SlideShare una empresa de Scribd logo

Pen test for sys admin

S
sussurro
Tecnología
1 de 14
Descargar para leer sin conexión
Penetration Testing for System Administrators Sept 13, 2010 ryan Linn NCSA Meeting Thursday, September 23, 2010
Agenda • Introduction • Description of Penetration Testing • Overview of Process • Walkthrough of Common Tasks • Questions/Closing Thursday, September 23, 2010
Introduction • Information Security Engineer at SAS • Columnist at EthicalHacker.net • Contributed code to Metasploit, Browser Exploitation Framework (BeEF), and Nikto • Spoken at numerous regional and national security conferences Thursday, September 23, 2010
Description of Pen Testing • Means different things to different people • Find vulnerabilities and stop • Find vulnerabilities and verify • Find vulnerabilities and see how far you can get • For today: Find vulnerabilities and verify Thursday, September 23, 2010
Overview of Process • Recon • Discovery/Scanning • Enumeration • Exploitation Thursday, September 23, 2010
Recon • Non Invasive • Whois • Google • Basic DNS Queries Thursday, September 23, 2010
Discovery/Scanning • Port Scans • In-depth DNS queries • Vulnerability Scanning • OS Identification Thursday, September 23, 2010
Enumeration • SMB enumeration • Oracle DB Enumeration • User enumeration Thursday, September 23, 2010
Exploitation • Leverage information gathered • Verify vulnerability information • Possibly go back to gather more information if successful Thursday, September 23, 2010
Walkthroughs • Recon • Scanning • Exploitation Thursday, September 23, 2010
Scanning • Nmap Scans • Port/Service/OS Identification • Nessus/OpenVAS • Vulnerability Scanner • Safe Checks/Unsafe Checks Thursday, September 23, 2010
Exploitation/ Verification • Metasploit • Penetration Testing Framework • Aids in Exploit Development • Exploitation of Vulnerability • Also has scanning capability Thursday, September 23, 2010
Docs/Training • SANS Sec504 : Incident Handling • SANS Sec580: Metasploit Kung Fu for Enterprise Pen Testing • http://www.offensive-security.com/ metasploit-unleashed • http://www.EthicalHacker.net Thursday, September 23, 2010
Questions? • Contact Info: • Twitter: @sussurro • Blog: blog.happypacket.net • http://www.ethicalhacker.net Thursday, September 23, 2010

Recomendados

OPOA in Action -- 使用MagixJS简化WebAPP开发
OPOA in Action -- 使用MagixJS简化WebAPP开发OPOA in Action -- 使用MagixJS简化WebAPP开发
OPOA in Action -- 使用MagixJS简化WebAPP开发
leneli
 
SLT Times Single Stock Futures
SLT Times Single Stock FuturesSLT Times Single Stock Futures
SLT Times Single Stock Futures
nico9111
 
Ravi project
Ravi projectRavi project
Ravi project
gary6h
 
广告投放代码和创意代码持续优化
广告投放代码和创意代码持续优化广告投放代码和创意代码持续优化
广告投放代码和创意代码持续优化
leneli
 
Zs social media
Zs social mediaZs social media
Zs social media
Wael Albassam
 
Water molecules2
Water molecules2Water molecules2
Water molecules2
gary6h
 
D2-ETao-show
D2-ETao-showD2-ETao-show
D2-ETao-show
leneli
 
Conflict Management Style
Conflict Management StyleConflict Management Style
Conflict Management Style
Yvette Mong-Batar
 

Recomendados

OPOA in Action -- 使用MagixJS简化WebAPP开发
OPOA in Action -- 使用MagixJS简化WebAPP开发OPOA in Action -- 使用MagixJS简化WebAPP开发
OPOA in Action -- 使用MagixJS简化WebAPP开发
leneli
 
SLT Times Single Stock Futures
SLT Times Single Stock FuturesSLT Times Single Stock Futures
SLT Times Single Stock Futures
nico9111
 
Ravi project
Ravi projectRavi project
Ravi project
gary6h
 
广告投放代码和创意代码持续优化
广告投放代码和创意代码持续优化广告投放代码和创意代码持续优化
广告投放代码和创意代码持续优化
leneli
 
Zs social media
Zs social mediaZs social media
Zs social media
Wael Albassam
 
Water molecules2
Water molecules2Water molecules2
Water molecules2
gary6h
 
D2-ETao-show
D2-ETao-showD2-ETao-show
D2-ETao-show
leneli
 
Conflict Management Style
Conflict Management StyleConflict Management Style
Conflict Management Style
Yvette Mong-Batar
 
Zs social media
Zs social mediaZs social media
Zs social media
Wael Albassam
 
Adoption Announcement
Adoption AnnouncementAdoption Announcement
Adoption Announcement
cltipton
 
TBAD F2E 2010 review
TBAD F2E 2010 reviewTBAD F2E 2010 review
TBAD F2E 2010 review
leneli
 
第三方广告代码稳定性和性能优化实战
第三方广告代码稳定性和性能优化实战第三方广告代码稳定性和性能优化实战
第三方广告代码稳定性和性能优化实战
leneli
 
Zs social media
Zs social mediaZs social media
Zs social media
Wael Albassam
 
How ZI Created a Successful HR Framework
How ZI Created a Successful HR FrameworkHow ZI Created a Successful HR Framework
How ZI Created a Successful HR Framework
Wael Albassam
 
After Yahoo 34 Rules -- 网站性能优化新进展
After Yahoo 34 Rules -- 网站性能优化新进展After Yahoo 34 Rules -- 网站性能优化新进展
After Yahoo 34 Rules -- 网站性能优化新进展
leneli
 
使用kslite支持第三方内容开发
使用kslite支持第三方内容开发使用kslite支持第三方内容开发
使用kslite支持第三方内容开发
leneli
 
Multi-Player Metasploit: Tag Team Pen Testing and Reporting
Multi-Player Metasploit: Tag Team Pen Testing and ReportingMulti-Player Metasploit: Tag Team Pen Testing and Reporting
Multi-Player Metasploit: Tag Team Pen Testing and Reporting
sussurro
 
Drupal security - Configuration and process
Drupal security - Configuration and processDrupal security - Configuration and process
Drupal security - Configuration and process
Gábor Hojtsy
 
Oc Cloud Obscurity
Oc Cloud ObscurityOc Cloud Obscurity
Oc Cloud Obscurity
Skills Matter
 
Availability, the Cloud and Everything
Availability, the Cloud and EverythingAvailability, the Cloud and Everything
Availability, the Cloud and Everything
logicalstack
 
Mobile, Media & Touch
Mobile, Media & TouchMobile, Media & Touch
Mobile, Media & Touch
Tim Wright
 
Yet Another Replication Tool: RubyRep
Yet Another Replication Tool: RubyRepYet Another Replication Tool: RubyRep
Yet Another Replication Tool: RubyRep
Denish Patel
 
Drupal Distributions: The Dos and Don'ts:
Drupal Distributions: The Dos and Don'ts:Drupal Distributions: The Dos and Don'ts:
Drupal Distributions: The Dos and Don'ts:
Development Seed
 
ScaleCamp 2009 - Last.fm vs Xbox
ScaleCamp 2009 - Last.fm vs XboxScaleCamp 2009 - Last.fm vs Xbox
ScaleCamp 2009 - Last.fm vs Xbox
davidsingleton
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
SecurityMetrics
 
MongoDB is the new MySQL
MongoDB is the new MySQLMongoDB is the new MySQL
MongoDB is the new MySQL
radamanthus
 
20100423sage
20100423sage20100423sage
20100423sage
Jeff Hammerbacher
 
No sql findings
No sql findingsNo sql findings
No sql findings
Christian van der Leeden
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
Zilliz
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
 

Más contenido relacionado

Destacado

Adoption Announcement
Adoption AnnouncementAdoption Announcement
Adoption Announcement
cltipton
 
第三方广告代码稳定性和性能优化实战
第三方广告代码稳定性和性能优化实战第三方广告代码稳定性和性能优化实战
第三方广告代码稳定性和性能优化实战
leneli
 
使用kslite支持第三方内容开发
使用kslite支持第三方内容开发使用kslite支持第三方内容开发
使用kslite支持第三方内容开发
leneli
 

Destacado (9)

Zs social media
Zs social mediaZs social media
Zs social media
 
Adoption Announcement
Adoption AnnouncementAdoption Announcement
Adoption Announcement
 
TBAD F2E 2010 review
TBAD F2E 2010 reviewTBAD F2E 2010 review
TBAD F2E 2010 review
 
第三方广告代码稳定性和性能优化实战
第三方广告代码稳定性和性能优化实战第三方广告代码稳定性和性能优化实战
第三方广告代码稳定性和性能优化实战
 
Zs social media
Zs social mediaZs social media
Zs social media
 
How ZI Created a Successful HR Framework
How ZI Created a Successful HR FrameworkHow ZI Created a Successful HR Framework
How ZI Created a Successful HR Framework
 
After Yahoo 34 Rules -- 网站性能优化新进展
After Yahoo 34 Rules -- 网站性能优化新进展After Yahoo 34 Rules -- 网站性能优化新进展
After Yahoo 34 Rules -- 网站性能优化新进展
 
使用kslite支持第三方内容开发
使用kslite支持第三方内容开发使用kslite支持第三方内容开发
使用kslite支持第三方内容开发
 
Multi-Player Metasploit: Tag Team Pen Testing and Reporting
Multi-Player Metasploit: Tag Team Pen Testing and ReportingMulti-Player Metasploit: Tag Team Pen Testing and Reporting
Multi-Player Metasploit: Tag Team Pen Testing and Reporting
 

Similar a Pen test for sys admin

Availability, the Cloud and Everything
Availability, the Cloud and EverythingAvailability, the Cloud and Everything
Availability, the Cloud and Everything
logicalstack
 
Mobile, Media & Touch
Mobile, Media & TouchMobile, Media & Touch
Mobile, Media & Touch
Tim Wright
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
SecurityMetrics
 

Similar a Pen test for sys admin (11)

Drupal security - Configuration and process
Drupal security - Configuration and processDrupal security - Configuration and process
Drupal security - Configuration and process
 
Oc Cloud Obscurity
Oc Cloud ObscurityOc Cloud Obscurity
Oc Cloud Obscurity
 
Availability, the Cloud and Everything
Availability, the Cloud and EverythingAvailability, the Cloud and Everything
Availability, the Cloud and Everything
 
Mobile, Media & Touch
Mobile, Media & TouchMobile, Media & Touch
Mobile, Media & Touch
 
Yet Another Replication Tool: RubyRep
Yet Another Replication Tool: RubyRepYet Another Replication Tool: RubyRep
Yet Another Replication Tool: RubyRep
 
Drupal Distributions: The Dos and Don'ts:
Drupal Distributions: The Dos and Don'ts:Drupal Distributions: The Dos and Don'ts:
Drupal Distributions: The Dos and Don'ts:
 
ScaleCamp 2009 - Last.fm vs Xbox
ScaleCamp 2009 - Last.fm vs XboxScaleCamp 2009 - Last.fm vs Xbox
ScaleCamp 2009 - Last.fm vs Xbox
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
 
MongoDB is the new MySQL
MongoDB is the new MySQLMongoDB is the new MySQL
MongoDB is the new MySQL
 
20100423sage
20100423sage20100423sage
20100423sage
 
No sql findings
No sql findingsNo sql findings
No sql findings
 

Último

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Pen test for sys admin

  • 1. Penetration Testing for System Administrators Sept 13, 2010 ryan Linn NCSA Meeting Thursday, September 23, 2010
  • 2. Agenda • Introduction • Description of Penetration Testing • Overview of Process • Walkthrough of Common Tasks • Questions/Closing Thursday, September 23, 2010
  • 3. Introduction • Information Security Engineer at SAS • Columnist at EthicalHacker.net • Contributed code to Metasploit, Browser Exploitation Framework (BeEF), and Nikto • Spoken at numerous regional and national security conferences Thursday, September 23, 2010
  • 4. Description of Pen Testing • Means different things to different people • Find vulnerabilities and stop • Find vulnerabilities and verify • Find vulnerabilities and see how far you can get • For today: Find vulnerabilities and verify Thursday, September 23, 2010
  • 5. Overview of Process • Recon • Discovery/Scanning • Enumeration • Exploitation Thursday, September 23, 2010
  • 6. Recon • Non Invasive • Whois • Google • Basic DNS Queries Thursday, September 23, 2010
  • 7. Discovery/Scanning • Port Scans • In-depth DNS queries • Vulnerability Scanning • OS Identification Thursday, September 23, 2010
  • 8. Enumeration • SMB enumeration • Oracle DB Enumeration • User enumeration Thursday, September 23, 2010
  • 9. Exploitation • Leverage information gathered • Verify vulnerability information • Possibly go back to gather more information if successful Thursday, September 23, 2010
  • 10. Walkthroughs • Recon • Scanning • Exploitation Thursday, September 23, 2010
  • 11. Scanning • Nmap Scans • Port/Service/OS Identification • Nessus/OpenVAS • Vulnerability Scanner • Safe Checks/Unsafe Checks Thursday, September 23, 2010
  • 12. Exploitation/ Verification • Metasploit • Penetration Testing Framework • Aids in Exploit Development • Exploitation of Vulnerability • Also has scanning capability Thursday, September 23, 2010
  • 13. Docs/Training • SANS Sec504 : Incident Handling • SANS Sec580: Metasploit Kung Fu for Enterprise Pen Testing • http://www.offensive-security.com/ metasploit-unleashed • http://www.EthicalHacker.net Thursday, September 23, 2010
  • 14. Questions? • Contact Info: • Twitter: @sussurro • Blog: blog.happypacket.net • http://www.ethicalhacker.net Thursday, September 23, 2010