Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DevSecOps Bootcamp - Week 6 - Lesson 2
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
DevSecOps
July 01, 2016
Technology
0
150
DevSecOps Bootcamp - Week 6 - Lesson 2
Bootcamp week 6 lesson 2
DevSecOps
July 01, 2016
Tweet
Share
More Decks by DevSecOps
See All by DevSecOps
DevSecOps Bootcamp - Week 6 - Lesson 1
devsecops
0
220
DevSecOps Bootcamp - Week 6 - Lesson 3
devsecops
0
160
DevSecOps Bootcamp - Week 5 - Lesson 1
devsecops
0
180
DevSecOps Bootcamp - Week 5 - Lesson 2
devsecops
0
140
DevSecOps Bootcamp - Week 4 - Lesson 1
devsecops
0
170
DevSecOps Bootcamp - Week 4 - Lesson 2
devsecops
0
93
DevSecOps Bootcamp - Week 4 - Lesson 3
devsecops
0
97
DevSecOps Bootcamp - Week 3 - Lesson 2
devsecops
0
94
DevSecOps Bootcamp - Week 3 - Lesson 3
devsecops
0
140
Other Decks in Technology
See All in Technology
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
torounit
0
460
Greatest Disaster Hits in Web Performance
guaca
0
200
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
sansan33
PRO
0
3k
Context Engineeringが企業で不可欠になる理由
hirosatogamo
PRO
3
530
30万人の同時アクセスに耐えたい!新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026
genda
3
1.2k
MCPでつなぐElasticsearchとLLM - 深夜の障害対応を楽にしたい / Bridging Elasticsearch and LLMs with MCP
sashimimochi
0
150
生成AIを活用した音声文字起こしシステムの2つの構築パターンについて
miu_crescent
PRO
2
180
名刺メーカーDevグループ 紹介資料
sansan33
PRO
0
1k
Azure Durable Functions で作った NL2SQL Agent の精度向上に取り組んだ話/jat08
thara0402
0
170
All About Sansan – for New Global Engineers
sansan33
PRO
1
1.3k
Introduction to Sansan for Engineers / エンジニア向け会社紹介
sansan33
PRO
6
68k
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
5
1.6k
Featured
See All Featured
Making the Leap to Tech Lead
cromwellryan
135
9.7k
Learning to Love Humans: Emotional Interface Design
aarron
275
41k
Kristin Tynski - Automating Marketing Tasks With AI
techseoconnect
PRO
0
140
The Director’s Chair: Orchestrating AI for Truly Effective Learning
tmiket
1
96
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
64
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
2
410
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
aleyda
1
1.1k
Abbi's Birthday
coloredviolet
1
4.7k
Art, The Web, and Tiny UX
lynnandtonic
304
21k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3.3k
Exploring the relationship between traditional SERPs and Gen AI search
raygrieselhuber
PRO
2
3.6k
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
0
430
Transcript
1 BUILDING RUGGED SOFTWARE YEAR ONE / WEEK SIX /
LESSON TWO Copyright © DevSecOps Foundation 2015-2016
2 Copyright © DevSecOps Foundation 2015-2016 • Network Attack •
Nmap • Enumeration • Metasploit • Jenkins • JBoss • Lateral Movement • Lab 2 Agenda
3 Copyright © DevSecOps Foundation 2015-2016 • Enumerating systems •
Enumerating listening services • Known vulnerabilities • Unknown vulnerabilities (0 –Day) • Misconfigurations • Bad default installations (HUE, Jenkins, etc…) Network Attack
4 Copyright © DevSecOps Foundation 2015-2016 • Network Mapper •
Written by Fyodor • Extensible through Nmap scripting engine (NSE) using Lua • Many many command line args • RTFM @ https://svn.nmap.org/nmap/docs /nmap.usage.txt • Can test using scanme.nmap.org Nmap
5 Copyright © DevSecOps Foundation 2015-2016 • https://nvd.nist.gov • http://exploit-db.com
• https://cve.mitre.org • Tools • Nessus • Qualys • Nexpose • Nmap Vulnerability Enumeration (http://exploit-db.com, 2016)
6 Copyright © DevSecOps Foundation 2015-2016 • Offensive Security Framework
• Exploit Development • Exploit Delivery • Modular • Exploit Modules • Auxiliary Modules • Scanner Modules • Multiple Payloads • Meterpreter • Shell • Post Exploitation Modules • Gather Data • Steal and Crack Password Hashes Metasploit
7 Copyright © DevSecOps Foundation 2015-2016 • Continuous Integration •
Continuous Deployment • Master/Slave Architecture • Distributed code execution platform • Insecure by DEFAULT Jenkins
8 Copyright © DevSecOps Foundation 2015-2016 • Java Application Server
• Older versions are insecure by default • JMX Console can be used to deploy arbitrary applications • Many remote code execution vulnerabilities JBoss
9 Copyright © DevSecOps Foundation 2015-2016 • Establish Foothold •
Gather loot • .bash_history • .ssh • .aws • /etc/shadow • Begin Network Enumeration • Scan (loud) • ARP (quiet) • Persistence Lateral Movement/Pivoting
10 Questions? Copyright © DevSecOps Foundation 2015-2016
11 Copyright © DevSecOps Foundation 2015-2016 • https://github.com/devsecops/bootcamp/blob/master/Week- 6/labs/LAB-2.md Lab
2 – Exploiting Jenkins
devsecops
torounit
guaca
sansan33
hirosatogamo
genda
sashimimochi
miu_crescent
thara0402
oracle4engineer
cromwellryan
aarron
techseoconnect
tmiket
tomoyanonymous
aleyda
coloredviolet
lynnandtonic
eileencodes
raygrieselhuber
honzajavorek
