PenTest: Cryptography for pentesters - Pentestmag

PenTest: Cryptography for pentesters

cryptography for pentesters 14 2017.pdf

Dear PenTest Readers,

We would like to present to you our newest issue, the last one in 2017. It mainly focuses on cryptography for hackers, pentesters, and cybersecurity specialists. We hope you will find the articles interesting and will have time to read them all.

First, we will start with answering questions like: “how attackers attempt to stay hidden?”, and “how they actually beat systems?”. We will inspect Mifare Classic structure, cryptography, common vulnerabilities, as well as their sources, and we will see why it is a bad idea to implement “Security through Obscurity” in your products. Moreover, we will perform MITM attacks using invisible proxy mode. We have also prepared an article that will show the components of cryptography, as well as some vulnerabilities of cryptographic systems. Last but not least, we will use secure cryptography to achieve PCI DSS compliance.

Second part of the magazine has mixed content. First, we will discuss what assets are needed to perform successful threat hunting activities. You will be shown an ethical hacking scenario, which will be a good introduction to footprinting. Vipin Chaudhary will tell a story of how he started a chain of subdomain takeovers. Lastly, you can read about a web application firewall.

We would also want to thank you for all your support. We appreciate it a lot. If you like this publication you can share it and tell your friends about it! every comment means a lot to us.

Enjoy your reading,

PenTest Magazine’s

Editorial Team

If want to buy this magazine click here

Want to download free preview? Click Here 

Table of contents

Cryptography for hackers, pentesters and cybersecurity specialists
by Munir Njiru

This is a simple article that answers the question of "how?" attackers attempt to stay hidden and "how?" they actually beat systems. It also shows strategies they use to reduce the effort of a hack hence reducing the cost to them making an attack more viable.

Mifare Classic NFC Cards Cryptography Flaws Explained
by German Namestnikov

RFID hacking is not a new topic. Actually, this is “old hat” in the world of Cyber Security. A great amount of articles and researches were written, a lot of presentations were held - all about the same things, mostly. Today we will dive into RFID hacking again. We will inspect Mifare Classic structure, cryptography, common vulnerabilities and their sources, and we will see why it is a bad idea - to implement “Security through Obscurity” in your products and, especially, in your crypto protocols. There will be a huge theoretical part and some practical examples, so, get ready to rock!

Exploiting Certificate Validation Flaw in Mobile apps
by Gaurang and Jaidip

The article discusses about exploiting the certificate validation flaw in mobile apps and conducting a real-time man-in- the middle attack using burp’s invisible proxy. An app communicating over HTTPS does not necessarily ensure the integrity and confidentiality. A mistake often made by the developer while debugging the application during development might open a risk by allowing any attacker to issue a self-signed certificate to the app. Thus, stealing the confidentiality of the victim connected in the same network. In this article, you will go through a detailed explanation and step by step walkthrough to find such flaws in mobile applications and how to use Burp’s invisible proxy and IP tables to mount a man-in- the-middle attack in a real-time scenario.

Cryptography for hackers, pentesters and cybersecurity specialists
by Washington U. de Almeida Jr.

In this article, we will explore the components of cryptography as well as some vulnerabilities of cryptographic systems, a topic of special interest to hackers, pentesters and cybersecurity specialists.

Using secure cryptography in achieving PCI DSS compliance
by Swati Sharma

PCI DSS is an industry regulatory compliance standard published by PCI SSC; Consortium comprised of multiple card brands (VISA, M/C, AmEx, Discover, and JCB). PCI DSS has 12 Requirements spanning 6 objectives.

Threat hunting
by Biswashree Byomakesh Dash

Threat Hunting is nothing but proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools. So let’s discuss what assets we need to perform successful threat hunting activities.

Ethical hacking
by Sanjay Verdu

In this scenario, the target is our house. In terms of hacking, the target could be a server, computer or a web application. Remember that Reconnaissance and Footprinting are kinda interchangeable terms. For now, remember that footprinting is a part of reconnaissance. In this article, I will discuss different kinds of footprinting that can be done in the real world.

How I started a chain of subdomain takeovers
by Vipin Chaudhary

It all started six months back when I found a blog about this interesting vulnerability called subdomain takeover (DNS Hijacking). After that, I was all into finding these bugs into different companies. Before disclosing companies where I found these issues, let’s discuss this vulnerability in detail.

Web Application Firewall
by Harpreet Singh

The article has been written to provide the readers an overall understanding of the web application firewall, it's need and how it is different from conventional firewall. This has been followed by types (so that users can have decide which one to go with), deployment strategy and how WAF can be helpful in the protection against OWASP top 10.

cryptography for pentesters 14 2017.pdf

July 23, 2021
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023