Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
SECURITY PENETRATION       TESTING TEKNIS PELATIHAN KEAMANAN INFORMASI                              AHMAD MUAMMAR !(C)2011...
AGENDASECURITY ASSESSMENT VULNERABILITY ASSESSMENT SECURITY AUDIT PENETRATION TESTING VA V.S PENTEST PENTEST V.S SYSTEM AU...
AGENDAPENETRATION TESTING  TYPE  SCOPE (AREA)  LIMITATIONSPENETRATION TESTING  METHODOLOGIES  WELL KNOWN STANDARD         ...
SECURITY ASSESSMENTIS A WAY TO VALIDATE/CHECK THE LEVEL OF SECURITYON EVERY ASPECT OF IT INFRASTRUCTURE.ALSO TO ENSURE THA...
SECURITY ASSESSMENTVULNERABILITY ASSESSMENT A VULNERABILITY ASSESSMENT IS USUALLY CARRIED OUT BY SECURITY VULNERABILITY SC...
SECURITY ASSESSMENTSECURITY AUDIT  MOST PART ARE CHECKLIST-BASED (CORPORATE  SECURITY POLICICES OR REGULATION STANDARDS  (...
SECURITY ASSESSMENTPENETRATION TESTING  IS WHEN A “HACKER” DO THE ATTACKER WORK.  THE ONLY GOAL IS TO GET AS MUCH AS POSSI...
VA V.S PENTESTVULNERABILITY ASSESSMENT IDENTIFIES THE“POSSIBLE” VULNERABILITIES (ALSO FALSE POSITIVE)PENETRATION TESTING V...
PENTEST V.S SECURITY AUDITSSECURITY AUDITS IMPORTANT FOR BEING COMPLIEDWITH SECURITY POLICIES, LEGISLATION ANDSTANDARDSPEN...
PENETRATION TESTINGCHECK SENSITIVE INFORMATION AVAILABLECHECK WHAT KIND OF PRIVILEGES PENTESTER GAINCHECK IF POSSIBLE TO E...
PENETRATION TESTINGTYPE OF PENETRATION TESTING:  BLACK BOX: 0 INFORMATION ABOUT THE SYSTEM,  MAYBE ONLY THE IP/DOMAIN NAME...
PENETRATION TESTINGNETWORK INFRASTRUCTURE PENTEST  WIFI, VOIP, TELEPHONEAPPLICATION INFRASTRUCTURE PENTEST  WEB, MOBILESYS...
PENETRATION TESTINGMOST LIMITATIONS  TIME  SKILLED  ACCESS TO EQUIPMENT                        AHMAD MUAMMAR !(C)2011 | @Y...
PENETRATION TESTINGMETHODOLOGY A GUIDELINE FOR SOLVING A PROBLEM, WITH SPECIFIC COMPONENTS SUCH AS PHASES, TASKS, METHODS,...
PENETRATION TESTINGWELL KNOWN STANDARD                                                !                      AHMAD MUAMMAR...
PENETRATION TESTINGSOURCE: ISSAF                                AHMAD MUAMMAR !(C)2011 | @Y3DIPS
PENETRATION TESTING          INFORMATION GATHERING : USING ALL RESOURCES          (INTERNET) TO FIND ALL THE INFORMATION A...
INFORMATION GATHERINGNON TECHNICALSEARCH COMPANY INFO ON SOCIAL NETWORK :LINKEDIN.COM, FACEBOOKSEARCH KEY PERSONAL ACTIVIT...
HANDS ONINFORMATION GATHERING VIA SOCIAL NETWORKINFORMATION GATHERING VIA GOOGLE HACKING                                  ...
INFORMATION GATHERINGTECHNICALUSING DIG. NSLOOKUP, WHOIS TO FIND INFORMATION                                    AHMAD MUAM...
HANDS ONINFORMATION GATHERING USING DIGINFORMATION GATHERING USING WHOIS                                    AHMAD MUAMMAR ...
PENETRATION TESTING          NETWORK MAPPING: FOOTPRINT THE NETWORK AND          RESOURCES THAT ALREADY GATHER FROM       ...
NETWORK MAPPING          TOOLS: NMAP, TRACEROUTE, PING          MENCOBA NMAP, TRACEROUTESOURCE: ISSAF                     ...
HANDS ON           AHMAD MUAMMAR !(C)2011 | @Y3DIPS
HANDS ON           AHMAD MUAMMAR !(C)2011 | @Y3DIPS
PENETRATION TESTING          VULNERABILITY IDENTIFICATION : IDENTIFY ALL          SERVICES VULNERABILITY (BASED ON VERSION...
HANDS ONNMAP -SV (DETECT OPEN PORT WITH SERVICE INFO(VERSION))NMAP -O (DETECT POSSIBLE OS)                                ...
PENETRATION TESTING          PENETRATION: TRY TO GAIN UNAUTHORIZED ACCESS BY          CIRCUMVENTING THE SECURITY MEASURES ...
PENETRATION TESTING          GAINING ACCESS AND PRIVILEGES : GAINING LEAST          PRIVILEGE BY DEFAULT USER OR PASSWORD,...
HANDS ONUSING METASPLOITUSING LOCAL EXPLOIT TO GAIN HIGHER LEVELPRIVILEGES                                    AHMAD MUAMMA...
PENETRATION TESTING          ENUMERATING FURTHER: OBTAIN PASSWORD          (PASSWORD FILE (/ETC/SHADOW, SAM), USER        ...
HANDS ONCRACKING PASSWORD FILE                         AHMAD MUAMMAR !(C)2011 | @Y3DIPS
PENETRATION TESTING          COMPROMISE REMOTE USERS/SITES: (IF POSSIBLE) TRY          TO COMPROMISE REMOTE USER (VPN USER...
PENETRATION TESTING          MAINTAINING ACCESS: OFTEN NOT PERFORM          COVERING TRACKS: OFTEN NOT PERFORMSOURCE: ISSA...
PENETRATION TESTINGVALUE IS ON THE REPORTPENETRATION TESTING SERVICE LEVEL AGREEMENT  NON DISCLOSURE AGREEMENTTHERE ARE AL...
Upcoming SlideShare
Loading in …5
×

Penetration testing

Technical workshop about Penetration Testing for BPPT

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Penetration testing

  1. 1. SECURITY PENETRATION TESTING TEKNIS PELATIHAN KEAMANAN INFORMASI AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  2. 2. AGENDASECURITY ASSESSMENT VULNERABILITY ASSESSMENT SECURITY AUDIT PENETRATION TESTING VA V.S PENTEST PENTEST V.S SYSTEM AUDIT AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  3. 3. AGENDAPENETRATION TESTING TYPE SCOPE (AREA) LIMITATIONSPENETRATION TESTING METHODOLOGIES WELL KNOWN STANDARD AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  4. 4. SECURITY ASSESSMENTIS A WAY TO VALIDATE/CHECK THE LEVEL OF SECURITYON EVERY ASPECT OF IT INFRASTRUCTURE.ALSO TO ENSURE THAT NECESSARY SECURITYCONTROLS ARE INTEGRATED INTO THE DESIGN ANDIMPLEMENTATION.TO PREPARE FOR BETTER ENHANCEMENT AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  5. 5. SECURITY ASSESSMENTVULNERABILITY ASSESSMENT A VULNERABILITY ASSESSMENT IS USUALLY CARRIED OUT BY SECURITY VULNERABILITY SCANNER APPLICATION. MOST OF THE PRODUCT TEST TYPE OF OPERATING SYSTEM, APPLICATION, PATCH LEVEL, USER ACCOUNT AND ELSE. VULNERABILITY SCANNER IDENTIFY COMMON SECURITY CONFIGURATION MISTAKES AND COMMON ATTACK AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  6. 6. SECURITY ASSESSMENTSECURITY AUDIT MOST PART ARE CHECKLIST-BASED (CORPORATE SECURITY POLICICES OR REGULATION STANDARDS (ISO) OR PBI) IMPORTANT FOR BEING COMPLIED WITH SECURITY POLICIES, LEGISLATION AND STANDARDS E.G: IS THERE ANY BACKUPS? ANTIVIRUS? AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  7. 7. SECURITY ASSESSMENTPENETRATION TESTING IS WHEN A “HACKER” DO THE ATTACKER WORK. THE ONLY GOAL IS TO GET AS MUCH AS POSSIBLE AND AS DEEP AS POSSIBLE TO BREAK INTO THE SYSTEM. AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  8. 8. VA V.S PENTESTVULNERABILITY ASSESSMENT IDENTIFIES THE“POSSIBLE” VULNERABILITIES (ALSO FALSE POSITIVE)PENETRATION TESTING VALIDATES THE VULNERABILITY AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  9. 9. PENTEST V.S SECURITY AUDITSSECURITY AUDITS IMPORTANT FOR BEING COMPLIEDWITH SECURITY POLICIES, LEGISLATION ANDSTANDARDSPENTEST COMPLEMENT SYSTEM AUDITS AND HELP TOFIX SECURITY THREAT BEFORE AN ATTACKERDISCOVERS IT AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  10. 10. PENETRATION TESTINGCHECK SENSITIVE INFORMATION AVAILABLECHECK WHAT KIND OF PRIVILEGES PENTESTER GAINCHECK IF POSSIBLE TO ESCALATE PRIVILEGESCHECK IF VULNERABILITY CAN LEAD TO MORE EXPLOITS(ANOTHER APPLICATION, SYSTEM, OR SERVER) AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  11. 11. PENETRATION TESTINGTYPE OF PENETRATION TESTING: BLACK BOX: 0 INFORMATION ABOUT THE SYSTEM, MAYBE ONLY THE IP/DOMAIN NAME. FULL ATTACKER PERSPECTIVE GRAY BOX: PARTIAL INFORMATION ABOUT A SYSTEM, SIMULATE ATTACK BY EMPLOYEE, VENDORS. WHITE BOX: SIGNIFICANT INFORMATION ABOUT A SYSTEM, SOURCE CODE/CONFIGURATION REVIEW. AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  12. 12. PENETRATION TESTINGNETWORK INFRASTRUCTURE PENTEST WIFI, VOIP, TELEPHONEAPPLICATION INFRASTRUCTURE PENTEST WEB, MOBILESYSTEM INFRASTRUCTURE PENTESTPHYSICAL SECURITYSOCIAL ENGINEETING (PEOPLE) AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  13. 13. PENETRATION TESTINGMOST LIMITATIONS TIME SKILLED ACCESS TO EQUIPMENT AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  14. 14. PENETRATION TESTINGMETHODOLOGY A GUIDELINE FOR SOLVING A PROBLEM, WITH SPECIFIC COMPONENTS SUCH AS PHASES, TASKS, METHODS, TECHNIQUES AND TOOLS AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  15. 15. PENETRATION TESTINGWELL KNOWN STANDARD ! AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  16. 16. PENETRATION TESTINGSOURCE: ISSAF AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  17. 17. PENETRATION TESTING INFORMATION GATHERING : USING ALL RESOURCES (INTERNET) TO FIND ALL THE INFORMATION ABOUT TARGET, USING TECHNICAL AND NON-TEHCNICAL METHODSSOURCE: ISSAF AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  18. 18. INFORMATION GATHERINGNON TECHNICALSEARCH COMPANY INFO ON SOCIAL NETWORK :LINKEDIN.COM, FACEBOOKSEARCH KEY PERSONAL ACTIVITY: ADMINISTRATOR,PROGRAMMERGOOGLE HACKING AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  19. 19. HANDS ONINFORMATION GATHERING VIA SOCIAL NETWORKINFORMATION GATHERING VIA GOOGLE HACKING AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  20. 20. INFORMATION GATHERINGTECHNICALUSING DIG. NSLOOKUP, WHOIS TO FIND INFORMATION AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  21. 21. HANDS ONINFORMATION GATHERING USING DIGINFORMATION GATHERING USING WHOIS AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  22. 22. PENETRATION TESTING NETWORK MAPPING: FOOTPRINT THE NETWORK AND RESOURCES THAT ALREADY GATHER FROM INFORMATION GATHERING. E.G: FIND LIVE HOST, PORT AND SERVICE, NETWORK PERIMETER, OS AND SERVICE FINGERPRINTINGSOURCE: ISSAF AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  23. 23. NETWORK MAPPING TOOLS: NMAP, TRACEROUTE, PING MENCOBA NMAP, TRACEROUTESOURCE: ISSAF AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  24. 24. HANDS ON AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  25. 25. HANDS ON AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  26. 26. PENETRATION TESTING VULNERABILITY IDENTIFICATION : IDENTIFY ALL SERVICES VULNERABILITY (BASED ON VERSION/ BANNER), USING VULNERABILITY SCAN, IDENTIFY ATTACK PATH TOOLS: NMAP, NESSUSSOURCE: ISSAF AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  27. 27. HANDS ONNMAP -SV (DETECT OPEN PORT WITH SERVICE INFO(VERSION))NMAP -O (DETECT POSSIBLE OS) AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  28. 28. PENETRATION TESTING PENETRATION: TRY TO GAIN UNAUTHORIZED ACCESS BY CIRCUMVENTING THE SECURITY MEASURES TO GET ACCESS,. E.G: FIND POC, CREATE TOOLS, TESTINGSOURCE: ISSAF AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  29. 29. PENETRATION TESTING GAINING ACCESS AND PRIVILEGES : GAINING LEAST PRIVILEGE BY DEFAULT USER OR PASSWORD, DEFAULT SETTINGS, PUBLIC SERVICES, TRY TO ESCALATE PRIVILEGES TO SUPERIOR LEVEL (ADMINISTRATOR/ ROOT) USING/CREATING EXPLOIT OR METASPLOIT (FREE) , IMMUNITY CANVAS, CORE IMPACTSOURCE: ISSAF AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  30. 30. HANDS ONUSING METASPLOITUSING LOCAL EXPLOIT TO GAIN HIGHER LEVELPRIVILEGES AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  31. 31. PENETRATION TESTING ENUMERATING FURTHER: OBTAIN PASSWORD (PASSWORD FILE (/ETC/SHADOW, SAM), USER DATABASE), SNIFFING NETWORK, MAPPING INTERNAL NETWORKSOURCE: ISSAF AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  32. 32. HANDS ONCRACKING PASSWORD FILE AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  33. 33. PENETRATION TESTING COMPROMISE REMOTE USERS/SITES: (IF POSSIBLE) TRY TO COMPROMISE REMOTE USER (VPN USERS) TO GET PRIVILEGE TO INTERNAL NETWORKSOURCE: ISSAF AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  34. 34. PENETRATION TESTING MAINTAINING ACCESS: OFTEN NOT PERFORM COVERING TRACKS: OFTEN NOT PERFORMSOURCE: ISSAF AHMAD MUAMMAR !(C)2011 | @Y3DIPS
  35. 35. PENETRATION TESTINGVALUE IS ON THE REPORTPENETRATION TESTING SERVICE LEVEL AGREEMENT NON DISCLOSURE AGREEMENTTHERE ARE ALWAYS A RISK, E.G : SYSTEM DOWN/CRASH DURING PENTEST, SLOWDOWN NETWORK AHMAD MUAMMAR !(C)2011 | @Y3DIPS

×