Sei sulla pagina 1di 69

www.ErdalOzkaya.

com
Erdal.Ozkaya@itmasters.edu.au

E-mail

: Erdal.Ozkaya@itmasters.edu.au

Blog

: www.ErdalOzkaya.com

Facebook : www.Facebook.com\YourMCT
Twitter

: www.twitter.com\Erdal_Ozkaya

LinkedIn : au.linkedin.com/pub/erdal-ozkaya/11/384/844/
Windows Store: Search: Erdal Ozkaya

Windows Phone app:


http://www.windowsphone.com/en-us/store/app/erdal-ozkaya/89dafdf6-61c0-493b-b51a-c556e4f5987d
Android App
https://play.google.com/store/apps/details?id=com.appypie.appypie9d090adb2c30

Your ONE POINT Stop

https://learn.itmasters.edu.au
/

Recommended to read

DOS Attack Tools

DosHTTP
How to find it , install it, use it.

Hping3 with KALI Linux

More DOS tools

DIY DOS

More .

And more

PEN TEST 101

TO PREVENT THIS

Sound familiar ?
Costs too much money!
Too complicated
Not worth the bother!!
My SIMPLE firewall protects me
We have got A Solution

Question:

Why Penetration
Testing ?

Identify the
threats
facing your
assets

Lets Compare them!!!!

ROSI
Reduce the IT Security costs & provide a better
Return On IT Security Investment (ROSI) by
identifying & resolving vulnerabilities and
weakness

Comprehensive Assessment
Pen Testing will assure the organization that all
Policy
Procedure
Design & Implementation has been assets

Process Best Practice for legal & industry regulations


approach

ISMS PDCA example


Interested
Parties

Plan
Establish
an ISMS

Act

Do

Maintain and Improve the ISMS


Information
security
requirements and
expectations

Interested
Parties

Monitor and
review the ISMS

Check

Implement the
ISMS

Managed information
security

What Should be Tested?


A risk assessment should be conducted to
identify main threats, such us:
Communications E-Commerce & loss of confidential
information failure
Public facing systems, websites, e-mail gateways & remote
platforms
Mail, DNS, firewall, passwords, FTP, IIS & other web servers

Access Points to Your Network

Internet gateways
Modems
Wireless Networks
Physical entry
Social Engineering

What Makes a Good Penetration Test?


Establish the parameters for the pen-test such
us:
Objectives ,Limitations & justification of
procedures
Choose suitable set of tests that balance cost &
benefits
Following a methodology with proper planning &
documentation
Stating all the results clearly in the final report

Penetration Testing Is Not


An alternative to other IT security measures it
complements other tests
Expensive game of Capture the Flag
A guarantee of security
It is not a proof techniques. It can never prove the
absence of security flaws. It can only prove their
presence.

Limitations
Its only valid for the period tested
Time to perform

Types of Penetration Testing


External
Testing
Involves analysis of
publicly available
information a network
enumeration phase,
and the behaviour of
the security devices
analysed

Phases of Pen Testing


Pre- Attack Phase
Attack Phase
Post Attack Phase

Pre- Attack Phase


Goals of the attack will be defined
Reconnaissance
Refers to phase where attacker gathers as much
information as possible (Learn About Target)
1. Passive Reconnaissance
Hacker does not interact with the system directly
Use publicly available info
* Social Engineering ,Dumpster Diving
2. Active Reconnaissance
Open ports ,Router locations ,Network mapping, Details of O/S &
apps

Attack Phase

Penetrate
Perimeter
Acquire Target
Execute, Implant
Retract
Escalate
Privilege

Penetrating Testing Methodology

Skills Being Measured

Important!!!
Watch the new demos
Make sure to review my slides before the exam
Watch the exam prep video

About the exam


The exam is a timed, open book exam that you
will sit at your computer.
Only 1 attempt
If something goes wrong e-mail:
James.Hale@itmasters.edu.au
If you have any concerns about the question email
Erdal.Ozkaya@itmasters.edu.au

What is the essential difference between an Ethical


Hacker and a Hacker?
A. The ethical hacker does not use the same
techniques or skills as a Hacker.
B. The ethical hacker does it strictly for financial
motives unlike a Hacker.
C. The ethical hacker has authorization from the
owner of the target.
D. The ethical hacker is just a cracker who is getting
paid.

Answer: C
Explanation:
The ethical hacker uses the same techniques and
skills as a cracker and the motive is to find the security
breaches before a cracker does.
There is nothing that says that a cracker does not get
paid for the work he does, an ethical hacker has the
owners authorization and will get paid even if he does
not succeed to penetrate the target.

Based on the exhibit, name one tool which can do

Answer

Fill up the GAP


Enable ______________ to monitor and
track password attacks.

Answer
Security Audit

True or False
A Trojan Horse is an apparently useful and innocent
program containing additional hidden code which
allows the unauthorized collection, exploitation,
falsifycation, or destruction of data.

True

Good Luck

More Free staff on Security


http://www.microsoftvirtualacademy.com/training-courses/defense-in-depthwindows-8-1-security

Thank You

http://erdalozkaya.com/

httpwww.facebook.com/YourMCT

Keep in touch

Thank You

Thank you <3