Hacking 101: Metasploit, cross-site scripting, and SQL injection

Hacking 101: Metasploit, cross-site scripting, and SQL injection

Summary: WatchGuard director of security strategy Corey Nachreiner walks the audience at AusCERT 2013 through some of the tools that hackers use to break into systems.

SHARE:
TOPICS: Security, Malware
1

If you want to know how to defend, sometimes the best place to start is to know your enemy. At AusCERT 2013, WatchGuard director of security strategy Corey Nachreiner walked information security professionals through a couple of common tools and techniques that many hackers use on a very basic level.

Nachreiner walks through Rapid7's Metasploit tool, showing how even "script kiddies" can easily use it thanks to its relatively user-friendly graphical user interface.

Using Metasploit, he created a malicious drive-by site designed to exploit users that hadn't yet patched their Java browser plugin. He then scoped out a poorly designed "Fakebook" site, identified a cross-site scripting flaw to force users to visit his drive-by site, then opened up a root shell prompt.

Nachreiner also identifies a common SQL injection flaw and shows how, using SQLmap, it is easy to detect other flaws, automatically exploit them, and map out the back-end database for sites.

Ultimately, Nachreiner's demonstration shows how, from start to finish, he is able to steal theoretical credit cards and personal information from a site.

Topics: Security, Malware

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • Good to see these aritcles...

    finally showing up here. Keep up the good work!
    JCitizen