Pentesting to check vulnerabilities.pptx

tigerctm108 22 views 14 slides Sep 16, 2024
Slide 1
Slide 1 of 14
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14

About This Presentation

Pentesting is effective to check vulnerabilities in sites and applications using security softwares

Size: 105.85 KB
Language: en
Added: Sep 16, 2024
Slides: 14 pages

Slide Content

Penetration Testing Edmund Whitehead Rayce West

Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing Viewpoints - Phases of Penetration Testing    - Reconnaissance and Information Gathering    - Network Enumeration and Scanning    - Vulnerability Testing and Exploitation - Reporting - How to become a Penetration Tester

Penetration Testing Definition of Penetration Testing: - A penetration test or pentest is a test evaluating the strengths of all security controls on the computer system. Penetration tests evaluate procedural and operational controls as well as technological controls.

Who needs Penetration Testing - Banks/Financial Institutions, Government Organizations, Online Vendors, or any organization processing and storing private information  - Most certifications require or recommend that penetration tests be performed on a regular basis to ensure the security of the system.  - PCI Data Security Standard's Section 11.3 requires organizations to  perform application and penetration tests at least once a year. - HIPAA Security Rule's section 8 of the Administrative Safeguards requires security process audits, periodic vulnerability analysis and penetration testing.

Penetration Testing Viewpoints -External vs. Internal    Penetration Testing can be performed from the viewpoint of an    external attacker or a malicious employee. - Overt vs. Covert     Penetration Testing can be performed with or without the knowledge of the IT department of the company being tested.

Phases of Penetration Testing - Reconnaissance and Information Gathering - Network Enumeration and Scanning - Vulnerability Testing and Exploitation - Reporting

Reconnaissance and Information Gathering Purpose: To discover as much information about a target (individual or organization) as possible without actually making network contact with said target.  Methods: Organization info discovery via WHOIS Google search Website browsing

WHOIS Results for www.clemson.edu Domain Name: CLEMSON.EDU Registrant:    Clemson University    340 Computer Ct    Anderson, SC 29625    UNITED STATES Administrative Contact:    Network Operations Center    Clemson University    340 Computer Court    Anderson, SC 29625    UNITED STATES    (864) 656-4634    [email protected] Technical Contact:    Mike S. Marshall    DNS Admin    Clemson University    Clemson University    340 Computer Court    Anderson, SC 29625    UNITED STATES    (864) 247-5381    [email protected] Name Servers:     EXTNS1.CLEMSON.EDU      130.127.255.252    EXTNS2.CLEMSON.EDU      130.127.255.253    EXTNS3.CLEMSON.EDU      192.42.3.5

Network Enumeration and Scanning Purpose:  To discover existing networks owned by a target as well as live hosts and services running on those hosts. Methods: Scanning programs that identify live hosts, open ports, services, and other info (Nmap, autoscan)  DNS Querying Route analysis (traceroute)

NMap Results        nmap -sS 127.0.0.1    1    2     3 Starting Nmap 4.01 at 2006-07-06 17:23 BST    4 Interesting ports on chaos (127.0.0.1):    5 (The 1668 ports scanned but not shown below are in state: closed)    6 PORT     STATE SERVICE    7 21/tcp   open  ftp    8 22/tcp   open  ssh     9 631/tcp  open  ipp   10 6000/tcp open  X11   11    12 Nmap finished: 1 IP address (1 host up) scanned in 0.207   13         seconds

Vulnerability Testing and Exploitation Purpose:  To check hosts for known vulnerabilities and to see if they are exploitable, as well as to assess the potential severity of said vulnerabilities.  Methods:  Remote vulnerability scanning (Nessus, OpenVAS) Active exploitation testing Login checking and bruteforcing Vulnerability exploitation (Metasploit, Core Impact) 0day and exploit discovery (Fuzzing, program analysis) Post exploitation techniques to assess severity (permission levels, backdoors, rootkits, etc)

Reporting Purpose:  To organize and document information found during the reconnaissance, network scanning, and vulnerability testing phases of a pentest.  Methods:   Documentation tools (Dradis) Organizes information by hosts, services, identified hazards and risks, recommendations to fix problems

How to Become  a Penetration Tester - Stay up to date on recent developments in computer security, reading newsletters and security reports are a good way to do this. - Becoming proficient with C/C++ and a scripting language such as PEARL - Microsoft, Cisco, and Novell certifications - Penetration Testing Certifications    - Certified Ethical Hacker (CEH)    -GIAC Certified Penetration Tester (GPEN)

Conclusion  Questions?
Tags
#cybersecurity
Categories
Business
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 22
  • Slides 14
  • Age 442 days
Related Slideshows
DTI BPI Pivot Small Business - BUSINESS START UP PLAN 1
DTI BPI Pivot Small Business - BUSINESS START UP PLAN
MeljunCortes
29 views
CATHOLIC EDUCATIONAL Corporate Responsibilities 1
CATHOLIC EDUCATIONAL Corporate Responsibilities
MeljunCortes
30 views
Karin Schaupp – Evocation; lançamento: 2000 11
Karin Schaupp – Evocation; lançamento: 2000
alfeuRIO
29 views
Pillars of Biblical Oneness in the Book of Acts 10
Pillars of Biblical Oneness in the Book of Acts
JanParon
26 views
7-10. STP + Branding and Product & Services Strategies.pptx 31
7-10. STP + Branding and Product & Services Strategies.pptx
itsyash298
28 views
Business Legislation PPT - UNIT 1 jimllpkggg 44
Business Legislation PPT - UNIT 1 jimllpkggg
slogeshk98
31 views
View More in This Category