The document discusses ethical hacking and penetration testing. It provides an overview of the session which will cover taking a look at the environment, the penetration testing process and tools, and some real-life case studies. It then discusses the benefits of penetration testing for identifying vulnerabilities before exploitation. The document outlines the general penetration testing process which involves information gathering, scanning, determining service versions, running exploits, and repeating until goals are achieved. It also discusses specific internal and external penetration testing methodologies and commonly used tools.
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Title: Hands on Penetration Testing 101 by Scott Sutherland & Karl Fosaaen
Abstract: The goal of this training is to introduce attendees to standard penetration test methodologies, tools, and techniques. Hands on labs will cover the basics of asset discovery, vulnerability enumeration, system penetration, privilege escalation, and bypassing end point protection. During the labs, common vulnerabilities will be leveraged to illustrate attack techniques, using freely available tools such as Nmap and Metasploit. This training will be valuable to anyone interested in gaining a better understanding of penetration testing or to system administrators trying to understand common attack approaches.
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more signup(it's free): www.cisoplatform.com
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a “ninja” per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Title: Hands on Penetration Testing 101 by Scott Sutherland & Karl Fosaaen
Abstract: The goal of this training is to introduce attendees to standard penetration test methodologies, tools, and techniques. Hands on labs will cover the basics of asset discovery, vulnerability enumeration, system penetration, privilege escalation, and bypassing end point protection. During the labs, common vulnerabilities will be leveraged to illustrate attack techniques, using freely available tools such as Nmap and Metasploit. This training will be valuable to anyone interested in gaining a better understanding of penetration testing or to system administrators trying to understand common attack approaches.
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more signup(it's free): www.cisoplatform.com
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a “ninja” per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016grecsl
Knowing how to perform basic monitoring and analysis can go a long way in helping infosec analysts do some foundation analysis to either crush the mundane or recognize when it's time to pass the more serious attacks on to the the big boys. This presentation covers environment options for making your network monitor-able, three quick steps to triage and analyze alerts, and integrated distros that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well... maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of network monitoring and analysis.
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Network Scanning Phases and Supporting ToolsJoseph Bugeja
This presentation focuses on the network penetration scanning phase. It introduces tools and techniques that professional pen-testers and ethical hackers need to master to find target machines, openings on those targets and vulnerabilities.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
I'm Cuckoo for Malware provides an introductory overview to Cuckoo Sandbox and Malware Analysis. This talk walks through discussing different types of malware and what they do, to explaining how Cuckoo Sandbox works and how to get the best results from it. The talk will cover how to harden your sandbox against Malware authors attempts to avoid analysis and give ideas for listeners wanting to set up custom environments of their own. The goal of the talk is to allow listeners with enough information so that they can begin analyzing malware in their own Cuckoo-based sandbox environment.
Introduction to Penetration Testing with a use case of LFI -> Shell. I talk about the mindset required to be a good tester, and show places many testers and automated tools stop and how to go further.
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareLastline, Inc.
Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly-complex systems that drive these devices have one thing in common – they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.
Applied Detection and Analysis with Flow Data - SO Con 2014chrissanders88
In this presentation, we discuss the benefit of using flow data for detection and analysis. We also discuss the SiLK flow analysis suite and the FlowPlotter tool that can be used for generating ad-hoc visualizations from flow data, as well as the upcoming FlowBAT tool that is used to ease analysis of this very useful data type.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016grecsl
Knowing how to perform basic monitoring and analysis can go a long way in helping infosec analysts do some foundation analysis to either crush the mundane or recognize when it's time to pass the more serious attacks on to the the big boys. This presentation covers environment options for making your network monitor-able, three quick steps to triage and analyze alerts, and integrated distros that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well... maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of network monitoring and analysis.
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Network Scanning Phases and Supporting ToolsJoseph Bugeja
This presentation focuses on the network penetration scanning phase. It introduces tools and techniques that professional pen-testers and ethical hackers need to master to find target machines, openings on those targets and vulnerabilities.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
I'm Cuckoo for Malware provides an introductory overview to Cuckoo Sandbox and Malware Analysis. This talk walks through discussing different types of malware and what they do, to explaining how Cuckoo Sandbox works and how to get the best results from it. The talk will cover how to harden your sandbox against Malware authors attempts to avoid analysis and give ideas for listeners wanting to set up custom environments of their own. The goal of the talk is to allow listeners with enough information so that they can begin analyzing malware in their own Cuckoo-based sandbox environment.
Introduction to Penetration Testing with a use case of LFI -> Shell. I talk about the mindset required to be a good tester, and show places many testers and automated tools stop and how to go further.
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareLastline, Inc.
Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly-complex systems that drive these devices have one thing in common – they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.
Applied Detection and Analysis with Flow Data - SO Con 2014chrissanders88
In this presentation, we discuss the benefit of using flow data for detection and analysis. We also discuss the SiLK flow analysis suite and the FlowPlotter tool that can be used for generating ad-hoc visualizations from flow data, as well as the upcoming FlowBAT tool that is used to ease analysis of this very useful data type.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Ransomware like CryptoLocker has infiltrated countless businesses, encrypted files and demanded a pound of flesh for their safe release. With no relief in sight and new variations emerging regularly, ransomware continues to be one of the most widespread and damaging threats to businesses today. Now, more than ever, businesses need to have rock solid backup and disaster recovery systems in place to ensure continuity.
This Cyber Security Project report presents a detailed analysis of vulnerabilities identified following a comprehensive scan conducted on the target system/network. Leveraging advanced scanning tools and methodologies, our assessment aims to uncover potential weaknesses and security gaps that could pose risks to the integrity and confidentiality of your digital assets. From critical vulnerabilities requiring immediate attention to low-risk findings warranting further monitoring, this report provides actionable insights to enhance your cybersecurity posture. Explore the breakdown of vulnerabilities, prioritized recommendations for remediation, and proactive measures to mitigate future threats. Empower your organization with the knowledge and strategies needed to strengthen defenses and safeguard against potential exploits with our Cyber Security projects. Discover more at https://bostoninstituteofanalytics.org/cyber-security-and-ethical-hacking/
A Hacker's Perspective on Embedded Device Security, presented by Paul Dant of Independent Security Evaluators at the Security of Things Forum, Sept. 10, 2015
BSides CHARM 2015 Talk "InfoSec Hunters and Gatherers" - Learn how to go beyond automated tools to truly be the "Hunter" and find both bad guys and vulnerabilities.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
Wm4
1. Ethical Hacking:
The Value of Controlled Penetration Tests
Dr. Bruce V. Hartley, CISSP
Privisec, Inc.
August 6 , 2003
bhartley@privisec.com
719.651.6651
2. Session Overview
♦ Session Introduction
♦ Ethical Hacking
– Taking a Look at the Environment
– The Process, Tools, and Techniques
• Internal Penetration Tests
• External Penetration Tests
– Some Real-Life Case Studies
♦ Conclusions
2
3. Before We Get Started
♦ My Background:
– In The IT Field for 22 Years – Security for About 16
– Currently President & CEO of Privisec, Inc.
– Previously President and CEO of PoliVec, Inc.
– Before That, SVP and CTO of Trident Data Systems
– Academic Credentials:
• Doctorate in Computer Science From Colorado Technical University,
Masters and Bachelors Degrees in Computers as Well…So I’m a
Geek…And, Remember: Geek is Sheik!
• CISSP Since Forever as Well
– Other Information:
• Technical Editor for Business Security Advisor Magazine, Formally
Internet Security Advisor Magazine
• Numerous Publications, Conferences, etc.
3
5. Why Penetration Testing?
♦ Taking a Look at the Environment
♦ Penetration Testing – Benefits
♦ Taking a Look at the Process
♦ Real-Life Case Studies – Proof!
6.
7.
8. Look At The Environment
♦ We Now Have Open Discussions on The Internet
Concerning:
– Vulnerabilities
– Exploits and Attacks
– Bugs and Faults
♦ Newer and More Sophisticated Attacks
♦ Newer and More Sophisticated Hacker Tools
♦ Attack Scripts and Penetration Tools Available to
Anyone on the Internet
9. Look At The Environment
♦ Recent Google Search Results:
– Hacker 12,500,000 Hits
– Hacker Tools 757,000 Hits
– Hacker Exploits 103,000 Hits
– NT Exploits 99,000 Hits
– Unix Exploits 139,000 Hits
– Computer Vulnerabilities 403,000 Hits
– Hacking NT 292,000 Hits
– Hacking Windows 2000 271,000 Hits
– Hacking Unix 390,000 Hits
– Hacking Linux 1,290,000 Hits
10. Ethical Hacking - Benefits
♦ Penetration Tests are Designed to Identify
Vulnerabilities Before They are Exploited
♦ Provides a Solid Understanding of What is Visible
and Possibly Vulnerable
♦ Preventative Measure – Can be Very Effective
♦ Should Include a Remediation Phase
– Correct Identified Vulnerabilities and Exposures
11. Ethical Hacking - Rationale
♦ Vulnerabilities and Exploits are Always Changing
– Unless This is Your Business, Its Hard to Keep Up
– Need to Perform on a Recurring Basis
♦ Hacking Tools and Methods Can Cause Damage
IF Used Incorrectly
– Some Exploits are Passive, Some are Not!
– Some Exploits are Destructive, Some are Not!
♦ A Well Defined Process, Attack Methodology,
and a Set of Tools are Required
12. Penetration Testing - General
♦ Can Consider Both Internal and External
Assessments
♦ Internal: Goal is to Gain “Unauthorized Access to
Data/Information”
– Ultimate Goal is to Gain Administrator, System, or
Root Access From the Inside (Depending on Platform)
– Usually Begin With Just a Network Connection
– May Require a Standard, Non-privileged Account
(User)
13. Penetration Testing - Internal
♦ Start by Sniffing Network
– Try to Obtain Userid and Password Combos
– Common Tools
• Snort (Unix/Linux and Windows)
• WinSniff (Windows)
♦ Scan Internal Network (Port Scan)
– Discover Active IPs and Devices
– Gain Info About System Types and OSs
– Common Tools
• Nmap (Unix/Linux and Windows)
• SuperScan (Windows)
14. Penetration Testing - Internal
♦ Check for Systems Running snmp With
Exploitable Community Strings
– Looking for ‘Public’, ‘Private’ or Other Common
Words
– Common Tools
• SolarWinds (Windows)
• SNScan (Windows)
♦ Launch Vulnerability Scanners to Identify
Vulnerabilities to Exploit
– Nessus, Nikto, Whisker, Brute Forcer Tools, Etc.
15. Penetration Testing - Internal
♦ Once Any Level of Access is Gained, Try
and Obtain Privileged Access
– Grab Password Files and Crack Passwords
• Pwdump3 and pwdump3e
• SAM Grab
• L0phtCrack
• John-the-Ripper
♦ Run More Sophisticated Exploits Against
Vulnerable Services, Applications, Etc.
16. Penetration Testing – External
♦ External – Both Dial-Up and Internet
♦ Goal – Get Privileged Access
♦ Starts With Enumeration of the Target Network
and/or Systems
♦ External Scan of Assets/Devices, Possibly More
Enumeration
♦ Once Devices are Identified, Determine Type of
Platform, Services, Versions, Etc.
♦ Hypothesize Potential Vulnerabilities and
Prioritize Based on Likelihood of Success
♦ Attack in Prioritized Order
17. Penetration Testing – Tools
♦ Relies on Numerous Tools:
– Port Scanners
– Demon Dialers
– Vulnerability Scanners
– Password Grabbers and Crackers
– Vulnerability and Exploit Databases
– Default Password Databases
– Other Resources
• Experience and the Good Old Internet!
18. Penetration Testing – The Process
♦ The Vulnerability Assessment Process:
– Gather Information
– Scan IP Addresses
– Determine Service Versions
– Assemble Target List
– Gather and Test Exploits (Yes, Test Them First!)
– Run Exploits Against Live Targets
– Assess Results
– Interactive Access on Host(s)
– Root/Admin Access on Host(s)
– Repeat Until No More Targets Available or Desired
Results are Achieved
19. Preparatory Work
♦ Things You Need Before Starting the Test
– Authority to Perform Test
• This must be in writing!
– A Specific Set of Ground Rules That Should
Answer at Least the Following Questions
• Is this test covert or overt?
• Are there any “off-limits” systems or networks?
• Who is our trusted POC?
• Is there a specific target (system, type of
information, etc) of this test?
20. Gathering Information
♦ The First Thing You Want to Know is What IP
Address Range(s) are Owned and/or Used by the
Target Organization
♦ Start With a whois Lookup
– American Registry for Internet Numbers (ARIN) whois
http://whois.arin.net/whois/index.html
– Network Solutions whois
http://www.networksolutions.com/cgi-bin/whois/whois/
– European information is at the RIPE NCC
http://www.ripe.net/perl/whois
– Asian information is at the Asia Pacific Network
Information Center http://www.apnic.net/
21. Gathering Information
♦ Other Sources of Information:
– IP address of Webserver(s), Mail Server(s), DNS
Server(s)
– Go Back to whois and Verify Who Owns Those IP
Addresses and the Network Space That Contains Those
IP Addresses
– IP Addresses of Other Organizations That May Have
Been Purchased by the Primary Organization
– SamSpade.Org!
♦ Verify All IP Addresses and Ranges With Trusted
POC Before Proceeding!
22. Scanning IP Addresses
♦ Intent: To Discover What Network Ports (Services) are Open
♦ Tool of Choice: nmap, by Fyodor Available at:
http://www.insecure.org/nmap/
– Written for Unix/Linux Systems
– Freely available
– Ported to Windows NT/2000 by eEye Digital Security
http://www.eeye.com/html/Research/Tools/nmapnt.html
– Provides Many Features
• Multiple different scanning methods
• Operating System detection
• Ping sweeps
• Changeable scan speed
• Multiple logging formats
23. Scanning IP Addresses
♦ If You Are Scanning From a Windows NT/2000
System, Your Options are:
– Use nmapNT from eEye
• Requires installation of a libpcap network driver
• More difficult to use, specifically wrt selecting network
interfaces
– Use SuperScan from Foundstone
• GUI interface
• Lots of options
– Use fscan from Foundstone
• Command-line tool (very useful in some instances)
• Lots of options
24. Scanning IP Addresses
♦ Both Unix/Linux and Windows Versions of
nmap have a Graphical Front-End Available
(nmapfe)
♦ Same Options Available Via the GUI –
Easy to Use
25. Scanning IP Addresses
♦ SNMP Scanning
– Usually can be Performed Quickly
– A Default SNMP Server can Yield Reams of Useful
Information
• Default community strings (passwords) are ‘public’ and
‘private’
– Tools
• SNScan From Foundstone
• Solarwinds Network Management and Discovery Tools (for
Windows)
– SNMP sweep
• ucd-snmp/net-snmp for Unix
– snmpstatus
– snmpwalk
26. Scanning IP Addresses
♦ Web Server Scanning
– Whisker by Rain Forest Puppy
http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=1
• Perl script that probes web servers for
– Version information
– Executable subdirectories
– Potentially vulnerable executable scripts or programs
• Basic use: perl whisker.pl -v -h hostname | tee filename
– Many advanced features available
– Nikto
• HTTPS-only web servers can be scanned with stunnel
(http://www.stunnel.org/) + Whisker or Nikto
– stunnel -c -d localhost:80 -r hostname:443
– perl whisker.pl -v -h localhost | tee filename
27. Determining Service Versions
♦ Each Open TCP Port Likely Provides a Network
Service
♦ Well-Known Port Numbers are Normally Used to
Provide Well-Known Services
– e.g. TCP port 23 is expected to be a telnet daemon
– Reference http://www.iana.org/assignments/port-
numbers
♦ Many Well-Known Services Will Provide Version
Numbers With Very Little Prodding
28. Vulnerability Assessment Tools
♦ Once Target List is Identified, Can Run
Vulnerability Scanner to Attempt to Identify
and Possibly Exploit Known Vulnerabilities
– CERT and CIAC Advisories
– Vendor Advisories and Warnings
– Other Public Sources (Bugtraq)
29. Vulnerability Assessment Tools
♦ Once Target List is Identified, Can Run
Vulnerability Scanner to Attempt to Identify
Vulnerabilities
♦ Some Common Tools:
– Nessus (Unix/Linux)
– SNScan (Windows)
– Nikto (Unix/Linux)
– Whisker (Unix/Linux)
– SMB Brute Forcer (Windows)
30. Assembling The Target List
♦ Assemble a Comprehensive List of Open Ports
and Known Service Versions
♦ Examine List for Likely Vulnerable Versions of
Software, e.g.
– wu-ftpd versions older than 2.6.1
– bind (DNS) servers older than 8.2.3
– Any IIS web server
♦ For Web Servers, Examine the Results of Whisker
or Nikto Scans for Potentially Vulnerable Scripts
or Programs
♦ Pick the Top Five Most Likely Exploitable
Hosts/Services
31. Gathering and Testing Exploits
♦ Exploit Code Should Never be Run Against
a Live Target Without Prior Testing Against
a Test System
♦ Exploits Can be Very Dangerous!
♦ If You Haven’t Tested it Don’t Run It!!!
♦ Behavior May Not be as Expected or
Desired
32. Gathering and Testing Exploits
♦ Minimal Criteria for Exploit to be Worth Testing
– Exploit Must Match Both
• Target operating system
• Target service version number
♦ Need to Assemble or Have Access to Test System(s) That
Matches Configuration of Target
♦ Exploits Have Many Potential Results
– Read any File on the Target System
– Modify any File on the Target System
– Allow Non-interactive Execution of Commands
– Allow Interactive Access to Remote System as an Unprivileged
User (Unprivileged Shell or Command-level Access)
– Allow Interactive Access to Remote System as a Root, Admin, or
Other Privileged User (Privileged Shell or Command-level Access)
34. Gathering and Testing Exploits
♦ Once a Candidate Exploit is Located
– Compile the Code on an Appropriate Platform
– Test it Against Test System
– Assess Results
• Exploit Failed
– Move on to the next candidate
• Exploit Succeeded
– What did it give us?
– What can we do with that elevated access?
35. Running Exploits Against Live Targets
♦ Set All the Pieces Up
– Attacking System
– Any Required Network Listeners, etc
♦ Type the Commands to be Executed Into a Text Editor
♦ Triple Check the Commands, Especially IP Addresses!
– Recommend Two-person Teams, Each Double-checking the
Other’s Work
♦ Recommend Simultaneous use of a Sniffer to Monitor all
Relevant Network Traffic
♦ When Prepared to Execute, Copy and Paste the Commands
into the Execution Window
♦ Hope it Works!
36. Assessing Results
♦ If Exploit Fails, Attempt to Determine Why
– Exploit was Supposed to Open a Command Shell on a
High-numbered Port, but Port was Unavailable for
Connection Attempt
• Potentially blocked by a firewall
– Examine Sniffer Logs for Clues
♦ Unfortunately, it is Often Very Difficult to
Determine the Cause of a Failed Exploit Attempt
♦ Move on to the Next Candidate Exploit
37. Assessing Results
♦ If Exploit Succeeded
– Assess Level of Access Currently Obtained
– Reprioritize Target List for Next Exploit
Attempt
♦ First-Level Goal Should be any Sort of
Interactive Access to the Remote System
♦ Second-Level Goal Should be root or
Admin-Level Interactive Access on Remote
System
38. Interactive Access on Host(s)
♦ Once Interactive Access is Obtained, Local
Exploits Can Be Run
– These are Much More Prevalent Than Remote Exploits
– Much Easier to Obtain Root or Admin-level Privileges
♦ Even With Unprivileged Interactive Access, Many
Useful Steps Can be Taken
– Determine Available Network Interfaces and Settings
• Is this system behind a network address translator?
• Is this system on a DMZ or an internal network?
– Perform Port Scans From This System Against Others
on its Local Network (nmap, SuperScan, or fscan)
– Be Very Careful to Avoid all GUI or Windowing
Commands, Especially on Windows Systems
39. Interactive Access on Host(s)
♦ Privileged Command Access Leads to Many
Further Options
– Start up a network sniffer on each interface
• Winsniff for Windows NT/2000 http://winsniff.hypermart.net/
• Dsniff or Snort for unix systems
http://www.monkey.org/~dugsong/dsniff/
– Look for trust relationships between this host and
others
– Obtain encrypted passwords or password hashes and
begin cracking passwords
• On unix: /etc/passwd, /etc/shadow, or other appropriate
location
• On windows: pwdump or pwdump2
– If the objective is a specific piece or type of
information, check the system for that information
40. Interactive Access on Host(s)
♦ As Each New Piece of Information is
Obtained, Re-prioritize the Target List and
Take Action Appropriately
♦ Continue Until All Objectives are
Accomplished, or No Further Access Can
be Obtained
42. Example Penetrations
u Five Examples From the Multiple Industries
u All Penetrations 100% Successful
; Gained “Unauthorized” Privileged Access
; Access Undetected by Systems Personnel
u All Penetrations Were Preventable – Known
Vulnerabilities or Poorly Configured Systems
43. Example Penetrations
Industry Type of Attack Penetration Method Level of Access Vulnerability Firewall Installed
Airline Netware and Dial-up Dial-in – Used remote Complete system Dial-in Yes. Commercial firewall
Connections control program to access to entire installed on a Windows
connect to a Novell client Network: File NT Server.
machine without any
Servers, Mail
authentication. Client
had an active session on a Servers, Applications
network server. Using a Servers, Database
Novell default account Servers, and Personal
gained full system Workstations.
privileges.
UNIX and Dial-up Dial-in – Exploited a Vulnerability
Multimedia known vulnerability on a Complete system Yes. Commercial firewall
Connections on a UNIX
Entertainment UNIX host via modem access to entire installed on a UNIX
host via
network. modem Server.
connection – gained root
access. connection
Newspaper Yes. Commercial firewall
Intranet Vulnerability Internet – Exploited a Vulnerability
Complete system installed on a UNIX
known vulnerability in in NFS
access to WWW Server.
NFS and gained root
servers, DNS
access on WWW (UNIX)
Servers, Mail
server. Gained access to
Servers, File/Print
internal network due to
Servers, and
poor host security (trust
publishing systems.
relationships) on WWW
server.
43
44. More Penetrations
Industry Type of Attack Penetration Method Level of Access Vulnerability Firewall Installed
Financial Dial-in – Exploited a Complete system Yes. Commercial firewall
NFS Vulnerability NFS
known vulnerability in access to Intranet and installed on a UNIX
sendmail to gain access internal (trusted) Server.
to an Intranet server network.
(UNIX). Gained access
from Intranet server to
internal network due to
trust relationships.
Exploited a known
vulnerability in NFS on a
VMS host to gain
additional full system
access.
Publishing NIS Vulnerability Internet and Dial-in - Complete system Vulnerability on Yes. Commercial firewall
Exploited a known access to internal an exposed installed on a UNIX
vulnerability on an networks. UNIX server to Server.
exposed UNIX server to gain access via
gain access via Internet. internet.
Penetrated a client PC
running Windows 95 via
modem access using
remote control software,
and a UNIX host via a
terminal program and a
default account. Gained
root access by exploiting
a known vulnerability.
44
45. Penetration Tests: Lessons
♦ In Each Case, the Penetration Could Have Been
Prevented IF:
– A Comprehensive Security Policy had Been
Implemented Across the Enterprise
– Good Systems Administration Practices Were Utilized
– A More Proactive Security Process was in Place
• Security Audits and/or Assessments
• Investment in Security Assessment Technology
• Better User Security Education and Awareness
• Minimal Incident Response Capability
46. Conclusions
♦ Penetration Testing Can Be Used to Significantly
Improve Your Security Posture
♦ A Reasonably Secure Infrastructure is Achievable
– Must View Security as a Process, Not a Project
– Embrace Technology and Use it!
– Be Consistent Throughout the Enterprise
– Consider the Entire Business Process, Not Just the
Transaction Component
♦ Think About Security From an Enabling
Standpoint vs. an Inhibitor
♦ Be Proactive…Don’t Wait for a Security Problem
46
47. My Contact Information
Dr. Bruce V. Hartley, CISSP
President & CEO
Privisec, Inc.
719.651.6651 (Phone)
719.495.8532 (Fax)
bhartley@privisec.com
www.privisec.com