A day in the life of a pentester

Cláudio André (@clviper, [email protected])

Upload: claudio-andre

Post on 29-Jul-2015


TRANSCRIPT

1. A day in the life of a pentester. @clviper, [email protected], Cláudio André.

2. /// Agenda: whoami; Who is a Pentester?; Mobile App Architecture; Android Mobile App Components; OWASP Top 10 Mobile Risks; Practical Examples; Security Recommendations.

3. /// whoami: 10+ years working in Information Systems. Pentester at BSc in Management Information Technology at ULHT. Offensive Security Certified Professional (OSCP). Security blog: http://security.claudio.pt

4–6. Who is a Pentester? An ethical hacker: identify, exploit and report vulnerabilities in web applications, infrastructure and mobile apps.

7–10. /// Mobile App Architecture: three attack surfaces, the Client (the app on the device), the Network (the channel to the backend) and the Server (the backend API).

11–14. /// Android Mobile App Components: Activities, Services, Broadcast Receivers, Content Providers.

15. /// Android Mobile App Components - APK: the Android Application Package File (.apk) is a Zip archive. It contains the Dalvik class files, assets, resources and AndroidManifest.xml. Installed packages are stored under /data/app.

16. /// Android Mobile App Components - AndroidManifest.xml: presents information about the app to the system, describes the app's components and defines the permissions the app requests and the permissions other apps need to reach its components.

17. /// Android Mobile App Components - Shared Preferences: XML file of key-value pairs holding app settings, kept in the app's private data directory (/data/data/<package>/shared_prefs).

18. /// Android Mobile App Components - SQLite: single-file relational database used to store application data and settings.

19–29. /// OWASP Mobile Top 10 Risks (image-only slides).

30. /// FourGoats Manifest.

31. /// M2 Insecure Data Storage, M3 Insufficient Transport Layer Protection, M4 Unintended Data Leakage.

32. /// M2 Insecure Data Storage.

33. /// MSRC Answer.

34. /// M7 Client Side Injection.

35. /// M7 Client Side Injection - Python POC.

36. /// Security Recommendations
M2 - Insecure Data Storage
- Create Shared Preferences with MODE_PRIVATE, never with MODE_WORLD_READABLE (or MODE_WORLD_WRITEABLE).
- Sensitive information should not be stored on the device. If it must be, encrypt it with a key derived from the user's password or PIN, never with a hardcoded encryption key. The data is still vulnerable to offline brute force of that password or PIN, so enforce a strong password policy.
M3 - Insufficient Transport Layer Protection
- Apply TLS on every channel over which the app transmits sensitive information to the backend.
- Implement certificate pinning if very sensitive information is transmitted.

37. /// Security Recommendations
M7 - Client Side Injection
- Only export the components (Activities, Services, Broadcast Receivers, Content Providers) that need to be reachable from other apps, and only where that cannot bypass access controls or leak internal information.
- Always validate user input.
M10 - Lack of Binary Protection
- Obfuscate your code, at a minimum with ProGuard. Obfuscation raises the cost of reverse engineering rather than preventing it, but don't make your attacker's life easier.

38. www.bsideslisbon.org

39. Thank you. Questions? Doubts?
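The M2 recommendation on slide 36 (derive the key from the user's PIN, not a hardcoded constant) comes with the caveat that the result is still open to offline brute force once the attacker has a copy of the data. The following added example, which is not code from the talk, models that with a salted PBKDF2 derivation and then enumerates the whole 4-digit PIN space offline. The stored check value, the salt, the PIN and the iteration count are all constructed for illustration; `derive_key`, `make_key_check` and `brute_force_pin` are names chosen here, not Android or library APIs.

```python
"""Offline brute force of a PIN-derived key (OWASP Mobile M2, Insecure Data Storage).

Added example, not code from the talk. It models the slide's recommendation
(derive the data-encryption key from the user's PIN with a salted KDF instead
of hardcoding it) and shows why the slide still calls the result vulnerable to
offline brute force: a copied shared_prefs file has no lockout or rate limit.
All values below are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 2000   # PBKDF2 rounds; kept small so the demo runs in seconds
PIN_LENGTH = 4      # constructed: a 4-digit numeric PIN, 10**4 candidates


def derive_key(pin, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 key from the PIN. The salt is stored beside the data,
    so it stops precomputation but not enumeration of a small PIN space."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def make_key_check(key, check_data=b"key-check"):
    """Verifier the app stores so it can tell a wrong PIN from the right one.
    Anything a candidate key can be tested against plays this role: an explicit
    check value like this one, an AEAD tag, or known plaintext in the data."""
    return hmac.new(key, check_data, "sha256").digest()


def brute_force_pin(salt, key_check, iterations=ITERATIONS):
    """Enumerate every PIN offline and return (pin, attempts); (None, attempts)
    if nothing matched. Each attempt costs one KDF run, nothing more."""
    space = 10 ** PIN_LENGTH
    for attempt in range(space):
        candidate = f"{attempt:0{PIN_LENGTH}d}"
        key = derive_key(candidate, salt, iterations)
        if hmac.compare_digest(make_key_check(key), key_check):
            return candidate, attempt + 1
    return None, space


def recover_pin_from_copied_prefs():
    """Constructed scenario: the app stored salt + check value, the attacker
    copied both (rooted device, backup, or a world-readable file) and recovers
    the PIN without ever touching the device again."""
    salt = os.urandom(16)
    real_pin = "1337"                      # constructed user PIN
    stored = {"salt": salt, "check": make_key_check(derive_key(real_pin, salt))}
    return brute_force_pin(stored["salt"], stored["check"])


if __name__ == "__main__":
    pin, attempts = recover_pin_from_copied_prefs()
    print(f"recovered PIN {pin} after {attempts} offline attempts")
```

Raising the iteration count only multiplies the attacker's cost by a constant; with 10^4 candidates the PIN falls in minutes at any iteration count the app itself can tolerate on a phone. That is why the slide pairs "derive from the PIN" with "enforce a strong password policy": the key space has to come from the secret, not from the KDF.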
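The M7 recommendation on slide 37 ("only export components that make sense") is checked in practice by reading the manifest the way the platform does: a component is reachable from other apps if `android:exported` is true, or, when the attribute is absent, if it declares an intent filter (providers default to exported when targetSdkVersion is 16 or lower). The following added example, not code from the talk and not the FourGoats manifest on slide 30, applies those default rules to a constructed manifest and lists the exported components that carry no `android:permission`. The package and component names are invented; `exported_components` and `unprotected` are helper names chosen here.

```python
"""List Android components reachable from other apps (OWASP Mobile M7, Client Side Injection).

Added example, not code from the talk. The manifest is constructed for
illustration and is not the FourGoats manifest shown in the slides.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest: a mix of explicit, implicit and protected exports.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.SYNC"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".AccountsProvider"
              android:authorities="com.example.bank.accounts"/>
  </application>
</manifest>
"""


def target_sdk_version(root):
    """targetSdkVersion, falling back to minSdkVersion, then to 1 (platform defaults)."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    target = uses_sdk.get(ANDROID_NS + "targetSdkVersion")
    if target is None:
        target = uses_sdk.get(ANDROID_NS + "minSdkVersion", "1")
    return int(target)


def is_exported(elem, target_sdk):
    """Platform default rules for android:exported when the attribute is absent."""
    explicit = elem.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17          # providers were public by default before API 17
    return elem.find("intent-filter") is not None


def exported_components(manifest_xml):
    """Every component another app can address, with the permission guarding it (if any)."""
    root = ET.fromstring(manifest_xml)
    target_sdk = target_sdk_version(root)
    app = root.find("application")
    findings = []
    for elem in app:
        if elem.tag in COMPONENT_TAGS and is_exported(elem, target_sdk):
            findings.append({
                "type": elem.tag,
                "name": elem.get(ANDROID_NS + "name"),
                "permission": elem.get(ANDROID_NS + "permission"),
            })
    return findings


def unprotected(findings):
    """Exported components with no android:permission: the first things to poke at."""
    return [f for f in findings if f["permission"] is None]


if __name__ == "__main__":
    for f in unprotected(exported_components(SAMPLE_MANIFEST)):
        print(f"{f['type']:<10} {f['name']}  (exported, no permission)")
```

The launcher activity is expected to appear; `.TransferActivity`, `.SmsReceiver` and `.AccountsProvider` are the findings worth a look, since anything on the device can reach them (`adb shell am start -n com.example.bank/.TransferActivity` exercises the first one directly). The same walk over a real manifest, pulled from the APK with apktool, is what the FourGoats slide is about. Since Android 12 (API 31) the build fails unless components with intent filters declare `android:exported` explicitly, which removes the implicit cases this script handles but not the "exported on purpose, without a permission" ones.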