dpc june-2014 pentesting-for-fun-and-profit
DESCRIPTION
Introductory-level talk about penetration testing given to the Dutch PHP Conference, June 2014
TRANSCRIPT
Page 1
PenTesting (for fun & profit)
Page 2
Clinton Ingrams
Dutch PHP Conference 2014
https://joind.in/10948
Page 3
Working at ...
Cyber Security Centre, De Montfort University
Teaching …
MSc Cyber Security, Forensic Practitioners (plus lots of Secure Web App Development, PHP, etc)
Page 4
Web Application Pen Testing
(Ethical Hacking)
(HTTP > UFBP)
Page 5
Questions to be answered:
Why?
What?
How?
When?
Who?
With?
How much?
(and don't forget rule 1)
Page 6
Context
Page 7
Application Security is:
Boring
Tedious
Unnecessary
Client-losing
Expensive
…
Page 8
Need to know more vulnerabilities than the OWASP Top 10
Page 9
UK MoD VAs
Vulnerability Assessment levels:
Scanning
Automated probes
Penetration Test
Physical Test
Page 10
Rule 1
Always make sure you have a signed scoping document
Page 11
What is a hacker?
Hacker ... is a term used in computing that can describe several types of persons
– Hacker (computer security): someone who seeks and exploits weaknesses in a computer system or computer network
– Hacker (hobbyist): who makes innovative customizations or combinations of retail electronic and computer equipment
– Hacker (programmer subculture): who combines excellence, playfulness, cleverness and exploration in performed activities
(http://en.wikipedia.org/wiki/Hacker)
Page 12
Why:-
From NIST SP800-53A:
– To “enhance the organisation’s understanding of the system”
– To “uncover weaknesses or deficiencies in the system”
– To “indicate the level of effort required on the part of adversaries to breach the system safeguards”
● Read ZF05
https://securitythoughts.wordpress.com/2009/08/11/zero-for-0wned-zine-zf05/
Page 13
When:-
“Why is there never time to consider security before an app goes live, but plenty of time and money after the first hack?”
(Thought: when to pentest if following Agile techniques???)
Page 14
How:- Methodologies
Frameworks:
– National Institute of Standards and Technology
● NIST SPECIAL REPORT 800-115
– Open Web Application Security Project
● OWASP
– SANS
● Securing Web Applications Technologies
– Open Source Security Testing Methodology Manual
● OSSTMM
– Ad hoc
Page 15
NIST
Page 16
OWASP
The following sections describe the 12 subcategories of the Web Application Penetration Testing Methodology:
4.1 Introduction and Objectives
4.2 Information Gathering
4.3 Configuration and Deploy Management Testing
4.4 Identity Management Testing
4.5 Authentication Testing
4.6 Authorization Testing
4.7 Session Management Testing
4.8 Data Validation Testing
4.9 Error Handling
4.10 Cryptography
4.11 Business Logic Testing
4.12 Client Side Testing
Page 17
Ad-hoc
Page 18
Who:-
● Large organisations (UK) may be required to employ a cyber/digital security specialist
– cf. health & safety specialists
● However, every web development company should (probably) have such a cyber security “specialist”
– qualified
– experienced
Page 19
How much:-
“All the market will bear ...”
(Poul Anderson)
Page 20
With:-
● Samurai Web Testing Framework
– http://samurai.inguardians.com/
(other tool kits are available …)
● Containing toolkits
– Eg BurpSuite, ZAP, w3af, etc
● Deliberately vulnerable web applications
– Mutillidae, DVWA, Badstore, Flowershop, …
(victim machines)
Page 21
Planning:-
● Remember Rule 1?
● Safety Clause
● Profiling
● Risk Assessment
Page 22
Profiling
● Google
● Whois
● DNS
● Social Engineering
● Dumpster diving
Page 23
samurai
Page 24
zenmap
Page 25
dvwa
Page 27
zap
Page 28
Demo:-
● (Ze)nmap
● Wireshark
● ZAP
● Burpsuite
● w3af
Page 29
Books
● The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy
– Patrick Engebretson
● Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques
– Thomas Wilhelm & Jason Andress
● Seven Deadliest Web Application Attacks (Seven Deadliest Attacks)
– Mike Shema
Page 30
References
● https://securitythoughts.wordpress.com/2009/08/11/zero-for-0wned-zine-zf05/
● https://cyberarms.wordpress.com/2010/06/12/tiger-team-penetration-testing-on-tv/
● https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
● http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
● https://www.owasp.org/index.php/Web_Application_Penetration_Testing
● http://www.isecom.org/
● http://samurai.inguardians.com/
● https://www.youtube.com/watch?v=6gH4A49sPdc
● http://armoredcode.com/images/keep-calm-and-write-safe-code-small.png
Page 31
Thanks for staying to the end...
@cfing99
a bar …
(https://joind.in/10948)
Page 32
Any Questions?