Bruce Schneier Sensible Security Model (SSM)
MS 1. Identify Assets
MS 2. Create an Architecture Overview
MS 3. Decompose the Application
MS 4. Identify the Threats
OWASP Threat Model Information
OWASP External Dependencies
OWASP Entry Points
MS 5. Document the Threats
OWASP Risk Rating Methodology
Intel Threat Agent Library
Based on the Microsoft 6. Rate the Threats
Exploit Database from Offensive Security
Rapid7 (current owner of Metasploit) also has a database
National Vulnerability Database
OWASP Countermeasure Identification
MS STRIDE provides countermeasures to identified threats
MS Threats and Countermeasures
Peter Kim discusses a selection of tools in “The Hacker Playbook” that he uses regularly. I’ve included some of them in this section as they have been found to be very useful.
Turn-key VMware or VirtualBox
Offensive Security team which can be found on IRC
Official Kali documentation
Pre-generated SSH host key, check out Nilesh Kapoor’s talk at OWASP NZ Day 2016 on Host Hardening
VMware and VirtualBox images
ISO can be downloaded from
SHA1SUMS and gpg files
Extra help with gpg
Install Guest Additions
You will need to add your user
The Metasploit Community / Pro package is no longer shipping in Kali
Useful metasploit commands
BeEF recommended configuration
Contrary to a blog post on the beefproject, I’ve found the most useful way to run BeEF
Terminator does everything I need from a terminal. Briefly discussed on my blog
Install all of the projects
These became available from a social game and advertising website in 2009
Peter Kim’s “The Hacker Playbook 2”.
Search for crackstation
SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.
Install the particular VirtualBox Extension Pack onto the host:
The fact that a WAF is in place is often given away by simply inspecting the responses from the server side
To view all of the currently available local nmap scripts
Nmap has a couple of good scripts out of the box for WAF detection
WAFW00F is also an excellent tool
nslookup, which generally provides less information and uses its own internal libraries, as opposed to the OS resolver libraries that dig uses.
/usr/share/dirbuster/wordlists/directories.jbrofuzz is not great, but it is not bad either
theHarvester is a tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/banners, and employee names from different public sources (search engines, PGP key servers)
See issue 30
recon-ng tracks users by default using google analytics.
You can disable this with the
Also discussed in the wiki
API keys for recon-ng
Microsoft Bing virtual hosts search feature
“Penetration Tester’s Open Source Toolkit” book
I also wrote about a few other vulnerability scanners on my blog
Docker used LXC as the default execution environment before the release of version 0.9 on March 13, 2014
Docker was open sourced in March 2013
Allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
The source code is on github
Pre-built DEB, AUR and RPM packages are available for download
Firejail can even run LXC, Docker and OpenVZ containers
Technically Qubes is not a Linux distribution, it’s closer to being a Xen distro if anything
USB stacks and drivers are sand-boxed in their own unprivileged VM (currently experimental)
A storage domain has also been considered
It provides proper GUI-level (one of the main goals) isolation
Along with security as one of the primary goals of the GUI virtualisation subsystem, performance was also priority so the virtualised applications feel as if they were executed natively
Based on monolithic kernels usually containing tens of millions of lines of code. Most of this code is reachable from untrusted applications via all sorts of APIs, making the attack surface on the kernel huge.
Support for Windows 8+ is in development
Excellent tools for this task. There are also many others, many of which are included in Kali Linux
Dradis is included in Kali Linux and the source code can be accessed from the dradisframework repository
There is a collection of security tools that Dradis integrates with
If you look at the public statistics on businesses losing value due to being compromised regularly, the figures are staggering
I have already discussed the test condition workshop many times on-line
Cost of Change curve adapted from Scott W. Ambler’s article on Examining the Agile Cost of Change Curve, which I’ve used in many presentations and workshops.
NodeGoat: the purposely vulnerable NodeJS web application
OWASP ZAP (which also comes pre-installed on Kali Linux) is a particularly useful tool for security regression testing.
Node.JS (by way of zaproxy)
ZapPenTester write-up on codeproject
There is also the Zap supported zap-api-dotnet
BSIMM again has some good guidance
Flow looks to be a good option, providing consumers with the ability to introduce type checking progressively
Example from the flow website
contract-js NPM module
contractual NPM module
Essentials for Creating and Maintaining a High Performance Development Team
I really liked what Moxie Marlinspike said on the topic of career advice
There are competitions devoted to reassembling shredded printed documents with contestants that have successfully reassembled all printed matter:
Not all paper shredders are created equal. Understand the pros and cons:
Readers and cloners
Tessel and its RFID module
Remove or degauss MFD hard drives before the device leaves the premises at end of life / lease
Detection works where prevention fails and detection is of no use without response.
Beyond Fear by Bruce Schneier
People can be your strongest or your weakest defence. This is your choice. Cultural change can be implemented from any level, the most successful being from the shop floor
You will also need to think about company culture and whether this needs some work
The speed benefits of Li-Fi are also compelling, many times faster than current Wi-Fi speeds.
Content Michael Bazzell has collated and his excellent books on the gathering of Open Source Intelligence
The Arxan 5th Annual State of Application Security Report: Perception vs. Reality https://www.arxan.com/resources/state-of-application-security/
The content Michael Bazzell has collated https://inteltechniques.com/links.html and his excellent books on the gathering of Open Source Intelligence.
Studies show that motivation has a larger effect on productivity and quality than any other factor. Software Engineering Economics by Barry W. Boehm 1981.
Increase software developer productivity on my blog
Those distracted by incoming email and phone calls saw a 10-point fall in their IQ by BBC:
Gerald Weinberg’s rule that 20% of our time is lost every time we perform a context switch. This is from “Quality Software Management: Systems Thinking” by Gerald Weinberg.
Who’s your Daddy (WyD): another password profiling tool that “extracts words/strings from supplied files and directories. It parses files according to the file-types and extracts the useful information, e.g. song titles, authors and so on from mp3’s or descriptions and titles from images.” “It supports the following filetypes: plain, html, php, doc, ppt, mp3, pdf, jpeg, odp/ods/odp and extracting raw strings.” http://www.remote-exploit.org/articles/misc_research__amp_code/index.html
“CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers” https://digi.ninja/projects/cewl.php
Hydra has many other options. Plenty of good documentation out there.
Hydra seems like the most mature of the brute force specific tools
Keep the Attack type: “Sniper” because we are only using one wordlist
Keep the Payload set to 1 and Payload type set to Simple list
A few changes to this script which may have fixed it
You can DIY with the likes of Asterisk
The government that imprisoned Kevin Mitnick for nearly five years, later sought his advice about how to keep its own networks safe from intruders
Open source framework providing all the tools anyone would need to spoof caller IDs and much more
Some services cannot handle return messages though, unless the attacker has physical access to a phone that would contact the target’s phone (as with FlexiSPY)
SMS spoofing was removed from the social engineering toolkit in version 6.0 due to lack of maintenance
Episode 5 of Mr Robot
Elliot was making his way through the so-called impenetrable storage facility (Steel Mountain) to plant a Raspberry Pi on the network
His colleagues diverted the manager that was escorting him out of the building by sending her a spoofed SMS message
SMiShing attacks are on the rise
The following attack was one of five that I demonstrated at WDCNZ in 2015. There was an attack leading up to this one
Also noted in the Arxan report that 80% of consumers would change providers if they knew about the vulnerabilities and had a better option. 90% of the app execs (the creators) also believed that consumers would switch if they knew and better offerings were available.
What you need to do is be aware of how much productivity is killed with each switch. Then do everything in your power to make sure your Development Team is sheltered from as much as possible. How to Increase Software Developer Productivity by Kim Carter.
The Multi-Tasking Myth by Jeff Atwood:
The trick here is that when you manage programmers, specifically, task switches take a really, really, really long time. Human Task Switches Considered Harmful.
Get yourself a OneRNG for generating true randomness
MembershipReboot also raises events via an event bus architecture that your application can listen to and take further action on
Michael Bazzell has an excellent collection of tools to assist with validating phone numbers under the “Telephone Numbers” heading at his website
Michael also has a simple tool under the “Telephone Number” heading on the left
which leverages a collection of phone number search APIs.
Services such that
automate the above training techniques
Retrospective is a good time and place to raise the awareness and make sure change occurs
Should Pond be used to facilitate the testing, then hosting of the application will incur Windows licensing costs.