
Website Fuzziness


Formal Metadata

Title
Website Fuzziness
Number of Parts
96
License
CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this

Content Metadata

Abstract
Breaches, breaches everywhere. But shouldn’t the dev team know to check for crazy inputs? Well, maybe they do, but maybe they don’t. In this session we’ll look at website fuzzers, proxies, and other tools that can be used to test your site security and provide insight into where you might need to focus your development efforts. We’ll discuss open-source penetration testing tools, including usage and benefits.
Transcript: English (auto-generated)
We're good to go? Excellent. Hi. Hello. I can see about four people. I've been giving tours of the stage before we started, so it's like to be a speaker at this stage. Right now I can see about this row of people, all the rest, I just hear noises.
So I'm assuming it's all voices in my head at this stage. Welcome to Website Fuzziness. This is a continuation of a lot of our kind of security thread talks that we've been doing today. I hope you've kind of managed to get to see some of the other security talks around, like Stephen's and Chris's. All quite good ones today. This is about how to attack websites and break them
and use very offensive tools to help you find holes in yours. So, a little bit about me. My name is Niall Merrigan. I am a managing consultant with Capgemini in Stavanger. I'm also an MVP on the developer tools, Azure Advisor, ASP Insider, and prolific whiskey drinker.
As I found out last night when I went into the Dubliner, and I'm absolutely terrified when my wife looks at our credit card bill and she goes, Niall, what did you do? I swear. If you want to tweet me, you'll get me at @nmerrigan. You'll also find me at niall@merrigan.no. Please visit my company's website because they are very generous in letting me out the door every so often to talk to you.
And you can also visit my website, which will have all the links and bits from this talk about an hour after this. This is my builders versus breakers talk. Builders, all you nice people sitting here, breakers, that Aussie right there.
And the Aussie's wife right there too, who's trying to sneak in. This is a builders versus breakers talk. Builders, we're the nice people. We like to create things. We like to make Lego bricks into fun stuff. Breakers are those people who like to tear down our lovely bits
and like find holes and go, Ha ha, you did it wrong. And no. Now the thing is, this is very much on how you can use offensive tools that the breakers are going to use against your systems by yourself to find the holes before they do.
I am of the opinion that a lot of you who are sitting here today are probably aware that we're probably not writing secure code or we're not doing it as well as we should, but what kind of bits and tools and advice can you give me today that I can use so when I go home and I can go back into my boss and go, Yeah, you remember that really good system
we built for our customer? Get legal out because they're going to have a bit of fun later. I want you to find the holes before they get out into the wild. Please do not make my job any easier as it already is. If you saw my talk yesterday, I showed you how bad when you're finding open stuff, this is now about trying to break websites.
So I like to kind of ask people, How secure do you think your code or your applications are? So I'm going to ask a general and risky question again to the audience because we all know the Norwegians love talking back. How many of you, when you release a website, go, Hi, I've released a website, go look at it.
I can see no one here, there's two people there, they're confident, well done you. There are also previous colleagues, so that's kind of cool. No one else? Why not? Excuse me? Penetration testing. I'm going to ask another thing, how many of you do penetration testing?
How many of you consider, how many do regular penetration testing? So there's about a couple of hands. How regular is regular, sir? Three times a year. If you went to the bathroom three times a year, would you consider yourself regular? Seriously? Okay, regular is not three times a year.
Sorry honey, I'm going to the bathroom, it could be a while. That's the five minute warning rule, it's a good thing to do. Now, I'm serious, the idea is here. Regular is every time you push a new bit, every time you push a new piece of functionality, you do a test to verify that it is secure. You don't go, you know what, our applications are secure,
our devs are writing code, they're pushing it out onto the web, but we only test it once every three months, because every three months we know it's secure. But we're not waiting that long, we're using different tools against you. And the tools we're going to be using are these things. This is, what I'm going to show you today, is like Kali Linux, you probably saw a little bit before.
This is a Debian based Linux distribution that is armed to the proverbial teeth with tools you can use today to try out and test your security. It is free, so there is no kind of excuse of something saying, I can't afford it. It's free, it costs a few megabytes of bandwidth, but you're good.
If we look over, we'll see a small little space alien, that is Nikto. Nikto is a command line tool for doing vulnerability scanning against web applications. I'm going to show you how to use that. Above it, you'll see the little spider, that's Arachni. Arachni is a full on web framework. Also command line, but does have a nice UI as well. Both of these can be integrated into your build processes
and you can run them automatically against your websites on a regular basis. The little needle is for SQLMap. Probably one of the most versatile tools out there for finding SQL injection. I'm going to show you how powerful it is and how bad SQL injection really is,
because most of us think, oh yeah, no one does SQL injection, you'd never find SQL anymore, it's a dead thing. SQLi is still the top security failure for most applications, because developers go, ah, you know, how bad could it really be? Then you've got Vega, which is a web scanning tool,
another variation of one, and a proxy. And above that then is Burp. Burp is one of the most powerful attack tools you can use once you begin to understand things like HTTP transports. And you can start messing and really kind of playing with your application and see how it will react under the hood.
You can do replays, you can do a lot of other mad stuff. I'm going to show you how to use these applications against very vulnerable web applications today. Now, I have to put this in. Alright? Do not do this against any application you do not own or have permission to test.
Because you will get asked very, very dodgy questions by men in black suits, and black ties, and glasses, and rubber gloves. You know? They will be looking for any excuse to go shk and take you apart. So please, only do this against applications you own
or have permission to test, or have been put out there to test. There are a couple of web applications on the website like Hack Me, Troy's own Hack Yourself First website that you can use to test your applications. They're there to show you what bad coding and what bad security mistakes look like. But please, don't do this against your neighbors' sweet shop
or random government websites, as I heard earlier on today. Because apparently, they won't let you leave. If you're wondering for the backstory of that, there's a gentleman here called Chris. If you find him afterwards, he will tell you a very interesting story of how he nearly didn't get out of Australia.
Now, let's pray to the demo gods again, because there's a nasty habit when there's people down there that are in the audience that my demos tend to break. You got this, Superman. Right, let's go, Joe, as I say to my son. Let's go. We have some demos to play with. I'm going to show you what Kali looks like. This is Kali 2. It is, again, free off the internet.
You can play with it as much as you want. I'm running in virtualization mode to just show you that it's just completely portable. If you've never seen this before, and you didn't catch my talk last year, there is a ton of tools to play with. I'm going to be doing a lot of the web application analysis tools like here.
I'm also going to show you how to do some of the exploitation tools. The first thing we're going to do is we are going to run a thing called Nikto. But first, I want to show you the applications we're going to be playing with. You can go and download from the internet a thing called DVWA, Damn Vulnerable Web App.
This is purposely built to be insecure. It's written in PHP, which we all know is very secure. It has a lot of training and testing in there. If you want to really learn how bad coding should look, look at the source code of this, and then start playing with the app and really try and test your tools.
There's also a kind of DVWS, Damn Vulnerable Web Services, if you want to play with that as well, and I think there's a mobile application as well. Over here, I've also got Mutillidae. This is from OWASP, and it's Mutillidae 2. This particular application is really, really good
for learning how to do hacking against websites and seeing bad security failures in action. It has a couple of things like hints, so if you're unsure of how to do a particular attack, you turn on the hints, it'll walk you through it, there's a video, but if you want to say, I want to show this to all my customers and play with things, they can say, here you go, have a go at it, see what you can find.
You can see here, they've got the different OWASP top tens, so you can see, for example, injection, if we go over here, and you can see extract data, bypass, and there's also SQLMap training, so if you want to see, okay, I want to learn how to use these tools,
so if you find that this talk gets you to a point where you really want to go and play with it, download Mutillidae first, okay? The funny thing is that this is, Mutillidae is the, what's it called, Velvet Wasp. It's a wasp about this big. It's muhusuf, it's huge, and it's a sting that'll knock a horse, apparently,
but it's a big, fuzzy, velvety thing, so that's why they used it. Just really random trivia in the middle of a talk to see if you're still listening. Now, there's other things here. We're going to show you the last one, which is this man. This is Hack Yourself First. It's from Troy Hunt, as we may have heard him before, but this is a fantastic talk or tool if you blend it with his Pluralsight course
because what it does, it shows you how to do with .NET the same kind of things we do with PHP. You can walk yourself through the different vulnerabilities. You can try and hack it, and it gets reset every so often, but because it's also online, you don't have to be carrying around a web application to do it, and you don't have something vulnerable on your own machine. You can destroy his instead.
Right. Now we're going to go into showing you Nikto. Nikto is just as simple as type that, and you get a list of applications and things you can do with it. Here, we have the general options you can use. You specify a target host.
So you say, what do I want to attack? And if you just type in nikto --host, and then put in a URL, it will try and find vulnerabilities on that application for you. So we're just going to do that right now, and let's just go here.
So let's go back. So we'll just do nikto -h, our host, and do http://localhost/m, because I know that one exists, and then it will start finding all the bugs. So it's very, very kind of slow. It takes about 35 seconds.
Now, you can build this into your build step, so it'll just automatically go through the different application kind of points in for you. Now, I will warn you, this might throw a couple of false positives at you. A false positive is it says there's something wrong, but it's not wrong, because it analyzes a response. So if it puts out a URL and expects to get back a 404
and gets back a 200, it'll say there's something working here, therefore the application is broken, and you might go, uh-uh, tough, that's nothing there. I don't want to send it to there, but no. So what has happened here is you will see that this application has, for example,
the .git/HEAD file was found. What does that mean? Anyone using git? Couple of people, good. Anyone know what .git/HEAD means? Source control. Yeah, what else does that mean? You can download the entire source control head folder.
So there's the entire source, because you will find applications sitting there where the developers haven't understood how to just push the application correctly to the web server. We'll leave the .git/HEAD file, and you just go, connect to that, download the complete and utter source code. Now, what happens when you have
the complete and utter source code of an application? Lots of connection strings. I'd be just there going, I can find every single vulnerability because I can examine your code, I don't even have to play with it. I can just download your code. Now, you'll also see other things up here, like, for example, if we go all the way back to the top, one of the first things it finds is, for example,
robots.txt contains eight entries which should be manually viewed. Ladies and gentlemen, what is robots.txt? It tells your search engine what not to look at, right? What does robots.txt contain? Yeah, it contains information,
but it contains text which is human readable. Meaning, do not use it as a security feature for your application. Please don't search in the hidden directory. Please ignore the password file. It's a guidance to web crawlers to say, I don't want this indexed.
People like me ignore such variations, like stop signs and red lights, you know? It is very obvious to just go in and say, I want to go and look at the robots.txt. Have you ever done that? Have you ever just gone to a website and went /robots.txt and seen what is in there? The old whitehouse.gov had one of the best ones.
It had 1,200 lines in it. For everything they didn't want you to search. Area 51 is about line 27. Alright, anyway, what we'll find in here is a list of different problems you can fix. It takes quite a while. As you can see, not really user-friendly
from when you have a lot of command line stuff. It's a bit heavy, right? So, I'm all about making things light and easy for myself. I keep going and I keep scrolling and I keep scrolling and keep scrolling some more. So, what I plan to do now is show you what you can do with Arachni. So, I have to go to a different directory
and tools and arachni. And if I do ./, no, it's bin, isn't it? cd bin. So, here's Arachni. You can download this and run it.
Now, in Kali 1.06 or 1.10, this was installed out of the box. I'm fairly sure I've got it basically because I'm using Kali Rolling, which keeps updating itself, that they may have put this in the new build, but they may not. But I have downloaded the latest one from Arachni. You can just go onto the website, Google Arachni, you'll find it. And then if you just do, for example,
./arachni here, this gives you a list of options you can use. When it turns up, come on. Come on. There we go, we'll try a different one. We'll try arachni_web then. So, arachni_web is a web application scanner that will run the command line edition of the application.
It should be running. Is it running? Am I doing something wrong here? ./arachni_web. This worked two seconds ago. Right. We'll ignore Arachni, I'll just tell you about it. Arachni is a web application scanner.
It has a lot more features than Nikto. You can specify, I want to do SQL injection, I want to do XSS injection, I want to do different types of scanning, I can validate forms, I can validate post requests, I can also validate cookies, you can validate headers. Now, when I ran this on one of my internal applications,
it took approximately six hours to go through every single test across 1,200 pages. So, it takes quite a while. You can multiply it out across multiple different computers to work for you, and it makes it much easier, much quicker, so if you want to spin up
a couple of different virtual machines. Aha, did we work? Yes, we're missing the URL argument. Okay, that means I can do -h to do the help, I think. Yes, okay. So, I want to show you what it can do here. So, if we look at the, there's all the different options. I kind of tell people that this is quite a lot of application work here. So, if we go here, you can also put in this
authorized by in every single request. So, if you're being asked by a company to check an application, and they want to find out where all this amazing and crazy traffic has come from, you can put an authorized by so that they will understand and be able to filter their logs. Because a lot of applications, or a lot of companies, what they'll do is they'll have a firewall
or they'll have some kind of deflection shield in front of their application to stop all this kind of traffic once they start seeing a spike. Now, what you want to be able to do is say, well, I'm going to be coming from this IP address, I'm going to be running these different application attacks, and I want you to be able to find that in your logs so that you can, because if someone is watching and you're running a lot of different attacks,
they will pass in their own attacks with you so that they will be then all of a sudden kind of in the middle of the mix and being ignored. So, you want to try and do that. There's also a thing here, if I go further down. Let's see if I can find it. This is always the part with this one, I have to try and look for it. Where's it gone? Come on.
There we go. There is a thing for using a browser cluster. And what you can use is specify the number of browsers you want to specify at a specific time. So, you can use this even as a load testing application for yourself. Now, if we were to run Arachni Web instead,
wait for it to power up. Arachni Web is the web UI version of this and it runs on localhost on port 9292. localhost:9292. There we go. So, what you get here then is a much easier application view
and specification. So, you can say, I want to create a new profile. I want to scan a new website. And when you scan a new website, it will say, what target URL do you want to use? It will give you the different options. You can specify the distribution, the number of instances you want to run, span it across maybe 20 or 30 instances in your farm and say, I want to get a quick application feedback from
and see how it works. Now, also, you get different profiles. So, if we were to create a new one. Come on. You can audit, for example, HTTP network settings, fingerprinting. You can do all these different types of checks. The security checks gives you the different options you can use. So, you can say, for example,
I want to check XSS. I want to check DOM XSS. DOM XSS and script context. I can also do response splitting, remote file inclusion. A lot of complex, very complex tasks that would normally be very difficult to set up manually. But being able to just be able to go click, click, click, click the different ones I want to use, can we test? So, you can start running very advanced tests very quickly.
What's also cool is when you do these scans, they generate a bug list, which has a discussion. So, if we were to scan, for example, if I just do a quick, if I scan new, and I type in http://localhost/m
and just go, go. It starts up and says, the scan is initializing, please wait. And we get a little... Oops, we have lost some errors. Great. Typically, we have lost some errors. When you start logging it, and you can start bringing in comments,
and you can say, I want to show what's wrong with this application. Here's a bug. So, your testers have found a bug in your application. Your developers are going, that's not a bug, because that is how the customer wants it. But you're saying, the security scanner is saying, well, no, this is wrong. And then you can start building in a discussion and building it into your bug tracker. You can send the results then to, for example,
your GitHub tracker or any different other application, Jira, Bugzilla, whatever you're using. And you can then start having discussion about the security problems in your application. Makes it much simpler, much easier for you to use. This is one of the most powerful web frameworks out there that you can download and work with today.
So, if you are not using any vulnerability scanner right now, and you want to start off, this makes it so simple. And because you get a nice geographical view, your managers will even understand what you're doing. Now, the problem is that I find that when people go into command line, my boss goes, I have no idea what you're doing, okay?
But when I put up a nice little pie chart that shows, here's all our security problems, here's the high, low, and mediums, and then he can go, all right, there's the stuff we can fix. This makes it much easier. You can have a dashboard, you can do whatever you want. It makes it really easy for your team to collaborate. Now, I'm going to show you next what's on the list, SQL.
I'm going to show you Vega first, actually. Vega is, if kind of Arachni and Nikto are a bit too complex for you, or kind of your, I won't say that in a bad way, I mean it's more of a case of who are you trying to show that there's a vulnerability, or what is your type of tools you need to use.
Vega is very graphical driven, so what you can do is point it at an application and say, I want to scan and find out what's wrong. I can see, for example, here I did it on Troy's site. So what I did here is I told him, I went and told him to scan, hack yourself first, and find me all potential problems.
So I ran it for a couple of minutes, and what it did here is it came back and said, I have got a couple of different things that are wrong. I can see here I have eight high priority ticket items, 19 low, and a couple of info items. So on the high ones, I can see clear text password over HTTP. Now this, as we all know, is bad.
Sending passwords over plain text is bad, right? But what this does is it shows you the impact, but it also tells you what you shouldn't be doing and gives you some references. So not just it tells you, ha ha, you're stupid, it says, ha ha, you're stupid, but guess what, I have a fix.
It's just the application that cares. Now, I didn't know if that would work. Ha ha, sorry. So anyway, you've got the session cookie. It says, for example, here's something that's wrong. You can decide if this is right or wrong, because a lot of the times ASP session cookies
can come up as a problem, but it says, here's a discussion, an issue with a cookie that's been set without the Secure flag, here's what the impact is. So this is what I find is very good. It teaches you what's wrong, because most of us, we understand. We get a security bug, it comes up with a little kind of like a big exclamation mark, a red dot, and we go, I have no idea why this is wrong,
and I have to try and Google it, and after a while I just give up, okay? But some applications that teach you how to do this and make it simpler, this is one of them, and it's free to download. You can download it for Mac, you can download it for Linux. I think it even comes on Windows. It is really simple to work with. But what I think is really handy as well is it also shows you what your web application is exposing,
because it does a quick scan and shows you the full structure of your site. So you may be thinking, oh, no one can find this because it's hidden in some little folder. This will find it. You can also use it as a proxy, so, for example, if you want to run your traffic through it to see what type of application vulnerabilities it finds, it will do it. Now, if we just do a new scan, I can just show you the kind of options you'll get.
I'm just going to do the same thing here, localhost 4 slash m, okay? If I click next, the injection modules you can play with that are included are like SQL and XSS injection, HTTP trace probes, integer overflow checks, format string checks. It's quite an amount of different things you can use.
You can also look for response ones, like, for example, email finder module, which I think is quite cool, because if you use that just on its own to scan a web application, you can start looking for email addresses that the web application is leaking and use that for social engineering. Then you can see, for example, if they've got insecure scripts includes,
which is kind of an obscure one for a lot of people because they may not even know what they're doing, but it would tell you if there's something you can say, I can inject script into this application in the response. So if I can proxy or if I can get a man in the middle, this means I can, say, inject a bad piece of code in the response that comes back. All this, like, for example, social security, social insurance number detector.
Okay, probably one of the ones we're probably not going to use in Norway, but it would be kind of cool. But you've even got, like, X-Frame-Options header not set, common problems that we can very readily fix in applications. This generates a nice, simple, clean report that you can go to management or you can go to your customer and say, this is all wrong.
Here's how we fix it. It even guides you through it. It makes it much simpler for you as a developer and for you to say, we've got something wrong. I know you don't get what's wrong, but it's insecure, and here's why. And you can start explaining it. Does that make sense? Okay, everyone's nodding, I think, because I can't really see you all. Am I lit? Oh, never mind.
Right. If we go out of this, I'm going to start showing you something else. Let's do that. Right. Breathe. Good job. Now, I want to show you SQL injection. Now, everyone goes, SQL injection? Nah, nah, it's not being done anymore. Right. Let's put that to shame.
This is the Exploit Database, hosted by Offensive Security. So I just did a search for injection, okay? The word injection. I came back with 7,528 results of exploits in SQLi alone. So you can see here, as of yesterday,
DRAIL DB table viewer has a blind SQLi vulnerability. Electro web online examination system, SQL injection. WordPress pro advertising system, SQL injection. Open source real estate script, SQL injection. PHP real estate, SQL injection.
EduSec, SQL injection. And these are from the last month. SQL injection is still a bloody big problem in computing and development terms. So, stop playing with needles. Do not do any injection. Do not get done by this.
This is so simple that, you know, everyone goes, oh yes, I said no, they can't be doing it, why not? It's still happening, because devs are being stupid. And I'm being very honest here, because I think that we have been promoting this for a long time. Like since about the year 2000, 2001, when we started seeing injection attacks coming on stream,
we've been saying that this is something you shouldn't do. And people are still doing it. So I kind of want to just reiterate, don't do this. It's relatively easy to fix, and very easy to test for. So please, please, please check for SQLi if you've got anything that's sending data in there. Now, if you want to go find applications that are potentially SQLi-able,
you use a thing called PunkSpider. PunkSpider is a bit out of date at the moment, but this is a vulnerability search engine. And what we have done is I've just said, I'm going to look for applications on the .no domain, and I'm going to try and find SQLi or blind SQLi, and as you can see here, it even generates the nice URL for me. Now, all these sites are SQL injectable.
So, for example, the one here, vsk.no. If you're actually the developer for this, this is an example of why this is a problem. If we were to do a voggin-grouping, for example, I think if I just do that, it should take a wobble out of it, maybe not.
This one definitely does. One line. Whoopsie! This is an example of poor coding. I know it says default.asp, and it's a bit of old code, but this is just one of those things that I think that, and this is made by a particular company
because I found the same signature across a number of different sites, and it's a very common thing to do. Because, for example, this personalized candy store is exactly the same. Just doing this, for example, should just knock out and give me a SQL injection problem. Come on. No, it didn't. Oh, they must have fixed... Oh, it's something loaded again. Sorry.
I remembered this before. There we go. So you get a Microsoft OLE DB provider error. We find this very, very easily because all you've got to use is something like inurl:default.asp, question mark, equals. This allows you to find GET parameters. Now everyone says, okay, GET parameters. We know this.
It is actually quite hard to do a lot of this in .NET, but people still manage it. Because they go, I'll just turn off this, I'll just turn off this because I wanted to make it work whatever way I can. Great. Well done. You've just made your machine, or you're so vulnerable. Now everyone's thinking, well, that's fine, Niall, but I have to write very complex queries
and very complex things to attack a website, right? Yeah. Let me show you sqlmap. How many of you are running Windows 10 Anniversary Edition or the latest new bits? Good. A couple, one or two people running the new Insider builds. If you are running it, you can just install sqlmap natively in the Bash shell.
If you're not, just download Python. And then run it, and you can run sqlmap automatically on your Windows machine. Just python.exe sqlmap, and it'll work. Alright? If you don't fancy running on Unix. So here, sqlmap, it'll give me an error saying something's wrong.
Of course, because I forgot to put an -h. Try help, Niall. So sqlmap is a massively powerful tool for generating or finding SQL injection problems in applications. So all you have to do is pass it a URL, and it will start looking for stuff. Now you'll see up here it says,
-g, Google dork. This means you go looking for a specific Google URL, you pass it in, and then it will start attacking all the websites within that. Because, you know, nothing better than trying to do a mass attack on everyone else. It allows you to run it through Tor if you're kind of that way inclined. By the way, kids, if you are going to attack
or be stupid and attack someone's website, don't do it from your home IP. No, I'm serious. It's just not good. Anyway, So you can then, say for example, I can use it to bring out enumeration. I can bring out all the banners, all the current users, DB passwords, whatever.
And what I want to show you now is what I can do with sqlmap and say here, sqlmap -h, and I'm going to just bring up Troy's site if we can find it. And I'll show you what he's been doing badly. Okay, close that. View the P1. I'm hoping your site works today. Ooh, look, someone did something fun.
This is always the problem with running this site. Because people are actively playing with it, it just doesn't get reset. So you just take the risk. So I'm going to do this. No host, is it? Or is it -u, sorry. And what this will do is run your URL without any GET parameters, so it won't try SQL. Did I do the wrong one?
Okay, let's go. Whoa! Yeah, I'm reloading it. I don't know what it's taking now. Right. So what I'll do instead,
sqlmap practice, user info. So this should allow me to run. Well, we might just see this. Shouldn't you have it inside when you do the V12 one? This one. There we go. Now, you always take a bit of fun for yourself. Nothing like having a bit of, like,
uh-oh seconds on the stage. So it'll start doing this. It'll say, going off, finding out this is dynamic. It'll start the heuristics. It looks like the backend DBMS is Microsoft SQL Server. Would you like to skip? Yes. Would you like to do that? No. And then it will start just actively looking for the site
and finding out different things here. It'll do statistical time-based analysis. It will tell you all the different pieces of the application. And what we'll be able to do after a while is say, okay, show me what's in the database. How am I going to get all the queries out? How am I going to get all the users to find? It just does, it just says, hang on, come on.
It'll come back. Now, did any of you see my talk yesterday? Great. Do you remember, like, what's the difference in green code and red code? Good. Green code. If you didn't get the joke, go see the previous talk, come back to this talk, and then laugh again. So, we can see here
that the web server operating system is Windows 8 or 2012. The web application technology is ASP.NET, this particular thing, and the backend DBMS is SQL Server 2012. All right? But if I was to do, for example, --banner, what it'll do is it'll get the banner of the application and say it's Microsoft SQL Azure RTM 12.0.2000.8
running on this particular time for Microsoft Corporation. And this is just because there's a SQLi in this. But I can also say, for example, let me just get back out all the tables or the columns, for example. I can even dump out all the data within the database if I was so inclined. Because once you have all this type of application access,
you can do whatever you want. Now, what I know that Troy has done here is I know he hasn't got an admin user because he's not that stupid. Because if he was running an application as administrator, this would be very, very, very bad. Because then I would be able to upload a shell or I'd be able to add my own users, for example. But if I was to do, for example, tables here,
it'll run this, it'll start giving out applications, it'll say here, this will take a little bit of time. And what we'll start to do is bring out all the different tables we'll be able to see, and then we can start even querying the tables and adding our own queries to do stuff. But this, as you can see, doesn't take a lot of effort. It just takes a little bit of time.
And if you want to go and find out how badly someone has screwed up, this is a very good way of doing so. Now, if your application is SQL injectable and you end up with, like, getting this, you'll see someone will be able to hand you back your database. No problem. Anyone ever kind of been caught by SQLi? I can't see any hands. Yes, Chris, thank you for being nice.
There's at least one person doing it. You've been working in the business a long time, though, haven't you? 19 years. There's a common thing. When I was teaching in university, we used to give students, they'd have to build a hotel reservation system. Now, we could always find the people who had
understood SQL injection quicker than everyone else. Because in Ireland you get things like O'Driscoll and O'Connell, their O'D, O'C, those guys figured out SQLi very quickly. Because that poor chap was inside going, oh, this doesn't work, and would escape their data. The first thing I'd do is I'd press an apostrophe and it'd kaboom.
So this is a very, very simple way to query out a database, get all the data out, and then say, okay, once you have all the data, and if they're not storing their passwords correctly, or they're not hashing their passwords correctly, you have all that. A lot of the major hacks in the last couple of years
have all been SQLi breaches. Because someone has done something very silly, realized they've kind of went, ah, it's okay, no one will find it, and then someone runs an application like this. The most common problem is that when we have applications that are done, as in they're fully baked, the product is finished, and they've gone into maintenance mode, people start ignoring these security problems.
Now, what I want to show you now is what we can do, like get requests are kind of easy, right? It's just, oh, look, we can see all the parameters, yeah, yeah, you're not being really hacky, you're just pressing the apostrophe, and you're making it go, boom, nice. Let's do something that shows you what happens
when we intercept the traffic and start playing with it. So we're going to fire up Burp here, and Burp is a proxy. Any of you familiar with Fiddler? If you're not a web developer, if you are a web developer and you haven't used Fiddler, you're doing it wrong. Fiddler is a proxy for allowing you to do traffic interception,
Burp is a kind of a bigger version of this. It has a lot more applications or, sorry, bits into it, but if you're not using Burp and you want to use Fiddler, Fiddler does a lot of this stuff the same way. So what we're going to do here is we're going to, of course there's a new free edition, what we're going to do here is proxy our traffic through Burp
and start intercepting things and changing. And then we're going to show you what happens when you think, oh, just because I've got a post request, no one will figure out, or I can't do SQL injection with post. Yes, you can. So what I want to do first is go to the proxy. I said intercept is on,
so now I need to go back and I'll close you up because this caused a problem. I'm going to go back in here and I'm going to set my preferences to go through that proxy. So I know it runs on port 8080, and I'm just going to click OK. So now if I was to go to here,
and I close U2, if I go back here and I go to, for example, SQLi, sqlmap, view someone's blog. When I click on that, Burp has now got a request. So you can see here what the request it has found, and I can just forward that one. OK, forward again.
And I'm going to click intercept is off, so I just want all the application just to forward all the information onwards. So this allows you to stop every single request that's the browser sending between you and the web application and have a look at it. So you don't have to get this mad thing, you can just say, this has gone wrong, this has gone wrong, here's something different. But what I want to do first is see if the application,
if I can do something with it. So I've got to choose an author here. So I'm going to do it to admin, and then view the blog entries, and it brings back some information. Now if I put on intercept on again, I go back up here, and I say I'm going to choose a different author, and I'm going to use Adrian, view blog entries. When we go back here,
I can see that the request looks like this, and I can see here this author Adrian, and view someone's blog, and that's what they're doing here. So if I right click here and just go send to intruder. OK, and I'm going to drop all the, I'm going to take intercept off. On intruder, intruder allows me to attack
the different targets and positions. So I'm going to use this post request as a template to attack this application. So here in the positions, it highlights automatically the different ones it thinks that we can use. I'm going to clear that. I'm going to highlight Adrian. Every time I say that, I really want to do it in a rocky voice.
You know, add. OK. And I want to do the payloads. Now we have different payload types. You can set it to, you have for example, there's different options for it, but what I'm going to do here is I'm going to load a SQL injection list. Now this comes in the box already. It's inside the wfuzz attack list.
But if you can't find a list, or you don't know how to write SQL injection attacks, go to the Big List of Naughty Strings on GitHub. OK. That has an exceptional list of different characters in all different languages that allow you to attack your application. So what I'm going to do then is just going to start the attack.
This is a free edition of Burp, so it'll slow down. And what we're going to do here is watch what happens with the different results. OK. We're just going to see here. If I go on the length, something is different with some of these. So I can see then if I open this,
I can get back the response and the render. Let's see if there's a bug in this one. I'm like, this looks OK. That's fine. But if I was to do this one, what does this show? Oh, it came back with an error.
Hmm. So if it's got this, we can see there's a SQL injection problem now. We can see there's a bug. Because if I put in an apostrophe, which as we all know is the first key to look for a SQL injection, we find that it does have an issue. Right. So what will we do now? How will we pass this to sqlmap? What can sqlmap do if we've got this?
So you can use the post request. You can just say, we'll close this out. Attack. Pause. Bring this back out and close it. OK. This will stop the current attack. OK. We'll go back and use our HTTP history. And we'll see.
Is this the one I want? Yep. I'm going to just copy out all this and use leafpad here. And I'm going to paste it into leafpad. Close it. Yes. And I'm going to put it in the root directory. And I'm going to call it post request two,
just in case, .txt. And we're going to click save. Now, back in sqlmap. If I do sqlmap --help, -h, -hh, I think.
sqlmap -hh gives you the full-on list of the different problems here. Or, sorry, different options. And when we go back up, excuse me. When we go back up, come on. See, we've got a lot more options here. We can do a thing here with a request file. So we can pass in the POST request and make it work. So what I'm going to do here instead is do sqlmap
-r post request post. It would help if I was in the right directory. sqlmap -r post request two .txt.
Okay, I'm just going to do that and let it go off and find. So it now knows that I am running. It says your web server operating system is Linux Debian. Its web application technology is Apache 2.4.18. And we can see the backend DBMS is 5.0.2. Now, if I was to do, for example, like this, and say I want to bring out the users.
So the users that are inside in there, okay, is root, and I can see all the different options I can have. I've got different heres and bits and pieces. So I can start then, for example, if I wanted to do, for example, passwords. Would you like to create a new?
Would you like to use dictionary pass against retrieved passwords? Yes. Do you want to? No. Let it just go crack the passwords for me. This is running on a single core machine. If you've got a larger machine, it'll take a little bit, you'll have a lot less problems with it. But the idea is this is how difficult it would be
to kind of get the passwords out. And what happens when you have a username and password on the database? A lot of bad stuff. Now, ladies and gentlemen, this is just an example of the different types of tools you can use today to break your applications. Still going.
Oh, there it is. So the password for ndc@localhost was pass1234. Nice. Well done, system administrator. Now, this is a single core machine running on the processor.
If you've got a GPU, they're exceptionally good at this. Now, there's a guy, they build large boxes, and they have great names like Brutalis, and they come with like 8 or 18 Titan 1080s in them. Have you seen the new Titan 1080?
Any gamers in the house? That massive card which is like, it just has a small nuclear reactor behind it. And it only costs like 7 or 8 thousand kroner. Now imagine 10 of these running trying to crack your password. How long do you think your password would survive? They guesstimate that they can crack about 350 billion per second right now
of NTLM hashes. So if you think your password is strong, and it's less than 8 characters or something like that, think again. It'll probably be cracked in under a second. Now, I'm just showing you examples here of how you can use different types of tooling
to build it into your application, or sorry, use these types of tools to kind of get an exam, or timeout. One, two, three. These you can use these tools to really kind of check your systems. Because many of you are probably going, I don't know what these are, how hackers are getting near my application. These tools are what they're using.
And these are only the basic ones. There's a lot more advanced ones out there, and sqlmap is one of the most simple of the tools there you can use today. But it is exceptionally powerful. Now, one of the other things I want to show you here is like, for example, here. If I type in tables,
this gives me all the lists of the tables that are in the application. So, you know, I don't even have to query, I don't even have to run around and try and figure out things. I can even say, like, show me all the app, or show me, for example, here, columns. So there's the list. So, you know, you can just go,
oh, here's all the different applications, here's my database map, here's what I can do. And if I was to say, for example, all, this will bring out the entire data and dump it. So you can just do colon, or sorry, greater than, greater than, and all of a sudden you can send it out to a text file and examine it at your own leisure. Now, that's kind of the end of the demos.
Let's go to here. Everyone's a bit tired. Whoops. Try again, Niall. Hang on a second. I always hate this part. Shift-F5. You can get the links and the bits on www.certsandprogs.com. You can download Kali today.
I don't recommend doing it in here, because all the other attendees will probably give out to you. But it is a 2-gig torrent file, and then it expands quite a bit bigger, but this application, or sorry, Kali on its own works in a VM, it runs in VirtualBox, it can run in Hyper-V, whatever you want, or you can install it on your system directly.
It's a very cool set of tooling. All these different tools are free. There's nothing here that's going to cost you money. And with the new versions of Windows, with Bash shell, for example, you will be able to run these natively on your own boxes. You won't have to use Kali for this. You can just get from the different repos. So I'm going to open up the floor
for any questions. Anyone at all that I can't see? Anyone got a question? Come on. We've got five minutes at least. And I can wait here. Yes, Chris?
What are the implications of having JavaScript access to a box? Well, the thing is, once you have, for example, XSS, and you can persist that, so it happens every time.
Troy shows a very good example of stealing someone's cookie. And when we steal someone's cookie, it's not that they get hungry, it's that we steal probably their potential to log into somewhere. Instagram had a sideswipe problem where they sent out their authorization cookie over HTTP, meaning you could copy that cookie on HTTP.
Now, how difficult is it to recreate a cookie in a browser? Anyone going to say, not very hard, Niall? Thank you! Not very hard, Niall. You go in, you recreate the cookie, and I did this in an example.
Really funny story, my sister-in-law had come over, she wanders into the house, my Pineapple, I'm testing some stuff, her iPhone is like, woohoo, Wi-Fi! And it was NSB Interaktiv, you know, the train. And she jumps on, and she was on Instagram just posting some stuff. And this cookie flies across with sslstrip and goes, huh, this is kind of cool.
So I copy the cookie from the Wi-Fi Pineapple's UI into my browser. And I log in as her. And then I post up a picture for her. And she goes, and all I hear is my wife going, Niall!
Yes, dear? Stop it! Okay. You know, there's always a good thing when your office is well away from the living room, you get a good five-second head start to get out the door. But to answer your question, Chris, if you've got persistent XSS, what'll happen is
I can't trust that the JavaScript you're serving to me is correct. I can, for example, how many of you think that jQuery is epic and good and all JavaScript is good? How many of you think that if I was to change your jQuery and just slightly adjust it and add logging in there so that it emails me something? I can add any type of dodgy script I want
and you won't even see it because you'll... How many people view the source of the website they're looking at? How many people turn JavaScript off in their application? Ever tried turning JavaScript off on the web? Then everything stops. XSS is more dangerous than we kind of... Like, you know, oh, you just put up a message box.
Oh, yeah, wow, good, well done. But if I can put in something that's logging or every time you type in a piece of information it just sends those keystrokes to me, all your passwords belong to me, baby. You know? Good question. Last, any more questions? Going once, going twice, go to Troy's talk! Thank you very much!
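The SQL injection demo above (the apostrophe test, the Burp Intruder payload run against the "view someone's blog" POST parameter, and the point that the fix is easy) can be reduced to a small offline harness. This is an added example, not code from the talk or from sqlmap, Burp or Troy Hunt's site: it uses a constructed in-memory SQLite table, a string-built query next to its parameterized fix, and an Intruder-style loop that records status, row count and error text for each payload and flags the anomalies. The payload list and table contents are assumptions made up for the example.

```python
import sqlite3
from typing import Callable, List, Optional, Tuple

# Constructed sample data standing in for the demo's blog table (assumption).
ROWS = [("admin", "Welcome post"), ("adrian", "Hello world"), ("john", "Trip report")]

# Intruder-style payloads: a benign baseline plus the classic apostrophe probes (assumption).
PAYLOADS = ["adrian", "'", "adrian'", "' OR '1'='1", "' OR 1=1--", "admin'--"]

Handler = Callable[[sqlite3.Connection, str], List[Tuple[str, str]]]
Result = Tuple[str, int, int, Optional[str]]  # payload, status, rows returned, error text


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database so every payload runs against identical state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blogs (author TEXT, title TEXT)")
    conn.executemany("INSERT INTO blogs VALUES (?, ?)", ROWS)
    return conn


def view_blog_vulnerable(conn: sqlite3.Connection, author: str) -> List[Tuple[str, str]]:
    """String-built query: one apostrophe breaks the grammar, ' OR '1'='1 returns everything."""
    sql = "SELECT author, title FROM blogs WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def view_blog_safe(conn: sqlite3.Connection, author: str) -> List[Tuple[str, str]]:
    """Parameterized query: the payload is data, never SQL, so the same probes return nothing."""
    return conn.execute("SELECT author, title FROM blogs WHERE author = ?", (author,)).fetchall()


def fuzz(handler: Handler, payloads: List[str]) -> List[Result]:
    """Play the Intruder role: send each payload and record what Burp's result table shows
    (status code, response size, and the error text the application leaks)."""
    results: List[Result] = []
    for payload in payloads:
        conn = make_db()
        try:
            rows = handler(conn, payload)
            results.append((payload, 200, len(rows), None))
        except sqlite3.Error as exc:          # the database error the speaker sees in the response
            results.append((payload, 500, 0, str(exc)))
        finally:
            conn.close()
    return results


def findings(results: List[Result], baseline: str = "adrian") -> List[Tuple[str, str]]:
    """Flag the two signals a tester looks for: leaked DB errors and a response that is
    bigger than the baseline (more rows came back than one author should produce)."""
    base_rows = next(rows for p, _, rows, _ in results if p == baseline)
    out = []
    for payload, status, rows, err in results:
        if err is not None:
            out.append((payload, "database error leaked: " + err))
        elif rows > base_rows:
            out.append((payload, f"returned {rows} rows, baseline returned {base_rows}"))
    return out


def is_injectable(handler: Handler) -> bool:
    return bool(findings(fuzz(handler, PAYLOADS)))


if __name__ == "__main__":
    for name, handler in (("vulnerable", view_blog_vulnerable), ("parameterized", view_blog_safe)):
        print(f"== {name} ==")
        for payload, note in findings(fuzz(handler, PAYLOADS)):
            print(f"  {payload!r:16} {note}")
```

The vulnerable handler trips on both signals: the bare apostrophe and `adrian'` produce an unterminated-string error, and the two `OR` payloads return all three rows instead of one. The parameterized handler returns no error and no extra rows for any payload, which is the whole fix the talk is asking for.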
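The Vega findings walked through earlier (clear text password over HTTP, a session cookie set without the Secure flag, X-Frame-Options not set, and the email finder module) are all passive checks on a single response. This added example, which is not Vega's code and not from the talk, implements those four checks over a constructed HTTP response so you can see what such a scanner is actually testing; the sample URL, headers and HTML body are assumptions made up for the example, and the HttpOnly check is one extra cookie check beyond the ones named in the talk.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

Header = Tuple[str, str]
Finding = Tuple[str, str]  # severity, description

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PASSWORD_FIELD_RE = re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I)


def header_values(headers: List[Header], name: str) -> List[str]:
    """All values for a header name, case-insensitively (Set-Cookie may repeat)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def check_cookie(set_cookie: str) -> List[Finding]:
    """Flag a cookie set without Secure (sent over plain HTTP too) or without HttpOnly (readable by script)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    issues: List[Finding] = []
    if "secure" not in attrs:
        issues.append(("medium", f"cookie {name} set without the Secure flag"))
    if "httponly" not in attrs:
        issues.append(("low", f"cookie {name} set without HttpOnly"))
    return issues


def check_response(url: str, headers: List[Header], body: str) -> List[Finding]:
    """Passive checks over one response, in the spirit of Vega's response modules."""
    found: List[Finding] = []
    if urlsplit(url).scheme.lower() == "http" and PASSWORD_FIELD_RE.search(body):
        found.append(("high", "clear text password form served over HTTP"))
    for cookie in header_values(headers, "Set-Cookie"):
        found.extend(check_cookie(cookie))
    framed_by_csp = any("frame-ancestors" in v for v in header_values(headers, "Content-Security-Policy"))
    if not header_values(headers, "X-Frame-Options") and not framed_by_csp:
        found.append(("low", "X-Frame-Options header not set (page can be framed)"))
    for addr in sorted(set(EMAIL_RE.findall(body))):   # the email finder module's signal
        found.append(("info", f"email address exposed: {addr}"))
    return found


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """The high/medium/low/info counts that end up on the management pie chart."""
    counts: Dict[str, int] = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample response (assumption): a login page over HTTP with a weak session cookie.
SAMPLE_URL = "http://example.test/login"
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly"),
]
SAMPLE_BODY = (
    '<form method="post"><input name="u"><input type="password" name="p"></form>'
    "<p>Contact admin@example.test</p>"
)

if __name__ == "__main__":
    for severity, text in check_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"[{severity}] {text}")
    print(summarize(check_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY)))
```

Against the sample the checker reports one high (password field over HTTP), one medium and one low for the session cookie, one low for the missing X-Frame-Options header, and one info for the leaked address; the `pref` cookie, which carries both flags, produces nothing. Serving the same page over HTTPS with `Secure; HttpOnly` on the session cookie and `X-Frame-Options: DENY` leaves only the info finding.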