Cyberattacks are one of the greatest risks facing today's organizations, and they continue to grow in scale, complexity and sophistication. If you're defending against such attacks, you need to prepare for any and every possibility. If you're the one attacking, all you need is an in -- just one.
One of the best ways to improve cybersecurity is by thinking like a hacker.
Having never worked on a network- or security-related hack before, however, it was helpful for me to familiarize myself with some key terms in cybersecurity, learn by implementing a few tools based on what I learned, and explore how hackers might find that one in as well as relay information securely to any accomplices. There are two parts to my project.
What it does
First, because defenders have to consider all attack possibilities, I explored the approach of defending against attacks by being informed about what attackers can do with the tools they have access to and why they do it. Inspired by OhloneHacks' own challenge for finding security flaws in a Windows 7 system, I found an intentionally vulnerable Linux system called Metasploitable that I could spin up in Oracle's VirtualBox, and then I built some tools in Python to help identify security risks. Specifically, I created a port scanner that lets us know what ports are open for potential attacks. I then reverse engineered the code a little to create a vulnerability scanner that lets you feed into it a list of known vulnerabilities and identify any open ports with it. Lastly, I worked on a brute force attack to gain access to a system by trying out countless common password possibilities, and I did so in two ways. The first way is slow because I try each password and wait for a response before moving on to the next, and the second way is threaded, which is a lot quicker.
For the second part of this project, I created basically a crypto chat application (try it out at hackeye.glitch.me) in part because it's something more visual and interactive. If either attackers or the average person wants to communicate securely, one of the best ways is to build your own app where you know all the components involved and how they work together, and only you and your interested parties know the secret key with which to decrypt garbled messages. A plus is that you can deploy the app locally, so you never have to leave any openly public traces or hints of what you're using to communicate and what's available. While I leverage CryptoJS to encrypt and decrypt messages for efficiency, I could've coded my own cipher or hash with which to encrypt and decrypt messages.
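A shared-secret chat like the one described above needs more than encryption: the key should be derived from the passphrase with a slow KDF, every message needs a fresh nonce, and the receiver must be able to detect a wrong key or a modified message. The following is an added example, not Hackeye's code; it assumes Node.js and its built-in `crypto` module rather than CryptoJS, and the function names and wire layout are hypothetical.

```javascript
// Added example (not Hackeye's code): shared-passphrase message encryption
// using Node's built-in crypto module. Names and wire layout are illustrative.
const nodeCrypto = require('node:crypto');

// Derive a 256-bit key from the shared passphrase with scrypt. The random
// salt travels with the message so the receiver can derive the same key.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt one chat message.
// Wire layout (base64): salt(16) | iv(12) | tag(16) | ciphertext
function encryptMessage(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const key = deriveKey(passphrase, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt and verify. Returns the plaintext, or null when the passphrase is
// wrong or the message was modified in transit (the GCM tag check fails).
function decryptMessage(passphrase, wire) {
  const raw = Buffer.from(wire, 'base64');
  if (raw.length < 44) return null; // too short to hold salt + iv + tag
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const body = raw.subarray(44);
  try {
    const key = deriveKey(passphrase, salt);
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // authentication failed: do not display anything
  }
}

// Flip one bit of the last byte to simulate tampering on the wire.
function tamper(wire) {
  const raw = Buffer.from(wire, 'base64');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64');
}
```

Because the salt and nonce are random, encrypting the same text twice yields different output, so an observer cannot tell when a message is repeated.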
How we built it
Metasploitable, Oracle VirtualBox, Python, CryptoJS, HTML, JS, CSS
Challenges we ran into
The biggest challenge I faced was, hands down, thinking about how to design the code, using libraries I don't often use in this context. This took a lot of looking up what's possible and pseudocoding. It was also fun figuring out how to create my first multi-threaded process.
Accomplishments that we're proud of
Made a project!
What we learned
What's next for Hackeye
If I had more time, I would perform a more thorough assessment of the security risks and go deeper in exploiting them, maybe package it as a virus, so to speak, that automatically runs commands to check for security risks and inform users of them, read more into social engineering tactics, and explore encrypting messages using public key infrastructure.