SecurityAegis.com 's Free pentest course slides - deck one
• Your job?
• Hacking is fun
• The community is FUN
• Learning
• Beer and Pizza, hang out
• Basics
• Why?TF
• Why do we do Security Testing?
• VM’s/Labs
• Networking Knowledge
• Attack Concepts
• The Methodology(s)
• Intermediate Stuff
• Practical Penetration Testing
• Current Techniques
Most importantly…
Have fun
Participate*
Learn
Eventually we will be learning together
Definition #1
A Vulnerability is defined as a weakness which allows an attacker to reduce a computer system's security.
Types of Security Testing
Network Testing $
Traditional, auditing of services and configuration
Web Application Testing $$
Focus on application type flaws
Web frameworks
Social Engineering $
Attacking users, most resembles real world
Types of Security Testing
Physical Testing / Red Teaming $$
A fork of social engineering, much more involved
Binary Analysis / Reverse Engineering / Exploit Development $$$
Specialty fields
Source Code Auditing $$
Fork of both Web App testing and Binary ninjary
3 Types of Tests
Confusing? A bit…
Audit: usually network testing, based around some agency's expectation of what security is. The biggest one is a standard called PCI.
Usually boring, but brings in lots of money. Usually the same skill sets are used.
Very structured, sometimes checklist and vulnerability-scan driven.
Can include IT services (Firewall config review, vlan review, etc)
3 Types of Tests
Assessment
More broad than an audit, doesn’t have to comply with any agency's expectation of security.
Mile wide, less in depth
Identify as many vulnerabilities as possible
Can include IT services (Firewall config review, vlan review, etc)
3 Types of Tests
Penetration Test: with all these definitions, it tends to get confused.
“Pentests” actually test the security controls themselves and exploit the vulnerabilities.
More goal oriented, prove real threats, get real data as success factor.
Harder, more expectation of pwnage, most of the time you have to “get” something.
Usually does NOT include IT services.
We will focus mostly on pentesting… because I think it’s the most fun, but the skills map across all domains.
Ethics
Difference between hacking and an audit/assessment/pentest is….
PERMISSION
Lab 1: Trial by fire (metasploit)
Students who are here: access the class VM
• Run ./msfconsole
• Find syntax to use Tomcat Mgr Deploy
• Make sure you updated msf
• Google for default tomcat passwords or read the metasploit ones
• Use generic/tcp/bind payload
• For students who are remote:
• Use g0tmi1k's guide:
• http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-tomcat.html
• Congratulations – You just pwned your 1st box! If you have extra time, try to find the flags I’ve placed on the system and pwn a different lab machine, or follow the video above to grab a legit SSH account.
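Added defender-side counterpart to the lab (not part of the original deck): the Tomcat manager deploy exercised above leaves a trace in Tomcat's access log. This example, written against constructed sample log lines in the common log format and a hypothetical allow-list of deploy hosts, flags successful WAR deploys from unexpected sources and counts 401s on /manager, which are the two things a blue team would alert on after this lab.

```python
import re
from collections import Counter

# Constructed sample Tomcat access log lines (common log format); not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2011:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.9 - - [12/Mar/2011:10:02:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.9 - tomcat [12/Mar/2011:10:02:11 +0000] "GET /manager/html HTTP/1.1" 200 17381
10.0.0.9 - tomcat [12/Mar/2011:10:02:15 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 87
10.0.0.9 - tomcat [12/Mar/2011:10:02:16 +0000] "GET /x/ HTTP/1.1" 200 3
10.0.0.7 - admin [12/Mar/2011:11:00:00 +0000] "POST /manager/html/upload HTTP/1.1" 200 14000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Manager-app paths that deploy a WAR (text and HTML interfaces share the /manager prefix).
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/deploy")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_manager_deploys(log_text, expected_deployers=frozenset()):
    """Return (ip, user, method, path, ts) for successful WAR deploys by sources that
    are not in expected_deployers (hypothetical allow-list of CI/deploy hosts)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]
        is_deploy = rec["method"] in ("PUT", "POST") and path_only.startswith(DEPLOY_PATHS)
        if is_deploy and rec["status"] == "200" and rec["ip"] not in expected_deployers:
            hits.append((rec["ip"], rec["user"], rec["method"], path_only, rec["ts"]))
    return hits

def manager_auth_failures(log_text):
    """Count 401s on /manager per source IP: a burst from one IP is credential guessing."""
    c = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith("/manager") and rec["status"] == "401":
            c[rec["ip"]] += 1
    return c

if __name__ == "__main__":
    for hit in find_manager_deploys(SAMPLE_LOG, expected_deployers={"10.0.0.7"}):
        print("deploy from unexpected source:", hit)
    print("manager 401s per IP:", dict(manager_auth_failures(SAMPLE_LOG)))
```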
A bit about hacking history…
4 Time Periods
Period 1 - In the not so distant past, hacking and attack vectors were largely external.
Core external services were rife with overflows
Password complexity was non-existent
Trust relationship vulnerabilities were numerous
Firewalls sucked or were non-existent
The big web vulns were just beginning to be exploited
A bit about hacking history…
Period 2 – Things got a bit better, then got worse
External services started to shape up, no more ./’ing the world.
Passwords got a bit better
Firewalls were big baddies
BUT…
Web Vulns took off… SQL Injection was EVERYWHERE, Session Fixation, Logic flaws, etc…
Internal software was Swiss Cheese - Attackers migrated to client-side vectors
A bit about hacking history…
Period 3 – Attackers got smart(er)
External services were pretty hard; death of external hacking and security assessment.
With the death of externals, companies focus on internal pentests.
Web vulns still prevalent but getting better with initiatives like OWASP
Internal software was still bad, but OS mitigations put a band-aid on some exploits.
Attackers created smarter ways to infect insiders through web malware
A bit about hacking history…
Period 4 – The Current State
External services are very rarely vulnerable. Web is still around, less in your face though. Internal software continues to fail, but developing exploits is 2-9 months of research for a 0-day. Much more work. Focus on internal pentesting assumes the attacker got access somehow.
Internal pentesting is a lot of beating up on the Windows domain model, popping unpatched boxes, abusing current password schemes, using man-in-the-middle attacks, and internal password fail.
On the client side attackers sometimes use no exploits: JavaScript malware, Java applet reverse shells, crazy embedding tricks, etc… We are just beginning to emulate this.
Mobile phones are making the mistakes of yesteryear; hot topic right now.
So What?
What you’ll see a lot of still being sold in the industry are:
Web Assessments
Internal Pentests
Source Code Review
Mobile Assessments
The new “External” Pentests which are really Client-Side Penetration Tests / Social Engineering Assessments / Web Pentest hybrids
• Next Time:
• OSINT