTTPS works

***

Why we need it:

- Privacy
- Integrity
- Identification

---

# HTTPS Explained

***

- https://howhttps.works/why-do-we-need-https/
- https://howhttps.works/the-handshake/

---

# To Do

***

- https://pypi.org/project/sslcheck/
- https://observatory.mozilla.org/
- https://www.ssllabs.com/
- https://github.com/nabla-c0d3/sslyze
- SSLscan (Kali)

---

# Web vulnerability and exploitation

***

## Cross-Site Scripting

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application.

## Types of XSS

- Reflected XSS, where the malicious script comes from the current HTTP request.
- Stored XSS, where the malicious script comes from the website's database.
- DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.

---

# XSS

***

## Hands_on

Real-world examples of XSS. Google dorks:

- inurl:".php?file="
- inurl:".php?from="
- inurl:".php?keyword="
- inurl:".php?mail="

---

# Content Security Policy (CSP)

***

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

---

# Content Security Policy (CSP)

***

`Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com`

Here, by default, content is only permitted from the document's origin, with the following exceptions:

- Images may load from anywhere (note the `*` wildcard).
- Media is only allowed from media1.com and media2.com (and not from subdomains of those sites).
- Executable script is only allowed from userscripts.example.com.
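
The policy on this slide evaluated in code, as an added example that is not part of the original deck: it parses the header and answers whether a given load is allowed, showing the fallback to `default-src`, that a listed host does not cover its subdomains, and that an explicit `script-src` replaces `default-src` rather than extending it. The document origin `https://abcapp.com` is assumed.

```javascript
// Added example, not from the slides: a small evaluator for the policy quoted
// above. It supports only the source forms that policy uses ('self', '*' and
// bare host names); real CSP matching also handles schemes, ports and paths.
const policy =
  "default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com";

// Parse "directive src src; directive src ..." into Map(directive -> [sources]).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression match the URL being loaded?
function sourceMatches(source, url, documentOrigin) {
  if (source === "*") return true;                               // any origin
  if (source === "'self'") return url.origin === documentOrigin; // the document's own origin
  return url.host === source.toLowerCase();                      // exact host only, no subdomains
}

// Is loading urlString under `directive` (e.g. "img-src") permitted?
// A fetch directive that is absent falls back to default-src; one that is
// present replaces default-src entirely (it does not add to it).
function cspAllows(header, directive, urlString, documentOrigin) {
  const directives = parseCsp(header);
  const sources = directives.get(directive) ?? directives.get("default-src") ?? [];
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, documentOrigin));
}

const origin = "https://abcapp.com"; // constructed document origin for the demo
console.log(cspAllows(policy, "img-src", "https://cdn.example.net/a.png", origin));           // true
console.log(cspAllows(policy, "media-src", "https://media1.com/clip.mp4", origin));           // true
console.log(cspAllows(policy, "media-src", "https://sub.media1.com/clip.mp4", origin));       // false
console.log(cspAllows(policy, "script-src", "https://userscripts.example.com/x.js", origin)); // true
console.log(cspAllows(policy, "script-src", "https://abcapp.com/app.js", origin));            // false: script-src replaces default-src
console.log(cspAllows(policy, "font-src", "https://abcapp.com/f.woff", origin));              // true: falls back to default-src 'self'
```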
---

# Cross-Origin Resource Sharing (CORS)

***

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own.

---

# SameOriginPolicy

***

To explain the CORS header, first we need to understand the `SameOriginPolicy`. Suppose `xyzapp.com` wants to access details from `abcapp.com/userinfo`. The `SameOriginPolicy` prevents xyzapp.com from making an AJAX request to `abcapp.com/userinfo` and reading the response. The `SameOriginPolicy` is the default policy followed by all browsers; it prevents data sharing between two different domains.

---

# Improper Cross-Origin Resource Sharing (CORS)

***

Improper configuration of CORS headers leads to security risk. In most of the web applications I have seen, the CORS header is set to `Access-Control-Allow-Origin: '*'` or `Access-Control-Allow-Origin: 'any'`.

---

# CORS vs CSP

***

The Content Security Policy (CSP) header is used to define what content can run on a domain. For example, if abcapp.com wants to load a JavaScript library only from `userscripts.example.com` and not from any other third-party source, abcapp.com can set the header as

---

# Subresource Integrity (SRI)

***

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.

You use the Subresource Integrity feature by specifying a base64-encoded cryptographic hash of a resource (file) you are telling the browser to fetch, in the value of the integrity attribute of any