Archive for the ‘Security’ Category:
A Working Example of SQL Injection
I started a small project recently to create a PHP based web page that is vulnerable to SQL injection to better understand how a site can be compromised and what someone can do once they’ve exploited the vulnerability. SQL injection is possible when a software developer doesn’t properly handle data sent by a user with their browser through a form or in the URL. By running this example you will learn that it is quite easy to gain shell access to a server when data is handled poorly.
The project, which can be forked on Github, steps you through setting up and running a virtual machine, abusing the SQL vulnerability and eventually gaining shell access. Once a vulnerability has been found, it only takes five steps to gain shell access.
There are several examples of what can be done but you’re also walked through gaining shell access. It’s really quite simple. If you’re interested in web application security I suggest giving it a go. It shouldn’t take more than an hour to get through it.
View the project on Github.
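The project itself is written in PHP; the following is an added example (not code from the project or the original post) that shows the same root cause in a self-contained form using Python's built-in sqlite3 module so it runs offline. The table, users and the crafted password are all constructed for the example. The vulnerable function builds its query by string concatenation, so a quote in the input changes the query's structure and the WHERE clause becomes true for every row; the hardened function passes the same input as a bound parameter, so the database treats it as a literal string and the login fails as it should.

```python
import sqlite3


def make_db():
    """Create an in-memory database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately broken: user input is spliced straight into the SQL text.

    Input containing a quote can close the string literal and append its own
    conditions, changing which rows the query matches.
    """
    sql = (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Hardened: placeholders keep the query structure fixed.

    The driver sends the values separately, so a quote in the input is just a
    character inside a string and can never alter the WHERE clause.
    """
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def compare(username, password):
    """Run the same credentials through both versions and return
    (ids matched by the vulnerable query, ids matched by the safe query)."""
    conn = make_db()
    try:
        return login_vulnerable(conn, username, password), login_safe(
            conn, username, password
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate login behaves the same in both versions.
    print(compare("alice", "correct horse"))  # ([1], [1])
    # A crafted password makes the concatenated query match every user,
    # while the parameterised query matches nobody.
    print(compare("alice", "' OR '1'='1"))  # ([1, 2], [])
```

The fix in the PHP world is the same idea: prepared statements with bound parameters (PDO or mysqli) rather than escaping by hand, with the application's database account limited to the tables and privileges it actually needs so that a remaining injection cannot escalate to the file system or the shell.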

Offensive Security Training
I’ve always been interested in computer security and although it’s something I consciously think about when building web applications, it’s not something I’ve ever given solid time to solely focus on. However, over the last three months I spent all my spare time in the evenings and on weekends working through the Offensive Security certificate, a certificate that is taught by the developers of the Kali Linux distro.
The certificate is a very hands-on approach to learning how to compromise computer systems. Along with a guide that goes into detail on many of the ways in which vulnerabilities can be found and exploited, you are given access to a VPN with about two dozen vulnerable machines where you can explore and hone your skills. You start out by scanning networks and profiling each server, learning its operating system, open ports and the applications (and their versions) running on each. I found that it can be a tedious exercise but very interesting at the same time. SQL injection was fun, but maybe because I’ve played around with that before and already had a great understanding of how it works. The buffer overflow exploits, although tough, were made much easier than I would have guessed because of the tools available today that make attempts quite transparent.
You quickly learn to write your own scripts to automate things that you find yourself repeating. As a result it improved my skills in both Python and Bash. This was mostly to do things like scan a network for webservers or servers that had MySQL ports open. I thought that sqlmap was a useful tool as it takes the tedious guesswork out of finding applications that are not properly escaping user data before running it through an SQL query. The certificate introduces the student to many useful tools, ranging from discovery to exploit execution.
It was an exhausting exercise to take outside of my day job but very rewarding. I learned a lot about a topic that has fascinated me for over 20 years and I can use these new skills to build and test that the applications and environments that I build are as secure as possible. In 2017, I will start working with IoT devices and build the APIs that they will communicate with. These devices will need to be secure and not become part of the growing botnets that we read about. Keeping on top of security issues is an ongoing task that I’m glad to be a part of.
Defcon 22 – Security Conference
I love Defcon. I attended two years ago and was disappointed in myself for not going in 2013. Defcon is about security and fun. Although there is a lot to learn and share, there are also parties and other events that fill up the days and nights. Despite having been to Las Vegas twice now I haven’t really been a tourist there. I spend all of my time at Defcon.
The presentations at Defcon are the most entertaining talks I see at conferences. They are fascinating and educational. Presenters talk about exploits they’ve made or discovered and the impact the vulnerabilities can have on vendors and users. Presenters bring ideas forward that make you question technologies and think about them in new and different ways. One presentation I saw was about a project where a quadcopter was used to fly autonomously over regions, picking up wireless access points and devices and mapping their locations. For devices it would record their current location, but using the devices’ broadcast requests it would also record all the locations that device (and therefore the device’s owner) had ever been. This is scary from a privacy point of view, but it’s amazing to think that hardware has become so accessible and cheap now that anyone can start a similar project that can achieve so much.
I also sat in on a presentation by Ladar Levison from Lavabit, the owner of the company that hosted Edward Snowden’s email before he became a whistleblower. He discussed his new project that would prevent authorities or anyone else getting access to your emails. This is a project that you could host yourself if you desired.
Apart from presentations there are many competitions. These range from lock picking to capture-the-packet and capture-the-flag, each with their own technical challenges that test your understanding of the underlying technologies.
It was also good to spend time with friends and share stories of our own security challenges and concerns. We walk away from the event with a list of tasks that we force upon ourselves to achieve before the next Defcon. I really hope to attend again next year.
Defcon 2012
Last month I was one of 15,000 people that attended the Defcon computer security convention in Las Vegas. It was a fantastic four day event with presenters talking about their findings and projects in regards to all things security.
Upon paying the $200 entry fee we were given the badge required for entry. This year’s badge was electronic and, in a way, a puzzle. Through onboard lights and a light sensor the badges would communicate with each other as they passed by. Also, via a USB port we were encouraged to program some hacks so that they behaved differently.
One of the most interesting events is Capture The Flag, where teams are set against each other to hack into their opponents’ servers and capture so-called flags. Each team would harden their own servers before beginning to attack others. From what I could gather they do this non-stop throughout the event and the team that has gathered the most flags is deemed the winner.
My highlights were sitting in on talks by Kevin Mitnick on social engineering and Kevin Poulsen discussing the exploits he used to get up to in his past. Having read books by both presenters I was keen to see what they had to say.
I would love to attend again next year. Anyone feel like sponsoring my trip?