team bam scott amack everett bloch maxine major n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Penetration Testing vulnerability analysis PowerPoint Presentation
Download Presentation
Penetration Testing vulnerability analysis

Loading in 2 Seconds...

play fullscreen
1 / 21

Penetration Testing vulnerability analysis - PowerPoint PPT Presentation


  • 349 Views
  • Uploaded on

Team BAM! Scott Amack, Everett Bloch, Maxine Major. Penetration Testing vulnerability analysis. Overview. What is penetration testing? Who uses it and why? Penetration testing tools Demo. What is Penetration Testing?. Goal: identify holes in computer security

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Penetration Testing vulnerability analysis' - rimona


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
overview
Overview
  • What is penetration testing?
  • Who uses it and why?
  • Penetration testing tools
  • Demo
what is penetration testing
What is Penetration Testing?
  • Goal: identify holes in computer security
  • Penetration testing is identification of vulnerabilities.
  • Penetration testing may or may not include exploitation.
what is penetration testing1
What is Penetration Testing?

There are two sources of vulnerabilities to which penetration testing may be applied:

  • Human
    • Physical access to computing systems
    • Untrained / poor decisions
    • Hard to “fix”
  • Non-human
    • Open/unprotected ports
    • Poor passwords
    • Website vulnerabilities (XSS, etc.)
who uses p enetration t esting
Who Uses Penetration Testing?
  • Most major companies perform penetration testing on their own services.
      • average loss is $5.5 million(not including value of data stolen!)
      • FICO - continually pen testing
  • Data vulnerability management Market
    • $400.5 million in 2011
    • $1 billion expected in 2016 (Businessweek)
    • Penetration testing is more than just using tools.
penetration testing
Penetration Testing
  • Penetration tester Kevin Bong developed the “Mini Pwner:” a computer the size of an Altoidstin.
  • After being plugged into a company’s Ethernet port,Mini Pwner:
    • Runs simple scanning tools,
    • Maps a company’s network,
    • Creates a VPN connection so ahacker can connect to the router’swifi, and run further exploitationtools. (Forbes, 2012)
penetration testing1
Penetration Testing
  • “The easiest way to get into a company is still to walk in looking professional and talk your way into a wiring closet”

- Kevin Bong, Synercomm penetration tester

penetration testing tools
Penetration Testing Tools
  • Port Scanners
  • Vulnerability Scanners
  • Application Scanners
penetration testing tools1
Penetration Testing Tools
  • Port Scanners
    • Gather info from a test target from a remote network location.
    • They tell us what network services are available for connection
    • Probes each of the target’s ports or services
      • Scans both TCP/UDP
      • Probing with TCP allows scanners to find out what OS is running
penetration testing tools2
Penetration Testing Tools
  • Port ScannersCommon Port Scanners include
    • Nmap
    • Angry IP Scanner
    • Superscan
    • NetScanTools
    • Unicornscan
penetration testing tools3
Penetration Testing Tools
  • Vulnerability Scanners
    • Tests the vulnerabilities on target system.
    • Not only collects data about ports, it tests the ports.
penetration testing tools4
Penetration Testing Tools
  • Commonly used Vulnerability Scanners
    • Nessus
    • Core Impact
    • Nexpose
    • QualysGuard
    • Retina
    • Nipper
    • SAINT
penetration testing tools5
Penetration Testing Tools
  • Application Scanners
    • Targets web based applications
    • Probes each page of an web-based application and attempts common attacks on each page of the application.
  • Tests for the potential to attack:
    • Buffer overruns
    • Cookie manipulation
    • SQL injection
    • XSS
penetration testing tools6
Penetration Testing Tools
  • Commonly used Application Scanners
    • Appscan
    • Nikto
    • WebInspect
    • w3af
    • Paros proxy
    • WebScarab
    • sqlmap
    • skipfish
the future of penetration testing
The Future of Penetration Testing
  • Idappcom developed software Traffic IQ as an attempt to replace penetration testing companies.
    • Data comes from Sourcefire, McAfee, Juniper, Cisco, etc.
    • Exploits come from Metasploit, Packetstorm and SecurityFocus forums.
    • Can be continually run, rather than “snapshot” penetration testing.
    • (Just another tool.)
penetration test demo
Penetration Test Demo
  • Tool we will use: Nmap

Goal: discover and gather information on open ports and vulnerabilities on target systems in this laboratory.

n map demo recap
Nmap Demo Recap

-sT TCP

-sS SYN

-sU UDP

-sX XMAS

-sNNULL

conclusions
Conclusions
  • Penetration testing must look for both the human and non-human weaknesses of a system.
  • Penetration test your own system before someone else does!
  • Penetration testing tools are useful, but their power is incomplete. Experience is the best tool.
recap
Recap
  • What is penetration testing?
  • Who uses it and why?
  • Types of penetration testing tools
    • Port Scanners
    • Vulnerability Scanners
    • Application Scanners
  • Nmap demo
references
References
  • Nmaphttp://nmap.org/
  • Hacker's Tiny Spy Computer Cracks Corporate Networks, Fits In An Altoid “Tin”http://www.forbes.com/sites/andygreenberg/2012/04/17/hackers-tiny-spy-computer-cracks-corporate-networks-fits-in-an-altoid-tin/
  • “FICO Hacks Itself to Prevent Cybercriminal Attacks “http://mobile.businessweek.com/articles/2012-04-03/fico-hacks-itself-to-prevent-cybercriminal-attacks
  • “Organisations can stay cyber secure with fixed-price penetration testing” http://www.melodika.net/index.php?option=com_content&task=view&id=561926&Itemid=55
  • “Idappcom seeks to displace penetration testers”http://www.pcworld.idg.com.au/article/362450/idappcom_seeks_displace_penetration_testers/