Adding Pentest Sauce to your Vulnerability
Management Recipe
Andrew and Luke
Agenda
~$ whoami
After a Pentest We Hear…
Caveat
Bash Kung Fu Example
Ten Tips (No Particular Order)
Final Thoughts
Pentest Trends
Useful Training and Links
Contact Us
~$ whoami
Andrew and Luke
Red Team @BreakPoint Labs (@0xcc_labs)
Bloggers/Podcasters @Primal Security (@primalsec)
Past: BSides (DC, CHARM, PHILLY, JXN, NoVA), RVASec
Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.)
Both came from Vulnerability Management and are
now Pentesters
Goal: New Ideas to Improve Vuln Management
After a Pentest We Hear…
Why didn’t I see these vulnerabilities in our vulnerability scans?
Caveats
In a perfect world the Vulnerability team would have:
Testing Infrastructure (not just web access to scanner)
Command-line Skills + Scripting Skills (Python!)
Knowledge of other tools outside of vulnerability scanner
Understanding of what vulnerability scanners do well and
where they fall short
Bash Kung Fu Example
Password Reuse Example: (You should do this!)
awk -F ':' '{print $4}' <file> | sort | uniq -c | sort -nr | head -n 20
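The one-liner above expanded into a small script, as an added example that is not from the deck: the input is assumed to be a pwdump-style file (user:rid:lmhash:nthash:::) with the NT hash in field 4, and the sample rows and hash values are constructed placeholders.

```shell
#!/usr/bin/env bash
# Password-reuse check over a pwdump-style file (user:rid:lmhash:nthash:::).
# Two accounts with the same NT hash have the same password, so counting how
# often each hash appears shows where reuse is concentrated without cracking
# anything. The sample below is constructed for this example; the hash values
# are fake placeholders, not real hashes.
set -eu

SAMPLE_DUMP="$(mktemp)"
trap 'rm -f "$SAMPLE_DUMP"' EXIT
cat > "$SAMPLE_DUMP" <<'EOF'
alice:1001:00000000000000000000000000000000:0000000000000000000000000000aaaa:::
bob:1002:00000000000000000000000000000000:0000000000000000000000000000aaaa:::
carol:1003:00000000000000000000000000000000:0000000000000000000000000000bbbb:::
dave:1004:00000000000000000000000000000000:0000000000000000000000000000aaaa:::
erin:1005:00000000000000000000000000000000:0000000000000000000000000000cccc:::
svc_backup:1006:00000000000000000000000000000000:0000000000000000000000000000bbbb:::
EOF

# "count hash" for every NT hash shared by more than one account, most shared
# first. This is the deck's awk | sort | uniq -c | sort -nr pipeline with the
# single-use hashes dropped.
reuse_report() {
  awk -F: 'NF >= 4 && $4 != "" { print $4 }' "$1" \
    | sort | uniq -c | sort -nr \
    | awk '$1 > 1 { print $1, $2 }'
}

# Number of distinct hashes that are shared by more than one account.
reused_hash_count() {
  reuse_report "$1" | awk 'END { print NR }'
}

# The single most reused hash with its count, e.g. "3 <hash>".
most_reused() {
  reuse_report "$1" | awk 'NR == 1'
}

# Accounts that share a given NT hash: the list to hand to the account owners,
# and the quickest way to spot a service account sharing a user's password.
accounts_with_hash() {
  awk -F: -v h="$2" '$4 == h { print $1 }' "$1"
}

# Integer percentage of accounts whose password is shared with at least one
# other account; a single number that is easy to track from scan to scan.
shared_pct() {
  awk -F: 'NF >= 4 && $4 != "" { n++; c[$4]++ }
           END { for (h in c) if (c[h] > 1) s += c[h]
                 printf "%d\n", (n ? 100 * s / n : 0) }' "$1"
}

reuse_report "$SAMPLE_DUMP"
printf 'accounts sharing a password: %s%%\n' "$(shared_pct "$SAMPLE_DUMP")"
```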
1) Tools Beyond Vulnerability Scanner
What else to use outside of your vulnerability scanner?
Nmap (Various NSE Scripts)
Metasploit (Various Auxiliary Scanner Modules)
SMBmap / Enum4linux (Network Shares)
PowerSploit / Powerview -> Against Default Image
Responder.py (Analyze Mode – Detect Multicast Poisoning)
Pentest / Hack your Default Windows Image
1) Tools Beyond Vulnerability Scanner
Tools that focus on Web (common weakness in vulnerability management):
BurpSuite (Free Version – Allows for Spidering and Throttled Automation)
EyeWitness (Visual Report of Application Landing Page(s) & Tech)
Whatweb (Technology Enumeration via Banner Grabbing Apps)
Wappalyzer (Chrome or Firefox Ext to ID Web Tech)
Censys.io and Shodan (External Footprint and Technology Detail)
Various CMS Scanners (Wpscan, CMSmap, etc.)
Takeaway Here….
Reconnaissance is King!
The most important step with vulnerability enumeration is reconnaissance
2) Find Out the Tech Stack
Vulnerability Scanners Commonly Fall Short Here
Find Tech Stack: Whatweb, Wappalyzer, EyeWitness
Nmap -> Parse + Build URL List -> EyeWitness & Whatweb
Attempt Default Credentials (‘admin:admin’)
Look for version specific Exploits (exploit-db)
Many systems will lack secure configurations (SCADA,
Printers, Network Cameras, Network Devices, etc.)
3) Understand Your External Footprint
External testing box can provide external/attacker view (We Like AWS)
Most organizations rely on internal vulnerability scanner
Hard to know what attackers see from this view point on the network
3) Understand Your External Footprint (Cont)
What does the Internet already know about your organization….?!?!
Censys.io and Shodan: 3rd party databases on Internet-exposed systems/services
Use Google Fu (search operators) to see what’s indexed within Google
Recon-ng also tons of good modules (Jhaddix Enumall.py)
Full Blog Here: https://breakpoint-labs.com/blog/reconnaissance-with-shodan-and-censys/
4) Investigate Network Shares
What will you find while investigating open network shares?
Scripts
Virtual Machines
Databases
Configuration Files
Sensitive Group Policy Files,
Personally Identifiable Information (PII)
Data Backup Files
Financial documents
Personal documents
Sensitive corporate information in the form of (ppt, xls, doc, pdf, etc)
Indications of compromise….(i.e. Ransomware)
4) Investigate Network Shares (Cont)
How can we investigate a network for open network shares?
Smbmap and enum4linux can be useful tools to help automate some
reconnaissance and misconfigurations around network shares.
Parse Nmap for systems with SMB open and extract the IP, then for loop
over smbmap command:
for i in `cat <file>`; do <command> $i; done
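Both the "Nmap -> Parse + Build URL List" step in tip 2 and the SMB loop here start from the same parse of Nmap output. The shell below is an added example (not the deck's or BreakPoint Labs' code) that reads an Nmap grepable (-oG) file and produces both lists; the scan contents, host addresses and names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Turn an Nmap grepable (-oG) scan into target lists: hosts with a given port
# open (445/SMB for the smbmap loop) and a URL list for EyeWitness and Whatweb.
# The scan file below is constructed for this example; the hosts, names and
# services are placeholders, not real systems.
set -eu

SAMPLE_GNMAP="$(mktemp)"
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
{
  printf 'Host: 10.0.0.5 (fs01.corp.example)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n'
  printf 'Host: 10.0.0.7 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//ssl|http///, 445/filtered/tcp//microsoft-ds///\n'
  printf 'Host: 10.0.0.9 (printer.corp.example)\tPorts: 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///, 9100/open/tcp//jetdirect///\n'
  printf 'Host: 10.0.0.12 ()\tStatus: Up\n'
} > "$SAMPLE_GNMAP"

# Flatten the -oG file into one "ip port proto state service" line per port.
# Fields on a Host: line are tab separated; each port entry is
# "port/state/proto/owner/service/rpc/version/".
port_table() {
  awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports:/) continue
        n = split(substr($i, 8), p, ", ")
        for (j = 1; j <= n; j++) {
          split(p[j], f, "/")
          print ip, f[1], f[3], f[2], f[5]
        }
      }
    }' "$1"
}

# IPs with PORT open on TCP, one per line, deduplicated: this is the <file>
# consumed by the for loop above. Filtered ports are not open and are skipped.
hosts_with_open_port() {
  port_table "$1" \
    | awk -v port="$2" '$2 == port && $3 == "tcp" && $4 == "open" { print $1 }' \
    | sort -u
}

# scheme://ip:port/ for every open port Nmap labelled as some kind of HTTP.
# A service of ssl|http or https, or port 443, gets the https scheme.
web_urls() {
  port_table "$1" | awk '
    $4 == "open" && $5 ~ /http/ {
      scheme = ($5 ~ /ssl|https/ || $2 == 443) ? "https" : "http"
      printf "%s://%s:%s/\n", scheme, $1, $2
    }'
}

echo "SMB hosts:"; hosts_with_open_port "$SAMPLE_GNMAP" 445
echo "Web URLs:";  web_urls "$SAMPLE_GNMAP"
```

Redirect hosts_with_open_port to a file to feed the loop above, and hand the web_urls output to EyeWitness or Whatweb.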
5) Address Web Applications Appropriately
How can we assess our web applications and infrastructure better?
Don’t rely on network vulnerability scanners to identify web flaws alone…
Learn Burp Suite (preferably Pro) and the power of manual testing!
Add a web application vulnerability scanning tool (i.e. Acunetix or BurpSuite
Pro Scanner) to identify vulnerabilities and flaws beyond the current tools.
5) Address Web Applications Appropriately
(Cont)
Developing a web infrastructure whitelist for your organization is key
Nmap + Shodan/Censys + Whatweb + EyeWitness = Big Picture
What Content Management Systems (CMS) do your Devs use?
Update Your web techs core version as well as plugins, dependencies, etc.
For further detail on identifying web application vulnerabilities reference: https://breakpoint-labs.com/blog/webapp-vulns/
6) Find All the Devices and Appliances
Printers, Network Cameras, Network Devices, NAS, SCADA, etc...
These devices are often poorly configured on internal networks (i.e. excessive services
available, default credentials)
Usually a detailed review of Nmap results goes a long way toward enumerating odd-ball
services and information for these types of devices/appliances.
7) Know What Vulnerabilities are Interesting to
Attackers
How Your Admins Feel About Vulnerability Reports:
7) Know What Vulnerabilities are Interesting to
Attackers (Cont)
Goal: This can help you prioritize remediation efforts.
Examples can include:
Eternal Blue Vulnerabilities and Ransomware
Samba RCE Vulnerability (CVE-2017-7494)
GPP Configuration Files on SYSVOL Shares
Multicast Poisoning (LLMNR / Responder)
Internet Facing Web Applications and/or CMS vulnerabilities
The next big vulnerability like heartbleed, shellshock, etc…
Focus on flaws that will actively be exploited – takes time to learn
8) Be Aware of the Impact of Outdated Windows
Systems on your Network
Does your organization have any legacy system(s) on the domain?
Examples: Windows XP, Windows Server 2000 and 2003, etc.
We commonly see these systems on networks still…
Typically the systems are known about and the risk is accepted, but should it be?
8) Be Aware of the Impact of Outdated Windows
Systems on your Network (Cont)
The Truth: Attackers can elevate access to these systems easily (MS08-067) ->
dump credentials from memory (Mimikatz) -> grab hashes -> pivot = Winning
Typically local admin accounts on these systems are easy to obtain.
Are they then shared across your network?
Can lead to a full domain compromise!
9) Understand OPSEC Failures and the Impact
Credentials on Sticky Notes / Note Pads – On Every Assessment
We suggest the security analyst do regular walk-throughs of the
environment for these types of OPSEC failures.
10) Implement User Awareness Exercise
Vuln Analysts can Phish too!
End users tend to think “Pshhh…I won’t be a victim of a phishing email!”
Some Phishing Tools: GoPhish, Lucy
Generally Vuln Analysts can pitch this as “Click Analysis”
Pentests: 25-40% success rate in Phishing
Final Thoughts on Tips
• Implement open source tools into your vuln mngt program.
• Use Shodan and Censys.io for external (Internet facing) reconnaissance
• Make sure you investigate shares (enum4linux & smbmap)
• Unlinked Content enumeration on web applications is often missed by tools (understand the
limitations of the tools)
• Passwords written down on sticky notes? Yea usually
• Develop whitelists and know the tech stacks associated with systems on the network
• Understand how to find vulns without relying on the vuln scanning tool (ex. Shellshock)
• Review network devices and appliances for weaknesses and lack of secure configurations (default
creds)
Pentest Trends
• Flaws that are not in checklists or Vuln Scanner can lead to full compromise
• LLMNR Poisoning is very effective
• Network Shares Expose Sensitive Information
• Web Application security and Network Monitoring are generally lacking
• People are far too trusting because they think it will never happen to them
• 25-40% Success rate on social engineering
• Passwords on sticky notes
• Default passwords and configurations on devices and appliances
• Vulnerability Management program is not aware of critical flaws
• Organizations are not aware of what is exposed to the Internet
• Users leverage weak credentials (Keyboard walks), and passwords are reused
Useful Trainings & Links
• Free Training: Cybrary
• CTFs: Vulnhub, Past CTF Writeups, Pentester Lab
• Training: Offensive Security, SANS, SecurityTube
• Book: Web Application Hackers Handbook
• Book: Black Hat Python
• Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel
• Talk: How to Shot Web - Jason Haddix
• Talk: How to be an InfoSec Geek - Primal Security
• Talk: Beyond Automated Testing – Us!
• Slides: Adam Steed - Attacking and Defending AD
• Slides: Will be on site soon
Contact Us
Site: https://www.breakpoint-labs.com
Email: info@breakpoint-labs.com
Twitter: @0xcc_labs
BSidesJXN 2017 - Improving Vulnerability Management

  • 1. Adding Pentest Sauce to your Vulnerability Management Recipe Andrew and Luke
  • 2. Agenda ~$ whoami After a Pentest We Hear… Caveat Bash Kung Fu Example Ten Tips (No Particular Order) Final Thoughts Pentest Trends Useful Training and Links Contact Us
  • 3. ~$ whoami Andrew and Luke Red Team @BreakPoint Labs (@0xcc_labs) Bloggers/Podcasters @Primal Security (@primalsec) Past: BSides (DC, CHARM, PHILLY, JXN, NoVA), RVASec Certification Junkies (OSCE, OSCP, GWAPT, GPEN etc.) Both came from Vulnerability Management and are now Pentesters
  • 4. Goal: New Ideas to Improve Vuln Management
  • 5. After a Pentest We Hear… Why didn’t I see these vulnerabilities in our vulnerability scans?
  • 6. Caveats In a perfect world the Vulnerability team would have: Testing Infrastructure (not just web access to scanner) Command-line Skills + Scripting Skills (Python!) Knowledge of other tools outside of vulnerability scanner Understanding of what vulnerability scanners do well and where they fall short
  • 7. Bash Kung Fu Example Password Reuse Example: (You should do this!) Count how many accounts share each NT hash (field 4 of a pwdump-style user:rid:lmhash:nthash::: file): cat <file> | awk -F ":" '{print $4}' | sort | uniq -c | sort -nr | head -n 20
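The awk pipeline above only gives a count per hash. This added Python version (not from the slides) groups accounts by NT hash so the output names which accounts share a password, and skips the well-known empty-password hash so disabled or never-used accounts do not inflate the reuse count; the dump below is a constructed sample with placeholder NT hashes.

```python
from collections import defaultdict

# NT hash of the empty password: disabled or never-used accounts often
# carry it, so skipping it keeps them from inflating the reuse count.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed pwdump-style sample (user:rid:lmhash:nthash:::); the NT
# hashes are placeholders, not real values.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
svc_backup:1101:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
jdoe:1102:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
asmith:1103:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
bjones:1104:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
ckim:1105:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt_old:502:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text):
    """Yield (username, nt_hash) for each well-formed line; skip junk lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[0] or line.startswith("#"):
            continue
        yield fields[0], fields[3].lower()


def password_reuse(text, min_accounts=2, skip_empty=True):
    """Return {nt_hash: [usernames]} for hashes shared by >= min_accounts
    accounts, most widely shared hash first (same order as sort -nr)."""
    groups = defaultdict(list)
    for user, nt_hash in parse_pwdump(text):
        if skip_empty and nt_hash == EMPTY_NT_HASH:
            continue
        groups[nt_hash].append(user)
    shared = {h: users for h, users in groups.items() if len(users) >= min_accounts}
    return dict(sorted(shared.items(), key=lambda kv: len(kv[1]), reverse=True))


if __name__ == "__main__":
    for nt_hash, users in password_reuse(SAMPLE_DUMP).items():
        print(f"{len(users):3d} accounts share {nt_hash}: {', '.join(users)}")
```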
  • 8. 1) Tools Beyond Vulnerability Scanner What else to use outside of your vulnerability scanner? Nmap (Various NSE Scripts) Metasploit (Various Auxiliary Scanner Modules) SMBmap / Enum4linux (Network Shares) PowerSploit / Powerview -> Against Default Image Responder.py (Analyze Mode – Detect Multicast Poisoning) Pentest / Hack your Default Windows Image
  • 9. 1) Tools Beyond Vulnerability Scanner Tools that focus on Web (common weakness in vulnerability management): BurpSuite (Free Version – Allows for Spidering and Throttled Automation) EyeWitness (Visual Report of Application Landing Page(s) & Tech) Whatweb (Technology Enumeration via Banner Grabbing Apps) Wappalyzer (Chrome or Firefox Ext to ID Web Tech) Censys.io and Shodan (External Footprint and Technology Detail) Various CMS Scanners (Wpscan, CMSmap, etc.)
  • 10. Takeaway Here…. Reconnaissance is King! The most important step with vulnerability enumeration is reconnaissance
  • 11. 2) Find Out the Tech Stack Vulnerability Scanners Commonly Fall Short Here Find Tech Stack: Whatweb, Wappalyzer, EyeWitness Nmap -> Parse + Build URL List -> EyeWitness & Whatweb Attempt Default Credentials (‘admin:admin’) Look for version specific Exploits (exploit-db) Many systems will lack secure configurations (SCADA, Printers, Network Cameras, Network Devices, etc.)
  • 12. 3) Understand Your External Footprint External testing box can provide external/attacker view (We Like AWS) Most organizations rely on internal vulnerability scanner Hard to know what attackers see from this viewpoint on the network
  • 13. 3) Understand Your External Footprint (Cont) What does the Internet already know about your organization….?!?! Censys.io and Shodan: 3rd party databases on Internet-exposed systems/services Use Google Fu (search operators) to see what’s indexed within Google Recon-ng also has tons of good modules (Jhaddix Enumall.py) Full Blog Here: https://breakpoint-labs.com/blog/reconnaissance-with-shodan-and-censys/
  • 14. 4) Investigate Network Shares What will you find while investigating open network shares? Scripts Virtual Machines Databases Configuration Files Sensitive Group Policy Files, Personally Identifiable Information (PII) Data Backup Files Financial documents Personal documents Sensitive corporate information in the form of (ppt, xls, doc, pdf, etc) Indications of compromise….(i.e. Ransomware)
  • 15. 4) Investigate Network Shares (Cont) How can we investigate a network for open network shares? Smbmap and enum4linux can be useful tools to help automate some reconnaissance and misconfigurations around network shares. Parse Nmap for systems with SMB open and extract the IP, then for loop over the smbmap command: for i in $(cat <file>); do <command> "$i"; done
  • 16. 5) Address Web Applications Appropriately How can we assess our web applications and infrastructure better? Don’t rely on network vulnerability scanners alone to identify web flaws… Learn Burp Suite (preferably Pro) and the power of manual testing! Add a web application vulnerability scanning tool (i.e. Acunetix or BurpSuite Pro Scanner) to identify vulnerabilities and flaws beyond the current tools.
  • 17. 5) Address Web Applications Appropriately (Cont) Developing a web infrastructure whitelist for your organization is key Nmap + Shodan/Censys + Whatweb + EyeWitness = Big Picture What Content Management Systems (CMS) do your Devs use? Update your web tech’s core version as well as plugins, dependencies, etc. For further detail on identifying web application vulnerabilities reference: https://breakpoint-labs.com/blog/webapp-vulns/
  • 18. 6) Find All the Devices and Appliances Printers, Network Cameras, Network Devices, NAS, SCADA, etc... These devices are often poorly configured on internal networks (i.e. excessive services available, default credentials) Usually a detailed review of Nmap results can go a long way to enumerate odd ball services and information for these types of devices/appliances.
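The "Nmap -> Parse + Build URL List" step from tip 2 and the "parse Nmap for SMB, then loop" step from tip 4 share the same parsing work. This added Python example (not from the slides) reads Nmap's -oX XML output and produces both lists: IPs with 445/tcp open for the smbmap/enum4linux loop, and http(s) URLs for EyeWitness and Whatweb; the XML below is a constructed sample in the standard Nmap layout.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap -oX sample: one host with SMB and plain HTTP open, one
# with only an SSL-wrapped service on 8443 (its 445 is filtered, not open).
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt" tunnel="ssl"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""


def open_tcp_ports(xml_text):
    """Yield (ip, port, service_name, tunnel) for every open TCP port on an up host."""
    for host in ET.fromstring(xml_text).findall("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if addr is None or (status is not None and status.get("state") != "up"):
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not targets for either list
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            tunnel = svc.get("tunnel", "") if svc is not None else ""
            yield addr.get("addr"), int(port.get("portid")), name, tunnel


def smb_hosts(xml_text):
    """IPs with 445/tcp open: the input file for the smbmap/enum4linux for-loop."""
    return sorted({ip for ip, port, _, _ in open_tcp_ports(xml_text) if port == 445})


def web_urls(xml_text):
    """URL list for EyeWitness/Whatweb; the scheme comes from Nmap's ssl tunnel flag."""
    urls = []
    for ip, port, name, tunnel in open_tcp_ports(xml_text):
        if "http" not in name:
            continue
        scheme = "https" if tunnel == "ssl" or name.startswith("https") else "http"
        suffix = "" if port == (443 if scheme == "https" else 80) else f":{port}"
        urls.append(f"{scheme}://{ip}{suffix}")
    return urls


if __name__ == "__main__":
    print("\n".join(smb_hosts(SAMPLE_XML)))  # save as the <file> for the for-loop above
    print("\n".join(web_urls(SAMPLE_XML)))   # feed to EyeWitness / Whatweb
```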
  • 19. 7) Know What Vulnerabilities are Interesting to Attackers How Your Admins Feel About Vulnerability Reports:
  • 20. 7) Know What Vulnerabilities are Interesting to Attackers (Cont) Goal: This can help you prioritize remediation efforts. Examples can include: EternalBlue Vulnerabilities and Ransomware Samba RCE Vulnerability (CVE-2017-7494) GPP Configuration Files on SYSVOL Shares Multicast Poisoning (LLMNR / Responder) Internet Facing Web Applications and/or CMS vulnerabilities The next big vulnerability like Heartbleed, Shellshock, etc… Focus on flaws that will actively be exploited – takes time to learn
  • 21. 8) Be Aware of the Impact of Outdated Windows Systems on your Network Does your organization have any legacy system(s) on the domain? Examples: Windows XP, Windows Server 2000 and 2003, etc. We commonly see these systems on networks still… Typically the systems are known about and the risk is accepted, but should it be?
  • 22. 8) Be Aware of the Impact of Outdated Windows Systems on your Network (Cont) The Truth: Attackers can elevate access to these systems easily (MS08-067) -> dump credentials from memory (Mimikatz) -> grab hashes -> pivot = Winning Typically local admin accounts on these systems are easy to obtain. Are they then shared across your network? Can lead to a full domain compromise!
  • 23. 9) Understand OPSEC Failures and the Impact Credentials on Sticky Notes / Note Pads – On Every Assessment We suggest the security analyst do some regular walk-through of the environment for these types of OPSEC failures.
  • 24. 10) Implement User Awareness Exercise Vuln Analysts can Phish too! End users tend to think “Pshhh…I won’t be a victim of a phishing email!” Some Phishing Tools: GoPhish, Lucy Generally Vuln Analysts can pitch this as “Click Analysis” Pentests: 25-40% success rate in Phishing
  • 25. Final Thoughts on Tips • Implement open source tools into your vuln mgmt program. • Use Shodan and Censys.io for external (Internet facing) reconnaissance • Make sure you investigate shares (enum4linux & smbmap) • Unlinked Content enumeration on web applications is often missed by tools (understand the limitations of the tools) • Passwords written down on sticky notes? Yea usually • Develop whitelists and know the tech stacks associated with systems on the network • Understand how to find vulns without relying on the vuln scanning tool (ex. Shellshock) • Review network devices and appliances for weaknesses and lack of secure configurations (default creds)
  • 26. Pentest Trends • Flaws that are not in checklists or Vuln Scanner can lead to full compromise • LLMNR Poisoning is very effective • Network Shares Expose Sensitive Information • Web Application security and Network Monitoring is generally lacking • People are far too trusting because they think it will never happen to them • 25-40% Success rate on social engineering • Passwords on sticky notes • Default passwords and configurations on devices and appliances • Vulnerability Management program is not aware of critical flaws • Organizations are not aware of what is exposed to the Internet • Users leverage weak credentials (Keyboard walks), and passwords are reused
  • 27. Useful Training & Links • Free Training: Cybrary • CTFs: Vulnhub, Past CTF Writeups, Pentester Lab • Training: Offensive Security, SANS, SecurityTube • Book: Web Application Hacker’s Handbook • Book: Black Hat Python • Talks: IronGeek (Adrian Crenshaw’s) YouTube Channel • Talk: How to Shot Web - Jason Haddix • Talk: How to be an InfoSec Geek - Primal Security • Talk: Beyond Automated Testing – Us! • Slides: Adam Steed - Attacking and Defending AD • Slides: Will be on site soon
  • 28. Contact Us Site: https://www.breakpoint-labs.com Email: info@breakpoint-labs.com Twitter: @0xcc_labs