Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DevSecOps Bootcamp - Week 6 - Lesson 2
Search
DevSecOps
July 01, 2016
Technology
0
150
DevSecOps Bootcamp - Week 6 - Lesson 2
Bootcamp week 6 lesson 2
DevSecOps
July 01, 2016
Tweet
Share
More Decks by DevSecOps
See All by DevSecOps
DevSecOps Bootcamp - Week 6 - Lesson 1
devsecops
0
210
DevSecOps Bootcamp - Week 6 - Lesson 3
devsecops
0
160
DevSecOps Bootcamp - Week 5 - Lesson 1
devsecops
0
180
DevSecOps Bootcamp - Week 5 - Lesson 2
devsecops
0
140
DevSecOps Bootcamp - Week 4 - Lesson 1
devsecops
0
170
DevSecOps Bootcamp - Week 4 - Lesson 2
devsecops
0
93
DevSecOps Bootcamp - Week 4 - Lesson 3
devsecops
0
97
DevSecOps Bootcamp - Week 3 - Lesson 2
devsecops
0
94
DevSecOps Bootcamp - Week 3 - Lesson 3
devsecops
0
140
Other Decks in Technology
See All in Technology
プロダクト成長を支える開発基盤とスケールに伴う課題
yuu26
4
1.3k
茨城の思い出を振り返る ~CDKのセキュリティを添えて~ / 20260201 Mitsutoshi Matsuo
shift_evolve
PRO
1
230
制約が導く迷わない設計 〜 信頼性と運用性を両立するマイナンバー管理システムの実践 〜
bwkw
3
920
外部キー制約の知っておいて欲しいこと - RDBMSを正しく使うために必要なこと / FOREIGN KEY Night
soudai
PRO
12
5.2k
OWASP Top 10:2025 リリースと 少しの日本語化にまつわる裏話
okdt
PRO
3
590
ファインディの横断SREがTakumi byGMOと取り組む、セキュリティと開発スピードの両立
rvirus0817
1
1.3k
30万人の同時アクセスに耐えたい!新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026
genda
3
1.2k
Agile Leadership Summit Keynote 2026
m_seki
1
570
データ民主化のための LLM 活用状況と課題紹介(IVRy の場合)
wxyzzz
2
700
モダンUIでフルサーバーレスなAIエージェントをAmplifyとCDKでサクッとデプロイしよう
minorun365
4
180
レガシー共有バッチ基盤への挑戦 - SREドリブンなリアーキテクチャリングの取り組み
tatsukoni
0
210
ClickHouseはどのように大規模データを活用したAIエージェントを全社展開しているのか
mikimatsumoto
0
210
Featured
See All Featured
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
techseoconnect
PRO
0
57
Heart Work Chapter 1 - Part 1
lfama
PRO
5
35k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
120
Build The Right Thing And Hit Your Dates
maggiecrowley
38
3k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Rails Girls Zürich Keynote
gr2m
96
14k
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
akihiro_kokubo
PRO
66
36k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Claude Code のすすめ
schroneko
67
210k
The Pragmatic Product Professional
lauravandoore
37
7.1k
sira's awesome portfolio website redesign presentation
elsirapls
0
150
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
128
55k
Transcript
1 BUILDING RUGGED SOFTWARE YEAR ONE / WEEK SIX /
LESSON TWO Copyright © DevSecOps Foundation 2015-2016
2 Copyright © DevSecOps Foundation 2015-2016 • Network Attack •
Nmap • Enumeration • Metasploit • Jenkins • JBoss • Lateral Movement • Lab 2 Agenda
3 Copyright © DevSecOps Foundation 2015-2016 • Enumerating systems •
Enumerating listening services • Known vulnerabilities • Unknown vulnerabilities (0 –Day) • Misconfigurations • Bad default installations (HUE, Jenkins, etc…) Network Attack
4 Copyright © DevSecOps Foundation 2015-2016 • Network Mapper •
Written by Fyodor • Extensible through Nmap scripting engine (NSE) using Lua • Many many command line args • RTFM @ https://svn.nmap.org/nmap/docs /nmap.usage.txt • Can test using scanme.nmap.org Nmap
5 Copyright © DevSecOps Foundation 2015-2016 • https://nvd.nist.gov • http://exploit-db.com
• https://cve.mitre.org • Tools • Nessus • Qualys • Nexpose • Nmap Vulnerability Enumeration (http://exploit-db.com, 2016)
6 Copyright © DevSecOps Foundation 2015-2016 • Offensive Security Framework
• Exploit Development • Exploit Delivery • Modular • Exploit Modules • Auxiliary Modules • Scanner Modules • Multiple Payloads • Meterpreter • Shell • Post Exploitation Modules • Gather Data • Steal and Crack Password Hashes Metasploit
7 Copyright © DevSecOps Foundation 2015-2016 • Continuous Integration •
Continuous Deployment • Master/Slave Architecture • Distributed code execution platform • Insecure by DEFAULT Jenkins
8 Copyright © DevSecOps Foundation 2015-2016 • Java Application Server
• Older versions are insecure by default • JMX Console can be used to deploy arbitrary applications • Many remote code execution vulnerabilities JBoss
9 Copyright © DevSecOps Foundation 2015-2016 • Establish Foothold •
Gather loot • .bash_history • .ssh • .aws • /etc/shadow • Begin Network Enumeration • Scan (loud) • ARP (quiet) • Persistence Lateral Movement/Pivoting
10 Questions? Copyright © DevSecOps Foundation 2015-2016
11 Copyright © DevSecOps Foundation 2015-2016 • https://github.com/devsecops/bootcamp/blob/master/Week- 6/labs/LAB-2.md Lab
2 – Exploiting Jenkins
devsecops
yuu26
shift_evolve
bwkw
soudai
okdt
rvirus0817
genda
m_seki
wxyzzz
minorun365
tatsukoni
mikimatsumoto
techseoconnect
lfama
.png){kind=avatar}
helenjbeal
maggiecrowley
sstephenson
gr2m
akihiro_kokubo
caitiem20
schroneko
lauravandoore
elsirapls
aki_iinuma
