Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOps Bootcamp - Week 6 - Lesson 2

Avatar for DevSecOps DevSecOps
July 01, 2016
Technology
0
150

DevSecOps Bootcamp - Week 6 - Lesson 2

Bootcamp week 6 lesson 2

Avatar for DevSecOps

DevSecOps

July 01, 2016
Tweet

More Decks by DevSecOps

See All by DevSecOps
DevSecOps Bootcamp - Week 6 - Lesson 1
Avatar for DevSecOps devsecops
0
210
DevSecOps Bootcamp - Week 6 - Lesson 3
Avatar for DevSecOps devsecops
0
160
DevSecOps Bootcamp - Week 5 - Lesson 1
Avatar for DevSecOps devsecops
0
180
DevSecOps Bootcamp - Week 5 - Lesson 2
Avatar for DevSecOps devsecops
0
140
DevSecOps Bootcamp - Week 4 - Lesson 1
Avatar for DevSecOps devsecops
0
170
DevSecOps Bootcamp - Week 4 - Lesson 2
Avatar for DevSecOps devsecops
0
93
DevSecOps Bootcamp - Week 4 - Lesson 3
Avatar for DevSecOps devsecops
0
97
DevSecOps Bootcamp - Week 3 - Lesson 2
Avatar for DevSecOps devsecops
0
94
DevSecOps Bootcamp - Week 3 - Lesson 3
Avatar for DevSecOps devsecops
0
140

Other Decks in Technology

See All in Technology
AI with TiDD
Avatar for Shiraji shiraji
1
330
Snowflake導入から1年、LayerXのデータ活用の現在 / One Year into Snowflake: How LayerX Uses Data Today
Avatar for Civitaspo civitaspo
0
2.6k
ルネサンス開発者を育てる 1on1支援AIエージェント
Avatar for Yusuke Shimizu yusukeshimizu
0
120
Oracle Database@AWS:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
2
500
[Neurogica] 採用ポジション/ Recruitment Position
Avatar for Neurogica neurogica
1
140
AWSインフルエンサーへの道 / load of AWS Influencer
Avatar for WHIsaiyo whisaiyo
0
240
Microsoft Agent Frameworkの可観測性
Avatar for tomokusaba tomokusaba
1
120
AgentCore BrowserとClaude Codeスキルを活用した 『初手AI』を実現する業務自動化AIエージェント基盤
Avatar for Hirokatsu Endo ruzia
7
2.1k
ECS_EKS以外の選択肢_ROSA入門_.pdf
Avatar for モブエンジニア(Masaki Okuda) masakiokuda
1
120
20251203_AIxIoTビジネス共創ラボ_第4回勉強会_BP山崎.pdf
Avatar for AIxIoTビジネス共創ラボ iotcomjpadmin
0
150
AR Guitar: Expanding Guitar Performance from a Live House to Urban Space
Avatar for Ekito ekito_station
0
270
Cloud WAN MCP Serverから考える新しいネットワーク運用 / 20251228 Masaki Okuda
Avatar for SHIFT EVOLVE shift_evolve
PRO
0
130

Featured

See All Featured
From π to Pie charts
Avatar for Rasagy Sharma rasagy
0
97
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.9k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
304
21k
Data-driven link building: lessons from a $708K investment (BrightonSEO talk)
Avatar for Szymon szymonslowik
1
860
Navigating Team Friction
Avatar for Lara Hogan lara
191
16k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
6k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.2k
Accessibility Awareness
Avatar for Sarah Abderemane sabderemane
0
28
Neural Spatial Audio Processing for Sound Field Analysis and Control
Avatar for NII S. Koyama's Lab skoyamalab
0
140
Tell your own story through comics
Avatar for letsgokoyo letsgokoyo
0
770
The Illustrated Guide to Node.js - THAT Conference 2024
Avatar for David Neal reverentgeek
0
220
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
Avatar for Akihiro Kokubo akihiro_kokubo
PRO
65
35k

Transcript

  1. 1 BUILDING RUGGED SOFTWARE YEAR ONE / WEEK SIX /

    LESSON TWO Copyright © DevSecOps Foundation 2015-2016

  2. 2 Copyright © DevSecOps Foundation 2015-2016 • Network Attack •

    Nmap • Enumeration • Metasploit • Jenkins • JBoss • Lateral Movement • Lab 2 Agenda

  3. 3 Copyright © DevSecOps Foundation 2015-2016 • Enumerating systems •

    Enumerating listening services • Known vulnerabilities • Unknown vulnerabilities (0 –Day) • Misconfigurations • Bad default installations (HUE, Jenkins, etc…) Network Attack

  4. 4 Copyright © DevSecOps Foundation 2015-2016 • Network Mapper •

    Written by Fyodor • Extensible through Nmap scripting engine (NSE) using Lua • Many many command line args • RTFM @ https://svn.nmap.org/nmap/docs /nmap.usage.txt • Can test using scanme.nmap.org Nmap

  5. 5 Copyright © DevSecOps Foundation 2015-2016 • https://nvd.nist.gov • http://exploit-db.com

    • https://cve.mitre.org • Tools • Nessus • Qualys • Nexpose • Nmap Vulnerability Enumeration (http://exploit-db.com, 2016)

  6. 6 Copyright © DevSecOps Foundation 2015-2016 • Offensive Security Framework

    • Exploit Development • Exploit Delivery • Modular • Exploit Modules • Auxiliary Modules • Scanner Modules • Multiple Payloads • Meterpreter • Shell • Post Exploitation Modules • Gather Data • Steal and Crack Password Hashes Metasploit

  7. 7 Copyright © DevSecOps Foundation 2015-2016 • Continuous Integration •

    Continuous Deployment • Master/Slave Architecture • Distributed code execution platform • Insecure by DEFAULT Jenkins

  8. 8 Copyright © DevSecOps Foundation 2015-2016 • Java Application Server

    • Older versions are insecure by default • JMX Console can be used to deploy arbitrary applications • Many remote code execution vulnerabilities JBoss

  9. 9 Copyright © DevSecOps Foundation 2015-2016 • Establish Foothold •

    Gather loot • .bash_history • .ssh • .aws • /etc/shadow • Begin Network Enumeration • Scan (loud) • ARP (quiet) • Persistence Lateral Movement/Pivoting

  10. 10 Questions? Copyright © DevSecOps Foundation 2015-2016

  11. 11 Copyright © DevSecOps Foundation 2015-2016 • https://github.com/devsecops/bootcamp/blob/master/Week- 6/labs/LAB-2.md Lab

    2 – Exploiting Jenkins