SlideShare a Scribd company logo
1 of 54
Download to read offline
WTF is Penetration Testing
v.2
Who are we?
Eric Gruber
@egru
http://github.com/egru
http://github.com/netspi
http://netspi.com/blog
Karl Fosaaen
@kfosaaen

http://github.com/kfosaaen
http://slideshare.com/kfosaaen
Scott Sutherland
@_nullbind

http://github.com/nullbind
http://slideshare.com/nullbind
Demo
Common Escalation Paths:
• Enumerate live systems and open ports with
nmap
• Brute force database account with SQLPingv3
• Get a shell on the database server with the
mssql_payload Metasploit module
• Dump domain admin passwords in clear text
with mimikatz
• Log into high value database to access data
• Log into domain controller to find and access
everything else
Overview
•
•
•
•
•
•
•
•
•

What is a penetration test?
Why do companies pay for them?
Types of penetration testing
What are the rules of engagement?
Who does penetration testing?
What skills do they have?
What tools do they use?
Penetration testing as a Career
Questions
What is a Penetration Test?
What is Penetration Testing?
Our Definition:

“The process of evaluating systems,
applications, and protocols with the intent
of identifying vulnerabilities usually from
the perspective of an unprivileged or
anonymous user to determine potential
real world impacts…”
“…legally and under contract”
What is Penetration Testing?

In short…
What is Penetration Testing?

…we try to break into stuff
before the bad guys do
Why do companies buy
Penetration Tests?
Why do companies buy pentests?
• Meet compliance requirements
• Evaluate risks associated with an acquisition
or partnership
• Validate preventative controls
• Validate detective controls
• Prioritize internal security initiatives
• Proactively prevent breaches
Why do Companies Pen Test?
Why do Companies Pen Test?
What types of Penetration Tests are there?
Hats and Boxes?
Types of Penetration Testers
Black Hat

Independent research and exploitation
with no collaboration with vendor.
Gray Hat

Independent research and exploitation
with some collaboration with vendor.
White Hat

Collaborative research, assessment, and
exploitation with vendor.
Types of Penetration Tests
Black Box

Zero knowledge of target.
Gray Box

User knowledge of target. Sometimes as
an anonymous user.
White Box

Administrative or development knowledge
of target.
Types of Penetration Tests
Information

Black Box

Gray Box

White Box

Network Ranges

x

x

IP Addresses

x

x

Domains

x

x

Network Documentation

x

x

Application Documentation

x

x

API Documentation

x

x

Application Credentials

x

Database Credentials

x

Server Credentials

x
Types of Penetration Tests
• Technical Control Layer
‒ Network
‒ Application (mobile, web, desktop etc)
‒ Server
‒ Wireless

‒ Embedded Device
• Physical Control Layer

‒Client specific site
‒Data centers
• Administrative Control Layer

‒Email phishing
‒Phone and onsite social engineering
What are the
Rules of Engagement?
Rules of Engagement
•
•
•
•
•
•
•
•
•

Hack Responsibly!
Written permission
Clear communication
Stay in scope
No Denial-of-Service
Don’t change major state
Restore state
Use native technologies
Stay off disk
Are there any Penetration Testing
methodologies?
Common Approach
•
•
•
•
•
•
•
•
•

Kickoff: Scope, test windows, risks, contacts
Information Gathering
Vulnerability Enumeration
Penetration
Escalation
Evidence Gathering
Clean up
Report Creation
Report Delivery and Review
Common Approach: Standards
Methodologies
• Ptes
• OSSTM
• ISSAF
• NIST
• OWASP
Certifications
• SANS
• OSCP
• CREST
Penetration Test vs.
Vulnerability Assessment
Assessment VS. Penetration
What can both an assessment or pentest
answer?
•
•
•
•
•

What are my system layer vulnerabilities?
Where are my system layer vulnerabilities?
Will we know if we are being scanned?
How do I fix my vulnerabilities?
Are we fixing things over time?
Assessment VS. Penetration
What else can a pentest answer?

• What vulnerabilities represent the most risk?
• What are my high impact system, network,
and application layer issues?
• Can an attacker gain unauthorized access to
critical infrastructure, application
functionality, and sensitive data
• Can attackers bypass multiple layers of
detective and preventative controls?
• Can attackers pivot between environments?
• Are procedures being enforced
Who conducts Penetration Testing?
Who Conducts Penetration Testing?

People that can pass a background check
Who Conducts Penetration Testing?
• Internal Employees
‒ Security analysts
‒ Security consultants

• Third Parties
‒ Audit Firms
‒ Value-Added Reseller (VAR)
‒ Manage Services
‒ Software as a Service (SaaS)
‒ Software Vendors
‒ Security Consultants
What skills are required?
What Skills are Needed?
•
•
•
•

Non Technical
Basic Technical
Offensive
Defensive
Non Technical Skillsets
• Written and Verbal Communications
‒ Emails/phone calls
‒ Report development
‒ Small and large group presentations

• Professionalism
‒ Respecting others, setting, and
meeting expectations
Non Technical Skillsets
• Troubleshooting Mindset
‒ Never give up, never surrender!
‒ Where there is a will, there is a way

• Ethics
‒ Don’t do bad things
‒ Pros (career) vs. Cons (jail)
‒ Hack responsibly
Basic Technical Skillsets
•
•
•
•
•

Windows Desktop Administration
Windows Domain Administration
Linux and Unix Administration
Network Infrastructure Administration
Application Development
‒ Scripting (Ruby, Python, PHP, Bash, PS, Batch)
‒ Managed languages (.Net, Java, Davlik)
‒ Unmanaged languages (C, C++)
Offensive and Defensive Knowledge
• System enumeration and service
fingerprinting
• Linux system exploitation and escalation
• Windows system exploitation and escalation
• Network system exploitation and escalation
• Protocol exploitation
• Web application exploitation
• Reverse engineering
• Anti-virus Evasion
• Social engineering techniques
What are some of the
common tools?
Common Tools
There are hundreds of “hacker” tools.

Generally, you need to have enough
knowledge to know what tool or tool(s) is
right for the task at hand….

…and if one doesn’t exist, then create it.
Common Tools
That being said…
Common Tools
Knowledge > Tools = Train your brain!
Understand the core technologies
Understand basic offensive techniques
Understand basic defensive techniques
Common Tools: Info Gathering
Find online resources owned by target including:
• Subsidiaries (companies)
• Systems (live IP addresses)
• Services
• Domains
• Web applications
• Email addresses
Tool Examples:
• Public registries: IP, DNS, SEC Filings, etc.
• Nmap
• Recon-ng
• Google
• BackTrack / Kali tool sets (many discovery tools)
Common Tools: Identify Vulnerabilities
Find vulnerabilities:
• Missing patches
• Weak configurations
‒ system, application, network

• Application issues
Tool Examples:
• Patches/Configurations: OpenVAS, Nessus,
NeXpose, Qualys, IP360 etc
• Applications: Burp, Zap, w3af, Nikto, DirBuster,
SQLMap, Web Inspect, Appscan etc
Common Tools: Penetration
Common penetration methods:
• Buffer overflows
• Default and weak passwords
• SQL Injection
• Insecure Protocols
Tool Examples:
• Patches: Metasploit, Canvas, Core Impact
• Configurations: Native tools, Responder,
Metasploit, Yersinia, Cain, Loki, Medusa
• Applications: SQLMap, Metasploit, Burp, Zap etc
Common Tools: Privilege Escalation
Exploit trust relationships to access to everything!
Tool Examples:
• Local Exploits & Weak Configurations
‒ Metasploit, Core Impact, Canvas,
‒ exploit-db.com

• Password Hash Cracking
‒ John the ripper, Hashcat, Rainbow Tables

• Pass-the-Hash
‒ Metasploit, PTH toolkits, WCE

• Token stealing
‒ Metasploit and Incognito

• Credential dumping
‒ Mimikatz, LSA Secrets, Credential Manager,
groups.xml, unattend.xml etc
Common Tools

Tools output a TON of data!
How do people manage all that data?
Common Pentest CMS Options
Managing penetration test data:
• Storing files in organized folders
• Writing reports from word/excel templates
• Storing information in databases and XML
• Open source CMS projects
• Commercial CMS products
• Examples:
‒ Dradis
‒ Threadfix
‒ CorrelatedVM
‒ Risk IO
Penetration Testing as a Career?
Pen Testing as a Career: How to Start
• Read and learn! – There is no “end”
• Tap into the community!
• Research and development
‒ Contribute to/start open source projects
‒ Present research at conferences

• Training and Certifications
‒ Community: DC612, OWASP, Conferences, etc
‒ Professional ($): SANS, OffSec, CISSP, CREST, etc

• Volunteer
• Internships
Pen Testing as a Career: Common Paths
• Internal Paths
‒ Help Desk
‒ IT Support
‒ IT Admin
‒ Security Analyst
‒ IRP Team
‒ Senior Security Analyst
‒ Internal Consultant
‒ CISO
• Security Consulting Paths
‒ Internship
‒ Consultant
‒ Senior Consultant
‒ Principal Consultant
‒ Team Lead
‒ Director

Corporate
employees tend to
stay corporate.
Security
consultants often
end up in malware
research and
exploit
development.
What we covered…
•
•
•
•
•
•
•
•
•

What is a penetration test?
Why do companies pay for them?
Types of penetration testing
What are the rules of engagement?
Who does penetration testing?
What skills do they have?
What tools do they use?
Penetration testing as a Career
Questions
Questions,
comments, curses?
BE SAFE and

HACK RESPONSIBLY

More Related Content

What's hot

Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationPECB
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testingMohit Belwal
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Frameworkjpubal
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 

What's hot (20)

Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Framework
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 

Viewers also liked

Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?amiable_indian
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Tipos de Pentest
Tipos de PentestTipos de Pentest
Tipos de PentestRafael Seg
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testingecmee
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingScott Sutherland
 
Ed Batista, The Art of Self-Coaching @StanfordBiz, Class 5: Resilience
Ed Batista, The Art of Self-Coaching @StanfordBiz, Class 5: ResilienceEd Batista, The Art of Self-Coaching @StanfordBiz, Class 5: Resilience
Ed Batista, The Art of Self-Coaching @StanfordBiz, Class 5: ResilienceEd Batista
 
Contact Centers en Nube y Nubes de Contact Centers: Las 6 As (Any network, An...
Contact Centers en Nube y Nubes de Contact Centers: Las 6 As (Any network, An...Contact Centers en Nube y Nubes de Contact Centers: Las 6 As (Any network, An...
Contact Centers en Nube y Nubes de Contact Centers: Las 6 As (Any network, An...Mundo Contact
 
Penetration Testing as an auditing tool
Penetration Testing as an auditing toolPenetration Testing as an auditing tool
Penetration Testing as an auditing toolsyrinxtech
 
18646089 tipos-y-clases-de-auditorias-informaticas
18646089 tipos-y-clases-de-auditorias-informaticas18646089 tipos-y-clases-de-auditorias-informaticas
18646089 tipos-y-clases-de-auditorias-informaticasyomito_2
 
Importancia de la Auditoria en Seguridad Informática
Importancia de la Auditoria en Seguridad InformáticaImportancia de la Auditoria en Seguridad Informática
Importancia de la Auditoria en Seguridad InformáticaMeztli Valeriano Orozco
 
Pruebas de penetración
Pruebas de penetraciónPruebas de penetración
Pruebas de penetraciónDavid Thomas
 
Penetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostomPenetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostomHardway Hou
 
Desmitificando el pentest share
Desmitificando el pentest shareDesmitificando el pentest share
Desmitificando el pentest shareny4nyi
 

Viewers also liked (18)

Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
What is pentest
What is pentestWhat is pentest
What is pentest
 
Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
Tipos de Pentest
Tipos de PentestTipos de Pentest
Tipos de Pentest
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
Ed Batista, The Art of Self-Coaching @StanfordBiz, Class 5: Resilience
Ed Batista, The Art of Self-Coaching @StanfordBiz, Class 5: ResilienceEd Batista, The Art of Self-Coaching @StanfordBiz, Class 5: Resilience
Ed Batista, The Art of Self-Coaching @StanfordBiz, Class 5: Resilience
 
Contact Centers en Nube y Nubes de Contact Centers: Las 6 As (Any network, An...
Contact Centers en Nube y Nubes de Contact Centers: Las 6 As (Any network, An...Contact Centers en Nube y Nubes de Contact Centers: Las 6 As (Any network, An...
Contact Centers en Nube y Nubes de Contact Centers: Las 6 As (Any network, An...
 
Penetration Testing as an auditing tool
Penetration Testing as an auditing toolPenetration Testing as an auditing tool
Penetration Testing as an auditing tool
 
18646089 tipos-y-clases-de-auditorias-informaticas
18646089 tipos-y-clases-de-auditorias-informaticas18646089 tipos-y-clases-de-auditorias-informaticas
18646089 tipos-y-clases-de-auditorias-informaticas
 
Importancia de la Auditoria en Seguridad Informática
Importancia de la Auditoria en Seguridad InformáticaImportancia de la Auditoria en Seguridad Informática
Importancia de la Auditoria en Seguridad Informática
 
Ciberseguridad en empresas
Ciberseguridad en empresasCiberseguridad en empresas
Ciberseguridad en empresas
 
Pruebas de penetración
Pruebas de penetraciónPruebas de penetración
Pruebas de penetración
 
Penetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostomPenetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostom
 
Desmitificando el pentest share
Desmitificando el pentest shareDesmitificando el pentest share
Desmitificando el pentest share
 

Similar to WTF is Penetration Testing v.2

The_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfThe_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfgcara4
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Httpillage lascon-2015
Httpillage lascon-2015Httpillage lascon-2015
Httpillage lascon-2015forcedrequest
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDaveEdwards12
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment isc2-hellenic
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoConferencias FIST
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Open Source Cyber Weaponry
Open Source Cyber WeaponryOpen Source Cyber Weaponry
Open Source Cyber WeaponryJoshua L. Davis
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011Xavier Mertens
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 

Similar to WTF is Penetration Testing v.2 (20)

The_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfThe_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdf
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Httpillage lascon-2015
Httpillage lascon-2015Httpillage lascon-2015
Httpillage lascon-2015
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario Malicioso
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
Becoming a better pen tester overview
Becoming a better pen tester overviewBecoming a better pen tester overview
Becoming a better pen tester overview
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Open Source Cyber Weaponry
Open Source Cyber WeaponryOpen Source Cyber Weaponry
Open Source Cyber Weaponry
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 

More from Scott Sutherland

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Scott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQLScott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShellScott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)Scott Sutherland
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsScott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360Scott Sutherland
 

More from Scott Sutherland (20)

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 

Recently uploaded

React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - AvrilIvanti
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 

Recently uploaded (20)

React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - Avril
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 

WTF is Penetration Testing v.2

  • 1. WTF is Penetration Testing v.2
  • 2. Who are we? Eric Gruber @egru http://github.com/egru http://github.com/netspi http://netspi.com/blog Karl Fosaaen @kfosaaen http://github.com/kfosaaen http://slideshare.com/kfosaaen Scott Sutherland @_nullbind http://github.com/nullbind http://slideshare.com/nullbind
  • 3. Demo Common Escalation Paths: • Enumerate live systems and open ports with nmap • Brute force database account with SQLPingv3 • Get a shell on the database server with the mssql_payload Metasploit module • Dump domain admin passwords in clear text with mimikatz • Log into high value database to access data • Log into domain controller to find and access everything else
  • 4. Overview • • • • • • • • • What is a penetration test? Why do companies pay for them? Types of penetration testing What are the rules of engagement? Who does penetration testing? What skills do they have? What tools do they use? Penetration testing as a Career Questions
  • 5. What is a Penetration Test?
  • 6. What is Penetration Testing? Our Definition: “The process of evaluating systems, applications, and protocols with the intent of identifying vulnerabilities usually from the perspective of an unprivileged or anonymous user to determine potential real world impacts…” “…legally and under contract”
  • 7. What is Penetration Testing? In short…
  • 8. What is Penetration Testing? …we try to break into stuff before the bad guys do
  • 9. Why do companies buy Penetration Tests?
  • 10. Why do companies buy pentests? • Meet compliance requirements • Evaluate risks associated with an acquisition or partnership • Validate preventative controls • Validate detective controls • Prioritize internal security initiatives • Proactively prevent breaches
  • 11. Why do Companies Pen Test?
  • 12. Why do Companies Pen Test?
  • 13.
  • 14.
  • 15. What types of Penetration Tests are there?
  • 17. Types of Penetration Testers Black Hat Independent research and exploitation with no collaboration with vendor. Gray Hat Independent research and exploitation with some collaboration with vendor. White Hat Collaborative research, assessment, and exploitation with vendor.
  • 18. Types of Penetration Tests Black Box Zero knowledge of target. Gray Box User knowledge of target. Sometimes as an anonymous user. White Box Administrative or development knowledge of target.
  • 19. Types of Penetration Tests Information Black Box Gray Box White Box Network Ranges x x IP Addresses x x Domains x x Network Documentation x x Application Documentation x x API Documentation x x Application Credentials x Database Credentials x Server Credentials x
  • 20. Types of Penetration Tests • Technical Control Layer ‒ Network ‒ Application (mobile, web, desktop etc) ‒ Server ‒ Wireless ‒ Embedded Device • Physical Control Layer ‒Client specific site ‒Data centers • Administrative Control Layer ‒Email phishing ‒Phone and onsite social engineering
  • 21. What are the Rules of Engagement?
  • 22. Rules of Engagement • • • • • • • • • Hack Responsibly! Written permission Clear communication Stay in scope No Denial-of-Service Don’t change major state Restore state Use native technologies Stay off disk
  • 23. Are there any Penetration Testing methodologies?
  • 24. Common Approach • • • • • • • • • Kickoff: Scope, test windows, risks, contacts Information Gathering Vulnerability Enumeration Penetration Escalation Evidence Gathering Clean up Report Creation Report Delivery and Review
  • 25. Common Approach: Standards Methodologies • Ptes • OSSTM • ISSAF • NIST • OWASP Certifications • SANS • OSCP • CREST
  • 27. Assessment VS. Penetration What can both an assessment or pentest answer? • • • • • What are my system layer vulnerabilities? Where are my system layer vulnerabilities? Will we know if we are being scanned? How do I fix my vulnerabilities? Are we fixing things over time?
  • 28. Assessment VS. Penetration What else can a pentest answer? • What vulnerabilities represent the most risk? • What are my high impact system, network, and application layer issues? • Can an attacker gain unauthorized access to critical infrastructure, application functionality, and sensitive data • Can attackers bypass multiple layers of detective and preventative controls? • Can attackers pivot between environments? • Are procedures being enforced
  • 30. Who Conducts Penetration Testing? People that can pass a background check
  • 31. Who Conducts Penetration Testing? • Internal Employees ‒ Security analysts ‒ Security consultants • Third Parties ‒ Audit Firms ‒ Value-Added Reseller (VAR) ‒ Manage Services ‒ Software as a Service (SaaS) ‒ Software Vendors ‒ Security Consultants
  • 32. What skills are required?
  • 33. What Skills are Needed? • • • • Non Technical Basic Technical Offensive Defensive
  • 34. Non Technical Skillsets • Written and Verbal Communications ‒ Emails/phone calls ‒ Report development ‒ Small and large group presentations • Professionalism ‒ Respecting others, setting, and meeting expectations
  • 35. Non Technical Skillsets • Troubleshooting Mindset ‒ Never give up, never surrender! ‒ Where there is a will, there is a way • Ethics ‒ Don’t do bad things ‒ Pros (career) vs. Cons (jail) ‒ Hack responsibly
  • 36. Basic Technical Skillsets • • • • • Windows Desktop Administration Windows Domain Administration Linux and Unix Administration Network Infrastructure Administration Application Development ‒ Scripting (Ruby, Python, PHP, Bash, PS, Batch) ‒ Managed languages (.Net, Java, Davlik) ‒ Unmanaged languages (C, C++)
  • 37. Offensive and Defensive Knowledge • System enumeration and service fingerprinting • Linux system exploitation and escalation • Windows system exploitation and escalation • Network system exploitation and escalation • Protocol exploitation • Web application exploitation • Reverse engineering • Anti-virus Evasion • Social engineering techniques
  • 38. What are some of the common tools?
  • 39. Common Tools There are hundreds of “hacker” tools. Generally, you need to have enough knowledge to know what tool or tool(s) is right for the task at hand…. …and if one doesn’t exist, then create it.
  • 41. Common Tools Knowledge > Tools = Train your brain! Understand the core technologies Understand basic offensive techniques Understand basic defensive techniques
  • 42. Common Tools: Info Gathering Find online resources owned by target including: • Subsidiaries (companies) • Systems (live IP addresses) • Services • Domains • Web applications • Email addresses Tool Examples: • Public registries: IP, DNS, SEC Filings, etc. • Nmap • Recon-ng • Google • BackTrack / Kali tool sets (many discovery tools)
  • 43. Common Tools: Identify Vulnerabilities Find vulnerabilities: • Missing patches • Weak configurations ‒ system, application, network • Application issues Tool Examples: • Patches/Configurations: OpenVAS, Nessus, NeXpose, Qualys, IP360 etc • Applications: Burp, Zap, w3af, Nikto, DirBuster, SQLMap, Web Inspect, Appscan etc
  • 44. Common Tools: Penetration Common penetration methods: • Buffer overflows • Default and weak passwords • SQL Injection • Insecure Protocols Tool Examples: • Patches: Metasploit, Canvas, Core Impact • Configurations: Native tools, Responder, Metasploit, Yersinia, Cain, Loki, Medusa • Applications: SQLMap, Metasploit, Burp, Zap etc
  • 45. Common Tools: Privilege Escalation Exploit trust relationships to access to everything! Tool Examples: • Local Exploits & Weak Configurations ‒ Metasploit, Core Impact, Canvas, ‒ exploit-db.com • Password Hash Cracking ‒ John the ripper, Hashcat, Rainbow Tables • Pass-the-Hash ‒ Metasploit, PTH toolkits, WCE • Token stealing ‒ Metasploit and Incognito • Credential dumping ‒ Mimikatz, LSA Secrets, Credential Manager, groups.xml, unattend.xml etc
  • 46. Common Tools Tools output a TON of data!
  • 47. How do people manage all that data?
  • 48. Common Pentest CMS Options Managing penetration test data: • Storing files in organized folders • Writing reports from word/excel templates • Storing information in databases and XML • Open source CMS projects • Commercial CMS products • Examples: ‒ Dradis ‒ Threadfix ‒ CorrelatedVM ‒ Risk IO
  • 50. Pen Testing as a Career: How to Start • Read and learn! – There is no “end” • Tap into the community! • Research and development ‒ Contribute to/start open source projects ‒ Present research at conferences • Training and Certifications ‒ Community: DC612, OWASP, Conferences, etc ‒ Professional ($): SANS, OffSec, CISSP, CREST, etc • Volunteer • Internships
  • 51. Pen Testing as a Career: Common Paths • Internal Paths ‒ Help Desk ‒ IT Support ‒ IT Admin ‒ Security Analyst ‒ IRP Team ‒ Senior Security Analyst ‒ Internal Consultant ‒ CISO • Security Consulting Paths ‒ Internship ‒ Consultant ‒ Senior Consultant ‒ Principal Consultant ‒ Team Lead ‒ Director Corporate employees tend to stay corporate. Security consultants often end up in malware research and exploit development.
  • 52. What we covered… • • • • • • • • • What is a penetration test? Why do companies pay for them? Types of penetration testing What are the rules of engagement? Who does penetration testing? What skills do they have? What tools do they use? Penetration testing as a Career Questions
  • 54. BE SAFE and HACK RESPONSIBLY

Editor's Notes

  1. Internal - wears many other hats or is a consultant on internal “Plan, build, deploy” teams – also help to maintain compliance status and deal with actual breaches when no response team existsExternal – brought because they don’t have the skillset on staff or a third party is required for legal, regulatory, or political reasonsNote: Touch briefly on crowd source of exploit development and the difference.Audit = often sold at loss as part of larger projects – example include deloit, larsonallen, and Value-Added Reseller – often part of goal to sell software, hardware, or applianceManaged services - Deploy appliances managed by third partySaas - Provide services through online application such as white hat, or qualysSoftware Vendors - Hp web inspect, cigitial with blah, rapid7 with metasploit, core with core impact – they makes, sell and use the product during the pentestSecurity consultants – focus just on services – often in advisory role
  2. Internal - wears many other hats or is a consultant on internal “Plan, build, deploy” teams – also help to maintain compliance status and deal with actual breaches when no response team existsExternal – brought because they don’t have the skillset on staff or a third party is required for legal, regulatory, or political reasonsNote: Touch briefly on crowd source of exploit development and the difference.Audit = often sold at loss as part of larger projects – example include deloit, larsonallen, and Value-Added Reseller – often part of goal to sell software, hardware, or applianceManaged services - Deploy appliances managed by third partySaas - Provide services through online application such as white hat, or qualysSoftware Vendors - Hp web inspect, cigitial with blah, rapid7 with metasploit, core with core impact – they makes, sell and use the product during the pentestSecurity consultants – focus just on services – often in advisory role
  3. Internal - wears many other hats or is a consultant on internal “Plan, build, deploy” teamsExternal – brought because they don’t have the skillset on staff or a third party is required for legal, regulatory, or political reasons
  4. Note: full blown reverse engineering using debugging techniques is often more of the focus of and malware analyst or exploit development. However, there is a cross over in toolsets.
  5. Note: full blown reverse engineering using debugging techniques is often more of the focus of and malware analyst or exploit development. However, there is a cross over in toolsets.
  6. Note: full blown reverse engineering using debugging techniques is often more of the focus of and malware analyst or exploit development. However, there is a cross over in toolsets.