www.prismacsi.com
© All Rights Reserved.
Practical White Hat Hacker Training #1
Introduction
This document can be shared, quoted and used for commercial purposes, but cannot be changed. Detailed
information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
Introduction
PRISMA : Overview
• Cyber security consultancy to over 100 companies in a period of over 5 years
• Over 300 penetration testing projects
• More than 50 training projects
• The organizers and founders of some of the most important teams and activities in the country
• Octosec
• Canyoupwnme
• Hacktrick Cyber Security Conference
• Game of Pwners CTF
• Hacker Camp
PRISMA : Activities
• Penetration Testing Services
• Cyber Security Training
• Consultancy services
• Research and Development
• Cyber Army Infrastructure Systems
Penetration Tests
• Network Penetration Test
• Web Application Penetration Test
• Mobile Application Penetration Test
• Banking Regulation and Supervision Agency (BRSA) Compliant Penetration Test
• Distributed Denial-of-Service (DDoS) Test
• Load and Stress Test
• Social Engineering Test
• SCADA Penetration Test
• Red Team Penetration Test
• APT Attack Simulation
• Mail Gateway Security Test
• Physical Penetration Test
Trainings
• Practical White Hat Hacker Training
• Network Penetration Test Training
• Wireless Network Penetration Test Training
• Mobile Application Security Training
• Web Application Security Training
• Advanced Penetration Test Training
• DoS & DDoS Attacks and Protection Training
• Vulnerability Management Training
• Secure Software Development Training
• Linux System Hardening Training
• Basic Linux Training
Consultancy
• Source Code Analysis
• Product / Project Consultancy
• Vulnerability Management
• HR - Recruitment Processes Technical Competence Analysis
Introduction
Let’s get to know a little about each other…
Topics
Agenda
• Cyber Security Basics
• Appendix: Basic Network Information
• Appendix: Basic Linux Information
• Passive Information Collection
• Active Information Collection
• Vulnerability Discovery
• Post Exploitation Stage
• Exploit Stage
• Network Based Attacks
• Password Cracking Attacks
Agenda
• Web Application Security
• Wireless Network Security
• IPS / IDS / WAF Evasion Techniques
• Social Engineering
Cyber Security Basics
Information Security
There are 3 important criteria for information security:
• Confidentiality
• Integrity
• Availability
[Figure: Security Model (Confidentiality, Integrity, Availability)]
Confidentiality
• Information should only be accessible to the person or system that is allowed to access it.
• Information that can be read, written or changed by anyone other than the intended parties
endangers this principle.
• Important events experienced in the past.
Integrity
• Consistent transmission of information from the source to the targeted point without any
change in its original form.
• Partial corruption or partial altering of the original information means that its integrity has been
compromised
• Important events experienced in the past.
Availability
• Information should be accessible and available whenever it is required by an authorized person
or system.
• DoS and DDoS attacks endanger this principle.
• Important events experienced in the past.
The Hacking Concept
Hacking has more than one meaning:
• Use of systems / hardware / software in ways other than originally intended
• Producing a solution for a problem can also be called hacking
• Software Piracy = Media language
Then who is a hacker?
• According to MIT a hacker is any person working on information systems.
• Computer Hacker
• General description: a person who performs hacks
• What’s a hack?
Concepts
• Penetration Test, Pentest
Attempt by hackers to infiltrate targeted systems using various tools and techniques, thereafter
reporting all identified vulnerabilities in detail.
• Pentester, Penetration Test expert
The person who applies the concept of penetration testing and develops themselves in
the field of cyber security. Keeps track of current techniques and research carried out by hackers,
and hence stays up to date.
Concepts
• Hacker
• White Hat Hacker
• Black Hat Hacker
• Grey Hat Hacker
• Script Kiddie
• Cracker
General Information on Penetration Testing
• Areas
• Network Penetration Testing
• Web Application Penetration Testing
• Mobile Application Penetration Testing
• Critical Infrastructure Systems Penetration Testing
• DDoS and Load Tests
• Risk Analysis
• Vulnerability Scanning
Types of Penetration Tests
• Black Box
• Grey Box
• White Box
Penetration Tests
Vulnerability Scanning vs. Penetration Testing
Cyber Killchain
• Privilege Escalation
• Covering Footprints
• Exploitation
• Vulnerability Discovery
• Information Gathering
Penetration Test Methodologies
• OWASP
• Web Security Tests
• Mobile Application Security Tests
• IoT Security Tests
• OSSTMM
• Open Source Security Testing Methodology Manual
• Pentest-Standard
Penetration Test Methodologies
• OWASP – Web Application Penetration Testing
Penetration Test Methodologies
• OSSTMM - http://www.isecom.org/mirror/OSSTMM.3.pdf
Penetration Test Report
• Tools Used
• Discovered devices
• Topology
• Vulnerabilities
• Exploitation methods
• Reachable endpoint
• Risks
• Defense methods
• Attack combinations
Career in Cyber Security
• Offensive
• Penetration Testing Expert
• Network Penetration Testing Expert
• Web Application Penetration Testing Expert
• Mobile Application Penetration Testing Expert
• Exploit Development
• Malware Development
Career in Cyber Security
• Defensive
• SOC – Security Operation Center – Analyst
• Forensics Expert
• System Security Expert
• Vulnerability Management Specialist
• Software Security Expert
• Malware Analyst
Certification Programs
• CEH – Certified Ethical Hacker
• TSE White Hat Hacker
• OSCP – Offensive Security Certified Professional
• OSCE – Offensive Security Certified Expert
• GWAPT – GIAC Web Application Penetration Tester
• GPEN – GIAC Penetration Tester
Types of Cyber Attacks by Country
• Turkey
• Russia
• America
• Germany
• China
Turkey
• Fraud attacks
• Using and writing of malware
• Social engineering attacks
Russia
• Writing and spreading of exploit kits
• Malware
• Banking attacks
• ATM attacks
Germany
• Exploit Kit / 0day development
• Malware
• Underground activities
• Hackers meeting point
• Chaos Computer Club
America
• Software development
• Technology development
• APT / 0day development
• Cyber war activities
• Case of Stuxnet
China
• Malicious software
• Automated software
• Nationalist hacker groups
• APT / 0day / Exploit development
• Cyber war activities
Chronology
• 1998: Morris Worm goes online.
• 2007: Russia halts Internet access in Estonia.
• 2009: After the attacks in Gaza, Israel suffered cyber attacks; 5 million websites were hacked.
• 2010: China's largest search engine, Baidu, hacked.
• 2010: Stuxnet is out in the wild.
• 2013: DDoS attack affects internet access.
• 2017: Wannacry paralyzes life all over the world.
News
https://securityintelligence.com/are-ransomware-attacks-rising-or-falling/
Cyber Attacker Profile
• Hacker
• Target-oriented cyber attack
• Government / State-backed cyber attack
• Religion / Racial sympathy
• Ego satisfaction
• Competitors and unfair competition oriented attacks
• Cyberterrorism
Cyber Attacker Profile
• Untrained staff (risk of involuntary attacks)
• A fired person X
• Insider
Cyber Attacker Profile
• Malware attacks
• If the attack is targeted, an APT may be the most likely attacker.
• Any malware can affect your systems in some way.
• Such malware can enlist a system into a botnet.
Cyber Attack Losses
• In the past only prestige was lost.
• Changing the interface of pages (Defacement)
• Today financial loss is the most common form of loss.
• After Denial-of-Service attacks companies may experience a service outage or interruption.
Some Cyber Security Defense Mechanisms
• Security Firewalls
• Antivirus
• SSL
• Intrusion Detection System (IDS)
• Intrusion Prevention Systems (IPS)
• Security Information and Event Management (SIEM)
• Content Filter
Some Cyber Security Defense Mechanisms
• Web Application Firewall (WAF)
• Data Leakage Prevention (DLP)
• Advanced Cyber Threat Detection (APT Protection)
• Deep Packet Inspection (DPI)
• Security Operations Center (SOC)
Basic Terminologies
• Cryptology
  • The science of ciphers.
• Steganography
  • The science of hiding data in plain sight.
• Encoding
  • The process of converting data into a different format.
  • Base64
Terminology
• Hash
• A hash is data converted into a unique form.
• Output length is fixed (an MD5 hash is 32 characters).
• MD5
• SHA512
• Hash Cracking Attacks
• Unidirectional
• Wordlist
• Rainbow Table
Basic Terminologies
• Base64 - Encoding
  • PRISMA -> UFJJU01B
  • PRISMACSI -> UFJJU01BQ1NJ
  • UFJJU01B -> PRISMA
  • UFJJU01BQ1NJ -> PRISMACSI
• MD5
  • PRISMA -> c636499e580a2d1c4d96af7aacb67ec3
  • PRISMACSI -> be92422ae4a6ebba10d743a6213b9793
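The contrast between the Base64 and MD5 slides, as an added example that is not part of the original deck: encoding is reversible by anyone, an unsalted hash is one-way but repeatable (which is why a precomputed wordlist or rainbow table matches it), and a salted, slow hash removes that repeatability for password storage. The function names and the iteration count are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # example value chosen for this sketch


def b64_encode(text: str) -> str:
    """Encoding: a keyless change of representation that anyone can undo."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def b64_decode(encoded: str) -> str:
    return base64.b64decode(encoded).decode("utf-8")


def md5_hex(text: str) -> str:
    """Hash: one-way digest, always 32 hex characters for MD5."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(wordlist):
    """Precompute digest -> word once. An unsalted hash of the same input
    is always identical, so one table matches every stored copy of it."""
    return {md5_hex(word): word for word in wordlist}


def store_password(password: str):
    """Salted, deliberately slow hash: a fresh random salt per record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed inputs: the two strings used on the slide.
    words = ["PRISMA", "PRISMACSI"]

    for w in words:
        enc = b64_encode(w)
        print(f"base64  {w} -> {enc} -> {b64_decode(enc)}")

    # Digest length does not depend on input length.
    print("md5 length, short input:", len(md5_hex("PRISMA")))
    print("md5 length, long input: ", len(md5_hex("PRISMA" * 1000)))

    # Unsalted: a table built in advance recognises the stored digest.
    table = build_lookup(words)
    stored_unsalted = md5_hex("PRISMACSI")
    print("table lookup on unsalted MD5:", table.get(stored_unsalted))

    # Salted: the same password stored twice gives unrelated digests,
    # so a precomputed table has nothing to match, yet login still works.
    salt_a, digest_a = store_password("PRISMACSI")
    salt_b, digest_b = store_password("PRISMACSI")
    print("salted digests equal:", digest_a == digest_b)
    print("verification succeeds:", check_password("PRISMACSI", salt_a, digest_a))
```
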
Anonymity
Why the need?
• They want to hide their personal data.
• They want to hide their identity.
• They want to hide site preferences.
• They have adopted the concept of free internet.
Anonymity
Communication
• Whatsapp
• Telegram
• Signal
• IRC
• Jabber
Anonymity
Deep Web
• Underground
• Deepweb
• Darkweb
Area where hackers share information.
Anonymity
Deep Web
• Chaos Network
• DN42
• Freenet
• Anonet
• Tor
Demo
Practice
Questions
?
Contacts
www.prismacsi.com
info@prismacsi.com
0 850 303 85 35
/prismacsi

Practical White Hat Hacker Training - Introduction to Cyber Security
