WTF is Penetration Testing
out of 16
Post on 09-Jun-2015
DESCRIPTIONWTF is Penetration Testing
<ul><li> 1. WTF IS PENETRATION TESTING?AN OVERVIEW OF WHO, WHAT, WHERE, WHEN, AND WHYAKHIL.. </li></ul> <p> 2. Presentation Overview WHAT IS A PEN TEST? WHY DO COMPANIES PEN TEST? WHO DOES PEN TESTING? WHAT SKILLS ARE REQUIRED?NON TECHNICAL SKILLSETBASIC TECHNICAL SKILLSETOFFENSIVE AND DEFENSIVE KNOWLEDGE WHAT ARE SOME COMMON TOOLS? PEN TESTING AS A CAREER ATTACK DEMO: SQL INJECT WORLD QUESTIONS 3. What is Penetration Testing?Our Definition:The process of evaluating systems, applications, and protocolswith the intent of identifying vulnerabilities from the perspective of an unprivileged or anonymous user to determine the real-world impactlegally and under contract 4. Why do Companies Pen Test?Compliance RequirementsValidate Existing ControlsIdentify Unknown Security GapsPrioritize Existing Security InitiativesPrevent Data BreachesTest IDS / IPS / IRP 5. What are the Technical Objectives?Client specific objectives firstIdentify and verify all entry pointsIdentify critical escalation pointsGain unauthorized access to:Application functionalityCritical systemsSensitive data 6. Assessment VS. Penetration :Vulnerability Assessment and Penetration Testing Answer:-What are my system layer vulnerabilities?Where are my system layer vulnerabilities?How wide spread are my system layer vulnerabilities?Can I identify attacks?How do I fix my vulnerabilities? 7. Assessment VS. PenetrationPenetration Testing Answers:What are my high impact network layer issues?What are my high impact application layer issues?Can an attacker gain unauthorized access to: critical infrastructure that provides privileged access or cause service disruptions critical application functionality that the business depends on sensitive data that the business would be required to report on if a breach occursCan an attacker bypass our IPS / WAF?Can an attacker pivot from environment A to environment B? 8. Common Penetration Test Approach Kickoff: Scope, cost, testing windows, risks etc Information Gathering Vulnerability Enumeration Penetration Escalation Evidence Gathering (Pilfering) Clean up Report Creation Report Delivery and Review Remediation 9. Rules of EngagementHave fun, butHack Responsibly!Written permissionStay in scopeNo DoSDont change major stateRestore stateClear communication 10. What Skills are Needed?Non TechnicalBasic TechnicalOffensiveDefensiveCommon Tools 11. Non Technical SkillsetWritten and Verbal CommunicationsEmails/phone callsReport developmentSmall and large group presentationsProfessionalismRespecting others, setting, and meeting expectationsTroubleshooting MindsetNever give up, never surrenderWhere there is a will, there is a wayEthicsDont do bad thingsPros (career) vs. Cons (jail)Hack responsibly 12. Basic Technical SkillsetWindows Desktop AdministrationWindows Domain AdministrationLinux and Unix AdministrationNetwork Infrastructure AdministrationApplication DevelopmentScripting (Ruby, Python, PHP, Bash, PS, Batch)Managed languages (.Net, Java, Davlik)Unmanaged languages (C, C++) 13. Offensive and Defensive KnowledgeSystem enumeration and service fingerprintingLinux system exploitation and escalationWindows system exploitation and escalationNetwork system exploitation and escalationProtocol exploitationWeb application exploitation (OWASP)Reverse engineering client-server applications + AV EvasionSocial engineering techniques (onsite, phone, email) 14. Common Tools Knowledge > ToolsUnderstand the core technologiesUnderstand the core offensive techniquesUnderstand the core defensive techniquesNetwork Penetration TestingBT, CAIN, YERSINIA, NCAT, NMAP, NESSUS,NEXPOSE, WCE, MIMIKATZ, AirCrack-ng,METASPLOIT and NATIVE TOOLS!Application Penetration TestingBURP, ZAP, NIKTO, DIRBUSTER, SQLMAP, SQLNinja, and BEEF. and commercial tools 15. Pen Testing as a Career:Common PathsInternal PathsHelp DeskIT SupportIT AdminSecurity AnalystSenior Security AnalystInternal ConsultantCISOSecurity Consulting PathsInternshipConsultantSenior ConsultantPrinciple ConsultantTeam LeadDirector Security>Consultants often end up in malware research or exploit development, but some go corporate.>Internal employees often stay internal. 16. BE SAFE and HACK RESPONSIBLYQuestions,comments, curses?</p>
View more >
Penetration Testing and Its Methodologies - ?· Penetration Testing and Its Methodologies By Bhashit Pandya Web Security Researcher Penetration Testing and Methodologies is licensed under a
Automated Penetration Testing with the Metasploit Penetration Testing with the Metasploit Framework Topics What makes a good penetration testing framework? Frameworks available What is the Metasploit ...
Penetration testing - TÜV SÜD America Website ?· What is penetration testing? ... carry out an on-site…
Android Based Penetration Testing Framework - nbsp;· Android Based Penetration Testing Framework. This work is licensed under the Creative Commons ... Penetration Testing tools
Penetration testing highlight report Restricted - ?· Penetration testing highlight report . Restricted…
Custom Penetration Testing - SANS Sims - Custom... · Advanced Penetration Testing - 2009 SANS 3 What is Penetration Testing? • Process of testing a target environment for weaknesses –More thorough than vulnerability
Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.
Using penetration testing to enhance your company's penetration testing... · Using penetration testing…
Penetration Testing - Brown University ?· Penetration Testing 12/7/2010 Penetration Testing 1 What Is a Penetration Testing? • Testing the security of systems and architectures from the point of view of an
PENETRATION TESTING - Perspective Risk nbsp;· A PROVIDER OF PENETRATION TESTING SERVICES? ... Invariably, penetration testing means that the penetration testers will
viewComparing Security Audit, Vulnerability Assessment, and Penetration Testing Blue Teaming/Red Teaming Types of Penetration Testing Phases of Penetration Testing Security Testing Methodology Penetration Testing ISO/IEC ...
Writing a Penetration Testing Report - Abaxio ?· (Sample Penetration Testing Report Black Box Penetration…
Penetration Testing - ?· Penetration Testing – Methodology Layer 1 – Reconnaissance ... What is a Penetration Assessment? Elimination of False Positives