Fine Tuning Adaptive Network Penetration Test – External, Internal and Wireless

Fine Tuning Automation for Network Penetration Test

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Network Penetration Testing

A lot has been discussed earlier related to network penetration test in forums, IRC’s and security conferences but everyone looked for some automated approach to keep network penetration test related task going fast. The fast approach is desired for mass IP scans and lot of IP ranges which have to be tested in a short time. Most of these network nodes have services open which could be further investigated if these services were well known to be exploited in the wild.

networktest

There are various Network Penetration testing which could be referenced below:

  1. External Network Penetration Testing
  2. Internal Network Penetration Testing
  3. Wireless Network Penetration Testing

Now as most of you had already assumed, there could be automated approach to all of them; this however seems easy but is harder if taken from a wide security view-point. The art of choosing a set tools at your disposal for Network Security Audit lies beyond the scope defined since lot of these tools send malicious packets which could deliver stress to the web-server or critical production server costing the clients financially off their services. As a penetration tester I have learned this art from my own lesson and experiences and this would be my own personal methodology for a Network penetration test. Some of the questions which should be asked before-hand to the client before beginning with an engagement would be the major feedback on how one should be preparing for the penetration test.

Continue reading

Advertisements

Adaptive Application Framework Driven Vulnerabilities and the Padding Oracle

Securing Web Applications before Deployment.

An analysis focused on various framework used to deploy web applications.

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Abstract

Dedicated vulnerability and bug researchers go deep into the application security aspects while studying application internals and there is a prominent rise in hidden attack vectors which are never common. There is a default common misconception among the developers that deploying applications which are vendor-enabled with 3rd party proprietary framework libraries will add security to the application. Libraries which the developers rely on are themselves vulnerable if properly dissected and studied. This brings business concerns to the business assets. The business assets could be anything from bank details to storing credit card information for customers to easily access such numbers for the ease of the customers. Although data integrity is maintained when storing and is encrypted, it takes a while for an attacker to get in and get out without being really noticed. Contrary to the statements above, there is yet another belief that Open source libraries will be safer since they go revisions by the mass community but the truth is bitter. Again, deep down in the open-source libraries, there exist multiple critical vulnerabilities which needs to be addressed before deploying them as they are. The information given below will detail the vulnerabilities which are deep inside the libraries which are used to deploy rich internet based applications.

open2 open

What Developers see as a convenient way for deploying a web application?

  • Languages used: PHP, JAVA, Ruby, SCALA, Perl, Python, HASKELL, Cold Fusion and more.
  • Framework Used:NET, Zend, CodeIgniter, Spring, Catalyst, Snap, CakePHP, Yii, Fusebox, and more. Even more popular ones are Django, Sinatra, Mason, Pyjamas, Symfony and Grails.

Continue reading

Web Security Threat Prediction

Web Security Threat Prediction

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

Abstract

The Web Security scene has been much complex than ever known and its time various industry take a deeper look to it to gain an in-depth gravity of the situation which affects them directly or in-directly. This could come at a blow and wouldn’t let you know until it’s too late. This post will take you mind blown from the recent predictions in terms of Web Security and will let you inform on the latest web attacks in rise and how such attacks are bad for business as well as reputation let alone financial losses. When we talk about industry, this doesn’t have to be the retail industry; it aims at stretch from the medical appliances to the car manufacturing industry and too low down to the Electronic Cigarette industry. That been said, we will look how various industrial assets which have had their presence and continue to have a presence in the web world affects them directly or indirectly and why Web Security for them is an absolute important factor too big a risk to ignore and compromise with the same.

Prediction 2015

I have come across and defined a statistical background check on as many application attack vectors and evidently from the statistical approach have come up to a very conclusive set of industries which could go bankruptcy as well as reputation loss if Web Security part is ignored. Here we have thrown out some of the industries which have a direct impact on business ignoring Web Security at their end.

  • Medical Department
  • Web Retail Department and Business Assets
  • Opensource Platforms
  • Mobile Devices

1ta

Continue reading