Path of Cyber Security
Satria Ady Pradana
http://xathrya.id/ 1
Whoami?
• Satria Ady Pradana
– Teknik Informatika ITB 2010
– Embedded Software Engineer
– DracOS Dev Team
– Interest in low-level stuff
– Contact me: xathrya@dracos-linux.org
Provided Material
• “Playground” VM
– bWapp
– Certain boot2root
Distributed for free; ask the officials.
Lots of people want to be hackers.
You?
Why?
Are you sure?
So you wanna be a Hacker?
We Have So Many Colors
• White Hat
• Gray Hat
• Black Hat
• Red Hat
• Blue Hat
• Green Hat
• etc
The Essence of Hacking
• Getting and using other people’s computers
(without getting caught)
• Defeat protection to attain some goals.
• Exploiting something and gaining profit.
• To have fun.
But my talk won't cover hacking as a crime.
Refine the word “hacker” to “security professional”.
We have two sides:
• Attacker
• Defender
Be Defender
• Know why you do this.
• Know how an attacker (might) attack.
• Know how to defend yourself, your assets, etc.
• Know what to do when something happens.
• Know why it can be like this.
(If you are screwed, at least you know why)
Be Attacker
• Know how the target is organized.
• Know how the target reacts to certain events.
• Have vast knowledge about systems.
• Know how to be “evil” (not necessarily to be one).
But I bet you attended this meeting to be an attacker.
Hacking Steps
We call it penetration testing.
• Reconnaissance & Analysis
• Vulnerability Mapping
• Gaining Access
• Privilege Escalation
• Maintaining Access
• Covering Tracks
Stage 1: Reconnaissance
Gather information; search for valuable information related to our target. Analyze it and extract knowledge where appropriate.
Basically:
• Footprinting
• OSINT (Open-Source INTelligence)
Your Goal!
• Obtain as much information as possible.
• Reconnaissance is about intelligence gathering.
• Gathering facts, inferring things, relating them back to the target.
• Direct and indirect relevance might be helpful in a later stage.
• The more useful information you get, the better chance you have to compromise.
Footprinting
Gather information about the nodes, machines, systems and infrastructure used.
Grasp the environment before execution.
• Publicly exposed machines
(which ones are available to us)
• Open ports
(available doors for us to get in)
• Network
(relation to other systems)
• Applications
(ex: version)
• Server specifics
(OS, kernel, important drivers, existing services, etc)
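The same footprinting list, turned around into a defender's self-inventory. This is an added example, not code from the slides or from the DracOS project: it parses the text format of Linux `/proc/net/tcp` and `/proc/net/tcp6` (the sample rows below are constructed), keeps the sockets in the LISTEN state, and separates ports bound to every interface from those reachable on loopback only. Running it against your own hosts shows the "open ports" an outside footprinter would find before they do.

```python
"""Inventory listening TCP sockets from /proc/net/tcp-style text.

Added example (not from the original slides or the DracOS project): the
footprinting step applied to your own host. Linux exposes sockets in
/proc/net/tcp and /proc/net/tcp6 as hex, host-byte-order addresses; this
parser decodes them, keeps only sockets in the LISTEN state and separates
those bound to every interface from those reachable from loopback only.
The sample rows below are constructed; on a real host read the two files.
"""
import socket
import struct
from dataclasses import dataclass

TCP_LISTEN = 0x0A  # value of the "st" column for a listening socket

# Constructed sample in /proc/net/tcp layout: sshd on *:22, mysqld on
# 127.0.0.1:3306, a dev server on *:8080, plus one established connection.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18423 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 19001 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20112 1 0000000000000000 100 0 0 10 0
   3: 0100007F:A3C4 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 20118 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample in /proc/net/tcp6 layout: a web server on [::]:80.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21000 1 0000000000000000 100 0 0 10 0
"""


@dataclass
class ListeningSocket:
    ip: str
    port: int
    uid: int

    @property
    def exposed(self) -> bool:
        """True when bound to every interface (0.0.0.0 or ::)."""
        return self.ip in ("0.0.0.0", "::")


def decode_address(field: str):
    """Decode 'HEXADDR:HEXPORT' as written by the kernel.

    Each 32-bit word is stored in host byte order, which is little-endian
    on x86/x86-64 (the layout the constructed samples follow)."""
    ip_hex, port_hex = field.split(":")
    words = [int(ip_hex[i:i + 8], 16) for i in range(0, len(ip_hex), 8)]
    raw = b"".join(struct.pack("<I", w) for w in words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(port_hex, 16)


def listening_sockets(proc_text: str):
    """Parse one /proc/net/tcp or tcp6 file and return its LISTEN sockets."""
    found = []
    for line in proc_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "sl":
            continue  # blank or header line
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established, time-wait, ... are not our concern here
        ip, port = decode_address(fields[1])
        found.append(ListeningSocket(ip, port, int(fields[7])))
    return found


def summarize(sockets):
    """Split listening ports into externally exposed and loopback-only."""
    return {
        "exposed": [s.port for s in sockets if s.exposed],
        "local_only": [s.port for s in sockets if not s.exposed],
    }


if __name__ == "__main__":
    socks = listening_sockets(SAMPLE_TCP) + listening_sockets(SAMPLE_TCP6)
    for s in socks:
        where = "ALL INTERFACES" if s.exposed else "loopback only"
        print(f"{s.ip}:{s.port}  uid={s.uid}  {where}")
    print(summarize(socks))
```

Reading the kernel tables directly rather than trusting a listing tool matters when the host is already suspected of compromise; the parser also records the owning uid, which tells you whether a service runs as root when it need not.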
OSINT
• Open-Source INTelligence
• Open = overt, publicly available source
• Not about Open-Source Software.
• Try to google yourself; did you find something useful?
What Can You Get?
Now apply the same principle to a target in cyberspace.
Stage 2: Vulnerability Mapping
Map threats and potential breaches onto the information found.
• Based on the systems we found, what threats are available?
• How can we conduct an attack?
• Prioritize the list; decide which one gives the greater chance of success.
Simulate break-in scenarios before we get to the next stage.
Your Goal!
• Find possible paths to penetrate the target.
• Creating a threat model is helpful.
Stage 3: Gaining Access
The actual penetrating phase. Our purpose is to break in, using the vulnerabilities found in the previous steps.
We might also discover something new while in this process. Just add it to the list.
Your Goal!
• Break in / compromise.
• Create a connection (persistent / non-persistent) between the target and us. Mostly a reverse connection.
– Set up a listener to receive the callback.
– Plant a backdoor.
• Do something on the target.
– Ex: create a new user
Stage 4: Privilege Escalation
When we break in, we might not have enough privilege to take over. Therefore, we need to exploit something else to gain higher privilege.
Your Goal!
• Acquire the highest, or enough, privilege to do something.
Stage 5: Maintaining Access
If we want to run a long-term campaign, we need to keep access to the compromised host available.
Incorporating malware is one of the preferred ways.
Your Goal!
• Keep access for yourself or your team.
Stage 6: Covering Tracks
Don't leave any trace behind.
• Delete logs
• Fabricate logs
(smarter yet trickier way)
Create fake evidence (might be predefined)
• Memory and Pool
• File
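The defender's answer to this stage is to make deletion and fabrication visible. This is an added example, not code from the slides or from the DracOS project, run over constructed syslog-style lines: a time-ordering check flags back-dated insertions and suspicious gaps in periodic entries, and a SHA-256 hash chain, shipped to a collector the host cannot write to, pins down the first line that was altered or the point where the log was truncated.

```python
"""Detecting deleted or fabricated log entries.

Added example, not part of the original slides: two independent checks run
over a constructed sample of syslog-style lines.

1. Time ordering: a line fabricated after the fact tends to carry a
   timestamp that breaks monotonic order, and a deleted run of periodic
   entries (here a 5-minute cron heartbeat) shows up as an oversized gap.
2. Hash chain: each line is hashed together with the previous digest and
   the digests are kept off-host, so any later edit or truncation on the
   host no longer matches the recorded chain.

All log lines and the 'collector' copy are constructed for this example.
"""
import hashlib
import re
from datetime import datetime

# Constructed sample: ISO timestamps, cron heartbeat every 5 minutes, one login.
SAMPLE_LOG = [
    "2017-03-04T10:00:00 host01 CRON[1001]: (root) CMD (/usr/local/bin/heartbeat)",
    "2017-03-04T10:05:00 host01 CRON[1002]: (root) CMD (/usr/local/bin/heartbeat)",
    "2017-03-04T10:07:12 host01 sshd[1200]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "2017-03-04T10:10:00 host01 CRON[1003]: (root) CMD (/usr/local/bin/heartbeat)",
    "2017-03-04T10:15:00 host01 CRON[1004]: (root) CMD (/usr/local/bin/heartbeat)",
]

# Same host after tampering (constructed): the login and the 10:10 heartbeat
# were deleted, and a back-dated line was appended to look routine.
TAMPERED_LOG = [
    SAMPLE_LOG[0],
    SAMPLE_LOG[1],
    SAMPLE_LOG[4],
    "2017-03-04T10:03:30 host01 sshd[1201]: Connection closed by 10.0.0.9 port 40000",
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) ")
SEED = b"log-chain-v1"  # constructed chain seed shared with the collector


def parse_ts(line: str) -> datetime:
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no timestamp: {line!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")


def find_time_anomalies(lines, max_gap_seconds):
    """Return (index, reason) for lines that go backwards in time or follow
    a gap longer than the expected heartbeat interval."""
    anomalies = []
    prev = None
    for i, line in enumerate(lines):
        ts = parse_ts(line)
        if prev is not None:
            if ts < prev:
                anomalies.append((i, "timestamp goes backwards"))
            elif (ts - prev).total_seconds() > max_gap_seconds:
                anomalies.append((i, "gap longer than expected"))
        prev = ts if prev is None else max(prev, ts)
    return anomalies


def chain_hashes(lines, seed=SEED):
    """One hex digest per line; each digest covers the previous digest."""
    hashes = []
    prev = hashlib.sha256(seed).digest()
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        hashes.append(prev.hex())
    return hashes


def verify_chain(lines, recorded_hashes, seed=SEED):
    """Index of the first line whose chained digest differs from the record,
    the length of the shorter side if one was truncated, or -1 if intact."""
    current = chain_hashes(lines, seed)
    for i, (got, want) in enumerate(zip(current, recorded_hashes)):
        if got != want:
            return i
    if len(current) != len(recorded_hashes):
        return min(len(current), len(recorded_hashes))
    return -1


if __name__ == "__main__":
    collector_copy = chain_hashes(SAMPLE_LOG)  # recorded while logs were intact
    print("intact  :", find_time_anomalies(SAMPLE_LOG, 330), verify_chain(SAMPLE_LOG, collector_copy))
    print("tampered:", find_time_anomalies(TAMPERED_LOG, 330), verify_chain(TAMPERED_LOG, collector_copy))
```

The chain only helps if the digests leave the host before an intruder gains write access to it; kept locally, they can be recomputed along with the edited lines, which is why the collector copy is the reference here.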
Bonus Stage
Basically do your mission or fulfill the objective.
• Dump data
• Maintain persistent access
• Harvest credentials
• Pivoting
• Proxying
• Etc
It looks interesting and amusing, so how can I be a hacker?
How Could I be the One?
Starting Path:
• Networking
• Programming
Security is another application of computer science, with several extras.
Deep understanding of the subjects gives better results.
Extra communication skills are a plus.
Area of Expertise
Some of the fields (not all):
• Network Security
• Web Security
• Mobile Security
• IoT & Embedded System Security
Pick one and dive into it.
Exploits
• What is it?
• Why is it important?
• How to develop one?
An exploit is specific to a certain product or family of products having the same / similar vulnerability.
• Given code, find bugs
• Given bugs, how to coerce them into an
exploit?
• Given exploit, how do you deploy it?
• Given pwned system, how do you hide
yourself?
• Enough chat, give me demos!
Demo 1 (Web Security)
• Turn VirtualBox / VMware on!
• Use the bWapp VM
Demo 2
• Certain boot2root VM
• Get the write-up on DracOS repository
Okay, so where can we REALLY start learning?
(Assuming you want to be an expert)
• Take a course on computer science (seriously)
• Participate in competitions
– CTF
– Wargame
• Create a practice lab
CTF
• Good environment to learn.
• What a normal security professional would do day to day… on easy mode.
Competition (Recommended)
• IDSecconf CTF
• Cyber Defense Challenge
• Indonesia Cyber Army
Lab
Building a lab is tedious.
Try http://gauli.net/
Advanced Stuff
• Researching and discovering vulnerabilities
• Creating toolkits
• Building tradecraft
• Deploying “assets” in the wild
• Creating a forest to hide in.
• etc
Final advice
• Be Evil!
• Have fun!
Question?
Scaling API-first – The story of a global engineering organization
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

• Reconnaissance is about intelligence gathering.
• Gaining facts, inferring things, and relating them back to the target.
• Both directly and indirectly relevant facts might help in a later stage.
• The more useful information you get, the better your chance to compromise.

Footprinting
Gather information about the nodes, machines, systems and infrastructure in use. Grasp the environment before execution.
• Publicly exposed machines (which ones are reachable by us)
• Open ports (the doors available for us to get in)
• Network (relations to other systems)
• Applications (e.g. version)
• Server specifics (OS, kernel, important drivers, existing services, etc.)
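The "open ports" and "application version" items above are usually answered by grabbing whatever a service says when you connect and matching it against known greeting formats. The following Python is an added example, not material from the talk or its author: it grabs banners, fingerprints a few protocols that speak first (SSH, SMTP, FTP) plus HTTP when probed, and exercises itself against a throwaway local server. The probe table, the regexes and the sample banners (OpenSSH_7.4, nginx/1.18.0, vsFTPd, Postfix) are assumptions constructed for the example; no real host is contacted.

```python
import re
import socket
import threading

# Added example, not from the talk: banner grabbing + fingerprinting, the
# "open port / application version" part of footprinting. The probe table and
# patterns are assumptions for this example; real tools (e.g. nmap -sV) carry
# far larger ones.
PROBES = {
    21: b"", 22: b"", 25: b"",                      # the server speaks first
    80: b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n",  # HTTP answers only after a request
}

PATTERNS = [
    ("ssh", re.compile(r"^SSH-(?P<protocol>[\d.]+)-(?P<software>\S+)")),
    ("smtp", re.compile(r"^220[ -](?P<hostname>\S+) (?P<software>.*ESMTP.*)$")),
    ("ftp", re.compile(r"^220[ -](?P<software>.+)$")),
    ("http", re.compile(r"^HTTP/(?P<protocol>[\d.]+) \d{3}.*?\r?\nServer: (?P<software>[^\r\n]+)", re.S)),
]


def grab_banner(host, port, probe=None, timeout=2.0, limit=2048):
    """Connect, optionally send a probe, and return what the service says first."""
    if probe is None:
        probe = PROBES.get(port, b"")
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while len(data) < limit:
                chunk = s.recv(limit - len(data))
                if not chunk:
                    break            # peer closed: we have everything
                data += chunk
                if not probe and b"\n" in data:
                    break            # one greeting line is enough for line-based protocols
        except socket.timeout:
            pass                     # service stays silent from here on; keep what we have
    return data.decode("latin-1").strip()


def fingerprint(banner):
    """Map a raw banner to {'service': ..., 'software': ...}; None if unrecognised."""
    for service, pattern in PATTERNS:
        m = pattern.match(banner)
        if m:
            info = {"service": service}
            info.update({k: v for k, v in m.groupdict().items() if v is not None})
            return info
    return None


def footprint(host, ports, timeout=2.0):
    """Fingerprint every port that accepts a connection; closed/filtered ports are skipped."""
    results = {}
    for port in ports:
        try:
            banner = grab_banner(host, port, timeout=timeout)
        except OSError:
            continue                 # refused, unreachable or filtered
        results[port] = fingerprint(banner) or {"service": "unknown", "raw": banner[:80]}
    return results


def serve_once(reply):
    """Throwaway local server for the example: answers one connection with `reply`
    and returns the port it listens on. Constructed stand-in for a real target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(reply)
            conn.settimeout(2.0)
            try:
                conn.recv(4096)      # drain any probe so close() is a clean FIN, not a RST
            except OSError:
                pass

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed banners; no real host is contacted.
    ssh_port = serve_once(b"SSH-2.0-OpenSSH_7.4\r\n")
    web_port = serve_once(b"HTTP/1.0 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n")
    print(footprint("127.0.0.1", [ssh_port]))
    print(fingerprint(grab_banner("127.0.0.1", web_port, probe=PROBES[80])))
```

The version string you get back is exactly the input to the next stage (vulnerability mapping), which is also why hardened servers trim or fake their banners: treat a banner as a hint to confirm, not as proof of the version that is running.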
OSINT
• Open Source INTelligence
• Open = overt, publicly available sources
• Not about open-source software.
• Try googling yourself: did you find anything useful?

What Can You Get?

Now apply the same principle to a target in cyberspace.

Stage 2: Vulnerability Mapping
Map threats and potential breaches onto the information found.
• Based on the systems we found, what threats are available?
• How can we conduct the attack?
• Prioritize the list; decide which one gives the greater chance of success.
Simulate scenarios for breaking in before we get to the next stage.

Your Goal!
• Find possible paths to penetrate the target.
• Creating a threat model is helpful.

Stage 3: Gaining Access
The actual penetration phase. Our purpose is to break in, using the vulnerabilities found in the previous steps. We may also discover more along the way; just add it to the list.

Your Goal!
• Break in / compromise.
• Create a connection (persistent / non-persistent) between the target and us. Mostly a reverse connection.
– Set up a listener to receive the callback.
– Plant a backdoor.
• Do something on the target.
– Ex: create a new user

Stage 4: Privilege Escalation
When we break in, we might not have enough privilege to take over. Therefore we need to exploit something else to obtain higher privilege.

Your Goal!
• Acquire the highest, or enough, privilege to do something.

Stage 5: Maintaining Access
If we want to run a long-term campaign, we need to keep access to the compromised host available. Deploying malware is one of the preferred ways.

Your Goal!
• Keep the access for yourself or your team.

Stage 6: Covering Tracks
Don't leave any trace behind.
• Delete logs
• Fabricate logs (smarter, yet trickier)
Create fake evidence (might be predefined):
• Memory and pool
• File
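The defender's counterpart to the covering-tracks stage, as an added example that is not part of the talk: a small Python check that runs over syslog-style lines and flags the two artefacts crude log editing leaves behind, a hole where a run of entries was deleted and an entry whose timestamp runs backwards because it was appended later and back-dated. The log lines, hostnames, PIDs and the 30-minute threshold are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Added example, not from the talk. Constructed syslog-style lines: a login
# session, then a hole where ~45 minutes of entries were deleted, then an
# entry stamped 10:20 that was inserted after the 10:47 one.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host sshd[1201]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
2024-03-01T10:00:02 host sshd[1201]: pam_unix(sshd:session): session opened for user alice
2024-03-01T10:00:05 host sudo[1210]: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/ls
2024-03-01T10:47:30 host sshd[1390]: Accepted publickey for bob from 10.0.0.9 port 52000 ssh2
2024-03-01T10:20:00 host sshd[1300]: Accepted password for alice from 10.0.0.5 port 51500 ssh2
2024-03-01T10:48:00 host sudo[1401]: bob : TTY=pts/1 ; PWD=/home/bob ; COMMAND=/usr/bin/id
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_line(line):
    """Split one syslog-style line into fields; None if it does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["pid"] = int(rec["pid"])
    return rec


def find_tampering(lines, max_gap=timedelta(minutes=30)):
    """Return (line_index, reason) for lines that look like the residue of log editing.

    'gap': nothing logged for longer than max_gap (deleted entries, or just a
           quiet host; max_gap is a per-host tunable, assumed here).
    'out_of_order': timestamp earlier than the latest one already seen (an entry
           appended later and back-dated).
    'unparseable': a line that does not match the format (truncated or hand-edited).
    """
    findings = []
    high_water = None            # latest timestamp seen so far
    for i, line in enumerate(lines):
        rec = parse_line(line)
        if rec is None:
            findings.append((i, "unparseable"))
            continue
        if high_water is not None:
            if rec["ts"] < high_water:
                findings.append((i, "out_of_order"))
            elif rec["ts"] - high_water > max_gap:
                findings.append((i, "gap"))
        if high_water is None or rec["ts"] > high_water:
            high_water = rec["ts"]
    return findings


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for idx, reason in find_tampering(lines):
        print(f"line {idx}: {reason}: {lines[idx]}")
```

This is a tripwire, not proof: the "fabricate logs" path on the slide exists precisely because a careful attacker writes entries that are consistent in time, PID and format, and this check will not see them. The control that actually survives both deletion and fabrication is forwarding logs off the host as they are written, so the copy on the compromised machine is never the only copy.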
Bonus Stage
Basically, do your mission or fulfill the objective.
• Dump data
• Maintain persistent access
• Harvest credentials
• Pivoting
• Proxying
• Etc.

It looks interesting and amusing, so how can I be a hacker?

How Could I Be the One?
Starting path:
• Networking
• Programming
Security is another application of computer science, with several extras. Deep understanding of the subjects gives better results. Extra communication skills are a plus.

Area of Expertise
Some of the fields (not all):
• Network Security
• Web Security
• Mobile Security
• IoT & Embedded System Security
Pick one and dive into it.

Exploits
• What is it?
• Why is it important?
• How do you develop one?
An exploit is specific to a certain product or family of products sharing the same or a similar vulnerability.

• Given code, find bugs.
• Given bugs, how do you coerce them into an exploit?
• Given an exploit, how do you deploy it?
• Given a pwned system, how do you hide yourself?

• Enough chat, give me demos!

Demo 1 (Web Security)
• Turn VirtualBox / VMware on!
• Use the bWapp VM

Demo 2
• A certain boot2root VM
• Get the write-up from the DracOS repository

Okay, so where can we REALLY start learning? (Assuming you want to be an expert)
• Take a course in computer science (seriously)
• Participate in competitions
– CTF
– Wargames
• Create a practice lab

CTF
• Good environment to learn.
• What a normal security professional would do day to day... on easy mode.

Competitions (Recommended)
• IDSecconf CTF
• Cyber Defense Challenge
• Indonesia Cyber Army

Lab
Building a lab is tedious; try http://gauli.net/

Advanced Stuff
• Researching and discovering vulnerabilities
• Creating toolkits
• Building tradecraft
• Deploying "assets" in the wild
• Creating a forest to hide in
• etc.

Final advice
• Be Evil!
• Have fun!