Penetration Testing
Anand Sudula, CISA, CISSP
SSA Global Technologies, India

Presentation transcript:


Before We Start
- My Introduction.
- Audience Type.
- Expectations from this presentation.
- Disclaimer.
  - Not a professional Tester.
  - Based on my learning, understanding.

Agenda
- Background.
  - What is Penetration Testing.
  - Need for Penetration Testing.
- Methods and Techniques of Pen Test.
- Demo.
  - Tiger Tools.
  - Metasploit.
  - ExploitTree.
  - Whoppix.
  - ERD Commander (local password cracking).
- Questions.
- Resources.

Background: What is Penetration Testing
- A form of stress testing, which exposes weaknesses or flaws in a computer system.
- Art of finding an open door.
- A valued assurance assessment tool.
- PT can be used to find flaws in:
  - Policies
  - Specifications
  - Architecture
  - Implementation
  - Software
  - Hardware
  - And many more

Background: Need for Penetration Testing
- To find poorly configured machines.
- Verify that security mechanisms are working.
- Help organizations to tighten the security system.

FACT! 99.9% secure = 100% vulnerable!

Methods and Techniques of Pen Test: Black Box
- Zero-knowledge testing.
- The tester needs to acquire the knowledge and penetrate.
  - Acquire knowledge using tools or social engineering techniques.
- Publicly available information may be given to the penetration tester.

Benefits: Black box testing is intended to closely replicate an attack made by an outsider without any information about the system. This kind of testing gives an insight into the robustness of the security when under attack by script kiddies.

Methods and Techniques of Pen Test: White Box
- Complete-knowledge testing.
- Testers are given full information about the target system they are supposed to attack.
- Information includes:
  - Technology overviews
  - Data flow diagrams
  - Code snippets
  - More

Benefits:
- Reveals more vulnerabilities and may be faster.
- Comparable to replicating an attack from a criminal hacker who knows the company infrastructure very well. This hacker may be an employee of the company itself, doing an internal attack.

Methods and Techniques of Pen Test: Gray-box or crystal-box test
The tester simulates an inside employee. The tester is given an account on the internal network and standard access to the network. This test assesses internal threats from employees within the company.

Methodology of Penetration Testing
There are NO formal methods of penetration testing!
- Typically has seven stages:
  - Scope/Goal Definition
  - Information Gathering
  - Vulnerability Detection
  - Information Analysis and Planning
  - Attack & Penetration/Privilege Escalation
  - Result Analysis & Reporting
  - Cleanup

REPEAT

Methodology of Penetration Testing
STAGE 1: Scope/Goal Definition
- Which attacker profile the tester will use:
  - Hacker with no knowledge about the target.
  - Hacker with knowledge about the target.
  - Internal user with access.
- Which systems or networks the test will be conducted on.
- How long the test will last.

Methodology of Penetration Testing
STAGE 2: Information Gathering
- Information about the targets.
  - Publicly available information (nslookup).
  - Technical information provided by the organisation.

Methodology of Penetration Testing
STAGE 3: Vulnerability Detection
- Manual detection
  - Manually probe the target host for common misconfigurations or flaws, because a vulnerability scanner can fail to identify certain vulnerabilities.
  - Ex: database configurations, etc.
- Using software
  - Use of commercial or freeware scanners to enumerate known flaws or vulnerabilities. Ex: Retina, HFNetChk, GFI LANguard, Nikto, nmap and so on.

Plenty of tools are available in the market and on the Internet.

Methodology of Penetration Testing
STAGE 4: Information Analysis and Planning
- Collating the information gathered in previous stages.
- Preparation of high-level attack planning.
  - Overall approach.
  - Target identification.

Methodology of Penetration Testing
STAGE 5: Attack & Penetration/Privilege Escalation
Has two sub-stages.
I. Attack & Penetration
- Known/available exploit selection
  - Tester acquires publicly available software for exploiting.
- Exploit customization
  - Customize the exploit program to work as desired.
- Exploit development
  - Develop own exploit if no exploit program is available.
- Exploit testing
  - The exploit must be tested before the formal test to avoid damage.
- Attack
  - Use of the exploit to gain unauthorized access to the target.

Methodology of Penetration Testing
STAGE 5: Attack & Penetration/Privilege Escalation
II. Privilege Escalation
- What can be done with the acquired access/privileges.
  - Alter.
  - Damage.
  - What not ...

Repeat the stages (2 to 5).

Methodology of Penetration Testing
STAGE 6: Result Analysis & Reporting
Organize data and related results for management reporting.
- Consolidation of information gathered.
- Analysis and extraction of general conclusions.
- Recommendations.

Methodology of Penetration Testing
STAGE 7: Cleanup
Cleaning up everything that has been done during the testing.
- Any system alterations
- Exploits
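
One way to tie the stages together in practice, as an added example that is not part of the original presentation: a small engagement ledger that enforces the Stage 1 scope (attacker profile, networks, duration) whenever a change is logged in Stage 5 and produces the Stage 7 cleanup checklist. The class, its field names and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Engagement:
    """Hypothetical ledger; field names are assumptions, not from the slides."""
    profile: str        # Stage 1: attacker profile agreed with the client
    networks: list      # Stage 1: authorised networks, as CIDR strings
    start: datetime     # Stage 1: agreed test window
    end: datetime
    alterations: list = field(default_factory=list)

    def in_scope(self, host, when):
        """True only for an authorised address inside the agreed window."""
        addr = ip_address(host)
        authorised = any(addr in ip_network(n) for n in self.networks)
        return authorised and self.start <= when <= self.end

    def record(self, host, when, change):
        """Log a system alteration (Stage 5); refuse anything out of scope."""
        if not self.in_scope(host, when):
            raise PermissionError(f"{host} at {when:%Y-%m-%d %H:%M} is out of scope")
        self.alterations.append(
            {"host": host, "when": when, "change": change, "reverted": False})

    def mark_reverted(self, host, change):
        """Tick off one alteration once it has been undone."""
        for item in self.alterations:
            if item["host"] == host and item["change"] == change:
                item["reverted"] = True

    def cleanup_outstanding(self):
        """Stage 7 checklist: alterations still to undo, grouped by host."""
        todo = {}
        for item in self.alterations:
            if not item["reverted"]:
                todo.setdefault(item["host"], []).append(item["change"])
        return todo


# Constructed sample engagement; 192.0.2.0/24 is a documentation range.
ENGAGEMENT = Engagement("internal user with access", ["192.0.2.0/24"],
                        datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 8, 17, 0))
ENGAGEMENT.record("192.0.2.10", datetime(2024, 3, 5, 10, 0), "test account 'pt-user' created")
ENGAGEMENT.record("192.0.2.10", datetime(2024, 3, 5, 11, 0), "marker file /tmp/pt-marker.txt written")
ENGAGEMENT.mark_reverted("192.0.2.10", "test account 'pt-user' created")
print(ENGAGEMENT.cleanup_outstanding())
```

An empty result from `cleanup_outstanding()` is the condition for closing Stage 7; anything left in it belongs in the Stage 6 report as an open item.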

Resources
- Guidelines
  - OSSTMM: The Open Source Security Testing Methodology Manual.
  - OWASP: Open Web Application Security Project.
- Tools
  - Nmap, Nikto, John, Cain & Abel and many more.
  - Whoppix
  - Tiger Tools (commercial tool)
  - Metasploit
  - ExploitTree
  - Core Impact (commercial tool)

Metasploit Framework

ExploitTree Framework

Milw0rm

Demos
- DCOM vulnerability using ExploitTree.
- Password Cracker: Tiger Tools.
- Whoppix.
  - Security Auditor.
  - Password Cracking (Raptor Chown, recorded demo).
  - ExploitTree.
  - Metasploit.

Questions?