Posts

Showing posts from July, 2015

Security Testing for entities hosted in cloud

Applications that are being migrated to, or are planned to be hosted in, the cloud need additional security considerations. Failure to ensure proper security protection when using cloud services may result in higher costs and loss to the business. Organizations must consider security controls for the different service models, viz. Infrastructure as a Service (IaaS), Software as a Service (SaaS) or Platform as a Service.

Which applications should be moved to the cloud?
· Low to Medium Risk

What are the key security risks while hosting in the cloud?
· Isolation Failure – Multi-tenancy is a key characteristic of the cloud. Failure in the controls that separate storage, memory, identity and access control, and routing between tenants is a huge risk.
· Authentication and Authorization
· ...

Vulnhub_Fartknocker_Challenge_Writeup

I have always been using vulnhub for getting exciting challenges for practice. I am very thankful to team vulnhub. Recently a few of my friends who are good penetration testers failed a challenge as they could not discover anything except a web port. When I asked them whether they had checked for port knocking on the target? Well, I thought this is a great opportunity to start submitting my attempts at vulnhub challenges. I wrote this challenge up while explaining it to my friends.

1] Discovering the target
2] nmap scan
3] Interacting with the target on the open port: clicking on the "Wooah" opened up a pcap file
4] Looking at the TCP traffic for Dst Port with Seq: 0 and Len: 0, we get the following ports in the following sequence: 7000 8000 9000 7000 8000 9000 8888. Looking at this it is very clear that this is a port knocking challenge. So let's knock the ports. We could write a script for this; however, since this is just 7 ports we will knock the ports directly.
5] Now we have port 8888 open and a new directory /b...