2016 TTL Security Gap Analysis with Kali Linux

Gap Analysis & Security Evaluation. Jason Murray, D.CS, Cornwall-Lebanon SD. www.slideshare.net/jasonmurray

Transcript of 2016 TTL Security Gap Analysis with Kali Linux

Page 1: 2016 TTL Security Gap Analysis with Kali Linux

Gap Analysis & Security Evaluation

Jason Murray, D.CS, Cornwall-Lebanon SD

www.slideshare.net/jasonmurray72

Page 2: 2016 TTL Security Gap Analysis with Kali Linux

Goals

• Awareness
• Information Gathering
• Phases of Exploitation
  – Think like a hacker
• Security Gap Analysis Framework
• Demonstrate a few Kali Linux tools

Page 3: 2016 TTL Security Gap Analysis with Kali Linux

How vulnerable are you?

Page 4: 2016 TTL Security Gap Analysis with Kali Linux
Page 5: 2016 TTL Security Gap Analysis with Kali Linux

How easy is it to gather information?

Page 6: 2016 TTL Security Gap Analysis with Kali Linux

FireForce

Page 7: 2016 TTL Security Gap Analysis with Kali Linux
Page 9: 2016 TTL Security Gap Analysis with Kali Linux

What happens if we become a target?

Page 10: 2016 TTL Security Gap Analysis with Kali Linux

5 Phases of Exploitation

1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

Page 11: 2016 TTL Security Gap Analysis with Kali Linux

Reconnaissance

• Target
  – Internal DNS
  – Private Website
  – Dumpster Diving
  – Shoulder Surfing
  – Eavesdropping

Page 12: 2016 TTL Security Gap Analysis with Kali Linux

Reconnaissance – Whiteboarding

• Phone
• Network
• Websites
• Email
• Google
• WhoIs
• AnyWho
• DNS
• Social Network

• IP Blocks
• Net Blocks
• Web Server Content
• Source Code
• Directories
• Databases
• Search Engines
• URL Analysis

• Google Earth
• People Sites
• Financial Analysis
• Job Sites
• Alert Websites
• Archive Sites
• Web Monitoring
• Google Dorking

Page 13: 2016 TTL Security Gap Analysis with Kali Linux

Target - Demo

Page 15: 2016 TTL Security Gap Analysis with Kali Linux
Page 16: 2016 TTL Security Gap Analysis with Kali Linux

Scanning

• Layer 4 – TCP (flags) & UDP
• Layer 3 – IP (v4 or v6) & ICMP
  – Host
  – Ports & Services
  – Vulnerabilities
  – Diagrams

Page 18: 2016 TTL Security Gap Analysis with Kali Linux

Advanced

• Gaining Access
• Maintaining Access
• Covering Tracks

Page 19: 2016 TTL Security Gap Analysis with Kali Linux

Avoid Getting Targeted

Page 20: 2016 TTL Security Gap Analysis with Kali Linux
Page 21: 2016 TTL Security Gap Analysis with Kali Linux

Security Gap Analysis

Page 22: 2016 TTL Security Gap Analysis with Kali Linux

Team

• Considerations
  – IT staff
  – Security
  – End Users
    • Teachers
    • Students
    • Community
  – Management
  – Tech savvy & non-savvy

Page 24: 2016 TTL Security Gap Analysis with Kali Linux

Step 1: Policy, Procedure, & Guideline

• Pen Testing Standards
  – Open Web Application Security Project
  – Penetration Testing Execution Standard
  – Open Source Security Testing Methodology Manual
  – Penetration Testing Framework

Page 25: 2016 TTL Security Gap Analysis with Kali Linux

Step 1: Policy, Procedure, & Guideline

• Who has access/privileges?
  – For how long?
  – Vendors VPN?
  – Retirees/terminations?
  – Logging?
• Updates?
  – Every node?
• Passwords
  – Saved in browser?
  – Frequency of changes?

Page 26: 2016 TTL Security Gap Analysis with Kali Linux

Step 2: Audit

• Permission
• Scope
  – Physical and/or electronic
• Social engineering
  – Timetable
  – Resources (outsourced/in house)
• Review Framework
  – Following policies (awareness)
• Openings
  – Ports
  – Human Factor
  – Physical equipment

Page 27: 2016 TTL Security Gap Analysis with Kali Linux

Step 2: Audit

• Device Security
  – Encryption
  – Password
  – Device storage
  – Device on a non-secure network

Page 28: 2016 TTL Security Gap Analysis with Kali Linux

Step 2: Audit

• Physical Security
  – Access to infrastructure
  – Environmental safeguards
    • Temperature
    • Humidity
  – Protection safeguards
    • Fire
    • Water

Page 29: 2016 TTL Security Gap Analysis with Kali Linux

Step 2: Audit

• Personnel Security
  – Staff backgrounds
  – Security awareness programs that discourage insider attacks
  – Protection against terminated staff
  – Repercussions of malicious violation of information security

Page 30: 2016 TTL Security Gap Analysis with Kali Linux

Step 2: Audit

• OpenVAS

Page 31: 2016 TTL Security Gap Analysis with Kali Linux

Step 3: Technical Review

• Up to date
  – Software/patches
  – Policies
• Awareness
  – Justification for openings
• Consistency
  – OS, antivirus, update procedures
• Vulnerability/risk management
• Encryption

Page 32: 2016 TTL Security Gap Analysis with Kali Linux

Step 4: Findings & Prioritization Summary

• Review the findings
• Organize & arrange tasks to fix gaps
  – Electronic
  – Policy, procedures, guidelines
  – Physical
• Update Risk Management Strategy

Page 33: 2016 TTL Security Gap Analysis with Kali Linux

Questions