Presentation is loading. Please wait.

Presentation is loading. Please wait.

Penetration Testing Karen Miller.

Published byJob Elliott Modified over 6 years ago

Similar presentations

Presentation on theme: "Penetration Testing Karen Miller."— Presentation transcript:

1 Penetration Testing Karen Miller

2 Purpose Using a variety of tools and resources;
While acting as an attacker; In order to test an organization’s defenses;

3 Steps Define your scope and goal; why are you performing the penetration test? Reconnaissance; gather information on target (open ports, operating system, IP addresses, etc.) Enumeration; use gathered information to identify potential entry points Vulnerability scanning/exploitation; discover and exploit vulnerabilities Report findings including possible methods of strengthening defenses

4 Vulnerability Scanning
Finding weaknesses in computers, networks, and applications; To find possible methods of strengthening the system; Or to exploit the system in order to gain more information about weaknesses.

5 Vulnerability Scanning Tools
Nessus: network vulnerability scanner (Linux, OSX, Windows) Nikto: web application security scanner (Linux, OSX, Windows) OpenVAS: vulnerability scanning/management tools (Linux, Windows) w3af: vulnerability scanner/exploitation tool (Linux, OSX, Windows)

6 Damn Vulnerable Web Application (DVWA)
PHP/MySQL web application Variety of web app vulnerabilities to test your skills with i.e. Command injection, SQL injection

7 Nikto nikto –host + OSVDB-3268: /dvwa/config/: Directory indexing found. + /dvwa/config/: Configuration information may be available remotely. + OSVDB-12184: /dvwa/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. Go to: and search for “OSVDB-XXXX” for more information on the vulnerability i.e. which shows details about the OSVDB-3268 vulnerability Nikto detected

8 OpenVAS You can add targets by going to Configuration > Targets > New Target (star button) To set up a scan, go to Scan Management > Tasks > New Task Give your scan a name, select a target, and for “Scan Config” select “Full and very deep ultimate” Create the task, then hit the green play button to start the scan

9 Sources testing-assessing-security-attackers-34635 room/whitepapers/threats/vulnerabilities-vulnerability-scanning-1195 linux.html vulnerability-scanner-how-to-use-openvas-on-kali-debian-linux/

Download ppt "Penetration Testing Karen Miller."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Penetration Testing Presented by: Elham Hojati Advisor: Dr. Akbar Namin July 2014.

Penetration Testing Presented by: Elham Hojati Advisor: Dr. Akbar Namin July 2014.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Penetration testing – W3AF Tool

Penetration testing – W3AF Tool
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.

1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.
Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.

Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.
Sam Cook April 18, 2013. Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.

Sam Cook April 18, Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Performing a Penetration Test.  Penetration Tester  Attempts to reveal potential consequences of a real attack  Security Audit / Vulnerability Assessment.

Performing a Penetration Test.  Penetration Tester  Attempts to reveal potential consequences of a real attack  Security Audit / Vulnerability Assessment.
Port Scanning.

Port Scanning.
Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
Attack Lifecycle Many attacks against information systems follow a standard lifecycle: –Stage 1: Info. gathering (reconnaissance) –Stage 2: Penetration.

Attack Lifecycle Many attacks against information systems follow a standard lifecycle: –Stage 1: Info. gathering (reconnaissance) –Stage 2: Penetration.
Port Scanning and Enumeration (NMAP)

Port Scanning and Enumeration (NMAP)

Similar presentations

Ads by Google