
Workshop

Ethical Hacking With Kali Linux


I'm so Happy to Learn Hacking

Who Am I?
Rungga Reksya Sabilillah

Education and activities:
- S1 (bachelor's) in Informatics Engineering (Teknik Informatika), 2005-2009
- S2 (master's) in Information Systems Management (Manajemen Sistem Informasi), 2011-2013
- ICT (TIK) teacher at an SDIT primary school (2007)
- IT Lab Assistant (2008-2009)
- Wushu athlete at PORDA II Banten (2006); leader of Wushu Gunadarma (2007-2008)

Certifications and roles:
- Certified Risk Management level 1 / BSMR (2010)
- Certified Ethical Hacker / CEH (2013)
- Lead Auditor ISO 27001 (2013)
- Lead Auditor ISO 20000 (2014)
- Security Analyst / ECSA (2015)
- Offensive Security Certified Professional / OSCP (2015)
- Certified Network Defender / CND (2016)
- Lead Auditor ISO 22301 (2017)
- IT Support; IT Auditor at a conventional bank and at an Islamic bank; Security and Infrastructure Auditor at Media; IT Consultant

rungga_reksya

Favorite Operating Systems of Hackers (2017 list)

Kali Linux: developed by Mati Aharoni and Devon Kearns of Offensive Security as a rewrite of BackTrack, their previous Ubuntu-based forensics and penetration-testing distribution. Kali itself is based on Debian.

BackBox Linux: an Ubuntu-based distribution oriented to penetration testing and security assessment, providing a network and information-systems analysis toolkit. The BackBox desktop environment includes a complete set of tools required for ethical hacking and security testing.

Parrot Security OS (ParrotSec): a GNU/Linux distribution based on Debian, developed by the Frozenbox team.

Source: https://techlog360.com/top-15-favourite-operating-systems-of-hackers/

Favorite Operating Systems of Hackers (2017 list, continued)

Live Hacking OS: a Linux distribution packed with tools and utilities for ethical hacking, penetration testing and countermeasure verification. It ships with the GNOME graphical user interface built in.

Bugtraq: a penetration-testing distribution built by the Bugtraq-Team of experienced security enthusiasts and developers (not to be confused with the long-running Bugtraq security mailing list, which shares the name). It is available in Debian, Ubuntu and openSUSE flavours, in 32- and 64-bit builds.

Dracos Linux: an open-source operating system for penetration testing, packed with pentest tools covering information gathering, forensics, malware analysis, maintaining access and reverse engineering.

Introduction


Incident Classification Patterns (Verizon Data Breach Investigations Report)

The slide labels the figure "2015 Data Breach Investigations Report", but its caption compares against the 2015 DBIR and the sample size n=2,260 is the 2016 DBIR breach count, so the charts are from the 2016 edition.

Left chart: percentage (blue bar) and count of breaches per incident pattern; the gray line is the percentage of breaches from the 2015 DBIR (n=2,260). The two patterns called out on the slide:
- Web App Attacks: 40% of breaches
- POS Intrusions: 23% of breaches

Right chart: top 10 threat action varieties within Web App Attack breaches (n=879). The four visible on the slide, with their counts:
- Hacking - use of stolen credentials: 831
- Social - phishing: 817
- Hacking - use of backdoor or C2: 817
- Malware - spyware / keylogger: 812

Birth and Rebirth of a Data Breach

Understanding how the patterns complement each other helps direct your limited resources to what to prioritize. The two slides draw one chain, the same chain the threat-action counts above describe:

Stage 1, the person:
  Phishing (email attachment or email link) -> alters user behavior -> user desktop -> malware installation

Stage 2, the systems:
  Malware steals credentials -> use of stolen credentials (against a web app or a payment / POS terminal) -> direct install of further malware -> backdoor -> export data

Three Critical Components of Information Security (the CIA triad)

- Confidentiality (C)
- Integrity (I)
- Availability (A)

Information Security Looks Like Football

Positions = roles:
- Goalkeeper / Defender: sysadmin, network, firewall, SIEM, etc.
- Midfielder: InfoSec officer, risk management, internal compliance, etc.
- Striker: InfoSec consultant, pentester, etc.
- Coach: top management, CISO
- Supporters: stakeholders

Formation = framework:
- ISO/IEC 27001
- NIST SP 800 series (computer security)
- PCI DSS
- HIPAA
- ISMF

Critical Components of ITSM

Four ITSM components that need to be integrated with the ISMS, with the matching ISO/IEC 27001:2013 Annex A controls:
- People: information security awareness, education and training (A.7.2.2), etc.
- Product: technical vulnerability management (A.12.6), etc.
- Supplier: supplier relationships (A.15), etc.
- Process: information security policies (A.5), segregation of duties (A.6.1.2), etc.

Penetration Testing Methodologies and Standards

Phases as drawn on the slide (the PTES ordering):
1. Pre-engagement Interactions
2. Intelligence Gathering
3. Threat Modeling and Vulnerability Analysis
4. Exploitation
5. Reporting -> successful result

PTES itself also defines a Post-Exploitation phase between Exploitation and Reporting; the slide omits it.

http://resources.infosecinstitute.com/penetration-testing-methodologies-and-standards/

Penetration Testing Approaches

- Black box: the tester starts with no internal knowledge of the target.
- White box: the tester has full knowledge (architecture, source, credentials).
- Gray box: partial knowledge, typically the access of a normal user.

Penetration Testing Frameworks

- WASC: Web Application Security Consortium Threat Classification
- OSSTMM: Open Source Security Testing Methodology Manual
- OWASP: Open Web Application Security Project Testing Guide

The Open Web Application Security Project (OWASP)

OWASP Top 10, 2010 (old) vs 2013 (new):

  2010-A1  Injection                                        2013-A1  Injection
  2010-A2  Cross Site Scripting (XSS)                       2013-A2  Broken Authentication and Session Management
  2010-A3  Broken Authentication and Session Management     2013-A3  Cross Site Scripting (XSS)
  2010-A4  Insecure Direct Object References                2013-A4  Insecure Direct Object References
  2010-A5  Cross Site Request Forgery (CSRF)                2013-A5  Security Misconfiguration
  2010-A6  Security Misconfiguration                        2013-A6  Sensitive Data Exposure
  2010-A7  Insecure Cryptographic Storage                   2013-A7  Missing Function Level Access Control
  2010-A8  Failure to Restrict URL Access                   2013-A8  Cross-Site Request Forgery (CSRF)
  2010-A9  Insufficient Transport Layer Protection          2013-A9  Using Known Vulnerable Components (NEW)
  2010-A10 Unvalidated Redirects and Forwards (NEW)         2013-A10 Unvalidated Redirects and Forwards

Three primary changes:
- Merged: 2010-A7 and 2010-A9 -> 2013-A6 (Sensitive Data Exposure)
- Added: 2013-A9 Using Known Vulnerable Components
- Broadened: 2010-A8 -> 2013-A7 (Missing Function Level Access Control)

Exploit Databases
36,845 exploits archived, 82,454 CVE IDs, 3,000 Metasploit modules, etc. (figures as quoted on the 2017 slide)

1. Exploit DB: https://www.exploit-db.com
2. Packet Storm: https://packetstormsecurity.com
3. Common Vulnerabilities & Exposures (CVE): https://cve.mitre.org
4. Rapid7 (Metasploit module database): https://www.rapid7.com/db/modules

Bug Bounty Programs

- Bug Sheet: http://bugsheet.com
- Fire Bounty: https://firebounty.com
- Open Bug Bounty: https://www.openbugbounty.org
- Bugcrowd: https://bugcrowd.com
- HackerOne: https://hackerone.com
- Bounty Factory: https://bountyfactory.io

Information Gathering
The objective of penetration testing, step by step:

Information Gathering -> Target Discovery -> Enumerating Target -> Vulnerability Mapping


Concept of System Takeover

Two paths from a web application to a server shell, as drawn on the slide:

1. Login form -> SQL injection (MySQL) -> bypass the login -> reach the upload form -> upload a file (web shell) -> SHELL -> server pwned
2. Phishing / XSS -> obtain a login to the application -> upload file -> SHELL -> server pwned
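The first path starts with SQL injection against the login form. The following is an added example, not code from the workshop, showing the bypass and its fix side by side. The slide names MySQL; this uses Python's bundled sqlite3 as an offline stand-in (the `'-- ` comment sequence behaves the same way in both), and the accounts, passwords and table layout are constructed sample data.

```python
"""Login bypass through SQL injection: vulnerable vs. parameterised query.

Added example; not code from the workshop slides. sqlite3 stands in for the
MySQL named on the slide. Accounts and passwords are constructed sample data.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed accounts. Passwords are stored
    as MD5, the way many older PHP/MySQL applications did it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_md5 TEXT)")
    for user, pw in (("admin", "S3cret!"), ("alice", "wonderland")):
        conn.execute(
            "INSERT INTO users VALUES (?, ?)",
            (user, hashlib.md5(pw.encode()).hexdigest()),
        )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Concatenates user input into the SQL text. Hashing the password does not
    help: the username field is still interpreted as SQL."""
    pw_md5 = hashlib.md5(password.encode()).hexdigest()
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_md5 = '" + pw_md5 + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same logic with bound parameters: the input can only ever be a value."""
    pw_md5 = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_md5 = ?",
        (username, pw_md5),
    ).fetchone()
    return row[0] if row else None


def probe_quote_error(conn: sqlite3.Connection) -> bool:
    """The tester's first check: a lone single quote as the username breaks the
    statement in the vulnerable version (odd number of quotes -> lexer error).
    A database error on the input "'" is the classic injection signal."""
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    # Payload: close the string, then comment out the password check.
    payload = "admin'-- "
    print("vulnerable:", login_vulnerable(conn, payload, "anything"))  # admin
    print("safe      :", login_safe(conn, payload, "anything"))        # None
    print("quote probe raises error:", probe_quote_error(conn))        # True
```

The payload never touches the password at all: once the username closes the string literal and starts a comment, the `AND pw_md5 = ...` clause is no longer part of the statement. With bound parameters the same string is just a username that does not exist.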

NMAP Features: Port States

1. Open: an application is listening for connections on this port.
2. Closed: the probes were received, but no application is listening on this port.
3. Filtered: the probes were not received and the state could not be established; some kind of filtering (a firewall, for example) is dropping them.
4. Unfiltered: the probes were received but a state could not be established (reported by the ACK scan, -sA).
5. Open/Filtered: the port is either open or filtered, but Nmap could not establish which.
6. Closed/Filtered: the port is either closed or filtered, but Nmap could not establish which.

NMAP Features

Fingerprinting the services of a remote host (pentester at 10.0.0.10 scanning target network 192.168.1.0/24):
- Host discovery
- Service/version detection
- Operating system detection
- Network traceroute
- Nmap Scripting Engine (NSE)

How It Works

Service detection: one of the most loved features of Nmap, useful for identifying vulnerable software versions or making sure a service is running on a given port.
  # nmap -sV --version-intensity 9 <target>

Aggressive detection: Nmap has a special flag, -A, that enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute). The second command below is the equivalent spelled out:
  # nmap -A <target>
  # nmap -sV -O -sC --traceroute <target>

Finding live hosts: used by penetration testers to enumerate active targets and by system administrators to count or monitor active hosts. -sP is the legacy spelling of the ping scan; current Nmap names it -sn (the old flag still works).
  # nmap -sn 192.168.1.1/24

NSE scripts: a ping scan performs no port scanning or service detection, but the Nmap Scripting Engine can still run scripts with host rules, such as sniffer-detect and dns-brute:
  # nmap -sn --script discovery 192.168.1.1/24
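Once a scan like the ones above has run, the port states from the "Port States" slide have to be read back out of Nmap's output. The following is an added example, not code from the workshop: a small parser for Nmap's grepable format (-oG), applied to a constructed scan result. The hosts, ports and version strings in SAMPLE_GNMAP are invented; the line layout is the real -oG format (tab-separated "Key: value" fields, port entries of the form port/state/proto/owner/service/rpc/version/).

```python
"""Parse Nmap grepable output (-oG) into per-host port states.

Added example; not code from the workshop. SAMPLE_GNMAP is a constructed scan
result in the real -oG layout; hosts and versions in it are invented.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Meaning of each state, as on the "Port States" slide.
STATE_MEANING = {
    "open": "an application is listening",
    "closed": "probe answered, nothing listening",
    "filtered": "probe dropped by filtering, state unknown",
    "unfiltered": "probe answered but state unknown (ACK scan)",
    "open|filtered": "open or filtered, Nmap cannot tell",
    "closed|filtered": "closed or filtered, Nmap cannot tell",
}

# Constructed sample of what `nmap -sV -oG scan.gnmap 192.168.1.0/24` writes.
SAMPLE_GNMAP = (
    "# Nmap 7.70 scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.0/24\n"
    "Host: 192.168.1.2 ()\tStatus: Up\n"
    "Host: 192.168.1.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/, "
    "80/open/tcp//http//Apache httpd 2.4.18/, 445/filtered/tcp//microsoft-ds///, "
    "3306/closed/tcp//mysql///\tIgnored State: closed (996)\n"
    "Host: 192.168.1.5 ()\tStatus: Up\n"
    "Host: 192.168.1.5 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
    "135/open|filtered/tcp//msrpc///\tIgnored State: filtered (998)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 61.02 seconds\n"
)


@dataclass
class Port:
    number: int
    state: str
    proto: str
    service: str
    version: str


@dataclass
class HostResult:
    host: str
    status: str = ""
    ports: list = field(default_factory=list)
    ignored: Optional[tuple] = None  # (state, count) of ports Nmap did not list


def parse_gnmap(text: str) -> dict:
    """Return {ip: HostResult}. Fields on a line are tab-separated 'Key: value'."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and summary lines
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip = fields["Host"].split()[0]
        rec = results.setdefault(ip, HostResult(host=ip))
        if "Status" in fields:
            rec.status = fields["Status"]
        if "Ports" in fields:
            for entry in fields["Ports"].split(", "):
                p = entry.split("/")  # port/state/proto/owner/service/rpc/version/
                rec.ports.append(Port(int(p[0]), p[1], p[2], p[4], p[6]))
        if "Ignored State" in fields:
            state, _, count = fields["Ignored State"].partition(" (")
            rec.ignored = (state, int(count.rstrip(")")))
    return results


def open_services(results: dict) -> list:
    """(host, port, service, version) for ports in state 'open' only. The
    ambiguous open|filtered ports need a follow-up scan, not a listing."""
    return [
        (rec.host, p.number, p.service, p.version)
        for rec in results.values()
        for p in rec.ports
        if p.state == "open"
    ]


def state_counts(results: dict) -> Counter:
    """How many listed ports fell into each state across all hosts."""
    return Counter(p.state for rec in results.values() for p in rec.ports)


if __name__ == "__main__":
    res = parse_gnmap(SAMPLE_GNMAP)
    for host, port, svc, ver in open_services(res):
        print(f"{host}:{port} {svc} {ver}")
    for state, n in state_counts(res).items():
        print(f"{n} x {state}: {STATE_MEANING[state]}")
```

Note the "Ignored State" field: Nmap only lists the interesting ports, so the 996 closed ports on 192.168.1.2 and the 998 filtered ports on 192.168.1.5 never appear as entries. A host whose ignored state is "filtered" is behind a firewall that drops by default, which changes how the open|filtered port on it should be read.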

Common Ports and Services

Port   Service
21     ftp
22     ssh
23     telnet
25     smtp
53     domain (DNS)
80     http
445    smb
1433   mssql
3306   mysql
3389   remote desktop (RDP)
5432   postgresql
8009   ajp13
8080   tomcat (http-alt)
Hash Identification

Online Password Hash Hacking

(Both slides are image-only; the only text recovered from them is the figure "90%".)
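The two slides above cover identifying a hash and then looking it up in an online service. The following is an added example, not code from the workshop, that does the first step from the hash's own format and then shows why the second step works: online lookup tables only hit unsalted hashes of common passwords. WORDLIST and the sample values are constructed; the MySQL and NTLM hashes of "password" used in the usage are the well-known values.

```python
"""Identify a password hash by its format, then show why online hash lookup
works only for unsalted hashes.

Added example; not from the workshop slides. WORDLIST is a constructed mini
wordlist. Crypt-style hashes carry a self-describing prefix; raw digests are
classified by length only, so 32 hex characters stay ambiguous between MD5,
NTLM and LM (the sha512crypt/sha256crypt 'rounds=' variant is not handled).
"""
import hashlib
import re

# Ordered most specific first; a value gets every label whose pattern matches.
CANDIDATES = [
    (["bcrypt"], re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    (["sha512crypt"], re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    (["sha256crypt"], re.compile(r"^\$5\$[^$]{1,16}\$[./A-Za-z0-9]{43}$")),
    (["md5crypt"], re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    (["MySQL 4.1+"], re.compile(r"^\*[0-9A-Fa-f]{40}$")),
    (["SHA-512"], re.compile(r"^[0-9a-fA-F]{128}$")),
    (["SHA-256"], re.compile(r"^[0-9a-fA-F]{64}$")),
    (["SHA-1"], re.compile(r"^[0-9a-fA-F]{40}$")),
    (["MD5", "NTLM", "LM"], re.compile(r"^[0-9a-fA-F]{32}$")),
]

WORDLIST = ["123456", "password", "toor", "letmein"]  # constructed mini wordlist


def identify(h: str) -> list:
    """All candidate algorithm labels for a hash string; [] if nothing matches."""
    labels = []
    for names, pattern in CANDIDATES:
        if pattern.match(h.strip()):
            labels.extend(names)
    return labels


def crack_unsalted(h: str, wordlist) -> "tuple | None":
    """What an online hash-lookup service does, in miniature: hash every
    candidate word with each unsalted algorithm and compare. Returns
    (algorithm, word) or None. NTLM (MD4 over UTF-16LE) is deliberately left
    out because hashlib's md4 is not available on every OpenSSL build."""
    target = h.strip().lower()
    for word in wordlist:
        w = word.encode()
        trials = {
            "MD5": hashlib.md5(w).hexdigest(),
            "SHA-1": hashlib.sha1(w).hexdigest(),
            "SHA-256": hashlib.sha256(w).hexdigest(),
            # MySQL 4.1+ PASSWORD(): '*' + SHA1(SHA1(pw))
            "MySQL 4.1+": "*" + hashlib.sha1(hashlib.sha1(w).digest()).hexdigest(),
        }
        for algo, digest in trials.items():
            if digest == target:
                return algo, word
    return None


def salted_sha256(salt: bytes, password: str) -> str:
    """Same password with a salt: identifies as SHA-256 just the same, but no
    precomputed table can contain it."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


if __name__ == "__main__":
    mysql_hash = "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"   # MySQL PASSWORD('password')
    ntlm_hash = "8846F7EAEE8FB117AD06BDD830B7586C"              # NTLM of 'password'
    for h in (mysql_hash, ntlm_hash, salted_sha256(b"pepper", "password")):
        print(identify(h), "->", crack_unsalted(h, WORDLIST))
```

Two things to notice when running it: the NTLM hash is classified as "MD5 / NTLM / LM" and is not recovered, because the lookup never tries MD4; you have to try each candidate algorithm, not just the first label. And the salted SHA-256 of the very same password is identified correctly yet cannot be recovered from a wordlist-derived table, which is the whole reason online lookup services succeed against unsalted MD5/SHA-1 dumps and fail against properly salted ones.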

Cheat Sheet

Nikto:          # nikto -h [url]
Nmap:           # nmap -sV ip_target
SearchSploit:   # searchsploit target_name
Base64 decode:  # echo pastecodebase64 | base64 -d

Create a local admin user (Windows, elevated command prompt):
  > net user hacker P@ssw0rd /add
  > net localgroup administrators hacker /add

Mimikatz (run as administrator; these are mimikatz console commands, not shell commands):
  mimikatz # log
  mimikatz # privilege::debug
  mimikatz # sekurlsa::logonpasswords

Case Study

Turn on your VMs:
- Target: 192.168.1.2
- Kali Linux: 192.168.1.3 (login root, password toor)

Attack chain drawn on the slide: Nikto -> phpMyAdmin -> SearchSploit -> SHELL -> dump / net user
So You Want to be a Penetration Tester

- Feeling
- Experience
- Untiring
- Lucky
- Out of the box

Any Questions for Us ?
