Dear PenTest Readers!
We are pleased to present you the TEASER of the second issue of PenTest StarterKit. Last time our authors explained in their articles how to begin a career as pentester. This time our main focus was to basically describe some techniques and tools which you may use or come across during your first penetration tests. From the full issue we have chosen three articles and the Interview. Also, you will find there the full issue's Editor's Note and the Table of Contents (available below as well). We hope that you will enjoy it.
Your PenTest Team.
[download id="290" format="4"]
FULL ISSUE'S TABLE OF CONTENTS:
THREATS & SOLUTIONS
A10 Last But Not Least
By Aleksandar Bratic
Open Web Application Security Project, as standard in web security has 10 most frequent and dangerous threats. In this year owasp 10 was changed, baseline for changes was owasp 10 from 2010. The article presents the updated A10 list.
Social Engineering for Pentesters
By Sumit Agarwal
Social Engineering uses human weakness to gain access to any system despite the layers of defensive security controls that may have been implemented. It is therefore an effective pentest tool to test the human weaknesses of a comprehensive security system. The article explains how to use this art and science of studying, predicting and manipulating human behavior.
Intrusion Detection System
By Deepanshu Khanna
The number of Internet users is growing up. Almost everyone around the world is accessing the Internet. E-commerce and e-business are increasing by leaps and bounds. Therefore, the competition is becoming more and more important factor. So, the number of intrusion events grows side by side. That is why this article's focus area is how to catch an attacker.
SHODAN Search Engine: Friend or Foe?
By Pranshu Bajpai
SHODAN is the Google for Hackers. It is known as 'the Scariest Search Engine' on the web, exposing loads of routers, servers, webcams, SCADA systems, and other network devices. Here we explore the capabilities of SHODAN.
Taking Over an Active Directory
By Gilad Ofir
As Pentesters and Security Specialists, we often come across a need to secure infrastructure. This need is caused by the fact that our systems are constantly at risk from either internal or external attacks. The attack, which is demonstrated in the article, presents a simple scenario where an attacker does a simple takeover of an active directory while using only backtrack and our knowledge, of course.
Persistence: Owning the Image
By Hunter Blakely
Compromising and maintaining control of a network is often thought of as a State-sponsored attack using rigorously developed software, customized to a specific target. Instead of focusing on these well known methodologies, the article discuss something a bit more abstract - using Preboot Execution Environment (PXE - pronounced “pixie”) network boot to gain control of the entire network.
Social Engineering – Pentesting the Human Element
By Fadli B. Sidek
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
Social Engineering and Phishing Attacks Using Android Device
By Domagoj Vrataric
Picture this: you are involved in penetration testing of a serious client, a bank or telecommunication company. Besides usual testing of corporate network and Web applications, it is very important to make sure that all employees are introduced to risk of social engineering and phishing attacks. This article will show how it is possible to make such attacks with Android device and a few applications.
Hacking a Bank
By Andrei Bozeanu
A couple of years ago, I was contacted by a major commercial bank in my country to conduct a series of Blackbox penetration tests against their external network, recently after they acquired a very costly Information Security Management System from a major international audit firm. The real reason they contracted my services was in fact to see how their newly employed system would react in a real life scenario, and the scope of my actions was to gain access to their internal network, and no one, myself included thought this was going to be an easy task. Challenge accepted!
LET'S TALK ABOUT SECURITY
SECUCON 2013 Conference Summary
By PenTest Team
SECUCON 2013 – A conference hosted by SECUGENIUS – A unit of HARKSH Technologies Pvt Ltd at GGNIMT, Ludhiana with a vision to create awareness for the need of SECURITIES in social living and to spread a message of generating opportunities in the same field. The article covers a short summary of the event.
Interview with Loizos Heracleous about Dell and Its 79 Per Cent Fall in Profits
By PenTest Team
Interview with Loizos Heracleous, Professor of Strategy and Organization at Warwick Business School and Associate Fellow at the Said Business School, University of Oxford. His research has been honoured with several awards (such as the Academy of Management's Best Paper Award which he received 3 times); and has been published in leading journals such as the Harvard Business Review, Academy of Management Journal and Academy of Management Review. He has worked with blue chip corporations to develop their senior executives in the field of strategy and related areas.