• Your job?
• Hacking is fun
• The community is FUN
• Learning
• Beer and Pizza, hang out
Basics
• Why?TF
• Why do we do Security Testing?
• VMs/Labs
• Networking Knowledge
• Attack Concepts
• The Methodology(s)
Intermediate Stuff
• Practical Penetration Testing
• Current Techniques
Most importantly…
• Have fun
• Participate
• Learn
• Eventually we will be learning together
Definition #1
A Vulnerability is defined as a weakness which allows an attacker to reduce a computer system’s security.
Types of Security Testing
• Network Testing ($): Traditional auditing of services and configuration
• Web Application Testing ($$): Focus on application-type flaws, web frameworks
• Social Engineering ($): Attacking users, most resembles the real world
Types of Security Testing
• Physical Testing / Red Teaming ($$): A fork of social engineering, much more involved
• Binary Analysis / Reverse Engineering / Exploit Development ($$$): Specialty fields
• Source Code Auditing ($$): Fork of both Web App testing and Binary ninjary
3 Types of Tests
Confusing? A bit…
Audit
• Usually network testing, based around some agency’s expectation of what security is. The biggest one is a standard called PCI.
• Usually boring, but brings in lots of money.
• Usually the same skill sets are used.
• Very structured, sometimes checklist- and vulnerability-scan driven.
• Can include IT services (firewall config review, VLAN review, etc.)
3 Types of Tests
Assessment
• More broad than an audit, doesn’t have to comply with any agency’s expectation of security.
• Mile wide, less in depth.
• Identify as many vulnerabilities as possible.
• Can include IT services (firewall config review, VLAN review, etc.)
3 Types of Tests
Penetration Test
• With all these definitions, tends to get confused.
• “Pentests” actually test the security controls themselves and exploit the vulnerabilities.
• More goal oriented: prove real threats, get real data as the success factor.
• Harder, more expectation of pwnage; most of the time you have to “get” something.
• Usually does NOT include IT services.
We will focus mostly on pentesting… because I think it’s the most fun, but the skills map across all domains.
Ethics
The difference between hacking and an audit/assessment/pentest is…. PERMISSION
Lab 1: Trial by fire (metasploit)
Students who are here: access the class VM
• Run ./msfconsole
• Find the syntax to use Tomcat Mgr Deploy
• Make sure you updated msf
• Google for default tomcat passwords or read the metasploit ones
• Use the generic/tcp/bind payload
For students who are remote:
• Use g0tmi1k’s guide: http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-tomcat.html
Congratulations – You just pwned your 1st box! If you have extra time, try to find the flags I’ve placed on the system and pwn a different lab machine, or follow the video above to grab a legit SSH account.
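Lab 1 from the blue-team side, as an added example that is not part of the class materials: a small Python parser over constructed Tomcat access-log lines (the AccessLogValve default common-log pattern is assumed) that flags the default-credential guessing against the Manager app and the WAR deploy the lab performs, so students can see what the exercise looks like in the server’s own logs.

```python
import re
from collections import Counter

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b (common log format)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not real traffic): a password-guessing run against the
# Manager app, then a successful WAR upload through /manager/html/upload.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:15:30 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2012:10:15:31 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2012:10:15:31 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Mar/2012:10:15:32 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [12/Mar/2012:10:15:33 +0000] "GET /manager/html HTTP/1.1" 200 19876
10.0.0.5 - tomcat [12/Mar/2012:10:15:35 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 20011
192.168.1.20 - - [12/Mar/2012:10:16:00 +0000] "GET /index.jsp HTTP/1.1" 200 1200
192.168.1.21 - admin [12/Mar/2012:10:17:00 +0000] "GET /manager/html HTTP/1.1" 200 19876
"""

def parse(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def manager_alerts(log_text, fail_threshold=3):
    """Alerts for Manager-app password guessing and deployments.

    - ('bruteforce', host, n): a source host with >= fail_threshold 401s on /manager/
    - ('deploy', host, user, path): a 2xx POST/PUT to a Manager deploy/upload path
    """
    failures = Counter()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or not rec["path"].startswith("/manager/"):
            continue
        status = int(rec["status"])
        path = rec["path"].split("?", 1)[0]          # drop the CSRF nonce query string
        if status == 401:
            failures[rec["host"]] += 1
        elif 200 <= status < 300 and rec["method"] in ("POST", "PUT") \
                and (path.endswith("/upload") or "/deploy" in path):
            alerts.append(("deploy", rec["host"], rec["user"], path))
    for host, n in failures.items():
        if n >= fail_threshold:
            alerts.append(("bruteforce", host, n))
    return alerts
```

Running `manager_alerts(SAMPLE_LOG)` reports one brute-force source and one deploy; the legitimate admin’s GET of the Manager page produces nothing.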
A bit about hacking history… 4 Time Periods
Period 1 - In the not so distant past, hacking and attack vectors were largely external
• Core external services were rife with overflows
• Password complexity was non-existent
• Trust relationship vulnerabilities were numerous
• Firewalls sucked or were non-existent
• The big web vulns were just beginning to be exploited
A bit about hacking history…
Period 2 – Things got a bit better, then got worse
• External services started to shape up, no more ./’ing the world
• Passwords got a bit better
• Firewalls were big baddies
• BUT… Web vulns took off… SQL Injection was EVERYWHERE, Session Fixation, Logic flaws, etc…
• Internal software was Swiss cheese - Attackers migrated to client-side vectors
A bit about hacking history…
Period 3 – Attackers got smart(er)
• External services were pretty hard: the death of external hacking and security assessment
• With the death of externals, companies focused on internal pentests
• Web vulns still prevalent but getting better with initiatives like OWASP
• Internal software was still bad, but OS mitigations put a band-aid on some exploits
• Attackers created smarter ways to infect insiders through web malware
So What?
What you’ll see a lot of still being sold in the industry:
• Web Assessments
• Internal Pentests
• Source Code Review
• Mobile Assessments
• The new “External” Pentests, which are really Client-Side Penetration Tests / Social Engineering Assessments / Web Pentest hybrids