viprajput

g2s18,19 prbha sir

Jul 29th, 2018

Physical Security Penetration Testing
-------------------------------------
After virtual security audits, major corporations may not deploy a huge amount of resources to ensure the physical environment is secure. Hence auditing physical security can again be a big factor for these organisations.

Major Organisations which need Physical Security
------------------------------------------------
- Nuclear Power Plants
- Space Stations
- Hydrogen Experimental Sites
- Data Control Centers
etc.

Physical Security Checklist Areas
---------------------------------
1. Organisation surroundings
2. Ensure the people in the organisation are following the physical security rules.
- They must use icards for authentication.
- There must be a log manager of all the in-out activities.
- There should be a physical resource person (team) who monitors the employees' in-out operational work 24*7.
- The reason for the visit should be validated.

Checklist for entering the server room
-> Name of the visitor
-> Company of the visitor
-> Scanned copy of company icard
-> Aadhaar Card/DL etc.
-> Name of the person who is bringing the visitor
-> Company he belongs to
-> Icard number
-> Devices they are carrying
-> Hand over your phone in switched-off mode to the gatekeeper
-> Locker keys will be given back to you

Physical security checklist within the working space
- Clean desk policy
- After meetings and after all the chats and planning, before you leave the office discussion room you have to clear the whiteboard or glass on which you have written anything about the task to be executed.
- You have to shred any document before throwing it in the dustbin.
Dumpster Diving : The process in which a hacker sneaks into the garbage of any home or organisation and looks for something important.
- Make sure people in the organisation do not write any kind of information on sticky notes or on their desks with marker or pen.

Serious Security Checklist
--------------------------
1. There must be a fire extinguisher in all the rooms and places in the organisation.
2. There must be an AMC with the fire department company.
3. There must be biometric authentication on the server room.
4. There must be cameras inside the server room.
5. The electricity room and generator room should be at separate locations.

ISO 27001 : Physical Security Control List
Watch here Red Team Breach: https://www.youtube.com/watch?v=pL9q2lOZ1Fw

Database Penetration Testing
----------------------------
Oracle
MS-SQL
MySQL : 5.0.45 Community Edition
MySQL : 3306

Step 1: Scan the system with nmap and identify the database port and its version.
nmap -A <Target IP>

Step 2: Scanning version : mysql_version
Step 3: info
Step 4: set RHOSTS <IP address>
Step 5: run
Step 6: use auxiliary/scanner/mysql/mysql_login
Step 7: set USER_FILE root/Desktop/usernames.lst
Step 8: set PASS_FILE root/Desktop/passwords.lst
Step 9: run
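
Added example (not part of the original notes): a defender-side check for the password-guessing run in Steps 6 to 9, which flags a source host that produces a burst of "Access denied" entries in the MySQL error log. The log format (5.7-style, with failed logins being logged), the sample lines and the function name detect_guessing are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the MySQL 5.7-style error-log format (assumption);
# older servers such as 5.0.x use a different timestamp layout.
SAMPLE_LOG = """\
2018-07-29T10:00:00.000000Z 0 [Note] mysqld: ready for connections.
2018-07-29T10:05:12.120000Z 7 [Note] Access denied for user 'appuser'@'10.0.0.20' (using password: YES)
2018-07-29T10:15:01.100000Z 11 [Note] Access denied for user 'root'@'10.0.0.66' (using password: YES)
2018-07-29T10:15:01.900000Z 12 [Note] Access denied for user 'root'@'10.0.0.66' (using password: YES)
2018-07-29T10:15:02.400000Z 13 [Note] Access denied for user 'admin'@'10.0.0.66' (using password: YES)
2018-07-29T10:15:03.000000Z 14 [Note] Access denied for user 'admin'@'10.0.0.66' (using password: YES)
2018-07-29T10:15:03.700000Z 15 [Note] Access denied for user 'mysql'@'10.0.0.66' (using password: YES)
2018-07-29T10:15:04.200000Z 16 [Note] Access denied for user 'mysql'@'10.0.0.66' (using password: YES)
2018-07-29T10:40:30.000000Z 21 [Note] Access denied for user 'appuser'@'10.0.0.20' (using password: YES)
"""

DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z\s+\d+\s+\[\w+\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def detect_guessing(log_text, window_s=60, max_failures=5):
    """Return {host: {"peak": n, "users": set}} for every source host with at
    least max_failures denied logins inside a sliding window of window_s seconds.
    Assumes the log lines are in chronological order."""
    recent = defaultdict(deque)  # host -> (timestamp, user) pairs still in the window
    alerts = {}
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue  # not a failed-login entry
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        q = recent[m["host"]]
        q.append((ts, m["user"]))
        # Drop failures that have aged out of the window.
        while ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= max_failures:
            entry = alerts.setdefault(m["host"], {"peak": 0, "users": set()})
            entry["peak"] = max(entry["peak"], len(q))
            entry["users"].update(user for _, user in q)
    return alerts

if __name__ == "__main__":
    for host, info in detect_guessing(SAMPLE_LOG).items():
        print(host, info["peak"], sorted(info["users"]))
```

Two isolated failures from the same host more than a minute apart (10.0.0.20 in the sample) stay below the threshold and are not flagged.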

VOIP Pentesting : Voice over Internet Protocol
It's a process in which we try to sniff the voice packets and conversations within an organisation in which certain VOIP devices are being used for internal communication.

Avaya : The most trusted brand in VOIP communication.

Put call through VOIP --> Target

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attacker : Intercepts via Cain and Abel, which has a SIP intercept facility.

Demo : Tools required : Cain and Abel

VPN Pentesting
---------------
A VPN is used to encrypt the packets coming out from devices.

=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x

Introduction to Penetration Testing
-----------------------------------
It's a post-information-gathering phase in which we exploit the vulnerabilities discovered in the VA phase.
WEB PT
NETWORK PT
MOBILE PT - MobSF (Mobile Security Framework) .apk .ipa
Documentation : Digital Security Report

Ethics of Penetration Tester
----------------------------
1. Nothing outside the scope.
2. You are a hacker, not a hero.
3. Documentation is for developers, not for the CEO, so make it make sense.
4. Read the code of conduct and make sure you will not do anything which is beyond our scope.

Penetration Testing Methodologies
---------------------------------
1. Web Based Pen Testing : Scope + Info Gathering + Exploit + Report of remediations + Applying the patch through company team.
2. Network and Mobile
3. Process or Governance : Read the policies, contracts, vendor agreements and so on + Find loopholes in clauses + Report and identify to high-level management + Draft new policy.

ISO 27001 Compliance : Read

Scope Analysis
---------------
Step 1: Query for VAPT
Step 2: Scoping document WEB/NETWORK/MOBILE
Step 3: Response meeting
Step 4: Proposal with price and man-day cost
Step 5: Acceptance and date to start the project.

Customer and Legal Agreements
-----------------------------
-> Code of Conduct signing
-> NDA - Non-Disclosure Agreement
-> MOU - Memorandum of Understanding

Pen Testing Planning and Scheduling
-----------------------------------
Teams

VA : Web , Network , Mobile , Compliance

PT : Web , Network , Mobile , Compliance

Date Start : 21st Jan 2016 to 26th Jan 2016

Total Number of Days : 6 Man Days
Green Zone : 2 3 Weeks 2 day : Sat Sunday
Night Shift : 8.00PM -> Monday 3AM Close 422 Servers

Sr. Resource : RM RM --> Single point of contact for the client.

Pre Pen Testing Checklist
-------------------------
1. License Requirements ????
2. List of tools to be used in the testing
3. Team listing and tracking

Types of Pen Testing
-> Internal : Network pentesting and internal application layer pentesting,
inside which we try to audit and test all network assets of the organisation
along with all in-house web applications which run on the network communication.

-> External : Web application testing + pen testing through a company VPN.

-> White Box : Scope is clear: what OS is running on each machine, open port details,
service pack details, kernel details, critical or non-critical details,
version of services details and so on, application source code visibility etc.

-> Grey Box : List of IP addresses in terms of network PT and host name details, that's all. In web, subdomain names and that's all.

-> Black Box : Website www.target.com, IP list in scope.

People Part : https://www.youtube.com/watch?v=knc6Iq-hNcw