1 Daniel Kouril Sven Gabriel
Security Training
Daniel Kouril, Sven Gabriel
Focus, introduction
EGI Conference 2016, Amsterdam

2 Agenda
Brief technical introduction
Capture-the-Flag Game
Purpose of introduction, audience, roles of attendees, skills needed

3 Requirements
Chrome browser v.38 or higher is required
Not Chromium, Firefox or IE; any common OS

4 Cyber Attacks

5 Attack & Incentives
Getting (unauthorized) access to data: cyber espionage, money stealing
Disruption of services: blackmailing, demonstration of capabilities
Modification of data: damaging reputation
Misuse of resources: botnets, ransomware, bitcoins, spam

6 Attackers’ behavior
Striving to overcome security precautions
Hiding their activities: often try to stay unnoticed for a long time
No attribution

7 (d)DoS example
Overloading the service and/or network with common requests
Reflected attacks: hiding the origin by IP address spoofing
Amplification: some protocols return significantly longer responses than requests (NTP, SNMP, DNS)
Hard to attribute and to prevent

8 Typical attackers’ steps
Select target
Find vulnerability, weakness
Find a way to exploit the vulnerability or bypass security
Make the target work for the attacker

9 Vulnerabilities
Different types: programming error, design flaw, misconfiguration, weak protection, human error
CVE – directory of known vulnerabilities; CVE-YYYY-id is the unique identifier
Known vs. zero-day
Unpatched known vulnerabilities pose a major threat

10 SQL Injections
Insufficient sanitization of users’ input
Consider an application managing users:
"SELECT * FROM users WHERE name ='" + userName + "';"
userName == "sveng" yields: SELECT * FROM users WHERE name ='sveng';
userName == "' OR '1'='1 -- " yields: SELECT * FROM users WHERE name = '' OR '1'='1 -- ';
Typical programming error, from Wikipedia; also add SQL queries, …

11 Finding vulnerabilities
Collect information about the target
Estimate weaknesses
Manual vs. automated probing
Often black-box-style analysis

12 Metasploit Framework
Tool for developing and testing exploits
Directory of exploit code
Text-based console (msfconsole), controlled by commands:
show exploits – list of exploits
use <exploit> – activate a particular exploit
show options – display variables to set
set RHOST <IP>
show payloads – show what will be injected
exploit – trigger the exploitation process
A web interface also exists

13 Game
You’re an attacker who is trying to take over a remote machine
You will exercise the techniques described earlier
The goal is to use the remote machine to reflect a DoS attack against another victim:
DoS’ing the target
Damaging the reputation of the “reflector”
