Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DevSecOps Bootcamp - Week 6 - Lesson 2
Search
DevSecOps
July 01, 2016
Technology
0
150
DevSecOps Bootcamp - Week 6 - Lesson 2
Bootcamp week 6 lesson 2
DevSecOps
July 01, 2016
Tweet
Share
More Decks by DevSecOps
See All by DevSecOps
DevSecOps Bootcamp - Week 6 - Lesson 1
devsecops
0
220
DevSecOps Bootcamp - Week 6 - Lesson 3
devsecops
0
160
DevSecOps Bootcamp - Week 5 - Lesson 1
devsecops
0
180
DevSecOps Bootcamp - Week 5 - Lesson 2
devsecops
0
140
DevSecOps Bootcamp - Week 4 - Lesson 1
devsecops
0
170
DevSecOps Bootcamp - Week 4 - Lesson 2
devsecops
0
93
DevSecOps Bootcamp - Week 4 - Lesson 3
devsecops
0
97
DevSecOps Bootcamp - Week 3 - Lesson 2
devsecops
0
94
DevSecOps Bootcamp - Week 3 - Lesson 3
devsecops
0
140
Other Decks in Technology
See All in Technology
Context Engineeringが企業で不可欠になる理由
hirosatogamo
PRO
3
530
クレジットカード決済基盤を支えるSRE - 厳格な監査とSRE運用の両立 (SRE Kaigi 2026)
capytan
6
2.7k
モダンUIでフルサーバーレスなAIエージェントをAmplifyとCDKでサクッとデプロイしよう
minorun365
4
180
Tebiki Engineering Team Deck
tebiki
0
24k
広告の効果検証を題材にした因果推論の精度検証について
zozotech
PRO
0
150
OWASP Top 10:2025 リリースと 少しの日本語化にまつわる裏話
okdt
PRO
3
600
配列に見る bash と zsh の違い
kazzpapa3
1
130
会社紹介資料 / Sansan Company Profile
sansan33
PRO
15
400k
制約が導く迷わない設計 〜 信頼性と運用性を両立するマイナンバー管理システムの実践 〜
bwkw
3
920
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
5
1.6k
【Oracle Cloud ウェビナー】[Oracle AI Database + AWS] Oracle Database@AWSで広がるクラウドの新たな選択肢とAI時代のデータ戦略
oracle4engineer
PRO
1
120
Kiro IDEのドキュメントを全部読んだので地味だけどちょっと嬉しい機能を紹介する
khmoryz
0
180
Featured
See All Featured
How GitHub (no longer) Works
holman
316
140k
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
aleyda
1
1.9k
Crafting Experiences
bethany
1
48
Highjacked: Video Game Concept Design
rkendrick25
PRO
1
290
How to train your dragon (web standard)
notwaldorf
97
6.5k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
uxyall
0
330
Rails Girls Zürich Keynote
gr2m
96
14k
Stewardship and Sustainability of Urban and Community Forests
pwiseman
0
110
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
34
2.6k
Leadership Guide Workshop - DevTernity 2021
reverentgeek
1
200
The Mindset for Success: Future Career Progression
greggifford
PRO
0
230
How to build a perfect <img>
jonoalderson
1
4.9k
Transcript
1 BUILDING RUGGED SOFTWARE YEAR ONE / WEEK SIX /
LESSON TWO Copyright © DevSecOps Foundation 2015-2016
2 Copyright © DevSecOps Foundation 2015-2016 • Network Attack •
Nmap • Enumeration • Metasploit • Jenkins • JBoss • Lateral Movement • Lab 2 Agenda
3 Copyright © DevSecOps Foundation 2015-2016 • Enumerating systems •
Enumerating listening services • Known vulnerabilities • Unknown vulnerabilities (0 –Day) • Misconfigurations • Bad default installations (HUE, Jenkins, etc…) Network Attack
4 Copyright © DevSecOps Foundation 2015-2016 • Network Mapper •
Written by Fyodor • Extensible through Nmap scripting engine (NSE) using Lua • Many many command line args • RTFM @ https://svn.nmap.org/nmap/docs /nmap.usage.txt • Can test using scanme.nmap.org Nmap
5 Copyright © DevSecOps Foundation 2015-2016 • https://nvd.nist.gov • http://exploit-db.com
• https://cve.mitre.org • Tools • Nessus • Qualys • Nexpose • Nmap Vulnerability Enumeration (http://exploit-db.com, 2016)
6 Copyright © DevSecOps Foundation 2015-2016 • Offensive Security Framework
• Exploit Development • Exploit Delivery • Modular • Exploit Modules • Auxiliary Modules • Scanner Modules • Multiple Payloads • Meterpreter • Shell • Post Exploitation Modules • Gather Data • Steal and Crack Password Hashes Metasploit
7 Copyright © DevSecOps Foundation 2015-2016 • Continuous Integration •
Continuous Deployment • Master/Slave Architecture • Distributed code execution platform • Insecure by DEFAULT Jenkins
8 Copyright © DevSecOps Foundation 2015-2016 • Java Application Server
• Older versions are insecure by default • JMX Console can be used to deploy arbitrary applications • Many remote code execution vulnerabilities JBoss
9 Copyright © DevSecOps Foundation 2015-2016 • Establish Foothold •
Gather loot • .bash_history • .ssh • .aws • /etc/shadow • Begin Network Enumeration • Scan (loud) • ARP (quiet) • Persistence Lateral Movement/Pivoting
10 Questions? Copyright © DevSecOps Foundation 2015-2016
11 Copyright © DevSecOps Foundation 2015-2016 • https://github.com/devsecops/bootcamp/blob/master/Week- 6/labs/LAB-2.md Lab
2 – Exploiting Jenkins
devsecops
hirosatogamo
capytan
minorun365
tebiki
zozotech
okdt
kazzpapa3
sansan33
bwkw
oracle4engineer
khmoryz
holman
aleyda
bethany
rkendrick25
notwaldorf
uxyall
gr2m
pwiseman
jcasabona
reverentgeek
greggifford
jonoalderson
