Professional Hacking in 2011

SecurityAegis.com 's Free pentest course slides - deck one

Page 1: Professional Hacking in 2011
Page 2: Professional Hacking in 2011

• Your job?

• ?

• Hacking is fun

• The community is FUN

• Learning

• Beer and Pizza, hang out

Page 3: Professional Hacking in 2011

• Basics

• Why?TF

• Why do we do Security Testing?

• VM’s/Labs

• Networking Knowledge

• Attack Concepts

• The Methodology(s)

• Intermediate Stuff

• Practical Penetration Testing

• Current Techniques

Most importantly…

Page 4: Professional Hacking in 2011
Page 5: Professional Hacking in 2011

Have fun

Participate*

Learn

Eventually we will be learning together

Page 6: Professional Hacking in 2011

A Vulnerability is defined as a weakness which allows an attacker to reduce a computer system's security.

Definition #1

Page 7: Professional Hacking in 2011
Page 8: Professional Hacking in 2011

Types of Security Testing

Network Testing $

Traditional, auditing of services and configuration

Web Application Testing $$

Focus on application type flaws

Web frameworks

Social Engineering $

Attacking users, most resembles real world

Page 9: Professional Hacking in 2011

Types of Security Testing

Physical Testing / Red Teaming $$

A fork of social engineering, much more involved

Binary Analysis / Reverse Engineering / Exploit Development $$$

Specialty fields

Source Code Auditing $$

Fork of both Web App testing and Binary ninjary

Page 10: Professional Hacking in 2011
Page 11: Professional Hacking in 2011

3 Types of Tests

Confusing? A bit…

Audit

Usually network testing, based around some agency’s expectation of what security is. The biggest one is a standard called PCI.

Usually boring, but bring in lots of money. Usually same skill sets used.

Very Structured, Sometimes checklist and vulnerability scan driven.

Can include IT services (Firewall config review, vlan review, etc)

Page 12: Professional Hacking in 2011

3 Types of Tests

Assessment

Broader than an audit; doesn’t have to comply with any agency’s expectation of security.

Mile wide, less in depth

Identify as many vulnerabilities as possible

Can include IT services (Firewall config review, vlan review, etc)

Page 13: Professional Hacking in 2011

3 Types of Tests

Penetration Test

With all these definitions, tends to get confused

“Pentests” actually test the security controls themselves and exploit the vulnerabilities.

More goal oriented, prove real threats, get real data as success factor.

Harder, more expectation of pwnage, most of the time you have to “get” something.

Usually does NOT include IT services.

We will focus mostly on pentesting… because I think it’s the most fun, but the skills map across all domains.

Page 14: Professional Hacking in 2011

Ethics

Difference between hacking and an audit/assessment/pentest is….

PERMISSION

Page 15: Professional Hacking in 2011

Lab 1: Trial by fire (metasploit)

Students who are here: access the class VM

• Run ./msfconsole

• Make sure you updated msf

• Find syntax to use Tomcat Mgr Deploy

• Google for default tomcat passwords or read the metasploit ones

• Use generic/tcp/bind payload

For students who are remote:

• Use Gotmilk’s guide: http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-tomcat.html

• Congratulations – You just pwned your 1st box! If you have extra time try and find the flags I’ve placed on the system and pwn a different lab machine or follow the video above to grab a legit SSH account.

Page 16: Professional Hacking in 2011

A bit about hacking history…

4 Time Periods

Period 1 – In the not so distant past, hacking and attack vectors were largely external.

Core external services were rife with overflows

Password complexity was non-existent

Trust relationship vulnerabilities were numerous

Firewalls sucked or were non-existent

The big web vulns were just beginning to be exploited

Page 17: Professional Hacking in 2011

A bit about hacking history…

Period 2 – Things got a bit better, then got worse

External services started to shape up, no more ./’ing the world.

Passwords got a bit better

Firewalls were big baddies

BUT…

Web Vulns took off… SQL Injection was EVERYWHERE, Session Fixation, Logic flaws, etc…

Internal software was Swiss Cheese - Attackers migrated to client-side vectors

Page 18: Professional Hacking in 2011

A bit about hacking history…

Period 3 – Attackers got smart(er)

External services were pretty hard, death of external hacking and security assessment.

With the death of externals, companies focus on internal pentests.

Web vulns still prevalent but getting better with initiatives like OWASP

Internal software was still bad, but OS mitigations put a band-aid on some exploits.

Attackers created smarter ways to infect insiders through web malware

Page 19: Professional Hacking in 2011

A bit about hacking history…

Period 4 – The Current State

External services are very rarely vulnerable. Web is still around, less in your face though. Internal software continues to fail, but developing an exploit is 2-9 months of research for an 0-day. Much more work. Focus on internal pentesting assumes the attacker got access somehow.

Internal pentesting is a lot of beating up on the Windows domain model, popping unpatched boxes, abusing current password schemes, using man-in-the-middle attacks, and internal password fail.

On the client side attackers sometimes use no exploits: JavaScript malware, Java applet reverse shells, crazy embedding tricks, etc… We are just beginning to emulate this.

Mobile phones are making the mistakes of yesteryear; hot topic right now

Page 20: Professional Hacking in 2011

So What?

What you’ll see a lot of still being sold in the industry are:

Web Assessments

Internal Pentests

Source Code Review

Mobile Assessments

The new “External” Pentests which are really Client-Side Penetration Tests / Social Engineering Assessments / Web Pentest hybrids

Page 21: Professional Hacking in 2011

• Next Time:

• OSINT