Introduction to Penetration Testing
Introduction to Penetration Testing with a use case of LFI -> Shell. I talk about the mindset required to be a good tester, and show places many testers and automated tools stop and how to go further.

Published in: Technology
  1. Introduction to Penetration Testing
  2. Table of Contents
     • Overview
     • Enumeration
     • Tool Output
     • Do We Stop Here?
     • Custom Scripts
     • Wpscan
     • Online Research
     • Testing Exploitation
     • PHP LFI
     • Code Execution, Yes Please!
  3. Overview
     • This session will cover the mindset I follow when approaching a web application
     • I am going to show where many might stop, and what happens when you push further
     • These types of techniques can be applied to any web application
  4. Overview Cont.
     • Tools Leveraged:
       – Nmap
       – Whatweb
       – Wpscan
       – Wget
       – Custom scripts
       – Burp Suite
       – Netcat
       – Google
  5. Methodology Overview
     • Pre-Engagement Activities
       – Hammer out all the details to conduct the test (Schedule, Scoping, Rules of Engagement, Formal Permission, etc.)
     • Information Gathering and Reconnaissance
       – Depends on the type of test and the information you are given (Organization name, CIDR, list of URLs, source code, etc.)
     • Automated Testing
     • Manual Testing and Validation
     • Reporting
     • Remediation Support
  6. Methodologies Cont.
     • Penetration Testing Execution Standard (PTES):
       – http://www.pentest-standard.org/index.php/Main_Page
  7. Mindset is Key
     • Think like an attacker and see things through a different lens:
       – Upload an avatar? Hmmm, add code?
       – Download a report? Hmm, directory traversal for another file?
     • Confidence
       – Without it you’ll very easily hit a wall and stop
       – I tell myself a vulnerability is here, I just need to find it
  8. Enumeration
     • Nmap:
     • WhatWeb:
  9. Do We Stop Here?
     • Hmmm?
  10. Custom Scripts
     • Web application testing requires custom scripting…there is really no way of getting around it:
  11. Custom Scripts Cont.
     • Making web requests with a scripting language isn’t too difficult
     • Check out tutorials online and try to automate web requests
     • Making a tool for CVE-2012-1823 is a good use case because you need to make a POST request and modify several header values
       – If you can write a tool for this CVE, it demonstrates concepts that can be applied to many different CVEs
  12. Wpscan
     • Wpscan:
  13. Wpscan
     • Do we stop here?
  14. Wpscan: Plugin Enumeration
     • Wpscan: --enumerate p
  15. Online Research
  16. Online Research Cont.
     • Hmm, our web server doesn’t respond when we request “/wordpress/wp/wp-content/”
     • Do we stop here?
  17. Testing Exploitation
     • Yeah, let’s grab “/etc/passwd”
  18. PHP LFI
     • Cool, so we can LFI, do we stop now?
  19. PHP LFI…Now What?
     • What can be done with a PHP LFI?
     • It depends on what function is leading to the LFI vulnerability (include(), readfile(), etc.)
     • PHP functions like include() will execute PHP code in the included file
       – Yay, code execution through PHP snippets!
     • PHP functions like readfile() will only display output
       – We have more work to do
  20. Code Execution? Yes, Please!
  21. Code Execution? Yes, Please!
     • Request:
  22. Demo
  23. Summary
     • Tools may not give you the answer
     • Very easy to hit a hurdle and quit
     • You need to be curious/creative and constantly push to get more information
     • Confidence and mindset go a long way
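The “/etc/passwd” grab on slide 17 and the include() discussion on slide 19 are what a defender has to recognise in logs and prevent in code. The following is an added example, not part of the slides: it runs a traversal check (the same check a fixed include() should apply) over constructed access-log lines and reports the requests whose parameter values escape the page directory. The base path and the log lines are constructed for illustration.

```python
"""Spot directory-traversal / LFI probes in web access logs and show the
path check that blocks them. Added example; log lines are constructed."""
import re
import posixpath
from urllib.parse import unquote

# Constructed sample access-log lines (simplified combined log format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress/?page=about HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /wordpress/?page=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /wordpress/?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /wordpress/?page=%252e%252e%2fetc%2fpasswd HTTP/1.1" 404 210
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wordpress/wp/wp-content/ HTTP/1.1" 403 199
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> '.')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolves_outside(param_value, base="/var/www/html/wordpress/pages"):
    """The fix for include($_GET['page']): decode, join to the page
    directory, normalise, and require the result to stay under it.
    Returns True when the value would escape (or carries a null byte)."""
    decoded = fully_decode(param_value)
    if "\x00" in decoded or decoded.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    return not resolved.startswith(base + "/")

def flag_lfi_probes(log_text):
    """Return (client_ip, request_target) for every request where some
    query-string value would resolve outside the page directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        target = m.group("target")
        query = target.partition("?")[2]
        for pair in (query.split("&") if query else []):
            value = pair.partition("=")[2]
            if value and resolves_outside(value):
                hits.append((ip, target))
                break
    return hits
```

Note that the double-encoded probe on the fourth line is caught only because the decoder loops; a single unquote() would let it through, which is also why the check belongs in the application after decoding rather than only in a WAF.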