June 03, 2017 Written by

The guys from 8ack visited us for a talk on cybersecurity. In their workshop-style talk they went through all facets of ethical hacking, ranging from social engineering to vulnerability exploitation.

When professional white hats analyze a target system, of course they do not stick to the basic Metasploit toolset. Rather, they rely on smarter techniques. I was surprised how easy it is to identify vulnerable IoT devices with shodan.io. The Web site is a search engine for Internet-of-Things devices. Simply searching for :camera, one gets a list of all Internet-connected Web cams. Looking at the search results, it goes without saying how botnets such as Mirai arose and became so powerful.

It is well-known that the weakest link in a security system is the user. Instead of hacking a computer system, hacking the user behind the system is more promising. I learned there are plenty of marketplaces for hacking equipment to do just that. Among them is the hackshop. You can buy gadgets with names like the WiFi Pineapple or Rubber Ducky. Funny names, aren't they? But also scary. The Pineapple simulates a WiFi access point and makes drive-by WiFi attacks really convenient. The Rubber Ducky is a malicious USB stick that emulates a keyboard. In fact, it allows the owner to program any sequence of keystrokes. Anyone is able to craft payloads capable of changing system settings, opening back doors, retrieving data, initiating reverse shells, or basically anything that can be achieved with physical access -- all automated and executed in a matter of seconds.

Last but not least, the guys demonstrated a spontaneous DoS attack. With little effort, the Web site became unreachable simply because its administrator backend was brute-forced. Though SYN flooding attacks still happen in the wild, they are less efficient. Denial-of-service attacks on the application layer consume more resources: typically multiple application servers interact, such that a computer system under attack needs to allocate resources for a longer period of time.
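The flip side of that demo is that a login brute force against an admin backend is cheap to spot in the access log long before it exhausts backend resources. The following sliding-window detector is an added example, not code from the 8ack workshop or this post; the log format, the /admin/login path and the sample log lines are constructed assumptions.

```python
"""Sliding-window detector for failed-login bursts against an admin backend.

Added example, not code from the 8ack workshop or the original post.
The log format and the /admin/login path are assumptions; SAMPLE_LOG is
constructed sample data, not real traffic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log, simplified to:
# "<ip> <ISO timestamp> <method> <path> <status>"
SAMPLE_LOG = """\
203.0.113.7 2017-06-03T10:00:00 POST /admin/login 401
203.0.113.7 2017-06-03T10:00:01 POST /admin/login 401
203.0.113.7 2017-06-03T10:00:01 POST /admin/login 401
203.0.113.7 2017-06-03T10:00:02 POST /admin/login 401
203.0.113.7 2017-06-03T10:00:03 POST /admin/login 401
203.0.113.7 2017-06-03T10:00:03 POST /admin/login 401
198.51.100.9 2017-06-03T10:00:05 GET /index.html 200
198.51.100.9 2017-06-03T10:02:00 POST /admin/login 401
198.51.100.9 2017-06-03T10:04:00 POST /admin/login 200
"""


def parse_line(line):
    ip, ts, method, path, status = line.split()
    return ip, datetime.fromisoformat(ts), method, path, int(status)


def detect_login_bursts(log_text, path="/admin/login", window_s=10, threshold=5):
    """Return {ip: time_of_first_alert} for source IPs that produce at least
    `threshold` failed POSTs to `path` within any `window_s`-second sliding
    window. Each IP is reported once; the caller can feed the result to a
    rate limiter, temporary lockout or WAF rule."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ip, ts, method, req_path, status = parse_line(line)
        if method != "POST" or req_path != path or status != 401:
            continue  # only failed login attempts count
        q = recent[ip]
        q.append(ts)
        # Drop failures that have fallen out of the window.
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts
```

With the defaults, the constructed log flags 203.0.113.7 at its fifth failure (10:00:03) and leaves the legitimate user who retried twice over four minutes alone.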

Big shout out to the 8ack team! The workshop was very instructive. We learned a great deal and had a lot of fun!



Last modified on Saturday, 10 June 2017 17:29