Hacker by trade: Simulation of a Penetration Testing

JEToP – Junior Enterprise Polytechnic University of Turin
Wednesday 13th April 2016, 09:00 – 19:00

Shielder is proud to announce an event that will be held at the Polytechnic University of Turin.

The purpose of this event is to offer participants a quick and charming introduction to the complex world of Information Security and Penetration Testing.

In simple words, a Penetration Test is an attack on a computer system that looks for weaknesses in the target system which could let malicious users (attackers) gain access to the system’s data by taking control of it.

The idea is not to teach participants how to attack systems, but rather to enable them to identify the weaknesses and vulnerabilities that affect their systems, so that everyone can protect their systems and avoid unpleasant incidents such as unauthorized access, data loss or theft, or permanent access by third parties. The event is organized mainly to this end.

While an attacker needs to find just a single vulnerability to compromise a system (that is all he/she needs in the end), a Penetration Tester thinks more broadly and tries to find the maximum number of vulnerabilities and weaknesses – possibly all – that an attacker may use. Once the test has been performed, the Penetration Tester has to report all the vulnerabilities discovered on the system and give his/her employer (company) guidelines on how to fix such security holes to improve the company's (or even his/her own) systems.

During the event the following topics will be covered:

  • Introduction to Penetration Testing
  • Live vulnerability assessment, analysis and management of a target system (LAB)
  • Live pentest (attack) following the findings and vulnerabilities reported (LAB)
  • Mitigation of vulnerabilities
  • Question/Answer session and Free Talk

To facilitate this event we will be using BackBox Linux, which is one of the world’s well-known penetration testing Linux distributions. BackBox has a collection of tools designed for both professional and passionate pentesters. BackBox is a Free Open Source Community project and is therefore freely available; it can be downloaded by everyone from the official web site, https://backbox.org/download

There will be 2 coffee breaks during the event (one before lunch and another one after lunch). At the end of the event, the organizers are thinking of moving to Einaudi 57 for a drink, where everyone is invited to meet the guys working at Shielder and have a chat with them.

Don’t miss it!

Weevely 3 overview

Weevely, the web shell for penetration testing included in BackBox since the early releases, has been forked and heavily rewritten as Weevely 3.0 to improve its extensibility and provide new modules for administration, post exploitation, and privilege escalation, exploiting any web access.

The weevely modules ecosystem provides a working shell interface even where shell command execution is not available, replacing the standard shell commands (e.g. the file editors, cd and ls, SQL cli and dump, compression utilities, port scanners, etc.) with the weevely modules.

The weevely wiki tutorials show some examples of how to edit remote files, and how to harvest and reuse SQL credentials or bruteforce them. Anyone interested can also follow the tutorial about developing new modules.

Weevely can be extended to automate auditing or privilege escalation tasks, exploit specific vulnerabilities, enumerate accounts, scrape sensitive data, pivot on the target to scan the internal networks, run HTTP or SQL requests and do a whole lot of other cool stuff.

Weevely is installed by default on BackBox; download it now or get your version of weevely here.

BackBox Linux 4 Metapackages

BackBox 4.0 now has a fully customizable tools arsenal!

New packages have been created, one for each of the Auditing categories, and each brings with it all the packages of that specific pentesting field. So you can customize your box and install just what you really need, conforming to the BackBox philosophy of lightness, simplicity and completeness.

The packages we introduced to implement this new concept are:

  • backbox-documentation-reporting
  • backbox-exploitation
  • backbox-forensics-analysis
  • backbox-information-gathering
  • backbox-maintaining-access
  • backbox-miscellaneous
  • backbox-mobile-analysis
  • backbox-privilege-escalation
  • backbox-reverse-engineering
  • backbox-social-engineering
  • backbox-stress-testing
  • backbox-voip-analysis
  • backbox-vulnerability-assessment
  • backbox-wireless-analysis

Every user is strongly advised to install the backbox-tools package in order to get all the categories and the tools as before, and to conform to the new packaging structure. It’s as simple as:

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install backbox-tools

If you run into any problems, let us know.