Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOps Bootcamp - Week 6 - Lesson 2

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for DevSecOps DevSecOps
July 01, 2016
Technology
0
150

DevSecOps Bootcamp - Week 6 - Lesson 2

Bootcamp week 6 lesson 2

Avatar for DevSecOps

DevSecOps

July 01, 2016
Tweet

More Decks by DevSecOps

See All by DevSecOps
DevSecOps Bootcamp - Week 6 - Lesson 1
Avatar for DevSecOps devsecops
0
220
DevSecOps Bootcamp - Week 6 - Lesson 3
Avatar for DevSecOps devsecops
0
160
DevSecOps Bootcamp - Week 5 - Lesson 1
Avatar for DevSecOps devsecops
0
180
DevSecOps Bootcamp - Week 5 - Lesson 2
Avatar for DevSecOps devsecops
0
140
DevSecOps Bootcamp - Week 4 - Lesson 1
Avatar for DevSecOps devsecops
0
170
DevSecOps Bootcamp - Week 4 - Lesson 2
Avatar for DevSecOps devsecops
0
93
DevSecOps Bootcamp - Week 4 - Lesson 3
Avatar for DevSecOps devsecops
0
97
DevSecOps Bootcamp - Week 3 - Lesson 2
Avatar for DevSecOps devsecops
0
94
DevSecOps Bootcamp - Week 3 - Lesson 3
Avatar for DevSecOps devsecops
0
140

Other Decks in Technology

See All in Technology
Data Hubグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
2.7k
Embedded SREの終わりを設計する 「なんとなく」から計画的な自立支援へ
Avatar for SansanTech sansantech
PRO
3
2.3k
CDK対応したAWS DevOps Agentを試そう_20260201
Avatar for モブエンジニア(Masaki Okuda) masakiokuda
1
240
~Everything as Codeを諦めない~ 後からCDK
Avatar for mu7889yoon / Yuta Nakamura mu7889yoon
3
320
ClickHouseはどのように大規模データを活用したAIエージェントを全社展開しているのか
Avatar for Miki Matsumoto mikimatsumoto
0
210
日本の85%が使う公共SaaSは、どう育ったのか
Avatar for たけだ taketakekaho
1
150
ZOZOにおけるAI活用の現在 ~開発組織全体での取り組みと試行錯誤~
Avatar for ZOZO Developers zozotech
PRO
5
5k
超初心者からでも大丈夫!オープンソース半導体の楽しみ方〜今こそ!オレオレチップをつくろう〜
Avatar for Yamada3 keropiyo
0
110
レガシー共有バッチ基盤への挑戦 - SREドリブンなリアーキテクチャリングの取り組み
Avatar for Konishi tatsuhiro tatsukoni
0
210
AIと新時代を切り拓く。これからのSREとメルカリIBISの挑戦
Avatar for ktykogm 0gm
0
880
All About Sansan – for New Global Engineers
Avatar for Sansan, Inc. sansan33
PRO
1
1.3k
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
Avatar for Toro_Unit (Hiroshi Urabe) torounit
0
460

Featured

See All Featured
Building the Perfect Custom Keyboard
Avatar for Naoto Takai takai
2
680
Designing Powerful Visuals for Engaging Learning
Avatar for Mike Taylor tmiket
0
230
Unlocking the hidden potential of vector embeddings in international SEO
Avatar for Frank van Dijk frankvandijk
0
170
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.6k
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
47
7.9k
Context Engineering - Making Every Token Count
Avatar for Addy Osmani addyosmani
9
650
AI Search:
Where Are We & What Can We Do About It?
Avatar for Aleyda Solis aleyda
0
6.9k
[SF Ruby Conf 2025] Rails X
Avatar for Vladimir Dementyev palkan
1
740
Paper Plane
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
46k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
96
14k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
210k
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
1
2.2M

Transcript

  1. 1 BUILDING RUGGED SOFTWARE YEAR ONE / WEEK SIX /

    LESSON TWO Copyright © DevSecOps Foundation 2015-2016

  2. 2 Copyright © DevSecOps Foundation 2015-2016 • Network Attack •

    Nmap • Enumeration • Metasploit • Jenkins • JBoss • Lateral Movement • Lab 2 Agenda

  3. 3 Copyright © DevSecOps Foundation 2015-2016 • Enumerating systems •

    Enumerating listening services • Known vulnerabilities • Unknown vulnerabilities (0 –Day) • Misconfigurations • Bad default installations (HUE, Jenkins, etc…) Network Attack

  4. 4 Copyright © DevSecOps Foundation 2015-2016 • Network Mapper •

    Written by Fyodor • Extensible through Nmap scripting engine (NSE) using Lua • Many many command line args • RTFM @ https://svn.nmap.org/nmap/docs /nmap.usage.txt • Can test using scanme.nmap.org Nmap

  5. 5 Copyright © DevSecOps Foundation 2015-2016 • https://nvd.nist.gov • http://exploit-db.com

    • https://cve.mitre.org • Tools • Nessus • Qualys • Nexpose • Nmap Vulnerability Enumeration (http://exploit-db.com, 2016)

  6. 6 Copyright © DevSecOps Foundation 2015-2016 • Offensive Security Framework

    • Exploit Development • Exploit Delivery • Modular • Exploit Modules • Auxiliary Modules • Scanner Modules • Multiple Payloads • Meterpreter • Shell • Post Exploitation Modules • Gather Data • Steal and Crack Password Hashes Metasploit

  7. 7 Copyright © DevSecOps Foundation 2015-2016 • Continuous Integration •

    Continuous Deployment • Master/Slave Architecture • Distributed code execution platform • Insecure by DEFAULT Jenkins

  8. 8 Copyright © DevSecOps Foundation 2015-2016 • Java Application Server

    • Older versions are insecure by default • JMX Console can be used to deploy arbitrary applications • Many remote code execution vulnerabilities JBoss

  9. 9 Copyright © DevSecOps Foundation 2015-2016 • Establish Foothold •

    Gather loot • .bash_history • .ssh • .aws • /etc/shadow • Begin Network Enumeration • Scan (loud) • ARP (quiet) • Persistence Lateral Movement/Pivoting

  10. 10 Questions? Copyright © DevSecOps Foundation 2015-2016

  11. 11 Copyright © DevSecOps Foundation 2015-2016 • https://github.com/devsecops/bootcamp/blob/master/Week- 6/labs/LAB-2.md Lab

    2 – Exploiting Jenkins