Slide 1: Security Training
Daniel Kouril, Sven Gabriel
EGI Conference 2016, Amsterdam
Speaker notes: focus, introduction
Slide 2: Agenda
Brief technical introduction
Capture-the-Flag game
Speaker notes: purpose of the introduction, audience, roles of attendees, skills needed
Slide 3: Requirements
Chrome browser v38 or higher is required (not Chromium, Firefox or IE); any common OS
Slide 4: Cyber Attacks
Slide 5: Attacks & incentives
Getting (unauthorized) access to data: cyber espionage, stealing money
Disruption of services: blackmailing, demonstration of capabilities
Modification of data: damaging reputation
Misuse of resources: botnets, ransomware, bitcoins, spam
Slide 6: Attackers' behavior
Striving to overcome security precautions
Hiding their activities; often trying to stay unnoticed for a long time
No attribution
Slide 7: (D)DoS example
Overloading the service and/or the network with ordinary requests
Reflected attacks
  Hiding the origin: IP address spoofing (the request carries the victim's address as its source, so the reflector answers the victim)
  Amplification: some protocols return significantly longer responses than requests (NTP, SNMP, DNS)
Hard to attribute and to prevent
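The reflection pattern described on this slide is what a defender sees in flow data: many reflectors answering from a service port to one destination with unusually large responses. The following is an added example, not part of the slides or the trainers' material; the flow records are constructed, the thresholds are illustrative rather than tuned, and the flow format is an assumed simplification of NetFlow-style output.

```python
"""Spotting UDP reflection/amplification traffic in flow records.

Added example (not from the slides). Groups UDP flows that originate from
common amplifier ports by destination and flags destinations receiving
large responses from several distinct reflectors. Flow data and thresholds
below are constructed for illustration.
"""
from collections import defaultdict

# Services commonly abused as amplifiers (the slide names NTP, SNMP and DNS),
# keyed by the UDP port the reflector answers from.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}

# Constructed flow records (not real traffic), one per line:
# proto src_ip src_port dst_ip dst_port packets bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 123 203.0.113.5 40001 48 21120
udp 198.51.100.8 123 203.0.113.5 40001 52 22880
udp 198.51.100.9 123 203.0.113.5 40001 45 19800
udp 192.0.2.10 53 203.0.113.5 40001 30 95000
udp 192.0.2.11 53 203.0.113.5 40001 28 90000
udp 192.0.2.20 53 192.0.2.30 51515 1 120
tcp 192.0.2.21 443 192.0.2.31 51516 40 30000
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src_ip, src_port, dst_ip, dst_port, packets, nbytes = line.split()
        flows.append({
            "proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "packets": int(packets), "bytes": int(nbytes),
        })
    return flows


def find_reflection_victims(flows, min_reflectors=3, min_bytes_per_packet=300):
    """Return {victim_ip: summary} for destinations that look reflected at.

    A normal NTP reply is 48 bytes and a reply to a typical DNS query a few
    hundred bytes; abused responses (e.g. NTP monlist, DNS ANY) run to many
    hundreds or thousands of bytes, which the bytes-per-packet threshold
    catches. Requiring several distinct reflectors avoids flagging a single
    busy resolver. The spoofing attacker never appears in this data: only
    the reflectors and the victim do, which is why attribution is hard.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "services": set(),
                                   "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        entry = per_dst[f["dst_ip"]]
        entry["reflectors"].add(f["src_ip"])
        entry["services"].add(REFLECTOR_PORTS[f["src_port"]])
        entry["packets"] += f["packets"]
        entry["bytes"] += f["bytes"]

    victims = {}
    for dst_ip, e in per_dst.items():
        bpp = e["bytes"] / e["packets"]
        if len(e["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_packet:
            victims[dst_ip] = {
                "reflectors": len(e["reflectors"]),
                "services": sorted(e["services"]),
                "packets": e["packets"],
                "bytes": e["bytes"],
                "bytes_per_packet": round(bpp),
            }
    return victims


if __name__ == "__main__":
    for ip, summary in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(ip, summary)
```

On the constructed data only 203.0.113.5 is flagged: five reflectors across NTP and DNS, about 1.2 kB per packet. The single 120-byte DNS reply to 192.0.2.30 and the TCP flow are ignored. In practice the same grouping is also worth running per reflector (source side), since the game on the last slide is about a site's own machine being abused as a reflector.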
Slide 8: Typical attackers' steps
Select a target
Find a vulnerability or weakness
Find a way to exploit the vulnerability or bypass the security controls
Make the target work for the attacker
Slide 9: Vulnerabilities
Different types:
  Programming error
  Design flaw
  Misconfiguration
  Weak protection
  Human error
CVE: directory of known vulnerabilities; CVE-YYYY-id is the unique identifier
Known vs. zero-day
Unpatched known vulnerabilities pose a major threat
Slide 10: SQL Injections
Insufficient sanitization of users' input
Consider an application managing users that builds its query by string concatenation:
    "SELECT * FROM users WHERE name ='" + userName + "';"
userName == "sveng" yields:
    SELECT * FROM users WHERE name ='sveng';
userName == "' OR '1'='1 -- " yields:
    SELECT * FROM users WHERE name ='' OR '1'='1 -- ';
The WHERE clause is now always true and the rest of the statement is commented out, so every row is returned.
Speaker notes: typical programming error, from Wikipedia; also add SQL queries, …
Slide 11: Finding vulnerabilities
Collect information about the target
Estimate weaknesses
Manual vs. automated probing
Often black-box-style analysis
Slide 12: Metasploit Framework
Tool for developing and testing exploits
Directory of exploit code
Text-based console (msfconsole), controlled by commands:
  show exploits: list the available exploits
  use <exploit>: activate a particular exploit
  show options: display the variables to set
  set RHOST <IP>: set the target host
  show payloads: show what will be injected once the exploit succeeds
  exploit: trigger the exploitation process
A web interface also exists
Slide 13: Game
You're an attacker who is trying to take over a remote machine
You will exercise the techniques described earlier
The goal is to use the remote machine to reflect a DoS attack against another victim:
  DoS'ing the target
  Damaging the reputation of the "reflector"