automatic penetration testing and security services n.
Skip this Video
Download Presentation
Automatic Penetration Testing and Security Services

Loading in 2 Seconds...

play fullscreen
1 / 28

Automatic Penetration Testing and Security Services - PowerPoint PPT Presentation

  • Uploaded on

Automatic Penetration Testing and Security Services. Beenu Arora 0361483104 Presentation Overview. Introduction Cyber Attacks : 1 case study Need for such tool Information about Project. INTRODUCTION.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Automatic Penetration Testing and Security Services' - meira

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
automatic penetration testing and security services

Automatic Penetration Testing and Security Services

Beenu Arora


presentation overview
Presentation Overview
  • Introduction
  • Cyber Attacks : 1 case study
  • Need for such tool
  • Information about Project
  • Computer related incidents increased at a tremendous rate by the end of the 1990's, and into the 2000's. Many of the computer incidents exploited confidential information being stored by companies in a variety of different industries. The ability to carry out threats against information systems has been made easier due to the sharp increase in system vulnerabilities.
  • Unauthorized Access to confidential information was also the result of weak or non-existent information security practices. Not identifying and mitigating risks is a leading cause of unauthorized access and the exploitation of vulnerabilities. While there are a number of different internal and external threats to information, not all information systems are at risk because of their design, or the information that they maintain. The number of vulnerabilities can impact the associated risk of a threat.
penetration tests process
Penetration Tests Process



Automatic Penetration Testing


Report Generation

earlier version of apt drawbacks
Earlier Version of APT Drawbacks
  • Limited Number of task ( No Footprinting and No in depth scanning)
  • Platform Dependent ( Microsoft Based OS)
  • The application was not stable since the platform is itself not very stable ( VB 6.0)
  • The process was not completely automatic as user had to configure

Since the password can be easily cracked , then what’s the point of keeping

It . The next slide explain this. So there was a need to make a strong algorithm

From some existing one.

the authentication algorithm was too weak
The authentication algorithm was too weak

Note: The key was cracked using IDA Pro. application

some slides of old version
Some Slides of Old Version.

Note: A glimpse of APT v1.0

what new version include
What New version include?
  • A complete cycle of the penetration testing including the missing links of earlier APT.
  • Platform independent environment ( IDE Python).
  • Intensive scanning for the web application including CMS’s like Joomla , Mambo, Xoops, Php-Nuke.
  • Password cracking algorithms of MD5 , SHA1, Base64, Shadows.
  • A dummy honey pot.
  • An Enhanced Encryption Algorithm to avoid the application crack.


Implement an encryption system developed from existing system.

Traditional Process in various web applications

Plaintext ================================= MD5 Hash

(User Enters Password) MD5 Algorithm (128 bit hash)

Enhanced Encryption System

(User enter Password)

(H1) (H2) (H3) (H4) (H-N)

Plaintext=====Hash====Hash====Hash====Hash---process continues

MD5 MD5 MD5 MD5 n-times where n is

length of password

Hence n becomes the private key of the user and at the database H-N is stored

ip auditing
IP Auditing
  • Foot printing module has been developed with features:
    • Who is lookup.
    • IP location
    • Scripting Language used.
scanning ip auditing
Scanning: IP Auditing
  • Web Server Detection and Version
  • Port Scanning
  • Anonymous ftp login checker
exploiting ip audit
Exploiting:IP Audit.
  • Fetching Robots.txt
  • Website Title
  • Website Description
  • Website Keywords
  • Website crawler
continued exploiting ip auditing
Continued: Exploiting: IP Auditing
  • Generation of crawled links on a text files
  • Link scans each page for XSS, SQL Injection, LFI, RFI, RCE
exploitation based on the web server detected application based attack ip auditing
Exploitation based on the web server detected ( Application based attack) : IP Auditing
  • The included ones yet are:
  • GlobalFTP 3.0 Secure Server Exploit
  • Microsoft Windows NAT Helper Components (ipnathlp.dll) 0day Remote DoS Exploit
  • MiniWebSvr 0.0.9a Directory Transversal Vulnerability
  • WFTPD Pro Server Buffer Overflow
  • TFTP Server for Windows V1.4 ST (0day)
exploiting continued ip auditing
Exploiting :Continued: IP Auditing
  • Checking for sensitive directories
cms based attacks exploitation ip auditing
CMS based attacks: Exploitation: IP Auditing
  • Joomla, Mambo, Xoops, Php-Nuke
    • Detection
hash generator security services
Hash Generator: Security Services
  • The script is capable of creating the hashes of string and the supported algorithms are MD5, Sha256, sha384, sha512. May be in few days would also include the algorithm to encrypt the string using base64.
knock the d00r security services
Knock the D00r: Security Services
  • The dictionary attack has been implemented for FTP, POP3, Telnet, and MySQL.
  • It is the role of Information Security to provide the basic requirements to successfully integrate security into Information Technology in a manner that properly addresses real threats. It is the goal of Information Security to ensure the confidentiality, integrity, and availability of information. Implementing weak Information Security controls can result in the loss of trust, reputation, and money .Implementing weak Information Security controls can result in the loss of trust, reputation, and money for consumers, businesses, and governments. The sharp increase in the number of fraud, extortion, and identity theft crimes is a primary result of weak Information Security controls. The cost of implementing basic controls to protect information is generally much less expensive than a security breach. Cyber criminals are becoming more sophisticated and are making use of state-of-threat tools to steal high-value data for profit. Many existing security solutions are not being used effectively enough to thwart dedicated attackers. However, many enterprises have a dilemma. They need to be securing, which requires considerable resources, but some enterprises must meet mandatory regulatory requirements or pass the scrutiny of an audit. If enterprises do just enough to pass an audit, they may be dealing with a requirement, but they will not be providing the necessary level of protection. The real goal of security must be to protect enterprises from any serious breach, which inevitably will result in severe negative consequences for their business, clients, and executive management.
future work
Future Work
  • An Intrusion Detection System.
  • Vulnerability scanning of many sites in one go.
  • Cgi scanner.
  • A complete set for variants for more vigorous testing.
  • Convert it into GUI version.
  • Dictionary attacks for attacking the login forms.
  • A sniffer for the network monitoring.
  • A packet crafter.
  • Python Programmers
  • Milw0rm:
  • Wikipedia:
  • Security Focus:

Thank You

Beenu Arora

(CEH, MCSE, Darkcoder)