Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOps Bootcamp - Week 6 - Lesson 2

Avatar for DevSecOps DevSecOps
July 01, 2016
Technology
0
150

DevSecOps Bootcamp - Week 6 - Lesson 2

Bootcamp week 6 lesson 2

Avatar for DevSecOps

DevSecOps

July 01, 2016
Tweet

More Decks by DevSecOps

See All by DevSecOps
DevSecOps Bootcamp - Week 6 - Lesson 1
Avatar for DevSecOps devsecops
0
210
DevSecOps Bootcamp - Week 6 - Lesson 3
Avatar for DevSecOps devsecops
0
160
DevSecOps Bootcamp - Week 5 - Lesson 1
Avatar for DevSecOps devsecops
0
180
DevSecOps Bootcamp - Week 5 - Lesson 2
Avatar for DevSecOps devsecops
0
140
DevSecOps Bootcamp - Week 4 - Lesson 1
Avatar for DevSecOps devsecops
0
170
DevSecOps Bootcamp - Week 4 - Lesson 2
Avatar for DevSecOps devsecops
0
93
DevSecOps Bootcamp - Week 4 - Lesson 3
Avatar for DevSecOps devsecops
0
97
DevSecOps Bootcamp - Week 3 - Lesson 2
Avatar for DevSecOps devsecops
0
94
DevSecOps Bootcamp - Week 3 - Lesson 3
Avatar for DevSecOps devsecops
0
140

Other Decks in Technology

See All in Technology
企業の生成AIガバナンスにおけるエージェントとセキュリティ
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
2
160
LLMを搭載したプロダクトの品質保証の模索と学び
Avatar for SmartHR 品質保証部 qa
0
1k
dbt開発 with Claude Codeのためのガードレール設計
Avatar for 10xinc 10xinc
2
1.1k
MCPで変わる Amebaデザインシステム「Spindle」の開発
Avatar for Ameba Spindle spindle
PRO
3
3.2k
人工衛星のファームウェアをRustで書く理由
Avatar for KOBA789 koba789
13
7.3k
品質視点から考える組織デザイン/Organizational Design from Quality
Avatar for miisan mii3king
0
200
おやつは300円まで!の最適化を模索してみた
Avatar for PERSOL CAREER Dev | techtekt techtekt
PRO
0
290
生成AI時代のデータ基盤設計〜ペースレイヤリングで実現する高速開発と持続性〜 / Levtech Meetup_Session_2
Avatar for Sansan R&D sansan_randd
1
150
フルカイテン株式会社 エンジニア向け採用資料
Avatar for FULL KAITEN fullkaiten
0
8.7k
職種の壁を溶かして開発サイクルを高速に回す~情報透明性と職種越境から考えるAIフレンドリーな職種間連携~
Avatar for daitasu daitasu
0
140
データアナリストからアナリティクスエンジニアになった話
Avatar for hatsu hiyokko_data
2
440
Rustから学ぶ 非同期処理の仕組み
Avatar for skanehira skanehira
1
130

Featured

See All Featured
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
332
24k
Docker and Python
Avatar for Tania Allard trallard
45
3.6k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.8k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
83
9.2k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
70
11k
Making Projects Easy
Avatar for Brett Harned brettharned
117
6.4k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
72
11k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
330
21k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
224
9.9k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
252
21k
How GitHub (no longer) Works
Avatar for Zach Holman holman
315
140k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
57
5.8k

Transcript

  1. 1 BUILDING RUGGED SOFTWARE YEAR ONE / WEEK SIX /

    LESSON TWO Copyright © DevSecOps Foundation 2015-2016

  2. 2 Copyright © DevSecOps Foundation 2015-2016 • Network Attack •

    Nmap • Enumeration • Metasploit • Jenkins • JBoss • Lateral Movement • Lab 2 Agenda

  3. 3 Copyright © DevSecOps Foundation 2015-2016 • Enumerating systems •

    Enumerating listening services • Known vulnerabilities • Unknown vulnerabilities (0 –Day) • Misconfigurations • Bad default installations (HUE, Jenkins, etc…) Network Attack

  4. 4 Copyright © DevSecOps Foundation 2015-2016 • Network Mapper •

    Written by Fyodor • Extensible through Nmap scripting engine (NSE) using Lua • Many many command line args • RTFM @ https://svn.nmap.org/nmap/docs /nmap.usage.txt • Can test using scanme.nmap.org Nmap

  5. 5 Copyright © DevSecOps Foundation 2015-2016 • https://nvd.nist.gov • http://exploit-db.com

    • https://cve.mitre.org • Tools • Nessus • Qualys • Nexpose • Nmap Vulnerability Enumeration (http://exploit-db.com, 2016)

  6. 6 Copyright © DevSecOps Foundation 2015-2016 • Offensive Security Framework

    • Exploit Development • Exploit Delivery • Modular • Exploit Modules • Auxiliary Modules • Scanner Modules • Multiple Payloads • Meterpreter • Shell • Post Exploitation Modules • Gather Data • Steal and Crack Password Hashes Metasploit

  7. 7 Copyright © DevSecOps Foundation 2015-2016 • Continuous Integration •

    Continuous Deployment • Master/Slave Architecture • Distributed code execution platform • Insecure by DEFAULT Jenkins

  8. 8 Copyright © DevSecOps Foundation 2015-2016 • Java Application Server

    • Older versions are insecure by default • JMX Console can be used to deploy arbitrary applications • Many remote code execution vulnerabilities JBoss

  9. 9 Copyright © DevSecOps Foundation 2015-2016 • Establish Foothold •

    Gather loot • .bash_history • .ssh • .aws • /etc/shadow • Begin Network Enumeration • Scan (loud) • ARP (quiet) • Persistence Lateral Movement/Pivoting

  10. 10 Questions? Copyright © DevSecOps Foundation 2015-2016

  11. 11 Copyright © DevSecOps Foundation 2015-2016 • https://github.com/devsecops/bootcamp/blob/master/Week- 6/labs/LAB-2.md Lab

    2 – Exploiting Jenkins