gunadarma workshop security

Ethical Hacking With Kali Linux Workshop

Author: rungga-reksya-sabilillah

Post on 20-Mar-2017


  • Ethical Hacking With Kali Linux Workshop

  • I'm so Happy to Learn Hacking

  • Who Am I? Rungga Reksya Sabilillah

    rungga_reksya

    Teacher of TIK SDIT (2007)
    Assistant IT Lab (2008-2009)
    IT Support
    IT Auditor at Conventional Bank
    IT Auditor at Islamic Bank
    Security and Infrastructure Auditor at Media
    IT Consultant

    Certified Risk Management 1st / BSMR (2010)
    Certified Ethical Hacking / CEH (2013)
    Lead Auditor ISO 27001 (2013)
    Lead Auditor ISO 20000 (2014)
    Security Analyst / ECSA (2015)
    Security Certified Professional / OSCP (2015)
    Certified Network Defender / CND (2016)
    Lead Auditor ISO 22301 (2017)

    S1 Teknik Informatika (2005-2009)
    S2 Manajemen Sistem Informasi (2011-2013)

    Wushu Athlete at PORDA II Banten (2006)
    Leader of Wushu Gunadarma (2007-2008)

  • Favorite Operating Systems of Hackers (2017 list)

    https://techlog360.com/top-15-favourite-operating-systems-of-hackers/

    Kali Linux
    It was developed by Mati Aharoni and Devon Kearns of Offensive Security through the rewrite of BackTrack, their previous forensics Linux distribution based on Ubuntu.

    Backbox Linux
    BackBox is an Ubuntu-based Linux distribution oriented towards penetration testing and security assessment, providing a network and information systems analysis toolkit. The BackBox desktop environment includes a complete set of tools required for ethical hacking and security testing.

    Parrot Security OS
    Parrot Security OS (or ParrotSec) is a GNU/Linux distribution based on Debian. It has been developed by the Frozenbox Team.

  • Favorite Operating Systems of Hackers (2017 list)

    Live Hacking OS
    Live Hacking OS is a Linux distribution packed with tools and utilities for ethical hacking, penetration testing and countermeasure verification. It includes the GNOME graphical user interface built in.

    Bugtraq
    Bugtraq is an electronic mailing list dedicated to issues about computer security. The Bugtraq team consists of experienced freaks and developers. It is available on Debian, Ubuntu and OpenSuSe, in 32- and 64-bit architectures.

    Dracos Linux
    Dracos Linux is an open source operating system built for penetration testing. It is packed with a ton of pentest tools, including information gathering, forensics, malware analysis, maintaining access, and reverse engineering.

  • Introduction

  • Incident Classification Patterns (2015 Data Breach Investigations Report)

    Percentage (blue bar) and count of breaches per pattern. The gray line represents the percentage of breaches from the 2015 DBIR. (n=2,260)

    40% Web App Attacks
    23% POS Intrusions

    Top 10 threat action varieties within Web App Attack breaches (n=879):
    831  Hacking - Use of stolen credential
    817  Social - Phishing
    817  Hacking - Use of backdoor or C2
    812  Malware - Spyware / Key logger

  • Birth and Rebirth of a Data Breach (PERSON)

    Having an understanding of how patterns complement each other can help direct your efforts as to what to prioritize your limited resources against.

    Diagram labels: Phishing Email; Link; Email Attachment; User Desktop; Malware Installation; Alter Behavior

  • Birth and Rebirth of a Data Breach (POS)

    Having an understanding of how patterns complement each other can help direct your efforts as to what to prioritize your limited resources against.

    Diagram labels: Payment; POS Terminal; Steal Credential; Use of Stolen Credential; Direct Install Malware; Backdoor, Export Data

  • Three Critical Components of Information Security

    The CIA triad:
    Confidentiality
    Integrity
    Availability

  • Information Security Looks Like Football

    Formation = Framework: ISO/IEC 27001, NIST SP 800 (Computer Security), PCI DSS, HIPAA, ISMF

    GK-Defender: Sysadmin, Network, Firewall, SIEM, etc.
    Midfielder: InfoSec Officer, Risk Management Internal, Compliance, etc.
    Striker: InfoSec Consultant, Pentester, etc.
    Coach: Top Management, CISO
    Supporters: Stakeholders

  • Critical Components of ITSM

    Four ITSM components that need to be integrated with the ISMS:

    People: Information Security Awareness (Annex 7.2.2), etc.
    Process: Information Security Policies (Annex 5); Segregation of Duties (Annex 6.1.2), etc.
    Product: Technical Vulnerability Management (Annex 12.6), etc.
    Supplier: Supplier Relationships (Annex 15), etc.

  • Penetration Testing Methodologies and Standards

    http://resources.infosecinstitute.com/penetration-testing-methodologies-and-standards/

    Pre-engagement Interactions
    Intelligence Gathering
    Threat Modeling and Vulnerability Analysis
    Exploitation
    Reporting
    -> SUCCESSFUL RESULT

  • Penetration Testing Methodologies and Standards

    Penetration testing approaches: Black Box, White Box, Gray Box

  • Penetration Testing Frameworks

    WASC: Web Application Security Consortium Threat Classification
    OSSTMM: Open Source Security Testing Methodology Manual
    OWASP: Open Web Application Security Project Testing Guide

  • The Open Web Application Security Project

    OWASP Top 10 2010 (old)                                 OWASP Top 10 2013 (new)
    2010-A1  Injection                                      2013-A1  Injection
    2010-A2  Cross Site Scripting (XSS)                     2013-A2  Broken Authentication and Session Management
    2010-A3  Broken Authentication and Session Management   2013-A3  Cross Site Scripting (XSS)
    2010-A4  Insecure Direct Object References              2013-A4  Insecure Direct Object References
    2010-A5  Cross Site Request Forgery (CSRF)              2013-A5  Security Misconfiguration
    2010-A6  Security Misconfiguration                      2013-A6  Sensitive Data Exposure
    2010-A7  Insecure Cryptographic Storage                 2013-A7  Missing Function Level Access Control
    2010-A8  Failure to Restrict URL Access                 2013-A8  Cross-Site Request Forgery (CSRF)
    2010-A9  Insufficient Transport Layer Protection        2013-A9  Using Known Vulnerable Components (NEW)
    2010-A10 Unvalidated Redirects and Forwards (NEW)       2013-A10 Unvalidated Redirects and Forwards

    3 primary changes:
    - Merged: 2010-A7 and 2010-A9 -> 2013-A6
    - Added new 2013-A9: Using Known Vulnerable Components
    - 2010-A8 broadened to 2013-A7

  • Exploit Database

    36845 exploits archived, 82454 CVE IDs, 3000 modules on Metasploit, etc.

    1. Exploit DB: https://www.exploit-db.com
    2. Packet Storm: https://packetstormsecurity.com
    3. Common Vulnerabilities & Exposures: https://cve.mitre.org
    4. Rapid 7: https://www.rapid7.com/db/modules

  • Bug Bounty Programs

    Bug Crowd: https://bugcrowd.com
    Bug Sheet: http://bugsheet.com
    Hacker One: https://hackerone.com
    Fire Bounty: https://firebounty.com
    Bounty Factory: https://bountyfactory.io
    Open Bug Bounty: https://www.openbugbounty.org

  • Information Gathering: The Object of Penetration Testing

    Information Gathering -> Target Discovery -> Enumerating Target -> Vulnerability Mapping


  • Concept of Takeover System

    Diagram labels: SQL Injection; XSS; Phishing; Login to MySQL; Login to APP; Make Form Upload; Upload File; SHELL; PWN SVR

  • Port States

    1. Open: This indicates that an application is listening for connections on this port.
    2. Closed: This indicates that the probes were received but there is no application listening on this port.
    3. Filtered: This indicates that the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.
    4. Unfiltered: This indicates that the probes were received but a state could not be established.
    5. Open/Filtered: This indicates that the port was filtered or open but Nmap couldn't establish the state.
    6. Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn't establish the state.

  • NMAP Features

    Host Discovery
    Service/Version Detection
    Operating System Detection
    Network Traceroute
    Nmap Script Engine

    Fingerprinting services of a remote host.

    Diagram: Pentester (10.0.0.10) -> Target (192.168.1.0/24)

  • How it Works

    Service Detection
    Service detection is one of the most loved features of Nmap, as it's very useful in many situations such as identifying security vulnerabilities or making sure a service is running on a given port.
      # nmap -sV --version-intensity 9

    Aggressive Detection
    Nmap has a special flag to activate aggressive detection, namely -A. Aggressive mode enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).
      # nmap -A
      # nmap -sC -sV -O

    Finding Live Hosts
    Finding live hosts in a network is often used by penetration testers to enumerate active targets, and by system administrators to count or monitor the number of active hosts.
      # nmap -sP 192.168.1.1/24

    NSE Scripts
    Ping scanning does not perform port scanning or service detection, but the Nmap Scripting Engine can be enabled for scripts depending on host rules, such as sniffer-detect and dns-brute.
      # nmap -sP --script discovery 192.168.1.1/24
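The port-state list and the service-detection commands above are the raw material a defender gets back from the same scan. As an added example (not code from the workshop slides), the Python script below parses the port lines of an `nmap -sV` normal-output report into the six Nmap states, tallies them, and flags any port that is open, or possibly open (`open|filtered`), yet absent from an approved baseline for that host. The scan report, the host address and the baseline are constructed for the example.

```python
"""Classify Nmap port states and flag open ports missing from an approved baseline.

Added example for the workshop notes; not code from the slides. The scan report,
host address and baseline below are constructed to look like `nmap -sV` normal
output for a single lab host.
"""
import re
from collections import Counter

# Constructed sample report (not a real scan).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.2
Host is up (0.00042s latency).
Not shown: 993 closed ports
PORT     STATE         SERVICE      VERSION
21/tcp   open          ftp          vsftpd 3.0.3
22/tcp   open          ssh          OpenSSH 7.4
80/tcp   open          http         Apache httpd 2.4.6
135/tcp  filtered      msrpc
445/tcp  filtered      microsoft-ds
3306/tcp open          mysql        MySQL 5.7.21
8080/tcp open|filtered http-proxy
"""

# Constructed baseline: the only ports this host is approved to expose.
BASELINE = {(22, "tcp"), (80, "tcp")}

# The six states Nmap reports. The two compound states mean the scan could
# not tell which of the two plain states applies.
PORT_STATES = {"open", "closed", "filtered", "unfiltered",
               "open|filtered", "closed|filtered"}

# One port line: "<port>/<proto>  <state>  <service>  [<version>]".
# Compound states come first so the alternation does not stop at "open".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)


def parse_ports(report):
    """Return a list of dicts, one per port line; header and summary lines are skipped."""
    ports = []
    for line in report.splitlines():
        match = PORT_LINE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["port"] = int(rec["port"])
        rec["version"] = rec["version"] or ""
        ports.append(rec)
    return ports


def count_states(ports):
    """Tally how many ports fall into each of the six Nmap states."""
    return Counter(p["state"] for p in ports)


def unexpected_open(ports, baseline):
    """Ports that are open, or possibly open, and not in the approved baseline.

    `open|filtered` is included deliberately: "could not rule out open" is
    something to verify, not to ignore.
    """
    return sorted(
        (p["port"], p["proto"])
        for p in ports
        if p["state"] in ("open", "open|filtered")
        and (p["port"], p["proto"]) not in baseline
    )


if __name__ == "__main__":
    found = parse_ports(SAMPLE_SCAN)
    print("state counts:", dict(count_states(found)))
    for port, proto in unexpected_open(found, BASELINE):
        print(f"unexpected: {port}/{proto}")
```

Run against the constructed report, the script reports 21/tcp, 3306/tcp and 8080/tcp as unexpected; the same parser works on a saved `nmap -sV` report read from a file, so a baseline check can be re-run after every scan.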

  • Common Port Services

    21    ftp
    22    ssh
    23    telnet
    25    smtp
    53    domain
    80    http
    445   smb
    1433  mssql
    3306  mysql
    3389  remote
    5432  postgresql
    8009  ajp13
    8080  tomcat

  • Hash Identification

    Password Hash Hacking: Online 90%


  • Cheat Sheet

    NIKTO
      # nikto -h [url]

    NMAP
      # nmap -sV ip_target

    SEARCHSPLOIT
      # searchsploit target_name

    MIMIKATZ
      # log
      # privilege::debug
      # sekurlsa::logonpasswords

    CREATE USER
      # net user hacker [password] /add
      # net localgroup administrators hacker /add

    BASE64 DECODE
      # echo pastecodebase64 | base64 -d

  • Case Study

    Turn on your VM:
    - Target: 192.168.1.2
    - Kali Linux: 192.168.1.3 (root::toor)

    NIKTO -> SEARCHSPLOIT -> PHPMYADMIN -> SHELL -> NET USER -> DUMP

  • So You Want to be a Penetration Tester

    Feeling
    Untiring
    Out of the Box
    Experience
    Lucky

  • Any Questions for Us?