DjangoCon 2019 - How to Hack (Legally): Python Edition by Karen Miller
When it comes to hacking, trainees are at risk of legal implications and developing bad habits. In this talk, I aim to provide an overview of best practices and trusted resources available to attendees who wish to develop penetration testing skills safely, with an emphasis on Python.
This talk was presented at: https://2019.djangocon.us/talks/how-t...
LINKS: Follow Karen Miller 👇 On Twitter: https://twitter.com/kdangm Official homepage: https://www.hack-hub.com/
Follow DjangoCon US 👇 https://twitter.com/djangocon
Follow DEFNA 👇 https://twitter.com/defnado https://www.defna.org/
Intro music: "This Is How We Quirk It" by Avocado Junkie. Video production by Confreaks TV. Captions by White Coat Captioning.
Okay, so like he said, my name is Karen. I'm an associate cybersecurity engineer. I'm on the penetration testing team at the Software Engineering Institute at Carnegie Mellon University. So welcome to my presentation on how to hack legally with resources that are geared towards Python users. And I'll also briefly talk about why these skills might be helpful for you as both Python and Django users. So my main goal with this talk is to provide you with resources that will help you safely and ethically learn how to hack, just so you don't end up in prison. So, yeah, there is an emphasis on the "legally" part. So first I'm going to go over some terms that you may or may not already be familiar with, just so that we're all on the same page. And then I'm going to dive into a website that I created and some of the ethical hacking resources that you'll find listed there, including training, certifications, challenges, competitions, tools, vulnerable virtual machines and vulnerable web applications. Then I'm going to cover some best practices for avoiding damage to systems and avoiding legal consequences throughout your learning and your hacking experience. You might have read the title of this talk and thought that I would be teaching you how to hack in 45 minutes. And if you did, I'm really sorry, I don't think that's possible. But by the end of this talk, you should know where to start your ethical hacking journey and you should have plenty of resources to use along the way. So first, let's go through some terms. A lot of the terms I'm going to go over can mean different things in different contexts, but I'm speaking specifically in the offensive security context. So we'll start out with an easy one. You all know this one, right? Let's not kid ourselves. A bug is a flaw in software systems that causes unintended behavior. A vulnerability is a weakness which can be exploited, and a vulnerability can be the result of a bug.
Luckily, Django doesn't have any vulnerabilities, right? It's flawless. But really, 70-ish CVEs since 2009 isn't super terrible. Obviously, it's not ideal. By the way, CVE stands for Common Vulnerabilities and Exposures, which isn't something I'm going to really dive into today. But I do owe you a quick explanation, since I just showed you 68 of them. So basically, CVE codes like the ones that you see on the screen are part of a database that's maintained by MITRE, which tracks and describes publicly known cybersecurity vulnerabilities. And if you want to see a real list, you should go and look up WordPress CVEs. I've used the word exploit already, but an exploit is code or commands or actions that involve taking advantage of a vulnerability, for example, to harm or to access the system. A proof of concept is a demonstration of an exploit to prove its feasibility. The amount of completeness can vary, so it could just be pseudocode that says, theoretically, if you follow these steps, you should be able to exploit some vulnerability, or it might be actual working code, and maybe you have to adjust that code a little bit to make it work for you. A pen test, or penetration test, is a simulated attack on systems for the purpose of discovering and exploiting vulnerabilities in order to identify weaknesses and offer corresponding guidance on how to better protect those systems from real threats. So if you're building a web application, what are some vulnerabilities or some security misconfigurations that someone might test for in order to make sure that your application is hopefully secure? And feel free to shout out any answers. So here are some attacks that a pen tester might try in order to access sensitive information that's stored in a database, or, for example, upload a malicious file to a server. This could aid the pen tester in obtaining access to the server or potentially other resources.
Then the pen tester can provide a detailed report outlining those findings and what can be done to mitigate those vulnerabilities in the web application. So it's important that the pen tester find these things and that the pen tester advise whoever asked them to test that application on how to mitigate those vulnerabilities before a malicious hacker comes along and finds them first. So a great resource for learning about web application security, including some of these items up here if you're not already familiar with them, is owasp.org. And OWASP stands for Open Web Application Security Project. I'll talk a little bit more about that later. A threat is anything that could potentially cause harm to a system or to systems, whether intentional or not. An example of a threat is a hacker. And while we have this picture up, I just want to make you aware that when you're hacking, you have to wear a black hoodie and you have to sit in a dark room, and for some reason binary will be floating around you. And it's really crazy, but yeah. Risk is the amount of damage that could be done if a threat exploits a vulnerability. So, for example, taking into consideration how much damage a hacker could do if they discovered a buffer overflow in a program and they exploited that buffer overflow to gain access to a system. So you might think about what data is on that system, what would happen if that system was taken offline, and what other systems or resources the hacker could maybe access if they were able to get into that particular system. Red team/blue team refers to an exercise that involves one team, the blue team, trying to get into systems and... sorry, the red team trying to get into systems, and another team, the blue team, trying to defend those systems. The key difference here being that there's a training element.
So instead of focusing on getting into the systems to identify weaknesses in those systems, the red team is getting into the systems to identify weaknesses in the blue team's security operations, for example, their ability to detect, prevent, mitigate, and hopefully they are ultimately providing valuable training and actionable data to the blue team. A capture the flag competition, or a CTF, involves security or forensics related challenges. A lot of times you'll see that these are set up like a Jeopardy board, so the harder the challenge, the more points you'll get. Now we're going to go through some resources that you can use to learn how to hack. So I created this website, it's called Hack Hub, and I've made it to compile lists of trusted resources that you can use to learn how to hack. And I'm not paid in any way for anything that's on this website, so there's no reason for me to put anything sketchy on there. I just wanted to provide easy access to ethical hacking training, tools, virtual machines, exploits and other resources, because I've found that throughout my own learning experience, sometimes it's difficult to hunt down and keep track of these things, especially as a beginner when you're not sure where to start and you're not sure what sources are trustworthy. I also want to emphasize that you absolutely shouldn't limit yourself to what's on this website, because there are tons of resources out there that I haven't gotten around to adding or that I'm not even aware exist. So if you look over here, there is a contact form. So if you ever want to share some of your discoveries, or if you have any comments, feedback or questions, please feel free to submit a message here and it will come directly to me and I will respond. But this is Hack Hub. The Safety page is an acrostic that goes over some guidelines I'm going to talk about later that you should keep in mind as you're learning how to hack and also as you are hacking.
On each of these sections, there are blurbs about the categories, so I highly encourage you to read those before you dive into some of these resources, because they have some helpful information. Then you can go into the individual categories for actual links to the resources. So I have certification courses, courses that are associated with certifications, and some training resources. A lot of these have helpful guides, walkthrough tutorials or training. There are challenges and wargames if you want to practice your skills in a controlled environment and potentially be competing with other people. But it's not exactly a competition, it's more of like an ongoing scoreboard. If you want to participate in an actual competition, there are plenty of those here. There's also a link, I believe, to a calendar somewhere that has a whole list of all the CTFs and cyber defense competitions that are coming up. And since it's almost Cybersecurity Awareness Month, you might want to keep those on your radar, because that's when a lot of these competitions run. If you find that some of these links don't work, it might be seasonal. For example, the Metasploit CTF I know is not going on right now, so the link is broken. And then we have pen testing tools. A lot of these are included in Kali Linux, which is a Linux distribution, and I'll talk a little bit more about it in a minute. Vulnerable machines: these are virtual machines that you can set up locally to practice your hacking skills on. Vulnerable web applications, same deal. You can set them up locally and practice hacking them. So that's Hack Hub. All of the resources that I'm going to be talking about in a minute can be found on Hack Hub. So before we go on, please feel free to take a picture or save this URL, or just join me in a brief moment of awkward silence while I wait for people to do that. All right, let's start with training. There are a lot of free training resources.
Don't feel like you have to pay a lot of money to learn how to hack. But that's not to say that you won't find valuable paid training. It really just depends on what you want to learn and what your budget is. But for this talk, I found three Python training courses that you might want to check out if you're interested in learning how to apply Python to security and networking. The Python for Security Professionals course on Cybrary is free. It's designed for people with little to no Python coding experience. So if you're new to coding, it's a good course to check out to learn Python functions that are relevant to pen testing. And if you're a Python expert, I think it could still be worth your time. You might find yourself bypassing a lot of the material, but it could be a good exercise to get into the security scripting mindset or to review concepts that maybe you don't use a lot now, but you might use more in a security context. HackerSploit has free training videos on Python for Ethical Hacking, which is also listed as Python for Penetration Testing on their website, for some reason, which is a little bit confusing. But this is more advanced than the Cybrary course that I just mentioned, and it will go over TCP functions and developing network scanners and developing port scanners. And then this Pentester Academy course called Python for Pentesters requires you to either be subscribed, which I think costs $39 a month for Pentester Academy, but it also gets you access to other courses, or you could pay $150 just to have full access to that one course. This course covers a much broader range of topics, from scripting to actual exploitation techniques and attacking web applications. So since we all have different levels of experience and goals, it can really be helpful to see what other people have said about these courses or other courses before you commit to one, especially if it involves spending a lot of money.
So I encourage you to do the research before you purchase a course or spend a lot of time on it. Now, I'm going to talk a little bit about certifications. I didn't list these certifications because I think that you must have them. I just selected some routes that are popular to demonstrate their flexibility. But of course, you might decide, "pursuing certifications isn't for me," and that's fine. It all depends on your personal goals, it depends on your employment goals. So that being said, you should consider what your employer values, what your prospective employer values, and it varies by organization. So in some cases, maybe your employer will pay for these certifications, or maybe they'll only pay for specific ones, which would be great considering the price of some of these. So these are all things that you should consider. The first row is EC-Council certifications, which lead up to the Licensed Penetration Tester, or LPT, certification. That certification requires a lot more technical knowledge than the first in the series, which you may have heard of, the Certified Ethical Hacker certification, or CEH. The CEH is considered entry-level friendly for people who want to become familiar with security concepts and ethical hacking. Global Information Assurance Certification, or GIAC, has various pen testing related certifications that are associated with SANS courses. The GIAC Penetration Tester, or GPEN, is considered more mid-level because it can be more challenging if you make use of the labs. But since the labs are optional and since the exam is open book, it's really about what you're willing to put into it. And I hope, if you're paying that much or someone is paying that much for you, that you're willing to put a lot of time and effort into it. And if you're interested in exploits and research, you can eventually work your way up to the GIAC Exploit Researcher and Advanced Penetration Tester certification, which, thank goodness, is shortened to GXPN.
The last row includes some Offensive Security certifications. These are highly regarded because of how technical the labs and the exams are. The labs are really wonderful and frustrating, and you'll learn a great deal, and you'll hear the phrase "try harder" over and over again, which will probably annoy you to death. But eventually, when you overcome the trauma of the OSCP, you might decide to pursue the Web Expert certification, the OSWE, or if you want to focus on exploit development instead of web attacks, then you might pursue the Exploitation Expert certification, or the OSEE. But like I said, there's no right certification, there's no right series for everyone. For example, you might prefer to go Certified Ethical Hacker, remember that's the more entry-level friendly certification, and then the GIAC Penetration Tester, which is a good mid-level certification, and then the Offensive Security Certified Professional, which might make you want to throw your keyboard at a wall, but it will be worth it, I promise. Or maybe you want to focus on web application pen testing, in which case you might do the GIAC Web Application Penetration Tester, the GWAPT, or the Offensive Security Web Expert, OSWE. And those are worth looking into, if that's interesting to you. You should really take some time to evaluate which path is right for you, if you're interested in pursuing certifications at all. And sorry for throwing all of these annoying acronyms at you, but that's why they're on Hack Hub, so that you can look into them a little bit more on your own time. So, like I said, next month is Cybersecurity Awareness Month, which means there will be a lot of competitions, a lot of capture the flags happening. And if you have time to participate in some of those, you should do some research on which of those you're qualified for, because some of them target a specific audience.
You should see if maybe there are some local competitions that you can participate in, but if there aren't, I know that there are a lot of remote competitions that you can participate in, and oftentimes if you're at a security conference, there will be a capture the flag that's ongoing and people there who are probably very happy to help you if you ever get stuck. So competitions are very dear to me because they're what transitioned me from computer science into security. And they really challenge you to think outside the box and apply your skills to realistic scenarios, but not always realistic scenarios. Are there any Doctor Who fans out there? Yeah. All right, so one time... I don't know anything about Doctor Who, but one time I ended up learning a Doctor Who language for a capture the flag. I think it's called Gallifreyan. I might be pronouncing that wrong, but it was still a wonderful challenge, because even though I ended up staring at this thing for a really long time and I was really frustrated and I didn't know what it was, it pushed me to do extensive research and learn something new. And that's a really valuable skill to have as a hacker or penetration tester, or for anyone to have, really. So that's why you should try to participate in capture the flags, if you're interested. picoCTF is a capture the flag competition that's run by Carnegie Mellon University, and it's aimed at middle schoolers and high schoolers, but the challenges are open year-round. So if you're new to CTFs, this is a great way for you to get experience and get a feel for how capture the flags are structured. And since you can do it on your own time without anyone around, there's no pressure, and it's a great way to ease into capture the flags. RunCode is an annual tournament which I believe is open to everyone regardless of whether you're in school or not or what your age is. But similarly, they also have challenges open year-round,
including operating system, network security and other coding challenges, so I encourage you to look at that one too. And HackThisSite is a source of hacking challenges, and they're broken down into categories, so it's easy for you to figure out what you want to focus on, like programming challenges, for example, and then you can easily do those. Pen testing tools: Kali Linux is a Linux distribution that's used by pen testers, and it includes an extensive collection of security and forensics tools, so I would start your pen testing tool exploration there, because there are tons of them, and you might find that some of them you never need, but it's still good to know what's available to you. Exploit-DB is a database of exploits, proofs of concept and other security resources, and you can access the Exploit Database using a tool called searchsploit, which comes with Kali Linux. Vulnerable machines, in the form of virtual machines, can be set up as targets for you to practice your tools and techniques on, and these can be set up on your own machine, of course. You obviously want to keep them on your own property, since they are vulnerable, and you don't want them to be public-facing, because then you're just opening a door for hackers. So VulnHub is a great source of vulnerable virtual machines, and a lot of them have write-ups associated with them, so that if you ever get stuck, or if you just want to see how other people have exploited those machines, then you can reference those. And a lot of times there's a link in the description of the box when you go to download it, but if there isn't, then you can probably find it just with a quick Google search. There are also a few Metasploitable boxes. These are Linux virtual machines that are, again, intentionally vulnerable for the purpose of practicing your tools and your exploits, and they're called Metasploitable machines because of a tool called Metasploit in Kali Linux, which you will discover very quickly if you decide to explore Kali. But yeah.
Again, these can be hosted locally. Hack The Box is a little bit different, because it doesn't provide downloadable virtual machines. It's a lab environment that you VPN into, with machines of various difficulty levels for you to try to hack, and they only allow write-ups for the retired boxes, and you have to have a subscription to access retired boxes. But since they rotate boxes fairly often, if you're ever wondering how you could have exploited a box, or if you're ever wondering how other people exploited a box, you can just wait for that box to retire and then you can watch the write-ups start to pop up. As a side note, I would encourage you to check out IppSec's YouTube channel for a lot of really good, thorough walkthroughs of retired boxes. Last, we have vulnerable web applications. There are tons of these, and they're built in various languages and platforms. And you can use them to practice things like cross-site scripting, SQL injection, command injection, a lot of those words that I showed you earlier. If you find a web application exploit on Exploit-DB, a lot of times they will provide you with a download link to the associated vulnerable version of that web application. If you want something more realistic that's not intentionally vulnerable, or since we're at a Django conference, you could try building your own vulnerable web application to practice on. Or you could collaborate with your wonderful peers. And when you feel comfortable, you can apply the skills that you learn to your own web applications or the web applications that your peers develop, in a very controlled, non-production environment, with necessary permissions, of course. And I mentioned OWASP earlier. It's a great source of all things web application security. And they have their own list of intentionally vulnerable web applications, including a lot that were built by people over at OWASP. Okay? So you shouldn't just learn how to hack.
You should learn how to hack ethically, and you should also learn how to ethically learn how to hack. So this is the part where I tell you how to hopefully avoid going to prison, with this acrostic that I made: be a trusted hacker. And being a trusted hacker means that you take your time when you're learning and when you're hacking, because there are a lot of important concepts that you really need to understand, really need to consider, to avoid damaging a system or to avoid facing legal consequences. So be patient and be curious, but don't be impulsive. Here are a few reasons why. These are three commands that you could accidentally execute. The first one moves your directory of important data, or your customer's directory of important data, into a sort of black hole, which isn't good. The second one forces the recursive removal of all files below the root directory. And the third command wipes a file that you maybe didn't need to wipe. So I know it's easy to sit here and think, "I would never be that dumb." I actually know an intelligent person who accidentally executed that second command, and it wasn't me, even though I know you're all thinking it was her. But no, he was joking one day about accidentally deleting all his files, can't remember the context, and then a couple of days later, he admitted that he did execute that command and deleted all of his files. Next, you want to refrain from touching systems that you don't own unless you have a legal agreement which permits you to. So set up your own environment, or use one that's explicitly designed for you to practice your techniques on, like some of the resources that I just discussed. Every state and every country has its own laws regarding hacking, but I think that the general consensus is that hacking systems you don't own is not a good idea.
Some of you might be familiar with the story, but a 14-year-old played a prank on his teacher by logging into the teacher's account and changing their wallpaper at the school. Teachers use really weak passwords. They would type their passwords in right in front of their students. He didn't have to go to great lengths, basically, to get into this teacher's computer, but there were state exam answers that he could have accessed when he logged in, and potentially a significant amount of damage that he could have done, even if that wasn't his intention and even if that's not at all what he did. So at age 14, he committed a felony. And at whatever age you all are, committing a felony is much more serious than what it was for him. So just keep that in mind. Use tools, exploits and guides from trusted sources, because there are malicious tools and exploits that are designed to compromise your system or even publicly humiliate you, and they are falsely advertised to trick people. More on that in about three slides. Segregate and segment appropriately to ensure important data and systems, and especially systems that you don't own, are separate and protected from your test environment. And why do you have a test environment? So that you can test exploits and tools in a safe space to make sure that they work as expected and make sure that you know how to use them. This can really help you gain a further understanding of what an exploit or tool does and what artifacts they might generate, because you don't want to accidentally leave files on your customer's systems so that weeks later they come to you asking, "Hey, was this left by you? Or was it left by an actual hacker who's after our data?" And if that does happen, you want to be able to say with total confidence, "Yes, that was me," or, "No, you should probably look into that." Exploit smartly, not blindly. Understand how an exploit works. Understand what it does before you even try it.
Modify it as needed to suit your purposes, because it's not a one-size-fits-all type of situation. If you're targeting a different operating system, or even launching it from a different operating system than it's meant for, then there's going to be some modification needed. Otherwise, if you don't look into what it actually does, you might run into an OpenSSH exploit with this shellcode. And if you don't reverse engineer this shellcode, you might not realize that it executes this command, which, if you recall from earlier, does delete all of your files. Finally, this should go without saying, but I'm going to say it anyway. Don't use your skills maliciously, however tempting it might be. Just don't. Because it could cost you a lot of money and a lot of prison time. And I'm not trying to scare you out of security. I really am not. I just think it's good to develop good habits early on if you're interested in pivoting into a security career or just learning more. Here's a quote from a man who did go to prison for hacking and who has since used his skills for a more ethical line of work. He said: "My motivation for hacking was all about the intellectual challenge, the seduction of adventure, and most importantly, the pursuit of knowledge. The hacker ethic is you never try to make money from it, and you never try to harm or destroy." Unfortunately, as you all know, that's not the case for a lot of hackers. People quickly turned hacking into a means of money and destruction, and it's a huge issue that we hear about every day. So if you're going to learn how to hack, please learn for the right reasons, because there are already so many people doing it for the wrong reasons. If you're interested in reading more about these guidelines that I just went through in blog post form, as of last week, this post is published to the Software Engineering Institute's Insider Threat Blog, and it's super easy to find.
Just Google "SEI blog" or "SEI Insights" and look for the Insider Threat Blog. My post is really easy to spot, because for some reason everyone else's headshots are like these professional headshots on a subtle background, and mine is like outside with a leafy background, so it really stands out. Weird. I won't be taking questions now, as my way of sort of making sure that you utilize the resources and contacts you discover at conferences. And let's be real, I also probably won't be able to give you as good of an answer standing in front of a bunch of people and a camera as I would if it was just one-on-one. I could give you a more thoughtful response if you approach me in the hall. Or if you want, you can email me. You can contact me through Twitter. My Instagram handle's up there if you're interested in urban photography. But I guess you could ask questions on Instagram too, if that's what you want. Thank you for your time and stay out of prison.
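Editor's added example, not part of Karen Miller's talk or of the Hack Hub site: a first-pass triage script for the "exploit smartly, not blindly" and "reverse engineer this shellcode" advice above. It decodes the C-escaped shellcode blob that public proof-of-concept exploits usually carry as a string, recovers the embedded text, and flags destructive commands before anything is executed. The shellcode below is constructed for this example and is deliberately not a working payload; the pattern list, the x86 `push imm32` heuristic and every function name are the editor's own assumptions, not tooling from the talk.

```python
"""Triage a C-escaped shellcode blob *before* running it: decode the bytes,
recover embedded strings and flag destructive commands. Analysis only; the
bytes are never executed or written anywhere."""
import re

# Constructed sample for this example. It is shaped like the 32-bit x86
# shellcode strings found in public PoC exploits (push "//sh", push "/bin",
# push "-c", int 0x80) but is deliberately NOT a working payload: the
# "rm -rf /" text sits inline where real shellcode would have instructions.
SAMPLE_SHELLCODE = (
    r'"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"'
    r'"\x50\x68-c\x00\x00\x89\xe1"'
    r'"rm -rf /\x00"'
    r'"\xb0\x0b\xcd\x80"'
)

_SIMPLE_ESCAPES = {"n": b"\n", "t": b"\t", "r": b"\r", "0": b"\x00",
                   "\\": b"\\", '"': b'"', "'": b"'"}


def parse_c_shellcode(text: str) -> bytes:
    """Turn a C-style escaped string (as pasted from a PoC) into raw bytes.

    Handles adjacent quoted fragments, \\xHH escapes and the usual one-letter
    escapes. Literal characters are encoded as Latin-1 so every byte value
    round-trips. If no quotes are present the whole text is parsed as-is.
    """
    fragments = re.findall(r'"((?:[^"\\]|\\.)*)"', text, re.S)
    body = "".join(fragments) if fragments else text.strip()
    out = bytearray()
    i = 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out += ch.encode("latin-1")
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("dangling backslash at end of shellcode")
        nxt = body[i + 1]
        if nxt == "x":                      # \xHH: exactly two hex digits
            out.append(int(body[i + 2:i + 4], 16))
            i += 4
        elif nxt in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[nxt]
            i += 2
        else:
            raise ValueError(f"unsupported escape \\{nxt} at offset {i}")
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII, like the `strings` tool. Note that x86 push
    opcodes (0x68 = 'h', 0x50 = 'P') are themselves printable, so pushed
    text shows up with the opcode glued on, e.g. 'Ph//shh/bin'."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def pushed_immediates(data: bytes) -> list[str]:
    """Heuristic for 32-bit x86 shellcode: decode the operand of every
    `push imm32` (opcode 0x68) as text, stripping NUL padding. Not a
    disassembler, so a 0x68 that is really data can produce a false hit."""
    found, i = [], 0
    while i + 5 <= len(data):
        if data[i] == 0x68:
            imm = data[i + 1:i + 5].rstrip(b"\x00")
            if imm and all(0x20 <= b < 0x7F for b in imm):
                found.append(imm.decode("ascii"))
                i += 5
                continue
        i += 1
    return found


# Editor's pattern list; extend it with whatever you have been burned by.
DANGEROUS = [
    ("recursive force delete", re.compile(r"\brm\s+-\w*r")),
    ("disk or file overwrite", re.compile(r"\bshred\b|\bdd\b.*\bof=/dev/|\bmkfs")),
    ("data moved to /dev/null", re.compile(r"\b(mv|cp)\b.*/dev/null")),
    ("remote script piped to a shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("hard-coded IPv4 address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("spawns a shell", re.compile(r"/bin/(ba)?sh|//sh")),
]
DESTRUCTIVE = {"recursive force delete", "disk or file overwrite",
               "data moved to /dev/null"}


def classify(strings: list[str]) -> list[tuple[str, str]]:
    """(label, evidence) for every string matching a DANGEROUS pattern."""
    return [(label, s) for s in strings for label, rx in DANGEROUS if rx.search(s)]


def review(shellcode_text: str) -> dict:
    """Full triage of one pasted shellcode blob; nothing here executes it."""
    data = parse_c_shellcode(shellcode_text)
    strings = printable_strings(data)
    pushes = pushed_immediates(data)
    findings = classify(strings + pushes)
    destructive = sorted({label for label, _ in findings if label in DESTRUCTIVE})
    verdict = ("do not run: " + ", ".join(destructive) if destructive
               else "no destructive strings found; disassemble before running")
    return {"size": len(data), "strings": strings, "push_immediates": pushes,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for key, value in review(SAMPLE_SHELLCODE).items():
        print(f"{key}: {value}")
```

This is only a strings-level check: it catches the lazy cases (a hard-coded `rm -rf`, a reverse-shell IP, a `curl | sh`) and nothing that is XOR-encoded or built at runtime, so a clean report means "disassemble it next", not "safe to run". Run it on a throwaway VM in the segregated test environment the talk describes, never on the machine that holds your data.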