Bruce Schneier Sensible Security Model (SSM)
 http://www.win.tue.nl/~wstomv/quotes/beyond-fear.html
Scrum Guide
 http://www.scrumguides.org/scrum-guide.html
MS 1. Identify Assets
 https://msdn.microsoft.com/en-us/library/ff648644.aspx#c03618429_006
OWASP Assets
 https://www.owasp.org/index.php/Application_Threat_Modeling#Assets
MS 2. Create an Architecture Overview
 https://msdn.microsoft.com/en-us/library/ff648644.aspx#c03618429_007
MS 3. Decompose the Application
 https://msdn.microsoft.com/en-us/library/ff648644.aspx#c03618429_008
MS 4. Identify the Threats
 https://msdn.microsoft.com/en-us/library/ff648644.aspx#c03618429_009
OWASP Threat Model Information
 https://www.owasp.org/index.php/Application_Threat_Modeling#Threat_Model_Information
OWASP External Dependencies
 https://www.owasp.org/index.php/Application_Threat_Modeling#External_Dependencies
OWASP Entry Points
 https://www.owasp.org/index.php/Application_Threat_Modeling#Entry_Points
MS 5. Document the Threats
 https://msdn.microsoft.com/en-us/library/ff648644.aspx#c03618429_010
OWASP Risk Rating Methodology
 https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
Intel Threat Agent Library
 https://communities.intel.com/servlet/JiveServlet/previewBody/1151-102-1-1111/Threat%20Agent%20Library_07-2202w.pdf
Based on the Microsoft 6. Rate the Threats
 https://msdn.microsoft.com/en-us/library/ff648644.aspx#c03618429_011
Exploit Database from Offensive Security
 https://github.com/offensive-security/exploit-database
Web Front-end
 https://www.exploit-db.com/
SecurityFocus BugTraq
 http://www.securityfocus.com/archive/1
Rapid7 (current owner of Metasploit) also has a database
 http://www.rapid7.com/db/modules/search
NodeSecurity
 https://nodesecurity.io/advisories
National Vulnerability Database
 https://web.nvd.nist.gov/view/vuln/search
OWASP Countermeasure Identification
 https://www.owasp.org/index.php/Application_Threat_Modeling#Countermeasure_Identification
MS STRIDE provides countermeasures to identified threats
 https://msdn.microsoft.com/en-us/library/ff648641.aspx#c02618429_005
MS Threats and Countermeasures
 https://msdn.microsoft.com/en-us/library/ff648641.aspx
Peter Kim discusses a selection of tools in “The Hacker Playbook” that he uses regularly. I’ve included some of them in this section as they have been found to be very useful.
Kali Linux
 http://docs.kali.org/introduction/what-is-kali-linux
Kali repository
 http://git.kali.org/gitweb/
Turn-key VMware or VirtualBox image
 https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/
Custom ARM images
 https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/
NetHunter
 https://www.kali.org/kali-linux-nethunter/
Offensive Security team, which can be found on IRC
 http://docs.kali.org/community/kali-linux-irc-channel
Official Kali documentation
 http://docs.kali.org/category/installation
Pre-generated SSH host key: check out Nilesh Kapoor’s talk at OWASP NZ Day 2016 on Host Hardening
 https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016#tab=Presentation_Schedule
VMware and VirtualBox images
 https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/
ISO can be downloaded from
 https://www.kali.org/downloads/
SHA1 checksums
 http://docs.kali.org/introduction/download-official-kali-linux-images
Downloads
 https://www.kali.org/downloads/
SHA1SUMS and gpg files
 http://archive.kali.org/kali-images/
Extra help with gpg
 http://blog.binarymist.net/2015/01/31/gnupg-key-pair-with-sub-keys/
Hard-disk install
 http://docs.kali.org/installation/kali-linux-hard-disk-install
Install Guest Additions
 http://docs.kali.org/general-use/kali-linux-virtual-box-guest
You will need to add your user
 https://www.virtualbox.org/manual/ch04.html#sf_mount_auto
The Metasploit Community / Pro package is no longer shipping in Kali
 https://www.kali.org/releases/kali-linux-20-released/
Useful metasploit commands
 https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/
Meterpreter Client
 https://en.wikibooks.org/wiki/Metasploit/MeterpreterClient
Meterpreter Basics
 https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/
Using databases
 https://www.offensive-security.com/metasploit-unleashed/using-databases/
Information gathering
 http://resources.infosecinstitute.com/information-gathering-using-metasploit/
BeEF recommended configuration
 https://github.com/beefproject/beef/wiki/Configuration
Contrary to a blog post on the beefproject, I’ve found the most useful way to run BeEF
 http://blog.beefproject.com/2014/06/kali-formerly-backtrack-linux-beef.html
BeEF console
 https://github.com/beefproject/beef/wiki/BeEF-Console
Terminator does everything I need from a terminal. Briefly discussed on my blog
 http://blog.binarymist.net/2013/01/19/a-decent-console-for-windows/
Veil Framework
 https://www.veil-framework.com/
Install all of the projects
 https://github.com/Veil-Framework/Veil
Install guides
 https://www.veil-framework.com/guidesvideos/
Rockyou
 http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
These became available from a social game and advertising website in 2009
 Peter Kim’s “The Hacker Playbook 2”.
Search for crackstation
 https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
Passwords_WordList_CLEANED
 http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords/
SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.
RSnake’s collection
 https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
Tamper Data
 https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Install the particular VirtualBox Extension Pack on to the host:
 https://www.virtualbox.org/ticket/9511?cversion=0&cnum_hist=2
The fact that a WAF is in place is often given away by simply inspecting the responses from the server side
 https://pentestlab.wordpress.com/2013/01/13/detecting-web-application-firewalls/
To view all of the currently available local nmap scripts
 http://cyberpedia.in/nmap-scripting-engine-scanning-in-kali-linux/
NMap has a couple of good scripts out of the box for WAF detection
 http-waf-detect: https://nmap.org/nsedoc/scripts/http-waf-detect.html
 http-waf-fingerprint: https://nmap.org/nsedoc/scripts/http-waf-fingerprint.html
WAFW00F is also an excellent tool
 https://github.com/sandrogauci/wafw00f
nslookup, which generally provides less information and uses its own internal libraries, as opposed to the OS resolver libraries that dig uses.
 http://unix.stackexchange.com/questions/93808/dig-vs-nslookup
/usr/share/dirbuster/wordlists/directories.jbrofuzz is not great, but it is not bad either
 http://null-byte.wonderhowto.com/how-to/hack-like-pro-abusing-dns-for-reconnaissance-0157448/
theHarvester is a tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/banners, and employee names from different public sources (search engines, PGP key servers)
 https://github.com/laramies/theHarvester
See issue 30
 https://github.com/laramies/theHarvester/issues/30
recon-ng tracks users by default using google analytics.
 https://bitbucket.org/LaNMaSteR53/recon-ng/commits/eab6307
You can disable this with the --no-analytics argument
 https://bitbucket.org/LaNMaSteR53/recon-ng/commits/717c7c6
Also discussed in the wiki
 https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide#!analytics
API keys for recon-ng
 https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide#!acquiring-api-keys
Microsoft bing virtual hosts search feature
 “Penetration Tester’s Open Source Toolkit” book
I also wrote about a few other vulnerability scanners on my blog
 http://blog.binarymist.net/2014/03/29/up-and-running-with-kali-linux-and-friends/#vulnerability-scanners
Exploit Database
 https://github.com/offensive-security/exploit-database
Docker used LXC as the default execution environment before the release of version 0.9 on March 13, 2014
 https://en.wikipedia.org/wiki/Docker_(software)
Docker was open sourced in March 2013
 http://www.infoq.com/news/2013/03/Docker
Docker README
 https://github.com/docker/docker
cgroups
 https://en.wikipedia.org/wiki/Cgroups
firejail
Allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
 https://firejail.wordpress.com/
Linux namespaces
 https://lwn.net/Articles/531114/
The source code is on github
 https://github.com/netblue30/firejail
Pre-built DEB, AUR and RPM packages are available for download
 https://firejail.wordpress.com/download-2/
Firejail can even run LXC, Docker and OpenVZ containers
 https://firejail.wordpress.com/support/frequently-asked-questions/
seccomp-bpf
 https://l3net.wordpress.com/2015/04/13/firejail-seccomp-guide/
Qubes
Technically Qubes is not a Linux distribution, it’s closer to being a Xen distro if anything
 https://www.qubes-os.org/doc/user-faq/#is-qubes-just-another-linux-distribution
USB stacks and drivers are sand-boxed in their own unprivileged VM (currently experimental)
 https://www.qubes-os.org/doc/qubes-architecture/
A storage domain has also been considered
 https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-020-2015.txt#L97
It provides proper GUI-level (one of the main goals) isolation
 http://theinvisiblethings.blogspot.it/2012/09/how-is-qubes-os-different-from.html
Along with security as one of the primary goals of the GUI virtualisation subsystem, performance was also a priority, so the virtualised applications feel as if they were executed natively
 https://www.qubes-os.org/doc/user-faq/#is-qubes-just-another-linux-distribution
Based on monolithic kernels usually containing tens of millions of lines of code. Most of this code is reachable from untrusted applications via all sorts of APIs, making the attack surface on the kernel huge.
 http://theinvisiblethings.blogspot.it/2012/09/how-is-qubes-os-different-from.html
Support for Windows 8+ is in development
 https://www.qubes-os.org/doc/windows-appvms/
Excellent tools for this task. There are also many others, many of which are included in Kali Linux
 http://tools.kali.org/reporting-tools
Dradis is included in Kali Linux and the source code can be accessed from the dradisframework repository
 https://github.com/dradis/dradisframework
There is a collection of security tools that Dradis integrates with
 https://github.com/dradis/dradisframework#some-of-the-features
If you look at the public statistics on businesses losing value due to being compromised regularly, the figures are staggering
 http://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/223462991/
I have already discussed the test condition workshop many times on-line
 http://blog.binarymist.net/2012/03/24/how-to-optimise-your-testing-effort/#planningTheTestEffort
Cost of Change curve adapted from Scott W. Ambler’s article on Examining the Agile Cost of Change Curve, which I’ve used in many presentations and workshops.
 http://www.agilemodeling.com/essays/costOfChange.htm
NodeGoat: the purposely vulnerable Node.js web application
 https://github.com/OWASP/NodeGoat
OWASP ZAP (which also comes pre-installed on Kali Linux) is a particularly useful tool for security regression testing.
 https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Node.JS (by way of zaproxy)
 https://www.npmjs.com/package/zaproxy
ZapPenTester write-up on codeproject
 http://www.codeproject.com/Articles/708129/Automated-penetration-testing-in-the-Microsoft-sta
The source
 https://github.com/gustavorhm/ZapPenTester
There is also the Zap supported zap-api-dotnet
 https://github.com/zaproxy/zap-api-dotnet
BSIMM again has some good guidance
 https://www.bsimm.com/framework/deployment/penetration-testing/
DOMXSSScanner
 https://github.com/yaph/domxssscanner
JSPrime
 https://www.youtube.com/watch?v=Vk5SPGpqiLc
JSWebTools
 http://www.jswebtools.org/
Code Climate is a static analysis platform
 https://codeclimate.com/
It provides an open and extensible model to run community-provided analysis engines
 https://codeclimate.com/engines
Flow looks to be a good option, providing consumers with the ability to introduce type checking progressively
 http://flowtype.org/
DBC
 http://blog.binarymist.net/2010/10/11/lsp-dbc-and-nets-support/
Example from the flow website
 http://flowtype.org/
contract-js NPM module
 https://www.npmjs.com/package/contracts-js
contract.js home
 http://www.contractsjs.org/
contractual NPM module
 https://www.npmjs.com/package/contractual
ristretto-js
 https://code.google.com/archive/p/ristretto-js/wikis
Essentials for Creating and Maintaining a High Performance Development Team
 http://blog.binarymist.net/2014/01/25/essentials-for-creating-and-maintaining-a-high-performance-development-team/
I really liked what Moxie Marlinspike said on the topic of career advice
 http://www.thoughtcrime.org/blog/career-advice/
There are competitions devoted to reassembling shredded printed documents with contestants that have successfully reassembled all printed matter:
 http://archive.darpa.mil/shredderchallenge/
Not all paper shredders are created equal. Understand the pros and cons:
 https://en.wikipedia.org/wiki/Paper_shredder
Readers and cloners
 http://hackerwarehouse.com/product/proxmark3-kit/
Tessel and its RFID module
 https://tessel.io/modules#module-rfid
Lan Turtle
 http://hakshop.myshopify.com/products/lan-turtle
Remove or degauss MFD hard drives before the device leaves the premises at end of life / lease
 http://blog.binarymist.net/2013/03/17/erasing-data-from-your-drives/
Detection works where prevention fails and detection is of no use without response.
 Beyond Fear by Bruce Schneier
People can be your strongest or your weakest defence. This is your choice. Cultural change can be implemented from any level, the most successful being from the shop floor
 http://blog.binarymist.net/2014/04/26/culture-in-the-work-place/
You will also need to think about company culture and whether this needs some work
 http://blog.binarymist.net/2014/04/26/culture-in-the-work-place/
The speed benefits of Li-Fi are also compelling: many times faster than current Wi-Fi speeds.
 http://www.sciencealer.com/li-fi-tested-in-the-real-world-for-the-first-time-is-100-times-faster-than-wi-fi
Content Michael Bazzell has collated and his excellent books on the gathering of Open Source Intelligence
 https://inteltechniques.com/links.html
The Arxan 5th Annual State of Application Security Report: Perception vs. Reality
 https://www.arxan.com/resources/state-of-application-security/
The content Michael Bazzell has collated, and his excellent books on the gathering of Open Source Intelligence
 https://inteltechniques.com/links.html
Studies show that motivation has a larger effect on productivity and quality than any other factor. Software Engineering Economics by Barry W. Boehm 1981.
Increase software developer productivity on my blog
 http://blog.binarymist.net/2013/03/02/how-to-increase-software-developer-productivity/
Those distracted by incoming email and phone calls saw a 10-point fall in their IQ by BBC:
 http://news.bbc.co.uk/2/hi/uk_news/4471607.stm
Gerald Weinberg’s rule that 20% of our time is lost every time we perform a context switch. This is from “Quality Software Management: Systems Thinking” by Gerald Weinberg.
Who’s your Daddy (WyD) is another password profiling tool that “extracts words/strings from supplied files and directories. It parses files according to the file-types and extracts the useful information, e.g. song titles, authors and so on from mp3’s or descriptions and titles from images.” “It supports the following filetypes: plain, html, php, doc, ppt, mp3, pdf, jpeg, odp/ods/odp and extracting raw strings.” http://www.remote-exploit.org/articles/misc_research__amp_code/index.html
“CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers” https://digi.ninja/projects/cewl.php
Wordhound
 https://bitbucket.org/mattinfosec/wordhound.git
Hydra has many other options. Plenty of good documentation out there.
 http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/
Hydra seems like the most mature of the brute force specific tools
 https://www.thc.org/thc-hydra/network_password_cracker_comparison.html
Keep the Attack type: “Sniper” because we are only using one wordlist
 https://portswigger.net/burp/help/intruder_positions.html
Keep the Payload set to 1 and Payload type set to Simple list
 https://portswigger.net/burp/help/intruder_payloads_types.html
NMap http-form-brute
 https://nmap.org/nsedoc/scripts/http-form-brute.html
A few changes to this script which may have fixed it
 http://seclists.org/nmap-dev/2014/q3/479
You can DIY with the likes of Asterisk
 http://www.social-engineer.org/wiki/archives/CallerIDspoofing/CallerID-SpoofingWithAsterisk.html
The government that imprisoned Kevin Mitnick for nearly five years, later sought his advice about how to keep its own networks safe from intruders
 http://www.politechbot.com/p-00969.html 
Open source framework providing all the tools anyone would need to spoof caller IDs and much more
 http://www.social-engineer.org/wiki/archives/CallerIDspoofing/CallerID-SpoofingWithAsterisk.html
Some services cannot handle return messages though, unless the attacker has physical access to a phone that would contact the target’s phone (as with flexispy)
 http://blog.flexispy.com/spoof-sms-powerful-secret-weapon-shouldve-using/
SMS spoofing was removed from the social engineering toolkit in version 6.0 due to lack of maintenance
 https://github.com/trustedsec/social-engineer-toolkit/blob/master/readme/CHANGES#L285
Episode 5 of Mr Robot, in which Elliot was making his way through the so-called impenetrable storage facility (Steel Mountain) to plant a Raspberry Pi on the network
 http://www.usanetwork.com/mrrobot/episode-guide/season-1-episode-5-eps143xpl0itswmv
His colleagues diverted the manager that was escorting him out of the building by sending her a spoofed SMS message
 http://null-byte.wonderhowto.com/how-to/hacks-mr-robot-send-spoofed-sms-text-message-0163331/
SMiShing attacks are on the rise
 http://www.pcworld.com/article/254979/smishing_attacks_are_on_the_rise.html
The following attack was one of five that I demonstrated at WDCNZ in 2015. There was an attack leading up to this one
 https://www.youtube.com/watch?v=tb4o5UCHzSA
Also noted in the Arxan report that 80% of consumers would change providers if they knew about the vulnerabilities and had a better option. 90% of the app execs (the creators) also believed that consumers would switch if they knew and better offerings were available.
 https://www.arxan.com/wp-content/uploads/2016/01/State_of_Application_Security_2016_Consolidated_Report.pdf
What you need to do is be aware of how much productivity is killed with each switch. Then do everything in your power to make sure your Development Team is sheltered from as much as possible. How to Increase Software Developer Productivity by Kim Carter.
The Multi-Tasking Myth by Jeff Atwood:
 http://blog.codinghorror.com/the-multi-tasking-myth/
The trick here is that when you manage programmers, specifically, task switches take a really, really, really long time. Human Task Switches Considered Harmful.
Get yourself a OneRNG for generating true randomness
 http://onerng.info/
MembershipReboot also raises events via an event bus architecture that your application can listen to and take further action on
 https://brockallen.com/2014/02/10/how-membershipreboot-mitigates-login-and-two-factor-authentication-brute-force-attacks/
Michael Bazzell has an excellent collection of tools to assist with validating phone numbers under the “Telephone Numbers” heading at his website
 https://inteltechniques.com/links.html
Michael also has a simple tool under the “Telephone Number” heading on the left, which leverages a collection of phone number search APIs
 https://inteltechniques.com/intel/menu.html
Services such that
automate the above training techniques
A tool such as Pond can help you automate the entire testing process.
 https://bitbucket.org/t0x0/pond
Chris Campbell (creator of Pond) can be found at:
 https://twitter.com/t0x0_nz
Retrospective is a good time and place to raise the awareness and make sure change occurs
 http://blog.binarymist.net/2012/07/28/guidance-on-running-scrum-retrospectives/ 
Should Pond be used to facilitate the testing, then hosting of the application will incur Windows licensing costs.
 https://bitbucket.org/t0x0/pond