• Your job?
• ?
• Hacking is fun
• The community is FUN
• Learning
• Beer and Pizza, hang out
• Basics
    • Why?TF
        • Why do we do Security Testing?
    • VM’s/Labs
    • Networking Knowledge
    • Attack Concepts
    • The Methodology(s)

• Intermediate Stuff
    • Practical Penetration Testing
    • Current Techniques

• Most importantly…
    • Have fun
    • Participate*
    • Learn
    • Eventually we will be learning together
Definition #1

A Vulnerability is defined as a weakness which allows an attacker to reduce a computer system's security.
Types of Security Testing

• Network Testing $
    • Traditional, auditing of services and configuration

• Web Application Testing $$
    • Focus on application type flaws
    • Web frameworks

• Social Engineering $
    • Attacking users, most resembles real world
Types of Security Testing

• Physical Testing / Red Teaming $$
    • A fork of social engineering, much more involved

• Binary Analysis / Reverse Engineering / Exploit Development $$$
    • Specialty fields

• Source Code Auditing $$
    • Fork of both Web App testing and Binary ninjary
3 Types of Tests

• Confusing? A bit…

• Audit
    • Usually network testing, based around some agency’s expectation of what security is. The biggest one is a standard called PCI.
    • Usually boring, but brings in lots of money. Usually the same skill sets are used.
    • Very structured, sometimes checklist and vulnerability scan driven.
    • Can include IT services (firewall config review, VLAN review, etc.)
3 Types of Tests

• Assessment
    • Broader than an audit, doesn’t have to comply with any agency’s expectation of security.
    • Mile wide, less in depth
    • Identify as many vulnerabilities as possible
    • Can include IT services (firewall config review, VLAN review, etc.)
3 Types of Tests

• Penetration Test
    • With all these definitions, tends to get confused
    • “Pentests” actually test the security controls themselves and exploit the vulnerabilities.
    • More goal oriented: prove real threats, get real data as the success factor.
    • Harder, more expectation of pwnage; most of the time you have to “get” something.
    • Usually does NOT include IT services.
    • We will focus mostly on pentesting… because I think it’s the most fun, but the skills map across all domains.
Ethics

• The difference between hacking and an audit/assessment/pentest is….

• PERMISSION
Lab 1: Trial by fire (metasploit)

Students who are here: access the class VM
• Run ./msfconsole
• Find the syntax to use Tomcat Mgr Deploy
    • Make sure you updated msf
    • Google for default Tomcat passwords or read the Metasploit ones
    • Use the generic/tcp/bind payload

• For students who are remote:
    • Use g0tmi1k’s guide:
    • http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-tomcat.html

• Congratulations – You just pwned your 1st box! If you have extra time, try to find the flags I’ve placed on the system and pwn a different lab machine, or follow the video above to grab a legit SSH account.
A bit about hacking history…

• 4 Time Periods
• Period 1 – In the not so distant past, hacking and attack vectors were largely external.
    • Core external services were rife with overflows
    • Password complexity was non-existent
    • Trust relationship vulnerabilities were numerous
    • Firewalls sucked or were non-existent
    • The big web vulns were just beginning to be exploited
A bit about hacking history…

• Period 2 – Things got a bit better, then got worse
    • External services started to shape up, no more ./’ing the world.
    • Passwords got a bit better
    • Firewalls were big baddies
    • BUT…
    • Web Vulns took off… SQL Injection was EVERYWHERE, Session Fixation, Logic flaws, etc…
    • Internal software was Swiss Cheese – Attackers migrated to client-side vectors
A bit about hacking history…

• Period 3 – Attackers got smart(er)
    • External services were pretty hard: death of external hacking and security assessment.
    • With the death of externals, companies focused on internal pentests.
    • Web vulns still prevalent but getting better with initiatives like OWASP
    • Internal software was still bad, but OS mitigations put a band-aid on some exploits.
    • Attackers created smarter ways to infect insiders through web malware
A bit about hacking history…

• Period 4 – The Current State
    • External services are very rarely vulnerable.
    • Web is still around, less in your face though.
    • Internal software continues to fail, but developing an exploit is 2-9 months of research for a 0-day. Much more work.
    • Focus on internal pentesting assumes the attacker got access somehow. Internal pentesting is a lot of beating up on the Windows domain model, popping unpatched boxes, abusing current password schemes, using man-in-the-middle attacks, and internal password fail.
    • On the client side attackers sometimes use no exploits: JavaScript malware, Java applet reverse shells, crazy embedding tricks, etc… We are just beginning to emulate this.
    • Mobile phones are making the mistakes of yester-year, hot topic right now
So What?

• What you’ll see a lot of still being sold in the industry:
    • Web Assessments
    • Internal Pentests
    • Source Code Review
    • Mobile Assessments
    • The new “External” Pentests, which are really Client-Side Penetration Tests / Social Engineering Assessments / Web Pentest hybrids
• Next Time:
    • OSINT

Professional Hacking in 2011