WTF IS PENETRATION TESTING? 
AN OVERVIEW OF WHO, WHAT, WHERE, WHEN, AND WHY 
AKHIL..
Presentation Overview 
• WHAT IS A “PEN TEST”? 
• WHY DO COMPANIES “PEN TEST”? 
• WHO DOES “PEN TESTING”? 
• WHAT SKILLS ARE REQUIRED? 
‒NON TECHNICAL SKILLSET 
‒BASIC TECHNICAL SKILLSET 
‒OFFENSIVE AND DEFENSIVE KNOWLEDGE 
• WHAT ARE SOME COMMON TOOLS? 
• PEN TESTING AS A CAREER
• ATTACK DEMO: SQL INJECT WORLD
• QUESTIONS
What is Penetration Testing? 
Our Definition: 
“The process of evaluating systems, applications, and protocols with the intent of identifying vulnerabilities from the perspective of an unprivileged or anonymous user to determine the real-world impact…”
“…legally and under contract”
Why do Companies Pen Test?
Compliance Requirements 
Validate Existing Controls 
Identify Unknown Security Gaps 
Prioritize Existing Security Initiatives 
Prevent Data Breaches 
Test IDS / IPS / IRP
What are the Technical Objectives? 
Client specific objectives first 
Identify and verify all entry points 
Identify critical escalation points 
Gain unauthorized access to: 
‒Application functionality 
‒Critical systems 
‒Sensitive data
Assessment VS. Penetration
Vulnerability Assessment and Penetration Testing Answer:
‒What are my system layer vulnerabilities?
‒Where are my system layer vulnerabilities?
‒How widespread are my system layer vulnerabilities?
‒Can I identify attacks? 
‒How do I fix my vulnerabilities?
Assessment VS. Penetration 
Penetration Testing Answers: 
‒What are my high impact network layer issues? 
‒What are my high impact application layer issues? 
‒Can an attacker gain unauthorized access to: 
• critical infrastructure that provides privileged access or cause service disruptions 
• critical application functionality that the business depends on 
• sensitive data that the business would be required to report on if a breach occurs 
‒Can an attacker bypass our IPS / WAF?
‒Can an attacker pivot from environment A to environment B?
Common Penetration Test Approach 
• Kickoff: Scope, cost, testing windows, risks, etc.
• Information Gathering 
• Vulnerability Enumeration 
• Penetration 
• Escalation 
• Evidence Gathering (Pilfering) 
• Clean up 
• Report Creation 
• Report Delivery and Review 
• Remediation
Rules of Engagement 
Have fun, but…Hack Responsibly! 
Written permission 
Stay in scope 
No DoS 
Don’t change major state 
Restore state 
Clear communication
What Skills are Needed? 
Non Technical 
Basic Technical 
Offensive 
Defensive 
Common Tools
Non Technical Skillset 
Written and Verbal Communications 
Emails/phone calls 
Report development 
Small and large group presentations 
Professionalism 
Respecting others, setting, and meeting expectations 
Troubleshooting Mindset 
Never give up, never surrender 
Where there is a will, there is a way 
Ethics 
Don’t do bad things 
Pros (career) vs. Cons (jail) 
Hack responsibly
Basic Technical Skillset 
Windows Desktop Administration 
Windows Domain Administration 
Linux and Unix Administration 
Network Infrastructure Administration 
Application Development 
Scripting (Ruby, Python, PHP, Bash, PS, Batch) 
Managed languages (.Net, Java, Dalvik)
Unmanaged languages (C, C++)
Offensive and Defensive Knowledge 
System enumeration and service fingerprinting 
Linux system exploitation and escalation 
Windows system exploitation and escalation 
Network system exploitation and escalation 
Protocol exploitation 
Web application exploitation (OWASP) 
Reverse engineering client-server applications + AV Evasion 
Social engineering techniques (onsite, phone, email)
Common Tools
• Knowledge > Tools
Understand the core technologies 
Understand the core offensive techniques 
Understand the core defensive techniques 
Network Penetration Testing 
BT, CAIN, YERSINIA, NCAT, NMAP, NESSUS, NEXPOSE, WCE, MIMIKATZ, AirCrack-ng, METASPLOIT… and NATIVE TOOLS!
Application Penetration Testing 
BURP, ZAP, NIKTO, DIRBUSTER, SQLMAP, SQLNinja, and BEEF… and commercial tools
Pen Testing as a Career: 
Common Paths 
Internal Paths 
Help Desk 
IT Support 
IT Admin 
Security Analyst 
Senior Security Analyst 
Internal Consultant 
CISO 
Security Consulting Paths 
Internship 
Consultant
Senior Consultant
Principal Consultant
Team Lead 
Director Security 
>Consultants often end up in malware research or exploit development, but some go corporate. 
>Internal employees often stay internal.
BE SAFE and HACK RESPONSIBLY
Questions, comments, curses?
