Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Practical White Hat Hacker Training - Introduction to Cyber Security

1,326 views

Published on

This presentation part of Prisma CSI's Practical White Hat Hacker Training v1

PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com

This document can be shared or used by quoted and used for commercial purposes, but can not be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.

Published in: Education
  • Login to see the comments

Practical White Hat Hacker Training - Introduction to Cyber Security

  1. 1. www.prismacsi.com © All Rights Reserved. 11 Practical White Hat Hacker Training #1 Introduction This document can be shared or used by quoted and used for commercial purposes, but can not be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
  2. 2. www.prismacsi.com © All Rights Reserved. 22 Introduction
  3. 3. www.prismacsi.com © All Rights Reserved. 33 PRISMA : Overview • Cyber security consultancy to over 100 companies in a period of over 5 years • Over 300 penetration testing projects • More than 50 training projects • The organizers and founders of some of the most important teams and activities in the country • Octosec • Canyoupwnme • Hacktrick Cyber Security Conference • Game of Pwners CTF • Hacker Camp
  4. 4. www.prismacsi.com © All Rights Reserved. 44 • Penetration Testing Services • Cyber Security Training • Consultancy services • Research and Development • Cyber Army Infrastructure Systems PRISMA : Activities
  5. 5. www.prismacsi.com © All Rights Reserved. 55 • Network Penetration Test • Web Application Penetration Test • Mobile Application Penetration Test • Banking Regulation and Supervision Agency (BRSA) Compliant Penetration Test • Distributed Denial-of-Service (DDoS) Test • Load and Stress Test • Social EngineeringTest • SCADA Penetration Test • Red Team Penetration Test • APT Attack Simulation • Mail Gateway Security Test • Physical Penetration Test Penetration Tests
  6. 6. www.prismacsi.com © All Rights Reserved. 66 • Practical White Hat Hacker Training • Network Penetration Test Training • Wireless Network Penetration Test Training • Mobile Application Security Training • Web Application Security Training • Advanced Penetration Test Training • DoS & DDoS Attacks and Protection Training • Vulnerability Management Training • Secure Software Development Training • Linux System Hardening Training • Basic Linux Training Trainings
  7. 7. www.prismacsi.com © All Rights Reserved. 77 • Source Code Analysis • Product / Project Consultancy • Vulnerability Management • HR - Recruitment Processes Technical Competence Analysis Consultancy
  8. 8. www.prismacsi.com © All Rights Reserved. 88 Let’s get to know a little about each other… Introduction
  9. 9. www.prismacsi.com © All Rights Reserved. 99 Topics
  10. 10. www.prismacsi.com © All Rights Reserved. 1010 Cyber Security Basics Appendix: Basic Network Information Appendix: Basic Linux Information Passive Information Collection Active Information Collection Vulnerability Discovery Post Exploitation Stage Exploit Stage Network Based Attacks Password Cracking Attacks Agenda
  11. 11. www.prismacsi.com © All Rights Reserved. 1111 Web Application Security Wireless Network Security IPS / IDS / WAF Evasion Techniques Social Engineering Agenda
  12. 12. www.prismacsi.com © All Rights Reserved. 1212 Cyber Security Basics
  13. 13. www.prismacsi.com © All Rights Reserved. 1313 Information Security There are 3 important criteria for information security; • Confidentiality • Integrity • Availability Availability Confidentiality Integrity Security Model
  14. 14. www.prismacsi.com © All Rights Reserved. 1414 Confidentiality • Information should only be accessible to the person or system that is allowed to access it. • Information being able to be read, written and changed by persons other than the targeted endangers this principle. • Important events experienced in the past.
  15. 15. www.prismacsi.com © All Rights Reserved. 1515 Integrity • Consistent transmission of information from the source to the targeted point without any change in its original form. • Partial corruption or partial altering of the original information means that its integrity has been compromised • Important events experienced in the past.
  16. 16. www.prismacsi.com © All Rights Reserved. 1616 Availibility • Information should be accessible and available whenever it is required by an authorized person or system. • DoS , DDoS attacks endanger this principle. • Important events experienced in the past.
  17. 17. www.prismacsi.com © All Rights Reserved. 1717 The Hacking Concept Hacking has more than one meaning; • Use of systems / hardware / software in ways other than the originally intended • Producing a solution for a problem can also be called hacking • Software Piracy = Media language
  18. 18. www.prismacsi.com © All Rights Reserved. 1818 Then who is a hacker? • According to MIT a hacker is any person working on information systems. • Computer Hacker • General description: a person who performs hacks • What’s a hack?
  19. 19. www.prismacsi.com © All Rights Reserved. 1919 Concepts • Penetration Test, Pentest Attempt by hackers to infiltrate targeted systems using various tools and techniques, thereafter reporting all identified vulnerabilities in detail. • Pentester, Penetration Test expert The person who implements/applies the concept of penetration testing and develops themsselves in the field of cyber security. Keeps track of current techniques and researches carried out by hackers hence stays up to date.
  20. 20. www.prismacsi.com © All Rights Reserved. 2020 Concepts • Hacker • White Hat Hacker • Black Hat Hacker • Grey Hat Hacker • Script Kiddie • Cracker
  21. 21. www.prismacsi.com © All Rights Reserved. 2121 General Information on Penetration Testing • Areas • Network Penetration Testing • Web Application Penetration Testing • Mobile Application Penetration Testing • Critical Infrastructure Systems Penetration Testing • DDoS and Load Tests • Risk Analysis • Vulnerability Scanning
  22. 22. www.prismacsi.com © All Rights Reserved. 2222 Types of Penetration Tests • Black Box • Grey Box • White Box
  23. 23. www.prismacsi.com © All Rights Reserved. 2323 Penetration Tests VULNERABILITY SCANNING VS PENETRATION TESTING
  24. 24. www.prismacsi.com © All Rights Reserved. 2424 Cyber Killchain Privilege Escalation Covering Footprints Exploitation Vulnerability Discovery Information Gathering
  25. 25. www.prismacsi.com © All Rights Reserved. 2525 Penetration Test Methodologies • OWASP • Web Security Tests • Mobile Application Security Tests • IoT Security Tests • OSSTMM • Open Source Security Testing Methodology Manual • Pentest-Standard
  26. 26. www.prismacsi.com © All Rights Reserved. 2626 Penetration Test Methodologies • OWASP – Web Application Penetration Testing
  27. 27. www.prismacsi.com © All Rights Reserved. 2727 Penetration Test Methodologies • OSSTMM - http://www.isecom.org/mirror/OSSTMM.3.pdf
  28. 28. www.prismacsi.com © All Rights Reserved. 2828 Penetration Test Report • Tools Used • Discovered devices • Topology • Vulnerabilities • Exploitation methods • Reachable endpoint • Risks • Defense methods • Attack combinations
  29. 29. www.prismacsi.com © All Rights Reserved. 2929 Career in Cyber Security • Offensive • Penetration Testing Expert • Network Penetration Testing Expert • Web Application Penetration Testing Expert • Mobile Application Penetration Testing Expert • Exploit Development • Malware Development
  30. 30. www.prismacsi.com © All Rights Reserved. 3030 Career in Cyber Security • Defensive • SOC – Security Operation Center – Analyst • Forensics Expert • System Security Expert • Vulnerability Management Specialist • Software Security Expert • Malware Analyst
  31. 31. www.prismacsi.com © All Rights Reserved. 3131 Certification Programs • CEH – Certified Ethical Hacker • TSE White Hat Hacker • OSCP – Offensive Security Certified Professional • OSCE – Offensive Security Certified Expert • GWAPT – GIAC Web Application Penetration Tester • GPEN – GIAC Penetration Tester
  32. 32. www.prismacsi.com © All Rights Reserved. 3232 Types of Cyber Attacks by Country • Turkey • Russia • America • Germany • China
  33. 33. www.prismacsi.com © All Rights Reserved. 3333 Turkey • Fraud attacks • Using and writing of malware • Social engineering attacks
  34. 34. www.prismacsi.com © All Rights Reserved. 3434 Russia • Writing and spreading of exploit kits • Malware • Banking attacks • ATM attacks
  35. 35. www.prismacsi.com © All Rights Reserved. 3535 Germany • Exploit Kit / 0day development • Malware • Underground activities • Hackers meeting point • Chaos Computer Club
  36. 36. www.prismacsi.com © All Rights Reserved. 3636 America • Software development • Technology development • APT / 0day development • Cyber war activities • Case of Stuxnet
  37. 37. www.prismacsi.com © All Rights Reserved. 3737 China • Malicious software • Automated software • Nationalist hacker groups • APT / 0day / Exploit development • Cyber war activities
  38. 38. www.prismacsi.com © All Rights Reserved. 3838 Chronology 2010 2018 China's largest search engine Baidu hacked. 2010 DDoS attack affects internet access. 2013 Russia halts Internet access in Estonia 2007 Morris Worm goes online 1998 1998 After the attacks in Gaza, Israel suffered cyber attacks, 5 million websites were hacked. 2009 Stuxnet is out in the wild. 2010 Wannacry paralyzes life all over the world. 2017
  39. 39. www.prismacsi.com © All Rights Reserved. 3939 News https://securityintelligence.com/are-ransomware-attacks-rising-or-falling/
  40. 40. www.prismacsi.com © All Rights Reserved. 4040 Cyber Attacker Profile • Hacker • Target-oriented cyber attack • Government / State-backed cyber attack • Religion / Racial sympathy • Ego satisfaction • Competitors and unfair competition oriented attacks • Cyberterrorism
  41. 41. www.prismacsi.com © All Rights Reserved. 4141 Cyber Attacker Profile • Untrained staff (risk of involuntary attacks) • A fired person X • Insider
  42. 42. www.prismacsi.com © All Rights Reserved. 4242 Cyber Attacker Profile • Malware attacks • If it is target based an APT may be the most likely attacker. • Any malware can affect your systems in some way. • These malware can include a system into a botnet.
  43. 43. www.prismacsi.com © All Rights Reserved. 4343 Cyber Attack Losses • In the past only prestige was lost. • Changing the interface of pages (Defacement) • Today financial loss is the most common form of loss. • After Denial-of-Service attacks companies may experience a service outage or interruption.
  44. 44. www.prismacsi.com © All Rights Reserved. 4444 Some Cyber Security Defense Mechanisms • Security Firewalls • Antivirus • SSL • Intrusion Detection System (IDS) • Intrusion Prevention Systems (IPS) • Security Information and Event Management (SIEM) • Content Filter
  45. 45. www.prismacsi.com © All Rights Reserved. 4545 Some Cyber Security Defense Mechanisms • Web Application Firewall (WAF) • Data Leakage Prevention (DLP) • Advanced Cyber Threat Detection (APT Protection) • Deep Packet Inspection (DPI) • Security Operations Center (SOC)
  46. 46. www.prismacsi.com © All Rights Reserved. 4646 Basic Terminologies • Cryptology. • Password science. • Steganography • Science of hiding data in plain sight. • Encoding • The process of converting data into a different format.. • Base64
  47. 47. www.prismacsi.com © All Rights Reserved. 4747 Terminology • Hash • It is data converted into a unique form. • Data length is fixed. (MD5 32 character) • MD5 • SHA512 • Hash Cracking Attacks • Unidirectional • Wordlist • Rainbow Table
  48. 48. www.prismacsi.com © All Rights Reserved. 4848 Basic Terminologies • Base64 - Encoding • PRISMA -> UFJJU01B • PRISMACSI -> UFJJU01BQ1NJ • UFJJU01B -> PRISMA • UFJJU01BQ1NJ –> PRISMACSI • MD5 • PRISMA -> c636499e580a2d1c4d96af7aacb67ec3 • PRISMACSI -> be92422ae4a6ebba10d743a6213b9793
  49. 49. www.prismacsi.com © All Rights Reserved. 4949 Anonymity Why the need? • They want to hide their personal data. • They want to hide their identity. • They want to hide site preferences. • They have adopted the concept of free internet.
  50. 50. www.prismacsi.com © All Rights Reserved. 5050 Anonymity Communication • Whatsapp • Telegram • Signal • IRC • Jabber
  51. 51. www.prismacsi.com © All Rights Reserved. 5151 Anonymity Deep Web • Underground • Deepweb • Darkweb Area where hackers share information.
  52. 52. www.prismacsi.com © All Rights Reserved. 5252 Anonymity Deep Web • Chaos Network • DN42 • Freenet • Anonet • Tor
  53. 53. www.prismacsi.com © All Rights Reserved. 5353 Demo Practice
  54. 54. www.prismacsi.com © All Rights Reserved. 5454 Questions ?
  55. 55. www.prismacsi.com © All Rights Reserved. 5555 www.prismacsi.com info@prismacsi.com 0 850 303 85 35 /prismacsi Contacts

×