Daniel Kouril, Ivo Nutar Masaryk University


1 Security Training
Offensive training, basic intro
Daniel Kouril, Ivo Nutar, Masaryk University
Bordeaux, November 2016

2 Agenda
- Brief technical introduction
- Capture-the-Flag Game
Purpose of introduction, audience, roles of attendees, skills needed

3 Preparation
- Current browser is needed
  - Chrome or Firefox in current version

4 Attack & Incentives
- Getting (unauthorized) access to data
  - Cyber espionage, money stealing
- Disruption of services
  - Blackmailing, demonstration of capabilities
- Modification of data
  - Damage reputation
- Misuse resources
  - Botnets
  - Ransomware, bitcoins, spam

5 Typical attackers’ steps
- Getting familiar with the environment
- Select target
- Find vulnerability
- Find a way to exploit vulnerability
- Make the target useful for attacker

6 Network examination
- Getting information about
  - Network topology
  - Exposed services
  - Purpose of servers
  - Types of users, typical usage, …
- May take some time, may be quite visible
- Network monitoring can detect scans, …

7 Vulnerabilities
- Different types of weaknesses
  - Programming error
  - Design flaw
  - Misconfiguration
  - Personal/social aspects
- Known vs. Zero-day
  - CVE – directory of known vulnerabilities
  - CVE-YYYY-id unique identifier

8 Finding vulnerabilities
- Collect information about the target
  - Operating system, applications
  - Exposed services, their versions
  - Third-party modules
- Estimate weaknesses
  - Known vulnerabilities
- Often blackbox-style analysis
- Manual vs. automated probing

9 Scanners for particular services
- Web vulnerabilities
  - nikto
- SQL databases
  - sqlmap
- Web CMS scanners
  - Wordpress, Joomla, Drupal
- A lot of others (open-source, commercial, …)

10 Exploiting vulnerabilities
- Determine the version, sw, …, estimate the vulnerability and select/craft the exploit
- Public databases of exploits
- Exploit + payload
- Some exploits may make the node crash
- Manual vs. automated
- Forensics implications

11 Metasploit Framework
- Tool for developing and using exploits
- Directory of exploit codes
- Text-based console (msfconsole), controlled by commands
  - show exploits – list of exploits
  - search – look up the exploits
  - use <exploit> – activate a particular exploit
  - show options – display variables to set
  - set RHOST <IP>
  - show payload – show what will be injected
  - exploit – trigger the exploitation process
- Web exists

12 Spreading activities
- Often hop-by-hop
- Patterns from EGI attacks
- Facilitated by weak password management, shared accounts, credentials, …
- Mere knowledge of a username is an advantage

13 Attacks against passwords
- Hashed passwords
  - Internet-assisted cracking, rainbow tables
  - Brute-force/dictionary attacks, John the Ripper
- Authentication attacks
  - Successive authentication attempts
  - Common attacks targeting SSH, SMTP, RDP, …
  - Password dictionary
  - medusa

14 Useful tools
- Pre-cooked components
  - Malware composers
  - “Shells”
- Specialized Linux distributions
  - Kali

15 Hands-on exercise
- You’re an attacker probing in a victim network
- You will exercise the techniques described earlier
- The goal is to demonstrate how the tools can be used

16 Backup slides

17 (d)DoS example
- Overloading the service and/or network with common requests
- Reflected attacks
  - Hiding origin
  - IP address spoofing
- Amplifications
  - Some protocols return significantly longer responses than requests
  - NTP, SNMP, DNS
- Hard to attribute, prevent

18 SQL Injections
- Insufficient sanitization of users’ input
- Consider an application managing users
    "SELECT * FROM users WHERE name = '" + userName + "';"
- userName == "sveng" yields:
    SELECT * FROM users WHERE name = 'sveng';
- userName == "' OR '1'='1' -- " yields:
    SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
- Typical programming error, from Wikipedia; also add sql queries, …
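
The concatenated query from this slide next to a parameterized version, as an added example that is not part of the original slides. It assumes Python's sqlite3 module and a constructed in-memory users table; the function names are hypothetical.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (not from the slides)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("sveng", "sveng@example.org"),
        ("alice", "alice@example.org"),
        ("o'brien", "obrien@example.org"),
    ])
    return db

def find_user_concatenated(db, user_name):
    # Same construction as on the slide: the input is spliced into the SQL
    # text, so quote characters in it change the structure of the statement.
    query = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return db.execute(query).fetchall()

def find_user_parameterized(db, user_name):
    # The statement text is fixed; user_name is passed as a bound value and
    # is only ever compared against the name column.
    query = "SELECT * FROM users WHERE name = ?"
    return db.execute(query, (user_name,)).fetchall()

def compare(db, user_name):
    """Return (rows or error from concatenation, rows from bound parameter)."""
    try:
        concatenated = find_user_concatenated(db, user_name)
    except sqlite3.OperationalError as exc:
        concatenated = "error: %s" % exc
    return concatenated, find_user_parameterized(db, user_name)

if __name__ == "__main__":
    db = make_db()
    # Ordinary name, the tautology input, and a legitimate name with a quote.
    for value in ("sveng", "' OR '1'='1' -- ", "o'brien"):
        concatenated, parameterized = compare(db, value)
        print(repr(value))
        print("  concatenated :", concatenated)
        print("  parameterized:", parameterized)
```

The third input shows that the concatenated form is also a correctness bug: a legitimate name containing a quote makes the statement fail to parse, while the bound parameter finds the row.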

