

Introduction & Agenda

• Disclaimer
• About the instructor
• What you should do
• Setting up a Hacking Environment (Live Demos and Explanations)
• Setting up a Virtualized Environment
• Setting up Kali Linux
• Setting up Damn Vulnerable Web Application (DVWA)
• Setting up Webgoat
• Other external hacking targets
• Conclusion


About the Instructor
• Name: Arif Gani
• Formal Education:
• Associate’s Degree in Accounting
• Bachelor’s Degree in MIS and Finance
• Master’s Degree in Marketing
• Master’s Degree in Cybersecurity
• Certifications:
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• Certified Ethical Hacker (CEH)
• Cloud Computing Security Professional (CCSP)
• Six Sigma (Green Belt)
About the Instructor
• Name: Arif Gani
• Professional Experience:
• Working professional with 15 Years of IT Security experience
• Work Experience: GE, Ernst & Young, Ethical Hacker
• Other Teaching Experience:
• Internet Safety
• Data Backup & Recovery
• “Cutting the Cord”
• Contact:
• Facebook: IS Training Camp
What You SHOULD Do
• Set up your own lab environment
• Turn off any services you turn on in your lab
• Segregate your network from the outside world
• Take your time trying to exploit
• Research what you don’t understand
• Think about remediation
• Do not hack external websites (without a contract)
• Learn to hack – but understand how to remediate


Setting up a Virtualized Environment
• Virtualization is the process of creating a software-based, or virtual, representation of something, such as virtual applications, servers, storage and networks
• A virtual computer system is known as a “virtual machine” (VM)
• VMware
• VirtualBox
• Parallels Desktop
• MobaLiveCD
• VMLite XP Mode
• VirtualBox
• Parallels Workstation

Setting up Kali Linux
• Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing
• Has over 600 preinstalled penetration-testing programs

• Requirements:
• Requires a minimum of 20GB hard disk space for installation
• A minimum of 1GB RAM for i386 and AMD64 architectures


Damn Vulnerable Web Application (DVWA) - Introduction

• Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
• Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and aid teachers/students to teach/learn web application security in a classroom environment.
Damn Vulnerable Web Application (DVWA) - INSTALLATION DEMO


Damn Vulnerable Web Application (DVWA) - Explanation
• Brute Force
• We are going to brute force a password of a web application
• We are going to do some reconnaissance work using Burp Suite to understand how the authentication on this site works
• We are then going to do a dictionary brute force attack using THC Hydra
• Command Execution
• What is Command Execution? - Command Execution is where a web application provides the ability to execute system commands.
• This section of DVWA has a web application that allows you to ping IP addresses.
• We are not going to be using any Kali Linux tools - just fooling the system into giving us information
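The brute-force lesson above runs a dictionary attack against the login form; the defender's counterpart is noticing it. The following is an added example in Python, not DVWA's code: a sliding-window failed-login detector run over constructed authentication log lines. The log format, the five-failures-in-60-seconds threshold and the function names are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not DVWA's code): a sliding-window failed-login detector.
# The log format below, the threshold and the window are assumptions.

# Constructed sample log: ISO timestamp, client IP, outcome, username.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 FAIL admin
2024-05-01T10:00:02 203.0.113.7 FAIL admin
2024-05-01T10:00:02 203.0.113.7 FAIL admin
2024-05-01T10:00:03 203.0.113.7 FAIL admin
2024-05-01T10:00:03 203.0.113.7 FAIL admin
2024-05-01T10:00:04 203.0.113.7 OK admin
2024-05-01T10:00:10 198.51.100.9 FAIL alice
2024-05-01T10:05:00 198.51.100.9 OK alice
"""

THRESHOLD = 5                   # failures from one IP ...
WINDOW = timedelta(seconds=60)  # ... within this window raise an alert


def parse_line(line: str) -> tuple:
    """Split one constructed log line into (timestamp, ip, outcome, user)."""
    ts, ip, outcome, user = line.split()
    return datetime.fromisoformat(ts), ip, outcome, user


def detect_bruteforce(log_text: str, threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> list:
    """Return alerts as dicts. 'threshold' fires once per IP when the failure
    count inside the window reaches the limit; 'success_after_threshold' fires
    when such an IP later logs in, which is the case worth paging on."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, outcome, user = parse_line(line)
        failures = recent[ip]
        while failures and ts - failures[0] > window:
            failures.popleft()   # expire old failures: this is the sliding window
        if outcome == "FAIL":
            failures.append(ts)
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "threshold", "ip": ip, "user": user, "time": ts})
        elif outcome == "OK" and ip in flagged:
            alerts.append({"kind": "success_after_threshold", "ip": ip,
                           "user": user, "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['time'].isoformat()} {alert['kind']:25} "
              f"ip={alert['ip']} user={alert['user']}")
```

On the sample data the first IP trips the threshold on its fifth failure and then succeeds, which produces both alert kinds; the second IP fails once and is never flagged. The same counter is the basis for the usual mitigations: per-source rate limiting and progressive lockout or back-off on the login endpoint.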
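Command execution is the one lesson above that needs no tooling, so here is the defender's view of the same ping feature. This is an added example in Python, not DVWA's code (DVWA itself is PHP); the function names and the three-packet ping count are my own choices. The vulnerable builder pastes the user's value into a shell string, while the hardened path accepts only a literal IP address and hands the process an argument list, so no shell ever parses the input.

```python
import ipaddress
import subprocess

# Added example (not DVWA's own code): a "ping this host" feature in the style
# of the DVWA command execution exercise. Function names are assumptions.


def build_ping_command_vulnerable(target: str) -> str:
    """Vulnerable pattern: the user's value is spliced into a shell command
    string. A shell metacharacter in the value (';', '&&', '|') ends the ping
    command and starts another one chosen by the user."""
    return "ping -c 3 " + target


def is_valid_ip(target: str) -> bool:
    """Allowlist validation: accept only a literal IPv4 or IPv6 address.
    ipaddress.ip_address() raises ValueError on anything else, including
    hostnames and any trailing shell syntax."""
    try:
        ipaddress.ip_address(target.strip())
        return True
    except ValueError:
        return False


def build_ping_argv(target: str) -> list:
    """Hardened pattern: validate first, then build an argv list. Each element
    reaches the ping binary as-is; there is no shell to reinterpret it."""
    cleaned = target.strip()
    if not is_valid_ip(cleaned):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "3", cleaned]


def run_ping(target: str) -> str:
    """Run the hardened command. subprocess.run() with a list and the default
    shell=False executes the binary directly."""
    completed = subprocess.run(
        build_ping_argv(target), capture_output=True, text=True, timeout=15
    )
    return completed.stdout


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "::1", "127.0.0.1; id", "localhost"]:
        verdict = "accepted" if is_valid_ip(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
```

Hostnames are rejected on purpose; if the feature must accept them, validate against a strict hostname pattern and keep the argv form. Logging every rejected value gives you a cheap detection signal for people probing the form.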
Damn Vulnerable Web Application (DVWA) - Explanation
• CSRF stands for Cross Site Request Forgery. Essentially, with this type of attack you ride a user's session and force them to take unwanted actions on a web application, provided they are currently authenticated with the application.
• We are going to replay the session ID to make it look like an authenticated user is performing an action
• Here we are going to change the password based just on the session ID
• File Inclusion
• A file inclusion attack is similar to a file upload attack. The difference is that a file upload attack uses the “uploading function” on a target's website, while a file inclusion attack uses user-supplied input maliciously.
• We are going to trick the server into using this same function to actually read files on the server
• Wouldn't it be nice to read a password file?
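The CSRF bullets above change a password on the strength of a session ID alone. As an added Python example (not DVWA's code), the following shows why checking only the session cookie is not enough and how a token bound to the session fixes it. The in-memory session store, the server secret and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Added example (not DVWA's code): an in-memory session store and a password
# change handler in the style of DVWA's CSRF exercise. The secret, the store
# and the function names are assumptions.

SERVER_SECRET = secrets.token_bytes(32)   # constructed at start-up for the example
sessions = {}                              # session_id -> {"user": ..., "password": ...}


def create_session(user: str, password: str) -> str:
    """Issue a random session ID, as the login page would set in a cookie."""
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = {"user": user, "password": password}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session: an HMAC the server can recompute but a
    third-party page cannot, because it never sees SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_password_vulnerable(session_id: str, new_password: str) -> bool:
    """Vulnerable pattern: the only check is that the session cookie is valid.
    The browser attaches that cookie to every request to this site, including
    one triggered from a page the attacker controls, so the cookie alone does
    not prove the user intended the action."""
    session = sessions.get(session_id)
    if session is None:
        return False
    session["password"] = new_password
    return True


def change_password_hardened(session_id: str, new_password: str,
                             submitted_token: str) -> bool:
    """Hardened pattern: also require the per-session token that only a form
    served to this user contains, compared in constant time."""
    session = sessions.get(session_id)
    if session is None:
        return False
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(expected, submitted_token or ""):
        return False
    session["password"] = new_password
    return True


if __name__ == "__main__":
    sid = create_session("alice", "original")
    print("cookie only, no token:", change_password_vulnerable(sid, "forged"))
    print("token required, none given:", change_password_hardened(sid, "x", ""))
    print("token required, correct token:",
          change_password_hardened(sid, "chosen", csrf_token_for(sid)))
```

The form served to the user embeds `csrf_token_for(session_id)` as a hidden field; a forged request from another origin cannot include it. Marking the session cookie `SameSite` and refusing state changes over GET are worthwhile complements, but the token is the check that closes the hole.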
Damn Vulnerable Web Application (DVWA) - Explanation
• SQL Injection
• SQL injection is the placement of malicious code in SQL statements via web page input
• In this, at least on the low security level, we are going to fool a web application into giving us database information simply by changing what we put in the search
• You can figure out the table and the column names, and then go at it to get whatever information you want

• SQL Injection Blind

• Blind SQL injection is nearly identical to normal SQL Injection, the only difference
being the way the data is retrieved from the database.
• In this we will be using SQLMap to exploit the database
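Both SQL injection lessons above come down to one defect, so here is the query from the low-security lesson rebuilt side by side with its fix. This is an added Python example using SQLite, not DVWA's code; the rows are constructed, and only the column names follow DVWA's users table. Blind injection differs only in how results are read back, so parameter binding closes it as well.

```python
import sqlite3

# Added example (not DVWA's code): DVWA's "look up a user by ID" query rebuilt
# against an in-memory SQLite table with constructed rows, once with string
# concatenation and once with parameter binding.


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the column names follow DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "adams"), (2, "bob", "brown"), (3, "carol", "clark")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable pattern: the request value becomes part of the SQL text, so a
    value containing a quote can close the literal and extend the WHERE clause."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened pattern: a '?' placeholder. The driver sends the value
    separately from the statement, so it is only ever compared, never parsed."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # the classic quote-closing input
    print("normal lookup:", lookup_hardened(db, "1"))
    print("concatenated query, tautology input:", lookup_vulnerable(db, tautology))
    print("bound query, tautology input:", lookup_hardened(db, tautology))
```

With the concatenated query the tautology input returns every row; with the bound query it returns nothing, because the whole string is compared against `user_id` as a value. Logging queries that return far more rows than the form expects is a useful detection on top of the fix.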
Damn Vulnerable Web Application (DVWA) - Explanation
• Upload
• This is where the server allows you to upload files
• We are going to find a vulnerable target and upload malicious files right to the
• XSS Reflected
• XSS = Cross Site Scripting. XSS occurs when one of two things happens:
• Data enters a web application through an untrusted source, most frequently a web request.
• The data is included in dynamic content that is sent to a web user without being validated for malicious content.
• Reflected attacks are those where the injected script is reflected off the web server, such as in an error message
• A little harder to use, as this requires you to have the user click a link with the XSS code in it
• We are simply going to take an input box and put JavaScript code in there. If that holds in the URL, you can send that to another user to click and be exploited
Damn Vulnerable Web Application (DVWA) - Explanation
• XSS Stored
• A stored attack is where you actually upload your code to sit on the server
• Now this is where it gets interesting because it's not just your one target that you
can hit, but everyone that comes to this website
• Here I'm going to show you how to gain shell access to the server and upload your
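The reflected and stored XSS lessons above differ only in where the injected script waits; the fix for both is the same output encoding. The following is an added Python example, not DVWA's code: a "hello name" page in the style of the reflected lesson and a small guestbook in the style of the stored lesson, each rendered with and without escaping. The in-memory store and the function names are assumptions made for the example.

```python
import html

# Added example (not DVWA's code): a "hello <name>" page like the reflected XSS
# exercise and a tiny guestbook like the stored XSS exercise. The in-memory
# store and function names are assumptions.

guestbook = []   # constructed store of (name, message) pairs, kept raw


def render_greeting_vulnerable(name: str) -> str:
    """Vulnerable pattern: request input is pasted straight into HTML, so a
    value containing markup becomes markup in the victim's browser."""
    return f"<p>Hello {name}</p>"


def render_greeting_hardened(name: str) -> str:
    """Hardened pattern: escape at the point of output. html.escape() turns
    <, >, &, " and ' into entities, so the browser renders text, not tags."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def add_guestbook_entry(name: str, message: str) -> None:
    """Store the raw value; encoding is an output concern and depends on
    where the value is later placed (HTML body, attribute, JavaScript, URL)."""
    guestbook.append((name, message))


def render_guestbook() -> str:
    """Every visitor sees every entry, which is why stored XSS reaches all
    users: escaping each field on output neutralises whatever was stored."""
    items = [
        f"<li><b>{html.escape(n, quote=True)}</b>: {html.escape(m, quote=True)}</li>"
        for n, m in guestbook
    ]
    return "<ul>" + "".join(items) + "</ul>"


def looks_like_markup(value: str) -> bool:
    """Input-side signal worth logging (a WAF-style heuristic); it is not a
    substitute for output encoding, since contexts and encodings vary."""
    lowered = value.lower()
    return "<" in value or "javascript:" in lowered or "onerror=" in lowered


if __name__ == "__main__":
    sample = "<b>guest</b>"   # constructed input containing markup
    print(render_greeting_vulnerable(sample))
    print(render_greeting_hardened(sample))
    add_guestbook_entry("visitor", sample)
    print(render_guestbook())
```

A `Content-Security-Policy` header that disallows inline script and an `HttpOnly` flag on the session cookie limit what a missed encoding can do, but the encoding at each output context is the actual fix.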

WebGoat - Introduction

• WebGoat is a deliberately insecure web application maintained by

• Designed to teach web application security lessons
• This program is a demonstration of common server-side
application flaws.
• The exercises are intended to be used by people to learn about
application security and penetration testing techniques

WebGoat - Explanation
• WebGoat lessons:
• HTTP Basics
• HTTP Splitting and Cache Poisoning
• How to Exploit Thread Safety Problems
• How to Discover Clues in the HTML
• How to Exploit Hidden Fields
• How to Exploit Unchecked Email
• How to Bypass Client Side JavaScript Validation
• How to Force Browser Web Resources
• How to Bypass a Role Based Access Control Scheme
• How to Bypass a Path Based Access Control Scheme
• LAB: Role based Access Control
• Using an Access Control Matrix
• How to Exploit the Forgot Password Page
• How to Spoof an Authentication Cookie
• How to Hijack a Session
• Basic Authentication
• LAB: Cross Site Scripting
• How to Perform Stored Cross Site Scripting (XSS)
• How to Perform Reflected Cross Site Scripting (XSS)
• How to Perform Cross Site Trace Attacks (XSS)
• How to Perform JSON Injection Attack
• Buffer Overflow (TBD)
• HTTPOnly Test
• How to Perform Command Injection
• How to Perform Parameter Injection
• How to Perform Blind SQL Injection
• How to Perform Numeric SQL Injection
• How to Perform String SQL Injection
• How to Perform Log Spoofing
• How to Perform XPATH Injection Attacks
• LAB: SQL Injection
• How to Bypass a Fail Open Authentication Scheme
• How to Perform Basic Encoding
• Denial of Service from Multiple Logins
• How to Create a SOAP Request
• How to Perform WSDL Scanning
• How to Perform Web Service SAX Injection
• How to Perform Web Service SQL Injection
• How to Perform DOM Injection Attack
• How to Perform XML Injection Attacks



HackThisSite
• HackThisSite, commonly referred to as HTS, is an online hacking and security website founded by Jeremy Hammond
• Jerry has moved on and the site is now maintained by members of the community
• This site provides users with a way to learn and practice basic and advanced "hacking" skills through a series of challenges in a safe and legal environment
• The organization has a user base of over 1,800,000
• HackThisSite hosts a series of "missions" aimed at simulating real world hacks. These range from ten basic missions where one attempts to exploit relatively simple server-side scripting errors, to difficult programming and application cracking
• The missions work on a system of points where users are awarded scores based on their completion of missions. In general, the missions become steadily more difficult as the user advances through a particular mission category
• Basic and realistic challenges
• The Web hacking challenges include eleven Basic Web Challenges. Each challenge consists of an authentication page with a password entry box, plus other files which are to be exploited or attacked in order to gain the correct
• Programming missions
• A Programming Challenges section also exists. This section currently consists of
twelve challenges charging the user to write a program which will perform a
specified function within a certain number of seconds after activation.
• Application missions
• The goal of application challenges is generally to extract a key from an application,
usually involving some form of reverse-engineering.
• Code Review missions
• Also of recent creation are the "extended basic" missions. These are designed to
be code review missions where you learn how to read code and look for flaws.
• Easter Eggs
• A set of 10 easter eggs hidden around HTS were known as the "HTS missions".
One of these "missions" was the fake Admin Panel, for example. Developers later
decided to remove HTS easter eggs: some allowed XSS and SQL exploits and many
members submitted false bug reports because of them.
• Steganography missions
• Steganography missions are also available on the website. The goal in these
missions is to extract the hidden message from the media file provided. There are
17 steganography missions available.
phpBB/HowDark incident
In November 2004 the (now defunct) HackThisSite-based HowDark Security Group notified the phpBB Group, makers of the phpBB bulletin software, of a serious vulnerability in the product. The vulnerability was kept under wraps while it was brought to the attention of the phpBB admins, who, after reviewing it, proceeded to downplay its risks. Unhappy with the Group's failure to take action, HowDark then published the bug on the Bugtraq mailing list. Malicious users found and exploited the vulnerability, which led to the takedown of several phpBB-based bulletin boards and websites. Only then did the admins take notice and release a fix. Slowness to patch the vulnerability by end-users led to an implementation of the exploit in the Perl/Santy worm, which defaced upwards of 40,000 websites and bulletin boards within a few hours of its release.
Protest Warrior incident
On March 17, 2005 Jeremy Hammond, the founder of HackThisSite, was arrested
following an FBI investigation into an alleged hacking of conservative political activist
group Protest Warrior. His apartment was raided by the Chicago FBI, and all electronic
equipment was seized. The federal government claimed that a select group of
HackThisSite hackers gained access to the Protest Warrior user database, procured user
credit-card information and conspired to run scripts that would automatically wire
money to a slew of non-profit organizations. The plot was uncovered when a hacker
said to have been disgruntled with the progress of the activities turned informant.
Internal problems
Administrators, developers, and moderators on HackThisSite are arranged in a democratic but highly anarchical fashion. While this structure appears to work most of the time, when disputes arise, loyalties tend to become very confusing. Consequently, HackThisSite has a long history of administrators, developers, and moderators turning darkside and severely impairing or completely taking down the site. In one incident, the last major attack to occur, several blackhat dissidents gained root-level access to the website and proceeded to "rm -rf" the entire site. This led to HTS being down for


TESTFIRE.NET- Explanation
• Mock banking website
• I have NOT used this site before nor was I able to find much documentation on it
• Exploits you can expect here:
• Brute Force
• SQL Injection
• Session Hijacking
• Application Authentication
Conclusion
• Set up your own lab environment
• Turn off any services you turn on in your lab
• Segregate your network from the outside world
• Take your time trying to exploit
• Research what you don’t understand
• Think about remediation
• Do not hack external websites (without a contract)
• Work your way up

IS Training Camp