Monthly Archives: April 2019

w00t and pillage – Captain’s bLog: day 14

I have now completed the first course in my queue! Since the last post, I have been digging into website hacking. This is of course a big area and a massive element of day-to-day information security. I went through various avenues and implementations of SQL injection attacks, XSS (Cross Site Scripting) attacks, and more. I also learned about protecting against these sorts of attacks, and had a brief introduction to how vulnerability scanning can be automated with scanning tools. Of course, once you have your scan output ready, put it into Dradis and produce a custom no-fuss report!

The SQL injection exercises were run against a deliberately vulnerable web server in Metasploitable. Insecure database calls in SQL on a website or web application can let attackers extract or modify information, or gain access even without passwords. An SQL injection vulnerability on one site can potentially undermine the security of all sites and applications hosted on that same web server. As the instructor said, if there is an SQL injection vulnerability on the target site, bingo, game over: you as an attacker can ultimately do virtually anything you want with that site.
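As an added example of my own (not material from the course or from Metasploitable): a minimal login check written first the insecure way, with the user's input pasted into the SQL text, and then with a parameterised query. The in-memory users table and the probe input are constructed here for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a web application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # The insecure pattern: user input becomes part of the SQL text, so a quote
    # in the input ends the string literal and the remainder is parsed as SQL.
    # The WHERE clause can therefore be made true without knowing any password.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, password):
    # The fix: a parameterised query. The query structure is fixed before any
    # user input is seen, and the driver binds the values purely as data.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def compare(probe="' OR '1'='1"):
    # Returns (vulnerable_result, safe_result) for an input containing no valid
    # password. The hardened version treats the same bytes as a literal string.
    conn = make_db()
    return (login_vulnerable(conn, "alice", probe),
            login_safe(conn, "alice", probe))
```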

With XSS vulnerabilities, you essentially insert scripts that run from a site. As an example, a web page may have a commenting feature with an XSS vulnerability, so a script placed in a comment would run for all visitors to that page. What makes this insidious is that the script runs in the visitors’ browsers even though it is not part of the base web page. An insecure website could therefore jeopardize the security of third parties – and therefore, owners of web pages, web applications, and web hosts have a responsibility to protect their sites so third parties are not affected.
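As an added example of my own (not from the course): a toy comment renderer that first interpolates stored comments straight into the page, then the hardened form that escapes each comment for the HTML text context. The sample comments are constructed here, and the Content-Security-Policy header is my own defence-in-depth addition, not something the course covered.

```python
import html

# Constructed sample comments: one ordinary, one carrying markup a visitor's
# browser would otherwise execute.
SAMPLE_COMMENTS = ["Nice post!", "<script>alert('xss')</script>"]


def render_comments_vulnerable(comments):
    # Stored comments are inserted into the page markup as-is, so a comment
    # containing a <script> tag becomes part of the page for every later visitor.
    return "<ul>" + "".join("<li>%s</li>" % c for c in comments) + "</ul>"


def render_comments_safe(comments):
    # Each comment is escaped for the HTML text context before interpolation:
    # '<', '>', '&' and quotes are displayed literally and never parsed as markup.
    items = "".join("<li>%s</li>" % html.escape(c, quote=True) for c in comments)
    return "<ul>" + items + "</ul>"


def response_headers():
    # Defence in depth (assumed policy for this example): allow scripts only from
    # the site's own origin, so injected inline script does not execute even if
    # an escaping step is missed somewhere in the application.
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}
```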

The course closed with a very brief introduction to ZAP (Zed Attack Proxy), one of many tools to automate scanning for vulnerabilities. The point of this course was to show the theory behind security vulnerabilities, and the sort of attacks that can be carried out by hackers. Now that I have been introduced to the nuts-and-bolts, step-by-step methods of attacking devices and applications, the path is open to learning more about particular focus areas and to think about scripting and automation. I do have some more studies coming up to these ends. I intend to learn more about hacking using Android, I need to learn more about networking vulnerabilities, and I would like to learn more about scripting and vulnerability scan automation through software like ZAP and Burp, both of which have official Dradis plugins. I already manipulate their plugin outputs most days when building Dradis templates, so it would be fun to create those outputs as well!

w00t and pillage – Captain’s bLog: day 13

Lately I have been looking into the details of hacking through networks, and post-exploitation attacks. The idea was to move beyond trying out attacks on a second VM on the same device, or on another device here at home, to the principle of hacking devices on other networks.

First up was freshening up on the basics of networking. From the “information gathering” step I should have multiple ways of potentially feeding backdoors to the target device. Then there was an exercise of doing so, using BeEF – essentially the same exercise as before, with only some minor changes to function with the outside network. That demonstrated the principle, so we moved on to a look at post-exploitation attacks.

Post-exploitation attacks were run with Metasploit through Veil-Evasion. That generated a robust connection with Meterpreter that should be essentially undetectable by antivirus programs. The challenge is of course to establish the original connection, but with that accomplished, Meterpreter allows all sorts of scripts to be run as well as terminal access.

In effect, that meant running all the sorts of attacks that people should be paranoid about: keylogging, capturing screenshots of the target device, controlling the camera and/or microphone, altering the files on the target device, and so on. Fun! Metasploit has so many functions and capabilities that going through them in detail was beyond the scope of this course.

Now that the possibilities of post-exploitation attacks had been made clear, the course moved back to networking, to cover pivoting. Pivoting allows hackers to target other devices in the same network as an infected device. Even if the hacker’s device has no access to the final target devices, if they can attack a device in the same network as the final target, they can route their attacks through the infected device. That is another cool exploit, and hammers home how important security is on servers and routers.

As the course progresses, I believe I get a far better understanding of our Dradis users’ use cases. When I build custom Dradis templates and configure projects, of course there’s always some variation of issue descriptions, screenshots, and usually evidence output. These post-exploitation attacks and network penetration efforts are exactly the sort of findings that Dradis is set up to report, and screenshots of my work would make good evidence output.

I do feel that in the last weeks’ studies I have been heavy on the theory and observation, but light on actual practice. I intend to set up a few devices and VMs to practise attacking, and I have permission to try to attack some other people’s personal devices. Let’s see how that goes; beyond that, the rest of the current course covers website hacking, which will also be fun!

New in Dradis Pro v3.2

Dradis Professional Edition is a collaboration and reporting tool for information security teams that helps you deliver the results of security assessments in a fraction of the time, without the time-wasting frustration of creating manual reports.

What’s new in Dradis Pro v3.2

Here is Rachael with a quick video summary of what’s new in this release:

Integrated CVSSv3 Calculator

Quickly generate a CVSSv3 Risk score for an individual issue directly in Dradis. The CVSSv3 score calculator is now included as a tab on each issue for handy access. Edit the values on the calculator to populate the issue’s CVSSv3 details, including a valid vector string, with no need to copy and paste!

Animation showing the CVSSv3 calculator populating the base score and vector for a security issue.

IssueLibrary ships with Dradis Pro

Ever wish that the IssueLibrary wasn’t a separate installation and upgrade process from Dradis Pro? Wish no more! IssueLibrary is now bundled with Dradis Pro.

If you haven’t been using IssueLibrary, now is your pain-free opportunity to give it a spin. Cultivate a collection of your finest vulnerability descriptions to reuse across your Dradis Pro projects.

Already have vulnerability descriptions in another format outside of Dradis? Reach out to our support team and they can set you up to easily migrate them into IssueLibrary.

Upgrading from an earlier version of the IssueLibrary?
You must first remove IssueLibrary before applying the DUP by deleting the IssueLibrary line from /opt/dradispro/dradispro/current/Gemfile.plugins.

IssueLibrary API endpoints

The IssueLibrary is the newest API endpoint to be added to Dradis Pro. Use this new endpoint to create, update, retrieve and delete IssueLibrary entries. Check out the IssueLibrary API guide for examples to get started.

Ready to upgrade to v3.2?

Release Notes

  • Use ajax in comments
  • Fix nodes sidebar header margin
  • Add bold font to improve bold text visibility
  • Fix links display in Textile fields
  • Fix redirection destinations after edit/delete evidence
  • Refactor cache keys in pages with comments
  • Disable turbolinks cache when displaying flash messages
  • Sort attachments in alphabetical ASCII order
  • Fix methodology checklist edit error
  • Add contributors and contributors management
  • Add IssueLibrary to the main app – no manual upgrades!
  • Fix export error caused by whitespace between newlines
  • Fix auto-linking export error for non-Latin characters, dashes, and parentheses
  • Fix multiple permissions added to a project when created via API
  • Add default tags to new project templates
  • Fix the bug that caused a project to disappear when an author updates a project
  • Add seeds for the rules engine
  • Fix user count in teams list
  • Add contributor management view hooks for the Teams and Users pages
  • Allow deletion of teams with users
  • Show project Custom Properties in Business Intelligence – Trend Analysis
  • Fix XSS vulnerability when uploading svg attachments
  • Fix XSS vulnerability when evidence was sent to Trash
  • REST/JSON API:
    • New endpoint: IssueLibrary entries
  • Add-on enhancements:
    • CVSS calculator: embed CVSSv3 calculator in Issue page
    • Acunetix: Resolve create_node errors that appeared with URLs without “http”
    • Burp: Make `issue.detail` available at the Evidence level
    • Netsparker: Change alphabetical lists to bullet lists

Not using Dradis Pro on your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features or what our users are saying.