Professional Hacking in 2011


Free pentest course slides - deck one

Published in: Technology

  1. Why are we here?
     • Your job?
     • ?
     • Hacking is fun
     • The community is FUN
     • Learning
     • Beer and Pizza, hang out
  2. Course outline
     • Basics
       • Why? TF
       • Why do we do Security Testing?
       • VMs/Labs
       • Networking Knowledge
       • Attack Concepts
       • The Methodology(s)
     • Intermediate Stuff
       • Practical Penetration Testing
       • Current Techniques
     • Most importantly…
  3. Most importantly
     • Have fun
     • Participate*
     • Learn
     • Eventually we will be learning together
  4. Definition #1
     • A Vulnerability is defined as a weakness which allows an attacker to reduce a computer system's security.
  5. Types of Security Testing
     • Network Testing ($)
       • Traditional, auditing of services and configuration
     • Web Application Testing ($$)
       • Focus on application type flaws
       • Web frameworks
     • Social Engineering ($)
       • Attacking users, most resembles real world
  6. Types of Security Testing
     • Physical Testing / Red Teaming ($$)
       • A fork of social engineering, much more involved
     • Binary Analysis / Reverse Engineering / Exploit Development ($$$)
       • Specialty fields
     • Source Code Auditing ($$)
       • Fork of both Web App testing and Binary ninjary
  7. 3 Types of Tests – Confusing? A bit…
     • Audit
       • Usually network testing, based around some agency's expectation of what security is. The biggest one is a standard called PCI.
       • Usually boring, but brings in lots of money. Usually the same skill sets are used.
       • Very structured, sometimes checklist and vulnerability scan driven.
       • Can include IT services (firewall config review, VLAN review, etc.)
  8. 3 Types of Tests
     • Assessment
       • More broad than an audit, doesn't have to comply with any agency's expectation of security.
       • Mile wide, less in depth.
       • Identify as many vulnerabilities as possible.
       • Can include IT services (firewall config review, VLAN review, etc.)
  9. 3 Types of Tests
     • Penetration Test
       • With all these definitions, tends to get confused.
       • "Pentests" actually test the security controls themselves and exploit the vulnerabilities.
       • More goal oriented: prove real threats, get real data as the success factor.
       • Harder, more expectation of pwnage; most of the time you have to "get" something.
       • Usually does NOT include IT services.
     • We will focus mostly on pentesting… because I think it's the most fun, but the skills map across all domains.
  10. Ethics
     • The difference between hacking and an audit/assessment/pentest is… PERMISSION
  11. Lab 1: Trial by fire (metasploit)
     • Students who are here: access the class VM
       • Run ./msfconsole
       • Find syntax to use Tomcat Mgr Deploy
       • Make sure you updated msf
       • Google for default tomcat passwords or read the metasploit ones
       • Use generic/tcp/bind payload
     • For students who are remote:
       • Use Gotmilk's guide: tomcat.html
     • Congratulations – You just pwned your 1st box! If you have extra time, try and find the flags I've placed on the system and pwn a different lab machine, or follow the video above to grab a legit SSH account.
  12. A bit about hacking history… 4 Time Periods
     • Period 1 – In the not so distant past hacking and attack vectors were largely external.
       • Core external services were rife with overflows
       • Password complexity was non-existent
       • Trust relationship vulnerabilities were numerous
       • Firewalls sucked or were non-existent
       • The big web vulns were just beginning to be exploited
  13. A bit about hacking history…
     • Period 2 – Things got a bit better, then got worse
       • External services started to shape up, no more ./'ing the world.
       • Passwords got a bit better
       • Firewalls were big baddies
       • BUT…
       • Web vulns took off… SQL Injection was EVERYWHERE, Session Fixation, Logic flaws, etc…
       • Internal software was Swiss cheese – attackers migrated to client-side vectors
  14. A bit about hacking history…
     • Period 3 – Attackers got smart(er)
       • External services were pretty hard: death of external hacking and security assessment.
       • With the death of externals, companies focus on internal pentests.
       • Web vulns still prevalent but getting better with initiatives like OWASP
       • Internal software was still bad, but OS mitigations put a band-aid on some exploits.
       • Attackers created smarter ways to infect insiders through web malware
  15. A bit about hacking history…
     • Period 4 – The Current State
       • External services are very rarely vulnerable.
       • Web is still around, less in your face though.
       • Internal software continues to fail, but developing an exploit takes 2-9 months of research for an 0-day. Much more work.
       • Focus on internal pentesting assumes the attacker got access somehow. Internal pentesting is a lot of beating up on the Windows domain model, popping unpatched boxes, abusing current password schemes, using man-in-the-middle attacks, and internal password fail.
       • On the client side attackers sometimes use no exploits: JavaScript malware, Java applet reverse shells, crazy embedding tricks, etc… We are just beginning to emulate this.
       • Mobile phones are making the mistakes of yesteryear; hot topic right now
  16. So What? What you'll see a lot of still being sold in the industry are:
     • Web Assessments
     • Internal Pentests
     • Source Code Review
     • Mobile Assessments
     • The new "External" Pentests, which are really Client-Side Penetration Tests / Social Engineering Assessments / Web Pentest hybrids
  17. Next Time:
     • OSINT