Friday, December 3, 2010

Beyond Exploits: Real World Penetration Testing

This is one of the presentations that should be watched by any IT Manager or  Chief Security Officer.

People tend to focus their security posture in the vulnerabilities instead of  a sound design that protect their critical assets and, even, penetration testers commit the same mistake. Of course, bad penetration testers.

In my career in IT, I have seen many so called penetration testers that just run vulnerability scanners and then send the report to the customer.  It is plainly wrong (rubbish?) because I do not need to pay a company to scan my own network for vulnerabilities, since I can do it by myself, with the same results.

Then, what is a penetration test? It is meant to emulate a real attack, that tries to reach our core business by making use of any possible attack vector.

A penetration tester must try all the possible attack vectors. This includes: mis-configurations, bad network designs, vulnerabilities,  social engineering,  protocol weaknesses, etc. Just because an skilled attacker, the one that is motivated and can cause a big damage, will do.

H.D. Moore is the Chief Security Officer of Rapid7 and  Founder & Chief Architect of Metasploit.

This presentation shows the techniques that can be used by a skilled penetration tester in order to gain full access to the network without exploiting a single vulnerability.

It includes:  attacking the users,  password testing, design weaknesses in the Windows platform (NTLM hashes and NTLM relay),  exploit the SMB design weaknesses to gain privileges up to the domain controler,  layer 2 attacks,  IPv6, etc..

Slides  Video

No comments:

Post a Comment