Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DevSecOps Bootcamp - Week 6 - Lesson 2
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
DevSecOps
July 01, 2016
Technology
150
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
DevSecOps Bootcamp - Week 6 - Lesson 2
Bootcamp week 6 lesson 2
DevSecOps
July 01, 2016
More Decks by DevSecOps
See All by DevSecOps
DevSecOps Bootcamp - Week 6 - Lesson 1
devsecops
0
220
DevSecOps Bootcamp - Week 6 - Lesson 3
devsecops
0
160
DevSecOps Bootcamp - Week 5 - Lesson 1
devsecops
0
180
DevSecOps Bootcamp - Week 5 - Lesson 2
devsecops
0
140
DevSecOps Bootcamp - Week 4 - Lesson 1
devsecops
0
170
DevSecOps Bootcamp - Week 4 - Lesson 2
devsecops
0
94
DevSecOps Bootcamp - Week 4 - Lesson 3
devsecops
0
98
DevSecOps Bootcamp - Week 3 - Lesson 2
devsecops
0
95
DevSecOps Bootcamp - Week 3 - Lesson 3
devsecops
0
140
Other Decks in Technology
See All in Technology
AWS Summit 2026で見えたSIerにとっての Amazon Quickの位置づけ
maf_0521
0
110
#エンジニアBooks 30分でわかる 「技術記事を書く技術」 / engineer-books 2026-06-30
jnchito
1
130
テスト設計の本質を改めて考えてみる~生成AIを活用する時代だからこそ、作ったテストの説明性を高めよう~
yamasaki696
1
140
感情と身体を置き去りにしない、エンジニアの生きのこり方 ──いまから、ここから「自分の状態」を扱うという選択
saorimurooka
0
360
Fabricをフル活用する AI Agent Hub -製造業特化AIエージェントの設計
iotcomjpadmin
0
150
IaC コードを資産へ:AWS CDK 社内ライブラリと横断展開 / aws-summit-japan-2026
gotok365
10
1.6k
そこにあるから地図ができる~位置を示す"モノ"を愉しむ~ - Interface 2026年6月号GPS特集オフ会 / interface_202606_GPS_offline
sakaik
1
110
5分でわかる Amazon Connect_20260608
hwangbyeonghun
0
130
Comment regagner la souveraineté de vos données tout en étant payé grâce à Nostr !
rlifchitz
0
220
“詰む”前に仕組みを作れ 〜技術の波に溺れないためのキャッチアップ術〜
takasyou
7
4.3k
AIに障害切り分けを全部やってもらった。 。 。 。
estie
0
260
PostgreSQL 19 新機能概要 OSC Hokkaido 2026
nori_shinoda
0
260
Featured
See All Featured
Primal Persuasion: How to Engage the Brain for Learning That Lasts
tmiket
0
380
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
6k
The Illustrated Children's Guide to Kubernetes
chrisshort
51
52k
Testing 201, or: Great Expectations
jmmastey
46
8.2k
Navigating the moral maze — ethical principles for Al-driven product design
skipperchong
2
400
Marketing to machines
jonoalderson
1
5.5k
A Modern Web Designer's Workflow
chriscoyier
698
190k
Facilitating Awesome Meetings
lara
57
7k
Heart Work Chapter 1 - Part 1
lfama
PRO
8
36k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
auna
0
170
Automating Front-end Workflow
addyosmani
1370
210k
The AI Search Optimization Roadmap by Aleyda Solis
aleyda
1
5.9k
Transcript
1 BUILDING RUGGED SOFTWARE YEAR ONE / WEEK SIX /
LESSON TWO Copyright © DevSecOps Foundation 2015-2016
2 Copyright © DevSecOps Foundation 2015-2016 • Network Attack •
Nmap • Enumeration • Metasploit • Jenkins • JBoss • Lateral Movement • Lab 2 Agenda
3 Copyright © DevSecOps Foundation 2015-2016 • Enumerating systems •
Enumerating listening services • Known vulnerabilities • Unknown vulnerabilities (0 –Day) • Misconfigurations • Bad default installations (HUE, Jenkins, etc…) Network Attack
4 Copyright © DevSecOps Foundation 2015-2016 • Network Mapper •
Written by Fyodor • Extensible through Nmap scripting engine (NSE) using Lua • Many many command line args • RTFM @ https://svn.nmap.org/nmap/docs /nmap.usage.txt • Can test using scanme.nmap.org Nmap
5 Copyright © DevSecOps Foundation 2015-2016 • https://nvd.nist.gov • http://exploit-db.com
• https://cve.mitre.org • Tools • Nessus • Qualys • Nexpose • Nmap Vulnerability Enumeration (http://exploit-db.com, 2016)
6 Copyright © DevSecOps Foundation 2015-2016 • Offensive Security Framework
• Exploit Development • Exploit Delivery • Modular • Exploit Modules • Auxiliary Modules • Scanner Modules • Multiple Payloads • Meterpreter • Shell • Post Exploitation Modules • Gather Data • Steal and Crack Password Hashes Metasploit
7 Copyright © DevSecOps Foundation 2015-2016 • Continuous Integration •
Continuous Deployment • Master/Slave Architecture • Distributed code execution platform • Insecure by DEFAULT Jenkins
8 Copyright © DevSecOps Foundation 2015-2016 • Java Application Server
• Older versions are insecure by default • JMX Console can be used to deploy arbitrary applications • Many remote code execution vulnerabilities JBoss
9 Copyright © DevSecOps Foundation 2015-2016 • Establish Foothold •
Gather loot • .bash_history • .ssh • .aws • /etc/shadow • Begin Network Enumeration • Scan (loud) • ARP (quiet) • Persistence Lateral Movement/Pivoting
10 Questions? Copyright © DevSecOps Foundation 2015-2016
11 Copyright © DevSecOps Foundation 2015-2016 • https://github.com/devsecops/bootcamp/blob/master/Week- 6/labs/LAB-2.md Lab
2 – Exploiting Jenkins