Adding Pentest Sauce to Your Vulnerability Management Recipe. Covers 10 tips to improve vulnerability management based on common red team and pentest findings.
2. Agenda
~$ whoami
After a Pentest We Hear…
Caveat
Bash Kung Fu Example
Ten Tips (No Particular Order)
Final Thoughts
Pentest Trends
Useful Training and Links
Contact Us
3. ~$ whoami
Andrew and Luke
Red Team @BreakPoint Labs (@0xcc_labs)
Bloggers/Podcasters @Primal Security (@primalsec)
Past: BSides (DC, CHARM, PHILLY, JXN, NoVA), RVASec
Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.)
Both came from Vulnerability Management and are now Pentesters
5. After a Pentest We Hear…
Why didn’t I see these vulnerabilities in our vulnerability scans?
6. Caveats
In a perfect world the Vulnerability team would have:
Testing Infrastructure (not just web access to scanner)
Command-line Skills + Scripting Skills (Python!)
Knowledge of other tools outside of vulnerability scanner
Understanding of what vulnerability scanners do well and where they fall short
7. Bash Kung Fu Example
Password Reuse Example: (You should do this!)
cat <file> | awk -F ':' '{print $4}' | sort | uniq -c | sort -nr | head -n 20
(Assumes pwdump-style user:rid:lmhash:nthash::: lines, so field 4 is the NT hash; the output lists the most-shared hashes and how many accounts use each.)
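Extending the one-liner above, as an added example that is not from the slides: a shell function that reports which accounts share each NT hash, so the remediation list (accounts to reset) falls out directly. It assumes pwdump-style `user:rid:lmhash:nthash:::` lines (field 4 is the NT hash) and uses a constructed sample file with placeholder hash values.

```shell
#!/bin/sh
# Added example (not from the slides). Input is assumed to be pwdump-style
# lines: user:rid:lmhash:nthash:::  -> field 4 is the NT hash.
# hash_reuse_report prints one line per hash shared by 2+ accounts:
#   "<count> <hash> <comma-separated accounts>", most-shared first.

hash_reuse_report() {
    awk -F ':' '
        NF >= 4 && $4 != "" {
            count[$4]++
            users[$4] = (users[$4] == "") ? $1 : users[$4] "," $1
        }
        END {
            for (h in count)
                if (count[h] > 1)
                    printf "%d %s %s\n", count[h], h, users[h]
        }' "$1" | LC_ALL=C sort -k1,1nr -k2,2
}

# Number of distinct hashes reused by more than one account (a single
# metric worth tracking across scans).
reused_hash_count() {
    hash_reuse_report "$1" | wc -l | tr -d ' '
}

# Constructed sample dump: LM/NT values are placeholders, not real hashes.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
Administrator:500:LM_PLACEHOLDER:HASH_SHARED_A:::
svc_backup:1105:LM_PLACEHOLDER:HASH_SHARED_A:::
jsmith:1201:LM_PLACEHOLDER:HASH_SHARED_A:::
helpdesk:1310:LM_PLACEHOLDER:HASH_SHARED_B:::
mjones:1311:LM_PLACEHOLDER:HASH_SHARED_B:::
unique_user:1400:LM_PLACEHOLDER:HASH_UNIQUE:::
EOF

hash_reuse_report "$SAMPLE"   # 3 HASH_SHARED_A Administrator,svc_backup,jsmith / 2 HASH_SHARED_B helpdesk,mjones
reused_hash_count "$SAMPLE"   # 2
```

A privileged account appearing in the same row as ordinary users is the case to chase first: one reset covers every account on that row.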
8. 1) Tools Beyond Vulnerability Scanner
What else to use outside of your vulnerability scanner?
Nmap (Various NSE Scripts)
Metasploit (Various Auxiliary Scanner Modules)
SMBmap / Enum4linux (Network Shares)
PowerSploit / Powerview -> Against Default Image
Responder.py (Analyze Mode – Detect Multicast Poisoning)
Pentest / Hack your Default Windows Image
9. 1) Tools Beyond Vulnerability Scanner
Tools that focus on Web (common weakness in vulnerability management):
BurpSuite (Free Version – Allows for Spidering and Throttled Automation)
EyeWitness (Visual Report of Application Landing Page(s) & Tech)
Whatweb (Technology Enumeration via Banner Grabbing Apps)
Wappalyzer (Chrome or Firefox Ext to ID Web Tech)
Censys.io and Shodan (External Footprint and Technology Detail)
Various CMS Scanners (Wpscan, CMSmap, etc.)
11. 2) Find Out the Tech Stack
Vulnerability Scanners Commonly Fall Short Here
Find Tech Stack: Whatweb, Wappalyzer, EyeWitness
Nmap -> Parse + Build URL List -> EyeWitness & Whatweb
Attempt Default Credentials (‘admin:admin’)
Look for version specific Exploits (exploit-db)
Many systems will lack secure configurations (SCADA, Printers, Network Cameras, Network Devices, etc.)
12. 3) Understand Your External Footprint
External testing box can provide external/attacker view (We Like AWS)
Most organizations rely on internal vulnerability scanner
Hard to know what attackers see from this view point on the network
13. 3) Understand Your External Footprint (Cont)
What does the Internet already know about your organization….?!?!
Censys.io and Shodan: 3rd party databases on Internet-exposed systems/services
Use Google Fu (search operators) to see what’s indexed within Google
Recon-ng also tons of good modules (Jhaddix Enumall.py)
Full Blog Here: https://breakpoint-labs.com/blog/reconnaissance-with-shodan-and-censys/
14. 4) Investigate Network Shares
What will you find while investigating open network shares?
Scripts
Virtual Machines
Databases
Configuration Files
Sensitive Group Policy Files,
Personally Identifiable Information (PII)
Data Backup Files
Financial documents
Personal documents
Sensitive corporate information in the form of documents (ppt, xls, doc, pdf, etc.)
Indications of compromise (e.g. ransomware)
15. 4) Investigate Network Shares (Cont)
How can we investigate a network for open network shares?
Smbmap and enum4linux can be useful tools to help automate some reconnaissance and find misconfigurations around network shares.
Parse Nmap for systems with SMB open and extract the IPs, then loop the smbmap command over them:
for i in $(cat <file>); do <command> "$i"; done
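The two parsing steps the slides describe (Nmap -> URL list for EyeWitness/Whatweb in tip 2, and Nmap -> SMB host list for smbmap here) as one added shell example that is not from the slides. It assumes Nmap grepable output (`-oG`) and a constructed sample scan with RFC 1918 placeholder addresses; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the slides). Parses Nmap grepable output (-oG),
# whose host lines look like (tab-separated in real output; the parser
# accepts spaces too):
#   Host: 10.0.0.5 ()  Ports: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///  Ignored State: closed (997)
# Each port entry is port/state/protocol/owner/service/rpcinfo/version.

# Print "<ip> <port-entry>" for every OPEN port (filtered/closed are dropped).
_open_ports() {
    awk '/^Host:/ && index($0, "Ports: ") {
        ip = $2
        ports = substr($0, index($0, "Ports: ") + 7)
        sub(/[ \t]*Ignored State:.*$/, "", ports)
        n = split(ports, p, /, */)
        for (j = 1; j <= n; j++) if (p[j] ~ /\/open\//) print ip, p[j]
    }' "$1"
}

# hosts_with_port <gnmap> <port>: IPs with that TCP port open, one per line
# (e.g. port 445 -> the list to loop smbmap over).
hosts_with_port() {
    _open_ports "$1" | awk -v port="$2" '{
        split($2, f, "/"); if (f[1] == port && f[3] == "tcp") print $1
    }' | LC_ALL=C sort -u
}

# web_urls <gnmap>: one http:// or https:// URL per open web service, decided
# by the service name (http, https, ssl|http, http-proxy, ...) or by the
# common ports 80/8080 and 443/8443 (the list EyeWitness and whatweb take).
web_urls() {
    _open_ports "$1" | awk '{
        split($2, f, "/"); port = f[1]; svc = f[5]
        if (svc == "https" || svc == "ssl|http" || port == "443" || port == "8443") scheme = "https"
        else if (substr(svc, 1, 4) == "http" || port == "80" || port == "8080") scheme = "http"
        else next
        printf "%s://%s:%s\n", scheme, $1, port
    }' | LC_ALL=C sort -u
}

# Constructed sample scan (not real output); addresses are placeholders.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# Nmap 7.x scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/28   (constructed)
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 80/open/tcp//http///, 443/open/tcp//ssl|http///, 445/open/tcp//microsoft-ds///  Ignored State: closed (997)
Host: 10.0.0.7 ()  Ports: 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///
Host: 10.0.0.9 ()  Ports: 22/open/tcp//ssh///, 445/filtered/tcp//microsoft-ds///
# Nmap done
EOF

hosts_with_port "$SAMPLE" 445   # 10.0.0.5 and 10.0.0.7 (10.0.0.9 is filtered, not open)
web_urls "$SAMPLE"               # http://10.0.0.5:80, http://10.0.0.7:8080, https://10.0.0.5:443
```

The slide's loop then becomes `for i in $(hosts_with_port scan.gnmap 445); do <command> "$i"; done`, and `web_urls scan.gnmap > urls.txt` is the input file for the web tools.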
16. 5) Address Web Applications Appropriately
How can we assess our web applications and infrastructure better?
Don’t rely on network vulnerability scanners alone to identify web flaws.
Learn Burp Suite (preferably Pro) and the power of manual testing!
Add a web application vulnerability scanning tool (e.g. Acunetix or the Burp Suite Pro Scanner) to identify vulnerabilities and flaws beyond the current tools.
17. 5) Address Web Applications Appropriately (Cont)
Developing a web infrastructure whitelist for your organization is key
Nmap + Shodan/Censys + Whatweb + EyeWitness = Big Picture
What Content Management Systems (CMS) do your Devs use?
Update Your web techs core version as well as plugins, dependencies, etc.
For further detail on identifying web application vulnerabilities reference: https://breakpoint-labs.com/blog/webapp-vulns/
18. 6) Find All the Devices and Appliances
Printers, Network Cameras, Network Devices, NAS, SCADA, etc...
These devices are often poorly configured on internal networks (e.g. excessive services available, default credentials)
Usually a detailed review of Nmap results can go a long way to enumerate odd-ball services and information for these types of devices/appliances.
19. 7) Know What Vulnerabilities are Interesting to Attackers
How Your Admins Feel About Vulnerability Reports:
20. 7) Know What Vulnerabilities are Interesting to Attackers (Cont)
Goal: This can help you prioritize remediation efforts.
Examples can include:
Eternal Blue Vulnerabilities and Ransomware
Samba RCE Vulnerability (CVE-2017-7494)
GPP Configuration Files on SYSVOL Shares
Multicast Poisoning (LLMNR / Responder)
Internet Facing Web Applications and/or CMS vulnerabilities
The next big vulnerability like heartbleed, shellshock, etc…
Focus on flaws that will actively be exploited – takes time to learn
21. 8) Be Aware of the Impact of Outdated Windows Systems on your Network
Does your organization have any legacy system(s) on the domain?
Examples: Windows XP, Windows Server 2000 and 2003, etc.
We commonly see these systems on networks still…
Typically the systems are known about and the risk is accepted, but should it be?
22. 8) Be Aware of the Impact of Outdated Windows Systems on your Network (Cont)
The Truth: Attackers can elevate access to these systems easily (MS08-067) -> dump credentials from memory (Mimikatz) -> grab hashes -> pivot = Winning
Typically local admin accounts on these systems are easy to obtain.
Are they then shared across your network?
Can lead to a full domain compromise!
23. 9) Understand OPSEC Failures and the Impact
Credentials on Sticky Notes / Note Pads – On Every Assessment
We suggest the security analyst do some regular walk-throughs of the environment for these types of OPSEC failures.
24. 10) Implement User Awareness Exercise
Vuln Analysts can Phish too!
End users tend to think “Pshhh…I won’t be a victim of a phishing email!”
Some Phishing Tools: GoPhish, Lucy
Generally Vuln Analysts can pitch this as “Click Analysis”
Pentests: 25-40% success rate in Phishing
25. Final Thoughts on Tips
• Implement open source tools into your vulnerability management program.
• Use Shodan and Censys.io for external (Internet facing) reconnaissance
• Make sure you investigate shares (enum4linux & smbshare)
• Unlinked content enumeration on web applications is often missed by tools (understand the limitations of the tools)
• Passwords written down on sticky notes? Yes, usually
• Develop whitelists and know the tech stacks associated with systems on the network
• Understand how to find vulns without relying on the vuln scanning tool (ex. Shellshock)
• Review network devices and appliances for weaknesses and lack of secure configurations (default creds)
26. Pentest Trends
• Flaws that are not in checklists or Vuln Scanner can lead to full compromise
• LLMNR Poisoning is very effective
• Network Shares Expose Sensitive Information
• Web Application security and Network Monitoring is generally lacking
• People are far too trusting because they think it will never happen to them
• 25-40% Success rate on social engineering
• Passwords on sticky notes
• Default passwords and configurations on devices and appliances
• Vulnerability Management program is not aware of critical flaws
• Organizations are not aware of what is exposed to the Internet
• Users leverage weak credentials (Keyboard walks), and passwords are reused
27. Useful Trainings & Links
• Free Training: Cybrary
• CTFs: Vulnhub, Past CTF Writeups, Pentester Lab
• Training: Offensive Security, SANS, SecurityTube
• Book: Web Application Hackers Handbook
• Book: Black Hat Python
• Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel
• Talk: How to Shot Web - Jason Haddix
• Talk: How to be an InfoSec Geek - Primal Security
• Talk: Beyond Automated Testing – Us!
• Slides: Adam Steed - Attacking and Defending AD
• Slides: Will be on site soon