Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOps Bootcamp - Week 6 - Lesson 2

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for DevSecOps DevSecOps
July 01, 2016
Technology
0
150

DevSecOps Bootcamp - Week 6 - Lesson 2

Bootcamp week 6 lesson 2

Avatar for DevSecOps

DevSecOps

July 01, 2016
Tweet

More Decks by DevSecOps

See All by DevSecOps
DevSecOps Bootcamp - Week 6 - Lesson 1
Avatar for DevSecOps devsecops
0
210
DevSecOps Bootcamp - Week 6 - Lesson 3
Avatar for DevSecOps devsecops
0
160
DevSecOps Bootcamp - Week 5 - Lesson 1
Avatar for DevSecOps devsecops
0
180
DevSecOps Bootcamp - Week 5 - Lesson 2
Avatar for DevSecOps devsecops
0
140
DevSecOps Bootcamp - Week 4 - Lesson 1
Avatar for DevSecOps devsecops
0
170
DevSecOps Bootcamp - Week 4 - Lesson 2
Avatar for DevSecOps devsecops
0
93
DevSecOps Bootcamp - Week 4 - Lesson 3
Avatar for DevSecOps devsecops
0
97
DevSecOps Bootcamp - Week 3 - Lesson 2
Avatar for DevSecOps devsecops
0
94
DevSecOps Bootcamp - Week 3 - Lesson 3
Avatar for DevSecOps devsecops
0
140

Other Decks in Technology

See All in Technology
学生・新卒・ジュニアから目指すSRE
Avatar for Hiroya Onoe hiroyaonoe
2
570
20260204_Midosuji_Tech
Avatar for Takuya Yonezawa takuyay0ne
1
140
Bedrock PolicyでAmazon Bedrock Guardrails利用を強制してみた
Avatar for Yudai Jinno yuu551
0
180
10Xにおける品質保証活動の全体像と改善 #no_more_wait_for_test
Avatar for nihonbuson nihonbuson
PRO
2
220
AzureでのIaC - Bicep? Terraform? それ早く言ってよ会議
Avatar for Toru Makabe torumakabe
1
440
Embedded SREの終わりを設計する 「なんとなく」から計画的な自立支援へ
Avatar for SansanTech sansantech
PRO
3
2.2k
15 years with Rails and DDD (AI Edition)
Avatar for Andrzej Krzywda andrzejkrzywda
0
180
Tebiki Engineering Team Deck
Avatar for Tebiki, Inc. tebiki
0
24k
30万人の同時アクセスに耐えたい!新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026
Avatar for GENDA genda
2
870
Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf
Avatar for 小笠原理久 riku_423
2
510
Introduction to Sansan for Engineers / エンジニア向け会社紹介
Avatar for Sansan, Inc. sansan33
PRO
6
68k
顧客の言葉を、そのまま信じない勇気
Avatar for yamatai12 yamatai1212
1
340

Featured

See All Featured
Prompt Engineering for Job Search
Avatar for Mfonobong Umondia mfonobong
0
160
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.1k
The Illustrated Guide to Node.js - THAT Conference 2024
Avatar for David Neal reverentgeek
0
250
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
Design in an AI World
Avatar for tapps tapps
0
140
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
17k
What does AI have to do with Human Rights?
Avatar for Per Axbom axbom
PRO
0
2k
Introduction to Domain-Driven Design and Collaborative software design
Avatar for Kenny Baas-Schwegler baasie
1
580
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
Avatar for Umar Saidu Auna auna
0
51
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
13
1.1k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M
SEO in 2025: How to Prepare for the Future of Search
Avatar for Michael King ipullrank
3
3.3k

Transcript

  1. 1 BUILDING RUGGED SOFTWARE YEAR ONE / WEEK SIX /

    LESSON TWO Copyright © DevSecOps Foundation 2015-2016

  2. 2 Copyright © DevSecOps Foundation 2015-2016 • Network Attack •

    Nmap • Enumeration • Metasploit • Jenkins • JBoss • Lateral Movement • Lab 2 Agenda

  3. 3 Copyright © DevSecOps Foundation 2015-2016 • Enumerating systems •

    Enumerating listening services • Known vulnerabilities • Unknown vulnerabilities (0 –Day) • Misconfigurations • Bad default installations (HUE, Jenkins, etc…) Network Attack

  4. 4 Copyright © DevSecOps Foundation 2015-2016 • Network Mapper •

    Written by Fyodor • Extensible through Nmap scripting engine (NSE) using Lua • Many many command line args • RTFM @ https://svn.nmap.org/nmap/docs /nmap.usage.txt • Can test using scanme.nmap.org Nmap

  5. 5 Copyright © DevSecOps Foundation 2015-2016 • https://nvd.nist.gov • http://exploit-db.com

    • https://cve.mitre.org • Tools • Nessus • Qualys • Nexpose • Nmap Vulnerability Enumeration (http://exploit-db.com, 2016)

  6. 6 Copyright © DevSecOps Foundation 2015-2016 • Offensive Security Framework

    • Exploit Development • Exploit Delivery • Modular • Exploit Modules • Auxiliary Modules • Scanner Modules • Multiple Payloads • Meterpreter • Shell • Post Exploitation Modules • Gather Data • Steal and Crack Password Hashes Metasploit

  7. 7 Copyright © DevSecOps Foundation 2015-2016 • Continuous Integration •

    Continuous Deployment • Master/Slave Architecture • Distributed code execution platform • Insecure by DEFAULT Jenkins

  8. 8 Copyright © DevSecOps Foundation 2015-2016 • Java Application Server

    • Older versions are insecure by default • JMX Console can be used to deploy arbitrary applications • Many remote code execution vulnerabilities JBoss

  9. 9 Copyright © DevSecOps Foundation 2015-2016 • Establish Foothold •

    Gather loot • .bash_history • .ssh • .aws • /etc/shadow • Begin Network Enumeration • Scan (loud) • ARP (quiet) • Persistence Lateral Movement/Pivoting

  10. 10 Questions? Copyright © DevSecOps Foundation 2015-2016

  11. 11 Copyright © DevSecOps Foundation 2015-2016 • https://github.com/devsecops/bootcamp/blob/master/Week- 6/labs/LAB-2.md Lab

    2 – Exploiting Jenkins