Wiki/Classes/White-hat_Demo.md

80 lines
5.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

I want to emphasize the importance of cybersecurity by showing how a few bad practices can disclose supposedly secure information. Moreover, I want to emphasize the tools that
# This Demo is Not...
* How to hack your friends FaceBook
* How to become an evil hacking mastermind
* How to control the Matrix
# Materials
* Control of Wifi network and wifi's DNS, if using physical hardware, or some method of controlling routing.
* Demo computer (VM or physical)
* For easy installation, install [[ShadowArch#How_to_Install_ShadowArch|ShadowArch]] with a graphical environment and a Holocron layout.
* Run the following. This Makefile is viewable in [https://aninix.net/foundation/ConfigPackages the ConfigPackages git repo]. <pre>make -C /usr/local/src/ConfigPackages/WhiteHatDemo democlient</pre>
* You will still need to sync /etc/hosts with the demo server.
* Users can access a virtualized demo client with VNC over [[SSH]].
* Demo server with lighttpd, telnet server, ftp server, OpenSSH server, Wireshark.
* For easy installation, install ShadowArch with the GUI option, and run the following: <pre>make -C /usr/local/src/ConfigPackages/WhiteHatDemo demoserver</pre>
* Lighttpd should be configured with both unsecured and secured traffic.
* Lighttpd will need one URL that is auth protected -- simple auth is sufficient.
* There should be a remote-capable user "testuser" with a preset initial password.
* You should also sync /etc/hosts with any demo clients.
* [https://www.kali.org/ Kali Linux] iso -- if you're using physical hardware for the demo, use a [[Holocron]] flashdrive
* A demo user with a read-write VNC view of the democlient, a pentester with physical access to the server and client, and a class with read-only VNC sessions watching the client.
# Exercises
## Account Credentials
<!-- This should be updated to be a BurpSuite assault -->[[Category:TODO]]
* An obviously dumb password should be set in the server's /etc/lighttpd/.lighttpdpassword and disclosed to the demouser.
* The pentester "guesses" the password and discloses why it's weak.
* Talk about [http://www.businessinsider.com/how-to-create-strong-password-heartbleed-2014-4 strong passwords].
### Mobile PIN Break
* Talk about how PINs are important
* Talk about guessing pins from smudges
* Financial data, email accounts, text messages, and such are all accessible.
* Talk about [https://en.wikipedia.org/wiki/Phishing phisihing] via a captured phone with SMS
## Encrypted network traffic
The key takeaway is to encrypt all network traffic. While a [https://en.wikipedia.org/wiki/VPN VPN] and similar network encryption models help, these tools are very simple and controllable.
### Browsers
[https://en.wikipedia.org/wiki/SSL SSL] allows us to validate that we are talking to the site we expect to.
* Use wget to mirror a login page to the demo server. The Makefile defaults to facebook.com.
* Redirect the traffic to unsecured traffic
* Have the demo user connect to the site over unsecured HTTP.
* Have a user connect to the same site over HTTPS and see the warning message.
* Optionally, remove the diverted routing and have the user reconnect to the site over HTTPS without seeing the warning.
* Capture traffic on [https://www.wireshark.org/ Wireshark] and ask the demo user to confirm their password in the capture.
* Talk about SSL chain of trust.
SSL encryption also prevents capturing session information.
* Have the demo user go to the demoserver's web server over unsecured HTTP.
* The root page will have a POST HTML form.
* Use Wireshark to capture the data and show the TCP stream.
* Have the demo user repeat the process over HTTPS.
* SSL will prevent following the stream.
### Telnet/FTP
* Have the demo user reset his password on the server with telnet.
* Capture traffic with Wireshark and show the password.
* Have the demo user pull down a file over FTP, change it, and put it back up.
* Capture traffic with Wireshark and show the change.
* Explain SFTP/SSH correlation to HTTPS -- encryption matters.
## Storage bypass w/ iso
[https://wiki.archlinux.org/index.php/Disk_encryption Disk encryption] makes it harder to access data. While physical access is death, strong encryption can delay access beyond heat death of the universe, which is long enough.
* Have the demo user set the root password and add a file in /root.
* Power off the machine and have the pentester take control.
* Ask the class if the files are secure.
* Boot the machine with the iso instead and find the file.
* Optionally, set the root password and boot the original system.
* Talk about encrypted storage and how this recovery would be harder.
### File recovery
Just because a system has files deleted from it doesn't mean that the data is lost.
* dd 0's onto small partition on demo server
* Create ext4 filesystem
* Have the demouser create a file, display its contents, and delete it.
* The pentester "steals" the hardware and boots with a Kali iso
* Run "extundelete <disk> --restore-all -o /root" to recover the file
* Talk about secure deletion with shred or similar programs and the added difficulty of disk encryption.
[[Category:Class]]
[[Category:Security]]