root@labla/# whoami
The OWASP Foundation
http://www.owasp.org
Nahidul Kibria
Co-Leader, OWASP Bangladesh Chapter,
Senior Software Engineer, KAZ Software Ltd.
Writing code for fun and food.
And security enthusiast
Twitter: @nahidupa
What is the event all about?
Computer security? Information security?
Cyber Security?
Is it a game?
Are we going to learn hacking?
Capture The Flag (CTF)
In computer security, Capture the Flag (CTF) is a computer security wargame. Each team is given a machine (or small network) to defend on an isolated network. --Wikipedia
It's not just a competition… it's more than that…
HOW?
The domain is giant
If you want to be a Penetration Tester
A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders, with authorization from the owner of that system.
Prerequisites
1. Good understanding of network architecture.
2. How modern operating systems work, and system administration.
3. How applications, databases and services are designed and work.
Penetration testing
Penetration testing methodology
• Information Gathering/Reconnaissance
• Scanning/Enumeration
• Vulnerability Identification
• Exploitation
Tools and tactics
Do not reinvent the wheel… Use existing tools.
But do not depend only on tools/scripts… In some cases you have to write your own.
Books
If you want to be a Malware Analyst
Kick start
Basic Static Analysis
Basic Dynamic Analysis
Lab Setup
Collect sample
Hashing: A Fingerprint for Malware
Looks like:
373e7a863a1a345c60edb9e20ec3231
Reverse engineering
OllyDbg
Immunity Debugger
IDA Pro
Books
If you want to be a Vulnerability Researcher
Common techniques
Fuzzing
Code review
Disassemblers
Debuggers
Books
If you want to be an Exploit Developer
Prerequisites
Programming
Assembly
Memory management
Windows/*nix internals
Kernel
Books
If you want to be a Forensic Analyst
Prerequisites
Books
Coolest Jobs in Information Security
#1 Information Security Crime Investigator/Forensics Expert
#2 System, Network, and/or Web Penetration Tester
#3 Forensic Analyst
#4 Incident Responder
#5 Security Architect
#6 Malware Analyst
#7 Network Security Engineer
#8 Security Analyst
#9 Computer Crime Investigator
#10 CISO/ISO or Director of Security
#11 Application Penetration Tester
#12 Security Operations Center Analyst
#13 Prosecutor Specializing in Information Security Crime
#14 Technical Director and Deputy CISO
#15 Intrusion Analyst
#16 Vulnerability Researcher/ Exploit Developer
#17 Security Auditor
#18 Security-savvy Software Developer
#19 Security Maven in an Application Developer Organization
#20 Disaster Recovery/Business Continuity Analyst/Manager
But you have only one life
Just become a learning machine
Here comes community
Collaborative teaching
About OWASP
OWASP’s mission is “to make application security visible, so that people and organizations can make informed decisions about true application”
Attackers do not use black art to exploit your application
OWASP Bangladesh
• Bangladeshi community of security professionals
• Globally recognized
• Open for all
• Free for all
What do we have to offer?
• Monthly Meetings
• Mailing List
• Presentations & Groups
• Open Forums for Discussion
• Vendor Neutral Environments
220 Chapters
Our Successes
OWASP Tools and Documentation:
• ~15,000 downloads (per month)
• ~30,000 unique visitors (per month)
• ~2 million website hits (per month)
OWASP Chapters are blossoming worldwide
• 1500+ OWASP Members in active chapters worldwide
• 20,000+ participants
OWASP AppSec Conferences:
• Chicago, New York, London, Washington D.C, Brazil, China, Germany, more…
Distributed content portal
• 100+ authors for tools, projects, and chapters
OWASP and its materials are used, recommended and referenced by many government, standards and industry organizations.
Conferences
Download Get OWASP Books
OK, enough! Can you please tell me what I need to do today?
WE DO NOT HAVE ANY PREPARATION
Questions.
1. A question from cryptography. (300 points)
2. A question from malware analysis (not as hardcore as it sounds). (150 points)
3. A forensic analysis (the easiest question of the contest). (50 points)
Final Questions.
1. A server named GetRoot_v00t will be given. (500 points)
2. Another server named GetRoot_Drag0n will be given. (1000 points)
Both servers have been taken down from live because they are suspected of having been compromised by an attacker, and the attacker changed the root password. Your job is to recover the root password of each server and to write a report for the judge on what vulnerabilities the server has.
Rules
1. You must run the given virtual machine only in NATed mode.
2. Take screenshots at each successful step and include them in a document.
3. Cheating is allowed if you can manage it silently.
We select the winner according to the following criteria (we will do partial marking):
1. How many points the participant has (scoring).
2. How complete the solutions are (quality).
3. Creativity, geek factor.
Open Talk
Subscribe Google group
Keep up to date!
Netcat
Originally released in 1996, Netcat is a networking program designed to read and write data across both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections using the TCP/Internet Protocol (IP) protocol suite. Netcat is often referred to as a “Swiss Army knife” utility, and for good reason.
Basic Operations
Simple Chat Interface
Port Scanning
Transferring Files
Banner Grabbing
Redirecting Ports and Traffic
Creating backdoor
and whatever else you need…
Basic Operations
Simple Chat Interface
Port scanning
Banner grab
Creating backdoor...(^_-)
1) Get info about remote host ports and OS detection
nmap -sS -P0 -sV -O <target>
Where <target> may be a single IP, a hostname or a subnet
-sS TCP SYN scanning (also known as half-open, or stealth scanning)
-P0 option allows you to switch off ICMP pings.
-sV option enables version detection
-O flag attempts to identify the remote operating system
Other options:
-A option enables both OS fingerprinting and version detection
-v verbose output; use -v twice for more verbosity.
nmap -sS -P0 -A -v <target>
2) Get list of servers with a specific port open
nmap -sT -p 80 -oG - 192.168.1.* | grep open
Change the -p argument for the port number. See “man nmap” for different ways to specify address ranges.
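Added example (not from the original slides): `grep open` also matches host names that contain "open" and the state of any other scanned port, so this sketch reads the grepable (-oG) fields and reports only hosts where the requested port itself is in state "open". It extends the slide's single-port command to a multi-port scan; the sample scan output, the host names and the function names sample_scan and hosts_with_open_port are constructed for illustration.

```shell
#!/bin/sh
# Added example: read nmap grepable (-oG) output field by field instead of "grep open".

# Constructed sample of `nmap -sT -p 22,80 -oG - 192.168.1.*` output (not a real scan).
# Each host gets a Status line and a Ports line; fields are TAB-separated.
sample_scan() {
    printf '%s\n' '# Nmap scan initiated as: nmap -sT -p 22,80 -oG - 192.168.1.*'
    # printf reuses the format for every group of five arguments:
    # ip, name (Status line), ip, name, port list (Ports line).
    printf 'Host: %s (%s)\tStatus: Up\nHost: %s (%s)\tPorts: %s\n' \
        192.168.1.1  gw.lan      192.168.1.1  gw.lan \
            '22/closed/tcp//ssh///, 80/open/tcp//http///' \
        192.168.1.7  openwrt.lan 192.168.1.7  openwrt.lan \
            '22/open/tcp//ssh///, 80/closed/tcp//http///' \
        192.168.1.9  ''          192.168.1.9  '' \
            '22/filtered/tcp//ssh///, 80/filtered/tcp//http///' \
        192.168.1.20 ''          192.168.1.20 '' \
            '22/filtered/tcp//ssh///, 80/open/tcp//http///'
}

# hosts_with_open_port PORT [PROTO]
# Reads grepable output on stdin and prints the IP of every host whose
# PORT/PROTO entry is exactly in state "open" (PROTO defaults to tcp).
hosts_with_open_port() {
    awk -F'\t' -v port="$1" -v proto="${2:-tcp}" '
        /^#/ { next }                            # skip nmap comment lines
        {
            split($1, h, " ")                    # $1 is "Host: <ip> (<name>)"
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue   # only the Ports field matters
                n = split(substr($i, 8), entries, /, */)
                for (j = 1; j <= n; j++) {
                    # entry layout: port/state/protocol/owner/service/...
                    split(entries[j], f, "/")
                    if (f[1] == port && f[2] == "open" && f[3] == proto)
                        print h[2]
                }
            }
        }'
}

# Stand-alone run: hosts in the constructed sample with 80/tcp open.
sample_scan | hosts_with_open_port 80
```

On the constructed sample, plain `grep open` matches four lines, including the Status line of openwrt.lan and that host's open port 22, while the parser reports only the two hosts that really have port 80 open.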
3) Find all active IP addresses in a network
nmap -sP 192.168.0.*
There are several other options. This one is plain and simple.
Another option is:
nmap -sP 192.168.0.0/24
for specific subnets
4) Ping a range of IP addresses
nmap -sP 192.168.1.100-254
nmap accepts a wide variety of addressing notation, multiple targets/ranges, etc.
5) Find unused IPs on a given subnet
nmap -T4 -sP 192.168.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp
6) Scan for the Conficker virus on your LAN etc.
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.0.1-254
Replace 192.168.0.1-254 with the IPs you want to check.
7) Scan Network for Rogue APs.
nmap -A -p1-85,113,443,8080-8100 -T4 --min-hostgroup 50 --max-rtt-timeout 2000 --initial-rtt-timeout 300 --max-retries 3 --host-timeout 20m --max-scan-delay 1000 -oA wapscan 10.0.0.0/8
I’ve used this scan to successfully find
many rogue APs on a very, very large
network.
9) How Many Linux And Windows Devices Are On Your Network?
sudo nmap -F -O 192.168.0.1-255 | grep "Running: " > /tmp/os; echo "$(cat /tmp/os | grep Linux | wc -l) Linux device(s)"; echo "$(cat /tmp/os | grep Windows | wc -l) Window(s) devices"
OS fingerprinting
1. XP with service pack 1
2. XP with service pack 2
3. Linux 64.0.33
4. Mac OS
5. OpenBSD
6. Etc.
TOOLS
p0f (passive)
Xprobe/Xprobe2
DMitry
Web Application threat surface
XSS
CSRF
Clickjacking
Parameter tampering/sniffing
Forged token
Directory traversal
Direct object reference
SQL Injection
XML Injection
OWASP Top 10 Web Application Security Risks (2010 Edition)
http://www.owasp.org/index.php/Top_10
Learning tools
OWASP WebGoat
Mutillidae
ZAP Proxy
Burp Proxy
Firefox proxy settings

G3t R00t at IUT

  • 4. The OWASP Foundation, http://www.owasp.org. Nahidul Kibria: Co-Leader, OWASP Bangladesh Chapter; Senior Software Engineer, KAZ Software Ltd. Writing code for fun and food, and a security enthusiast. Twitter: @nahidupa
  • 5. What is the event all about? Computer security? Information security? Cyber security? Is it a game? Are we going to learn hacking?
  • 6. Capture The Flag (CTF): In computer security, Capture the Flag (CTF) is a computer security wargame. Each team is given a machine (or small network) to defend on an isolated network. -- Wikipedia
  • 7. It's not just a competition… it is more than that… HOW?
  • 10. The domain is giant
  • 11. If you want to be a Penetration Tester: A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders, with authorization from the owner of that system.
  • 12. Prerequisites: 1. A good understanding of network architecture. 2. How modern operating systems work, and system administration. 3. How applications, databases and services are designed and how they work.
  • 13. Penetration testing methodology: Information Gathering/Reconnaissance; Scanning/Enumeration; Vulnerability Identification; Exploitation
  • 14. Tools and tactics: Do not reinvent the wheel… use existing tools. But do not depend only on tools/scripts… in some cases you have to write your own.
  • 16. If you want to be a Malware Analyst
  • 17. Kick start: Basic Static Analysis; Basic Dynamic Analysis
  • 19. Collect sample. Hashing: a fingerprint for malware. Looks like: 373e7a863a1a345c60edb9e20ec3231
  • 22. If you want to be a Vulnerability Researcher
  • 26. If you want to be an Exploit Developer
  • 29. If you want to be a Forensic Analyst
  • 32. Coolest Jobs in Information Security
        #1 Information Security Crime Investigator/Forensics Expert
        #2 System, Network, and/or Web Penetration Tester
        #3 Forensic Analyst
        #4 Incident Responder
        #5 Security Architect
        #6 Malware Analyst
        #7 Network Security Engineer
        #8 Security Analyst
        #9 Computer Crime Investigator
        #10 CISO/ISO or Director of Security
        #11 Application Penetration Tester
        #12 Security Operations Center Analyst
        #13 Prosecutor Specializing in Information Security Crime
        #14 Technical Director and Deputy CISO
        #15 Intrusion Analyst
        #16 Vulnerability Researcher/Exploit Developer
        #17 Security Auditor
        #18 Security-savvy Software Developer
        #19 Security Maven in an Application Developer Organization
        #20 Disaster Recovery/Business Continuity Analyst/Manager
  • 33. But you have only one life
  • 34. Just become a learning machine
  • 37. About OWASP: OWASP's mission is "to make application security visible, so that people and organizations can make informed decisions about true application". Attackers do not use black arts to exploit your application.
  • 38. OWASP Bangladesh: a Bangladeshi community of security professionals; globally recognized; open for all; free for all. What do we have to offer? Monthly meetings; mailing list; presentations and groups; open forums for discussion; vendor-neutral environments.
  • 40. Our Successes. OWASP Tools and Documentation: ~15,000 downloads (per month), ~30,000 unique visitors (per month), ~2 million website hits (per month). OWASP Chapters are blossoming worldwide: 1500+ OWASP Members in active chapters worldwide, 20,000+ participants. OWASP AppSec Conferences: Chicago, New York, London, Washington D.C, Brazil, China, Germany, more… Distributed content portal: 100+ authors for tools, projects, and chapters. OWASP and its materials are used, recommended and referenced by many government, standards and industry organizations.
  • 43. OK, enough! Can you please tell me what I need to do today?
  • 44. WE DO NOT HAVE ANY PREPARATION
  • 45. Questions. 1. A question from cryptography. (300 points) 2. A question from malware analysis (not as hardcore as it sounds). (150 points) 3. A forensic analysis (the easiest question of the contest). (50 points)
  • 46. Final Questions. 1. A server named GetRoot_v00t will be given. (500 points) 2. Another server named GetRoot_Drag0n will be given. (1000 points) Both servers were taken off the live network because they are suspected of having been compromised by an attacker, and the attacker changed the root password. So your job is to recover the root password of each server and to write a report for the judge on what vulnerabilities the server has.
  • 47. Rules. 1. You must run the given virtual machine only in NATed mode. 2. Take screenshots at each successful step and include them in a document. 3. Cheating is allowed if you can manage it silently.
  • 48. We select the winner according to the following criteria (we will do partial marking): 1. How many points the participant has (scoring). 2. How complete the solutions are (quality). 3. Creativity, geek factor.
  • 49. Open Talk. Subscribe to the Google group. Keep up to date!
  • 51. Netcat: Originally released in 1996, Netcat is a networking program designed to read and write data across both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections using the TCP/Internet Protocol (IP) protocol suite. Netcat is often referred to as a "Swiss Army knife" utility, and for good reason.
  • 52. Basic Operations: simple chat interface; port scanning; transferring files; banner grabbing; redirecting ports and traffic; creating a backdoor; and whatever else you need...
  • 57. 1) Get info about remote host ports and OS detection
        nmap -sS -P0 -sV -O <target>
        where <target> may be a single IP, a hostname or a subnet.
        -sS  TCP SYN scanning (also known as half-open, or stealth scanning)
        -P0  switches off ICMP pings
        -sV  enables version detection
        -O   attempts to identify the remote operating system
        Other options:
        -A   enables both OS fingerprinting and version detection
        -v   use -v twice for more verbosity
        nmap -sS -P0 -A -v <target>
  • 58. 2) Get list of servers with a specific port open
        nmap -sT -p 80 -oG - 192.168.1.* | grep open
        Change the -p argument for the port number. See "man nmap" for different ways to specify address ranges.
  • 59. 3) Find all active IP addresses in a network
        nmap -sP 192.168.0.*
        There are several other options. This one is plain and simple. Another option, for specific subnets, is:
        nmap -sP 192.168.0.0/24
  • 60. 4) Ping a range of IP addresses
        nmap -sP 192.168.1.100-254
        nmap accepts a wide variety of addressing notation, multiple targets/ranges, etc.
  • 61. 5) Find unused IPs on a given subnet
        nmap -T4 -sP 192.168.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp
  • 62. 6) Scan for the Conficker virus on your LAN etc.
        nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.0.1-254
        Replace 192.168.0.1-254 with the IPs you want to check.
  • 63. 7) Scan network for rogue APs
        nmap -A -p1-85,113,443,8080-8100 -T4 --min-hostgroup 50 --max-rtt-timeout 2000 --initial-rtt-timeout 300 --max-retries 3 --host-timeout 20m --max-scan-delay 1000 -oA wapscan 10.0.0.0/8
        I've used this scan to successfully find many rogue APs on a very, very large network.
  • 64. 9) How many Linux and Windows devices are on your network?
        sudo nmap -F -O 192.168.0.1-255 | grep "Running: " > /tmp/os; echo "$(cat /tmp/os | grep Linux | wc -l) Linux device(s)"; echo "$(cat /tmp/os | grep Windows | wc -l) Window(s) devices"
  • 65. OS fingerprinting: 1. XP with service pack 1 2. XP with service pack 2 3. Linux 64.0.33 4. Mac OS 5. OpenBSD 6. Etc.
  • 67. Web application threat surface: XSS; CSRF; clickjacking; parameter tampering/sniffing; forged token; directory traversal; direct object reference; SQL injection; XML injection
  • 68. OWASP Top 10 Web Application Security Risks (2010 Edition) http://www.owasp.org/index.php/Top_10
  • 69. Learning tools: OWASP WebGoat; Mutillidae
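
The one-liner on slide 58 filters nmap's grepable output with grep open, which also matches hostnames that contain "open" and, once more than one port is scanned, any open port on the host. The following is an added example, not part of the original slides, that parses the -oG fields instead and so also covers multi-port scans; the sample scan lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of grepable output (nmap -oG -); fields are tab-separated.
sample_scan() {
    printf '%s\t%s\n' \
        'Host: 192.168.1.1 ()'            'Status: Up' \
        'Host: 192.168.1.1 ()'            'Ports: 80/open/tcp//http///' \
        'Host: 192.168.1.7 (openwrt.lan)' 'Status: Up' \
        'Host: 192.168.1.7 (openwrt.lan)' 'Ports: 80/closed/tcp//http///' \
        'Host: 192.168.1.20 ()'           'Status: Up' \
        'Host: 192.168.1.20 ()'           'Ports: 22/open/tcp//ssh///, 80/filtered/tcp//http///' \
        'Host: 192.168.1.30 ()'           'Status: Up' \
        'Host: 192.168.1.30 ()'           'Ports: 22/closed/tcp//ssh///, 80/open/tcp//http///'
}

# Print the IP of every host whose TCP port $1 is in state "open".
# Each Ports entry is port/state/protocol/owner/service/rpcinfo/version/.
hosts_with_open_port() {
    awk -F '\t' -v port="$1" '
        /^Host: / {
            split($1, host, " ")                 # host[2] is the IP address
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[1] == port && f[2] == "open" && f[3] == "tcp")
                        print host[2]
                }
            }
        }'
}

# The slide's filter, for comparison: counts every line containing "open".
naive_open_lines() { grep -c open; }

sample_scan | hosts_with_open_port 80    # 192.168.1.1 and 192.168.1.30
```

On the constructed sample the naive filter matches five lines, while only two hosts actually have port 80 open.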