Penetration Testing Karen Miller.


Purpose
- Using a variety of tools and resources,
- while acting as an attacker,
- in order to test an organization’s defenses.

Steps
1. Define your scope and goal: why are you performing the penetration test?
2. Reconnaissance: gather information on the target (open ports, operating system, IP addresses, etc.)
3. Enumeration: use the gathered information to identify potential entry points
4. Vulnerability scanning/exploitation: discover and exploit vulnerabilities
5. Report findings, including possible methods of strengthening defenses

Vulnerability Scanning
- Finding weaknesses in computers, networks, and applications,
- to find possible methods of strengthening the system,
- or to exploit the system in order to gain more information about weaknesses.

Vulnerability Scanning Tools
- Nessus: network vulnerability scanner (Linux, OSX, Windows)
- Nikto: web application security scanner (Linux, OSX, Windows)
- OpenVAS: vulnerability scanning/management tools (Linux, Windows)
- w3af: vulnerability scanner/exploitation tool (Linux, OSX, Windows)

Damn Vulnerable Web Application (DVWA)
- PHP/MySQL web application
- Variety of web app vulnerabilities to test your skills with, e.g. command injection, SQL injection

Nikto

    root@Kali:~# nikto -host http://127.0.0.1/dvwa
    + OSVDB-3268: /dvwa/config/: Directory indexing found.
    + /dvwa/config/: Configuration information may be available remotely.
    + OSVDB-12184: /dvwa/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

Go to http://osvdb.org/ and search for “OSVDB-XXXX” for more information on a vulnerability. For example, http://osvdb.org/show/osvdb/3268 shows details about the OSVDB-3268 vulnerability Nikto detected.
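The Nikto findings above feed the last step of the test, the report. The following is an added example, not part of the original slides: it parses the finding lines, groups them by affected directory, and attaches a remediation note. The banner line in the sample is constructed, and the remediation text and function names are this example's own assumptions.

```python
import re

# Constructed sample: one banner line plus the three findings from the slide.
SAMPLE = """\
+ Target IP: 127.0.0.1
+ OSVDB-3268: /dvwa/config/: Directory indexing found.
+ /dvwa/config/: Configuration information may be available remotely.
+ OSVDB-12184: /dvwa/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
"""

# Remediation notes are assumptions added for this example, not Nikto output.
REMEDIATION = {
    "OSVDB-3268": "Disable directory listings (Apache: Options -Indexes).",
    "OSVDB-12184": "Set expose_php = Off in php.ini.",
}

# "+ [OSVDB-n: ]<path>: <message>"; the reference is optional.
FINDING = re.compile(r"^\+\s+(?:(OSVDB-\d+):\s+)?(/\S*?):\s+(.+)$")

def parse_findings(text):
    """Return one dict per finding line; banner lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING.match(line.strip())
        if m:
            ref, path, message = m.groups()
            findings.append({"ref": ref, "path": path, "message": message})
    return findings

def group_by_path(findings):
    """Group findings by directory, dropping any query string."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["path"].split("?", 1)[0], []).append(f)
    return grouped

def report(text):
    """Render a plain-text findings list with a fix per entry."""
    lines = []
    for directory, items in sorted(group_by_path(parse_findings(text)).items()):
        lines.append(directory)
        for f in items:
            fix = REMEDIATION.get(f["ref"], "Review manually.")
            lines.append(f"  [{f['ref'] or 'no reference'}] {f['message']} -> {fix}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE))
```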

OpenVAS
- You can add targets by going to Configuration > Targets > New Target (star button)
- To set up a scan, go to Scan Management > Tasks > New Task
- Give your scan a name, select a target, and for “Scan Config” select “Full and very deep ultimate”
- Create the task, then hit the green play button to start the scan

Sources
- https://www.sans.org/reading-room/whitepapers/analyst/penetration-testing-assessing-security-attackers-34635
- https://www.sans.org/reading-room/whitepapers/threats/vulnerabilities-vulnerability-scanning-1195
- http://www.geekyshows.com/2013/08/how-to-install-dvwa-in-kali-linux.html
- https://uwnthesis.wordpress.com/2013/08/31/kali-openvas-vulnerability-scanner-how-to-use-openvas-on-kali-debian-linux/