Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOps Bootcamp - Week 6 - Lesson 2

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for DevSecOps DevSecOps
July 01, 2016
Technology
0
150

DevSecOps Bootcamp - Week 6 - Lesson 2

Bootcamp week 6 lesson 2

Avatar for DevSecOps

DevSecOps

July 01, 2016
Tweet

More Decks by DevSecOps

See All by DevSecOps
DevSecOps Bootcamp - Week 6 - Lesson 1
Avatar for DevSecOps devsecops
0
210
DevSecOps Bootcamp - Week 6 - Lesson 3
Avatar for DevSecOps devsecops
0
160
DevSecOps Bootcamp - Week 5 - Lesson 1
Avatar for DevSecOps devsecops
0
180
DevSecOps Bootcamp - Week 5 - Lesson 2
Avatar for DevSecOps devsecops
0
140
DevSecOps Bootcamp - Week 4 - Lesson 1
Avatar for DevSecOps devsecops
0
170
DevSecOps Bootcamp - Week 4 - Lesson 2
Avatar for DevSecOps devsecops
0
93
DevSecOps Bootcamp - Week 4 - Lesson 3
Avatar for DevSecOps devsecops
0
97
DevSecOps Bootcamp - Week 3 - Lesson 2
Avatar for DevSecOps devsecops
0
94
DevSecOps Bootcamp - Week 3 - Lesson 3
Avatar for DevSecOps devsecops
0
140

Other Decks in Technology

See All in Technology
なぜ今、コスト最適化(倹約)が必要なのか? ~AWSでのコスト最適化の進め方「目的編」~
Avatar for Hayato Tan htan
1
110
OCI Database Management サービス詳細
Avatar for oracle4engineer oracle4engineer
PRO
1
7.4k
会社紹介資料 / Sansan Company Profile
Avatar for Sansan, Inc. sansan33
PRO
15
400k
CDK対応したAWS DevOps Agentを試そう_20260201
Avatar for モブエンジニア(Masaki Okuda) masakiokuda
1
210
Sansan Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
3.8k
日本の85%が使う公共SaaSは、どう育ったのか
Avatar for たけだ taketakekaho
1
140
データの整合性を保ちたいだけなんだ
Avatar for ShoheiMitani shoheimitani
8
3k
プロポーザルに込める段取り八分
Avatar for ShoheiMitani shoheimitani
1
180
モダンUIでフルサーバーレスなAIエージェントをAmplifyとCDKでサクッとデプロイしよう
Avatar for みのるん minorun365
4
160
フルカイテン株式会社 エンジニア向け採用資料
Avatar for FULL KAITEN fullkaiten
0
10k
今日から始める Amazon Bedrock AgentCore
Avatar for Har1101 har1101
4
400
使いにくいの壁を突破する
Avatar for SansanTech sansantech
PRO
1
120

Featured

See All Featured
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1032
470k
Odyssey Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
490
Abbi's Birthday
Avatar for Violet Bock coloredviolet
1
4.7k
Highjacked: Video Game Concept Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
280
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
57
50k
Amusing Abliteration
Avatar for ianozsvald ianozsvald
0
96
What does AI have to do with Human Rights?
Avatar for Per Axbom axbom
PRO
0
2k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
Avatar for Helen Beal helenjbeal
1
120
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
122
21k
Paper Plane (Part 1)
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
4k
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
Avatar for r-kagaya rkaga
60
42k
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
74
5k

Transcript

  1. 1 BUILDING RUGGED SOFTWARE YEAR ONE / WEEK SIX /

    LESSON TWO Copyright © DevSecOps Foundation 2015-2016

  2. 2 Copyright © DevSecOps Foundation 2015-2016 • Network Attack •

    Nmap • Enumeration • Metasploit • Jenkins • JBoss • Lateral Movement • Lab 2 Agenda

  3. 3 Copyright © DevSecOps Foundation 2015-2016 • Enumerating systems •

    Enumerating listening services • Known vulnerabilities • Unknown vulnerabilities (0 –Day) • Misconfigurations • Bad default installations (HUE, Jenkins, etc…) Network Attack

  4. 4 Copyright © DevSecOps Foundation 2015-2016 • Network Mapper •

    Written by Fyodor • Extensible through Nmap scripting engine (NSE) using Lua • Many many command line args • RTFM @ https://svn.nmap.org/nmap/docs /nmap.usage.txt • Can test using scanme.nmap.org Nmap

  5. 5 Copyright © DevSecOps Foundation 2015-2016 • https://nvd.nist.gov • http://exploit-db.com

    • https://cve.mitre.org • Tools • Nessus • Qualys • Nexpose • Nmap Vulnerability Enumeration (http://exploit-db.com, 2016)

  6. 6 Copyright © DevSecOps Foundation 2015-2016 • Offensive Security Framework

    • Exploit Development • Exploit Delivery • Modular • Exploit Modules • Auxiliary Modules • Scanner Modules • Multiple Payloads • Meterpreter • Shell • Post Exploitation Modules • Gather Data • Steal and Crack Password Hashes Metasploit

  7. 7 Copyright © DevSecOps Foundation 2015-2016 • Continuous Integration •

    Continuous Deployment • Master/Slave Architecture • Distributed code execution platform • Insecure by DEFAULT Jenkins

  8. 8 Copyright © DevSecOps Foundation 2015-2016 • Java Application Server

    • Older versions are insecure by default • JMX Console can be used to deploy arbitrary applications • Many remote code execution vulnerabilities JBoss

  9. 9 Copyright © DevSecOps Foundation 2015-2016 • Establish Foothold •

    Gather loot • .bash_history • .ssh • .aws • /etc/shadow • Begin Network Enumeration • Scan (loud) • ARP (quiet) • Persistence Lateral Movement/Pivoting

  10. 10 Questions? Copyright © DevSecOps Foundation 2015-2016

  11. 11 Copyright © DevSecOps Foundation 2015-2016 • https://github.com/devsecops/bootcamp/blob/master/Week- 6/labs/LAB-2.md Lab

    2 – Exploiting Jenkins