Hacking 101: Metasploit, cross-site scripting, and SQL injection

WatchGuard director of security strategy Corey Nachreiner walks the audience at AusCERT 2013 through some of the tools that hackers use to break into systems.

If you want to know how to defend, sometimes the best place to start is to know your enemy. At AusCERT 2013, WatchGuard director of security strategy Corey Nachreiner walked information security professionals through a couple of common tools and techniques that many hackers use on a very basic level.

Nachreiner walks through Rapid7's Metasploit tool, showing how even "script kiddies" can easily use it thanks to its relatively user-friendly graphical user interface.

Using Metasploit, he created a malicious drive-by site designed to exploit users who hadn't yet patched their Java browser plugin. He then scoped out a poorly designed "Fakebook" site, identified a cross-site scripting flaw that he used to force users to visit his drive-by site, then opened up a root shell prompt.

Nachreiner also identifies a common SQL injection flaw and shows how, using SQLmap, it is easy to detect other flaws, automatically exploit them, and map out the back-end database for sites.

Ultimately, Nachreiner's demonstration shows how, from start to finish, he is able to steal theoretical credit cards and personal information from a site.