Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.

Slides:



Advertisements
Similar presentations
ETHICAL HACKING.
Advertisements

Assessments, Audits, and Penetration Tests, Oh My Ira Winkler, CISSP
Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.
I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
System Security Scanning and Discovery Chapter 14.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Hands-On Ethical Hacking and Network Defense
CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.
Network Security Testing Techniques Presented By:- Sachin Vador.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
Reconnaissance Steps. EC-Council Gathering information from Open Sources  Owner of IP-address range  Address Range  Domain Names  Computing Platforms.
Computer Security and Penetration Testing
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.
1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.
Network Security With nmap By *** *****. Installing nmap netlab-2# cd /usr/ports/security/nmap netlab-2# make install all.
Firewall Auditing Sean K. Lowder CISSP / MCSE / CCNA
Penetration Testing.
Mapping The Penetration Tester’s Mind 0 to Root in 60 Min #MappingThePenTestersMind 1.
Sam Cook April 18, Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.
Performing a Penetration Test.  Penetration Tester  Attempts to reveal potential consequences of a real attack  Security Audit / Vulnerability Assessment.
Team BAM! Scott Amack, Everett Bloch, Maxine Major.
Information Systems Security Computer System Life Cycle Security.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Attack Lifecycle Many attacks against information systems follow a standard lifecycle: –Stage 1: Info. gathering (reconnaissance) –Stage 2: Penetration.
CIS 450 – Network Security Chapter 3 – Information Gathering.
End-to-End Methodology. Testing Phases  Reconnaissance  Mapping  Discovery  Exploitation  Repeat…  Report.
DIYTP Assessing a System - Basics  Why?  Vulnerabilities  What to look at:  The six ‘P’s  Patch  Ports  Protect  Policies  Probe  Physical.
Hands on with BackTrack Information gathering, scanning, simple exploits By Edison Carrick.
Ethical Hacking and Network Defense NCTT Winter Workshop January 11, 2006.
# Ethical Hacking. 2 # Ethical Hacking - ? Why – Ethical Hacking ? Ethical Hacking - Process Ethical Hacking – Commandments Reporting.
Network Assessment How intrusion techniques contribute to system/network security Network and system monitoring System mapping Ports, OS, applications.
Assessing a Target System Source: Chapter 3 Computer Security Fundamentals Chuck Easttom Prentice Hall, 2006.
1 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments.
1 Security Penetration Testing Angela Davis Mrinmoy Ghosh ECE4112 – Internetwork Security Georgia Institute of Technology.
Module 3 – Information Gathering  Phase II  Controls Assessment  Scheduling ○ Information Gathering ○ Network Mapping ○ Vulnerability Identification.
Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.
Module 5 – Vulnerability Identification  Phase II  Controls Assessment  Scheduling ○ Information Gathering ○ Network Mapping ○ Vulnerability Identification.
Computer Security Fundamentals by Chuck Easttom Chapter 11 Network Scanning and Vulnerability Scanning.
Footprinting and Scanning
Network Reconnaissance CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University.
Web Security Introduction to Ethical Hacking, Ethics, and Legality.
Ethical Hacking and Network Defense. Contact Information Sam Bowne Sam Bowne Website: samsclass.info Website:
Kali Linux BY BLAZE STERLING. Roadmap  What is Kali Linux  Installing Kali Linux  Included Tools  In depth included tools  Conclusion.
Penetration Testing By Blaze Sterling. Roadmap What is Penetration Testing How is it done? Penetration Testing Tools Kali Linux In depth included tools.
Filip Chytrý Everyone of you in here can help us improve online security....
 Terms:  “Security”: is a system’s ability to provide services while maintaining the five IA pillars  “Attack”: an action that violates one of the.
General Information: This document was created for use in the "Bridges to Computing" project of Brooklyn College. You are invited and encouraged to use.
Modern information gathering Dave van Stein 9 april 2009.
Risk Assessments in Many Flavors George J. Dolicker, CISA, CISSP.
Department of Computer Science Introduction to Information Security Chapter 7 Activity Security Assessment Semester 1.
You can easily passed the GPEN Penetration tester exam by the help of exams4sure.com exams4sure.com Get Complete File From
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Topic 5 Penetration Testing 滲透測試
Enumeration The First Step.
Seminar On Ethical Hacking Submitted To: Submitted By:
Footprinting and Scanning
INDULGENCE There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
Foot Printing / Scanning Tools Lect 4 – NETW 4006
Penetration Testing Karen Miller.
CIT 480: Securing Computer Systems
Footprinting and Scanning
Cert Store Solution is a platform of 100+ IT professionals and having 500+ IT/Security and Academic courses. Cert Store is the Gold and Accredited partner.
2018 Latest Eccouncil Exam Questions Answers - Eccouncil Dumps PDF
Intro to Ethical Hacking
FootPrinting CS391.
Learning objectives By the end of this unit you should: Explain
Computer Security Fundamentals
Metasploit Analysis Report Overview
Analyzing OS Sample Windows 7 image provided by different class
Ethical Hacking ‘Ethical hacking’ is the branch of computer science that involves cybersecurity and preventing cyberattacks. Ethical hackers are not malicious.
Presentation transcript:

Penetration Testing Edmund Whitehead Rayce West

Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing Viewpoints - Phases of Penetration Testing - Reconnaissance and Information Gathering - Network Enumeration and Scanning - Vulnerability Testing and Exploitation - Reporting - How to become a Penetration Tester

Penetration Testing Definition of Penetration Testing: - A penetration test or pentest is a test evaluating the strengths of all security controls on the computer system. Penetration tests evaluate procedural and operational controls as well as technological controls.

Who needs Penetration Testing - Banks/Financial Institutions, Government Organizations, Online Vendors, or any organization processing and storing private information - Most certifications require or recommend that penetration tests be performed on a regular basis to ensure the security of the system. - PCI Data Security Standard's Section 11.3 requires organizations to perform application and penetration tests at least once a year. - HIPAA Security Rule's section 8 of the Administrative Safeguards requires security process audits, periodic vulnerability analysis and penetration testing.

Penetration Testing Viewpoints -External vs. Internal Penetration Testing can be performed from the viewpoint of an external attacker or a malicious employee. - Overt vs. Covert Penetration Testing can be performed with or without the knowledge of the IT department of the company being tested.

Phases of Penetration Testing - Reconnaissance and Information Gathering - Network Enumeration and Scanning - Vulnerability Testing and Exploitation - Reporting

Reconnaissance and Information Gathering Purpose: To discover as much information about a target (individual or organization) as possible without actually making network contact with said target. Methods: Organization info discovery via WHOIS Google search Website browsing

WHOIS Results for Domain Name: CLEMSON.EDU Registrant: Clemson University 340 Computer Ct Anderson, SC UNITED STATES Administrative Contact: Network Operations Center Clemson University 340 Computer Court Anderson, SC UNITED STATES (864) Technical Contact: Mike S. Marshall DNS Admin Clemson University 340 Computer Court Anderson, SC UNITED STATES (864) Name Servers: EXTNS1.CLEMSON.EDU EXTNS2.CLEMSON.EDU EXTNS3.CLEMSON.EDU

Network Enumeration and Scanning Purpose: To discover existing networks owned by a target as well as live hosts and services running on those hosts. Methods: Scanning programs that identify live hosts, open ports, services, and other info (Nmap, autoscan) DNS Querying Route analysis (traceroute)

NMap Results nmap -sS Starting Nmap 4.01 at :23 BST 4 Interesting ports on chaos ( ): 5 (The 1668 ports scanned but not shown below are in state: closed) 6 PORT STATE SERVICE 7 21/tcp open ftp 8 22/tcp open ssh 9 631/tcp open ipp /tcp open X Nmap finished: 1 IP address (1 host up) scanned in seconds

Vulnerability Testing and Exploitation Purpose: To check hosts for known vulnerabilities and to see if they are exploitable, as well as to assess the potential severity of said vulnerabilities. Methods: Remote vulnerability scanning (Nessus, OpenVAS) Active exploitation testing o Login checking and bruteforcing o Vulnerability exploitation (Metasploit, Core Impact) o 0day and exploit discovery (Fuzzing, program analysis) o Post exploitation techniques to assess severity (permission levels, backdoors, rootkits, etc)

Reporting Purpose: To organize and document information found during the reconnaissance, network scanning, and vulnerability testing phases of a pentest. Methods: Documentation tools (Dradis) o Organizes information by hosts, services, identified hazards and risks, recommendations to fix problems

How to Become a Penetration Tester - Stay up to date on recent developments in computer security, reading newsletters and security reports are a good way to do this. - Becoming proficient with C/C++ and a scripting language such as PEARL - Microsoft, Cisco, and Novell certifications - Penetration Testing Certifications - Certified Ethical Hacker (CEH) -GIAC Certified Penetration Tester (GPEN)

Conclusion Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.