SlideShare a Scribd company logo

Penetration Testing Basics

Download as PPT, PDF
Rick Wanner
Rick Wanner

The document provides an overview of penetration testing basics from a presentation by The Internet Storm Center, SANS Institute, and GIAC Certification Program. It discusses the Internet Storm Center, SANS/GIAC training and certifications, common cyber threats, the methodology for penetration testing, tools used for various stages like reconnaissance, scanning, exploitation, and analysis, and the importance of reporting and mitigation strategies.

1 of 62
Downloaded 691 times
Penetration Testing Basics A presentation of The Internet Storm Center, The SANS Institute and The GIAC Certification Program
About Me Rick Wanner B.Sc. I.S.P. Client Technology Manager, Security at SaskTel Areas of expertise Secure Network Architecture, Penetration Testing IDS, Policy Development and compliance Masters Student at STI (SANS Technology Institute) Handler at the Internet Storm Center (isc.sans.org) Independent contractor/Volunteer with SANS/GIAC [email_address]
Presentation Overview Internet Storm Centre SANS/GIAC Mini-Briefing Security Mitigation Strategies Penetration Testing
The Internet Storm Center The Internet Storm Center acts as a distributed early warning system for the Internet The ISC acts as an intermediary with ISPs worldwide. The ISC is composed of approximately 40 volunteer handlers which coordinate a group of volunteer intrusion analysts and malware specialists. Daily blog/diary published at http://isc.sans.org/ Sponsored by the SANS Institute.
We want your logs! The ISCs principal inputs come from Dshield.org and Internet users All logs are scrubbed before they are submitted.
SANS Training and GIAC Certifications SANS Institute is the leading training organization for system administration, audit, network, security and security management. GIAC, The Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.
Today’s Cyber Threats Cyber threats have certainly changed since Al Gore invented the internet. What started off as an innocuous invention by ARPANET and supported by the U.S. Department of Defense, is now a significant vehicle for conducting business, shopping, banking, researching, communicating, and maintaining vital corporate information Unfortunately it’s also a haven for hackers and intrusive malicious code.
The Internet The Internet is a community of individuals with its good neighbourhoods and bad neighborhoods. In this community the bad neighborhoods are only separated from the good neighbourhoods by at most 150 milliseconds.
The Need for Information Security While you are working hard to protect your organization’s critical information and systems, there are others out there who want to compromise it. Learning the appropriate actions to secure this information not only benefits your employer, clients, and stockholders, it benefits you. In this industry, you don’t want to be the one who learned the hard way.
Security Outlook As users get more sophisticated, so do the bad guys. A CA, Inc. report issued on January 29, 2007 stated that: In 2006, trojans accounted for 62% of all malware; worms 24%; and viruses and other types of malware accounted for the remaining 13%. CA, Inc predicts that attackers will use blended threats to steal private information and perpetrate other attacks Phishers are getting smarter Spam will increase Targeted attacks will increase A rise in the use of kernel rootkits Increased exploitation of browser and application vulnerabilities Typo-squatting on search engines will increase Attacks are increasingly sophisticated.
Penetration Testing Penetration testing is discovering vulnerabilities in your networks, systems, applications and data before the bad guys do. Penetration testing simulates the generalized attack methodology.
Generalized Attack Methodology Reconnaissance Scanning Gaining Access Maintaining Access Covering Tracks
Penetration Testing Method Preparation Reconnaissance Scanning Exploitation Analysis Reporting
Preparation Define the parameters of the test. Objectives Scope Roles and responsibilities Limitations Success factors Timeline Documented Permission
Reconnaissance Reconnaissance determines…”What can a potential attacker learn about your company?” Utilizes publicly available information.
Reconnaissance (2) Some sources of information: Search Engines Websites Registrars SEC Recruiting sites Netcraft.com
Reconnaissance (3) - Netcraft
Reconnaissance (4) - Netcraft
Scanning Now we know where to look, let’s dig in a little deeper. Generally you are going to use two types of scanners, port scanners, and vulnerability scanners. The hackers choice: Nmap Nessus
Nmap Nmap – open sourced port scanner Usually start with discovery scans and progress to targeted scans. Runs on Windows and *nix. Available from nmap.org
Nmap Book
Nmap - Reconaissance nmap –sL <Address> nmap –sL www.telus.net/24 nmap –sL 205.206.163.16/24
Nmap - Discovery nmap –F <Address> nmap –F 192.168.1.0/24 nmap -top-ports 20 <address> nmap -top-ports 20 192.168.1.0/24
Nmap - Targeted nmap -F –A <address> nmap -F –A 192.168.1.200
Vulnerability Scanner Nessus –open sourced VA scanner Vulnerability feed costs money.
Commercial Vulnerability Scanners Rapid7 NeXpose GFI LANguard eEye Retina Network
Application Attacks Now we have all these layers of protection. Are you still vulnerable? The fact is that you can’t deny what you must permit. What about application level attacks?
Cross-Site Scripting Allows code injection by malicious web users into the web pages viewed by other users. Root cause - lack of input filtering and validation Permits attacker to execute arbitrary scripts on the browser
Yahoo's HotJobs site vulnerable to cross-site scripting attack Dan Kaplan - October 27 2008 Internet research firm Netcraft's toolbar has detected a cross site scripting bug in Yahoo that could be exploited to steal authentication cookies. The flaw resides on Yahoo's HotJobs search engine site, on which hackers embedded malicious JavaScript code, Netcraft's Paul Mutton said in a blog  post on Sunday. &quot;The script steals the authentication cookies that are sent for the Yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details,&quot; Mutton wrote. The pilfered credentials could enable the attackers access to the victims' Yahoo acounts, including email. This vulnerability is similar to another bug that affected Yahoo earlier this year, he said. &quot;Simply visiting the malign URLs on Yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email — the victim does not even have to type in their username and password for the attacker to do this,&quot; Mutton wrote. &quot;Both attacks send the victim to a blank webpage, leaving them unlikely to realize that their own account has just been compromised.&quot;
Cross-Site Request Forgery (XSRF) Unauthorized commands are transmitted from a user that the website trusts. Exploitation of an existing web session. Embedded code causes unauthorized actions
SQL Injection SQL statements are injected into user input to see if a response is returned. Results Authentication Bypass Unauthorized data access
Preventing Web Application Attacks Every input should be validated! “ Suspicion Breeds Confidence” Test it!
Nikto Open source Linux based web application scanner Available at http://www.cirt.net/nikto2
Nikto (2) Basic Scan perl nikto.pl –h <host> perl nikto.pl –h 192.168.1.1 Multiple ports perl nikto.pl –h 192.168.1.1 –p 80,88,443
Nikto – Simple Scan [root@rwanner nikto]# ./nikto.pl -h localhost - Nikto v2.03/2.04 --------------------------------------------------------------------------- + Target IP: 127.0.0.1 + Target Hostname: localhost + Target Port: 80 + Start Time: 2008-10-27 21:53:47 --------------------------------------------------------------------------- + Server: Apache/2.2.6 (Fedora) - Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE + OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST. + Apache/2.2.6 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current. + OSVDB-682: GET /usage/ : Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html. + OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details + OSVDB-3092: GET /manual/ : Web server manual found. + OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons + OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images + OSVDB-3233: GET /icons/README : Apache default file found. + 3577 items checked: 9 item(s) reported on remote host + End Time: 2008-10-27 21:54:28 (41 seconds)
Nikto (3) Multiple hosts perl nikto.pl –h <filename> perl nikto.pl –h hosts.txt Hosts file 192.168.1.1:80:443 192.168.0.200 192.168.0.200,443
Nikto – Multiple Hosts Scan ]# ./nikto.pl -h hosts.txt - Nikto v2.03/2.04 --------------------------------------------------------------------------- + Target IP: 192.168.1.1 + Target Hostname: 192.168.1.1 + Target Port: 443 --------------------------------------------------------------------------- + SSL Info: Ciphers: DES-CBC3-SHA Info: /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/emailAddress=support@linksys.com Subject: /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/emailAddress=support@linksys.com + Start Time: 2008-10-28 21:16:37 --------------------------------------------------------------------------- + Server: No banner retrieved
Commercial Web Scanners IBM Rational AppScan HP Webinspect Cenzic Hailstorm
Exploitation Once you identify a potential vulnerability you have choices: Can use individual exploits…available via the Internet Can use pre-built exploitation frameworks. The most popular exploitation framework is Metasploit. Available for Windows or Linux Available at http://www.metasploit.com/
Metasploit 3 primary components Exploit Stack/Heap based buffer overflow Insecure coding PHP vulnerability, IIS Unicode, SQL injection, etc. NOP sled (optional - exploit dependent) Payload Shellcode Encoders Other (exploit dependent)
Metasploit #./msfconsole  start Metasploit msf > use windows/dcerpc/ms03_026_dcom msf > setg PAYLOAD windows/exec msf > setg CMD nc –L –p 80 cmd.exe msf > setg RHOST 192.168.0.2 msf > exploit
Exploitation Demo Patching and Configuration Lacking patch management procedures Single inbound port open through firewall Results Simple remote exploitation Worm characteristics Can be used to bypass firewalls
Commercial Tools Core Impact
Analysis When you finish you will have a mountain of data to analyze. Break it down by a risk based approach.
Reporting Base your report on risk. Write it so your senior executives can understand. Provide recommendation based on standards or best practices. Keep the Executive summary short. Stay away from FUD!
Presentation Summary Support the Internet Storm Center (ISC) SANS is the best! Test your servers and applications... before the bad guys do!
Special Tuition Offer Because you attended this session, we are offering you 10% discount on tuition for our upcoming Critical infrastructure course in Calgary
COMMUNITY SANS For details on this special offer, please contact community@sans.org for further information.
Community SANS in Calgary Critical Infrastructure Protection in CALGARY Monday, June 15, 2009 – Wednesday, June 17, 2009 Please use: Discount Code: COINS10 Discount : 10%
COMMUNITY SANS in REGINA We are coming back to Regina again next month!!! April 6-8, 2009 Regina Inn – Hotel & Conference Centre Security 557 - “ Virtualization Security and Operations ”
One CPE Credit You will receive one CPE credit for attending this evening.
THANK YOU!!!! This evening was brought to on behalf of our COMMUNITY OF INTEREST IN NETWORK SECURITY (COINS) program. Thank you for joining us tonight!
SANS/GIAC Overview
SANS Training and GIAC Certifications SANS Institute is the leading training organization for system, audit, network, and security. GIAC, The Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.
SANS and GIAC Guiding Principles Education Current, Evolving and Proven Material Certifications that prove you have the knowledge and skills to get the job done Hands-On Hands-on training conducted by instructors who are experts in their fields Testing process that evaluates hands-on capabilities Community Listening and learning to the community’s needs Giving vital knowledge back to the community
How SANS and GIAC Are Different From Other Training/Certifications SANS and GIAC constantly update course and certification information to keep you on top of current threats and vulnerabilities. We use real-world, hands-on scenarios. While tools are an important part of IT security, we teach you and validate actual skills, so you don’t have to solely rely on the performance of a tool. The SANS Promise - You will be able to apply our information security training the day you get back to the office.
GIAC Certification GIAC Silver Certifications Multiple choice exams only GIAC Gold Certifications Plus a written technical report GIAC Platinum Series Highest certification level
Top 3 Reasons to Earn Your GIAC Certification Hiring managers use GIAC certifications to ensure that candidates actually possess deep technical skills GIAC certifications help IT Security Professionals get promoted faster and earn more money GIAC certification reinforces and affirms the 'hands on' knowledge you possess
What Certified People Say? &quot;The GIAC certification has enabled me to take the next step in my Information Security career. It allowed me to prove that my value was more than just that of a security minded Sys Admin.&quot; J. Klein, Enterprise Information Systems, Cedars-Sinai Medical Center &quot;The SANS hands-on experience and the intensive GIAC certification process has garnered me the respect of my boss and peers. Now, when I speak, people listen. I have the confidence to get the job done. My boss looks at me with respect that simply wasn't there before SANS training and GIAC certification. Not only my boss, but managers and peers at other large organizations.“ Matt Carpenter, Enterprise Information Systems GIAC certifications help IT Security Professionals get promoted faster and earn more money…
GIAC Certifications GSEC - Security Essentials GCFW - Firewall Analyst GCIA - Intrusion Analyst GCIH - Incident Handler GCFA - Forensics Analyst GCUX - Unix Security GCWN - Windows Security GNET - . NET GSOC - Securing Oracle GSSP-JAVA - Secure Coding GSSP-C - Secure Coding GISF - Information Security Fundamentals GSAE - Security Audit Essentials GSLC - Security Leadership GSNA - System & Network Auditor G7799 - ISO 17799/27001 GISP - Information Security Professional GCIM - Incident Manager GAWN - Auditing Wireless Networks GREM - Reverse-Engineering Malware GPEN - Penetration Tester GCPM - IT Project Management For a complete list of GIAC Certifications http://www.giac.org/certifications/roadmap.php
Free Resources SANS and GIAC have a variety of free resources readily available at www.sans.org and www.giac.org Here’s a sample of what we offer: Internet Storm Center SANS reading room - http://www.sans.org/reading_room Top 15 Malicious Spyware Actions SANS Security Policy Samples The Internet Guide to Popular Resources on Information Security FAQ’s SCORE Security Tool White Papers and GIAC Gold Papers Glossary of Security Terms
Thank You! Questions: [email_address] [email_address]
Ad

Recommended

Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
Rashad Aliyev
 
Egypt cuisine
Egypt cuisine Egypt cuisine
Egypt cuisine
ljsh1
 
Presentation on supervised learning
Presentation on supervised learningPresentation on supervised learning
Presentation on supervised learning
Tonmoy Bhagawati
 
Software quality assurance
Software quality assuranceSoftware quality assurance
Software quality assurance
Aman Adhikari
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
👀 Joe Gray
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
ecmee
 
Supply chain-attack
Supply chain-attackSupply chain-attack
Supply chain-attack
vikram vashisth
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
btpsec
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
Rahmat Suhatman
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
Raghav Bisht
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
Aravind R
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Penetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity ProfessionalsPenetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity Professionals
211 Check
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
Ammar WK
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
shiriskumar
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0
Network Intelligence India
 
Ad

More Related Content

What's hot (20)

Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
👀 Joe Gray
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
ecmee
 
Supply chain-attack
Supply chain-attackSupply chain-attack
Supply chain-attack
vikram vashisth
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
btpsec
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
Rahmat Suhatman
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
Raghav Bisht
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
Aravind R
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Penetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity ProfessionalsPenetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity Professionals
211 Check
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
Ammar WK
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
👀 Joe Gray
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
ecmee
 
Supply chain-attack
Supply chain-attackSupply chain-attack
Supply chain-attack
vikram vashisth
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
btpsec
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
Rahmat Suhatman
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
Raghav Bisht
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
Aravind R
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Penetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity ProfessionalsPenetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity Professionals
211 Check
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
Ammar WK
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 

Viewers also liked (9)

OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
shiriskumar
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0
Network Intelligence India
 
VAPT, Ethical Hacking and Laws in India by prashant mali
VAPT, Ethical Hacking and Laws in India by prashant maliVAPT, Ethical Hacking and Laws in India by prashant mali
VAPT, Ethical Hacking and Laws in India by prashant mali
Adv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Servers
Information Technology
 
Network architecture
Network architectureNetwork architecture
Network architecture
Online
 
Osi model 7 Layers
Osi model 7 LayersOsi model 7 Layers
Osi model 7 Layers
Siddique Ibrahim
 
AUDITime information Systems (I) Pvt. Ltd.
AUDITime information Systems (I) Pvt. Ltd.AUDITime information Systems (I) Pvt. Ltd.
AUDITime information Systems (I) Pvt. Ltd.
shiriskumar
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
Pascal Flöschel
 
OSI Model
OSI ModelOSI Model
OSI Model
Rahul Bandhe
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
shiriskumar
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0
Network Intelligence India
 
VAPT, Ethical Hacking and Laws in India by prashant mali
VAPT, Ethical Hacking and Laws in India by prashant maliVAPT, Ethical Hacking and Laws in India by prashant mali
VAPT, Ethical Hacking and Laws in India by prashant mali
Adv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Servers
Information Technology
 
Network architecture
Network architectureNetwork architecture
Network architecture
Online
 
Osi model 7 Layers
Osi model 7 LayersOsi model 7 Layers
Osi model 7 Layers
Siddique Ibrahim
 
AUDITime information Systems (I) Pvt. Ltd.
AUDITime information Systems (I) Pvt. Ltd.AUDITime information Systems (I) Pvt. Ltd.
AUDITime information Systems (I) Pvt. Ltd.
shiriskumar
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
Pascal Flöschel
 
OSI Model
OSI ModelOSI Model
OSI Model
Rahul Bandhe
 
Ad

Similar to Penetration Testing Basics (20)

website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paper
Bhagyashri Chalakh
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
Greater Noida Institute Of Technology
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Joann Davis
 
So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in Cybersecurity
Teri Radichel
 
cybersecurity-careers.pdf
cybersecurity-careers.pdfcybersecurity-careers.pdf
cybersecurity-careers.pdf
RakeshKumar442494
 
Overview on hacking tools
Overview on hacking toolsOverview on hacking tools
Overview on hacking tools
ZituSahu
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
Cenzic
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
parag101
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
Narayanan
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
T04505103106
T04505103106T04505103106
T04505103106
IJERA Editor
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
belsis
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
AmardeepKumar621436
 
Web Based Security
Web Based SecurityWeb Based Security
Web Based Security
John Wiley
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Wayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
Aditya K Sood
 
ransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptxransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptx
dawitTerefe5
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
Paul Melson
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paper
Bhagyashri Chalakh
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
Greater Noida Institute Of Technology
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Joann Davis
 
So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in Cybersecurity
Teri Radichel
 
cybersecurity-careers.pdf
cybersecurity-careers.pdfcybersecurity-careers.pdf
cybersecurity-careers.pdf
RakeshKumar442494
 
Overview on hacking tools
Overview on hacking toolsOverview on hacking tools
Overview on hacking tools
ZituSahu
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
Cenzic
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
parag101
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
Narayanan
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
T04505103106
T04505103106T04505103106
T04505103106
IJERA Editor
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
belsis
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
AmardeepKumar621436
 
Web Based Security
Web Based SecurityWeb Based Security
Web Based Security
John Wiley
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
Wayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
Aditya K Sood
 
ransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptxransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptx
dawitTerefe5
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
Paul Melson
 
Ad

Recently uploaded (20)

Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 

Penetration Testing Basics

  • 1. Penetration Testing Basics A presentation of The Internet Storm Center, The SANS Institute and The GIAC Certification Program
  • 2. About Me Rick Wanner B.Sc. I.S.P. Client Technology Manager, Security at SaskTel Areas of expertise Secure Network Architecture, Penetration Testing IDS, Policy Development and compliance Masters Student at STI (SANS Technology Institute) Handler at the Internet Storm Center (isc.sans.org) Independent contractor/Volunteer with SANS/GIAC [email_address]
  • 3. Presentation Overview Internet Storm Centre SANS/GIAC Mini-Briefing Security Mitigation Strategies Penetration Testing
  • 4. The Internet Storm Center The Internet Storm Center acts as a distributed early warning system for the Internet The ISC acts as an intermediary with ISPs worldwide. The ISC is composed of approximately 40 volunteer handlers which coordinate a group of volunteer intrusion analysts and malware specialists. Daily blog/diary published at http://isc.sans.org/ Sponsored by the SANS Institute.
  • 5. We want your logs! The ISCs principal inputs come from Dshield.org and Internet users All logs are scrubbed before they are submitted.
  • 6. SANS Training and GIAC Certifications SANS Institute is the leading training organization for system administration, audit, network, security and security management. GIAC, The Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.
  • 7. Today’s Cyber Threats Cyber threats have certainly changed since Al Gore invented the internet. What started off as an innocuous invention by ARPANET and supported by the U.S. Department of Defense, is now a significant vehicle for conducting business, shopping, banking, researching, communicating, and maintaining vital corporate information Unfortunately it’s also a haven for hackers and intrusive malicious code.
  • 8. The Internet The Internet is a community of individuals with its good neighbourhoods and bad neighborhoods. In this community the bad neighborhoods are only separated from the good neighbourhoods by at most 150 milliseconds.
  • 9. The Need for Information Security While you are working hard to protect your organization’s critical information and systems, there are others out there who want to compromise it. Learning the appropriate actions to secure this information not only benefits your employer, clients, and stockholders, it benefits you. In this industry, you don’t want to be the one who learned the hard way.
  • 10. Security Outlook As users get more sophisticated, so do the bad guys. A CA, Inc. report issued on January 29, 2007 stated that: In 2006, trojans accounted for 62% of all malware; worms 24%; and viruses and other types of malware accounted for the remaining 13%. CA, Inc predicts that attackers will use blended threats to steal private information and perpetrate other attacks Phishers are getting smarter Spam will increase Targeted attacks will increase A rise in the use of kernel rootkits Increased exploitation of browser and application vulnerabilities Typo-squatting on search engines will increase Attacks are increasingly sophisticated.
  • 11. Penetration Testing Penetration testing is discovering vulnerabilities in your networks, systems, applications and data before the bad guys do. Penetration testing simulates the generalized attack methodology.
  • 12. Generalized Attack Methodology Reconnaissance Scanning Gaining Access Maintaining Access Covering Tracks
  • 13. Penetration Testing Method Preparation Reconnaissance Scanning Exploitation Analysis Reporting
  • 14. Preparation Define the parameters of the test. Objectives Scope Roles and responsibilities Limitations Success factors Timeline Documented Permission
  • 15. Reconnaissance Reconnaissance determines…”What can a potential attacker learn about your company?” Utilizes publicly available information.
  • 16. Reconnaissance (2) Some sources of information: Search Engines Websites Registrars SEC Recruiting sites Netcraft.com
  • 19. Scanning Now we know where to look, let’s dig in a little deeper. Generally you are going to use two types of scanners, port scanners, and vulnerability scanners. The hackers choice: Nmap Nessus
  • 20. Nmap Nmap – open sourced port scanner Usually start with discovery scans and progress to targeted scans. Runs on Windows and *nix. Available from nmap.org
  • 22. Nmap - Reconaissance nmap –sL <Address> nmap –sL www.telus.net/24 nmap –sL 205.206.163.16/24
  • 23. Nmap - Discovery nmap –F <Address> nmap –F 192.168.1.0/24 nmap -top-ports 20 <address> nmap -top-ports 20 192.168.1.0/24
  • 24. Nmap - Targeted nmap -F –A <address> nmap -F –A 192.168.1.200
  • 25. Vulnerability Scanner Nessus –open sourced VA scanner Vulnerability feed costs money.
  • 26. Commercial Vulnerability Scanners Rapid7 NeXpose GFI LANguard eEye Retina Network
  • 27. Application Attacks Now we have all these layers of protection. Are you still vulnerable? The fact is that you can’t deny what you must permit. What about application level attacks?
  • 28. Cross-Site Scripting Allows code injection by malicious web users into the web pages viewed by other users. Root cause - lack of input filtering and validation Permits attacker to execute arbitrary scripts on the browser
  • 29. Yahoo's HotJobs site vulnerable to cross-site scripting attack Dan Kaplan - October 27 2008 Internet research firm Netcraft's toolbar has detected a cross site scripting bug in Yahoo that could be exploited to steal authentication cookies. The flaw resides on Yahoo's HotJobs search engine site, on which hackers embedded malicious JavaScript code, Netcraft's Paul Mutton said in a blog  post on Sunday. &quot;The script steals the authentication cookies that are sent for the Yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details,&quot; Mutton wrote. The pilfered credentials could enable the attackers access to the victims' Yahoo acounts, including email. This vulnerability is similar to another bug that affected Yahoo earlier this year, he said. &quot;Simply visiting the malign URLs on Yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email — the victim does not even have to type in their username and password for the attacker to do this,&quot; Mutton wrote. &quot;Both attacks send the victim to a blank webpage, leaving them unlikely to realize that their own account has just been compromised.&quot;
  • 30. Cross-Site Request Forgery (XSRF) Unauthorized commands are transmitted from a user that the website trusts. Exploitation of an existing web session. Embedded code causes unauthorized actions
  • 31. SQL Injection SQL statements are injected into user input to see if a response is returned. Results Authentication Bypass Unauthorized data access
  • 32. Preventing Web Application Attacks Every input should be validated! “ Suspicion Breeds Confidence” Test it!
  • 33. Nikto Open source Linux based web application scanner Available at http://www.cirt.net/nikto2
  • 34. Nikto (2) Basic Scan perl nikto.pl –h <host> perl nikto.pl –h 192.168.1.1 Multiple ports perl nikto.pl –h 192.168.1.1 –p 80,88,443
  • 35. Nikto – Simple Scan [root@rwanner nikto]# ./nikto.pl -h localhost - Nikto v2.03/2.04 --------------------------------------------------------------------------- + Target IP: 127.0.0.1 + Target Hostname: localhost + Target Port: 80 + Start Time: 2008-10-27 21:53:47 --------------------------------------------------------------------------- + Server: Apache/2.2.6 (Fedora) - Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE + OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST. + Apache/2.2.6 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current. + OSVDB-682: GET /usage/ : Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html. + OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details + OSVDB-3092: GET /manual/ : Web server manual found. + OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons + OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images + OSVDB-3233: GET /icons/README : Apache default file found. + 3577 items checked: 9 item(s) reported on remote host + End Time: 2008-10-27 21:54:28 (41 seconds)
  • 36. Nikto (3) Multiple hosts perl nikto.pl –h <filename> perl nikto.pl –h hosts.txt Hosts file 192.168.1.1:80:443 192.168.0.200 192.168.0.200,443
  • 37. Nikto – Multiple Hosts Scan ]# ./nikto.pl -h hosts.txt - Nikto v2.03/2.04 --------------------------------------------------------------------------- + Target IP: 192.168.1.1 + Target Hostname: 192.168.1.1 + Target Port: 443 --------------------------------------------------------------------------- + SSL Info: Ciphers: DES-CBC3-SHA Info: /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/[email protected] Subject: /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/[email protected] + Start Time: 2008-10-28 21:16:37 --------------------------------------------------------------------------- + Server: No banner retrieved
  • 38. Commercial Web Scanners IBM Rational AppScan HP Webinspect Cenzic Hailstorm
  • 39. Exploitation Once you identify a potential vulnerability you have choices: Can use individual exploits…available via the Internet Can use pre-built exploitation frameworks. The most popular exploitation framework is Metasploit. Available for Windows or Linux Available at http://www.metasploit.com/
  • 40. Metasploit 3 primary components Exploit Stack/Heap based buffer overflow Insecure coding PHP vulnerability, IIS Unicode, SQL injection, etc. NOP sled (optional - exploit dependent) Payload Shellcode Encoders Other (exploit dependent)
  • 41. Metasploit #./msfconsole  start Metasploit msf > use windows/dcerpc/ms03_026_dcom msf > setg PAYLOAD windows/exec msf > setg CMD nc –L –p 80 cmd.exe msf > setg RHOST 192.168.0.2 msf > exploit
  • 42. Exploitation Demo Patching and Configuration Lacking patch management procedures Single inbound port open through firewall Results Simple remote exploitation Worm characteristics Can be used to bypass firewalls
  • 44. Analysis When you finish you will have a mountain of data to analyze. Break it down by a risk based approach.
  • 45. Reporting Base your report on risk. Write it so your senior executives can understand. Provide recommendation based on standards or best practices. Keep the Executive summary short. Stay away from FUD!
  • 46. Presentation Summary Support the Internet Storm Center (ISC) SANS is the best! Test your servers and applications... before the bad guys do!
  • 47. Special Tuition Offer Because you attended this session, we are offering you 10% discount on tuition for our upcoming Critical infrastructure course in Calgary
  • 48. COMMUNITY SANS For details on this special offer, please contact [email protected] for further information.
  • 49. Community SANS in Calgary Critical Infrastructure Protection in CALGARY Monday, June 15, 2009 – Wednesday, June 17, 2009 Please use: Discount Code: COINS10 Discount : 10%
  • 50. COMMUNITY SANS in REGINA We are coming back to Regina again next month!!! April 6-8, 2009 Regina Inn – Hotel & Conference Centre Security 557 - “ Virtualization Security and Operations ”
  • 51. One CPE Credit You will receive one CPE credit for attending this evening.
  • 52. THANK YOU!!!! This evening was brought to on behalf of our COMMUNITY OF INTEREST IN NETWORK SECURITY (COINS) program. Thank you for joining us tonight!
  • 54. SANS Training and GIAC Certifications SANS Institute is the leading training organization for system, audit, network, and security. GIAC, The Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.
  • 55. SANS and GIAC Guiding Principles Education Current, Evolving and Proven Material Certifications that prove you have the knowledge and skills to get the job done Hands-On Hands-on training conducted by instructors who are experts in their fields Testing process that evaluates hands-on capabilities Community Listening and learning to the community’s needs Giving vital knowledge back to the community
  • 56. How SANS and GIAC Are Different From Other Training/Certifications SANS and GIAC constantly update course and certification information to keep you on top of current threats and vulnerabilities. We use real-world, hands-on scenarios. While tools are an important part of IT security, we teach you and validate actual skills, so you don’t have to solely rely on the performance of a tool. The SANS Promise - You will be able to apply our information security training the day you get back to the office.
  • 57. GIAC Certification GIAC Silver Certifications Multiple choice exams only GIAC Gold Certifications Plus a written technical report GIAC Platinum Series Highest certification level
  • 58. Top 3 Reasons to Earn Your GIAC Certification Hiring managers use GIAC certifications to ensure that candidates actually possess deep technical skills GIAC certifications help IT Security Professionals get promoted faster and earn more money GIAC certification reinforces and affirms the 'hands on' knowledge you possess
  • 59. What Certified People Say? &quot;The GIAC certification has enabled me to take the next step in my Information Security career. It allowed me to prove that my value was more than just that of a security minded Sys Admin.&quot; J. Klein, Enterprise Information Systems, Cedars-Sinai Medical Center &quot;The SANS hands-on experience and the intensive GIAC certification process has garnered me the respect of my boss and peers. Now, when I speak, people listen. I have the confidence to get the job done. My boss looks at me with respect that simply wasn't there before SANS training and GIAC certification. Not only my boss, but managers and peers at other large organizations.“ Matt Carpenter, Enterprise Information Systems GIAC certifications help IT Security Professionals get promoted faster and earn more money…
  • 60. GIAC Certifications GSEC - Security Essentials GCFW - Firewall Analyst GCIA - Intrusion Analyst GCIH - Incident Handler GCFA - Forensics Analyst GCUX - Unix Security GCWN - Windows Security GNET - . NET GSOC - Securing Oracle GSSP-JAVA - Secure Coding GSSP-C - Secure Coding GISF - Information Security Fundamentals GSAE - Security Audit Essentials GSLC - Security Leadership GSNA - System & Network Auditor G7799 - ISO 17799/27001 GISP - Information Security Professional GCIM - Incident Manager GAWN - Auditing Wireless Networks GREM - Reverse-Engineering Malware GPEN - Penetration Tester GCPM - IT Project Management For a complete list of GIAC Certifications http://www.giac.org/certifications/roadmap.php
  • 61. Free Resources SANS and GIAC have a variety of free resources readily available at www.sans.org and www.giac.org Here’s a sample of what we offer: Internet Storm Center SANS reading room - http://www.sans.org/reading_room Top 15 Malicious Spyware Actions SANS Security Policy Samples The Internet Guide to Popular Resources on Information Security FAQ’s SCORE Security Tool White Papers and GIAC Gold Papers Glossary of Security Terms
  • 62. Thank You! Questions: [email_address] [email_address]

Editor's Notes

  • #2: Welcome to Penetration Testing Basics presented by the SANS Institute and GIAC Certifications. Penetration Testing Basics is designed to be an informative presentation for those in IT with an interest in IT security. Security is only as good as the person implementing it, so make sure you and your team have the knowledge and expertise needed to ensure the security of your organization’s vital data and systems.
  • #3: Just me. Feel free to contact me if you have questions. I will endeavour to help.
  • #5: LiOn worm of 2001 From http://isc.sans.org/about.html ISC History and Overview The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. On March 22, 2001, intrusion detection sensors around the globe logged an increase in the number of probes to port 53 – the port that supports the Domain Name Service. Over a period of a few hours, more and more probes to port 53 were arriving - first from dozens and then from hundreds of attacking machines. Within an hour of the first report, several analysts, all of whom were fully qualified as SANS GIAC certified intrusion detection experts, agreed that a global security incident was underway. They immediately sent a notice to a global community of technically savvy security practitioners asking them to check their systems to see whether they had experienced an attack. Within three hours a system administrator in the Netherlands responded that some of his machines had been infected, and he sent the first copy of the worm code to the analysts. The analysts determined what damage the worm did and how it did it, and then they developed a computer program to determine which computers had been infected. They tested the program in multiple sites and they also let the FBI know of the attack. Just fourteen hours after the spike in port 53 traffic was first noticed, the analysts were able to send an alert to 200,000 people warning them of the attack in progress, telling them where to get the program to check their machines, and advising what to do to avoid the worm. The Li0n worm event demonstrated what the community acting together can do to respond to broad-based malicious attacks. Most importantly, it demonstrated the value of sharing intrusion detection logs in real time. Only in the regional and global aggregates was the attack obvious. The technology, people, and networks that found the Li0n worm were all part of the SANS Institute&apos;s Consensus Incident Database (CID) project that had been monitoring global Internet traffic since November 2000. CID’s contribution the night of March 22 was sufficient to earn it a new title: the SANS Internet Storm Center. Today the Internet Storm Center gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is rapidly expanding in a quest to do a better job of finding new storms faster, identifying the sites that are used for attacks, and providing authoritative data on the types of attacks that are being mounted against computers in various industries and regions around the globe. The Internet Storm Center is a free service to the Internet community. The work is supported by the SANS Institute from tuition paid by students attending SANS security education programs. Volunteer incident handlers donate their valuable time to analyze detects and anomalies, and post a daily diary of their analysis and thoughts on the Storm Center web site. Behind the Internet Storm Center The ISC relies on an all-volunteer effort to detect problems, analyze the threat, and disseminate both technical as well as procedural information to the general public. Thousands of sensors that work with most firewalls, intrusion detection systems, home broadband devices, and nearly all operating systems are constantly collecting information about unwanted traffic arriving from the Internet. These devices feed the DShield database where human volunteers as well as machines pour through the data looking for abnormal trends and behavior. The resulting analysis is posted to the ISC&apos;s main web page where it can be automatically retrieved by simple scripts or can be viewed in near real time by any Internet user. In many ways, the ISC parallels the data collection, analysis, and warning system used by weather forecasters. For example, the National Weather Service uses small sensors in as many places as possible to report pressure, wind speed, precipitation and other data electronically to regional weather stations. These local stations provide technical support to maintain the sensors, and they summarize and map the sensor data and display it for local meteorologists. They also forward the summarized data to national weather center or transnational weather analysis centers. If analysts are available to monitor the data, they can provide early warnings of storms in their areas. The national and transnational weather analysis centers summarize and map all the regional data to provide an overall picture of the weather. They monitor the data constantly looking for early evidence of major storms and can provide early warnings whenever possible. Likewise, the Internet Storm Center uses small software tools to send intrusion detection and firewall logs (after removing identifying information) to the DShield distributed intrusion detection system. The ISC&apos;s volunteer incident handlers monitor the constantly changing database to provide early warnings to the community of major new security threats. The ISC also provides feedback to participating analysis centers comparing their attack profiles to those of other centers, and provides notices to ISPs of IP addresses that are being used in widespread attacks. The ISC maintains a very popular daily diary of incident handler’s notes, and can generate custom global summary reports for any Internet user. The value of the Internet Storm Center is maximized when the sensors are collecting data on attacks touching all corners of the Internet. Because of the vastness of cyberspace it is impossible to instrument the entire Internet. Instead, samples are taken in as many diverse places as possible to create an accurate representation of current Internet activity. Many ISC users send their log data directly to the ISC databases without going through an organizational or local analysis and coordination center. Several large organizations have expressed interest in mirroring the ISC&apos;s distributed intrusion detection system, placing sensors at the edges and within their networks to provide early detection of anomalous behavior. Early Warning In addition to hundreds of users who monitor the ISC&apos;s website and provide some of the best early warnings, the ISC is supported by a core team of expert volunteer incident handlers , making it a virtual organization composed of the top tier of intrusion detection analysts from around the globe. The all-volunteer team monitors the data flowing into the database using automated analysis and graphical visualization tools and searches for activity that corresponds with broad based attacks. They report their findings to the Internet community through the ISC main web site, directly to ISPs, and via general postings and emails to newsgroups or public information sharing forums. The team determines whether a possible attack is real and whether it is worth follow-up action. If so, the team can request an immediate email to the 100,000 subscribers to the SANS Security Alert Consensus - an alerting service used primarily by very advanced security- conscious system and network administrators and analysts. The email would ask for data and code from anyone who has hard evidence of the attack. Once the attack is fully understood, the team determines the level of priority to place on the threat, whether to make a general announcement or simply post it, and whether to get core Internet backbone providers involved so they may consider cutting off traffic to and from sites that may be involved in the attacks. The ISC maintains a private web site and private reports for each reporting site. Reports include lists of the most recent attacks along with the indications of how many other sites the attackers have targeted, the severity of each attack, and background data about why attackers target specific ports. The web page helps the reporting site manage its intrusion data and keeps track of attacks. Users can show the results of submissions in a variety of formats including columnar data or pie charts. Data can also be exported in formats usable in other data visualization programs.
  • #7: Why choose SANS courses and GIAC certifications? SANS Institute is the leading training organization for system administration, audit, network, and security. GIAC (Global Information Assurance Certification) provides certification that validates the skills of security professionals.
  • #8: 1970’s – mid-80’s Digital phone switches, blue boxes - Steve Wozniak and Steve Jobs Apple founders 1980’s – birth of Arpanet, Bitnet, CANet 1988 – Morris Worm – leveraged vulnerabilites in sendmail, finger, rsh, and weak passwords 1990’s – hacker groups - The L0pht – L0pht Heavy Industries - Cult of the Dead Cow - Masters of Deception - Legion of Doom 2000 + decade of the worm Melissa, Iloveyou, witty, 2001 Summer of Hell – Blended threats - Code Red – July 13 - Code Red II – August 4 - Nimda – September 18 th – motivated by knowledge, achievement, mischevious Relatively low tech, clumsy attacks 2008 – Conficker/Downadup – data gathering - blended threat - email addresses, SSN, Credit Card #’s, Health Card numbers, accounts, passwords - phishing Cyber Threats are growing at an alarming rate. Although the internet was once a ‘safe place’ this is no longer the case (and hasn’t been for quite some time).
  • #9: The Internet is just a large community of individuals. Like any other community most people are law abiding citizens. Like any other city a small portion of the population are willing to break the law. Like any city there are good neighbourhoods and bad neighbourhoods. The difference is that good neighbourhoods and bad neighbourhoods are only separated by a maximum of 150 milliseconds. In order to protect yourself in the city you live in you put locks on your doors and windows, install alarms, don’t let people in unless you know them or think you understand their motives. But yet for some reason when we put a computer and application on the Internet we are oblivious to the risks and don’t lock the doors and windows and expect the criminals to stay out. The population of the Internet is approximately 1.5 Billion people. If even .1% of them have evil intentions that is 1.5 Million evil doers.
  • #10: Strong IT Security skills benefit everyone (except the bad guys). Being made an example of by a hacker is one of the worst things that can happen. Being owned is learning the hard way.
  • #11: Everyday your organization’s vital information systems are coming under attack. Make sure you and your team have the knowledge necessary to prevent, detect, and resolve the threats and incidents that could result in loss of money, integrity, confidentiality, and availability.
  • #12: The bad guys are checking out your network. If you’re controls are working, then it shouldn’t be a problem...should it? The goal of penetration testing is to test your security controls from an attacker’s point of view.
  • #13: This is a generalized attack methodology used by an attacker. It begins with determining as much as possible about a company by researching publicly available sources to see what they can learn, this is called reconnaissance. During the reconnaissance phase the attacker does not need to touch your network. The second phase is usually scanning. This is where the attacker starts poking at your network to see what he can see, to see what servers and apps you are showing to the world. Once he has found a potential target the attacker will attempt to exploit any potential vulnerabilities to gain a toe hold into your network. If he can gain purchase on your network he will usually try and ensure he can maintain access and get in whenever he wants through the use of backdoors, trojans, zombie processes or some other method. Then the skilled attacker will attempt to cover his tracks so you cannot detect his presence in your systems. He will endeavour to do this though modification of log files, installation of rootkits, removal of logins, and other methods.
  • #14: Penetration testing closely mirrors the attackers methodology. The goal of the penetration test is to find the weak points in your defenses, document the and hopefully fix them before an attacker can take advantage of them so the tail end of the process involves analyzing and reporting on any issues you detect.
  • #15: The preparation stage is probably the most critical. This is when you need to define the parameters of the penetration test. What machines and services are in scope and which are out of out of scope. Who will do what? Are there any machines which must be avoided at all costs? How will we measure success. How long should the Penetration Testing project take and when will the work be done? The most important consideration is documented permission. Once you have determined all the parameters of the Pen Test, summarize it in one or two pages and have it signed by someone with authority to approve it and by all means if the scope needs to expand have it resigned. Don’t skip getting permission. More than a few security people have found themselves in serious trouble for unapproved security testing.
  • #23: List scan nmap –sL &lt;Address&gt; nmap –sL www.telus.net/24 nmap –sL 205.206.163.16/24
  • #24: To do a basic discovery scan in nmap: nmap -top-ports 20 &lt;address&gt; nmap -top-ports 20 192.168.1.0/24 -F is fast scan, scans top 100 TCP and UDP ports
  • #25: Nmap –top-ports 20 –A &lt;host&gt; Nmap –top-ports 20 –A 192.68.1.200 -A is the equivalent of –O (OS Detection) and –sV (version and application detection) as well as Script scanning and Traceroute Top TCP 80, 23, 443, 21, 22, 25, 3389 (RDP), 110 (POP), 445, 139, 143 (IMAP) Starting Nmap 4.76 ( http://nmap.org ) at 2008-10-30 13:21 Canada Central Standard Time Interesting ports on 192.168.1.200: PORT STATE SERVICE VERSION 21/tcp closed ftp 22/tcp closed ssh 23/tcp closed telnet 25/tcp closed smtp 53/tcp closed domain 80/tcp open http Apache httpd 2.2.6 ((Fedora)) |_ HTML title: Rick Wanner&apos;s Web Page&lt;/title&gt; &lt;META NAME=&amp;quot;description&amp;quot; CONTE... 110/tcp closed pop3 111/tcp open rpcbind | rpcinfo: | 100000 2 111/udp rpcbind | 100024 1 834/udp status | 100000 2 111/tcp rpcbind |_ 100024 1 837/tcp status 135/tcp closed msrpc 139/tcp closed netbios-ssn 143/tcp closed imap 443/tcp open ssl/http Apache httpd 2.2.6 ((Fedora)) |_ HTML title: Rick Wanner&apos;s Web Page&lt;/title&gt; &lt;META NAME=&amp;quot;description&amp;quot; CONTE... 445/tcp closed microsoft-ds 993/tcp closed imaps 995/tcp closed pop3s 1723/tcp closed pptp 3306/tcp open mysql MySQL (unauthorized) 3389/tcp closed ms-term-serv 5900/tcp closed vnc 8080/tcp closed http-proxy MAC Address: 00:48:54:8B:EB:B0 (Unknown) Device type: general purpose Running: Linux 2.6.X OS details: Linux 2.6.9 - 2.6.25 Network Distance: 1 hop OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 23.23 seconds
  • #28: The fact is that the bad guys aren’t stupid. If anything they are getting increasingly smarter. We’ve deployed all these layers of security around our network, but we have to draw the line somewhere. You have to leave some ports opened so you can actually do business. Stretching the house analogy well beyond where we should… You’ve locked all the doors and windows, set the alarm, but the dog still needs to go in and out of the doggy door.
  • #30: From scmagazineus.com - http://www.scmagazineus.com/Yahoos-HotJobs-site-vulnerable-to-cross-site-scripting-attack/PrintArticle/120008/
  • #32: Attacks like SQL Injection truly demonstrate the need for a defense in depth strategy. Think about how web servers are set up at your organization. The system itself likely sits within the segment of a network that is Internet accessible. If you have done your due diligence, it is up to date with the most recent security patches and only HTTP (80) and HTTPS (443) ports are open through the firewall. There are many layers of defense in this typical scenario, but none of them protect your organization against SQL Injection. A typical SQL Injection attack is demonstrated in this video. It runs over ports allowed through the firewall (80, 443) into a DMZ and doesn’t attempt to exploit any weaknesses that can be fixed with an operating system or web server patch. In many occasions, the SSL communications actually make network IDS and sniffers blind to the attack since it rides an encrypted channel straight to the web server. The demonstrated attacks will be used to bypass authentication and gain access to unauthorized data. How can we protect ourselves against these attacks? As we see, typical defense in depth isn’t enough and the attacker has the advantage; this entire exploit was performed with a standard web browser. Further security must be implemented within the software development lifecycle. Application developers must perform proper validation on all incoming input to ensure malicious commands are not being executed by remote users. Additional controls, such as a web application firewall, log monitoring, and event correlation software may be implemented in addition to improved development practices. Open Web Application Security Project http://www.owasp.org/
  • #42: #./msfconsole - start Metasploit msf &gt; use windows/dcerpc/ms03_026_dcom - the exploit to use. This is an older Windows RPC vulnerability. msf &gt; setg PAYLOAD windows/exec - if the exploit succeeds try and execute something remotely msf &gt; setg CMD nc –L –p 80 cmd.exe - this is the command to be executed. In this case start a netcat listener on port 80. msf &gt; setg RHOST 192.168.0.2 - this is the host to be attacked. msf &gt; exploit - execute the attack.
  • #43: The lessons in defense in depth, configuration management, and malicious code can all be applied to this next demonstration. An attacker performs a quick port scan of your network range and discovers a pair of Windows systems. The first system is chosen for attack, and the attacker launches the Metasploit exploitation framework. A common Windows exploit is selected and Metasploit is configured to open up a listening command shell on the vulnerable system. Once the exploit is launched, the attacker connects to the back door and issues a command. If the attacker found the listening port to be blocked by a firewall, another exploit could be used to initiate an outbound command shell effectively bypassing the controls. This attack would not be possible if proper patch management procedures were in place and followed. Many organizations have patch management solutions, but sometimes systems slide through the cracks or legacy software does not support the latest service pack leaving the entire system vulnerable. Firewalls won’t always protect systems against exploitation as some ports must remain open for functionality purposes. The ease of exploitation can be shocking if you haven’t seen this type of demonstration before. It takes little effort to perform (or even automate) this attack. This exploit was used in the Blaster worm in 2003 that infected machines all over the world. All it takes is one accessible vulnerable system or one rogue infected laptop to bring a devastating worm or exploit into your organization.
  • #44: The only commercial exploitation framework that I know of is Core Impact. As with most of these tools the big difference over the open-sourced version is the reporting capabilities, although Core is a fair bit easier to use than Metasploit.
  • #46: Think about your audience. In most cases they will be Executives who don’t give a hoot that you compromised a Solaris 8.0 box using a box cutter and two pieces of twine. What they care about is what it means to the corporation. The best type of report for this audience uses a risk based approach and describes what the root cause of the failures are and how they should be addresses. Usually it is best to write your recommendations citing standards or best practices as the basis for your recommendations. I usually like to write 2 reports in one, each two sections: Executive Summary (1 page maximum) Executive Report (3-5 pages maximum) Technical Summary (3-5 pages maximum) Detailed Technical Report ( ???? Pages)
  • #55: Why choose SANS courses and GIAC certifications? SANS Institute is the leading training organization for system, audit, network, and security. GIAC (Global Information Assurance Certification) provides certification that validates the skills of security professionals.
  • #56: Education and Community are the guiding principles of SANS and of GIAC. SANS’ goal for a number of years has been to provide the best technical training, delivered by the best instructors. In this, we have a proven track record. Many of the core SANS courses now form the basis of the GIAC certification program. In the past, our efforts have focused on “live” classroom training at conferences. While this provides an excellent educational forum, it limits us in both time (how often we can offer courses) and space (seating limitations). Another difference between SANS/GIAC and other programs is that SANS and GIAC are constantly evolving. SANS courses and GIAC objectives are not static – and therefore they don’t become dated. Information security (like technology in general) is a rapidly changing field. Our material is revised on an ongoing basis – generally, every few months. Student feedback and new technical developments lead to new consensus on best practices, which are incorporated into GIAC material through instructor revisions…and the cycle begins again. Courses are revised, exams updated to reflect new material, new practical assignments developed to build on earlier research. GIAC continues to raise the bar, setting new standards for excellence. In addition, GIAC has a very strong community focus. One of GIAC’s primary goals is to continually advance the defensive state of practice of information security. We do this not only through education, but also by sharing our research with others so that they too can continue to learn. Community consensus drives our curriculum and shapes the future direction of the program. Public disclosure on our web site – through GIAC and www.incidents.org, through consensus documents, through the research of GIAC certified professionals – provides free public information and education.
  • #57: SANS and GIAC constantly updates course and certification information to keep you on top of current threats and vulnerabilities. We use real-world, hands-on scenarios. While tools are an important part of the IT security toolbox, we teach you actual skills so you don’t have to rely on a tool. The SANS Promise - You will be able to apply our information security training the day you get back to the office.
  • #58: GIAC offers a series of certification levels to assess the different degrees of knowledge mastery a student possesses in specific subject areas. Early in 2005, GIAC announced a major shift: a written practical assignment was no longer required to obtain any GIAC Certification. All of the base GIAC certifications assess knowledge through online multiple choice exams, and they assess industry standard practices and scenario based knowledge. The current GIAC exam system assesses a wider range of material than the original written practical. Students who scored at least 70 on their exams for their certification have earned GIAC SILVER. Please note that SANS Technology Institute students must score an 80 or above to receive STI credit. Those students who have earned a GIAC certification and want to take their learning to the next level have the option to apply for GIAC Gold. GIAC Gold requires the candidate to research and write a technical report based on a specific aspect of the core certification that would benefit the info-sec community. Students attempting GIAC Gold will have an advisor to work with throughout the development of their project. The GIAC Platinum series is the top of the line certification. The platinum level requires multiple GIAC certifications in a specific discipline and involves many days of additional testing. The platinum series ensures that an individual is a true subject area expert.
  • #59: GIAC certifications verify that an individual has a working understanding of a specific Information Security discipline. GIAC certified individuals prove on a day to day basis that they can secure systems and apply the knowledge they purport to possess. Would you want someone without a drivers license behind the wheel of your new car? The more qualified security professionals there are, the better protected our Internet neighborhoods become. It is much like having more police officers watching over us, or at the very least a really strong Neighborhood Watch group. Our “neighborhood” is world wide, so we need a lot of qualified “police officers” to do the job right. Increased recognition of the importance of computer and information security in general and a growing recognition of the quality of the GIAC program have led to prominent recognition. Many large companies and government agencies (for example: State Farm, National Security Agency, Northrop Grumman, Symantec, and Department of Energy), now request or require GIAC certification for new job candidates. US Department of Defense directive 8570 is an enterprise-wide program to train, certify, and manage the DoD Information Assurance (IA) workforce, requiring technicians and managers to be trained and certified to a DoD baseline requirement. GIAC certifications serve as a bench mark for five out of the six defined job levels within the DoD 8570 program. In addition to personal benefit, a certification is also a manager’s tool. First, it is a way to verify the time and money you have invested in an employee’s education, your employee can walk away with something tangible to show for it. Second, it is a way for a new manager to know that an employee is capable because they have the credentials to show they know what they are talking about.
  • #60: This page intentionally left blank.
  • #61: GIAC has been an industry leader in information security certifications for years. The number of certifications has grown with the demands of students, new threats and new technologies. Each GIAC certification is designed to stand on its own, and represents a certified individual&apos;s mastery of a particular set of knowledge and skills. There is no particular &amp;quot;order&amp;quot; in which GIAC certifications must be earned; though we recommend that candidates master lower level concepts before moving on to more advanced topics.
  • #62: SANS and GIAC offer a variety of free resources readily available on the web. The Internet Storm Center or ISC, provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers Top 15 Malicious Spyware Actions - Spyware authors have ramped up their malicious code to invade users&apos; privacy at unprecedented levels. The list on this page describes some of the most malicious activities of today&apos;s spyware, illustrating the need for solid antispyware defenses. SANS Security Policy Samples – is a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. The Internet Guide to Popular Resources on Information Security is an FAQ providing answers to common information requests about computer security and links to additional reading More FAQ’s – You will also find FAQ’s regarding intrusion detection and malware. SCORE is a community of security professionals from a wide range of organizations and backgrounds working to develop consensus regarding minimum standards and best practice information, essentially acting as the research engine for CIS. Security Tool White Papers - A collection of White Papers to help you research and find the security tools that best fit your needs. Glossary of Security Terms – A comprehensive list of terms used in computer security and intrusion detection
  • #63: Thanks for coming. We hope you have gained some valuable information from this presentation Please let us know if you have any questions about SANS training or GIAC certifications. And, do not forget to sign up for your free GIAC assessment!