Welcome, everyone. I'm Jarmo Lahtiranta, and today's topic is hacking and vulnerabilities. Basically it's finding vulnerabilities and writing exploits, or using known exploits, to break things.

There's a progression here. You have bugs, but not all bugs are a problem; some are just bugs. If a bug has a security implication, if it can be used for nefarious means, then it's a vulnerability. When someone actually writes code that makes use of that vulnerability, that's called an exploit. And when someone uses that exploit against a system, that's called a compromise. Just having vulnerabilities isn't the end of the world, but when someone actually compromises your system, that's not cool.

So why do we have vulnerabilities? Well, it turns out that just getting things to work can be really hard. And when you drill down into it, it isn't even about code; it's more about people. Actually creating secure products requires a secure development life cycle, but that's a topic for another talk. Basically, developers always have a lot of time pressure and different priorities, and security features are very easy to leave in the backlog to do later, when you have time. You always have time later.
Generally, people would like to write secure software, but there's just so much other stuff that they would also like to do. So yeah, here we are.

But about hacking. It isn't actually about breaking the rules. It's more about knowing the rules better than your opponent, for example knowing the system better than the people who created it. So if I want to hack some device, the first thing I will do is go read the manual, check out the documentation, and learn how to use the system. Even at that stage you might already find that, okay, there are these default credentials, and you can actually turn this encryption off, and that sort of stuff.

Then there's knowing the typical mistakes that developers make. Just basic human errors. Personally, I had been developing web applications for about 10 years before I started in security. So I wrote a lot of PHP code, and I probably made all the mistakes a developer can make, probably even a few more. So I know how to mess up. That has actually helped me as a hacker, because I know the typical points of trouble. We have vulnerability classes like cross-site scripting and SQL injection, and they've been around since forever. But the fact of the matter is that we get new developers every day, and every day someone is writing their first database query and creating their first SQL injection vulnerability, and that's just the kind of world we have to live in.

Hacking is also about knowing the typical edge cases and rarely known features: stuff like legacy modes that are just kept around, that the developers would actually like to get rid of and actively try to forget exist. Those sorts of places are great for finding vulnerabilities. And finally, when you have all this knowledge, you understand how you can bend the system to your will and make it do what you want instead of what the developers intended.
And yeah, there are a lot of tools, and they are constantly evolving, but they are just tools. They are there to make your work easier; the key is knowledge and understanding of how things work.

So let's take a look at some vulnerability examples. Here's the first one. Let's say that I want to make an SSH connection to a jump host at my company, and I also want to set up a tunnel, forwarding traffic from my local port to the internal network. Now, from an SSH server developer's standpoint it might seem logical that when you set the connection up, you also set the port forwarding up at the same time. But what happens when you log in using SSH? The first thing you do is enter your username and password. So if the port forwarding were set up at the same time as the main connection, you wouldn't actually need to know any credentials to get the forwarding up: you could just open the SSH connection, leave it hanging at the login prompt, and immediately have access to the internal network. That wouldn't be optimal, let's say. These kinds of vulnerabilities are what's called logical vulnerabilities. You couldn't find them using a security scanner or source code analysis or anything like that. Everything is working the way it's intended to work; it's just that the design is wrong.

Moving on. I guess many of you have heard about SQL injection. The gist of it is that when a database query hits the database, it usually looks something like this. This could be the query generated by a login form on some website: select everything from the users table where the username is what we entered and the password is blah blah blah; we don't really care about that part. If my username is this, then the query looks like this, and this is pretty benign and normal. But what happens if our username looks like this?
So now we have a name and this strange payload, and the query actually reads: select everything from users where the username is Jarmo, or a equals a, and stop executing everything after that. What's happening is that the input isn't handled or validated properly, which enables us as hackers to inject our own content into the SQL query. And that basically means we can run any query on the database that we want. But in order to craft this payload the way it is, you again have to understand what's happening beneath the surface. You have to understand the context the username variable ends up in, and what you have to inject there so that you get to run your own queries.

So, a brief analysis. The bug was the improper way of building the query. The vulnerability is called SQL injection. And the impact of exploiting it can be a bit difficult to assess. Obviously we can bypass the login and log into the system, but we can also read arbitrary data from the database, because we can run these queries. And actually that's not all. In one assignment I did previously, we were testing a test environment. They said, oh, it's just the test environment, you can do whatever, there's no actual production data there. It turned out that, yes, the database was a test database, but the SQL injection allowed us to access other databases on the same database management server, and we could actually access production data from another system, although we were only testing the test environment of this one.

Let's take another example. In my previous job I was sitting at my desk and heard someone say that they write the values to an SQLite database from the command line. I was pretty horrified by that, and let's see why. It basically means they are using a structure something like this.
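A toy model of the jump-host design flaw from the first example (port forwarding honoured as part of connection setup, before the client has authenticated). This is an added example, not the speaker's code and not a real SSH implementation: the session class, the internal host address and the credentials are made up to show why the check has to be tied to authentication state rather than to the existence of a connection.

```python
"""Toy model of the jump-host logical vulnerability: forwarding granted before
authentication. Added example; not a real SSH server, all names are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ForwardRequest:
    listen_port: int   # local port the client wants to listen on
    dest_host: str     # where the jump host should connect on the client's behalf
    dest_port: int


class JumpHostSession:
    """Server side of one SSH-like connection.

    forward_before_auth=True reproduces the flawed design: forwarding requests are
    honoured as soon as the connection is up, while the login prompt is still open.
    forward_before_auth=False is the fix: every privileged request is checked against
    the session's authentication state, not just the fact that a connection exists.
    """

    VALID_CREDENTIALS = {"jarmo": "correct horse battery staple"}  # constructed

    def __init__(self, forward_before_auth: bool) -> None:
        self.forward_before_auth = forward_before_auth
        self.authenticated_user: Optional[str] = None
        self.forwards: list[ForwardRequest] = []
        self.audit: list[str] = []

    def authenticate(self, user: str, password: str) -> bool:
        if self.VALID_CREDENTIALS.get(user) == password:
            self.authenticated_user = user
            self.audit.append(f"auth ok for {user}")
            return True
        self.audit.append(f"auth failed for {user}")
        return False

    def request_forward(self, req: ForwardRequest) -> bool:
        """Return True if the tunnel was set up."""
        if self.authenticated_user is None and not self.forward_before_auth:
            self.audit.append(
                f"refused forward to {req.dest_host}:{req.dest_port}: not authenticated")
            return False
        self.forwards.append(req)
        self.audit.append(f"forward {req.listen_port} -> {req.dest_host}:{req.dest_port}")
        return True


# Made-up internal web server behind the jump host.
INTERNAL_WEB = ForwardRequest(listen_port=8080, dest_host="10.0.0.5", dest_port=80)


def connect_and_never_log_in(session: JumpHostSession) -> list[ForwardRequest]:
    """The attack from the talk: open the connection, ask for the tunnel, leave the
    login prompt hanging. Returns the tunnels the server actually set up."""
    session.request_forward(INTERNAL_WEB)
    return list(session.forwards)


def legitimate_user(session: JumpHostSession) -> list[ForwardRequest]:
    """Normal flow on the fixed server: prove identity first, then ask for the tunnel."""
    session.authenticate("jarmo", "correct horse battery staple")
    session.request_forward(INTERNAL_WEB)
    return list(session.forwards)
```

Nothing in the vulnerable variant is broken in the sense a scanner or a code analyser would flag: authentication works, forwarding works. The defect is only visible when you ask in which order a client is allowed to use them, which is why the talk calls it a logical vulnerability.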
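The two injection examples from the talk, the login query and the value written to SQLite through os.system(), as runnable Python. This is an added example, not the speaker's code: the tables, rows, payload strings and the /var/lib/app/values.db path are constructed for the demo. The command string that would have gone to os.system() is only tokenised here the way /bin/sh would split it, never executed, so the rm payload stays harmless.

```python
"""SQL injection (login form) and command injection (sqlite3 via os.system) side by
side with their fixes. Added example; all data and paths are constructed."""
import shlex
import sqlite3
import subprocess

DB_PATH = "/var/lib/app/values.db"  # hypothetical path standing in for the talk's database


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database: a users table for the login example and a
    values table for the command-line example. Plaintext passwords on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("jarmo", "correct horse battery staple"), ("admin", "hunter2")])
    conn.execute("CREATE TABLE values_table (id INTEGER PRIMARY KEY, v TEXT)")
    conn.commit()
    return conn


# --- Example 1: the login query -----------------------------------------------

def login_vulnerable(conn, username: str, password: str) -> list:
    """String concatenation: the user's text becomes part of the SQL syntax."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_fixed(conn, username: str, password: str) -> list:
    """Parameterised query: values travel separately from the SQL text, so a quote
    in the username is data, never syntax."""
    return conn.execute("SELECT * FROM users WHERE username = ? AND password = ?",
                        (username, password)).fetchall()


# Payload from the talk: closes the string, ORs in a true condition, and comments out
# the password check. With a wrong password it still returns every user.
LOGIN_BYPASS = "Jarmo' OR 'a'='a' -- "

# "Read arbitrary data": a UNION with matching column count pulls rows from other
# tables (here the schema in sqlite_master) into the login result.
SCHEMA_DUMP = "' UNION SELECT type, name, sql FROM sqlite_master -- "


# --- Example 2: values written to SQLite from the command line ------------------

def build_vulnerable_command(value: str) -> str:
    """The string the talk's code hands to os.system(): SQL with the value glued in,
    wrapped as one sqlite3 command line. os.system() passes it to /bin/sh."""
    sql = "INSERT INTO values_table (v) VALUES ('" + value + "');"
    return 'sqlite3 ' + DB_PATH + ' "' + sql + '"'


# Closes the SQL string and the shell's double quote, then appends our own commands.
# sqlite3 chokes on the first fragment, which we don't care about: the shell runs the
# second command regardless. (rm is never executed here; we only tokenise.)
LOG_WIPER = "x'); \"; rm -rf /var/log/*; echo \""


def shell_commands(cmd: str) -> list:
    """Tokenise cmd like a POSIX shell (quotes honoured, ';' as a separator) and
    return the list of separate commands the shell would run."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def run_without_shell(db_path: str, sql: str) -> subprocess.CompletedProcess:
    """If you must shell out: argv list and no shell, so ';' in the value cannot start
    a second command. The SQL injection from example 1 is still present, though."""
    return subprocess.run(["sqlite3", db_path, sql], check=True, capture_output=True, text=True)


def insert_value_fixed(conn, value: str) -> str:
    """The real fix: no shell and no string-built SQL. Returns the stored value, which
    is the payload verbatim."""
    cur = conn.execute("INSERT INTO values_table (v) VALUES (?)", (value,))
    return conn.execute("SELECT v FROM values_table WHERE id = ?", (cur.lastrowid,)).fetchone()[0]
```

Running `shell_commands(build_vulnerable_command(LOG_WIPER))` yields three commands, the second being `rm -rf /var/log/*`; the same helper on an innocent value yields one. That is the whole difference between "run a query" and "run code on the server" that the talk's analysis points at.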
So if they were writing Python, they would import the operating system module and use its system function, which lets them run commands on the operating system, and then they would run a command like this: sqlite3, the database, and then the insert, here's the SQL query. And of course you can see that there's the same SQL injection vulnerability, no problem there. But what if our value actually looks like this? Here's the end result: now you will be passing this to sqlite3, which doesn't make sense, and sqlite3 will choke on it, but we don't care, because after that we run this part, which deletes all the logs from the server. Then again here's some stuff that we really don't care about, because we have already deleted the logs.

So here's the payload and another analysis. It looks kind of similar, but this time the bug was the dangerous use of a system function, and the vulnerability was actually remote code execution. Previously we could run our own queries on the database; now we could actually run code on the server.

So yeah, a lot of hacking is just "you put what where?" As a developer, thinking "well, this is a bit difficult and time-consuming to do properly, so I'll just cut some corners and no one will ever figure it out" is a recipe for disaster, or a great opportunity for a hacker. We usually figure these things out. And yes, there is this thing called security by obscurity, and it does help, but you should only use it as a secondary control. So definitely, as a defender, do all the things you can to make hacking more difficult, but don't rely on just hiding things. Also, if you create these shortcuts, you end up in a situation where, even if you do have the time later, it can be really difficult to fix, because you did it in a not-so-optimal way at the beginning.

Now let's look at the tools of the trade. There are basically two ways to hack systems. Either you are doing
black-box hacking, where you know nothing about the system beforehand, or white-box hacking, where you actually have credentials, documentation and access to the internals, or you even know the developers, that sort of stuff. White-box hacking is generally a lot more effective and gets you a lot more results, because, well, you have a lot more information, and that just helps.

There are also two different kinds of vulnerabilities. Known vulnerabilities are ones that someone has already found. All these huge disasters like Heartbleed and so on: each of those is just one known vulnerability. Someone has found it, and then you can make sure your system doesn't have it. Then we have unknown vulnerabilities, which are brand new and which you can find. Let's say you're developing a system and you have a new cross-site scripting vulnerability in it. That's an unknown vulnerability, because it's brand new, even though the vulnerability class, XSS, has been around forever.

So hacking is about understanding the systems and also making educated guesses to find the weak spots, and the tools make this guesswork a lot more effective. There are different categories of tools, and most tools fit several. Scanners usually have some fuzzing capability, and some attack proxies also include scanners and fuzzers, and so on. So this is a rough outline. There are also different environments, and different tools work in different environments, so you would probably use a different scanner or fuzzer if you were working in the cloud than if you were working with an embedded system, for example.

So let's first take a look at the vulnerability scanners. The first category is scanners, and I'm going to show you a demo of a vulnerability scanner called Greenbone, which was previously known as OpenVAS. Here's how it looks, and using it is really simple: there's this nice little wizard which asks you which IP
you would like to scan. You put the target IP address there, click Start Scan, and it just starts scanning. It takes a while, so I already have the results here; you can see it took half an hour to finish. The way this works is that it first does a port scan, and it found a lot of open ports here. It also has a huge list of known vulnerabilities, so it could detect all these different vulnerabilities just by probing the server through those open ports. So we have things like rlogin, the rexec service, Apache Tomcat vulnerabilities, VNC and so on. You can see that these vulnerabilities are network-related, because, well, the open ports were all it had to go on. When you click a vulnerability you also get additional information: what it is, how it was detected, what its impact is and, most importantly, how you can fix it. So these are really easy to use and nice.

Then I ran the scan a second time, but this time I also gave the scanner a username and password, so it could actually log in to the server, and this time we got a lot more results. If you look here, we had 65 vulnerabilities before; with the credentialed scan we now have 7200. Let's look at the results. Now the vulnerabilities also include internal components on the computer: ktorrent, libxml2, vim. These are not visible from the network, but the scanner could find them anyway because it could log in to the server.

Now we are going to take a look at a different tool. This is called sqlmap, and it is meant just for finding SQL injection vulnerabilities. Let's say that I suspect that this login page has this vulnerability. I try to log in, I see what kind of data it sends, and then I feed that information to my trusty sqlmap. It's a command-line tool, like so many other hacking tools. Here is the URL, here is the data, and I also told it that this is probably using a MySQL database. So let's see what happens. It's making a
connection. Yes, I definitely want to use this session cookie, and basically I'll just accept all the default values it's asking about. You can see that it's testing different things here, different types of injection methods, some depending on different versions of the database engine. And yeah, exciting to see what happens. All right: the POST parameter username is vulnerable. Do I want to keep testing the others? I think we're fine at this point. So there you have it: it found several different ways of exploiting this vulnerability, and now I could just report this to the devs, saying, okay, you should probably take a look at this login page.

When we compare this to the Greenbone results: in that case it only found vulnerabilities that had been found before, whereas here we probed the site to find a new SQL injection vulnerability. Greenbone could give us accurate instructions on how to mitigate and fix those things, but in this case we would just know that, okay, this form has an injection vulnerability, and we would have to find out what to do and how to mitigate it ourselves. So scanners are a great tool for catching the low-hanging fruit, and you can also use them for finding new vulnerabilities, but the key again is understanding how the scanners work so that you can interpret the results. The results depend a lot on how you are running the scanner and what the scanner can reach. So even if you don't get any results, that doesn't mean that, hey, the product is secure, just that the vulnerabilities that are there weren't found by the scanner.

The next category is fuzzers and fuzzing. Now this is a bit of a gray area, because, for example, Burp Suite has some fuzzing and also scanning capabilities, and I guess you could also call sqlmap a fuzzer. But basically the idea is that you are mutating data in some intelligent way to find new, unexpected behaviors; basically throwing some intelligent garbage at your systems. And yeah, this
can be an art form of its own. For example, Google is running 30,000 VMs on their ClusterFuzz instance. But the key point to take home here is that when you are doing fuzzing, it's really important that your fuzzing is focused on the correct part of the stack. Again, if we're thinking about this login page's HTTP request, then you need to be able to hit that login username or password field. If you're using some generic fuzzer and you end up actually fuzzing the IP address field of the target, then it won't even arrive at the correct destination, or maybe you will break the HTTPS connection or something like that. So you have to select the correct tool and use it in the correct way, and this can be a bit difficult. Some protocols, for example, are stateful, so you have to make sure that your fuzzer's internal state is the same as your target's. I guess because of this many of the commercial ones are, I hear, really good, but they are also super expensive. Some name-dropping of tools: we have Defensics, we have Peach, then we have ffuf, and finally Radamsa and American Fuzzy Lop.

Then we have attack proxies. This is a pretty generic term and there are different kinds, but the idea is that you create a machine-in-the-middle setup where you put yourself between the client and the server, so you can see all the traffic going back and forth, inspect it and modify it. This used to be a lot easier back in the old days, when most connections were just plain-text HTTP, for example. Nowadays we're getting a lot of HTTPS, which is great for security, but from the hacking point of view it usually means that you need to bypass the TLS encryption, and what that means is that you basically install your own certificate on the client so that the client trusts this machine in the middle. So yeah, this is Burp Suite. I think it's the
kind of industry standard for web application security testing. There's also OWASP ZAP from the Open Web Application Security Project, which is a free alternative. If you want to try to hack websites, these are the tools for you. And then there's, for example, mitmproxy, which can also break TLS connections. But again, these are just tools; the key is to see what data is flowing between the client and the server and then figure out what we can do with this data to make things work the way we want.

Moving on. For you developers: anything that you use to develop systems can basically also be used for hacking. And of course, as developers, you can also create your own tools, which is a really nice way to learn about hacking. Though before you start writing your own tool, it's a good idea to do a quick Google search and see what's already available.

Then we have reverse engineering tools, which are used to turn binaries and other low-level formats into a more readable form. When you just get an exe or whatever binary, it would be nice to see what's inside, and these are the tools for that. Here's a screenshot of a tool called jadx-gui, which is used for reverse engineering Android APK files. Because Android apps are written in Java, the output format is really nice and readable, and then you can do things like just search for "secret" and find a lot of hits. Of course these are probably not a problem, but oftentimes you might actually end up seeing that, okay, they had some hard-coded credentials or something like that inside the APK. Other tools in this category are Ghidra and IDA Pro, which are both very famous, but I would say they are specialist tools that take a little while to learn to use. And finally we have exploit tools. These are the
tools that you use to actually break into systems. When we think about security testing, I would say that this is often not necessary; often it's enough to just show that, hey, here's a vulnerability, you should fix it. But we also have tools that can be used to exploit the weaknesses or vulnerabilities and pivot further into the system and the network. Now I'm going to show you a tool called Metasploit, because it's really fun and has this hacker aesthetic.

This is Metasploit. It's a command-line tool, and actually a modular framework, so you can see that there are a lot of exploits and auxiliary modules, different payloads, encoders and whatnot, and it keeps growing and evolving every day. So how do we use it? Well, I'm going to exploit a vulnerability on the system that I know is there; strangely, it didn't actually appear in my Greenbone scan, but there you go. I'm going to use this exploit for an IRC server. When you load an exploit, you can then type show options, and basically for this exploit you just specify which host you want to attack, so we set the remote host like this. When we compromise the system, we also want to run some code there, we want to do something, and in this case I'm going to set up a reverse shell, so it's going to give me a shell on that machine. My payload will be this Unix-type reverse shell, and for that I also need to tell the payload my own address, so that it can phone home. So now our options look like this: the target port, our own IP and port. Then we say the magic word, exploit, and we have a shell. Let's see: we are in this kind of folder on this kind of machine. So yeah, just a brief demo. When you see this sort of thing in YouTube videos and such, you'll know that, okay, that's just the Metasploit framework they are using.

Now it's time to wrap things up. I think I've
already said about a thousand times that hacking is about understanding the systems and knowing the typical mistakes. You being developers is already a great foundation for that. Hacking can be fun and a great way to expand your current knowledge, and the internet is filled with information so that you can learn more and get deeper into this. Do take things with a grain of salt, though, because not all information is correct, and things are also improving and progressing at a tremendous pace, so some things are out of date, and there is also a lot of hype out there. I do warn you that if you start learning and start hacking systems, only hack systems where you have permission: systems that you own yourself, or where you have permission from the other party.

Some further material that you can check out: OWASP has some great testing guides, and there's Juice Shop, which is a deliberately vulnerable web application. There's the PortSwigger Web Security Academy and some other resources available, and YouTube is full of videos and stuff. Also, your company might have a security champion program, and if you're a developer who's interested in security, that's definitely for you. And finally, you can find your local hacking or security enthusiast group, go there, meet some new people and learn some new things. And with that, it's now time for Q&A.