Setting Up A Security Lab - By K.V. Prashant

Setting Up A Security Lab
K.V.Prashant

Setting Up A Security Lab
What is most common/repeated/ annoying(sometimes) question on security forums?
Ans:- I want to be a Hacker......
How can I be?
What should I read?
we will try to address this today

Web
Server
DB
App
Server
A Peak Into Malicious World
Server Side AttacksPort level attacks, Privilege escalations, Buffer Over Flow, SQL Injection, etc.
Client SideViruses, Malware, XSS, Logical Attacks
Network Layer VulnerabilitiesMan In The Middle, Sniffing, Spoofing, Wireless hacking

System/Network Hacking Approach
Footprinting
Information Gathering (Whois, Nslookup,Google Hacking)
Locate the network range (Angry IP Scanner, Superscan)
Scanning & Service Enumeration
OS fingerprintingDetect ‘live’ systems on the network
Detect Services running on target systems(Nmap)
Detecting Vulnerable services (Nessus, Lanquard)
Attack/Hacking
Port Level Attacks (Meta Spoilt)
Spoofing and Sniffing
Caine & Able

Web Application Hacking Approach
1. Information Gathering
Technology used(Java, .Net, PHP), message formats(JSON, XML,name/vale)
Webserver, APPServer, Application firewall
2. Automated scanning
Commercial tools:- Appscan, Acunetix, WebInspect,Cenzic, NTOSpider, Nstalker
Open source:- W3AF, Paros, Webscarab, Burp, firefox extensions, like temper data, live http headers, XSSMe, SQLMe
3. Testing for OWASP to vulnerabilities
XSS, SQl…..
4. Test for Configuration attacks
Web server configuration pages
CMS admin pages(Admin/Admins) ;)
Logical attacks

Getting Hands Dirty:- LAB for system hacking
Get your network ready….
At least 2 machines, preferably a powerful desktop.
Virtualization softwares
VMWare player
Sun virtualbox

Getting into Business:- LAB for system hacking
Get vulnerable Operating systems
Unpatched Windows 2000, Xp
Damn Vulnerable Linux
de-ice
Hackerdemia
pWnOS
Ubuntu 7.04
Vulnerable Matriux
Security Distros(http://www.securitydistro.com/)
Backtrack
Matriux
Moth/Lambert
Helix(Forensic Distro)

Getting into Business:- LAB for Web-Applications hacking
Insecure Applications
WebGoat
Hacme Tools(bank, Casion,Books,Travel…)
Damm vulnerable app
http://demo.testfire.net/
http://testasp.acunetix.com/
Hands on
Older versions of CMS tools like XOOPS, drupal
OrangeHRM
Follow backtrack mailing list & try to replicate issues…

Road ahead….
Simulated network lab
Cisco emulators
Malware analysis lab
Static & Behavior based analysis

http://null.co.in	53
http://www.slideshare.net	12
http://webcache.googleusercontent.com	1

Setting Up A Security Lab - By K.V. Prashant

by n|u - The Open Security Community on Apr 04, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 66

Statistics

Setting Up A Security Lab - By K.V. Prashant — Presentation Transcript